Beruflich Dokumente
Kultur Dokumente
Knowledge
Base
Page 1 of 5
Home
BGP
Data Center
GPON
Hadoop
IP Multicast
IPv6
IS-IS
Juniper-JUNOS
L2VPN
LAN
Link Aggregation
LTE Notes
MPLS
NAT
OAM
OSPF
Here, the interesting traffic means traffic that will be encrypted; rest
PBB
of the traffic goes unencrypted. From Site1's perspective, all the traffic
with source address from internal network 10.1.1.0/24 and destination
PPP
QoS
Security
Traffic Engineering
VPLS
VPN
Site1:
Attachments
https://sites.google.com/site/amitsciscozone/home/ipsec/site-to-site-ipsec-vpn-using-sta... 4/08/2014
Page 2 of 5
Site 2:
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
!
! The policy number is not required to match on endpoints,
however, the corresponding parameters should match.
https://sites.google.com/site/amitsciscozone/home/ipsec/site-to-site-ipsec-vpn-using-sta... 4/08/2014
Page 3 of 5
https://sites.google.com/site/amitsciscozone/home/ipsec/site-to-site-ipsec-vpn-using-sta... 4/08/2014
Page 4 of 5
router's Loopback 0 interface, the Site1 router starts the IKE Phase 1
and once that is successful, it initiates IKE Phase 2. After successful
IKE Phase 2, traffic is sent through the IPSec tunnel.
The show crypto isakmp sa command shows the current IKE SAs.
"Active" status means ISAKMP SA is in active state. The Source IP
address indicates which endpoint initiated the IKE negotiation. The
QM_IDLE mode indicates Quick Mode exchange (there is also
Aggressive Mode exchange), meaning the IPSec SA remains
authenticated and can be used for several quick mode exchanges.
state
conn-id slot
QM_IDLE
https://sites.google.com/site/amitsciscozone/home/ipsec/site-to-site-ipsec-vpn-using-sta... 4/08/2014
Page 5 of 5
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7FAD546D(2142065773)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: CRYPTO
sa timing: remaining key lifetime (k/sec):
(4596305/3584)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Sign in | Recent Site Activity | Report Abuse | Print Page | Powered By Google Sites
https://sites.google.com/site/amitsciscozone/home/ipsec/site-to-site-ipsec-vpn-using-sta... 4/08/2014
Knowledge Base
Page 1 of 9
Home
BGP
Data Center
GPON
IPSec with digital certificate provides the most secure and scalable way to implement a VPN.
Authentication in IPSec can be provided through pre-shared keys (easy to implement) or digital
Hadoop
IP Multicast
IPv6
The following scenario demonstrates IPSec VPN between two Branch routers who obtain a Digital
Certificate from a CA Server (Windows Server 2003) based in their Central Office.
IS-IS
Juniper-JUNOS
L2VPN
LAN
Link Aggregation
LTE Notes
MPLS
NAT
OAM
OSPF
PBB
PPP
QoS
Security
Traffic Engineering
VPLS
VPN
Attachments
First step is to obtain a digital certificate from the trusted CA Server. This requires a hostname and
domain-name on both Branch routers. It also requires time synchronization between routers and CA
Server.
hostname Branch1
ip domain-name amit.com
!
ntp server 192.168.1.9
Then we generate general-purpose RSA keys. This process generates a Public Key and a Private
Key.
Branch1(config)# crypto key generate rsa general-keys modulus 1024 label BRANCH_KEY
exportable
! generating a general-purpose key pair of 1024 bits labelled as
BRANCH_KEY.
After creating the trustpoint, we request the CA Certificate for this trustpoint. This is to validate the CA
Server.
https://sites.google.com/site/amitsciscozone/home/ipsec/site-to-site-ipsec-vpn-using-di...
4/08/2014
Page 2 of 9
And the last step in the process of obtaining certificate is to actually request a digital certificate from
the CA Server for the router itself using crypto pki enroll WIN2003 command. The CA Server will
generate a unique digital certificate for each routers.
The following output shows the digital certificates available on the routers.
https://sites.google.com/site/amitsciscozone/home/ipsec/site-to-site-ipsec-vpn-using-di...
4/08/2014
Page 3 of 9
IKE Phase 1 policies can be verified using show crypto isakmp policy command.
The transform-set can be verified using show crypto ipsec transform-set command.
https://sites.google.com/site/amitsciscozone/home/ipsec/site-to-site-ipsec-vpn-using-di...
4/08/2014
Page 4 of 9
Verification
When Branch1 router initiates a Ping to remote LAN using the source-interface as its LAN interface,
the traffic matches the ACL and is considered interesting traffic. IKE Phase 1 begins at this stage. No
traffic is sent successfully until IKE Phase 1 and 2 are successfully completed.
The purpose of IKE Phase 1 is to establish a secure communication channel (sometimes called
management connection) and generate keys for IPSec.
Branch1 router initiates IKE negotiation by sending a Policy Proposal message to its peer. This
message contains one or more IKE policies containing parameters such as encryption algorithm,
authentication method, hash algorithm, Diffie-Hellman group and SA lifetime. The peer router
examines the IKE policy information and attempts to find a match within its own locally configured IKE
policies. It responds with a Policy Acceptance message of acceptance of one of the sender's policies.
The IKE policy is now negotiated.
6
6
6
6
6
6
6
6
6
6
6
6
6
6
10:21:50.071:
10:21:50.071:
10:21:50.071:
10:21:50.071:
10:21:50.075:
10:21:50.075:
10:21:50.087:
10:21:50.087:
10:21:50.091:
10:21:50.091:
10:21:50.095:
10:21:50.095:
10:21:50.095:
10:21:50.095:
MM_NO_STATE
Jun
Jun
(I) MM_NO_STATE
peer
Jun
! Indicates Branch1 router received IKE Policy Acceptance message from remote
6
6
6
6
6
6
6
6
6
6
6
6
! Indicates
! Indicates that
Jun
Jun
Jun
Jun
Jun
Jun
6
6
6
6
6
6
Jun
Jun
https://sites.google.com/site/amitsciscozone/home/ipsec/site-to-site-ipsec-vpn-using-di...
4/08/2014
Jun
Jun
Jun
Page 5 of 9
The next two message serve to exchange Diffie-Hellman Public-Key values. Diffie-Hellman is a publickey algorithm that allows peers to exchange Public Key values over an insecure network. Combined
together with their own Private Keys, both routers derive a same shared secret key (also called
session key).
MM_SA_SETUP ! Indicates Branch1 router is sending its Diffie-Hellman Public Key and Nonce
value to remote peer
Jun
Jun
! Indicates
6 10:21:50.587: ISAKMP (0:0): received packet from 10.2.2.1 dport 500 sport 500 Global
(I) MM_SA_SETUP
! Indicates Branch1 router receives Diffie-Hellman Public Key and Nonce
value from remote peer- Branch2 router
Jun 6 10:21:50.587: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 6 10:21:50.591: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
that four messages have been exchanged successfully in IKE Phase 1
Jun 6 10:21:50.595: ISAKMP:(0): processing KE payload. message ID = 0
contains Diffie-Hellman Public Key of Branch2 router
! Indicates
! This payload
! This payload
The last two messages of IKE Phase 1 between IKE peers using RSA-Signature exchange
Identification, Digital Certificate and Digital Signature. The ID can be the peer IP Address or fully
qualified domain name (FQDN). The messages are encrypted using the encryption method negotiated
in IKE Policy and the key used is the session-key derived using Diffie-Hellman key exchange.
https://sites.google.com/site/amitsciscozone/home/ipsec/site-to-site-ipsec-vpn-using-di...
4/08/2014
Page 6 of 9
2003)
Jun 6 10:21:50.751: ISAKMP:(1001): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I)
MM_KEY_EXCH
Jun 6 10:21:50.755: ISAKMP:(1001):Sending an IKE IPv4 Packet.
Jun 6 10:21:50.755: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 6 10:21:50.759: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM5 ! Indicates
the Branch1 router has sent the fifth message of IKE Phase 1 containing the Digital
Certificate
Jun
6 10:21:51.075: ISAKMP (0:1001): received packet from 10.2.2.1 dport 500 sport 500 Global
(I) MM_KEY_EXCH
Jun
Jun
Jun
! This router has received the Digital Certificate from the peer
6
6
6
6
6
10:21:51.087:
10:21:51.143:
10:21:51.187:
10:21:51.191:
10:21:51.191:
! The CERT
! This indicates
and inserted
! Indicates
Jun
Jun
Jun
Jun
Jun 6 10:21:51.247:
Jun 6 10:21:51.251:
Jun 6 10:21:51.255:
QM_IDLE
Jun 6 10:21:51.255:
Jun 6 10:21:51.259:
Jun 6 10:21:51.259:
Jun 6 10:21:51.259:
Jun 6 10:21:51.263:
https://sites.google.com/site/amitsciscozone/home/ipsec/site-to-site-ipsec-vpn-using-di...
4/08/2014
Page 7 of 9
The completion of IKE Phase 1 can be verified using show crypto isakmp sa command.
state
QM_IDLE
At this point a bidirectional SA is established between the peers. This is used to secure IKE Phase 2
negotiations which are used to negotiate IPSec SAs.
In IKE Phase 2, three messages are exchanged between IPSec peers. IKE Phase 2 occurs in only
Quick Mode. The first message contains a Hash, IPSec proposals (configured using crypto ipsec
transform-set command), a Nonce value and ID. The Hash authenticates the message to the remote
peer. The IPSec proposals used to specify the security protocol like AH or ESP, encryption algorithm
like DES/3DES/AES, and IPSec tunnel mode like Transport mode or Tunnel mode. The Nonce value is
used to protect against replay attacks.
An additional Diffie-Hellman Key Exchange can also occur if Perfect Forward Secrecy (PFS) is enabled
in IPSec Proposal. This is configured as below. Group 1/2/5 indicates Diffie-Hellman groups.
Enabling PFS
crypto map CRYPT0 10 ipsec-isakmp
match address ACL
set peer 10.2.2.1
set transform-set TS
set pfs {group 1 | group 2 | group 5}
The ID payload contains the identities like address, port, protocol for which this IPSec SA is being
established. This is defined using crypto access-list (configured using match address <acl>
command).
The remote peer then responds with a Hash, an IPSec Proposal Acceptance, a Nonce value, and
identities. This is the second message of IKE Phase 2.
The last message contains a Hash, and it is used to acknowledge to the remote peer.
! IKE
6
6
6
6
6
10:21:51.259:
10:21:51.259:
10:21:51.259:
10:21:51.263:
10:21:51.447:
(I) QM_IDLE
Jun
Jun
Jun
Jun
Jun
Jun
Jun
Jun
Jun
Jun
Jun
6
6
6
6
6
6
6
6
6
6
6
10:21:51.451:
10:21:51.451:
10:21:51.455:
10:21:51.455:
10:21:51.455:
10:21:51.455:
10:21:51.455:
10:21:51.455:
10:21:51.459:
10:21:51.459:
10:21:51.459:
https://sites.google.com/site/amitsciscozone/home/ipsec/site-to-site-ipsec-vpn-using-di...
4/08/2014
Jun
Jun
Jun
Jun
Jun
Page 8 of 9
6
6
6
6
6
Jun 6 10:21:51.487: ISAKMP:(1001):deleting node -1512312688 error FALSE reason "No Error"
Jun 6 10:21:51.487: ISAKMP:(1001):Node -1512312688, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 6 10:21:51.487: ISAKMP:(1001):Old State = IKE_QM_I_QM1 New State =
IKE_QM_PHASE2_COMPLETE
https://sites.google.com/site/amitsciscozone/home/ipsec/site-to-site-ipsec-vpn-using-di...
4/08/2014
Page 9 of 9
All the actual data traffic is encrypted using the encryption algorithm negotiated in IPSec proposal.
Comments
You do not have permission to add comments.
Sign in | Recent Site Activity | Report Abuse | Print Page | Powered By Google Sites
https://sites.google.com/site/amitsciscozone/home/ipsec/site-to-site-ipsec-vpn-using-di...
4/08/2014
Knowledge Base
Page 1 of 6
Home
BGP
Data Center
HSRP is used to track router's interface status to achieve failover between routers.
GPON
However, no correlation exists between IPSec and HSRP, and so HSRP cannot track
Hadoop
IPSec's SA state and IPSec requires schemes in order to synchronize HSRP failover when
IP Multicast
IPv6
IS-IS
it occurs. Here, the HA for site-to-site VPN using HSRP is illustrated which is a scheme
that provides a correlation between HSRP and IPSec.
