Пример настройки DMVPN Dual Hub Single Cloud с динамическим IP-адресом на SPOKE

В текущей статье будут приведены готовые конфигурации схем DMVPN Dual Hub Single Cloud с динамическим IP-адресом на SPOKE. Более подробная и поэтапная настройка DMVPN с динамическим IP-адресом описана в статье https://docs.eltex-co.ru/x/wYO1HQ

В текущей статье рассмотрим пример двух схем DMVPN Dual Hub Single Cloud с динамическим IP-адресом на SPOKE:

1. Два HUB являются отдельными DHCP-серверами для выдачи IP-адресов SPOKE.

Схема:

Задача:

Организовать DMVPN Single Cloud схему с динамическими IP-адресами на SPOKE с двумя HUB. HUB-1 и HUB-2 будут выступать в качестве DHCP-серверов для SPOKE. Firewall отключен.

Используемые алгоритмы для IKE SA:

- IKE version: 1
- Authentication algorithm: sha2-256
- Encryption algorithm: aes256cbc
- DH-group 19

Используемые алгоритмы для IPse SA:

- Authentication algorithm: sha2-256
- Encryption algorithm: aes256cbc
- pfs dh-group 19
- Protocol: ESP

1) Конфигурации маршрутизаторов

Для реализации схемы, в которой HUB-1 и HUB-2 будут выступать в качестве DHCP-серверов для SPOKE, необходимо разделить пул для каждого HUB.

Например, HUB-1 будет выдавать IP-адреса из диапазона 192.0.2.3-192.0.2.128:

ip dhcp-server pool DMVPN_pool_1
network 192.0.2.0/24
address-range 192.0.2.3-192.0.2.128
exit

А HUB-2 будет выдавать IP-адреса из диапазона 192.0.2.129-192.0.2.254:

ip dhcp-server pool DMVPN_pool_2
  network 192.0.2.0/24
  address-range 192.0.2.129-192.0.2.254
exit

Конфигурация HUB-1

HUB-1# show running-config
hostname HUB-1

interface gigabitethernet 1/0/1
ip firewall disable
ip address 203.0.113.2/30
exit

tunnel gre 1
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.2
ip address 192.0.2.1/24
ip tcp adjust-mss 1340
ip nhrp ipsec ipsec_dynamic dynamic
ip nhrp multicast dynamic
ip nhrp enable
enable
exit

security ike proposal ike_proposal
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit

security ike policy ike_policy
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal ike_proposal
exit

security ike gateway ike_gateway
ike-policy ike_policy
local address 203.0.113.2
local network 203.0.113.2/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit

security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit

security ipsec policy ipsec_policy
proposal ipsec_proposal
exit

security ipsec vpn ipsec_dynamic
type transport
ike establish-tunnel route
ike gateway ike_gateway
ike ipsec-policy ipsec_policy
enable
exit

ip dhcp-server
ip dhcp-server pool DMVPN_pool_1
network 192.0.2.0/24
address-range 192.0.2.3-192.0.2.128
exit

ip route 203.0.113.4/30 203.0.113.1
ip route 203.0.113.8/30 203.0.113.1

Конфигурация HUB-2

HUB-2# show running-config
hostname HUB-2

interface gigabitethernet 1/0/1
ip firewall disable
ip address 203.0.113.14/30
exit

tunnel gre 1
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.14
ip address 192.0.2.2/24
ip tcp adjust-mss 1340
ip nhrp ipsec ipsec_dynamic dynamic
ip nhrp multicast dynamic
ip nhrp enable
enable
exit

security ike proposal ike_proposal
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit

security ike policy ike_policy
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal ike_proposal
exit

security ike gateway ike_gateway
ike-policy ike_policy
local address 203.0.113.14
local network 203.0.113.14/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit

security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit

security ipsec policy ipsec_policy
proposal ipsec_proposal
exit

security ipsec vpn ipsec_dynamic
type transport
ike establish-tunnel route
ike gateway ike_gateway
ike ipsec-policy ipsec_policy
enable
exit

ip dhcp-server
ip dhcp-server pool DMVPN_pool_2
network 192.0.2.0/24
address-range 192.0.2.129-192.0.2.254
exit

ip route 203.0.113.4/30 203.0.113.13
ip route 203.0.113.8/30 203.0.113.13

Конфигурация SPOKE-1

SPOKE-1# show running-config
hostname SPOKE-1

interface gigabitethernet 1/0/1
ip firewall disable
ip address 203.0.113.6/30
exit

