Consider the example of connecting a small office to a DMVPN cloud, where a single ISP provides Internet access and the office router receives a public (white) static IP address via DHCP:

Figure 6. Diagram showing how to connect a branch office router to a provider's network with addressing issued via DHCP
The office local area network is provided by a single access switch, which is connected directly to the router at the network border. Assign names to the devices right away for convenience in further configuration.
```
hostname RT-OFFICE-2
```
```
hostname SW-OFFICE-2
```
As part of this guide, examine a simple access switch configuration for connecting the equipment of a branch office to a border router. The parameters of the office's local network are described in Table 11.
Table 11. Local network parameters for branch office No. 2
| Purpose | VLAN | Subnet |
|---|---|---|
| Local area network of the branch office No. 2 | 100 | 192.168.12.0/24 |
Configure the client ports on the access switch in general mode and assign the required VLAN ID to untagged traffic:
```
vlan database
 vlan 100
exit
!
interface range GigabitEthernet1/0/1-24
 switchport mode general
 switchport general allowed vlan add 100 untagged
 switchport general pvid 100
 switchport protected-port
exit
```
To isolate clients within the broadcast domain, enable the protected-port feature.
And configure the port towards the router as a trunk port for the required VLAN ID:
```
interface TenGigabitEthernet1/0/1
 switchport mode general
 switchport general allowed vlan add 100 tagged
 switchport forbidden default-vlan
exit
```
After that, terminate the tagged traffic on the physical subinterface of the border router:
```
interface gigabitethernet 1/0/2.100
 description "LAN | CUSTOMER"
 ip address 192.168.12.1/24
exit
```
Add a security zone for the subinterface and allow ICMP traffic incoming to the router from this security zone:
```
security zone CUSTOMER
 description "LAN | CUSTOMER"
exit
interface gigabitethernet 1/0/2.100
 security-zone CUSTOMER
exit
security zone-pair CUSTOMER self
 rule 10
  description "Permit | ICMP | From ANY | To ANY"
  action permit
  match protocol icmp
  enable
 exit
exit
```
Next, connect the router to the Internet, taking into account the network interface parameters that the Internet service provider issues via DHCP (Table 12).
Table 12. Network configuration parameters provided to the border router of branch office No. 2 by the Internet service provider via DHCP
| Parameter | Value |
|---|---|
| Router IP | 203.0.114.130 |
| Network mask | 255.255.255.128 |
| Gateway IP | 203.0.114.129 |
In this example, the Internet service provider issues a public (white) IP address via DHCP. If the provider instead issues a private (grey) IP address via DHCP and translates it to public addressing with its own NAT, the configuration is the same: the provider's NAT does not affect the connection of the branch office to the central office via the DMVPN cloud.
Configure the DHCP client on the network interface, moving the interface to a separate, so-called Front-VRF.
A connection scheme in which the transport network for a certain virtual network is moved to a separate network namespace is called Front-Door VRF. This scheme of organizing transport for a virtual network offers the following advantages:
```
ip vrf ISP
exit
interface gigabitethernet 1/0/1
 description "ISP | Uplink"
 ip vrf forwarding ISP
 ip address dhcp
exit
```
Specify a separate security zone for this network interface and allow ICMP traffic incoming to the router from this security zone:
```
security zone UNTRUSTED
 description "ISP | Uplink"
 ip vrf forwarding ISP
exit
interface gigabitethernet 1/0/1
 security-zone UNTRUSTED
exit
security zone-pair UNTRUSTED self
 rule 10
  description "Permit | ICMP | From ANY | To ANY"
  action permit
  match protocol icmp
  enable
 exit
exit
```
Configuring IPsec for the future DMVPN cloud is an important part of this guide. Correct IPsec configuration ensures the privacy and security of traffic between offices. IKE and IPsec parameters shown in Table 13 will be used in further configuration.
Table 13. IKE and IPsec parameters used to configure IPsec tunneling on the DMVPN Spoke router of branch office No. 2.
| Group | Parameter | RT-OFFICE-2 |
|---|---|---|
| IKE parameters | Encryption algorithm | AES-256 |
| | Hashing algorithm | SHA2-256 |
| | Diffie-Hellman group | 19 |
| | IKE session lifetime in seconds | 86400 |
| | IKE session identifier | spoke2.company.loc |
| | Interval for sending DPD messages | 40 |
| | Total timeout for DPD message response | 160 |
| | Action when DPD timeout occurs | Terminating the IKE session |
| IPsec parameters | Encryption algorithm | AES-256 |
| | Hashing algorithm | SHA2-256 |
| | Diffie-Hellman group for the PFS mechanism | 19 |
| | IPsec session lifetime in seconds | 28800 |
| | IPsec session lifetime in kilobytes | 4608000 |
| | Early reauthentication interval for the IKE session / early rekeying interval for the IPsec session, in seconds | 3600 |
| | Threshold for early IKE session reauthentication / early IPsec session rekeying, in kilobytes | 86400 |
IPsec configuration begins with configuring encryption algorithm sets for the IKE protocol:
```
security ike proposal DMVPN_IKE_PROP_1
 description "DMVPN | IKE proposal #1"
 authentication algorithm sha2-256
 encryption algorithm aes256
 dh-group 19
exit
```
Next, create an IKE authentication keyring. Since domain names are going to be used as IPsec neighbor identifiers in further configuration, domain names will also be used in the keyring:
```
security ike keyring DMVPN_IKE_KEYRING
 description "DMVPN | IKE keyring"
 identity dns *.company.loc
 pre-shared-key ascii-text password
exit
```
Create an IKE policy. It includes encryption algorithm sets, authentication method selection and IKE session lifetime:
```
security ike policy DMVPN_IKE_POL
 description "DMVPN | IKE policy"
 lifetime seconds 86400
 keyring DMVPN_IKE_KEYRING
 authentication method keyring
 proposal DMVPN_IKE_PROP_1
exit
```
Create a set of IKE gateways.
Due to the specifics of IPsec configuration in the DMVPN scheme on ESR service routers, a router acting as a DMVPN Spoke needs several IPsec VPN profiles: one for connections to other DMVPN Spokes and one for each configured DMVPN Hub. In this guide the connection is made via one Internet service provider to two DMVPN Hubs, so three IPsec VPN profiles and therefore three IKE gateways must be created.
The number of possible settings in IKE gateway is quite large, so focus on the most important configuration items:
```
security ike gateway DMVPN_IKE_GW_HUB_1
 description "DMVPN | RT-HUB-1 IKE gateway"
 version v2-only
 ike-policy DMVPN_IKE_POL
 local interface gigabitethernet 1/0/1
 local network dynamic protocol gre
 local id dns "spoke2.company.loc"
 remote id dns "hub1.company.loc"
 remote address 203.0.113.4
 remote network 203.0.113.4/32 protocol gre
 mode policy-based
 mobike disable
 dead-peer-detection action clear
 dead-peer-detection interval 40
 dead-peer-detection timeout 160
exit
security ike gateway DMVPN_IKE_GW_HUB_2
 description "DMVPN | RT-HUB-2 IKE gateway"
 version v2-only
 ike-policy DMVPN_IKE_POL
 local interface gigabitethernet 1/0/1
 local network dynamic protocol gre
 local id dns "spoke2.company.loc"
 remote id dns "hub2.company.loc"
 remote address 203.0.113.132
 remote network 203.0.113.132/32 protocol gre
 mode policy-based
 mobike disable
 dead-peer-detection action clear
 dead-peer-detection interval 40
 dead-peer-detection timeout 160
exit
security ike gateway DMVPN_IKE_GW_SPOKES
 description "DMVPN | Spokes IKE gateway"
 version v2-only
 ike-policy DMVPN_IKE_POL
 local interface gigabitethernet 1/0/1
 local network dynamic protocol gre
 local id dns "spoke2.company.loc"
 remote address any
 remote network any protocol gre
 mode policy-based
 mobike disable
 dead-peer-detection action clear
 dead-peer-detection interval 40
 dead-peer-detection timeout 160
exit
```
1) Specify the interface facing the ISP as the "local interface".
2) Using "local id" and "remote id" is a convenient way to identify IKE neighbors. Since domain names are used in "security ike keyring", the same type of ID should be used here.
3) Three gateways are created: for connecting to RT-HUB-1, to RT-HUB-2, and to the other DMVPN Spokes in the cloud.
Configure the policy for duplicate IKE sessions to replace existing IKE sessions when duplicates occur:
```
security ike session uniqueids replace
```
Create a set of encryption algorithms specifically for the IPsec tunnel:
```
security ipsec proposal DMVPN_IPSEC_PROP_1
 description "DMVPN | IPsec proposal #1"
 authentication algorithm sha2-256
 encryption algorithm aes256
 pfs dh-group 19
exit
```
Next, create an IPsec policy. It includes the sets of encryption algorithms and the lifetime of the IPsec session that directly encrypts user traffic:
```
security ipsec policy DMVPN_IPSEC_POL
 description "DMVPN | IPsec policy"
 lifetime seconds 28800
 lifetime kilobytes 4608000
 proposal DMVPN_IPSEC_PROP_1
exit
```
Finally, all IKE and IPsec settings can be combined into general VPN profiles. As with IKE gateways, three IPsec VPN profiles will be created. For IPsec VPN profiles used on GRE tunnels in the DMVPN scheme, it is necessary to enable transport mode:
```
security ipsec vpn DMVPN_IPSEC_VPN_HUB_1
 description "DMVPN | RT-HUB-1 IPsec VPN profile"
 type transport
 ip vrf forwarding ISP
 ike establish-tunnel route
 ike gateway DMVPN_IKE_GW_HUB_1
 ike ipsec-policy DMVPN_IPSEC_POL
 ike rekey margin kilobytes 86400
 ike rekey margin seconds 3600
 enable
exit
security ipsec vpn DMVPN_IPSEC_VPN_HUB_2
 description "DMVPN | RT-HUB-2 IPsec VPN profile"
 type transport
 ip vrf forwarding ISP
 ike establish-tunnel route
 ike gateway DMVPN_IKE_GW_HUB_2
 ike ipsec-policy DMVPN_IPSEC_POL
 ike rekey margin kilobytes 86400
 ike rekey margin seconds 3600
 enable
exit
security ipsec vpn DMVPN_IPSEC_VPN_SPOKES
 description "DMVPN | Spokes IPsec VPN profile"
 type transport
 ip vrf forwarding ISP
 ike establish-tunnel route
 ike gateway DMVPN_IKE_GW_SPOKES
 ike ipsec-policy DMVPN_IPSEC_POL
 ike rekey margin kilobytes 86400
 ike rekey margin seconds 3600
 enable
exit
```
Allow the traffic associated with the IPsec tunnels to pass. First, describe a service object group covering the IKE port and the port used for IKE and ESP traffic encapsulated in UDP:
```
object-group service IKE_AND_IPSEC
 description "IKE, IKE encrypted, ESP encap UDP"
 port-range 500
 port-range 4500
exit
```
1) UDP port 500 is used by IKEv2 for the initial packet exchange with a remote IKE neighbor.
2) UDP port 4500 is used for IKEv2 messages once NAT has been detected between the peers.
3) UDP port 4500 is also used for ESP messages encapsulated in UDP, i.e. the encrypted user traffic of the tunnel.
Allow incoming IPsec tunnel traffic:
```
security zone-pair UNTRUSTED self
 rule 20
  description "Permit | IKE/IPsec | From ISP | To ANY"
  action permit
  match protocol udp
  match destination-port object-group IKE_AND_IPSEC
  enable
 exit
 rule 30
  description "Permit | ESP | From ISP | To ANY"
  action permit
  match protocol esp
  enable
 exit
exit
```
User traffic is encapsulated in ESP, and if there is NAT between the IPsec neighbors, the ESP messages are in turn encapsulated in UDP on port 4500. Since tunnels between DMVPN Spokes can also be established with no NAT between them, plain ESP packets are permitted by a separate rule.
Configure GRE tunnels in multipoint mode with NHRP protocol support on DMVPN Spoke. Since two DMVPN Hubs are deployed in the central office with addresses from two different ISPs, the connection to them will be made using two separate mGRE tunnels. The main parameters of the GRE tunnels for connecting to both DMVPN Hubs are shown in Table 14.
Table 14. GRE tunnel parameters on the DMVPN Spoke router of branch office No. 2
| DMVPN Hub | DMVPN Cloud | GRE tunnel number | DMVPN Spoke tunnel addressing | DMVPN Hub tunnel address | NBMA address of DMVPN Hub | GRE tunnel key | Lifetime of NHRP entries in seconds |
|---|---|---|---|---|---|---|---|
| RT-HUB-1 | ISP-1 Cloud | 11 | 172.16.1.12/24 | 172.16.1.1 | 203.0.113.4 | 1000 | 600 |
| RT-HUB-2 | ISP-2 Cloud | 12 | 172.16.2.12/24 | 172.16.2.1 | 203.0.113.132 | 2000 | 600 |
First, configure the general settings of the GRE tunnel towards each DMVPN Hub. These settings include the tunnel key, TTL, MTU, multipoint mode, the tunnel source in the ISP VRF, the tunnel IP address and TCP MSS clamping:
```
tunnel gre 11
 description "DMVPN | Cloud 1"
 key 1000
 ttl 64
 mtu 1400
 multipoint
 tunnel-source vrf ISP
 local interface gigabitethernet 1/0/1
 ip address 172.16.1.12/24
 ip tcp adjust-mss 1360
 enable
exit
tunnel gre 12
 description "DMVPN | Cloud 2"
 key 2000
 ttl 64
 mtu 1400
 multipoint
 tunnel-source vrf ISP
 local interface gigabitethernet 1/0/1
 ip address 172.16.2.12/24
 ip tcp adjust-mss 1360
 enable
exit
```
From the perspective of the NHRP protocol, DMVPN Spoke routers act as NHRP clients, which, after registering in the DMVPN cloud on one or more DMVPN Hubs, can request information about other members of the DMVPN cloud from them. In this regard, for DMVPN Spoke to work correctly, it is necessary to describe the NHRP protocol settings for connecting to both DMVPN Hubs.
To correctly establish Spoke-to-Spoke tunnels when routing directs all traffic to the DMVPN Hub, enable the "ip nhrp shortcut" option. It makes the DMVPN Spoke react to the special NHRP "Traffic Indication" messages that the DMVPN Hub sends in response to packets destined for another DMVPN Spoke. Processing such a message results in the construction of a Spoke-to-Spoke tunnel, and traffic between DMVPN Spokes then flows directly, bypassing the DMVPN Hub. This scheme of routing and Spoke-to-Spoke tunnel establishment in DMVPN clouds is commonly referred to as DMVPN Phase 3.
```
tunnel gre 11
 ip nhrp authentication password
 ip nhrp holding-time 600
 ip nhrp shortcut
 ip nhrp ipsec DMVPN_IPSEC_VPN_HUB_1 static
 ip nhrp ipsec DMVPN_IPSEC_VPN_SPOKES dynamic
 ip nhrp map 172.16.1.1 203.0.113.4
 ip nhrp nhs 172.16.1.1
 ip nhrp multicast nhs
 ip nhrp enable
exit
tunnel gre 12
 ip nhrp authentication password
 ip nhrp holding-time 600
 ip nhrp shortcut
 ip nhrp ipsec DMVPN_IPSEC_VPN_HUB_2 static
 ip nhrp ipsec DMVPN_IPSEC_VPN_SPOKES dynamic
 ip nhrp map 172.16.2.1 203.0.113.132
 ip nhrp nhs 172.16.2.1
 ip nhrp multicast nhs
 ip nhrp enable
exit
```
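The three layers above (IKE gateway, IPsec VPN profile, mGRE tunnel) must agree on the Hub's NBMA address, and a typo in one of them only shows up as a tunnel that never comes up. The following checker is an added example and not part of this guide or the ESR software: it walks a constructed excerpt of the Spoke configuration (same names and addresses as above, with one deliberately wrong "ip nhrp map" entry) and reports every static NHRP mapping whose NBMA address differs from the "remote address" of the IKE gateway behind the tunnel's static IPsec profile. The block names and the "exit"-terminated layout are assumed from the configuration shown on this page.

```python
# Constructed excerpt of the Spoke configuration above, with one deliberate typo:
# tunnel gre 12 maps RT-HUB-2 to 203.0.113.133 instead of 203.0.113.132.
SAMPLE_CONFIG = """
security ike gateway DMVPN_IKE_GW_HUB_1
 remote address 203.0.113.4
exit
security ike gateway DMVPN_IKE_GW_HUB_2
 remote address 203.0.113.132
exit
security ipsec vpn DMVPN_IPSEC_VPN_HUB_1
 ike gateway DMVPN_IKE_GW_HUB_1
exit
security ipsec vpn DMVPN_IPSEC_VPN_HUB_2
 ike gateway DMVPN_IKE_GW_HUB_2
exit
tunnel gre 11
 ip nhrp ipsec DMVPN_IPSEC_VPN_HUB_1 static
 ip nhrp map 172.16.1.1 203.0.113.4
exit
tunnel gre 12
 ip nhrp ipsec DMVPN_IPSEC_VPN_HUB_2 static
 ip nhrp map 172.16.2.1 203.0.113.133
exit
"""
# Tracked block headers (assumed layout): each is closed by "exit" and has no nested block.
BLOCKS = ("security ike gateway ", "security ipsec vpn ", "tunnel gre ")

def parse_sections(text):
    """Map each tracked block header to the commands inside it; other lines are ignored."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(BLOCKS):
            current = sections.setdefault(line, [])
        elif line == "exit":
            current = None
        elif line and current is not None:
            current.append(line)
    return sections

def first_value(cmds, prefix):
    """Last word of the first command starting with prefix (e.g. the address after 'remote address')."""
    return next((c.split()[-1] for c in cmds if c.startswith(prefix)), None)

def check_nhrp_consistency(config_text):
    """Report NHRP hub mappings whose NBMA address is not the IKE gateway's remote address."""
    sections = parse_sections(config_text)
    by_kind = lambda kind: {h.split()[-1]: c for h, c in sections.items() if h.startswith(kind)}
    gw_remote = {n: first_value(c, "remote address ") for n, c in by_kind("security ike gateway").items()}
    vpn_gw = {n: first_value(c, "ike gateway ") for n, c in by_kind("security ipsec vpn").items()}
    problems = []
    for number, cmds in by_kind("tunnel gre").items():
        static = next((c.split()[3] for c in cmds if c.startswith("ip nhrp ipsec ") and c.endswith(" static")), None)
        expected = gw_remote.get(vpn_gw.get(static))  # NBMA address the tunnel's IPsec profile peers with
        for c in cmds:
            if c.startswith("ip nhrp map ") and c.split()[4] != expected:
                problems.append(f"tunnel gre {number}: hub {c.split()[3]} mapped to NBMA {c.split()[4]}, "
                                f"but static IPsec profile {static} peers with {expected}")
    return problems
```

Run against the sample it reports only tunnel gre 12; once the mapping is corrected to 203.0.113.132 the list is empty.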
Because of how traffic is decapsulated from IPsec tunnels operating in transport mode, the decrypted traffic arrives on the same network interface that terminates the IPsec tunnel. The firewall rules on the DMVPN Spoke must therefore permit not only the encrypted IPsec packets but also the GRE packets that appear on that interface after decryption.
```
security zone-pair UNTRUSTED self
 rule 40
  description "Permit | GRE | From ISP | To ANY"
  action permit
  match protocol gre
  enable
 exit
exit
```
To filter traffic within the DMVPN cloud, a separate security zone must be created and assigned to GRE tunnels. Allow incoming ICMP traffic to pass through this zone:
```
security zone DMVPN_NET
 description "DMVPN | Cloud"
exit
tunnel gre 11
 security-zone DMVPN_NET
exit
tunnel gre 12
 security-zone DMVPN_NET
exit
security zone-pair DMVPN_NET self
 rule 10
  description "Permit | ICMP | From ANY | To ANY"
  action permit
  match protocol icmp
  enable
 exit
exit
```
Configure the BGP neighbors facing the DMVPN Hubs:
```
router bgp log-neighbor-changes
router bgp 65000
 neighbor 172.16.1.1
  description "DMVPN | RT-HUB-1"
  remote-as 65001
  update-source gre 11
  address-family ipv4 unicast
   enable
  exit
  enable
 exit
 neighbor 172.16.2.1
  description "DMVPN | RT-HUB-2"
  remote-as 65002
  update-source gre 12
  address-family ipv4 unicast
   enable
  exit
  enable
 exit
 enable
exit
```
Since the DMVPN Spoke and the DMVPN Hubs are in different autonomous systems, routing information is not advertised by default. Create a route map that permits advertising the local network to the DMVPN Hubs.
Apply the created route map to the IPv4 address family of the created BGP neighbors, and add the local network to the advertised routes:
```
route-map DMVPN_NET_OUT
 rule 10
  description "DMZ | LAN for DMVPN Hub"
  match ip address 192.168.12.0/24
 exit
exit
router bgp 65000
 neighbor 172.16.1.1
  address-family ipv4 unicast
   route-map DMVPN_NET_OUT out
  exit
 exit
 neighbor 172.16.2.1
  address-family ipv4 unicast
   route-map DMVPN_NET_OUT out
  exit
 exit
 address-family ipv4 unicast
  network 192.168.12.0/24
 exit
exit
```
Enable BFD for the created BGP neighbors. Increase the BFD timers, taking into account the convergence time of the IPsec and mGRE tunnels:
```
ip bfd log-adjacency-changes
ip bfd min-rx-interval 1000
ip bfd min-tx-interval 1000
ip bfd multiplier 8
router bgp 65000
 neighbor 172.16.1.1
  fall-over bfd
 exit
 neighbor 172.16.2.1
  fall-over bfd
 exit
exit
```
Allow incoming BGP and BFD traffic to pass through the security zone configured on GRE tunnels:
```
object-group service BGP
 description "BGP"
 port-range 179
exit
object-group service BFD
 description "BFD"
 port-range 3784
exit
security zone-pair DMVPN_NET self
 rule 20
  description "Permit | BGP | From ANY | To ANY"
  action permit
  match protocol tcp
  match destination-port object-group BGP
  enable
 exit
 rule 30
  description "Permit | BFD | From ANY | To ANY"
  action permit
  match protocol udp
  match destination-port object-group BFD
  enable
 exit
exit
```
Since the DMVPN cloud created so far lets the branch office's local users reach the Internet through the central office's Internet gateway, additional firewall settings are required.
Allow transit traffic between the local network and the DMVPN cloud in both directions:
```
security zone-pair DMVPN_NET CUSTOMER
 rule 10
  description "Permit | ANY | From DMVPN Cloud | To CUSTOMER"
  action permit
  enable
 exit
exit
security zone-pair CUSTOMER DMVPN_NET
 rule 10
  description "Permit | ANY | From CUSTOMER | To DMVPN Cloud"
  action permit
  enable
 exit
exit
```
At this point, DMVPN configuration in the branch office can be considered complete.