Multi-vendor VPN series eighteen: H3C highly scalable IPsec VPN DVPN [similar to Cisco DMVPN]

Introduction to DVPN (Dynamic VPN)

DVPN is very similar to Cisco's DMVPN. Its core protocol is VAM (VPN Address Management), which collects, maintains and distributes information such as the public network addresses of the sites, so that sites can quickly and easily establish secure tunnels between their private networks and learn about the other sites through the server. The public network address that corresponds to the next hop is encapsulated as the destination address of the tunnel, and the packet is then sent to it. DVPN has several roles:
1. DVPN node: the device at either end of a dynamic VPN tunnel; it acts mainly as the VAM client that establishes the tunnel.
2. VAM server: the DVPN server. It receives the registration information from the DVPN nodes and maintains and manages the information of each node.
3. VAM client: the DVPN client. It registers its private network address, public network address, VAM identifier and other information with the VAM server, and also queries the server for the information of other VAM clients. A VAM client is itself a kind of DVPN node.
(The UDP messages sent by a client include the connection request, initialization complete, registration request and authentication request messages.)
4. Hub: also a VAM client. It is the central device of the VPN network and, in a hub-spoke structure, the center of data forwarding as well.
5. Spoke: a type of VAM client, usually a branch site.
6. AAA server: authenticates, authorizes and accounts for users [optional].

image001.png

Main features of DVPN
1. Simple configuration: one tunnel interface maintains tunnel relationships with many peers, which makes scaling and maintenance very convenient.
2. NAT traversal: DVPN runs over UDP, so passing through NAT is easy.
3. Dynamic IP support: in this structure only the server needs a fixed IP; all other sites can use dynamic IP addresses.
4. Automatic tunnel establishment: through the server's redirection function, a spoke can obtain the client information of other sites and automatically establish a tunnel session with them.
5. Protected registration: registration must pass CHAP or PAP authentication and requires user name information.
6. Identity authentication: a pre-shared key authenticates the client and the server to each other.
7. Unified policy management.
8. Encrypted session negotiation: the whole session is protected by IPsec.
9. Multiple VPN domains: one DVPN device can create several VPN domains, which makes isolation easy.
10. Dynamic routing protocol support.

image002.png

Topology description: In a real environment a router is usually not dedicated to the VAM server role alone; the Center [hub] can take it on instead. The AAA server is optional, because the VAM server can be configured for no authentication or for local authentication, so that Center acts as VAM server, VAM client and AAA server at the same time.

Center configuration

1. VAM Server configuration
[center]vam server ip-address 202.100.1.1 [Define the IP address of the VAM server, on which it listens for the clients' VAM packets]
[center]vam server vpn 1 [VPN instance; different clients can be associated with it]
[center-vam-server-vpn-1]hub private-ip 10.1.1.1 [The tunnel interface address of the hub is specified here]
[center-vam-server-vpn-1]pre-shared-key simple ccieh3c.com [Pre-shared key used for VAM authentication with the clients]
[center-vam-server-vpn-1]authentication-method chap [Authenticate via CHAP]
[center-vam-server-vpn-1]server enable [Enable the service last]


2. Define an AAA user [optional]
Local authentication is used here, which is the default, so there is no need to define a RADIUS server or any other AAA configuration; with an external server you would have to define AAA. Here a user is created directly, and its user name is what the client authenticates with. If authentication is not enabled, AAA is not required at all.
[center]local-user ccieh3c
[center-luser-ccieh3c]password simple ccieh3c.com
[center-luser-ccieh3c]service-type dvpn

3. VAM client configuration
[center]vam client name hub [Define a client]
[center-vam-client-name-hub]vpn 1 [Associate with VPN instance 1 of the server]
[center-vam-client-name-hub]server primary ip-address 202.100.1.1 [Define the server address]
[center-vam-client-name-hub]pre-shared-key simple ccieh3c.com [The key must match the server's]
[center-vam-client-name-hub]user ccieh3c password simple ccieh3c.com [Because the server has CHAP authentication enabled, the user defined on the server must be entered here]
[center-vam-client-name-hub]client enable [Enable the service last]

4. IPsec VPN configuration
[center]ike peer center
[center-ike-peer-center]pre-shared-key simple ccieh3c.com
[No remote-address is configured here, because the hub does not know in advance where the remote address is.]
[center]ipsec proposal center
[center-ipsec-proposal-center]
[The default proposal settings are used]
[center]ipsec profile center
[center-ipsec-profile-center]ike-peer center
[center-ipsec-profile-center]proposal center
[IPsec is applied through a profile]

5. Tunnel interface [applies the VAM client and the IPsec profile]

[center]interface Tunnel 0
[center-Tunnel0]source g0/0/0
[center-Tunnel0]ip address 10.1.1.1 24 [Configure an address; this is the address specified as the hub address on the VAM server]
[center-Tunnel0]tunnel-protocol dvpn udp [Tunnel type is DVPN over UDP]
[center-Tunnel0]vam client hub [Apply the VAM client defined earlier]
[center-Tunnel0]ipsec profile center [Apply the IPsec profile]

6. Route
[center]ip route-static 0.0.0.0 0.0.0.0 202.100.1.10

Branch configuration

1. VAM client
[spoke1]vam client name spoke1
[spoke1-vam-client-name-spoke1]vpn 1
[spoke1-vam-client-name-spoke1]server primary ip-address 202.100.1.1
[spoke1-vam-client-name-spoke1]pre-shared-key simple ccieh3c.com
[spoke1-vam-client-name-spoke1]user ccieh3c password simple ccieh3c.com
[spoke1-vam-client-name-spoke1]client enable


2. IPsec configuration
[spoke1]ike peer spoke1
[spoke1-ike-peer-spoke1]pre-shared-key simple ccieh3c.com

[spoke1]ipsec proposal spoke1
[spoke1-ipsec-proposal-spoke1]

[spoke1]ipsec profile spoke1
[spoke1-ipsec-profile-spoke1]ike-peer spoke1
[spoke1-ipsec-profile-spoke1]proposal spoke1

3. Tunnel interface configuration

[spoke1]interface Tunnel 0
[spoke1-Tunnel0]source g0/0/1 [To keep the environment simple, no PPPoE dial-up is defined here; with PPPoE the source would be the dialer interface]
[spoke1-Tunnel0]ip address 10.1.1.2 24
[spoke1-Tunnel0]tunnel-protocol dvpn udp
[spoke1-Tunnel0]vam client spoke1
[spoke1-Tunnel0]ipsec profile spoke1

4. Route
[spoke1]ip route-static 0.0.0.0 0.0.0.0 202.100.2.10 [In a PPPoE environment this would point to the dialer interface]
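The cross-references that the bracketed comments above insist on (client key and user matching the VAM server, the hub's Tunnel address matching the hub address on the server, and, from the routing section further down, a spoke never being DR-eligible on a broadcast-type tunnel) are easy to get wrong when the three views are typed separately. The checker below is an added example written for this article, not H3C code; it assumes the configuration is exported in Comware's indented `display current-configuration` layout rather than the prompt-per-line form shown here, and the sample text is constructed from the article's values.

```python
# Constructed sample (not a real device dump) in Comware's indented display current-configuration layout.
CENTER_CONFIG = """\
vam server vpn 1
 hub private-ip 10.1.1.1
 pre-shared-key simple ccieh3c.com
 authentication-method chap
vam client name hub
 vpn 1
 pre-shared-key simple ccieh3c.com
 user ccieh3c password simple ccieh3c.com
interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 vam client hub
 ospf network-type broadcast
"""

def parse_blocks(text):  # group indented lines under the command that opens their view
    blocks = []
    for line in text.splitlines():
        if line.strip() and not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif line.strip() and blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def arg(body, cmd):  # arguments of command `cmd` in a view body, None if it is absent
    return next((l[len(cmd):].strip() for l in body if l.startswith(cmd + " ")), None)

def check_dvpn(text):  # returns the mismatches found; an empty list means the views agree
    blocks = parse_blocks(text)
    servers = {h.split()[-1]: b for h, b in blocks if h.startswith("vam server vpn ")}
    clients = {h.split()[-1]: b for h, b in blocks if h.startswith("vam client name ")}
    problems = []
    for head, body in [b for b in blocks if b[0].startswith("interface Tunnel")]:
        name = arg(body, "vam client")
        client, ip = clients.get(name, []), (arg(body, "ip address") or "").split(" ")[0]
        srv = servers.get(arg(client, "vpn"))  # None when the VAM server is another box
        is_hub = srv is not None and arg(srv, "hub private-ip") == ip
        if srv is not None:  # server and hub client share this box, as in the article
            if not is_hub:
                problems.append(f"{head}: {ip} differs from the server's hub private-ip")
            if arg(client, "pre-shared-key") != arg(srv, "pre-shared-key"):
                problems.append(f"client {name}: pre-shared-key differs from the VAM server")
            if arg(srv, "authentication-method") != "none" and arg(client, "user") is None:
                problems.append(f"client {name}: server uses CHAP/PAP but no user is set")
        # a spoke on a broadcast-type tunnel must never win the DR election
        if not is_hub and arg(body, "ospf network-type") == "broadcast" and arg(body, "ospf dr-priority") != "0":
            problems.append(f"{head}: spoke on a broadcast tunnel needs ospf dr-priority 0")
    return problems
```

Omitting authentication-method on the server is treated like CHAP, matching the default the article notes, so a client without a user line is still reported.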

VAM view [check]

image003.png

You can see three mapping entries: one is the hub [Center itself] and the other two are spokes. Each declares, through its VAM client, the correspondence between its Tunnel interface address and its public network address.

image004.png

You can see that the spokes and the hub have a permanent relationship. When spokes communicate with each other, a spoke also gets a corresponding mapping with the other spoke, and that one is created on demand.

image005.jpg

You can see that the public network address corresponding to 10.1.1.3 is looked up directly on the server through a VAM message, and the mapping appears immediately; the value shown here is 170 s by default.

IPsec VPN

image006.png

The IPsec VPN tunnel is established automatically. The difficulty here is not IPsec but VAM. Note that nowhere in the VPN configuration is a remote-address or a tunnel destination address specified, so how does a spoke know the hub's address? All of this is realized by VAM: the client establishes a connection with the server at the configured server address [with authentication], and the server notifies the spoke of the hub's mapping, which is permanent. In this way the spoke knows the hub's public network address, and when the VPN is initiated the traffic is sent directly to that IP address.

Routing

The routing problem can be solved with static routes or with a dynamic routing protocol. Static routing is naturally easy to configure, so here we mainly discuss OSPF.

OSPF has network types, and a Tunnel interface is point-to-point by default. That obviously does not work here, because the hub faces many spokes, so the choice is between broadcast and P2MP. Broadcast requires the election of a DR and BDR, and a spoke must not be able to become DR in this case; otherwise there may be many DRs, because the hub would accept a spoke as DR [for example when the spoke's loopback address is larger], and routing would then break. So here only the hub may act as DR.

image007.png

With that setting there are no problems, and with P2MP there is nothing in particular to watch for.

image008.jpg

You can see that all routes have been received.

image009.png

Communication between spokes

image010.png

You can see that only the hub's permanent mapping exists, so the question is whether spoke-to-spoke traffic passes through the hub.

image011.png

You can see that communication is normal. What we care about is whether the spokes establish an IPsec neighbor relationship directly with each other or forward through the hub's IPsec tunnel.

image012.png

You can see that it is completed directly in one hop; if it went through the hub it would be 2 hops.

image013.png

A new VAM mapping to the other spoke also appears. That is, when Spoke2 accesses 2.2.2.2, it looks up the next hop of the route.

image014.png

The next hop is 10.1.1.2, so Spoke2 queries the server through its VAM client for the mapping of 10.1.1.2 to learn the corresponding public network address, and then establishes an IPsec VPN tunnel with that peer.

image015.jpg

You can see that Spoke2 has established IPsec VPN tunnels with both the hub and Spoke1, so in this case the traffic is not forwarded through the headquarters.

Some things to pay attention to

1. Whether an AAA server is needed depends entirely on whether authentication is enabled on the VAM server. It can be set to none with authentication-method; without authentication the client needs no user name and no AAA server is involved. The default is CHAP.
2. This technology supports dual hubs; with dual hubs, multiple hub addresses must be defined on the VAM server.
3. Pay attention to the interface network type when using OSPF. If you use RIP, pay attention to split horizon. If the address plan allows it, static routes save resources.
4. If you use a dynamic routing protocol, the hello interval can be increased a little to reduce the load on the devices.

This article is reproduced from the public account: Network Road Blog


Origin blog.51cto.com/ccieh3c/2659656