vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-26 08:41:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Added DMVPN subchapter to VPN

Browse Source
This commit is contained in:
Christian Poessinger 2018-10-03 10:34:59 +02:00
parent 538157c91d
commit 8c87d8f47e
2 changed files with 408 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

409
docs/ch09-vpn.rst
View File

@ -407,5 +407,412 @@ rules. (if you used the default configuration at the top of this page)
DMVPN
-----
Advanced DMVPN configuration examples are available on the [[DMVPN]] page.
**D** ynamic **M** ultipoint **V** irtual **P** rivate **N** etworking
DMVPN is a dynamic VPN technology originally developed by Cisco. While their
implementation was somewhat proprietary, the underlying technologies are
actually standards based. The three technologies are:
* **NHRP** - NBMA Next Hop Resolution Protocol RFC2332_
* **mGRE** - Multipoint Generic Routing Encapsulation / mGRE RFC1702_
* **IPSec** - IP Security (too many RFCs to list, but start with RFC4301_)
NHRP provides the dynamic tunnel endpoint discovery mechanism (endpoint
registration, and endpoint discovery/lookup), mGRE provides the tunnel
encapsulation itself, and the IPSec protocols handle the key exchange, and
crypto mechanism.
In short, DMVPN provides the capability for creating a dynamic-mesh VPN
network without having to pre-configure (static) all possible tunnel end-point
peers.
**NOTE:** DMVPN only automates the tunnel endpoint discovery and setup. A
complete solution also incorporates the use of a routing protocol. BGP is
particularly well suited for use with DMVPN.
Baseline Configuration:
**STEPS:**
#. Create tunnel config (`interfaces tunnel`)
#. Create nhrp (`protocols nhrp`)
#. Create ipsec vpn (optional, but recommended for security) (`vpn ipsec`)
The tunnel will be set to mGRE if for encapsulation `gre` is set, and no
`remote-ip` is set. If the public ip is provided by DHCP the tunnel `local-ip`
can be set to "0.0.0.0"
.. figure:: images/Baseline-DMVPN-Topology.png
:scale: 40 %
:alt: Baseline DMVPN topology
Baseline DMVPN topology
HUB Configuration
^^^^^^^^^^^^^^^^^
.. code-block:: sh
interfaces
tunnel <tunN> {
address <ipv4>
encapsulation gre
local-ip <public ip>
multicast enable
description <txt>
parameters {
ip {
<usual IP options>
}
}
}
}
protocols {
nhrp {
tunnel <tunN> {
cisco-authentication <key phrase>
holding-time <seconds>
multicast dynamic
redirect
}
}
}
vpn {
ipsec {
esp-group <text> {
lifetime <30-86400>
mode tunnel
pfs enable
proposal <1-65535> {
encryption aes256
hash sha1
}
proposal <1-65535> {
encryption 3des
hash md5
}
}
ike-group <text> {
key-exchange ikev1
lifetime <30-86400>
proposal <1-65535> {
encryption aes256
hash sha1
}
proposal <1-65535> {
encryption aes128
hash sha1
}
}
ipsec-interfaces {
interface <ethN>
}
profile <text> {
authentication {
mode pre-shared-secret
pre-shared-secret <key phrase>
}
bind {
tunnel <tunN>
}
esp-group <text>
ike-group <text>
}
}
}
HUB Example Configuration:
.. code-block:: sh
set interfaces ethernet eth0 address '1.1.1.1/30'
set interfaces ethernet eth1 address '192.168.1.1/24'
set system host-name 'HUB'
set interfaces tunnel tun0 address 10.0.0.1/24
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 1.1.1.1
set interfaces tunnel tun0 multicast enable
set interfaces tunnel tun0 parameters ip key 1
