VPN, full coverage

Imagine your company is gaining momentum: sales are growing, many branches are opening, and these branches are actively working with each other. This means you need to link them all together. Our equipment is Cisco routers, which, incidentally, only affects the final configuration examples; if you don't have Cisco, I found the OpenNHRP project online.

So, let's begin. First we will link the head office with the first branch using IPSEC.


We introduce addressing: the company's internal network is 10.0.0.0/8, the head office network is 10.0.0.0/24, and the network of the first branch is 10.1.0.0/24. The external address of the head office router is 172.16.0.2/30, and its default route goes, accordingly, to 172.16.0.1. To tell them apart more easily, we give the branch the "external" address 192.168.45.14/30, and the gateway will be the only remaining address in the range, 192.168.45.13.

Head Office Router:

!
! ISAKMP policy.
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
!
! Pre-shared key for the branch's external address.
!
crypto isakmp key MEGAKEY123 address 192.168.45.14
!
crypto ipsec transform-set BIGCOMPANY-TRSET esp-aes esp-sha-hmac
!
crypto ipsec profile BIGCOMPANY-profile
 set transform-set BIGCOMPANY-TRSET
!
interface FastEthernet0/0
 ip address 172.16.0.2 255.255.255.252
!
! Point-to-point tunnel to branch №1.
!
interface Tunnel1
 description Tunnel to filial №1 10.1.0.0/24
 ip address 10.55.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.168.45.14
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile BIGCOMPANY-profile
!
ip route 0.0.0.0 0.0.0.0 172.16.0.1
! Static route to the branch network through the tunnel.
ip route 10.1.0.0 255.255.255.0 10.55.0.2


The branch office router is configured by analogy; the main thing here is to analyze the shortcomings of the solution. By our assumption the number of branches is growing rapidly, so when you connect the second branch you will need to configure two more tunnels, for the third three, for the fourth four, and so on. You can stop at, say, the 20th and ask yourself: is this really how it should be done?

In such cases you need orders of magnitude more dynamism: routing protocols and multipoint VPN, which Cisco collectively calls DMVPN, Dynamic Multipoint VPN. At the start few people understand why they need OSPF and certificates; after all, it is much easier to type ip route 10.1.0.0 ..., and fiddling with certificates when you could simply enter a key at both ends looks like a perversion. But using one key at all points is unacceptable, and entering a separate key for every pair of points is unrealistic. So certificates will have to be mastered.

However, the topic of certificates in Cisco IPSEC is beyond the scope of this post; here I will show you what DMVPN is and how remarkable it is.

So, DMVPN is a combination of NHRP, a dynamic routing protocol (EIGRP, OSPF, IS-IS; you are not limited to these) and a multipoint GRE tunnel. DMVPN reduces the configuration of additional points to a minimum, clients can have dynamic addresses (the server needs a static one, since it is the entry point), and tunnels between clients come up automatically, on demand.

The NHRP protocol, the NBMA Next Hop Resolution Protocol, serves to resolve addresses on non-broadcast networks; in our case it helps to determine the external address of the router for which a packet is intended. Resolution is performed by the "hub", the server, to which the "spokes", the clients, report their addresses and from which they request information about other spokes.

I used DMVPN when the company began implementing VoIP, so as not to push voice traffic through the center. For example, Vasya from Tomsk needs to call Petya from Krasnoyarsk, and the tunnel between the routers will be established dynamically. Each router has an address in the tunnel (service) network (for example, 10.0.1.0/24), and the routers are registered with the center's NHRP server (10.0.1.1). When Tomsk needs to reach Krasnoyarsk, it looks at the routing table and sees that the route to that network goes through the 10.0.1.7 point. Through NHRP the router learns the public IP address of that router and can begin to establish an IPSEC tunnel. It doesn't sound very complicated in my opinion.

Let's take OSPF as the dynamic routing protocol, based on personal preference. It can easily be replaced by any other one you like.

The example uses a shared key, one for all. You can't do this in the real world; be sure to read up on certificates.

The relevant configuration of the central router:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
!
! One shared key for every peer (see the warning above).
!
crypto isakmp key MEGAKEY123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set BIGCOMPANY-TRSET esp-aes esp-sha-hmac
!
crypto ipsec profile BIGCOMPANY-profile
 set transform-set BIGCOMPANY-TRSET
!
interface FastEthernet0/0
 description WAN interface
 ip address 172.16.0.2 255.255.255.252
!
! mGRE hub interface. The tunnel key must be numeric (the original had "KUKU"),
! the tunnel source is the WAN interface (the original said Vlan1) and the mask
! matches the spokes' /24 so that OSPF adjacencies form.
interface Tunnel101
 ip address 10.0.1.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication KUKU321
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 3600
 ip nhrp cache non-authoritative
 ip tcp adjust-mss 1360
 no ip mroute-cache
 ip ospf network broadcast
 ip ospf hello-interval 30
 ip ospf priority 2
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile BIGCOMPANY-profile
!
! OSPF process, added here; the original post does not show it.
router ospf 1
 network 10.0.1.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 172.16.0.1
!


Branch Router:

! The crypto isakmp / crypto ipsec section is identical to the hub's and is not repeated here.
!
interface Tunnel7
 ip address 10.0.1.2 255.255.255.0
 no ip redirects
 ip nhrp authentication KUKU321
 ip nhrp map multicast dynamic
 ip nhrp map multicast 172.16.0.2
 ip nhrp map 10.0.1.1 172.16.0.2
 ip nhrp network-id 1
 ip nhrp holdtime 3600
 ip nhrp nhs 10.0.1.1
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1360
 no ip mroute-cache
 ip ospf network broadcast
 ip ospf hello-interval 30
 ip ospf priority 0
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile BIGCOMPANY-profile
!
! OSPF process, added here; the original post does not show it. Add the branch LAN as well.
router ospf 1
 network 10.0.1.0 0.0.0.255 area 0
!


As you can see, the basic settings sit on the Tunnel7 tunnel interface. The first block is the NHRP settings.
The ip nhrp map commands define how addresses are resolved. Here we set the correspondence between the NHRP server's internal address and its WAN address: ip nhrp map 10.0.1.1 172.16.0.2. By analogy, all multicast traffic is also directed to the same address. Finally, ip nhrp nhs sets the server address.
Note that the addresses of all DMVPN interfaces are from the same network.
The ip ospf commands set the dynamic routing parameters on the interface. They can be ip eigrp instead if you prefer.
Finally, tunnel protection ipsec profile BIGCOMPANY-profile enables encryption; as you might guess, this step is optional.

Here the spoke-to-spoke variant is shown, that is, a direct connection between DMVPN clients. There is also a hub-and-spoke variant, which only connects clients to the center.
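The registration and resolution steps from the Tomsk/Krasnoyarsk story and the NHRP settings explained above, as an added Python model of hub and spoke behaviour (not code from the post and not Cisco's implementation). The spoke at 10.0.1.5, the Krasnoyarsk public address 203.0.113.7 and the rogue 192.0.2.9 are constructed; the auth string, network-id and holdtime are the ones from the configs on this page.

```python
import ipaddress
from dataclasses import dataclass, field

NETWORK_ID = 1      # ip nhrp network-id 1
AUTH = "KUKU321"    # ip nhrp authentication KUKU321
HOLDTIME = 3600     # ip nhrp holdtime 3600 (seconds)

@dataclass
class NhrpServer:
    """Hub (NHS): tunnel address -> (public NBMA address, expiry) learned from registrations."""
    cache: dict = field(default_factory=dict)

    def register(self, tunnel_ip, nbma_ip, auth, network_id, now=0.0):
        # A registration with a wrong auth string or network-id is ignored.
        if auth != AUTH or network_id != NETWORK_ID:
            return False
        self.cache[tunnel_ip] = (nbma_ip, now + HOLDTIME)
        return True

    def resolve(self, tunnel_ip, auth, now=0.0):
        # Resolution request: unknown or expired entries get no answer.
        entry = self.cache.get(tunnel_ip)
        if auth != AUTH or entry is None or entry[1] <= now:
            return None
        return entry[0]

@dataclass
class Spoke:
    tunnel_ip: str
    routes: dict    # prefix -> next-hop tunnel address, as OSPF would install it
    nhs: NhrpServer

    def peer_nbma(self, dst_ip, now=0.0):
        """Longest-prefix match in the routing table, then NHRP-resolve the next hop."""
        dst = ipaddress.ip_address(dst_ip)
        best = max((p for p in self.routes if dst in ipaddress.ip_network(p)),
                   key=lambda p: ipaddress.ip_network(p).prefixlen, default=None)
        return None if best is None else self.nhs.resolve(self.routes[best], AUTH, now)

def demo():
    hub = NhrpServer()  # the NHS at 10.0.1.1, reachable at 172.16.0.2 as in the configs
    hub.register("10.0.1.1", "172.16.0.2", AUTH, NETWORK_ID)
    hub.register("10.0.1.7", "203.0.113.7", AUTH, NETWORK_ID)  # Krasnoyarsk (constructed)
    tomsk = Spoke("10.0.1.5", {"10.7.0.0/24": "10.0.1.7", "10.0.0.0/24": "10.0.1.1"}, hub)
    return {"rogue": hub.register("10.0.1.9", "192.0.2.9", "guess", NETWORK_ID),
            "krasnoyarsk": tomsk.peer_nbma("10.7.0.25", now=10),   # spoke-to-spoke
            "head_office": tomsk.peer_nbma("10.0.0.40", now=10),   # via the hub
            "expired": tomsk.peer_nbma("10.7.0.25", now=HOLDTIME + 1),
            "unknown": tomsk.peer_nbma("10.99.0.1", now=10)}
```

The expired case is why holdtime matters: once an entry ages out, the spoke must re-resolve through the hub before a direct tunnel can be rebuilt.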

I hope that someone faced with explosive business growth will know what to do after reading this post. The settings here are only an example; do not use the article as a HOW-TO, read cisco.com.

Additionally, I can say that setting up a router took us no more than half an hour: generating the certificate, uploading it to the router, generating the config (a simple bash script), hand-tweaking the config, and packing the box for shipping.

Further reading is on the official site. From the document you download there, it is clear that the uses of DMVPN are somewhat broader than presented here.

Source: https://habr.com/ru/post/51365/