Posted in: Security, VPN, Cisco

DMVPN (1)

DMVPN combines two technologies:

Next Hop Resolution Protocol (NHRP):
Creates a distributed mapping database of VPN(tunnel interface) to real (public interface) addresses
 

Multipoint GRE Tunnel Interface:
Single GRE interface to support multiple GRE/IPsec tunnels and endpoints

Simplifies size and complexity of configuration

Supports dynamic tunnel creation
 

NHRP message types:

Registration: sent from spoke to hub to register the spoke's tunnel-to-NBMA mapping

Resolution: when a spoke needs to communicate with another spoke, it uses a resolution message to obtain that spoke's mapping

Purge: clears stale dynamic NHRP mappings

Error: signals an error
 

NHRP mapping flags

 

DMVPN configuration recommendations:

Use 'mode transport' on the transform-set

Helps NHRP work with NAT-T and saves 20 bytes per packet (no extra outer IP header)
 

MTU issues

ip mtu 1400

ip tcp adjust-mss 1360

crypto ipsec fragmentation after-encryption (global)
 

NHRP

ip nhrp holdtime <seconds> (recommended values 300 - 600) (tells the hub how long to keep this NHRP entry in its cache)

ip nhrp registration timeout <seconds> (how often registration messages are sent; if not set, the timeout defaults to 1/3 of the holdtime)

ip nhrp registration no-unique (do not set the unique flag on NHRP registrations. By default a spoke sets the unique flag when it sends a registration, which means the NHS rejects any registration attempt that carries the same tunnel address with a different NBMA address; if the client obtains a new NBMA address, for example via DHCP, the NHS rejects it until the old NHRP entry's holdtime expires; with this command the NHS can overwrite the old registration)
 

ISAKMP

Call Admission Control (CAC) (on spokes and hubs)

crypto call admission limit { ike sa max-SAs | percent }

 

Keepalives on spokes (GRE tunnel keepalives are not supported)

crypto isakmp keepalive 15 (used to detect a hub router that has gone down)