THE FASCINATING WORLD OF NETWORKING
DMVPN with PKI as the authentication method
Date: 8-9-2016
Introduction to DMVPN
Dynamic Multipoint VPN (DMVPN) is a scalable solution for centrally managed VPNs:
- GRE-based.
- Supports dynamically assigned IPs and Spoke-to-Spoke tunnels.
- Supports multicast and dynamic routing: RIP, EIGRP, OSPF and BGP.
- IPsec must be added on top for security.
DMVPN provides fully meshed connectivity for large Hub-and-Spoke network topologies. The initial configuration is a little complex, but once it is working you can add Spoke sites without changing the Hub configuration. Spoke sites with a dynamic WAN IP are supported as well. Moreover, there is no need to configure Spoke-to-Spoke VPN tunnels manually, since they are created automatically whenever there is traffic between spokes.
DMVPN is only supported on Cisco routers, so it is not possible to implement it on a Cisco ASA or PIX. This is because DMVPN still uses GRE, which is supported only on routers.
DMVPN is a secure network that exchanges data between sites without needing to pass traffic through the organization's headquarters virtual private network (VPN) server or router.
VPNs traditionally connect each remote site to the headquarters; DMVPN essentially creates a mesh VPN topology. This means that each site (spoke) can connect directly with every other site, no matter where it is located.
A DMVPN service runs on VPN routers. Each remote site has a router configured to connect to the company’s headquarters VPN device (hub), providing access to the resources available. When two spokes are required to exchange data between each other -- for a VoIP telephone call, for example -- the spoke will contact the hub, obtain the necessary information about the other end, and create a dynamic IPsec VPN tunnel directly between them.
Direct spoke-to-spoke deployments provide a number of advantages when compared to traditional VPN deployments:
- Traffic between remote sites does not need to traverse the hub (headquarters VPN router).
- A DMVPN deployment eliminates additional bandwidth requirements at the hub.
- DMVPNs eliminate additional network delays.
- DMVPNs conserve WAN bandwidth.
- They lower costs for VPN circuits.
- They increase resiliency and redundancy.
DMVPN is built of two main components:
- Multipoint GRE interfaces (mGRE): capable of terminating multiple tunnels.
- Next-Hop Resolution Protocol (NHRP): provides mappings of logical (tunnel) to physical (NBMA) addresses.
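To make the two components concrete, here is an added Python model of NHRP registration and resolution. It is my code, not the article's configuration and not IOS; class and function names are constructed. It uses the tunnel and NBMA addresses of this lab (hub 172.16.0.1 on 15.0.0.1, spokes 172.16.0.2 on 25.0.0.1 and 172.16.0.3 on 35.0.0.1, network-id 1, authentication string juantron) and shows the hub building its tunnel-to-NBMA table from spoke registrations, a spoke resolving another spoke's NBMA address through the hub so that a direct Spoke-to-Spoke tunnel can form, and what happens when the network-id or authentication string does not match.

```python
from dataclasses import dataclass

# Constructed model of NHRP (not IOS code). Addresses come from this lab.


@dataclass
class NhrpMessage:
    kind: str          # "register" or "resolve"
    network_id: int    # ip nhrp network-id
    auth: str          # ip nhrp authentication string (carried in cleartext)
    tunnel_ip: str     # logical (tunnel) address of the sender
    nbma_ip: str       # physical (NBMA) address of the sender
    target: str = ""   # tunnel address to resolve (resolution requests only)


class NextHopServer:
    """Hub side: keeps the tunnel -> NBMA cache that 'sh dmvpn' displays."""

    def __init__(self, tunnel_ip, nbma_ip, network_id, auth):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.network_id, self.auth = network_id, auth
        self.cache = {}  # tunnel IP -> NBMA IP, learned dynamically ('D' in sh dmvpn)

    def accepts(self, msg):
        # A mismatched network-id or authentication string is silently dropped.
        # The string is visible in the NHRP packet, so it separates clouds and
        # catches misconfiguration; peer authentication comes from IPsec, not NHRP.
        return msg.network_id == self.network_id and msg.auth == self.auth

    def handle(self, msg):
        if not self.accepts(msg):
            return None
        if msg.kind == "register":
            self.cache[msg.tunnel_ip] = msg.nbma_ip
            return ("registration-reply", msg.tunnel_ip, msg.nbma_ip)
        if msg.kind == "resolve":
            # The reply carries the target's NBMA address if a spoke registered it.
            return ("resolution-reply", msg.target, self.cache.get(msg.target))
        raise ValueError("unknown NHRP message kind " + msg.kind)


class Spoke:
    """Spoke side: static map to the hub, dynamic cache for other spokes."""

    def __init__(self, tunnel_ip, nbma_ip, nhs, network_id, auth):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.nhs, self.network_id, self.auth = nhs, network_id, auth
        # ip nhrp map <hub tunnel> <hub NBMA> and ip nhrp nhs <hub tunnel>
        self.cache = {nhs.tunnel_ip: nhs.nbma_ip}
        self.nhs_queries = 0

    def _send(self, kind, target=""):
        return self.nhs.handle(NhrpMessage(kind, self.network_id, self.auth,
                                           self.tunnel_ip, self.nbma_ip, target))

    def register(self):
        """Tell the NHS our tunnel/NBMA pair (spoke WAN addresses may be dynamic)."""
        return self._send("register")

    def nbma_for(self, tunnel_next_hop):
        """NBMA address to encapsulate GRE towards; on a cache miss ask the NHS.
        A successful resolution is what lets a spoke-to-spoke tunnel bypass the hub."""
        if tunnel_next_hop not in self.cache:
            self.nhs_queries += 1
            reply = self._send("resolve", tunnel_next_hop)
            if reply is None or reply[2] is None:
                # Unresolved: keep forwarding through the hub.
                return self.nhs.nbma_ip
            self.cache[tunnel_next_hop] = reply[2]
        return self.cache[tunnel_next_hop]


def build_lab():
    """Hub plus the two spokes of this article, registered with the NHS."""
    hub = NextHopServer("172.16.0.1", "15.0.0.1", network_id=1, auth="juantron")
    r2 = Spoke("172.16.0.2", "25.0.0.1", hub, network_id=1, auth="juantron")
    r3 = Spoke("172.16.0.3", "35.0.0.1", hub, network_id=1, auth="juantron")
    r2.register()
    r3.register()
    return hub, r2, r3


if __name__ == "__main__":
    hub, r2, r3 = build_lab()
    print("NHS cache:", hub.cache)
    print("R2 -> 172.16.0.3 encapsulates to", r2.nbma_for("172.16.0.3"))
```

The second lookup of the same spoke is answered from the local cache without asking the hub, which is the behaviour the dynamic 'D' entries in sh dmvpn represent. Because ip nhrp authentication travels in cleartext, it only keeps mis-configured or foreign DMVPN clouds apart; confidentiality and peer authentication come from the IPsec tunnel protection added later in the article.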
Topology
IOS=c7200-adventerprisek9-mz.124-15.T6.bin
In the real world the CA would probably be a stand-alone box, so I'm going to configure Internet_CAServer as the CA Server.
Another scenario
In other cases, one of the DMVPN routers will act as the CA Server, so it will need to authenticate and enroll with itself:
- Configure a trustpoint on the CA Server with an enrollment URL that points to the CA itself: crypto pki trustpoint <trustpoint>; enrollment url http://15.0.0.1, …
- Authenticate and enroll the CA with itself using the standard procedure: crypto pki authenticate <trustpoint>, crypto pki enroll <trustpoint>
NOTE Try to implement this new scenario on your own.
Initial Configurations
Internet_CAServer
hostname Internet_CAServer
!
interface FastEthernet0/0
ip address 35.0.0.2 255.255.255.252
no shut
!
interface FastEthernet0/1
ip address 25.0.0.2 255.255.255.252
no shut
!
interface FastEthernet1/0
ip address 15.0.0.2 255.255.255.252
duplex full
no shut
R1_HUB
hostname R1_HUB
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.0
ip mtu 1400
ip nhrp authentication juantron
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 7000
no ip next-hop-self eigrp 777
no ip split-horizon eigrp 777
!
interface FastEthernet1/0
ip address 15.0.0.1 255.255.255.252
duplex full
no shut
!
ip route 0.0.0.0 0.0.0.0 15.0.0.2
!
router eigrp 777
no auto-sum
network 172.16.0.0
network 1.1.1.0 0.0.0.255
R2_Spoke
hostname R2_Spoke
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Tunnel0
ip address 172.16.0.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication juantron
ip nhrp map 172.16.0.1 15.0.0.1
ip nhrp map multicast 15.0.0.1
ip nhrp network-id 1
ip nhrp nhs 172.16.0.1
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 7000
!
interface FastEthernet0/1
ip address 25.0.0.1 255.255.255.252
no shut
!
ip route 0.0.0.0 0.0.0.0 25.0.0.2
!
router eigrp 777
no auto-sum
network 2.2.2.0 0.0.0.255
network 172.16.0.0
!
end
NOTE Similar configuration for R3_Spoke.
R1_HUB#sh ip route
--output omitted--
Gateway of last resort is 15.0.0.2 to network 0.0.0.0
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/297372416] via 172.16.0.2, 00:01:00, Tunnel0
3.0.0.0/24 is subnetted, 1 subnets
D 3.3.3.0 [90/297372416] via 172.16.0.3, 00:00:50, Tunnel0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.0.0 is directly connected, Tunnel0
15.0.0.0/30 is subnetted, 1 subnets
C 15.0.0.0 is directly connected, FastEthernet1/0
S* 0.0.0.0/0 [1/0] via 15.0.0.2
R1_HUB#sh ip eigrp neighbors
IP-EIGRP neighbors for process 777
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 172.16.0.2 Tu0 11 00:10:56 102 5000 0 3
0 172.16.0.3 Tu0 10 00:10:56 149 5000 0 3
R1_HUB#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 25.0.0.1 172.16.0.2 UP never D
1 35.0.0.1 172.16.0.3 UP never D
Configuring IOS CA Server on Internet_CAServer
NOTE Cisco recommends configuring a loopback interface as the NTP source from which NTP packets are sent, but I did not configure one for simplicity. Also, use NTP authentication in a real-world deployment.
clock timezone GMT 0
ntp master
!
ip domain-name juantron.com
crypto key generate rsa general-keys modulus 2048 label CA-Key exportable
!
ip http server
!
crypto pki trustpoint CA-Server
revocation-check crl
rsakeypair CA-Key
!
crypto pki server CA-Server
database url nvram:
database level complete
issuer-name C=sp,L=juantrontown,O=juantronCo,OU=x.509 certs,CN=juantron.com VPN
hash sha1
lifetime crl 1
lifetime certificate 730
lifetime ca-certificate 1825
grant auto
no shut
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: juantron
Re-enter password: juantron
% Exporting Certificate Server signing certificate and keys...
% Certificate Server enabled.
Internet_CAServer#show crypto pki server
Certificate Server CA-Server
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: C=sp,L=juantrontown,O=juantronCo,OU=x.509 certs,CN=juantron.com VPN
CA cert fingerprint: FD27BC61 10065A7F 7645A4C7 CB2E4DF9
Granting mode is: auto
Last certificate issued serial number: 0x1
CA certificate expiration timer: 17:52:28 GMT Aug 28 2021
CRL NextUpdate timer: 18:52:28 GMT Aug 29 2016
Current primary storage dir: nvram:
Database Level: Complete - all issued certs written as <serialnum>.cer
To see where the issued certificates are stored:
Internet_CAServer#dir nvram:
Configuring certificate enrollment on Hub and Spokes
If you wish, first read my earlier article: PKI - CA Server and Client enrollment using Cisco Routers
Configuring certificate enrollment on R1_Hub
clock timezone GMT 0
ntp server 15.0.0.2
!
ip domain-name juantron.com
crypto key generate rsa general-keys modulus 2048 label VPN-client exportable
!Add authentication rsa-sig to use PKI (certificates) instead of a pre-shared key as the IKE authentication method:
crypto isakmp policy 5
authentication rsa-sig
group 5
encryption aes 256
!authentication rsa-sig is the Cisco default, so it is hidden from show run; use show run all to see it.
crypto isakmp key cisco123 address 0.0.0.0
!This pre-shared key is not used by IKE while every policy authenticates with rsa-sig.
!
crypto ipsec transform-set OURSET esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile OUR_IPSEC_PROFILE
set transform-set OURSET
!
interface tunnel 0
tunnel protection ipsec profile OUR_IPSEC_PROFILE
!
crypto pki trustpoint CA-Server
enrollment url http://15.0.0.2
revocation-check crl
fqdn R1_Hub.juantron.com
subject-name CN= R1_Hub,OU=X.509,O=juantronCo,C=sp
rsakeypair VPN-client
Now the EIGRP neighbors go down: Tunnel0 requires IPsec from this point on, so the spokes' unprotected GRE packets are dropped (see the RECVD_PKT_NOT_IPSEC message), and IKE cannot come up until this router and the spokes have completed the enrollment process. The following output is displayed:
Sep 3 20:26:58.695: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Sep 3 20:27:01.275: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /15.0.0.1, src_addr= 35.0.0.1, prot= 47
R1_HUB(ca-trustpoint)#
Sep 3 20:27:11.810: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 777: Neighbor 172.16.0.3 (Tunnel0) is down: holding time expired
Sep 3 20:27:12.386: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 777: Neighbor 172.16.0.2 (Tunnel0) is down: holding time expired
!
crypto pki authenticate CA-Server
!The following output is displayed:
Certificate has the following attributes:
Fingerprint MD5: FD27BC61 10065A7F 7645A4C7 CB2E4DF9
Fingerprint SHA1: 13591222 C21FCC35 AE8B57C5 3176FCA6 214D70CF
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
!
crypto pki enroll CA-Server
!The following output is displayed:
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:juantron
Re-enter password: juantron
% The subject name in the certificate will include: CN= R1_Hub,OU=X.509,O=juantronCo,C=sp
% The subject name in the certificate will include: R1_Hub.juantron.com
% Include the router serial number in the subject name? [yes/no]:no
% Include an IP address in the subject name? [no]:no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate CA-Server verbose' command will show the fingerprint.
R1_HUB(config)#
Aug 29 18:47:15.014: CRYPTO_PKI: Certificate Request Fingerprint MD5: 96E02A5A 68345CC7 892B0413 5E0E2EEE
Aug 29 18:47:15.018: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 91C3BC5B 4117FB62 65A2267C F9D905A2 76E7E684
Aug 29 18:47:19.422: %PKI-6-CERTRET: Certificate received from Certificate Authority%
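The one security decision in the enrollment above is the "Do you accept this certificate?" prompt: the enrollment URL is plain HTTP, so the only thing that ties the trustpoint to the intended CA is comparing the fingerprint shown on the enrolling router with the CA cert fingerprint obtained out of band from the CA (here the value printed by show crypto pki server on Internet_CAServer). The following Python script is an added example, not part of the article and not IOS code: it parses both outputs as copied from this page, decides whether the prompt should be answered yes, and reproduces the IOS-style fingerprint from a DER-encoded certificate file for the case where you have the CA certificate itself rather than a screen capture. Function names and the sample DER bytes are constructed.

```python
import hashlib
import re

# Output of "show crypto pki server" on Internet_CAServer, copied from this article.
SHOW_PKI_SERVER = """\
Certificate Server CA-Server
Status: enabled
State: enabled
Issuer name: C=sp,L=juantrontown,O=juantronCo,OU=x.509 certs,CN=juantron.com VPN
CA cert fingerprint: FD27BC61 10065A7F 7645A4C7 CB2E4DF9
Granting mode is: auto
"""

# Prompt printed by "crypto pki authenticate CA-Server" on R1_HUB, copied from this article.
AUTHENTICATE_PROMPT = """\
Certificate has the following attributes:
Fingerprint MD5: FD27BC61 10065A7F 7645A4C7 CB2E4DF9
Fingerprint SHA1: 13591222 C21FCC35 AE8B57C5 3176FCA6 214D70CF
% Do you accept this certificate? [yes/no]:
"""

HEX_GROUPS = r"((?:[0-9A-Fa-f]{8}\s*)+)"   # IOS prints 8 hex digits per group


def normalize(fingerprint):
    """Canonical form (uppercase, no separators) so spacing never masks a mismatch."""
    return re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()


def parse_server_fingerprint(show_output):
    """CA-side reference value: the 'CA cert fingerprint' line of show crypto pki server."""
    m = re.search(r"CA cert fingerprint:\s*" + HEX_GROUPS, show_output)
    if not m:
        raise ValueError("no 'CA cert fingerprint' line found")
    return normalize(m.group(1))


def parse_prompt_fingerprints(prompt):
    """Fingerprints the enrolling router displays before asking 'Do you accept'."""
    found = {}
    for algo in ("MD5", "SHA1"):
        m = re.search(r"Fingerprint " + algo + r":\s*" + HEX_GROUPS, prompt)
        if m:
            found[algo] = normalize(m.group(1))
    return found


def should_accept(ca_side_fingerprint, prompt, algo="MD5"):
    """Answer 'yes' only when the prompt's fingerprint equals the value obtained
    out of band from the CA. With no match (or no fingerprint for the chosen
    algorithm at all) the answer is no."""
    shown = parse_prompt_fingerprints(prompt)
    return algo in shown and shown[algo] == normalize(ca_side_fingerprint)


def ios_fingerprint(der_certificate, algo):
    """Reproduce the IOS display (hash of the DER certificate, groups of 8 hex
    digits) for a certificate exported from the CA, to compare against a file."""
    digest = hashlib.new(algo.lower(), der_certificate).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


if __name__ == "__main__":
    reference = parse_server_fingerprint(SHOW_PKI_SERVER)
    print("accept CA certificate:", should_accept(reference, AUTHENTICATE_PROMPT))
```

The show crypto pki server output on this IOS release prints only the MD5 fingerprint, which is what the comparison above uses; when you can obtain the SHA1 value from the CA side as well, pass algo="SHA1" and compare that one, since MD5 is the weaker of the two. IOS can also enforce this check without a human: the trustpoint fingerprint command pins the expected CA fingerprint so that authentication fails on a mismatch instead of prompting.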
Configuring certificate enrollment on R2_Spoke
clock timezone GMT 0
ntp server 25.0.0.2
!
ip domain-name juantron.com
crypto key generate rsa general-keys modulus 2048 label VPN-key exportable
!
crypto isakmp policy 5
authentication rsa-sig
group 5
encryption aes 256
!
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set OURSET esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile OUR_IPSEC_PROFILE
set transform-set OURSET
!
interface tunnel 0
tunnel protection ipsec profile OUR_IPSEC_PROFILE
!
crypto pki trustpoint CA-Server
enrollment url http://25.0.0.2
revocation-check crl
fqdn R2_Spoke.juantron.com
subject-name CN= R2_Spoke,OU=X.509,O=juantronCo,C=sp
rsakeypair VPN-key
!
crypto pki authenticate CA-Server
!You have to accept the certificate with yes
!
crypto pki enroll CA-Server
!Use the same answers as before. Once the spoke holds its certificate, IKE completes and the following output is displayed:
Sep 3 20:36:35.291: %CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of R1_HUB.juantron.com (type 2) and certificate fqdn with R1_Hub.juantron.com
Sep 3 20:36:35.291: %CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of R1_HUB.juantron.com (type 2) and certificate fqdn with R1_Hub.juantron.com
Sep 3 20:36:38.703: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 777: Neighbor 172.16.0.1 (Tunnel0) is up: new adjacency
!The two IKMP_NO_ID_CERT_FQDN_MATCH messages are informational (severity 6): the hub sends its IKE identity as hostname plus domain name (R1_HUB.juantron.com), which differs only in case from the fqdn configured in its trustpoint (R1_Hub.juantron.com). The adjacency still comes up; setting the trustpoint fqdn to match the hostname exactly avoids the mismatch.
Configuring certificate enrollment on R3_Spoke
clock timezone GMT 0
ntp server 35.0.0.2
!
ip domain-name juantron.com
crypto key generate rsa general-keys modulus 2048 label VPN-key exportable
!
crypto isakmp policy 5
authentication rsa-sig
group 5
encryption aes 256
!
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set OURSET esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile OUR_IPSEC_PROFILE
set transform-set OURSET
!
interface tunnel 0
tunnel protection ipsec profile OUR_IPSEC_PROFILE
!
crypto pki trustpoint CA-Server
enrollment url http://35.0.0.2
revocation-check crl
fqdn R3_Spoke.juantron.com
subject-name CN= R3_Spoke,OU=X.509,O=juantronCo,C=sp
rsakeypair VPN-key
!
crypto pki authenticate CA-Server
!The following output is displayed:
..
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
crypto pki enroll CA-Server
!Use the same answers as before.
!After enrolling this client:
Aug 29 19:35:20.859: %CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of R1_HUB.juantron.com (type 2) and certificate fqdn with R1_Hub.juantron.com
Aug 29 19:35:20.859: %CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of R1_HUB.juantron.com (type 2) and certificate fqdn with R1_Hub.juantron.com
Aug 29 19:35:22.383: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 777: Neighbor 172.16.0.1 (Tunnel0) is up: new adjacency
DMVPN Verification
R1_HUB#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 25.0.0.1 172.16.0.2 UP never D
1 35.0.0.1 172.16.0.3 UP never D
R1_HUB#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 5
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature <----- Digital signatures
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
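Note what this output shows besides the rsa-sig line: the built-in default protection suite is still present, with 56-bit DES and 768-bit Diffie-Hellman group 1, and even the configured priority 5 suite negotiates a 1536-bit group. The following Python audit is an added example, not part of the article and not IOS code: it parses the show crypto isakmp policy output as copied from this page and flags every suite that uses DES/3DES, MD5, a DH modulus below an assumed 2048-bit threshold (MIN_DH_BITS), or pre-shared keys. Function names and the threshold are my assumptions.

```python
import re

# Output of "show crypto isakmp policy" on R1_HUB, copied from this article.
SHOW_ISAKMP_POLICY = """\
Global IKE policy
Protection suite of priority 5
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
"""

MIN_DH_BITS = 2048  # assumed audit threshold (112-bit security level)


def parse_isakmp_policies(output):
    """Turn the show output into one dict per protection suite."""
    suites, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            current = {"name": "priority " + m.group(1)}
            suites.append(current)
            continue
        if line.startswith("Default protection suite"):
            current = {"name": "default"}
            suites.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "encryption algorithm":
            # "AES - Advanced Encryption Standard (256 bit keys)." -> AES, 256
            current["encryption"] = value.split(" - ")[0].rstrip(".")
            bits = re.search(r"\((\d+) bit keys\)", value)
            current["key_bits"] = int(bits.group(1)) if bits else None
        elif key == "hash algorithm":
            current["hash"] = value          # "Secure Hash Standard" is SHA-1
        elif key == "authentication method":
            current["auth"] = value
        elif key == "Diffie-Hellman group":
            g = re.search(r"#(\d+)\s*\((\d+) bit\)", value)
            current["dh_group"], current["dh_bits"] = int(g.group(1)), int(g.group(2))
        elif key == "lifetime":
            current["lifetime_s"] = int(re.search(r"(\d+) seconds", value).group(1))
    return suites


def audit_isakmp_policies(output):
    """Findings as (suite name, message) pairs; an empty list means nothing flagged."""
    findings = []
    for s in parse_isakmp_policies(output):
        enc = s.get("encryption", "")
        if enc == "DES" or "triple DES" in enc:
            findings.append((s["name"], "weak encryption: " + enc))
        if s.get("hash", "").startswith("Message Digest"):
            findings.append((s["name"], "weak hash: MD5"))
        if s.get("dh_bits", 0) < MIN_DH_BITS:
            findings.append((s["name"], "DH group %d (%d bit) below %d bit"
                             % (s.get("dh_group", 0), s.get("dh_bits", 0), MIN_DH_BITS)))
        if "Pre-Shared" in s.get("auth", ""):
            findings.append((s["name"], "pre-shared key authentication in use"))
    return findings


if __name__ == "__main__":
    for name, msg in audit_isakmp_policies(SHOW_ISAKMP_POLICY):
        print("[%s] %s" % (name, msg))
```

On this page's output the audit returns three findings: the default suite for DES and for group 1, and the priority 5 suite for group 5. The default suite only matters if a peer offers nothing better, but a peer that does so still gets 56-bit DES; raising the configured policy to a 2048-bit group and, on IOS releases that support it, removing the built-in suite with no crypto isakmp default policy closes both gaps.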
R1_HUB#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
15.0.0.1 25.0.0.1 QM_IDLE 1002 0 ACTIVE
15.0.0.1 35.0.0.1 QM_IDLE 1004 0 ACTIVE
R1_HUB#ping 2.2.2.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/113/144 ms
R1_HUB#ping 3.3.3.3 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/113/144 ms
And this is the end of this article. I hope you liked it.