06 VPN Volume Book

i

Table of Contents

1 DVPN Configuration 1-1 DVPN Overview 1-1

Basic Concepts of DVPN 1-1 Operation of DVPN1-2 Networking Structures of DVPN 1-2 Implementation of DVPN1-3 Supported DVPN Features1-5

DVPN Configuration Task List 1-6 Configuring AAA1-7 Configuring the VAM Server 1-7

VAM Server Configuration Task List 1-7 Creating a VPN Domain 1-7 Enabling VAM Server 1-7 Configuring the Listening IP Address and UDP Port Number1-8 Configuring the Security Parameters of VAM Protocol Packets 1-8 Specifying the Client Authentication Mode1-9 Configuring the Hubs1-9 Configuring the Pre-Shared Key of the VAM Server1-10 Configuring Keepalive Parameters1-10

Configuring a VAM Client1-11 VAM Client Configuration Task List1-11 Creating a VAM Client 1-11 Setting the VAM Protocol Packet Retransmission Interval 1-11 Specifying the Primary VAM Server 1-12 Specifying the Secondary VAM Server 1-12 Configuring the Username and Password1-12 Specifying the VPN Domain of the VAM Client1-13 Specifying the Pre-Shared Key of the VAM Client 1-13 Enabling VAM Client1-13

Configuring an IPsec Profile 1-14 Configuration Prerequisites 1-14 Configuration Procedure1-14

Configuring the DVPN Tunnel Parameters1-15 Configuration Prerequisites 1-15 Configuration Procedure1-15

Configuring Routing 1-18 Displaying and Maintaining DVPN1-18 DVPN Configuration Examples1-19

Full Mesh DVPN Configuration Example 1-19 Hub-Spoke DVPN Configuration Example1-32

2 GRE Configuration 2-1 GRE Overview 2-1

Introduction to GRE2-1

ii

GRE Security Options 2-3 GRE Applications 2-3 Protocols and Standards 2-5

Configuring a GRE over IPv4 Tunnel2-5 Configuration Prerequisites 2-5 Configuration Procedure2-5

Configuring a GRE over IPv6 Tunnel2-7 Configuration Prerequisites 2-7 Configuration Procedure2-7

Displaying and Maintaining GRE 2-9 GRE over IPv4 Tunnel Configuration Examples2-9

GRE over IPv4 Tunnel Configuration Example (on Routers)2-9 GRE over IPv4 Tunnel Configuration Example (on Switches)2-12

GRE over IPv6 Tunnel Configuration Examples2-15 GRE over IPv6 Tunnel Configuration Example (on Routers)2-15 GRE over IPv6 Tunnel Configuration Example (on Switches)2-18

Troubleshooting GRE2-22

3 L2TP Configuration 3-1 L2TP Overview3-1

Introduction3-1 Typical L2TP Networking Application3-2 Basic Concepts of L2TP3-3 L2TP Tunnel Modes and Tunnel Establishment Process 3-4 L2TP Features3-7 Protocols and Standards 3-7

L2TP Configuration Task List3-7 Configuring Basic L2TP Capability 3-8 Configuring an LAC3-9

Configuring an LAC to Initiate Tunneling Requests for Specified Users3-9 Configuring an LAC to Transfer AVP Data in Hidden Mode 3-9 Configuring AAA Authentication of VPN Users on LAC Side3-10

Configuring an LNS3-11 Creating a Virtual Interface Template3-11 Configuring the Local Address and the Address Pool for Allocation3-11 Configuring an LNS to Grant Certain L2TP Tunneling Requests 3-12 Configuring User Authentication on an LNS 3-13 Configuring AAA Authentication of VPN Users on LNS Side3-14 Enabling L2TP Multi-Instance 3-14 Specifying to Send ACCM3-15

Configuring L2TP Connection Parameters 3-15 Configuring L2TP Tunnel Authentication3-15 Setting the Hello Interval 3-16 Enabling Tunnel Flow Control 3-16 Disconnecting Tunnels by Force 3-17

Displaying and Maintaining L2TP 3-17 L2TP Configuration Examples 3-17

NAS-Initiated VPN3-17 Client-Initiated VPN 3-19

iii

L2TP Multi-Domain Application 3-21 Complicated Network Application3-24

Troubleshooting L2TP3-24

4 L2TP-Based EAD Configuration4-1 L2TP-Based EAD Overview4-1 Configuring L2TP-Based EAD 4-2

Configuration Prerequisites 4-2 Configuration Procedure4-2

Displaying and Maintaining L2TP-Based EAD 4-2 L2TP-Based EAD Configuration Example 4-2

Network Requirements4-2 Configuration Procedure4-3

5 SSL VPN Configuration4-1 SSL VPN Overview4-1 Configuring SSL VPN4-2

Configuration Prerequisites 4-2 Configuring SSL VPN4-3

SSL VPN Configuration Example 4-3

1-1

1 DVPN Configuration

z Support for some features may vary with device models.

z Support for some commands may vary with device models. For relevant information, refer to the corresponding command manual.

z All the MSR series routers are centralized devices.

z The MSR series routers support VPN instances, therefore supporting the vpn-instance keyword.

When configuring DVPN, go to these sections for information you are interested in:

z DVPN Overview

z DVPN Configuration Task List

z Displaying and Maintaining DVPN

z DVPN Configuration Examples

DVPN Overview

Nowadays, more and more enterprises are demanding for virtual private networks (VPNs) to connect their branches across the public network. However, branches of an enterprise usually use dynamically assigned IP addresses to access the public network and each of them has no way to know the public IP addresses of the other branches in advance. This makes it difficult for establishing VPNs. Dynamic virtual private network (DVPN) is intended to address this issue.

DVPN collects, maintains, and distributes dynamic public addresses through the VPN Address Management (VAM) protocol, making VPN establishment available between enterprise branches that use dynamic addresses to access the public network.

In DVPN, a collection of nodes connected to the public network form a VPN. From the perspective of DVPN, the public network is the link layer of the VPN, and the tunnels which are used as the virtual channels between subnets of an intranet constitute the network layer. Branch devices dynamically access the public network. DVPN can get the public IP addresses of the peers through VAM to set up secure internal tunnels conveniently.

When a DVPN device forwards a packet from a user subnet to another, it performs these operations:

1) Obtaining the next hop on the private network through a routing protocol.

2) Inquiring the public network address of the next hop through the VAM protocol.

3) Encapsulating the packet, using the public address as the destination address of the tunnel.

4) Sending the packet down the tunnel to the destination.

Basic Concepts of DVPN

The following key roles are involved in DVPN:

1-2

DVPN node A DVPN node is a device at an end of a DVPN tunnel. It can be a networking device or a host. A DVPN node takes part in tunnel setup and must implement VAM client.

VAM server A VAM server receives registration information from DVPN nodes and manages and maintains information about DVPN clients. Currently, a VAM server is usually a high performance routing device with VAM server enabled.

VAM client A VAM client registers its private address, public address, and VAM ID with the VAM server and obtains information about other VAM clients from the VAM server. The VAM client function must be implemented on DVPN nodes. Unless otherwise noted, the term VAN client in this document refers to a Hub or a Spoke.

Hub A Hub is a type of VAM client. As a central device of a VPN, it is the exchange center of routing information. A Hub in a Hub-Spoke network is also a data forwarding center.

Spoke A Spoke is a type of VAM client. Usually acting as the gateway of a branch office, a Spoke does not forward data received from other DVPN nodes.

AAA server An Authentication, Authorization, and Accounting (AAA) server is used for user authentication and accounting.

Operation of DVPN

DVPN employs the client/server model. Operating at the application layer of the TCP/IP protocol stack, DVPN uses UDP as its transport layer protocol.

A DVPN consists of one server and multiple clients. The public address of the server in a DVPN must be static. The private address of a client needs to be statically assigned, while the public address of a client can be manually configured or dynamically assigned. All the private addresses of the nodes composing a DVPN must belong to the same network segment.

Each client registers the mapping of its private address and public address with the server. After a client registers its address mapping with the server, other clients can get the public address of this client from the server. This is for DVPN tunnel establishment between clients. Each client uses the VAM protocol to communicate with the server and uses the DVPN tunneling protocol to establish, maintain, and remove tunnels to other clients. Whenever there is a change in the topology, the server will be notified automatically.

Networking Structures of DVPN

DVPN supports two typical networking structures, full mesh and Hub-Spoke.

z Full mesh DVPN: In a full mesh DVPN, Spokes can communicate with each other directly by establishing tunnels between them, and the Hub is mainly used as the routing information exchange center. As shown in Figure 1-1, after the Spokes (the clients) register with the VAM server and get the Hub information in the VPN domain, they establish permanent tunnels with the Hub. Any two Spokes can establish a tunnel directly between them, which is dynamic and will be aged out if no data exchange occurs on it during the specified period of time (the idle timeout for the Spoke-Spoke tunnel).

1-3

Figure 1-1 Full mesh DVPN networking diagram

Site 1 Site 2

VAM server Hub

Spoke 1

Public network

Spoke 2Spoke-Spoke

Hub-Spoke

Data

z Hub-Spoke DVPN. In a Hub-Spoke DVPN, no tunnel can be established between two Spokes, and data between them has to be forwarded through the Hub. That is, the Hub is used as both the routing information exchange center and the data forwarding center. As shown in Figure 1-2, each Spoke establishes a permanent tunnel with the Hub, and data between Spokes is forwarded through the Hub.

Figure 1-2 Hub-Spoke DVPN networking diagram

Site 1 Site 2

VAM server Hub

Spoke 1

Public network

Spoke 2

Hub-Spoke

Data

Data

Implementation of DVPN

DVPN works in three phases: connection initialization, registration, and tunnel establishment. The following is a brief description of the phases:

Connection initialization phase When a client accesses the server for the first time, connection initialization is performed first. During the initialization procedure, the two parties negotiate whether VAM protocol packets should be secured.

1-4

If so, they negotiate the packet encryption and integrity validation algorithms, generate the keys, and acknowledge the negotiated result. After the connection initialization process completes, the client proceeds with the registration phase. Figure 1-3 shows the initialization process.

Figure 1-3 Initialization process

Client Server

1) Connection request

2) Connection response

3) Negotiation acknowledgement

4) Negotiation acknowledgement

2) The client sends the server a connection request, which carries the supported encryption and integrity validation algorithms.