Network topology:
Juniper-JUNOS
L2VPN
LAN
Link Aggregation
LTE Notes
MPLS
NAT
OAM
OSPF
PBB
PPP
QoS
Security
Traffic Engineering
The Remote site R4 router negotiates an IPSec tunnel at the Headend site to access the
internal network behind R3 router. But, redundancy is configured using HSRP on R1 and
VPLS
R2 routers. So, R4 router initiates IPSec negotiation with the Virtual IP address
VPN
10.1.1.1/24. In case of link-failure or device-failure, the standby HSRP router takes over
the role of active router.
Attachments
Initial configuration on R1
interface fastethernet 0/0
ip address 172.16.1.1 255.255.255.0
!
interface fastethernet 0/1
ip address 10.1.1.2 255.255.255.0
standby 1 ip 10.1.1.1
standby 1 preempt
standby 1 priority 105
standby 1 timers 1 3
standby 1 track fastethernet 0/0 10
!
Initial configuration on R2
interface fastethernet 0/0
ip address 172.16.1.2 255.255.255.0
!
interface fastethernet 0/1
ip address 10.1.1.3 255.255.255.0
standby 1 ip 10.1.1.1
standby 1 preempt
standby 1 timers 1 3
standby 1 track fastethernet 0/0 10
!
https://sites.google.com/site/amitsciscozone/home/ipsec/ha-for-site-to-site-vpn-using-hsr 4/08/2014
Page 2 of 6
Initial configuration on R3
interface fastethernet 0/0
ip address 172.16.1.3 255.255.255.0
!
interface Loopback 0
ip address 192.168.1.1 255.255.255.0
!
Initial configuration on R4
interface fastethernet 0/0
ip address 172.16.2.2 255.255.255.0
!
interface Loopback 0
ip address 192.168.2.1 255.255.255.0
!
https://sites.google.com/site/amitsciscozone/home/ipsec/ha-for-site-to-site-vpn-using-hsr 4/08/2014
Page 3 of 6
authentication pre-share
hash md5
group 2
!
crypto isakmp key 0 MY_K3Y address 0.0.0.0
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto dynamic-map DM 10
set transform-set TS
match address Traffic_to_remote
reverse-route
!
ip access-list extended Traffic_to_remote
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
crypto map CRYPTO 10 ipsec-isakmp dynamic DM
!
Now, these static crypto-maps are assigned to HSRP. However, an additional information
is required- HSRP name. HSRP name is configured using standby <group-number>
name <name> command under interface configuration mode. It assigns a unique name
for HSRP group which will be used to assign along with the crypto-map.
This HSRP name when assigned to the crypto-map, forces the crypto-map to source IKE
Phase 1 and IKE Phase 2 packets off the HSRP Virtual IP address 10.1.1.1. This can be
done using crypto map <map-name> redundancy <group-name> command from
interface configuration mode.
R1 router:
interface fastethernet 0/1
standby 1 name INTERNAL
crypto map CRYPTO redundancy INTERNAL
!
R2 router:
interface fastethernet 0/1
standby 1 name INTERNAL
crypto map CRYPTO redundancy INTERNAL
https://sites.google.com/site/amitsciscozone/home/ipsec/ha-for-site-to-site-vpn-using-hsr 4/08/2014
Page 4 of 6
!
!HSRP group names should match on both routers.
RIP configuration on R3
router rip
version 2
no auto-summary
network 172.16.1.0
network 192.168.1.0
!
Before any SAs are created, the routing protocols exchange prefixes with each router.
https://sites.google.com/site/amitsciscozone/home/ipsec/ha-for-site-to-site-vpn-using-hsr 4/08/2014
Page 5 of 6
However, when R4 router attempts to ping the network 192.168.1.0/24 sourcing from its
Loopback 0 interface 192.168.2.1, it classifies as the interesting traffic and R4 negotiates
IKE Phase 1 & 2 with the peer 10.1.1.1. Here, 10.1.1.1 is the Virtual IP address of the
HSRP group and since R1 router is the active HSRP router, it will respond to R4 router's
negotiations and form the IPSec SA. Since RRI is configured on R1, it will create a static
route to 192.168.2.0/24 network with next-hop as R4's tunnel endpoint 172.16.2.2.
C
R
src
172.16.2.2
state
QM_IDLE
C
R
Now, Fastethernet 0/0 of R1 fails, HSRP fails over to R2 router and changes the HSRP
state from "standby" to "active". R4 deletes the SA since R1 relinquishes the "active" state
and R2 becomes the "active" router. This causes R2 router to respond to R4 router for
virtual IP address 10.1.1.1. R1 deletes the static route while R2 creates the same static
route and redistributes to R3 router.
D EX
D
C
10.1.1.0 is directly connected, FastEthernet0/1
D EX 192.168.1.0/24 [170/281600] via 10.1.1.3, 00:01:54, FastEthernet0/1
D EX 192.168.2.0/24 [170/307200] via 10.1.1.4, 00:00:48, FastEthernet0/1
R2# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst
10.1.1.1
src
172.16.2.2
state
QM_IDLE
https://sites.google.com/site/amitsciscozone/home/ipsec/ha-for-site-to-site-vpn-using-hsr 4/08/2014
Page 6 of 6
C
R
R
C
Although HSRP timers are tuned, it takes a lot longer for IPSec tunnel to recreate again
after failover. This method is not recommended for high-availability in IPSec VPN.
Sign in | Recent Site Activity | Report Abuse | Print Page | Powered By Google Sites
https://sites.google.com/site/amitsciscozone/home/ipsec/ha-for-site-to-site-vpn-using-hsr 4/08/2014
Knowledge Base
Page 1 of 5
Home
BGP
Data Center
GPON
Hadoop
IP Multicast
IPv6
IS-IS
Juniper-JUNOS
L2VPN
LAN
Link Aggregation
LTE Notes
MPLS
NAT
OAM
OSPF
PBB
PPP
QoS
Security
Traffic Engineering
VPLS
High-availability for IPSec VPN can also be provided using IP SLA object
tracking. Here, the remote site R4 router first attempts to set up an IPSec
tunnel with R1 router at the Central Site. When the path to reach R1 router is
unreachable, R4 router deletes IPSec SA for R1 router and tries to negotiate an
IPSec tunnel through backup path via R2 router.
All the traffic for the network behind R3 router sourced from the network behind
R4 router and vice versa will be encrypted by IPSec.
VPN
Attachments
https://sites.google.com/site/amitsciscozone/home/ipsec/ha-for-ipsec-vpn-using-ip-sla
4/08/2014
Page 2 of 5
2
isakmp key 0 MY_K3Y address 10.1.1.1
isakmp key 0 MY_K3Y address 10.1.1.5
ipsec transform-set TS esp-des esp-md5-hmac
map PRIMARY 10 ipsec-isakmp
https://sites.google.com/site/amitsciscozone/home/ipsec/ha-for-ipsec-vpn-using-ip-sla
4/08/2014
Page 3 of 5
IP SLA configuration on R4
ip sla 1
icmp-echo 10.1.1.1
timeout 1000
frequency 3
threshold 2
!
ip sla schedule 1 life forever start-time now
!
track 10 rtr 1 reachability
!
! Tagging the static route with the tracking object 10 and adjusting the
AD of the floating static route to a higher value
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1 track 10
!
ip route 0.0.0.0 0.0.0.0 172.16.1.5 254
!
The static route is available only if the status of tracking object is UP.
https://sites.google.com/site/amitsciscozone/home/ipsec/ha-for-ipsec-vpn-using-ip-sla
4/08/2014
R
R
R
R
R
Page 4 of 5
FastEthernet0/0
FastEthernet0/0
masks
FastEthernet0/0
FastEthernet0/0
FastEthernet0/0
Ping output on R4
Type escape sequence to abort.
Sending 1500, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!.
*Mar 1 02:33:52.183: %TRACKING-5-STATE: 10 rtr 1 reachability
Up->Down..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (298/303), round-trip min/avg/max = 4/108/404
ms
FastEthernet0/0
masks
FastEthernet0/0
FastEthernet0/0
ISAKMP output on R4
R4# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst
src
10.1.1.1
172.16.1.2
10.1.1.5
172.16.1.6
state
QM_IDLE
QM_IDLE
https://sites.google.com/site/amitsciscozone/home/ipsec/ha-for-ipsec-vpn-using-ip-sla
4/08/2014
Page 5 of 5
As seen above, the failover is very quick and this solution provides highavailability (HA) with great results.
Sign in | Recent Site Activity | Report Abuse | Print Page | Powered By Google Sites
https://sites.google.com/site/amitsciscozone/home/ipsec/ha-for-ipsec-vpn-using-ip-sla
4/08/2014
Knowledge Base
Page 1 of 10
Home
BGP
Data Center
GPON
Hadoop
RFC 4891 discusses about IPSec with IPv6-in-IPv4 tunnels. It points out two
IP Multicast
different types of threats with IPv6-in-IPv4 tunnels which mandates the use of IPSec.
The two types of threats are-
IPv6
IS-IS
1) The IPv4 source address of the encapsulating (outer) packet can be spoofed
Juniper-JUNOS
L2VPN
2) The IPv6 source address of the encapsulated (inner) packet can be spoofed.
LAN
Link Aggregation
RFC 4891 discusses two ways to use IPSec- in transport and tunnel modes.
LTE Notes
MPLS
NAT
OAM
OSPF
PBB
PPP
QoS
Security
Traffic Engineering
VPLS
VPN
Attachments
In transport mode, the IPSec ESP or AH SA are established to protect traffic with the
header {IPv4 Source address, IPv4 Destination address, Protocol = 41}. On receiving
an IPSec packet, the receiver applies the IPSec transform (e.g. ESP or AH) and
matches the packet against Security Parameter Index (SPI) and the inbound selectors
associated with the SA to verify that the packet is appropriate for the SA via which it
was received. The successful verification ensures that the packet came from correct
IPv4 endpoint.
The transport mode takes care of threat # 1. But IPSec in Transport mode does not
verify the payload of the IPSec packet which carries IPv6 addresses. Hence, the inner
payload can be spoofed. The packet will be decapsulated and accepted. This
shortcoming can be mitigated by Ingress filtering which is a check to ensure packet is
received on the correct interface like RPF in IP multicasting.
Network topology:
https://sites.google.com/site/amitsciscozone/home/ipsec/ipsec-with-ipv6-in-ipv4-gre-tu... 4/08/2014
Page 2 of 10
Initial configuration on R1
ipv6 unicast-routing
!
interface Loopback 0
ip address 1.1.1.1 255.255.255.255
!
interface serial 0/0
description IPv4 WAN Interface
ip address 10.1.1.1 255.255.255.252
!
interface fastethernet 0/0
description Internal IPv6 network
ipv6 address CAFE:1::1/64
!
router ospf 1
network 1.1.1.1 0.0.0.0 area 0
network 10.1.1.0 0.0.0.3 area 0
!
Initial configuration on R2
ipv6 unicast-routing
!
interface Loopback 0
ip address 2.2.2.2 255.255.255.255
!
interface serial 0/0
description IPv4 WAN Interface
ip address 10.2.2.2 255.255.255.252
!
interface fastethernet 0/0
description Internal IPv6 network
ipv6 address CAFE:2::1/64
!
router ospf 1
network 2.2.2.2 0.0.0.0 area 0
network 10.2.2.0 0.0.0.3 area 0
!
Tunnel configuration on R1
interface Tunnel 0
tunnel mode gre ip
ipv6 address 2001::1/64
tunnel source Loopback 0
tunnel destination 2.2.2.2
!
ipv6 route CAFE:2::/64 2001::2
!
Tunnel configuration on R2
https://sites.google.com/site/amitsciscozone/home/ipsec/ipsec-with-ipv6-in-ipv4-gre-tu... 4/08/2014
Page 3 of 10
interface Tunnel 0
tunnel mode gre ip
ipv6 address 2001::2/64
tunnel source Loopback 0
tunnel destination 1.1.1.1
!
ipv6 route CAFE:1::/64 2001::1
!
