• Status: Solved

DMVPN or IPSEC VPN with Both Ends Dynamic

Hi Experts,

Wonder if someone could help me?

I need to set up a Cisco to Cisco VPN on 2x Cisco 2921 routers, both running 15.1 IOS. The problem I have is that I don't have a static IP; both ends are dynamic.

Is this possible with DMVPN/IPSEC?

The problem I have setting it up is:

interface Tunnel0
 ip nhrp map 10.1.1.1 90.26.32.11 - I can only seem to choose an IP address and not a hostname?

I really need to do something like:

interface Tunnel0
 ip nhrp map 10.1.1.1 90.26.32.11 vpn.domain.com

I have read a few things now, but some people are saying it is possible and some are saying it is not. I can't seem to find any example for dynamic at both ends though.

Many thanks for any help in advance.
TME
Asked by TrustGroup-UAE

1 Solution
 
ffleisma (Senior Network Engineer) commented:
I found your question interesting and I did my own research on it and found the following document on how you can use FQDN to define the NHS (next-hop server).

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-2mt/sec-conn-dmvpn-conf-using-fqdn.html#GUID-F3959DB7-7E0F-40E4-A038-18F17CF4CDE7

From my understanding, this setup would require the following:
  • spokes define the NHS with a FQDN
  • spokes are configured which DNS server to query
  • DNS server should be updated with the FQDN and NHS IP mapping, looking into DDNS (Dynamic DNS)

I'm a bit new to DMVPN myself, but I'll try to lab this up on GNS3 and let you know how it goes. Hopefully other experts can comment more, but for now I do hope this helps you out a bit.
 
TrustGroup-UAE (Author) commented:
Hi ffleisma,

Many thanks for your response.

I have read the above, but I think this is for the next hop address, not the peer address of the remote router to connect to, to bring up the tunnel.

Or am I reading it wrong?

Cheers
SI
 
ffleisma (Senior Network Engineer) commented:
It will be a combination of two things:
  • At the spoke, we configure the NHS with a protocol address and an FQDN
  • At the hub, we use Dynamic DNS (DDNS)

At the spoke
Normally, a DMVPN spoke will require two things. The NHS IP (which is the overlay not the NBMA IP) and the mapping for the NHS IP to its NBMA IP. Something like below.
interface tunnel 1
 ip address 10.1.1.2 255.255.255.0
 ip nhrp map 10.1.1.1 nbma-ip
 ip nhrp nhs 10.1.1.1


We do know the IP of the NHS (10.1.1.1 for this example), but we do not know the nbma-ip (public IP) to which we could create the NHRP mapping, since the hub router has a DHCP-provided address.
!Ctrl+F Example Configuring NHS with a Protocol Address and an FQDN
!http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-2mt/sec-conn-dmvpn-conf-using-fqdn.html#GUID-F3959DB7-7E0F-40E4-A038-18F17CF4CDE7
!
enable
 configure terminal
  interface tunnel 1
   ip nhrp nhs 10.1.1.1 nbma examplehub.example1.com


Line 7 defines the NHS 10.1.1.1 and creates the NHRP mapping of its nbma-ip to examplehub.example1.com.

At the hub
With DDNS, the hub WAN interface updates a public DDNS server (no-ip.com or dyn.com) with its IP. These DDNS servers then create a FQDN which is then advertised publicly. The great thing is that no-ip offers a free service.
Here is a great example of DDNS configuration
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/811-cisco-router-ddns.html

The spoke part I can test on GNS3:
  • either I create a manual entry for the FQDN on the spoke router,
  • or I use a separate router to act as a DNS server and the spoke then references this "DNS server" for the FQDN specified in the NHS configuration.
 
ffleisma (Senior Network Engineer) commented:
So I did a simulation on GNS3 to test the use of FQDN for the NHS NBMA.
[Diagram: DMVPN test using NHS FQDN]
On the hub/R1:
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
!
interface Tunnel1234
 ip address 10.1.1.1 255.255.255.0
 ip nhrp network-id 123
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint


On the spoke/R3 (using FQDN for NHS):
interface GigabitEthernet0/0
 ip address 3.3.3.3 255.255.255.0
!
interface Tunnel123
 ip address 10.1.1.3 255.255.255.0
 ip nhrp network-id 123
 ip nhrp nhs dynamic nbma example.com
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
ip domain-lookup
ip name-server 8.8.8.8


I've used a router to simulate a DNS server:
interface Loopback0
 ip address 8.8.8.8 255.255.255.255
!
ip dns server
ip host example.com 1.1.1.1


Checking if R3 can resolve "example.com":
R3#ping example.com
Translating "example.com"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/122/156 ms
R3#


Checking if R3 can connect to the hub:
R3#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 156/170/188 ms
R3#
R3#show ip nhrp
10.1.1.1/32 via 10.1.1.1
   Tunnel123 created 00:17:51, never expire
   Type: static, Flags: used
   NBMA address: 1.1.1.1  (example.com)
R3#
R3#show ip nhrp nhs
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel123:
10.1.1.1  RE NBMA Address: 1.1.1.1 (example.com) priority = 0 cluster = 0

R3#


With this example, the spoke is not configured with an NHRP mapping, and the NHS is dynamic and is resolved via FQDN. The next part of the puzzle is the DDNS configuration on the hub WAN interface. Unfortunately, I can't test that part on GNS3, but the following link does provide a simple explanation and example of how to do DDNS.
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/811-cisco-router-ddns.html

Cisco documentation mentions the software version should be above 15.1(2)T. I have used 15.2(4) in my simulation.
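Putting the two halves of this answer together (spoke learning the hub NBMA address by FQDN, hub registering its DHCP address via DDNS), plus the IPsec protection the question asks about, as an added example that is not from the thread or from Cisco's documentation. hub.example.com, the DDNS method name, the key/profile names and the no-ip update URL are assumptions; the DDNS credentials and the PSK are placeholders.

```cisco
! ===== HUB (dynamic WAN address) =====
! Hypothetical DDNS method; <h> and <a> are IOS placeholders that
! expand to the configured hostname and the interface address.
ip ddns update method DDNS-NOIP
 HTTP
  add http://USER:PASS@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
  remove http://USER:PASS@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 interval maximum 0 0 10 0
!
interface GigabitEthernet0/0
 ip address dhcp
 ip ddns update hostname hub.example.com
 ip ddns update DDNS-NOIP
!
interface Tunnel123
 ip address 10.1.1.1 255.255.255.0
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 123
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN-PROF
!
! ===== SPOKE (dynamic WAN address, hub NBMA learned by FQDN) =====
interface Tunnel123
 ip address 10.1.1.3 255.255.255.0
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 123
 ip nhrp nhs 10.1.1.1 nbma hub.example.com multicast
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN-PROF
!
ip domain-lookup
ip name-server 8.8.8.8
!
! ===== BOTH ENDS: IPsec protection for the mGRE tunnel =====
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
! A wildcard PSK is what dynamic addresses on both sides force; anyone
! holding it can register as a spoke, so prefer certificates in production.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
```

The NHRP authentication string is a plaintext network-id check, not a security control; the IPsec profile is what authenticates and encrypts the peers. Verify on the spoke with `show ip nhrp nhs` (the NBMA address shown next to the FQDN should match the hub's current DDNS record) and `show crypto session`.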
 
TrustGroup-UAE (Author) commented:
Hi ffleisma,

Excellent work! Extremely impressed and grateful to you!

I will give this a go in our PROD and report back to you :)

Cheers
TME
 
ffleisma (Senior Network Engineer) commented:
Do take note of the IOS version; I think you previously mentioned 15.1 on your device. As per Cisco documentation, using an FQDN in the nhrp nhs configuration is applicable on 15.1(2)T and above. You might need to upgrade your IOS version if the command is not supported yet on your device.

In Cisco IOS Release 15.1(2)T and earlier releases, in Dynamic Multipoint VPN (DMVPN), NHS NBMA addresses were configured with either IPv4 or IPv6 addresses. Because NHS was configured to receive a dynamic NBMA address, it was difficult for NHCs to get the updated NBMA address and register with the NHS. This limitation is addressed with the DMVPN Configuration Using FQDN feature. This feature allows NHC to use an FQDN instead of an IP address to configure NBMA and register with the NHS dynamically.
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-2mt/sec-conn-dmvpn-conf-using-fqdn.html#GUID-F3959DB7-7E0F-40E4-A038-18F17CF4CDE7