3) Upon reception of the connection request, the server and the client begin to negotiate the algorithms to be used, with the server dominating the negotiation. When negotiating an algorithm to be used, the VAM server first compares the algorithm of the highest priority on its own algorithm list against the algorithm list of the client. If a match is found, the algorithm is used. If not, the server compares its next-highest priority algorithm against the list. The operation continues until a match is found or all the algorithms on the servers algorithm list have been compared. If a match is found, the server sends to the client a connection response, which carries the negotiation result, and at the same time, the server and the client generate the encryption key and integrity validation key.

4) The client and server respectively checks whether the algorithm negotiation and key negotiation are successful through the negotiation acknowledge packets.

Registration phase

Figure 1-4 Registration process

Figure 1-4 shows the registration process:

1) The client sends the server a registration request, which carries information about the client.

2) Upon reception of the registration request, the server first determines whether to authenticate the identity of the client. If identity authentication is not required, the server directly registers the client and sends the client a registration acknowledgement. Otherwise, the server sends the client an identity authentication request, indicating the required authentication algorithm. In the case of CHAP authentication, a random number is also sent.

3) The client submits its identity information to the server.

1-5

4) After receiving the identity information of the client, the server sends an authentication request to the AAA server and, after receiving the expected authentication acknowledgement, sends an accounting request to the AAA server. When the server receives the accounting acknowledgement, it sends the client a registration acknowledgement, telling the client information about the Hubs in the VPN.

Tunnel establishment phase After a Spoke successfully registers itself, it needs to establish a permanent tunnel with a Hub. A Spoke can establish permanent tunnels with up to two Hubs. If there are two Hubs in a VPN domain, a permanent tunnel is required between the Hubs. Figure 1-5 shows the tunnel establishment process.

Figure 1-5 Tunnel establishment process

Spoke/Hub Hub

1) Tunnel establishment request

2) Tunnel established

Spoke Spoke

1) Tunnel establishment request

2) Tunnel established

2) The initiator originates a tunnel establishment request.

z Hub-Spoke tunnel: After a Spoke registers itself successfully, it needs to establish a permanent tunnel with each Hub in the VPN. Upon receiving the registered information of the hubs from the server, the Spoke checks whether a tunnel is present to each Hub. If no tunnel exists between the Spoke and a Hub, the Spoke sends a tunnel establishment request to the Hub.

z Hub-Hub tunnel: After a Hub registers itself successfully, the server sends the registered information of the other Hubs in the VPN to the Hub and the Hub checks whether a tunnel exists to each of its peer Hubs. If not, the Hub sends a tunnel establishment request to the peer Hub.

z Spoke-Spoke tunnel: In a full mesh network, when a Spoke receives a data packet but finds no tunnel for forwarding the packet, it sends an address resolution request to the server and then, after receiving the resolved address, sends a tunnel establishment request to the peer Spoke.

3) The tunnel establishment request receiver saves the tunnel establishment information and sends a response to the sender. If the request sender receives the response, a tunnel is established. Otherwise, tunnel establishment attempt fails.

Supported DVPN Features

NAT traversal of DVPN packets When a Spoke needs to communicate with another Spoke, one of the following cases will occur:

z If neither of the two Spokes is behind a NAT gateway, a direct tunnel will be established between them.

z If only the tunnel initiator resides behind a NAT gateway, a Spoke-Spoke tunnel can be established traversing the NAT gateway.

1-6

z If the tunnel request receiver is behind a NAT gateway, packets must be forwarded by a Hub before the intended receiver originates a tunnel establishment request.

z If both Spokes reside behind NAT gateways, no tunnel can be established between them and packets between them will be forwarded by a Hub.

Support for dynamic VAM client IP address As each VAM client registers its public and private addresses with the VAM server and can get the public address of the peer VAM client from the VAM server, no tunnel destination address needs to be configured on either tunnel interface of a tunnel. When a VAM client has its IP address changed, it reregisters with the VAM server, thus supporting dynamic IP address.

AAA identity authentication of VAM clients on the VAM server After the initialization process completes, a VAM client registers with the VAM server. You can specify to authenticate VAM clients during the registration process. VAM supports PAP authentication and CHAP authentication. The VAM server uses AAA to authenticate clients in the VPN domain. A VAM client must pass authentication to access the VPN.

Identity authentication of the VAM server and VAM client using the pre-shared key A VAM client and the VAM server must be configured with the same pre-shared key to generate the encryption/integrity validation key. The VAM client/VAM server can determine whether the pre-shared keys of both sides are the same by checking the result of packet decryption and integrity validation, so as to implement identity authentication of the VAM server/VAM client.

Encryption of VAM protocol packets VAM protocol packets can be encrypted by using AES-128, DES, or 3DES.

IPsec protection of data packets Data packets in a DVPN tunnel can be protected by IPsec (using the ESP protocol and IKE).

Centralized management of policies A VAM server manages all policies in a VPN domain centrally.

Support for multiple VPN domains A VAM server supports up to 10 VPN domains.

DVPN Configuration Task List

When configuring DVPN, you are recommended to perform configuration in the order of the VAM server, the Hub(s), and the Spokes.

Complete the following tasks to configure DVPN:

Task Remarks

Configuring AAA Optional Server side configuration

Configuring the VAM Server Required

Configuring a VAM Client Required

Configuring an IPsec Profile Optional

Configuring the DVPN Tunnel

Parameters Required

Client side configuration

Configuring Routing Required

1-7

Configuring AAA

A VAM server can employ AAA to authenticate the identities of clients accessing a VPN domain. For AAA configuration, refer to AAA RADIUS HWTACACS Configuration in the Security Volume.

Configuring the VAM Server

VAM Server Configuration Task List

Complete the following tasks to configure a VAM server:

Task Remarks

Creating a VPN Domain Required

Enabling VAM Server Required

Configuring the Listening IP Address and UDP Port Number Required

Configuring the Security Parameters of VAM Protocol Packets Optional

Specifying the Client Authentication Mode Optional

Configuring the Hubs Required

Configuring the Pre-Shared Key of the VAM Server Required

Configuring Keepalive Parameters Optional

Creating a VPN Domain

Follow these steps to create a VPN domain:

To do Use the command Remarks

Enter system view system-view

Create a VPN domain and

enter VPN domain view vam server vpn vpn-name

Required

No VPN domain exists by default.

Enabling VAM Server

Follow these steps to enable VAM server:



Enable VAM server for

one or all VPN domains

vam server enable { all | vpn vpn-name }

vam server vpn vpn-name Enable VAM server

Enable VAM server for

a VPN domain server enable

Required

Use either approach.

Disabled by default

1-8

Configuring the Listening IP Address and UDP Port Number

Follow these steps to configure the listening IP address and UDP port number of the VAM server:



Configure the listening IP address

and UDP port number of the

server

vam server ip-address ip-address [ port port-number ]

Required

Not configured by default

A VAM server listens to packets sent from VAM clients on only the configured IP address and UDP port. A VAM server uses the same listening IP address and UDP port for all VPN domains.

Configuring the Security Parameters of VAM Protocol Packets

Based on the packet integrity authentication algorithm and encryption algorithm configuration, a VAM server negotiates with a client to determine the protocol packets integrity authentication and encryption algorithms to be used between them.

Follow these steps to configure VAM protocol packet security parameters:



Enter VPN domain view vam server vpn vpn-name

Specify the algorithms for protocol

packet authentication and their

priorities

authentication-algorithm { none

| { md5 | sha-1 } * }

Optional

By default, SHA-1 is used for

protocol packet authentication.

Specify the algorithms for protocol

packet encryption and their

priorities

encryption-algorithm { { 3des |

aes-128 | des } * | none }

Optional

By default, three encryption

algorithms are available and

preferred in this order: AES-128,

3DES and DES.

1-9

z In the connection initialization process, SHA-1 is always used for authenticating connection requests from clients and connection responses from the server. Whether subsequent protocol packets are to be authenticated and what algorithms are available for authentication depend on your configuration.

z In the connection initialization process, AES-128 is always used for encrypting connection requests from clients and connection responses from the server. Whether subsequent protocol packets are to be encrypted and what algorithms are available for encryption depend on your configuration.

z The configuration order of the algorithms determines the priorities of the algorithms.

Specifying the Client Authentication Mode

Currently, a VAM server supports only PAP and CHAP authentication.

Follow these steps to configure the client authentication mode:




Specify the client

authentication mode

authentication-method { none | { chap | pap } [ domain name-string ] }

Required

By default, a VAM server

performs CHAP authentication

of clients, using the default

domain configured for the

system.

Configuring the Hubs

Follow these steps to configure a Hub:




Configure a Hub by specifying its

IP addresses

hub private-ip private-ip-address [ public-ip public-ip-address ]

Required

No Hub is configured by default.

1-10

z The public IP address is optional. When a Hub registers, the VAM server will get the public address of the Hub. If you specify both the private and public addresses of a Hub on the server, the server considers a client being a valid Hub only when both the public and private addresses that the client registers with the server match those configured on the server.

z Currently, up to two Hubs and 200 Spokes can be configured in a VPN domain.

Configuring the Pre-Shared Key of the VAM Server

The pre-shared key is used to generate the keys for securing the channels between the server and a client. In the connection initialization process, the pre-shared key is used to generate the initial key for validating and encrypting connection requests and connection responses. If encryption and authentication is needed for subsequent packets, the pre-shared key is also used to generate the connection key for validating and encrypting the subsequent packets.

Follow these steps to configure the pre-shared key of the VAM server:




Configure the pre-shared key of

the VAM server

pre-shared-key { cipher | simple } key-string

Required

No pre-shared key exists by

default.

Configuring Keepalive Parameters

A client sends keepalive packets to the server periodically, while the server sends responses back to prove its existence. If a server receives no keepalive packets from a client within a specified period (which equals the product of the keepalive interval and the maximum number of transmission attempts), the server removes information about the client and logs off the client.

You can set the interval at which a client sends keepalive packets and the maximum number of transmission attempts. After a client registers with the server, the server sends these settings to the client through its response packet.

Follow these steps to configure keepalive parameters:




Set the keepalive interval keepalive interval time-interval Optional

10 seconds by default

Set the maximum number of

transmission attempts keepalive retry retry-times

Optional

3 by default

1-11

Your keepalive settings only apply to the clients registered after the configuration. The clients registered before that continue to use the old settings.

