Changes

1,206 bytes added , 13:08, 14 September 2023

no edit summary

Line 1: Line 1: −

The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.~~03.2~~'''] firmware version. .

+

The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.05'''] firmware version. .

==Introduction==

Line 23: Line 23:

<ul>

−

<li>2 Teltonika Routers for SPOKES</li>

+

<li>2 Teltonika Routers for '''SPOKES'''</li>

−

<li>1 Teltonika Router for HUB with a public IP address</li>

+

<li>1 Teltonika Router for '''HUB''' with a public IP address</li>

<li>A PC to configure the routers</li>

</ul>

Line 63: Line 63:

5. Set IPsec Pre-shared key (we used simple 123456 for this example)

−

[[File:HUB main.png|~~alt~~=|border]]

+

[[File:HUB main.png|border|class=tlt-border]]

----

−

Step 2: configure DMVPN Phase 1 parameters:

+

Step 2: configure '''DMVPN Phase 1''' parameters:

1. Encryption algorithm - AES 128

Line 73: Line 73:

3. DH group - MODP3072

−

[[File:Hub phase1.png|~~alt~~=|border]]

+

[[File:Hub phase1.png|border|class=tlt-border]]

----

−

Step 3: configure DMVPN Phase 2 parameters:

+

Step 3: configure '''DMVPN Phase 2''' parameters:

1. Encryption algorithm - AES 128

Line 83: Line 83:

3. PFS group -MODP3072

−

[[File:Hub phase2 fix.png|~~alt~~=|border]]

+

[[File:Hub phase2 fix.png|border|class=tlt-border]]

----

−

Step 4: configure DMVPN NHRP parameters:

+

Step 4: configure '''DMVPN NHRP''' parameters:

In the NHRP parameters section, it is important to enable '''REDIRECT''' option, which is essential to our Phase 3 configuration.

−

[[File:Redirect.png|~~alt~~=|border]]

+

[[File:Redirect.png|border|class=tlt-border]]

----

Step 5: save changes

Line 97: Line 97:

Navigate to the Network → Routing → Dynamic Routes → BGP Protocol page and follow the instructions provided below.

−

Step 1: enable BGP and configure General section:

+

Step 1: enable '''BGP''' and configure General section:

1. Enable vty

Line 109: Line 109:

5. "NHRP routes" selection should be applied under the "Redistribution options" section

−

[[File:Hub bgp.png|~~alt~~=|border]]

+

[[File:Hub bgp.png|border|class=tlt-border]]

----

−

Step 2: Create BGP Peer Group:

+

Step 2: Create '''BGP''' Peer Group:

- Add a Neighbor address for SPOKE 1 and SPOKE 2 (We used 10.0.0.1 and 10.0.0.2 which will be in the same subnet as our hub 10.0.0.254)

Line 119: Line 119:

- Leave other settings as default.

−

[[File:Bgp peer grp.png|~~alt~~=|border]]

+

[[File:Bgp peer grp.png|border|class=tlt-border]]

----

−

Step 3: Add two BGP peers for each spoke:

+

Step 3: Add two '''BGP''' peers for each spoke:

Now let's create BGP peers for Spokes on the same page. Add two new BGP peers with the following parameters:

Line 141: Line 141:

We will keep other settings as their default values for this configuration example.

−

[[File:Bgp peer1.png|~~alt~~=|border]]

+

[[File:Bgp peer1.png|border|class=tlt-border]]

----

−

[[File:Bgp peer2.png|~~alt~~=|border]]

+

[[File:Bgp peer2.png|border|class=tlt-border]]

----

Line 167: Line 167:

6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)

−

[[File:Spoke dmvpn.png|~~alt~~=|border]]

+

[[File:Spoke dmvpn.png|border|class=tlt-border]]

----

−

Step 2: configure DMVPN Phase 1 parameters:

+

Step 2: configure '''DMVPN''' '''Phase 1''' parameters:

1. Select the Encryption algorithm - AES 128

Line 179: Line 179:

3. Select DH group MODP3072

−

[[File:Hub phase1.png|~~alt~~=~~spoke phase1|~~border]]

+

[[File:Hub phase1.png|border|class=tlt-border]]

----

−

Step 3: configure DMVPN Phase 2 parameters:

+

Step 3: configure '''DMVPN Phase 2''' parameters:

1. Select the Encryption algorithm AES 128

Line 191: Line 191:

3. Select PFS group MODP3072

−

[[File:Hub phase2 fix.png|~~alt~~=~~spoke phase2|~~border]]

+

[[File:Hub phase2 fix.png|border|class=tlt-border]]

----

−

Step 4: configure DMVPN NHRP parameters:

+

Step 4: configure '''DMVPN NHRP''' parameters:

- In the NHRP parameters section, it is important to enable REDIRECT option, which is essential to our Phase 3 configuration.

Line 201: Line 201:

- Leave everything by default

−

[[File:Redirect.png|~~alt~~=~~Redirect|~~border]]

+

[[File:Redirect.png|border|class=tlt-border]]

----

Step 5: save changes

Line 209: Line 209:

Navigate to the Network → Routing → Dynamic Routes → BGP Protocol page and follow the instructions provided below.

−

Step 1: enable BGP and configure General section:

+

Step 1: enable '''BGP''' and configure General section:

−

- Enable vty

+

1. Enable vty

−

- Set AS to 65001

+

2. Set AS to 65001

−

- Set Network to 192.168.10.0/24

+

3. Set Network to 192.168.10.0/24

−

[[File:~~DMVPN HUB Phase3 spoke example5~~.png|border|class=tlt-border]]

+

[[File:Spoke bgp.png|border|class=tlt-border]]

----

−

Step 2: Create BGP Peer:

+

Step 2: Create '''BGP''' Peer:

- Set Remote AS to 65000

−

- ~~Sethe t~~ Remote address to 10.0.0.254

+

- Set the Remote address to 10.0.0.254

- Leave everything else as default value

−

[[File:~~DMVPN HUB Phase3 spoke example6~~.png|border|class=tlt-border]]

+

[[File:Spoke bgp peer.png|border|class=tlt-border]]

===Spoke 2 configuration: DMVPN===

Line 235: Line 235:

Navigate to the Services → VPN → DMVPN page and follow the instructions provided below.

−

Step 1: create a new DMVPN instance:

+

Step 1: create a new DMVPN instance:

−

- Add HUB address (this is the public IP address of the previously configured hub device)

+

1. Add HUB address (this is the public IP address of the previously configured hub device)

−

- Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet)

+

2. Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet)

−

- Add Local GRE interface IP address (this is the GRE IP address of "Spoke 2". It should be unique in the entire VPN network)

+

3. Add Local GRE interface IP address (this is the GRE IP address of "Spoke 2". It should be unique in the entire VPN network)

−

- Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device)

+

4. Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device)

−

- Set GRE MTU to 1420 (this value should be set to the same value that was configured on the hub device. In our case, it is "1420")

+

5. Set GRE MTU to 1420 (this value should be set to the same value that was configured on the hub device. In our case, it is "1420")

−

- Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)

+

6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)

−

[[File:~~DMVPN phase3 example5~~.png|~~alt~~=|border]]

+

[[File:Spoke2 dmvpn.png|border|class=tlt-border]]

----

−

Step 2: configure DMVPN Phase 1 parameters:

+

Step 2: configure '''DMVPN Phase 1''' parameters:

−

- Select Encryption algorithm - AES 128

+

1. Select Encryption algorithm - AES 128

−

- Select Authentication SHA256

+

2. Select Authentication SHA256

−

- Select DH group MODP3072

+

3. Select DH group MODP3072

−

[[File:~~DMVPN phase3 example2~~.png|~~alt~~=|border]]

+

[[File:Hub phase1.png|border|class=tlt-border]]

----

−

Step 3: configure DMVPN Phase 2 parameters:

+

Step 3: configure '''DMVPN Phase 2''' parameters:

−

- Select Encryption algorithm AES 128

+

1. Select Encryption algorithm AES 128

−

- Select Hash algorithm SHA256

+

2. Select Hash algorithm SHA256

−

- Select PFS group MODP3072

+

3. Select PFS group MODP3072

−

[[File:~~DMVPN phase3 example3~~.png|~~alt~~=|border]]

+

[[File:Hub phase2 fix.png|border|class=tlt-border]]

----

−

Step 4: configure DMVPN NHRP parameters:

+

Step 4: configure '''DMVPN NHRP''' parameters:

- In the NHRP parameters section, it is important to enable REDIRECT option, which is essential to our Phase 3 configuration.

Line 281: Line 281:

- Leave everything by default

−

[[File:~~DMVPN HUB Phase3 spoke2 example4~~.png|border|class=tlt-border]]

+

[[File:Redirect.png|border|class=tlt-border]]

----

Step 5: save changes

Line 289: Line 289:

Navigate to the Network → Routing → Dynamic Routes → BGP Protocol page and follow the instructions provided below.

−

Step 1: enable BGP and configure General section:

+

Step 1: enable '''BGP''' and configure General section:

−

- Enable vty

+

1. Enable vty

−

- Set AS to 65002

+

2. Set AS to 65002

−

- Set Network to 192.168.20.0/24

+

3. Set Network to 192.168.20.0/24

−

[[File:~~DMVPN HUB Phase3 spoke2 example5~~.png|border|class=tlt-border]]

+

[[File:Spoke2 bgp peer.png|border|class=tlt-border]]

----

−

Step 2: Create BGP Peer:

+

Step 2: Create '''BGP''' Peer:

- Set Remote AS to 65000

Line 309: Line 309:

- Leave everything else as default value

−

[[File:~~DMVPN HUB Phase3 spoke2 example6~~.png|border|class=tlt-border]]

+

[[File:Spoke bgp peer.png|border|class=tlt-border]]

----

===Important Note===

+

For '''HUB''' in Network → Firewall GRE zone change from '''REJECT''' to '''ACCEPT''' on '''FORWARD.'''

+

Also, disable '''Masquerading''' on '''HUB''' and '''ALL spokes''' for GRE → LAN zone forwardings

−

~~For HUB in Network > Firewall GRE zone change from REJECT to ACCEPT on FORWARD.~~

+

[[File:Firewall new.png|alt=|border]]

−

[[File:~~DMVPN HUB Phase3 example~~ Firewall.png|~~border~~|~~class=tlt-~~border]]

===Testing configuration===

Line 329: Line 329:

[[File:Ping2.png|alt=|border]]

−

- Check routes in the HUB by executing command '''vtysh -c "show ip nhrp"'''

+

- Check routes in the HUB by executing *command '''vtysh -c "show ip nhrp"'''

+

Note: Vtysh check is unavailable with RUT200, RUT230, RUT240, RUT241, RUT260 devices.

[[File:Vtysh nhrp2.jpg|alt=|border]]

- If you need to reboot tunnel, execute '''/etc/init.d/ipsec retart'''

+

== Summary ==

+

At this point, the basic DMVPN configuration is complete and phase 3 will now take effect in order to dynamically establish connectivity between spokes. Using this method, additional spokes may be configured and added to the current topology. DMVPN Phase 3 technology will ensure that any newly introduced devices will be included in the final topology.

+

== References ==

+

[https://wiki.teltonika-networks.com/view/VPN_Configuration_Examples VPN configuration Examples]

+

[https://wiki.teltonika-networks.com/view/DMVPN_configuration DMVPN configuration example]

+

[https://wiki.teltonika-networks.com/view/IPsec_configuration_examples IPsec configuration example]

+

[https://wiki.teltonika-networks.com/view/Routing#BGP_Protocol BGP routing]

+

[https://docs.strongswan.org/docs/5.9/index.html strongSwan Documentation]

+

[[Category:VPN]]

Vainius.l

Administrators

7,851

edits

Changes

DMVPN with IPsec Phase 3 (view source)

Revision as of 13:08, 14 September 2023