NETSHe firmware user guide
DM VPN implementation
2018 © NETSHe Lab Ltd.
DM VPN is a technology for establishing a secured VPN over public IP networks such as the Internet.
DM VPN operates with two types of nodes: Hub and Spoke.
DM VPN implements star (all VPN traffic goes through the HUB) or full mesh (traffic goes directly between branches) topologies.
In a star topology, spoke-to-spoke communication can be prohibited by firewall or advanced routing rules. This may be useful to meet different enterprise requirements.
On the other hand, a mesh topology allows offloading hub channels, reducing hub load (and hub hardware requirements) and reducing spoke-to-spoke delay.
Spokes may have a static or dynamically assigned IP address and may be behind NAT (*).
Hub must have a static IP address and must not be behind NAT (**). Hub may be addressed through an FQDN (Fully Qualified Domain Name). In case of FQDN addressing, using a dynamically assigned IP address is allowed, with the understanding and agreement that service is interrupted while the Hub address is changing.
* Some types of NAT or NAT settings may prohibit DM VPN Spoke functionality.
** Hub may be behind a properly configured NAT with multi-point GRE and IPSec bypassing.
A typical DM VPN application is shown below.
[Figure: typical DM VPN application. Labels: DM VPN tunnels between Spokes; traditional static tunnels and DM VPN tunnels which match the traditional ones; static and known IP addresses; dynamically assigned IP addresses.]
DM VPN relies on three proven technologies: Next Hop Resolution Protocol (NHRP), multi-point GRE tunnel and IPSec. To simplify and automate routing management, DM VPN also uses a dynamic routing service like OSPF or BGP.
NHRP provides registration, resolution and redirect services (NHRP resolutions and redirects).
Multi-point GRE provides a single (multi-point) tunnel interface and the NHRP source.
DM VPN builds out a dynamic tunnel overlay network.
IPSec is triggered through "tunnel protection" and works together with NHRP:
A dynamic routing service such as BGP or OSPF is used to establish the right routing rules on the Hub and on every Spoke automatically.
Each available routing service has its own advantages:
Star topology. Spoke-to-spoke communications are prohibited (or controlled) by firewall or routing rules.
Meshed topology. Spoke-to-spoke communications are allowed to reduce latency and hub load.
Meshed topology. Spoke-to-spoke communications are allowed to reduce latency and hub load. DM VPN is used only when primary MPLS network is down.
NETSHe firmware provides:
* - Work is in progress.
The current implementation supports the following DM VPN topologies:
These topologies will be addressed below.
Spoke can be configured in two ways: through the setup wizard or through the expert web-interface.
The setup wizard allows configuring SPOKE with a single tunnel to a single HUB in the network (topology 1), or the primary tunnel of SPOKE for topologies 2, 3 and 4 (configuring the second tunnel requires access to the full web-interface).
Please keep in mind that this way allows configuring a cellular connection as a backup or second WAN link for topologies 2 and 4.
To configure a spoke, go through the setup wizard until the DM VPN configuration question shown below.
Choose the «Yes. I want to setup DM VPN spoke» option, then fill in the DM VPN Hub address, Spoke private address, passphrase for IPSec, AS number (if you want to use BGP routing) and the mandatory tunnel key.
Please keep in mind that the Hub address may be an FQDN or a static IP address, as shown below.
Some optional parameters can be configured here as well: authentication secret and hold time for NHRP; tunnel cost, area, hello and dead time for OSPF; metric for BGP.
Complete the setup wizard and reboot the device. Enjoy running your DM VPN spoke.
The expert web-interface allows configuring SPOKE for any available topology.
To configure DM VPN Spoke through the expert web-interface, please select menu «Services→Access concentrator→DM VPN» as shown below.
Tick the «Enable SPOKE» checkbox and fill in the related fields as shown below.
To configure a second tunnel to another HUB, please select the second tab.
It should be noted that the second tunnel can be configured through the same WAN interface as the primary tunnel or through another WAN interface.
If the system does not see a second WAN interface, it will not offer to select a source interface for the second tunnel and will use the primary WAN interface automatically.
It should be noted that configuring DM VPN SPOKE with two concurrent tunnels through two WAN interfaces (topology 4) with concurrent default routes will give unpredictable results.
We suggest implementing topology 4 in the following manner:
Press the «Save» button. If you tick the «Restart service..» checkbox, you will be prompted to reboot the device.
Hub configuration is available in the full web-interface only.
To configure DM VPN Hub, select menu «Services→Access concentrator→DM VPN». Tick the «Enable HUB» checkbox and fill in the related fields as shown below.
Please keep in mind that when you use BGP routing (AS number is not zero), you must specify every SPOKE address. When you use OSPF routing (AS number is zero), you need not specify any SPOKE addresses.
Please keep in mind that you must specify the private network netmask for HUB setup. Every SPOKE address must belong to the network specified by the HUB private address and netmask.
Another field which is specific to HUB setup is «Does HUB act as VPN node?». When this field is ticked, the networks behind the HUB LAN interfaces are introduced into the overlay network.
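The Spoke wizard fields above and the HUB rules in the two preceding paragraphs can be checked offline before touching a device. The following is an added example written for this guide, not NETSHe firmware code: it models a HUB and its SPOKEs with assumed field names that mirror the web-interface fields (hub_address, private_address, netmask, tunnel_key, ipsec_passphrase, as_number, spoke_addresses) and reports the rule violations the guide describes (FQDN or static IP for the Hub address, every SPOKE inside the HUB private network, every SPOKE listed when BGP is selected, matching tunnel key and IPSec passphrase on both ends). All sample values are constructed.

```python
"""Validate a DM VPN HUB/SPOKE plan against the rules stated in this guide.

Added example; this is not NETSHe firmware code. The field names
(hub_address, private_address, netmask, tunnel_key, ipsec_passphrase,
as_number, spoke_addresses) are assumptions that mirror the web-interface
fields described above, and every sample value is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_static_ipv4(addr: str) -> bool:
    """True for an IPv4 literal such as 203.0.113.10."""
    try:
        ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return False
    return True


def is_fqdn(name: str) -> bool:
    """True for a dotted host name such as hub.example.com (IP literals are rejected)."""
    if is_static_ipv4(name) or "." not in name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


@dataclass
class HubConfig:
    private_address: str                 # HUB address inside the overlay network
    netmask: str                         # private network netmask, mandatory for HUB
    tunnel_key: int                      # mandatory mGRE tunnel key
    ipsec_passphrase: str
    as_number: int = 0                   # 0 selects OSPF, non-zero selects BGP
    spoke_addresses: List[str] = field(default_factory=list)

    def private_network(self) -> ipaddress.IPv4Network:
        # strict=False lets the host address 10.10.0.1 stand for 10.10.0.0/24.
        return ipaddress.IPv4Network(f"{self.private_address}/{self.netmask}", strict=False)

    def uses_bgp(self) -> bool:
        return self.as_number != 0


@dataclass
class SpokeConfig:
    hub_address: str                     # static IPv4 address or FQDN of the HUB
    private_address: str
    tunnel_key: int
    ipsec_passphrase: str
    as_number: int = 0


def check_hub(hub: HubConfig) -> List[str]:
    """Return the HUB-side rule violations (an empty list means the plan is consistent)."""
    problems = []
    net = hub.private_network()
    if hub.uses_bgp() and not hub.spoke_addresses:
        problems.append("BGP routing (non-zero AS number) requires every SPOKE address to be listed")
    for spoke in hub.spoke_addresses:
        if ipaddress.IPv4Address(spoke) not in net:
            problems.append(f"SPOKE {spoke} is outside the HUB private network {net}")
    if not hub.ipsec_passphrase:
        problems.append("IPSec passphrase is empty")
    return problems


def check_spoke(spoke: SpokeConfig, hub: HubConfig) -> List[str]:
    """Return the SPOKE-side rule violations for a SPOKE that registers to this HUB."""
    problems = []
    if not (is_static_ipv4(spoke.hub_address) or is_fqdn(spoke.hub_address)):
        problems.append(f"HUB address {spoke.hub_address!r} is neither a static IPv4 address nor an FQDN")
    net = hub.private_network()
    if ipaddress.IPv4Address(spoke.private_address) not in net:
        problems.append(f"SPOKE private address {spoke.private_address} is outside {net}")
    # The GRE key and the IPSec pre-shared passphrase must be identical on both tunnel ends.
    if spoke.tunnel_key != hub.tunnel_key:
        problems.append("tunnel key differs from the HUB tunnel key")
    if spoke.ipsec_passphrase != hub.ipsec_passphrase:
        problems.append("IPSec passphrase differs from the HUB passphrase")
    # Both ends must select the same routing service: AS 0 means OSPF, anything else BGP.
    if (spoke.as_number == 0) != (hub.as_number == 0):
        problems.append("routing service mismatch: one side selects OSPF, the other BGP")
    elif hub.uses_bgp() and spoke.private_address not in hub.spoke_addresses:
        problems.append(f"BGP routing: SPOKE {spoke.private_address} is not listed on the HUB")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: one HUB and two SPOKEs in 10.10.0.0/24 using BGP.
    hub = HubConfig("10.10.0.1", "255.255.255.0", 1234, "s3cret-passphrase",
                    as_number=65000, spoke_addresses=["10.10.0.2", "10.10.0.3"])
    spokes = [SpokeConfig("hub.example.com", "10.10.0.2", 1234, "s3cret-passphrase", 65001),
              SpokeConfig("203.0.113.10", "10.10.1.3", 1234, "wrong", 0)]
    print("HUB:", check_hub(hub) or "ok")
    for s in spokes:
        print("SPOKE", s.private_address, ":", check_spoke(s, hub) or "ok")
```

Running the script prints "ok" for the HUB and the first SPOKE, while the second SPOKE is reported for its private address outside 10.10.0.0/24, its differing passphrase and its OSPF/BGP mismatch. The netmask is accepted in dotted form because the HUB form asks for a netmask, not a prefix length.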
We tried to simplify the DM VPN setup process as much as possible:
The security has never been so affordable!