KB ID 0000956
Problem
Just recently I covered DMVPN, which is a great scalable system for adding new sites to your network infrastructure and letting them join an existing VPN solution without the need to add extra config at the ‘hub’ site.
One of the advantages of DMVPN is that it maintains VPN connections from your ‘Spoke’ sites back to the ‘Hub’ site, and if a spoke site needs to speak to another spoke site, it dynamically builds a VPN tunnel to that spoke.
That’s great, right? Well, it’s pretty cool, but there is a downside: there is a slight ‘lag’ while that dynamic VPN is established. For normal network traffic you probably won’t even notice, but if you are sending streaming media or voice traffic it becomes more of a problem.
So if we had a system where all the routers have the same settings, the hub router wouldn’t need to ‘broker’ the initial connection, and the routers could get all their VPN settings from a central ‘Server’. That’s what GDOI gives us: we set up a router as a central ‘Key Server’, and all the other GDOI ‘Group Members’ register with the key server and get all their settings from it.
So I’ll use the same network that I built the DMVPN on; I’ve added another router that will be the ‘Key Server’, but other than that the topology is the same.
Note: The GDOI Key Server cannot run on the DMVPN hub router.
Solution
GDOI Key Server Setup
1. First, set up the requirements for ISAKMP phase 1. Note: here I’m using pre-shared keys; this does not scale well if you have a lot of sites, so you might want to look at a PKI solution and use certificates instead.
[box]
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0

EXAMPLE

KS#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
KS(config)#crypto isakmp policy 10
KS(config-isakmp)#encr aes
KS(config-isakmp)#authentication pre-share
KS(config-isakmp)#group 2
KS(config-isakmp)#crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
KS(config)#
[/box]
2. Then set up the IPSEC phase 2 requirements, with a transform-set and a profile.
[box]
crypto ipsec transform-set TS-GDOI esp-aes esp-sha-hmac
crypto ipsec profile PF-GDOI
 set transform-set TS-GDOI

EXAMPLE

KS(config)#crypto ipsec transform-set TS-GDOI esp-aes esp-sha-hmac
KS(cfg-crypto-trans)#crypto ipsec profile PF-GDOI
KS(ipsec-profile)#set transform-set TS-GDOI
KS(ipsec-profile)#
[/box]
3. The key server will use its certificate for authentication. If you DO have a PKI solution and this router has already enrolled to it, you can skip this step. If not, you need to generate a LOCAL RSA key pair on the key server (this is the key the key server uses to authenticate its rekeys). (Note: This requires the device to have a hostname and domain name set.)
[box]
ip domain-name testbench.local
crypto key generate rsa modulus 2048

EXAMPLE

KS(config)#ip domain-name testbench.local
KS(config)#crypto key generate rsa modulus 2048
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
*Mar 1 00:17:13.591: %SSH-5-ENABLED: SSH 1.99 has been enabled
KS(config)#
[/box]
4. To set up the key server, create a group (GDOI-DMVPN) and give it an identity number; all members of the group will share this number. It uses the profile we created above, and will apply encryption based on ACL 123 (which we will create in a minute). Finally it sets the IP address that will be used as the key server’s address (this is the IP in use on FastEthernet 0/0).
[box]
crypto gdoi group GDOI-DMVPN
 identity number 999
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa rsa
  rekey transport unicast
  sa ipsec 10
   profile PF-GDOI
   match address ipv4 123
   replay counter window-size 64
  address ipv4 5.5.5.2

EXAMPLE

KS(config)#crypto gdoi group GDOI-DMVPN
KS(config-gdoi-group)#identity number 999
KS(config-gdoi-group)#server local
KS(gdoi-local-server)# rekey retransmit 10 number 2
KS(gdoi-local-server)# rekey authentication mypubkey rsa rsa
KS(gdoi-local-server)# rekey transport unicast
KS(gdoi-local-server)# sa ipsec 10
KS(gdoi-sa-ipsec)# profile PF-GDOI
KS(gdoi-sa-ipsec)# match address ipv4 123
KS(gdoi-sa-ipsec)# replay counter window-size 64
KS(gdoi-sa-ipsec)# address ipv4 5.5.5.2
KS(gdoi-local-server)#
[/box]
5. Create the ACL we specified above. This ACL will get downloaded to all the group members, as will the VPN profile; they will then apply that profile to traffic defined in the ACL. It’s an ‘interesting traffic’ ACL (if you are used to working with VPNs).
[box]
access-list 123 permit gre any any
EXAMPLE
KS(config)#access-list 123 permit gre any any
KS(config)#
[/box]
Setup GDOI Group Members
Note: These settings are the same for the DMVPN hub router and all the spoke routers.
6. As above, we specify a matching phase 1 policy.
[box]
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0

EXAMPLE

Branch1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Branch1(config)#crypto isakmp policy 10
Branch1(config-isakmp)#encr aes
Branch1(config-isakmp)#authentication pre-share
Branch1(config-isakmp)#group 2
Branch1(config-isakmp)#crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
Branch1(config)#
[/box]
7. Then join the router to the GDOI group.
[box]
crypto gdoi group GDOI-DMVPN
 identity number 999
 server address ipv4 5.5.5.2

EXAMPLE

Branch1(config)#crypto gdoi group GDOI-DMVPN
Branch1(config-gdoi-group)#identity number 999
Branch1(config-gdoi-group)#server address ipv4 5.5.5.2
Branch1(config-gdoi-group)#exit
[/box]
8. Then use that group to create a ‘crypto map’, and apply that map to the public interface that ‘faces outwards’. Note: Normally when applying encryption to DMVPN you would apply your crypto to the tunnel interface; with GDOI you do NOT.
[box]
crypto map CM-GDOI 10 gdoi
 set group GDOI-DMVPN
interface FastEthernet0/0
 crypto map CM-GDOI

EXAMPLE

Branch1(config)#crypto map CM-GDOI 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid group has been configured.
Branch1(config-crypto-map)#set group GDOI-DMVPN
Branch1(config-crypto-map)#interface FastEthernet0/0
Branch1(config-if)#crypto map CM-GDOI
*Mar 1 05:11:31.546: %CRYPTO-5-GM_REGSTER: Start registration to KS 5.5.5.2 for group GDOI-DMVPN using address 2.2.2.1
*Mar 1 05:11:31.582: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
[/box]
9. Now I could add a route to my DMVPN network with a static statement (i.e. ip route 192.168.0.0 255.255.0.0 Tunnel0), but I’m using EIGRP anyway, so I can just advertise the DMVPN network into my EIGRP group.
[box]
router eigrp 20
 network 192.168.0.0

EXAMPLE

Branch1(config)#router eigrp 20
Branch1(config-router)#network 192.168.0.0
Branch1(config-router)#exit
Branch1(config)#
[/box]
Testing GDOI
[box]
Branch1#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: port 848
  IKE SA: local 2.2.2.1/848 remote 5.5.5.2/848 Active
  IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

Branch1#
Branch1#show crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-DMVPN
    Group Identity           : 999
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 5.5.5.2
    Group Server list        : 5.5.5.2

    GM Reregisters in        : 2042 secs
    Rekey Received           : never

    Rekeys received
         Cumulative          : 0
         After registration  : 0

 ACL Downloaded From KS 5.5.5.2:
   access-list  permit gre any any

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0:
    IPsec SA:
        spi: 0x93842CD3(2474912979)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (2197)
        Anti-Replay : Disabled
[/box]
Complete GDOI with DMVPN Configs
Below I’ll show the complete configs, with the GDOI config highlighted in red and the DMVPN config highlighted in blue.
GDOI Key Server Config
[box]
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname KS
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-GDOI esp-aes esp-sha-hmac
!
crypto ipsec profile PF-GDOI
 set transform-set TS-GDOI
!
crypto gdoi group GDOI-DMVPN
 identity number 999
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa rsa
  rekey transport unicast
  sa ipsec 10
   profile PF-GDOI
   match address ipv4 123
   replay counter window-size 64
  address ipv4 5.5.5.2
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
 ip address 5.5.5.2 255.255.255.252
 speed auto
 half-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 20
 network 5.5.5.0 0.0.0.3
 no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
access-list 123 permit gre any any
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
[/box]
DMVPN Hub Server Config
[box]
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MainSiteRTR
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
!
crypto gdoi group GDOI-DMVPN
 identity number 999
 server address ipv4 5.5.5.2
!
crypto map CM-GDOI 10 gdoi
 set group GDOI-DMVPN
!
ip tcp synwait-time 5
!
interface Tunnel0
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 1.1.1.1
 tunnel mode gre multipoint
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.252
 duplex auto
 speed auto
 crypto map CM-GDOI
!
interface FastEthernet1/0
 ip address 5.5.5.1 255.255.255.252
 duplex auto
 speed auto
!
router eigrp 20
 network 1.1.1.0 0.0.0.3
 network 5.5.5.0 0.0.0.3
 network 172.16.1.0 0.0.0.255
 network 192.168.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
[/box]
Branch (Spoke) Routers
[box]
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Branch1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
!
crypto gdoi group GDOI-DMVPN
 identity number 999
 server address ipv4 5.5.5.2
!
crypto map CM-GDOI 10 gdoi
 set group GDOI-DMVPN
!
ip tcp synwait-time 5
!
interface Tunnel0
 ip address 192.168.0.2 255.255.255.0
 no ip redirects
 ip nhrp map 192.168.0.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.0.1
 tunnel source 2.2.2.1
 tunnel mode gre multipoint
!
interface FastEthernet0/0
 ip address 2.2.2.1 255.255.255.252
 duplex auto
 speed auto
 crypto map CM-GDOI
!
interface FastEthernet0/1
 ip address 172.17.1.1 255.255.0.0
 duplex auto
 speed auto
!
router eigrp 20
 network 2.2.2.0 0.0.0.3
 network 172.17.0.0
 network 192.168.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
[/box]
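An added sanity check (my own Python, not part of the article or a Cisco tool) that runs over constructed, abbreviated copies of the key server and Branch1 configs above and flags the mistakes the article warns about: a group member whose identity number or server address does not match the key server, a crypto map left on Tunnel0 instead of the physical interface, and a key server that is also carrying DMVPN (NHRP) config.

```python
import re
# Constructed, abbreviated KS and Branch1 (GM) configs from this article; only the lines the checks read are kept.
KS_CONFIG = """\
crypto gdoi group GDOI-DMVPN
 identity number 999
 server local
  address ipv4 5.5.5.2
"""
GM_CONFIG = """\
crypto gdoi group GDOI-DMVPN
 identity number 999
 server address ipv4 5.5.5.2
crypto map CM-GDOI 10 gdoi
 set group GDOI-DMVPN
interface Tunnel0
 ip nhrp nhs 192.168.0.1
interface FastEthernet0/0
 ip address 2.2.2.1 255.255.255.252
 crypto map CM-GDOI
"""

def _first(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def crypto_map_interfaces(config):
    """Interfaces carrying a 'crypto map' line (IOS interface blocks start unindented)."""
    found, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.strip().startswith("crypto map ") and current:
            found.append(current)
    return found

def check_gm_against_ks(ks, gm):
    """Return findings; an empty list means the GM config is consistent with the KS."""
    findings = []
    if _first(r"^\s*identity number (\d+)", ks) != _first(r"^\s*identity number (\d+)", gm):
        findings.append("identity number differs between KS and GM")
    ks_addr = _first(r"^\s*address ipv4 (\S+)", ks)  # the KS 'address ipv4' under 'server local'
    if _first(r"^\s*server address ipv4 (\S+)", gm) != ks_addr:
        findings.append("GM 'server address' does not match the KS address")
    if re.search(r"^\s*ip nhrp ", ks, re.M):
        findings.append("KS carries NHRP config; the KS cannot be the DMVPN hub")
    ifaces = crypto_map_interfaces(gm)
    if not ifaces:
        findings.append("crypto map is not applied to any GM interface")
    findings += [f"crypto map on {i}; with GDOI it belongs on the physical interface"
                 for i in ifaces if i.startswith("Tunnel")]
    return findings
```

Feed it `show running-config` output from the key server and each group member; an empty list means the member matches the key server on the points above.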
Related Articles, References, Credits, or External Links
Cisco – Configuring Dynamic Multipoint Virtual Private Networks DMVPN