When traffic is generated from R1 router's IPv6 domain towards R2 router's IPv6
network, ICMPv6 packets are encapsulated in a GRE packet (protocol= 0x2F or
decimal value 47) with packet's source IP address as R1's Loopback 0 interface and
destination IP address as R2's Loopback 0 interface. At R2 router, these GRE packets
are decapsulated and forwarded to the correct destination.
s=1.1.1.1
s=1.1.1.1
s=1.1.1.1
s=1.1.1.1
s=1.1.1.1
(Tunnel0),
(Tunnel0),
(Tunnel0),
(Tunnel0),
(Tunnel0),
d=2.2.2.2
d=2.2.2.2
d=2.2.2.2
d=2.2.2.2
d=2.2.2.2
(Serial0/0),
(Serial0/0),
(Serial0/0),
(Serial0/0),
(Serial0/0),
len
len
len
len
len
124,
124,
124,
124,
124,
sending,
sending,
sending,
sending,
sending,
proto=47
proto=47
proto=47
proto=47
proto=47
https://sites.google.com/site/amitsciscozone/home/ipsec/ipsec-with-ipv6-in-ipv4-gre-tu... 4/08/2014
Page 4 of 10
IPSec configuration on R1
crypto isakmp policy 10
encryption des
authentication pre-share
hash md5
group 2
!
crypto isakmp key 0 MY_K3Y address 2.2.2.2
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto ipsec profile PROFILE
set transform-set TS
!
interface tunnel 0
https://sites.google.com/site/amitsciscozone/home/ipsec/ipsec-with-ipv6-in-ipv4-gre-tu... 4/08/2014
Page 5 of 10
IPSec configuration on R2
crypto isakmp policy 10
encryption des
authentication pre-share
hash md5
group 2
!
crypto isakmp key 0 MY_K3Y address 1.1.1.1
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto ipsec profile PROFILE
set transform-set TS
!
interface tunnel 0
tunnel protection ipsec profile PROFILE
!
When traffic is generated from R1 router's IPv6 domain towards R2 router's IPv6
network, ICMPv6 packets are encapsulated in GRE packets, which are then
encapsulated in an ESP packet. R1 router also initiates an IKE negotiation with R2
router, meanwhile all packets are dropped.
The debugging on R2 router shows how it negotiates SA with R1 router. It shows that
when R2 router receives a packet from 1.1.1.1 peer, it checks to see if it has a preshared key. It initiates IKE Phase 1 during which it checks whether the policy sent by
R1 matches any of its policy and if it agrees to the policy. After successful IKE Phase
1, it initiates IKE Phase 2 during which it checks IPSec transform-set. After successful
transform-set negotiation IKE Phase 2 is completed after which communication is
possible.
https://sites.google.com/site/amitsciscozone/home/ipsec/ipsec-with-ipv6-in-ipv4-gre-tu... 4/08/2014
Page 6 of 10
ISAKMP:
life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
ISAKMP:(0:1:SW:1): processing vendor id payload
ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0:134217729): vendor ID is NAT-T v7
ISAKMP:(0:1:SW:1): processing vendor id payload
ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3
ISAKMP:(0:1:SW:1): processing vendor id payload
ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2
ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
ISAKMP:(0:1:SW:1): constructed NAT-T vendor-07 ID
ISAKMP:(0:1:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R)
MM_SA_SETUP
ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
ISAKMP (0:134217729): received packet from 1.1.1.1 dport 500 sport 500 Global
(R) MM_SA_SETUP
ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
ISAKMP:(0:1:SW:1): processing NONCE payload. message ID =0
ISAKMP:(0:1:SW:1):found peer pre-shared key matching 1.1.1.1
ISAKMP:(0:1:SW:1):SKEYID state generated
ISAKMP:(0:1:SW:1): processing vendor id payload
ISAKMP:(0:1:SW:1): vendor ID is Unity
ISAKMP:(0:1:SW:1): processing vendor id payload
ISAKMP:(0:1:SW:1): vendor ID is DPD
ISAKMP:(0:1:SW:1): processing vendor id payload
ISAKMP:(0:1:SW:1): speaking to another IOS box!
ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
ISAKMP:(0:1:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R)
MM_KEY_EXCH
ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
ISAKMP (0:134217729): received packet from 1.1.1.1 dport 500 sport 500 Global
(R) MM_KEY_EXCH
ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
ISAKMP (0:134217729): ID payload
next-payload : 8
type
: 1
address
: 1.1.1.1
protocol
: 17
port
: 500
length
: 12
ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
ISAKMP:(0:1:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 64BB6094
ISAKMP:(0:1:SW:1):SA authentication status:authenticated
ISAKMP:(0:1:SW:1): Process initial contact,bring down existing phase 1 and 2
SA's with local 2.2.2.2 remote 1.1.1.1 remote port 500
ISAKMP:(0:1:SW:1):SA authentication status: authenticated
ISAKMP:(0:1:SW:1):SA has been authenticated with 1.1.1.1
ISAKMP: Trying to insert a peer 2.2.2.2/1.1.1.1/500/, and inserted
successfully 64BB250C.
ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type
https://sites.google.com/site/amitsciscozone/home/ipsec/ipsec-with-ipv6-in-ipv4-gre-tu... 4/08/2014
Page 7 of 10
ID_IPV4_ADDR
ISAKMP (0:134217729): ID payload
next-payload : 8
type
: 1
address
: 2.2.2.2
protocol
: 17
port
: 500
length
: 12
ISAKMP:(0:1:SW:1):Total payload length: 12
ISAKMP:(0:1:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R)
MM_KEY_EXCH
ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP (0:134217729): received packet from 1.1.1.1 dport 500 sport 500 Global
(R) QM_IDLE
ISAKMP: set new node 1046004050 to QM_IDLE
ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 1046004050
ISAKMP:(0:1:SW:1): processing SA payload. message ID = 1046004050
ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP:
attributes in transform:
ISAKMP:
encaps is 1 (Tunnel)
ISAKMP:
SA life type in seconds
ISAKMP:
SA life duration (basic) of 3600
ISAKMP:
SA life type in kilobytes
ISAKMP:
SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP:
authenticator is HMAC-MD5
ISAKMP:(0:1:SW:1):atts are acceptable.
ISAKMP:(0:1:SW:1): processing NONCE payload. message ID =1046004050
ISAKMP:(0:1:SW:1): processing ID payload. message ID = 1046004050
ISAKMP:(0:1:SW:1): processing ID payload. message ID = 1046004050
ISAKMP:(0:1:SW:1): asking for 1 spis from ipsec
ISAKMP:(0:1:SW:1):Node 1046004050, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
ISAKMP: received ke message (2/1)
ISAKMP: Locking peer struct 0x64BB250C, IPSEC refcount 1 for for stuff_ke
ISAKMP:(0:1:SW:1): Creating IPSec SAs
inbound SA from 1.1.1.1 to 2.2.2.2 (f/i) 0/ 0
(proxy 1.1.1.1 to 2.2.2.2)
has spi 0x4F11F20E and conn_id 0 and flags 2
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
has client flags 0x0
outbound SA from 2.2.2.2 to 1.1.1.1 (f/i) 0/0
(proxy 2.2.2.2 to 1.1.1.1)
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
has client flags 0x0
ISAKMP:(0:1:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R)
QM_IDLE
ISAKMP:(0:1:SW:1):Node 1046004050, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
ISAKMP:(0:1:SW:1):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
ISAKMP: Locking peer struct 0x64BB250C, IPSEC refcount 2 for from
create_transforms
ISAKMP: Unlocking IPSEC struct 0x64BB250C from create_transforms, count 1
ISAKMP (0:134217729): received packet from 1.1.1.1 dport 500 sport 500 Global
(R) QM_IDLE
ISAKMP:(0:1:SW:1):deleting node 1046004050 error FALSE reason "QM done
(await)"
ISAKMP:(0:1:SW:1):Node 1046004050, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(0:1:SW:1):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
The show crypto isakmp peer [detail] command shows peer description.
https://sites.google.com/site/amitsciscozone/home/ipsec/ipsec-with-ipv6-in-ipv4-gre-tu... 4/08/2014
Page 8 of 10
The show crypto session detail command provides details on currently active
crypto sessions.
The show crypto isakmp sa and show crypto ipsec sa commands show IKE Phase
1 and Phase 2 SA respectively.
state
QM_IDLE
https://sites.google.com/site/amitsciscozone/home/ipsec/ipsec-with-ipv6-in-ipv4-gre-tu... 4/08/2014
Page 9 of 10
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4F11F20E(1326576142)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4586052/3200)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The following output shows R1 sending ESP encapsulated packets (protocol 50).
https://sites.google.com/site/amitsciscozone/home/ipsec/ipsec-with-ipv6-in-ipv4-gre-tu... 4/08/2014
Page 10 of 10
Sign in | Recent Site Activity | Report Abuse | Print Page | Powered By Google Sites
https://sites.google.com/site/amitsciscozone/home/ipsec/ipsec-with-ipv6-in-ipv4-gre-tu... 4/08/2014
Knowledge Base
Page 1 of 8
Home
BGP
Data Center
GPON
Hadoop
IP Multicast
IPv6
IS-IS
Juniper-JUNOS
L2VPN
LAN
Link Aggregation
LTE Notes
MPLS
NAT
OAM
OSPF
PBB
Configuration
PPP
QoS
PE11, PE12, PE21 and PE22 routers have a very simple and similar VRF configuration. There is
Security
Traffic Engineering
VPLS
VPN
Attachments
PE100 and PE200 routers act as Route-Reflectors (RR) for their respective ASes. To exchange
VPNv4 routes, they run MP-eBGP connection across the two physical connections- one
preferred over the other achieved by setting higher local-preference value for prefixes learnt
via one connection.
https://sites.google.com/site/amitsciscozone/home/ipsec/dmvpn-with-dual-isps
4/08/2014
Page 2 of 8
PE100 Configuration
interface Loopback 0
ip address 2.2.2.2 255.255.255.255
ip ospf 1 area 0
!
router ospf 1
passive-interface FastEthernet1/0
passive-interface FastEthernet2/0
network 10.100.1.0 0.0.0.255 area 0
network 10.100.2.0 0.0.0.255 area 0
!
router bgp 100
no bgp route-target default filter
! Accept all VPNv4 routes
neighbor 1.1.1.1 remote-as 100
! PE11 router
neighbor 1.1.1.1 update-source Loopback 0
neighbor 3.3.3.3 remote-as 100
! PE12 router
neighbor 3.3.3.3 update-source Loopback 0
neighbor 10.100.1.2 remote-as 200
neighbor 10.100.1.2 send-label
! eBGP connection with PE200 router.
The "send-label" keyword allows the router to send label with BGP VPNv4 prefixes
neighbor 10.100.2.2 remote-as 200
neighbor 10.100.2.2 send-label
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 route-reflector-client
neighbor 1.1.1.1 next-hop-self
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 route-reflector-client
neighbor 3.3.3.3 next-hop-self
neighbor 10.100.1.2 activate
neighbor 10.100.1.2 route-map LOCAL_PREF in
! Set Local-Preference to 150 for all
incoming VPNv4 prefixes from this neighbor
neighbor 10.100.2.2 activate
!
route-map LOCAL_PREF permit 10
set local-preference 150
!
PE200 Configuration
interface Loopback 0
ip address 5.5.5.5 255.255.255.255
ip ospf 2 area 0
!
router ospf 2
passive-interface FastEthernet1/0
passive-interface FastEthernet2/0
network 10.100.1.0 0.0.0.255 area 0
network 10.100.2.0 0.0.0.255 area 0
!
router bgp 200
no bgp route-target default filter
neighbor 4.4.4.4 remote-as 200
neighbor 4.4.4.4 update-source Loopback 0
neighbor 6.6.6.6 remote-as 200
neighbor 6.6.6.6 update-source Loopback 0
neighbor 10.100.1.1 remote-as 100
neighbor 10.100.1.1 send-label
neighbor 10.100.2.1 remote-as 100
neighbor 10.100.2.1 send-label
!
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 route-reflector-client
neighbor 4.4.4.4 next-hop-self
neighbor 6.6.6.6 activate
neighbor 6.6.6.6 route-reflector-client
neighbor 6.6.6.6 next-hop-self
neighbor 10.100.1.1 activate
neighbor 10.100.1.1 route-map LOCAL_PREF in
! PE21 router
! PE22 router
! eBGP connection to PE100
https://sites.google.com/site/amitsciscozone/home/ipsec/dmvpn-with-dual-isps
4/08/2014
Page 3 of 8
The following output shows the VPNv4 prefixes learnt by PE100 and PE200 routers. Note the
prefixes with higher local-preference value are preferred.
V
4
4
4
4
AS MsgRcvd MsgSent
100
41
47
100
41
47
200
51
52
200
40
41
TblVer
13
13
13
13
100
150
100
150
0
0
0
0
0
0
?