tunnel gre 1
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.6
ip address dhcp
ip tcp adjust-mss 1340
ip nhrp holding-time 360
ip nhrp map 192.0.2.1 203.0.113.2
ip nhrp map 192.0.2.2 203.0.113.14
ip nhrp nhs 192.0.2.1/24
ip nhrp nhs 192.0.2.2/24
ip nhrp ipsec ipsec_static_hub1 static
ip nhrp ipsec ipsec_static_hub2 static
ip nhrp ipsec ipsec_dynamic_spoke dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit

security ike proposal ike_proposal
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit

security ike policy ike_policy
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal ike_proposal
exit

security ike gateway ike_gateway_hub1
ike-policy ike_policy
local address 203.0.113.6
local network 203.0.113.6/32 protocol gre
remote address 203.0.113.2
remote network 203.0.113.2/32 protocol gre
mode policy-based
exit
security ike gateway ike_gateway_hub2
ike-policy ike_policy
local address 203.0.113.6
local network 203.0.113.6/32 protocol gre
remote address 203.0.113.14
remote network 203.0.113.14/32 protocol gre
mode policy-based
exit
security ike gateway ike_gateway_spoke
ike-policy ike_policy
local address 203.0.113.6
local network 203.0.113.6/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit

security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit

security ipsec policy ipsec_policy
proposal ipsec_proposal
exit

security ipsec vpn ipsec_static_hub1
type transport
ike establish-tunnel route
ike gateway ike_gateway_hub1
ike ipsec-policy ipsec_policy
enable
exit
security ipsec vpn ipsec_static_hub2
type transport
ike establish-tunnel route
ike gateway ike_gateway_hub2
ike ipsec-policy ipsec_policy
enable
exit
security ipsec vpn ipsec_dynamic_spoke
type transport
ike establish-tunnel route
ike gateway ike_gateway_spoke
ike ipsec-policy ipsec_policy
enable
exit

ip route 203.0.113.0/30 203.0.113.5
ip route 203.0.113.12/30 203.0.113.5
ip route 203.0.113.8/30 203.0.113.5

Конфигурация SPOKE-2

SPOKE-2# show running-config
hostname SPOKE-2

interface gigabitethernet 1/0/1
ip firewall disable
ip address 203.0.113.10/30
exit

tunnel gre 1
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.10
ip address dhcp
ip tcp adjust-mss 1340
ip nhrp holding-time 360
ip nhrp map 192.0.2.1 203.0.113.2
ip nhrp map 192.0.2.2 203.0.113.14
ip nhrp nhs 192.0.2.1/24
ip nhrp nhs 192.0.2.2/24
ip nhrp ipsec ipsec_static_hub1 static
ip nhrp ipsec ipsec_static_hub2 static
ip nhrp ipsec ipsec_dynamic_spoke dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit

security ike proposal ike_proposal
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit

security ike policy ike_policy
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal ike_proposal
exit

security ike gateway ike_gateway_hub1
ike-policy ike_policy
local address 203.0.113.10
local network 203.0.113.10/32 protocol gre
remote address 203.0.113.2
remote network 203.0.113.2/32 protocol gre
mode policy-based
exit
security ike gateway ike_gateway_hub2
ike-policy ike_policy
local address 203.0.113.10
local network 203.0.113.10/32 protocol gre
remote address 203.0.113.14
remote network 203.0.113.14/32 protocol gre
mode policy-based
exit
security ike gateway ike_gateway_spoke
ike-policy ike_policy
local address 203.0.113.10
local network 203.0.113.10/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit

security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit

security ipsec policy ipsec_policy
proposal ipsec_proposal
exit

security ipsec vpn ipsec_static_hub1
type transport
ike establish-tunnel route
ike gateway ike_gateway_hub1
ike ipsec-policy ipsec_policy
enable
exit
security ipsec vpn ipsec_static_hub2
type transport
ike establish-tunnel route
ike gateway ike_gateway_hub2
ike ipsec-policy ipsec_policy
enable
exit
security ipsec vpn ipsec_dynamic_spoke
type transport
ike establish-tunnel route
ike gateway ike_gateway_spoke
ike ipsec-policy ipsec_policy
enable
exit

ip route 203.0.113.0/30 203.0.113.9
ip route 203.0.113.12/30 203.0.113.9
ip route 203.0.113.4/30 203.0.113.9

2) Оперативный вывод команд

В такой схеме выдача IP-адреса будет происходить от двух DHCP-серверов и SPOKE выберет IP-адрес из первого DHCP-Offer. После получения IP-адреса каждый SPOKE будет зарегистрирован на двух HUB.

