
RUTX DMVPN: Difference between revisions

From Teltonika Networks Wiki
No edit summary
No edit summary
 
(12 intermediate revisions by 2 users not shown)
Line 1: Line 1:
<p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.19.2'''] firmware version. </p>
==Introduction==
==Introduction==


Line 8: Line 9:


<ul>
<ul>
     <li>At least two RUTXxx routers</li>
     <li>At least two RUTxxx routers</li>
     <li>A PC to configure the routers</li>
     <li>A PC to configure the routers</li>
     <li>HUB has to be reachable from spokes (HUB must have Public IP address, or has to be in the same WAN network as Spokes)</li>
     <li>HUB has to be reachable from spokes (HUB must have Public IP address, or has to be in the same WAN network as Spokes)</li>
</ul>
</ul>
Note: If you are using a RUT2xx or RUT9xx device, you will need to install the “BGP daemon, DMVPN, and NHRP daemon” packages.


==Configuration scheme==
==Configuration scheme==
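Review bot: the added RUT2xx/RUT9xx note puts “BGP daemon, DMVPN, and NHRP daemon” inside one pair of quotes, which reads as a single package name even though the sentence says "packages". If these are separate packages, name each one on its own so a reader can tell when one is missing. The prerequisite list now says "RUTxxx" while the page title still says RUTX, so state once which device families the steps apply to.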
Line 26: Line 29:
'''STEP 1:''' Connect to router's '''WebUI''', go to '''Services > VPN > DMVPN'''. Enter a name for your DMVPN instance, click '''ADD''' and when instance appears in '''DMVPN CONFIGURATION''' field, click '''Edit'''.
'''STEP 1:''' Connect to router's '''WebUI''', go to '''Services > VPN > DMVPN'''. Enter a name for your DMVPN instance, click '''ADD''' and when instance appears in '''DMVPN CONFIGURATION''' field, click '''Edit'''.


[[File:Rutx dmvpn spoke 1 v1.png|border|class=tlt-border|1095x1095px]]
[[File:Rutx dmvpn spoke example configuration 1 v2.png|border|class=tlt-border|1095x1095px]]
 
----
----
'''STEP 2:''' Configure DMVPN settings.
'''STEP 2:''' Configure DMVPN settings.


[[File:Rutx dmvpn spoke 2 v1.png|border|class=tlt-border|1094x1094px]]
[[File:Rutx dmvpn spoke 2 v5.png|border|class=tlt-border|1094x1094px]]


#'''Enable''' instance.
#'''Enable''' instance.
Line 39: Line 43:
#Write Remote '''GRE interface IP address''' (create GRE tunnel IP address or just use the same as in the example).
#Write Remote '''GRE interface IP address''' (create GRE tunnel IP address or just use the same as in the example).
#Add '''GRE MTU''' (largest PDU size of any single transaction).
#Add '''GRE MTU''' (largest PDU size of any single transaction).
#Write '''GRE keys''' (it must match with HUB and other Spokes).
#(optional) Write '''Inbound and outbound keys''' (Spoke keys should be mirrored from the hub – outbound becomes inbound and et cetera).
#Add '''Pre-shared key''' (it must match HUB and other Spokes).
#Add '''Pre-shared key''' (it must match HUB and other Spokes).
#Write '''IKE lifetime''' (how long the keying channel of a connection should last before being renegotiated). '''P.S.''' do that in '''PHASE 1''' and '''PHASE 2'''.
#(optional) Write '''IKE lifetime''' (how long the keying channel of a connection should last before being renegotiated). Do this in '''PHASE 1''' and '''PHASE 2'''. They should match on HUB and spokes.
#Leave everything else as default and click '''Save & Apply'''.
#Leave everything else as default and click '''Save & Apply'''.


----
----
'''STEP 3:''' Go to '''Network > Routing > Dynamic Routes > BGP''', enable '''BGP''' and '''vty''', and either create a new BGP instance or modify the default '''general''' instance:
[[File:Rutx dmvpn spoke hub bgp 1 v2.png|border|class=tlt-border|1094x1094px]]


'''STEP 3:''' Go to '''Network > Routing > Dynamic Routes > BGP''' and make the necessary configuration.


[[File:Rutx dmvpn spoke 3 v1.png|border|class=tlt-border|1085x1085px]]
----
'''STEP 4:''' Configure BGP instance settings:
 
[[File:Rutx dmvpn spoke bgp 2 v2.png|border|class=tlt-border|1094x1094px]]


#'''Enable''' instance.
#'''Enable''' instance.
#'''Enable vty''' instance.
#Add '''AS''' ('''Autonomous system name''', it must match on all of the devices, including other Spokes and hub).
#Enable '''BGP Instance'''.
#Write '''BGP router ID''' (SPOKE GRE Tunnel IP).
#Add '''AS''' (Autonomous system name, it must match with other Spokes).
#Add '''Network''' (SPOKE LAN network IP with subnet mask).
#Write '''BGP router ID''' (HUB GRE Tunnel IP).
#Select '''Redistribution options'''. (NHRP routes)
#Add '''Network''' (HUB LAN network IP with subnet mask).
#*'''Repeat steps 6 to 10 for the hub and for each of the other spokes.'''
#Select '''Redistribution options'''.
#Write the Name of the new '''BGP peer instance''' (anything you want).
#Write a '''Name''' of the new instance (anything you want).
#Press the '''Add''' button, and then the new BGP peer configuration window will appear. [[File:Dmvpn bgp peer spoke v3.png|border|class=tlt-border|1094x1094px]]
#Press '''Add''' button and then new BGP peer will appear.
#Inside the BGP peer configuration window, '''enable''' the instance
#Add '''REMOTE AS''' (it must match AS in BGP instance).
#Set Remote '''AS''' (should match previously set AS)
#Write '''REMOTE ADDRESS''' (HUB GRE IP).
#Set the '''remote address''' (either of the other spoke or the hub internal DMVPN IPs)
#'''Enable''' peer.
#:
#Leave everything else as default and click '''Save & Apply'''.
#Once saved and applied, the changes should be reflected in the '''BGP peers''' configuration section.
#Write the Name of the new '''BGP peer group''' instance (anything you want).
#Press the '''Add''' button, and then the new BGP peer group configuration window will appear.[[File:Dmvpn bgp peergroup spoke v2.png|border|class=tlt-border|1094x1094px]]
#Inside the BGP peer group configuration window, '''enable''' the instance.
#Set Remote '''AS''' (should match previously set AS)
#Set the '''neighbor addresses''' – they should be the other spokes and your hubs' internal DMVPN IPs.
#Set Neighbor configuration to '''Route Reflector Client'''.
#:
#Once saved and applied, some changes should be seen in BGP peer groups section.
#Save the configuration.
 
 
----
'''STEP 5:''' Configure forwarding between GRE and LAN zones.
 
Go to '''network -> Firewall -> Zones''' and modify''' gre => lan''' zone’s '''Forwarding inside zone''' to '''Accept'''. Then '''save & apply'''.
 
 
[[File:Rutx dmvpn zones_v2.png|border|class=tlt-border|1094x1094px]]
 


----
----
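Review bot: in the new STEP 5, the instruction names the gre => lan forwarding but tells the reader to change "Forwarding inside zone", so it is unclear which control is meant. Name the exact field, and state that Accept lets any host reachable through the tunnel reach the local LAN, so readers who need a narrower policy know to add firewall rules instead of a blanket Accept. In STEP 4 the "Repeat steps 6 to 10" bullet sits under the redistribution step, before the steps it refers to, and its numbers will go stale when the list changes; move it after the remote address step. The GRE keys item also changed from required to optional without saying what happens when keys are left empty.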
Line 72: Line 101:


----
----
'''STEP 1:''' Connect to router's '''WebUI''', go to '''Services > VPN > DMVPN'''. Enter a name for your DMVPN instance, click '''ADD''' and when instance appears in '''DMVPN CONFIGURATION''' field, click '''Edit'''.


'''STEP 1:''' Connect to router's '''WebUI''', go to '''Services > VPN > DMVPN'''. Enter a name for your DMVPN instance, click '''ADD''' and when instance appears in '''DMVPN CONFIGURATION''' field, click '''Edit'''.
[[File:Rutx dmvpn hub 1 v5.png|border|class=tlt-border|1073x1073px]]


[[File:Rutx dmvpn spoke 1 v1.png|border|class=tlt-border|1073x1073px]]


----
----
'''STEP 2:''' Configure DMVPN settings.
'''STEP 2:''' Configure DMVPN settings.


[[File:Rutx dmvpn spoke 4 v1.png|border|class=tlt-border|1094x1094px]]
[[File:Rutx dmvpn hub 2 v5.png|border|class=tlt-border|1094x1094px]]


#'''Enable''' instance.
#'''Enable''' instance.
#Select '''Working mode'''.
#Select '''Working mode''' (HUB).
#Select '''Tunnel source''' (select your WAN interface).
#Select '''Tunnel source''' (select your WAN interface).
#Write '''Local GRE interface IP address''' (create GRE tunnel IP address or just use the same as in the example).
#Write '''Local GRE interface IP address''' (create GRE tunnel IP address or just use the same as in the example).
#Write '''Local GRE interface netmask'''.
#Write '''Local GRE interface netmask'''.
#Add '''GRE MTU''' (largest PDU size of any single transaction).
#Add '''GRE MTU''' (largest PDU size of any single transaction).
#Write '''GRE keys''' (it must match with HUB and other Spokes).
#(optional) Write '''Inbound and outbound keys''' (hub keys should be mirrored from the spokes – outbound becomes inbound and et cetera).
#Add '''Pre-shared key''' (it must match HUB and other Spokes).
#Add '''Pre-shared key''' (it must match with the Spokes).
#Write '''IKE lifetime''' (how long the keying channel of a connection should last before being renegotiated). '''P.S.''' do that in '''PHASE 1''' and '''PHASE 2'''.
#(optional) Write '''IKE lifetime''' (how long the keying channel of a connection should last before being renegotiated). Do this in '''PHASE 1''' and '''PHASE 2'''. They should match on spokes too.
#Leave everything else as default and click '''Save & Apply'''.
#Leave everything else as default and click '''Save & Apply'''.


----
----
'''STEP 3:''' Go to '''Network > Routing > Dynamic Routes > BGP''', enable '''BGP''' and '''vty''', and either create a new BGP instance or modify the default “general” instance:


'''STEP 3:''' Go to '''Network > Routing > Dynamic Routes > BGP''' and make the necessary configuration.
[[File:Rutx dmvpn spoke hub bgp 1_v2.png|border|class=tlt-border|1085x1085px]]


[[File:Rutx dmvpn spoke 5 v1.png|border|class=tlt-border|1085x1085px]]
 
----
'''STEP 4:''' Configure BGP instance settings:
 
[[File:Rutx dmvpn hub bgp 2_v2.png|border|class=tlt-border|1085x1085px]]


#'''Enable''' instance.
#'''Enable''' instance.
#'''Enable vty''' instance.
#Add '''AS''' ('''Autonomous system name''', it must match on all of the devices).
#Enable '''BGP Instance'''.
#Add '''AS''' (Autonomous system name, it must match with other Spokes).
#Write '''BGP router ID''' (HUB GRE Tunnel IP).
#Write '''BGP router ID''' (HUB GRE Tunnel IP).
#Add '''Network''' (HUB LAN network IP with subnet mask).
#Add '''Network''' (HUB LAN network IP with subnet mask).
#Select '''Redistribution options'''.
#Select '''Redistribution options'''. (NHRP routes)
#Write '''BGP PEER GROUP NAME''' (anything you want).
#*'''Repeat steps 6 to 10 for each of the other spokes.'''
#Press '''ADD''' button and then new BGP PEER GROUP will appear.
#Write the Name of the new '''BGP peer instance''' (anything you want).  
#Add '''REMOTE AS''' (it must match AS in BGP instance).
#Press the '''Add''' button, and then the new BGP peer configuration window will appear.[[File:Dmvpn bgp peer spoke v3.png|border|class=tlt-border|1085x1085px]]
#Leave everything else as default and click '''Save & Apply'''.
#Inside the BGP peer configuration window, '''enable''' the instance
#Set Remote '''AS''' (should match previously set AS)
#Set the '''remote address''' (selected spokes IP)
#:
#Once saved and applied, the changes should be reflected in the '''BGP peers''' configuration section.
#Write the Name of the new '''BGP peer group''' instance (anything you want).
#Press the '''Add''' button, and then the new BGP peer group configuration window will appear.[[File:Rutx dmvpn bgp peergroup hub_v2.png|border|class=tlt-border|1085x1085px]]
#Inside the BGP peer group configuration window, '''enable''' the instance.
#Set Remote '''AS''' (should match previously set AS)
#Set the '''neighbor addresses''' – they should be spokes internal DMVPN IPs.
#Set Neighbor configuration to '''Route Reflector Client'''.
#:
#Once saved and applied, some changes should be seen in BGP peer groups section.
#Save the configuration.
 
 
----
'''STEP 5:''' Configure forwarding between GRE and LAN zones.
 
Go to '''network -> Firewall -> Zones''' and modify''' gre => lan''' zone’s '''Forwarding inside zone''' to '''Accept'''. Then '''save & apply'''.
 
[[File:Rutx dmvpn zones_v2.png|border|class=tlt-border|1094x1094px]]
 
 


==Testing configuration==
==Testing configuration==


Access '''HUB''' and '''Spoke WebUI''', check whether new routes appeared (it should look similar to the examples).
'''Please keep in mind that network propagation only occurs when another device is connected to the router (for example, via LAN).'''
 
'''The only exception is the RUTXxx series, which always shares its network information with other spokes and hubs automatically.'''
 
When testing, make sure that all routers have at least one client device connected to ensure proper network propagation throughout the DMVPN network.
 
 
Access '''HUB''' or either of the '''Spokes WebUI''', go to '''Status -> Routes -> Dynamic''', and check if there are routes to other device networks:
 
'''SPOKE example:'''
 
[[File:Rutx dmvpn test route spoke v2.png|border|class=tlt-border|1079x1079p]]
 
'''HUB example:'''
[[File:Rutx dmvpn test route hub v2.png|border|class=tlt-border|1082x1082px]]
 
Another way to test the configuration is to connect to one of the devices over '''SSH''' or '''CLI''' and check the available routes using '''ip r''' command:
 
 
 
'''Available routes on HUB:'''


'''SPOKE:'''
[[File:rutx_dmvpn_text_ipr_hub_v2.png|border|class=tlt-border|1082x1082px]]


[[File:Rutx dmvpn spoke 6 v1.png|border|class=tlt-border|1079x1079px]]


'''HUB:'''
'''Available routes on spoke:'''


[[File:Rutx dmvpn spoke 7 v1.png|border|class=tlt-border|1082x1082px]]
[[File:rutx_dmvpn_text_ipr_spoke_v2.png|border|class=tlt-border|1082x1082px]]
[[Category:VPN]]
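Review bot: in Testing configuration, the SPOKE example image has the size parameter "1079x1079p", missing the final "x" of "px", so it is not read as a size and appears as stray text on the rendered page; change it to 1079x1079px, matching the HUB example. The HUB STEP 4 list reuses "Dmvpn bgp peer spoke v3.png" for the hub's peer window, so confirm the screenshot shows hub values, or replace it with a hub capture.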

Latest revision as of 09:26, 1 December 2025


The information in this page is updated in accordance with 00.07.19.2 firmware version.

Introduction

Dynamic Multipoint VPN (DMVPN) is a dynamic tunneling form of a virtual private network (VPN) supported on Cisco routers. This article contains step-by-step instructions on how to configure DMVPN between a "HUB" and two "Spokes" using RUTXxx routers.

Prerequisites

You will need:

  • At least two RUTxxx routers
  • A PC to configure the routers
  • HUB has to be reachable from spokes (HUB must have Public IP address, or has to be in the same WAN network as Spokes)

Note: If you are using a RUT2xx or RUT9xx device, you will need to install the “BGP daemon, DMVPN, and NHRP daemon” packages.

Configuration scheme

Spoke configuration

This section contains information on how to configure DMVPN Spokes. Firstly, we'll configure the DMVPN instance to make the connection possible. Then we'll set the Border Gateway Protocol (BGP) parameters as our dynamic routing solution.

Note: at the moment, BGP is the only stable dynamic routing solution that can work with DMVPNs.


STEP 1: Connect to router's WebUI, go to Services > VPN > DMVPN. Enter a name for your DMVPN instance, click ADD and when instance appears in DMVPN CONFIGURATION field, click Edit.


STEP 2: Configure DMVPN settings.

  1. Enable instance.
  2. Select Working mode (Spoke).
  3. Enter HUB Address (HUB WAN IP).
  4. Select Tunnel source (select your WAN interface).
  5. Write Local GRE interface IP address (create GRE tunnel IP address or just use the same as in the example).
  6. Write Remote GRE interface IP address (create GRE tunnel IP address or just use the same as in the example).
  7. Add GRE MTU (largest PDU size of any single transaction).
  8. (optional) Write Inbound and outbound keys (Spoke keys should be mirrored from the hub – outbound becomes inbound and vice versa).
  9. Add Pre-shared key (it must match HUB and other Spokes).
  10. (optional) Write IKE lifetime (how long the keying channel of a connection should last before being renegotiated). Do this in PHASE 1 and PHASE 2. They should match on HUB and spokes.
  11. Leave everything else as default and click Save & Apply.



STEP 3: Go to Network > Routing > Dynamic Routes > BGP, enable BGP and vty, and either create a new BGP instance or modify the default general instance:



STEP 4: Configure BGP instance settings:

  1. Enable instance.
  2. Add AS (Autonomous system name, it must match on all of the devices, including other Spokes and hub).
  3. Write BGP router ID (SPOKE GRE Tunnel IP).
  4. Add Network (SPOKE LAN network IP with subnet mask).
  5. Select Redistribution options. (NHRP routes)
    • Repeat steps 6 to 10 for the hub and for each of the other spokes.
  6. Write the Name of the new BGP peer instance (anything you want).
  7. Press the Add button, and then the new BGP peer configuration window will appear.
  8. Inside the BGP peer configuration window, enable the instance.
  9. Set Remote AS (should match previously set AS).
  10. Set the remote address (the internal DMVPN IP of either the other spoke or the hub).
  11. Once saved and applied, the changes should be reflected in the BGP peers configuration section.
  12. Write the Name of the new BGP peer group instance (anything you want).
  13. Press the Add button, and then the new BGP peer group configuration window will appear.
  14. Inside the BGP peer group configuration window, enable the instance.
  15. Set Remote AS (should match previously set AS).
  16. Set the neighbor addresses – they should be the internal DMVPN IPs of the other spokes and of your hub.
  17. Set Neighbor configuration to Route Reflector Client.
  18. Once saved and applied, some changes should be seen in BGP peer groups section.
  19. Save the configuration.



STEP 5: Configure forwarding between GRE and LAN zones.

Go to Network -> Firewall -> Zones and set the gre => lan zone’s Forwarding inside zone option to Accept. Then click Save & Apply.




Repeat this on different routers as many times as the number of Spokes that you need. Remember that other Spokes will have different LAN, WAN and GRE IP addresses.

HUB configuration

This section contains information on how to configure DMVPN HUB.


STEP 1: Connect to router's WebUI, go to Services > VPN > DMVPN. Enter a name for your DMVPN instance, click ADD and when instance appears in DMVPN CONFIGURATION field, click Edit.



STEP 2: Configure DMVPN settings.

  1. Enable instance.
  2. Select Working mode (HUB).
  3. Select Tunnel source (select your WAN interface).
  4. Write Local GRE interface IP address (create GRE tunnel IP address or just use the same as in the example).
  5. Write Local GRE interface netmask.
  6. Add GRE MTU (largest PDU size of any single transaction).
  7. (optional) Write Inbound and outbound keys (hub keys should be mirrored from the spokes – outbound becomes inbound and vice versa).
  8. Add Pre-shared key (it must match with the Spokes).
  9. (optional) Write IKE lifetime (how long the keying channel of a connection should last before being renegotiated). Do this in PHASE 1 and PHASE 2. They should match on spokes too.
  10. Leave everything else as default and click Save & Apply.



STEP 3: Go to Network > Routing > Dynamic Routes > BGP, enable BGP and vty, and either create a new BGP instance or modify the default “general” instance:



STEP 4: Configure BGP instance settings:

  1. Enable instance.
  2. Add AS (Autonomous system name, it must match on all of the devices).
  3. Write BGP router ID (HUB GRE Tunnel IP).
  4. Add Network (HUB LAN network IP with subnet mask).
  5. Select Redistribution options. (NHRP routes)
    • Repeat steps 6 to 10 for each of the other spokes.
  6. Write the Name of the new BGP peer instance (anything you want).
  7. Press the Add button, and then the new BGP peer configuration window will appear.
  8. Inside the BGP peer configuration window, enable the instance.
  9. Set Remote AS (should match previously set AS).
  10. Set the remote address (the selected spoke's IP).
  11. Once saved and applied, the changes should be reflected in the BGP peers configuration section.
  12. Write the Name of the new BGP peer group instance (anything you want).
  13. Press the Add button, and then the new BGP peer group configuration window will appear.
  14. Inside the BGP peer group configuration window, enable the instance.
  15. Set Remote AS (should match previously set AS).
  16. Set the neighbor addresses – they should be the spokes' internal DMVPN IPs.
  17. Set Neighbor configuration to Route Reflector Client.
  18. Once saved and applied, some changes should be seen in BGP peer groups section.
  19. Save the configuration.



STEP 5: Configure forwarding between GRE and LAN zones.

Go to Network -> Firewall -> Zones and set the gre => lan zone’s Forwarding inside zone option to Accept. Then click Save & Apply.
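
The Spoke and HUB steps above each carry matching rules (mirrored GRE keys, one pre-shared key, equal IKE lifetimes, one AS, router ID equal to the GRE tunnel IP, BGP peers pointing at tunnel IPs) that are easy to get wrong across several routers. The following is an added example, not Teltonika code, that checks a planning sheet against those rules before anything is typed into the WebUI; the field names, addresses, keys and lifetime values are constructed, and the rule that all tunnel IPs share the hub's GRE subnet is an assumption of the example.

```python
import ipaddress

def device(name, gre_ip, peers, **overrides):
    """Build one router's planned settings (field names are hypothetical)."""
    d = {"name": name, "gre_ip": gre_ip, "gre_netmask": "255.255.255.0",
         "key_in": None, "key_out": None, "psk": "constructed-psk",
         "ike_lifetime": ("8h", "8h"),  # (PHASE 1, PHASE 2), constructed values
         "bgp_as": 65000, "router_id": gre_ip, "peers": peers}
    d.update(overrides)
    return d

def check_dmvpn(hub, spokes):
    """Return a list of mismatches between the hub and spoke settings."""
    problems = []
    # GRE subnet taken from the hub's local GRE IP and netmask (HUB STEP 2).
    gre_net = ipaddress.ip_interface(
        f"{hub['gre_ip']}/{hub['gre_netmask']}").network
    devices = [hub] + spokes
    gre_ips = {d["name"]: d["gre_ip"] for d in devices}

    for s in spokes:
        n = s["name"]
        # Keys are optional, but when set they are mirrored: hub out == spoke in.
        if (s["key_in"], s["key_out"]) != (hub["key_out"], hub["key_in"]):
            problems.append(f"{n}: GRE keys not mirrored from hub")
        if s["psk"] != hub["psk"]:
            problems.append(f"{n}: pre-shared key differs from hub")
        if s["ike_lifetime"] != hub["ike_lifetime"]:
            problems.append(f"{n}: IKE lifetime differs from hub")
        # Assumption of this example: tunnel IPs sit in the hub's GRE subnet.
        if ipaddress.ip_address(s["gre_ip"]) not in gre_net:
            problems.append(f"{n}: GRE IP outside hub GRE subnet {gre_net}")

    for d in devices:
        n = d["name"]
        if d["bgp_as"] != hub["bgp_as"]:
            problems.append(
                f"{n}: AS {d['bgp_as']} differs from hub AS {hub['bgp_as']}")
        if d["router_id"] != d["gre_ip"]:
            problems.append(f"{n}: BGP router ID is not its GRE tunnel IP")
        others = {ip for name, ip in gre_ips.items() if name != n}
        for peer in d["peers"]:
            if peer not in others:
                problems.append(
                    f"{n}: BGP peer {peer} is not another device's GRE IP")

    if len(set(gre_ips.values())) != len(gre_ips):
        problems.append("duplicate GRE tunnel IP")
    return problems

# Constructed plan. spoke2 has three planted mistakes: keys copied from the hub
# instead of mirrored, a different AS, and a peer set to a WAN-style address.
HUB = device("hub", "10.0.0.254", ["10.0.0.1", "10.0.0.2"], key_in=11, key_out=22)
SPOKE1 = device("spoke1", "10.0.0.1", ["10.0.0.254", "10.0.0.2"],
                key_in=22, key_out=11)
SPOKE2 = device("spoke2", "10.0.0.2", ["10.0.0.254", "192.0.2.10"],
                key_in=11, key_out=22, bgp_as=65001)

if __name__ == "__main__":
    for problem in check_dmvpn(HUB, [SPOKE1, SPOKE2]):
        print(problem)
```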


Testing configuration

Please keep in mind that network propagation only occurs when another device is connected to the router (for example, via LAN).

The only exception is the RUTXxx series, which always shares its network information with other spokes and hubs automatically.

When testing, make sure that all routers have at least one client device connected to ensure proper network propagation throughout the DMVPN network.


Access the WebUI of the HUB or of either Spoke, go to Status -> Routes -> Dynamic, and check if there are routes to other device networks:

SPOKE example:


HUB example:

Another way to test the configuration is to connect to one of the devices over SSH or CLI and check the available routes using the ip r command:


Available routes on HUB:


Available routes on spoke:
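
The ip r check described above can be automated: for every remote LAN, the most specific route must point at the GRE interface, otherwise the traffic follows the default route out of the WAN and never enters the tunnel. The following is an added example, not part of the original page; the routing table, the addresses and the interface name gre4-dmvpn are constructed, and the output copied from a real router may name its interfaces differently.

```python
import ipaddress

# Constructed `ip r` output from a spoke (addresses and interface names made up).
SAMPLE_IP_R = """\
default via 198.51.100.1 dev eth1 proto static src 198.51.100.20 metric 1
10.0.0.0/24 dev gre4-dmvpn proto kernel scope link src 10.0.0.1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.10.0/24 via 10.0.0.254 dev gre4-dmvpn proto bgp metric 20
198.51.100.0/24 dev eth1 proto kernel scope link src 198.51.100.20
"""

def parse_routes(text):
    """Turn `ip r` lines into (network, attrs) pairs; other lines are skipped."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # e.g. lines starting with "unreachable" or "blackhole"
        attrs = {}
        for key, value in zip(tok[1:], tok[2:]):
            if key in ("via", "dev", "proto"):
                attrs[key] = value
        routes.append((net, attrs))
    return routes

def best_route(routes, target):
    """Longest-prefix match: the most specific route that covers the target."""
    covering = [r for r in routes
                if r[0].version == target.version and target.subnet_of(r[0])]
    return max(covering, key=lambda r: r[0].prefixlen, default=None)

def check_remote_lans(text, gre_dev, remote_lans):
    """Map each remote LAN to 'ok' or to the reason it would miss the tunnel."""
    routes = parse_routes(text)
    report = {}
    for lan in remote_lans:
        hit = best_route(routes, ipaddress.ip_network(lan))
        if hit is None:
            report[lan] = "no route"
        elif hit[1].get("dev") != gre_dev:
            report[lan] = (f"leaves via {hit[1].get('dev')} ({hit[0]}), "
                           "not the tunnel")
        else:
            report[lan] = "ok"
    return report

if __name__ == "__main__":
    # 192.168.10.0/24 was learned over the tunnel; 192.168.20.0/24 was not.
    lans = ["192.168.10.0/24", "192.168.20.0/24"]
    for lan, status in check_remote_lans(SAMPLE_IP_R, "gre4-dmvpn", lans).items():
        print(lan, status)
```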