DMVPN: setup instructions
Dynamic Multipoint Virtual Private Network (DMVPN) is a way to build a VPN without configuring every possible tunnel endpoint in advance. It is usually deployed as a hub-and-spoke network in which each new spoke can join with minimal effort. The main advantages of DMVPN are simplified router configuration, high scalability, good performance with increased throughput, and secure routing over IPsec.
What DMVPN consists of and how it is configured
DMVPN has three phases that determine how data is routed:
- Phase 1: all traffic goes from the spokes to the hub and through it.
- Phase 2: builds on Phase 1 and allows direct tunnels between spokes. Routing is done through the IP routing table, and spokes reach other networks using the next-hop IP address for the particular network.
- Phase 3: improves scalability and has fewer restrictions than Phase 2. It allows routes to be summarized from the hub to the spokes, so the spokes do not even need their own specific routes and can use a default route to the hub router.
Today we will look at the instructions for setting up DMVPN Phase 3 between a hub and two spokes.
Instructions for setting up DMVPN: one hub and two spokes
Currently, BGP is the only stable dynamic routing solution that works with DMVPN. If you have trouble finding a specific page or option in your device's web interface, turn on the Advanced WebUI ("Enhanced Web Interface"). To do this, click the "Basic" button under "Mode" in the upper right corner of the web interface.
First, let's configure a DMVPN instance to establish the connection. Then we'll set the BGP (Border Gateway Protocol) parameters as the dynamic routing solution.
- Configuring the HUB DMVPN: go to the Services page in the device web interface → VPN → DMVPN.
- In the "Tunnel source" field, select the HUB's interface.
- Specify the local IP address of the GRE interface (for example, 10.0.0.254).
- Set the GRE interface subnet mask to 255.255.255.255.
- Set the GRE interface MTU to 1420 (or lower, for example 1400, if a mobile interface is used).
- The outgoing/incoming keys are optional and are left at their defaults in this example.
- Specify the IPsec pre-shared key (in this example, a simple 654321).
- Configure the DMVPN Phase 1 parameters: encryption algorithm AES 128, authentication SHA256, DH group MODP3072.
- Configure the DMVPN Phase 2 parameters: encryption algorithm AES 128, hash algorithm SHA256, PFS group MODP3072.
- Configure the DMVPN NHRP parameters. In the NHRP options section, it is important to enable the REDIRECT option, which is required for our Phase 3 configuration. Save your changes.
- Configuring Spoke 1 BGP: go to "Network" → "Routing" → "Dynamic routes" → "BGP Protocol", enable BGP and configure the basic settings: enable vty, set the autonomous system (AS) to 65001, and specify the network 192.168.10.0/24. Then create a BGP peer: set the remote autonomous system (AS) to 65000 and the remote address to 10.0.0.254, leaving the rest at default.
- Configuring Spoke 2 DMVPN: go to "Services" → "VPN" → "DMVPN" and create a new DMVPN instance. Add the HUB address (the public IP address of the HUB device). Select the tunnel source (the outgoing interface from which the HUB IP address is reachable over the Internet). Specify the local IP address of the GRE interface (it must be unique within the VPN). Add the remote GRE interface IP address (the IP address of the HUB's GRE interface). Set the GRE MTU to 1420. Set the local ID (needed for devices behind NAT) and the remote ID, and enter the same pre-shared key. Configure the DMVPN Phase 1 and Phase 2 parameters. Enable the REDIRECT option in the NHRP parameters.
- Configuring Spoke 2 BGP: go to "Network" → "Routing" → "Dynamic routes" → "BGP Protocol" and follow the same steps. Enable BGP and configure the basic settings: enable vty, set the autonomous system (AS) to 65002, specify the network 192.168.20.0/24, create a BGP peer, set the remote autonomous system (AS) to 65000 and the remote address to 10.0.0.254. Leave the rest of the settings at default.
Important note: on the HUB, in "Network" → "Firewall", change the GRE zone from REJECT to ACCEPT in the FORWARD section. Also disable masquerading on the HUB and on all spokes for forwarding from the GRE zone to the LAN zone.
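Several values entered above must agree between the HUB and every spoke (the PSK, the Phase 1/Phase 2 proposals, the HUB GRE address used both as the spokes' remote GRE IP and as their BGP peer, the REDIRECT option), while others must be unique per site (GRE address, spoke AS, LAN prefix). The following pre-flight check, an added example that is not part of the original guide or of the router vendor's software, encodes those relationships so the parameters can be verified before they are clicked through in the web interface. It uses the guide's values; the HUB AS 65000 is assumed from the spokes' "remote AS" field, and the spoke GRE addresses, the public HUB IP and the PSK-length threshold are constructed assumptions.

```python
"""Pre-flight consistency check for DMVPN hub/spoke parameters (added example, not from the guide)."""
import ipaddress

# Phase 1 / Phase 2 proposals exactly as the guide configures them on every device.
PHASE1 = {"encryption": "AES128", "authentication": "SHA256", "dh_group": "MODP3072"}
PHASE2 = {"encryption": "AES128", "hash": "SHA256", "pfs_group": "MODP3072"}

HUB = {"name": "hub", "gre_ip": "10.0.0.254", "gre_mask": "255.255.255.255",
       "gre_mtu": 1420, "psk": "654321", "phase1": PHASE1, "phase2": PHASE2,
       "nhrp_redirect": True, "bgp_as": 65000}  # hub AS assumed from the spokes' remote AS


def spoke(name, gre_ip, bgp_as, network):
    """Build a spoke record with the guide's settings; only the per-site values vary."""
    return {"name": name, "hub_address": "203.0.113.10",  # constructed public HUB IP
            "gre_ip": gre_ip, "remote_gre_ip": "10.0.0.254", "gre_mtu": 1420,
            "psk": "654321", "phase1": PHASE1, "phase2": PHASE2, "nhrp_redirect": True,
            "bgp_as": bgp_as, "network": network,
            "peer_remote_as": 65000, "peer_address": "10.0.0.254"}


SPOKES = [spoke("spoke1", "10.0.0.1", 65001, "192.168.10.0/24"),   # GRE IPs constructed
          spoke("spoke2", "10.0.0.2", 65002, "192.168.20.0/24")]

MIN_PSK_LEN = 16  # assumed threshold for the warning below, not a value from the guide


def check_topology(hub, spokes):
    """Return (problems, warnings): problems break the tunnel or routing, warnings are risks."""
    problems, warnings = [], []
    if hub["gre_mask"] != "255.255.255.255":
        problems.append("hub: GRE mask must be 255.255.255.255 (/32)")
    if not hub["nhrp_redirect"]:
        problems.append("hub: NHRP REDIRECT must be enabled for Phase 3")
    if len(hub["psk"]) < MIN_PSK_LEN:
        warnings.append(f"hub: pre-shared key shorter than {MIN_PSK_LEN} characters")
    gre_seen, as_seen, nets_seen = {hub["gre_ip"]}, {hub["bgp_as"]}, []
    for s in spokes:
        n = s["name"]
        # The spoke's remote GRE address and its BGP neighbour are both the HUB's GRE IP.
        if s["remote_gre_ip"] != hub["gre_ip"]:
            problems.append(f"{n}: remote GRE IP {s['remote_gre_ip']} is not the HUB GRE IP")
        if s["peer_address"] != hub["gre_ip"]:
            problems.append(f"{n}: BGP peer address {s['peer_address']} is not the HUB GRE IP")
        if s["peer_remote_as"] != hub["bgp_as"]:
            problems.append(f"{n}: BGP remote AS {s['peer_remote_as']} is not the HUB AS")
        # IKE only negotiates when the PSK and the Phase 1/2 proposals agree on both ends.
        if s["psk"] != hub["psk"]:
            problems.append(f"{n}: pre-shared key differs from the HUB")
        if s["phase1"] != hub["phase1"] or s["phase2"] != hub["phase2"]:
            problems.append(f"{n}: Phase 1/2 proposals differ from the HUB")
        if not s["nhrp_redirect"]:
            problems.append(f"{n}: NHRP REDIRECT must be enabled for Phase 3")
        if s["gre_mtu"] > 1420:
            warnings.append(f"{n}: GRE MTU {s['gre_mtu']} is above the guide's 1420")
        # Every GRE address, spoke AS and LAN prefix must be unique in the overlay.
        if s["gre_ip"] in gre_seen:
            problems.append(f"{n}: GRE IP {s['gre_ip']} is already used")
        gre_seen.add(s["gre_ip"])
        if s["bgp_as"] in as_seen:
            # eBGP drops routes whose AS path already contains the receiver's own AS.
            problems.append(f"{n}: AS {s['bgp_as']} is already used; BGP loop prevention would drop routes")
        as_seen.add(s["bgp_as"])
        net = ipaddress.ip_network(s["network"])
        if any(net.overlaps(other) for other in nets_seen):
            problems.append(f"{n}: LAN prefix {net} overlaps another site")
        nets_seen.append(net)
    return problems, warnings


if __name__ == "__main__":
    found, risks = check_topology(HUB, SPOKES)
    for line in found or ["no consistency problems"]:
        print("PROBLEM:", line)
    for line in risks:
        print("WARNING:", line)
```

With the guide's values the check reports no problems and one warning, about the short example PSK; a spoke that reuses another site's GRE address, AS or LAN prefix is reported three times, once per collision.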
Testing DMVPN operation
You can check the tunnel status with the ipsec statusall command from the command line interface (CLI) or over SSH. It prints detailed information about the current state of a connection, or of all connections if no argument is given. If everything is configured correctly, it should show that the tunnel is established.
To check connectivity between the HUB and the spokes, use the ping command. To check the routes on the HUB, run vtysh -c "show ip nhrp". If you need to restart the tunnel, run /etc/init.d/ipsec restart.
At this point the basic DMVPN configuration is complete and Phase 3 is active, allowing links between spokes to be established dynamically. This lets you add new nodes and endpoints to the existing topology without changes on the HUB.
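Reading ipsec statusall by eye works for two spokes, but on a HUB with many spokes it is easier to parse it and check each peer against what was configured. The script below is an added example, not part of the original guide or of the router's software: it parses the strongSwan-style output of ipsec statusall and reports, per remote peer, whether the IKE SA is ESTABLISHED, whether an ESP child SA is INSTALLED, and whether the negotiated proposals match the guide's Phase 1/Phase 2 settings (AES 128, SHA256, MODP3072). The SAMPLE text is constructed: the connection name "dmvpn", all addresses and all SPIs are placeholders, and the third peer is deliberately shown negotiating a weaker proposal so the policy check has something to flag.

```python
"""Health and crypto-policy check over `ipsec statusall` output (added example, not from the guide)."""
import re
import subprocess

# strongSwan notation for the guide's AES 128 / SHA256 / MODP3072 Phase 1 and Phase 2.
EXPECTED_IKE = "AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072"
EXPECTED_ESP = "AES_CBC_128/HMAC_SHA2_256_128/MODP_3072"

IKE_STATES = {"CREATED", "CONNECTING", "ESTABLISHED", "PASSIVE",
              "REKEYING", "REKEYED", "DELETING", "DESTROYING"}
SA_HEAD = re.compile(r"^\s*(?P<name>[\w-]+)\[(?P<id>\d+)\]:\s+(?P<state>[A-Z]+)\b")
PEERS = re.compile(r"(?P<local>[\d.]+)\[[^\]]*\]\.\.\.(?P<remote>[\d.]+)\[")
IKE_PROP = re.compile(r"\[(?P<id>\d+)\]:\s+IKE proposal:\s+(?P<prop>\S+)")
CHILD_HEAD = re.compile(r"^\s*[\w-]+\{(?P<id>\d+)\}:\s+(?P<state>[A-Z]+),")
CHILD_ALG = re.compile(r"^\s*[\w-]+\{(?P<id>\d+)\}:\s+(?P<prop>[A-Z0-9_/]+),\s+\d+ bytes_i")

# Constructed sample in the layout strongSwan prints; names, addresses and SPIs are placeholders.
SAMPLE = """\
Status of IKE charon daemon (strongSwan 5.9.6, Linux 5.10.0, armv7l):
Security Associations (3 up, 0 connecting):
       dmvpn[7]: ESTABLISHED 2 hours ago, 203.0.113.10[hub]...198.51.100.21[spoke1]
       dmvpn[7]: IKEv2 SPIs: 0f1e2d3c4b5a6978_i* 8796a5b4c3d2e1f0_r, pre-shared key reauthentication in 50 minutes
       dmvpn[7]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
       dmvpn{9}:  INSTALLED, TRANSPORT, reqid 3, ESP SPIs: c5fa8c1e_i c94b2a33_o
       dmvpn{9}:  AES_CBC_128/HMAC_SHA2_256_128/MODP_3072, 40960 bytes_i, 51200 bytes_o, rekeying in 35 minutes
       dmvpn{9}:   203.0.113.10/32[gre] === 198.51.100.21/32[gre]
       dmvpn[8]: CONNECTING, 203.0.113.10[%any]...198.51.100.22[%any]
       dmvpn[8]: IKEv2 SPIs: 1122334455667788_i* 0000000000000000_r
       dmvpn[9]: ESTABLISHED 5 minutes ago, 203.0.113.10[hub]...198.51.100.23[spoke3]
       dmvpn[9]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
       dmvpn{11}:  INSTALLED, TRANSPORT, reqid 5, ESP SPIs: 0a0b0c0d_i 0d0c0b0a_o
       dmvpn{11}:  3DES_CBC/HMAC_SHA1_96/MODP_1024, 1024 bytes_i, 2048 bytes_o, rekeying in 55 minutes
"""


def parse_statusall(text):
    """Return the IKE SAs in print order, each with its child (ESP) SAs attached."""
    sas, current = [], None
    for line in text.splitlines():
        m = SA_HEAD.match(line)
        if m and m["state"] in IKE_STATES:          # a new IKE SA; child lines follow it
            peers = PEERS.search(line)
            current = {"name": m["name"], "id": int(m["id"]), "state": m["state"],
                       "local": peers["local"] if peers else None,
                       "remote": peers["remote"] if peers else None,
                       "ike_proposal": None, "children": []}
            sas.append(current)
            continue
        if current is None:
            continue
        m = IKE_PROP.search(line)
        if m and int(m["id"]) == current["id"]:
            current["ike_proposal"] = m["prop"]
            continue
        m = CHILD_HEAD.match(line)
        if m:
            current["children"].append({"id": int(m["id"]), "state": m["state"], "esp_proposal": None})
            continue
        m = CHILD_ALG.match(line)
        if m:
            for child in current["children"]:
                if child["id"] == int(m["id"]):
                    child["esp_proposal"] = m["prop"]
    return sas


def assess(sas, expected_ike=EXPECTED_IKE, expected_esp=EXPECTED_ESP):
    """Map each remote peer to 'OK' or a description of what is wrong with its tunnel."""
    report = {}
    for sa in sas:
        peer = sa["remote"] or f"{sa['name']}[{sa['id']}]"
        if sa["state"] != "ESTABLISHED":
            report[peer] = f"IKE SA {sa['state']}, tunnel not up"
            continue
        installed = [c for c in sa["children"] if c["state"] == "INSTALLED"]
        if not installed:                            # IKE is up but no ESP SA protects traffic yet
            report[peer] = "IKE SA established but no ESP child SA installed"
            continue
        issues = []
        if sa["ike_proposal"] != expected_ike:
            issues.append(f"IKE proposal {sa['ike_proposal']} differs from policy")
        for child in installed:
            if child["esp_proposal"] != expected_esp:
                issues.append(f"ESP proposal {child['esp_proposal']} differs from policy")
        report[peer] = "OK" if not issues else "; ".join(issues)
    return report


def live_status():
    """Run `ipsec statusall` on the router and return its output, or None when run off-box."""
    try:
        return subprocess.run(["ipsec", "statusall"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    for peer, verdict in assess(parse_statusall(live_status() or SAMPLE)).items():
        print(f"{peer}: {verdict}")
```

Run on the HUB over SSH it reads the live daemon output; anywhere else it falls back to the constructed sample, which reports the first spoke as OK, the second as still CONNECTING, and the third as established but with both proposals outside the configured policy.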
Your DMVPN network should now be ready to use. If you have trouble setting up or understanding any step, you can always refer to the documentation or support community.
Private VPN server: effective at any position in the network infrastructure
A private VPN server can be integrated into a DMVPN network as the HUB (central node), providing connectivity to other devices (for example, mobile devices, remote offices, and so on) located at the spoke positions through dynamically established tunnels. A private VPN server can also be one of the endpoints (spokes) in the DMVPN network.
Buying a private VPN server and choosing the service best suited to a specific task is now easier thanks to Private VPN server. The website not only offers good deals on purchasing a VPN server, but also provides comprehensive information on various aspects of using one, from payment options to frequently asked questions in the FAQ.