7,851
edits
Changes
DMVPN with IPsec Phase 3 (view source)
Revision as of 13:08, 14 September 2023
, 13:08, 14 September 2023no edit summary
<p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.03.2'''] firmware version. .</p>
<p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.05'''] firmware version. .</p>
==Introduction==
==Introduction==
<ul>
<ul>
<li>2 Teltonika Routers for SPOKES</li>
<li>2 Teltonika Routers for '''SPOKES'''</li>
<li>1 Teltonika Router for HUB with a public IP address</li>
<li>1 Teltonika Router for '''HUB''' with a public IP address</li>
<li>A PC to configure the routers</li>
<li>A PC to configure the routers</li>
</ul>
</ul>
5. Set IPsec Pre-shared key (we used simple 123456 for this example)
5. Set IPsec Pre-shared key (we used simple 123456 for this example)
<br>[[File:HUB main.png|alt=|border]]
<br>[[File:HUB main.png|border|class=tlt-border]]
----
----
<b>Step 2</b>: configure DMVPN Phase 1 parameters:
<b>Step 2</b>: configure '''DMVPN Phase 1''' parameters:
1. Encryption algorithm - AES 128
1. Encryption algorithm - AES 128
3. DH group - MODP3072
3. DH group - MODP3072
<br>[[File:Hub phase1.png|alt=|border]]
<br>[[File:Hub phase1.png|border|class=tlt-border]]
----
----
<b>Step 3</b>: configure DMVPN Phase 2 parameters:
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
1. Encryption algorithm - AES 128
1. Encryption algorithm - AES 128
3. PFS group -MODP3072
3. PFS group -MODP3072
<br>[[File:Hub phase2 fix.png|alt=|border]]
<br>[[File:Hub phase2 fix.png|border|class=tlt-border]]
----
----
<b>Step 4</b>: configure DMVPN NHRP parameters:
<b>Step 4</b>: configure '''DMVPN NHRP''' parameters:
In the NHRP parameters section, it is important to enable '''REDIRECT''' option, which is essential to our Phase 3 configuration.
In the NHRP parameters section, it is important to enable '''REDIRECT''' option, which is essential to our Phase 3 configuration.
<br>[[File:Redirect.png|alt=|border]]
<br>[[File:Redirect.png|border|class=tlt-border]]
----
----
<b>Step 5</b>: save changes
<b>Step 5</b>: save changes
Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below.
Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below.
<b>Step 1</b>: enable BGP and configure General section:
<b>Step 1</b>: enable '''BGP''' and configure General section:
1. Enable vty
1. Enable vty
5. "NHRP routes" selection should be applied under the "Redistribution options" section
5. "NHRP routes" selection should be applied under the "Redistribution options" section
<br>[[File:Hub bgp.png|alt=|border]]
<br>[[File:Hub bgp.png|border|class=tlt-border]]
----
----
<b>Step 2</b>: Create BGP Peer Group:
<b>Step 2</b>: Create '''BGP''' Peer Group:
- Add a Neighbor address for SPOKE 1 and SPOKE 2 (We used 10.0.0.1 and 10.0.0.2 which will be in the same subnet as our hub 10.0.0.254)
- Add a Neighbor address for SPOKE 1 and SPOKE 2 (We used 10.0.0.1 and 10.0.0.2 which will be in the same subnet as our hub 10.0.0.254)
- Leave other settings as default.
- Leave other settings as default.
<br>[[File:Bgp peer grp.png|alt=|border]]
<br>[[File:Bgp peer grp.png|border|class=tlt-border]]
----
----
<b>Step 3</b>: Add two BGP peers for each spoke:
<b>Step 3</b>: Add two '''BGP''' peers for each spoke:
Now let's create BGP peers for Spokes on the same page. Add two new BGP peers with the following parameters:
Now let's create BGP peers for Spokes on the same page. Add two new BGP peers with the following parameters:
We will keep other settings as their default values for this configuration example.