200
200
?
200
200
?
?
?
?
150
100
150
100
0
0
0
0
0
0
100
100
?
100
100
?
?
?
?
?
https://sites.google.com/site/amitsciscozone/home/ipsec/dmvpn-with-dual-isps
4/08/2014
Page 4 of 8
hash md5
group 2
!
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set TS
!
interface Tunnel10
! Primary Tunnel
ip address 192.168.100.1 255.255.255.0
no ip next-hop-self eigrp 1020
ip nhrp map multicast dynamic
ip nhrp network-id 123
no ip split-horizon eigrp 1020
delay 5
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN shared
!
interface Tunnel20
! Backup Tunnel
ip address 192.168.200.1 255.255.255.0
no ip next-hop-self eigrp 1020
ip nhrp map multicast dynamic
ip nhrp network-id 456
no ip split-horizon eigrp 1020
delay 10
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 456
tunnel protection ipsec profile DMVPN shared
!
router eigrp 1020
no auto-summary
network 192.168.0.0
network 192.168.100.0
network 192.168.200.0
!
router bgp 65001
neighbor 172.11.1.2 remote-as 100
neighbor 172.11.1.2 filter-list 10 out
neighbor 172.12.1.2 remote-as 200
neighbor 172.12.1.2 filter-list 10 out
!
ip as-path access-list 10 permit ^$
! Allows only local routes to be advertised
!
Now, since the Spoke routers have a single connection to the ISP, they share the same
interface for both tunnels.
https://sites.google.com/site/amitsciscozone/home/ipsec/dmvpn-with-dual-isps
4/08/2014
Page 5 of 8
delay 5
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN shared
!
interface Tunnel20
ip address 192.168.200.2 255.255.255.0
ip nhrp map 192.168.200.1 172.12.1.1
ip nhrp map multicast 172.12.1.1
ip nhrp network-id 456
ip nhrp nhs 192.168.200.1
delay 10
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 456
tunnel protection ipsec profile DMVPN shared
!
router bgp 65002
neighbor 172.22.1.2 remote-as 100
!
The major issue with this setup is that if the primary connection to ISP at Hub site goes down,
the tunnel interface (tunnel 10) goes down as well. EIGRP adjacency with Spoke routers fall.
However, the Spoke routers still have primary tunnel interface as functional. Hence, a tracking
mechanism is required on Spoke routers to track the reachability of the source address of
primary tunnel interface. IP SLA with tracking can do the job. Further, this reachability
information can be used to administer the functionality of tunnel interfaces on Spoke routers.
For example, if primary tunnel interface goes down on Hub, the Spoke routers shut down their
primary tunnel interface and bring the secondary tunnel up. This can be done using
https://sites.google.com/site/amitsciscozone/home/ipsec/dmvpn-with-dual-isps
4/08/2014
Page 6 of 8
Embedded Event Manager EEM. Before any IP SLA configuration on Spoke routers, ip sla
responder command is required on the Hub router. The configuration is as below:
IP SLA on Hub
ip sla responder
!
https://sites.google.com/site/amitsciscozone/home/ipsec/dmvpn-with-dual-isps
4/08/2014
Page 7 of 8
Verification
Since the primary tunnel interface is UP, all the Spoke routers register their NHRP mappings
with the Hub router over primary tunnel interface 10. Also, all internal prefixes are learnt over
primary tunnel as EIGRP adjacency is established over that interface.
When the source address of primary tunnel interface on the Hub router is
unreachable (data-link between Hub and PE11 is down), the tracking object discovers that
the Hub is not reachable over Tunnel 10. The Spoke routers shut down Tunnel 10 and bring up
Tunnel 20. The Hub router receives NHRP mapping over Tunnel 20. EIGRP adjacency is formed
over this interface and routes are exchanged.
Spoke1#
*Jul 15 15:42:45.734: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down
*Jul 15 15:42:45.982: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Jul 15 15:42:46.434: %SYS-5-CONFIG_I: Configured from console by vty0
*Jul 15 15:42:47.898: %LINK-5-CHANGED: Interface Tunnel10, changed state to
administratively down
*Jul 15 15:42:48.186: %LINK-3-UPDOWN: Interface Tunnel20, changed state to up
*Jul 15 15:42:48.286: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Jul 15 15:42:48.910: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed
state to down
*Jul 15 15:42:49.194: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel20, changed
state to up
*Jul 15 15:42:52.614: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1020: Neighbor 192.168.200.1
(Tunnel20) is up: new adjacency
Spoke1# show track
Track 1
IP SLA 1 reachability
Reachability is Down
99 changes, last change 00:00:33
Delay up 180 secs, down 180 secs
Latest operation return code: Timeout
Tracked by:
EEM applet UP_TUNNEL_10
EEM applet SHUT_TUNNEL_10
Hub# show ip nhrp
192.168.200.2/32 via 192.168.200.2
Tunnel20 created 00:03:58, expire 01:56:01
Type: dynamic, Flags: unique registered
NBMA address: 172.22.1.1
192.168.200.3/32 via 192.168.200.3
https://sites.google.com/site/amitsciscozone/home/ipsec/dmvpn-with-dual-isps
4/08/2014
Page 8 of 8
During Spoke-to-Spoke traffic forwarding, dynamic tunnel is formed via Tunnel 20.
Comments
You do not have permission to add comments.
Sign in | Recent Site Activity | Report Abuse | Print Page | Powered By Google Sites
https://sites.google.com/site/amitsciscozone/home/ipsec/dmvpn-with-dual-isps
4/08/2014
Knowledge Base
Page 1 of 19
Home
BGP
Dual DMVPN
Data Center
DMVPN stands for Dynamic Multipoint Virtual Private Network. It is basically a concept
GPON
Hadoop
IP Multicast
IPv6
Traditional site-to-site IPSec VPNs require individual (point-to-point GRE or IPSec) tunnels
between a pair of Hub and Branch routers. For all new branch routers, configurations need
IS-IS
to be added on the Branch router as well as the Hub router. Also, traffic between Branch
Juniper-JUNOS
L2VPN
LAN
Link Aggregation
LTE Notes
MPLS
NAT
OAM
OSPF
PBB
Conversely, DMVPN uses mGRE tunnel which has multiple end-points and is treated as a
non-broadcast multi-access (NBMA) network. DMVPN has evolved into 3 phasesPhase 1: Hub and Spoke - mGRE at the Hub and p2p GRE at the Branch routers
Phase 2: Hub and Spoke with Spoke-to-spoke tunnels (mGRE at the Hub and Branch
routers)
Phase 3: Same as Phase 2 but now Spoke routers can also respond to NHRP Requests.
This article discusses Phase 2.
PPP
QoS
DMVPN Components
Security
Traffic Engineering
VPLS
VPN
Attachments
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Page 2 of 19
A dual DMVPN cloud topology with spoke-to-spoke model consists of two Hub routers,
each with mGRE tunnel interface(s) connecting all Branch routers. Each DMVPN cloud
represents a unique subnet. One DMVPN cloud is considered Primary- this is preferred by
all Branch routers to send traffic. The second DMVPN cloud is implemented to provide
resiliency to the Primary DMVPN cloud.
Primary router
interface Serial 0/0
description WAN Interface
ip address 172.16.1.1 255.255.255.0
!
interface Fastethernet 0/0
description LAN Interface
ip address 192.168.0.1 255.255.255.0
!
interface Tunnel 11
ip address 10.0.1.1 255.255.255.0
tunnel mode gre multipoint
tunnel source serial 0/0
tunnel key 123
!
Backup router
interface Serial 0/0
description WAN Interface
ip address 172.26.1.1 255.255.255.0
!
interface Fastethernet 0/0
description LAN Interface
ip address 192.168.0.2 255.255.255.0
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Page 3 of 19
!
interface Tunnel 22
ip address 10.0.2.1 255.255.255.0
tunnel mode gre multipoint
tunnel source serial 0/0
tunnel key 456
!
Branch1 router
interface Serial 0/0
description WAN Interface
ip address 172.36.1.1 255.255.255.0
!
interface Fastethernet 0/0
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel 11
ip address 10.0.1.2 255.255.255.0
tunnel mode gre multipoint
tunnel source serial 0/0
tunnel key 123
!
interface Tunnel 22
ip address 10.0.2.2 255.255.255.0
tunnel mode gre multipoint
tunnel source serial 0/0
tunnel key 456
!
Branch2 router
interface Serial 0/0
description WAN Interface
ip address 172.46.1.1 255.255.255.0
!
interface Fastethernet 0/0
ip address 192.168.2.1 255.255.255.0
!
interface Tunnel 11
ip address 10.0.1.3 255.255.255.0
tunnel mode gre multipoint
tunnel source serial 0/0
tunnel key 123
!
interface Tunnel 22
ip address 10.0.2.3 255.255.255.0
tunnel mode gre multipoint
tunnel source serial 0/0
tunnel key 456
!
Branch3 router
interface Serial 0/0
description WAN Interface
ip address 172.56.1.1 255.255.255.0
!
interface Fastethernet 0/0
ip address 192.168.3.1 255.255.255.0
!
interface Tunnel 11
ip address 10.0.1.4 255.255.255.0
tunnel mode gre multipoint
tunnel source serial 0/0
tunnel key 123
!
interface Tunnel 22
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Page 4 of 19
NHRP Configuration
The most basic commands to implement NHRP are as follows1) ip nhrp map <tunnel-ip> <physical-ip> command creates a static binding between
a tunnel IP address and physical IP address. This command is usually configured on the
Branch routers (who act as NHRP Clients) to provide the information to Branch routers to
reach the tunnel address of the Hub.
2) ip nhrp map multicast <dynamic | static-ip> command specifies the destination(s)
that will receive multicast/broadcast traffic. Spokes map multicast to the physical IP
address of the Hub, and the Hub maps multicast packets to the dynamic mappings i.e. to
all NHRP Clients registered to the Hub (NHRP Server). This is important for routing
protocols to form adjacency and exchange routing updates.
3) ip nhrp nhs <server-ip> command specifies the NHRP Server to the Branch routers.
The "Server IP Address" is the tunnel IP address.
4) ip nhrp authentication <key> command is optional. The key is in plain-text and is
used to authenticate the NHRP Client. This must be same on all NHRP routers.
5) ip nhrp network-id <id> command identifies the logical network. This must be same
on all NHRP routers.
6) ip nhrp holdtime <seconds> command specifies the hold-time value in registration
requests. The NHS will keep the registration request cache for the hold-time period, and if
no updates are received, it will flush them out.
Primary router
interface Tunnel11
......
ip nhrp map multicast dynamic
ip nhrp network-id 123
ip nhrp holdtime 60
!
Backup router
interface Tunnel22
.....
ip nhrp map multicast dynamic
ip nhrp network-id 456
ip nhrp holdtime 60
!
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Page 5 of 19
!
interface Tunnel22
....
ip nhrp map 10.0.2.1 172.26.1.1
Physical IP Addresses
Routing Instances
We will use two separate instance of routing protocol on Hub and Branch routers- one for
WAN domain (OSPF) and another for VPN domain (EIGRP).
For EIGRP, we need to disable split-horizon on Hub mGRE tunnel interface to ensure
optimal forwarding. We also need to disable the default EIGRP behavior to overwrite the
next-hop as itself. And lastly, we also need to tweak the metric in EIGRP for tunnels to
prefer Primary over Backup.
Primary router
router ospf 1
! WAN domain
!
network 172.16.1.0 0.0.0.255 area 0
!
router eigrp 1
! VPN domain
!
no auto-summary
network 10.0.0.0
network 192.168.0.0
!
interface Tunnel11
....
no ip split-horizon eigrp 1
no ip next-hop-self eigrp 1
delay 5
!
Backup router
router ospf 1
! WAN domain
!
network 172.26.1.0 0.0.0.255 area 0
!
router eigrp 1
! VPN domain
!
no auto-summary
network 10.0.0.0
network 192.168.0.0
!
interface Tunnel22
....
delay 10
no ip split-horizon eigrp 1
no ip next-hop-self eigrp 1
Branch routers
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Page 6 of 19
Branch1 router:
router ospf 1
network 172.36.1.0 0.0.0.255 area 0
!
router eigrp 1
no auto-summary
network 10.0.0.0
network 192.168.1.0
!
interface Tunnel11
....
delay 5
!
interface Tunnel22
....
delay 10
!
