Changes

Added comments. CTRL+F and search for "###" until no matches are found. Delete comments afterwards.
Line 2: Line 2:     
This article contains instructions on how to configure DMVPN Phase 3 between a "Hub" and two "Spokes" using Teltonika devices.
 
This article contains instructions on how to configure DMVPN Phase 3 between a "Hub" and two "Spokes" using Teltonika devices.
 +
 +
 +
<nowiki>###</nowiki> Some description about what is DMVPN and benefits of phase 3 would be nice to have here.  Probably don't need much, but a summary about what it is should be here.
 +
 +
<nowiki>###</nowiki> Most notably how phase 3 is beneficial - would be great to have a comparison of phase 2 vs phase 3
    
==Prerequisites and overview==
 
==Prerequisites and overview==
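Review bot: the requested Phase 2 vs Phase 3 summary for the intro should be tied to what this article actually configures: the hub's NHRP "Redirect" option (Step 4 below) is what lets the hub tell a spoke to build a direct spoke-to-spoke shortcut instead of hairpinning traffic through the hub, and that is why the BGP section redistributes NHRP routes. One or two sentences stating that in the intro would explain both later steps at once.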
Line 12: Line 17:  
     <li>HUB must have a Public IP address</li>
 
     <li>HUB must have a Public IP address</li>
 
</ul>
 
</ul>
 +
 +
 +
<nowiki>###</nowiki> Recommended to segment spokes and hub requirements here. At a minimum we will need 2 spokes to demonstrate this issue, and as a separate requirement, at least 1 hub with a public IP address.
    
==HUB configuration==
 
==HUB configuration==
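Review bot: agree with splitting the prerequisites into hub and spoke lists; the spoke list should state that the spoke only needs outbound reachability to the hub's public IP and may sit behind NAT, since the article already depends on that in the "Important Note" at the end (Local identifier for setups behind NAT). Putting it here avoids the reader discovering the NAT requirement only after configuring everything.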
Line 17: Line 25:  
This section contains information on how to configure DMVPN <b>HUB</b>. Firstly, we'll configure the DMVPN instance to make the connection possible. Then we'll set the <b>Border Gateway Protocol</b> (<b>BGP</b>) parameters as our dynamic routing solution.
 
This section contains information on how to configure DMVPN <b>HUB</b>. Firstly, we'll configure the DMVPN instance to make the connection possible. Then we'll set the <b>Border Gateway Protocol</b> (<b>BGP</b>) parameters as our dynamic routing solution.
   −
<b>Note</b>: at the moment, BGP is the only stable dynamic routing solution that can work with DMVPNs.
+
<b>Note</b>: at the moment, BGP is the only stable dynamic routing solution that can work with DMVPN.
    
===HUB configuration: DMVPN===
 
===HUB configuration: DMVPN===
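Review bot: the note "at the moment, BGP is the only stable dynamic routing solution that can work with DMVPN" has no version attached, so it will silently go stale; suggest stating the firmware version on which this was verified, e.g. "as of RutOS <version>" (placeholder, fill in the version tested). The singular "DMVPN" in the new revision is the correct form.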
Line 28: Line 36:     
- Set Local GRE interface IP address (for example, 10.0.0.254)
 
- Set Local GRE interface IP address (for example, 10.0.0.254)
 +
 +
<nowiki>###</nowiki> GRE netmask should be an entire subnet, /24 or however many spokes we expect to connect to this hub
 +
 +
<nowiki>###</nowiki> We can still use 10.0.0.254, but with a netmask of 255.255.255.0 for example
    
- Set GRE MTU value to 1476
 
- Set GRE MTU value to 1476
   −
- Set Pre-shared key (we  used simple 123456 for this example)
+
<nowiki>###</nowiki> One note - if we use mobile, I recommend using lower MTU value, maybe 1420 or even lower, down to 1400 or so. I think using 1420 in this example would be better
 +
 
 +
<nowiki>###</nowiki> There have been situations when mobile MTU is not consistent, depending on carrier, which would break connections when packets had to be fragmented
 +
 
 +
<nowiki>###</nowiki> Outbound/inbound keys are optional, but worth to mention why they are here and what they are for
 +
 
 +
- Set IPsec Pre-shared key (we  used simple 123456 for this example)
    
<br>[[File:DMVP_HUB_phase3_example1.png|border|class=tlt-border]]
 
<br>[[File:DMVP_HUB_phase3_example1.png|border|class=tlt-border]]
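Review bot: the IPsec pre-shared key "123456" needs an explicit "example only" remark on the line that introduces it, because the spoke steps later say "input same Pre-shared key", i.e. one PSK is shared by the hub and every spoke, so a guessable value is the weakest point of the whole design and a single compromised spoke exposes it for all sites; recommend a long random value in production. Also agree with the MTU comment; whichever value is chosen (1476 or the suggested 1420), the spoke sections must use the identical number.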
Line 42: Line 60:     
- DH group - MODP1024
 
- DH group - MODP1024
 +
 +
 +
<nowiki>###</nowiki> I don't recommend these parameters, they are not secure. Anything at or below the following shouldn't be used:
 +
 +
<nowiki>###</nowiki> AES-128
 +
 +
<nowiki>###</nowiki> Auth SHA256
 +
 +
<nowiki>###</nowiki> DH group - MODP3072 or ECP256
    
<br>[[File:DMVP HUB phase3 example2.png|border|class=tlt-border]]
 
<br>[[File:DMVP HUB phase3 example2.png|border|class=tlt-border]]
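Review bot: the comment "Anything at or below the following shouldn't be used: AES-128, Auth SHA256, DH group MODP3072 or ECP256" reads as if those listed values are themselves forbidden, which contradicts the intent; it should say "anything weaker than the following" so that AES-128, SHA256 and MODP3072/ECP256 are the minimum, not the ceiling. The underlying point stands: MODP1024 is below current guidance and should not remain in the article's Phase 1 settings.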
Line 52: Line 79:     
- PFS group -MODP768
 
- PFS group -MODP768
 +
 +
 +
<nowiki>###</nowiki> Same story here, try to increase security level here to a more secure solution.
 +
 +
<nowiki>###</nowiki> IPsec Phase 2 settings generally uses slightly lower parameters, because those algorithms are responsible for encrypting actual data traffic that we want to send over the IPsec tunnel
    
<br>[[File:DMVPN HUB Phase3 example3.png|border|class=tlt-border]]
 
<br>[[File:DMVPN HUB Phase3 example3.png|border|class=tlt-border]]
 
----
 
----
 
<b>Step 4</b>: configure DMVPN NHRP parameters:
 
<b>Step 4</b>: configure DMVPN NHRP parameters:
 +
 +
<nowiki>###</nowiki> Highlight the importance of "Redirect option here". This is essentially what makes P3 possible.
    
<br>[[File:DMVPN HUB Phase3 example4.png|border|class=tlt-border]]
 
<br>[[File:DMVPN HUB Phase3 example4.png|border|class=tlt-border]]
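Review bot: for the PFS group line, the recommendation to use "slightly lower parameters" for Phase 2 should be dropped: the PFS group sets the strength of every data-key rekey, so MODP768 limits the forward secrecy of the traffic regardless of how strong Phase 1 is. Suggest matching the Phase 1 DH group in the PFS selection. The request to highlight the NHRP "Redirect" option in Step 4 is correct; that option is the hub-side trigger for Phase 3 spoke-to-spoke shortcuts.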
Line 72: Line 106:     
- Set announcement network(s). Routes to these networks will be shared over BGP. We used 192.168.1.0/24
 
- Set announcement network(s). Routes to these networks will be shared over BGP. We used 192.168.1.0/24
 +
 +
<nowiki>###</nowiki> Highlight the fact that "NHRP routes" selection should exist under "Redistribution options"
 +
 +
<nowiki>###</nowiki> Probably a good idea to set BGP router ID here using GRE interface IPs to avoid confusion and make troubleshooting easier
    
<br>[[File:DMVPN HUB Phase3 example5.png|border|class=tlt-border]]
 
<br>[[File:DMVPN HUB Phase3 example5.png|border|class=tlt-border]]
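Review bot: when adding the BGP router ID suggestion, give the concrete value alongside the text so screenshot and text agree (the hub's GRE address 10.0.0.254 from the DMVPN step). The announcement line should also state that each spoke announces its own, non-overlapping LAN prefix; with 192.168.1.0/24 announced by the hub, a spoke using the same subnet would produce routes BGP cannot tell apart.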
Line 80: Line 118:     
- Add Neighbor address (We used 10.0.0.1 and 10.0.0.2)
 
- Add Neighbor address (We used 10.0.0.1 and 10.0.0.2)
 +
 +
<nowiki>###</nowiki> Explanation needed what these IP addresses are - this might not be clear enough for end-users that this is spoke devices GRE IP address
 +
 +
<nowiki>###</nowiki> Also need to quickly mention about other settings
 +
 +
<nowiki>###</nowiki> Remote AS is empty here - I don't remember now, but is this intended?
    
<br>[[File:DMVPN HUB Phase3 example6.png|border|class=tlt-border]]
 
<br>[[File:DMVPN HUB Phase3 example6.png|border|class=tlt-border]]
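Review bot: agree that "Neighbor address (We used 10.0.0.1 and 10.0.0.2)" must say these are the spokes' Local GRE interface IP addresses set in the spoke DMVPN step; as written the reader has no anchor for the values. The empty "Remote AS" field should be resolved in the text either way: state whether hub and spokes share one AS number, since the spoke peer definitions must be consistent with whatever the hub side uses.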
Line 86: Line 130:     
<b>Step 3</b>: Add two BGP peers for each spoke:
 
<b>Step 3</b>: Add two BGP peers for each spoke:
 +
 +
<nowiki>###</nowiki> Need to mention that "Let's move on to spokes BGP configuration now.", because it looks a bit confusing
    
Peer 1.
 
Peer 1.
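Review bot: "Add two BGP peers for each spoke" reads as two peers per spoke, but the steps that follow define one peer per spoke (Peer 1 with 10.0.0.1, Peer 2 with 10.0.0.2); suggest "Add one BGP peer for each of the two spokes". The requested transition sentence to the spoke BGP configuration would fix the same confusion.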
Line 98: Line 144:     
- Set Remote address as 10.0.0.2
 
- Set Remote address as 10.0.0.2
 +
 +
<nowiki>###</nowiki> Briefly mention that other fields are not mandatory, but changes can be done if needed (aka "we will keep other settings as their default values for this configuration example" statement)
    
<br>[[File:DMVPN HUB Phase3 example7.png|border|class=tlt-border]]
 
<br>[[File:DMVPN HUB Phase3 example7.png|border|class=tlt-border]]
Line 107: Line 155:  
===Spoke 1 configuration: DMVPN===
 
===Spoke 1 configuration: DMVPN===
 
----
 
----
 +
<nowiki>###</nowiki> I think this should be done before dynamic routing configuration on each spoke, just to have IPsec tunnel and GRE IPs set for us
 +
 +
 
Navigate to the <b>Services → VPN → DMVPN</b> page and follow the instructions provided below.
 
Navigate to the <b>Services → VPN → DMVPN</b> page and follow the instructions provided below.
    
<b>Step 1</b>: create a new DMVPN instance:
 
<b>Step 1</b>: create a new DMVPN instance:
   −
- Add HUB address
+
<nowiki>###</nowiki> I recommend to explain each step here in detail, for example:
   −
- Select Tunnel source
+
- Add HUB address ### - this is the public IP address of previously configured hub device
   −
- Add Local GRE interface IP address
+
- Select Tunnel source ### - this is the egress interface, which will be able to reach hub device's public IP address over the internet
   −
- Add Remote GRE interface IP address
+
- Add Local GRE interface IP address ### - this is the GRE IP address of "Spoke 1". It should be unique in the entire VPN network
   −
- Set GRE MTU
+
- Add Remote GRE interface IP address ### - this is the GRE IP address of the previously configured hub device
   −
- Set Local identifier, Remote identifier as %any and input same Pre-shared key
+
- Set GRE MTU ### - this value should be set to the same value that was configured on the hub device. In our case, it is "1400"
 +
 
 +
- Set Local identifier, Remote identifier as %any and input same Pre-shared key ### brief explanation why this is needed would be nice as well
    
<br>[[File:DMVPN HUB Phase3 spoke1 example1.png|border|class=tlt-border]]
 
<br>[[File:DMVPN HUB Phase3 spoke1 example1.png|border|class=tlt-border]]
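Review bot: the GRE MTU explanation says "In our case, it is 1400", which matches neither the hub section (1476) nor the 1420 suggested in the hub comments; a GRE MTU mismatch between hub and spoke is exactly the fragmentation failure the hub comments warn about, so one value must be chosen and used in all three sections. For the "Local identifier, Remote identifier as %any" line, give the actual Local identifier value used for Spoke 1, since the closing "Important Note" relies on this field for spokes behind NAT and should not have to restate it.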
Line 134: Line 187:     
- Select DH group MODP1024
 
- Select DH group MODP1024
 +
 +
 +
<nowiki>###</nowiki> Same comment from hub section applies, increase security level
    
<br>[[File:DMVPN HUB Phase3 spoke example2.png|border|class=tlt-border]]
 
<br>[[File:DMVPN HUB Phase3 spoke example2.png|border|class=tlt-border]]
Line 146: Line 202:     
- Select PFS group MODP768
 
- Select PFS group MODP768
 +
 +
 +
<nowiki>###</nowiki> Same comment from hub section applies, increase security level
    
<br>[[File:DMVPN HUB Phase3 spoke example3.png|border|class=tlt-border]]
 
<br>[[File:DMVPN HUB Phase3 spoke example3.png|border|class=tlt-border]]
Line 155: Line 214:  
- Leave everything by default
 
- Leave everything by default
   −
<br>[[File:DMVPN HUB Phase3 spoke example4.png|border|class=tlt-border]]
+
<nowiki>###</nowiki> Once again, highlight importance of "Redirect" option here<br>[[File:DMVPN HUB Phase3 spoke example4.png|border|class=tlt-border]]
 
----
 
----
 
<b>Step 5</b>: save changes
 
<b>Step 5</b>: save changes
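Review bot: the "###" comment about the Redirect option was placed on the same line as the image link ("...here<br>[[File:DMVPN HUB Phase3 spoke example4.png|...]]"), so a search-and-delete of the comment marks will either leave the comment text behind or remove the image; put the comment on its own line above the image. Content-wise the point is right: the spoke's Redirect/shortcut handling is what lets it act on the hub's NHRP redirect.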
Line 184: Line 243:     
===Spoke 2 configuration: DMVPN===
 
===Spoke 2 configuration: DMVPN===
 +
 +
<nowiki>###</nowiki> Same points and comments apply here just as it was in Spoke 1 config section
    
Navigate to the <b>Services → VPN → DMVPN</b> page and follow the instructions provided below.
 
Navigate to the <b>Services → VPN → DMVPN</b> page and follow the instructions provided below.
Line 256: Line 317:     
===Important Note===
 
===Important Note===
 +
 +
<nowiki>###</nowiki> Explanation why this is needed is recommended, because naturally a question comes to mind "why" this is needed
    
For HUB in Network > Firewall GRE zone change from REJECT to ACCEPT on FORWARD.
 
For HUB in Network > Firewall GRE zone change from REJECT to ACCEPT on FORWARD.
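Review bot: the firewall change lacks its reason and is broader than it needs to be: before the NHRP redirect establishes a spoke-to-spoke shortcut, the first packets between spokes enter and leave the hub on the GRE zone, so the hub must forward within that zone; the text should say so and should scope the accept to forwarding between GRE zone interfaces rather than describing a blanket FORWARD accept, so LAN-to-GRE forwarding stays governed by the existing zone rules.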
Line 265: Line 328:     
For setups behind NAT specify Local identifier in the <b>Services → VPN → DMVPN → IPsec section </b>
 
For setups behind NAT specify Local identifier in the <b>Services → VPN → DMVPN → IPsec section </b>
 +
 +
<nowiki>###</nowiki> Didn't we already set this during spoke configuration? It's a good point to mention/explain, but I don't think this should be at the bottom of the article, but instead should be next to IPsec config of each spoke
    
----
 
----
 
[[File:DMVPN HUB Phase3 example Behind NAT.png|border|class=tlt-border]]
 
[[File:DMVPN HUB Phase3 example Behind NAT.png|border|class=tlt-border]]
 +
 +
 +
<nowiki>###</nowiki> Need to show working configuration with pings or something. Also to verify that Phase 3 DMVPN condition is actually working.
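Review bot: agree with moving the NAT Local identifier remark next to each spoke's IPsec step, where the field is set. For the verification request, a ping between the two spokes' LANs only shows reachability; to show the Phase 3 condition, the article should also show the spoke's NHRP cache after that ping containing a shortcut entry for the other spoke's GRE address, and that the continued traffic no longer passes through the hub.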