We will keep other settings as their default values for this configuration example.
<br>[[File:Bgp peer1.png|alt=|border]]
<br>[[File:Bgp peer1.png|border|class=tlt-border]]
----
----
[[File:Bgp peer2.png|alt=|border]]
[[File:Bgp peer2.png|border|class=tlt-border]]
----
----
6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)
6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)
<br>[[File:Spoke dmvpn.png|alt=|border]]
<br>[[File:Spoke dmvpn.png|border|class=tlt-border]]
----
----
<b>Step 2</b>: configure DMVPN Phase 1 parameters:
<b>Step 2</b>: configure '''DMVPN''' '''Phase 1''' parameters:
1. Select the Encryption algorithm - AES 128
1. Select the Encryption algorithm - AES 128
3. Select DH group MODP3072
3. Select DH group MODP3072
<br>[[File:Hub phase1.png|alt=spoke phase1|border]]
<br>[[File:Hub phase1.png|border|class=tlt-border]]
----
----
<b>Step 3</b>: configure DMVPN Phase 2 parameters:
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
1. Select the Encryption algorithm AES 128
1. Select the Encryption algorithm AES 128
3. Select PFS group MODP3072
3. Select PFS group MODP3072
<br>[[File:Hub phase2 fix.png|alt=spoke phase2|border]]
<br>[[File:Hub phase2 fix.png|border|class=tlt-border]]
----
----
<b>Step 4</b>: configure DMVPN NHRP parameters:
<b>Step 4</b>: configure '''DMVPN NHRP''' parameters:
- In the NHRP parameters section, it is important to enable REDIRECT option, which is essential to our Phase 3 configuration.
- In the NHRP parameters section, it is important to enable REDIRECT option, which is essential to our Phase 3 configuration.
- Leave everything by default
- Leave everything by default
<br>[[File:Redirect.png|alt=Redirect|border]]
<br>[[File:Redirect.png|border|class=tlt-border]]
----
----
<b>Step 5</b>: save changes
<b>Step 5</b>: save changes
Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below.
Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below.
<b>Step 1</b>: enable BGP and configure General section:
<b>Step 1</b>: enable '''BGP''' and configure General section:
1. Enable vty
2. Set AS to 65001
3. Set Network to 192.168.10.0/24
<br>[[File:Spoke bgp.png|alt=|border]]
<br>[[File:Spoke bgp.png|border|class=tlt-border]]
----
----
<b>Step 2</b>: Create BGP Peer:
<b>Step 2</b>: Create '''BGP''' Peer:
- Set Remote AS to 65000
- Set Remote AS to 65000
- Sethe t Remote address to 10.0.0.254
- Set the Remote address to 10.0.0.254
- Leave everything else as default value
- Leave everything else as default value
<br>[[File:Spoke bgp peer.png|alt=|border]]
<br>[[File:Spoke bgp peer.png|border|class=tlt-border]]
===Spoke 2 configuration: DMVPN===
===Spoke 2 configuration: DMVPN===
2. Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet)
2. Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet)
3. Add Local GRE interface IP address (this is the GRE IP address of "Spoke 2". It should be unique in the entire VPN network)
3. Add Local GRE interface IP address (this is the GRE IP address of "Spoke 2". It should be unique in the entire VPN network)
4. Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device)
4. Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device)
5. Set GRE MTU to 1420 (this value should be set to the same value that was configured on the hub device. In our case, it is "1420")
5. Set GRE MTU to 1420 (this value should be set to the same value that was configured on the hub device. In our case, it is "1420")
6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)
6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)
<br>[[File:Spoke2 dmvpn.png|alt=|border]]
<br>[[File:Spoke2 dmvpn.png|border|class=tlt-border]]
----
----
<b>Step 2</b>: configure DMVPN Phase 1 parameters:
<b>Step 2</b>: configure '''DMVPN Phase 1''' parameters:
1. Select Encryption algorithm - AES 128
2. Select Authentication SHA256
3. Select DH group MODP3072
<br>[[File:Hub phase1.png|alt=spoke phase1|border]]
<br>[[File:Hub phase1.png|border|class=tlt-border]]
----
----
<b>Step 3</b>: configure DMVPN Phase 2 parameters:
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
1. Select Encryption algorithm AES 128
2. Select Hash algorithm SHA256
3. Select PFS group MODP3072
<br>[[File:Hub phase2 fix.png|alt=spoke phase2|border]]
<br>[[File:Hub phase2 fix.png|border|class=tlt-border]]
----
----
<b>Step 4</b>: configure DMVPN NHRP parameters:
<b>Step 4</b>: configure '''DMVPN NHRP''' parameters:
- In the NHRP parameters section, it is important to enable REDIRECT option, which is essential to our Phase 3 configuration.
