Finding the benefit in GET VPN

VN:F [1.9.6_1107]
Rating: 5.0/5 (1 vote cast)
By Brandon Carroll on April 14th, 2010

One of the issues with DMVPN is that it is IPsec tunnel based. When dynamic spoke to spoke traffic is necessary, the spokes always have to go through standard IPsec negotiation and this introduces a delay. You may have noticed this when pinging spoke to spoke in a DMVPN network. You’ll often see a few of the pings go through (these took the path through the hub), then a dropped packet and finally a few more pings. The drop occurred while the tunnel was being built between the spokes.

GET can eliminate this delay since the IPsec parameters are already set up. The spoke will simply need to send an NHRP query to the hub for the destination address and then send the packets encapsulated within GRE as normal. Now that you understand the theory, here is how you set it up.

We won’t be going into setting up key servers, group members, etc. for GET. Cisco already has excellent documentation for that in their online documentation. As far as the GET portion of our configuration is concerned, we simply need to decide what traffic is going to be encrypted. DMVPN is based on encapsulating with GRE, so we only need to worry about GRE between the group members. This is done with an ACL on the key server like so:

access-list 101 permit gre any any
!
crypto gdoi group dmvpn
server local
sa ipsec 1
match address ipv4 101

In a standard DMVPN implementation the GRE tunnels are encrypted using tunnel protection with an IPsec profile. Since GET has already taken care of the encryption we can simply remove (or not include) the tunnel protection command. Here is a sample tunnel configuration for the hub:

interface Tunnel0
bandwidth 1000
ip address 192.168.1.1 255.255.255.0
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon eigrp 1
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1

Configured this way, you will have eliminated the IPsec negotiation delay
and built a better DMVPN!

Brandon Carroll – CCIE #23837
Senior Technical Instructor – IPExpert
Mailto: bcarroll@ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130

Finding the benefit in GET VPN, 5.0 out of 5 based on 1 rating
Share and Enjoy:
  • RSS
  • Twitter
  • Facebook
  • Google Bookmarks
  • Digg
  • Print
  • Technorati
  • Slashdot
  • LinkedIn
  • del.icio.us
  • Reddit
  • Sphinn
  • Mixx
  • Blogplay
  • Netvibes
  • NewsVine
  • Live
  • Ping.fm
  • MySpace
  • Yahoo! Bookmarks
  • Yahoo! Buzz

Tags: , , , ,

This entry was posted on Wednesday, April 14th, 2010 at 8:01 am and is filed under Ask the Expert, CCIE, Security, Techtorials. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

2 Responses to “Finding the benefit in GET VPN”

  1. TacACK says:
    April 14, 2010 at 8:38 am

    Nice write-up! :) I remember when you talked about this on twitter a long time back , i spent a couple of hours figuring out how to squeeze GETVPN with multicast rekeying into an existing DMVPN config.

    Great job again.

    Cheers,
    TacACK

    VA:F [1.9.6_1107]
    Rating: 5.0/5 (1 vote cast)
    Reply
  2. Brandon Carroll says:
    April 14, 2010 at 10:24 pm

    Good to hear. It’s been a hot topic lately and I think it’s an important concept to understand for the test.

    VA:F [1.9.6_1107]
    Rating: 0.0/5 (0 votes cast)
    Reply

Leave a Reply