RUTX DMVPN
The information in this page is updated in accordance with 00.07.19.2 firmware version.
Introduction
Dynamic Multipoint VPN (DMVPN) is a dynamic tunneling form of a virtual private network (VPN) supported on Cisco routers. This article contains step-by-step instructions on how to configure DMVPN between a "HUB" and two "Spokes" using RUTXxx routers.
Prerequisites
You will need:
- At least two RUTxxx routers
- A PC to configure the routers
- The HUB has to be reachable from the Spokes (the HUB must have a public IP address or be in the same WAN network as the Spokes)
Note: If you are using a RUT2xx or RUT9xx device, you will need to install the “BGP daemon, DMVPN, and NHRP daemon” packages.
Configuration scheme
Spoke configuration
This section contains information on how to configure DMVPN Spokes. Firstly, we'll configure the DMVPN instance to make the connection possible. Then we'll set the Border Gateway Protocol (BGP) parameters as our dynamic routing solution.
Note: at the moment, BGP is the only stable dynamic routing solution that can work with DMVPNs.
STEP 1: Connect to the router's WebUI and go to Services > VPN > DMVPN. Enter a name for your DMVPN instance, click ADD, and when the instance appears in the DMVPN CONFIGURATION field, click Edit.
STEP 2: Configure DMVPN settings.
- Enable instance.
- Select Working mode (Spoke).
- Enter HUB Address (HUB WAN IP).
- Select Tunnel source (select your WAN interface).
- Write Local GRE interface IP address (create GRE tunnel IP address or just use the same as in the example).
- Write Remote GRE interface IP address (create GRE tunnel IP address or just use the same as in the example).
- Add GRE MTU (largest PDU size of any single transaction).
- (optional) Write Inbound and outbound keys (Spoke keys should be mirrored from the hub: the hub's outbound key becomes the Spoke's inbound key and vice versa).
- Add Pre-shared key (it must match HUB and other Spokes).
- (optional) Write IKE lifetime (how long the keying channel of a connection should last before being renegotiated). Do this in PHASE 1 and PHASE 2. They should match on HUB and spokes.
- Leave everything else as default and click Save & Apply.
STEP 3: Go to Network > Routing > Dynamic Routes > BGP, enable BGP and vty, and either create a new BGP instance or modify the default general instance:
STEP 4: Configure BGP instance settings:
- Enable instance.
- Add AS (Autonomous System number; it must match on all of the devices, including the other Spokes and the hub).
- Write BGP router ID (SPOKE GRE Tunnel IP).
- Add Network (SPOKE LAN network IP with subnet mask).
- Select Redistribution options. (NHRP routes)
- Repeat steps 6 to 10 for the hub and for each of the other spokes.
- Write the Name of the new BGP peer instance (anything you want).
- Press the Add button, and then the new BGP peer configuration window will appear.

- Inside the BGP peer configuration window, enable the instance.
- Set Remote AS (should match the previously set AS).
- Set the remote address (the internal DMVPN IP of either the other spoke or the hub).
- Once saved and applied, the changes should be reflected in the BGP peers configuration section.
- Write the Name of the new BGP peer group instance (anything you want).
- Press the Add button, and then the new BGP peer group configuration window will appear.

- Inside the BGP peer group configuration window, enable the instance.
- Set Remote AS (should match the previously set AS).
- Set the neighbor addresses: they should be the internal DMVPN IPs of the other spokes and your hub.
- Set Neighbor configuration to Route Reflector Client.
- Once saved and applied, the changes should be reflected in the BGP peer groups section.
- Save the configuration.
STEP 5: Configure forwarding between GRE and LAN zones.
Go to Network > Firewall > Zones and set the gre => lan zone's Forwarding inside zone option to Accept. Then click Save & Apply.
Repeat this on different routers as many times as the number of Spokes that you need. Remember that other Spokes will have different LAN, WAN and GRE IP addresses.
HUB configuration
This section contains information on how to configure the DMVPN HUB.
STEP 1: Connect to the router's WebUI and go to Services > VPN > DMVPN. Enter a name for your DMVPN instance, click ADD, and when the instance appears in the DMVPN CONFIGURATION field, click Edit.
STEP 2: Configure DMVPN settings.
- Enable instance.
- Select Working mode (HUB).
- Select Tunnel source (select your WAN interface).
- Write Local GRE interface IP address (create GRE tunnel IP address or just use the same as in the example).
- Write Local GRE interface netmask.
- Add GRE MTU (largest PDU size of any single transaction).
- (optional) Write Inbound and outbound keys (hub keys should be mirrored from the spokes: the spokes' outbound key becomes the hub's inbound key and vice versa).
- Add Pre-shared key (it must match with the Spokes).
- (optional) Write IKE lifetime (how long the keying channel of a connection should last before being renegotiated). Do this in PHASE 1 and PHASE 2. They should match on spokes too.
- Leave everything else as default and click Save & Apply.
STEP 3: Go to Network > Routing > Dynamic Routes > BGP, enable BGP and vty, and either create a new BGP instance or modify the default “general” instance:
STEP 4: Configure BGP instance settings:
- Enable instance.
- Add AS (Autonomous System number; it must match on all of the devices).
- Write BGP router ID (HUB GRE Tunnel IP).
- Add Network (HUB LAN network IP with subnet mask).
- Select Redistribution options. (NHRP routes)
- Repeat steps 6 to 10 for each of the other spokes.
- Write the Name of the new BGP peer instance (anything you want).
- Press the Add button, and then the new BGP peer configuration window will appear.

- Inside the BGP peer configuration window, enable the instance.
- Set Remote AS (should match the previously set AS).
- Set the remote address (the selected spoke's IP).
- Once saved and applied, the changes should be reflected in the BGP peers configuration section.
- Write the Name of the new BGP peer group instance (anything you want).
- Press the Add button, and then the new BGP peer group configuration window will appear.

- Inside the BGP peer group configuration window, enable the instance.
- Set Remote AS (should match the previously set AS).
- Set the neighbor addresses: they should be the spokes' internal DMVPN IPs.
- Set Neighbor configuration to Route Reflector Client.
- Once saved and applied, the changes should be reflected in the BGP peer groups section.
- Save the configuration.
STEP 5: Configure forwarding between GRE and LAN zones.
Go to Network > Firewall > Zones and set the gre => lan zone's Forwarding inside zone option to Accept. Then click Save & Apply.
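The matching rules from the Spoke and HUB steps above (same AS and pre-shared key on every device, mirrored GRE keys, equal IKE lifetimes, BGP router ID equal to the GRE tunnel IP, distinct LAN and GRE addresses) can be checked on a deployment plan before it is entered in the WebUI. The following Python check is an added example, not Teltonika code; the field names, addresses, AS numbers and key values are constructed, and it assumes every GRE tunnel IP belongs to the hub's GRE network.

```python
import ipaddress
from itertools import combinations

def check_plan(hub, spokes):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, devices = [], [hub] + spokes
    # Assumption: all tunnel IPs share the network given by the hub's GRE IP and netmask.
    tunnel = ipaddress.ip_network(f"{hub['gre_ip']}/{hub['gre_netmask']}", strict=False)
    for dev in devices:
        if dev["router_id"] != dev["gre_ip"]:
            problems.append(f"{dev['name']}: BGP router ID is not its GRE tunnel IP")
    for s in spokes:
        n = s["name"]
        if s["asn"] != hub["asn"]:
            problems.append(f"{n}: AS differs from hub")
        if s["psk"] != hub["psk"]:  # report the mismatch, never echo the secret
            problems.append(f"{n}: pre-shared key differs from hub")
        if (s["key_in"], s["key_out"]) != (hub["key_out"], hub["key_in"]):
            problems.append(f"{n}: GRE keys are not mirrored from hub")
        if s["ike_lifetime"] != hub["ike_lifetime"]:
            problems.append(f"{n}: IKE lifetime (phase 1, phase 2) differs from hub")
        if ipaddress.ip_address(s["gre_ip"]) not in tunnel:
            problems.append(f"{n}: GRE IP outside hub tunnel network {tunnel}")
    for a, b in combinations(devices, 2):
        if a["gre_ip"] == b["gre_ip"]:
            problems.append(f"{a['name']}/{b['name']}: duplicate GRE IP")
        if ipaddress.ip_network(a["lan"]).overlaps(ipaddress.ip_network(b["lan"])):
            problems.append(f"{a['name']}/{b['name']}: LAN networks overlap")
    return problems

def device(name, gre_ip, lan, **over):
    """Build one planned device; hypothetical field names, defaults are the hub's values."""
    base = {"name": name, "gre_ip": gre_ip, "router_id": gre_ip, "lan": lan,
            "asn": 65000, "psk": "constructed-example-psk",
            "key_in": 1001, "key_out": 2002, "ike_lifetime": ("3h", "3h")}
    base.update(over)
    return base

# Constructed plan: spoke2 has a wrong AS, unmirrored GRE keys and spoke1's LAN.
HUB = device("hub", "10.0.0.254", "192.168.1.0/24", gre_netmask="255.255.255.0")
SPOKES = [
    device("spoke1", "10.0.0.1", "192.168.10.0/24", key_in=2002, key_out=1001),
    device("spoke2", "10.0.0.2", "192.168.10.0/24", asn=65001),
]

if __name__ == "__main__":
    for problem in check_plan(HUB, SPOKES):
        print(problem)
```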
Testing configuration
Please keep in mind that network propagation only occurs when another device is connected to the router (for example, via LAN).
The only exception is the RUTXxx series, which always shares its network information with other spokes and hubs automatically.
When testing, make sure that all routers have at least one client device connected to ensure proper network propagation throughout the DMVPN network.
Access the WebUI of the HUB or either of the Spokes, go to Status > Routes > Dynamic, and check whether there are routes to the other devices' networks:
SPOKE example:
Another way to test the configuration is to connect to one of the devices over SSH or CLI and check the available routes using the ip r command:
Available routes on HUB:
Available routes on spoke:
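The route check described above can be automated on output captured from ip r. The following Python example is added here and is not part of the original article; the sample output, interface names, addresses and the 10.0.0.0/24 tunnel network are constructed. It reports which expected remote LANs have no route whose next hop is a GRE tunnel address.

```python
import ipaddress

def routes_via_tunnel(ip_r_output, tunnel_net):
    """Map each routed prefix to its next hop when that hop is inside the tunnel network."""
    tunnel = ipaddress.ip_network(tunnel_net)
    found = {}
    for line in ip_r_output.splitlines():
        fields = line.split()
        if "via" not in fields:
            continue  # directly connected networks have no next hop
        try:
            prefix = ipaddress.ip_network("0.0.0.0/0" if fields[0] == "default" else fields[0])
            hop = ipaddress.ip_address(fields[fields.index("via") + 1])
        except (ValueError, IndexError):
            continue  # skip entries that are not "<prefix> via <address> ..."
        if hop in tunnel:
            found[prefix] = hop
    return found

def missing_lans(ip_r_output, tunnel_net, expected_lans):
    """Return the expected remote LANs that have no route through the tunnel."""
    routes = routes_via_tunnel(ip_r_output, tunnel_net)
    return [lan for lan in expected_lans if ipaddress.ip_network(lan) not in routes]

# Constructed `ip r` output from a spoke; the check does not depend on the
# interface names or the "proto" field, which may differ on a real device.
SAMPLE = """\
default via 203.0.113.1 dev eth1 proto static src 203.0.113.10 metric 1
10.0.0.0/24 dev gre-example proto kernel scope link src 10.0.0.1
192.168.1.0/24 via 10.0.0.254 dev gre-example proto bgp metric 20
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.1
203.0.113.0/24 dev eth1 proto static scope link metric 1
"""

if __name__ == "__main__":
    expected = ["192.168.1.0/24", "192.168.20.0/24"]  # hub LAN and the other spoke's LAN
    for lan in missing_lans(SAMPLE, "10.0.0.0/24", expected):
        print(f"no tunnel route to {lan}")
```

A LAN reported as missing is not necessarily a configuration error: as noted above, a router may only propagate its network once a client device is connected to it.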


