Saturday, February 22, 2020

DMVPN over IPsec

In our first DMVPN lesson we talked about the basics of DMVPN and its different phases. DMVPN is a “routing technique” that relies on multipoint GRE and NHRP and IPsec is not mandatory.
However, since you will probably use DMVPN with the Internet as the underlay network, it is wise to encrypt your tunnels. In this lesson I'll show you how to configure IPsec to encrypt your multipoint GRE tunnels. Here's the topology we will use:
DMVPN Example Topology with hub, two spokes and loopback interfaces.
Above we have a hub and spoke topology which I used in all of my previous DMVPN examples. We’ll use a DMVPN phase 2 network with RIP as the routing protocol to test IPsec.

Configuration


Tunnel Interfaces

Let’s start with the tunnel interfaces on all routers. This is a basic DMVPN phase 2 configuration:
Hub(config)#interface Tunnel 0
Hub(config-if)#ip address 172.16.123.1 255.255.255.0
Hub(config-if)#ip nhrp authentication DMVPN
Hub(config-if)#ip nhrp map multicast dynamic
Hub(config-if)#ip nhrp network-id 1
Hub(config-if)#tunnel source GigabitEthernet0/1
Hub(config-if)#tunnel mode gre multipoint
Here are the spoke routers:
Spoke1(config)#interface Tunnel 0
Spoke1(config-if)#ip address 172.16.123.2 255.255.255.0
Spoke1(config-if)#ip nhrp authentication DMVPN
Spoke1(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke1(config-if)#ip nhrp map multicast 192.168.123.1
Spoke1(config-if)#ip nhrp network-id 1
Spoke1(config-if)#ip nhrp nhs 172.16.123.1
Spoke1(config-if)#tunnel source GigabitEthernet0/1
Spoke1(config-if)#tunnel mode gre multipoint
Spoke2(config)#interface Tunnel 0
Spoke2(config-if)#ip address 172.16.123.3 255.255.255.0
Spoke2(config-if)#ip nhrp authentication DMVPN
Spoke2(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke2(config-if)#ip nhrp map multicast 192.168.123.1
Spoke2(config-if)#ip nhrp network-id 1
Spoke2(config-if)#ip nhrp nhs 172.16.123.1
Spoke2(config-if)#tunnel source GigabitEthernet0/1
Spoke2(config-if)#tunnel mode gre multipoint
Now we can configure RIP…

RIP

We will advertise all interfaces in RIP. Here's the hub router:
Hub(config)#router rip
Hub(config-router)#version 2
Hub(config-router)#network 1.0.0.0
Hub(config-router)#network 172.16.0.0
Hub(config-router)#no auto-summary
Hub(config)#interface Tunnel 0
Hub(config-if)#no ip split-horizon
Don’t forget to disable split horizon. Here are the spoke routers:
Spoke2(config)#router rip
Spoke2(config-router)#version 2
Spoke2(config-router)#network 3.0.0.0
Spoke2(config-router)#network 172.16.0.0
Spoke2(config-router)#no auto-summary
Spoke1(config)#router rip
Spoke1(config-router)#version 2
Spoke1(config-router)#network 2.0.0.0
Spoke1(config-router)#network 172.16.0.0
Spoke1(config-router)#no auto-summary
That should do it. Now before we start messing around with IPsec, we should check if everything is working without encryption. Let’s check if the hub router has two NHRP registrations:
Hub#show dmvpn | begin Peer
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.123.2      172.16.123.2    UP 00:06:15     D
     1 192.168.123.3      172.16.123.3    UP 00:06:22     D
That’s looking good. Do we have some RIP routes?
Hub#show ip route rip 

      2.0.0.0/32 is subnetted, 1 subnets
R        2.2.2.2 [120/1] via 172.16.123.2, 00:00:02, Tunnel0
      3.0.0.0/32 is subnetted, 1 subnets
R        3.3.3.3 [120/1] via 172.16.123.3, 00:00:11, Tunnel0
Spoke1#show ip route rip 

      1.0.0.0/32 is subnetted, 1 subnets
R        1.1.1.1 [120/1] via 172.16.123.1, 00:00:07, Tunnel0
      3.0.0.0/32 is subnetted, 1 subnets
R        3.3.3.3 [120/2] via 172.16.123.3, 00:00:07, Tunnel0
Spoke2#show ip route rip 

      1.0.0.0/32 is subnetted, 1 subnets
R        1.1.1.1 [120/1] via 172.16.123.1, 00:00:28, Tunnel0
      2.0.0.0/32 is subnetted, 1 subnets
R        2.2.2.2 [120/2] via 172.16.123.2, 00:00:28, Tunnel0
Yes we do! Everything is looking good so now we can focus on encryption.

IPsec

IPsec has two phases, phase 1 and 2 (don’t confuse them with the DMVPN phases).

Phase 1

We need an ISAKMP policy that matches on all our routers. Let’s pick something:
Hub, Spoke1 & Spoke2
(config)#crypto isakmp policy 10
(config-isakmp)#authentication pre-share 
(config-isakmp)#encryption aes 128
(config-isakmp)#group 5
(config-isakmp)#hash sha256
When it comes to authentication we can choose between pre-shared keys or PKI. To keep it simple, I'll go for pre-shared keys:
Hub(config)#crypto isakmp key DMVPN_KEY address ?       
  A.B.C.D  Peer IP address
  ipv6     define shared key with IPv6 address
When you configure the pre-shared key you have to enter the NBMA address. Keep in mind that encryption occurs before multipoint GRE / NHRP. We also have to specify a peer address; we have two options here:
  • Configure a pre-shared key for each “router pair” you have: this means we use a unique key for hub-spoke1, hub-spoke2 and spoke1-spoke2. This is secure but it's not a very scalable solution: the more spoke routers we add to the network, the more keys we have to configure.
  • Configure a “wildcard” pre-shared key: this allows us to use a single key for all routers. This is the most convenient option, but it also means that if you want to change the key, you have to do it on all your routers.
I’ll use the wildcard pre-shared key for our example:
Hub, Spoke1 & Spoke2
(config)#crypto isakmp key DMVPN_KEY address 0.0.0.0
Now we can worry about phase 2.

Phase 2

On each router we require a transform set that tells the router what encryption/hashing to use and if we want tunnel or transport mode:
Hub, Spoke1 & Spoke2
(config)#crypto ipsec transform-set DMVPN_TRANSFORM esp-aes esp-sha-hmac 
(cfg-crypto-trans)#mode transport 
I'll go for ESP with AES as the encryption algorithm and SHA for hashing. The mode is important: since we are using GRE, we already have a tunnel, so we can use transport mode. If you use tunnel mode, you add even more overhead, which is not required.
To apply the transform set on our tunnel interfaces we need to create a profile:
Hub, Spoke1 & Spoke2
(config)#crypto ipsec profile DMVPN_PROFILE
(ipsec-profile)#set transform-set DMVPN_TRANSFORM
Now we can apply this profile to the tunnel interfaces:
Hub, Spoke1 & Spoke2
(config)#interface Tunnel 0
(config-if)#tunnel protection ipsec profile DMVPN_PROFILE
Everything is now in place. Let's test drive this setup.
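As an added check (my own example, not part of the lesson), here is a small Python audit that parses IOS running-configs and verifies the properties phase 1 and phase 2 rely on: an identical ISAKMP policy on every router, a transport-mode transform set, tunnel protection on the mGRE interface, and whether a wildcard pre-shared key is in use. The sample configs are generated by the hypothetical excerpt() helper to mimic the final configurations in this lesson; Spoke2 is deliberately given a mismatching hash and no tunnel protection.

```python
from collections import defaultdict

def parse_ios(text):
    """Map each top-level IOS line to its indented sub-lines (one nesting level)."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            sections.setdefault(current, [])  # keep childless lines such as the PSK
    return sections

def audit(configs):
    """configs: {hostname: running-config text}. Returns a list of finding strings."""
    findings, policies = [], {}
    for host, text in configs.items():
        sec = parse_ios(text)
        pol = [k for k in sec if k.startswith("crypto isakmp policy")]
        if not pol:
            findings.append(f"{host}: no ISAKMP policy, phase 1 cannot negotiate")
        else:
            policies[host] = tuple(sorted(sec[pol[0]]))
        ts = [k for k in sec if k.startswith("crypto ipsec transform-set")]
        if not ts:
            findings.append(f"{host}: no transform-set")
        elif "mode transport" not in sec[ts[0]]:
            findings.append(f"{host}: transform-set is tunnel mode (extra overhead on top of GRE)")
        if any(k.startswith("crypto isakmp key") and k.endswith("address 0.0.0.0") for k in sec):
            findings.append(f"{host}: wildcard pre-shared key, rotating it touches every router")
        for tun in (k for k in sec if k.startswith("interface Tunnel")):
            if "tunnel mode gre multipoint" in sec[tun] and not any(
                    l.startswith("tunnel protection ipsec profile") for l in sec[tun]):
                findings.append(f"{host}: {tun} is mGRE without tunnel protection (cleartext GRE)")
    if len(set(policies.values())) > 1:  # every router must offer the same policy
        findings.append("ISAKMP policy differs between routers: " + "; ".join(
            f"{h}={' / '.join(p)}" for h, p in sorted(policies.items())))
    return findings

def excerpt(hostname, hash_alg="sha256", protect=True):
    """Constructed config excerpt in the style of the lesson's final configs."""
    tun = [" tunnel mode gre multipoint"] + (
        [" tunnel protection ipsec profile DMVPN_PROFILE"] if protect else [])
    return "\n".join([f"hostname {hostname}", "!", "crypto isakmp policy 10", " encr aes",
        f" hash {hash_alg}", " authentication pre-share", " group 5",
        "crypto isakmp key DMVPN_KEY address 0.0.0.0", "!",
        "crypto ipsec transform-set DMVPN_TRANSFORM esp-aes esp-sha-hmac", " mode transport",
        "!", "interface Tunnel0", " ip address 172.16.123.1 255.255.255.0", *tun, "end"])

# Three routers as in the lesson; Spoke2 is deliberately misconfigured.
SAMPLE = {"Hub": excerpt("Hub"), "Spoke1": excerpt("Spoke1"),
          "Spoke2": excerpt("Spoke2", hash_alg="sha", protect=False)}
```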

Verification

IPsec occurs before multipoint GRE and NHRP. To test if everything is working properly we should go for a fresh start. I’ll shut all the interfaces on our routers:
Hub, Spoke1 & Spoke2
(config)#interface Tunnel 0
(config-if)#shutdown
First we will enable the hub again:
Hub(config)#interface Tunnel 0
Hub(config-if)#no shutdown
And then we will enable the spoke routers again:
Spoke1 & Spoke2
(config)#interface Tunnel 0
(config-if)#no shutdown
Let’s check if the spoke routers were able to register again with the hub:
Hub#show dmvpn | begin Peer
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.123.2      172.16.123.2    UP 00:02:35     D
     1 192.168.123.3      172.16.123.3    UP 00:00:19     D
No problem at all…do we still have RIP routes?
Hub#show ip route rip 

      2.0.0.0/32 is subnetted, 1 subnets
R        2.2.2.2 [120/1] via 172.16.123.2, 00:00:02, Tunnel0
      3.0.0.0/32 is subnetted, 1 subnets
R        3.3.3.3 [120/1] via 172.16.123.3, 00:00:11, Tunnel0
Spoke1#show ip route rip 

      1.0.0.0/32 is subnetted, 1 subnets
R        1.1.1.1 [120/1] via 172.16.123.1, 00:00:07, Tunnel0
      3.0.0.0/32 is subnetted, 1 subnets
R        3.3.3.3 [120/2] via 172.16.123.3, 00:00:07, Tunnel0
Spoke2#show ip route rip 

      1.0.0.0/32 is subnetted, 1 subnets
R        1.1.1.1 [120/1] via 172.16.123.1, 00:00:28, Tunnel0
      2.0.0.0/32 is subnetted, 1 subnets
R        2.2.2.2 [120/2] via 172.16.123.2, 00:00:28, Tunnel0
That’s also looking good. Let’s take a closer look at some of the IPsec show commands:
Hub#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.123.1   192.168.123.3   QM_IDLE           1008 ACTIVE
192.168.123.1   192.168.123.2   QM_IDLE           1007 ACTIVE
Spoke1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.123.1   192.168.123.2   QM_IDLE           1004 ACTIVE
Spoke2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.123.1   192.168.123.3   QM_IDLE           1004 ACTIVE
As you can see above there are only two IPsec tunnels:
  • Hub to spoke1
  • Hub to spoke2
At this moment there is no IPsec tunnel from spoke1 to spoke2. This makes sense, since there hasn't been any traffic between the spoke routers yet. Let's see what traffic is actually being encrypted. Here's an example for traffic between the hub and spoke1 router:
Hub#show crypto ipsec sa peer 192.168.123.2

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 192.168.123.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.123.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.123.2/255.255.255.255/47/0)
   current_peer 192.168.123.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.123.1, remote crypto endpt.: 192.168.123.2
     plaintext mtu 1426, path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0x87C9B200(2278142464)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x1150FD74(290520436)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 9, flow_id: SW:9, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4288279/3285)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x87C9B200(2278142464)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 10, flow_id: SW:10, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4288278/3285)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:

     outbound pcp sas:
Above we can see that traffic between 192.168.123.1 and 192.168.123.2 is encrypted. The “47” that you see is the protocol, GRE in our example. We can also see that we are using transport mode.
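To turn the eyeball check above into something repeatable, here is an added Python example (not from the lesson) that parses "show crypto ipsec sa" output and flags flows that are not GRE (protocol 47), ESP SAs not in transport mode or without replay detection, a zero encrypt counter, and PFS being off, which the output above reports as "PFS (Y/N): N". The sample output is a constructed, trimmed copy of the hub's output.

```python
import re

# Constructed, trimmed copy of the hub's 'show crypto ipsec sa peer 192.168.123.2'
# output from the lesson; only the lines the parser reads are kept.
SAMPLE_OUTPUT = """\
   local  ident (addr/mask/prot/port): (192.168.123.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.123.2/255.255.255.255/47/0)
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x1150FD74(290520436)
        in use settings ={Transport, }
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x87C9B200(2278142464)
        in use settings ={Transport, }
        replay detection support: Y
"""
IDENT = re.compile(r"(local|remote)\s+ident .*?\((\S+?)/\S+?/(\d+)/\d+\)")

def parse_ipsec_sa(text):
    # Flow selector, packet counters, PFS flag and the settings of each ESP SA.
    sa, direction, cur = {"ident": {}, "esp": []}, None, None
    for line in text.splitlines():
        s = line.strip()
        if m := IDENT.match(s):
            sa["ident"][m[1]] = {"addr": m[2], "prot": int(m[3])}
        elif m := re.match(r"#pkts \w+: \d+, #pkts (encrypt|decrypt): (\d+)", s):
            sa[m[1]] = int(m[2])
        elif m := re.match(r"PFS \(Y/N\): (\w)", s):
            sa["pfs"] = m[1] == "Y"
        elif s.endswith(" sas:"):  # 'inbound esp sas:', 'outbound ah sas:', ...
            direction = s.split()[0] if s.split()[1] == "esp" else None
            cur = None
        elif direction and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s)):
            sa["esp"].append(cur := {"dir": direction, "spi": m[1]})
        elif cur and (m := re.match(r"in use settings =\{(\w+)", s)):
            cur["mode"] = m[1]
        elif cur and (m := re.match(r"replay detection support: (\w)", s)):
            cur["replay"] = m[1] == "Y"
    return sa

def check_sa(sa):
    # Findings an operator would want flagged; only the PFS line is informational.
    out = [f"{side} ident is not GRE (protocol 47)" for side in ("local", "remote")
           if sa["ident"].get(side, {}).get("prot") != 47]
    if not sa["esp"]:
        out.append("no ESP SAs: phase 2 never completed")
    out += [f"{e['dir']} SA {e['spi']}: mode={e.get('mode')} replay={e.get('replay')}"
            for e in sa["esp"] if e.get("mode") != "Transport" or not e.get("replay")]
    if sa.get("encrypt", 0) == 0:
        out.append("no packets encrypted yet")
    if not sa.get("pfs"):
        out.append("info: PFS disabled (DH group none), phase 2 keys derive from the phase 1 exchange")
    return out
```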
Now let’s send a ping from spoke1 to spoke2:
Spoke1#ping 3.3.3.3 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/41/59 ms
Our ping is working. Behind the scenes, our two spoke routers establish an IPsec tunnel. You can see the security associations below:
Spoke1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.123.2   192.168.123.3   QM_IDLE           1006 ACTIVE
192.168.123.1   192.168.123.2   QM_IDLE           1004 ACTIVE
192.168.123.3   192.168.123.2   QM_IDLE           1005 ACTIVE
Spoke2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.123.1   192.168.123.3   QM_IDLE           1004 ACTIVE
192.168.123.3   192.168.123.2   QM_IDLE           1005 ACTIVE
192.168.123.2   192.168.123.3   QM_IDLE           1006 ACTIVE
And we can see how many packets have been encrypted between spoke1 and spoke2:
Spoke1#show crypto ipsec sa peer 192.168.123.3

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 192.168.123.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.123.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.123.3/255.255.255.255/47/0)
   current_peer 192.168.123.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.123.2, remote crypto endpt.: 192.168.123.3
     plaintext mtu 1426, path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0x2C6A6B7B(745171835)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x2375C852(594921554)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 7, flow_id: SW:7, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/3474)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0xCD7F7ED0(3447684816)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 9, flow_id: SW:9, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/3474)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0xCF0A21D9(3473547737)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 11, flow_id: SW:11, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4301724/3484)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE2EBC457(3807102039)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 8, flow_id: SW:8, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/3474)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0xCE677AEE(3462888174)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 10, flow_id: SW:10, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/3474)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0x2C6A6B7B(745171835)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 12, flow_id: SW:12, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4301724/3484)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
That's looking good. If you are curious to see what a packet looks like, here's a protected capture in Wireshark:
DMVPN IPsec protected packet
Here's the capture file if you want to see it for yourself. Below you will find the final configuration of each router:
hostname Hub
!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
crypto isakmp key DMVPN_KEY address 0.0.0.0        
!
crypto ipsec transform-set DMVPN_TRANSFORM esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set DMVPN_TRANSFORM 
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.1 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN_PROFILE
!
interface GigabitEthernet0/1
 ip address 192.168.123.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router rip
 version 2
 network 1.0.0.0
 network 172.16.0.0
 no auto-summary
!
end
hostname Spoke1
!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
crypto isakmp key DMVPN_KEY address 0.0.0.0        
!
crypto ipsec transform-set DMVPN_TRANSFORM esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set DMVPN_TRANSFORM 
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.2 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.1 192.168.123.1
 ip nhrp map multicast 192.168.123.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.123.1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN_PROFILE
!
interface GigabitEthernet0/1
 ip address 192.168.123.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router rip
 version 2
 network 2.0.0.0
 network 172.16.0.0
 no auto-summary
!
end
hostname Spoke2
!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
crypto isakmp key DMVPN_KEY address 0.0.0.0        
!
crypto ipsec transform-set DMVPN_TRANSFORM esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set DMVPN_TRANSFORM 
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.3 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.1 192.168.123.1
 ip nhrp map multicast 192.168.123.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.123.1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN_PROFILE
!
interface GigabitEthernet0/1
 ip address 192.168.123.3 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router rip
 version 2
 network 3.0.0.0
 network 172.16.0.0
 no auto-summary
!
end

Conclusion

Once you understand DMVPN, adding IPsec is pretty simple.
The only problem with this implementation is scalability. Our hub router will have a security association with each spoke router, so if you have a large network, that'll put quite a burden on the hub router.
One solution is to implement DMVPN over GETVPN (Group Encrypted Transport).
GETVPN is an “any to any” VPN where we use the same encryption and decryption keys for all routers, which means the hub doesn't need a unique security association with each spoke router. This is something we'll look at in another lesson though.
I hope you enjoyed this lesson, if you have any questions feel free to leave a comment!