Вывод оперативных команд с HUB-1. HUB-1 выдал IP-адрес для SPOKE-2:

HUB-1# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_dynamic 203.0.113.2 203.0.113.6 0xda0300d138dabc41 0xbc7b6c043ee51ad2 Established
ipsec_dynamic 203.0.113.2 203.0.113.10 0x307a8925564d0624 0x2ba01a0287533685 Established

HUB-1# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined

Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.4 203.0.113.10 gre 1 00:05:51 0,00:08:12 dynamic ULC
192.0.2.129 203.0.113.6 gre 1 00:04:55 0,00:09:08 dynamic ULC

HUB-1# show ip dhcp binding
IP address MAC / Client ID Binding type Lease expires at
---------------- ------------------------------------------------------------- ------------ -------------------------------
192.0.2.4 0x00656c7465782d613866392e346261612e626537372d6772655f31 active Friday 2024/08/09 10:25:08

Вывод оперативных команд с HUB-2. HUB-2 выдал IP-адрес для SPOKE-1:

HUB-2# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_dynamic 203.0.113.14 203.0.113.6 0x59ebcb9097f9e5f5 0x4d29937488287a9a Established
ipsec_dynamic 203.0.113.14 203.0.113.10 0x17f101f75202f394 0x4fa7fa49e50368ca Established

HUB-2# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined

Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.4 203.0.113.10 gre 1 00:04:05 0,00:14:00 dynamic LC
192.0.2.129 203.0.113.6 gre 1 00:05:10 0,00:14:56 dynamic ULC

HUB-2# show ip dhcp binding
IP address MAC / Client ID Binding type Lease expires at
---------------- ------------------------------------------------------------- ------------ -------------------------------
192.0.2.129 0x00656c7465782d363831332e653237662e353531612d6772655f31 active Saturday 1970/03/07 22:25:04

Вывод оперативных команд с SPOKE-1 и SPOKE-2:

SPOKE-1# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_static_hub2 203.0.113.6 203.0.113.14 0x59ebcb9097f9e5f5 0x4d29937488287a9a Established
ipsec_static_hub1 203.0.113.6 203.0.113.2 0xda0300d138dabc41 0xbc7b6c043ee51ad2 Established

SPOKE-1# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined

Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.2 gre 1 -- -- static RLC
192.0.2.2 203.0.113.14 gre 1 -- -- static RLC

SPOKE-1# show ip interfaces gre
IP address Interface Admin Link Type
--------------------------------------------------- -------------------- ----- ----- -------
192.0.2.129/24 gre 1 Up Up DHCP
Expires at: Friday 2024/08/09 10:24:47

SPOKE-2# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_static_hub2 203.0.113.10 203.0.113.14 0x17f101f75202f394 0x4fa7fa49e50368ca Established
ipsec_static_hub1 203.0.113.10 203.0.113.2 0x307a8925564d0624 0x2ba01a0287533685 Established

SPOKE-2# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined

Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.2 gre 1 -- -- static RLC
192.0.2.2 203.0.113.14 gre 1 -- -- static RLC

SPOKE-2# show ip interfaces gre
IP address Interface Admin Link Type
--------------------------------------------------- -------------------- ----- ----- -------
192.0.2.4/24 gre 1 Up Up DHCP

Например, если HUB-1 вышел из строя и истекло время аренды IP-адреса на SPOKE-2, то SPOKE-2 получит новый IP-адрес из пула HUB-2:

SPOKE-2# show ip interfaces gre
IP address Interface Admin Link Type
--------------------------------------------------- -------------------- ----- ----- -------
192.0.2.130/24 gre 1 Up Up DHCP

SPOKE-2# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined

Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.2 gre 1 -- -- static RUL
192.0.2.2 203.0.113.14 gre 1 -- -- static RULC

HUB-2# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined

Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.129 203.0.113.6 gre 1 00:05:39 0,01:19:00 dynamic LC
192.0.2.130 203.0.113.10 gre 1 00:05:40 0,00:00:37 dynamic LC

HUB-2# show ip dhcp binding
IP address MAC / Client ID Binding type Lease expires at
---------------- ------------------------------------------------------------- ------------ -------------------------------
192.0.2.129 0x00656c7465782d363831332e653237662e353531612d6772655f31 active Saturday 1970/03/07 22:25:04
192.0.2.130 0x00656c7465782d613866392e346261612e626537372d6772655f31 active Saturday 1970/03/07 23:43:27

2. Два HUB являются DHCP-Relay агентами и для выдачи IP-адресов SPOKE используется внешний DHCP-server.