Branch2 router:
router ospf 1
network 172.46.1.0 0.0.0.255 area 0
!
router eigrp 1
no auto-summary
network 10.0.0.0
network 192.168.2.0
!
interface Tunnel11
....
delay 5
!
interface Tunnel22
....
delay 10
!
Branch3 router:
router ospf 1
network 172.56.1.0 0.0.0.255 area 0
!
router eigrp 1
no auto-summary
network 10.0.0.0
network 192.168.3.0
!
interface Tunnel11
....
delay 5
!
interface Tunnel22
....
delay 10
!
All the Spoke routers try to register their logical IP address to NBMA IP address mapping
with the Hub. Each Spoke router has 2 tunnel interfaces to two different Hubs- Primary
and Backup. Hence all Spoke routers send Registration Request packets to both
Primary and Backup with its logical-to-NBMA address mapping. The following output
shows Spoke1 router registering with two Hubs. The Hubs respond with Registration Reply
packet to the Spoke routers.
NHRP Registration
Primary#
*Mar 1 09:55:23.589: NHRP: Receive Registration Request via Tunnel11 vrf 0, packet
size: 92
*Mar
*Mar
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
NBMA:
4/08/2014
Page 7 of 19
172.36.1.1
*Mar
*Mar
*Mar 1 09:55:23.593: NHRP: Send Registration Reply via Tunnel11 vrf 0, packet
size: 112
*Mar
*Mar
1 09:55:23.597:
src: 10.0.1.1, dst: 10.0.1.2
1 09:55:23.597: NHRP: 112 bytes out Tunnel11
Backup#
*Mar 1 09:54:59.585: NHRP: Receive Registration Request via Tunnel22 vrf 0, packet
size: 92
*Mar 1 09:54:59.585: NHRP: netid_in = 456, to_us = 1
*Mar 1 09:54:59.585: NHRP: Tu22: Creating dynamic multicast mapping
172.36.1.1
*Mar
*Mar
NBMA:
*Mar 1 09:54:59.593: NHRP: Send Registration Reply via Tunnel22 vrf 0, packet
size: 112
*Mar
*Mar
1 09:54:59.593:
src: 10.0.2.1, dst: 10.0.2.2
1 09:54:59.593: NHRP: 112 bytes out Tunnel22
This registration on the mGRE interface on the Hub router to build a dynamic tunnel back
to the registering Branch/Spoke router without having to know the Branch tunnel
destination statically. NHRP tells mGRE interface where to tunnel a packet to reach a
certain address.
The NHRP cache can be viewed using show ip nhrp command. The Hubs learn the
mappings dynamically and the Spoke routers have only a single static mapping via each
tunnel interface in their NHRP cache.
NHRP Cache
Primary# show ip nhrp
10.0.1.2/32 via 10.0.1.2, Tunnel11 created 07:57:45, expire 00:00:58
Type: dynamic, Flags: unique registered used
NBMA address: 172.36.1.1
10.0.1.3/32 via 10.0.1.3, Tunnel11 created 00:36:01, expire 00:00:49
Type: dynamic, Flags: unique registered used
NBMA address: 172.46.1.1
10.0.1.4/32 via 10.0.1.4, Tunnel11 created 00:03:49, expire 00:00:49
Type: dynamic, Flags: unique registered used
NBMA address: 172.56.1.1
Spoke3# show ip nhrp
10.0.1.1/32 via 10.0.1.1, Tunnel11 created 00:14:53, never expire
Type: static, Flags: used
NBMA address: 172.16.1.1
10.0.2.1/32 via 10.0.2.1, Tunnel22 created 00:14:46, never expire
Type: static, Flags: used
NBMA address: 172.26.1.1
The unique flag indicates that the Registration Request message had unique flag enabled.
The NHS rejects all Registration Requests if the mapping in the message is already
present or not unique. The used flag indicates that the router uses this mapping to switch
IP packets.
All Branch routers learn about remote 192.168.x.0/24 networks via EIGRP over Tunnel 11
(Primary tunnel).
EIGRP routes
Spoke1# show ip route eigrp
D
D
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Page 8 of 19
D
D
However, the CEF adjacency for prefixes connected to remote Branch router over the
DMVPN cloud, are seen as invalid adjacency on the Branch3 routers. While the CEF
adjacency for the next-hop is valid punt adjacency which means that the packet cannot
be CEF-switched and need to be fast-switched or process-switched.
When Branch3 router tries to send packet to 192.168.1.0/24, it finds out that it has a
punt adjacency for its next-hop of 10.0.1.2. Then Branch3 router attempts to send NHRP
Resolution Request directly to its next-hop 10.0.1.2 i.e. Spoke1 router, but it fails as the
NBMA address of Branch1 router is unknown. However, the Branch3 router continues to
send packets via the NHS.
*Mar
out 123
*Mar 1 08:36:58.865: NHRP: Checking for delayed event 0.0.0.0/10.0.1.2 on list
(Tunnel11).
*Mar 1 08:36:58.869: NHRP: No node found.
*Mar
*Mar
(Tunnel11).
*Mar 1 08:36:58.881: NHRP: No node found.
*Mar
*Mar
size: 72
*Mar 1 08:36:58.885:
*Mar
*Mar
1 08:36:58.885:
1 08:36:58.889:
*Mar
*Mar
1 08:36:58.889:
1 08:36:58.889:
*Mar
*Mar
1 08:36:58.889:
1 08:36:58.893:
*Mar
*Mar
1 08:36:58.893:
1 08:36:58.893:
pref: 0
*Mar 1 08:36:58.893: NHRP: Encapsulation failed for destination 10.0.1.2 out
Tunnel11
*Mar 1 08:36:58.897: NHRP: Attempting to send packet via NHS 10.0.1.1
*Mar
An NHRP packet contains 3 parts1. Fixed Part (F): It specifies the address-family (afn), protocol type (IP) as well as
subnetwork type and length.
2. Mandatory Part (M): It specifies the flags and the request ID (reqid). It also includes
the source NBMA address and source/destination protocol IP addresses.
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Page 9 of 19
3. Client Information Element (CIE C-1) part: It contains information about networks
connected to requesting/responding routers.
The Spoke3 router then tries to send the Resolution Request to NHS. It contains the
source NBMA address of Spoke3 router (itself) and tunnel source address of Spoke3 router
and tunnel destination address of Spoke1 router.
*Mar 1 08:36:58.897: NHRP: Send Resolution Request via Tunnel11 vrf 0, packet
size: 72
*Mar
*Mar
1 08:36:58.901:
1 08:36:58.901:
*Mar
*Mar
1 08:36:58.901:
1 08:36:58.901:
*Mar
*Mar
1 08:36:58.905:
1 08:36:58.905:
*Mar
*Mar
1 08:36:58.905:
1 08:36:58.905:
*Mar 1 08:36:58.909:
pref: 0
*Mar
*Mar
out 123
*Mar 1 08:36:59.125: NHRP: Checking for delayed event 0.0.0.0/10.0.1.2 on list
(Tunnel11).
*Mar 1 08:36:59.129: NHRP: No node found.
*Mar
The request arrives at NHS. The NHS has a mapping for 10.0.1.2 in its NHRP cache. It
responds with a Resolution Reply message with correct mapping in the Mandatory part.
*Mar 1 08:36:59.133: NHRP: Receive Resolution Request via Tunnel11 vrf 0, packet
size: 92
*Mar
*Mar
1 08:36:59.137:
1 08:36:59.137:
*Mar
*Mar
1 08:36:59.137:
1 08:36:59.137:
*Mar
*Mar
1 08:36:59.137:
1 08:36:59.141:
*Mar
*Mar
1 08:36:59.141:
1 08:36:59.141:
pref: 0
*Mar 1 08:36:59.141: NHRP: netid_in = 123, to_us = 1
The Spoke3 router receives the Resolution Reply packet and hence its CEF adjacency is
now completed for 10.0.1.2. It now attempts to send the packet directly to Spoke1 router
rather than through Hub router.
*Mar 1 08:36:59.285: NHRP: Receive Resolution Reply via Tunnel11 vrf 0, packet
size: 120
*Mar
*Mar
1 08:36:59.289:
1 08:36:59.289:
*Mar 1 08:36:59.289:
reqid: 129
*Mar
*Mar
1 08:36:59.289:
1 08:36:59.293:
*Mar
*Mar
1 08:36:59.293:
1 08:36:59.293:
*Mar 1 08:36:59.293:
pref: 0
*Mar
*Mar
1 08:36:59.297:
1 08:36:59.297:
*Mar
*Mar
(Tunnel11).
*Mar 1 08:36:59.301: NHRP: No node found.
*Mar 1 08:36:59.301: NHRP: No need to delay processing of resolution event nbma
src:172.56.1.1 nbma dst:172.36.1.1
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Page 10 of 19
The show ip cef command now shows that the CEF adjacency is completed. Also, the
show ip nhrp command shows a dynamically learnt NHRP entry.
The router flag means that the mapping is either for the remote router or for a network
behind the remote router.
Once again when Spoke3 router attempts to send packet to 192.168.1.0/24 prefix
connected to Spoke1 router, first it tries to send the packet directly to Spoke1 router but
since the CEF adjacency is not complete, the packets are forwarded to the Hub. However,
the Spoke3 router also sends a Resolution Request packet for Backup NHS via Tunnel 22.
Backup#
*Mar 1 18:11:13.611: NHRP: Receive Resolution Request via Tunnel22 vrf 0, packet
size: 72
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Page 11 of 19
*Mar
1 18:11:13.615:
*Mar
*Mar
1 18:11:13.615:
1 18:11:13.615:
*Mar
*Mar
1 18:11:13.615:
1 18:11:13.615:
*Mar
*Mar
1 18:11:13.619:
1 18:11:13.619:
*Mar 1 18:11:13.619:
pref: 0
The Backup NHS receives the Resolution Reply packet. It looks up its NHRP cache and
finds a valid mapping. It responds with a Resolution Reply packet back to the Spoke3
router with correct mapping.
*Mar
packet size: 92
*Mar 1 18:11:13.627:
*Mar
*Mar
1 18:11:13.627:
1 18:11:13.627:
*Mar
*Mar
1 18:11:13.627:
1 18:11:13.631:
*Mar
*Mar
1 18:11:13.631:
1 18:11:13.631:
*Mar
*Mar
1 18:11:13.631:
1 18:11:13.631:
pref: 0
The show ip nhrp command confirms the dynamically learnt mapping on Spoke3 router.
show ip nhrp
Spoke3# show ip nhrp
10.0.1.1/32 via 10.0.1.1, Tunnel11 created 00:28:08, never expire
Type: static, Flags: used
NBMA address: 172.16.1.1
10.0.2.1/32 via 10.0.2.1, Tunnel22 created 00:28:01, never expire
Type: static, Flags: used
NBMA address: 172.26.1.1
10.0.2.2/32 via 10.0.2.2, Tunnel22 created 00:01:13, expire 00:00:23
Type: dynamic, Flags: router
NBMA address: 172.36.1.1
10.0.2.4/32 via 10.0.2.4, Tunnel22 created 00:01:12, expire 00:00:05
Type: dynamic, Flags: router unique local
NBMA address: 172.56.1.1
(no-socket)
Adding IPSec
For simplicity, we will use pre-shared keys for authentication for IKE Phase 1 in IPSec.
For most scalability, X.509 digital certificates and PKI must be used. For IKE Phase 2, we
use IPSec Profiles with tunnel interfaces. This can be applied to tunnel interfaces using
tunnel protection ipsec profile <profile-name> [shared] command. The shared
keyword is used on Branch routers as the two mGRE tunnel interfaces use the same
tunnel source (Serial 0/0). All the traffic passing through the tunnel will be protected by
IPSec.
Since mGRE adds new IP header, the transport mode is used with IPSec. The IPSec
configuration on all routers is as follows:
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Page 12 of 19
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set TS
!
interface Tunnel 11
....
tunnel protection ipsec profile DMVPN
Since all Branch routers send mGRE encapsulated EIGRP Hello multicast packets towards
the Hub routers over both tunnels, ISAKMP negotiations start between Branch routers and
Hub routers.
Both, Branch and Hub routers will create IPSec SA for GRE protocol (value = 47).
