IPsec VPN Configuration On Cisco IOS XE - Part 8 - Single Tier Phase 3 Dynamic Multipoint VPN (DMVPN) Cloud

Santosh Salunke, Network Security Lead
Edited by: Andrew Leniart
This article is about building Dynamic Multipoint VPN tunnels on a Cisco CSR1000V router running IOS XE.
Two spoke routers connect to a single-tier Phase 3 DMVPN cloud hosted on the CSR1000V router.

This is the eighth article in a series about configuring VPN tunnels in IOS XE. [ Link to Part 1 ] [ Link to Part 2 ] [ Link to Part 3 ] [ Link to Part 4 ] [ Link to Part 5 ] [ Link to Part 6 ] [ Link to Part 7 ]


In the previous part, I configured a Phase 1 DMVPN cloud. In this article, I will show how to build a Phase 3 Dynamic Multipoint VPN (DMVPN) cloud with OSPF as the dynamic routing protocol.

This is an imaginary setup of a company which has a Data Centre (DC) with application and storage servers, and two sites (A and B) that connect to the DC via IPsec VPN tunnels with the Internet as the underlay. IP addresses, device connections and the OSPF area are as shown in the diagram.


The goals of this scenario are:
1) Create a DMVPN cloud on "dc-gw1" and connect the routers "site-a-gw1" and "site-b-gw1" to it.

2) Build it as Phase 3 DMVPN: a hub-and-spoke cloud in which spokes also build dynamic spoke-to-spoke tunnels.
3) Configure dynamic routing between the DC and site routers.




Router IOS versions used for this setup are:
dc-gw1 = Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
site-a-gw1 and site-b-gw1 = Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)




I have configured interface IPs on the DC router and the site routers and a default route towards the Internet router. This simulates the underlay Internet links for the DC and the sites.


Interface And Route Configuration On DC Router = "dc-gw1"


interface GigabitEthernet1
platform ring rx 256
ip address 10.0.0.2 255.255.255.248
negotiation auto

interface GigabitEthernet2
platform ring rx 256
ip address 100.0.10.1 255.255.255.0
ip mtu 1400
negotiation auto

interface GigabitEthernet3
platform ring rx 256
ip address 100.0.20.1 255.255.255.0
ip mtu 1400
negotiation auto

ip route 0.0.0.0 0.0.0.0 10.0.0.1


Interface And Route Configuration On Site A Router = "site-a-gw1"


interface GigabitEthernet0/0
ip address 20.0.0.2 255.255.255.252
duplex full
speed 1000
media-type gbic
negotiation auto

interface GigabitEthernet1/0
ip address 192.168.10.1 255.255.255.0
negotiation auto

ip route 0.0.0.0 0.0.0.0 20.0.0.1


Interface And Route Configuration On Site B Router = "site-b-gw1"


interface GigabitEthernet0/0
ip address 30.0.0.2 255.255.255.252
duplex full
speed 1000
media-type gbic
negotiation auto

interface GigabitEthernet1/0
ip address 192.168.20.1 255.255.255.0
negotiation auto

ip route 0.0.0.0 0.0.0.0 30.0.0.1


Next is creating the DMVPN cloud on the DC router and connecting the site routers to it. Three points about the configuration below are worth keeping in mind. The pre-shared key "acme" is bound to a wildcard peer address (0.0.0.0 0.0.0.0), which is what lets the hub accept IKE from any spoke without knowing its address in advance; the flip side is that anyone holding that one key can bring up an IKE/IPsec session and register with the hub, so for production use per-peer keys or, better, certificate (PKI) authentication. "ip nhrp authentication" is a cleartext string carried in NHRP packets, not cryptographic authentication: it only keeps NHRP from mixing up clouds, and the real protection is the IPsec profile applied with "tunnel protection". Finally, "tunnel key" is carried in the GRE header and must match on every peer, whereas "ip nhrp network-id" is locally significant (it is not sent in NHRP packets), so the different value on site B below still works, but keeping it the same on every member of the cloud avoids confusion.

DMVPN Configuration On DC Router = "dc-gw1"


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto isakmp key acme address 0.0.0.0 0.0.0.0

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
mode tunnel

crypto ipsec profile tunnel-to-site
set transform-set AES-256-SHA

interface Tunnel1
description DMVPN Tunnel to Sites
ip address 172.20.10.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication acme
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp redirect
ip ospf network point-to-multipoint
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile tunnel-to-site


DMVPN Configuration On Site A Router = "site-a-gw1"


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key acme address 0.0.0.0 0.0.0.0

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac

crypto ipsec profile tunnel-to-dc
set transform-set AES-256-SHA

interface Tunnel1
description DMVPN Tunnel to DC
ip address 172.20.10.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication acme
ip nhrp map 172.20.10.1 10.0.0.2
ip nhrp map multicast 10.0.0.2
ip nhrp network-id 1
ip nhrp nhs 172.20.10.1
ip nhrp shortcut
ip ospf network point-to-multipoint
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile tunnel-to-dc


DMVPN Configuration On Site B Router = "site-b-gw1"


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14

crypto isakmp key acme address 0.0.0.0 0.0.0.0

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac

crypto ipsec profile tunnel-to-dc
set transform-set AES-256-SHA

interface Tunnel1
description DMVPN Tunnel to DC
ip address 172.20.10.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication acme
ip nhrp map multicast 10.0.0.2
ip nhrp map 172.20.10.1 10.0.0.2
ip nhrp network-id 2
ip nhrp nhs 172.20.10.1
ip nhrp shortcut
ip ospf network point-to-multipoint
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile tunnel-to-dc
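The following added example is not from the article or from Cisco; it is a small Python audit of the three configurations above, with the hub's crypto and Tunnel1 lines embedded as constructed input and the spoke configs derived from them the way the article's differ (nhs/shortcut instead of redirect, site B with network-id 2). It parses the flat IOS text, flags the wildcard pre-shared key and the ISAKMP policy with no explicit hash (IOS defaults to SHA-1), confirms that the hub carries "ip nhrp redirect" and the spokes "ip nhrp shortcut", and checks across the cloud that "tunnel key" and "ip nhrp authentication" agree while reporting a differing network-id as informational only. Severities and messages are my own choices.

```python
# Constructed sample: the hub's crypto and Tunnel1 lines from the article; the
# spoke configs are derived from it the way the article's differ (nhs/shortcut
# instead of redirect), and site B keeps the article's "ip nhrp network-id 2".
HUB_CFG = """\
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key acme address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
interface Tunnel1
ip nhrp authentication acme
ip nhrp network-id 1
ip nhrp redirect
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile tunnel-to-site
"""
CONFIGS = {"dc-gw1": HUB_CFG}
CONFIGS["site-a-gw1"] = HUB_CFG.replace("ip nhrp redirect",
                                        "ip nhrp nhs 172.20.10.1\nip nhrp shortcut")
CONFIGS["site-b-gw1"] = CONFIGS["site-a-gw1"].replace("network-id 1", "network-id 2")

SECTION_STARTS = ("crypto isakmp policy", "crypto ipsec transform-set",
                  "crypto ipsec profile", "interface ", "router ", "route-map ")
GLOBAL_STARTS = ("crypto isakmp key", "ip route")  # one-line global commands

def parse(cfg):
    """Flat (unindented) IOS text -> {section header: [sub-commands]}. A header
    opens a section that lasts until the next header, blank line or global one-liner."""
    sections, current = {"global": []}, "global"
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith(GLOBAL_STARTS):
            current = "global"
            if line:
                sections["global"].append(line)
        elif line.startswith(SECTION_STARTS):
            current, sections[line] = line, []
        else:
            sections[current].append(line)
    return sections

def arg(lines, cmd):
    """Argument text of the first sub-command matching cmd ('' if bare), else None."""
    for line in lines:
        if line == cmd or line.startswith(cmd + " "):
            return line[len(cmd):].strip()
    return None

def mgre_tunnel(sections):
    """(name, sub-commands) of the first interface in 'tunnel mode gre multipoint'."""
    for name, lines in sections.items():
        if name.startswith("interface ") and "tunnel mode gre multipoint" in lines:
            return name, lines
    return None, []

def audit_device(name, cfg):
    """Findings for one router as (severity, device, message) tuples."""
    s, out = parse(cfg), []
    for line in s["global"]:
        # IOS stores a wildcard PSK as 'address 0.0.0.0 0.0.0.0'; accept both spellings
        if line.startswith("crypto isakmp key") and \
                line.endswith((" address 0.0.0.0", " address 0.0.0.0 0.0.0.0")):
            out.append(("HIGH", name, "wildcard pre-shared key: any host that knows "
                        "the key can bring up IKE with this router"))
    for sec, lines in s.items():
        if sec.startswith("crypto isakmp policy") and arg(lines, "hash") is None:
            out.append(("MEDIUM", name, f"{sec}: no 'hash' set, IOS defaults to SHA-1"))
    tun, lines = mgre_tunnel(s)
    if tun is None:
        return out + [("HIGH", name, "no mGRE tunnel interface found")]
    if arg(lines, "tunnel protection") is None:
        out.append(("HIGH", name, f"{tun}: no 'tunnel protection', GRE/NHRP sent in clear"))
    is_spoke = arg(lines, "ip nhrp nhs") is not None
    if is_spoke and arg(lines, "ip nhrp shortcut") is None:
        out.append(("MEDIUM", name, f"{tun}: spoke lacks 'ip nhrp shortcut' (Phase 3)"))
    if not is_spoke and arg(lines, "ip nhrp redirect") is None:
        out.append(("MEDIUM", name, f"{tun}: hub lacks 'ip nhrp redirect' (Phase 3)"))
    return out

def audit(configs):
    """All per-device findings plus cross-peer consistency checks for the cloud."""
    findings, seen = [], {}
    for name, cfg in configs.items():
        findings.extend(audit_device(name, cfg))
        _, lines = mgre_tunnel(parse(cfg))
        seen[name] = {k: arg(lines, k) for k in
                      ("tunnel key", "ip nhrp authentication", "ip nhrp network-id")}
    for key, sev, note in (
        ("tunnel key", "HIGH", "GRE key is checked on every peer"),
        ("ip nhrp authentication", "HIGH", "NHRP auth string must match everywhere"),
        ("ip nhrp network-id", "INFO", "locally significant, but keep it uniform"),
    ):
        values = {d: v[key] for d, v in seen.items()}
        if len(set(values.values())) > 1:
            findings.append((sev, "cloud", f"{key} differs: {values} ({note})"))
    return findings
```

Run `audit(CONFIGS)` against the sample: every router gets the wildcard-PSK and default-hash findings, the cloud gets one INFO line for the network-id mismatch, and nothing else fires. Drop "ip nhrp shortcut" from a spoke or change its tunnel key and the corresponding MEDIUM/HIGH findings appear.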


DMVPN Status On DC Router = "dc-gw1"


dc-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 20.0.0.2            172.20.10.2    UP 00:47:50     D
1 30.0.0.2            172.20.10.3    UP 00:50:25     D

dc-gw1#sh ip nhrp
172.20.10.2/32 via 172.20.10.2
Tunnel1 created 00:50:04, expire 01:51:55
Type: dynamic, Flags: unique registered used nhop
NBMA address: 20.0.0.2
172.20.10.3/32 via 172.20.10.3
Tunnel1 created 00:50:32, expire 01:49:18
Type: dynamic, Flags: unique registered used nhop
NBMA address: 30.0.0.2
dc-gw1#


DMVPN Status On Site A Router = "site-a-gw1"


site-a-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1        10.0.0.2     172.20.10.1    UP 00:55:05     S
2        30.0.0.2     172.20.10.3    UP 00:03:42     D
172.20.10.3    UP 00:03:42     D

site-a-gw1#sh ip nhrp
172.20.10.1/32 via 172.20.10.1
Tunnel1 created 00:55:12, never expire
Type: static, Flags: used
NBMA address: 10.0.0.2
172.20.10.3/32 via 172.20.10.3
Tunnel1 created 00:03:47, expire 01:56:12
Type: dynamic, Flags: router implicit
NBMA address: 30.0.0.2
192.168.10.0/24 via 172.20.10.2
Tunnel1 created 00:03:47, expire 01:56:12
Type: dynamic, Flags: router unique local
NBMA address: 20.0.0.2
(no-socket)
192.168.20.0/24 via 172.20.10.3
Tunnel1 created 00:03:48, expire 01:56:11
Type: dynamic, Flags: router
NBMA address: 30.0.0.2
site-a-gw1#


DMVPN Status On Site B Router = "site-b-gw1"


site-b-gw1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1        10.0.0.2     172.20.10.1    UP 00:56:10     S
2        20.0.0.2     172.20.10.2    UP 00:02:11     D
172.20.10.2    UP 00:02:11     D

site-b-gw1#sh ip nhrp
172.20.10.1/32 via 172.20.10.1
Tunnel1 created 00:56:19, never expire
Type: static, Flags: used
NBMA address: 10.0.0.2
172.20.10.2/32 via 172.20.10.2
Tunnel1 created 00:02:19, expire 01:57:41
Type: dynamic, Flags: router implicit
NBMA address: 20.0.0.2
192.168.10.0/24 via 172.20.10.2
Tunnel1 created 00:02:17, expire 01:57:42
Type: dynamic, Flags: router
NBMA address: 20.0.0.2
192.168.20.0/24 via 172.20.10.3
Tunnel1 created 00:02:18, expire 01:57:41
Type: dynamic, Flags: router unique local
NBMA address: 30.0.0.2
(no-socket)
site-b-gw1#


This completes goals 1 and 2: there is a DMVPN cloud on the DC router and both site routers are registered with it. The dynamic ("D") entry for 30.0.0.2 / 172.20.10.3 on site-a-gw1 (and for 20.0.0.2 / 172.20.10.2 on site-b-gw1) is a spoke-to-spoke tunnel. A spoke-to-spoke tunnel on its own does not prove Phase 3 (Phase 2 builds them too); the Phase 3 signature is in "sh ip nhrp": site A holds an entry for the remote LAN prefix 192.168.20.0/24 via 172.20.10.3 (and site B for 192.168.10.0/24 via 172.20.10.2), installed after the hub sent an NHRP redirect and the spoke resolved the prefix directly. These entries expire (roughly two hours here, the default NHRP hold time) and are rebuilt on demand. The next part is about implementing dynamic routing using OSPF.
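As an added example (not part of the original article), the Python below parses the "sh dmvpn" and "sh ip nhrp" output shown above for site-a-gw1 (embedded as constructed sample text) and decides whether the spoke is in a healthy Phase 3 state: hub registration UP, at least one dynamic spoke-to-spoke peer, and an NHRP shortcut entry for a remote LAN prefix. It also handles the two-line form IOS prints when a single NBMA peer has more than one NHRP entry, and treats "(no-socket)" entries (the spoke's own local prefixes) as not being shortcuts.

```python
import re

# Constructed sample: the "sh dmvpn" and "sh ip nhrp" output the article shows
# on site-a-gw1 after traffic to site B has pulled up the spoke-to-spoke tunnel.
SHOW_DMVPN = """\
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1        10.0.0.2     172.20.10.1    UP 00:55:05     S
     2        30.0.0.2     172.20.10.3    UP 00:03:42     D
                           172.20.10.3    UP 00:03:42     D
"""
SHOW_NHRP = """\
172.20.10.1/32 via 172.20.10.1
   Tunnel1 created 00:55:12, never expire
   Type: static, Flags: used
   NBMA address: 10.0.0.2
172.20.10.3/32 via 172.20.10.3
   Tunnel1 created 00:03:47, expire 01:56:12
   Type: dynamic, Flags: router implicit
   NBMA address: 30.0.0.2
192.168.10.0/24 via 172.20.10.2
   Tunnel1 created 00:03:47, expire 01:56:12
   Type: dynamic, Flags: router unique local
   NBMA address: 20.0.0.2
    (no-socket)
192.168.20.0/24 via 172.20.10.3
   Tunnel1 created 00:03:48, expire 01:56:11
   Type: dynamic, Flags: router
   NBMA address: 30.0.0.2
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
PEER = re.compile(rf"^\s*\d+\s+({IP})\s+({IP})\s+(\w+)\s+\S+\s+(\w)\s*$")
CONT = re.compile(rf"^\s+({IP})\s+(\w+)\s+\S+\s+(\w)\s*$")  # 2nd row of a '# Ent' > 1 peer

def parse_show_dmvpn(text):
    """Peer rows of 'show dmvpn' as dicts; continuation rows (which omit the
    NBMA column when one NBMA peer has several entries) inherit the last NBMA."""
    peers, nbma = [], None
    for line in text.splitlines():
        m = PEER.match(line)
        if m:
            nbma, tun, state, attrb = m.groups()
        else:
            m = CONT.match(line)
            if not m or nbma is None:
                continue
            tun, state, attrb = m.groups()
        peers.append({"nbma": nbma, "tunnel": tun, "state": state, "attrb": attrb})
    return peers

def parse_show_nhrp(text):
    """Entries of 'show ip nhrp' as dicts: prefix, via, type, flags, nbma, socket."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(rf"^({IP}/\d+) via ({IP})", line)
        if m:
            cur = {"prefix": m.group(1), "via": m.group(2), "type": None,
                   "flags": set(), "nbma": None, "socket": True}
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Type:"):
            t, _, flags = line.partition(", Flags:")
            cur["type"], cur["flags"] = t.split()[1].rstrip(","), set(flags.split())
        elif line.startswith("NBMA address:"):
            cur["nbma"] = line.split()[-1]
        elif line == "(no-socket)":  # local prefix: no IPsec SA behind this entry
            cur["socket"] = False
    return entries

def phase3_check(peers, entries):
    """Spoke-side health: hub registration up, spoke-to-spoke tunnels up, and
    NHRP shortcut entries for remote LAN prefixes (the Phase 3 signature)."""
    hub_nbma = {p["nbma"] for p in peers if p["attrb"] == "S"}
    hub_up = any(p["attrb"] == "S" and p["state"] == "UP" for p in peers)
    spokes = sorted({p["nbma"] for p in peers if p["attrb"] == "D"
                     and p["state"] == "UP" and p["nbma"] not in hub_nbma})
    # A shortcut is a dynamic 'router' entry for a remote (non-local, socketed)
    # prefix; the /32 'implicit' entry is only the peer's own tunnel address.
    shortcuts = sorted(e["prefix"] for e in entries
                       if e["type"] == "dynamic" and "router" in e["flags"]
                       and "local" not in e["flags"] and e["socket"]
                       and not e["prefix"].endswith("/32"))
    return {"hub_up": hub_up, "spoke_peers": spokes, "shortcut_prefixes": shortcuts,
            "phase3_active": hub_up and bool(spokes) and bool(shortcuts)}
```

On the sample, `phase3_check(parse_show_dmvpn(SHOW_DMVPN), parse_show_nhrp(SHOW_NHRP))` reports the hub up, 30.0.0.2 as a spoke peer and 192.168.20.0/24 as the shortcut prefix. Before any site-to-site traffic has flowed, the same check shows the hub up but no spoke peers and no shortcuts, which is the expected idle state of a Phase 3 spoke, not a fault.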

OSPF Configuration On DC Router = "dc-gw1"


router ospf 100
redistribute connected subnets route-map ospf-redistribute
network 172.20.10.0 0.0.0.255 area 0

route-map ospf-redistribute permit 10
match interface GigabitEthernet2

route-map ospf-redistribute permit 20
match interface GigabitEthernet3


OSPF Configuration On Site A Router = "site-a-gw1"


router ospf 100
log-adjacency-changes
redistribute connected subnets route-map ospf-redistribute
network 172.20.10.0 0.0.0.255 area 0

route-map ospf-redistribute permit 10
match interface GigabitEthernet1/0


OSPF Configuration On Site B Router = "site-b-gw1"


router ospf 100
log-adjacency-changes
redistribute connected subnets route-map ospf-redistribute
network 172.20.10.0 0.0.0.255 area 0

route-map ospf-redistribute permit 10
match interface GigabitEthernet1/0


This OSPF configuration is basic, with a single area; it distributes routes between the DC router and the site routers over the tunnel, which is configured as an OSPF point-to-multipoint network so that the hub does not need to be elected DR.


I have configured a route map matching the interfaces that connect the DC servers and the site LANs, and these route maps control which connected subnets are redistributed into OSPF. This keeps the subnets configured on the Internet-side interfaces out of OSPF. That matters for more than tidiness: if a spoke learned the hub's tunnel source address (10.0.0.2) through the tunnel, it would try to reach the tunnel endpoint via the tunnel itself, and IOS would take the tunnel down for recursive routing.
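To show what the route-map filter protects against, here is an added example (not from the article) in Python: it parses site-a-gw1's "sh ip route" output as shown later on this page (embedded as constructed sample text), resolves each tunnel endpoint's NBMA address (the article's 10.0.0.2, 20.0.0.2 and 30.0.0.2, listed here as an assumption) by longest-prefix match, and flags any endpoint whose best route points back into Tunnel1, which is the recursive-routing condition that would appear if the Internet-side subnets were redistributed.

```python
import ipaddress
import re

# Constructed sample: site-a-gw1's "sh ip route" from the article. The tunnel
# endpoints are the article's NBMA addresses (hub 10.0.0.2, spokes 20.0.0.2 and
# 30.0.0.2); the tunnel interface name is Tunnel1 as on the page.
SHOW_ROUTE = """\
Gateway of last resort is 20.0.0.1 to network 0.0.0.0

     100.0.0.0/24 is subnetted, 2 subnets
O E2    100.0.10.0 [110/20] via 172.20.10.1, 00:50:18, Tunnel1
O E2    100.0.20.0 [110/20] via 172.20.10.1, 00:50:18, Tunnel1
     20.0.0.0/30 is subnetted, 1 subnets
C       20.0.0.0 is directly connected, GigabitEthernet0/0
C    192.168.10.0/24 is directly connected, GigabitEthernet1/0
     172.20.0.0/16 is variably subnetted, 3 subnets, 2 masks
O       172.20.10.3/32 [110/2000] via 172.20.10.1, 00:50:18, Tunnel1
C       172.20.10.0/24 is directly connected, Tunnel1
O       172.20.10.1/32 [110/1000] via 172.20.10.1, 00:50:18, Tunnel1
O E2 192.168.20.0/24 [110/20] via 172.20.10.1, 00:50:18, Tunnel1
S*   0.0.0.0/0 [1/0] via 20.0.0.1
"""
TUNNEL_PEERS = ["10.0.0.2", "20.0.0.2", "30.0.0.2"]  # assumption: NBMA addresses

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
HEADER = re.compile(rf"^({IP}/\d+) is (variably )?subnetted")
ROUTE = re.compile(rf"^([A-Z]\*?(?: [A-Z]{{1,2}}\d?)?)\s+({IP})(/\d+)?\s+(.*)$")

def parse_show_route(text):
    """Routes from 'show ip route' as dicts: code, network, via, iface.
    Classful 'is subnetted' headers supply the mask for the rows under them."""
    routes, hdr_mask = [], None
    for line in text.splitlines():
        line = line.strip()
        h = HEADER.match(line)
        if h:
            hdr_mask = None if h.group(2) else h.group(1).split("/")[1]
            continue
        m = ROUTE.match(line)
        if not m:
            continue
        code, addr, mask, rest = m.groups()
        mask = mask or (f"/{hdr_mask}" if hdr_mask else None)
        if mask is None:
            continue  # row without a usable mask; nothing to key on
        via = re.search(rf"via ({IP})", rest)
        iface = rest.rsplit(", ", 1)[1] if ", " in rest else None
        routes.append({"code": code, "network": ipaddress.ip_network(addr + mask),
                       "via": via.group(1) if via else None, "iface": iface})
    return routes

def lookup(routes, ip):
    """Longest-prefix match for ip, or None when no route covers it."""
    ip = ipaddress.ip_address(ip)
    hits = [r for r in routes if ip in r["network"]]
    return max(hits, key=lambda r: r["network"].prefixlen) if hits else None

def recursive_routing_check(routes, peers, tunnel="Tunnel1"):
    """True for each tunnel endpoint whose best route points into the tunnel
    itself, i.e. the endpoint would be reached through the tunnel that needs it."""
    result = {}
    for peer in peers:
        r = lookup(routes, peer)
        result[peer] = r is not None and r["iface"] == tunnel
    return result
```

With the article's routing table every endpoint resolves via the underlay (the /30 on GigabitEthernet0/0 or the static default), so nothing is flagged. Append a leaked route such as "O E2 10.0.0.0/29 ... Tunnel1" and the hub endpoint 10.0.0.2 is flagged immediately.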


Routes Learned By DC Router = "dc-gw1"


dc-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.10.1      0   FULL/  -        00:01:45    172.20.10.2     Tunnel1
192.168.20.1      0   FULL/  -        00:01:41    172.20.10.3     Tunnel1
dc-gw1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.0.0.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/29 is directly connected, GigabitEthernet1
L        10.0.0.2/32 is directly connected, GigabitEthernet1
100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.0.10.0/24 is directly connected, GigabitEthernet2
L        100.0.10.1/32 is directly connected, GigabitEthernet2
C        100.0.20.0/24 is directly connected, GigabitEthernet3
L        100.0.20.1/32 is directly connected, GigabitEthernet3
172.20.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.20.10.0/24 is directly connected, Tunnel1
L        172.20.10.1/32 is directly connected, Tunnel1
O        172.20.10.2/32 [110/1000] via 172.20.10.2, 00:48:12, Tunnel1
O        172.20.10.3/32 [110/1000] via 172.20.10.3, 00:49:34, Tunnel1
O E2  192.168.10.0/24 [110/20] via 172.20.10.2, 00:48:12, Tunnel1
O E2  192.168.20.0/24 [110/20] via 172.20.10.3, 00:49:34, Tunnel1
dc-gw1#


Routes Learned By Site A Router = "site-a-gw1"


site-a-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.20.10.1       0   FULL/  -        00:01:54    172.20.10.1     Tunnel1
site-a-gw1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 20.0.0.1 to network 0.0.0.0

100.0.0.0/24 is subnetted, 2 subnets
O E2    100.0.10.0 [110/20] via 172.20.10.1, 00:50:18, Tunnel1
O E2    100.0.20.0 [110/20] via 172.20.10.1, 00:50:18, Tunnel1
20.0.0.0/30 is subnetted, 1 subnets
C       20.0.0.0 is directly connected, GigabitEthernet0/0
C    192.168.10.0/24 is directly connected, GigabitEthernet1/0
172.20.0.0/16 is variably subnetted, 3 subnets, 2 masks
O       172.20.10.3/32 [110/2000] via 172.20.10.1, 00:50:18, Tunnel1
C       172.20.10.0/24 is directly connected, Tunnel1
O       172.20.10.1/32 [110/1000] via 172.20.10.1, 00:50:18, Tunnel1
O E2 192.168.20.0/24 [110/20] via 172.20.10.1, 00:50:18, Tunnel1
S*   0.0.0.0/0 [1/0] via 20.0.0.1
site-a-gw1#


Routes Learned By Site B Router = "site-b-gw1"


site-b-gw1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.20.10.1       0   FULL/  -        00:01:37    172.20.10.1     Tunnel1
site-b-gw1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 30.0.0.1 to network 0.0.0.0

100.0.0.0/24 is subnetted, 2 subnets
O E2    100.0.10.0 [110/20] via 172.20.10.1, 00:55:15, Tunnel1
O E2    100.0.20.0 [110/20] via 172.20.10.1, 00:55:14, Tunnel1
O E2 192.168.10.0/24 [110/20] via 172.20.10.1, 00:53:42, Tunnel1
172.20.0.0/16 is variably subnetted, 3 subnets, 2 masks
O       172.20.10.2/32 [110/2000] via 172.20.10.1, 00:53:42, Tunnel1
C       172.20.10.0/24 is directly connected, Tunnel1
O       172.20.10.1/32 [110/1000] via 172.20.10.1, 00:56:03, Tunnel1
C    192.168.20.0/24 is directly connected, GigabitEthernet1/0
30.0.0.0/30 is subnetted, 1 subnets
C       30.0.0.0 is directly connected, GigabitEthernet0/0
S*   0.0.0.0/0 [1/0] via 30.0.0.1
site-b-gw1#


Here are ping results showing connectivity between the app server in the DC and a user computer at each branch site.


app1> ping 192.168.10.10
84 bytes from 192.168.10.10 icmp_seq=1 ttl=62 time=92.018 ms
84 bytes from 192.168.10.10 icmp_seq=2 ttl=62 time=88.518 ms
84 bytes from 192.168.10.10 icmp_seq=3 ttl=62 time=58.012 ms
84 bytes from 192.168.10.10 icmp_seq=4 ttl=62 time=53.510 ms
84 bytes from 192.168.10.10 icmp_seq=5 ttl=62 time=208.042 ms

app1> ping 192.168.20.10
84 bytes from 192.168.20.10 icmp_seq=1 ttl=62 time=176.535 ms
84 bytes from 192.168.20.10 icmp_seq=2 ttl=62 time=134.026 ms
84 bytes from 192.168.20.10 icmp_seq=3 ttl=62 time=72.014 ms
84 bytes from 192.168.20.10 icmp_seq=4 ttl=62 time=117.024 ms
84 bytes from 192.168.20.10 icmp_seq=5 ttl=62 time=208.041 ms

app1>


Here are ping and traceroute results showing connectivity from a user computer in site A to a user computer in site B. Traffic from the site A user computer goes to the site A router (192.168.10.1) and then directly to the site B router (172.20.10.3), bypassing the DC router (172.20.10.1). This confirms the dynamic spoke-to-spoke tunnel between the site routers: traffic between branch sites (spokes) is direct and does not pass through the DC (hub). Note that the first packets of a new flow still go via the hub until the NHRP redirect and resolution complete and the shortcut is installed; the traceroute below was taken after that.


VPCS> ping 192.168.20.10
84 bytes from 192.168.20.10 icmp_seq=1 ttl=62 time=155.031 ms
84 bytes from 192.168.20.10 icmp_seq=2 ttl=62 time=54.011 ms
84 bytes from 192.168.20.10 icmp_seq=3 ttl=62 time=126.525 ms
84 bytes from 192.168.20.10 icmp_seq=4 ttl=62 time=97.020 ms
84 bytes from 192.168.20.10 icmp_seq=5 ttl=62 time=188.037 ms

VPCS> trace 192.168.20.10
trace to 192.168.20.10, 8 hops max, press Ctrl+C to stop
1   192.168.10.1   68.514 ms  11.502 ms  9.502 ms
2   172.20.10.3   76.015 ms  111.022 ms  69.514 ms
3   *192.168.20.10   76.016 ms (ICMP type:3, code:3, Destination port unreachable)

VPCS>


And here are ping and traceroute results showing connectivity from a user computer in site B to a user computer in site A. Traffic from the site B user computer goes to the site B router (192.168.20.1) and then directly to the site A router (172.20.10.2), again bypassing the DC router (172.20.10.1), so the spoke-to-spoke path is used in both directions.


VPCS> ping 192.168.10.10
84 bytes from 192.168.10.10 icmp_seq=1 ttl=62 time=109.522 ms
84 bytes from 192.168.10.10 icmp_seq=2 ttl=62 time=78.516 ms
84 bytes from 192.168.10.10 icmp_seq=3 ttl=62 time=90.018 ms
84 bytes from 192.168.10.10 icmp_seq=4 ttl=62 time=90.018 ms
84 bytes from 192.168.10.10 icmp_seq=5 ttl=62 time=59.512 ms

VPCS> trace 192.168.10.10
trace to 192.168.10.10, 8 hops max, press Ctrl+C to stop
1   192.168.20.1   40.508 ms  100.521 ms  66.513 ms
2   172.20.10.2   210.542 ms  81.516 ms  44.009 ms
3   *192.168.10.10   92.018 ms (ICMP type:3, code:3, Destination port unreachable)

VPCS>


These traceroute results, together with the NHRP shortcut entries seen earlier, confirm that this setup is a Phase 3 DMVPN implementation. This completes goal 3 and is the end of Part 8 of this series: we have seen a DMVPN Phase 3 cloud with OSPF as the dynamic routing protocol and its sample configuration. Anyone working on a DMVPN setup using Cisco routers with IOS XE may use this configuration as a starting point, bearing in mind the notes above on the wildcard pre-shared key.

In the next article, we will configure a two-tier DMVPN Phase 3 cloud with a dynamic routing protocol under different VRFs.


Link to Part 9 of this series here: IPsec VPN Configuration On Cisco IOS XE - Part 9 - Dual Hub Phase 3 Dynamic Multipoint VPN (DMVPN) Cloud

I hope you find this helpful.
