A dynamic multipoint virtual private network (DMVPN) combines the technologies of generic routing encapsulation (GRE) tunnels, multipoint GRE (mGRE), Internet Protocol Security (IPsec), and Next Hop Resolution Protocol (NHRP) along with dynamic routing protocols. Such a network provides a framework that allows secure hub-and-spoke topologies to be deployed with less configuration on the hub devices than more traditional methods require, and without any need to reconfigure the hub when new spokes are added.
Phase 3 NHRP
In Phase 1 NHRP all of the NHRP information comes from the hub. In Phase 3 NHRP the hub is not the only source of NHRP information; the spoke devices also participate. When a spoke originates communication with another spoke, the traffic initially passes through the hub. The hub then sends an NHRP redirect message back to the originating spoke to let it know that it is using a suboptimal route. The originator sends an NHRP resolution request to the destination spoke, which replies directly (not via the hub) to the originator with full routing information rather than just the next-hop information. The originator then rewrites the CEF entry for the destination with the optimized path, a process known as NHRP shortcut.
Gateway_R1#conf t
Gateway_R1(config)#interface Tunnel137
Gateway_R1(config-if)#ip address 10.137.137.1 255.255.255.0
Gateway_R1(config-if)#ip nhrp authentication vpnkey
Gateway_R1(config-if)#ip nhrp map multicast dynamic
Gateway_R1(config-if)#ip nhrp map 10.137.137.2 199.200.202.202   static mapping of the other hub's tunnel address to its NBMA (transport) address; multicast mappings are only configured hub to hub or spoke to hub
Gateway_R1(config-if)#ip nhrp map multicast 199.200.202.202   send multicast (routing protocol) traffic to this NBMA address
Gateway_R1(config-if)#ip nhrp nhs 10.137.137.2   indicates the next-hop server for the tunnel
Gateway_R1(config-if)#ip nhrp network-id 137   the NHRP domain this tunnel belongs to
Gateway_R1(config-if)#ip nhrp shortcut
Gateway_R1(config-if)#ip nhrp redirect
Gateway_R1(config-if)#tunnel source E0/0
Gateway_R1(config-if)#tunnel mode gre multipoint
Gateway_R1(config-if)#tunnel key 137   the tunnel key acts as a form of weak security for the tunnel
Gateway_R1(config-if)#end
Gateway_R1(config-if)#tunnel protection ipsec profile IPSEC-IKEv2   this line is added last, once the IPsec profile has been created
The ip nhrp redirect command is configured on the hub to ensure that spoke-to-spoke connections use the remote spoke's tunnel address as the next hop rather than the hub.
The use of ip nhrp shortcut and ip nhrp redirect is what distinguishes Phase 3 (spoke-to-spoke) DMVPN from Phase 1 (hub-and-spoke).
Gateway_R2#conf t
Gateway_R2(config)#interface Tunnel137
Gateway_R2(config-if)#ip address 10.137.137.2 255.255.255.0
Gateway_R2(config-if)#ip nhrp authentication vpnkey
Gateway_R2(config-if)#ip nhrp map multicast dynamic
Gateway_R2(config-if)#ip nhrp map 10.137.137.1 199.200.201.200   static NHRP mapping for the other hub
Gateway_R2(config-if)#ip nhrp map multicast 199.200.201.200
Gateway_R2(config-if)#ip nhrp nhs 10.137.137.1
Gateway_R2(config-if)#ip nhrp network-id 137
Gateway_R2(config-if)#ip nhrp shortcut
Gateway_R2(config-if)#ip nhrp redirect
Gateway_R2(config-if)#tunnel source e0/0
Gateway_R2(config-if)#tunnel mode gre multipoint
Gateway_R2(config-if)#tunnel key 137
Gateway_R2(config-if)#tunnel protection ipsec profile IPSEC-IKEv2   this line is added last, once the IPsec profile has been created
Verification commands:
show ip nhrp
show dmvpn
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
R_Branch1#conf t
R_Branch1(config)#interface Tunnel137
R_Branch1(config-if)#ip address 10.137.137.3 255.255.255.0
R_Branch1(config-if)#ip nhrp authentication vpnkey
R_Branch1(config-if)#ip nhrp map 10.137.137.1 199.200.201.202   static NHRP mapping to hub 1 (Gateway_R1)
R_Branch1(config-if)#ip nhrp map multicast 199.200.201.202   send multicast traffic to hub 1's NBMA address
R_Branch1(config-if)#ip nhrp map 10.137.137.2 199.200.202.202   static NHRP mapping to hub 2 (Gateway_R2)
R_Branch1(config-if)#ip nhrp map multicast 199.200.202.202   send multicast traffic to hub 2's NBMA address
R_Branch1(config-if)#ip nhrp nhs 10.137.137.1   first next-hop server for the tunnel
R_Branch1(config-if)#ip nhrp nhs 10.137.137.2   second next-hop server for the tunnel
R_Branch1(config-if)#ip nhrp network-id 137
R_Branch1(config-if)#ip nhrp shortcut
R_Branch1(config-if)#tunnel source Ethernet0/0
R_Branch1(config-if)#tunnel mode gre multipoint
R_Branch1(config-if)#tunnel key 137
R_Branch1(config-if)#end
R_Branch1(config-if)#tunnel protection ipsec profile IPSEC-IKEv2   this line is added last, once the IPsec profile has been created
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Configure the same thing on R_Branch2:
R_Branch2#conf t
R_Branch2(config)#interface Tunnel137
R_Branch2(config-if)#ip address 10.137.137.4 255.255.255.0
R_Branch2(config-if)#ip nhrp authentication vpnkey
R_Branch2(config-if)#ip nhrp map 10.137.137.1 199.200.201.202
R_Branch2(config-if)#ip nhrp map multicast 199.200.201.202
R_Branch2(config-if)#ip nhrp map 10.137.137.2 199.200.202.202
R_Branch2(config-if)#ip nhrp map multicast 199.200.202.202
R_Branch2(config-if)#ip nhrp network-id 137
R_Branch2(config-if)#ip nhrp nhs 10.137.137.1
R_Branch2(config-if)#ip nhrp nhs 10.137.137.2
R_Branch2(config-if)#ip nhrp shortcut
R_Branch2(config-if)#tunnel source Ethernet0/0
R_Branch2(config-if)#tunnel mode gre multipoint
R_Branch2(config-if)#tunnel key 137
R_Branch2(config-if)#end
R_Branch2(config-if)#tunnel protection ipsec profile IPSEC-IKEv2   this line is added last, once the IPsec profile has been created
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
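All four Tunnel137 stanzas above have to agree on the NBMA (transport) address behind each tunnel address, on the network-id, the NHRP authentication string and the tunnel key, and every ip nhrp nhs needs a matching ip nhrp map. The Python checker below is an added example, not part of the original post; its input is constructed from trimmed copies of the Gateway_R2 and R_Branch1 stanzas, and on those values it reports that the two devices give different NBMA addresses for 10.137.137.1.

```python
from collections import defaultdict

# Constructed sample: the Tunnel137 stanzas of hub Gateway_R2 and spoke R_Branch1
# from the lab above, trimmed to the lines the checks below read.
LAB = {
    "Gateway_R2": """ip nhrp authentication vpnkey
 ip nhrp map 10.137.137.1 199.200.201.200
 ip nhrp nhs 10.137.137.1
 ip nhrp network-id 137
 tunnel key 137""",
    "R_Branch1": """ip nhrp authentication vpnkey
 ip nhrp map 10.137.137.1 199.200.201.202
 ip nhrp map 10.137.137.2 199.200.202.202
 ip nhrp nhs 10.137.137.1
 ip nhrp nhs 10.137.137.2
 ip nhrp network-id 137
 tunnel key 137""",
}

def parse_tunnel(text):
    """Collect static NHRP maps, NHS entries and the values every peer must share."""
    t = {"map": {}, "nhs": set()}
    for line in text.splitlines():
        w = line.split()
        if w[:3] == ["ip", "nhrp", "map"] and len(w) == 5 and w[3] != "multicast":
            t["map"][w[3]] = w[4]        # tunnel address -> NBMA (transport) address
        elif w[:3] == ["ip", "nhrp", "nhs"]:
            t["nhs"].add(w[3])
        elif w[1:3] in (["nhrp", "authentication"], ["nhrp", "network-id"]) or w[:2] == ["tunnel", "key"]:
            t[w[-2]] = w[-1]             # authentication string, network-id, tunnel key
    return t

def check_dmvpn(configs):
    """Return findings: NHS without a static map, NBMA disagreements, values that differ."""
    parsed = {dev: parse_tunnel(cfg) for dev, cfg in configs.items()}
    findings, nbma = [], defaultdict(set)
    for dev, t in parsed.items():
        for tun, phys in t["map"].items():
            nbma[tun].add(phys)
        for srv in sorted(t["nhs"] - set(t["map"])):
            findings.append(f"{dev}: nhs {srv} has no matching ip nhrp map")
    for tun, addrs in nbma.items():
        if len(addrs) > 1:               # peers disagree on where this tunnel address lives
            findings.append(f"{tun} mapped to different NBMA addresses: {sorted(addrs)}")
    for key in ("authentication", "network-id", "key"):
        if len({t.get(key) for t in parsed.values()}) > 1:
            findings.append(f"{key} differs between devices")
    return findings
```

Feed it the stanzas of all hubs and spokes (for example pasted from show running-config interface Tunnel137) and an empty list means the NHRP side of the DMVPN is consistent.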
There are three steps to create the IPsec configuration:
1. crypto ikev2 keyring
2. crypto ikev2 profile
3. crypto ipsec profile
Last, attach the IPsec profile to the tunnel interface with tunnel protection ipsec profile.
Gateway_R1#conf t
Gateway_R1(config)#crypto ikev2 keyring IKEv2-KEYRING
Gateway_R1(config-ikev2-keyring)#peer dmvpn-node
Gateway_R1(config-ikev2-keyring-peer)#address 0.0.0.0 0.0.0.0   any peer address matches this keyring entry
Gateway_R1(config-ikev2-keyring-peer)#pre-shared-key dmvpn<3y
Gateway_R1(config-ikev2-keyring-peer)#end
Gateway_R1#conf t
Gateway_R1(config)#crypto ikev2 profile IKEv2-PROFILE
Gateway_R1(config-ikev2-profile)#keyring local IKEv2-KEYRING
Gateway_R1(config-ikev2-profile)#authentication remote pre-share
Gateway_R1(config-ikev2-profile)#authentication local pre-share
Gateway_R1(config-ikev2-profile)#match identity remote any
Gateway_R1(config-ikev2-profile)#end
Gateway_R1#conf t
Gateway_R1(config)#crypto ipsec profile IPSEC-IKEv2
Gateway_R1(ipsec-profile)#set ikev2-profile IKEv2-PROFILE
Gateway_R1(ipsec-profile)#end
Gateway_R1#conf t
Gateway_R1(config)#interface Tunnel137
Gateway_R1(config-if)#tunnel protection ipsec profile IPSEC-IKEv2
Gateway_R1(config-if)#end
Do the same on Gateway_R2 and on both branch routers.
Gateway_R1#sh crypto ikev2 profile
IKEv2 profile: IKEv2-PROFILE
Ref Count: 1
Match criteria:
Fvrf: global
Local address/interface: none
Identities: any
Certificate maps: none
Local identity: none
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: IKEv2-KEYRING
Trustpoint(s): none
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
mode auto: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
Gateway_R1#show crypto ipsec profile
IPSEC profile IPSEC-IKEv2
IKEv2 Profile: IKEv2-PROFILE
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
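The two show commands above are how you confirm that the tunnel's IPsec profile points at an IKEv2 profile that actually exists and that its keyring is in place. The Python audit below is an added example, not part of the original post: it parses trimmed, constructed copies of that output, follows the chain from the IPsec profile the tunnel references to the IKEv2 profile, and lists the settings visible in the output that are worth a second look (match identity remote any with a pre-shared key, DPD disabled, PFS off).

```python
import re

# Constructed sample: trimmed lines of the two show commands in the lab above.
IKEV2_SHOW = """IKEv2 profile: IKEv2-PROFILE
Match criteria:
Identities: any
Local authentication method: pre-share
Remote authentication method(s): pre-share
Keyring: IKEv2-KEYRING
DPD: disabled"""
IPSEC_SHOW = """IPSEC profile IPSEC-IKEv2
IKEv2 Profile: IKEv2-PROFILE
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
IPSEC profile default
PFS (Y/N): N"""

HEADER = re.compile(r"^(?:IKEv2 profile:|IPSEC profile) (\S+)$")

def parse_profiles(text):
    """Split show output into {profile name: {field: value}}; one block per header line."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = profiles.setdefault(m.group(1), {})
        elif current is not None and ": " in line:
            field, value = line.split(": ", 1)
            current[field.strip()] = value.strip()
    return profiles

def audit_tunnel_protection(ipsec_name, ikev2_show, ipsec_show):
    """Follow the profile chain the tunnel uses and list settings worth a second look."""
    ipsec = parse_profiles(ipsec_show).get(ipsec_name)
    if ipsec is None:
        return [f"ipsec profile {ipsec_name} not found"]
    ikev2 = parse_profiles(ikev2_show).get(ipsec.get("IKEv2 Profile", ""))
    if ikev2 is None:
        return [f"{ipsec_name} references an IKEv2 profile that does not exist"]
    notes = []
    if ikev2.get("Identities") == "any" and "pre-share" in ikev2.get("Remote authentication method(s)", ""):
        notes.append("any remote identity is accepted; the pre-shared key is the only gate")
    if ikev2.get("DPD") == "disabled":
        notes.append("DPD disabled: a dead peer's SAs stay up until lifetime, NHRP or routing timers clear them")
    if ipsec.get("PFS (Y/N)") == "N":
        notes.append("PFS off: IPsec rekeys reuse IKEv2 SA keying material instead of a fresh DH exchange")
    return notes
```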