Configuring a VAM Client

VAM Client Configuration Task List

Complete the following tasks to configure a VAM client:

Task Remarks

Creating a VAM Client Required

Setting the VAM Protocol Packet Retransmission Interval Optional

Specifying the Primary VAM Server Required

Specifying the Secondary VAM Server Optional

Configuring the Username and Password Optional

Specifying the VPN Domain of the VAM Client Required

Specifying the Pre-Shared Key of the VAM Client Required

Enabling VAM Client Required

Creating a VAM Client

Follow these steps to create a VAM client:



Create a VAM client and enter

its view vam client name client-name

Required

No client is created by default.

Setting the VAM Protocol Packet Retransmission Interval

If a client sends a VAM protocol packet to the server but receives no response in a specified period of time, it retransmits the packet. A VAM protocol packet can be a connection request, negotiation acknowledgement, registration request, or authentication request.

Follow these steps to set the interval for retransmitting a VAM protocol packet:



1-12

Enter VAM client view vam client name client-name

Set the VAM protocol packet

retransmission interval resend interval time-interval

Optional


The maximum number of attempts to retransmit a VAM protocol packet is always 3; it is unmodifiable.

Specifying the Primary VAM Server

Follow these steps to specify the primary VAM server:




Specify the primary VAM server server primary ip-address

ip-address [ port port-number ]

Required

Not specified by default

Specifying the Secondary VAM Server

Follow these steps to specify the secondary VAM server:




Specify the primary VAM server server secondary ip-address ip-address [ port port-number]

Required


Configuring the Username and Password

A client needs a username and a password to be authenticated by the server. You can configure the username and password for a client by creating a local user.

Follow these steps to configure a username and password for a VAM client:




1-13

Configure a username and

password for the client

user username password { cipher |

simple } string

Required

Not configured by default

Only one local user can be configured for a VAM client.

Specifying the VPN Domain of the VAM Client

Follow these steps to specify the VPN domain of the VAM client:




Specify the VPN domain of the

VAM client vpn vpn-name

Required

A VAM client does not belong to

any VPN domain by default.

Specifying the Pre-Shared Key of the VAM Client

The pre-shared key is used to generate the keys for security of the channels between the server and a client.

Follow these steps to specify the pre-shared key of the VAM client:




Specify the pre-shared key of

the VAM client

pre-shared-key { cipher | simple } key-string

Required


In a VPN domain, all the VAM clients and the VAM server must be configured with the same pre-shared key.

Enabling VAM Client

Follow these steps to enable VAM client:

1-14



Enable VAM client for

all VAM clients or a

specified VAM client

vam client enable { all |

name client-name }

vam client name client-name

Enable VAM client

Enable VAM client for a

VAM client client enable

Required

Use either approach.

Disabled by default

Configuring an IPsec Profile

An IPsec profile can be used to secure the transmission of data packets and control packets over a DVPN tunnel. It uses the security protocol of ESP and employs IKE for security policy negotiation.

Configuration Prerequisites

Complete these tasks before configuring an IPsec profile:

z Configure the IPsec proposals for the IPsec profile to reference

z Configure the IKE peer for the IPsec profile to reference

For detailed configuration information about IPsec and IKE, refer to IPsec Configuration in the Security Volume.

Configuration Procedure

Follow the following steps to configure an IPsec profile:



Create an IPsec profile and enter

IPsec profile view ipsec profile profile-name

Required

By default, no IPsec profile is

created.

Specify the IPsec proposals for the

IPsec profile to reference proposal proposal-name&

Required

By default, an IPsec profile

references no IPsec proposal.

Specify the IKE peer for the IPsec

profile to reference ike-peer peer-name

Required

By default, an IPsec profile

references no IKE peer

1-15

Enable and configure perfect

forward secrecy (PFS)

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }

Optional

By default, PFS is not used for

negotiation.

For information about PFS, refer to

IPsec Configuration in the Security

Volume.

Configure the SA lifetime sa duration { time-based

seconds | traffic-based kilobytes }

Optional

By default, an IPsec profile uses

the global SA lifetime.

z An IPsec profile depends on IKE for SA negotiation. An IPsec profile can reference up to six IPsec proposals. IKE searches for IPsec proposals that match at both ends during negotiation. If no match is found, SAs cannot be established and the packets requiring IPsec protection will be discarded.

z When IKE uses a security policy to initiate a negotiation, if the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the same Diffie-Hellman (DH) group; otherwise, the negotiation will fail.

z When an IPsec profile is used to protect DVPN traffic, the IPsec proposals referenced by the IPsec profile must be configured to use the ESP protocol.

z As DVPN addresses are dynamic, the setting by the remote-address keyword for the IKE peer that an IPsec profile references does not take effect on the initiator.

z For information about commands ipsec profile, proposal, ike-peer, pfs and sa duration, refer to IPsec Commands in the Security Volume.

z For information about global SA lifetime, refer to IPsec Configuration in the Security Volume.

Configuring the DVPN Tunnel Parameters

Configuration Prerequisites

IP addresses have been configured for the source interfaces (VLAN interfaces, Ethernet interfaces, or Loopback interfaces) of the virtual tunnel interfaces and there are routes available between the interfaces.

Configuration Procedure

Follow these steps to configure a DVPN tunnel:



1-16

Create a tunnel interface and enter

its view interface tunnel number

Required

No tunnel interface is created by

default.

Configure a private IPv4 address

for the tunnel interface

ip address ip-address { mask |

mask-length } [ sub ]

Required

A tunnel interface has no private

IPv4 address configured by

default.

Configure the tunnel mode as

DVPN tunnel-protocol dvpn udp

Required

The default tunnel mode varies

with device model.

The two ends of a tunnel must

work in the same tunnel mode.

Specify the source address or

interface of the tunnel interface

source { ip-address | interface-type interface-number }

Required

The source IP address is the IP

address of the physical interface

that sends the DVPN packets.

A tunnel interface has no source

address or interface configured by

default.

Bind a VAM client to the tunnel

interface vam client client-name

Required

A DVPN tunnel interface must be

bound to a VAM client; otherwise

the tunnel interface cannot come

up.

The client to be bound must exist

and has not been bound to any

other tunnel interface.

No VAM client is bound to a DVPN

tunnel interface by default.

Set the DVPN keepalive interval

and transmission attempt limit keepalive [ seconds [ times ] ]

Optional

The defaults are as follows:

z 10 seconds for the DVPN

keepalive interval,

z 3 times for the transmission

attempt limit.

Set the idle timeout for the

Spoke-Spoke tunnel

dvpn session idle-time time-interval

Optional


Set the DVPN tunneling quiet

period

dvpn session dumb-time time-interval

Optional


1-17

Specify the network type of the

OSPF interface

ospf network-type { broadcast |

p2mp }

Required


A DVPN tunnel can use only two

types of OSPF interfaces:

broadcast and point to multi-point

(P2MP).

Set the DR priority of the OSPF

interface ospf dr-priority priority

Optional for a Hub, while required

for a Spoke.

By default, the interface DR priority

is 1.

The DR priority of a Hub should be

higher than that of a Spoke. It is

recommended to set the DR

priority of a Spoke to 0 to keep the

Spoke from participating in

DR/BDR election.

Bind an IPsec profile to the DVPN

tunnel interface ipsec profile ipsec-profile-name

Optional

By default, no IPsec profile is

bound to a DVPN tunnel interface.

The IPsec profile to be bound must

already exist.

Associate the tunnel interface with

a VPN instance

ip binding vpn-instance vpn-instance-name

Optional

To isolate individual VPN domains,

you need to configure VPN

multi-instance to distinguish routes

of private networks.

By default, a tunnel interface is

associated with no VPN instance.

1-18

z If you configure the source address of a tunnel interface by specifying the source interface, the tunnel takes the primary IP address of the source interface as its source address.

z Tunnel interfaces of the same VPN domain must be configured with private addresses in the same segment.

z Tunnel interfaces of the same VPN domain must be configured with the same DVPN keepalive interval and transmission attempt limit.

z A DVPN tunnel interface can reference only one IPsec profile. To change the IPsec profile referenced by a DVPN tunnel interface, you need to cancel the reference of the current IPsec profile and then apply a new IPsec profile to the tunnel interface.

z When configuring the network type of an OSPF interface, select broadcast for a full mesh network and P2MP for a Hub-Spoke network.

z For details about commands interface tunnel, tunnel-protocol, and source, refer to Tunneling Commands of the IP Services Volume. For information about command ipsec profile, refer to IPsec Commands in the Security Volume.

z For details about the ospf network-type and ospf dr-priority commands, refer to OSPF Commands of the IP Routing Volume.

z For details about VPN multi-instance configuration, refer to MPLS L3VPN Configuration of the MPLS Volume.

Configuring Routing

After you establish private networks across the public network using DVPN, you need to perform routing configuration for devices in the private networks. In private networks of this type, route-related operations, such as neighbor discovery, route updating, routing table establishment, are done over DVPN tunnels. Routing information is exchanged between Hubs or Hubs and Spokes; it is not exchanged between Spokes. Currently, OSPF can be used in DVPN networks.

For information about OSPF configuration on DVPN clients, refer to OSPF Configuration in the IP Routing Volume.

Displaying and Maintaining DVPN


Display address mapping

information about VAM clients

registered with the VAM server

display vam server address-map { all | vpn

vpn-name [ private-ip private-ip ] }

Available in any view

Display statistics about VAM

clients registered with the VAM

server

display vam server statistic { all

| vpn vpn-name } Available in any view

Display registration information

about VAM clients

display vam client

{ address-map | fsm } [ client-name ]


1-19

Display information about DVPN

tunnels

display dvpn session { all |

interface interface-type

interface-number [ private-ip ip-address ] }


Display information about a

specified or all IPsec profiles

display ipsec profile [ name profile-name ]


Remove DVPN tunnels

reset dvpn session { all |

interface interface-type

interface-number [ private-ip ip-address ] }

Available in user view

For information about command display ipsec profile, refer to IPsec Commands in the Security Volume.

DVPN Configuration Examples

Full Mesh DVPN Configuration Example

Network requirements z In the full mesh networks shown in Figure 1-6, the primary VAM server (main) and the secondary

VAM server (backup) manage and maintain information about the nodes. The AAA server takes charge of VAM client authentication and accounting. With each being the backup of the other, the two Hubs perform data forwarding and routing information exchange.

z Permanent tunnels are established between each Hub-Spoke pair.

z Spokes in the same VPN exchange data through dynamically established tunnels between them.

