Saturday, December 5, 2015

Configuring DMVPN Phase 1 w/ IPSEC and EIGRP

In this blogtorial we will take a look at how to configure DMVPN, run EIGRP over the DMVPN, and encrypt the traffic going over the DMVPN using IPSEC. We will break the blogtorial into 3 parts. First we will configure the DMVPN tunnel and verify end-to-end IP connectivity, then we will move on to configuring routing over the tunnel, and finally we will configure IPSEC to encrypt everything going over the tunnel.

Here is our topology.



As always, let's get the interfaces configured first.

 R1#sh run int gig1.151  
 Building configuration...  
 Current configuration : 126 bytes  
 !  
 interface GigabitEthernet1.151  
  description Internet_Facing  
  encapsulation dot1Q 151  
  ip address 1.1.1.1 255.255.255.0  
 end  
 !
 R1#sh run int lo100
 interface Loopback100
  ip address 10.10.10.1 255.255.255.255
 end
 
 R2#sh run int gig1.151  
 Building configuration...  
 Current configuration : 126 bytes  
 !  
 interface GigabitEthernet1.151  
  description Internet_Facing  
  encapsulation dot1Q 151  
  ip address 1.1.1.2 255.255.255.0  
 end  
 !
 R2#sh run int lo100
 interface Loopback100
  ip address 10.10.10.2 255.255.255.255
 end

 R3#sh run int gig1.151  
 Building configuration...  
 Current configuration : 126 bytes  
 !  
 interface GigabitEthernet1.151  
  description Internet_Facing  
  encapsulation dot1Q 151  
  ip address 1.1.1.3 255.255.255.0  
 end
 !
 R3#sh run int lo100
 interface Loopback100
  ip address 10.10.10.3 255.255.255.255
 end  

Ping and verify basic Layer 3 connectivity between the routers.

 R2#ping 1.1.1.1  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms  
 R3#ping 1.1.1.1  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms  

Next, let's move on to configuring the DMVPN tunnel, including the NHRP parameters, on all 3 routers. We will use the private subnet 192.168.1.0/24 for the DMVPN tunnel.

 R1#sh run int tun0  
 Building configuration...  
 Current configuration : 263 bytes  
 !  
 interface Tunnel0  
  ip address 192.168.1.1 255.255.255.0  
  no ip redirects  
 !!--Set the MTU to account for the GRE / IPSEC overhead  
  ip mtu 1400  
 !!--Optional NHRP authentication  
  ip nhrp authentication AUTH  
 !!--Hub learns the spokes' NBMA addresses for multicast replication as they register  
  ip nhrp map multicast dynamic  
 !!--NHRP network-id must match on all routers  
  ip nhrp network-id 1  
  ip tcp adjust-mss 1360  
  tunnel source GigabitEthernet1.151  
  tunnel mode gre multipoint  
 end  

 R2#sh run int tun0  
 Building configuration...  
 Current configuration : 291 bytes  
 !  
 interface Tunnel0  
  ip address 192.168.1.2 255.255.255.0  
  ip nhrp authentication AUTH  
  ip mtu 1400  
 !!--Map the NHRP next-hop server (the hub's tunnel address) to the hub's NBMA address  
  ip nhrp map 192.168.1.1 1.1.1.1  
 !!--Remember to map multicast to the hub's NBMA address (not the tunnel address) or routing protocols will not form adjacencies  
  ip nhrp map multicast 1.1.1.1  
  ip nhrp network-id 1  
  ip nhrp nhs 192.168.1.1  
  ip tcp adjust-mss 1360  
  tunnel source GigabitEthernet1.151  
  tunnel destination 1.1.1.1  
 end  

 R3#sh run int tun0  
 Building configuration...  
 Current configuration : 291 bytes  
 !  
 interface Tunnel0  
  ip address 192.168.1.3 255.255.255.0  
  ip nhrp authentication AUTH  
  ip mtu 1400  
  ip nhrp map 192.168.1.1 1.1.1.1  
  ip nhrp map multicast 1.1.1.1  
 !!--Make sure the network-id matches on all the routers  
  ip nhrp network-id 1  
  ip nhrp nhs 192.168.1.1  
  ip tcp adjust-mss 1360  
  tunnel source GigabitEthernet1.151  
  tunnel destination 1.1.1.1  
 end  

At this point we should have full tunnel-to-tunnel connectivity.

 R1#ping 192.168.1.2  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms  

 R1#ping 192.168.1.3  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/5 ms  
 
 R1#show ip nhrp dynamic  
  192.168.1.2/32 via 192.168.1.2  
   Tunnel0 created 00:12:18, expire 01:49:03  
   Type: dynamic, Flags: unique registered used nhop  
   NBMA address: 1.1.1.2  
  192.168.1.3/32 via 192.168.1.3  
   Tunnel0 created 00:09:29, expire 01:50:31  
   Type: dynamic, Flags: unique registered used nhop  
   NBMA address: 1.1.1.3  

Keep in mind that this is DMVPN Phase 1, and as such dynamic spoke-to-spoke tunnels are not created. Therefore, all traffic between the spokes must go through the HUB. Here is a traceroute from R2 to R3 showing that the packets are indeed routed through the HUB (192.168.1.1 is the first hop).

 R2#traceroute 192.168.1.3  
 Type escape sequence to abort.  
 Tracing the route to 192.168.1.3  
 VRF info: (vrf in name/id, vrf out name/id)  
  1 192.168.1.1 4 msec 4 msec 4 msec  
  2 192.168.1.3 4 msec * 5 msec  

 R2#show ip nhrp static  
 192.168.1.1/32 via 192.168.1.1  
   Tunnel0 created 00:11:51, never expire  
   Type: static, Flags:  
   NBMA address: 1.1.1.1  

Now that we have DMVPN Phase 1 working end-to-end, let's configure EIGRP on the tunnel interface and advertise the routers' loopbacks. Let's configure EIGRP named mode just to mix things up. Of course, all of this can also be configured under the classic 'router eigrp <AS>' mode that we are all very familiar with.

 R1#show run | sec eigrp  
 router eigrp EIGRP_OVER_DMVPN  
  !  
  address-family ipv4 unicast autonomous-system 1  
  !  
  topology base  
  exit-af-topology  
  network 10.10.10.1 0.0.0.0  
  network 192.168.1.0  
  exit-address-family 
 
 R2#show run | sec eigrp  
 router eigrp EIGRP_OVER_DMVPN  
  !  
  address-family ipv4 unicast autonomous-system 1  
  !  
  topology base  
  exit-af-topology  
  network 10.10.10.2 0.0.0.0  
  network 192.168.1.0  
  exit-address-family  

 R3#show run | sec eigrp  
 router eigrp EIGRP_OVER_DMVPN  
  !  
  address-family ipv4 unicast autonomous-system 1  
  !  
  topology base  
  exit-af-topology  
  network 10.10.10.3 0.0.0.0  
  network 192.168.1.0  
  exit-address-family  

 R1#ping 10.10.10.2  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/5 ms  

 R1#ping 10.10.10.3  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 10.10.10.3, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/4 ms  

Although R1 can ping the loopbacks of R2 and R3, R2 and R3 cannot ping each other's loopback.

 R2#  ping 10.10.10.3  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 10.10.10.3, timeout is 2 seconds:  
 .....  
 Success rate is 0 percent (0/5)  

The reason R2 and R3 cannot ping each other's loopback is the EIGRP split horizon rule: the hub learns both loopbacks on Tunnel0, and split horizon stops it from advertising a route back out the same interface it was learned on, so neither spoke ever learns the other's loopback. After disabling split horizon on R1's tunnel interface, R2 and R3 can ping each other.

 R1(config)#router eigrp EIGRP_OVER_DMVPN  
 R1(config-router)#address-family ipv4 as 1  
 R1(config-router-af)#af-interface tun0  
 R1(config-router-af-interface)#no split-horizon  
 R1#  
 %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.3 (Tunnel0) is resync: split horizon changed  
 %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.2 (Tunnel0) is resync: split horizon changed  
 
 R2#ping 10.10.10.3  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 10.10.10.3, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/22 ms  
 
 R3#ping 10.10.10.2  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 5/8/23 ms  

At this point, everything going over the DMVPN is in clear text. Let's encrypt our traffic by configuring IPSEC for everything that goes over the DMVPN tunnel.

 R1#  
 !!--ISAKMP (IKEv1 phase 1) policy: how the peers authenticate and protect the key exchange  
 crypto isakmp policy 10  
  encr 3des  
  hash md5  
  authentication pre-share  
  group 2  
 !!--address 0.0.0.0 means the same pre-shared key is used for every peer  
 crypto isakmp key ITHITMAN address 0.0.0.0  
 !!--IPSEC (phase 2) transform set: ESP with AES encryption and SHA-256 integrity  
 crypto ipsec transform-set aes-128-sha-256 esp-aes esp-sha256-hmac  
  mode tunnel  
 !!--The profile ties the transform set to the tunnel interface  
 crypto ipsec profile dmvpn_ipsec  
  set transform-set aes-128-sha-256  

Once the ISAKMP policy and IPSEC profile are created, apply the profile to the tunnel interface so that traffic going over the tunnel is encrypted and decrypted accordingly.

 R1(config)#int tun0  
 R1(config-if)#tunnel protection ipsec profile dmvpn_ipsec  
 R1(config-if)#end  
 R1#  

Let's get the same configured on R2 and R3.

 !!--Router 2 configs  
 R2#  
 crypto isakmp policy 10  
  encr 3des  
  hash md5  
  authentication pre-share  
  group 2  
 crypto isakmp key ITHITMAN address 0.0.0.0  
 crypto ipsec transform-set aes-128-sha-256 esp-aes esp-sha256-hmac  
  mode tunnel  
 crypto ipsec profile dmvpn_ipsec  
  set transform-set aes-128-sha-256  
 int tunnel0  
  tunnel protection ipsec profile dmvpn_ipsec  

 !!--Router 3 configs  
 R3#  
 crypto isakmp policy 10  
  encr 3des  
  hash md5  
  authentication pre-share  
  group 2  
 crypto isakmp key ITHITMAN address 0.0.0.0  
 crypto ipsec transform-set aes-128-sha-256 esp-aes esp-sha256-hmac  
  mode tunnel  
 crypto ipsec profile dmvpn_ipsec  
  set transform-set aes-128-sha-256  
 int tunnel0  
  tunnel protection ipsec profile dmvpn_ipsec  
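As an added check that is not part of the original post, here is a small Python audit script that reads per-router running-config text and flags the things this blogtorial depends on: missing NHRP authentication, a network-id mismatch between routers, an adjust-mss that does not match the ip mtu, a tunnel with no tunnel protection applied, plus the ISAKMP choices used above that a practitioner would want to replace today (3DES, MD5, DH group 2) and the wildcard pre-shared key. It assumes a single Tunnel interface per router; the sample configs are constructed for the example.

```python
import re
# Added audit script (not from the post): checks the DMVPN settings this post configures.
# Assumes one Tunnel interface per router, so tunnel commands can be matched anywhere in the text.
WEAK_ISAKMP = {  # IKEv1 policy values worth flagging; all are deprecated choices today
    r"encr 3des": "3DES is deprecated",
    r"hash md5": "MD5 is unsuitable for IKE integrity",
    r"group 2": "DH group 2 (1024-bit MODP) is too small",
}

def setting(cfg, cmd):
    """Return the first argument after `cmd` on any config line, or None if absent."""
    m = re.search(rf"^\s*{re.escape(cmd)}\s+(\S+)", cfg, re.M)
    return m.group(1) if m else None

def audit(configs):
    """Return a list of findings for a dict of {router_name: running_config_text}."""
    findings, netids = [], {}
    for rtr, cfg in configs.items():
        netids[rtr] = setting(cfg, "ip nhrp network-id")
        if setting(cfg, "ip nhrp authentication") is None:
            findings.append(f"{rtr}: no NHRP authentication on the tunnel")
        if setting(cfg, "tunnel protection ipsec profile") is None:
            findings.append(f"{rtr}: tunnel has no IPsec protection, GRE is in clear text")
        mtu, mss = setting(cfg, "ip mtu"), setting(cfg, "ip tcp adjust-mss")
        if mtu and mss and int(mss) != int(mtu) - 40:  # 20 B IP + 20 B TCP headers
            findings.append(f"{rtr}: adjust-mss {mss} should be ip mtu {mtu} minus 40")
        for pat, why in WEAK_ISAKMP.items():
            if re.search(rf"^\s*{pat}\s*$", cfg, re.M):
                findings.append(f"{rtr}: ISAKMP policy uses '{pat}': {why}")
        if re.search(r"^crypto isakmp key \S+ address 0\.0\.0\.0", cfg, re.M):
            findings.append(f"{rtr}: wildcard pre-shared key is accepted from any peer")
    if len(set(netids.values())) > 1:  # NHRP needs the same network-id on every router
        findings.append(f"NHRP network-id mismatch: {netids}")
    return findings

# Constructed samples: R1 mirrors the post; R2 is missing the IPsec step and has a wrong network-id.
R1 = """interface Tunnel0
 ip mtu 1400
 ip nhrp authentication AUTH
 ip nhrp network-id 1
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile dmvpn_ipsec
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto isakmp key ITHITMAN address 0.0.0.0
"""
R2 = "interface Tunnel0\n ip nhrp authentication AUTH\n ip nhrp network-id 2\n"
```

Running `audit({"R1": R1, "R2": R2})` on the samples returns six findings: R1's three weak ISAKMP values and its wildcard key, R2's unprotected tunnel, and the network-id mismatch.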

Simple as that ... DMVPN Phase 1 + IPSEC + EIGRP Routing.

Many more articles to come so ....

Please subscribe/comment/+1 if you like my posts as it keeps me motivated to write more and spread the knowledge.