Note
Securing DMVPN connections with IPsec requires an IPsec Application License.
DMVPN and NHRP security¶
Securing DPVN connections with IPsec¶
Securing a DMVPN connection requires to configure an IKE VPN. More information on how to configure IKE is given in IKE user guide.
A VPN is defined in the IKE context, that requires to encrypt GRE traffic in IPsec transport mode, and specifies the necessary IKE and IPsec settings.
The local and remote addresses of the VPN are left unspecified, they will be dynamically provided by the NHRP layer.
NHRP use case example¶
We will now configure all devices of the DMVPN network to encrypt GRE encapsulated traffic with IPsec.
The procedure consists in configuring an IKE VPN with a security-policy
for GRE traffic, then to request that the NHRP connection uses this
security-policy to protect the GRE tunnels (NHRP and data traffic).
create the IKE VPN¶
The below configuration defines a VPN with a security-policy named
dmvpn-gre. It has the IKE identity spoke1. Each device must have
a distinct identity. For example, hub identity would be hub.
Each instance that wants to secure its connection has to set up similar IKE
settings. Basically, only the VPN local-id will change.
spoke1
spoke1 running# vrf main
spoke1 running vrf main# ike
spoke1 running ike# pre-shared-key dmvpn-psk
spoke1 running pre-shared-key dmvpn-psk# secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
spoke1 running pre-shared-key dmvpn-psk# ..
spoke1 running ike# ike-policy-template ikepol
spoke1 running ike-policy-template ikepol# ike-proposal 1
spoke1 running ike-proposal 1# enc-alg aes256-cbc
spoke1 running ike-proposal 1# auth-alg hmac-sha512
spoke1 running ike-proposal 1# dh-group ecp384
spoke1 running ike-proposal 1# ..
spoke1 running ike-policy-template ikepol# dpd-delay 15
spoke1 running ike-policy-template ikepol# ..
spoke1 running ike# ipsec-policy-template ipsecpol
spoke1 running ipsec-policy-template ipsecpol# esp-proposal 1
spoke1 running esp-proposal 1# enc-alg aes256-cbc
spoke1 running esp-proposal 1# auth-alg hmac-sha512
spoke1 running esp-proposal 1# dh-group ecp384
spoke1 running esp-proposal 1# ..
spoke1 running ipsec-policy-template ipsecpol# start-action none
spoke1 running ipsec-policy-template ipsecpol# close-action none
spoke1 running ipsec-policy-template ipsecpol# dpd-action clear
spoke1 running ipsec-policy-template ipsecpol# rekey-time 100m
spoke1 running ipsec-policy-template ipsecpol# ..
spoke1 running ike# vpn dmvpn
spoke1 running vpn dmvpn# ike-policy
spoke1 running ike-policy# template ikepol
spoke1 running ike-policy# ..
spoke1 running vpn dmvpn# ipsec-policy
spoke1 running ipsec-policy# template ipsecpol
spoke1 running ipsec-policy# ..
spoke1 running vpn dmvpn# local-id spoke1
spoke1 running vpn dmvpn# security-policy dmvpn-gre
spoke1 running security-policy gretunnel# local-ts protocol 47
spoke1 running security-policy gretunnel# remote-ts protocol 47
spoke1 running security-policy gretunnel# mode transport
spoke1 running security-policy gretunnel# ..
spoke1 running vpn dmvpn# ..
spoke1 running ike# ..
spoke1 running vrf main# commit
The same configuration can be applied to other spokes and hub. However,
ensure that each device has its own local-id.
spoke2
[..]
spoke2 running# vrf main
spoke2 running vrf main# ike
spoke2 running ike# vpn dmvpn
spoke2 running vpn dmvpn# local-id spoke2
spoke2 running vpn dmvpn# commit
spoke3
[..]
spoke3 running# vrf main
spoke3 running vrf main# ike
spoke3 running ike# vpn dmvpn
spoke3 running vpn dmvpn# local-id spoke3
spoke3 running vpn dmvpn# commit
hub
[..]
hub running# vrf main
hub running vrf main# ike
hub running ike# vpn dmvpn
hub running vpn dmvpn# local-id hub
hub running vpn dmvpn# commit
reference the IKE VPN in NHRP¶
Then, the NHRP configuration specifies that the NHRP connection must be
protected by an IPsec security-policy named dmvpn-gre. The name of the
ipsec-profile must match the name of the security-policy.
