DMVPN and IPSEC with Front Door VRF
In this post I want to show how to configure DMVPN with IPSEC, with tunnel source/destination IPs located in a separate VRF. Idea here is to have underlay network running in a VRF, often called FVRF or Front Door VRF.
By using Front Door VRF we are isolating transport network, usually Internet facing, and this allows us to configure default route that won't interfere with routing in our global table. There are other benefits of this design and it's quite commonly used in the SP/Enterprise world.
We will be working with the following topology:
-
R1 is a DMVPN hub
-
R2 and R3 are DMVPN spokes
-
Underlay network: 10.1.123.X/24
-
Overlay network: 172.16.0.X/24
-
Loopbacks: 10.0.0.X/32
First, we will configure VRFs and DMVPN before moving to IPSEC:
!!R1 (HUB) ip vrf FVRF rd 1:1 interface Loopback0 ip address 10.0.0.1 255.255.255.255 interface Ethernet0/0 ip vrf forwarding FVRF ip address 10.1.123.1 255.255.255.0 interface Tunnel123 ip address 172.16.0.1 255.255.255.0 tunnel source Ethernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel vrf FVRF ip nhrp authentication DMVPN ip nhrp map multicast dynamic ip nhrp network-id 123 ip mtu 1400 ip tcp adjust-mss 1360
Spoke configurations:
!!R2 ip vrf FVRF rd 1:1 interface Loopback0 ip address 10.0.0.2 255.255.255.255 interface Ethernet0/0 ip vrf forwarding FVRF ip address 10.1.123.2 255.255.255.0 interface Tunnel123 ip address 172.16.0.2 255.255.255.0 tunnel source Ethernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel vrf FVRF ip nhrp authentication DMVPN ip nhrp map 172.16.0.1 10.1.123.1 ip nhrp map multicast 10.1.123.1 ip nhrp network-id 123 ip nhrp nhs 172.16.0.1 ip mtu 1400 ip tcp adjust-mss 1360
!!R3 ip vrf FVRF rd 1:1 interface Loopback0 ip address 10.0.0.3 255.255.255.255 interface Ethernet0/0 ip vrf forwarding FVRF ip address 10.1.123.2 255.255.255.0 interface Tunnel123 ip address 172.16.0.2 255.255.255.0 tunnel source Ethernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel vrf FVRF ip nhrp authentication DMVPN ip nhrp map 172.16.0.1 10.1.123.1 ip nhrp map multicast 10.1.123.1 ip nhrp network-id 123 ip nhrp nhs 172.16.0.1 ip mtu 1400 ip tcp adjust-mss 1360
This is a pretty standard configuration for DMVPN Phase 1. The only thing that is non-standard is use of a separate VRF for the underlay and having to specify this in the configuration of our tunnels.
Command tunnel vrf FVRF tells IOS that tunnel source and destination will be located in VRF FVRF. This also means that overlay IPs will be located in the default/global VRF as tunnels themselves are not part of this VRF.
Let's check if everything is up and running as it should:
R1#sh dmvpn | b Inter Interface: Tunnel123, IPv4 NHRP Details Type:Hub, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 10.1.123.2 172.16.0.2 UP 00:00:29 D 1 10.1.123.3 172.16.0.3 UP 00:00:27 D R1#ping 172.16.0.2 r 2 Sending 2, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds: !! Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms R1#ping 172.16.0.3 r 2 Sending 2, 100-byte ICMP Echos to 172.16.0.3, timeout is 2 seconds: !! Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms
R2#ping 172.16.0.1 r 2 Sending 2, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds: !! Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms R2#ping 172.16.0.3 r 2 Sending 2, 100-byte ICMP Echos to 172.16.0.3, timeout is 2 seconds: !! Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms R2#sh dmvpn | b Inter Interface: Tunnel123, IPv4 NHRP Details Type:Spoke, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 10.1.123.1 172.16.0.1 UP 00:04:47 S 1 10.1.123.3 172.16.0.3 UP 00:00:37 D
R3#ping 172.16.0.1 r 2 Type escape sequence to abort. !! Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms R3#ping 172.16.0.2 r 2 Type escape sequence to abort. !! Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms R3#sh dmvpn | b Inter Interface: Tunnel123, IPv4 NHRP Details Type:Spoke, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 10.1.123.1 172.16.0.1 UP 00:06:20 S 1 10.1.123.2 172.16.0.2 UP 00:02:12 D
All is looking good, spokes registered with the hub and all three routers can ping each other.
Now we need to configure IPSEC and apply it to DVMPN tunnels. All of our routers will use the same config.