- In the NHRP parameters section, it is important to enable REDIRECT option, which is essential to our Phase 3 configuration.
- Leave everything by default
- Leave everything by default
<br>[[File:Redirect.png|alt=Redirect|border]]
<br>[[File:Redirect.png|border|class=tlt-border]]
----
----
<b>Step 5</b>: save changes
<b>Step 5</b>: save changes
Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below.
Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below.
<b>Step 1</b>: enable BGP and configure General section:
<b>Step 1</b>: enable '''BGP''' and configure General section:
1. Enable vty
2. Set AS to 65002
3. Set Network to 192.168.20.0/24
<br>[[File:Spoke2 bgp peer.png|alt=|border]]
<br>[[File:Spoke2 bgp peer.png|border|class=tlt-border]]
----
----
<b>Step 2</b>: Create BGP Peer:
<b>Step 2</b>: Create '''BGP''' Peer:
- Set Remote AS to 65000
- Set Remote AS to 65000
- Leave everything else as default value
- Leave everything else as default value
<br>[[File:Spoke bgp peer.png|alt=Spoke bgp peer|border]]
<br>[[File:Spoke bgp peer.png|border|class=tlt-border]]
----
----
===Important Note===
===Important Note===
For '''HUB''' in Network <b>→</b> Firewall GRE zone change from '''REJECT''' to '''ACCEPT''' on '''FORWARD.'''
Also, disable '''Masquerading''' on '''HUB''' and '''ALL spokes''' for GRE <b>→</b> LAN zone forwardings
[[File:Firewall new.png|alt=|border]]
[[File:Firewall.png|alt=|border]]
===Testing configuration===
===Testing configuration===
[[File:Ping2.png|alt=|border]]
[[File:Ping2.png|alt=|border]]
- Check routes in the HUB by executing command '''vtysh -c "show ip nhrp"'''
- Check routes in the HUB by executing *command '''vtysh -c "show ip nhrp"'''
<b>Note</b>: Vtysh check is unavailable with RUT200, RUT230, RUT240, RUT241, RUT260 devices.
[[File:Vtysh nhrp2.jpg|alt=|border]]
[[File:Vtysh nhrp2.jpg|alt=|border]]
- If you need to reboot tunnel, execute '''/etc/init.d/ipsec retart'''
- If you need to reboot tunnel, execute '''/etc/init.d/ipsec retart'''
== Summary ==
At this point, the basic DMVPN configuration is complete and phase 3 will now take effect in order to dynamically establish connectivity between spokes. Using this method, additional spokes may be configured and added to the current topology. DMVPN Phase 3 technology will ensure that any newly introduced devices will be included in the final topology.
== References ==
[https://wiki.teltonika-networks.com/view/VPN_Configuration_Examples VPN configuration Examples]
[https://wiki.teltonika-networks.com/view/DMVPN_configuration DMVPN configuration example]
[https://wiki.teltonika-networks.com/view/IPsec_configuration_examples IPsec configuration example]
[https://wiki.teltonika-networks.com/view/Routing#BGP_Protocol BGP routing]
[https://docs.strongswan.org/docs/5.9/index.html strongSwan Documentation]
[[Category:VPN]]