Following on from my previous post, I’ll record how to add encryption to an established DMVPN setup.
A word of warning
This will hammer your throughput. For example, the ASR1001 will do 5Gbps of throughput in ideal conditions but only 1.8Gbps of crypto. This is because traffic which needs to be encrypted has to be recursively fed back into the Embedded Services Processor (ESP, the card used to manipulate and forward most traffic). Also, unless the size of the packets in your flow is approximately a multiple of the size of the internal cell used to shift traffic around the bus in the ASR, you'll get padding and achievable throughput will be considerably smaller.
For example, if the cells of data used on the ASR's internal bus were 30 bytes, and your packets were 60 bytes each, then you'd get two cells per packet and 100% efficiency.
| Packet size 60 Bytes | —> ASR Internal BUS —> | 30 Byte Cell | 30 Byte Cell |
61 byte packets would result in three cells per packet, 29 bytes of padding, and a waste of something like half the bandwidth.
| Packet size 61 Bytes | —> ASR Internal BUS —> | 30 Byte Cell | 30 Byte Cell | 1 Byte Cell + padding |
This is all rather contrived and the statistical nature of network traffic means that real world performance is likely to be between the two extremes. Cell sizes don’t tend to be published as other vendors could use this data to make equipment seem rather worse than it really is.
We create an IPsec profile and apply it to our tunnel interface with tunnel protection. We'll use a pre-shared key and tie it to the physical (NBMA) addresses of the routers in our topology. This introduces a snag: in the lab it is easy, as we have a nice summarisable range for our fake public IPs. In real life this won't be the case, as you probably won't know the real IPs of all your spoke routers at initial deployment. To simplify things, and so that the dynamic nature of DMVPN still works, you'll probably need to use 0.0.0.0 0.0.0.0 as the address in the pre-shared key command; bear in mind that the key is then the only thing authenticating a peer, so it needs to be strong and well guarded. For the lab, we just need to cover all the routers (or the spoke-to-spoke tunnels would fail).
Getting to the Config
The following config should be applied to R1, R2, R3 and R4:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key 0 DMVPN_LAB address 192.168.0.0 255.255.0.0
!
crypto ipsec transform-set ESP_AES256_SHA_TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN_IPSEC_PROFILE
 set transform-set ESP_AES256_SHA_TRANSPORT
!
interface Tunnel0
 tunnel protection ipsec profile DMVPN_IPSEC_PROFILE
!
You’ll need to shut / no shut the tunnel interfaces to re-establish the DMVPN tunnel.
The usual gotcha applies with IPsec tunnels: you need traffic to traverse them to bring them up. However, we have a nice IGP running, so the tunnels to the hub come up on their own:
R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.15.1    192.168.45.1    QM_IDLE           1001    0 ACTIVE
R4#
R4#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.15.1       172.16.0.1    UP 00:00:17     S
We do a ping to bring up a spoke-to-spoke tunnel:
R4#ping 184.108.40.206 source fa 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 220.127.116.11, timeout is 2 seconds:
Packet sent with a source address of 18.104.22.168
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/95/164 ms
R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.15.1    192.168.45.1    QM_IDLE           1001    0 ACTIVE
192.168.45.1    192.168.25.1    QM_IDLE           1002    0 ACTIVE
R4#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.15.1       172.16.0.1    UP 00:00:49     S
     1 192.168.25.1       172.16.0.2    UP    never     D
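As an added example (not part of the original post), the Python below cross-checks the two outputs above: it parses show dmvpn and show crypto isakmp sa and lists any NHRP peer that is UP without a matching QM_IDLE/ACTIVE ISAKMP SA, which is the quick way to confirm every DMVPN peer really is behind the IPsec profile. The sample text is constructed to match the R4 output after the spoke-to-spoke ping.

```python
import re

# Constructed sample output, modelled on R4 after the spoke-to-spoke ping.
SHOW_ISAKMP_SA = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.15.1    192.168.45.1    QM_IDLE           1001    0 ACTIVE
192.168.45.1    192.168.25.1    QM_IDLE           1002    0 ACTIVE
"""

SHOW_DMVPN = """Tunnel0, Type:Spoke, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.15.1       172.16.0.1    UP 00:00:49     S
     1 192.168.25.1       172.16.0.2    UP    never     D
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# dst, src, state, conn-id, slot, status
ISAKMP_RE = re.compile(rf"^{IPV4}\s+{IPV4}\s+(\S+)\s+\d+\s+\d+\s+(\S+)", re.M)
# # Ent, NBMA addr, tunnel addr, state, UpDn Tm, Attrb
NHRP_RE = re.compile(rf"^\s*\d+\s+{IPV4}\s+{IPV4}\s+(\S+)\s+(\S+)\s+(\S+)", re.M)


def isakmp_peers(text):
    """Addresses appearing in an established (QM_IDLE / ACTIVE) ISAKMP SA.
    Both dst and src are collected; the local address is harmless here
    because it never appears as an NHRP peer."""
    peers = set()
    for dst, src, state, status in ISAKMP_RE.findall(text):
        if state == "QM_IDLE" and status == "ACTIVE":
            peers.update((dst, src))
    return peers


def nhrp_peers(text):
    """(NBMA address, tunnel address, NHRP state) for each show dmvpn row."""
    return [(nbma, tun, state) for nbma, tun, state, _, _ in NHRP_RE.findall(text)]


def unprotected_peers(dmvpn_text, isakmp_text):
    """NBMA addresses of NHRP peers that are UP but have no active ISAKMP SA."""
    protected = isakmp_peers(isakmp_text)
    return [nbma for nbma, _, state in nhrp_peers(dmvpn_text)
            if state == "UP" and nbma not in protected]


if __name__ == "__main__":
    missing = unprotected_peers(SHOW_DMVPN, SHOW_ISAKMP_SA)
    print("peers without ISAKMP SA:", missing or "none")
```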
A word of thanks
This post was helped hugely by reading an old Jeremy Stretch article.