1-20

Figure 1-6 Network diagram for full mesh DVPN configuration

Hub 1 Hub 2

Spoke 1 Spoke 3

Site 1 Site 3

Spoke 2

Site 2

IP networkVPN 1 Hub-to-Spoke static tunnel

VPN 2 Hub-to-Spoke static tunnel

Spoke-to-Spoke dynamic tunnelMain server

Backup server

Eth1/1 Eth1/1

Eth1/1 Eth1/1 Eth1/1

Tunnel1Tunnel2

Tunnel1Tunnel2

Tunnel1 Tunnel1Tunnel2 Tunnel2

Eth1/1

Eth1/1

AAA server

Eth1/2 Eth1/2 Eth1/2

VPN 1 and VPN 2 Hub-to-Hub static tunnel

Device Interface IP address Device Interface IP address Hub 1 Eth1/1 192.168.1.1/24 Spoke 1 Eth1/1 192.168.1.3/24 Tunnel1 10.0.1.1/24 Eth1/2 10.0.3.1/24 Tunnel2 10.0.2.1/24 Tunnel1 10.0.1.3/24 Hub 2 Eth1/1 192.168.1.2/24 Spoke 2 Eth1/1 192.168.1.4/24 Tunnel1 10.0.1.2/24 Eth1/2 10.0.4.1/24 Tunnel2 10.0.2.2/24 Tunnel1 10.0.1.4/24 Main server Eth1/1 192.168.1.22/24 Tunnel2 10.0.2.4/24 Backup server Eth1/1 192.168.1.33//24 Spoke 3 Eth1/1 192.168.1.5/24 AAA server 192.168.1.11/24 Eth1/2 10.0.5.1/24 Tunnel2 10.0.2.3/24

Configuration procedure 1) Configure the primary VAM server (main)

z Configure IP addresses for the interfaces (omitted)

z Configure AAA system-view # Configure RADIUS scheme radsun. [MainServer] radius scheme radsun [MainServer-radius-radsun] primary authentication 192.168.1.11 1812 [MainServer-radius-radsun] primary accounting 192.168.1.11 1813 [MainServer-radius-radsun] key authentication expert [MainServer-radius-radsun] key accounting expert [MainServer-radius-radsun] server-type standard [MainServer-radius-radsun] user-name-format with-domain [MainServer-radius-radsun] quit # Configure ISP domain domain1 to use RADIUS scheme radsun. [MainServer] domain domain1 [MainServer-isp-domain1] authentication default radius-scheme radsun [MainServer-isp-domain1] accounting default radius-scheme radsun [MainServer-isp-domain1] quit [MainServer] domain default enable domain1 z Configure the VAM server

# Specify the listening address of the server.

1-21

[MainServer] vam server ip-address 192.168.1.22 # Create VPN domain 1. [MainServer] vam server vpn 1 # Set the pre-shared key to 123. [MainServer-vam-server-vpn-1] pre-shared-key simple 123 # Set the VAM client authentication mode to CHAP. [MainServer-vam-server-vpn-1] authentication-method chap # Specify the IP addresses of the Hubs for VPN 1. [MainServer-vam-server-vpn-1] hub private-ip 10.0.1.1 [MainServer-vam-server-vpn-1] hub private-ip 10.0.1.2 [MainServer-vam-server-vpn-1] quit # Create VPN domain 2. [MainServer] vam server vpn 2 # Set the pre-shared key to 456. [MainServer-vam-server-vpn-2] pre-shared-key simple 456 # Set the VAM client authentication mode to PAP. [MainServer-vam-server-vpn-2] authentication-method pap # Specify the IP addresses of the Hubs for VPN 2. [MainServer-vam-server-vpn-2] hub private-ip 10.0.2.1 [MainServer-vam-server-vpn-2] hub private-ip 10.0.2.2 [MainServer-vam-server-vpn-1] quit # Enable VAM server for all VPNs. [MainServer] vam server enable all 2) Configure the secondary VAM server (backup)

Except for the listening IP address configuration, the configurations for the secondary VAM server are the same as those for the primary VAM server and are thus omitted.

3) Configure Hub 1

z Configure IP addresses for the interfaces (omitted)

z Configure the VAM clients system-view # Create a VAM client named dvpn1hub1 for VPN 1. [Hub1] vam client name dvpn1hub1 [Hub1-vam-client-name-dvpn1hub1] vpn 1 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Hub1-vam-client-name-dvpn1hub1] server primary ip-address 192.168.1.22 [Hub1-vam-client-name-dvpn1hub1] server secondary ip-address 192.168.1.33 [Hub1-vam-client-name-dvpn1hub1] pre-shared-key simple 123 # Create a local user named dvpn1hub1, setting the password as dvpn1hub1. [Hub1-vam-client-name-dvpn1hub1] user dvpn1hub1 password simple dvpn1hub1 [Hub1-vam-client-name-dvpn1hub1] client enable [Hub1-vam-client-name-dvpn1hub1] quit # Create a VAM client named dvpn2hub1 for VPN 2. [Hub1] vam client name dvpn2hub1 [Hub1-vam-client-name-dvpn2hub1] vpn 2 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Hub1-vam-client-name-dvpn2hub1] server primary ip-address 192.168.1.22 [Hub1-vam-client-name-dvpn2hub1] server secondary ip-address 192.168.1.33 [Hub1-vam-client-name-dvpn2hub1] pre-shared-key simple 456

1-22

# Create a local user named dvpn2hub1, setting the password as dvpn2hub1. [Hub1-vam-client-name-dvpn2hub1] user dvpn2hub1 password simple dvpn2hub1 [Hub1-vam-client-name-dvpn2hub1] client enable [Hub1-vam-client-name-dvpn2hub1] quit z Configure the IPsec profile

# Configure the IPsec proposal. [Hub1] ipsec proposal vam [Hub1-ipsec-proposal-vam] encapsulation-mode tunnel [Hub1-ipsec-proposal-vam] transform esp [Hub1-ipsec-proposal-vam] esp encryption-algorithm des [Hub1-ipsec-proposal-vam] esp authentication-algorithm sha1 [Hub1-ipsec-proposal-vam] quit # Configure the IKE peer. [Hub1] ike peer vam [Hub1-ike-peer-vam] pre-shared-key abcde [Hub1-ike-peer-vam] quit # Configure the IPsec profile. [Hub1] ipsec profile vamp [Hub1-ipsec-profile-vamp] proposal vam [Hub1-ipsec-profile-vamp] ike-peer vam [Hub1-ipsec-profile-vamp] sa duration time-based 600 [Hub1-ipsec-profile-vamp] pfs dh-group2 [Hub1-ipsec-profile-vamp] quit z Configure DVPN tunnels

# Configure tunnel interface Tunnel 1 for VPN 1. [Hub1] interface tunnel 1 [Hub1-Tunnel1] tunnel-protocol dvpn udp [Hub1-Tunnel1] vam client dvpn1hub1 [Hub1-Tunnel1] ip address 10.0.1.1 255.255.255.0 [Hub1-Tunnel1] source ethernet 1/1 [Hub1-Tunnel1] ospf network-type broadcast [Hub1-Tunnel1] ipsec profile vamp [Hub1-Tunnel1] quit # Configure tunnel interface Tunnel 2 for VPN 2. [Hub1] interface tunnel 2 [Hub1-Tunnel2] tunnel-protocol dvpn udp [Hub1-Tunnel2] vam client dvpn2hub1 [Hub1-Tunnel2] ip address 10.0.2.1 255.255.255.0 [Hub1-Tunnel2] source ethernet 1/1 [Hub1-Tunnel2] ospf network-type broadcast [Hub1-Tunnel2] ipsec profile vamp [Hub1-Tunnel2] quit z Configure OSPF

# Configure OSPF for the public network. [Hub1] ospf 100 [Hub1-ospf-100] area 0 [Hub1-ospf-100-area-0.0.0.0] network 192.168.1.1 0.0.0.255 [Hub1-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private networks. [Hub1] ospf 200 [Hub1-ospf-200] area 0

1-23

[Hub1-ospf-200-area-0.0.0.0] network 10.0.1.1 0.0.0.255 [Hub1-ospf-200-area-0.0.0.0] quit [Hub1] ospf 300 [Hub1-ospf-300] area 0 [Hub1-ospf-300-area-0.0.0.0] network 10.0.2.1 0.0.0.255 4) Configure Hub 2

z Configure IP addresses for the interfaces (omitted).

z Configure the VAM clients. system-view # Create a VAM client named dvpn1hub2 for VPN 1. [Hub2] vam client name dvpn1hub2 [Hub2-vam-client-name-dvpn1hub2] vpn 1 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Hub2-vam-client-name-dvpn1hub2] server primary ip-address 192.168.1.22 [Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 192.168.1.33 [Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123 # Create a local user named dvpn1hub2, setting the password as dvpn1hub2. [Hub2-vam-client-name-dvpn1hub2] user dvpn1hub2 password simple dvpn1hub2 [Hub2-vam-client-name-dvpn1hub2] client enable [Hub2-vam-client-name-dvpn1hub2] quit # Create a VAM client named dvpn2hub2 for VPN 2. [Hub2] vam client name dvpn2hub2 [Hub2-vam-client-name-dvpn2hub2] vpn 2 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Hub2-vam-client-name-dvpn2hub2] server primary ip-address 192.168.1.22 [Hub2-vam-client-name-dvpn2hub2] server secondary ip-address 192.168.1.33 [Hub2-vam-client-name-dvpn2hub2] pre-shared-key simple 456 # Create a local user named dvpn2hub2, setting the password as dvpn2hub2. [Hub2-vam-client-name-dvpn2hub2] user dvpn2hub2 password simple dvpn2hub2 [Hub2-vam-client-name-dvpn2hub2] client enable [Hub2-vam-client-name-dvpn2hub2] quit z Configure the IPsec profile

# Configure the IPsec proposal. [Hub2] ipsec proposal vam [Hub2-ipsec-proposal-vam] encapsulation-mode tunnel [Hub2-ipsec-proposal-vam] transform esp [Hub2-ipsec-proposal-vam] esp encryption-algorithm des [Hub2-ipsec-proposal-vam] esp authentication-algorithm sha1 [Hub2-ipsec-proposal-vam] quit # Configure the IKE peer. [Hub2] ike peer vam [Hub2-ike-peer-vam] pre-shared-key abcde [Hub2-ike-peer-vam] quit # Configure the IPsec profile. [Hub2] ipsec profile vamp [Hub2-ipsec-profile-vamp] proposal vam [Hub2-ipsec-profile-vamp] ike-peer vam [Hub2-ipsec-profile-vamp] sa duration time-based 600 [Hub2-ipsec-profile-vamp] pfs dh-group2 [Hub2-ipsec-profile-vamp] quit

1-24

z Configure the DVPN tunnels.

