Thursday, September 28, 2023

Dynamic Multipoint VPN

markoer
http://www.linkedin.com/in/marcoermini
Thirty-three years old, IT technician, ten years a professional in the ICT world, holds various certifications; in the Cisco world he has been a CCNA since December. He works with Unix, Cisco and Oracle for one of the largest telcos in Düsseldorf (Germany) as deployment leader and security manager. He is generally enthusiastic about sharing his knowledge and his view of the world with other technicians.

SNRS – Dynamic Multipoint VPN (DMVPN)

Solution

  • Uses hub-and-spoke design
  • Supports redundancy
  • Does not use crypto maps
  • Multipoint GRE tunnel interfaces
  • Spokes connect to the HUB and never vice versa
  • Multiple or single topology
    • Single topology: only one subnet on the HUB side
    • Multiple topology: multiple subnets on the HUB side

Components

  • Multipoint GRE (mGRE) tunnel interface
  • Next Hop Resolution Protocol (NHRP)
    • 20 years old, originally designed for ATM/X.25 tunnels
    • Before sending a packet, the spoke sends an NHRP query to the HUB, which acts as the NHRP server (next-hop server)
    • The server answers with the real (public) IP address of the next hop and advertises the destination network
    • If the destination is not the HUB router, the spoke sets up an IPSec tunnel directly to the remote spoke (when using mGRE), bypassing the HUB router
    • Spoke-to-spoke tunnels are automatically removed if idle for a certain time
  • IPSec profiles
    • Replace static crypto maps, but still need a transform set
    rt(config)# crypto isakmp policy priority_#
    rt(config-isakmp)# authentication rsa-sig|rsa-encr|pre-share
    rt(config-isakmp)# encryption des|3des|aes|aes 192|aes 256
    rt(config-isakmp)# group 1|2|5
    rt(config-isakmp)# hash md5|sha
    rt(config-isakmp)# lifetime #_of_seconds
    rt(config-isakmp)# exit
    rt(config)# crypto isakmp key key address 0.0.0.0 0.0.0.0

    rt(config)# crypto ipsec transform-set tsname ts_1 [ts2 [ts3]]
    rt(cfg-crypto-trans)# mode tunnel

  • Profile instead of map
    rt(config)# crypto ipsec profile profile_name
    rt(ipsec-profile)# set transform-set tsname [tsname2 [tsname3]]
    rt(ipsec-profile)# set pfs group1|group2|group5
    rt(ipsec-profile)# set security-association lifetime …
    
  • Configuration

    • HUB configuration
      rt(config)# interface tunnel int_#
      rt(config-if)# ip address ip_addr
      rt(config-if)# ip mtu 1416
      rt(config-if)# ip nhrp authentication key
      rt(config-if)# ip nhrp map multicast dynamic   ! needed for routing protocols (multicast hellos to spokes)
      rt(config-if)# ip nhrp network-id id#
      rt(config-if)# ip nhrp holdtime seconds
      rt(config-if)# tunnel source public_int_name
      rt(config-if)# tunnel key key_#
      rt(config-if)# tunnel mode gre multipoint
      rt(config-if)# tunnel protection ipsec profile profile

    • Spoke configuration
      rt(config)# interface tunnel int_#
      rt(config-if)# ip address ip_addr
      rt(config-if)# ip mtu 1416
      rt(config-if)# ip nhrp authentication key
      rt(config-if)# ip nhrp map HUB_tunnel_IP HUB_public_IP
      rt(config-if)# ip nhrp map multicast HUB_public_IP
      rt(config-if)# ip nhrp nhs HUB_tunnel_IP
      rt(config-if)# ip nhrp network-id id#
      rt(config-if)# ip nhrp holdtime seconds
      rt(config-if)# tunnel source public_int_name
      rt(config-if)# tunnel key key_#
      rt(config-if)# tunnel mode gre multipoint
      rt(config-if)# tunnel protection ipsec profile profile

    • Routing considerations
      • Disable split horizon for EIGRP on the HUB tunnel interface: no ip split-horizon eigrp as_#
      • no ip next-hop-self eigrp as_# on the HUB tunnel interface, so spokes learn the other spoke as next hop
      • eigrp stub connected on the spokes
      • on OSPF, set the bandwidth parameter on the tunnel interface – it does not affect functionality but may help limit fragmentation and improve performance
      • on OSPF, the HUB needs the OSPF network type set to broadcast on the tunnel interface