set protocols nhrp tunnel tun0 cisco-authentication SECRET
set protocols nhrp tunnel tun0 holding-time 300
set protocols nhrp tunnel tun0 multicast dynamic
set protocols nhrp tunnel tun0 redirect
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-HUB proposal 1
set vpn ipsec ike-group IKE-HUB proposal 1 encryption aes256
set vpn ipsec ike-group IKE-HUB proposal 1 hash sha1
set vpn ipsec ike-group IKE-HUB proposal 2 encryption aes128
set vpn ipsec ike-group IKE-HUB proposal 2 hash sha1
set vpn ipsec ike-group IKE-HUB lifetime 3600
set vpn ipsec esp-group ESP-HUB proposal 1 encryption aes256
set vpn ipsec esp-group ESP-HUB proposal 1 hash sha1
set vpn ipsec esp-group ESP-HUB proposal 2 encryption 3des
set vpn ipsec esp-group ESP-HUB proposal 2 hash md5
set vpn ipsec esp-group ESP-HUB lifetime 1800
set vpn ipsec esp-group ESP-HUB pfs dh-group2
set vpn ipsec profile NHRPVPN
set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET
set vpn ipsec profile NHRPVPN bind tunnel tun0
set vpn ipsec profile NHRPVPN esp-group ESP-HUB
set vpn ipsec profile NHRPVPN ike-group IKE-HUB
set protocols static route 0.0.0.0/0 next-hop 1.1.1.2
set protocols static route 192.168.2.0/24 next-hop 10.0.0.2
set protocols static route 192.168.3.0/24 next-hop 10.0.0.3
SPOKE Configuration
^^^^^^^^^^^^^^^^^^^
SPOKE1 Configuration:
.. code-block:: sh
interfaces
tunnel <tunN> {
address <ipv4>
encapsulation gre
local-ip <public ip>
multicast enable
description <txt>
parameters {
ip {
<usual IP options>
}
}
}
}
protocols {
nhrp {
tunnel <tunN> {
cisco-authentication <key phrase>
map <ipv4/net> {
nbma-address <ipv4>
register
}
holding-time <seconds>
multicast nhs
redirect
shortcut
}
}
}
vpn {
ipsec {
esp-group <text> {
lifetime <30-86400>
mode tunnel
pfs enable
proposal <1-65535> {
encryption aes256
hash sha1
}
proposal <1-65535> {
encryption 3des
hash md5
}
}
ike-group <text> {
key-exchange ikev1
lifetime <30-86400>
proposal <1-65535> {
encryption aes256
hash sha1
}
proposal <1-65535> {
encryption aes128
hash sha1
}
}
ipsec-interfaces {
interface <ethN>
}
profile <text> {
authentication {
mode pre-shared-secret
pre-shared-secret <key phrase>
}
bind {
tunnel <tunN>
}
esp-group <text>
ike-group <text>
}
}
}
SPOKE1 Example Configuration
.. code-block:: sh
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '192.168.2.1/24'
set system host-name 'SPOKE1'
set interfaces tunnel tun0 address 10.0.0.2/24
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 0.0.0.0
set interfaces tunnel tun0 multicast enable
set interfaces tunnel tun0 parameters ip key 1
set protocols nhrp tunnel tun0 cisco-authentication 'SECRET'
set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 1.1.1.1
set protocols nhrp tunnel tun0 map 10.0.0.1/24 'register'
set protocols nhrp tunnel tun0 multicast 'nhs'
set protocols nhrp tunnel tun0 'redirect'
set protocols nhrp tunnel tun0 'shortcut'
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-SPOKE proposal 1
set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption aes256
set vpn ipsec ike-group IKE-SPOKE proposal 1 hash sha1
set vpn ipsec ike-group IKE-SPOKE proposal 2 encryption aes128
set vpn ipsec ike-group IKE-SPOKE proposal 2 hash sha1
set vpn ipsec ike-group IKE-SPOKE lifetime 3600
set vpn ipsec esp-group ESP-SPOKE proposal 1 encryption aes256
set vpn ipsec esp-group ESP-SPOKE proposal 1 hash sha1
set vpn ipsec esp-group ESP-SPOKE proposal 2 encryption 3des
