This is the seventh article in a series about configuring VPN tunnels in IOS XE. [ Link to Part 1 ] [ Link to Part 2 ] [ Link to Part 3 ] [ Link to Part 4 ] [ Link to Part 5 ] [ Link to Part 6 ]
In the previous part, I configured route-based VPN tunnels. In this article, I will show how to build a Dynamic Multipoint VPN (DMVPN) cloud with OSPF as the dynamic routing protocol.
This is an imaginary setup of a company which has a Data Centre (DC) with application and storage servers, and two sites (A and B) that connect to the DC via IPsec VPN tunnels with the Internet as the underlay. IP addresses, device connections and the OSPF area are as shown in the diagram.
The goals of this scenario are:
1) Create a DMVPN cloud on "dc-gw1" and connect routers "site-a-gw1" and "site-b-gw1" to this cloud.
2) This setup will be DMVPN Phase 1, with a hub-and-spoke architecture.
3) Configure dynamic routing between the DC and site routers.
Router IOS versions used for this setup are:
dc-gw1 = Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
site-a-gw1 and site-b-gw1 = Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
I had configured interface IPs on the DC router and site routers and implemented a default route towards the Internet router. This simulates the underlay Internet links for the DC and sites.
Interface And Route Configuration On DC Router = "dc-gw1"
interface GigabitEthernet1
 platform ring rx 256
 ip address 10.0.0.2 255.255.255.248
 negotiation auto
interface GigabitEthernet2
 platform ring rx 256
 ip address 100.0.10.1 255.255.255.0
 ip mtu 1400
 ip nat inside
 negotiation auto
interface GigabitEthernet3
 platform ring rx 256
 ip address 100.0.20.1 255.255.255.0
 ip mtu 1400
 negotiation auto
ip route 0.0.0.0 0.0.0.0 10.0.0.1
Interface And Route Configuration On site A Router = "site-a-gw1"
interface GigabitEthernet0/0
 ip address 20.0.0.2 255.255.255.252
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
interface GigabitEthernet1/0
 ip address 192.168.10.1 255.255.255.0
 negotiation auto
ip route 0.0.0.0 0.0.0.0 20.0.0.1
Interface And Route Configuration On site B Router = "site-b-gw1"
interface GigabitEthernet0/0
 ip address 30.0.0.2 255.255.255.252
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
interface GigabitEthernet1/0
 ip address 192.168.20.1 255.255.255.0
 negotiation auto
ip route 0.0.0.0 0.0.0.0 30.0.0.1
Next is creating the DMVPN cloud on the DC router and connecting the site routers to this cloud.
DMVPN Configuration On DC Router = "dc-gw1"
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key acme address 0.0.0.0
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile tunnel-to-site
 set transform-set AES-256-SHA
interface Tunnel1
 description DMVPN Tunnel to Sites
 ip address 172.20.10.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication acme
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip ospf network point-to-multipoint
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile tunnel-to-site
DMVPN Configuration On site A Router = "site-a-gw1"
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key acme address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec profile tunnel-to-dc
 set transform-set AES-256-SHA
interface Tunnel1
 description DMVPN Tunnel to DC
 ip address 172.20.10.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication acme
 ip nhrp map 172.20.10.1 10.0.0.2
 ip nhrp map multicast 10.0.0.2
 ip nhrp network-id 1
 ip nhrp holdtime 60
 ip nhrp nhs 172.20.10.1
 ip nhrp registration timeout 30
 ip ospf network point-to-multipoint
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.2
 tunnel key 10
 tunnel protection ipsec profile tunnel-to-dc
DMVPN Configuration On site B Router = "site-b-gw1"
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key acme address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec profile tunnel-to-dc
 set transform-set AES-256-SHA
interface Tunnel1
 description DMVPN Tunnel to DC
 ip address 172.20.10.3 255.255.255.0
 ip mtu 1400
 ip nhrp authentication acme
 ip nhrp map 172.20.10.1 10.0.0.2
 ip nhrp map multicast 10.0.0.2
 ip nhrp network-id 1
 ip nhrp holdtime 60
 ip nhrp nhs 172.20.10.1
 ip nhrp registration timeout 30
 ip ospf network point-to-multipoint
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.2
 tunnel key 10
 tunnel protection ipsec profile tunnel-to-dc
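As an added check (example code written for this article, not part of the original configuration or of any Cisco tool), the following Python audits a saved running-config for the properties the tunnel interfaces above depend on: every NHRP tunnel must be bound to an IPsec profile that is actually defined, carry an NHRP authentication string and a tunnel key, and the 0.0.0.0 wildcard pre-shared key used in this lab is flagged, since it lets any peer holding the key register with the hub. The sample config is a constructed, re-indented copy of the hub's configuration.

```python
import re

# Constructed sample: the hub's DMVPN config from this article, indented as IOS prints it.
SAMPLE_CFG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key acme address 0.0.0.0
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec profile tunnel-to-site
 set transform-set AES-256-SHA
interface Tunnel1
 ip nhrp authentication acme
 ip nhrp map multicast dynamic
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile tunnel-to-site
"""

def sections(cfg):
    """Split an IOS config into {top-level command: [indented sub-commands]}."""
    blocks, header = [], None
    for line in cfg.splitlines():
        if line.startswith(" ") and header is not None:
            blocks[-1][1].append(line.strip())
        elif line.strip():
            header = line.strip()
            blocks.append((header, []))
    return dict(blocks)

def audit_dmvpn(cfg):
    """Return findings for every NHRP tunnel interface; an empty list means all checks pass."""
    blocks, findings = sections(cfg), []
    # A 0.0.0.0 wildcard PSK (as in this lab) lets any peer that holds the key register.
    if any(re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0", h) for h in blocks):
        findings.append("wildcard pre-shared key: any peer knowing the key can register")
    for hdr, body in blocks.items():
        if not hdr.startswith("interface Tunnel") or not any(b.startswith("ip nhrp") for b in body):
            continue
        prot = next((b for b in body if b.startswith("tunnel protection ipsec profile ")), None)
        if prot is None:
            findings.append(f"{hdr}: NHRP/GRE tunnel without tunnel protection (cleartext)")
        elif "crypto ipsec profile " + prot.split()[4] not in blocks:
            findings.append(f"{hdr}: ipsec profile {prot.split()[4]} is not defined")
        if not any(b.startswith("ip nhrp authentication") for b in body):
            findings.append(f"{hdr}: no NHRP authentication string")
        if not any(b.startswith("tunnel key ") for b in body):
            findings.append(f"{hdr}: no tunnel key")
    return findings
```

Running it on the lab hub config returns only the wildcard-key finding; removing the tunnel protection line from the sample produces the cleartext finding as well.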
DMVPN Status On DC Router = "dc-gw1"
dc-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 20.0.0.2        172.20.10.2    UP 00:08:21     D
     1 30.0.0.2        172.20.10.3    UP 00:08:12     D

dc-gw1#
DMVPN Status On Site A Router = "site-a-gw1"
site-a-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.0.0.2        172.20.10.1    UP 00:21:46     S

site-a-gw1#
DMVPN Status On Site B Router = "site-b-gw1"
site-b-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.0.0.2        172.20.10.1    UP 00:26:12     S

site-b-gw1#
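As an added example (not part of the original article), this Python parses the "sh dmvpn" peer table shown above and compares the hub's registered spokes against the expected tunnel-address to NBMA-address mapping, so a spoke that is down, missing, or registered from an unexpected public address is reported. The sample output is constructed from the hub's table above; the expected mapping is an assumption matching this lab.

```python
import re

# Constructed sample modelled on the hub's "sh dmvpn" output shown above.
SAMPLE_HUB = """\
Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 20.0.0.2        172.20.10.2    UP 00:08:21     D
     1 30.0.0.2        172.20.10.3    UP 00:08:12     D
"""

# One NHRP peer row: entries, NBMA (public) address, tunnel address, state, up/down time, attribute.
PEER_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_show_dmvpn(text):
    """Return {'type': 'Hub'|'Spoke'|None, 'peers': [{nbma, tunnel, state, attrb}, ...]}."""
    result = {"type": None, "peers": []}
    for line in text.splitlines():
        m = re.search(r"Type:(Hub|Spoke)", line)
        if m:
            result["type"] = m.group(1)
            continue
        m = PEER_RE.match(line)
        if m:
            _, nbma, tunnel, state, _, attrb = m.groups()
            result["peers"].append({"nbma": nbma, "tunnel": tunnel, "state": state, "attrb": attrb})
    return result

def check_spokes(parsed, expected):
    """Compare hub peers with the expected {tunnel address: NBMA address} map.
    Returns a list of problems; [] means every expected spoke is UP from its known address."""
    problems = []
    seen = {p["tunnel"]: p for p in parsed["peers"]}
    for tunnel, nbma in expected.items():
        p = seen.get(tunnel)
        if p is None:
            problems.append(f"{tunnel}: not registered")
        elif p["state"] != "UP":
            problems.append(f"{tunnel}: state {p['state']}")
        elif p["nbma"] != nbma:
            # With a wildcard PSK, a registration from an unknown NBMA address deserves an alert.
            problems.append(f"{tunnel}: registered from {p['nbma']}, expected {nbma}")
    for tunnel, p in seen.items():
        if tunnel not in expected:
            problems.append(f"{tunnel}: unexpected peer from {p['nbma']}")
    return problems
```

The same parser works on a spoke's output, where the single expected peer is the hub at 10.0.0.2 / 172.20.10.1.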
This completes goals 1 and 2: we have a DMVPN cloud on the DC router and the site routers are connected to this cloud. There is no spoke-to-spoke tunnel between the routers at site A and site B, which means this setup is a Phase 1 DMVPN implementation. The next part is about implementing dynamic routing using OSPF.
OSPF Configuration On DC Router = "dc-gw1"
router ospf 100
 redistribute connected subnets route-map ospf-redistribute
 network 172.20.10.0 0.0.0.255 area 0
route-map ospf-redistribute permit 10
 match interface GigabitEthernet2
route-map ospf-redistribute permit 20
 match interface GigabitEthernet3
OSPF Configuration On Site A Router = "site-a-gw1"
router ospf 100
 log-adjacency-changes
 redistribute connected subnets route-map ospf-redistribute
 network 172.20.10.0 0.0.0.255 area 0
route-map ospf-redistribute permit 10
 match interface GigabitEthernet1/0
OSPF Configuration On Site B Router = "site-b-gw1"
router ospf 100
 log-adjacency-changes
 redistribute connected subnets route-map ospf-redistribute
 network 172.20.10.0 0.0.0.255 area 0
route-map ospf-redistribute permit 10
 match interface GigabitEthernet1/0
This OSPF configuration is basic and uses a single area; it distributes routes between the DC router and the site routers.
I had configured a route map matching the interfaces that connect the DC servers and the site LANs, and these route maps are used for redistribution of connected subnets into OSPF. This also avoids redistributing the subnets configured on the Internet-side interfaces.
Routes Learned By DC Router = "dc-gw1"
dc-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.10.1      0   FULL/  -        00:01:43    172.20.10.2     Tunnel1
192.168.20.1      0   FULL/  -        00:01:52    172.20.10.3     Tunnel1
dc-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.0.0.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/29 is directly connected, GigabitEthernet1
L        10.0.0.2/32 is directly connected, GigabitEthernet1
      100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.1/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet3
L        100.0.20.1/32 is directly connected, GigabitEthernet3
      172.20.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.20.10.0/24 is directly connected, Tunnel1
L        172.20.10.1/32 is directly connected, Tunnel1
O        172.20.10.2/32 [110/1000] via 172.20.10.2, 00:11:09, Tunnel1
O        172.20.10.3/32 [110/1000] via 172.20.10.3, 00:07:07, Tunnel1
O E2  192.168.10.0/24 [110/20] via 172.20.10.2, 00:11:09, Tunnel1
O E2  192.168.20.0/24 [110/20] via 172.20.10.3, 00:07:07, Tunnel1
dc-gw1#
Routes Learned By Site A Router = "site-a-gw1"
site-a-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.20.10.1       0   FULL/  -        00:01:50    172.20.10.1     Tunnel1
site-a-gw1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 20.0.0.1 to network 0.0.0.0

     100.0.0.0/24 is subnetted, 2 subnets
O E2    100.0.10.0 [110/20] via 172.20.10.1, 00:22:03, Tunnel1
O E2    100.0.20.0 [110/20] via 172.20.10.1, 00:22:03, Tunnel1
     20.0.0.0/30 is subnetted, 1 subnets
C       20.0.0.0 is directly connected, GigabitEthernet0/0
C    192.168.10.0/24 is directly connected, GigabitEthernet1/0
     172.20.0.0/16 is variably subnetted, 3 subnets, 2 masks
O       172.20.10.3/32 [110/2000] via 172.20.10.1, 00:21:27, Tunnel1
C       172.20.10.0/24 is directly connected, Tunnel1
O       172.20.10.1/32 [110/1000] via 172.20.10.1, 00:22:03, Tunnel1
O E2 192.168.20.0/24 [110/20] via 172.20.10.1, 00:21:27, Tunnel1
S*   0.0.0.0/0 [1/0] via 20.0.0.1
site-a-gw1#
Routes Learned By Site B Router = "site-b-gw1"
site-b-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.20.10.1       0   FULL/  -        00:01:47    172.20.10.1     Tunnel1
site-b-gw1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 30.0.0.1 to network 0.0.0.0

     100.0.0.0/24 is subnetted, 2 subnets
O E2    100.0.10.0 [110/20] via 172.20.10.1, 00:25:52, Tunnel1
O E2    100.0.20.0 [110/20] via 172.20.10.1, 00:25:52, Tunnel1
O E2 192.168.10.0/24 [110/20] via 172.20.10.1, 00:25:52, Tunnel1
     172.20.0.0/16 is variably subnetted, 3 subnets, 2 masks
O       172.20.10.2/32 [110/2000] via 172.20.10.1, 00:25:52, Tunnel1
C       172.20.10.0/24 is directly connected, Tunnel1
O       172.20.10.1/32 [110/1000] via 172.20.10.1, 00:25:52, Tunnel1
C    192.168.20.0/24 is directly connected, GigabitEthernet1/0
     30.0.0.0/30 is subnetted, 1 subnets
C       30.0.0.0 is directly connected, GigabitEthernet0/0
S*   0.0.0.0/0 [1/0] via 30.0.0.1
site-b-gw1#
Here are ping results that show connectivity between the app server in the DC and the user computers in the branch sites.
app1> ping 192.168.10.10
84 bytes from 192.168.10.10 icmp_seq=1 ttl=62 time=155.031 ms
84 bytes from 192.168.10.10 icmp_seq=2 ttl=62 time=103.521 ms
84 bytes from 192.168.10.10 icmp_seq=3 ttl=62 time=120.024 ms
84 bytes from 192.168.10.10 icmp_seq=4 ttl=62 time=251.551 ms
84 bytes from 192.168.10.10 icmp_seq=5 ttl=62 time=55.011 ms
app1> ping 192.168.20.10
84 bytes from 192.168.20.10 icmp_seq=1 ttl=62 time=400.080 ms
84 bytes from 192.168.20.10 icmp_seq=2 ttl=62 time=163.033 ms
84 bytes from 192.168.20.10 icmp_seq=3 ttl=62 time=158.531 ms
84 bytes from 192.168.20.10 icmp_seq=4 ttl=62 time=232.546 ms
84 bytes from 192.168.20.10 icmp_seq=5 ttl=62 time=294.059 ms
app1>
Here are ping and traceroute results that show connectivity from the user computer in site A to the user computer in site B. Traffic from the site A user computer goes to the site A router (192.168.10.1), then to the DC router (172.20.10.1), then to the site B router (172.20.10.3). There is no spoke-to-spoke tunnel, and traffic between branch sites (spokes) is via the DC (hub).
VPCS> ping 192.168.20.10
84 bytes from 192.168.20.10 icmp_seq=1 ttl=61 time=84.017 ms
84 bytes from 192.168.20.10 icmp_seq=2 ttl=61 time=68.014 ms
84 bytes from 192.168.20.10 icmp_seq=3 ttl=61 time=74.015 ms
84 bytes from 192.168.20.10 icmp_seq=4 ttl=61 time=94.019 ms
84 bytes from 192.168.20.10 icmp_seq=5 ttl=61 time=62.013 ms
VPCS> trace 192.168.20.10
trace to 192.168.20.10, 8 hops max, press Ctrl+C to stop
 1   192.168.10.1   8.502 ms  5.501 ms  13.503 ms
 2   172.20.10.1   31.506 ms  35.007 ms  31.506 ms
 3   172.20.10.3   55.511 ms  60.012 ms  68.513 ms
 4   *192.168.20.10   78.516 ms (ICMP type:3, code:3, Destination port unreachable)
VPCS>
And here are ping and traceroute results that show connectivity from the user computer in site B to the user computer in site A. Traffic from the site B user computer goes to the site B router (192.168.20.1), then to the DC router (172.20.10.1), then to the site A router (172.20.10.2). There is no spoke-to-spoke tunnel, and traffic between branch sites (spokes) is via the DC (hub).
VPCS> ping 192.168.10.10
84 bytes from 192.168.10.10 icmp_seq=1 ttl=61 time=120.524 ms
84 bytes from 192.168.10.10 icmp_seq=2 ttl=61 time=175.535 ms
84 bytes from 192.168.10.10 icmp_seq=3 ttl=61 time=143.528 ms
84 bytes from 192.168.10.10 icmp_seq=4 ttl=61 time=117.023 ms
84 bytes from 192.168.10.10 icmp_seq=5 ttl=61 time=184.537 ms
VPCS> trace 192.168.10.10
trace to 192.168.10.10, 8 hops max, press Ctrl+C to stop
 1   192.168.20.1   24.505 ms  27.505 ms  12.002 ms
 2   172.20.10.1   77.516 ms  73.515 ms  58.012 ms
 3   172.20.10.2   95.519 ms  95.519 ms  75.515 ms
 4   *192.168.10.10   147.029 ms (ICMP type:3, code:3, Destination port unreachable)
VPCS>
These traceroute results show that this setup is a Phase 1 DMVPN implementation. This completes goal 3 and is the end of Part 7 of this series; we have seen a DMVPN Phase 1 cloud setup with OSPF as the dynamic routing protocol, and its sample configuration. Anyone working on a DMVPN setup using Cisco routers with IOS XE may use this configuration.
In the next article, we will be configuring Phase 3 Dynamic Multipoint VPN (DMVPN) tunnels.
Link to the next article in this series = Part 8 - Single Tier Phase 3 Dynamic Multipoint VPN (DMVPN) Cloud
I hope you find this helpful.