Sep 30

Note:  Full working solution is located at the end of the document. :)

Change was in the air, and Bob knew it. Bob had simply been ignoring the fact that the existing IPSec site-to-site tunnels he inherited at his company were old school, and that there were better options, especially when plans included bringing up dozens of new sites. Since his company was going to be purchasing MPLS services, Bob was open to learning better ways of implementing secure tunnels. In Bob's studies, he read an article written by Petr Lapukhov on DMVPN and was very interested. Bob's glee was short lived when he learned that when the spokes of a DMVPN had to build tunnels to other spokes, it was not quick enough for voice traffic. Bob learned that the latency happens while the IKE phase 1 and phase 2 tunnels are set up between the spokes. Then Bob chanced upon one of INE's blog posts regarding GET VPN, and learned that with GET (Group Encrypted Transport) there was no need to build tunnels between spokes, and therefore less latency. This would solve the latency issue for time-sensitive traffic and still have the benefits of encryption! It sounded almost too good to be true.

Eagerly, Bob set up 4 routers to test DMVPN for dynamic GRE tunnels and GET VPN to provide the encryption services.

Bob's heart beat a little faster as he thought about the layout of the test: R1 would be the key server, CA and NTP server. R2 would be the DMVPN hub, with R3 and R4 as spokes. On the GET VPN side of the house, R2, R3 and R4 would all be GET VPN group members, so no IPSec profiles would be required on the GRE tunnel interfaces.

Bob's test bed for DMVPN/GET VPN

Bob put the configuration he planned to use into his favorite configuration editor (Notepad), and realized that when he eventually pasted it into the routers he might have to intervene at times to supply manual input for certificate-related tasks, and he was OK with that. Bob also remembered that it is best to allow the clocks time to synchronize with the NTP peers when using digital certificates.

All the switchports used by Fa0/0 on R1-R4 were set up correctly as access ports in the same VLAN. Bob verified that no L1 or L2 problems were standing between him and success.

In contrast to his anticipation of building the "perfect" new solution for his company, Bob had a sneaking suspicion that something in his proposed configuration wasn't quite right, or that something was missing. Below is the proposed configuration:

R1 Key, NTP and CA Server

enable
conf t
hostname R1
ip domain-name INE.com
no ip domain-lookup
line con 0
no exec-time
logging sync
privi level 15
exit
int fa 0/0
no shut
ip address 10.0.0.1 255.255.255.0
int loop 0
ip address 1.1.1.1 255.255.255.0
exit
ntp master 2
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
clock timezone PST -8
clock summer-time PDT recurring
crypto key generate rsa general-keys  modulus 1024
ip http server
crypto pki server R1-CA_Server
database url nvram:
database level minimum
grant auto
no shutdown
exit
crypto isakmp policy 1
auth rsa-sig
exit
crypto ipsec transform-set TSET esp-aes esp-sha
mode transport
exit
crypto ipsec profile GDOI-PROF
set transform-set TSET
exit
crypto gdoi group group1
identity number 1
server local
address ipv4 10.0.0.1
rekey authentication mypubkey rsa R1.INE.com
rekey transport unicast
sa ipsec 1
profile GDOI-PROF
match address ipv4 100
exit
exit
access-list 100 permit  gre  10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255

R2 DMVPN HUB

enable
conf t
hostname R2
ip domain-name INE.com
no ip domain-lookup
line con 0
no exec-time
logging sync
privi level 15
exit
int fa 0/0
no shut
ip address 10.0.0.2 255.255.255.0
int loop 0
ip address 2.2.2.2 255.255.255.0
exit
clock timezone PST -8
clock summer-time PDT recurring
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
ntp server 10.0.0.1 key 1
ip domain-name INE.com
crypto key generate rsa general-keys  modulus 1024
crypto isakmp policy 1
auth rsa-sig
exit
interface Tunnel0
bandwidth 1000
delay 1000
ip address 172.168.0.2 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 2210
ip nhrp holdtime 360
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
tunnel source Fa0/0
tunnel mode gre multipoint
tunnel key 6738
exit
router eigrp 1
network 172.16.0.0 0.0.255.255
network 2.2.2.2 0.0.0.0
no auto-summary
exit
crypto pki trustpoint R1-CA
enrollment url http://10.0.0.1:80
revocation-check none
exit
cry pki authenticate R1-CA
crypto pki enroll R1-CA
crypto gdoi group group1
identity number 1
server address ipv4 10.0.0.1
exit
crypto map map-group1 10 gdoi
set group group1
interface FastEthernet0/0
crypto map map-group1
end

R3 DMVPN Spoke

enable
conf t
hostname R3
ip domain-name INE.com
no ip domain-lookup
line con 0
no exec-time
logging sync
privi level 15
exit
int fa 0/0
no shut
ip address 10.0.0.3 255.255.255.0
int loop 0
ip address 3.3.3.3 255.255.255.0
exit
clock timezone PST -8
clock summer-time PDT recurring
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
ntp server 10.0.0.1 key 1
ip domain-name INE.com
crypto key generate rsa general-keys  modulus 1024
crypto isakmp policy 1
auth rsa-sig
exit
interface Tunnel0
bandwidth 1000
delay 1000
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast 10.0.0.2
ip nhrp map 10.0.0.2 172.16.0.2
ip nhrp network-id 2210
ip nhrp holdtime 360
ip nhrp nhs 172.16.0.2
ip tcp adjust-mss 1360
tunnel source FA0/0
tunnel mode gre multipoint
tunnel key 6783
exit
router eigrp 1
network 172.16.0.0 0.0.255.255
network 3.3.3.3 0.0.0.0
no auto-summary
exit
crypto pki trustpoint R1-CA
enrollment url http://10.0.0.1:80
revocation-check none
exit
cry pki authenticate R1-CA
crypto pki enroll R1-CA
crypto gdoi group group1
identity number 1
server address ipv4 10.0.0.1
exit
crypto map map-group1 10 gdoi
set group group1
interface FastEthernet0/0
crypto map map-group1
end

R4 Spoke

enable
conf t
hostname R4
ip domain-name INE.com
no ip domain-lookup
line con 0
no exec-time
logging sync
privi level 15
exit
int fa 0/0
no shut
ip address 10.0.0.4 255.255.255.0
int loop 0
ip address 4.4.4.4 255.255.255.0
exit
clock timezone PST -8
clock summer-time PDT recurring
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
ntp server 10.0.0.1 key 1
ip domain-name INE.com
crypto key generate rsa general-keys  modulus 1024
crypto isakmp policy 1
auth rsa-sig
exit
interface Tunnel0
bandwidth 1000
delay 1000
ip address 172.16.0.4 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast 10.0.0.2
ip nhrp map 10.0.0.2 172.16.0.2
ip nhrp network-id 2210
ip nhrp holdtime 360
ip nhrp nhs 172.16.0.2
ip tcp adjust-mss 1360
tunnel source FA0/0
tunnel mode gre multipoint
tunnel key 6783
exit
router eigrp 1
network 172.16.0.0 0.0.255.255
network 4.4.4.4 0.0.0.0
no auto-summary
exit
crypto pki trustpoint R1-CA
enrollment url http://10.0.0.1:80
revocation-check none
exit
cry pki authenticate R1-CA
crypto pki enroll R1-CA
crypto gdoi group group1
identity number 1
server address ipv4 10.0.0.1
exit
crypto map map-group1 10 gdoi
set group group1
interface FastEthernet0/0
crypto map map-group1
end

Your mission, should you choose to accept it (feel free to hum the Mission: Impossible theme), is to find the errors in this configuration.

Hint: there are 4 specific configuration-related issues in the proposed configuration.

Will you assist Bob in creating a working DMVPN/GET VPN solution?

PS: Bob passes on his appreciation for all the help he has received from you in the past! The solutions you provided worked like a charm, and Bob is being treated like a Network Rock Star by his manager. Keep up the great work!
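As a cross-check for this kind of puzzle, here is an added Python script (not part of the original post and not an INE tool) that applies four consistency rules a reviewer would apply to the proposed configuration: one tunnel key across the mGRE cloud, `ip nhrp map` taking the tunnel address before the NBMA address, the spokes' NHS being a tunnel address that some router actually owns, and a CA router that authenticates with rsa-sig having enrolled for its own identity certificate. The config text is a trimmed, constructed copy of the relevant stanzas; the trustpoint name R1-MYSELF-CA used for the corrected set is the one from the working solution at the end of the thread.

```python
import ipaddress

# Constructed, trimmed copies of the stanzas from the proposed configuration (only the lines the checks read).
PROPOSED = {
    "R1": "crypto pki server R1-CA_Server\ncrypto isakmp policy 1\n auth rsa-sig\n",
    "R2": ("interface Tunnel0\n ip address 172.168.0.2 255.255.255.0\n"
           " ip nhrp map multicast dynamic\n ip nhrp network-id 2210\n tunnel key 6738\n"),
    "R3": ("interface Tunnel0\n ip address 172.16.0.3 255.255.255.0\n"
           " ip nhrp map multicast 10.0.0.2\n ip nhrp map 10.0.0.2 172.16.0.2\n"
           " ip nhrp nhs 172.16.0.2\n tunnel key 6783\n"),
}
PROPOSED["R4"] = PROPOSED["R3"].replace("172.16.0.3", "172.16.0.4")
# The same stanzas with the corrections from the thread applied.
FIXED = dict(PROPOSED)
FIXED["R1"] += ("crypto pki trustpoint R1-MYSELF-CA\ncrypto pki authenticate R1-MYSELF-CA\n"
                "crypto pki enroll R1-MYSELF-CA\n")
FIXED["R2"] = PROPOSED["R2"].replace("172.168.0.2", "172.16.0.2").replace("6738", "6783")
for _r in ("R3", "R4"):
    FIXED[_r] = PROPOSED[_r].replace("map 10.0.0.2 172.16.0.2", "map 172.16.0.2 10.0.0.2")


def parse(cfg):
    """Extract the few facts the checks need from one router's config text."""
    f = {"tunnel": None, "maps": [], "nhs": [], "key": None, "rsa_sig": False,
         "server": False, "trustpoint": False, "enroll": False}
    cur = None
    for w in filter(None, (line.split() for line in cfg.splitlines())):
        if w[0] == "interface":
            cur = w[1]
        elif w[:2] == ["ip", "address"] and cur and cur.startswith("Tunnel"):
            f["tunnel"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[:3] == ["ip", "nhrp", "map"] and w[3] != "multicast":
            f["maps"].append((ipaddress.ip_address(w[3]), ipaddress.ip_address(w[4])))
        elif w[:3] == ["ip", "nhrp", "nhs"]:
            f["nhs"].append(ipaddress.ip_address(w[3]))
        elif w[:2] == ["tunnel", "key"]:
            f["key"] = w[2]
        elif w[:2] == ["crypto", "pki"] and w[2] in ("server", "trustpoint", "enroll"):
            f[w[2]] = True          # CA role, client trustpoint, enrollment request
        elif w[0] in ("auth", "authentication") and "rsa-sig" in w:
            f["rsa_sig"] = True
    return f


def check(configs):
    """Return a list of findings; an empty list means the DMVPN/PKI pieces agree."""
    facts = {name: parse(cfg) for name, cfg in configs.items()}
    findings = []
    keys = {n: f["key"] for n, f in facts.items() if f["key"]}
    if len(set(keys.values())) > 1:     # every mGRE tunnel in the cloud must share one key
        findings.append(f"tunnel key mismatch: {keys}")
    tunnel_ips = {f["tunnel"].ip for f in facts.values() if f["tunnel"]}
    for n, f in facts.items():
        for tun, nbma in f["maps"]:     # syntax is 'ip nhrp map <tunnel addr> <NBMA addr>'
            if tun not in f["tunnel"].network or nbma in f["tunnel"].network:
                findings.append(f"{n}: ip nhrp map {tun} {nbma} has tunnel and NBMA addresses swapped")
        if f["server"] and f["rsa_sig"] and not (f["trustpoint"] and f["enroll"]):
            findings.append(f"{n}: CA server uses rsa-sig but never enrolls for its own certificate")
    for nhs in sorted({a for f in facts.values() for a in f["nhs"]}):
        if nhs not in tunnel_ips:       # the hub's tunnel address must be what the spokes point at
            findings.append(f"NHS {nhs} is not the Tunnel0 address of any router")
    return findings
```

Running `check(PROPOSED)` lists the inconsistencies (the swapped NHRP map is reported once per spoke), while `check(FIXED)` returns an empty list.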


26 Responses to “Bob is back. DMVPN/GET VPN assistance needed!”

  1. Tacack says:

    The tunnel interface on the DMVPN hub is configured incorrectly

    There is no tunnel protection configured on the DMVPN hub and the spokes. No IPSEC profile defined too.

    access-list 100 permit gre 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255 -> on the GETVPN GCKS needs to be changed to permit ip traffic.

    • Hello Tacack-

      You are right, there is no IPSec profile on the GRE tunnel interfaces.

      In this scenario, we are using GET VPN to encrypt the GRE traffic from anyone on the 10 network to anyone else on the 10 network. From the network perspective, all the GRE traffic is flowing between the FA0/0 interfaces of R2, R3 and R4.

      Thanks.

  2. shain says:

    DMVPN Related
    =============
    1) On R2 tunnel interface
    change IP from 172.168.0.2 to 172.16.0.2

    2) On R2 tunnel interface
    change tunnel key from 6738 to 6783

    3) On R3 and R4 tunnel interfaces change nhrp mapping
    FROM
    ip nhrp map 10.0.0.2 172.16.0.2
    TO
    ip nhrp map 172.16.0.2 10.0.0.2

    GETVPN Related
    ==============

    1) Because of isakmp policy authentication method is based on rsa-sig
    R1 should enroll a certificate from CA server (which is itself)

    crypto pki trustpoint R1-CA
    enrollment url http://10.0.0.1:80
    revocation-check none
    cry pki authenticate R1-CA
    crypto pki enroll R1-CA

  3. Tim Rowley says:

    Howdy,

    1 – Tunnel keys do not match on DMVPN routers
    2 – Looks like a typo on R2 Tun0 IP address 172.168 instead of 172.16
    3 – NHRP mappings swapped on the spokes, they have the NBMA first then TUN IPs, should be swapped so TUN is first.
    4 – ACL100 says GRE for 10.0.0.0/24, this should be the 172.16 network instead right?

    • Hi Tim- Thank you for taking time to go through the configuration! You are right on 1, 2 and 3. The CA server (R1) needs to also authenticate and enroll with itself, and that was the 4th piece. If we put a protocol analyzer on VLAN x (the 10.0.0.0 network), we would see that the GRE traffic for the DMVPN is GRE to and from the Fa0/0 interfaces, (the 10.0.0.x addresses). Once the encryption kicks in, we would no longer see the GRE with a sniffer, but only IPSec packets (IP pointing to protocol 50 ESP) between the 10.0.0.x interfaces of R2, R3 and R4.

  4. irom says:

    Should R3 and R4 have tunnel key 6738, not 6783 ?

    • irom- Excellent eye! The key was transposed, and that indeed is one of the issues with the configuration, GREAT JOB!

      One of the tips a lot of CCIE candidates use is copy/paste from notepad. Not only may that help with speed, but also assists with less transposing of values, like this key. One word of caution with failover and copy/paste on the ASA. If you issue a “show run fail” on the primary ASA, please double check that you have changed the keyword in the config from primary to secondary before you paste it into the config on the secondary ASA.

      Thanks for taking the time to look at the configuration!

  5. Piotr Kaluzny says:

    Good Day,

    1. R2 – Wrong IP address on tunnel 0 interface
    2. R1 – Lack of CA trustpoint for identity certificate
    3. R3 and R4 – Bad logical-physical resolution for NHS – should be "ip nhrp map 172.16.0.2 10.0.0.2"
    4. R2 – Bad tunnel key – should be 6783

    Regards,
    Piotr

  6. irom says:

    And why do the DMVPN spokes map physical addresses to the tunnel (NBMA) address of the hub? Shouldn't it be 'ip nhrp map 172.16.0.2 10.0.0.2' on both spokes? I would map the hub tunnel address to its loopback, not Ethernet, so 'ip nhrp map 172.16.0.2 2.2.2.2'

    • irom-

      In the configuration, before we added the EIGRP for use with DMVPN, the loopbacks were not reachable. If they were reachable, I agree that we could use them to terminate the endpoints of the GRE instead of the Fa0/0 interfaces.

      Thank you.

  7. irom says:

    And the tunnel address on the DMVPN hub should be 172.16.0.2, not 172.168.0.2

  8. puneet says:

    On R1:

    Was the key R1.INE.com generated? It is not showing in the command.
    rekey authentication mypubkey rsa R1.INE.com
    crypto key generate rsa general-keys modulus 1024

    In addition R1 needs to enroll with the CA server (AKA himself/itself) else the isakmp policy will never complete. R1 needs to get a digi cert to exchange with the GMs.

    • Hello puneet-

      The RSA keypair was generated on R1, but you are right about the lack of an identity certificate for R1.

      The rekey information is also present in the proposed configuration.

      Thanks!

  9. Abu Hayat Khan says:

    With this config GET VPN will not work. On R1 he needs to enroll with its own IOS CA server using its own RSA key "R1.INE.com". Without this, the key server will invalidate the certificate from the member server.

  10. Here is the configuration, which includes the solutions you provided, thanks again!

    R1 Key, NTP and CA Server

    enable
    conf t
    hostname R1
    ip domain-name INE.com
    no ip domain-lookup
    line con 0
    no exec-time
    logging sync
    privi level 15
    exit
    int fa 0/0
    no shut
    ip address 10.0.0.1 255.255.255.0
    int loop 0
    ip address 1.1.1.1 255.255.255.0
    exit
    ntp master 2
    ntp authentication-key 1 md5 cisco
    ntp trusted-key 1
    ntp authenticate
    clock timezone PST -8
    clock summer-time PDT recurring
    crypto key generate rsa general-keys  modulus 1024
    ip http server
    crypto pki server R1-CA_Server
    database url nvram:
    database level minimum
    grant auto
    no shutdown
    exit
    crypto pki trustpoint R1-MYSELF-CA
    enrollment url http://10.0.0.1:80
    revocation-check none
    exit
    cryp pki authenticate R1-MYSELF-CA
    cryp pki enroll R1-MYSELF-CA
    crypto isakmp policy 1
    auth rsa-sig
    exit
    crypto ipsec transform-set TSET esp-aes esp-sha
    mode transport
    exit
    crypto ipsec profile GDOI-PROF
    set transform-set TSET
    exit
    crypto gdoi group group1
    identity number 1
    server local
    address ipv4 10.0.0.1
    rekey authentication mypubkey rsa R1.INE.com
    rekey transport unicast
    sa ipsec 1
    profile GDOI-PROF
    match address ipv4 100
    exit
    exit
    access-list 100 permit gre 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255

    R2 DMVPN HUB

    enable
    conf t
    hostname R2
    ip domain-name INE.com
    no ip domain-lookup
    line con 0
    no exec-time
    logging sync
    privi level 15
    exit
    int fa 0/0
    no shut
    ip address 10.0.0.2 255.255.255.0
    int loop 0
    ip address 2.2.2.2 255.255.255.0
    exit
    clock timezone PST -8
    clock summer-time PDT recurring
    ntp authentication-key 1 md5 cisco
    ntp trusted-key 1
    ntp authenticate
    ntp server 10.0.0.1 key 1
    ip domain-name INE.com
    crypto key generate rsa general-keys  modulus 1024
    crypto isakmp policy 1
    auth rsa-sig
    exit
    interface Tunnel0
    bandwidth 1000
    delay 1000
    ip address 172.16.0.2 255.255.255.0
    no ip redirects
    ip mtu 1400
    no ip next-hop-self eigrp 1
    ip nhrp authentication DMVPN_NW
    ip nhrp map multicast dynamic
    ip nhrp network-id 2210
    ip nhrp holdtime 360
    ip tcp adjust-mss 1360
    no ip split-horizon eigrp 1
    tunnel source Fa0/0
    tunnel mode gre multipoint
    tunnel key 6783
    exit
    router eigrp 1
    network 172.16.0.0 0.0.255.255
    network 2.2.2.2 0.0.0.0
    no auto-summary
    exit
    crypto pki trustpoint R1-CA
    enrollment url http://10.0.0.1:80
    revocation-check none
    exit
    cry pki authenticate R1-CA
    crypto pki enroll R1-CA
    crypto gdoi group group1
    identity number 1
    server address ipv4 10.0.0.1
    exit
    crypto map map-group1 10 gdoi
    set group group1
    interface FastEthernet0/0
    crypto map map-group1
    end

    R3 DMVPN Spoke

    enable
    conf t
    hostname R3
    ip domain-name INE.com
    no ip domain-lookup
    line con 0
    no exec-time
    logging sync
    privi level 15
    exit
    int fa 0/0
    no shut
    ip address 10.0.0.3 255.255.255.0
    int loop 0
    ip address 3.3.3.3 255.255.255.0
    exit
    clock timezone PST -8
    clock summer-time PDT recurring
    ntp authentication-key 1 md5 cisco
    ntp trusted-key 1
    ntp authenticate
    ntp server 10.0.0.1 key 1
    ip domain-name INE.com
    crypto key generate rsa general-keys  modulus 1024
    crypto isakmp policy 1
    auth rsa-sig
    exit
    interface Tunnel0
    bandwidth 1000
    delay 1000
    ip address 172.16.0.3 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication DMVPN_NW
    ip nhrp map multicast 10.0.0.2
    ip nhrp map 172.16.0.2 10.0.0.2
    ip nhrp network-id 2210
    ip nhrp holdtime 360
    ip nhrp nhs 172.16.0.2
    ip tcp adjust-mss 1360
    tunnel source FA0/0
    tunnel mode gre multipoint
    tunnel key 6783
    exit
    router eigrp 1
    network 172.16.0.0 0.0.255.255
    network 3.3.3.3 0.0.0.0
    no auto-summary
    exit
    crypto pki trustpoint R1-CA
    enrollment url http://10.0.0.1:80
    revocation-check none
    exit
    cry pki authenticate R1-CA
    crypto pki enroll R1-CA
    crypto gdoi group group1
    identity number 1
    server address ipv4 10.0.0.1
    exit
    crypto map map-group1 10 gdoi
    set group group1
    interface FastEthernet0/0
    crypto map map-group1
    end

    R4 Spoke

    enable
    conf t
    hostname R4
    ip domain-name INE.com
    no ip domain-lookup
    line con 0
    no exec-time
    logging sync
    privi level 15
    exit
    int fa 0/0
    no shut
    ip address 10.0.0.4 255.255.255.0
    int loop 0
    ip address 4.4.4.4 255.255.255.0
    exit
    clock timezone PST -8
    clock summer-time PDT recurring
    ntp authentication-key 1 md5 cisco
    ntp trusted-key 1
    ntp authenticate
    ntp server 10.0.0.1 key 1
    ip domain-name INE.com
    crypto key generate rsa general-keys  modulus 1024
    crypto isakmp policy 1
    auth rsa-sig
    exit
    interface Tunnel0
    bandwidth 1000
    delay 1000
    ip address 172.16.0.4 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication DMVPN_NW
    ip nhrp map multicast 10.0.0.2
    ip nhrp map 172.16.0.2 10.0.0.2
    ip nhrp network-id 2210
    ip nhrp holdtime 360
    ip nhrp nhs 172.16.0.2
    ip tcp adjust-mss 1360
    tunnel source FA0/0
    tunnel mode gre multipoint
    tunnel key 6783
    exit
    router eigrp 1
    network 172.16.0.0 0.0.255.255
    network 4.4.4.4 0.0.0.0
    no auto-summary
    exit
    crypto pki trustpoint R1-CA
    enrollment url http://10.0.0.1:80
    revocation-check none
    exit
    cry pki authenticate R1-CA
    crypto pki enroll R1-CA
    crypto gdoi group group1
    identity number 1
    server address ipv4 10.0.0.1
    exit
    crypto map map-group1 10 gdoi
    set group group1
    interface FastEthernet0/0
    crypto map map-group1
    end

  11. Tacack says:

    This is awesome! You're taking something that's complex and can be frustrating sometimes and adding more fun to it. Not to mention all the stuff you get to learn from the very knowledgeable members here and of course yourself. Keep it up! :) I can assure you I'll try and answer everything. Good job again, thanks!

  12. irom says:

    Hi, I've got the following message after typing the command 'cryp pki authenticate R1-MYSELF-CA' on R1:

    R1(config)#cryp pki authenticate R1-MYSELF-CA
    % Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

    Any idea?

    • Hello irom-

      I would check the following:

      Did R2 or any of the other routers successfully get a certificate from R1? If not, perhaps the CA server needs the "no shutdown" command, or needs to have HTTP enabled. Sometimes it takes several seconds before the CA server will allow a "no shutdown", and it is possible that with a cut/paste a console message saying CA Server Busy came up. If the no shutdown is successful, the router will prompt you for a password for the CA server.

      If the other routers did receive certificates from R1, but R1 didn’t, check to see that the CA name (as the server) and the PKI name (as the client) are NOT exactly the same name. The config I posted (near the end of the thread) has all the parts and pieces required for success.

      Let me know what you find.

      Thanks.

  13. Tacack-

    Thanks for the positive feedback!

  15. This is a great scenario. Thank you very much. You rock

  16. Would you be able to combine the Key Server router with the DMVPN hub into one router?

    And how do you approach this? Make the key server a group member of itself?

    Just a thought.