# Configure tunnel interface Tunnel 1 for VPN 1. [Hub2] interface tunnel 1 [Hub2-Tunnel1] tunnel-protocol dvpn udp [Hub2-Tunnel1] vam client dvpn1hub2 [Hub2-Tunnel1] ip address 10.0.1.2 255.255.255.0 [Hub2-Tunnel1] source ethernet 1/1 [Hub2-Tunnel1] ospf network-type broadcast [Hub2-Tunnel1] ipsec profile vamp [Hub2-Tunnel1] quit # Configure tunnel interface Tunnel 2 for VPN 2. [Hub2] interface tunnel 2 [Hub2-Tunnel2] tunnel-protocol dvpn udp [Hub2-Tunnel2] vam client dvpn2hub2 [Hub2-Tunnel2] ip address 10.0.2.2 255.255.255.0 [Hub2-Tunnel2] source ethernet 1/1 [Hub2-Tunnel2] ospf network-type broadcast [Hub2-Tunnel2] ipsec profile vamp [Hub2-Tunnel2] quit z Configure OSPF

# Configure OSPF for the public network. [Hub2] ospf 100 [Hub2-ospf-100] area 0 [Hub2-ospf-100-area-0.0.0.0] network 192.168.1.2 0.0.0.255 [Hub2-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private networks. [Hub2] ospf 200 [Hub2-ospf-200] area 0 [Hub2-ospf-200-area-0.0.0.0] network 10.0.1.2 0.0.0.255 [Hub2-ospf-200-area-0.0.0.0] quit [Hub2] ospf 300 [Hub2-ospf-300] area 0 [Hub2-ospf-300-area-0.0.0.0] network 10.0.2.2 0.0.0.255 5) Configure Spoke 1


z Configure the VAM client. system-view # Create a VAM client named dvpn1spoke1 for VPN 1. [Spoke1] vam client name dvpn1spoke1 [Spoke1-vam-client-name-dvpn1spoke1] vpn 1 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Spoke1-vam-client-name-dvpn1spoke1] server primary ip-address 192.168.1.22 [Spoke1-vam-client-name-dvpn1spoke1] server secondary ip-address 192.168.1.33 [Spoke1-vam-client-name-dvpn1spoke1] pre-shared-key simple 123 # Create a local user named dvpn1spoke1, setting the password as dvpn1spoke1. [Spoke1-vam-client-name-dvpn1spoke1] user dvpn1spoke1 password simple dvpn1spoke1 [Spoke1-vam-client-name-dvpn1spoke1] client enable [Spoke1-vam-client-name-dvpn1spoke1] quit z Configure the IPsec profile

# Configure the IPsec proposal.

1-25

[Spoke1] ipsec proposal vam [Spoke1-ipsec-proposal-vam] encapsulation-mode tunnel [Spoke1-ipsec-proposal-vam] transform esp [Spoke1-ipsec-proposal-vam] esp encryption-algorithm des [Spoke1-ipsec-proposal-vam] esp authentication-algorithm sha1 [Spoke1-ipsec-proposal-vam] quit # Configure the IKE peer. [Spoke1] ike peer vam [Spoke1-ike-peer-vam] pre-shared-key abcde [Spoke1-ike-peer-vam] quit # Configure the IPsec profile. [Spoke1] ipsec profile vamp [Spoke1-ipsec-profile-vamp] proposal vam [Spoke1-ipsec-profile-vamp] sa duration time-based 600 [Spoke1-ipsec-profile-vamp] pfs dh-group2 [Spoke1-ipsec-profile-vamp] quit z Configure the DVPN tunnel.

# Configure tunnel interface Tunnel 1 for VPN 1. [Spoke1] interface tunnel 1 [Spoke1-Tunnel1] tunnel-protocol dvpn udp [Spoke1-Tunnel1] vam client dvpn1spoke1 [Spoke1-Tunnel1] ip address 10.0.1.3 255.255.255.0 [Spoke1-Tunnel1] source ethernet 1/1 [Spoke1-Tunnel1] ospf network-type broadcast [Spoke1-Tunnel1] ospf dr-priority 0 [Spoke1-Tunnel1] ipsec profile vamp [Spoke1-Tunnel1] quit z Configure OSPF

# Configure OSPF for the public network. [Spoke1] ospf 100 [Spoke1-ospf-100] area 0 [Spoke1-ospf-100-area-0.0.0.0] network 192.168.1.3 0.0.0.255 [Spoke1-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private network. [Spoke1] ospf 200 [Spoke1-ospf-200] area 0 [Spoke1-ospf-200-area-0.0.0.0] network 10.0.1.3 0.0.0.255 [Spoke1-ospf-200-area-0.0.0.0] network 10.0.3.1 0.0.0.255 6) Configure Spoke 2


z Configure the VAM client. system-view # Create a VAM client named dvpn1spoke2 for VPN 1. [Spoke2] vam client name dvpn1spoke2 [Spoke2-vam-client-name-dvpn1spoke2] vpn 1 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address 192.168.1.22 [Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address 192.168.1.33 [Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123 # Create a local user named dvpn1spoke2, setting the password as dvpn1spoke2.

1-26

[Spoke2-vam-client-name-dvpn1spoke2] user dvpn1spoke2 password simple dvpn1spoke2 [Spoke2-vam-client-name-dvpn1spoke2] client enable [Spoke2-vam-client-name-dvpn1spoke2] quit # Create a VAM client named dvpn2spoke2 for VPN 2. [Spoke2] vam client name dvpn2spoke2 [Spoke2-vam-client-name-dvpn1spoke2] vpn 2 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Spoke2-vam-client-name-dvpn2spoke2] server primary ip-address 192.168.1.22 [Spoke2-vam-client-name-dvpn2spoke2] server secondary ip-address 192.168.1.33 [Spoke2-vam-client-name-dvpn2spoke2] pre-shared-key simple 456 # Create a local user named dvpn2spoke2, setting the password as dvpn2spoke2. [Spoke2-vam-client-name-dvpn1spoke2] user dvpn2spoke2 password simple dvpn2spoke2 [Spoke2-vam-client-name-dvpn1spoke2] client enable [Spoke2-vam-client-name-dvpn1spoke2] quit z Configure the IPsec profile

# Configure the IPsec proposal. [Spoke2] ipsec proposal vam [Spoke2-ipsec-proposal-vam] encapsulation-mode tunnel [Spoke2-ipsec-proposal-vam] transform esp [Spoke2-ipsec-proposal-vam] esp encryption-algorithm des [Spoke2-ipsec-proposal-vam] esp authentication-algorithm sha1 [Spoke2-ipsec-proposal-vam] quit # Configure the IKE peer. [Spoke2] ike peer vam [Spoke2-ike-peer-vam] pre-shared-key abcde [Spoke2-ike-peer-vam] quit # Configure the IPsec profile. [Spoke2] ipsec profile vamp [Spoke2-ipsec-profile-vamp] proposal vam [Spoke2-ipsec-profile-vamp] ike-peer vam [Spoke2-ipsec-profile-vamp] sa duration time-based 600 [Spoke2-ipsec-profile-vamp] pfs dh-group2 [Spoke2-ipsec-profile-vamp] quit z Configure the DVPN tunnels.

# Configure tunnel interface Tunnel 1 for VPN 1. [Spoke2] interface tunnel 1 [Spoke2-Tunnel1] tunnel-protocol dvpn udp [Spoke2-Tunnel1] vam client dvpn1spoke2 [Spoke2-Tunnel1] ip address 10.0.1.4 255.255.255.0 [Spoke2-Tunnel1] source ethernet 1/1 [Spoke2-Tunnel1] ospf network-type broadcast [Spoke2-Tunnel1] ospf dr-priority 0 [Spoke2-Tunnel1] ipsec profile vamp [Spoke2-Tunnel1] quit # Configure tunnel interface Tunnel 2 for VPN 2. [Spoke2] interface tunnel 2 [Spoke2-Tunnel2] tunnel-protocol dvpn udp [Spoke2-Tunnel2] vam client dvpn2spoke2 [Spoke2-Tunnel2] ip address 10.0.2.4 255.255.255.0 [Spoke2-Tunnel2] source ethernet 1/1 [Spoke2-Tunnel2] ospf network-type broadcast

1-27

[Spoke2-Tunnel2] ipsec profile vamp [Spoke2-Tunnel2] quit z Configure OSPF

# Configure OSPF for the public network. [Spoke2] ospf 100 [Spoke2-ospf-100] area 0 [Spoke2-ospf-100-area-0.0.0.0] network 192.168.1.4 0.0.0.255 [Spoke2-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private networks. [Spoke2] ospf 200 [Spoke2-ospf-200] area 0 [Spoke2-ospf-200-area-0.0.0.0] network 10.0.1.4 0.0.0.255 [Spoke2-ospf-200-area-0.0.0.0] quit [Spoke2] ospf 300 [Spoke2-ospf-300] area 0 [Spoke2-ospf-300-area-0.0.0.0] network 10.0.2.4 0.0.0.255 [Spoke2-ospf-300-area-0.0.0.0] network 10.0.4.1 0.0.0.255 7) Configure Spoke 3



# Configure the IPsec proposal. [Spoke3] ipsec proposal vam [Spoke3-ipsec-proposal-vam] encapsulation-mode tunnel [Spoke3-ipsec-proposal-vam] transform esp [Spoke3-ipsec-proposal-vam] esp encryption-algorithm des [Spoke3-ipsec-proposal-vam] esp authentication-algorithm sha1 [Spoke3-ipsec-proposal-vam] quit # Configure the IKE peer. [Spoke3] ike peer vam [Spoke3-ike-peer-vam] pre-shared-key abcde [Spoke3-ike-peer-vam] quit # Configure the IPsec profile. [Spoke3] ipsec profile vamp [Spoke3-ipsec-profile-vamp] proposal vam [Spoke3-ipsec-profile-vamp] ike-peer vam [Spoke3-ipsec-profile-vamp] sa duration time-based 600 [Spoke3-ipsec-profile-vamp] pfs dh-group2

1-28

[Spoke3-ipsec-profile-vamp] quit z Configure the DVPN tunnel.

