Note: Securing DMVPN connections with IPsec requires an IPsec Application License.
DMVPN and NHRP security
Securing DMVPN connections with IPsec
Securing a DMVPN connection requires configuring an IKE VPN. More information on how to configure IKE is given in the IKE user guide.
A VPN is defined in the IKE context; it requests that GRE traffic be encrypted in IPsec transport mode, and specifies the necessary IKE and IPsec settings.
The local and remote addresses of the VPN are left unspecified: they are provided dynamically by the NHRP layer.
We will now configure all devices of the DMVPN network to encrypt GRE-encapsulated traffic with IPsec.
The procedure consists of configuring an IKE VPN with a security-policy for GRE traffic, then requesting that the NHRP connection use this security-policy to protect the GRE tunnels (NHRP and data traffic).
Create the IKE VPN
The configuration below defines a VPN with a security-policy named dmvpn-gre. It has the IKE identity spoke1. Each device must have a distinct identity; for example, the hub identity would be hub.
Each instance that wants to secure its connection has to set up similar IKE settings. Basically, only the VPN local-id will change.
spoke1
spoke1 running# vrf main
spoke1 running vrf main# ike
spoke1 running ike# pre-shared-key dmvpn-psk
spoke1 running pre-shared-key dmvpn-psk# secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
spoke1 running pre-shared-key dmvpn-psk# ..
spoke1 running ike# ike-policy-template ikepol
spoke1 running ike-policy-template ikepol# ike-proposal 1
spoke1 running ike-proposal 1# enc-alg aes256-cbc
spoke1 running ike-proposal 1# auth-alg hmac-sha512
spoke1 running ike-proposal 1# dh-group ecp384
spoke1 running ike-proposal 1# ..
spoke1 running ike-policy-template ikepol# dpd-delay 15
spoke1 running ike-policy-template ikepol# ..
spoke1 running ike# ipsec-policy-template ipsecpol
spoke1 running ipsec-policy-template ipsecpol# esp-proposal 1
spoke1 running esp-proposal 1# enc-alg aes256-cbc
spoke1 running esp-proposal 1# auth-alg hmac-sha512
spoke1 running esp-proposal 1# dh-group ecp384
spoke1 running esp-proposal 1# ..
spoke1 running ipsec-policy-template ipsecpol# start-action none
spoke1 running ipsec-policy-template ipsecpol# close-action none
spoke1 running ipsec-policy-template ipsecpol# dpd-action clear
spoke1 running ipsec-policy-template ipsecpol# rekey-time 100m
spoke1 running ipsec-policy-template ipsecpol# ..
spoke1 running ike# vpn dmvpn
spoke1 running vpn dmvpn# ike-policy
spoke1 running ike-policy# template ikepol
spoke1 running ike-policy# ..
spoke1 running vpn dmvpn# ipsec-policy
spoke1 running ipsec-policy# template ipsecpol
spoke1 running ipsec-policy# ..
spoke1 running vpn dmvpn# local-id spoke1
spoke1 running vpn dmvpn# security-policy dmvpn-gre
spoke1 running security-policy dmvpn-gre# local-ts protocol 47
spoke1 running security-policy dmvpn-gre# remote-ts protocol 47
spoke1 running security-policy dmvpn-gre# mode transport
spoke1 running security-policy dmvpn-gre# ..
spoke1 running vpn dmvpn# ..
spoke1 running ike# ..
spoke1 running vrf main# commit
The same configuration can be applied to the other spokes and the hub. However, ensure that each device has its own local-id.
spoke2
[..]
spoke2 running# vrf main
spoke2 running vrf main# ike
spoke2 running ike# vpn dmvpn
spoke2 running vpn dmvpn# local-id spoke2
spoke2 running vpn dmvpn# commit
spoke3
[..]
spoke3 running# vrf main
spoke3 running vrf main# ike
spoke3 running ike# vpn dmvpn
spoke3 running vpn dmvpn# local-id spoke3
spoke3 running vpn dmvpn# commit
hub
[..]
hub running# vrf main
hub running vrf main# ike
hub running ike# vpn dmvpn
hub running vpn dmvpn# local-id hub
hub running vpn dmvpn# commit
Reference the IKE VPN in NHRP
Then, the NHRP configuration specifies that the NHRP connection must be protected by an IPsec security-policy named dmvpn-gre. The name of the ipsec-profile must match the name of the security-policy.
spoke1
spoke1 running config# vrf main
spoke1 running vrf main# routing interface gre1
spoke1 running interface gre1# nhrp-connection ipsec-profile dmvpn-gre
spoke1 running interface gre1# commit
spoke2
spoke2 running config# vrf main
spoke2 running vrf main# routing interface gre2
spoke2 running interface gre2# nhrp-connection ipsec-profile dmvpn-gre
spoke2 running interface gre2# commit
spoke3
spoke3 running config# vrf main
spoke3 running vrf main# routing interface gre3
spoke3 running interface gre3# nhrp-connection ipsec-profile dmvpn-gre
spoke3 running interface gre3# commit
hub
hub running config# vrf main
hub running vrf main# routing interface gre4
hub running interface gre4# nhrp-connection ipsec-profile dmvpn-gre
hub running interface gre4# commit
IPsec establishment
Thanks to this configuration, before sending any NHRP packet, the NHRP layer on the spokes triggers an IKE negotiation between the NBMA addresses of the spoke and the hub, and requests that the GRE traffic between these addresses be encrypted in IPsec transport mode.
Only then may NHRP packets be exchanged. Both NHRP and data traffic sent through the GRE tunnels are encrypted by IPsec.
The command below displays the established IKE SAs and their installed child SAs.
spoke1
spoke1> show ike ike-sa vpn dmvpn details
dmvpn: #1, ESTABLISHED, IKEv2, 82fd942f9fdc4325_i 8901f24b124cbe9c_r
local 'spoke1' @ 11.11.11.11[500]
remote 'hub' @ 44.44.44.44[500]
aes256-cbc/hmac-sha512/hmac-sha512/ecp384
established 714s ago, rekeying in 9499s
dmvpn-gre: #1, reqid 1, INSTALLED, TRANSPORT, esp:aes256-cbc/hmac-sha512
installed 714s ago, rekeying in 5140s, expires in 5886s
in c481a614, 106076 bytes, 577 packets
out cb8a052d, 16032 bytes, 100 packets
local 11.11.11.11/32
remote 44.44.44.44/32
We can now verify that the NHRP connections are protected by IPsec. In the output below, the SAs column is the number of child SAs in use, and Identity is the IKE identity of the peer.
hub
hub> show nhrp-connection
Src Dst Flags SAs Identity
44.44.44.44 22.22.22.22 n 1 spoke2
44.44.44.44 33.33.33.33 n 1 spoke3
44.44.44.44 11.11.11.11 n 1 spoke1
spoke1
spoke1> show nhrp-connection
Src Dst Flags SAs Identity
11.11.11.11 44.44.44.44 n 1 hub
The same processing occurs between spokes before establishing shortcuts. If the hub and spokes are set up to allow direct spoke-to-spoke communication, a spoke that receives a traffic indication from the hub triggers an IKE negotiation with the other spoke, in order to encrypt the GRE traffic between the NBMA addresses of the two spokes. Only then may the spoke-to-spoke NHRP exchanges start. The spoke-to-spoke data traffic is also protected by IPsec.
spoke1
spoke1> show nhrp-connection
Src Dst Flags SAs Identity
11.11.11.11 22.22.22.22 1 spoke2
11.11.11.11 44.44.44.44 n 1 hub
spoke1> show ike ike-sa vpn dmvpn details
dmvpn: #2, ESTABLISHED, IKEv2, 633207c251b7df62_i b4dbd7645d4979f2_r
local 'spoke1' @ 11.11.11.11[500]
remote 'spoke2' @ 22.22.22.22[500]
aes256-cbc/hmac-sha512/hmac-sha512/ecp384
established 420s ago, rekeying in 13606s
dmvpn-gre: #2, reqid 2, INSTALLED, TRANSPORT, esp:aes256-cbc/hmac-sha512
installed 420s ago, rekeying in 5345s, expires in 6180s
in c5fe8f0d, 186104 bytes, 1082 packets
out cc1346d0, 280908 bytes, 1633 packets
local 11.11.11.11/32
remote 22.22.22.22/32
dmvpn: #1, ESTABLISHED, IKEv2, 82fd942f9fdc4325_i 8901f24b124cbe9c_r
local 'spoke1' @ 11.11.11.11[500]
remote 'hub' @ 44.44.44.44[500]
aes256-cbc/hmac-sha512/hmac-sha512/ecp384
established 714s ago, rekeying in 9499s
dmvpn-gre: #1, reqid 1, INSTALLED, TRANSPORT, esp:aes256-cbc/hmac-sha512
installed 714s ago, rekeying in 5140s, expires in 5886s
in c481a614, 116076 bytes, 677 packets
out cb8a052d, 21032 bytes, 126 packets
local 11.11.11.11/32
remote 44.44.44.44/32
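The verification described above can be automated: the added example below (not part of the original guide or the product) parses constructed copies of the spoke1 "show nhrp-connection" and "show ike ike-sa vpn dmvpn details" outputs and reports any NHRP peer that has no child SA, whose NHRP identity does not match the IKE identity, or whose child SA is not a transport-mode SA with the ESP algorithms negotiated by the ipsecpol template. The expected ESP string and the parsing assumptions are taken from the outputs shown on this page.

```python
import re
# Constructed sample, modelled on the spoke1 outputs shown above once the
# spoke-to-spoke shortcut is up (not captured from a real device).
NHRP_OUTPUT = """Src Dst Flags SAs Identity
11.11.11.11 22.22.22.22 1 spoke2
11.11.11.11 44.44.44.44 n 1 hub"""
IKE_OUTPUT = """dmvpn: #2, ESTABLISHED, IKEv2, 633207c251b7df62_i b4dbd7645d4979f2_r
remote 'spoke2' @ 22.22.22.22[500]
dmvpn-gre: #2, reqid 2, INSTALLED, TRANSPORT, esp:aes256-cbc/hmac-sha512
dmvpn: #1, ESTABLISHED, IKEv2, 82fd942f9fdc4325_i 8901f24b124cbe9c_r
remote 'hub' @ 44.44.44.44[500]
dmvpn-gre: #1, reqid 1, INSTALLED, TRANSPORT, esp:aes256-cbc/hmac-sha512"""
EXPECTED_ESP = "esp:aes256-cbc/hmac-sha512"  # what the ipsecpol template negotiates

def parse_nhrp(text):
    """Map each NHRP peer NBMA address (Dst) to (identity, number of child SAs)."""
    peers = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Src":
            continue
        # Flags may be empty for a spoke-to-spoke shortcut, so index from the right.
        peers[fields[1]] = (fields[-1], int(fields[-2]))
    return peers

def parse_ike(text):
    """Map each IKE peer NBMA address to (IKE identity, list of INSTALLED child SA lines)."""
    sas, current = {}, None
    for line in text.splitlines():
        m = re.match(r"remote '(\S+)' @ (\S+)\[\d+\]", line.strip())
        if m:
            current = m.group(2)
            sas[current] = (m.group(1), [])
        elif current and ", INSTALLED, " in line:
            sas[current][1].append(line.strip())
    return sas

def audit(nhrp_text, ike_text):
    """Return findings; an empty list means every NHRP peer is protected as configured."""
    findings, ike = [], parse_ike(ike_text)
    for dst, (identity, sa_count) in parse_nhrp(nhrp_text).items():
        if sa_count == 0 or dst not in ike:
            findings.append(f"{dst} ({identity}): no IPsec SA, GRE to this peer is unprotected")
            continue
        ike_id, children = ike[dst]
        if ike_id != identity:
            findings.append(f"{dst}: NHRP identity {identity} differs from IKE identity {ike_id}")
        if not any("TRANSPORT" in c and EXPECTED_ESP in c for c in children):
            findings.append(f"{dst} ({identity}): no transport-mode child SA with {EXPECTED_ESP}")
    return findings
```

Run it against the two command outputs captured from the same device; an empty result means every NHRP peer is protected as the guide intends.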