set vpn ipsec esp-group ESP-SPOKE proposal 2 hash md5
set vpn ipsec esp-group ESP-SPOKE lifetime 1800
set vpn ipsec esp-group ESP-SPOKE pfs dh-group2
set vpn ipsec profile NHRPVPN
set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET
set vpn ipsec profile NHRPVPN bind tunnel tun0
set vpn ipsec profile NHRPVPN esp-group ESP-SPOKE
set vpn ipsec profile NHRPVPN ike-group IKE-SPOKE
set protocols static route 192.168.1.0/24 next-hop 10.0.0.1
set protocols static route 192.168.3.0/24 next-hop 10.0.0.3
SPOKE2 Configuration
.. code-block:: sh
interfaces
tunnel <tunN> {
address <ipv4>
encapsulation gre
local-ip <public ip>
multicast enable
description <txt>
parameters {
ip {
<usual IP options>
}
}
}
}
protocols {
nhrp {
tunnel <tunN> {
cisco-authentication <key phrase>
map <ipv4/net> {
nbma-address <ipv4>
register
}
holding-time <seconds>
multicast nhs
redirect
shortcut
}
}
}
vpn {
ipsec {
esp-group <text> {
lifetime <30-86400>
mode tunnel
pfs enable
proposal <1-65535> {
encryption aes256
hash sha1
}
proposal <1-65535> {
encryption 3des
hash md5
}
}
ike-group <text> {
key-exchange ikev1
lifetime <30-86400>
proposal <1-65535> {
encryption aes256
hash sha1
}
proposal <1-65535> {
encryption aes128
hash sha1
}
}
ipsec-interfaces {
interface <ethN>
}
profile <text> {
authentication {
mode pre-shared-secret
pre-shared-secret <key phrase>
}
bind {
tunnel <tunN>
}
esp-group <text>
ike-group <text>
}
}
}
SPOKE2 Example Configuration
.. code-block:: sh
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '192.168.3.1/24'
set system host-name 'SPOKE2'
set interfaces tunnel tun0 address 10.0.0.3/24
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 0.0.0.0
set interfaces tunnel tun0 multicast enable
set interfaces tunnel tun0 parameters ip key 1
set protocols nhrp tunnel tun0 cisco-authentication SECRET
set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 1.1.1.1
set protocols nhrp tunnel tun0 map 10.0.0.1/24 register
set protocols nhrp tunnel tun0 multicast nhs
set protocols nhrp tunnel tun0 redirect
set protocols nhrp tunnel tun0 shortcut
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-SPOKE proposal 1
set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption aes256
set vpn ipsec ike-group IKE-SPOKE proposal 1 hash sha1
set vpn ipsec ike-group IKE-SPOKE proposal 2 encryption aes128
set vpn ipsec ike-group IKE-SPOKE proposal 2 hash sha1
set vpn ipsec ike-group IKE-SPOKE lifetime 3600
set vpn ipsec esp-group ESP-SPOKE proposal 1 encryption aes256
set vpn ipsec esp-group ESP-SPOKE proposal 1 hash sha1
set vpn ipsec esp-group ESP-SPOKE proposal 2 encryption 3des
set vpn ipsec esp-group ESP-SPOKE proposal 2 hash md5
set vpn ipsec esp-group ESP-SPOKE lifetime 1800
set vpn ipsec esp-group ESP-SPOKE pfs dh-group2
set vpn ipsec profile NHRPVPN
set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET
set vpn ipsec profile NHRPVPN bind tunnel tun0
set vpn ipsec profile NHRPVPN esp-group ESP-SPOKE
set vpn ipsec profile NHRPVPN ike-group IKE-SPOKE
set protocols static route 192.168.1.0/24 next-hop 10.0.0.1
set protocols static route 192.168.2.0/24 next-hop 10.0.0.2
.. _RFC2332: https://tools.ietf.org/html/rfc2332
.. _RFC1702: https://tools.ietf.org/html/rfc1702
.. _RFC4301: https://tools.ietf.org/html/rfc4301

BIN
docs/images/Baseline-DMVPN-Topology.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 92 KiB