# Configure tunnel interface Tunnel 2 for VPN 2. [Spoke3] interface tunnel 2 [Spoke3-Tunnel2] tunnel-protocol dvpn udp [Spoke3-Tunnel2] vam client dvpn2spoke3 [Spoke3-Tunnel2] ip address 10.0.2.3 255.255.255.0 [Spoke3-Tunnel2] source ethernet 1/1 [Spoke3-Tunnel2] ospf network-type broadcast [Spoke3-Tunnel2] ospf dr-priority 0 [Spoke3-Tunnel2] ipsec profile vamp [Spoke3-Tunnel2] quit z Configure OSPF

# Configure OSPF for the public network. [Spoke3] ospf 100 [Spoke3-ospf-100] area 0 [Spoke3-ospf-100-area-0.0.0.0] network 192.168.1.5 0.0.0.255 [Spoke3-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private network. [Spoke3] ospf 200 [Spoke3-ospf-200] area 0 [Spoke3-ospf-200-area-0.0.0.0] network 10.0.2.3 0.0.0.255 [Spoke3-ospf-200-area-0.0.0.0] network 10.0.5.1 0.0.0.255 8) Verify the configuration

# Display the address mapping information of all VAM clients registered with the primary VAM server (main). [MainServer] display vam server address-map all VPN name: 1 Total address-map number: 4 Private-ip Public-ip Type Holding time 10.0.1.1 192.168.1.1 Hub 0H 52M 7S 10.0.1.2 192.168.1.2 Hub 0H 47M 31S 10.0.1.3 192.168.1.3 Spoke 0H 28M 25S 10.0.1.4 192.168.1.4 Spoke 0H 19M 15S VPN name: 2 Total address-map number: 4 Private-ip Public-ip Type Holding time 10.0.2.1 192.168.1.1 Hub 0H 51M 44S 10.0.2.2 192.168.1.2 Hub 0H 46M 45S 10.0.2.3 192.168.1.5 Spoke 0H 11M 25S 10.0.2.4 192.168.1.4 Spoke 0H 18M 32S # Display the address mapping information of all VAM clients registered with the secondary VAM server (backup). [BackupServer] display vam server address-map all VPN name: 1 Total address-map number: 4 Private-ip Public-ip Type Holding time 10.0.1.1 192.168.1.1 Hub 0H 55M 3S 10.0.1.2 192.168.1.2 Hub 0H 50M 30S

1-29

10.0.1.3 192.168.1.3 Spoke 0H 31M 24S 10.0.1.4 192.168.1.4 Spoke 0H 22M 15S VPN name: 2 Total address-map number: 4 Private-ip Public-ip Type Holding time 10.0.2.1 192.168.1.1 Hub 0H 54M 43S 10.0.2.2 192.168.1.2 Hub 0H 49M 44S 10.0.2.3 192.168.1.5 Spoke 0H 14M 24S 10.0.2.4 192.168.1.4 Spoke 0H 21M 32S The above output indicates that Hub 1, Hub 2, Spoke 1, Spoke 2, and Spoke 3 all have registered their address mapping information with the VAM servers.

# Display the DVPN tunnel information of Hub 1. [Hub1] display dvpn session all Interface: Tunnel1 VPN name: 1 Total number: 3 Private IP: 10.0.1.2 Public IP: 192.168.1.2 Session type: Hub-Hub State: SUCCESS Holding time: 0h 1m 44s Input: 101 packets, 100 data packets, 1 control packets 87 multicasts, 0 errors Output: 106 packets, 99 data packets, 7 control packets 87 multicasts, 10 errors Private IP: 10.0.1.3 Public IP: 192.168.1.3 Session type: Hub-Spoke State: SUCCESS Holding time: 0h 8m 7s Input: 164 packets, 163 data packets, 1 control packets 54 multicasts, 0 errors Output: 77 packets, 76 data packets, 1 control packets 55 multicasts, 0 errors Private IP: 10.0.1.4 Public IP: 192.168.1.4 Session type: Hub-Spoke State: SUCCESS Holding time: 0h 27m 13s Input: 174 packets, 167 data packets, 7 control packets 160 multicasts, 0 errors Output: 172 packets, 171 data packets, 1 control packets 165 multicasts, 0 errors Interface: Tunnel2 VPN name: 2 Total number: 3 Private IP: 10.0.2.2 Public IP: 192.168.1.2 Session type: Hub-Hub

1-30

State: SUCCESS Holding time: 0h 12m 10s Input: 183 packets, 182 data packets, 1 control packets 0 multicasts, 0 errors Output: 186 packets, 185 data packets, 1 control packets 155 multicasts, 0 errors Private IP: 10.0.2.4 Public IP: 192.168.1.4 Session type: Hub-Spoke State: SUCCESS Holding time: 0h 26m 39s Input: 174 packets, 169 data packets, 5 control packets 162 multicasts, 0 errors Output: 173 packets, 172 data packets, 1 control packets 167 multicasts, 0 errors Private IP: 10.0.2.3 Public IP: 192.168.1.5 Session type: Hub-Spoke State: SUCCESS Holding time: 0h 19m 30s Input: 130 packets, 127 data packets, 3 control packets 120 multicasts, 0 errors Output: 127 packets, 126 data packets, 1 control packets 119 multicasts, 0 errors The above information indicates that:

z In VPN 1, Hub 1 has established a permenent tunnel with Hub 2, Spoke 1, and Spoke 2 respectively.

z In VPN 2, Hub 1 has established a permenent tunnel with Hub 2, Spoke 2, and Spoke 3 respectively.

The DVPN tunnel information of Hub 2 is similar to that of Hub 1.

# Display the DVPN tunnel information of Spoke 2. [Spoke2] display dvpn session all Interface: Tunnel1 VPN name: 1 Total number: 2 Private IP: 10.0.1.1 Public IP: 192.168.1.1 Session type: Spoke-Hub State: SUCCESS Holding time: 1h 1m 22s Input: 381 packets, 380 data packets, 1 control packets 374 multicasts, 0 errors Output: 384 packets, 376 data packets, 8 control packets 369 multicasts, 0 errors Private IP: 10.0.1.2 Public IP: 192.168.1.2 Session type: Spoke-Hub State: SUCCESS Holding time: 0h 21m 53s Input: 251 packets, 249 data packets, 1 control packets

1-31

230 multicasts, 0 errors Output: 252 packets, 240 data packets, 7 control packets 224 multicasts, 0 errors Interface: Tunnel2 VPN name: 2 Total number: 2 Private IP: 10.0.2.1 Public IP: 192.168.1.1 Session type: Spoke-Hub State: SUCCESS Holding time: 0h 2m 47s Input: 383 packets, 382 data packets, 1 control packets 377 multicasts, 0 errors Output: 385 packets, 379 data packets, 6 control packets 372 multicasts, 0 errors Private IP: 10.0.2.2 Public IP: 192.168.1.2 Session type: Spoke-Hub State: SUCCESS Holding time: 0h 1m 50s Input: 242 packets, 241 data packets, 1 control packets 231 multicasts, 0 errors Output: 251 packets, 241 data packets, 7 control packets 225 multicasts, 0 errors The above information indicates that Spoke 2 has established a permenent Hub-Spoke tunnel with Hub 1 and Hub 2 respectively in both VPN 1 and VPN 2.

The DVPN tunnel information of Spoke 1 and Spoke 3 is similar to that of Spoke 2.

# On Spoke 2, ping private address 10.0.5.1 of Spoke 3. [Spoke2] ping 10.0.5.1 PING 10.0.5.1: 56 data bytes, press CTRL_C to break Reply from 10.0.5.1: bytes=56 Sequence=1 ttl=254 time=5 ms Reply from 10.0.5.1: bytes=56 Sequence=2 ttl=254 time=5 ms Reply from 10.0.5.1: bytes=56 Sequence=3 ttl=254 time=5 ms Reply from 10.0.5.1: bytes=56 Sequence=4 ttl=254 time=4 ms Reply from 10.0.5.1: bytes=56 Sequence=5 ttl=254 time=4 ms --- 10.0.5.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 4/4/5 ms # Display the DVPN tunnel information of interface Tunnel 2 on Spoke 2. [Spoke2] display dvpn session interface tunnel 2 Interface: Tunnel2 VPN name: 2 Total number: 3 Private IP: 10.0.2.1 Public IP: 192.168.1.1 Session type: Spoke-Hub State: SUCCESS Holding time: 1h 10m 0s Input: 451 packets, 450 data packets, 1 control packets

1-32

435 multicasts, 0 errors Output: 453 packets, 447 data packets, 6 control packets 430 multicasts, 0 errors Private IP: 10.0.2.2 Public IP: 192.168.1.2 Session type: Spoke-Hub State: SUCCESS Holding time: 0h 1m 50s Input: 242 packets, 241 data packets, 1 control packets 231 multicasts, 0 errors Output: 251 packets, 241 data packets, 7 control packets 225 multicasts, 0 errors Private IP: 10.0.2.3 Public IP: 192.168.1.5 Session type: Spoke-Spoke State: SUCCESS Holding time: 0h 0m 0s Input: 1 packets, 0 data packets, 1 control packets 0 multicasts, 0 errors Output: 1 packets, 0 data packets, 1 control packets 0 multicasts, 0 errors The above information indicates that a Spoke-Spoke tunnel has been established dynamically between Spoke 2 and Spoke 3.

Hub-Spoke DVPN Configuration Example

Network requirements z In the Hub-Spoke networks shown in Figure 1-7, data is forwarded along Hub-Spoke tunnels. The

primary and secondary VAM servers (the main and backup servers in the following figure) manage and maintain information about the nodes. The AAA server takes charge of VAM client authentication and accounting. With each being the backup of the other, the two Hubs perform data forwarding and routing information exchange.

z Permanent tunnels are established between each Hub-Spoke pair.

