DMVPN: Dual Tier Headend Architecture

The Dual Tier architecture splits the mGRE and crypto functions across two different routers (or chassis). DMVPN involves three control planes: the routing control plane (NHRP next-hop resolution together with the routing protocol, EIGRP in this scenario), the GRE control plane (mGRE) and the IPsec control plane (dynamic crypto maps or, as in this scenario, GET VPN). In the Dual Tier design the routing and GRE control planes live on one router and the IPsec control plane on another.

Sample Scenario

This scenario deals with a Dual Tier Headend architecture in which the crypto functions are handled by dedicated Crypto Headend routers. There are two options for implementing IPsec in the sample scenario: (a) dynamic crypto maps on the Crypto Headend routers with static crypto maps on the Spoke routers, or (b) a GET VPN style architecture (a Key Server distributing one group SA to all members) over the DMVPN network.

The problem with option (a) is that a static crypto map on a Spoke router must name its IPsec peer, and that peer would be the HSRP virtual IP address of the Headend site. Traffic destined for another Spoke would then have no matching IPsec peer, so the dynamic spoke-to-spoke tunnels that are the main advantage of DMVPN would be lost. Option (b) avoids this and scales better: every group member shares the same group SA (KEK and TEK) downloaded from the Key Server, so a Spoke can encrypt traffic to any other Spoke or to the Headend without negotiating a pairwise IKE session. The Crypto Headend routers and the Spoke routers therefore become group members of the Key Server. The mGRE Headend router does not need to be a group member, since it performs no IPsec functions; it only routes packets that a group member has already encrypted.

Key Server (KS) Configuration

The Key Server distributes the IPsec policy (the group ACL, the TEK used for data encryption and the KEK used to protect rekey messages) to its group members. The pre-shared key `cisco` and the 3DES/MD5 transform set in the listing are lab placeholders. The configuration of the KS is as below:

KS Configuration

interface Loopback 0
 ip address 1.1.1.1 255.255.255.255
!
! exec-mode command (not part of the running-config); generates the RSA key that signs rekey messages
crypto key generate rsa general-keys label GDOI_KEYS modulus 1024 exportable
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key 0 cisco address 3.3.3.3         ! Crypto Headend-1 router
crypto isakmp key 0 cisco address 4.4.4.4         ! Crypto Headend-2 router
crypto isakmp key 0 cisco address 11.11.11.11     ! Spoke1 router
crypto isakmp key 0 cisco address 12.12.12.12     ! Spoke2 router
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile GDOI_PROFILE
 set transform-set TS
!
crypto gdoi group GDOI_GROUP
 identity number 123
 server local
  rekey retransmit 60 number 2
  rekey transport unicast
  rekey authentication mypubkey rsa GDOI_KEYS
  sa ipsec 1
   profile GDOI_PROFILE
   match address ipv4 ACL
   replay time window-size 5
   !
  address ipv4 1.1.1.1
 !
!
ip access-list extended ACL
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
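The listing above uses values that should not reach production: one pre-shared key (`cisco`) shared by every peer, 3DES with MD5 for the TEK, and a 1024-bit key for signing rekeys. The following is a hardened variant of the same Key Server, added here as an example and not part of the original page. It keeps the group identity, the ACL and the rekey transport from above; the per-member secrets in angle brackets, the 2048-bit modulus and the AES/SHA-2 choices are assumptions of this example.

```cisco
! Added example (not from the original page): hardened Key Server for group 123.
! Secrets shown in angle brackets are placeholders.
interface Loopback 0
 ip address 1.1.1.1 255.255.255.255
!
! Exec-mode command. 2048-bit key used to sign rekey messages; 'exportable' is
! only needed when the key must be copied to a cooperative Key Server.
crypto key generate rsa general-keys label GDOI_KEYS modulus 2048
!
! IKEv1 phase 1 used for GDOI registration: AES-256 / SHA-256 / DH group 14
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! One distinct pre-shared key per group member. With 'key config-key
! password-encrypt' and 'password encryption aes' configured, IOS stores
! these as type-6 (AES-encrypted) keys instead of clear text.
crypto isakmp key 0 <secret-headend1> address 3.3.3.3       ! Crypto Headend-1 router
crypto isakmp key 0 <secret-headend2> address 4.4.4.4       ! Crypto Headend-2 router
crypto isakmp key 0 <secret-spoke1> address 11.11.11.11     ! Spoke1 router
crypto isakmp key 0 <secret-spoke2> address 12.12.12.12     ! Spoke2 router
!
! TEK transform: AES-256 with SHA-2 integrity (use esp-sha-hmac on images
! without SHA-2 support)
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
crypto ipsec profile GDOI_PROFILE
 set transform-set TS
!
crypto gdoi group GDOI_GROUP
 identity number 123
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 86400
  rekey retransmit 60 number 2
  rekey transport unicast
  rekey authentication mypubkey rsa GDOI_KEYS
  sa ipsec 1
   profile GDOI_PROFILE
   match address ipv4 ACL
   replay time window-size 5
  address ipv4 1.1.1.1
!
! Group ACL: only traffic matched here is encrypted by the members; anything
! else they forward leaves in clear text.
ip access-list extended ACL
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
```

The group members need the matching changes: the same ISAKMP policy, their own pre-shared key for the KS address, and nothing else, because the transform set and the ACL are downloaded from the Key Server rather than configured on each member.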

mGRE Configuration

The mGRE Headend router houses the routing and GRE control planes. Its configuration is as below:

mGRE Headend Router Configuration

interface Serial 0/0
 ip address 172.17.1.1 255.255.255.0
!
interface Fastethernet 0/0
 ip address 10.1.1.4 255.255.255.0
!
interface Tunnel 10
 ip address 172.168.100.1 255.255.255.0
 tunnel mode gre multipoint
 tunnel source Serial 0/0
 tunnel key 123
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 no ip next-hop-self eigrp 10
 no ip split-horizon eigrp 10
!
router eigrp 10
 no auto-summary
 network 172.168.100.0
 network 10.1.1.0
 redistribute static
!
ip route 192.168.1.0 255.255.255.0 10.1.1.1    ! Forwards all traffic for 192.168.1.0/24 to the HSRP virtual IP address 10.1.1.1; the static route is preferred over the EIGRP route the Crypto Headends advertise with their physical addresses as next hop, and is redistributed to the Spokes
!

The configuration on Spoke routers is as below:

mGRE Configuration on Spoke1 Router

interface Loopback 0
 ip address 11.11.11.11 255.255.255.255
!
interface Tunnel 10
 ip address 172.168.100.2 255.255.255.0
 tunnel mode gre multipoint
 tunnel source Serial 0/0
 tunnel key 123
 ip nhrp nhs 172.168.100.1
 ip nhrp map 172.168.100.1 172.17.1.1
 ip nhrp map multicast 172.17.1.1
 ip nhrp network-id 123
!
router eigrp 10
 no auto-summary
 network 11.0.0.0
 network 172.168.100.0
 network 192.168.2.0
!

mGRE Configuration on Spoke2 router

interface Loopback 0
 ip address 12.12.12.12 255.255.255.255
!
interface Tunnel 10
 ip address 172.168.100.3 255.255.255.0
 tunnel mode gre multipoint
 tunnel source Serial 0/0
 tunnel key 123
 ip nhrp nhs 172.168.100.1
 ip nhrp map 172.168.100.1 172.17.1.1
 ip nhrp map multicast 172.17.1.1
 ip nhrp network-id 123
!
router eigrp 10
 no auto-summary
 network 12.0.0.0
 network 172.168.100.0
 network 192.168.3.0
!

IPSec Configuration

The Crypto Headend routers house the crypto control plane. At the Hub site, HSRP runs between the two Crypto Headend routers on the interface facing the mGRE Headend router to provide high availability, and the crypto map is applied to that same interface so that whichever router holds the virtual address also performs the IPsec processing.

IPSec Configuration on Crypto Headend-1 router

crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key 0 cisco address 1.1.1.1
!
crypto gdoi group GDOI_GM
 identity number 123
 server address ipv4 1.1.1.1
!
crypto map CRYPTO 10 gdoi
 set group GDOI_GM
!
interface Fastethernet 0/0
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 name CRYPTO_FOR_HSRP
 standby 1 priority 105
 standby 1 preempt
 standby 1 timers msec 15 msec 50
 standby 1 track fastethernet 0/1     ! LAN-side interface; the default decrement of 10 drops the priority to 95, below the 100 of Crypto Headend-2
 crypto map CRYPTO
!
router eigrp 10
 no auto-summary
 network 10.1.1.0
 network 192.168.1.0
!

IPSec Configuration on Crypto Headend-2 router

crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key 0 cisco address 1.1.1.1
!
crypto gdoi group GDOI_GM
 identity number 123
 server address ipv4 1.1.1.1
!
crypto map CRYPTO 10 gdoi
 set group GDOI_GM
!
interface Fastethernet 0/0
 ip address 10.1.1.3 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 name CRYPTO_FOR_HSRP
 standby 1 timers msec 15 msec 50
 standby 1 track fastethernet 0/1
 standby 1 preempt
 crypto map CRYPTO
!
router eigrp 10
 no auto-summary
 network 10.1.1.0
 network 192.168.1.0
!

On the Spoke routers the crypto map is applied to the Tunnel interface, since both 10.1.1.0/24 and 192.168.1.0/24 are reached through the tunnel. Packets for 192.168.1.0/24 are encrypted on the Spoke, carried over GRE to the mGRE Headend, and delivered by its static route to the virtual address 10.1.1.1, where the active HSRP router decrypts them.

IPSec Configuration on Spoke1 router

crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key 0 cisco address 1.1.1.1
!
crypto gdoi group GDOI_GM
 identity number 123
 server address ipv4 1.1.1.1
!
crypto map CRYPTO 10 gdoi
 set group GDOI_GM
!
interface Tunnel 10
 ip address 172.168.100.2 255.255.255.0
 ....
 crypto map CRYPTO
!

IPSec Configuration on Spoke2 router

crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key 0 cisco address 1.1.1.1
!
crypto gdoi group GDOI_GM
 identity number 123
 server address ipv4 1.1.1.1
!
crypto map CRYPTO 10 gdoi
 set group GDOI_GM
!
interface Tunnel 10
 ip address 172.168.100.3 255.255.255.0
 ....
 crypto map CRYPTO
!
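Two things the Spoke listings leave implicit. First, the Key Server holds pre-shared keys only for the Spoke loopback addresses (11.11.11.11 and 12.12.12.12), while the crypto map sits on the Tunnel interface, so the GDOI registration has to be sourced from Loopback 0. Second, the crypto map on the Tunnel interface encrypts only the packets matched by the group ACL (192.168.0.0/16) before GRE encapsulation; the GRE tunnel itself, and with it the NHRP registrations and resolutions and the EIGRP updates, crosses the WAN in clear text, and `tunnel key 123` is a demultiplexing value, not an authentication control. The fragment below, added here as an example and not part of the original page, sources the registration from the loopback and authenticates NHRP and EIGRP on the Spoke1 tunnel. The key strings are placeholders, and the same settings must be applied on Spoke2 and on Tunnel 10 of the mGRE Headend router.

```cisco
! Added example (not from the original page): additions for the Spoke1 router.
! Key strings in angle brackets are placeholders.
!
! Source the GDOI registration (IKE to 1.1.1.1) from Loopback 0 so that the KS
! matches it against its 'crypto isakmp key ... address 11.11.11.11' entry.
crypto map CRYPTO local-address Loopback 0
!
key chain EIGRP_KEYS
 key 1
  key-string <eigrp-secret>
!
interface Tunnel 10
 ! NHRP authentication is a clear-text tag (max 8 characters) that only
 ! prevents accidental mis-peering; it is not a cryptographic control.
 ip nhrp authentication <nhrptag>
 ! Authenticate EIGRP adjacencies, which form over the unencrypted tunnel
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 EIGRP_KEYS
!
```

One further caveat: a GET VPN group member forwards traffic in clear text until it has registered with the Key Server, and after registration it still forwards in clear text anything the downloaded ACL does not match. The `fail-close` option of a GDOI crypto map closes the pre-registration window, but it then needs explicit exceptions for the traffic the overlay depends on (EIGRP on the tunnel and the registration itself), so work those out before enabling it.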

Verification

All group members register with the Key Server; after a successful IKE Phase 1 the KS pushes the group policy (the ACL, the KEK and the TEK). The output below shows the policy downloaded by the Spoke1 router. Note that the inbound and outbound IPsec SAs carry the same SPI: it is one group SA shared by every member, not a pairwise SA.

Policy downloaded by Spoke1 router

Spoke1# show crypto gdoi
GROUP INFORMATION
    Group Name               : GDOI_GM
    Group Identity           : 123
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 1.1.1.1
    Group Server list        : 1.1.1.1
    GM Reregisters in        : 3357 secs
    Rekey Received           : never
    Rekeys received
         Cumulative          : 0
         After registration  : 0
    Rekey Acks sent          : 0
 ACL Downloaded From KS 1.1.1.1:
   access-list  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 86399
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024
TEK POLICY:
  Tunnel10:
    IPsec SA:
        sa direction:inbound
        spi: 0x6ECBE7BC(1858856892)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (3475)
        Anti-Replay(Time Based) : 5 sec interval
    IPsec SA:
        sa direction:outbound
        spi: 0x6ECBE7BC(1858856892)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (3475)
        Anti-Replay(Time Based) : 5 sec interval

The Crypto Headend-1 router becomes the active HSRP router because of its higher priority (105 versus the default 100 on the Crypto Headend-2 router).

Active HSRP router

Crypto_Headend_1# show standby
FastEthernet0/1 - Group 1
  State is Active
    2 state changes, last state change 00:15:03
  Virtual IP address is 10.1.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.488 secs
  Preemption enabled
  Active router is local
  Standby router is 10.1.1.3, priority 100 (expires in 7.224 sec)
  Priority 105 (configured 105)
  Group name is "CRYPTO_FOR_HSRP" (cfgd)

The Spoke routers also register with the mGRE Headend router using NHRP, so the Headend learns the Tunnel IP to NBMA IP mappings dynamically (visible with show ip nhrp on the Headend).

Consider Spoke1 sending ICMP traffic to the 192.168.1.0/24 network, sourced from 192.168.2.0/24. If the Crypto Headend-1 router fails mid-stream, the Crypto Headend-2 router becomes the active HSRP router. Because the mGRE Headend forwards everything for 192.168.1.0/24 to the virtual address 10.1.1.1, and because Crypto Headend-2 already holds the same group keys downloaded from the Key Server, it accepts the encrypted traffic, decrypts it and forwards it to the proper destination. No IKE or IPsec renegotiation is needed, which is why the outage seen below lasts only a few packets.

Failover test

Crypto_Headend_2# show standby
FastEthernet0/1 - Group 1
  State is Active
    7 state changes, last state change 00:00:46
  Virtual IP address is 10.1.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 15 msec, hold time 50 msec
    Next hello sent in 0.003 secs
  Preemption enabled
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
  Group name is "CRYPTO_FOR_HSRP" (cfgd)

Spoke1# ping 192.168.1.3 source fa 0/0 repeat 500
Type escape sequence to abort.
Sending 500, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!U.......!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 92 percent (113/122), round-trip min/avg/max = 12/148/400 ms