EIGRP Over GRE Point-To-Multipoint DMVPN With IPSec
Subodh Pachghare
Hi Guys, back again to bust one more topology. Let's look into DMVPN (Dynamic Multipoint VPN) technology with IPSec encryption, which is useful when we want to connect multiple branch offices to a head office over VPN. We can either go for a static Hub-Spoke VPN, where the head office is the hub and the branch offices are spokes; in this case a branch office can only communicate with the head office, and communication with another branch office goes through the head office connection. The other option is Spoke-Spoke, so that branch offices can form dynamic tunnels with each other. A Hub-Spoke plus Spoke-Spoke topology definitely saves bandwidth compared to a Spoke-Hub-Spoke topology, but NHRP (Next Hop Resolution Protocol) is needed for Spoke-Spoke communication to work. I will explain more about this later in the post.
Above is the typical scenario for implementing DMVPN, where we want to span our internal routing region over the WAN connection to the branch offices with encryption for security. Let's list some important considerations related to the topology.
EIGRP 510 with the 52.1.1.0/24 network is the head office network.
Router R8 is the gateway for all traffic in the head office.
Router R1 acts as the DMVPN router for the head office and is connected to ISP router R6.
Router R1 runs routing processes for both EIGRP 510 and EIGRP 1000.
EIGRP 510 and EIGRP 1000 are completely redistributed into each other on Router R1. (Please read this post if you are unclear about route redistribution.)
Default route for R1 is 11.1.1.2.
Router R1 has IPSec crypto configuration with pre-shared key authentication.
Router R1 is configured with tunnel interface 10.0.0.1. More on this in the next section.
The ISP region is configured with three routers running EIGRP. It simply represents the WAN connection to the branch offices.
Similarly, Branch Office 2 has the 54.1.1.0/24 network with R2 as the DMVPN router.
Router R2 runs both EIGRP 1000 and EIGRP 530 routing processes, which are completely redistributed into each other.
Branch Office 1 has the 53.1.1.0/24 network. Router R3 is the DMVPN router for Branch Office 1.
Router R3 runs both EIGRP 1000 and EIGRP 520 routing processes, completely redistributed into each other.
Routers R2 and R3 are configured with tunnel interface IP addresses 10.0.0.3 and 10.0.0.2 respectively.
The ISP region sees all internal IP traffic as ESP (Encapsulating Security Payload) packets.
EIGRP 1000 routing messages are encapsulated in GRE (Generic Routing Encapsulation).
Tunnels at the DMVPN routers are protected using IPSec profiles.
Layered diagram:
Hub Section:
Let's look into the Router R1 configuration.
Encryption/Authentication configuration:
crypto isakmp policy 1
 encr aes
 authentication pre-share
crypto isakmp key awesome address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set awesomeset esp-aes esp-sha-hmac
!
crypto ipsec profile awesomeprofile
 set transform-set awesomeset
First we need to set up ISAKMP (Internet Security Association and Key Management Protocol). This protocol negotiates the key exchange and the SA (Security Association) parameters. Encryption is AES (Advanced Encryption Standard) and the authentication mode is pre-share. The key "awesome" is used for all connections (wildcard address 0.0.0.0 0.0.0.0), as this is a DMVPN configuration where the hub does not know the spoke addresses in advance. The IPSec SA is defined by the encryption algorithm, the authentication algorithm and the shared session key.
The transform set statement specifies the ESP transforms to be used: esp-aes for encryption and esp-sha-hmac for authentication (integrity). Then an IPSec profile is created with the "awesomeset" transform set. Later we can use this profile at different places to enforce the IPSec policy.
Tunnel configuration:
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 1000
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 1000
 tunnel source 11.1.1.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile awesomeprofile
The tunnel interface is configured with the 10.0.0.0/24 network. First let's analyze NHRP (Next Hop Resolution Protocol). NHRP is an address resolution protocol, playing the role that ARP plays at layer 2. It is used by branch routers connected to NBMA (Non-Broadcast Multi-Access) networks to determine the IP address of another branch router.
Note: do not consider the tunnel interface IP as the actual IP address carried in the IP packet header. Consider it as the tunnel pipe on the same router: packets destined to the tunnel network enter it and get mapped onto the actual networks. The receiving router does exactly the mirror image of this operation.
Packets destined to the 10.0.0.0/24 network from R8 go through the R1 tunnel interface, where NHRP maps the next-hop tunnel interface IP address to the actual interface IP of the next-hop DMVPN router. To elaborate: R8 sees the 53.1.1.0/24 network at the Branch Office 1 location via the 10.0.0.0/24 network through redistribution, so R8 forwards the packet to R1. R1 maintains an NHRP table that maps the next-hop tunnel interface IP address 10.0.0.2 to the actual IP address 13.1.1.2.
Let's summarize it again:
Router R8 sees the 53.1.1.0/24 network through the 10.0.0.2 (EIGRP 1000 network) IP address.
Route redistribution at router R1 lets R8 learn the routes in the EIGRP 1000 network.
Moving on, the tunnel source statement specifies the outgoing interface for the tunnel. GRE (Generic Routing Encapsulation) is used to carry routing-related information such as multicast messages over the WAN to the branch offices; this is how EIGRP 1000 is spanned across multiple sites. Here GRE is configured in multipoint mode. Tunnel protection is applied to encrypt all the traffic (IP and non-IP) going out over the WAN.
As I have already discussed, NHRP provides a mapping between the inside (tunnel) and outside (NBMA) interface IP addresses of a tunnel. These mappings can be static or dynamic; an NHS (Next Hop Server) is used in the dynamic case. The "ip nhrp map multicast dynamic" statement at R1 provides dynamic multicast mapping for NHRP: it automatically adds routers to the multicast NHRP mappings as they register. The NHRP network id is 1 here. Dynamic multicast mapping is also required when the branch-end router initiates the GRE connection, and dynamic routing protocols such as IGPs, which send multicast messages, also require multicast mapping.
EIGRP Split Horizon and Next-Hop-Self configuration:
For dynamic routing protocols, certain configuration is needed to enable Spoke-to-Spoke communication in DMVPN.
Note: routing protocols use IP multicast to discover other routers participating in the routing process. A static map is configured on the branch routers R3 and R2 pointing towards the public address of the head office router, which is configured for dynamic multicast mapping. This allows only branch-to-head exchange of the multicast routing messages; the spokes do not receive each other's multicast traffic.
no ip next-hop-self eigrp 1000
This statement prevents the DMVPN hub router from advertising itself as the next hop. The advertisement must carry the original next-hop router for Spoke-to-Spoke to work. By default every EIGRP hub advertises the IP next-hop value as itself; after applying this statement EIGRP keeps the received next-hop value when advertising the routes.
no ip split-horizon eigrp 1000
This statement allows the DMVPN hub to re-advertise routes received on Tunnel0 back out of the same interface, to the other spokes. Normally this is prevented by split horizon.
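A small model of the interaction just described, added here as an example and not part of the original post: R1 re-advertises Branch Office 1's 53.1.1.0/24 towards R2 under the two EIGRP settings, and R2 resolves the next hop through NHRP using only the addresses given in the post.

```python
# Constructed model, not the post's own code: how R1's split-horizon and next-hop-self
# settings decide whether R2 reaches 53.1.1.0/24 via the hub or directly via R3.
HUB_TUNNEL_IP, HUB_NBMA = "10.0.0.1", "11.1.1.1"
NHS_TABLE = {"10.0.0.1": "11.1.1.1", "10.0.0.2": "13.1.1.2"}   # R1's NHRP table from the post
SPOKE_ROUTES = [("53.1.1.0/24", "10.0.0.2"),                   # R3's LAN, learned over Tunnel0
                ("54.1.1.0/24", "10.0.0.3")]                   # R2's LAN, learned over Tunnel0

def hub_advertises(to_spoke, split_horizon, next_hop_self):
    """Routes R1 sends back out Tunnel0 to one spoke, as (prefix, next hop) pairs."""
    adverts = []
    for prefix, from_spoke in SPOKE_ROUTES:
        if from_spoke == to_spoke or split_horizon:
            continue          # split horizon: learned on Tunnel0, so not re-sent on Tunnel0
        adverts.append((prefix, HUB_TUNNEL_IP if next_hop_self else from_spoke))
    return adverts

def spoke_resolves(adverts, prefix):
    """Return (next hop, NBMA address) the spoke tunnels to for prefix, or None.
    The spoke's NHRP cache starts with only its static map for the hub."""
    nhrp_cache = {HUB_TUNNEL_IP: HUB_NBMA}      # ip nhrp map 10.0.0.1 11.1.1.1
    for p, nh in adverts:
        if p == prefix:
            if nh not in nhrp_cache:            # resolution request to the NHS (hub)
                nhrp_cache[nh] = NHS_TABLE[nh]
            return nh, nhrp_cache[nh]
    return None

def r2_path_to_branch1(split_horizon, next_hop_self):
    """How R2 (10.0.0.3) reaches Branch Office 1 under the given hub settings."""
    return spoke_resolves(hub_advertises("10.0.0.3", split_horizon, next_hop_self), "53.1.1.0/24")

if __name__ == "__main__":
    print("default EIGRP:           ", r2_path_to_branch1(True, True))    # None: route not learned
    print("no split-horizon only:   ", r2_path_to_branch1(False, True))   # via hub 11.1.1.1
    print("both disabled (the post):", r2_path_to_branch1(False, False))  # direct to 13.1.1.2
```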
Routing configuration:
router eigrp 1000
 redistribute eigrp 510 metric 56000 10 255 255 1500
 network 10.0.0.0 0.0.0.255
 auto-summary
!
router eigrp 510
 redistribute eigrp 1000 metric 56000 10 255 255 1500
 network 52.1.1.0 0.0.0.255
 auto-summary
!
ip route 0.0.0.0 0.0.0.0 11.1.1.2
EIGRP 510 and EIGRP 1000 are redistributed. The default route is 11.1.1.2.
Spoke section:
Now let's look into Router R3 for the branch router configuration.
The IPSec configuration is the same as that of the hub router.
Tunnel configuration:
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 1000
 ip nhrp map 10.0.0.1 11.1.1.1
 ip nhrp map multicast 11.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 no ip split-horizon eigrp 1000
 tunnel source 13.1.1.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile awesomeprofile
NHRP maps the tunnel interface IP of the hub to its corresponding NBMA address. Multicast is mapped to the NBMA address of the hub router so that all routing messages are forwarded through the tunnel. The NHS (Next Hop Server) is pointed at the tunnel interface IP address of the hub router. The rest of the statements are pretty much the same as on the hub router.
Routing configuration:
router eigrp 1000
 redistribute eigrp 520 metric 56000 10 255 255 1500
 network 10.0.0.0 0.0.0.255
 auto-summary
!
router eigrp 520
 redistribute eigrp 1000 metric 56000 10 255 255 1500
 network 53.1.1.0 0.0.0.255
 auto-summary
!
ip route 0.0.0.0 0.0.0.0 13.1.1.1
EIGRP 1000 and EIGRP 520 are redistributed. The default route is 13.1.1.1.
Router R2 has a similar configuration to router R3.
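A consistency check for a hub/spoke tunnel pair, added here as an example and not part of the original post: it parses the Tunnel0 stanzas shown above (the spoke copy deliberately lacks its NHS and tunnel-protection lines) and reports what would stop spoke-to-spoke tunnels from forming or leave GRE crossing the WAN unencrypted.

```python
import re
# Constructed sample, not the post's own code: R1's Tunnel0 as in the hub section, and
# R3's Tunnel0 with its NHS and tunnel-protection lines deliberately removed.
HUB_TUNNEL = """interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip next-hop-self eigrp 1000
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 1000
 tunnel source 11.1.1.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile awesomeprofile"""
SPOKE_TUNNEL = """interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip next-hop-self eigrp 1000
 ip nhrp map 10.0.0.1 11.1.1.1
 ip nhrp map multicast 11.1.1.1
 ip nhrp network-id 1
 no ip split-horizon eigrp 1000
 tunnel source 13.1.1.2
 tunnel mode gre multipoint"""

def parse(stanza):
    # Stripped config lines plus the fields the cross-checks need.
    lines = {l.strip() for l in stanza.splitlines() if l.strip()}
    def grab(pat):
        m = next((re.match(pat, l) for l in lines if re.match(pat, l)), None)
        return m.group(1) if m else None
    return {"lines": lines, "ip": grab(r"ip address (\S+)"),
            "nbma": grab(r"tunnel source (\S+)"),
            "netid": grab(r"ip nhrp network-id (\S+)"), "nhs": grab(r"ip nhrp nhs (\S+)")}

def audit(hub_cfg, spoke_cfg, asn="1000"):
    # Returns a list of findings; an empty list means the pair is consistent.
    hub, spoke, findings = parse(hub_cfg), parse(spoke_cfg), []
    for name, cfg in (("hub", hub), ("spoke", spoke)):
        for must in ("tunnel mode gre multipoint", f"no ip split-horizon eigrp {asn}",
                     f"no ip next-hop-self eigrp {asn}"):  # needed for spoke-to-spoke
            if must not in cfg["lines"]:
                findings.append(f"{name}: missing '{must}'")
        if not any(l.startswith("tunnel protection ipsec profile ") for l in cfg["lines"]):
            findings.append(f"{name}: no IPSec profile on tunnel, GRE would cross the WAN in clear")
    if hub["netid"] != spoke["netid"]:
        findings.append("nhrp network-id differs between hub and spoke")
    if spoke["nhs"] != hub["ip"]:
        findings.append(f"spoke: 'ip nhrp nhs {hub['ip']}' (hub tunnel IP) is missing")
    if f"ip nhrp map {hub['ip']} {hub['nbma']}" not in spoke["lines"]:
        findings.append("spoke: static NHRP map of hub tunnel IP to hub NBMA address is missing")
    return findings
```

Running audit(HUB_TUNNEL, SPOKE_TUNNEL) reports the two deliberately removed lines; adding them back yields an empty list.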
Spoke-to-Spoke dynamic tunnel formation:
Check on R3 for the flags "D - Dynamic" and "S - Static" using the "sh dmvpn" command. If the Spoke-to-Spoke entry is not present, ping the other spoke and check again; the Spoke-Spoke dynamic tunnel will form. The IPSec crypto state can be checked using "sh crypto isakmp sa".
Some interesting packet capture snapshots:
Tunnel formation at Router R1 for both spoke routers:
This is a really cool topology and it got my routing abstraction level concepts cleared.
That's it guys, I will explore more about IPSec in upcoming posts.
Happy Networking. Do write me regarding any suggestions or problems.
All router configurations with packet captures can be downloaded here.
Labels: cisco, Cisco/Enterasys, DMVPN, EIGRP, GRE, Information Security, IPSec, network, Networking, NHRP, VPN.
License CC BY-NC-SA 3.0 Unported, unless otherwise noted by end of post. © 2010-2013 Subodh Pachghare. Powered by Blogger.