First we will configure isakmp policy and transform-set, nothing special is happening here, just standard IPSEC config:
crypto isakmp policy 10 encr 3des hash md5 authentication pre-share crypto ipsec transform-set TS esp-3des esp-md5-hmac mode transport
Next we need to define keyring in which we will specify our pre-shared key. In the keyring definition we also include VRF which will be used to establish IPSEC sessions.
crypto keyring KEYRING vrf FVRF pre-shared-key address 10.1.123.0 255.255.255.0 key CISCO
Once keyring is defined, we need to configure isakmp profile. In the profile we use the keyring we just created. We also need to specify identity of our peers and set VRF used to reach them.
crypto isakmp profile ISAKMP_PROF keyring KEYRING match identity address 10.1.123.0 255.255.255.0 FVRF
With isakmp profile configured we can now proceed to the definition of ipsec profile, which we then apply to our DVMPN tunnels. We will also enable OSPF on tunnels and loopback interfaces. This is just to show that routing will be established in the global VRF and it will allow us to ping between loopbacks.
!!R1-R3 crypto ipsec profile IPSEC_PROF set transform-set TS set isakmp-profile ISAKMP_PROF
!!R1 interface Loopback0 ip address 10.0.0.1 255.255.255.255 ip ospf 1 area 1 interface Tunnel123 ip ospf network broadcast ip ospf 1 area 0 tunnel protection ipsec profile IPSEC_PROF
!!R2 interface Loopback0 ip ospf 1 area 2 interface Tunnel123 ip ospf network broadcast ip ospf priority 0 ip ospf 1 area 0 tunnel protection ipsec profile IPSEC_PROF
!!R3 interface Loopback0 ip ospf 1 area 3 interface Tunnel123 ip ospf network broadcast ip ospf priority 0 ip ospf 1 area 0 tunnel protection ipsec profile IPSEC_PROF
Now that all of the config is in place we'll check if the tunnels are IPSEC protected:
R1#sh crypto session Interface: Tunnel123 Profile: ISAKMP_PROF Session status: UP-ACTIVE Peer: 10.1.123.3 port 500 Session ID: 0 IKEv1 SA: local 10.1.123.1/500 remote 10.1.123.3/500 Active IPSEC FLOW: permit 47 host 10.1.123.1 host 10.1.123.3 Active SAs: 2, origin: crypto map Interface: Tunnel123 Profile: ISAKMP_PROF Session status: UP-ACTIVE Peer: 10.1.123.2 port 500 Session ID: 0 IKEv1 SA: local 10.1.123.1/500 remote 10.1.123.2/500 Active IPSEC FLOW: permit 47 host 10.1.123.1 host 10.1.123.2 Active SAs: 2, origin: crypto map
R2#sh crypto session Interface: Tunnel123 Profile: ISAKMP_PROF Session status: UP-ACTIVE Peer: 10.1.123.1 port 500 Session ID: 0 IKEv1 SA: local 10.1.123.2/500 remote 10.1.123.1/500 Active IPSEC FLOW: permit 47 host 10.1.123.2 host 10.1.123.1 Active SAs: 2, origin: crypto map
R3
R3#sh crypto session Interface: Tunnel123 Profile: ISAKMP_PROF Session status: UP-ACTIVE Peer: 10.1.123.1 port 500 Session ID: 0 IKEv1 SA: local 10.1.123.3/500 remote 10.1.123.1/500 Active IPSEC FLOW: permit 47 host 10.1.123.3 host 10.1.123.1 Active SAs: 2, origin: crypto map
Then we check the status of OSPF and routing table.
