DMVPN


DMVPN (Dynamic Multipoint VPN) — a dynamic-tunneling form of VPN.

DMVPN provides the capability to create a dynamic-mesh VPN network without having to statically pre-configure every possible tunnel end-point peer.

STEPS:
1. Create tunnel config

  (interfaces tunnel)

2. Create nhrp

  (protocols nhrp)

3. Create the IPsec VPN (optional, but recommended for security: without it the GRE tunnel and the NHRP registrations travel unencrypted)

  (vpn ipsec)

The tunnel will be set to mGRE if the encapsulation is 'gre' and no 'remote-ip' is set.
If the public IP is provided by DHCP, the tunnel "local-ip" can be set to "0.0.0.0".



Configuration commands HUB:

interfaces
     tunnel <tunN> {
         address <ipv4>
         encapsulation gre
         local-ip <public ip>
         multicast enable
         description <txt>
         parameters {
             ip {
                 <usual IP options>
             }
         }
     }
 }
 protocols {
     nhrp {
         tunnel <tunN> {
             cisco-authentication <key phrase>
             holding-time <seconds>
             multicast dynamic
             redirect
         }
     }
 }
 vpn {
     ipsec {
         esp-group <text> {
             lifetime <30-86400>
             mode tunnel
             pfs enable
             proposal <1-65535> {
                 encryption aes256
                 hash sha1
             }
             proposal <1-65535> {
                 encryption 3des
                 hash md5
             }
         }
         ike-group <text> {
             key-exchange ikev1
             lifetime <30-86400>
             proposal <1-65535> {
                 encryption aes256
                 hash sha1
             }
             proposal <1-65535> {
                 encryption aes128
                 hash sha1
             }
         }
         ipsec-interfaces {
             interface <ethN>
         }
         profile <text> {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret <key phrase>
             }
             bind {
                 tunnel <tunN>
             }
             esp-group <text>
             ike-group <text>
         }
     }
 }


Example (note: the second ESP proposal, 3des/md5, uses legacy algorithms and should be dropped if all peers support the aes256/sha1 proposal; replace SECRET with your own key phrases):

set interfaces ethernet eth0 address '1.1.1.1/30'
set interfaces ethernet eth1 address '192.168.1.1/24'
set system host-name 'hub'

set interfaces tunnel tun0 address 200.0.0.1/24
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 1.1.1.1
set interfaces tunnel tun0 multicast enable
set interfaces tunnel tun0 parameters ip key 1

set protocols nhrp tunnel tun0 cisco-authentication SECRET
set protocols nhrp tunnel tun0 holding-time  300
set protocols nhrp tunnel tun0 multicast dynamic
set protocols nhrp tunnel tun0 redirect

set vpn ipsec ipsec-interfaces interface eth0 
set vpn ipsec ike-group IKE-HUB1 proposal 1
set vpn ipsec ike-group IKE-HUB1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-HUB1 proposal 1 hash sha1 
set vpn ipsec ike-group IKE-HUB1 proposal 2 encryption aes128 
set vpn ipsec ike-group IKE-HUB1 proposal 2 hash sha1 
set vpn ipsec ike-group IKE-HUB1 lifetime 3600
set vpn ipsec esp-group ESP-HUB1 proposal 1 encryption aes256 
set vpn ipsec esp-group ESP-HUB1 proposal 1 hash sha1 
set vpn ipsec esp-group ESP-HUB1 proposal 2 encryption 3des 
set vpn ipsec esp-group ESP-HUB1 proposal 2 hash md5 
set vpn ipsec esp-group ESP-HUB1 lifetime 1800

set vpn ipsec profile NHRPVPN
set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET
set vpn ipsec profile NHRPVPN bind tunnel tun0 
set vpn ipsec profile NHRPVPN esp-group ESP-HUB1
set vpn ipsec profile NHRPVPN ike-group IKE-HUB1

set protocols static route 192.168.2.0/24 next-hop 200.0.0.2
set protocols static route 192.168.3.0/24 next-hop 200.0.0.3


Configuration commands SPOKE1:

interfaces
     tunnel <tunN> {
         address <ipv4>
         encapsulation gre
         local-ip <public ip>
         multicast enable
         description <txt>
         parameters {
             ip {
                 <usual IP options>
             }
         }
     }
 }
 protocols {
     nhrp {
         tunnel <tunN> {
             cisco-authentication <key phrase>
             map <ipv4/net> {
                 nbma-address <ipv4>
                 register
             }
             holding-time <seconds>
             multicast nhs
             redirect
             shortcut
         }
     }
 }
 vpn {
     ipsec {
         esp-group <text> {
             lifetime <30-86400>
             mode tunnel
             pfs enable
             proposal <1-65535> {
                 encryption aes256
                 hash sha1
             }
             proposal <1-65535> {
                 encryption 3des
                 hash md5
             }
         }
         ike-group <text> {
             key-exchange ikev1
             lifetime <30-86400>
             proposal <1-65535> {
                 encryption aes256
                 hash sha1
             }
             proposal <1-65535> {
                 encryption aes128
                 hash sha1
             }
         }
         ipsec-interfaces {
             interface <ethN>
         }
         profile <text> {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret <key phrase>
             }
             bind {
                 tunnel <tunN>
             }
             esp-group <text>
             ike-group <text>
         }
     }
 }