1-33

Figure 1-7 Network diagram for Hub-Spoke DVPN configuration

Hub 1 Hub 2

Spoke 1

Site 1

IP network

VPN 1 Hub-to-Spoke static tunnel

Main server

Backup server

Eth1/1 Eth1/1

Eth1/1

Tunnel1 Tunnel1

Tunnel1

Eth1/1

Eth1/1

AAA server

Spoke 2

Site 1

Eth1/1 Tunnel1VPN 1 and VPN 2 Hub-to-Hub static tunnel

Eth1/2 Eth1/2

Device Interface IP address Device Interface IP address Hub 1 Eth1/1 192.168.1.1/24 Spoke 1 Eth1/1 192.168.1.3/24 Tunnel1 10.0.1.1/24 Eth1/2 10.0.2.1/24 Hub 2 Eth1/1 192.168.1.2/24 Tunnel1 10.0.1.3/24 Tunnel1 10.0.1.2/24 Spoke 2 Eth1/1 192.168.1.4/24 Main server Eth1/1 192.168.1.22/24 Eth1/2 10.0.3.1/24 Backup server Eth1/1 192.168.1.33//24 Tunnel1 10.0.1.4/24 AAA server 192.168.1.11/24

Configuration procedure 1) Configure the primary VAM server (main)


z Configure AAA. system-view # Configure RADIUS scheme radsun. [MainServer] radius scheme radsun [MainServer-radius-radsun] primary authentication 192.168.1.11 1812 [MainServer-radius-radsun] primary accounting 192.168.1.11 1813 [MainServer-radius-radsun] key authentication expert [MainServer-radius-radsun] key accounting expert [MainServer-radius-radsun] server-type standard [MainServer-radius-radsun] user-name-format with-domain [MainServer-radius-radsun] quit # Configure ISP domain domain1 to use RADIUS scheme radsun. [MainServer] domain domain1 [MainServer-isp-domain1] authentication default radius-scheme radsun [MainServer-isp-domain1] accounting default radius-scheme radsun [MainServer-isp-domain1] quit [MainServer] domain default enable domain1 z Configure the VAM server

# Specify the listening address of the server. [MainServer] vam server ip-address 192.168.1.22 # Create VPN domain 1. [MainServer] vam server vpn 1

1-34

# Set the pre-shared key to 123. [MainServer-vam-server-vpn-1] pre-shared-key simple 123 # Set VAM client authentication mode to CHAP. [MainServer-vam-server-vpn-1] authentication-method chap # Specify the IP addresses of the Hubs for VPN 1. [MainServer-vam-server-vpn-1] hub private-ip 10.0.1.1 [MainServer-vam-server-vpn-1] hub private-ip 10.0.1.2 # Enable VAM server for all VPNs. [MainServer] vam server enable all 2) Configure the secondary VAM server (backup)

Except for the listening IP address configuration, the configurations for the secondary VAM server are the same as those for the primary VAM server and are thus omitted.

3) Configure Hub 1


z Configure the VAM client. system-view # Create a VAM client named dvpn1hub1 for VPN 1. [Hub1] vam client name dvpn1hub1 [Hub1-vam-client-name-dvpn1hub1] vpn 1 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Hub1-vam-client-name-dvpn1hub1] server primary ip-address 192.168.1.22 [Hub1-vam-client-name-dvpn1hub1] server secondary ip-address 192.168.1.33 [Hub1-vam-client-name-dvpn1hub1] pre-shared-key simple 123 # Create a local user named dvpn1hub1, setting the password as dvpn1hub1. [Hub1-vam-client-name-dvpn1hub1] user dvpn1hub1 password simple dvpn1hub1 [Hub1-vam-client-name-dvpn1hub1] client enable [Hub1-vam-client-name-dvpn1hub1] quit z Configure the IPsec profile

# Configure the IPsec proposal. [Hub1] ipsec proposal vam [Hub1-ipsec -proposal-vam] encapsulation-mode tunnel [Hub1-ipsec -proposal-vam] transform esp [Hub1-ipsec -proposal-vam] esp encryption-algorithm des [Hub1-ipsec -proposal-vam] esp authentication-algorithm sha1 [Hub1-ipsec -proposal-vam] quit # Configure the IKE peer. [Hub1] ike peer vam [Hub1-ike-peer-vam] pre-shared-key abcde [Hub1-ike-peer-vam] quit # Configure the IPsec profile. [Hub1] ipsec profile vamp [Hub1-ipsec-profile-vamp] proposal vam [Hub1-ipsec-profile-vamp] ike-peer vam [Hub1-ipsec-profile-vamp] sa duration time-based 600 [Hub1-ipsec-profile-vamp] pfs dh-group2 [Hub1-ipsec-profile-vamp] quit z Configure DVPN tunnels.

# Configure tunnel interface Tunnel 1 for VPN 1. [Hub1] interface tunnel 1

1-35

[Hub1-Tunnel1] tunnel-protocol dvpn udp [Hub1-Tunnel1] vam client dvpn1hub1 [Hub1-Tunnel1] ip address 10.0.1.1 255.255.255.0 [Hub1-Tunnel1] source ethernet 1/1 [Hub1-Tunnel1] ospf network-type p2mp [Hub1-Tunnel1] ipsec profile vamp [Hub1-Tunnel1] quit z Configure OSPF

# Configure OSPF for the public network. [Hub1] ospf 100 [Hub1-ospf-100] area 0 [Hub1-ospf-100-area-0.0.0.0] network 192.168.1.1 0.0.0.255 [Hub1-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private network. [Hub1] ospf 200 [Hub1-ospf-200] area 0 [Hub1-ospf-200-area-0.0.0.0] network 10.0.1.1 0.0.0.255 4) Configure Hub 2


z Configure the VAM client. system-view # Create a VAM client named dvpn1hub2 for VPN 1. [Hub2] vam client name dvpn1hub2 [Hub2-vam-client-name-dvpn1hub2] vpn 1 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Hub2-vam-client-name-dvpn1hub2] server primary ip-address 192.168.1.22 [Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 192.168.1.33 [Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123 # Create a local user named dvpn1hub2, setting the password as dvpn1hub2. [Hub2-vam-client-name-dvpn1hub2] user dvpn1hub2 password simple dvpn1hub2 [Hub2-vam-client-name-dvpn1hub2] client enable [Hub2-vam-client-name-dvpn1hub2] quit z Configure the IPsec profile

# Configure the IPsec proposal. [Hub2] ipsec proposal vam [Hub2-ipsec-proposal-vam] encapsulation-mode tunnel [Hub2-ipsec-proposal-vam] transform esp [Hub2-ipsec-proposal-vam] esp encryption-algorithm des [Hub2-ipsec-proposal-vam] esp authentication-algorithm sha1 [Hub2-ipsec-proposal-vam] quit # Configure the IKE peer. [Hub2] ike peer vam [Hub2-ike-peer-vam] pre-shared-key abcde [Hub2-ike-peer-vam] quit # Configure the IPsec profile. [Hub2] ipsec profile vamp [Hub2-ipsec-profile-vamp] proposal vam [Hub2-ipsec-profile-vamp] ike-peer vam [Hub2-ipsec-profile-vamp] sa duration time-based 600 [Hub2-ipsec-profile-vamp] pfs dh-group2

1-36

[Hub2-ipsec-profile-vamp] quit z Configure the DVPN tunnel.

# Configure tunnel interface Tunnel 1 for VPN 1. [Hub2] interface tunnel 1 [Hub2-Tunnel1] tunnel-protocol dvpn udp [Hub2-Tunnel1] vam client dvpn1hub2 [Hub2-Tunnel1] ip address 10.0.1.2 255.255.255.0 [Hub2-Tunnel1] source ethernet 1/1 [Hub2-Tunnel1] ospf network-type p2mp [Hub2-Tunnel1] ipsec profile vamp [Hub2-Tunnel1] quit z Configure OSPF

# Configure OSPF for the public network. [Hub2] ospf 100 [Hub2-ospf-100] area 0 [Hub2-ospf-100-area-0.0.0.0] network 192.168.1.2 0.0.0.255 [Hub2-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private network. [Hub2] ospf 200 [Hub2-ospf-200] area 0 [Hub2-ospf-200-area-0.0.0.0] network 10.0.1.2 0.0.0.255 5) Configure Spoke 1



# Configure the IPsec proposal. [Spoke1] ipsec proposal vam [Spoke1-ipsec-proposal-vam] encapsulation-mode tunnel [Spoke1-ipsec-proposal-vam] transform esp [Spoke1-ipsec-proposal-vam] esp encryption-algorithm des [Spoke1-ipsec-proposal-vam] esp authentication-algorithm sha1 [Spoke1-ipsec-proposal-vam] quit # Configure the IKE peer. [Spoke1] ike peer vam [Spoke1-ike-peer-vam] pre-shared-key abcde [Spoke1-ike-peer-vam] quit # Configure the IPsec profile. [Spoke1] ipsec profile vamp

1-37

[Spoke1-ipsec-profile-vamp] proposal vam [Spoke1-ipsec-profile-vamp] ike-peer vam [Spoke1-ipsec-profile-vamp] sa duration time-based 600 [Spoke1-ipsec-profile-vamp] pfs dh-group2 z Configure the DVPN tunnel.

# Configure tunnel interface Tunnel 1 for VPN 1. [Spoke1] interface tunnel 1 [Spoke1-Tunnel1] tunnel-protocol dvpn udp [Spoke1-Tunnel1] vam client dvpn1spoke1 [Spoke1-Tunnel1] ip address 10.0.1.3 255.255.255.0 [Spoke1-Tunnel1] source ethernet 1/1 [Spoke1-Tunnel1] ospf network-type p2mp [Spoke1-Tunnel1] ospf dr-priority 0 [Spoke1-Tunnel1] ipsec profile vamp [Spoke1-Tunnel1] quit z Configure OSPF

# Configure OSPF for the public network. [Spoke1] ospf 100 [Spoke1-ospf-100] area 0 [Spoke1-ospf-100-area-0.0.0.0] network 192.168.1.3 0.0.0.255 [Spoke1-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private network. [Spoke1] ospf 200 [Spoke1-ospf-200] area 0 [Spoke1-ospf-200-area-0.0.0.0] network 10.0.1.3 0.0.0.255 [Spoke1-ospf-200-area-0.0.0.0] network 10.0.2.1 0.0.0.255 6) Configure Spoke 2



# Configure the IPsec proposal. [Spoke2] ipsec proposal vam [Spoke2-ipsec-proposal-vam] encapsulation-mode tunnel [Spoke2-ipsec-proposal-vam] transform esp [Spoke2-ipsec-proposal-vam] esp encryption-algorithm des [Spoke2-ipsec-proposal-vam] esp authentication-algorithm sha1 [Spoke2-ipsec-proposal-vam] quit # Configure the IKE peer.

1-38

[Spoke2] ike peer vam [Spoke2-ike-peer-vam] pre-shared-key abcde [Spoke2-ike-peer-vam] quit # Configure the IPsec profile. [Spoke2] ipsec profile vamp [Spoke2-ipsec-profile-vamp] proposal vam [Spoke2-ipsec-profile-vamp] ike-peer vam [Spoke2-ipsec-profile-vamp] sa duration time-based 600 [Spoke2-ipsec-profile-vamp] pfs dh-group2 [Spoke2-ipsec-profile-vamp] quit z Configure the DVPN tunnel.