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Page 13 of 19
dst
src
state
172.26.1.1
172.16.1.1
172.56.1.1
172.56.1.1
QM_IDLE
QM_IDLE
0 ACTIVE
0 ACTIVE
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Page 14 of 19
spi: 0xEF9D4CCB(4020063435)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 1, flow_id: SW:1, crypto map: DMVPN-head-1
sa timing: remaining key lifetime (k/sec): (4569056/3351)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB4509812(3025180690)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2, flow_id: SW:2, crypto map: DMVPN-head-1
sa timing: remaining key lifetime (k/sec): (4569056/3351)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Tunnel22
Crypto map tag: DMVPN-head-1, local addr 172.56.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.26.1.1/255.255.255.255/47/0)
current_peer 172.26.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 76, #pkts encrypt: 76, #pkts digest: 76
#pkts decaps: 77, #pkts decrypt: 77, #pkts verify: 77
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.26.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0x6D677A69(1835498089)
inbound esp sas:
spi: 0x171FDA10(387963408)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 3, flow_id: SW:3, crypto map: DMVPN-head-1
sa timing: remaining key lifetime (k/sec): (4437345/3357)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6D677A69(1835498089)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 4, flow_id: SW:4, crypto map: DMVPN-head-1
sa timing: remaining key lifetime (k/sec): (4437345/3357)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Page 15 of 19
state
172.56.1.1
172.26.1.1
172.36.1.1
172.56.1.1
QM_IDLE
QM_IDLE
1003
1002
0 ACTIVE
0 ACTIVE
172.36.1.1
172.16.1.1
172.56.1.1
172.56.1.1
QM_IDLE
QM_IDLE
1004
1001
0 ACTIVE
0 ACTIVE
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Page 16 of 19
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Page 17 of 19
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Page 18 of 19
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Page 19 of 19
Comments
You do not have permission to add comments.
Sign in | Recent Site Activity | Report Abuse | Print Page | Powered By Google Sites
https://sites.google.com/site/amitsciscozone/home/ipsec/dual-dmvpn
4/08/2014
Knowledge Base
Page 1 of 6
Home
BGP
Data Center
The Dual Tier architecture splits the mGRE and crypto functions to two different routers (or
GPON
chasses). DMVPN usually involves 3 different control planes- Routing Control plane (NHRP), GRE
Hadoop
Control plane (mGRE) and IPSec Control plane (Dynamic Crypto map). The routing and GRE control
IP Multicast
IPv6
IS-IS
Sample Scenario
Juniper-JUNOS
L2VPN
LAN
Link Aggregation
LTE Notes
This scenario deals with Dual Tier Headend architecture. The Crypto functions are handled by Crypto
Headend routers. There are two possible options to implement IPSec in the sample scenario- a)
Dynamic Crypto maps on the Crypto Headend routers and Static Crypto maps on Spoke routers,
and, b) implementing a GET VPN style architecture over DMVPN networks.
MPLS
The issue with option-(a) is that if Static Crypto maps pointing to HSRP Virtual IP address at the
NAT
Headend site is applied to Spoke routers, the whole advantage of dynamic Spoke-to-Spoke tunnel of
OAM
DMVPN is lost. Hence, option-(b) is used which is more scalable and an appropriate choice. The
OSPF
PBB
PPP
Crypto Headend routers and Spoke routers become the group members of the Key Server. Note that
the mGRE Headend router does not need to be a group member of the Key Server as it wont
perform any IPSec functions.
QoS
Security
Traffic Engineering
VPLS
VPN
Attachments
KS Configuration
interface Loopback 0
ip address 1.1.1.1 255.255.255.255
!
crypto key generate rsa general-keys label GDOI_KEYS modulus 1024 exportable
!
crypto isakmp policy 10
authentication pre-share
!
crypto isakmp key 0 cisco address 3.3.3.3
crypto isakmp key 0 cisco address 4.4.4.4
! Spoke1 router
https://sites.google.com/site/amitsciscozone/home/ipsec/dmvpn-dual-tier-headend-arch... 4/08/2014
Page 2 of 6
mGRE Configuration
The mGRE Headend router houses the Routing and GRE Control plane. The configuration is as
below:
https://sites.google.com/site/amitsciscozone/home/ipsec/dmvpn-dual-tier-headend-arch... 4/08/2014
Page 3 of 6
IPSec Configuration
The Crypto Headend routers houses the crypto control plane. Also, at the Hub site, HSRP is
implemented between the two crypto Headend routers to provide high-availability.
https://sites.google.com/site/amitsciscozone/home/ipsec/dmvpn-dual-tier-headend-arch... 4/08/2014
Page 4 of 6
The crypto-map is applied to the Tunnel interfaces as 10.1.1.0/24 and 192.168.1.0/24 networks are
reachable through the tunnel. The active HSRP router at the Headend will respond to the Spoke
routers.
Verification
All the group members register with the Key Server and download IKE Policies after successful IKE
Phase 1. The below output shows the IKE Policy downloaded by Spoke1 router.
: GDOI_GM
: 123
Rekeys received
IPSec SA Direction
: 0
: Both
: 1.1.1.1
: 1.1.1.1
GM Reregisters in
: 3357 secs
https://sites.google.com/site/amitsciscozone/home/ipsec/dmvpn-dual-tier-headend-arch... 4/08/2014
Rekey Received
Page 5 of 6
: never
Rekeys received
Cumulative
After registration
Rekey Acks sent
: 0
: 0
: 0
KEK POLICY:
Rekey Transport Type
: Unicast
Lifetime (secs)
Encrypt Algorithm
Key Size
: 86399
: 3DES
: 192
: HMAC_AUTH_SHA
: 1024
TEK POLICY:
Tunnel10:
IPsec SA:
sa direction:inbound
spi: 0x6ECBE7BC(1858856892)
transform: esp-3des esp-md5-hmac
sa timing:remaining key lifetime (sec): (3475)
Anti-Replay(Time Based) : 5 sec interval
IPsec SA:
sa direction:outbound
spi: 0x6ECBE7BC(1858856892)
transform: esp-3des esp-md5-hmac
sa timing:remaining key lifetime (sec): (3475)
Anti-Replay(Time Based) : 5 sec interval
The Crypto Headend-1 router becomes the active HSRP router due to its higher priority (105 as
compared to 100 of Crypto Headend-2 router).
The Spoke routers also register to mGRE Headend router using NHRP and hence the router learns
about the Tunnel IP Address to NBMA IP address mapping dynamically.
When Spoke1 router sends ICMP traffic to 192.168.1.0/24 network sourced from 192.168.2.0/24,
and half-way, if Crypto Headend-1 router dies, Crypto Headend-2 router becomes the active HSRP
router, and since mGRE router is configured to forward the traffic to 10.1.1.1, Crypto Headend-2
router will accept the encrypted traffic, decrypt it and forward to proper destination.
Failover test
Crypto_Headend_2# show standby
FastEthernet0/1 - Group 1
State is Active
7 state changes, last state change 00:00:46
Virtual IP address is 10.1.1.1
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 15 msec, hold time 50 msec
Next hello sent in 0.003 secs
Preemption enabled
https://sites.google.com/site/amitsciscozone/home/ipsec/dmvpn-dual-tier-headend-arch... 4/08/2014
Page 6 of 6
Comments
You do not have permission to add comments.
Sign in | Recent Site Activity | Report Abuse | Print Page | Powered By Google Sites
https://sites.google.com/site/amitsciscozone/home/ipsec/dmvpn-dual-tier-headend-arch... 4/08/2014
Knowledge Base
Page 1 of 10
Home
BGP
Data Center
GPON
Hadoop
IP Multicast
IPv6
IS-IS
GET VPN
GET (Group Encrypted Transport) VPN is a VPN technology which introduces the concept to eliminate point-topoint tunnels (site-to-site VPN) and associated overlay routing (DMVPN) since it relies on WAN routing. It enables
any-to-any VPN connectivity using a group IPSec security paradigm.
In addition to IPSec, the following are the building blocks for GET VPN solution:
Juniper-JUNOS
L2VPN
LAN
Link Aggregation
LTE Notes
MPLS
NAT
OAM
OSPF
PBB
PPP
QoS
GDOI is a group key management protocol used to provide a set of IPSec keys to a group of IOS devices called
Group Members (GM) that wish to communicate securely i.e. GDOI is run between a GM and a Key Server (KS).
These keys are periodically refreshed on all devices using a process called rekey.
GDOI is a "Phase 2" protocol which is protected by "Phase 1 Security Association (SA)". IKE Phase 1 remains the
same as in traditional IPSec. All Group Members authenticate themselves using IKE to the device providing keys
(called a Key Server) which is statically configured for all Group Members. All IKE authentication methods are
supported - Pre-Shared Keys (PSK) or RSA-Signature (PKI) or RSA-Encryption.
GDOI introduces two different types of encryption keys- the Key Encryption Key (KEK) is used to secure GET VPN
control plane, and the Traffic Encryption Key (TEK) which encrypts the data traffic.
RFC 3547 defines GDOI. GDOI runs on UDP port 848. There are six new payloads for GDOI:
Security
Traffic Engineering
VPLS
VPN
Attachments
a) GDOI SA
b) SA KEK which follows the SA payload
c) SA TEK which follows the SA payload
d) Key Download Array (KD)
e) Sequence Number (SEQ)
f) Proof of Possession (POP)
5. Rekeying
A KS performs rekey process (sending new keys when existing keys are about to expire) which includes refreshing
keys and distributing to the GMs. GET VPN supports two types of rekey messages:
a) Unicast rekey: In this process, the KS generates a rekey message and sends multiple copies of the message, one
for each GM. The GM sends an ACK message upon receiving the rekey message.
b) Multicast rekey: In this process, the KS generates a rekey message and sends a single copy of the message to the
multicast address defined in the configuration. Each GM joins the multicast group at the time of registration and
hence receives the rekey message. No ACK messages are sent by GM upon receiving the rekey message.
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn
4/08/2014
Page 2 of 10
GET VPN uses Tunnel mode of IPSec, but instead of using the tunnel endpoints in the new IP header, it reuses the
original IP header as the new Tunnel header (much like IPSec Transport mode). This provides an advantage as the
existing routing infrastructure can be used and no separate routing instance needs to be run for GET VPN.
Note
GET VPN is not suitable to run over Internet since it reuses the original IP header as Tunnel IP header.
This can cause end-to-end routing issues as the traffic from Private network will not be able to reach the
remote end.
Hence, GET VPN is best suited for Private infrastructure like MPLS VPN or VPLS.
i) GROUPKEY-PULL Exchange
This exchange is also called Registration. This Phase 2 exchange downloads keys for a group's Re-key SA and Datasecurity SA. The Re-key SA includes Key Encryption Key (KEK) common to the group, and the Data-security SA
includes Traffic Encryption Key (TEK) used to encrypt/decrypt data traffic.
The Group Member (Initiator) initiates and contacts the Key Server. The GM is configured with the group identifier
and acceptable Phase 1 policy. Once Phase 1 is complete, the initiator moves to GDOI protocol. The initiator builds a
NONCE payload by choosing the Ni (Nonce value by initiator), builds an ID payload using the group identifier, and
generates HASH(1). The first GDOI message is also called Request message.
Upon receipt of the GDOI message, the Key Server (Responder) processes the NONCE and ID payloads. It verifies
that its database contains the group information for the group ID. It constructs the second GDOI message, chooses
the Nr (Nonce value by responder) for NONCE payload, the policy for the group in the ID payload, followed by SA TEK
payload for traffic SAs and SA KEK payload, and generates HASH(2). The second GDOI message is also called
Push message.
The GM receives the second GDOI message, validates the HASH(2) and process NONCE and SA payloads. If the
group policy uses Certificates for authorization, the GM generates a hash with Ni and Nr, and signs it. This becomes
the POP payload. The CERT payload holds the Public Key. The GM creates the third GDOI message using POP and
CERT payloads, and generates HASH(3). The third GDOI messages is also called ACK message.
Upon receipt of the third GDOI message, the KS validates the hash. It constructs a fourth GDOI message including
the SEQ payload containing the sequence number, the KD payload containing keys corresponding to policy previously
sent in SA TEK and KEK, and POP and CERT payloads (if needed), and generates HASH(4). The fourth message is
also called Key Download message.
The GM receives the fourth GDOI message and validates the hash. It then processes the SA TEK and KEK payloads.
The ISAKMP Header is protected by IKE Phase1 while everything after the header is encrypted. KE payload is used if
Perfect Forward Secrecy (PFS) is set.
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn
4/08/2014
Page 3 of 10
Sample Scenario
A Key Server is present at the Central Site. To demonstrate unicast rekeying process with Key Server, this scenario
has Group Members GM-1 and GM-2 register with Key Server (KS).
