Note: Full working solution is located at the end of the document.
Change was in the air, and Bob knew it. Bob had simply been ignoring the fact that the existing IPsec site-to-site tunnels he had inherited at his company were old school, and that there were better options, especially when plans included bringing up dozens of new sites. Since his company was going to be purchasing MPLS services, Bob was open to learning better ways of implementing secure tunnels. In Bob’s studies, he read an article written by Petr Lapukhov on DMVPN and was very interested. Bob’s glee was short lived when he learned that when the spokes of a DMVPN had to build tunnels to other spokes, the setup was not quick enough for voice traffic. Bob learned that the latency comes from negotiating the IKE phase 1 and phase 2 (IPsec) security associations between the spokes before the first spoke-to-spoke packet can be encrypted. Then Bob chanced upon one of Anthony Sequeira’s blog posts regarding GET VPN, and learned that with GET (Group Encrypted Transport) a key server hands the same group keys to every member, so there is no need to build pairwise tunnels between spokes, and therefore less latency. This would solve the latency issue for time-sensitive traffic and still have the benefits of encryption! It sounded almost too good to be true.
Eagerly, Bob set up four routers to test DMVPN for the dynamic GRE tunnels, with GET VPN providing the encryption services.
Bob’s heart beat a little faster as he thought about the layout of the test: R1 would be the GET VPN key server, the CA and the NTP server. R2 would be the DMVPN hub, with R3 and R4 as spokes. On the GET VPN side of the house, R2, R3 and R4 would all be GET VPN group members, so no IPsec profiles would be required on the GRE tunnel interfaces; the GDOI crypto map on each router’s Fa0/0 would encrypt the GRE traffic between them.

Bob's test bed for DMVPN/GET VPN
Bob put the configuration he planned to use into his favorite configuration editor (Notepad), and realized that when he eventually pasted it into the routers he might have to intervene at times to supply manual input for certificate-related tasks (the CA authentication and enrollment prompts), and he was fine with that. Bob also remembered that when using digital certificates it is best to let the routers’ clocks synchronize with NTP first, since certificate validity is checked against the local clock.
All the switchports used by Fa0/0 on R1 through R4 were set up correctly as access ports in the same VLAN. Bob verified that no Layer 1 or Layer 2 problems were standing between him and success.
In contrast to his anticipation of building the “perfect” new solution for his company, Bob had a sneaking suspicion that something in his proposed configuration wasn’t quite right, or that something was missing. Below is the proposed configuration:
R1 Key, NTP and CA Server
enable
conf t
hostname R1
ip domain-name INE.com
no ip domain-lookup
line con 0
no exec-time
logging sync
privi level 15
exit
int fa 0/0
no shut
ip address 10.0.0.1 255.255.255.0
int loop 0
ip address 1.1.1.1 255.255.255.0
exit
ntp master 2
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
clock timezone PST -8
clock summer-time PDT recurring
crypto key generate rsa general-keys modulus 1024
ip http server
crypto pki server R1-CA_Server
database url nvram:
database level minimum
grant auto
no shutdown
exit
crypto isakmp policy 1
auth rsa-sig
exit
crypto ipsec transform-set TSET esp-aes esp-sha
mode transport
exit
crypto ipsec profile GDOI-PROF
set transform-set TSET
exit
crypto gdoi group group1
identity number 1
server local
address ipv4 10.0.0.1
rekey authentication mypubkey rsa R1.INE.com
rekey transport unicast
sa ipsec 1
profile GDOI-PROF
match address ipv4 100
exit
exit
access-list 100 permit gre 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
R2 DMVPN HUB
enable
conf t
hostname R2
ip domain-name INE.com
no ip domain-lookup
line con 0
no exec-time
logging sync
privi level 15
exit
int fa 0/0
no shut
ip address 10.0.0.2 255.255.255.0
int loop 0
ip address 2.2.2.2 255.255.255.0
exit
clock timezone PST -8
clock summer-time PDT recurring
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
ntp server 10.0.0.1 key 1
ip domain-name INE.com
crypto key generate rsa general-keys modulus 1024
crypto isakmp policy 1
auth rsa-sig
exit
interface Tunnel0
bandwidth 1000
delay 1000
ip address 172.168.0.2 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 2210
ip nhrp holdtime 360
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
tunnel source Fa0/0
tunnel mode gre multipoint
tunnel key 6738
exit
router eigrp 1
network 172.16.0.0 0.0.255.255
network 2.2.2.2 0.0.0.0
no auto-summary
exit
crypto pki trustpoint R1-CA
enrollment url http://10.0.0.1:80
revocation-check none
exit
cry pki authenticate R1-CA
crypto pki enroll R1-CA
crypto gdoi group group1
identity number 1
server address ipv4 10.0.0.1
exit
crypto map map-group1 10 gdoi
set group group1
interface FastEthernet0/0
crypto map map-group1
end
R3 DMVPN Spoke
enable
conf t
hostname R3
ip domain-name INE.com
no ip domain-lookup
line con 0
no exec-time
logging sync
privi level 15
exit
int fa 0/0
no shut
ip address 10.0.0.3 255.255.255.0
int loop 0
ip address 3.3.3.3 255.255.255.0
exit
clock timezone PST -8
clock summer-time PDT recurring
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
ntp server 10.0.0.1 key 1
ip domain-name INE.com
crypto key generate rsa general-keys modulus 1024
crypto isakmp policy 1
auth rsa-sig
exit
interface Tunnel0
bandwidth 1000
delay 1000
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast 10.0.0.2
ip nhrp map 10.0.0.2 172.16.0.2
ip nhrp network-id 2210
ip nhrp holdtime 360
ip nhrp nhs 172.16.0.2
ip tcp adjust-mss 1360
tunnel source FA0/0
tunnel mode gre multipoint
tunnel key 6783
exit
router eigrp 1
network 172.16.0.0 0.0.255.255
network 3.3.3.3 0.0.0.0
no auto-summary
exit
crypto pki trustpoint R1-CA
enrollment url http://10.0.0.1:80
revocation-check none
exit
cry pki authenticate R1-CA
crypto pki enroll R1-CA
crypto gdoi group group1
identity number 1
server address ipv4 10.0.0.1
exit
crypto map map-group1 10 gdoi
set group group1
interface FastEthernet0/0
crypto map map-group1
end
R4 Spoke
enable
conf t
hostname R4
ip domain-name INE.com
no ip domain-lookup
line con 0
no exec-time
logging sync
privi level 15
exit
int fa 0/0
no shut
ip address 10.0.0.4 255.255.255.0
int loop 0
ip address 4.4.4.4 255.255.255.0
exit
clock timezone PST -8
clock summer-time PDT recurring
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
ntp server 10.0.0.1 key 1
ip domain-name INE.com
crypto key generate rsa general-keys modulus 1024
crypto isakmp policy 1
auth rsa-sig
exit
interface Tunnel0
bandwidth 1000
delay 1000
ip address 172.16.0.4 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast 10.0.0.2
ip nhrp map 10.0.0.2 172.16.0.2
ip nhrp network-id 2210
ip nhrp holdtime 360
ip nhrp nhs 172.16.0.2
ip tcp adjust-mss 1360
tunnel source FA0/0
tunnel mode gre multipoint
tunnel key 6783
exit
router eigrp 1
network 172.16.0.0 0.0.255.255
network 4.4.4.4 0.0.0.0
no auto-summary
exit
crypto pki trustpoint R1-CA
enrollment url http://10.0.0.1:80
revocation-check none
exit
cry pki authenticate R1-CA
crypto pki enroll R1-CA
crypto gdoi group group1
identity number 1
server address ipv4 10.0.0.1
exit
crypto map map-group1 10 gdoi
set group group1
interface FastEthernet0/0
crypto map map-group1
end
Your mission, should you choose to accept it, (feel free to hum the tune of mission impossible), is to find the errors regarding this configuration.
Hint: there are four specific configuration-related issues in the proposed configuration.
Will you assist Bob in creating a working DMVPN/GET VPN solution?
PS Bob passes on his appreciation for all the help he has received from you in the past! The solutions you provided worked like a charm, and Bob is being treated like a Network Rock Star by his manager. Keep up the great work!
About Keith Barker, CCIE #6783:
Keith Barker excelled as a Network Engineer beginning in 1986 with EDS. Before opting for a career in IT education, Keith’s practical experience culminated in the position of IT Manager for Paramount Pictures. Once he joined the field of IT education, Keith became a top-rated Microsoft and Cisco Certified Instructor. Keith Barker, along with Jeremy Cioara and Anthony Sequeira, helped make KnowledgeNet the most respected online IT training organization of its time. You will find Keith Barker in Live Classroom, Live Online, and Self-Paced Route/Switch and Security classes here at INE.
24 Responses to “Bob is back. DMVPN/GET VPN assistance needed!”

The tunnel interface on the DMVPN hub is configured incorrectly.
There is no tunnel protection configured on the DMVPN hub and the spokes. No IPsec profile is defined either.
access-list 100 permit gre 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255 -> on the GET VPN GCKS this needs to be changed to permit IP traffic.
DMVPN Related
=============
1) On R2 tunnel interface
change IP from 172.168.0.2 to 172.16.0.2
2) On R2 tunnel interface
change tunnel key from 6738 to 6783
3) On R3 and R4 tunnel interfaces change nhrp mapping
FROM
ip nhrp map 10.0.0.2 172.16.0.2
TO
ip nhrp map 172.16.0.2 10.0.0.2
GETVPN Related
==============
1) Because the ISAKMP policy authentication method is based on rsa-sig,
R1 should enroll for a certificate from the CA server (which is itself):
crypto pki trustpoint R1-CA
enrollment url http://10.0.0.1:80
revocation-check none
cry pki authenticate R1-CA
crypto pki enroll R1-CA
Howdy,
1 – Tunnel keys do not match on DMVPN routers
2 – Looks like a typo on R2 Tun0 IP address 172.168 instead of 172.16
3 – NHRP mappings swapped on the spokes, they have the NBMA first then TUN IPs, should be swapped so TUN is first.
4 – ACL100 says GRE for 10.0.0.0/24, this should be the 172.16 network instead right?
Should R3 and R4 have tunnel key 6738, not 6783 ?
Good Day,
1. R2 – Wrong IP address on the Tunnel0 interface
2. R1 – Lack of a CA trustpoint for the identity certificate
3. R3 and R4 – Bad logical-to-physical resolution for the NHS – should be “ip nhrp map 172.16.0.2 10.0.0.2”
4. R2 – Bad tunnel key – should be 6783
Regards,
Piotr
And why do the DMVPN spokes map physical addresses to the tunnel (NBMA) address of the hub? Shouldn’t it be ‘ip nhrp map 172.16.0.2 10.0.0.2’ on both spokes? I would map the hub’s tunnel address to its loopback, not to Ethernet, so ‘ip nhrp map 172.16.0.2 2.2.2.2’.
And the Tunnel0 address on the DMVPN hub should be 172.16.0.2, not 172.168.0.2.
On R1:
Was the key R1.INE.com generated? It is not showing in the command.
rekey authentication mypubkey rsa R1.INE.com
crypto key generate rsa general-keys modulus 1024
In addition, R1 needs to enroll with the CA server (AKA himself/itself), else the ISAKMP policy will never complete. R1 needs to get a digital cert to exchange with the GMs.
With this config GET VPN will not work. On R1 he needs to enroll with its own IOS CA server using its own RSA key “R1.INE.com”. Without this, the key server will invalidate the certificate from the member server.
Shain nailed it!!! Thanks for everyone’s work!
You may have noticed, Bob’s skills are getting better and better, with a little help from his friends.
Again, great job!
Hello Tacack-
You are right, there is no IPSec profile on the GRE tunnel interfaces.
In this scenario, we are using GET VPN to encrypt the GRE traffic from anyone on the 10 network to anyone else on the 10 network. From the network perspective, all the GRE traffic is flowing between the FA0/0 interfaces of R2, R3 and R4.
Thanks.
Hi Tim- Thank you for taking time to go through the configuration! You are right on 1, 2 and 3. The CA server (R1) needs to also authenticate and enroll with itself, and that was the 4th piece. If we put a protocol analyzer on VLAN x (the 10.0.0.0 network), we would see that the GRE traffic for the DMVPN is GRE to and from the Fa0/0 interfaces (the 10.0.0.x addresses). Once the encryption kicks in, we would no longer see the GRE with a sniffer, but only IPsec packets (IP protocol 50, ESP) between the 10.0.0.x interfaces of R2, R3 and R4.
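To make the sniffer check in the reply above concrete, here is an added example (it is not code from the original post or from INE) that constructs the two kinds of packets an analyzer on the 10.0.0.0/24 VLAN would see: cleartext GRE carrying the DMVPN tunnel key and the overlay addresses before the GET VPN policy applies, and ESP (IP protocol 50) afterwards, where only the SPI and sequence number remain readable. The packets, the SPI value and the opaque payload are constructed inline, not captured from a lab; the GRE header follows RFC 2890 and the ESP header RFC 4303.

```python
"""What an on-path sniffer reads from DMVPN traffic before and after GET VPN encrypts it.
Added example, not code from the original post. All packets below are constructed."""
import struct

GRE, ESP, IPV4 = 47, 50, 0x0800      # IP protocol numbers for GRE and ESP; GRE protocol type for IPv4


def _addr(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def _dotted(raw):
    return ".".join(str(b) for b in raw)


def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options; header checksum left zero) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       _addr(src), _addr(dst)) + payload


def gre(key, inner):
    """GRE header with the K bit set (RFC 2890): the DMVPN tunnel key rides in the clear."""
    return struct.pack("!HHI", 0x2000, IPV4, key) + inner


def esp(spi, seq, ciphertext):
    """ESP (RFC 4303): the SPI and sequence number are the only plaintext fields."""
    return struct.pack("!II", spi, seq) + ciphertext


def classify(pkt):
    """Return everything an observer can read from one IPv4 packet without any keys."""
    ihl = (pkt[0] & 0x0F) * 4
    seen = {"src": _dotted(pkt[12:16]), "dst": _dotted(pkt[16:20]), "proto": pkt[9]}
    body = pkt[ihl:]
    if seen["proto"] == GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        c_bit, k_bit, s_bit = flags & 0x8000, flags & 0x2000, flags & 0x1000
        hdr_len = 4 + 4 * bool(c_bit) + 4 * bool(k_bit) + 4 * bool(s_bit)
        if k_bit:                                    # key word follows the optional checksum word
            off = 4 + 4 * bool(c_bit)
            seen["gre_key"] = struct.unpack("!I", body[off:off + 4])[0]
        if ptype == IPV4:                            # the overlay endpoints are readable as well
            inner = classify(body[hdr_len:])
            seen["inner"] = (inner["src"], inner["dst"])
    elif seen["proto"] == ESP:
        seen["spi"], seen["seq"] = struct.unpack("!II", body[:8])
    return seen


def plaintext_gre(capture):
    """Indices of packets still carrying cleartext GRE; a non-empty result means encryption is not on."""
    return [i for i, pkt in enumerate(capture) if classify(pkt)["proto"] == GRE]


# Constructed capture: the same spoke-to-hub DMVPN packet before and after the GET VPN policy applies.
OVERLAY = ipv4("172.16.0.3", "172.16.0.2", 88, b"EIGRP hello")          # overlay traffic inside GRE
BEFORE = ipv4("10.0.0.3", "10.0.0.2", GRE, gre(6783, OVERLAY))
AFTER = ipv4("10.0.0.3", "10.0.0.2", ESP, esp(0x1234ABCD, 1, b"\x5c" * len(gre(6783, OVERLAY))))
CAPTURE = [BEFORE, AFTER]

if __name__ == "__main__":
    for pkt in CAPTURE:
        print(classify(pkt))
    print("cleartext GRE at capture indices:", plaintext_gre(CAPTURE))
```

Running it shows the first packet with `gre_key` 6783 and the inner 172.16.0.x endpoints exposed, and the second with nothing but the 10.0.0.x endpoints, protocol 50 and the SPI. The `plaintext_gre` check is the quick way to confirm on a real capture (after parsing it to raw IPv4 packets) that no GRE between the group members is leaving the routers unencrypted.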
irom- Excellent eye! The key was transposed, and that indeed is one of the issues with the configuration, GREAT JOB!
One of the tips a lot of CCIE candidates use is copy/paste from Notepad. Not only may that help with speed, but it also means less transposing of values, like this key. One word of caution with failover and copy/paste on the ASA: if you issue a “show run fail” on the primary ASA, please double check that you have changed the keyword in the config from primary to secondary before you paste it into the config on the secondary ASA.
Thanks for taking the time to look at the configuration!
Piotr- Excellent work!
Thank you.
irom-
In the configuration, before we added the EIGRP for use with DMVPN, the loopbacks were not reachable. If they were reachable, I agree that we could use them to terminate the endpoints of the GRE instead of the Fa0/0 interfaces.
Thank you.
irom- Yes, you are right on, the DMVPN hub had an issue with a transposed IP address. Excellent catch.
Hello puneet-
The RSA keypair was generated on R1, but you are right about the lack of an identity certificate for R1.
The rekey information is also present in the proposed configuration.
Thanks!
Abu- Right on the money! Great job.
Here is the configuration, which includes the solutions you provided, thanks again! Keith.
R1 Key, NTP and CA Server
enable
conf t
hostname R1
ip domain-name INE.com
no ip domain-lookup
line con 0
no exec-time
logging sync
privi level 15
exit
int fa 0/0
no shut
ip address 10.0.0.1 255.255.255.0
int loop 0
ip address 1.1.1.1 255.255.255.0
exit
ntp master 2
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
clock timezone PST -8
clock summer-time PDT recurring
crypto key generate rsa general-keys modulus 1024
ip http server
crypto pki server R1-CA_Server
database url nvram:
database level minimum
grant auto
no shutdown
exit
crypto pki trustpoint R1-MYSELF-CA
enrollment url http://10.0.0.1:80
revocation-check none
exit
cryp pki authenticate R1-MYSELF-CA
cryp pki enroll R1-MYSELF-CA
crypto isakmp policy 1
auth rsa-sig
exit
crypto ipsec transform-set TSET esp-aes esp-sha
mode transport
exit
crypto ipsec profile GDOI-PROF
set transform-set TSET
exit
crypto gdoi group group1
identity number 1
server local
address ipv4 10.0.0.1
rekey authentication mypubkey rsa R1.INE.com
rekey transport unicast
sa ipsec 1
profile GDOI-PROF
match address ipv4 100
exit
exit
access-list 100 permit gre 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
R2 DMVPN HUB
enable
conf t
hostname R2
ip domain-name INE.com
no ip domain-lookup
line con 0
no exec-time
logging sync
privi level 15
exit
int fa 0/0
no shut
ip address 10.0.0.2 255.255.255.0
int loop 0
ip address 2.2.2.2 255.255.255.0
exit
clock timezone PST -8
clock summer-time PDT recurring
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
ntp server 10.0.0.1 key 1
ip domain-name INE.com
crypto key generate rsa general-keys modulus 1024
crypto isakmp policy 1
auth rsa-sig
exit
interface Tunnel0
bandwidth 1000
delay 1000
ip address 172.16.0.2 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 2210
ip nhrp holdtime 360
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
tunnel source Fa0/0
tunnel mode gre multipoint
tunnel key 6783
exit
router eigrp 1
network 172.16.0.0 0.0.255.255
network 2.2.2.2 0.0.0.0
no auto-summary
exit
crypto pki trustpoint R1-CA
enrollment url http://10.0.0.1:80
revocation-check none
exit
cry pki authenticate R1-CA
crypto pki enroll R1-CA
crypto gdoi group group1
identity number 1
server address ipv4 10.0.0.1
exit
crypto map map-group1 10 gdoi
set group group1
interface FastEthernet0/0
crypto map map-group1
end
R3 DMVPN Spoke
enable
conf t
hostname R3
ip domain-name INE.com
no ip domain-lookup
line con 0
no exec-time
logging sync
privi level 15
exit
int fa 0/0
no shut
ip address 10.0.0.3 255.255.255.0
int loop 0
ip address 3.3.3.3 255.255.255.0
exit
clock timezone PST -8
clock summer-time PDT recurring
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
ntp server 10.0.0.1 key 1
ip domain-name INE.com
crypto key generate rsa general-keys modulus 1024
crypto isakmp policy 1
auth rsa-sig
exit
interface Tunnel0
bandwidth 1000
delay 1000
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast 10.0.0.2
ip nhrp map 172.16.0.2 10.0.0.2
ip nhrp network-id 2210
ip nhrp holdtime 360
ip nhrp nhs 172.16.0.2
ip tcp adjust-mss 1360
tunnel source FA0/0
tunnel mode gre multipoint
tunnel key 6783
exit
router eigrp 1
network 172.16.0.0 0.0.255.255
network 3.3.3.3 0.0.0.0
no auto-summary
exit
crypto pki trustpoint R1-CA
enrollment url http://10.0.0.1:80
revocation-check none
exit
cry pki authenticate R1-CA
crypto pki enroll R1-CA
crypto gdoi group group1
identity number 1
server address ipv4 10.0.0.1
exit
crypto map map-group1 10 gdoi
set group group1
interface FastEthernet0/0
crypto map map-group1
end
R4 Spoke
enable
conf t
hostname R4
ip domain-name INE.com
no ip domain-lookup
line con 0
no exec-time
logging sync
privi level 15
exit
int fa 0/0
no shut
ip address 10.0.0.4 255.255.255.0
int loop 0
ip address 4.4.4.4 255.255.255.0
exit
clock timezone PST -8
clock summer-time PDT recurring
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
ntp server 10.0.0.1 key 1
ip domain-name INE.com
crypto key generate rsa general-keys modulus 1024
crypto isakmp policy 1
auth rsa-sig
exit
interface Tunnel0
bandwidth 1000
delay 1000
ip address 172.16.0.4 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast 10.0.0.2
ip nhrp map 172.16.0.2 10.0.0.2
ip nhrp network-id 2210
ip nhrp holdtime 360
ip nhrp nhs 172.16.0.2
ip tcp adjust-mss 1360
tunnel source FA0/0
tunnel mode gre multipoint
tunnel key 6783
exit
router eigrp 1
network 172.16.0.0 0.0.255.255
network 4.4.4.4 0.0.0.0
no auto-summary
exit
crypto pki trustpoint R1-CA
enrollment url http://10.0.0.1:80
revocation-check none
exit
cry pki authenticate R1-CA
crypto pki enroll R1-CA
crypto gdoi group group1
identity number 1
server address ipv4 10.0.0.1
exit
crypto map map-group1 10 gdoi
set group group1
interface FastEthernet0/0
crypto map map-group1
end
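As an added example (not part of the original post or of this thread, and not INE or Keith Barker code), the following Python script encodes the four problems the thread converged on, along with the general rules behind them, and runs them over constructed excerpts of the proposed configuration from the post and of the corrected configuration above. It goes a little beyond the four puzzle answers: it also verifies that each spoke's NBMA mapping points at the hub's actual tunnel source, that the key server's GET VPN ACL covers the members' underlay (tunnel source) addresses rather than the overlay, which is the point Keith makes about the 10.0.0.x GRE traffic, and that the CA router's trustpoint name differs from its CA server name, which Keith flags later in the thread. The config strings contain only the lines the checks read; everything else in them is taken from the page. It needs Python 3.8 or later.

```python
"""Cross-check DMVPN hub/spoke and GET VPN key-server configs for the inconsistencies this
thread found. Added example, not INE or Keith Barker code. The strings are constructed
excerpts of the post's proposed configs (only the lines the checks read). Python 3.8+."""
import ipaddress
import re

PROPOSED = {
    "R1": "int fa 0/0\nip address 10.0.0.1 255.255.255.0\nexit\ncrypto pki server R1-CA_Server\n"
          "crypto isakmp policy 1\nauth rsa-sig\nexit\n"
          "access-list 100 permit gre 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255",
    "R2": "int fa 0/0\nip address 10.0.0.2 255.255.255.0\nexit\ncrypto isakmp policy 1\nauth rsa-sig\nexit\n"
          "interface Tunnel0\nip address 172.168.0.2 255.255.255.0\nip nhrp map multicast dynamic\n"
          "tunnel source Fa0/0\ntunnel mode gre multipoint\ntunnel key 6738\nexit\n"
          "crypto pki trustpoint R1-CA\nenrollment url http://10.0.0.1:80\nexit\ncrypto pki enroll R1-CA",
    "R3": "int fa 0/0\nip address 10.0.0.3 255.255.255.0\nexit\ncrypto isakmp policy 1\nauth rsa-sig\nexit\n"
          "interface Tunnel0\nip address 172.16.0.3 255.255.255.0\nip nhrp map multicast 10.0.0.2\n"
          "ip nhrp map 10.0.0.2 172.16.0.2\nip nhrp nhs 172.16.0.2\ntunnel source FA0/0\n"
          "tunnel mode gre multipoint\ntunnel key 6783\nexit\n"
          "crypto pki trustpoint R1-CA\nenrollment url http://10.0.0.1:80\nexit\ncry pki enroll R1-CA",
}
PROPOSED["R4"] = PROPOSED["R3"].replace("10.0.0.3", "10.0.0.4").replace("172.16.0.3", "172.16.0.4")

# The four fixes the thread converged on, applied to obtain the corrected set Keith posted.
CORRECTED = dict(PROPOSED)
CORRECTED["R1"] += "\ncrypto pki trustpoint R1-MYSELF-CA\nenrollment url http://10.0.0.1:80\nexit\ncrypto pki enroll R1-MYSELF-CA"
CORRECTED["R2"] = PROPOSED["R2"].replace("172.168.0.2", "172.16.0.2").replace("key 6738", "key 6783")
for _r in ("R3", "R4"):
    CORRECTED[_r] = PROPOSED[_r].replace("map 10.0.0.2 172.16.0.2", "map 172.16.0.2 10.0.0.2")


def _ifname(raw):
    """'fa 0/0', 'FastEthernet0/0', 'Fa0/0' -> 'fa0/0'; 'Tunnel0' -> 'tun0'."""
    return raw.lower().replace(" ", "").replace("fastethernet", "fa").replace("tunnel", "tun")


def parse(text):
    """Line-oriented IOS reader: per-interface tunnel/NHRP settings plus PKI, ISAKMP and ACL facts."""
    cfg = {"ifaces": {}, "pki_server": None, "trustpoints": [], "enrolled": [], "auth": set(), "acls": []}
    cur = None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        w = line.split()
        if w[0] in ("int", "interface"):
            cur = cfg["ifaces"].setdefault(_ifname(line.split(None, 1)[1]), {})
        elif line in ("exit", "end"):
            cur = None
        elif cur is not None:                                   # interface sub-mode
            if line.startswith("ip address "):
                cur["addr"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
            elif line.startswith("ip nhrp map ") and w[3] != "multicast":
                cur.setdefault("maps", []).append((w[3], w[4]))  # (tunnel IP, NBMA IP)
            elif line.startswith("ip nhrp nhs "):
                cur["nhs"] = w[3]
            elif line.startswith("tunnel key "):
                cur["key"] = w[2]
            elif line.startswith("tunnel source "):
                cur["source"] = _ifname(w[2])
        elif (m := re.match(r"cry\w* pki (server|trustpoint|enroll) (\S+)", line)):
            kind, name = m.groups()
            if kind == "server":
                cfg["pki_server"] = name
            else:
                cfg["trustpoints" if kind == "trustpoint" else "enrolled"].append(name)
        elif w[0].startswith("auth"):                          # 'auth rsa-sig' under crypto isakmp policy
            cfg["auth"].add(w[1])
        elif (m := re.match(r"access-list \d+ permit (\S+) (\S+) (\S+)", line)):
            cfg["acls"].append((m.group(1), ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")))
    return cfg


def audit(configs):
    """Return [(router, finding), ...] for a {router: config_text} set; an empty list means consistent."""
    p = {r: parse(t) for r, t in configs.items()}
    tun = {r: c["ifaces"]["tun0"] for r, c in p.items() if "tun0" in c["ifaces"]}
    nbma = {r: str(p[r]["ifaces"][t["source"]]["addr"].ip) for r, t in tun.items()}  # underlay per member
    owner = {str(t["addr"].ip): r for r, t in tun.items()}                          # tunnel IP -> router
    keys = sorted({t["key"] for t in tun.values()})
    out = [("*", f"tunnel key mismatch across DMVPN members: {keys}")] if len(keys) > 1 else []
    if len({t["addr"].network for t in tun.values()}) > 1:
        out.append(("*", "Tunnel0 addresses are not all in one subnet"))
    for r, t in tun.items():
        if "nhs" in t and t["nhs"] not in owner:
            out.append((r, f"NHS {t['nhs']} is not any member's Tunnel0 address"))
        for overlay, underlay in t.get("maps", []):
            if ipaddress.ip_address(overlay) not in t["addr"].network:
                out.append((r, f"'ip nhrp map {overlay} {underlay}': tunnel and NBMA addresses are swapped"))
            elif overlay in owner and nbma[owner[overlay]] != underlay:
                out.append((r, f"NBMA {underlay} is not {owner[overlay]}'s tunnel source {nbma[owner[overlay]]}"))
    for r, c in p.items():
        if "rsa-sig" in c["auth"] and not c["enrolled"]:
            out.append((r, "ISAKMP uses rsa-sig but no trustpoint is enrolled: no identity certificate"))
        if c["pki_server"] and c["pki_server"] in c["trustpoints"]:
            out.append((r, f"trustpoint {c['pki_server']} reuses the local CA server's name"))
        for proto, net in c["acls"]:                            # GET VPN policy must match the underlay
            missed = [m for m, ip in nbma.items() if ipaddress.ip_address(ip) not in net]
            if missed:
                out.append((r, f"ACL 'permit {proto} {net}' misses the tunnel sources of {missed}"))
    return out


if __name__ == "__main__":
    for label, cfgs in (("proposed", PROPOSED), ("corrected", CORRECTED)):
        print(label, *(f"\n  {r}: {msg}" for r, msg in audit(cfgs)))
```

Against the proposed set the checker reports seven findings that reduce to the thread's four root causes (the mismatched tunnel key, the 172.168.0.2 typo, which also shows up as the spokes' NHS not matching any member, the swapped `ip nhrp map` arguments on R3 and R4, and R1 using rsa-sig with no enrolled trustpoint); against the corrected set it reports none. Changing the key server's ACL to match the 172.16.0.0 overlay instead of the 10.0.0.0 underlay, as one reply suggested, produces a finding, because the GRE packets GET VPN has to encrypt travel between the Fa0/0 addresses.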
@Keith. This is awesome! You’re taking something that’s complex and can be frustrating sometimes and adding more fun to it. Not to mention all the stuff you get to learn from the very knowledgeable members here and of course yourself. Keep it up!
I can assure you I’ll try and answer everything. Good job again Keith, thanks!
Hi, I’ve got the following message after typing command ‘cryp pki authenticate R1-MYSELF-CA’ on R1:
R1(config)#cryp pki authenticate R1-MYSELF-CA
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
Any idea ?
Hello irom-
I would check the following:
Did R2 or any of the other routers successfully get a certificate from R1? If not, perhaps the CA server needs the “no shutdown” command, or needs to have HTTP enabled. Sometimes it takes several seconds before the CA server will allow a “no shutdown”, and with a cut/paste it is possible that a console message saying CA Server Busy came up. If the no shutdown is successful, the router will prompt you for a password for the CA server.
If the other routers did receive certificates from R1, but R1 didn’t, check to see that the CA name (as the server) and the PKI name (as the client) are NOT exactly the same name. The config I posted (near the end of the thread) has all the parts and pieces required for success.
Let me know what you find.
thanks, Keith.
Tacack-
Thanks for the positive feedback!