R1#sh ip ospf ne Neighbor ID Pri State Dead Time Address Interface 10.0.0.2 0 FULL/DROTHER 00:00:32 172.16.0.2 Tunnel123 10.0.0.3 0 FULL/DROTHER 00:00:35 172.16.0.3 Tunnel123 R1#sh ip route | b Gate Gateway of last resort is not set 10.0.0.0/32 is subnetted, 3 subnets C 10.0.0.1 is directly connected, Loopback0 O IA 10.0.0.2 [110/1001] via 172.16.0.2, 00:01:36, Tunnel123 O IA 10.0.0.3 [110/1001] via 172.16.0.3, 00:01:31, Tunnel123 172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks C 172.16.0.0/24 is directly connected, Tunnel123 L 172.16.0.1/32 is directly connected, Tunnel123
R2#sh ip ospf ne Neighbor ID Pri State Dead Time Address Interface 10.0.0.1 1 FULL/DR 00:00:37 172.16.0.1 Tunnel123 R2#sh ip route | b Gate Gateway of last resort is not set 10.0.0.0/32 is subnetted, 3 subnets O IA 10.0.0.1 [110/1001] via 172.16.0.1, 00:01:58, Tunnel123 C 10.0.0.2 is directly connected, Loopback0 O IA 10.0.0.3 [110/1001] via 172.16.0.3, 00:01:53, Tunnel123 172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks C 172.16.0.0/24 is directly connected, Tunnel123 L 172.16.0.2/32 is directly connected, Tunnel123
R3#sh ip ospf ne Neighbor ID Pri State Dead Time Address Interface 10.0.0.1 1 FULL/DR 00:00:34 172.16.0.1 Tunnel123 R3#sh ip route | b Gate Gateway of last resort is not set 10.0.0.0/32 is subnetted, 3 subnets O IA 10.0.0.1 [110/1001] via 172.16.0.1, 00:01:59, Tunnel123 O IA 10.0.0.2 [110/1001] via 172.16.0.2, 00:01:59, Tunnel123 C 10.0.0.3 is directly connected, Loopback0 172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks C 172.16.0.0/24 is directly connected, Tunnel123 L 172.16.0.3/32 is directly connected, Tunnel123
Finally we will carry out ping between loopbacks of all of our devices.
R1#ping 10.0.0.2 sour l0 r 2 Sending 2, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds: Packet sent with a source address of 10.0.0.1 !! Success rate is 100 percent (2/2), round-trip min/avg/max = 5/5/6 ms R1#ping 10.0.0.3 sour l0 r 2 Sending 2, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds: Packet sent with a source address of 10.0.0.1 !! Success rate is 100 percent (2/2), round-trip min/avg/max = 5/5/6 ms
R2#ping 10.0.0.1 sour l0 r 2 Sending 2, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds: Packet sent with a source address of 10.0.0.2 !! Success rate is 100 percent (2/2), round-trip min/avg/max = 2/3/5 ms R2#ping 10.0.0.3 sour l0 r 2 Sending 2, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds: Packet sent with a source address of 10.0.0.2 !! Success rate is 100 percent (2/2), round-trip min/avg/max = 5/5/6 ms
R3#ping 10.0.0.1 sour l0 r 2 Sending 2, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds: Packet sent with a source address of 10.0.0.3 !! Success rate is 100 percent (2/2), round-trip min/avg/max = 5/5/5 ms R3#ping 10.0.0.2 sour l0 r 2 Sending 2, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds: Packet sent with a source address of 10.0.0.3 !! Success rate is 100 percent (2/2), round-trip min/avg/max = 5/5/6 ms
Following ping tests, R2 and R3 established spoke to spoke tunnels, which further confirms that our configuration is correct:
R2#sh crypto session remote 10.1.123.3 Interface: Tunnel123 Profile: ISAKMP_PROF Session status: UP-ACTIVE Peer: 10.1.123.3 port 500 Session ID: 0 IKEv1 SA: local 10.1.123.2/500 remote 10.1.123.3/500 Active Session ID: 0 IKEv1 SA: local 10.1.123.2/500 remote 10.1.123.3/500 Active IPSEC FLOW: permit 47 host 10.1.123.2 host 10.1.123.3 Active SAs: 4, origin: crypto map R2#sh ip nhrp | b 172.16.0.3 172.16.0.3/32 via 172.16.0.3 Tunnel123 created 00:01:53, expire 01:58:06 Type: dynamic, Flags: router used nhop NBMA address: 10.1.123.3
R3#sh crypto session remote 10.1.123.2 Interface: Tunnel123 Profile: ISAKMP_PROF Session status: UP-ACTIVE Peer: 10.1.123.2 port 500 Session ID: 0 IKEv1 SA: local 10.1.123.3/500 remote 10.1.123.2/500 Active Session ID: 0 IKEv1 SA: local 10.1.123.3/500 remote 10.1.123.2/500 Active IPSEC FLOW: permit 47 host 10.1.123.3 host 10.1.123.2 Active SAs: 4, origin: crypto map R3#sh ip nhrp | b 172.16.0.2 172.16.0.2/32 via 172.16.0.2 Tunnel123 created 00:02:10, expire 01:57:49 Type: dynamic, Flags: router used nhop NBMA address: 10.1.123.2
All done. We have achieved our goal. There is a full reachability between all of the devices over the IPSEC protected DMVPN tunnels with underlay network located in a separate VRF.
Overall the configuration of the IPSEC protected DMVPN with Front End VRF is similar to the standard DMVPN with IPSEC scenario. It differs only in a few places, where we need to tell IOS which VRF it needs to use for IPSEC negotiation.