! Central router
! GM-1 router
! GM-2 router
Then an access-list policy needs to be defined on the KS which will identify the interesting traffic. This ACL Policy will
also be downloaded by all GMs for this KS. A Symmetric ACL policy is recommended on the KS which includes all the
networks from the GMs as source and destination. In this case, it would be as below:
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn
4/08/2014
Page 4 of 10
Lastly, we create a GDOI group on KSs. Each group defined on the KS has an identity that is shared among the GMs
within the group. Here, the identity is set to 123 for the group GDOI_GROUP.
KS will be responsible for sending rekey messages. Here, rekey messages are sent through unicast transport
mechanism with 2 retransmit messages every 60 seconds.
KS GDOI Configuration
crypto ipsec transform-set GDOI_TS esp-3des esp-md5-hmac
!
crypto ipsec profile GDOI_PROFILE
set transform-set GDOI_TS
set security-association lifetime seconds 3600
! Group SA identifier
! Indicates this is a Key Server
!
! Rekey configuration
rekey retransmit 60 number 2
GM Configuration
1. Configuring IKE Policies
All GMs authenticate with the KS using pre-shared keys.
! KS Router
! Key Server KS
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn
4/08/2014
Page 5 of 10
Verification
When the crypto-map is applied to the physical interface on GM-1, it immediately sends a Register message to the KS
and downloads the policies. All GMs follow the same process. The below output is taken from KS using debug crypto
gdoi command.
! KS receives an IKE
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
23:46:51.291:
23:46:51.291:
23:46:51.295:
23:46:51.295:
23:46:51.299:
23:46:51.303:
23:46:51.303:
23:46:51.307:
23:46:51.307:
23:46:51.311:
23:46:51.315:
23:46:51.315:
23:46:51.319:
23:46:51.323:
23:46:51.323:
23:46:51.327:
23:46:51.327:
23:46:51.327:
23:46:51.331:
23:46:51.331:
23:46:51.335:
23:46:51.335:
23:46:51.339:
23:46:51.343:
23:46:51.343:
23:46:51.347:
23:46:51.347:
23:46:51.351:
23:46:51.355:
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
*Jun
28
28
28
28
28
28
28
28
28
28
28
28
28
23:46:51.355:
23:46:51.359:
23:46:51.359:
23:46:51.363:
23:46:51.367:
23:46:51.367:
23:46:51.371:
23:46:51.375:
23:46:51.375:
23:46:51.379:
23:46:51.383:
23:46:51.383:
23:46:51.387:
28
28
28
28
28
28
28
28
23:46:51.687:
23:46:51.731:
23:46:51.739:
23:46:51.747:
23:46:51.751:
23:46:51.755:
23:46:51.755:
23:46:51.759:
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn
4/08/2014
Page 6 of 10
*Jun 28 23:46:51.759: ISAKMP:(1003): vendor ID seems Unity/DPD but major 221 mismatch
*Jun 28 23:46:51.759: ISAKMP:(1003): vendor ID is XAUTH
*Jun 28 23:46:51.759: ISAKMP:received payload type 20
*Jun 28 23:46:51.759: ISAKMP (1003): His hash no match - this node outside NAT
*Jun 28 23:46:51.759: ISAKMP:received payload type 20
*Jun 28 23:46:51.759: ISAKMP (1003): No NAT Found for self or peer
*Jun 28 23:46:51.759: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 28 23:46:51.759: ISAKMP:(1003):Old State = IKE_R_MM3
*Jun 28 23:46:51.759: ISAKMP:(1003): sending packet to 11.11.11.11 my_port 848 peer_port 848 (R) MM_KEY_EXCH
*Jun 28 23:46:51.759: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jun 28 23:46:51.759: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 28 23:46:51.763: ISAKMP:(1003):Old State = IKE_R_MM3
!---- Once IKE Phase 1 is completed, GDOI protocol starts. The GM-1 sends a Register message to KS for
group-identity 123
!
*Jun 28 23:46:52.291: ISAKMP (1003): received packet from 11.11.11.11 dport 848 sport 848 Global (R)
GDOI_IDLE
*Jun 28 23:46:52.295: ISAKMP: set new node 847121871 to GDOI_IDLE
*Jun 28 23:46:52.303: ISAKMP:(1003): processing HASH payload. message ID = 847121871
*Jun 28 23:46:52.307: ISAKMP:(1003): processing NONCE payload. message ID = 847121871
!---- The KS sends the second GDOI message- PUSH message. It carries the policy for the group-identity, and
KEK and TEK policy
*Jun 28 23:46:52.319: ISAKMP:(1003): sending packet to 11.11.11.11 my_port 848 peer_port 848 (R) GDOI_IDLE
*Jun 28 23:46:52.323: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jun 28 23:46:52.327: ISAKMP:(1003):Node 847121871, Input = IKE_MESG_FROM_PEER, IKE_GDOI_EXCH
*Jun 28 23:46:52.327: ISAKMP:(1003):Old State = GDOI_KS_LISTEN New State = GDOI_KS_AWAIT_ACK
!---- KS receives a GDOI ACK message from GM-1
*Jun 28 23:46:52.571: ISAKMP (1003): received packet from 11.11.11.11 dport 848 sport 848 Global (R)
GDOI_IDLE
*Jun 28 23:46:52.579: ISAKMP:(1003): processing HASH payload. message ID = 847121871
!---- KS now sends the Key Download GDOI message carrying the KEK and TEK Keys for policies distributed
earlier
*Jun 28 23:46:52.591: ISAKMP:(1003): sending packet to 11.11.11.11 my_port 848 peer_port 848 (R) GDOI_IDLE
*Jun 28 23:46:52.595: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jun 28 23:46:52.599: ISAKMP:(1003):deleting node 847121871 error TRUE reason ""
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn
4/08/2014
Page 7 of 10
The show crypto gdoi command displays all the basic configuration about a GDOI group. The output vary
depending on KS or GM.
: GDOI_GROUP (Unicast)
Group Identity
Group Members
: 123
: 3
IPSec SA Direction
: Both
: Local
: 86400 secs
Group Rekey
Remaining Lifetime
Rekey Retransmit Period
: 83307 secs
: 60 secs
: 0 secs
IPSec SA Number
:
IPSec SA Rekey Lifetime:
Profile Name
:
Replay method
:
Replay Window Size
:
SA Rekey
Remaining Lifetime :
ACL Configured
:
Group Server list
1
3600 secs
GDOI_PROFILE
Time Based
5
508 secs
access-list ACL
: Local
This GDOI policy is downloaded on GM. The below output shows GDOI group on GM-1.
:
:
:
:
:
:
GDOI_GROUP
123
1
Both
1.1.1.1
1.1.1.1
GM Reregisters in
: 2607 secs
Rekey Received(hh:mm:ss) : 00:14:18
Rekeys received
Cumulative
: 1
After registration
Rekey Acks sent
: 1
: 1
: Unicast
: 83284
: 3DES
: 192
: HMAC_AUTH_SHA
: 1024
The show crypto gdoi ks command shows number of GMs registered with the KS for a particular group.
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn
4/08/2014
Page 8 of 10
Group Members
: 3
IPSec SA Direction
: Both
ACL Configured:
access-list ACL
: Both
: gdoi_group_GDOI_GROUP_temp_acl
: 1
Re-register
Remaining time
: 2593 secs
Retry Timer
:NOT RUNNING
Rekey Messages
When the key lifetime is about to expire on KS, the KS sends new keys via unicast or multicast (depending on the
mechanism configured). Here, KS sends unicast rekey messages to all GMs (Central, GM-1 and GM-2 routers). All
GMs responds back with an ACK message to the KS.
23:59:35.927:
23:59:35.927:
23:59:35.931:
23:59:36.043:
23:59:36.043:
23:59:36.191:
23:59:36.191:
23:59:36.351:
23:59:36.355:
23:59:36.359:
with seq # 1
The following output is taken from Central router receiving rekey messages from KS. It basically contains the Key
Download (KD) payload which contains new keys for KEK and TEK policies.
28
28
28
28
28
23:59:45.607:
23:59:45.611:
23:59:45.611:
23:59:45.615:
23:59:45.619:
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn
4/08/2014
Page 9 of 10
0
1694900728
1694900728
1694900728
: 52
68
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn
4/08/2014
Page 10 of 10
*Jun 28 23:59:45.803: GDOI:GM:(0):Unicast Rekey installed 1 new ipsec SA(s) for group GDOI_GROUP.
*Jun 28 23:59:45.807: GDOI:GM:(GDOI_GROUP:0):If no rekey is received in 3482 seconds, group GDOI_GROUP will
re-register to KS
Further reading:
1. http://www.securemulticast.org/msec2_ietf51_gdoi_update.pdf
2. http://www.wr-mem.com/?p=307
3. http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/deployment_guide
Comments
You do not have permission to add comments.
Sign in | Recent Site Activity | Report Abuse | Print Page | Powered By Google Sites
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn
4/08/2014
Knowledge
Base
Page 1 of 20
Home
BGP
Data Center
GPON
Hadoop
IP Multicast
IPv6
IS-IS
Juniper-JUNOS
L2VPN
LAN
Link Aggregation
LTE Notes
MPLS
NAT
OAM
OSPF
PBB
PPP
QoS
Security
Traffic Engineering
VPLS
VPN
GDOI-based DMVPN
In traditional DMVPN, if Spoke-to-Spoke direct connectivity is
enabled (i.e DMVPN Phase 2), a permanent IPSec tunnel is
maintained between the Spoke and the Hub, and a dynamic
IPSec tunnel is created on demand between the Spokes. When a
Spoke router wishes to send traffic to another Spoke router, it
sends a NHRP Resolution Request message to the DMVPN Hub for
the destination Spoke router. Once the mapping is received, the
Spoke router will initiate a dynamic IPSec tunnel with the
destination Spoke router. Until this dynamic IPSec tunnel is
created, traffic flows through the Hub. If traffic needs to come in
reverse direction, the destination Spoke router follows the same
process towards the originating Spoke router.
When a dynamic IPSec tunnel is created for Spoke-to-Spoke
connectivity, it introduces a slight delay caused by IPSec
negotiation which can lead to poor performance for certain realtime applications like VOIP. GDOI eliminates this delay.
With GDOI, the DMVPN Hub and Spokes are the Group Members
(GMs). Group Keys and security policies are distributed to GMs by
the Key Server (KS)- a separate Cisco IOS router. This eliminates
the point-to-point IPSec session between the GMs. Once NHRP
resolution is completed, the Spokes can communicate using the
same key. This reduces delay between Spoke-to-Spoke
communication by eliminating creation of dynamic IPSec
tunnels between them.
Attachments
Sample Scenario
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
4/08/2014
Page 2 of 20
KS Configuration
crypto key generate rsa general-keys label GDOI_KEYS
modulus 1024 exportable
!
crypto isakmp policy 10
authentication pre-share
!
!---- Manually configuring pre-shared keys for all GMs
!
crypto isakmp key 0 cisco address 2.2.2.2
! Hub
router
crypto isakmp key 0 cisco address 11.11.11.11
! Spoke1
router
crypto isakmp key 0 cisco address 12.12.12.12
! Spoke2
router
crypto isakmp key 0 cisco address 13.13.13.13
! Spoke3
router
!
crypto ipsec transform-set GDOI_TS edp-3des esp-md5-hmac
!
crypto ipsec profile GDOI_PROFILE
set transform-set GDOI_TS
!
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
4/08/2014
Page 3 of 20
!
!
ip access-list extended ACL
permit gre any any
! Encrypt all GRE packets
!
! Disable next-hop
no ip split-horizon eigrp 10
advertised to Spoke routers
!
router eigrp 10
! routing instance for DMVPN
no auto-summary
network 192.168.100.0
network 192.168.1.0
!
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
4/08/2014
Page 4 of 20
GDOI Configuration
crypto isakmp policy 10
authentication pre-share
!
crypto isakmp key 0 cisco address 1.1.1.1
!
crypto gdoi group GDOI_GM
identity number 123
server address ipv4 1.1.1.1
! Address of KS
!
crypto map DMVPN local-address Loopback0
crypto map DMVPN 10 gdoi
set group GDOI_GM
!
interface serial 1/0
....
crypto map DMVPN
!
Verification
First all routers (Hub and Spokes) register with the KS and
download the policies configured on the KS. All routers complete
IKE Phase 1 with the KS and start GDOI protocol by sending
Register messages to the KS. In the end, the KS sends the Key
Download Payload which contains the KEK and TEK keys. The
below output shows successful IKE Phase 1 with all routers, but
no IKE Phase 2 on KS.
