Building dmVPN using Cisco and S-Terra

It just so happened that the import of equipment with strict encryption (key length more than 56 bits) was officially covered up. The topic was discussed a lot, and those who already have networks deployed on Cisco vpn are not particularly worried - they don’t touch, and okay. But organizing a new small branch office on Cisco or expanding the existing one has become somewhat problematic (routers leaving the End-of-Sale as well as topics with changing software from NPE-K9 to K9 and rolling license SECs will not be considered - it’s, nevertheless, illegal )

What is a classic dmVPN? In a nutshell - we have the Central device - the Hub and a bunch of remote Nodes - Spoke, with dynamic routing between them and the copy-paste configuration of the new Spoke - the changes in the config are minimal, you do not need to touch the central Hub, the routes themselves will fly through the network. Beauty!

What needs to be added and completed so that the circuit doesn’t work on Cisco, but on Cisco plus S-Terra?


image

The classic scheme is complicated by the fact that encryption with Cisco is carried out on a separate device. This can be either a module in a Cisco ISR router or a separate gateway.
In our case, the Cisco 2851 + MCM module is installed in the Center, and the Cisco 1941 + HWIC-4ESW + CSP VPN Gate 100 is installed in the remote node.
I want to note that although the connection is always initiated by the remote node, the tunnel remains lifted almost always due to the spinning inside OSPF

We organize on the Central router dmVPN Hub. Now configure the crypto-gateway. You can access it through the Service-Engine interface: c2851 # service-module Special-Services-Engine 1/0 session

!---Создаем LoopBack через который будут строиться туннели
!
interface Loopback0
description -- loopback interface
ip address 172.31.100.1 255.255.255.255
!
!---Создаем туннельный интерфейс
!
interface Tunnel0
description -- dmvpn hub S-Terra interface
bandwidth 10000
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn172
ip nhrp map multicast dynamic
ip nhrp network-id 172
ip nhrp holdtime 360
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf priority 10
delay 1000
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 100000
!
!---Поднимаем OSPF внутри туннелей
!
router ospf 1
router-id 172.31.100.1
log-adjacency-changes
redistribute connected subnets route-map rm_conn_net
network 172.16.0.0 0.0.0.255 area 0
!
ip access-list extended acl_connected_network
remark -- redistribute networks to ospf
permit ip 192.168.0.0 0.0.0.255 any
permit ip host 172.31.100.1 any
!
route-map rm_conn_net permit 10
match ip address acl_connected_network
!
!
!---Теперь необходимо, чтобы туннелированый трафик шифровался на крипто-шлюзе.
!---Для этого указываем, что loopback удаленного узла доступен через адрес крипто-шлюза
!
ip route 172.31.100.10 255.255.255.255 172.31.0.2 name c1941-loop
!
!---Поднимаем интерфейс до крипто-шлюза
!
interface Special-Services-Engine1/0
ip address 172.31.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no keepalive
!
!---Пропускаем через NAT шифрованные пакеты
!
ip nat inside source static udp 172.31.0.2 500 10.0.0.1 500 extendable
ip nat inside source static udp 172.31.0.2 4500 10.0.0.1 4500 extendable
!




and exit - by pressing Ctrl + Shift + 6, then “x” and typing
c2851 # service-module Special-Services-Engine 1/0 session clear Total: the packet arrives at the router, is packaged in GRE on the tunnel interface, is sent to the crypto-gateway , the crypto-gateway encrypts GRE and throws it back to Cisco 2851, where it passes through NAT and flies to the public network. Then he arrives at the Cisco 1941, and goes the same way as on the Cisco 2851, only in the reverse order. Now it remains to configure the CSP VPN Gate 100: Now when you turn on the devices, OSPF will open the tunnels, exchange routes, and users of one network will be able to successfully reach users of another.