Схема:

Задача:

Организовать DMVPN Single Cloud схему с динамическими IP-адресами на SPOKE с двумя HUB. HUB-1 и HUB-2 будут выступать в качестве DHCP-Relay агентов и будут перенаправлять DHCP-запросы на DHCP-сервер. Firewall отключен.

Используемые алгоритмы для IKE SA:

- IKE version: 1
- Authentication algorithm: sha2-256
- Encryption algorithm: aes256cbc
- DH-group 19

Используемые алгоритмы для IPse SA:

- Authentication algorithm: sha2-256
- Encryption algorithm: aes256cbc
- pfs dh-group 19
- Protocol: ESP

1) Конфигурации маршрутизаторов:

Для настройки HUB в качестве DHCP-Relay агента необходимо использовать следующие команды:
- ip helper-address A.B.C.D, с помощью которой указывается IP DHCP-сервера, которому будут отправляться DHCP Discover пакеты, перехваченные DHCP Relay-агентом.
- ip dhcp information option-insert, с помощью которой включается вставка DHCP Relay агентом, работающим на multipoint GRE туннеле ESR в роли NHRP NHS, 82 опции в DHCP-запросы от NHRP NHC. В добавляемой опции указывается NBMA-адрес NHRP NHC.
- ip dhcp-relay, с помощью которой включается агент DHCP-relay на маршрутизаторе ESR.

tunnel gre 1
ip dhcp information option-insert
ip helper-address 198.51.100.2
exit

ip dhcp-relay

Конфигурация HUB-1

HUB-1# show running-config
hostname HUB-1

interface gigabitethernet 1/0/1
ip firewall disable
ip address 203.0.113.2/30
exit
interface gigabitethernet 1/0/2
ip firewall disable
ip address 198.51.100.1/30
exit

tunnel gre 1
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.2
ip dhcp information option-insert
ip address 192.0.2.1/24
ip helper-address 198.51.100.2
ip tcp adjust-mss 1340
ip nhrp ipsec ipsec_dynamic dynamic
ip nhrp multicast dynamic
ip nhrp enable
enable
exit

security ike proposal ike_proposal
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit

security ike policy ike_policy
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal ike_proposal
exit

security ike gateway ike_gateway
ike-policy ike_policy
local address 203.0.113.2
local network 203.0.113.2/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit

security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit

security ipsec policy ipsec_policy
proposal ipsec_proposal
exit

security ipsec vpn ipsec_dynamic
type transport
ike establish-tunnel route
ike gateway ike_gateway
ike ipsec-policy ipsec_policy
enable
exit

nat source
ruleset s_nat
to interface gigabitethernet 1/0/2
rule 1
action source-nat interface
enable
exit
exit
exit

ip dhcp-relay

ip route 203.0.113.4/30 203.0.113.1
ip route 203.0.113.8/30 203.0.113.1

Конфигурация HUB-2

HUB-2# show running-config
hostname HUB-2

interface gigabitethernet 1/0/1
ip firewall disable
ip address 203.0.113.14/30
exit
interface gigabitethernet 1/0/2
ip firewall disable
ip address 198.51.100.5/30
exit

tunnel gre 1
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.14
ip dhcp information option-insert
ip address 192.0.2.2/24
ip helper-address 198.51.100.6
ip tcp adjust-mss 1340
ip nhrp ipsec ipsec_dynamic dynamic
ip nhrp multicast dynamic
ip nhrp enable
enable
exit

security ike proposal ike_proposal
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit

security ike policy ike_policy
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal ike_proposal
exit

security ike gateway ike_gateway
ike-policy ike_policy
local address 203.0.113.14
local network 203.0.113.14/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit

security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit

security ipsec policy ipsec_policy
proposal ipsec_proposal
exit

security ipsec vpn ipsec_dynamic
type transport
ike establish-tunnel route
ike gateway ike_gateway
ike ipsec-policy ipsec_policy
enable
exit

nat source
ruleset s_nat
to interface gigabitethernet 1/0/2
rule 1
action source-nat interface
enable
exit
exit
exit

ip dhcp-relay

ip route 203.0.113.4/30 203.0.113.13
ip route 203.0.113.8/30 203.0.113.13

Конфигурация SPOKE-1

SPOKE-1# show running-config
hostname SPOKE-1

interface gigabitethernet 1/0/2
ip firewall disable
ip address 203.0.113.6/30
exit