spoke1
spoke1 running config# vrf main
spoke1 running vrf main# routing interface gre1
spoke1 running interface gre1# nhrp-connection ipsec-profile dmvpn-gre
spoke1 running interface gre1# commit
spoke2
spoke2 running config# vrf main
spoke2 running vrf main# routing interface gre2
spoke2 running interface gre2# nhrp-connection ipsec-profile dmvpn-gre
spoke2 running interface gre2# commit
spoke3
spoke3 running config# vrf main
spoke3 running vrf main# routing interface gre3
spoke3 running interface gre3# nhrp-connection ipsec-profile dmvpn-gre
spoke3 running interface gre3# commit
hub
hub running config# vrf main
hub running vrf main# routing interface gre4
hub running interface gre4# nhrp-connection ipsec-profile dmvpn-gre
hub running interface gre4# commit
IPsec establishment¶
Thanks to this configuration, prior to sending NHRP packets, the NHRP layer on the spokes will trigger an IKE negotiation between the NBMA addresses of the spoke and the hub, and request the GRE traffic between these addresses to be encrypted in IPsec transport mode.
Only then the NHRP packets may be exchanged. Both NHRP and data traffic sent through the GRE tunnels will be encrypted by IPsec.
The command below displays the established IKE SA and their installed child SAs.
spoke1
spoke1> show ike ike-sa vpn dmvpn details
dmvpn: #1, ESTABLISHED, IKEv2, 82fd942f9fdc4325_i 8901f24b124cbe9c_r
local 'spoke1' @ 11.11.11.11[500]
remote 'hub' @ 44.44.44.44[500]
aes256-cbc/hmac-sha512/hmac-sha512/ecp384
established 714s ago, rekeying in 9499s
dmvpn-gre: #1, reqid 1, INSTALLED, TRANSPORT, esp:aes256-cbc/hmac-sha512
installed 714s ago, rekeying in 5140s, expires in 5886s
in c481a614, 106076 bytes, 577 packets
out cb8a052d, 16032 bytes, 100 packets
local 11.11.11.11/32
remote 44.44.44.44/32
We can now verify that the NHRP connections are protected by IPsec. As can
be seen, the SAs column stands for the number of child SA used. Identity
is the IKE id of the peer.
hub
hub> show nhrp-connection
Src Dst Flags SAs Identity
44.44.44.44 22.22.22.22 n 1 spoke2
44.44.44.44 33.33.33.33 n 1 spoke3
44.44.44.44 11.11.11.11 n 1 spoke1
spoke1
spoke1> show nhrp-connection
Src Dst Flags SAs Identity
11.11.11.11 44.44.44.44 n 1 hub
The same processing occurs between spokes before establishing shortcuts. If the hub and spokes are set up to allow direct spoke-to-spoke communication, a spoke that receives a traffic indication from the hub will trigger an IKE negotiation with the other spoke, in order to encrypt the GRE traffic between the NBMA addresses of the spokes. Only then the spoke-to-spoke NHRP exchanges may start. The spoke-to-spoke data traffic will also be protected by IPsec.
spoke1
spoke1> show nhrp-connection
Src Dst Flags SAs Identity
11.11.11.11 22.22.22.22 1 spoke2
11.11.11.11 44.44.44.44 n 1 hub
spoke1> show ike ike-sa vpn dmvpn details
dmvpn: #2, ESTABLISHED, IKEv2, 633207c251b7df62_i b4dbd7645d4979f2_r
local 'spoke1' @ 11.11.11.11[500]
remote 'spoke2' @ 22.22.22.22[500]
aes256-cbc/hmac-sha512/hmac-sha512/ecp384
established 420s ago, rekeying in 13606s
dmvpn-gre: #2, reqid 2, INSTALLED, TRANSPORT, esp:aes256-cbc/hmac-sha512
installed 420s ago, rekeying in 5345s, expires in 6180s
in c5fe8f0d, 186104 bytes, 1082 packets
out cc1346d0, 280908 bytes, 1633 packets
local 11.11.11.11/32
remote 22.22.22.22/32
dmvpn: #1, ESTABLISHED, IKEv2, 82fd942f9fdc4325_i 8901f24b124cbe9c_r
local 'spoke1' @ 11.11.11.11[500]
remote 'hub' @ 44.44.44.44[500]
aes256-cbc/hmac-sha512/hmac-sha512/ecp384
established 714s ago, rekeying in 9499s
dmvpn-gre: #1, reqid 1, INSTALLED, TRANSPORT, esp:aes256-cbc/hmac-sha512
installed 714s ago, rekeying in 5140s, expires in 5886s
in c481a614, 116076 bytes, 677 packets
out cb8a052d, 21032 bytes, 126 packets
local 11.11.11.11/32
remote 44.44.44.44/32