!
crypto isakmp identity hostname
ip host csp-c1941 10.0.0.10
hostname csp-nmervpn
!
!
crypto isakmp policy 100
hash sha
encr aes
authentication pre-share
group 2
!
crypto isakmp key dmvpn172 hostname csp-c1941
!
crypto ipsec transform-set ts_dmvpn172 esp-aes esp-sha-hmac
!
ip access-list extended acl_crypto
permit gre host 172.31.100.1 any
!
crypto dynamic-map dm_vpn 100
match address acl_crypto
set transform-set ts_dmvpn172
!
crypto map cm_vpn 100 ipsec-isakmp dynamic dm_vpn
!
interface FastEthernet0/0
ip address 172.31.0.2 255.255.255.0
crypto map cm_vpn
!
ip route 0.0.0.0 0.0.0.0 172.31.0.1
!






!---Создаем LoopBack через который будут строиться туннели
!
interface Loopback0
description -- router id
ip address 172.31.100.10 255.255.255.255
!
!---Создаем туннельный интерфейс
!
interface Tunnel0
description -- dmvpn spoke interface
bandwidth 10000
ip address 172.16.0.10 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn172
ip nhrp map 172.16.0.1 172.31.100.1
ip nhrp map multicast 172.31.100.1
ip nhrp network-id 172
ip nhrp nhs 172.16.0.1
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 100000
!
!---Поднимаем интерфейс до крипто-шлюза
!
interface Vlan2
description -- to S-Terra Gate100
ip address 172.31.10.1 255.255.255.0
ip nat inside
!
!---В порт 0/0/0 будет подключен VPN Gate 100
!
interface FastEthernet0/0/0
description -- to S-Terra Gate100
switchport access vlan 2
!
!---В остальные порты – локальная сеть
!
interface FastEthernet0/0/1
description -- local net
!
interface FastEthernet0/0/2
description -- local net
!
interface FastEthernet0/0/3
description -- local net
!
interface Vlan1
description -- to local net
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
!---Поднимаем OSPF внутри туннелей
!
router ospf 2
router-id 172.31.100.10
log-adjacency-changes
redistribute connected subnets route-map rm_conn_net
network 172.16.0.0 0.0.0.255 area 0
!
ip access-list extended acl_conn_net
remark -- redistribute networks to ospf
permit ip 192.168.10.0 0.0.0.255 any
permit ip host 172.31.100.10 any
!
route-map rm_conn_net permit 10
match ip address acl_conn_net
!
!---Пропускаем через NAT шифрованные пакеты
!
ip nat inside source static udp 172.31.10.2 500 10.0.0.10 500 extendable
ip nat inside source static udp 172.31.10.2 4500 10.0.0.10 4500 extendable
!




!
crypto isakmp identity hostname
ip host csp-nmervpn 10.0.0.1
hostname csp-c1941
!
crypto isakmp policy 100
hash sha
encr aes
authentication pre-share
group 2
!
crypto isakmp key dmvpn172 hostname csp-nmervpn
!
crypto ipsec transform-set ts_dmvpn172 esp-aes esp-sha-hmac
!
ip access-list extended acl_crypto
permit gre host 172.31.100.10 host 172.31.100.1
!
crypto map cm_vpn 100 ipsec-isakmp
match address acl_crypto
set transform-set ts_dmvpn172
set peer 10.0.0.1
!
interface FastEthernet0/1
description – to c1941-1
ip address 172.31.10.1 255.255.255.0
crypto map cm_vpn
!
ip route 0.0.0.0 0.0.0.0 172.31.10.1
!
crypto isakmp peer address 10.0.0.1
set aggressive-mode client-endpoint ipv4-address 10.0.0.1
!




Unfortunately, with this scheme, there is no way around the need for a small Hub setup when adding Spoke - therefore, the dmVPN's charm is somewhat lost. However, the scale of customization is much smaller compared to the classic Site-to-Site, and this is good news.

In conclusion, I would like to say that the cisco-like CLI S-Terra is just an interpreter of commands, which are then translated into commands for Linux installed on all their devices. The work of the interpreter is quite specific, however, the technical support of S-Terra is quite responsive and can help if something goes wrong.

In preparation, we used materials from cisco.com and s-terra.com, as well as correspondence with technical support from S-Terra.

Also popular now: