Monthly Archives: March 2014

DMVPN with Crypto

Following on from my previous post, I’ll record how to add encryption to an established DMVPN setup.

A word of warning

This will hammer your throughput. For example, the ASR1001 will do 5Gbps of throughput in ideal conditions [1] but only 1.8Gbps of crypto. This is because traffic which needs to be encrypted has to be fed back through the Embedded Services Processor (ESP, the card used to manipulate and forward most traffic; not to be confused with IPsec ESP) a second time. Also, unless the size of the packets in your flow is approximately a multiple of the size of the internal cell used to shift traffic around the ASR's bus, you'll get padding and achievable throughput will be considerably smaller.

For example, if the cells of data used on the ASR's internal bus were 30 bytes and your packets were 60 bytes each, you'd get two cells per packet and 100% efficiency.

| Packet size 60 Bytes |  —> ASR Internal BUS  —> | 30 Byte Cell | 30 Byte Cell |

61 byte packets would need three cells per packet, the last carrying 1 byte of data and 29 bytes of padding: 61 bytes of payload occupy 90 bytes of cells, so nearly half as much bandwidth again is wasted on padding.

| Packet size 61 Bytes |  —> ASR Internal BUS  —> | 30 Byte Cell | 30 Byte Cell | 1 Byte + 29 Bytes padding |

This is all rather contrived, and the statistical nature of network traffic means that real-world performance is likely to fall somewhere between the two extremes. Cell sizes tend not to be published, as other vendors could use the figure to make the equipment seem rather worse than it really is.
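A worked version of the arithmetic above, added here as an example and not part of the original post. It uses the post's contrived 30-byte cell (real cell sizes are unpublished, so that figure is an assumption) and also computes the on-the-wire size of a packet after GRE encapsulation and ESP transport-mode protection with the transform set configured later on this page (esp-aes 256 with esp-sha-hmac: 8-byte ESP header, 16-byte IV, padding to the 16-byte AES block plus a 2-byte trailer, and a 12-byte HMAC-SHA1-96 ICV, per RFC 4303), since the encrypted copy is the one that gets fed back through the ESP card. The traffic mix is a constructed IMIX-style distribution, not measured data.

```python
import math

# The post's contrived bus cell size; real ASR cell sizes are not published,
# so this is an assumption for illustration only.
CELL_BYTES = 30

# ESP transport-mode overhead for the transform set on the page
# (esp-aes 256 + esp-sha-hmac), following RFC 4303: SPI + sequence number,
# AES-CBC IV, padding to the AES block size with a 2-byte trailer
# (pad length, next header), then a truncated HMAC-SHA1-96 ICV.
# mGRE adds a 4-byte GRE header (no key or sequence options assumed).
OUTER_IP_HEADER = 20
ESP_HEADER = 8
AES_IV = 16
AES_BLOCK = 16
ESP_TRAILER = 2
SHA1_ICV = 12
GRE_HEADER = 4


def esp_transport_gre_len(inner_len):
    """Wire size of an inner IP packet of inner_len bytes once GRE-encapsulated
    and protected by ESP in transport mode with AES-CBC and HMAC-SHA1."""
    plaintext = GRE_HEADER + inner_len
    # ESP pads so that plaintext + padding + trailer is a whole number of blocks.
    pad = (AES_BLOCK - (plaintext + ESP_TRAILER) % AES_BLOCK) % AES_BLOCK
    return (OUTER_IP_HEADER + ESP_HEADER + AES_IV
            + plaintext + pad + ESP_TRAILER + SHA1_ICV)


def cell_cost(packet_len, cell_len=CELL_BYTES):
    """Cells consumed, padding bytes, and bus efficiency for one packet."""
    cells = math.ceil(packet_len / cell_len)
    carried = cells * cell_len
    return cells, carried - packet_len, packet_len / carried


def mix_efficiency(mix, cell_len=CELL_BYTES, encrypted=False):
    """Weighted bus efficiency for a {packet_len: share} mix. With encrypted=True
    each size is first expanded by the GRE + ESP overhead, i.e. the copy of the
    packet that is fed back through the ESP card."""
    useful = carried = 0.0
    for length, share in mix.items():
        if encrypted:
            length = esp_transport_gre_len(length)
        cells, _pad, _eff = cell_cost(length, cell_len)
        useful += length * share
        carried += cells * cell_len * share
    return useful / carried


# Constructed IMIX-style mix of IP packet sizes (shares are relative weights).
IMIX = {40: 7, 576: 4, 1500: 1}

if __name__ == "__main__":
    for size in (60, 61, 100, esp_transport_gre_len(100)):
        cells, pad, eff = cell_cost(size)
        print(f"{size:5d} bytes -> {cells:2d} cells, {pad:2d} bytes padding, {eff:.1%} efficient")
    print(f"IMIX cleartext : {mix_efficiency(IMIX):.1%}")
    print(f"IMIX encrypted : {mix_efficiency(IMIX, encrypted=True):.1%}")
```

The 100-byte pings used later on this page come out at 168 bytes once encrypted, and a 1500-byte inner packet grows to 1576 bytes, larger than a 1500-byte link MTU; that growth is why DMVPN tunnels are normally run with a reduced ip mtu so the encrypted packet is not fragmented.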

Principles

We create an IPsec profile and apply it to our tunnel interface with tunnel protection (no crypto map is needed; the profile is attached directly to Tunnel0). We'll use a pre-shared key and tie it to the physical (NBMA) addresses of the routers in our topology. This introduces a snag: in the lab it is easy, as we have a nicely summarisable range for our fake public IPs. In real life this won't be the case, as you probably won't know the real IPs of all your spoke routers at initial deployment. To simplify things, and so that the dynamic nature of DMVPN still works, you'll probably need a wildcard key: 0.0.0.0 0.0.0.0 as the address in the pre-shared key command. Bear in mind that a wildcard key means every router shares one secret and any holder of it can authenticate as any peer, so a compromised spoke compromises the whole VPN; certificates are the usual answer for production. For the lab, we just need the key to cover all the routers (or the spoke-to-spoke tunnels would fail).

Getting to the Config

The following config should be applied to R1, R2, R3 and R4:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key 0 DMVPN_LAB address 192.168.0.0 255.255.0.0
!
crypto ipsec transform-set ESP_AES256_SHA_TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN_IPSEC_PROFILE
 set transform-set ESP_AES256_SHA_TRANSPORT
!
interface Tunnel0
 tunnel protection ipsec profile DMVPN_IPSEC_PROFILE
!

You'll need to shut / no shut the tunnel interfaces to re-establish the DMVPN tunnel. A note on the cipher choices: Diffie-Hellman group 2 (1024-bit MODP) and esp-sha-hmac (HMAC-SHA1) were the usual defaults when this was written but are below current recommendations; on platforms that support them, prefer group 14 or higher and esp-sha256-hmac.

Verification

The usual gotcha applies with IPsec tunnels: you need traffic to traverse the tunnel to bring it up. However, we have a nice IGP running over the tunnel, so the tunnels to the hub come up on their own:

R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.15.1    192.168.45.1    QM_IDLE           1001    0 ACTIVE
R4#
R4#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.15.1       172.16.0.1    UP 00:00:17     S

We do a ping to bring up a spoke-to-spoke tunnel:

R4#ping 20.20.20.254 source fa 0/1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.254, timeout is 2 seconds:
Packet sent with a source address of 40.40.40.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/95/164 ms

R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.15.1    192.168.45.1    QM_IDLE           1001    0 ACTIVE
192.168.45.1    192.168.25.1    QM_IDLE           1002    0 ACTIVE

R4#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.15.1       172.16.0.1    UP 00:00:49     S
     1 192.168.25.1       172.16.0.2    UP    never     D
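A small check that correlates the two outputs above, added here as an example and not part of the original post: it parses the text of show crypto isakmp sa and show dmvpn and reports, for every NHRP peer, whether an ACTIVE QM_IDLE IKE SA exists to that peer's NBMA address. The first two sample pairs are the outputs shown on this page with their column spacing restored; the third pairing (the NHRP table from after the ping with the IKE SAs from before it) is constructed to show what a peer with NHRP up but no IKE SA looks like. Column order and the state names are as in the outputs above; other IOS releases may add columns, in which case the row patterns would need adjusting.

```python
import re

# One data row of 'show crypto isakmp sa': dst src state conn-id slot status.
# The header row does not match because conn-id and slot must be numeric.
ISAKMP_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
# One peer row of 'show dmvpn': #Ent, NBMA address, tunnel address, state,
# UpDn time, attributes. Legend and header rows do not start with a count.
DMVPN_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# Sample outputs: the ones on this page with their column spacing restored.
BEFORE_PING_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.15.1    192.168.45.1    QM_IDLE           1001    0 ACTIVE
"""
AFTER_PING_ISAKMP = BEFORE_PING_ISAKMP + """\
192.168.45.1    192.168.25.1    QM_IDLE           1002    0 ACTIVE
"""
BEFORE_PING_DMVPN = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.15.1       172.16.0.1    UP 00:00:17     S
"""
AFTER_PING_DMVPN = BEFORE_PING_DMVPN.replace("Peers:1", "Peers:2") + """\
     1 192.168.25.1       172.16.0.2    UP    never     D
"""


def parse_isakmp_sa(text):
    """Map (dst, src) -> (state, status) for each IKE SA row."""
    sas = {}
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line.strip())
        if m:
            dst, src, state, _conn_id, _slot, status = m.groups()
            sas[(dst, src)] = (state, status)
    return sas


def parse_dmvpn(text):
    """Map NBMA address -> (tunnel address, NHRP state, attributes) per peer row."""
    peers = {}
    for line in text.splitlines():
        m = DMVPN_ROW.match(line)
        if m:
            _ent, nbma, tunnel_addr, state, _updn, attrb = m.groups()
            peers[nbma] = (tunnel_addr, state, attrb)
    return peers


def check_protection(isakmp_text, dmvpn_text):
    """For each NHRP peer, 'ok' if its NBMA address appears in an ACTIVE QM_IDLE
    IKE SA, otherwise a short reason. Catches peers whose NHRP entry is up but
    whose IPsec protection never came up or has been torn down."""
    sas = parse_isakmp_sa(isakmp_text)
    report = {}
    for nbma, (_tunnel_addr, state, attrb) in parse_dmvpn(dmvpn_text).items():
        has_sa = any(nbma in pair and st == "QM_IDLE" and status == "ACTIVE"
                     for pair, (st, status) in sas.items())
        if "X" in attrb:          # NHRP entry with no IPsec socket at all
            report[nbma] = "no socket"
        elif state != "UP":
            report[nbma] = "nhrp " + state.lower()
        elif not has_sa:
            report[nbma] = "no ike sa"
        else:
            report[nbma] = "ok"
    return report


if __name__ == "__main__":
    print("before ping:", check_protection(BEFORE_PING_ISAKMP, BEFORE_PING_DMVPN))
    print("after ping: ", check_protection(AFTER_PING_ISAKMP, AFTER_PING_DMVPN))
    # Constructed mismatch: spoke-to-spoke NHRP entry present, IKE SA missing.
    print("mismatch:   ", check_protection(BEFORE_PING_ISAKMP, AFTER_PING_DMVPN))
```

A spoke that shows "no ike sa" here is exactly the case the gotcha above describes: NHRP has resolved the peer, but no traffic has yet triggered IKE, or the SA has expired; sending traffic to the peer (or checking the ISAKMP key covers its NBMA address) is the next step.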

A word of thanks

This post was helped hugely by reading an old Jeremy Stretch article.