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
4/08/2014
Page 5 of 20
src
state
conn-id
1.1.1.1
ACTIVE
13.13.13.13
GDOI_IDLE
1004
1.1.1.1
ACTIVE
11.11.11.11
GDOI_IDLE
1002
1.1.1.1
ACTIVE
12.12.12.12
GDOI_IDLE
1003
1.1.1.1
ACTIVE
2.2.2.2
GDOI_IDLE
1001
: GDOI_GM
: 123
Rekeys received
IPSec SA Direction
: 1
: Both
: 1.1.1.1
: 1.1.1.1
GM Reregisters in
: 2287 secs
Rekeys received
Cumulative
After registration
Rekey Acks sent
: 1
: 1
: 1
: Unicast
: 86399
Encrypt Algorithm
Key Size
: 3DES
: 192
: HMAC_AUTH_SHA
: 1024
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
4/08/2014
Page 6 of 20
All GMs have a single IKE session with KS. Notice that the remote
endpoint peer is 0.0.0.0 i.e. Spoke1 is open for any other GM.
src
state
conn-id
1.1.1.1
ACTIVE
11.11.11.11
GDOI_IDLE
1001
11.11.11.11
ACTIVE
1.1.1.1
GDOI_REKEY
1002
11.11.11.11
ACTIVE
1.1.1.1
GDOI_REKEY
1003
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
4/08/2014
Page 7 of 20
spi: 0x42CE20E(70050318)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: SW:5, sibling_flags 80000040,
crypto map: DMVPN
sa timing: remaining key lifetime (sec): (2359)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x42CE20E(70050318)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: SW:6, sibling_flags 80000040,
crypto map: DMVPN
sa timing: remaining key lifetime (sec): (2359)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
This forms EIGRP adjacency over the tunnel interface and routes
are exchanged between DMVPN routers. Note that these EIGRP
packets are also encapsulated in GRE as they travel over tunnel
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
4/08/2014
Page 8 of 20
debug NHRP
Spoke3# debug nhrp
NHRP protocol debugging is on
Spoke3#
Spoke3# ping 192.168.2.1 source fastethernet 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2
seconds:
Packet sent with a source address of 192.168.4.1
*Jul
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
4/08/2014
Page 9 of 20
DEST 192.168.100.1
*Jul 1 00:02:32.959: NHRP: NHRP successfully resolved
192.168.100.1 to NBMA 172.17.1.1
*Jul 1 00:02:32.963: NHRP: Encapsulation succeeded.
Tunnel IP addr 172.17.1.1
*Jul 1 00:02:32.963: NHRP: Send Registration Request via
Tunnel10 vrf 0, packet size: 92
*Jul 1 00:02:32.963: NHRP: 120 bytes out Tunnel10
*Jul 1 00:02:33.199: NHRP: Receive Registration Reply via
Tunnel10 vrf 0, packet size: 112
*Jul
*Jul
with ouraddress
*Jul 1 00:02:35.223: NHR!!!P: Checking for delayed event
192.168.100.2/192.168.100.4 on list (Tunnel10).
*Jul 1 00:02:35.227: NHRP: No node found.
*Jul 1 00:02:35.227: NHRP: No need to delay processing of
resolution event nbma src:172.47.1.1 nbma dst:172.27.1.1
*Jul 1 00:02:35.231: NHRP: Attempting to send packet via
DEST 192.168.100.2
*Jul 1 00:02:35.231: NHRP: NHRP successfully resolved
192.168.100.2 to NBMA 172.17.1.1
*Jul
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
4/08/2014
Page 10 of 20
Comments
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
4/08/2014
Page 11 of 20
Sign in | Recent Site Activity | Report Abuse | Print Page | Powered By Google Sites
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
4/08/2014
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
Page 12 of 20
4/08/2014
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
Page 13 of 20
4/08/2014
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
Page 14 of 20
4/08/2014
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
Page 15 of 20
4/08/2014
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
Page 16 of 20
4/08/2014
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
Page 17 of 20
4/08/2014
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
Page 18 of 20
4/08/2014
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
Page 19 of 20
4/08/2014
https://sites.google.com/site/amitsciscozone/home/ipsec/gdoi-based-dmvpn
Page 20 of 20
4/08/2014
Knowledge
Base
Page 1 of 10
Home
BGP
Data Center
When a Group Member (GM) registers with a Key Server (KS) in GET
GPON
Hadoop
IP Multicast
IPv6
IS-IS
is used to download new group IPSec SAs (rekey SAs). The advantage of
enabling GDOI rekey is that the GMs do not need to re-register with the
KS every time the group IPSec SA lifetime expires. New group IPSec SAs
are downloaded even before the existing IPSec SAs expire.
Juniper-JUNOS
L2VPN
The KS can either unicast these rekey SAs to all GMs or just multicast to
LAN
Link Aggregation
LTE Notes
MPLS
NAT
OAM
OSPF
PBB
networks.
However, using multicast transport requires entire network to be
multicast enabled. This is could be an issue when the part of the network
belongs to the Service Provider. Even with GDOI-based DMVPN, it is not
possible as the Customer routers are directly connected to the Service
Provider routers.
PPP
The best way is to enable multicasting on the mGRE tunnel itself. This
QoS
Security
Traffic Engineering
VPLS
VPN
Attachments
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn-rekey-using-multicast
4/08/2014
Page 2 of 10
will fail. To overcome this, a static multicast entry is created to trick the
router into thinking that the source address is reachable through the
tunnel interface. This can be done using ip mroute command.
Sample Scenario
This scenario demonstrates rekey using multicast. RP election is based
on Cisco Auto-RP, however, only KS is configured as the Candidate-RP.
The KS is also the Mapping Agent (MA). The Mapping Agent is
responsible to send Group-to-RP mappings to the PIM routers.
It is very essential that the MA is located at the Hub site otherwise the
Cisco-RP-Discovery messages would not be sent across to other Spoke
routers if the MA was located behind a Spoke router, for example.
KS Configuration
The KS configuration is as follows:
KS Configuration
ip multicast-routing
!
interface Loopback 0
ip address 1.1.1.1 255.255.255.255
ip pim sparse-mode
!
interface Fastethernet 1/0
description Connection to Central router
ip address 10.1.1.2 255.255.255.0
ip pim sparse-mode
!
crypto key generate rsa general-keys label GDOI_KEYS modulus 1024
exportable
!
crypto isakmp policy 10
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn-rekey-using-multicast
4/08/2014
Page 3 of 10
authentication pre-share
!
crypto isakmp key 0 cisco address 2.2.2.2
! Central router
crypto isakmp key 0 cisco address 11.11.11.11
! GM-1 router
crypto isakmp key 0 cisco address 12.12.12.12
! GM-2 router
!
crypto ipsec transform-set GDOI_TS esp-3des esp-md5-hmac
!
crypto ipsec profile GDOI_PROFILE
set transform-set GDOI_TS
!
crypto gdoi group GDOI_GROUP
identity number 123
server local
!
rekey address ipv4 MULTICAST_REKEY
! Indicates
multicast address to which Rekey SAs must be sent
rekey lifetime seconds 300
! Rekeys will be
sent after 300 seconds
rekey retransmit 60 number 2
rekey authentication mypubkey rsa GDOI_KEYS
!
sa ipsec 1
profile GDOI_PROFILE
match address ipv4 ACL
replay time window-size 5
!
address ipv4 1.1.1.1
!
!
ip access-list extended MULTICAST_REKEY
remark Multicast address to which Rekey SAs will be sent
permit ip any host 239.10.10.1
!
ip access-list extended ACL
remark Interesting traffic to be encrypted
permit gre any any
!
ip pim send-rp-announce Loopback 0 scope 10 group-list 1
!
Advertise this router as Candidate-RP for the range defined in ACL
1
ip pim send-rp-discovery Loopback 0 scope 10
! Indicates
this router is the RP Mapping Agent
!
access-list 1 permit 239.0.0.0 0.255.255.255
!
DMVPN Configuration
The Central router is the Hub for DMVPN network. The configuration is as
below:
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn-rekey-using-multicast
4/08/2014
Page 4 of 10
!
crypto isakmp policy 10
authentication pre-share
!
crypto isakmp key 0 cisco address 1.1.1.1
!
crypto gdoi group GDOI_GM
identity number 123
server address ipv4 1.1.1.1
!
crypto map DMVPN local-address Loopback 0
crypto map DMVPN 10 gdoi
set group GDOI_GM
!
interface Serial 2/0
ip address 172.17.1.1 255.255.255.0
crypto map DMVPN
!
interface Tunnel 10
ip address 192.168.100.1 255.255.255.0
tunnel mode gre multipoint
tunnel source serial 2/0
tunnel key 123
ip nhrp map multicast dynamic
ip nhrp network-id 123
ip pim dr-priority 100
ip pim sparse-mode
ip pim nbma-mode
ip igmp join-group 239.10.10.1
!
router eigrp 10
! Routing instance for DMVPN network
no auto-summary
network 192.168.1.0
network 192.168.100.0
!
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn-rekey-using-multicast
4/08/2014
Page 5 of 10
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn-rekey-using-multicast
4/08/2014
Page 6 of 10
Verification
When the ip mroute 1.1.1.1 255.255.255.255 192.168.100.1
command is not applied to GM-2 router, all the PIM packets received on
its Tunnel interface will be dropped due to RPF check failure.
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn-rekey-using-multicast
4/08/2014
Page 7 of 10
RP Election
In this case, the KS is configured as the Candidate-RP. So, the KS starts
sending out RP-Discovery messages on multicast address 224.0.1.39 to
the RP Mapping Agent. Since, it is setup as the RP Mapping Agent as
well, it elects the RP based on the available information. The KS
becomes the RP for the range 239.0.0.0/8. It starts advertising itself as
the RP for the range in RP-Announce messages to multicast address
224.0.1.40 to other PIM routers. All PIM enabled routers receive this
Group-to-RP mapping.
Group-to-RP mapping
KS# show ip pim rp mapping
PIM Group-to-RP Mappings
This system is an RP (Auto-RP)
This system is an RP-mapping agent (Loopback0)
Group(s) 239.0.0.0/8
RP 1.1.1.1 (?), v2v1
Info source: 1.1.1.1 (?), elected via Auto-RP
Uptime: 00:06:03, expires: 00:02:54
Central# show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s) 239.0.0.0/8
RP 1.1.1.1 (?), v2v1
Info source: 1.1.1.1 (?), elected via Auto-RP
Uptime: 00:00:57, expires: 00:01:58
GM-1# show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s) 239.0.0.0/8
RP 1.1.1.1 (?), v2v1
Info source: 1.1.1.1 (?), elected via Auto-RP
Uptime: 00:00:43, expires: 00:02:14
GM-2# show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s) 239.0.0.0/8
RP 1.1.1.1 (?), v2v1
Info source: 1.1.1.1 (?), elected via Auto-RP
Uptime: 00:01:28, expires: 00:02:30
When all GMs register with the KS, they download the KEK and TEK
policies using GDOI. The KS is setup as below:
KS Policy
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn-rekey-using-multicast
4/08/2014
Page 8 of 10
GDOI_GROUP (Multicast)
123
3
Both
Local
300 secs
71 secs
60 secs
2
0 secs
1
3600 secs
GDOI_PROFILE
Time Based
5
3072 secs
access-list ACL
: Local
:
:
:
:
:
:
:
:
:
:
4
8
300
22
60
2
3600
2123
0
239.10.10.1
All the GMs download this policy and can be displayed as below on
Central router:
:
:
:
:
:
:
GDOI_GM
123
0
Both
1.1.1.1
1.1.1.1
GM Reregisters in
Rekey Received
: 3436 secs
: never
Rekeys received
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn-rekey-using-multicast
4/08/2014
Cumulative
After registration
Page 9 of 10
: 0
: 0
:
:
:
:
:
:
Multicast
299
3DES
192
HMAC_AUTH_SHA
1024
Multicast Rekeying
When the rekey lifetime is about to expire, the KS sends new rekey
messages. In this case, it will be sent to multicast address 239.10.10.1
configured on the KS router. Since the GMs are tuned to this multicast
address, they will also receive this message via Tunnel 10.
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn-rekey-using-multicast
4/08/2014
Page 10 of 10
Comments
You do not have permission to add comments.
Sign in | Recent Site Activity | Report Abuse | Print Page | Powered By Google Sites
https://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn-rekey-using-multicast
4/08/2014