Example:

set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '192.168.2.1/24'
set system host-name 'spoke1'

set interfaces tunnel tun0 address 200.0.0.2/24
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 0.0.0.0
set interfaces tunnel tun0 multicast enable
set interfaces tunnel tun0 parameters ip key 1

set protocols nhrp tunnel tun0 cisco-authentication 'SECRET'
set protocols nhrp tunnel tun0 map 200.0.0.1/24 nbma-address 1.1.1.1
set protocols nhrp tunnel tun0 map 200.0.0.1/24 'register'
set protocols nhrp tunnel tun0 multicast 'nhs'
set protocols nhrp tunnel tun0 'redirect'
set protocols nhrp tunnel tun0 'shortcut'

set vpn ipsec ipsec-interfaces interface eth0 
set vpn ipsec ike-group IKE-SPOKE1 proposal 1
set vpn ipsec ike-group IKE-SPOKE1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-SPOKE1 proposal 1 hash sha1 
set vpn ipsec ike-group IKE-SPOKE1 proposal 2 encryption aes128 
set vpn ipsec ike-group IKE-SPOKE1 proposal 2 hash sha1 
set vpn ipsec ike-group IKE-SPOKE1 lifetime 3600
set vpn ipsec esp-group ESP-SPOKE1 proposal 1 encryption aes256 
set vpn ipsec esp-group ESP-SPOKE1 proposal 1 hash sha1 
set vpn ipsec esp-group ESP-SPOKE1 proposal 2 encryption 3des 
set vpn ipsec esp-group ESP-SPOKE1 proposal 2 hash md5 
set vpn ipsec esp-group ESP-SPOKE1 lifetime 1800

set vpn ipsec profile NHRPVPN
set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET
set vpn ipsec profile NHRPVPN bind tunnel tun0 
set vpn ipsec profile NHRPVPN esp-group ESP-SPOKE1 
set vpn ipsec profile NHRPVPN ike-group IKE-SPOKE1

set protocols static route 192.168.1.0/24 next-hop 200.0.0.1
set protocols static route 192.168.3.0/24 next-hop 200.0.0.3


Configuration commands SPOKE2:

interfaces
     tunnel <tunN> {
         address <ipv4>
         encapsulation gre
         local-ip <public ip>
         multicast enable
         description <txt>
         parameters {
             ip {
                 <usual IP options>
             }
         }
     }
 }
 protocols {
     nhrp {
         tunnel <tunN> {
             cisco-authentication <key phrase>
             map <ipv4/net> {
                 nbma-address <ipv4>
                 register
             }
             holding-time <seconds>
             multicast nhs
             redirect
             shortcut
         }
     }
 }
 vpn {
     ipsec {
         esp-group <text> {
             lifetime <30-86400>
             mode tunnel
             pfs enable
             proposal <1-65535> {
                 encryption aes256
                 hash sha1
             }
             proposal <1-65535> {
                 encryption 3des
                 hash md5
             }
         }
         ike-group <text> {
             key-exchange ikev1
             lifetime <30-86400>
             proposal <1-65535> {
                 encryption aes256
                 hash sha1
             }
             proposal <1-65535> {
                 encryption aes128
                 hash sha1
             }
         }
         ipsec-interfaces {
             interface <ethN>
         }
         profile <text> {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret <key phrase>
             }
             bind {
                 tunnel <tunN>
             }
             esp-group <text>
             ike-group <text>
         }
     }
 }


Example:

set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '192.168.3.1/24'
set system host-name 'spoke2'

set interfaces tunnel tun0 address 200.0.0.3/24
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 0.0.0.0
set interfaces tunnel tun0 multicast enable
set interfaces tunnel tun0 parameters ip key 1

set protocols nhrp tunnel tun0 cisco-authentication SECRET
set protocols nhrp tunnel tun0 map 200.0.0.1/24 nbma-address 1.1.1.1
set protocols nhrp tunnel tun0 map 200.0.0.1/24 register
set protocols nhrp tunnel tun0 multicast nhs
set protocols nhrp tunnel tun0 redirect
set protocols nhrp tunnel tun0 shortcut

set vpn ipsec ipsec-interfaces interface eth0 
set vpn ipsec ike-group IKE-SPOKE1 proposal 1
set vpn ipsec ike-group IKE-SPOKE1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-SPOKE1 proposal 1 hash sha1 
set vpn ipsec ike-group IKE-SPOKE1 proposal 2 encryption aes128 
set vpn ipsec ike-group IKE-SPOKE1 proposal 2 hash sha1 
set vpn ipsec ike-group IKE-SPOKE1 lifetime 3600
set vpn ipsec esp-group ESP-SPOKE1 proposal 1 encryption aes256 
set vpn ipsec esp-group ESP-SPOKE1 proposal 1 hash sha1 
set vpn ipsec esp-group ESP-SPOKE1 proposal 2 encryption 3des 
set vpn ipsec esp-group ESP-SPOKE1 proposal 2 hash md5 
set vpn ipsec esp-group ESP-SPOKE1 lifetime 1800

set vpn ipsec profile NHRPVPN
set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET
set vpn ipsec profile NHRPVPN bind tunnel tun0 
set vpn ipsec profile NHRPVPN esp-group ESP-SPOKE1 
set vpn ipsec profile NHRPVPN ike-group IKE-SPOKE1

set protocols static route 192.168.1.0/24 next-hop 200.0.0.1
set protocols static route 192.168.2.0/24 next-hop 200.0.0.2