Build dmVPN using Cisco and S-Terra
It so happened that officially the import of equipment with strict encryption (key length over 56 bits) was practically covered. The topic was discussed a lot, and those who already have networks deployed on Cisco vpn are not particularly worried - they don’t touch, and okay. But organizing a new small branch on Cisco or expanding the existing one became somewhat problematic (routers that go to the End-of-Sale as well as topics with changing software from NPE-K9 to K9 and rolling up SEC licenses will not be considered - this is, after all, illegal ).
What is the classic dmVPN? In a nutshell - we have the Central device - Hub and a bunch of remote Nodes - Spoke, with dynamic routing between them and the copy-paste configuration of new Spoke - the changes in the config are minimal, the central Hub does not need to be touched, the routes will scatter themselves over the network. Beauty!
What do you need to finish and finish, so that the scheme worked not on Cisco, but on a bunch of Cisco plus S-Terra?
')
The classic scheme is complicated by the fact that encryption with Cisco is taken out on a separate device. This can be either a module in a Cisco ISR router or a separate gateway.
In our case, the Cisco 2851 + MCM module is installed in the Center, and the Cisco 1941 + HWIC-4ESW + CSP VPN Gate 100 is installed at the remote site.
I want to note that although the connection is always initiated by the remote node, the tunnel is actually raised all the time due to the OSPF spinning inside.
We organize on the Central router dmVPN Hub.
Now we set up a crypto gateway. You can access it through the Service-Engine interface:
c2851 # service-module Special-Services-Engine 1/0 session
and exit by pressing Ctrl + Shift + 6, then "x" and typing
c2851 # service-module Special-Services-Engine 1/0 session clear
Total: the packet comes to the router, is packaged in GRE on the tunnel interface, sent to the crypto gateway, the crypto gateway encrypts GRE and throws it back to Cisco 2851, where it goes through NAT and flies off to the public network.
Then it arrives at Cisco 1941, and follows the same path as at Cisco 2851, only in the reverse order.
Now it remains to configure CSP VPN Gate 100:
Now when you turn on devices, OSPF will raise tunnels, exchange routes, and users of one network will be able to successfully reach users of another.
Unfortunately, with this scheme, there is no way around the need for a small Hub setting when adding Spoke - so the dmVPN charm is somewhat lost. However, the scale of the settings is much smaller compared to the classic Site-to-Site, and this is good news.
In conclusion, I would like to say that the cisco-like CLI S-Terra is just an interpreter of commands, which are then translated into commands for Linux, installed on all their devices. The interpreter’s work is quite specific, however, technical support from S-Terra is quite responsive and can help if something goes wrong.
In preparing the materials used cisco.com and s-terra.com, as well as correspondence with technical support for S-Terra.
What is the classic dmVPN? In a nutshell - we have the Central device - Hub and a bunch of remote Nodes - Spoke, with dynamic routing between them and the copy-paste configuration of new Spoke - the changes in the config are minimal, the central Hub does not need to be touched, the routes will scatter themselves over the network. Beauty!
What do you need to finish and finish, so that the scheme worked not on Cisco, but on a bunch of Cisco plus S-Terra?
')
The classic scheme is complicated by the fact that encryption with Cisco is taken out on a separate device. This can be either a module in a Cisco ISR router or a separate gateway.
In our case, the Cisco 2851 + MCM module is installed in the Center, and the Cisco 1941 + HWIC-4ESW + CSP VPN Gate 100 is installed at the remote site.
I want to note that although the connection is always initiated by the remote node, the tunnel is actually raised all the time due to the OSPF spinning inside.
We organize on the Central router dmVPN Hub.
!--- LoopBack
!
interface Loopback0
description -- loopback interface
ip address 172.31.100.1 255.255.255.255
!
!---
!
interface Tunnel0
description -- dmvpn hub S-Terra interface
bandwidth 10000
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn172
ip nhrp map multicast dynamic
ip nhrp network-id 172
ip nhrp holdtime 360
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf priority 10
delay 1000
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 100000
!
!--- OSPF
!
router ospf 1
router-id 172.31.100.1
log-adjacency-changes
redistribute connected subnets route-map rm_conn_net
network 172.16.0.0 0.0.0.255 area 0
!
ip access-list extended acl_connected_network
remark -- redistribute networks to ospf
permit ip 192.168.0.0 0.0.0.255 any
permit ip host 172.31.100.1 any
!
route-map rm_conn_net permit 10
match ip address acl_connected_network
!
!
!--- , -.
!--- , loopback -
!
ip route 172.31.100.10 255.255.255.255 172.31.0.2 name c1941-loop
!
!--- -
!
interface Special-Services-Engine1/0
ip address 172.31.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no keepalive
!
!--- NAT
!
ip nat inside source static udp 172.31.0.2 500 10.0.0.1 500 extendable
ip nat inside source static udp 172.31.0.2 4500 10.0.0.1 4500 extendable
!
Now we set up a crypto gateway. You can access it through the Service-Engine interface:
c2851 # service-module Special-Services-Engine 1/0 session
and exit by pressing Ctrl + Shift + 6, then "x" and typing
c2851 # service-module Special-Services-Engine 1/0 session clear
!
crypto isakmp identity hostname
ip host csp-c1941 10.0.0.10
hostname csp-nmervpn
!
!
crypto isakmp policy 100
hash sha
encr aes
authentication pre-share
group 2
!
crypto isakmp key dmvpn172 hostname csp-c1941
!
crypto ipsec transform-set ts_dmvpn172 esp-aes esp-sha-hmac
!
ip access-list extended acl_crypto
permit gre host 172.31.100.1 any
!
crypto dynamic-map dm_vpn 100
match address acl_crypto
set transform-set ts_dmvpn172
!
crypto map cm_vpn 100 ipsec-isakmp dynamic dm_vpn
!
interface FastEthernet0/0
ip address 172.31.0.2 255.255.255.0
crypto map cm_vpn
!
ip route 0.0.0.0 0.0.0.0 172.31.0.1
!
Total: the packet comes to the router, is packaged in GRE on the tunnel interface, sent to the crypto gateway, the crypto gateway encrypts GRE and throws it back to Cisco 2851, where it goes through NAT and flies off to the public network.
Then it arrives at Cisco 1941, and follows the same path as at Cisco 2851, only in the reverse order.
!--- LoopBack
!
interface Loopback0
description -- router id
ip address 172.31.100.10 255.255.255.255
!
!---
!
interface Tunnel0
description -- dmvpn spoke interface
bandwidth 10000
ip address 172.16.0.10 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn172
ip nhrp map 172.16.0.1 172.31.100.1
ip nhrp map multicast 172.31.100.1
ip nhrp network-id 172
ip nhrp nhs 172.16.0.1
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 100000
!
!--- -
!
interface Vlan2
description -- to S-Terra Gate100
ip address 172.31.10.1 255.255.255.0
ip nat inside
!
!--- 0/0/0 VPN Gate 100
!
interface FastEthernet0/0/0
description -- to S-Terra Gate100
switchport access vlan 2
!
!--- –
!
interface FastEthernet0/0/1
description -- local net
!
interface FastEthernet0/0/2
description -- local net
!
interface FastEthernet0/0/3
description -- local net
!
interface Vlan1
description -- to local net
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
!--- OSPF
!
router ospf 2
router-id 172.31.100.10
log-adjacency-changes
redistribute connected subnets route-map rm_conn_net
network 172.16.0.0 0.0.0.255 area 0
!
ip access-list extended acl_conn_net
remark -- redistribute networks to ospf
permit ip 192.168.10.0 0.0.0.255 any
permit ip host 172.31.100.10 any
!
route-map rm_conn_net permit 10
match ip address acl_conn_net
!
!--- NAT
!
ip nat inside source static udp 172.31.10.2 500 10.0.0.10 500 extendable
ip nat inside source static udp 172.31.10.2 4500 10.0.0.10 4500 extendable
!Now it remains to configure CSP VPN Gate 100:
!
crypto isakmp identity hostname
ip host csp-nmervpn 10.0.0.1
hostname csp-c1941
!
crypto isakmp policy 100
hash sha
encr aes
authentication pre-share
group 2
!
crypto isakmp key dmvpn172 hostname csp-nmervpn
!
crypto ipsec transform-set ts_dmvpn172 esp-aes esp-sha-hmac
!
ip access-list extended acl_crypto
permit gre host 172.31.100.10 host 172.31.100.1
!
crypto map cm_vpn 100 ipsec-isakmp
match address acl_crypto
set transform-set ts_dmvpn172
set peer 10.0.0.1
!
interface FastEthernet0/1
description – to c1941-1
ip address 172.31.10.1 255.255.255.0
crypto map cm_vpn
!
ip route 0.0.0.0 0.0.0.0 172.31.10.1
!
crypto isakmp peer address 10.0.0.1
set aggressive-mode client-endpoint ipv4-address 10.0.0.1
!
Now when you turn on devices, OSPF will raise tunnels, exchange routes, and users of one network will be able to successfully reach users of another.
Unfortunately, with this scheme, there is no way around the need for a small Hub setting when adding Spoke - so the dmVPN charm is somewhat lost. However, the scale of the settings is much smaller compared to the classic Site-to-Site, and this is good news.
In conclusion, I would like to say that the cisco-like CLI S-Terra is just an interpreter of commands, which are then translated into commands for Linux, installed on all their devices. The interpreter’s work is quite specific, however, technical support from S-Terra is quite responsive and can help if something goes wrong.
In preparing the materials used cisco.com and s-terra.com, as well as correspondence with technical support for S-Terra.
Source: https://habr.com/ru/post/114328/
All Articles