
Shared IPsec with DMVPN and VRF-Lite

posted in Cisco Networking, Technical on October 11th, 2010


Not long ago I was tasked with developing a connectivity solution for some remote sites that we needed to connect to our corporate WAN but where our preferred Service Provider was not available. Indeed, the only connectivity these sites had was a standard Internet connection using the local ISP.

Our SP provides us with an MPLS service, and we have a couple of different MPLS VPNs that we use for different purposes. One use is extending different security zones across the WAN to offer various services to our remote sites. With MPLS this was easy. With the Internet, being able to offer the same service to our client seemed to cause more problems than it was worth.

After doing a little research I came up with a design that combined a couple of different technologies. I’m a huge DMVPN fan, and whenever I need to do hub-and-spoke with VPNs I’m always vocalizing my view. Our organization also uses VRF-Lite extensively to segregate traffic within our network. Using it here seemed like the best way to avoid having a separate physical hub router for each security zone I wanted to extend to a remote site. After getting this far I thought to myself “Wouldn’t it be nice if I could send ALL my GRE tunnels down a single IPsec tunnel?” Well, lo and behold, this is possible.

So now that I’ve bored you with background, let’s jump into some of this config. I’m going to assume you are familiar with phase 1 DMVPN (hub and spoke only), and VRF-Lite. I’m not using anything fancy with either of these, only the most basic of functions. I’m also using static routing over DMVPN instead of a dynamic protocol.

Let’s start with a diagram of what we’re doing here. This is a conceptual picture of what I’m doing. The coloured lines represent the GRE tunnels, not the IPsec tunnels (IPsec is not shown here, but know for now that there will only be a single IPsec tunnel per spoke site. I’ll prove it later).

Diagram

Here’s the hub config. It first creates the VRFs we’re going to use. Then it sets up the IPsec phase 1 and phase 2 attributes before creating an IPsec profile; DMVPN uses crypto profiles instead of crypto maps. Then we move into the GRE tunnel interfaces and the NHRP parameters. As this is the NHRP hub there are no map statements other than the “multicast dynamic” line. You’ll notice that the crypto profile is applied with a special keyword on the end: shared. This is where we’re telling this GRE interface that the IPsec tunnel we’re using is shared amongst other players. The config then ends with the subinterfaces for the LAN side networks, and some static routes to the far side LANs over the DMVPN cloud.

Hub Config

ip vrf 101
 rd 101:0
!
ip vrf 102
 rd 102:0
!
ip vrf 103
 rd 103:0
!
ip vrf 104
 rd 104:0
!
!
crypto keyring DMVPN
  pre-shared-key address 0.0.0.0 0.0.0.0 key CRYPTO_KEY
!
crypto isakmp policy 100
 encr aes 192
 authentication pre-share
 group 2
!
!
crypto ipsec transform-set AES_256 esp-aes 256
!
crypto ipsec profile SHARED_DMVPN
 set transform-set AES_256
!
interface Tunnel101
 ip vrf forwarding 101
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NHRP1
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp holdtime 30
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile SHARED_DMVPN shared
!
interface Tunnel102
 ip vrf forwarding 102
 ip address 192.168.20.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NHRP2
 ip nhrp map multicast dynamic
 ip nhrp network-id 20
 ip nhrp holdtime 30
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 20
 tunnel protection ipsec profile SHARED_DMVPN shared
!
interface Tunnel103
 ip vrf forwarding 103
 ip address 192.168.30.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NHRP3
 ip nhrp map multicast dynamic
 ip nhrp network-id 30
 ip nhrp holdtime 30
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 30
 tunnel protection ipsec profile SHARED_DMVPN shared
!
interface Tunnel104
 ip vrf forwarding 104
 ip address 192.168.40.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NHRP4
 ip nhrp map multicast dynamic
 ip nhrp network-id 40
 ip nhrp holdtime 30
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 40
 tunnel protection ipsec profile SHARED_DMVPN shared
!
interface GigabitEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 101
 ip vrf forwarding 101
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 102
 ip vrf forwarding 102
 ip address 10.1.20.1 255.255.255.0
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 103
 ip vrf forwarding 103
 ip address 10.1.30.1 255.255.255.0
!
interface GigabitEthernet0/1.4
 encapsulation dot1Q 104
 ip vrf forwarding 104
 ip address 10.1.40.1 255.255.255.0
!
!
ip route vrf 101 10.2.10.0 255.255.255.0 192.168.10.2
ip route vrf 101 10.3.10.0 255.255.255.0 192.168.10.3
ip route vrf 102 10.2.20.0 255.255.255.0 192.168.20.2
ip route vrf 102 10.3.20.0 255.255.255.0 192.168.20.3
ip route vrf 103 10.2.30.0 255.255.255.0 192.168.30.2
ip route vrf 103 10.3.30.0 255.255.255.0 192.168.30.3
ip route vrf 104 10.2.40.0 255.255.255.0 192.168.40.2
ip route vrf 104 10.3.40.0 255.255.255.0 192.168.40.3
!

Here’s a spoke config. I’m only going to show one since the other is exactly the same. The concepts are much the same as the hub, except the NHRP config is for an NHRP client instead of a server, and the tunnels are point-to-point GRE rather than mGRE.

Spoke Config

ip vrf 201
 rd 201:0
!
ip vrf 202
 rd 202:0
!
ip vrf 203
 rd 203:0
!
ip vrf 204
 rd 204:0
!
crypto keyring DMVPN
  pre-shared-key address 172.16.0.1 key CRYPTO_KEY
!
crypto isakmp policy 20
 encr aes 192
 authentication pre-share
 group 2
!
!
crypto ipsec transform-set AES_256 esp-aes 256
!
crypto ipsec profile DMVPN_SHARED
 set transform-set AES_256
!
interface Tunnel201
 ip vrf forwarding 201
 ip address 192.168.10.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRP1
 ip nhrp map 192.168.10.1 172.16.0.1
 ip nhrp map multicast 172.16.0.1
 ip nhrp network-id 10
 ip nhrp holdtime 450
 ip nhrp nhs 192.168.10.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0
 tunnel destination 172.16.0.1
 tunnel key 10
 tunnel protection ipsec profile DMVPN_SHARED shared
!
interface Tunnel202
 ip vrf forwarding 202
 ip address 192.168.20.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRP2
 ip nhrp map 192.168.20.1 172.16.0.1
 ip nhrp map multicast 172.16.0.1
 ip nhrp network-id 20
 ip nhrp holdtime 450
 ip nhrp nhs 192.168.20.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0
 tunnel destination 172.16.0.1
 tunnel key 20
 tunnel protection ipsec profile DMVPN_SHARED shared
!
interface Tunnel203
 ip vrf forwarding 203
 ip address 192.168.30.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRP3
 ip nhrp map 192.168.30.1 172.16.0.1
 ip nhrp map multicast 172.16.0.1
 ip nhrp network-id 30
 ip nhrp holdtime 450
 ip nhrp nhs 192.168.30.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0
 tunnel destination 172.16.0.1
 tunnel key 30
 tunnel protection ipsec profile DMVPN_SHARED shared
!
interface Tunnel204
 ip vrf forwarding 204
 ip address 192.168.40.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRP4
 ip nhrp map 192.168.40.1 172.16.0.1
 ip nhrp map multicast 172.16.0.1
 ip nhrp network-id 40
 ip nhrp holdtime 450
 ip nhrp nhs 192.168.40.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0
 tunnel destination 172.16.0.1
 tunnel key 40
 tunnel protection ipsec profile DMVPN_SHARED shared
!
interface FastEthernet0
 ip address 172.16.0.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet1.1
 encapsulation dot1Q 201
 ip vrf forwarding 201
 ip helper-address 192.168.10.1
!
interface FastEthernet1.2
 encapsulation dot1Q 202
 ip vrf forwarding 202
 ip helper-address 192.168.20.1
!
interface FastEthernet1.3
 encapsulation dot1Q 203
 ip vrf forwarding 203
 ip helper-address 192.168.30.1
!
interface FastEthernet1.4
 encapsulation dot1Q 204
 ip vrf forwarding 204
 ip helper-address 192.168.40.1
!
ip route vrf 201 0.0.0.0 0.0.0.0 192.168.10.1
ip route vrf 202 0.0.0.0 0.0.0.0 192.168.20.1
ip route vrf 203 0.0.0.0 0.0.0.0 192.168.30.1
ip route vrf 204 0.0.0.0 0.0.0.0 192.168.40.1
!

Again, notice the “shared” keyword on the tunnel protection lines.

And here’s the best part. This is the “show crypto ipsec sa” output from Router2. I’d apologize for the length, but it’s Cisco’s fault and not mine. You’ll notice that all the inbound SPIs are the same, and all the outbound SPIs are the same. 4 GRE tunnels, ONE IPsec tunnel!

The Results

Router2#sh cry ipsec sa

interface: Tunnel201
    Crypto map tag: DMVPN_SHARED-head-1, local addr 172.16.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.0.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/47/0)
   current_peer 172.16.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.16.0.2, remote crypto endpt.: 172.16.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x896109AD(2304838061)

     inbound esp sas:
      spi: 0xFAED162A(4209841706)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 609, flow_id: Motorola SEC 2.0:609, crypto map: DMVPN_SHARED-head-1
        sa timing: remaining key lifetime (k/sec): (4534020/3498)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x896109AD(2304838061)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 610, flow_id: Motorola SEC 2.0:610, crypto map: DMVPN_SHARED-head-1
        sa timing: remaining key lifetime (k/sec): (4534019/3498)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel202
    Crypto map tag: DMVPN_SHARED-head-1, local addr 172.16.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.0.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/47/0)
   current_peer 172.16.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.16.0.2, remote crypto endpt.: 172.16.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x896109AD(2304838061)

     inbound esp sas:
      spi: 0xFAED162A(4209841706)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 609, flow_id: Motorola SEC 2.0:609, crypto map: DMVPN_SHARED-head-1
        sa timing: remaining key lifetime (k/sec): (4534020/3497)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x896109AD(2304838061)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 610, flow_id: Motorola SEC 2.0:610, crypto map: DMVPN_SHARED-head-1
        sa timing: remaining key lifetime (k/sec): (4534019/3497)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel203
    Crypto map tag: DMVPN_SHARED-head-1, local addr 172.16.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.0.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/47/0)
   current_peer 172.16.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.16.0.2, remote crypto endpt.: 172.16.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x896109AD(2304838061)

     inbound esp sas:
      spi: 0xFAED162A(4209841706)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 609, flow_id: Motorola SEC 2.0:609, crypto map: DMVPN_SHARED-head-1
        sa timing: remaining key lifetime (k/sec): (4534020/3497)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x896109AD(2304838061)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 610, flow_id: Motorola SEC 2.0:610, crypto map: DMVPN_SHARED-head-1
        sa timing: remaining key lifetime (k/sec): (4534019/3497)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel204
    Crypto map tag: DMVPN_SHARED-head-1, local addr 172.16.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.0.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/47/0)
   current_peer 172.16.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.16.0.2, remote crypto endpt.: 172.16.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x896109AD(2304838061)

     inbound esp sas:
      spi: 0xFAED162A(4209841706)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 609, flow_id: Motorola SEC 2.0:609, crypto map: DMVPN_SHARED-head-1
        sa timing: remaining key lifetime (k/sec): (4534020/3497)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x896109AD(2304838061)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 610, flow_id: Motorola SEC 2.0:610, crypto map: DMVPN_SHARED-head-1
        sa timing: remaining key lifetime (k/sec): (4534019/3497)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
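The “same SPIs on every tunnel” check above is done by eye; the Python below (an added example, not the post’s own code) parses output of this shape, groups the tunnel interfaces by their inbound/outbound SPI pair so that one group means one IPsec tunnel, and flags SAs whose ESP transform carries no HMAC or no anti-replay. That second check matters here: the post’s transform set is `esp-aes 256` with no `esp-sha-hmac`, which is why the capture reports “replay detection support: N”. The sample output is constructed; Tunnel203, with its own SPIs and an authenticated transform, is an assumed non-shared tunnel added for contrast.

```python
import re
from collections import defaultdict

def sa_block(iface, in_spi, out_spi, xform, replay):
    """Render one interface section in the shape of the page's capture (constructed sample)."""
    return (f"interface: {iface}\n     inbound esp sas:\n      spi: {in_spi}\n"
            f"        transform: {xform} ,\n        replay detection support: {replay}\n"
            f"     outbound esp sas:\n      spi: {out_spi}\n"
            f"        transform: {xform} ,\n        replay detection support: {replay}\n")

# Constructed sample: Tunnel201/202 share one SA pair (as on the page); Tunnel203 is an assumed non-shared tunnel.
SAMPLE = (sa_block("Tunnel201", "0xFAED162A(4209841706)", "0x896109AD(2304838061)", "esp-256-aes", "N")
          + sa_block("Tunnel202", "0xFAED162A(4209841706)", "0x896109AD(2304838061)", "esp-256-aes", "N")
          + sa_block("Tunnel203", "0x11112222(286335522)", "0x33334444(858993732)", "esp-256-aes esp-sha-hmac", "Y"))

def parse_ipsec_sa(text):
    """Map each tunnel interface to its ESP SPIs per direction, transforms and replay flags."""
    sas, iface, direction = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface: (\S+)", line):
            iface = m.group(1)
            sas[iface] = {"inbound": set(), "outbound": set(), "transform": set(), "replay": set()}
            direction = None
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            direction = m.group(1) if m.group(2) == "esp" else None  # only ESP SAs matter here
        elif iface and direction:
            if m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
                sas[iface][direction].add(m.group(1))
            elif m := re.match(r"transform: (.+?) ,", line):
                sas[iface]["transform"].add(m.group(1).strip())
            elif m := re.match(r"replay detection support: (\w)", line):
                sas[iface]["replay"].add(m.group(1))
    return sas

def sa_groups(sas):
    """Group interfaces by (inbound, outbound) SPI pair: one group == one IPsec tunnel."""
    groups = defaultdict(list)
    for iface, d in sas.items():
        groups[(frozenset(d["inbound"]), frozenset(d["outbound"]))].append(iface)
    return sorted(groups.values())

def unauthenticated(sas):
    """Interfaces whose ESP transform has no HMAC or whose SA reports no anti-replay."""
    return sorted(i for i, d in sas.items()
                  if not any("hmac" in t for t in d["transform"]) or "N" in d["replay"])

if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE)
    print(sa_groups(parsed), unauthenticated(parsed))  # [['Tunnel201', 'Tunnel202'], ['Tunnel203']] ['Tunnel201', 'Tunnel202']
```

Feed it the real `show crypto ipsec sa` output from a spoke and every `shared` tunnel should land in a single group.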
