VPN full coverage

    Imagine your company is gaining momentum: sales are growing, branches are opening one after another, and those branches actively work with each other. That means you need to connect them all! Our equipment is Cisco routers, which, however, only affects the final configuration examples; if you don't have Cisco, I found the OpenNHRP project online.

    So, let's begin. First, we'll connect the head office with the first branch using IPsec.


    Let's define the addressing: the company's internal network is 10.0.0.0/8, the head office network is 10.0.0.0/24, and the first branch's network is 10.1.0.0/24. The head office router's external address is 172.16.0.2/30, and its default route points, accordingly, to 172.16.0.1. To tell the two sides apart more easily, we'll give the branch an "external" address of 192.168.45.14/30, and its gateway will be the only other usable address in that range, 192.168.45.13.

    Head Office Router:
    ! Define the ISAKMP policy. The important part is that authentication
    ! uses a pre-shared key.
    ! (AES with DH group 2 and SHA-1 is what this post used; on current IOS
    ! prefer a larger DH group and SHA-2 where the platform supports them.)
    !
    crypto isakmp policy 1
     encr aes
     authentication pre-share
     group 2
     lifetime 3600
    !
    ! Set the key for the branch router's address.
    !
    crypto isakmp key MEGAKEY123 address 192.168.45.14
    !
    crypto ipsec transform-set BIGCOMPANY-TRSET esp-aes esp-sha-hmac
    !
    crypto ipsec profile BIGCOMPANY-profile
     set transform-set BIGCOMPANY-TRSET
    !
    interface FastEthernet0/0
     ip address 172.16.0.2 255.255.255.252
    !
    ! Now create the interface that is the gateway to branch No. 1
    ! (a point-to-point IPsec VTI: tunnel mode ipsec ipv4, no GRE).
    !
    interface Tunnel1
     description Tunnel to branch No. 1 10.1.0.0/24
     ip address 10.55.0.1 255.255.255.252
     tunnel source FastEthernet0/0
     tunnel destination 192.168.45.14
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile BIGCOMPANY-profile
    !
    ip route 0.0.0.0 0.0.0.0 172.16.0.1
    ! And now push packets for the branch network into the other end of the tunnel.
    ip route 10.1.0.0 255.255.255.0 10.55.0.2
    


    The branch router is configured by analogy; what matters here is to look at the drawbacks of this approach. By our assumption the number of branches grows quickly, so for a full mesh you would configure two more tunnels when connecting the second branch, three when connecting the third, four for the fourth, and so on. Stop at, say, the twentieth and think about it: is this really how it should be?

    In such cases you need orders of magnitude more dynamism: routing protocols and a multipoint VPN, which together Cisco calls DMVPN, Dynamic Multipoint VPN. At the start of a deployment few people understand why they need OSPF and certificates: after all, adding an ip route 10.1.0.0 ... is much simpler, and bothering with certificates when you can just type a key at both ends looks perverse. But one key for all sites is unacceptable, and a separate key for every pair of sites is unrealistic to manage. So certificates will have to be mastered anyway.

    However, certificates in Cisco IPsec are beyond the scope of this post; here I will show what DMVPN is and why it is so remarkable.

    So, DMVPN is a combination of NHRP, a dynamic routing protocol (EIGRP, OSPF, BGP and others; you are not limited to one) and a multipoint GRE (mGRE) tunnel. DMVPN minimizes the configuration needed for each additional site, spokes can have dynamic addresses (the hub needs a static one, as it is the entry point), and tunnels between spokes are brought up automatically on demand.

    NHRP, the NBMA Next Hop Resolution Protocol, is used to resolve addresses in non-broadcast multi-access networks; in our case it finds the external (NBMA) address of the router a packet is destined for. Resolution is performed by a "hub", a server to which the "spokes" (the clients) register their own addresses and from which they request information about other spokes.

    I used DMVPN when VoIP was introduced in the company, so as not to haul voice traffic through the center. Say Vasya in Tomsk needs to call Petya in Krasnoyarsk: the tunnel between their routers is established dynamically. Each router has an IP address on a dedicated network (for example 10.0.1.0/24), and the routers register with the NHRP server at the center (10.0.1.1). When Tomsk needs to reach Krasnoyarsk, it looks at its routing table and sees that the route to that network goes via 10.0.1.7. Through NHRP the router learns that router's public IP address and can start establishing an IPsec tunnel. It doesn't sound very difficult, in my opinion.
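    The registration and resolution exchange described above, as an added example in Python; this is not code from the original post or from Cisco. It models a hub that keeps the registration cache and two spokes (Tomsk from the post, and Krasnoyarsk with a constructed NBMA address 198.51.100.7). The hub answering resolution requests from its own cache is a simplification of the real protocol, where the request is forwarded to the target spoke. It also shows what happens when a registration expires past the holdtime and when the authentication string does not match.

```python
"""Toy model of NHRP registration and resolution in a DMVPN cloud.

Added example, not code from the original post or from Cisco. Addresses
follow the post (hub 10.0.1.1 / 172.16.0.2, Tomsk spoke 10.0.1.2); the
Krasnoyarsk spoke's NBMA address 198.51.100.7 is constructed. Simplification:
the hub answers resolution requests from its own registration cache instead
of forwarding them to the target spoke.
"""
from dataclasses import dataclass, field
import ipaddress

NHRP_AUTH = "KUKU321"   # ip nhrp authentication: same string everywhere, carried in cleartext


@dataclass
class NhrpHub:
    """Next-hop server (the ip nhrp nhs target): keeps the registration cache."""
    tunnel_ip: str
    nbma_ip: str
    auth: str
    holdtime: int = 3600                        # ip nhrp holdtime
    cache: dict = field(default_factory=dict)   # tunnel_ip -> (nbma_ip, expiry)

    def registration_request(self, tunnel_ip, nbma_ip, auth, now):
        """Spoke -> hub: 'my tunnel address lives at this NBMA (WAN) address'."""
        if auth != self.auth:                   # authentication mismatch: dropped
            return False
        self.cache[tunnel_ip] = (nbma_ip, now + self.holdtime)
        return True

    def resolution_request(self, tunnel_ip, auth, now):
        """Spoke -> hub: 'which NBMA address is behind this tunnel address?'"""
        if auth != self.auth:
            return None
        entry = self.cache.get(tunnel_ip)
        if entry is None or entry[1] < now:     # unknown or expired registration
            return None
        return entry[0]


@dataclass
class NhrpSpoke:
    tunnel_ip: str
    nbma_ip: str
    nhs: NhrpHub
    routes: dict                                # prefix -> next-hop tunnel address (from OSPF)
    auth: str = NHRP_AUTH
    peers: set = field(default_factory=set)     # NBMA addresses we hold a GRE/IPsec tunnel to

    def register(self, now):
        # real spokes re-register every holdtime/3; here it is done once
        return self.nhs.registration_request(self.tunnel_ip, self.nbma_ip, self.auth, now)

    def next_hop_for(self, dst):
        """Longest-prefix match over the routing table; returns a tunnel address."""
        dst, best = ipaddress.ip_address(dst), None
        for prefix, nh in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]

    def send_to(self, dst, now):
        """Return the NBMA peer a packet to dst is tunnelled to, resolving via NHRP if needed."""
        nh = self.next_hop_for(dst)
        if nh is None:
            return None
        if nh == self.nhs.tunnel_ip:            # destination is behind the hub itself
            peer = self.nhs.nbma_ip
        else:
            peer = self.nhs.resolution_request(nh, self.auth, now)
            if peer is None:                    # could not resolve: fall back to the hub
                peer = self.nhs.nbma_ip
        self.peers.add(peer)                    # the direct spoke-to-spoke tunnel comes up here
        return peer


def demo(now=1_000_000.0):
    """Tomsk calls Krasnoyarsk: resolution, hub fallback, expiry and bad auth."""
    hub = NhrpHub("10.0.1.1", "172.16.0.2", NHRP_AUTH)
    routes = {"10.0.0.0/24": "10.0.1.1",        # head office, behind the hub
              "10.1.0.0/24": "10.0.1.2",        # Tomsk
              "10.7.0.0/24": "10.0.1.7"}        # Krasnoyarsk
    tomsk = NhrpSpoke("10.0.1.2", "192.168.45.14", hub, routes)
    krsk = NhrpSpoke("10.0.1.7", "198.51.100.7", hub, routes)
    tomsk.register(now)
    krsk.register(now)
    direct = tomsk.send_to("10.7.0.10", now)           # resolved: spoke-to-spoke
    via_hub = tomsk.send_to("10.0.0.5", now)           # head office: the hub itself
    stale = tomsk.send_to("10.7.0.10", now + 3601)     # registration expired: back via hub
    rejected = hub.registration_request("10.0.1.9", "203.0.113.9", "wrong", now)
    return direct, via_hub, stale, rejected


if __name__ == "__main__":
    print(demo())
```

    Note the asymmetry the post glosses over: the authentication string keeps a misconfigured spoke out of the cloud, but it travels in cleartext, so anyone who can read NHRP on the wire can reuse it. That is why tunnel protection underneath is not optional in practice.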

    We will use OSPF as the dynamic routing protocol, purely out of personal preference. It can easily be replaced with any other.

    The example uses one shared key for everyone. This must not be done in the real world; be sure to study the topic of certificates.

    Relevant configuration of the central (hub) router:
    crypto isakmp policy 1
     encr aes
     authentication pre-share
     group 2
     lifetime 3600
    !
    ! Set the key, one for all (wildcard peer address; see the warning above).
    !
    crypto isakmp key MEGAKEY123 address 0.0.0.0 0.0.0.0
    !
    crypto ipsec transform-set BIGCOMPANY-TRSET esp-aes esp-sha-hmac
    !
    crypto ipsec profile BIGCOMPANY-profile
     set transform-set BIGCOMPANY-TRSET
    !
    interface FastEthernet0/0
     description WAN interface
     ip address 172.16.0.2 255.255.255.252
    !
    interface Tunnel101
     ! the same /24 as the spokes (the original had /16 here, which breaks the OSPF adjacency)
     ip address 10.0.1.1 255.255.255.0
     no ip redirects
     ip mtu 1440
     ! NHRP authentication string: sent in cleartext, so it only keeps misconfigured
     ! peers out; it is not a security control
     ip nhrp authentication KUKU321
     ! learn the spokes' NBMA addresses from their registrations and replicate
     ! multicast (OSPF hellos) to them
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp holdtime 3600
     ip nhrp cache non-authoritative
     ip tcp adjust-mss 1360
     no ip mroute-cache
     ! OSPF broadcast network type: the hub must be DR (priority > 0), spokes never (priority 0)
     ip ospf network broadcast
     ip ospf hello-interval 30
     ip ospf priority 2
     delay 1000
     ! the source is the WAN interface the spokes map 10.0.1.1 to (the original said Vlan1)
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     ! the GRE tunnel key is numeric in IOS and must match on every spoke
     tunnel key 10001
     ! the profile is BIGCOMPANY-profile; BIGCOMPANY-TRSET is the transform set
     tunnel protection ipsec profile BIGCOMPANY-profile
    !
    ! OSPF process for the tunnel and head-office networks (not in the original
    ! excerpt; added here because the routing described needs it)
    router ospf 1
     network 10.0.0.0 0.0.0.255 area 0
     network 10.0.1.0 0.0.0.255 area 0
    !
    ip route 0.0.0.0 0.0.0.0 172.16.0.1
    !
    


    Branch (spoke) router. The crypto isakmp policy, key, transform set and IPsec profile are the same as on the hub and are not repeated here:
    interface FastEthernet0/0
     description WAN interface
     ip address 192.168.45.14 255.255.255.252
    !
    interface Tunnel7
     ip address 10.0.1.2 255.255.255.0
     no ip redirects
     ! must match the hub's ip mtu: OSPF compares the interface MTU in database
     ! description packets and a mismatch leaves the adjacency stuck (not in the original)
     ip mtu 1440
     ip nhrp authentication KUKU321
     ip nhrp map multicast dynamic
     ! static mappings for the hub: its tunnel address and multicast go to its WAN address
     ip nhrp map multicast 172.16.0.2
     ip nhrp map 10.0.1.1 172.16.0.2
     ip nhrp network-id 1
     ip nhrp holdtime 3600
     ! the next-hop server: the hub's tunnel address
     ip nhrp nhs 10.0.1.1
     no ip route-cache cef
     no ip route-cache
     ip tcp adjust-mss 1360
     no ip mroute-cache
     ip ospf network broadcast
     ip ospf hello-interval 30
     ! priority 0: a spoke must never become DR/BDR
     ip ospf priority 0
     delay 1000
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     ! must match the hub's numeric tunnel key
     tunnel key 10001
     tunnel protection ipsec profile BIGCOMPANY-profile
    !
    ! OSPF process advertising the branch LAN (10.1.0.0/24 as in the first
    ! section; not in the original excerpt)
    router ospf 1
     network 10.0.1.0 0.0.0.255 area 0
     network 10.1.0.0 0.0.0.255 area 0
    !
    ip route 0.0.0.0 0.0.0.0 192.168.45.13
    


    As you can see, the main settings are on the Tunnel7 tunnel interface. The first block is the NHRP settings.
    The ip nhrp map commands define the address resolution. Here we set the correspondence between the NHRP server's internal (tunnel) address and its WAN address: ip nhrp map 10.0.1.1 172.16.0.2. By analogy, all multicast traffic (the OSPF hellos) is sent there as well. And ip nhrp nhs sets the server's address. Keep in mind that the ip nhrp authentication string is transmitted in cleartext and only keeps misconfigured peers out; it is not a security control, and the same goes for the GRE tunnel key.
    Note that all DMVPN tunnel interfaces take addresses from the same subnet (10.0.1.0/24 here), and that the network-id, tunnel key and subnet mask must match on the hub and the spokes.
    The ip ospf commands set the dynamic routing parameters on the interface. They could be ip eigrp commands if you prefer.
    Finally, tunnel protection ipsec profile BIGCOMPANY-profile turns on encryption. Formally this step is optional, but without it GRE, NHRP and the routing protocol all cross the Internet in cleartext, so in practice it is not.
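    Because the hub and spoke configurations must agree on several parameters, the consistency check is worth scripting. The following Python is an added example, not from the post or from Cisco: it parses trimmed copies of the post's hub and spoke configs with the post's own mistakes left in (the transform set named where the IPsec profile belongs, a non-numeric tunnel key, a /16 on the hub against a /24 on the spoke, a tunnel source interface that has no address, and the wildcard pre-shared key), reports them, and returns a corrected pair that passes. The check names, the corrections and the spoke's added crypto profile line are this example's assumptions.

```python
"""Consistency checks for a DMVPN hub/spoke pair of IOS configs. Added example,
not code from the original post or from Cisco; HUB_CFG and SPOKE_CFG are trimmed
copies of the post's configs with its mistakes left in (the spoke's crypto
profile line is added so both sides can be checked)."""

HUB_CFG = """\
crypto isakmp key MEGAKEY123 address 0.0.0.0 0.0.0.0
crypto ipsec profile BIGCOMPANY-profile
interface FastEthernet0/0
 ip address 172.16.0.2 255.255.255.252
interface Tunnel101
 ip address 10.0.1.1 255.255.0.0
 ip nhrp authentication KUKU321
 ip nhrp network-id 1
 tunnel source Vlan1
 tunnel mode gre multipoint
 tunnel key KUKU
 tunnel protection ipsec profile BIGCOMPANY-TRSET
"""
SPOKE_CFG = """\
crypto ipsec profile BIGCOMPANY-profile
interface FastEthernet0/0
 ip address 192.168.45.14 255.255.255.252
interface Tunnel7
 ip address 10.0.1.2 255.255.255.0
 ip nhrp authentication KUKU321
 ip nhrp map 10.0.1.1 172.16.0.2
 ip nhrp network-id 1
 ip nhrp nhs 10.0.1.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key KUKU
 tunnel protection ipsec profile BIGCOMPANY-TRSET
"""
# corrections this example applies; each one maps to a finding from lint_dmvpn()
FIXES = (("tunnel key KUKU", "tunnel key 10001"),
         ("ipsec profile BIGCOMPANY-TRSET", "ipsec profile BIGCOMPANY-profile"),
         ("tunnel source Vlan1", "tunnel source FastEthernet0/0"),
         ("10.0.1.1 255.255.0.0", "10.0.1.1 255.255.255.0"),
         ("address 0.0.0.0 0.0.0.0", "address 192.168.45.14"))


def parse_ios(text):
    """Split an IOS config into top-level lines and {header: [sub-commands]} blocks."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return top, blocks


def sub(cmds, prefix):
    """Argument of the first sub-command starting with prefix, or None."""
    return next((c[len(prefix):].strip() for c in cmds if c.startswith(prefix)), None)


def lint_dmvpn(hub_text, spoke_text):
    """Return sorted findings; an empty list means the pair is consistent."""
    out, tun = [], {}
    for role, text in (("hub", hub_text), ("spoke", spoke_text)):
        top, blocks = parse_ios(text)
        name, cmds = next((h.split()[1], c) for h, c in blocks.items()
                          if h.startswith("interface Tunnel"))
        tun[role] = cmds
        profiles = {h.split()[-1] for h in blocks if h.startswith("crypto ipsec profile ")}
        prof = sub(cmds, "tunnel protection ipsec profile ")
        if prof is None:
            out.append(f"{role} {name}: no tunnel protection, GRE and NHRP travel in cleartext")
        elif prof.split()[0] not in profiles:
            out.append(f"{role} {name}: ipsec profile {prof.split()[0]} is not defined")
        key = sub(cmds, "tunnel key ")
        if key is not None and not key.isdigit():   # IOS: tunnel key <0-4294967295>
            out.append(f"{role} {name}: tunnel key {key} must be numeric")
        src = sub(cmds, "tunnel source ")
        if src and sub(blocks.get(f"interface {src}", []), "ip address ") is None:
            out.append(f"{role} {name}: tunnel source {src} has no ip address")
        if any(t.startswith("crypto isakmp key ") and t.endswith("address 0.0.0.0 0.0.0.0")
               for t in top):
            out.append(f"{role}: wildcard pre-shared key, one key for every peer")
    # hub and spokes must agree on the NHRP cloud parameters and the tunnel subnet
    for attr in ("ip nhrp network-id ", "tunnel key ", "ip nhrp authentication "):
        if sub(tun["hub"], attr) != sub(tun["spoke"], attr):
            out.append(f"{attr.strip()} differs between hub and spoke")
    hub_mask = sub(tun["hub"], "ip address ").split()[1]
    spoke_mask = sub(tun["spoke"], "ip address ").split()[1]
    if hub_mask != spoke_mask:
        out.append(f"tunnel subnet mask differs: hub {hub_mask}, spoke {spoke_mask}")
    return sorted(out)


def fixed_configs():
    """The same pair with FIXES applied; lint_dmvpn() on it returns []."""
    def fix(text):
        for old, new in FIXES:
            text = text.replace(old, new)
        return text
    return fix(HUB_CFG), fix(SPOKE_CFG)
```

    Run lint_dmvpn(HUB_CFG, SPOKE_CFG) to see every finding for the post's version, and lint_dmvpn(*fixed_configs()) to confirm the corrected pair is clean. The wildcard-key finding is deliberately reported alongside the outright errors: the post itself says one key for all sites is unacceptable, and a check that fails the build on it is the cheapest way to enforce that.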

    What is shown here is the spoke-to-spoke option, a direct connection between DMVPN clients. There is also a hub-and-spoke option, where the clients talk only to the center.

    I hope that someone faced with explosive business growth will, having read this post, know what to do. The settings given here are only an example; don't use the article as a HOW-TO, read cisco.com.

    I can add that setting up a router took us no more than half an hour: generating a certificate, uploading it to the router, generating the config (a simple bash script), editing the config file, and packing it in a box.

    Further reading is on the official website. From the document you download there, it is clear that the possibilities of using DMVPN are somewhat wider than presented here.
