Thursday, September 1, 2011

EIGRP over GRE Point-to-Multipoint DMVPN with IPSec


Hi Guys, back again to bust one more topology. Let's look into DMVPN (Dynamic Multipoint VPN) with IPSec encryption, which is useful when we want to connect multiple branch offices to a head office over VPN. One option is a static Hub-Spoke VPN where the head office is the hub and the branch offices are spokes; a branch office can then talk directly only to the head office, and branch-to-branch traffic is relayed through the head office (Spoke-Hub-Spoke). The other option is Spoke-Spoke, where branch offices build dynamic tunnels to each other on demand. Spoke-Spoke definitely saves hub bandwidth compared to Spoke-Hub-Spoke, but it needs NHRP (Next Hop Resolution Protocol) to work. I will explain more about this later in the post.

Above is the typical scenario for implementing DMVPN where we want to extend our internal routing domain over the WAN to the branch offices, with encryption for security. Let's list some important considerations related to the topology.
  • EIGRP 510 with the 52.1.1.0/24 network is the head office network. 
  • Router R8 is the gateway for all traffic in the head office. 
  • Router R1 is the DMVPN router for the head office, connected to ISP router R6. 
  • Router R1 runs routing processes for both EIGRP 510 & EIGRP 1000.
  • EIGRP 510 & EIGRP 1000 are mutually redistributed on Router R1. (Please read this post if you are unclear about Route Redistribution)
  • The default route on R1 points to 11.1.1.2.
  • Router R1 has IPSec crypto configuration with pre-shared key authentication.
  • Router R1 is configured with tunnel interface IP 10.0.0.1. More on this in the next section.
  • The ISP region is three routers running EIGRP; it is there only to realize the WAN connection to the branch offices.
  • Similarly, Branch Office 2 has the 54.1.1.0/24 network with R2 as its DMVPN router. 
  • Router R2 runs both EIGRP 1000 & EIGRP 530, mutually redistributed.
  • Branch Office 1 has the 53.1.1.0/24 network. R3 is the DMVPN router for Branch Office 1.
  • Router R3 runs both EIGRP 1000 & EIGRP 520, mutually redistributed.
  • Routers R2 & R3 are configured with tunnel interface IP addresses 10.0.0.3 & 10.0.0.2 respectively.
  • The ISP region sees all internal IP traffic only as ESP (Encapsulating Security Payload) packets between the public addresses of the DMVPN routers, plus the ISAKMP/IKE negotiation on UDP port 500.
  • EIGRP 1000 routing messages are carried inside GRE (Generic Routing Encapsulation).
  • Tunnels at the DMVPN routers are protected using IPSec profiles.

 Layered diagram :



Now let's look into the configuration part of the topology.

Hub Section :

Let's look into the Router R1 configuration.

Encryption/Authentication configuration :
crypto isakmp policy 1
 encr aes
 authentication pre-share
crypto isakmp key awesome address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set awesomeset esp-aes esp-sha-hmac
!
crypto ipsec profile awesomeprofile
 set transform-set awesomeset

First we need to set up ISAKMP (Internet Security Association and Key Management Protocol), the IKE phase 1 policy that decides how the peers authenticate each other and agree on keys. Encryption is AES (Advanced Encryption Standard) and authentication is pre-shared key. Since the hub does not know the spoke addresses in advance, the same key "awesome" is used for every peer through the wildcard address 0.0.0.0 0.0.0.0. This is the weak spot of a pre-shared key DMVPN: every spoke holds the same secret, and any host that learns it can authenticate to the hub, which is why larger deployments move to certificate (PKI) authentication. Also note that this policy does not set a DH group or a hash, so IOS falls back to its defaults (group 1 and SHA-1); group 1 is far too small for production, so set a stronger group explicitly (group 14 or higher on IOS releases that support it). The IPSec SA that results is defined by the encryption algorithm, the integrity algorithm and the session keys derived in this exchange.
The transform set states the IPSec (phase 2) algorithms: esp-aes for encryption and esp-sha-hmac for integrity/authentication of the ESP payload. No compression is involved here.
Then an IPSec profile is created with the "awesomeset" transform set. Later we apply this profile to the tunnel interfaces to enforce the IPSec policy.

Tunnel configuration :
interface Tunnel0
  ip address 10.0.0.1 255.255.255.0
  no ip redirects
  no ip next-hop-self eigrp 1000
  ip nhrp map multicast dynamic
  ip nhrp network-id 1
  no ip split-horizon eigrp 1000
  tunnel source 11.1.1.1
  tunnel mode gre multipoint
  tunnel protection ipsec profile awesomeprofile

The tunnel interface is configured in the 10.0.0.0/24 network. First let's analyze NHRP (Next Hop Resolution Protocol, RFC 2332). NHRP is an address resolution protocol for NBMA (Non Broadcast Multi-Access) networks and plays the role ARP plays on Ethernet: a router that knows the tunnel IP address of another DMVPN router asks the Next Hop Server for the underlying NBMA (public) IP address to which the GRE/IPSec packet has to be sent. Branch routers register their own tunnel-to-NBMA mapping with the hub for the same purpose.

Note - Do not think of the tunnel interface IP as an address that appears in the IP header on the WAN. Think of it as the mouth of a pipe on the router: packets destined to the tunnel network enter it and are mapped onto the real (NBMA) addresses. The receiving router does exactly the mirror image of this.

Packets destined to the 10.0.0.0/24 network, or to the prefixes learned through it, go through R1's tunnel interface, where NHRP maps the next hop tunnel address to the actual interface IP of the next hop DMVPN router. To elaborate: R1 learns 53.1.1.0/24 at Branch Office 1 over EIGRP 1000 with next hop 10.0.0.2, and redistribution into EIGRP 510 makes R8 forward packets for that network to R1. R1 maintains an NHRP table that maps the next hop tunnel address 10.0.0.2 to the actual address 13.1.1.2.

Let's summarize it again,
  • Router R1 learns 53.1.1.0/24 in EIGRP 1000 with next hop 10.0.0.2 (R3's tunnel address). 
  • Route redistribution at R1 passes this route into EIGRP 510, so R8 forwards traffic for 53.1.1.0/24 to R1. 
  • R1 maps 10.0.0.2 to the NBMA address 13.1.1.2 using its NHRP table. 
  • To reach 13.1.1.2, R1 forwards the encapsulated packet along its default route to 11.1.1.2. 
  • It is routed through the ISP network to 13.1.1.2. 
  • Router R3 decapsulates it and does the reverse mapping according to its NHRP table.
  • Finally, route redistribution at R3 has made the EIGRP 520 routes reachable, so the packet is delivered into 53.1.1.0/24.
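To make the walk above concrete, here is an added Python model of the forwarding decision on R1 and R3; it is not code from the post. It does the two lookups a DMVPN router does (route lookup on the destination, NHRP resolution of the tunnel next hop, then a second route lookup on the NBMA address) and returns the header stack that leaves the router, so you can see that only the tunnel source and the NBMA address are on the wire. Interface names other than Tunnel0, the LAN hosts 52.1.1.10, 53.1.1.10 and 54.1.1.10, and R3's route to 54.1.1.0/24 via 10.0.0.3 are assumptions for illustration, not taken from the post.

```python
import ipaddress

GRE, ESP = 47, 50   # IP protocol numbers; the ISP side only ever sees protocol 50 (ESP)


class DmvpnRouter:
    """Minimal model of the forwarding decision on a DMVPN router.

    routes: (prefix, next_hop or None if directly connected, interface)
    nhrp:   tunnel address -> NBMA address (static maps plus registered/resolved entries)
    """

    def __init__(self, name, routes, nhrp, tunnel_source, nhs=None):
        self.name, self.nhrp, self.tunnel_source, self.nhs = name, nhrp, tunnel_source, nhs
        self.routes = [(ipaddress.ip_network(p), nh, i) for p, nh, i in routes]

    def lookup(self, dst):
        """Longest-prefix match; returns (next_hop, interface)."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        _, nh, intf = max(matches, key=lambda r: r[0].prefixlen)
        return nh, intf

    def forward(self, src, dst):
        """Return what leaves the router for an inner packet src -> dst."""
        inner = {"src": src, "dst": dst}
        nh, intf = self.lookup(dst)
        if intf != "Tunnel0":
            return {"intf": intf, "headers": [inner]}        # plain LAN forwarding
        target = nh or dst                                    # connected tunnel subnet: resolve dst itself
        nbma = self.nhrp.get(target)
        if nbma is None:
            # Phase-2 DMVPN: EIGRP gave us the other spoke's tunnel address as
            # next hop ("no ip next-hop-self" on the hub), but no NBMA address
            # is cached for it yet, so an NHRP Resolution Request goes to the NHS
            # over the static hub mapping before a direct tunnel can be built.
            return {"nhrp_request": {"for": target, "nhs": self.nhs,
                                     "nhs_nbma": self.nhrp[self.nhs]}}
        out_nh, out_intf = self.lookup(nbma)                  # second lookup, on the NBMA address
        delivery = {"src": self.tunnel_source, "dst": nbma, "proto": GRE, "payload": inner}
        # "tunnel protection" wraps the GRE packet in ESP. The post's transform set
        # uses the default tunnel mode, so the GRE delivery header is encrypted as
        # well and a fresh outer header with the same two addresses is prepended
        # (with "mode transport" ESP would reuse the delivery header). Either way
        # the wire carries tunnel source and NBMA address, never a 10.0.0.x address.
        outer = {"src": self.tunnel_source, "dst": nbma, "proto": ESP, "via": out_nh}
        return {"intf": out_intf, "headers": [outer, delivery, inner]}


# Tables built from the addresses in the post. Interface names other than
# Tunnel0 and the LAN hosts used in the tests are assumptions for illustration.
R1 = DmvpnRouter(
    "R1",
    routes=[("52.1.1.0/24", None, "Fa0/0"), ("10.0.0.0/24", None, "Tunnel0"),
            ("53.1.1.0/24", "10.0.0.2", "Tunnel0"),        # learned from R3 over EIGRP 1000
            ("0.0.0.0/0", "11.1.1.2", "Fa0/1")],
    nhrp={"10.0.0.2": "13.1.1.2"},                         # learned when R3 registered with the NHS
    tunnel_source="11.1.1.1")

R3 = DmvpnRouter(
    "R3",
    routes=[("53.1.1.0/24", None, "Fa0/0"), ("10.0.0.0/24", None, "Tunnel0"),
            ("52.1.1.0/24", "10.0.0.1", "Tunnel0"),        # head office, via the hub
            ("54.1.1.0/24", "10.0.0.3", "Tunnel0"),        # Branch Office 2, next hop kept as R2's tunnel IP (assumed)
            ("0.0.0.0/0", "13.1.1.1", "Fa0/1")],
    nhrp={"10.0.0.1": "11.1.1.1"},                         # the static "ip nhrp map" from R3's config
    tunnel_source="13.1.1.2", nhs="10.0.0.1")
```

Calling `R1.forward("52.1.1.10", "53.1.1.10")` gives an outer header 11.1.1.1 to 13.1.1.2, protocol ESP, sent via 11.1.1.2, which is exactly the walk in the list above; `R3.forward("53.1.1.10", "54.1.1.10")` has no NBMA address for 10.0.0.3 and returns the NHRP resolution request that precedes a spoke-to-spoke tunnel.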

Moving on, the tunnel source statement specifies the address (and thus the outgoing interface) used in the outer IP header. GRE (Generic Routing Encapsulation) carries the routing traffic, including EIGRP multicast hellos and updates, over the WAN to the branch offices, so that EIGRP AS 1000 spans all three sites as if they were on one subnet (EIGRP has no areas; it is one autonomous system stretched over the tunnel). Here GRE is configured in multipoint mode, so one tunnel interface talks to all peers. Tunnel protection encrypts every GRE packet leaving the tunnel, routing traffic included, using the IPSec profile.

As I have already discussed, NHRP provides the mapping between the inside (tunnel) and outside (NBMA) addresses of a tunnel. These mappings can be static or dynamic. With dynamic mappings the spokes register with an NHS (Next Hop Server), which is the hub.
The NHRP network-id is 1 here; it must match on every router that is meant to be part of this DMVPN cloud. The statement "ip nhrp map multicast dynamic" automatically adds a multicast mapping for each spoke that registers, which is what lets the hub send EIGRP multicast hellos and updates to spokes whose NBMA addresses it did not know in advance. Without it the hub would accept the spoke's registration but never form an EIGRP adjacency with it.

EIGRP Split Horizon and Next-Hop-Self configuration :

For dynamic routing protocols, some extra configuration is needed to enable Spoke-to-Spoke communication in DMVPN.

Note - Routing protocols use IP multicast to discover other routers in the routing process. A static multicast map is configured on the branch routers R3 & R2 pointing to the public address of the head office router, which in turn has the dynamic multicast map. Multicast therefore flows only between hub and spokes; spokes do not receive each other's multicast, so EIGRP adjacencies exist only hub-spoke and the hub has to pass spoke routes on to the other spokes.

no ip split-horizon eigrp 1000
This statement allows the hub to re-advertise routes learned from one spoke out of the same tunnel interface to the other spokes. Normally split-horizon prevents this, and without the statement spokes would never learn each other's networks.

no ip next-hop-self eigrp 1000
This statement prevents the hub from setting itself as the next hop of routes it re-advertises. For Spoke-to-Spoke to work, the route must carry the originating spoke's tunnel address as next hop. By default an EIGRP hub sets the IP Next-Hop to itself; after this statement EIGRP keeps the received Next-Hop value when re-advertising, so R3 learns 54.1.1.0/24 via 10.0.0.3 and can ask NHRP for R2's NBMA address instead of sending everything through the hub.

Routing configuration :
router eigrp 1000
  redistribute eigrp 510 metric 56000 10 255 255 1500
  network 10.0.0.0 0.0.0.255
  auto-summary
!
router eigrp 510
  redistribute eigrp 1000 metric 56000 10 255 255 1500
  network 52.1.1.0 0.0.0.255
  auto-summary
!
ip route 0.0.0.0 0.0.0.0 11.1.1.2

EIGRP 510 and EIGRP 1000 are mutually redistributed. The default route points to 11.1.1.2.

Spoke section :

Now let's look into Router R3 for the branch router configuration.

The IPSec configuration is the same as that of the hub router.

Tunnel configuration :

interface Tunnel0
  ip address 10.0.0.2 255.255.255.0
  no ip redirects
  no ip next-hop-self eigrp 1000
  ip nhrp map 10.0.0.1 11.1.1.1
  ip nhrp map multicast 11.1.1.1
  ip nhrp network-id 1
  ip nhrp nhs 10.0.0.1
  no ip split-horizon eigrp 1000
  tunnel source 13.1.1.2
  tunnel mode gre multipoint
  tunnel protection ipsec profile awesomeprofile

The NHRP map statement ties the hub's tunnel address 10.0.0.1 to its NBMA address 11.1.1.1, since the spoke must know where to send its registration. Multicast is mapped to the hub's NBMA address so that all EIGRP routing messages go through the hub. The NHS (Next Hop Server) is pointed at the tunnel interface IP address of the hub router. The rest of the statements are pretty much the same as on the hub router.
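As an added example that is not from the post, here is a small Python checker that reads the hub and spoke tunnel and crypto configuration shown above and flags what would break this DMVPN or weaken it: an ISAKMP policy that falls back to DH group 1, the wildcard pre-shared key, a transform set without an integrity transform, an NHRP network-id mismatch, a spoke whose nhs or static maps do not point at the hub, a hub missing the split-horizon and next-hop-self statements, or a tunnel without IPSec protection. The choice of checks and the wording of the findings are mine; the embedded config strings are the relevant lines from the R1 and R3 configuration in this post.

```python
# Relevant lines of the hub (R1) and spoke (R3) configuration from the post,
# embedded as input for the checker below.
HUB = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
crypto isakmp key awesome address 0.0.0.0 0.0.0.0
crypto ipsec transform-set awesomeset esp-aes esp-sha-hmac
crypto ipsec profile awesomeprofile
 set transform-set awesomeset
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip next-hop-self eigrp 1000
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 1000
 tunnel source 11.1.1.1
 tunnel protection ipsec profile awesomeprofile
"""
SPOKE = """\
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip next-hop-self eigrp 1000
 ip nhrp map 10.0.0.1 11.1.1.1
 ip nhrp map multicast 11.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 no ip split-horizon eigrp 1000
 tunnel source 13.1.1.2
 tunnel protection ipsec profile awesomeprofile
"""

def parse(text):
    """IOS config text -> {top-level line: [indented child lines]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def first(lines, prefix):
    """Text after the first line that starts with prefix, else None."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), None)

def check_crypto(cfg):
    out = []
    for parent, body in cfg.items():
        if parent.startswith("crypto isakmp policy"):
            # IOS fills in defaults for anything the policy leaves out: des, group 1.
            enc = (first(body, "encr") or "des").split()[-1]
            group = first(body, "group") or "1"
            if enc in ("des", "3des"):
                out.append(f"{parent}: weak encryption {enc}")
            if group in ("1", "2"):
                out.append(f"{parent}: DH group {group} (IOS default is 1 when unset)")
        elif parent.startswith("crypto isakmp key") and " address 0.0.0.0" in parent:
            out.append("wildcard pre-shared key: any peer holding the key can build a tunnel")
        elif parent.startswith("crypto ipsec transform-set"):
            name, *transforms = parent.split()[3:]
            if not any(t.endswith("-hmac") for t in transforms):
                out.append(f"transform-set {name}: no ESP integrity transform")
    return out

def check_dmvpn(hub, spoke):
    h, s, out = hub["interface Tunnel0"], spoke["interface Tunnel0"], []
    hub_tun = first(h, "ip address").split()[0]
    hub_nbma = first(h, "tunnel source")
    if first(h, "ip nhrp network-id") != first(s, "ip nhrp network-id"):
        out.append("nhrp network-id mismatch: spoke will not join the hub's NHRP domain")
    if first(s, "ip nhrp nhs") != hub_tun:
        out.append("spoke nhs does not point at the hub tunnel address")
    if f"ip nhrp map {hub_tun} {hub_nbma}" not in s:
        out.append("spoke lacks the static map of hub tunnel address to hub NBMA address")
    if f"ip nhrp map multicast {hub_nbma}" not in s or "ip nhrp map multicast dynamic" not in h:
        out.append("multicast mapping incomplete: EIGRP hellos will not cross the tunnel")
    for stmt in ("no ip split-horizon eigrp", "no ip next-hop-self eigrp"):
        if first(h, stmt) is None:
            out.append(f"hub missing '{stmt} <as>': spokes will not get each other's routes with the right next hop")
    prof = first(h, "tunnel protection ipsec profile")
    if prof is None or first(s, "tunnel protection ipsec profile") is None:
        out.append("a tunnel has no IPSec protection: GRE would go out in clear text")
    elif f"crypto ipsec profile {prof}" not in hub:
        out.append(f"hub references undefined profile {prof}")
    else:
        ts = first(hub[f"crypto ipsec profile {prof}"], "set transform-set")
        if not any(p.startswith(f"crypto ipsec transform-set {ts} ") for p in hub):
            out.append(f"profile {prof} uses undefined transform-set {ts}")
    return out

def audit(hub_text, spoke_text):
    """All findings for a hub/spoke pair, crypto first, then DMVPN plumbing."""
    hub, spoke = parse(hub_text), parse(spoke_text)
    return check_crypto(hub) + check_dmvpn(hub, spoke)
```

Run against the configuration in this post, `audit(HUB, SPOKE)` reports exactly two findings, both on the crypto side (the implicit DH group 1 and the wildcard key); the NHRP and EIGRP plumbing between R1 and R3 passes. Changing the spoke's network-id to 2 reproduces the classic "registration never happens" misconfiguration, and adding `group 14` to the ISAKMP policy clears the DH finding.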

Router configuration :
router eigrp 1000
  redistribute eigrp 520 metric 56000 10 255 255 1500
  network 10.0.0.0 0.0.0.255
  auto-summary
!
router eigrp 520
  redistribute eigrp 1000 metric 56000 10 255 255 1500
  network 53.1.1.0 0.0.0.255
  auto-summary
!
ip route 0.0.0.0 0.0.0.0 13.1.1.1

EIGRP 1000 and EIGRP 520 are mutually redistributed. The default route points to 13.1.1.1.

Router R2 has a similar configuration to router R3, with its own tunnel address 10.0.0.3 and its own public address as tunnel source.

Spoke-to-Spoke Dynamic tunnel formation :

Check the DMVPN state on R3 with "show dmvpn": the hub entry carries the flag S (Static) and spoke-to-spoke entries carry D (Dynamic). If no Spoke-to-Spoke entry is present, ping a host behind the other spoke and check again; the first packets trigger an NHRP resolution through the hub and the dynamic tunnel forms. "show ip nhrp" lists the resolved mappings, the ISAKMP SAs can be checked with "show crypto isakmp sa", and the actual ESP SAs with their encrypt/decrypt counters with "show crypto ipsec sa".

Some interesting packet capture snapshots :

Tunnel formation at Router R1 for both spoke routers :


Spoke-Spoke dynamic tunnel formation :


This is a really cool topology & it got my routing abstraction level concepts cleared.
That's it guys, I will explore more about IPSec in upcoming posts.
Happy Networking. Do write to me regarding any suggestions or problems.

All routers configurations with packet captures can be downloaded here.
