Generic Routing Encapsulation
GRE was developed by Cisco to encapsulate a variety of protocols inside IP tunnels. It requires
only minimal configuration for basic IP VPNs, but it is weak in both security and scalability.
GRE does not encrypt the encapsulated packets, nor does it cryptographically authenticate them,
so anything carried in a plain GRE tunnel can be read or modified by anyone on the path, and every
point-to-point tunnel needs its own interface and configuration.
Using IPsec with GRE tunnels provides secure VPN tunnels by encrypting the GRE tunnel
traffic. This approach has many advantages, such as support for dynamic IGP routing protocols,
non-IP protocols, and IP multicast. Other advantages include support for QoS policies and
deterministic routing metrics for the headend IPsec termination points. Because all the primary
and backup GRE over IPsec tunnels are preestablished, there is built-in redundancy for failure
scenarios. The remote sites can use dynamic or static IP addressing, but the headend site requires
static IP addressing. Primary tunnels are differentiated from backup tunnels by modifying the
routing metrics slightly so that one is preferred over the other.
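As an added example (not from the original text), the following spoke router configuration builds two preestablished GRE over IPsec tunnels to two headends and runs EIGRP across both, raising the interface delay on the backup tunnel so that its metric is slightly worse. The same Tunnel0 block without the "tunnel protection" line would be the plain, unencrypted GRE tunnel described above. The headend addresses (203.0.113.1 and 203.0.113.2), the tunnel subnets, the LAN prefix 192.168.10.0/24, the interface names, the pre-shared key and the EIGRP AS number are all assumptions for illustration; each headend carries the mirror-image tunnel configuration.

```cisco
! Spoke router: two preestablished GRE over IPsec tunnels (example configuration,
! not from the original text; all addresses, names and keys are assumed).
!
! IKE (ISAKMP) policy shared by both tunnels.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Pre-shared keys for the two headends (assumed static public addresses).
crypto isakmp key Gr3S3cret address 203.0.113.1
crypto isakmp key Gr3S3cret address 203.0.113.2
!
! IPsec transform set. Transport mode is sufficient because GRE already adds
! the outer IP header; only the GRE packet itself is encrypted.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! IPsec profile that "tunnel protection" binds to the GRE interfaces.
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! Primary tunnel to headend A. MTU/MSS are lowered to leave room for the
! GRE and ESP headers and avoid fragmentation.
interface Tunnel0
 description Primary GRE over IPsec to headend A
 ip address 10.0.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
!
! Backup tunnel to headend B. The default delay of a tunnel interface is
! 50000 (tens of microseconds); raising it makes the EIGRP composite metric
! slightly worse, so routes learned here are used only if Tunnel0 fails.
interface Tunnel1
 description Backup GRE over IPsec to headend B
 ip address 10.0.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 delay 60000
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
! Dynamic IGP over both tunnels; the site LAN is advertised to both headends.
router eigrp 100
 network 10.0.0.0 0.0.1.255
 network 192.168.10.0 0.0.0.255
 no auto-summary
```

After the configuration is applied, "show crypto ipsec sa" should show encrypted and decrypted packet counters climbing on both tunnel destinations, and "show ip route eigrp" should list the headend prefixes via Tunnel0 with Tunnel1 appearing only in the EIGRP topology table as a feasible successor. Note the limitation this design has with dynamically addressed remote sites: the headend's point-to-point tunnel needs a fixed "tunnel destination", so with a dynamic spoke address the headend cannot be configured this way, which is one of the problems DMVPN addresses.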
IPsec DMVPN
DMVPN is a Cisco IOS solution for building IPsec + GRE VPNs in a dynamic and scala-
ble manner.
DMVPN relies on two key technologies, NHRP and mGRE:
Next Hop Resolution Protocol (NHRP) maintains a mapping database from each spoke's tunnel
address to its real public (NBMA) address. Spokes register their public address with the hub, and
a spoke can query the hub to resolve the public address of another spoke.
Multipoint GRE (mGRE) is a single GRE tunnel interface that supports multiple GRE and IPsec
tunnels, which reduces the complexity and the size of the configuration.
DMVPN reduces the amount of configuration required and supports the following features:
IP unicast, IP multicast, and dynamic routing protocol support
Remote spoke routers with dynamic IP addressing
Spoke routers behind dynamic Network Address Translation (NAT) and hub routers
behind static NAT
Dynamic spoke-to-spoke tunnels for partial scaling or fully meshed VPNs
Support for all of the GRE tunnel benefits such as QoS, deterministic routing, and re-
dundancy scenarios
Each remote site connects through a GRE tunnel interface (point-to-point in a pure hub-and-spoke
design, or mGRE when dynamic spoke-to-spoke tunnels are needed) to a single mGRE headend
interface. The headend mGRE interface dynamically accepts new tunnel connections.
Redundancy can be achieved by configuring spokes to terminate to multiple headends at
one or more hub locations. IPsec tunnel protection binds an IPsec profile to the tunnel
interface, so the cryptographic attributes are applied to every tunnel that a remote peer
originates to it.
Dead peer detection (DPD) can be used to detect the loss of a peer IPsec connection.
mGRE interfaces.