dynamic multipoint GRE without IPSec

TOBY JESSUP
Level 1

The DMVPN documentation says that IPSec must be used with DMVPN. Yet the older mGRE IOS feature does offer non-dynamic mGRE without the IPSec layer.

Is there a way to create dynamic (NHRP) mGRE networks without including the IPSec layer that seems to be bundled with the DMVPN feature? Does DMVPN actually work without IPSec? If not, is anything planned in future IOS?

4 Replies

roluce
Level 1

NHRP has been in IOS for some time. I'm not aware of any IPSec requirement to get NHRP to work.

IPSec would be required to encrypt the GRE tunnels. It doesn't have any other purpose that I'm aware of. DMVPN's "new" function is the dynamic nature of IPSec being used in combination with NHRP. Dynamic ISAKMP/IPSec + NHRP = new marketing term DMVPN. Very cool idea for those organizations that can use it.

1. Yes, you can do NHRP/GRE multipoint in older SW releases, it works fine.

2. Yes, you can do IPSec with NHRP/GRE in older software releases using Tunnel Endpoint Discovery. It works fine too.

3. The newer DMVPN IOS releases get away from the need to apply a crypto map to both the tunnel interface and the physical interface. This is a big deal if you want to do say, VPN RAS to the same router.

4. Other improvements in the DMVPN releases are to do with NHS registrations. These were notoriously unreliable in earlier versions, meaning that you couldn't really rely on a site with a dynamically assigned address registering with the NHS and this information then being distributed in a timely manner.

5. Problems with IPSec/GRE multipoint vs standard hard-coded IPSec include that there is no way of determining that encapsulated traffic has come from the correct peer on the VPN mesh, as this is accomplished by virtue of routing within the GRE mesh. Some of us are waiting for enhancements to GRE or RPF so that traffic arriving on the mGRE interface can be confirmed as coming from the correct VPN peer, not just any of them.

So, are you saying that you can just remove the tunnel protection argument from the DMVPN documentation example shown below and it still works?

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html

I really need to get into a lab and try this .... thanks!

Believe so. Points to keep in mind are:

1. You can do this in earlier versions, which don't have the huge flash/RAM requirements of 13t.

2. Improvements or not, I would still be looking to use common ip nhrp interest ACLs so that routers don't try to resolve anything other than the logical-to-physical address mappings for the mesh.

3. If using static IP addresses on the spokes, I would still statically define as many of the NHRP mappings on the NHS as possible.
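As an added illustration (not taken from the thread or from Cisco's documentation), here is a minimal hub-and-spoke mGRE/NHRP configuration that omits the tunnel protection line the question asks about, with the ip nhrp interest ACL and static NHS mapping recommended above. Interface names, addresses (RFC 5737 documentation ranges), the network-id, tunnel key and ACL number are assumed placeholders.

```ios
! ---- Hub (NHS). Constructed example addresses. ----
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ! Spokes with dynamic addresses register here; allow multicast to them
 ip nhrp map multicast dynamic
 ! Spoke with a static WAN address: define its mapping statically too
 ip nhrp map 10.0.0.2 192.0.2.2
 ip nhrp map multicast 192.0.2.2
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 ! The DMVPN example adds the line below; it is deliberately omitted here.
 ! tunnel protection ipsec profile DMVPN-PROFILE
 ! Caveat: without it, GRE has no peer authentication or confidentiality,
 ! and "tunnel key" only separates tunnels; it is not a security control.

! ---- Spoke. Constructed example addresses. ----
! Standard ACL consulted by "ip nhrp interest": only traffic matching it
! triggers NHRP resolution requests (keep resolution to the mesh itself).
access-list 10 permit 10.0.0.0 0.0.0.255

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ! Static hub mapping: tunnel (logical) address -> WAN (physical) address
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp interest 10
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
```

Verify registration on the hub with "show ip nhrp" and confirm the spoke's tunnel address maps to its expected WAN address before trusting routes learned across the mesh.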
