DMVPN: Dual Tier Headend Architecture
The Dual Tier architecture splits the mGRE and crypto functions across two different routers (or chassis). DMVPN usually involves three different control planes: the Routing control plane (NHRP), the GRE control plane (mGRE) and the IPSec control plane (Dynamic Crypto map). In the Dual Tier design the routing and GRE control planes are on one router and the IPSec control plane is on another.
Sample Scenario
This scenario deals with the Dual Tier Headend architecture, in which the crypto functions are handled by dedicated Crypto Headend routers. There are two possible options to implement IPSec in the sample scenario: a) Dynamic Crypto maps on the Crypto Headend routers and Static Crypto maps on the Spoke routers, or b) a GET VPN style architecture over the DMVPN network.
The issue with option (a) is that if Static Crypto maps pointing to the HSRP Virtual IP address at the Headend site are applied to the Spoke routers, every IPSec SA terminates at the Headend and the whole advantage of DMVPN's dynamic Spoke-to-Spoke tunnels is lost. Hence option (b) is used, which is more scalable and the appropriate choice. The Crypto Headend routers and the Spoke routers become group members of the Key Server. Note that the mGRE Headend router does not need to be a group member of the Key Server, as it won't perform any IPSec functions.
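As an added example (not part of the original post), the following Python models the wildcard-mask ACL that the Key Server pushes to its group members (permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255, from the KS configuration below) and classifies constructed sample flows against it. It shows why option (b) keeps Spoke-to-Spoke tunnels usable: whether a packet is encrypted is decided by the group ACL and the shared group key, not by a per-peer crypto map pointing at the Headend.

```python
# Added example, not from the original post: evaluate the GET VPN group ACL
# that the Key Server distributes, to see which flows the group SA protects.
import ipaddress

# ACL as downloaded from the KS (from the page); the flows below are constructed.
KS_ACL = ["permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255"]

SAMPLE_FLOWS = {
    "spoke1 LAN -> hub LAN":        ("192.168.2.1", "192.168.1.3"),
    "spoke1 LAN -> spoke2 LAN":     ("192.168.2.1", "192.168.3.1"),
    "tunnel overlay (EIGRP/NHRP)":  ("172.168.100.2", "172.168.100.1"),
    "spoke1 LAN -> mGRE hub":       ("192.168.2.1", "10.1.1.4"),
}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse 'permit|deny ip SRC SRC_WC DST DST_WC', the only form the KS uses here."""
    action, proto, src, src_wc, dst, dst_wc = line.split()
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    return action, (src, src_wc), (dst, dst_wc)

def classify(acl, src, dst):
    """First matching ACE wins: 'encrypt' on permit, 'clear' on deny or no match."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return "encrypt" if action == "permit" else "clear"
    return "clear"   # GET VPN forwards unmatched traffic unencrypted

def classify_all(acl, flows):
    """Map each named flow to its verdict under the given ACL."""
    return {name: classify(acl, s, d) for name, (s, d) in flows.items()}

if __name__ == "__main__":
    for name, verdict in classify_all(KS_ACL, SAMPLE_FLOWS).items():
        print(f"{name:30} {verdict}")
```

Anything that misses the group ACL, such as the overlay control traffic or a Spoke LAN host talking to the 10.1.1.0/24 Headend subnet, crosses the GRE tunnel unencrypted, so the KS ACL is worth reviewing against every prefix the Spokes actually route.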
Key Server (KS) Configuration
The Key Server is responsible for distributing the IPSec policies to its group members. The configuration of the KS is as below:
KS Configuration
interface Loopback 0
 ip address 1.1.1.1 255.255.255.255
!
crypto key generate rsa general-keys label GDOI_KEYS modulus 1024 exportable
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key 0 cisco address 3.3.3.3       ! Crypto Headend-1 router
crypto isakmp key 0 cisco address 4.4.4.4       ! Crypto Headend-2 router
crypto isakmp key 0 cisco address 11.11.11.11   ! Spoke1 router
crypto isakmp key 0 cisco address 12.12.12.12   ! Spoke2 router
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile GDOI_PROFILE
 set transform-set TS
!
crypto gdoi group GDOI_GROUP
 identity number 123
 server local
  rekey retransmit 60 number 2
  rekey transport unicast
  rekey authentication mypubkey rsa GDOI_KEYS
  sa ipsec 1
   profile GDOI_PROFILE
   match address ipv4 ACL
   replay time window-size 5
  !
  address ipv4 1.1.1.1
!
!
ip access-list extended ACL
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
mGRE Configuration
The mGRE Headend router houses the Routing and GRE control planes. The configuration is as below:
mGRE Headend Router Configuration
interface Serial 0/0
 ip address 172.17.1.1 255.255.255.0
!
interface Fastethernet 0/0
 ip address 10.1.1.4 255.255.255.0
!
interface Tunnel 10
 ip address 172.168.100.1 255.255.255.0
 tunnel mode gre multipoint
 tunnel source Serial 0/0
 tunnel key 123
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 no ip next-hop-self eigrp 10
 no ip split-horizon eigrp 10
!
router eigrp 10
 no auto-summary
 network 172.168.100.0
 network 10.1.1.0
 redistribute static
!
! Forwards all traffic for the 192.168.1.0/24 network to the HSRP Virtual IP address 10.1.1.1
ip route 192.168.1.0 255.255.255.0 10.1.1.1
!
The configuration on the Spoke routers is as below:
mGRE Configuration on Spoke1 Router
interface Loopback 0
 ip address 11.11.11.11 255.255.255.255
!
interface Tunnel 10
 ip address 172.168.100.2 255.255.255.0
 tunnel mode gre multipoint
 tunnel source Serial 0/0
 tunnel key 123
 ip nhrp nhs 172.168.100.1
 ip nhrp map 172.168.100.1 172.17.1.1
 ip nhrp map multicast 172.17.1.1
 ip nhrp network-id 123
!
router eigrp 10
 no auto-summary
 network 11.0.0.0
 network 172.168.100.0
 network 192.168.2.0
!
mGRE Configuration on Spoke2 router
interface Loopback 0
 ip address 12.12.12.12 255.255.255.255
!
interface Tunnel 10
 ip address 172.168.100.3 255.255.255.0
 tunnel mode gre multipoint
 tunnel source Serial 0/0
 tunnel key 123
 ip nhrp nhs 172.168.100.1
 ip nhrp map 172.168.100.1 172.17.1.1
 ip nhrp map multicast 172.17.1.1
 ip nhrp network-id 123
!
router eigrp 10
 no auto-summary
 network 12.0.0.0
 network 172.168.100.0
 network 192.168.3.0
!
IPSec Configuration
The Crypto Headend routers house the crypto control plane. At the Hub site, HSRP is also implemented between the two Crypto Headend routers to provide high availability.
IPSec Configuration on Crypto Headend-1 router
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key 0 cisco address 1.1.1.1
!
crypto gdoi group GDOI_GM
 identity number 123
 server address ipv4 1.1.1.1
!
crypto map CRYPTO 10 gdoi
 set group GDOI_GM
!
interface Fastethernet 0/0
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 105
 standby 1 preempt
 standby 1 timers msec 15 msec 50
 standby 1 track fastethernet 0/1
 crypto map CRYPTO
!
router eigrp 10
 no auto-summary
 network 10.1.1.0
 network 192.168.1.0
!
IPSec Configuration on Crypto Headend-2 router
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key 0 cisco address 1.1.1.1
!
crypto gdoi group GDOI_GM
 identity number 123
 server address ipv4 1.1.1.1
!
crypto map CRYPTO 10 gdoi
 set group GDOI_GM
!
interface Fastethernet 0/0
 ip address 10.1.1.3 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 timers msec 15 msec 50
 standby 1 track fastethernet 0/1
 standby 1 preempt
 crypto map CRYPTO
!
router eigrp 10
 no auto-summary
 network 10.1.1.0
 network 192.168.1.0
!
On the Spoke routers the crypto map is applied to the Tunnel interface, as the 10.1.1.0/24 and 192.168.1.0/24 networks are reachable through the tunnel; on the Crypto Headend routers it is applied to Fastethernet 0/0, the interface that carries the HSRP Virtual IP. The active HSRP router at the Headend responds to the Spoke routers.
IPSec Configuration on Spoke1 router
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key 0 cisco address 1.1.1.1
!
crypto gdoi group GDOI_GM
 identity number 123
 server address ipv4 1.1.1.1
!
crypto map CRYPTO 10 gdoi
 set group GDOI_GM
!
interface Tunnel 10
 ip address 172.168.100.2 255.255.255.0
 ....
 crypto map CRYPTO
!
IPSec Configuration on Spoke2 router
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key 0 cisco address 1.1.1.1
!
crypto gdoi group GDOI_GM
 identity number 123
 server address ipv4 1.1.1.1
!
crypto map CRYPTO 10 gdoi
 set group GDOI_GM
!
interface Tunnel 10
 ip address 172.168.100.3 255.255.255.0
 ....
 crypto map CRYPTO
!
Verification
All the group members register with the Key Server and, after a successful IKE Phase 1, download the group's IPSec policies (the KEK and TEK policies). The output below shows the policy downloaded by the Spoke1 router.
GDOI policy downloaded by Spoke1 router
Spoke1# show crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI_GM
    Group Identity           : 123
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 1.1.1.1
    Group Server list        : 1.1.1.1

    GM Reregisters in        : 3357 secs
    Rekey Received           : never

    Rekeys received
         Cumulative          : 0
         After registration  : 0
    Rekey Acks sent          : 0

 ACL Downloaded From KS 1.1.1.1:
   access-list  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 86399
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024

TEK POLICY:
  Tunnel10:
    IPsec SA:
        sa direction:inbound
        spi: 0x6ECBE7BC(1858856892)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (3475)
        Anti-Replay(Time Based) : 5 sec interval

    IPsec SA:
        sa direction:outbound
        spi: 0x6ECBE7BC(1858856892)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (3475)
        Anti-Replay(Time Based) : 5 sec interval

The Crypto Headend-1 router becomes the active HSRP router due to its higher priority (105, compared to 100 on the Crypto Headend-2 router).
Active HSRP router
Crypto_Headend_1# show standby
FastEthernet0/1 - Group 1
  State is Active
    2 state changes, last state change 00:15:03
  Virtual IP address is 10.1.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.488 secs
  Preemption enabled
  Active router is local
  Standby router is 10.1.1.3, priority 100 (expires in 7.224 sec)
  Priority 105 (configured 105)
  Group name is "CRYPTO_FOR_HSRP" (cfgd)

The Spoke routers also register with the mGRE Headend router using NHRP, so the Headend learns the Tunnel IP address to NBMA IP address mappings dynamically.
When the Spoke1 router sends ICMP traffic sourced from 192.168.2.0/24 to the 192.168.1.0/24 network and the Crypto Headend-1 router fails part-way through, the Crypto Headend-2 router becomes the active HSRP router. Since the mGRE Headend router forwards that traffic to 10.1.1.1, the Crypto Headend-2 router accepts the encrypted traffic, decrypts it and forwards it to the proper destination.
Failover test
Crypto_Headend_2# show standby
FastEthernet0/1 - Group 1
  State is Active
    7 state changes, last state change 00:00:46
  Virtual IP address is 10.1.1.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 15 msec, hold time 50 msec
    Next hello sent in 0.003 secs
  Preemption enabled
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
  Group name is "CRYPTO_FOR_HSRP" (cfgd)

Spoke1# ping 192.168.1.3 source fa 0/0 repeat 500
Type escape sequence to abort.
Sending 500, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!U.......!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 92 percent (113/122), round-trip min/avg/max = 12/148/400 ms
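Before trusting the verification output, the parameters that must agree across the devices (tunnel key and NHRP network-id between the mGRE Headend and the Spokes; GDOI identity number and Key Server address between the KS and each group member; the crypto map actually applied on the Spoke tunnel) can be cross-checked mechanically. The following Python is an added example, not part of the original post; the config strings are trimmed copies of the configurations above, and the helper names are my own.

```python
# Added example, not from the original post: cross-check the DMVPN and GDOI
# parameters that have to agree between the KS, the mGRE Headend and a Spoke.
import re

# Trimmed copies of the page's configurations (constructed input).
KS_CFG = """crypto gdoi group GDOI_GROUP
 identity number 123
 server local
  rekey transport unicast
  address ipv4 1.1.1.1
ip access-list extended ACL
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255"""

HUB_CFG = """interface Tunnel 10
 tunnel key 123
 ip nhrp map multicast dynamic
 ip nhrp network-id 123"""

SPOKE1_CFG = """interface Tunnel 10
 tunnel key 123
 ip nhrp nhs 172.168.100.1
 ip nhrp network-id 123
 crypto map CRYPTO
crypto gdoi group GDOI_GM
 identity number 123
 server address ipv4 1.1.1.1"""

def first(pattern, cfg):
    """Return the first capture of a line-anchored regex, or None if absent."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def dmvpn_params(cfg):
    return {"tunnel_key": first(r"^\s*tunnel key (\S+)", cfg),
            "nhrp_id": first(r"^\s*ip nhrp network-id (\S+)", cfg)}

def gdoi_params(cfg):
    # The optional 'server ' prefix covers the GM form; the line anchor keeps
    # the KS's 'match address ipv4 ACL' line from matching.
    return {"identity": first(r"^\s*identity number (\S+)", cfg),
            "ks_addr": first(r"^\s*(?:server )?address ipv4 (\S+)", cfg)}

def check_consistency(ks_cfg, hub_cfg, spoke_cfg):
    """Return a list of mismatches; an empty list means the configs agree."""
    problems = []
    hub, spoke = dmvpn_params(hub_cfg), dmvpn_params(spoke_cfg)
    for key in ("tunnel_key", "nhrp_id"):
        if hub[key] != spoke[key]:
            problems.append(f"{key}: hub={hub[key]} spoke={spoke[key]}")
    ks, gm = gdoi_params(ks_cfg), gdoi_params(spoke_cfg)
    for key, label in (("identity", "gdoi identity"), ("ks_addr", "ks address")):
        if ks[key] != gm[key]:
            problems.append(f"{label}: ks={ks[key]} gm={gm[key]}")
    # A GM with no crypto map applied to an interface sends its GRE payload in clear
    if not re.search(r"^\s*crypto map \S+\s*$", spoke_cfg, re.M):
        problems.append("spoke: crypto map not applied to an interface")
    return problems
```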