Dynamic Multipoint VPN (DMVPN) - Shortcut Switching Enhancements for NHRP


- Version: 0.2.b1-022 or later





Rockhopper supports Shortcut Switching Enhancements for NHRP in Dynamic Multipoint VPN (DMVPN) networks, based on the Internet-Draft "Flexible Dynamic Mesh VPN" by Cisco.

By configuring Dynamic Multipoint VPN (DMVPN), an initial partial mesh (hub-and-spoke) expands to dynamically create direct connections called Shortcut Tunnels between endpoints (spoke nodes) that need to exchange data but are not directly connected in the initial state. For more details, please read the following documents:


DMVPN technology is based on the following protocols:



To deploy DMVPN networks, you need to configure static routing information or enable a dynamic routing service such as OSPF (e.g. Quagga) on the hub and spoke nodes. Alternatively, the hub node can push the static routing information to the spoke nodes through IKE's remote configuration service after the VPN connection is established. (See the Internet-Draft "Flexible Dynamic Mesh VPN: 9.2. Using Configuration Attributes" for more details.)


See also GRE over IPsec and Peer address registration by NHRP.



- Configure Hub node - Next-Hop Server (hub.example.com)


If you want to enable IKEv1, see IKEv1 configuration.

  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]

  3. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following.

    Internal Address Type: Static Address
    Internal Address: IPv4: 192.168.0.100 and Netmask: 255.255.255.0

    This internal IP address is also used as the NHRP Next-Hop Server (NHS) address.

    Encapsulation Mode: Generic Routing Encapsulation (GRE)
    GRE Key: 1000 (if needed)
    NHRP (Next Hop Resolution Protocol) Key: testnhrpkey (if needed)

  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Service[Left-Tree]: Click this tree node and show Service pane.

    - Network Deployment: Select Hub (Concentrator / Gateway / NHS) Node.

    - NHRP (Next Hop Resolution Protocol): Check Enable (Internal Address Registration).

    - DMVPN (Dynamic Multipoint VPN): Check Enable (Shortcut Switching Enhancements for NHRP).

  5. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, Remove or Load)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.




- Configure Spoke1 node - Next-Hop Client (spoke1.example.com)


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]

  3. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following.

    Internal Address Type: Static Address
    Internal Address: IPv4: 192.168.0.1 and Netmask: 255.255.255.0

    This internal IP address is also used as the NHRP Next-Hop Client (NHC) address.

    Encapsulation Mode: Generic Routing Encapsulation (GRE)
    GRE Key: 1000 (if needed)
    NHRP (Next Hop Resolution Protocol) Key: testnhrpkey (if needed)

  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Service[Left-Tree]: Click this tree node and show Service pane.

    - Network Deployment: Select Spoke Node / Client / NHC / Other.

    - NHRP (Next Hop Resolution Protocol): Check Enable (Internal Address Registration).

    - DMVPN (Dynamic Multipoint VPN): Check Enable (Shortcut Switching Enhancements for NHRP).

  5. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree] > Peers[Left-Tree]:
    Click this tree node and show Peers pane.

    First, add a remote peer for the Hub (hub.example.com).

    - Click Add Peer button.

    - Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: Host Name(FQDN)
    Peer ID: hub.example.com

    Next, add an "any" peer to allow shortcut connections with other spoke nodes.

    - Click Add Peer button.

    - Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: Any
    Peer ID: any

  6. Setup the Hub's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree] > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Remote Peer: hub.example.com(FQDN) pane.

    - Enter the following.

    Peer's IPv4 Address: 10.0.0.100 (If address resolution by DNS is not available)

    If you want to use IKEv1, check Connect by using IKEv1 (initiator). See IKEv1 configuration for more details.

    Also, you may need to check Enable always-on connection if this node is deployed as a gateway.


    When this remote peer (hub) is a non-Rockhopper node such as a Cisco device, enter the following address. This internal address is used as the NHRP Next-Hop Server (NHS) address. If the peer is also a Rockhopper node, the address is exchanged automatically, so you don't need to specify it.

    This remote peer's Internal Address: 192.168.0.100

  7. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, Remove or Load)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.




- Configure Spoke2 node - Next-Hop Client (spoke2.example.com)


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]

  3. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following.

    Internal Address Type: Static Address
    Internal Address: IPv4: 192.168.0.2 and Netmask: 255.255.255.0

    Encapsulation Mode: Generic Routing Encapsulation (GRE)
    GRE Key: 1000 (if needed)
    NHRP (Next Hop Resolution Protocol) Key: testnhrpkey (if needed)

  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Service[Left-Tree]: Click this tree node and show Service pane.

    - Network Deployment: Select Spoke Node / Client / NHC / Other.

    - NHRP (Next Hop Resolution Protocol): Check Enable (Internal Address Registration).

    - DMVPN (Dynamic Multipoint VPN): Check Enable (Shortcut Switching Enhancements for NHRP).

  5. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree] > Peers[Left-Tree]:
    Click this tree node and show Peers pane.

    - Click Add Peer button.

    - Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: Host Name(FQDN)
    Peer ID: hub.example.com

    Similarly, add an "any" peer.

    Peer ID Type: Any
    Peer ID: any

  6. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree] > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Remote Peer: hub.example.com(FQDN) pane.

    - Enter the following.

    Peer's IPv4 Address: 10.0.0.100 (If address resolution by DNS is not available)

    Check Connect by using IKEv1 (initiator) (if needed).

    Check Enable always-on connection (if needed).


    Enter the following address (if needed).

    This remote peer's Internal Address: 192.168.0.100

  7. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, Remove or Load)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.




- Configure static routing information for Hub (hub.example.com)


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]

  3. Setup Internal Route Map.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Internal Route Map[Left-Tree]:
    Click this tree node and show Internal Route Map pane.

    First, configure routing information to Remote Site 1.

    - Click Add Route button.

    - Add a New Internal Route[Dialog]: Enter the following, then click OK button.

    Destination IPv4 Network: 192.168.1.0
    Netmask: 255.255.255.0
    Forwarding Type: Gateway IPv4 Address
    Forward To: 192.168.0.1


    Similarly, configure routing information to Remote Site 2.

    - Click Add Route button.

    - Add a New Internal Route[Dialog]: Enter the following, then click OK button.

    Destination IPv4 Network: 192.168.2.0
    Netmask: 255.255.255.0
    Forwarding Type: Gateway IPv4 Address
    Forward To: 192.168.0.2

  4. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, Remove or Load)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.



- Configure static routing information for Spoke1 (spoke1.example.com) and Spoke2 (spoke2.example.com)


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]

  3. Setup Internal Route Map.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Internal Route Map[Left-Tree]:
    Click this tree node and show Internal Route Map pane.

    First, configure routing information via Hub node.

    - Click Add Route button.

    - Add a New Internal Route[Dialog]: Enter the following, then click OK button.

    Destination IPv4 Network: 192.168.0.0
    Netmask: 255.255.0.0
    Forwarding Type: Gateway IPv4 Address
    Forward To: 192.168.0.100

  4. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, Remove or Load)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.
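
As an added illustration (not Rockhopper code), the following Python model walks the static route maps configured above and shows how a shortcut route, being more specific than the spokes' 192.168.0.0/16 route via the hub, takes Spoke1-to-Spoke2 traffic off the hub. The spoke outer addresses 10.0.0.1 and 10.0.0.2, the site host 192.168.2.10 and all function names are assumptions made for the example, and the NHRP exchange is reduced to its effect on the route table.

```python
import ipaddress

# Internal (tunnel) addresses and the hub's outer address come from the page.
# Spoke outer (NBMA) addresses 10.0.0.1 / 10.0.0.2 are constructed for the example.
HUB, SPOKE1, SPOKE2 = "192.168.0.100", "192.168.0.1", "192.168.0.2"
NBMA = {HUB: "10.0.0.100", SPOKE1: "10.0.0.1", SPOKE2: "10.0.0.2"}
LAN = {SPOKE1: "192.168.1.0/24", SPOKE2: "192.168.2.0/24"}  # Remote Site 1 / 2
net = ipaddress.ip_network

# Static internal route maps as entered in the steps above.
routes = {
    HUB: {net("192.168.1.0/24"): SPOKE1, net("192.168.2.0/24"): SPOKE2},
    SPOKE1: {net("192.168.0.0/16"): HUB},
    SPOKE2: {net("192.168.0.0/16"): HUB},
}

def next_hop(node, dst):
    """Longest-prefix match; None means the node delivers the packet itself."""
    dst = ipaddress.ip_address(dst)
    if node in LAN and dst in net(LAN[node]):
        return None
    hits = [n for n in routes[node] if dst in n]
    return routes[node][max(hits, key=lambda n: n.prefixlen)] if hits else None

def path(src_node, dst):
    """Tunnel endpoints the packet visits, starting at src_node."""
    hops = [src_node]
    while (nh := next_hop(hops[-1], dst)) is not None and len(hops) < 8:
        hops.append(nh)
    return hops

def resolve_shortcut(src_node, dst):
    """Simplified NHRP outcome: the hub forwards transit traffic and signals
    src_node, src_node asks who owns dst, and the owning spoke answers with its
    prefix and outer address. Returns the installed shortcut, or None."""
    hops = path(src_node, dst)
    if len(hops) < 3 or hops[-1] not in LAN:  # no hub in the middle: nothing to shorten
        return None
    owner = hops[-1]
    routes[src_node][net(LAN[owner])] = owner  # /24 beats the /16 via the hub
    return {"prefix": LAN[owner], "next_hop": owner, "nbma": NBMA[owner]}

if __name__ == "__main__":
    print(path(SPOKE1, "192.168.2.10"))              # via the hub
    print(resolve_shortcut(SPOKE1, "192.168.2.10"))
    print(path(SPOKE1, "192.168.2.10"))              # direct spoke-to-spoke
```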





- Configure dynamic routing service.


By enabling a dynamic routing service such as OSPF (e.g. Quagga), each node can dynamically distribute internal routing information via GRE/IPsec tunnels. See Configuration examples for more details.






- Configure IKE remote configuration service for Hub (hub.example.com) to push internal routing information


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]

  3. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree] > Service[Left-Tree]: Click this tree node and show Service pane.

    - Remote Configuration (IKE): Select Remote Configuration Server.

  4. Setup Remote Configuration Server.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree] > Service[Left-Tree] > Remote Config Server[Left-Tree]:

    Click this tree node and show Remote Configuration Server (IKE) pane.

  5. Setup Remote Configuration Server (IKE) - Internal Route Map.

    - Remote Config Server (IKE)[Pane] > Internal Route Map[Tab]:

    - Click Add Destination IPv4 Network button.

    Add a New Internal Route[Dialog]: Enter the following, then click OK button.

    Destination IPv4 Network: 192.168.0.0
    Netmask: 255.255.0.0

  6. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, Remove or Load)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.



- Configure IKE remote configuration service for Spoke1 (spoke1.example.com) and Spoke2 (spoke2.example.com)


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]

  3. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree] > Service[Left-Tree]: Click this tree node and show Service pane.

    - Remote Configuration (IKE): Select Remote Access Client.

  4. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, Remove or Load)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.





- Configuration examples




- RFCs

