This document provides a sample configuration for enabling dial backup on a spoke router in a Dynamic Multipoint VPN (DMVPN) hub-and-spoke network. The DMVPN solution is used to build large Cisco IOS® IP Security (IPsec) VPNs. DMVPN combines generic routing encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP). Dial backup enables the spoke router to try an alternative path to reach the hub router when the direct primary path to the hub router fails. This configuration relies on dial backup, Reliable Static Routing Backup Using Object Tracking, and policy-based routing. This sample configuration shows how to enable failover over a dial-up modem when the primary path to the hub router fails, and how to return from the backup path to the primary path when the primary path recovers.
Figure 1. Network Diagram
Simplification of IPsec VPN Configuration
Adding or removing a spoke does not require configuration changes on the hub router. The configuration on all the spokes is identical, except for the site specific addresses. The same configuration template can be used at all the spoke routers.
Support for Dynamically Addressed Spoke Routers
To configure the hub router in point-to-point GRE and IPsec hub-and-spoke VPN networks, the physical interface IP address of each spoke router must be known, because that IP address must be configured as the GRE tunnel destination address. DMVPN allows spoke routers to have dynamic physical interface IP addresses (common for cable and DSL connections). When the spoke router comes online, it sends registration packets to the hub router; the current physical interface IP address of the spoke is carried within these registration packets.
Support for Enterprise Class Remote Sites
Using DMVPN provides support for routing protocols to the remote sites. Using routing protocols to remote sites enables dynamic propagation of routing information and optimized route selection. Also, remote sites can use multicast traffic to support multimedia, video, and distance learning applications.
This network uses a hub-and-spoke topology. This configuration uses the alternate DMVPN configuration, which does not use the newer tunnel protection configuration.
The sample configuration is based on the following assumptions:
• Public IP address of the hub (this configuration is using 172.16.32.124)
• IP address of the IPsec tunnel on the hub (this configuration is using 192.168.0.1)
• IP address of the IPsec tunnel on the local spoke (this configuration is using 192.168.0.10)
• A static IP address on the WAN interface of the spoke
• The Routing protocol to be used with the hub router (this configuration is using Open Shortest Path First (OSPF))
• An assigned pre-shared key that will be used on the hub and all the spokes
• Dial-up account to an Internet service provider (ISP) to provide an alternate path to the hub router
• This guide describes the spoke router for hub and spoke DMVPN configurations only.
• Full security audit on the router configuration is not covered. It is recommended to run Security Audit in the wizard mode to lock down and secure the router.
• An initial router configuration step is not covered in the steps. The full configuration is shown in the next section.
• This network is using hub to spoke configuration topology. Traffic from a spoke to another spoke is required to pass via the hub first.
• This configuration is using the alternate DMVPN configuration, which uses a crypto map on the physical interface rather than the newer tunnel protection configuration.
Prepare to Begin
Before beginning the configurations, make sure that:
• The spoke router can reach the DMVPN hub directly over the Internet, and the DMVPN hub is configured and operational
• The spoke router can reach the DMVPN hub via the dial-up modem and the ISP
The sample configuration uses the following Cisco IOS Software releases and Cisco hardware:
• Cisco IOS Software Release 12.3(8)T1 and Cisco 831 Series Router (Cisco 831-K9O3SY6-M Series Router)
• Cisco IOS Software Release 12.3(10) and Cisco 3700 Series Multiservice Access Router (Cisco 3745-IK9O3S-M Series Router)
Figure 1 illustrates the network for the sample configuration.
The information presented in this document was obtained from devices in a specific lab environment. All of the devices started with a cleared (default) configuration. In a live network, it is imperative to understand the potential impact of any command before implementing it.
The idea is to use Internet Control Message Protocol (ICMP) pings to track the reachability of the hub via the spoke's primary interface. It is assumed that the spoke router must use different source addresses for tunnel packets going out of the primary interface and for tunnel packets going out of the backup interface. Cisco uses tunnel mode IPsec and a loopback interface as the GRE tunnel source; this allows the local IPsec peer address to dynamically match the outbound (primary or backup) interface address. Only DMVPN hub-and-spoke networks are supported.
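The following spoke-side configuration is an added example that illustrates the design described above; it is not the document's own configuration (which follows in the next section) and not Cisco's published sample. The interface names (Loopback0, Tunnel0, Ethernet1, Dialer1), the loopback address 192.168.1.10, the NHRP network ID and tunnel key, the map and access-list names and numbers, and the pre-shared key placeholder are all assumptions; the hub and tunnel addresses are the ones the document assumes.

```cisco
! Added example, not the document's spoke configuration. Assumed names and
! values are marked below; the pre-shared key is a placeholder.
!
! IKE policy and the pre-shared key shared with the hub (172.16.32.124).
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PRESHARED_KEY_PLACEHOLDER address 172.16.32.124
!
! Tunnel mode (not transport) because the inner GRE source is a loopback
! address, while the outer IPsec source is whichever physical interface
! (primary Ethernet1 or backup Dialer1) the packet leaves on.
crypto ipsec transform-set DMVPN_TS esp-3des esp-sha-hmac
 mode tunnel
!
! Crypto ACL: GRE from the loopback tunnel source to the hub public address.
access-list 110 permit gre host 192.168.1.10 host 172.16.32.124
!
! Static crypto map; no "local-address", so the IPsec peer address follows
! the outbound interface on which the map is applied.
crypto map DMVPN_MAP 10 ipsec-isakmp
 set peer 172.16.32.124
 set transform-set DMVPN_TS
 match address 110
!
! Assumed loopback used only as the GRE tunnel source. The hub must have a
! route (or reverse route injection) for this address toward its crypto map.
interface Loopback0
 ip address 192.168.1.10 255.255.255.255
!
! GRE tunnel to the hub, registering with the hub's tunnel address 192.168.0.1.
interface Tunnel0
 ip address 192.168.0.10 255.255.255.0
 ip nhrp authentication DMVPN
 ip nhrp map 192.168.0.1 172.16.32.124
 ip nhrp map multicast 172.16.32.124
 ip nhrp network-id 100
 ip nhrp nhs 192.168.0.1
 ip ospf network point-to-multipoint
 tunnel source Loopback0
 tunnel destination 172.16.32.124
 tunnel key 100
!
! The same crypto map on the primary WAN interface and the dial backup
! interface, so failover changes the IPsec endpoint without touching Tunnel0.
interface Ethernet1
 ip address 172.18.132.186 255.255.255.248
 crypto map DMVPN_MAP
!
interface Dialer1
 crypto map DMVPN_MAP
!
! OSPF runs over the tunnel subnet only.
router ospf 1
 network 192.168.0.0 0.0.0.255 area 0
```

The key design point is the pairing of tunnel mode IPsec with a loopback tunnel source: the GRE endpoints never change, so the hub's NHRP registration, OSPF adjacency and routing state survive a switch between Ethernet1 and Dialer1; only the outer IPsec peer address differs. On the hub this requires a dynamic crypto map (the spoke's backup address is assigned by the ISP), which is outside the scope of this spoke-side example.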
This sample configuration also used the following software features:
• DMVPN Configuration with Crypto Map: This DMVPN configuration uses the traditional "crypto map" command instead of the newer "tunnel protection" command. This configuration method is required on both hub and spoke routers.
• Reliable Static Routing Backup Using Object Tracking: This feature introduces the ability for Cisco IOS Software to use Internet Control Message Protocol (ICMP) pings to identify when an IPsec VPN hub becomes unreachable, and allows the initiation of a backup connection over any alternative path with a floating static route. For the complete documentation, see the Reliable Static Routing Backup Using Object Tracking link in the related information section of this document.
• Policy Based Routing: Policy-based routing (PBR) is only required when reliable static routing has to track the IP address of the DMVPN hub router itself. If a different IP address, such as a secondary IP address on the DMVPN hub, can be tracked instead, then a host static route can be used in place of PBR.
Policy-based routing is needed on the spoke router only. It is used to direct local ICMP packets, sent only from the spoke router to the hub router, through the WAN interface, even during failover. These packets are sent by the Reliable Static Routing Backup Using Object Tracking feature to determine reachability via the direct Internet path. The following configuration lines are used for policy-based routing:
! WAN (primary) interface address of the spoke; entered under the WAN interface
ip address 172.18.132.186 255.255.255.248
! Apply the route-map to packets the spoke router itself originates (global configuration)
ip local policy route-map MY_LOCAL_POLICY
! Host route to the hub via the ISP next hop, kept only while track object 123 reports the hub reachable
ip route 172.16.32.124 255.255.255.255 172.18.132.185 track 123
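To show how the three lines above fit together with the tracking feature and the floating static route, here is an added, complete version of that part of the spoke configuration. It is not the document's own configuration and not Cisco's published sample; the probe number (1), the access-list number (101), the interface names Ethernet1 and Dialer1, the probe timing and the administrative distance 250 are assumptions, and the "rtr" syntax is the pre-12.3(14)T form matching the IOS 12.3(8)T release the document lists.

```cisco
! Added example, not the document's spoke configuration. Assumed values are
! the probe number, ACL number, interface names, timers and distance 250.
!
! 1. ICMP echo probe to the hub public address, sourced from the WAN address,
!    every 3 seconds with a 1 second timeout ("rtr" form used by 12.3(8)T).
rtr 1
 type echo protocol ipIcmpEcho 172.16.32.124 source-ipaddr 172.18.132.186
 timeout 1000
 frequency 3
rtr schedule 1 life forever start-time now
!
! 2. Track object 123 follows the reachability state of probe 1.
track 123 rtr 1 reachability
!
! 3. Match only the router's own ICMP echoes to the hub ...
access-list 101 permit icmp host 172.18.132.186 host 172.16.32.124 echo
!
! ... and force them out the primary path. "set interface Null0" is the
! fallback evaluated only when the next hop is unusable: it drops the probe
! rather than letting it leak out the dialer, which would otherwise make the
! hub look reachable over the backup path and flap the tracked route.
route-map MY_LOCAL_POLICY permit 10
 match ip address 101
 set ip next-hop 172.18.132.185
 set interface Null0
ip local policy route-map MY_LOCAL_POLICY
!
! 4. Primary host route to the hub, installed only while track 123 is up.
ip route 172.16.32.124 255.255.255.255 172.18.132.185 track 123
!
! 5. Floating static route with a high administrative distance (assumed 250):
!    it is used only while the tracked route is withdrawn, and its GRE/IPsec
!    traffic is what brings up the dial backup on Dialer1 (dialer
!    configuration of Dialer1 is assumed to exist and is not shown here).
ip route 172.16.32.124 255.255.255.255 Dialer1 250
!
! Alternative noted in the text: if the hub has a second address that can be
! tracked instead, a plain host route for that address via 172.18.132.185
! replaces the route-map and the "ip local policy" line.
```

Once applied, the state transitions can be observed with "show track 123" (Up/Down with the reason) and "show ip route 172.16.32.124" (next hop 172.18.132.185 while up, Dialer1 while down); the probe traffic itself remains the only spoke-originated traffic that is policy-routed, because access list 101 is limited to ICMP echo from the WAN address to the hub.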
Dial backup enables the establishment of an alternative path using the auxiliary port of the spoke router. A Cisco 831 Series Router with a virtual aux port configuration is used in this case. For complete information on the virtual aux port, see the Virtual Auxiliary Port feature documentation.
CONFIGURATION OF THE SPOKE ROUTER
Following are the configurations on the spoke router: