
HP Dynamic VPN
How to Design Flexible Dynamic VPN Solutions with HP Routers
Tom Sammons and Sue Darte
HP Networking Global Technical Marketing
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
October 10, 2012
Agenda
How to Design Flexible Dynamic VPN Solutions with HP Routers
Overview
• Components, Topologies
• Tunnel Establishment Process
Configuration Example
Scenarios
• Considerations, Configurations
• Scalability
Best Practices
Deploying DVPN with IMC
• BIMS, RADIUS
Deployment Examples
Overview

Dynamic Virtual Private Network (DVPN)
Like a GRE tunnel, DVPN provides a virtual tunnel that can transport private traffic and use the underlying public IP network as the link layer. The original private packet is encapsulated by an outer IP header where the source address is the local public address and the destination address is the peer public address.
DVPN has 2 encapsulation formats:
1. UDP encapsulation: the original IP packet is encapsulated as the payload of a DVPN UDP packet
2. GRE encapsulation: the original packet is encapsulated into a standard GRE packet
• When used with IPsec, the UDP or GRE DVPN packet is encapsulated in an IPsec packet
[Figure: Hub with Central Private Network; Spoke 1, Spoke 2 and Spoke 3 each with a Branch Private Network; all connected over the Public Network]
DVPN Components
DVPN includes 3 roles: Hub, Spoke, and VAM server. The Hub and spoke routers are the VAM clients.
VAM (VPN Address Management) is the main protocol used by DVPN. The VAM protocol uses a client/server model.
VAM server(s) collect, maintain and distribute public and private addresses for each spoke and hub router. The VAM server can also be used to authenticate spoke/hub routers before providing the information necessary to join DVPN domains.
Every VAM client registers its public and private IP address to the VAM server.
When a VAM client needs to forward traffic to another private network, it requests the peer public IP address from the VAM server by the peer private address, which should be the next hop to the destination. Once it receives the information, a connection is initiated.
The hub acts as the exchange center for routing information, and is the forwarding center in the hub and spoke model. Its public IP address can be static or dynamic.
A spoke acts as the gateway of a branch network. Its public address can be static or dynamic.
[Figure: VAM Server and Hub on the Central Private Network; Spoke 1, Spoke 2 ... Spoke n each with a Branch Private Network; DVPN over the Public Network]
DVPN Network Topologies
Every spoke has permanent tunnel(s) to Hub(s).
Full-Mesh Model
• Hub is used to exchange routing information
• Spokes set up dynamic tunnels to other spokes directly
Hub-Spoke Model
• Hub is used to exchange routing information and for data forwarding between spokes
• Spokes cannot set up DVPN tunnels to other spokes directly; data between spokes is forwarded by the hub
[Figure: each model shows a VAM Server, a Hub, the Public Network, Spoke 1 and Spoke 2]
DVPN Tunnel Establishment Process
Phase 1: connection initialization
Exchange between VAM client and VAM server:
1) Connection request
2) Connection response
3) Negotiation acknowledgement
4) Negotiation acknowledgement
Prerequisites on the VAM client for a DVPN tunnel:
• IP address and port of the VAM server
• Pre-shared key consistent with that of the VAM server, used for the key negotiation that encrypts the exchanged packets
• Username/password for authentication
• The tunnel private address and the source interface which is linked to the public network
• The public route to access the VAM server
DVPN Tunnel Establishment Process
Phase 2: registration phase
Exchange between VAM client, VAM server and AAA server:
1) Registration request
2) Identity authentication request
3) Identity information
4) Authentication request
5) Authentication acknowledgement
6) Accounting request
7) Accounting acknowledgement
8) Registration acknowledgement
Note: the packets exchanged between the VAM server and the AAA server are encrypted, and the pre-shared key should be configured in advance.
DVPN Tunnel Establishment Process
Phase 3: tunnel establishment phase
Exchange between Spoke/Hub and Hub:
1) Tunnel establishment request
2) Tunnel established
Note:
1. If IPsec is configured on the DVPN tunnel interface, it is the DVPN tunnel establishment request packet that triggers negotiation of the IPsec SA. An IPsec tunnel is then set up and all private packets are sent over the IPsec tunnel.
2. IPsec is not necessary for DVPN, but for security it is usually configured.
DVPN Packet Forwarding Process
Sending spoke:
1. The spoke receives a packet from the local LAN network and checks the FIB for the next hop, which should be the private address of a peer tunnel.
2. A lookup is performed for the peer's public address according to that private address. The packet is then encapsulated by DVPN with the local public address and the peer's public address.
3. The packet is then encrypted by IPsec.
4. A second FIB lookup is performed for the public next hop, and the encrypted packet is forwarded to the peer over the public network.
Receiving peer:
1. The peer router receives the encrypted packet from the public network.
2. The IPsec packet is decrypted.
3. The DVPN packet is de-encapsulated to get the original private packet.
4. A FIB lookup is performed and the packet is forwarded to the appropriate next hop.
[Figure: Spoke with Branch Private Network, VAM Server, and Hub with Central Private Network, connected over the Public Network]
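The forwarding sequence above, carried through on the addresses of this deck's configuration example, as an added Python model that is not part of the original slides; the FIB, VAM table and packet structures are simplifications assumed for the illustration, and the model covers both the full-mesh and the hub-spoke topology of the topologies slide.

```python
"""Model of the DVPN forwarding path on the slide above (constructed example).

The addresses come from the configuration example in this deck: Spoke-1 serves
172.16.1.0/24 behind public 40.1.1.1 (tunnel 10.0.6.1), Spoke-2 serves
172.16.2.0/24 behind 40.2.1.1 (tunnel 10.0.8.1), Hub-1 serves 192.168.1.0/24
behind 122.200.0.1 (tunnel 10.0.1.1).  Packet, FIB and VAM structures are
simplifications made up for this illustration, not the router's own.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

DVPN_UDP_PORT = 18000  # default UDP port named in the VAM server configuration


@dataclass
class Packet:
    src: str
    dst: str
    # outer headers pushed as the packet is processed: DVPN/UDP first, then IPsec
    outer: list = field(default_factory=list)


class Router:
    def __init__(self, name, public_ip, fib):
        self.name, self.public_ip = name, public_ip
        # fib: (prefix, next hop); the next hop of a private route is the peer's
        # tunnel address, the next hop of a public route is the ISP gateway
        self.fib = [(ip_network(p), nh) for p, nh in fib]

    def fib_lookup(self, dst):
        """Longest-prefix match over the FIB."""
        addr = ip_address(dst)
        hits = [(n, nh) for n, nh in self.fib if addr in n]
        if not hits:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(hits, key=lambda h: h[0].prefixlen)[1]


# Public address of every VAM client, keyed by its tunnel private address; in the
# real system this answer comes from the VAM server on request.
VAM_TABLE = {"10.0.1.1": "122.200.0.1", "10.0.6.1": "40.1.1.1", "10.0.8.1": "40.2.1.1"}


def dvpn_send(router, pkt):
    """Sending side: two FIB lookups with a VAM resolution in between."""
    tunnel_peer = router.fib_lookup(pkt.dst)          # 1. private next hop
    peer_public = VAM_TABLE[tunnel_peer]              # 2. private -> public
    pkt.outer.append(("dvpn-udp", router.public_ip, peer_public, DVPN_UDP_PORT))
    pkt.outer.append(("ipsec", router.public_ip, peer_public))  # 3. encrypt
    return peer_public, router.fib_lookup(peer_public)  # 4. public next hop


def dvpn_receive(router, pkt):
    """Receiving side: decrypt, de-encapsulate, then look up the inner packet."""
    proto, _, outer_dst = pkt.outer.pop()
    if proto != "ipsec" or outer_dst != router.public_ip:
        raise ValueError(f"{router.name}: IPsec packet not addressed to us")
    if pkt.outer.pop()[0] != "dvpn-udp":
        raise ValueError(f"{router.name}: expected a DVPN UDP encapsulation")
    return router.fib_lookup(pkt.dst)


def spoke1(full_mesh):
    # Full mesh: the route to Branch 2 points at Spoke-2's tunnel address;
    # hub-spoke: every remote private route points at the hub's tunnel address.
    return Router("Spoke-1", "40.1.1.1", [
        ("172.16.1.0/24", "connected"),
        ("192.168.0.0/16", "10.0.1.1"),
        ("172.16.2.0/24", "10.0.8.1" if full_mesh else "10.0.1.1"),
        ("0.0.0.0/0", "40.1.1.2"),
    ])


SPOKE2 = Router("Spoke-2", "40.2.1.1", [
    ("172.16.2.0/24", "connected"), ("172.16.1.0/24", "10.0.6.1"),
    ("192.168.0.0/16", "10.0.1.1"), ("0.0.0.0/0", "40.2.1.2"),
])
HUB1 = Router("Hub-1", "122.200.0.1", [
    ("192.168.1.0/24", "connected"), ("172.16.1.0/24", "10.0.6.1"),
    ("172.16.2.0/24", "10.0.8.1"), ("0.0.0.0/0", "122.200.0.2"),
])


def branch_to_branch(full_mesh):
    """Return (peer public address, public next hop) per tunnel hop, and the
    next hop the final receiver finds for the inner packet."""
    pkt = Packet("172.16.1.10", "172.16.2.20")
    hops = [dvpn_send(spoke1(full_mesh), pkt)]
    if not full_mesh:
        # The hub terminates the first tunnel and re-encapsulates toward Spoke-2
        dvpn_receive(HUB1, pkt)
        hops.append(dvpn_send(HUB1, pkt))
    inner_next_hop = dvpn_receive(SPOKE2, pkt)
    return hops, inner_next_hop


if __name__ == "__main__":
    print("full mesh:", branch_to_branch(True))
    print("hub-spoke:", branch_to_branch(False))
```

In the full-mesh case the packet is tunnelled once, straight to Spoke-2's public address; in the hub-spoke case it is tunnelled twice, with the hub decrypting and re-encrypting in between.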
DVPN Key Security Features
Data Plane
• Uses UDP or GRE encapsulation, and allows configuration of IPsec with IKE
• Encryption algorithm: up to AES-256
• Authentication algorithm: SHA-1
• Supports up to DH group 14 with Perfect Forward Secrecy (PFS)
Control Plane (VAM Protocol)
• Payload encryption algorithm: up to AES-256
• Payload authentication algorithm: SHA-1
VAM clients are authenticated to an AAA server inside the VAM tunnel
• Authentication method: pre-shared key and username/password
• Authentication protocol: PAP or CHAP with RADIUS
Configuration Example

DVPN Typical Network Architecture
• A routing protocol such as OSPF is configured inside the Data Center network
• The AAA Server is used to authenticate the VAM clients
• 2 VAM Servers: the secondary acts as backup
• 2 Hubs for HA and load balancing
• The public IP network should ensure that Hubs, VAM servers and spokes have public IP reachability with each other
• Routing protocols such as OSPF are deployed inside the branch network
[Figure: Data Center Network with AAA Server, Hub-1, Hub-2, Primary VAM Server and Secondary VAM Server; Public Network; Spoke-1 to Spoke-4 each with a Branch Network]
DVPN Configuration Example
[Figure: topology used by the configuration example that follows. Addresses as drawn:]
Data Center Network: AAA Server 192.168.100.200
Hub-1: G0/0/1 192.168.1.1 (Data Center side), G5/0/1 122.200.0.1 (public side, next hop 122.200.0.2), Tunnel 1 10.0.1.1/16
Hub-2: G0/0/1 192.168.2.1, G5/0/1 120.200.0.1 (public next hop 120.200.0.2), Tunnel 1 10.0.1.2/16
Primary VAM Server: G0/1 192.168.102.1, G0/0 100.100.100.1 (public next hop 100.100.100.2)
Secondary VAM Server (MSR50): G0/1 192.168.103.1, G0/0 100.100.200.1 (public next hop 100.100.200.2)
Spoke-1: G7/0 172.16.1.1/24 (Branch Network), G7/1 40.1.1.1 (public next hop 40.1.1.2), Tunnel 1 10.0.6.1/16
Spoke-2: G0/0 172.16.2.1/24 (Branch Network), G0/1 40.2.1.1 (public next hop 40.2.1.2), Tunnel 1 10.0.8.1/16
Configure VAM Servers
1. Basic Configurations
# configure the interface connected to the private network
interface GigabitEthernet0/1
 ip address 192.168.102.1 255.255.255.0
# configure the interface connected to the public network
interface GigabitEthernet0/0
 ip address 100.100.100.1 255.255.255.0
# configure the default route directing to the public network
ip route-static 0.0.0.0 0.0.0.0 100.100.100.2

2. Configurations for VAM server (primary)
# specify the listening address and UDP port (default 18000)
vam server ip 100.100.100.1
# create a DVPN domain
vam server vpn 1
 server enable
# set the pre-shared key
 pre-shared-key simple 123
# specify the tunnel private IP addresses of the hubs
 hub private-ip 10.0.1.1
 hub private-ip 10.0.1.2

3. Configurations for authentication
# configure RADIUS scheme
radius scheme radsun
 server-type extended
 primary authentication 192.168.100.200
 primary accounting 192.168.100.200
# configure the shared key to correspond to the AAA server
 key authentication simple expert
 key accounting simple expert
 user-name-format without-domain
# specify the radius-scheme for DVPN authentication, authorization and accounting
domain dmdvpn
 authentication dvpn radius-scheme radsun
 authorization dvpn radius-scheme radsun //necessary
 accounting dvpn radius-scheme radsun
# specify the default domain
domain default enable dmdvpn

The configurations on this page are on the primary server; those on the secondary VAM server are shown below in the notes.
Configure Hubs
1. Basic Configuration
# configure the interface connected to the private network
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
# configure the interface connected to the public network
interface GigabitEthernet5/0/1
 ip address 122.200.0.1 255.255.255.0
# configure the default route directing to the public network
ip route-static 0.0.0.0 0.0.0.0 122.200.0.2
# configure the private routing protocol
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255

2. Configure VAM client
vam client name dvpn1hub1
# specify the DVPN domain that the VAM client belongs to
 vpn 1
# specify the IP addresses of the VAM servers
 server primary ip-address 100.100.100.1
 server secondary ip-address 100.100.200.1
# set the pre-shared key for encryption
 pre-shared-key simple 123
# username/password for authentication
 user dvpn1hub1 password simple dvpn1hub1
 client enable
Configure Hubs
3. Configure the IPsec profile
# configure DPD
ike dpd 1
 interval-time 10
 time-out 10
# configure the IKE peer
ike peer vam (See Note 1)
 pre-shared-key simple 123456
 dpd 1 //speed up detection for peers
# configure the IPsec proposal
ipsec proposal vam
 esp authentication-algorithm sha1
 esp encryption-algorithm aes 256
# configure the IPsec profile, binding the IKE peer and the proposal
ipsec profile vamp
 pfs dh-group2
 ike-peer vam
 proposal vam

4. Configure DVPN tunnel
interface Tunnel1
# specify the service card for forwarding the traffic on the tunnel interface (for distributed devices such as SR66)
 service slot 5
 ip address 10.0.1.1 255.255.0.0
# specify UDP as the encapsulation protocol
 tunnel-protocol dvpn udp
# specify the source address
 source GigabitEthernet5/0/1
# apply the IPsec profile defined before
 ipsec profile vamp (See Note 2)
# specify the VAM client
 vam client dvpn1hub1

The configurations on this and the last page are on Hub-1; those on Hub-2 are shown below in the notes section (See Note 3).
Configure Spokes
1. Basic Configuration
# configure the interface connected to the private network
interface GigabitEthernet7/0
 ip address 172.16.1.1 255.255.255.0
# configure the interface connected to the public network
interface GigabitEthernet7/1
 ip address 40.1.1.1 255.255.255.0
# configure the default route directing to the public network
ip route-static 0.0.0.0 0.0.0.0 40.1.1.2

2. Configure VAM client
vam client name dvpn1spoke1
# specify the DVPN domain that the VAM client belongs to
 vpn 1
# specify the IP addresses of the VAM servers
 server primary ip-address 100.100.100.1
 server secondary ip-address 100.100.200.1
# set the pre-shared key for encryption
 pre-shared-key simple 123
# username/password for authentication
 user dvpn1spoke1 password simple dvpn1spoke1
 client enable
Configure Spokes
3. Configure the IPsec profile
# configure the IPsec proposal
ipsec proposal vam
 esp authentication-algorithm sha1
 esp encryption-algorithm aes 256
# configure DPD
ike dpd 1
 interval-time 10
 time-out 10
# configure the IKE peer
ike peer vam
 pre-shared-key simple 123456
 dpd 1
# configure the IPsec profile, binding the IKE peer and the proposal
ipsec profile vamp
 pfs dh-group2
 ike-peer vam
 proposal vam
# use the encryption card to encrypt and decrypt the packets
interface Encrypt11/0 (See Note 1)
 ipsec binding policy vamp primary

4. Configure DVPN tunnel
interface Tunnel1
 ip address 10.0.6.1 255.255.0.0
# specify UDP as the encapsulation protocol
 tunnel-protocol dvpn udp
# specify the source address
 source GigabitEthernet7/1
# apply the IPsec profile
 ipsec profile vamp (See Note 2)
# specify the VAM client
 vam client dvpn1spoke1

The configurations on this and the last page are on Spoke-1; those on Spoke-2 are shown below in the notes section (See Note 3).
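An added consistency check over the spoke and VAM server configuration from the slides above (not HP code and not part of the original deck): it parses the Comware-style blocks, assuming sub-commands are indented one space under their top-level command, and reports the mismatches that would leave the tunnel unprotected or keep the VAM client from registering.

```python
"""Consistency check over the spoke and VAM server configuration above.

Added example, not HP code.  SPOKE1 and VAM_SERVER are the Spoke-1 and primary
VAM server configuration from this deck with interface and routing lines
omitted; sub-commands are indented one space under their top-level command.
"""
SPOKE1 = """\
vam client name dvpn1spoke1
 vpn 1
 server primary ip-address 100.100.100.1
 pre-shared-key simple 123
 client enable
ipsec proposal vam
 esp authentication-algorithm sha1
 esp encryption-algorithm aes 256
ike peer vam
 pre-shared-key simple 123456
ipsec profile vamp
 ike-peer vam
 proposal vam
interface Tunnel1
 ip address 10.0.6.1 255.255.0.0
 tunnel-protocol dvpn udp
 source GigabitEthernet7/1
 ipsec profile vamp
 vam client dvpn1spoke1
"""
VAM_SERVER = """\
vam server ip 100.100.100.1
vam server vpn 1
 server enable
 pre-shared-key simple 123
 hub private-ip 10.0.1.1
 hub private-ip 10.0.1.2
"""


def parse_config(text):
    """Return {top-level command: [its indented sub-commands]}; comments skipped."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def block(cfg, prefix):
    """First block whose header starts with prefix, as (header, body)."""
    for header, body in cfg.items():
        if header.startswith(prefix):
            return header, body
    return None, []


def arg(lines, keyword):
    """Argument text of the sub-command that starts with keyword, else None."""
    for line in lines:
        if line == keyword or line.startswith(keyword + " "):
            return line[len(keyword):].strip()
    return None


def check_vam_client(client_text, server_text):
    """Return a list of findings; an empty list means client and server agree."""
    c, s, findings = parse_config(client_text), parse_config(server_text), []
    tun, tun_body = block(c, "interface Tunnel")
    if tun is None:
        return ["no DVPN tunnel interface configured"]
    if arg(tun_body, "tunnel-protocol") not in ("dvpn udp", "dvpn gre"):
        findings.append(f"{tun}: tunnel-protocol is not a DVPN encapsulation")
    prof = arg(tun_body, "ipsec profile")
    if prof is None:  # IPsec is optional in DVPN, so its absence is silent
        findings.append(f"{tun}: no ipsec profile, private traffic crosses the public network in clear")
    else:  # the profile must resolve to an IKE peer and an IPsec proposal
        _, prof_body = block(c, f"ipsec profile {prof}")
        for ref, kind in (("ike-peer", "ike peer"), ("proposal", "ipsec proposal")):
            name = arg(prof_body, ref)
            if name is None or block(c, f"{kind} {name}")[0] is None:
                findings.append(f"ipsec profile {prof}: {ref} '{name}' is not defined")
    name = arg(tun_body, "vam client")
    vam_hdr, vam_body = block(c, f"vam client name {name}")
    if vam_hdr is None:
        return findings + [f"{tun}: vam client '{name}' is not defined"]
    if arg(vam_body, "client enable") is None:
        findings.append(f"{vam_hdr}: client enable is missing")
    listen_hdr, _ = block(s, "vam server ip")
    listen_ip = listen_hdr.split()[-1] if listen_hdr else None
    if arg(vam_body, "server primary ip-address") != listen_ip:
        findings.append(f"{vam_hdr}: primary server is not the VAM listening address {listen_ip}")
    vpn_hdr, vpn_body = block(s, "vam server vpn")
    if vpn_hdr is None or arg(vam_body, "vpn") != vpn_hdr.split()[-1]:
        findings.append(f"{vam_hdr}: DVPN domain differs from the VAM server's")
    if arg(vam_body, "pre-shared-key") != arg(vpn_body, "pre-shared-key"):
        findings.append(f"{vam_hdr}: VAM pre-shared-key differs from the VAM server's")
    return findings


if __name__ == "__main__":
    print(check_vam_client(SPOKE1, VAM_SERVER) or "consistent")
```

Run against the unchanged slide configuration it reports nothing; drop the `ipsec profile vamp` line from Tunnel1 or change either pre-shared key and it names the affected block.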
Design Scenarios

DVPN Hub and VAM Server Combination
In a relatively small deployment, the DVPN Hub and the DVPN VAM Server can be combined on the same router.
[Figure: HQ Data Center with a combined DVPN Hub/DVPN VAM Server Router and an HP IMC AAA Server; IP Network; three Branches each with a DVPN Spoke Router; DVPN Tunnel between HQ and Branch; DVPN Tunnel between Branches]
DVPN Local User Authentication
• If no AAA Server is available, local authentication can be configured on the DVPN VAM Server
• Helps reduce investment
• Pay attention to the maximum number of local users
[Figure: HQ Data Center with a DVPN Hub/DVPN VAM Server Router using Local User Authentication; IP Network; three Branches each with a DVPN Spoke Router; DVPN Tunnel between HQ and Branch; DVPN Tunnel between Branches]
DVPN Full-Mesh Implementation - OSPF
[Figure: same topology as the configuration example: Hub-1 (Tunnel 1 10.0.1.1/16, G0/0/1 192.168.1.1, G5/0/1 122.200.0.1) and Hub-2 (Tunnel 1 10.0.1.2/16, G0/0/1 192.168.2.1, G5/0/1 120.200.0.1) on the Data Center Network; Spoke-1 (Tunnel 1 10.0.6.1/16, G7/1 40.1.1.1, G7/0 172.16.1.1/24) and Spoke-2 (Tunnel 1 10.0.8.1/16, G0/1 40.2.1.1, G0/0 172.16.2.1/24) with their Branch Networks, over the IP Network]
Hub-1:
interface Tunnel1
 ip address 10.0.1.1 255.255.0.0
 tunnel-protocol dvpn udp
 source GigabitEthernet5/0/1
 ospf network-type broadcast
 ospf dr-priority 255
 ipsec profile vamp
 vam client dvpn1hub1
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
 area 0.0.0.1
  network 10.0.0.0 0.0.255.255
Spoke-2:
interface Tunnel1
 ip address 10.0.8.1 255.255.0.0
 tunnel-protocol dvpn udp
 source GigabitEthernet0/1
 ospf network-type broadcast
 ospf dr-priority 0
 ipsec profile vamp
 vam client dvpn1spoke2
ospf 1
 area 0.0.0.1
  network 10.0.0.0 0.0.255.255
  network 172.16.2.0 0.0.0.255
DVPN Full-Mesh Implementation - eBGP
[Figure: same topology; Data Center Network 192.168.11.1 in AS 100 with Hub-1 and Hub-2; Spoke-1 with Branch Network 1 in AS 200; Spoke-2 with Branch Network 2 in AS 300]
Hub-2 (Hub-1 has similar configurations):
bgp 100
 preference 140 255 130 (See Note 1)
 network 192.168.11.0 255.255.255.0
 peer 10.0.6.1 as-number 200
 peer 10.0.8.1 as-number 300
 group branch1 external
 peer 10.0.6.1 group branch1
 group branch2 external
 peer 10.0.8.1 group branch2
 peer branch1 route-policy aaa export
 peer branch2 route-policy bbb export
ospf 1
 import-route bgp route-policy eee
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255
For load balancing, the route-policies aaa, bbb and eee have different definitions on the two Hubs (See Note 2).
Spoke-2 (Spoke-1 has similar configurations):
bgp 300
 peer 10.0.1.1 as-number 100
 peer 10.0.1.2 as-number 100
 network 172.16.2.0 255.255.255.0
DVPN Full-Mesh Implementation - iBGP
[Figure: same topology; Data Center Network 192.168.11.1, both Hubs and both Branch Networks all in AS 100]
Hub:
bgp 100
 preference 255 140 130 (See Note 1)
 reflector cluster-id 100
 peer 10.0.1.2 as-number 100
 network 192.168.11.0 255.255.255.0
 group branch1 internal
 peer branch1 reflect-client
 peer 10.0.6.1 group branch1
 peer branch1 route-policy aaa export
 group branch2 internal
 peer branch2 reflect-client
 peer 10.0.8.1 group branch2
 peer branch2 route-policy bbb export
ospf 1
 import-route bgp allow-ibgp route-policy eee
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255
For load balancing, the route-policies aaa, bbb and eee have different definitions on the two Hubs (See Note 2).
Spoke-2:
bgp 100
 peer 10.0.1.1 as-number 100
 peer 10.0.1.2 as-number 100
 network 172.16.2.0 255.255.255.0
DVPN Hub-Spoke Implementation - OSPF
[Figure: same topology as the configuration example: Hub-1 and Hub-2 on the Data Center Network; Spoke-1 and Spoke-2 with their Branch Networks, over the IP Network]
Hub-1:
interface Tunnel1
 ip address 10.0.1.1 255.255.0.0
 tunnel-protocol dvpn udp
 source GigabitEthernet5/0/1
 ospf network-type p2mp
 ipsec profile vamp
 vam client dvpn1hub1
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
 area 0.0.0.1
  network 10.0.0.0 0.0.255.255
Spoke-2:
interface Tunnel1
 ip address 10.0.8.1 255.255.0.0
 tunnel-protocol dvpn udp
 source GigabitEthernet0/1
 ospf network-type p2mp
 ipsec profile vamp
 vam client dvpn1spoke2
ospf 1
 area 0.0.0.1
  network 10.0.0.0 0.0.255.255
  network 172.16.2.0 0.0.0.255
DVPN Hub-Spoke Implementation - eBGP
[Figure: same topology; Data Center Network 192.168.11.1 in AS 100 with Hub-1 and Hub-2; Spoke-1 with its Branch Network in AS 200; Spoke-2 with its Branch Network in AS 300]
Hub:
bgp 100
 preference 140 255 130
 network 192.168.11.0 255.255.255.0
 peer 10.0.6.1 as-number 200
 peer 10.0.8.1 as-number 300
 group branch1 external
 peer 10.0.6.1 group branch1
 group branch2 external
 peer 10.0.8.1 group branch2
 peer branch1 route-policy aaa export
 peer branch2 route-policy bbb export
 peer branch1 next-hop-local
 peer branch2 next-hop-local
ospf 1
 import-route bgp route-policy eee
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255
For load balancing, the route-policies aaa, bbb and eee have different definitions on the different Hubs (See Note 1).
Spoke-2:
bgp 300
 peer 10.0.1.1 as-number 100
 peer 10.0.1.2 as-number 100
 network 172.16.2.0 255.255.255.0
Note: in order to accelerate BGP convergence, BFD can be used (See Note 2).
DVPN Hub-Spoke Implementation - iBGP
[Figure: same topology, all routers in AS 100]
Hub:
bgp 100
 preference 255 140 130
 reflector cluster-id 100
 peer 10.0.1.2 as-number 100
 network 192.168.11.0 255.255.255.0
 group branch1 internal
 peer branch1 reflect-client
 peer 10.0.6.1 group branch1
 peer branch1 route-policy aaa export
 group branch2 internal
 peer branch2 reflect-client
 peer 10.0.8.1 group branch2
 peer branch2 route-policy bbb export
ospf 1
 import-route bgp allow-ibgp route-policy eee
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255
For load balancing, the route-policies aaa, bbb and eee have different definitions on the different Hubs (See Note 1).
Spoke-2:
route-policy aaa permit node 0
 apply ip-address next-hop 10.0.1.1
route-policy bbb permit node 0
 apply ip-address next-hop 10.0.1.2
bgp 100
 peer 10.0.1.1 as-number 100
 peer 10.0.1.2 as-number 100
 peer 10.0.1.1 route-policy aaa import
 peer 10.0.1.2 route-policy bbb import
 network 172.16.2.0 255.255.255.0
Note: in order to accelerate BGP convergence, BFD can be used (See Note 2).
DVPN Hub-Spoke Implementation - iBGP
[Figure: same topology, all routers in AS 100; Data Center Network 192.168.11.1; Spoke-1's branch network 172.16.1.0/24 is bound to the VPN instance branch]
Spoke-1:
ip vpn-instance branch
 route-distinguisher 100:101
interface GigabitEthernet7/0
 ip binding vpn-instance branch
 ip address 172.16.1.1 255.255.255.0
interface GigabitEthernet7/1
 ip address 40.1.1.1 255.255.255.0
ospf 1 vpn-instance branch
 default-route-advertise
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
bgp 100
 ipv4-family vpn-instance branch
  peer 10.0.1.1 as-number 100
  peer 10.0.1.2 as-number 100
  network 172.16.1.0 255.255.255.0
interface Tunnel1
 ip binding vpn-instance branch
 ip address 10.0.6.1 255.255.0.0
 tunnel-protocol dvpn udp
 source GigabitEthernet7/1
 ipsec profile vamp
 vam client dvpn1spoke1
ip route-static 0.0.0.0 0.0.0.0 40.1.1.2
Hub:
bgp 100
 network 192.168.11.0 255.255.255.0
 group branch1 internal
 peer 10.0.6.1 group branch1
 peer branch1 update-no-advertise (1)
 peer branch1 default-route-advertise route-policy aaa
 group branch2 internal
 peer 10.0.8.1 group branch2
 peer branch2 update-no-advertise
 peer branch2 default-route-advertise route-policy bbb
ospf 1
 import-route bgp allow-ibgp route-policy eee
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255
DVPN Through MPLS Network
On the Hubs and spokes, DVPN is deployed; the private routes are transferred by the routing protocol on the DVPN tunnel.
The MPLS network needs to provide reachability between Hubs, Spokes and VAM servers.
The private traffic should be forwarded through the DVPN tunnel and encrypted by IPsec, then forwarded via the MPLS VPN.
[Figure: Central Network with Server, VAM Server-1, VAM Server-2, Hub-1 (CE) and Hub-2 (CE); MPLS Network by SP with PEs (Public Network); Spoke-1 (CE) with Branch Network 1; Spoke-2 (CE) with Branch Network 2]
DVPN Backups MPLS VPN
eBGP is applied between CEs and PEs, and also between spokes and Hubs.
Central network:
1. In the central network, both C-CE and Hub import eBGP routes into OSPF; route-policies should be used to ensure that the routes imported by C-CE have higher preference.
2. On C-CE and Hub, raise the eBGP protocol preference so that it has higher priority than O_ASE (1).
Branches:
1. Each branch CE (spoke) can get center routes and other branch routes from both the peer to the PE and the peer to the Hub; a route-policy is used to ensure that the routes from the PE have higher preference.
2. Each spoke sends only local routes to the PE via eBGP to avoid loops.
[Figure: Central Network with Server, C-CE, Hub and VAM Server; MPLS Network by SP with PEs; IP Public Network; Branch 1 with B1-CE (Spoke-1); Branch 2 with B2-CE (Spoke-2)]
DVPN Deployment Using 3G as Backup Link
On each Hub, two DVPN tunnels are bound to the same public interface but belong to different DVPN domains, so the DVPN tunnels have to use UDP encapsulation.
• Two default routes are configured: one uses the cable interface as the output interface, the other specifies the 3G interface as the output interface. The former has higher priority, so normally the spoke uses the cable interface to access the public network.
• When the cable interface is broken, the second default route takes effect (note that even if the 3G interface doesn't come up, the second default route can still take effect), and the spoke uses the 3G interface to access the public network.
The 3G interface acts as the backup of the cable interface. The 3G interface is triggered by traffic; if there is no traffic, the 3G interface is down.
[Figure: Central Network with VAM Server, Hub-1 and Hub-2; IP Public Network; Spoke-1 and Spoke-2 each with a cable interface, a 3G interface and a Branch Network]
Best Practices

Where to use DVPN?
Where Payment Card Industry (PCI) requirements exist
• Examples: Bank ATM networks and Retail stores
Customers want lower cost connectivity for remote sites
• Examples: Enterprise Branch offices
Customers are moving away from MPLS based VPNs to an Open WAN
Customers want lower cost backup connectivity for the MPLS WAN
Where data traffic over private networks must be encrypted
Best Practices
Watch your scaling
• Have a conversation with R&D
• When you combine other functions like NAT or FW, you won't reach maximum performance levels
In PoCs, challenges around tunnels getting "stuck" (1 side "up", the other side "down")
• Shut down the tunnel at the head end
HP 6600 Series does not have the ability to ignore the do-not-fragment bit
• This causes problems with packets exceeding the MTU on any link on the path
• Limited to only non-TCP protocols
• We have a CRC request submitted for this; may be available shortly
When configuring BGP make sure that your network statement is correct
• Some providers do not give you access to their routing table, so you have no way to
HP DVPN and Multicast Traffic
DVPN supports multicast protocols
• If security requirements are not stringent, IPsec can be disabled on DVPN tunnels to improve multicast forwarding performance
[Figure: HQ Data Center with Multicast Server, DVPN Hub Router, AAA Server and DVPN VAM Server; IP Network; three Branches each with a DVPN Spoke Router; Multicast Traffic; DVPN Data Forwarding Tunnel]
HP DVPN Scalability
Hub (VAM client)   Minimum software version   DVPN Tunnels   OSPF neighbors   BGP peers
6616               6600 R2603P08              3000           3000             500
6608               6600 R2603P08              3000           3000             500
6604               6600 R2603P08              3000           3000             500
6602               6600 R2603P08              1500           1500             500
MSR 50 MPU G2      MSR R2207P38               256            256              200
MSR 30, MSR 20     MSR R2207P38               200            64               200

VAM Server         Software version           DVPN domains   Hubs             Clients
6602               6600 R2603P08              10             20               30,000
MSR 50 MPU G2      MSR R2207P38               10             20               30,000

NMS                Software version           Devices
IMC BIMS Server    IMC BIMS 5.1 (E0201)       10000
IMC IVM Server     IMC IVM 5.1 (E0201L02)     10000
Using IMC for DVPN Deployments
HP DVPN Management with IMC BIMS
Zero touch configuration and software upgrades for branch device deployments
• Out of path from DVPN
• Secure with SSL
• Scheduled ad-hoc configuration and software upgrades
• Comprehensive monitoring of physical links
• Scales to 10,000 branches (MSRs)
Spoke Communication
Using CWMP Configuration
# SSL client policy used by the CWMP client
ssl client-policy mgmt
 version SSL3.0
 prefer-cipher RSA_AES_256_CBC_SHA
#
# CWMP (TR-069) client pointing at the BIMS ACS
cwmp
 cwmp enable
 cwmp acs url https://10.10.10.220:9443
 cwmp acs username bims
 cwmp acs password simple bims
 cwmp cpe inform interval enable
 cwmp cpe inform interval 60
 cwmp cpe connect interface Ethernet0/0
 ssl client-policy mgmt
Add CPE
Define the MSR Router using display device manuinfo on the router:
• Device Name
• OUI is 000FE2
• Serial ID
Configuration Templates

42 © Copyright 2012 Hewlett-Packard Development Company, L.P.


The information contained herein is subject to change without notice.
Building Configuration File
CPE Classes

43 © Copyright 2012 Hewlett-Packard Development Company, L.P.


The information contained herein is subject to change without notice.
Populated Configuration File
Note that variables can be inserted for bulk loads

44 © Copyright 2012 Hewlett-Packard Development Company, L.P.


The information contained herein is subject to change without notice.
Deploy Configurations
Configuration Templates List
Pick the configuration that you want to deploy and under Operation click
deploy

Configuration Deployed
Router now shows DVPN Connection

Compare Configurations
Configuration History

Configuration Comparison
Between Startup and Running Configurations

BIMS Software Library
Keep a complete library of software versions for various routers
• Upgrades
• Downgrades

BIMS Software Deployment

DVPN for RADIUS Authentication using IMC
IMC supports RADIUS through UAM (User Access Manager), which provides the VAM server / VAM client authentication.
[Diagram: HQ data center with an HP IMC AAA server, a CE router and a DVPN hub / DVPN VAM server router, connected over an IP network to branch DVPN spoke routers. DVPN tunnels run between HQ and each branch and directly between branches.]
Router Configuration for RADIUS
# configure RADIUS scheme
radius scheme radsun
 server-type extended
 primary authentication 10.10.10.221
 primary accounting 192.168.100.200
 # configure the shared key to match the AAA server
 key authentication simple expert
 key accounting simple expert
 user-name-format without-domain
# specify the radius-scheme for dvpn authentication, authorization and accounting
domain dmdvpn
 authentication dvpn radius-scheme radsun
 authorization dvpn radius-scheme radsun //necessary
 accounting dvpn radius-scheme radsun
# specify the default domain
domain default enable dmdvpn
# username/password for authentication
user dvpn1hub1 password simple dvpn1hub1

Note: "expert" and the dvpn1hub1/dvpn1hub1 account are lab values. The RADIUS shared key is the only secret protecting the exchange with IMC (it masks the User-Password attribute and authenticates the server's reply), so in production it must be long, random and unique per access device, and VAM account passwords must not equal the username.
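What the shared key in the scheme above actually does is easiest to see in a complete RADIUS PAP exchange (RFC 2865). The following is an added example, not HP, Comware or IMC code: the NAS role stands in for the DVPN hub / VAM server forwarding a spoke's credentials, and the server role stands in for IMC UAM. It builds an Access-Request with the User-Password masked under the shared key, lets the server unmask it and answer Access-Accept or Access-Reject, and then verifies the Response Authenticator on the NAS side. The account store, the key "expert" and the dvpn1hub1 account are constructed sample data taken from the slide's lab values.

```python
"""RADIUS PAP exchange (RFC 2865) between a NAS and an AAA server.

Added example for the DVPN RADIUS slides; not HP, Comware or IMC code.
The shared key is the only secret: it masks User-Password in the request and
authenticates the server's reply. 'accounts' is a constructed account store.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type, value):
    """Type(1) Length(1, header included) Value TLV; value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def encrypt_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16n; c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = RA."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decrypt_password(cipher, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(username, password, secret, ident=1, req_auth=None):
    """NAS side. The 16-byte Request Authenticator must be fresh for every request."""
    if req_auth is None:
        req_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, req_auth))
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_respond(request, secret, accounts):
    """AAA side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = decrypt_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in accounts and hmac.compare_digest(accounts[user].encode(), pw)
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", resp_code, ident, 20)      # no reply attributes
    resp_auth = hashlib.md5(header + req_auth + secret).digest()
    return header + resp_auth


def client_verify(request, response, secret):
    """NAS side: accept only a reply whose Response Authenticator was computed
    with our shared key over our own Request Authenticator and identifier."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]) and code == ACCESS_ACCEPT


if __name__ == "__main__":
    SECRET = b"expert"                        # the slide's lab shared key
    ACCOUNTS = {"dvpn1hub1": "dvpn1hub1"}     # constructed account store
    req = build_access_request("dvpn1hub1", "dvpn1hub1", SECRET)
    print("accepted:", client_verify(req, server_respond(req, SECRET, ACCOUNTS), SECRET))
    # Key mismatch: the server unmasks garbage and rejects, and its reply also
    # fails verification on the NAS, which is what a wrong 'key authentication' looks like.
    print("key mismatch:", client_verify(req, server_respond(req, b"wrong", ACCOUNTS), SECRET))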

Configure AAA server
The AAA server is a component of IMC. To configure it for user authentication, follow the "Authentication Configuration Wizard" in the view "Service >> User Access Manager >> Access Service Manager Home Page" shown below.

We need to configure 3 items:
1. Access Device
2. Service Configuration
3. Adding Account
Configure AAA server
In the view "User >> Access User View >> All Online User" we can check the online users. If necessary, we can kick out an online user or clear the online information about online users.

In the view "User >> Access User View >> Log Management", click "Authen Failure Log" to check why some accounts fail to authenticate.

Deployment Examples
of DVPN Wins

Major Global Financial Services Client - EMEA
$460K FOB through FY13
Project Description:
Demonstrate DVPN capabilities in a full mesh for ~10 campus sites. OSPF must be supported.

Key requirements:
1. Must support IPsec and dynamic tunneling
2. Must support OSPF in full-mesh
3. Must scale to ~25 branch sites
4. Use MPLS transport

Other Details:
1. Using 6602s for all "spoke" sites
2. Using 6604 for 4 hubs
3. Dual DVPN domains
EMEA Corpnet: 200k to date, with another 60k this FY and approximately 200k in FY13.
[Diagram: data center with AAA/SNMP servers and firewalls, main and backup hub routers, main and backup VAM servers, each hub reached over the MPLS network by DVPN control tunnels (2) and DVPN data tunnels (2); DVPN spoke at the branch with a main link and a backup link.]
Major Global Financial Services Client
$760K FOB through FY14, 2000-3000 routers
Project Description:
Demonstrate DVPN capabilities for ~2000-3000 remote Retail sites. BGP is used over the DVPN. MSR20-12s will be used.

Key requirements:
1. Must use BGP over DVPN
2. Must support 500 remote sites per hub given the configuration templates provided
3. Use Internet broadband transport

Timeline:
1. Production pilot roll-out has begun on ClientNet in the US
2. Head ends are up; spokes will be brought online in the coming months
3. After successful testing, both projects will be signed by the client
Government agency in Brazil
$360K list
Project Description:
DVPN support for ~250 remote sites. MSR5040 used as hub/VAM server. Connect to Telefonica IP/MPLS backbone.
Equipment:
• 1 x MSR-5040 with SNDE encryption card (2xGE to Telefonica's IP/MPLS backbone)
• 240 x MSR-2040 (10/100 or V.35 to Telefonica's IP/MPLS backbone)

Key requirements/factors:
1. Product homologated at Telefonica
2. Single OS (Comware)
3. All features enabled by default without additional licensing for advanced features
4. IPsec support and performance
5. Value (features and price)
6. Strength of HP's relationship with Telefonica
7. Ability to control the routing plane over the DVPN separate from the provider network
[Diagram: HQ data center with VPN hub / DVPN VAM server router, MPLS network, branch DVPN spoke routers; DVPN tunnels between HQ and each branch and between branches.]
Retail client in Brazil
$155K list
Project Description:
DVPN support for ~200 Retail sites. MSR2011 and MSR20-40 used in this deployment. Connect to Telefonica IP/MPLS backbone with support for 3G.
Equipment:
• 2 x MSR-2040 (1xFE to Telefonica's IP/MPLS backbone)
• 183 x MSR-2011 (V.35 to Telefonica's IP/MPLS backbone, or 3G)

Key requirements:
1. 3G support through USB modem
2. 4x10/100 built-in
3. 1xV.35 built-in
4. Product homologated at Telefonica
5. Value (features and price)
6. Support for DVPN
[Diagram: HQ data center with HP IMC AAA server, CE router and DVPN hub; PE router into the MPLS network (primary circuit) and an IP network (backup ISP circuit); branch CE / DVPN spoke router with DVPN tunnels over both paths.]
Government agency in Colombia
$2.2M list
Project Description:
DVPN capabilities for ~800 remote sites. 6604, MSR30-20 and MSR50-40 used in this deployment.
Equipment:
• 800 x MSR30-20
• 4 x 6604
• 2 x MSR50-40

Key requirements:
1. IPsec support and performance
2. Value (features and price)
3. Single OS (Comware)
4. Firewall capabilities
5. Product homologated with Telefonica
6. DVPN was the key; Cisco had GetVPN in the old network
Top DVPN Opportunities

Large Retail Chain in Europe
10,200 routers
Project Description:
Hierarchical network deployment with ~9500 locations using MPLS and Internet. Planning refresh of WAN, hub and spoke / full-mesh.

Key requirements:
1. Each branch requires connection to a warehouse
2. Cost effectively support 9500 locations
3. Spoke to spoke is a requirement
4. Each warehouse requires connection to the country HQ
5. Each country HQ requires connection to the International HQ

Timeline:
1. SA has positioned the solution and the client is very impressed with the flexibility of the solution
[Diagram: International Headquarter, National/Country Headquarter, Property Office, Warehouses and Stores, interconnected over International MPLS, National MPLS and standard Internet.]
Large Consumer Bank in Brazil
14,000 routers
Project Description:
Current DMVPN customer with 14,000 locations using SLB on 6500 and 32 Cisco 7206s for hubs. Planning refresh of WAN, pure hub and spoke.

Key requirements:
1. Each branch requires dual SP connections with HQ
2. Cost effectively support 14,000 locations
3. Spoke to spoke is not a requirement
4. All encryption and equipment must be owned by the bank (kept internal)

Timeline:
1. Initial stages - SA is collecting additional information from the client and positioning
[Diagram: data center with AAA/SNMP servers and firewalls, main and backup hub routers, main and backup VAM servers, reached over the MPLS network by DVPN control tunnels (2) and DVPN data tunnels (2); DVPN spoke at the branch with a main link and a backup link.]
Summary

Summary
Features
1) Scalability
2) Flexible transport options to reduce WAN costs
3) Can be deployed over MPLS too
4) Only requires a single hub tunnel interface to terminate 3000 tunnels running BGP
5) Routing protocols run on a single tunnel interface
6) Supports dynamic WAN edge addressing: if a service provider changes your WAN router IP address, the tunnel automatically recovers without admin intervention
7) Separation of control and data plane for better reliability and scalability when compared to other vendor implementations
8) Data plane is IPsec based (DVPN operates inside the IPsec tunnel)

Best Practices
Keep other factors in mind when designing a large deployment:
• NAT
• Firewall
• QoS
• Multicast, etc.
All can affect the CPU of the router.
Don't just use the scaling numbers provided by HP. No deployment follows the rules exactly! Flexibility is key because no two clients are the same.

Thank you
