DMVPN (Phase 3) with OSPF configuration example: Difference between revisions
First version | No edit summary | (3 intermediate revisions by the same user not shown)
| Line 1: | Line 1: | ||
<p style="color:red">The information on this page is updated in accordance with the [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07. | |||
<p style="color:red">The information on this page is updated in accordance with the [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07.2'''] firmware version .</p> | |||
=Introduction= | =Introduction= | ||
DMVPN stands for Dynamic Multipoint VPN. It's a specific type of VPN technology designed for efficiently connecting multiple remote sites (like branch offices) to a central headquarters over the internet. Unlike traditional point-to-point VPNs that require separate tunnels for each branch office to connect to the central hub, DMVPN uses a hub-and-spoke model. Spoke locations (branch offices) can directly communicate with each other and the central hub securely, without needing all traffic to flow through the central hub. | |||
If You have trouble seeing any of the settings, be sure to enable "'''Advanced mode'''" | If You have trouble seeing any of the settings, be sure to enable "'''Advanced mode'''" | ||
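Review bot: the new Introduction paragraph says spokes communicate "securely", but nothing in this page's configuration encrypts the tunnels: the only secret set is the NHRP pre-shared key that the hub and spoke steps describe as used "in authentication", and the GRE traffic is otherwise plain. Either change "securely" to "directly" or state up front that encryption is covered by the separately linked [[DMVPN with IPsec Phase 3]] page. The firmware note also has a markup defect: the external link is missing the space between the URL and its label (`[https://...Downloads'''00.07.07.2''']` should read `[https://... '''00.07.07.2''']`), and "firmware version ." has a stray space before the period.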
| Line 9: | Line 10: | ||
=Topology= | =Topology= | ||
( | [[File:DMVPN (Phase 3) with OSPF topology2.png|none|border|left|class=tlt-border|1100x1100px]] | ||
<ul> | <ul> | ||
| Line 25: | Line 25: | ||
Create a new instance with a name of Your choice. In this example, we will name it '''"HUB"''' | Create a new instance with a name of Your choice. In this example, we will name it '''"HUB"''' | ||
[[File:DMVPN add Hub.png|none|border|left|class=tlt-border|1100x1100px]] | |||
Configure the HUB as shown: | Configure the HUB as shown: | ||
[[File:DMVPN Hub 1.png|none|border|left|class=tlt-border|1100x1100px]] | |||
[[File:DMVPN Hub 2.png|none|border|left|class=tlt-border|1100x1100px]] | |||
<ul> | <ul> | ||
<li>'''Enable''' - On</li> | <li>'''1. Enable''' - On</li> | ||
<li>'''Working mode''' - Hub</li> | <li>'''2. Working mode''' - Hub</li> | ||
<li>'''Local GRE interface IP address''' - 10.0.0.254</li> | <li>'''3. Local GRE interface IP address''' - 10.0.0.254</li> | ||
<li>'''Local GRE interface netmask''' - 255.255.255.255</li> | <li>'''4. Local GRE interface netmask''' - 255.255.255.255</li> | ||
<li>'''Pre-shared key''' - Create a password which will be used in authentication</li> | <li>'''5. Pre-shared key''' - Create a password which will be used in authentication</li> | ||
<li>'''Redirect''' - On</li> | <li>'''6. Redirect''' - On</li> | ||
<li>'''NFLOG group''' - 123</li> | <li>'''7. NFLOG group''' - 123</li> | ||
<li>'''NHRP multicast NFLOG group''' - 124 (different than NFLOG group number)</li> | <li>'''8. NHRP multicast NFLOG group''' - 124 (different than NFLOG group number)</li> | ||
</ul> | </ul> | ||
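Review bot: the hub list hard-codes the numbering ("1. Enable", "2. Working mode", ...) inside a `<ul>`; use `<ol>` so the numbers follow the screenshots without being typed by hand (the spoke and OSPF lists have the same issue). The spoke steps also include a "Multicast - On" item but the hub list has none, while the Testing section shows the hub sending OSPF hellos to ospf-all.mcast.net; say whether the hub needs that option or whether "NHRP multicast NFLOG group" alone covers it.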
| Line 50: | Line 49: | ||
Create a new instance with a name of Your choice. In this example, we will name it '''"SPOKE1"''' | Create a new instance with a name of Your choice. In this example, we will name it '''"SPOKE1"''' | ||
Configure the SPOKE1 as shown: | Configure the SPOKE1 as shown: | ||
[[File:DMVPN Spoke1 1.png|none|border|left|class=tlt-border|1100x1100px]] | |||
[[File:DMVPN Spoke1 2.png|none|border|left|class=tlt-border|1100x1100px]] | |||
<ul> | <ul> | ||
<li>'''Enable''' - On</li> | <li>'''1. Enable''' - On</li> | ||
<li>'''Working mode''' - Spoke</li> | <li>'''2. Working mode''' - Spoke</li> | ||
<li>'''Hub address''' - Public IP address of the Hub</li> | <li>'''3. Hub address''' - Public IP address of the Hub</li> | ||
<li>'''Local GRE interface IP address''' - 10.0.0.1</li> | <li>'''4. Local GRE interface IP address''' - 10.0.0.1</li> | ||
<li>'''Remote GRE interface IP address''' - 10.0.0.254</li> | <li>'''5. Remote GRE interface IP address''' - 10.0.0.254</li> | ||
<li>'''Pre-shared key''' - Use the same password that was created in the Hub's configuration</li> | <li>'''6. Pre-shared key''' - Use the same password that was created in the Hub's configuration</li> | ||
<li>'''Redirect''' - On</li> | <li>'''7. Redirect''' - On</li> | ||
<li>'''Multicast''' - On</li> | <li>'''8. Multicast''' - On</li> | ||
<li>'''NHRP multicast NFLOG group''' - 124 (same number that was in the Hub's configuration)</li> | <li>'''9. NHRP multicast NFLOG group''' - 124 (same number that was in the Hub's configuration)</li> | ||
</ul> | </ul> | ||
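Review bot: the spoke list has no "Local GRE interface netmask" item, whereas the hub list sets 255.255.255.255; say whether the spoke should use the same /32 or the default. "Redirect - On" on a spoke also deserves a sentence on what it does here, since the Testing section later relies on spoke-to-spoke traffic bypassing the hub and the reader should know which spoke option enables that shortcut behaviour.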
| Line 99: | Line 96: | ||
On the Hub router, navigate to '''Network → Routing → Dynamic Routes → OSPF''' and configure OSPF as shown: | On the Hub router, navigate to '''Network → Routing → Dynamic Routes → OSPF''' and configure OSPF as shown: | ||
[[File:DMVPN Hub OSPF 1.png|none|border|left|class=tlt-border|1100x1100px]] | |||
[[File:DMVPN Hub OSPF Interface.png|none|border|left|class=tlt-border|1100x1100px]] | |||
[[File:DMVPN Spoke1 OSPF 2.png|none|border|left|class=tlt-border|1100x1100px]] | |||
<ul> | <ul> | ||
<li>'''Enable Service''' - On</li> | <li>'''1. Enable Service''' - On</li> | ||
<li>'''Router ID''' - 10.0.0.254</li> | <li>'''2. Router ID''' - 10.0.0.254</li> | ||
<li>'''Passive interfaces''' - br-lan (all LAN interfaces)</li> | <li>'''3. Passive interfaces''' - br-lan (all LAN interfaces)</li> | ||
<li>'''Redistribution options''' - NHRP </li> | <li>'''4. Redistribution options''' - NHRP </li> | ||
<li>'''OSPF Interfaces''' - Create an entry, choose '''Type''' as '''Point-to-Multipoint''' and choose DMVPN interface as OSPF Interface and enable it</li> | <li>'''5. OSPF Interfaces''' - Create an entry, choose '''Type''' as '''Point-to-Multipoint''' and choose DMVPN interface as OSPF Interface and enable it</li> | ||
<li>'''OSPF Area''' - Create an entry, input '''0''' to the '''Zone''' parameter and enable it </li> | <li>'''6. OSPF Area''' - Create an entry, input '''0''' to the '''Zone''' parameter and enable it </li> | ||
<li>'''OSPF Networks''' - Create 2 entries, one network will be named GRE for VPN addresses '''10.0.0.0/24''', another networking will be named LAN for LAN addresses '''192.168.254.0/24.''' | <li>'''7. OSPF Networks''' - Create 2 entries, one network will be named GRE for VPN addresses '''10.0.0.0/24''', another networking will be named LAN for LAN addresses '''192.168.254.0/24.''' | ||
Choose previously created OSPF Area entry and enable OSPF Networks</li> | Choose previously created OSPF Area entry and enable OSPF Networks</li> | ||
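Review bot: the third screenshot in the Hub OSPF step is "DMVPN Spoke1 OSPF 2.png", and the Spoke1 OSPF step below reuses "DMVPN Hub OSPF Interface.png"; check that the screenshots are not swapped. In step 7, "another networking will be named LAN" should read "another network will be named LAN". The OSPF interface entry only sets the type to Point-to-Multipoint; since the tunnel is protected by nothing beyond the NHRP key, consider documenting OSPF interface authentication here if the firmware exposes it, so that a stray peer on the tunnel cannot inject routes.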
| Line 121: | Line 118: | ||
On the Spoke1 router, navigate to '''Network → Routing → Dynamic Routes → OSPF''' and configure OSPF as shown: | On the Spoke1 router, navigate to '''Network → Routing → Dynamic Routes → OSPF''' and configure OSPF as shown: | ||
[[File:DMVPN Spoke1 OSPF 1.png|none|border|left|class=tlt-border|1100x1100px]] | |||
[[File:DMVPN Hub OSPF Interface.png|none|border|left|class=tlt-border|1100x1100px]] | |||
[[File:DMVPN Spoke1 OSPF 2.png|none|border|left|class=tlt-border|1100x1100px]] | |||
<ul> | <ul> | ||
<li>'''Enable Service''' - On</li> | <li>'''1. Enable Service''' - On</li> | ||
<li>'''Router ID''' - 10.0.0.1</li> | <li>'''2. Router ID''' - 10.0.0.1</li> | ||
<li>'''Passive interfaces''' - br-lan (all LAN interfaces)</li> | <li>'''3. Passive interfaces''' - br-lan (all LAN interfaces)</li> | ||
<li>'''Redistribution options''' - None </li> | <li>'''4. Redistribution options''' - None </li> | ||
<li>'''OSPF Interfaces''' - Create an entry, choose '''Type''' as '''Point-to-Multipoint''' and choose DMVPN interface as OSPF Interface and enable it</li> | <li>'''5. OSPF Interfaces''' - Create an entry, choose '''Type''' as '''Point-to-Multipoint''' and choose DMVPN interface as OSPF Interface and enable it</li> | ||
<li>'''OSPF Area''' - Create an entry, input '''0''' to the '''Zone''' parameter and enable it </li> | <li>'''6. OSPF Area''' - Create an entry, input '''0''' to the '''Zone''' parameter and enable it </li> | ||
<li>'''OSPF Networks''' - Create 2 entries, one network will be named GRE for VPN addresses '''10.0.0.0/24''', another networking will be named LAN for LAN addresses '''192.168.1.0/24.''' | <li>'''7. OSPF Networks''' - Create 2 entries, one network will be named GRE for VPN addresses '''10.0.0.0/24''', another networking will be named LAN for LAN addresses '''192.168.1.0/24.''' | ||
Choose previously created OSPF Area entry and enable OSPF Networks</li> | Choose previously created OSPF Area entry and enable OSPF Networks</li> | ||
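Review bot: same typo as in the hub step ("another networking" should be "another network"), and the second screenshot is the hub's "DMVPN Hub OSPF Interface.png". Router ID 10.0.0.1 matches the spoke's GRE address, which is consistent; add that each spoke must use a unique Router ID, since Spoke2 appears in the Testing section without its own configuration steps in this diff.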
| Line 147: | Line 144: | ||
Navigate to '''Network -> Firewall -> General settings -> Zones''', set GRE zone to forward traffic to LAN and disable masquerading. | Navigate to '''Network -> Firewall -> General settings -> Zones''', set GRE zone to forward traffic to LAN and disable masquerading. | ||
[[File:DMVPN Firewall LAN zone.png|none|border|left|class=tlt-border|1100x1100px]] | |||
=Testing the setup= | =Testing the setup= | ||
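Review bot: the text says to set the GRE zone to forward to LAN, but the screenshot is named "DMVPN Firewall LAN zone.png"; state which zone is being edited. For the spoke-to-spoke ping shown later, LAN must also be allowed to forward into the GRE zone and the GRE zone's input policy must admit the OSPF and NHRP traffic arriving on the tunnel, so both directions should be spelled out. Note as well that forwarding can be limited to the remote LAN prefixes (192.168.x.0/24) instead of being opened for all tunnel traffic.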
| Line 153: | Line 150: | ||
If You have followed the steps correctly, configuration should be finished. These should be the results that You will be getting: | If You have followed the steps correctly, configuration should be finished. These should be the results that You will be getting: | ||
Routes on Spoke1: | |||
root@RUTX11:~# ip route | |||
default dev qmimux0 proto static scope link src '''WAN IP''' metric 1 | |||
10.0.0.2 nhid 30 via 10.0.0.254 dev gre4-SPOKE1 proto ospf metric 20 onlink | |||
10.0.0.254 dev gre4-SPOKE1 proto static scope link | |||
'''WAN IP''' dev qmimux0 proto static scope link metric 1 | |||
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 | |||
192.168.2.0/24 nhid 30 via 10.0.0.254 dev gre4-SPOKE1 proto ospf metric 20 onlink | |||
192.168.254.0/24 nhid 30 via 10.0.0.254 dev gre4-SPOKE1 proto ospf metric 20 onlink | |||
Routes on Spoke2: | |||
root@RUTX11:~# ip route | |||
default dev qmimux0 proto static scope link src '''WAN IP''' metric 1 | |||
10.0.0.1 nhid 41 via 10.0.0.254 dev gre4-SPOKE2 proto ospf metric 20 onlink | |||
10.0.0.254 dev gre4-SPOKE2 proto static scope link | |||
'''WAN IP''' dev qmimux0 proto static scope link metric 1 | |||
192.168.1.0/24 nhid 41 via 10.0.0.254 dev gre4-SPOKE2 proto ospf metric 20 onlink | |||
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1 | |||
192.168.254.0/24 nhid 41 via 10.0.0.254 dev gre4-SPOKE2 proto ospf metric 20 onlink | |||
OSPF neighbors on HUB (done on '''FRR VTYSH''' package): | |||
[[File:DMVPN OSPF neighbors.png|none|border|left|class=tlt-border|1100x1100px]] | |||
Spoke1 pinging Spoke2, traffic not going through HUB: | |||
Spoke1: | |||
root@RUTX11:~# ping 192.168.2.1 | |||
PING 192.168.2.1 (192.168.2.1): 56 data bytes | |||
64 bytes from 192.168.2.1: seq=0 ttl=63 time=122.731 ms | |||
64 bytes from 192.168.2.1: seq=1 ttl=63 time=123.373 ms | |||
64 bytes from 192.168.2.1: seq=2 ttl=64 time=100.596 ms | |||
64 bytes from 192.168.2.1: seq=3 ttl=64 time=100.323 ms | |||
64 bytes from 192.168.2.1: seq=4 ttl=64 time=100.048 ms | |||
HUB's traffic: | |||
root@RUTXR1:~# tcpdump -i gre4-HUB | |||
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode | |||
listening on gre4-HUB, link-type LINUX_SLL (Linux cooked v1), snapshot length 262144 bytes | |||
11:56:27.429401 IP 10.0.0.254 > ospf-all.mcast.net: OSPFv2, Hello, length 52 | |||
11:56:27.429578 IP 10.0.0.254 > ospf-all.mcast.net: OSPFv2, Hello, length 52 | |||
11:56:28.334054 IP 10.0.0.254 > 10.0.0.2: OSPFv2, LS-Update, length 100 | |||
11:56:29.094679 IP 10.0.0.2 > ospf-all.mcast.net: OSPFv2, Hello, length 52 | |||
11:56:29.095649 IP 10.0.0.2 > ospf-all.mcast.net: OSPFv2, LS-Ack, length 44 | |||
11:56:35.381588 IP 10.0.0.1 > ospf-all.mcast.net: OSPFv2, Hello, length 52 | |||
<br> | <br> | ||
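Review bot: the ping output is the evidence for "traffic not going through HUB", but the text does not explain it: the first two replies show ttl=63 (one extra hop, i.e. via the hub) and the remaining ones ttl=64, which is the NHRP shortcut taking effect after the redirect; add a sentence saying so, otherwise a reader may take the ttl change for noise. The hub tcpdump showing only OSPF and no ICMP supports the claim and is worth pointing out. "done on FRR VTYSH package" reads better as "using the FRR vtysh package". The route listings and captures should sit in a <pre> block so alignment survives rendering, with the placeholder written as <WAN IP> rather than with bold markup.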
| Line 160: | Line 201: | ||
<ul> | <ul> | ||
<li></li> | <li>[[DMVPN configuration]]</li> | ||
<li></li> | <li>[[DMVPN with IPsec Phase 3]]</li> | ||
<li> | <li>[[OSPF Route Failover]]</li> | ||
</ul> | </ul> | ||