Note

Securing DMVPN connections with IPsec requires an IPsec Application License.

DMVPN and NHRP security

Securing DMVPN connections with IPsec

Securing a DMVPN connection requires configuring an IKE VPN. More information on how to configure IKE is given in the IKE user guide.

The VPN is defined in the IKE context: it requires GRE traffic to be encrypted in IPsec transport mode and specifies the necessary IKE and IPsec settings.

The local and remote addresses of the VPN are left unspecified; they are provided dynamically by the NHRP layer.

Figure: NHRP use case example

We will now configure all devices of the DMVPN network to encrypt GRE-encapsulated traffic with IPsec.

The procedure consists of configuring an IKE VPN with a security-policy for GRE traffic, then requesting that the NHRP connection use this security-policy to protect the GRE tunnels (both NHRP and data traffic).

The configuration builds on the configuration of the previous chapter.

hub running config# / vrf main interface physical wan port pci-b0s4
hub running config# / vrf main interface physical wan ipv4 address 44.44.44.44/24
hub running config# / vrf main interface physical lan port pci-b0s5
hub running config# / vrf main interface physical lan ipv4 address 192.168.4.1/24
hub running config# / vrf main interface gre gre4 ipv4 address 10.255.255.4/32
hub running config#! / vrf main interface gre gre4 link-interface wan
hub running config#! / vrf main interface gre gre4 local 44.44.44.44
hub running config# / vrf main interface gre gre4 ttl 64
hub running config# / vrf main routing static ipv4-route 0.0.0.0/0 next-hop 44.44.44.1
hub running config# / vrf main routing nhrp enabled true
hub running config# / vrf main routing nhrp hub-mode true
hub running config# / vrf main routing interface gre4 ip nhrp registration-no-unique true
hub running config# / vrf main routing interface gre4 ip nhrp network-id 123
hub running config# / vrf main routing interface gre4 ip nhrp holdtime 1200
hub running config# / vrf main routing interface gre4 ip nhrp redirect true
hub running config# / vrf main routing bgp as 65000
hub running config# / vrf main routing bgp router-id 10.255.255.4
hub running config# / vrf main routing bgp ebgp-connected-route-check false
hub running config# / vrf main routing bgp ebgp-requires-policy false
hub running config# / vrf main routing bgp network-import-check false
hub running config# / vrf main routing bgp address-family ipv4-unicast network 192.168.4.0/24
hub running network 192.168.4.0/24# / vrf main routing bgp listen neighbor-range 10.255.255.0/24 neighbor-group GROUP
hub running network 192.168.4.0/24#! / vrf main routing bgp neighbor-group GROUP remote-as 65099
hub running network 192.168.4.0/24# / vrf main routing bgp neighbor-group GROUP address-family ipv4-unicast nexthop-self force true
hub running network 192.168.4.0/24# / vrf main routing bgp neighbor-group GROUP address-family ipv4-unicast route-reflector-client true
hub running network 192.168.4.0/24# / vrf main routing bgp address-family ipv4-unicast network 192.168.0.0/16
hub running network 192.168.0.0/16# / vrf main routing bgp address-family ipv4-unicast network 10.255.255.0/24
spoke1 running config# / vrf main interface physical lan port pci-b0s5
spoke1 running config# / vrf main interface physical lan ipv4 address 192.168.1.1/24
spoke1 running config# / vrf main interface physical wan port pci-b0s4
spoke1 running config# / vrf main interface physical wan ipv4 address 11.11.11.11/24
spoke1 running config# / vrf main interface gre gre1 ipv4 address 10.255.255.1/32
spoke1 running config#! / vrf main interface gre gre1 link-interface wan
spoke1 running config#! / vrf main interface gre gre1 local 11.11.11.11
spoke1 running config# / vrf main interface gre gre1 ttl 64
spoke1 running config# / vrf main routing static ipv4-route 0.0.0.0/0 next-hop 11.11.11.1
spoke1 running config# / vrf main routing nhrp enabled true
spoke1 running config# / vrf main routing interface gre1 ip nhrp registration-no-unique true
spoke1 running config# / vrf main routing interface gre1 ip nhrp shortcut true
spoke1 running config# / vrf main routing interface gre1 ip nhrp network-id 123
spoke1 running config# / vrf main routing interface gre1 ip nhrp holdtime 1200
spoke1 running config# / vrf main routing interface gre1 ip nhrp nhrp-nhs dynamic nbma 44.44.44.44
spoke1 running config# / vrf main routing bgp as 65099
spoke1 running config# / vrf main routing bgp ebgp-connected-route-check false
spoke1 running config# / vrf main routing bgp ebgp-requires-policy false
spoke1 running config# / vrf main routing bgp router-id 10.255.255.1
spoke1 running config# / vrf main routing bgp address-family ipv4-unicast network 192.168.1.0/24
spoke1 running network 192.168.1.0/24# / vrf main routing bgp neighbor 10.255.255.4 remote-as 65000
spoke2 running config# / vrf main interface physical lan port pci-b0s5
spoke2 running config# / vrf main interface physical lan ipv4 address 192.168.2.1/24
spoke2 running config# / vrf main interface physical wan port pci-b0s4
spoke2 running config# / vrf main interface physical wan ipv4 address 22.22.22.22/24
spoke2 running config# / vrf main interface gre gre2 ipv4 address 10.255.255.2/32
spoke2 running config#! / vrf main interface gre gre2 link-interface wan
spoke2 running config#! / vrf main interface gre gre2 local 22.22.22.22
spoke2 running config# / vrf main interface gre gre2 ttl 64
spoke2 running config# / vrf main routing static ipv4-route 0.0.0.0/0 next-hop 22.22.22.1
spoke2 running config# / vrf main routing nhrp enabled true
spoke2 running config# / vrf main routing interface gre2 ip nhrp registration-no-unique true
spoke2 running config# / vrf main routing interface gre2 ip nhrp shortcut true
spoke2 running config# / vrf main routing interface gre2 ip nhrp network-id 123
spoke2 running config# / vrf main routing interface gre2 ip nhrp holdtime 1200
spoke2 running config# / vrf main routing interface gre2 ip nhrp nhrp-nhs dynamic nbma 44.44.44.44
spoke2 running config# / vrf main routing bgp as 65099
spoke2 running config# / vrf main routing bgp ebgp-connected-route-check false
spoke2 running config# / vrf main routing bgp ebgp-requires-policy false
spoke2 running config# / vrf main routing bgp router-id 10.255.255.2
spoke2 running config# / vrf main routing bgp address-family ipv4-unicast network 192.168.2.0/24
spoke2 running network 192.168.2.0/24# / vrf main routing bgp neighbor 10.255.255.4 remote-as 65000
spoke3 running config# / vrf main interface physical lan port pci-b0s5
spoke3 running config# / vrf main interface physical lan ipv4 address 192.168.3.1/24
spoke3 running config# / vrf main interface physical wan port pci-b0s4
spoke3 running config# / vrf main interface physical wan ipv4 address 33.33.33.33/24
spoke3 running config# / vrf main interface gre gre3 ipv4 address 10.255.255.3/32
spoke3 running config#! / vrf main interface gre gre3 link-interface wan
spoke3 running config#! / vrf main interface gre gre3 local 33.33.33.33
spoke3 running config# / vrf main interface gre gre3 ttl 64
spoke3 running config# / vrf main routing static ipv4-route 0.0.0.0/0 next-hop 33.33.33.1
spoke3 running config# / vrf main routing nhrp enabled true
spoke3 running config# / vrf main routing interface gre3 ip nhrp registration-no-unique true
spoke3 running config# / vrf main routing interface gre3 ip nhrp shortcut true
spoke3 running config# / vrf main routing interface gre3 ip nhrp network-id 123
spoke3 running config# / vrf main routing interface gre3 ip nhrp holdtime 1200
spoke3 running config# / vrf main routing interface gre3 ip nhrp nhrp-nhs dynamic nbma 44.44.44.44
spoke3 running config# / vrf main routing bgp as 65099
spoke3 running config# / vrf main routing bgp ebgp-connected-route-check false
spoke3 running config# / vrf main routing bgp ebgp-requires-policy false
spoke3 running config# / vrf main routing bgp router-id 10.255.255.3
spoke3 running config# / vrf main routing bgp address-family ipv4-unicast network 192.168.3.0/24
spoke3 running network 192.168.3.0/24# / vrf main routing bgp neighbor 10.255.255.4 remote-as 65000

A router is configured to represent the network between the spokes and the hub with the following configuration:

router-vm running config# / vrf main interface physical eth1 port pci-b0s4
router-vm running config# / vrf main interface physical eth1 ipv4 address 11.11.11.1/24
router-vm running config# / vrf main interface physical eth2 port pci-b0s5
router-vm running config# / vrf main interface physical eth2 ipv4 address 22.22.22.1/24
router-vm running config# / vrf main interface physical eth3 port pci-b0s6
router-vm running config# / vrf main interface physical eth3 ipv4 address 33.33.33.1/24
router-vm running config# / vrf main interface physical eth4 port pci-b0s7
router-vm running config# / vrf main interface physical eth4 ipv4 address 44.44.44.1/24

Create the IKE VPN

The configuration below defines a VPN with a security-policy named dmvpn-gre and the IKE identity spoke1. Each device must have a distinct identity; for example, the hub's identity would be hub.

Every device that secures its connections must set up similar IKE settings. Essentially, only the VPN local-id changes from one device to the next.

spoke1 running config# / vrf main ike pre-shared-key dmvpn-psk secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
spoke1 running config# / vrf main ike ike-policy-template ikepol ike-proposal 1 enc-alg aes256-cbc
spoke1 running config#! / vrf main ike ike-policy-template ikepol ike-proposal 1 auth-alg hmac-sha512
spoke1 running config#! / vrf main ike ike-policy-template ikepol ike-proposal 1 dh-group ecp384
spoke1 running config# / vrf main ike ike-policy-template ikepol dpd-delay 15
spoke1 running config# / vrf main ike ipsec-policy-template ipsecpol esp-proposal 1 enc-alg aes256-cbc
spoke1 running config#! / vrf main ike ipsec-policy-template ipsecpol esp-proposal 1 auth-alg hmac-sha512
spoke1 running config# / vrf main ike ipsec-policy-template ipsecpol esp-proposal 1 dh-group ecp384
spoke1 running config# / vrf main ike ipsec-policy-template ipsecpol start-action none
spoke1 running config# / vrf main ike ipsec-policy-template ipsecpol close-action none
spoke1 running config# / vrf main ike ipsec-policy-template ipsecpol dpd-action clear
spoke1 running config# / vrf main ike ipsec-policy-template ipsecpol rekey-time 100m
spoke1 running config# / vrf main ike vpn dmvpn ike-policy template ikepol
spoke1 running config#! / vrf main ike vpn dmvpn ipsec-policy template ipsecpol
spoke1 running config# / vrf main ike vpn dmvpn local-id spoke1
spoke1 running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre local-ts protocol 47
spoke1 running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre remote-ts protocol 47
spoke1 running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre mode transport

The same configuration can be applied to the other spokes and to the hub. However, ensure that each device has its own local-id.

spoke2 running config# / vrf main ike pre-shared-key dmvpn-psk secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
spoke2 running config# / vrf main ike ike-policy-template ikepol ike-proposal 1 enc-alg aes256-cbc
spoke2 running config#! / vrf main ike ike-policy-template ikepol ike-proposal 1 auth-alg hmac-sha512
spoke2 running config#! / vrf main ike ike-policy-template ikepol ike-proposal 1 dh-group ecp384
spoke2 running config# / vrf main ike ike-policy-template ikepol dpd-delay 15
spoke2 running config# / vrf main ike ipsec-policy-template ipsecpol esp-proposal 1 enc-alg aes256-cbc
spoke2 running config#! / vrf main ike ipsec-policy-template ipsecpol esp-proposal 1 auth-alg hmac-sha512
spoke2 running config# / vrf main ike ipsec-policy-template ipsecpol esp-proposal 1 dh-group ecp384
spoke2 running config# / vrf main ike ipsec-policy-template ipsecpol start-action none
spoke2 running config# / vrf main ike ipsec-policy-template ipsecpol close-action none
spoke2 running config# / vrf main ike ipsec-policy-template ipsecpol dpd-action clear
spoke2 running config# / vrf main ike ipsec-policy-template ipsecpol rekey-time 100m
spoke2 running config# / vrf main ike vpn dmvpn ike-policy template ikepol
spoke2 running config#! / vrf main ike vpn dmvpn ipsec-policy template ipsecpol
spoke2 running config# / vrf main ike vpn dmvpn local-id spoke2
spoke2 running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre local-ts protocol 47
spoke2 running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre remote-ts protocol 47
spoke2 running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre mode transport
spoke3 running config# / vrf main ike pre-shared-key dmvpn-psk secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
spoke3 running config# / vrf main ike ike-policy-template ikepol ike-proposal 1 enc-alg aes256-cbc
spoke3 running config#! / vrf main ike ike-policy-template ikepol ike-proposal 1 auth-alg hmac-sha512
spoke3 running config#! / vrf main ike ike-policy-template ikepol ike-proposal 1 dh-group ecp384
spoke3 running config# / vrf main ike ike-policy-template ikepol dpd-delay 15
spoke3 running config# / vrf main ike ipsec-policy-template ipsecpol esp-proposal 1 enc-alg aes256-cbc
spoke3 running config#! / vrf main ike ipsec-policy-template ipsecpol esp-proposal 1 auth-alg hmac-sha512
spoke3 running config# / vrf main ike ipsec-policy-template ipsecpol esp-proposal 1 dh-group ecp384
spoke3 running config# / vrf main ike ipsec-policy-template ipsecpol start-action none
spoke3 running config# / vrf main ike ipsec-policy-template ipsecpol close-action none
spoke3 running config# / vrf main ike ipsec-policy-template ipsecpol dpd-action clear
spoke3 running config# / vrf main ike ipsec-policy-template ipsecpol rekey-time 100m
spoke3 running config# / vrf main ike vpn dmvpn ike-policy template ikepol
spoke3 running config#! / vrf main ike vpn dmvpn ipsec-policy template ipsecpol
spoke3 running config# / vrf main ike vpn dmvpn local-id spoke3
spoke3 running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre local-ts protocol 47
spoke3 running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre remote-ts protocol 47
spoke3 running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre mode transport
hub running config# / vrf main ike pre-shared-key dmvpn-psk secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
hub running config# / vrf main ike ike-policy-template ikepol ike-proposal 1 enc-alg aes256-cbc
hub running config#! / vrf main ike ike-policy-template ikepol ike-proposal 1 auth-alg hmac-sha512
hub running config#! / vrf main ike ike-policy-template ikepol ike-proposal 1 dh-group ecp384
hub running config# / vrf main ike ike-policy-template ikepol dpd-delay 15
hub running config# / vrf main ike ipsec-policy-template ipsecpol esp-proposal 1 enc-alg aes256-cbc
hub running config#! / vrf main ike ipsec-policy-template ipsecpol esp-proposal 1 auth-alg hmac-sha512
hub running config# / vrf main ike ipsec-policy-template ipsecpol esp-proposal 1 dh-group ecp384
hub running config# / vrf main ike ipsec-policy-template ipsecpol start-action none
hub running config# / vrf main ike ipsec-policy-template ipsecpol close-action none
hub running config# / vrf main ike ipsec-policy-template ipsecpol dpd-action clear
hub running config# / vrf main ike ipsec-policy-template ipsecpol rekey-time 100m
hub running config# / vrf main ike vpn dmvpn ike-policy template ikepol
hub running config#! / vrf main ike vpn dmvpn ipsec-policy template ipsecpol
hub running config# / vrf main ike vpn dmvpn local-id hub
hub running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre local-ts protocol 47
hub running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre remote-ts protocol 47
hub running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre mode transport

Reference the IKE VPN in NHRP

Then, the NHRP configuration specifies that the NHRP connection must be protected by the IPsec security-policy named dmvpn-gre. The name given to ipsec-profile must match the name of the security-policy.

hub running config# / vrf main routing interface gre4 nhrp-connection ipsec-profile dmvpn-gre
spoke1 running config# / vrf main routing interface gre1 nhrp-connection ipsec-profile dmvpn-gre
spoke2 running config# / vrf main routing interface gre2 nhrp-connection ipsec-profile dmvpn-gre
spoke3 running config# / vrf main routing interface gre3 nhrp-connection ipsec-profile dmvpn-gre
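The two steps above carry three rules that are easy to break when the same block is pasted onto several devices: each device needs its own IKE local-id, the nhrp-connection ipsec-profile must name an existing security-policy, and that policy must select GRE (protocol 47) on both traffic selectors in transport mode. The following Python script is an added example, not part of this documentation or of the product: it reads configuration command lines in the `<device> running ...# / vrf main ...` form shown on this page and reports violations of those rules. The sample configuration is constructed: the hub and spoke1 lines are taken from the page, while spoke2 is given a reused local-id and a misspelled ipsec-profile so that the check has something to report.

```python
"""Consistency check for the DMVPN IPsec configuration described on this page.

Added example, not part of the original documentation or product. It parses
configuration command lines in the "<device> running ...# / vrf main ..." form
and checks: distinct IKE local-id per device, ipsec-profile naming an existing
security-policy, and that policy protecting GRE (protocol 47) in transport mode.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: hub and spoke1 as on the page, spoke2 with two mistakes
# (local-id reused from spoke1, ipsec-profile name that matches no policy).
SAMPLE_CONFIG = """\
hub running config# / vrf main ike vpn dmvpn local-id hub
hub running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre local-ts protocol 47
hub running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre remote-ts protocol 47
hub running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre mode transport
hub running config# / vrf main routing interface gre4 nhrp-connection ipsec-profile dmvpn-gre
spoke1 running config# / vrf main ike vpn dmvpn local-id spoke1
spoke1 running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre local-ts protocol 47
spoke1 running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre remote-ts protocol 47
spoke1 running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre mode transport
spoke1 running config# / vrf main routing interface gre1 nhrp-connection ipsec-profile dmvpn-gre
spoke2 running config# / vrf main ike vpn dmvpn local-id spoke1
spoke2 running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre local-ts protocol 47
spoke2 running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre remote-ts protocol 47
spoke2 running config# / vrf main ike vpn dmvpn security-policy dmvpn-gre mode transport
spoke2 running config# / vrf main routing interface gre2 nhrp-connection ipsec-profile dmvpn-gre-typo
"""

# Prompt prefix "<device> running <context>#" (optionally "#!") followed by " / <command>".
CMD_RE = re.compile(r"^(\S+) running .*?#!? / (.*)$")
LOCAL_ID_RE = re.compile(r"^vrf main ike vpn (\S+) local-id (\S+)$")
POLICY_RE = re.compile(
    r"^vrf main ike vpn \S+ security-policy (\S+) "
    r"(local-ts protocol|remote-ts protocol|mode) (\S+)$"
)
PROFILE_RE = re.compile(r"^vrf main routing interface (\S+) nhrp-connection ipsec-profile (\S+)$")


@dataclass
class Device:
    local_ids: dict = field(default_factory=dict)  # vpn name -> local-id
    policies: dict = field(default_factory=dict)   # policy name -> {attribute: value}
    profiles: dict = field(default_factory=dict)   # GRE interface -> ipsec-profile name


def parse_config(text):
    """Group the relevant IKE and NHRP commands per device."""
    devices = defaultdict(Device)
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if not m:
            continue
        dev, cmd = devices[m.group(1)], m.group(2).strip()
        if (mm := LOCAL_ID_RE.match(cmd)):
            dev.local_ids[mm.group(1)] = mm.group(2)
        elif (mm := POLICY_RE.match(cmd)):
            dev.policies.setdefault(mm.group(1), {})[mm.group(2)] = mm.group(3)
        elif (mm := PROFILE_RE.match(cmd)):
            dev.profiles[mm.group(1)] = mm.group(2)
    return dict(devices)


def check_config(text):
    """Return a list of findings; an empty list means all three rules hold."""
    devices = parse_config(text)
    findings = []
    # Rule 1: within a VPN, no two devices may share an IKE local-id.
    owners = defaultdict(list)
    for name, dev in devices.items():
        for vpn, local_id in dev.local_ids.items():
            owners[(vpn, local_id)].append(name)
    for (vpn, local_id), names in sorted(owners.items()):
        if len(names) > 1:
            findings.append(f"vpn {vpn}: local-id '{local_id}' reused by {', '.join(sorted(names))}")
    # Rules 2 and 3: the ipsec-profile must name a security-policy on the same
    # device, and that policy must protect GRE (protocol 47) in transport mode.
    for name, dev in sorted(devices.items()):
        for iface, profile in sorted(dev.profiles.items()):
            pol = dev.policies.get(profile)
            if pol is None:
                findings.append(f"{name}/{iface}: ipsec-profile '{profile}' matches no security-policy")
                continue
            if pol.get("local-ts protocol") != "47" or pol.get("remote-ts protocol") != "47":
                findings.append(f"{name}/{iface}: policy '{profile}' does not select protocol 47 on both traffic selectors")
            if pol.get("mode") != "transport":
                findings.append(f"{name}/{iface}: policy '{profile}' mode is {pol.get('mode')!r}, expected 'transport'")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["configuration consistent"]:
        print(finding)
```

Run against the sample, the script reports the reused local-id and the ipsec-profile that names no security-policy; feed it the full `show running-config` style output of every device and an empty result means the three rules hold across the DMVPN.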

IPsec establishment

With this configuration, before sending any NHRP packet, the NHRP layer on a spoke triggers an IKE negotiation between the NBMA addresses of the spoke and the hub, and requests that the GRE traffic between these addresses be encrypted in IPsec transport mode.

Only then may NHRP packets be exchanged. Both NHRP and data traffic sent through the GRE tunnels are encrypted by IPsec.

The command below displays the established IKE SAs and their installed child SAs.

spoke1> show ike ike-sa vpn dmvpn details
dmvpn: #1, ESTABLISHED, IKEv2, 34edfc184cc3c051_i 88d93afa450176ac_r
  local  'spoke1' @ 11.11.11.11[500]
  remote 'hub' @ 44.44.44.44[500]
  aes256-cbc/hmac-sha512/hmac-sha512/ecp384
  established 2s ago, rekeying in 13981s
  dmvpn-gre: #1, reqid 1, INSTALLED, TRANSPORT, esp:aes256-cbc/hmac-sha512
    installed 2s ago, rekeying in 5406s, expires in 6598s
    in  cafab6b3, 136 bytes, 1 packets
    out c9fa53c8, 96 bytes, 1 packets
    local  11.11.11.11/32
    remote 44.44.44.44/32

We can now verify that the NHRP connections are protected by IPsec. In the output, the SAs column gives the number of child SAs in use and the Identity column gives the IKE identity of the peer.

hub> show nhrp-connection
Src                      Dst                      Flags  SAs  Identity
44.44.44.44              22.22.22.22              n      1    spoke2
44.44.44.44              33.33.33.33              n      1    spoke3
44.44.44.44              11.11.11.11              n      1    spoke1
spoke1> show nhrp-connection
Src                      Dst                      Flags  SAs  Identity
11.11.11.11              44.44.44.44              n      1    hub

The same processing occurs between spokes before shortcuts are established. If the hub and spokes are set up to allow direct spoke-to-spoke communication, a spoke that receives a traffic indication from the hub triggers an IKE negotiation with the other spoke, in order to encrypt the GRE traffic between the NBMA addresses of the two spokes. Only then may the spoke-to-spoke NHRP exchanges start. The spoke-to-spoke data traffic is also protected by IPsec.

spoke1> cmd ping 192.168.2.1 source 192.168.1.1 rate 100 count 1000 | match packets
1000 packets transmitted, 1000 received, 0% packet loss, time 9993ms
spoke1> show nhrp-connection
Src                      Dst                      Flags  SAs  Identity
11.11.11.11              22.22.22.22              n      1    spoke2
11.11.11.11              44.44.44.44              n      1    hub
spoke1> show ike ike-sa vpn dmvpn details
dmvpn: #2, ESTABLISHED, IKEv2, 4e7ff127ec1f232e_i e619645b78c7e49b_r
  local  'spoke1' @ 11.11.11.11[500]
  remote 'spoke2' @ 22.22.22.22[500]
  aes256-cbc/hmac-sha512/hmac-sha512/ecp384
  established 10s ago, rekeying in 14237s
  dmvpn-gre: #2, reqid 2, INSTALLED, TRANSPORT, esp:aes256-cbc/hmac-sha512
    installed 10s ago, rekeying in 5474s, expires in 6590s
    in  c6bc73ed, 35640 bytes, 330 packets
    out c0c8ba66, 45796 bytes, 520 packets
    local  11.11.11.11/32
    remote 22.22.22.22/32
dmvpn: #1, ESTABLISHED, IKEv2, 34edfc184cc3c051_i 88d93afa450176ac_r
  local  'spoke1' @ 11.11.11.11[500]
  remote 'hub' @ 44.44.44.44[500]
  aes256-cbc/hmac-sha512/hmac-sha512/ecp384
  established 16s ago, rekeying in 13967s
  dmvpn-gre: #1, reqid 1, INSTALLED, TRANSPORT, esp:aes256-cbc/hmac-sha512
    installed 16s ago, rekeying in 5392s, expires in 6584s
    in  cafab6b3, 35583 bytes, 328 packets
    out c9fa53c8, 11985 bytes, 137 packets
    local  11.11.11.11/32
    remote 44.44.44.44/32
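The two verification steps above (hub-to-spoke, then spoke-to-spoke) each rely on reading `show nhrp-connection` and `show ike ike-sa vpn dmvpn details` side by side. The following Python script is an added example, not part of this documentation or of the product: it parses both outputs exactly as they are printed on this page and cross-checks them, reporting any NHRP connection that has no child SA, no ESTABLISHED IKE SA towards its destination NBMA address, a peer identity that differs from the NHRP identity, or no INSTALLED transport-mode child SA for the expected security-policy. The sample outputs are constructed from the page's spoke1 output (timer and counter lines dropped), plus one fabricated row with zero SAs so the check has something to report.

```python
"""Cross-check NHRP connections against IKE/IPsec state on a DMVPN node.

Added example, not part of the original documentation or product. It parses
the text of "show nhrp-connection" and "show ike ike-sa vpn <name> details" in
the formats printed on this page and reports unprotected NHRP connections.
"""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: the page's spoke1 table plus a fabricated row with SAs = 0.
NHRP_OUTPUT = """\
Src                      Dst                      Flags  SAs  Identity
11.11.11.11              22.22.22.22              n      1    spoke2
11.11.11.11              44.44.44.44              n      1    hub
11.11.11.11              33.33.33.33              n      0    spoke3
"""

# Constructed sample: the page's spoke1 IKE output, timer and counter lines dropped.
IKE_OUTPUT = """\
dmvpn: #2, ESTABLISHED, IKEv2, 4e7ff127ec1f232e_i e619645b78c7e49b_r
  local  'spoke1' @ 11.11.11.11[500]
  remote 'spoke2' @ 22.22.22.22[500]
  dmvpn-gre: #2, reqid 2, INSTALLED, TRANSPORT, esp:aes256-cbc/hmac-sha512
dmvpn: #1, ESTABLISHED, IKEv2, 34edfc184cc3c051_i 88d93afa450176ac_r
  local  'spoke1' @ 11.11.11.11[500]
  remote 'hub' @ 44.44.44.44[500]
  dmvpn-gre: #1, reqid 1, INSTALLED, TRANSPORT, esp:aes256-cbc/hmac-sha512
"""

IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), IKEv\d")                 # IKE SA header at column 0
REMOTE_RE = re.compile(r"^  remote '([^']*)' @ ([^\[\s]+)\[")          # peer identity and NBMA address
CHILD_RE = re.compile(r"^  (\S+): #\d+, reqid \d+, (\w+), (\w+), esp:(\S+)")  # child SA header

NhrpConnection = namedtuple("NhrpConnection", "src dst flags sas identity")
ChildSa = namedtuple("ChildSa", "policy state mode esp")


@dataclass
class IkeSa:
    vpn: str
    state: str
    remote_id: str = ""
    remote_addr: str = ""
    children: list = field(default_factory=list)


def parse_nhrp_connections(text):
    """Parse the show nhrp-connection table, skipping its header line."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] != "Src":
            src, dst, flags, sas, identity = parts
            conns.append(NhrpConnection(src, dst, flags, int(sas), identity))
    return conns


def parse_ike_sas(text):
    """Parse IKE SAs with their peer identity, NBMA address and child SAs."""
    sas = []
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            sas.append(IkeSa(vpn=m.group(1), state=m.group(3)))
        elif sas and (m := REMOTE_RE.match(line)):
            sas[-1].remote_id, sas[-1].remote_addr = m.group(1), m.group(2)
        elif sas and (m := CHILD_RE.match(line)):
            sas[-1].children.append(ChildSa(*m.groups()))
    return sas


def audit(nhrp_text, ike_text, policy="dmvpn-gre"):
    """Return one finding per NHRP connection that is not protected as expected."""
    ike_sas = parse_ike_sas(ike_text)
    findings = []
    for c in parse_nhrp_connections(nhrp_text):
        tag = f"{c.src} -> {c.dst} ({c.identity})"
        if c.sas < 1:
            findings.append(f"{tag}: no child SA installed for this connection")
            continue
        sa = next((s for s in ike_sas if s.remote_addr == c.dst and s.state == "ESTABLISHED"), None)
        if sa is None:
            findings.append(f"{tag}: no ESTABLISHED IKE SA with peer {c.dst}")
            continue
        if sa.remote_id != c.identity:
            findings.append(f"{tag}: IKE peer identity '{sa.remote_id}' differs from NHRP identity")
        if not any(ch.policy == policy and ch.state == "INSTALLED" and ch.mode == "TRANSPORT"
                   for ch in sa.children):
            findings.append(f"{tag}: no INSTALLED TRANSPORT child SA for security-policy '{policy}'")
    return findings


if __name__ == "__main__":
    for finding in audit(NHRP_OUTPUT, IKE_OUTPUT) or ["all NHRP connections protected"]:
        print(finding)
```

Matching on the destination NBMA address rather than on the identity alone is deliberate: the identity check then becomes a separate finding, which is what an operator wants to see if a peer authenticates under an unexpected IKE id.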