# Configure tunnel interface Tunnel 1 for VPN 1. [Spoke2] interface tunnel 1 [Spoke2-Tunnel1] tunnel-protocol dvpn udp [Spoke2-Tunnel1] vam client dvpn1spoke2 [Spoke2-Tunnel1] ip address 10.0.1.4 255.255.255.0 [Spoke2-Tunnel1] source ethernet 1/1 [Spoke2-Tunnel1] ospf network-type p2mp [Spoke2-Tunnel1] ospf dr-priority 0 [Spoke2-Tunnel1] ipsec profile vamp [Spoke2-Tunnel1] quit z Configure OSPF

# Configure OSPF for the public network. [Spoke2] ospf 100 [Spoke2-ospf-100] area 0 [Spoke2-ospf-100-area-0.0.0.0] network 192.168.1.4 0.0.0.255 [Spoke2-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private network. [Spoke2] ospf 200 [Spoke2-ospf-200] area 0 [Spoke2-ospf-200-area-0.0.0.0] network 10.0.1.4 0.0.0.255 [Spoke2-ospf-200-area-0.0.0.0] network 10.0.3.1 0.0.0.255 7) Verify the configuration

# Display the address mapping information of all VAM clients registered with the primary VAM server (main). [MainServer] display vam server address-map all VPN name: 1 Total address-map number: 4 Private-ip Public-ip Type Holding time 10.0.1.1 192.168.1.1 Hub 0H 7M 35S 10.0.1.2 192.168.1.2 Hub 0H 13M 8S 10.0.1.3 192.168.1.3 Spoke 0H 3M 58S 10.0.1.4 192.168.1.4 Spoke 0H 0M 29S # Display the address mapping information of all VAM clients registered with the secondary VAM server (backup). [BackupServer] display vam server address-map all VPN name: 1 Total address-map number: 4

1-39

Private-ip Public-ip Type Holding time 10.0.1.1 192.168.1.1 Hub 0H 8M 46S 10.0.1.2 192.168.1.2 Hub 0H 14M 58S 10.0.1.3 192.168.1.3 Spoke 0H 5M 9S 10.0.1.4 192.168.1.4 Spoke 0H 1M 40S The above output indicates that Hub 1, Hub 2, Spoke 1, and Spoke 2 all have registered their address mapping information with the VAM servers.

# Display the DVPN tunnel information of Hub 1. [Hub1] display dvpn session all Interface: Tunnel1 VPN name: 1 Total number: 3 Private IP: 10.0.1.2 Public IP: 192.168.1.2 Session type: Hub-Hub State: SUCCESS Holding time: 0h 1m 44s Input: 101 packets, 100 data packets, 1 control packets 87 multicasts, 0 errors Output: 106 packets, 99 data packets, 7 control packets 87 multicasts, 10 errors Private IP: 10.0.1.3 Public IP: 192.168.1.3 Session type: Hub-Spoke State: SUCCESS Holding time: 0h 4m 32s Input: 36 packets, 18 data packets, 18 control packets 10 multicasts, 0 errors Output: 35 packets, 17 data packets, 18 control packets 11 multicasts, 0 errors Private IP: 10.0.1.4 Public IP: 192.168.1.4 Session type: Hub-Spoke State: SUCCESS Holding time: 0h 3m 15s Input: 20 packets, 0 data packets, 20 control packets 0 multicasts, 0 errors Output: 20 packets, 6 data packets, 14 control packets 6 multicasts, 0 errors The above information indicates that in VPN 1, Hub 1 has established a permenent tunnel with Hub 2, Spoke 1, and Spoke 2 respectively. The DVPN tunnel information of Hub 2 is similar to that of Hub 1.

# Display the DVPN tunnel information of Spoke 1. [Spoke1] display dvpn session all Interface: Tunnel1 VPN name: 1 Total number: 2 Private IP: 10.0.1.1 Public IP: 192.168.1.1 Session type: Spoke-Hub State: SUCCESS Holding time: 1h 1m 22s

1-40

Input: 381 packets, 380 data packets, 1 control packets 374 multicasts, 0 errors Output: 384 packets, 376 data packets, 8 control packets 369 multicasts, 0 errors Private IP: 10.0.1.2 Public IP: 192.168.1.2 Session type: Spoke-Hub State: SUCCESS Holding time: 0h 21m 53s Input: 251 packets, 249 data packets, 1 control packets 230 multicasts, 0 errors Output: 252 packets, 240 data packets, 7 control packets 224 multicasts, 0 errors The above information indicates that in VPN 1, Spoke 1 has established a permenent Hub-Spoke tunnel with Hub 1 and Hub 2 respectively. The DVPN tunnel information of Spoke 2 is similar to that of Spoke 1.

# On Spoke 1, ping private address 10.0.3.1 of Spoke 2. [Spoke1] ping 10.0.3.1 PING 10.0.3.1: 56 data bytes, press CTRL_C to break Reply from 10.0.3.1: bytes=56 Sequence=1 ttl=254 time=6 ms Reply from 10.0.3.1: bytes=56 Sequence=2 ttl=254 time=54 ms Reply from 10.0.3.1: bytes=56 Sequence=3 ttl=254 time=5 ms Reply from 10.0.3.1: bytes=56 Sequence=4 ttl=254 time=6 ms Reply from 10.0.3.1: bytes=56 Sequence=5 ttl=254 time=37 ms --- 10.0.3.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 5/21/54 ms # Display the DVPN tunnel information of Spoke 1. [Spoke1] display dvpn session all Interface: Tunnel2 VPN name: 2 Total number: 2 Private IP: 10.0.2.1 Public IP: 192.168.1.1 Session type: Spoke-Hub State: SUCCESS Holding time: 1h 10m 0s Input: 451 packets, 450 data packets, 1 control packets 435 multicasts, 0 errors Output: 453 packets, 447 data packets, 6 control packets 430 multicasts, 0 errors Private IP: 10.0.2.2 Public IP: 192.168.1.2 Session type: Spoke-Hub State: SUCCESS Holding time: 0h 1m 50s Input: 242 packets, 241 data packets, 1 control packets 231 multicasts, 0 errors Output: 251 packets, 241 data packets, 7 control packets

1-41

225 multicasts, 0 errors The above information indicates that Spoke 1 and Spoke 2 have no dynamic Spoke-Spoke tunnel established between them, and they exchange data through the Hub.

2-1

2 GRE Configuration Support for some features on the MSR series is shown below:

Feature MSR 900 MSR 20-1X MSR 20 MSR 30 MSR 50

GRE-IPSec tunnel application Yes Yes Yes Yes Yes

z Support for some commands may vary with device models. For relevant information, refer to the corresponding command manual.

z All the MSR series routers are centralized devices. z The MSR series routers support VPN instances, therefore supporting the vpn-instance keyword.

When configuring GRE, go to these sections for information you are interested in:

z GRE Overview z Configuring a GRE over IPv4 Tunnel z Configuring a GRE over IPv6 Tunnel z Displaying and Maintaining GRE z GRE over IPv4 Tunnel Configuration Examples z GRE over IPv6 Tunnel Configuration Examples z Troubleshooting GRE

GRE Overview

Introduction to GRE

Generic Routing Encapsulation (GRE) is a protocol designed for encapsulating and carrying the packets of one network layer protocol (for example, IP or IPX) over another network layer protocol (for example, IP). GRE is a tunneling technology and serves as a Layer 3 tunneling protocol.

A GER tunnel is a virtual point-to-point connection for transferring encapsulated packets. Packets are encapsulated at one end of the tunnel and de-encapsulated at the other end. Figure 2-1 depicts the encapsulation and de-encapsulation processes.

Figure 2-1 X protocol networks interconnected through the GRE tunnel

2-2

The following takes the network shown in Figure 2-1 as an example to describe how an X protocol packet traverses the IP network through a GRE tunnel.

Encapsulation process

1) After receiving an X protocol packet through the interface connected to Group 1, Router A submits it to the X protocol for processing.

2) The X protocol checks the destination address field in the packet header to determine how to route the packet.

3) If the packet must be tunneled to reach its destination, Router A sends it to the tunnel interface. 4) Upon receipt of the packet, the tunnel interface encapsulates it in a GRE packet. Then, the system

encapsulates the packet in an IP packet and forwards the IP packet based on its destination address and the routing table.

Format of an encapsulated packet

Figure 2-2 shows the format of an encapsulated packet.

Figure 2-2 Format of an encapsulated packet

As an example, Figure 2-3 shows the format of an X packet encapsulated for transmission over an IP tunnel.

Figure 2-3 Format of an X packet encapsulated for transmission over an IP tunnel

These are the terms involved:

z Payload: Packet that needs to be encapsulated and transmitted. z Passenger protocol: Protocol that the payload packet uses, IPX in the example. z Encapsulation or carrier protocol: Protocol used to encapsulate the payload packet, that is, GRE. z Delivery or transport protocol: Protocol used to encapsulate the GRE packet and then forward the

packet to the other end of the tunnel, IP in this example.

Depending on the transport protocol, two tunnel modes are present: GRE over IPv4 and GRE over IPv6.

De-encapsulation process

De-encapsulation is the reverse process of encapsulation:

1) Upon receiving an IP packet from the tunnel interface, Router B checks the destination address.

2-3

2) If the destination is itself, Router B strips off the IP header of the packet and submits the resulting packet to the GRE protocol.

3) The GRE protocol checks the key, checksum and sequence number in the packet, and then strips off the GRE header and submits the payload to the X protocol for forwarding.

Encapsulation and de-encapsulation processes on both ends of the GRE tunnel and the resulting increase in data volumes will degrade the forwarding efficiency for the GRE-enabled device to some extent.

GRE Security Options

For the purpose of tunnel security, GRE provides two options: tunnel interface key and end-to-end checksum.

According to RFC 1701,

z If the Key Present field of a GRE packet header is set to 1, the Key field will carry the key for the receiver to authenticate the source of the packet. This key must be the same at both ends of a tunnel. Otherwise, packets delivered over the tunnel will be discarded.

z If the Checksum Present bit of a GRE packet header is set to 1, the Checksum field contains valid information. The sender calculates the checksum for the GRE header and the payload and sends the packet containing the checksum to the peer. The receiver calculates the checksum for the received packet and compar

06 VPN Volume Book

Documents

Transcript of 06 VPN Volume Book