Introduction
There is a technology called VPN.
Short for Virtual Private Network, it connects multiple sites over what behaves like a dedicated line.
VPNs fall broadly into two types: Internet VPN and IP-VPN.
Roughly:
- Internet VPN
  - Builds a virtual dedicated line over the Internet
  - Since you cannot control which networks the traffic crosses, encryption is effectively mandatory
  - VPN quality depends on Internet conditions along the path
  - Typically GRE or ESP for encapsulation and ESP for encryption (GRE over IPsec when both are used, as in DMVPN)
- IP-VPN
  - Connects to an IP-VPN network provided by a carrier
  - The two sites are not physically connected directly; the carrier separates customers logically inside its network, so it can be used as an effectively dedicated line
  - Since the path is known, encryption is not strictly required (the carrier can still see the traffic, so sensitive data is usually encrypted end to end anyway)
  - Quality can be guaranteed through an SLA with the carrier
  - Typically built with MPLS, MP-BGP and VRFs
This article looks at one Internet VPN technology, DMVPN, which was developed by Cisco and is in practice configured on Cisco routers.
What is DMVPN
Short for Dynamic Multipoint VPN, a technology that lets multiple sites establish tunnels and their IPsec SAs dynamically, without configuring every pair of sites by hand.
NHRP maps each router's public (NBMA) address on the Internet to its private address inside the tunnel; with that mapping, a router can build an SA directly to whichever peer it needs. Encapsulation uses mGRE (multipoint GRE): a single tunnel interface that can reach many peers.
Each router acts as a hub or a spoke depending on its configuration. Spokes register with the hub (the NHS) and, in phase 3 with `ip nhrp redirect` on the hub and `ip nhrp shortcut` on the spokes, learn other spokes' addresses from it so that spoke-to-spoke traffic bypasses the hub.
Question
Cisco's documentation and various blog posts often set `tunnel key` on the Tunnel interface.
Embarrassingly, for a long time I did not understand what this setting was for and simply configured it every time; then I heard that leaving it out causes trouble when one router participates in more than one DMVPN. So I decided to see for myself what actually goes wrong.
Lab environment
- Host PC: Windows 11 Pro
- Hypervisor: VMware Workstation 17 Pro
- Simulator: EVE-NG Community Edition 6.2.0-4
- Router image: Cisco IOSv 15.9(3)M6
VMware Workstation is installed on the Windows 11 PC and EVE-NG runs inside it as a VM.
Topology
RT1, RT3 and RT4 form DMVPN1; RT2, RT3 and RT4 form DMVPN2. RT3 and RT4 are therefore spokes in both DMVPNs and use the same Internet-facing interface (gi0/0) as the tunnel source for both.
INTERNET exchanges routes with each RT over BGP (the underlay); the RTs exchange routes across the DMVPNs with OSPF (the overlay).
Build 1 (normal: with tunnel key)
Build it the usual way, with a tunnel key on every tunnel.
For encryption, IKEv2 (PSK) and ESP (AES-256, SHA-256) are used. Two things in the configs are worth noting. First, on RT3 and RT4 both tunnels use gi0/0 as their source and the same IPsec profile, so `tunnel protection` carries the `shared` keyword; RT1 and RT2 have one tunnel each and do not need it. Second, the keyring matches any peer address, the IKEv2 profile matches any identity, and every router shares the PSK CISCO123. That is fine for a lab, but in production it means any host that knows the PSK can join the DMVPN, so use per-peer keys or certificates, and a real console/VTY login rather than `no login` with privilege level 15.
enable
configure terminal
hostname INTERNET
no ip domain lookup
! Console/VTY settings are lab-only conveniences: no timeout, no login, privilege 15
line console 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input all
 no login
 privilege level 15
! One /24 "Internet" segment toward each site router (RT1..RT4)
interface GigabitEthernet0/0
 ip address 101.0.0.254 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 ip address 102.0.0.254 255.255.255.0
 no shutdown
interface GigabitEthernet0/2
 ip address 103.0.0.254 255.255.255.0
 no shutdown
interface GigabitEthernet0/3
 ip address 104.0.0.254 255.255.255.0
 no shutdown
! Static default to Null0 so that BGP can originate 0.0.0.0/0 toward every site
ip route 0.0.0.0 0.0.0.0 Null0
router bgp 65000
 neighbor 101.0.0.1 remote-as 65001
 neighbor 102.0.0.1 remote-as 65002
 neighbor 103.0.0.1 remote-as 65003
 neighbor 104.0.0.1 remote-as 65004
 network 101.0.0.0 mask 255.255.255.0
 network 102.0.0.0 mask 255.255.255.0
 network 103.0.0.0 mask 255.255.255.0
 network 104.0.0.0 mask 255.255.255.0
 network 0.0.0.0
end
write memory
enable
configure terminal
hostname RT1
no ip domain lookup
! Console/VTY: lab-only (no timeout, no login, privilege 15)
line console 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input all
 no login
 privilege level 15
! gi0/0 = Internet-facing (NBMA) address, gi0/1 = site LAN
interface GigabitEthernet0/0
 ip address 101.0.0.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 no shutdown
! eBGP to INTERNET for the underlay (receives the default route)
router bgp 65001
 neighbor 101.0.0.254 remote-as 65000
! OSPF over the overlay: site LAN plus the Tunnel1 subnet
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
! IKEv2: AES-256-CBC / SHA-256 / DH group 14, PSK authentication.
! Lab-only: wildcard peer, one shared PSK and 'match identity remote any' let any
! host that knows the PSK build an SA; production uses per-peer keys or certificates.
crypto ikev2 proposal VPN
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy VPN
 proposal VPN
crypto ikev2 keyring VPN
 peer ALL
  address 0.0.0.0 0.0.0.0
  pre-shared-key local CISCO123
  pre-shared-key remote CISCO123
!
crypto ikev2 profile VPN
 match identity remote any
 authentication remote pre-share
 authentication local pre-share
 keyring local VPN
! ESP AES-256 with HMAC-SHA-256, tunnel mode
crypto ipsec transform-set VPN esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VPN
 set transform-set VPN
 set ikev2-profile VPN
! DMVPN1 hub: mGRE, NHRP network-id 1, tunnel key 1, 'ip nhrp redirect' for phase 3.
! Only one tunnel uses gi0/0 on this router, so 'shared' is not needed on tunnel protection.
! OSPF priority 255 makes the hub the DR on the broadcast-type tunnel network.
interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 ip nhrp authentication CISCO123
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile VPN
 ip ospf network broadcast
 ip ospf priority 255
end
write memory
enable
configure terminal
hostname RT2
no ip domain lookup
! Console/VTY: lab-only (no timeout, no login, privilege 15)
line console 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input all
 no login
 privilege level 15
! gi0/0 = Internet-facing (NBMA) address, gi0/1 = site LAN
interface GigabitEthernet0/0
 ip address 102.0.0.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 ip address 192.168.2.254 255.255.255.0
 no shutdown
! eBGP to INTERNET for the underlay
router bgp 65002
 neighbor 102.0.0.254 remote-as 65000
! OSPF over the overlay: site LAN plus the Tunnel2 subnet
router ospf 1
 network 192.168.2.0 0.0.0.255 area 0
 network 172.16.2.0 0.0.0.255 area 0
! Same IKEv2/IPsec settings as RT1 (lab-only wildcard peer and shared PSK)
crypto ikev2 proposal VPN
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy VPN
 proposal VPN
crypto ikev2 keyring VPN
 peer ALL
  address 0.0.0.0 0.0.0.0
  pre-shared-key local CISCO123
  pre-shared-key remote CISCO123
!
crypto ikev2 profile VPN
 match identity remote any
 authentication remote pre-share
 authentication local pre-share
 keyring local VPN
crypto ipsec transform-set VPN esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VPN
 set transform-set VPN
 set ikev2-profile VPN
! DMVPN2 hub: NHRP network-id 2, tunnel key 2; single tunnel on gi0/0, so no 'shared'
interface Tunnel2
 ip address 172.16.2.2 255.255.255.0
 no ip redirects
 ip nhrp authentication CISCO123
 ip nhrp network-id 2
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile VPN
 ip ospf network broadcast
 ip ospf priority 255
end
write memory
enable
configure terminal
hostname RT3
no ip domain lookup
! Console/VTY: lab-only (no timeout, no login, privilege 15)
line console 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input all
 no login
 privilege level 15
! gi0/0 = Internet-facing (NBMA) address shared by both tunnels, gi0/1 = site LAN
interface GigabitEthernet0/0
 ip address 103.0.0.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 ip address 192.168.3.254 255.255.255.0
 no shutdown
! eBGP to INTERNET for the underlay
router bgp 65003
 neighbor 103.0.0.254 remote-as 65000
! OSPF over both overlays: site LAN plus the Tunnel1 and Tunnel2 subnets
router ospf 1
 network 192.168.3.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
 network 172.16.2.0 0.0.0.255 area 0
! Same IKEv2/IPsec settings as RT1 (lab-only wildcard peer and shared PSK)
crypto ikev2 proposal VPN
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy VPN
 proposal VPN
crypto ikev2 keyring VPN
 peer ALL
  address 0.0.0.0 0.0.0.0
  pre-shared-key local CISCO123
  pre-shared-key remote CISCO123
!
crypto ikev2 profile VPN
 match identity remote any
 authentication remote pre-share
 authentication local pre-share
 keyring local VPN
crypto ipsec transform-set VPN esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VPN
 set transform-set VPN
 set ikev2-profile VPN
! Two DMVPN memberships on one router: both tunnels use gi0/0 as source and the same
! IPsec profile, so each needs a distinct 'tunnel key' and 'shared' on tunnel protection.
! DMVPN1 spoke: static map + NHS = hub RT1 (101.0.0.1 / 172.16.1.1); OSPF priority 0, never DR
interface Tunnel1
 ip address 172.16.1.3 255.255.255.0
 no ip redirects
 ip nhrp authentication CISCO123
 ip nhrp map 172.16.1.1 101.0.0.1
 ip nhrp map multicast 101.0.0.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.1.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile VPN shared
 ip ospf network broadcast
 ip ospf priority 0
! DMVPN2 spoke: static map + NHS = hub RT2 (102.0.0.1 / 172.16.2.2)
interface Tunnel2
 ip address 172.16.2.3 255.255.255.0
 no ip redirects
 ip nhrp authentication CISCO123
 ip nhrp map 172.16.2.2 102.0.0.1
 ip nhrp map multicast 102.0.0.1
 ip nhrp network-id 2
 ip nhrp nhs 172.16.2.2
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile VPN shared
 ip ospf network broadcast
 ip ospf priority 0
end
write memory
enable
configure terminal
hostname RT4
no ip domain lookup
! Console/VTY: lab-only (no timeout, no login, privilege 15)
line console 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input all
 no login
 privilege level 15
! gi0/0 = Internet-facing (NBMA) address shared by both tunnels, gi0/1 = site LAN
interface GigabitEthernet0/0
 ip address 104.0.0.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 ip address 192.168.4.254 255.255.255.0
 no shutdown
! eBGP to INTERNET for the underlay
router bgp 65004
 neighbor 104.0.0.254 remote-as 65000
! OSPF over both overlays: site LAN plus the Tunnel1 and Tunnel2 subnets
router ospf 1
 network 192.168.4.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
 network 172.16.2.0 0.0.0.255 area 0
! Same IKEv2/IPsec settings as RT1 (lab-only wildcard peer and shared PSK)
crypto ikev2 proposal VPN
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy VPN
 proposal VPN
crypto ikev2 keyring VPN
 peer ALL
  address 0.0.0.0 0.0.0.0
  pre-shared-key local CISCO123
  pre-shared-key remote CISCO123
!
crypto ikev2 profile VPN
 match identity remote any
 authentication remote pre-share
 authentication local pre-share
 keyring local VPN
crypto ipsec transform-set VPN esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VPN
 set transform-set VPN
 set ikev2-profile VPN
! Same layout as RT3: two mGRE tunnels on gi0/0, distinct tunnel keys, 'shared' protection
! DMVPN1 spoke toward hub RT1
interface Tunnel1
 ip address 172.16.1.4 255.255.255.0
 no ip redirects
 ip nhrp authentication CISCO123
 ip nhrp map 172.16.1.1 101.0.0.1
 ip nhrp map multicast 101.0.0.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.1.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile VPN shared
 ip ospf network broadcast
 ip ospf priority 0
! DMVPN2 spoke toward hub RT2
interface Tunnel2
 ip address 172.16.2.4 255.255.255.0
 no ip redirects
 ip nhrp authentication CISCO123
 ip nhrp map 172.16.2.2 102.0.0.1
 ip nhrp map multicast 102.0.0.1
 ip nhrp network-id 2
 ip nhrp nhs 172.16.2.2
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile VPN shared
 ip ospf network broadcast
 ip ospf priority 0
end
write memory
While configuring Tunnel2 on RT3 and RT4, the following log appeared. IOS is warning that gi0/0 is now the tunnel source of both Tunnel1 and Tunnel2 and that this can cause forwarding problems: every GRE packet arriving from the Internet has the same outer destination (103.0.0.1 or 104.0.0.1), so the router needs something else in the packet, the GRE key, to decide which tunnel interface it belongs to.
*Oct 7 12:14:51.540: %TUN-4-VALIDATE_TUNNEL_CONFIG: The configured tunnel src is being shared by multiple features on the device. Ex: Tunnel1 & Tunnel2. This configuration has the potential to introduce forwarding issues.
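The condition behind that warning can also be checked offline, before a config is pushed. The following Python script is an added example written for this article (it is not code from the original post or from Cisco): it parses IOS-style `interface TunnelN` blocks, groups mGRE tunnels by `tunnel source`, and reports any tunnel in a shared-source group that has no `tunnel key`, reuses another tunnel's key, or uses `tunnel protection` without `shared` while another tunnel on the same source is also protected. The function names are my own, and the sample configs are constructed from the article's RT3 tunnel section, once with the keys present and once with them removed as in build 2.

```python
"""Lint IOS tunnel interfaces that share a 'tunnel source'.

Added example for this article; not code from the original post or from Cisco.
Rule checked: mGRE tunnels sharing a source need a unique 'tunnel key', and if
more than one of them carries IPsec tunnel protection, each needs 'shared'.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

TUNNEL_RE = re.compile(r"^interface\s+(Tunnel\d+)\s*$", re.IGNORECASE)


def parse_tunnels(config: str) -> Dict[str, dict]:
    """Collect the tunnel-related lines of every 'interface TunnelN' block."""
    tunnels: Dict[str, dict] = {}
    cur = None
    for raw in config.splitlines():
        line = raw.strip()
        m = TUNNEL_RE.match(line)
        if m:
            cur = m.group(1)
            tunnels[cur] = {"source": None, "mgre": False, "key": None,
                            "profile": None, "shared": False}
            continue
        if line.startswith("interface ") or line in ("!", "end"):
            cur = None  # left the tunnel block
            continue
        if cur is None:
            continue
        t = tunnels[cur]
        if line.startswith("tunnel source "):
            t["source"] = line.split()[2].lower()
        elif line == "tunnel mode gre multipoint":
            t["mgre"] = True
        elif line.startswith("tunnel key "):
            t["key"] = int(line.split()[2])
        elif line.startswith("tunnel protection ipsec profile "):
            parts = line.split()
            t["profile"] = parts[4]
            t["shared"] = "shared" in parts[5:]
    return tunnels


def lint_tunnels(tunnels: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return (tunnel, problem) for every mGRE tunnel in a shared-source group."""
    findings: List[Tuple[str, str]] = []
    groups: Dict[str, List[str]] = defaultdict(list)
    for name, t in tunnels.items():
        if t["mgre"] and t["source"]:
            groups[t["source"]].append(name)
    for source, names in groups.items():
        if len(names) < 2:
            continue  # one tunnel per source: nothing to demultiplex
        protected = [n for n in names if tunnels[n]["profile"]]
        seen: Dict[int, str] = {}  # key -> first tunnel that used it
        for name in sorted(names):
            t = tunnels[name]
            if t["key"] is None:
                findings.append((name, f"no tunnel key while sharing source {source}"))
            elif t["key"] in seen:
                findings.append((name, f"tunnel key {t['key']} duplicates {seen[t['key']]}"))
            else:
                seen[t["key"]] = name
            if len(protected) > 1 and t["profile"] and not t["shared"]:
                findings.append((name, "tunnel protection needs 'shared' on a shared source"))
    return findings


# Constructed sample: the article's RT3 tunnel section (keys present, 'shared' set)
RT3_WITH_KEYS = """\
interface Tunnel1
 ip address 172.16.1.3 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 172.16.1.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile VPN shared
interface Tunnel2
 ip address 172.16.2.3 255.255.255.0
 ip nhrp network-id 2
 ip nhrp nhs 172.16.2.2
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile VPN shared
end
"""

# The same router after 'no tunnel key' on both interfaces (the article's build 2)
RT3_WITHOUT_KEYS = "\n".join(
    l for l in RT3_WITH_KEYS.splitlines() if not l.strip().startswith("tunnel key "))

if __name__ == "__main__":
    for label, cfg in (("with keys", RT3_WITH_KEYS), ("without keys", RT3_WITHOUT_KEYS)):
        print(label, lint_tunnels(parse_tunnels(cfg)) or "OK")
```

Run it against `show running-config` output taken from each router; a clean result for every router does not prove the keys match end to end (that is a cross-device check), but it catches the case tested in this article before the reload.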
Verification
R1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable, I2 - Temporary
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 103.0.0.1 172.16.1.3 UP 00:04:24 D
1 104.0.0.1 172.16.1.4 UP 00:04:09 D
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.3.254 0 FULL/DROTHER 00:00:32 172.16.1.3 Tunnel1
192.168.4.254 0 FULL/DROTHER 00:00:38 172.16.1.4 Tunnel1
R3#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable, I2 - Temporary
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 101.0.0.1 172.16.1.1 UP 00:05:02 S
Interface: Tunnel2, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 102.0.0.1 172.16.2.2 UP 00:05:01 S
R3#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.2.254 255 FULL/DR 00:00:31 172.16.2.2 Tunnel2
192.168.1.254 255 FULL/DR 00:00:39 172.16.1.1 Tunnel1
R4#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable, I2 - Temporary
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 101.0.0.1 172.16.1.1 UP 00:05:05 S
Interface: Tunnel2, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 102.0.0.1 172.16.2.2 UP 00:05:03 S
R4#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.2.254 255 FULL/DR 00:00:35 172.16.2.2 Tunnel2
192.168.1.254 255 FULL/DR 00:00:35 172.16.1.1 Tunnel1
(RT2 output omitted)
All sites can reach each other. From the addresses, vPC-N is the test host on the LAN behind RTN and 192.168.N.1 is its address.
vPC-1> ping 192.168.2.1
84 bytes from 192.168.2.1 icmp_seq=1 ttl=61 time=10.114 ms
84 bytes from 192.168.2.1 icmp_seq=2 ttl=61 time=6.934 ms
84 bytes from 192.168.2.1 icmp_seq=3 ttl=61 time=7.369 ms
84 bytes from 192.168.2.1 icmp_seq=4 ttl=61 time=7.266 ms
84 bytes from 192.168.2.1 icmp_seq=5 ttl=61 time=7.490 ms
vPC-1> ping 192.168.3.1
84 bytes from 192.168.3.1 icmp_seq=1 ttl=62 time=7.355 ms
84 bytes from 192.168.3.1 icmp_seq=2 ttl=62 time=4.835 ms
84 bytes from 192.168.3.1 icmp_seq=3 ttl=62 time=3.942 ms
84 bytes from 192.168.3.1 icmp_seq=4 ttl=62 time=4.172 ms
84 bytes from 192.168.3.1 icmp_seq=5 ttl=62 time=3.936 ms
vPC-1> ping 192.168.4.1
84 bytes from 192.168.4.1 icmp_seq=1 ttl=62 time=5.745 ms
84 bytes from 192.168.4.1 icmp_seq=2 ttl=62 time=4.479 ms
84 bytes from 192.168.4.1 icmp_seq=3 ttl=62 time=4.240 ms
84 bytes from 192.168.4.1 icmp_seq=4 ttl=62 time=4.000 ms
84 bytes from 192.168.4.1 icmp_seq=5 ttl=62 time=3.835 ms
vPC-2> ping 192.168.3.1
84 bytes from 192.168.3.1 icmp_seq=1 ttl=62 time=5.917 ms
84 bytes from 192.168.3.1 icmp_seq=2 ttl=62 time=4.009 ms
84 bytes from 192.168.3.1 icmp_seq=3 ttl=62 time=4.091 ms
84 bytes from 192.168.3.1 icmp_seq=4 ttl=62 time=4.035 ms
84 bytes from 192.168.3.1 icmp_seq=5 ttl=62 time=4.217 ms
vPC-2> ping 192.168.4.1
84 bytes from 192.168.4.1 icmp_seq=1 ttl=62 time=5.421 ms
84 bytes from 192.168.4.1 icmp_seq=2 ttl=62 time=4.290 ms
84 bytes from 192.168.4.1 icmp_seq=3 ttl=62 time=4.301 ms
84 bytes from 192.168.4.1 icmp_seq=4 ttl=62 time=4.490 ms
84 bytes from 192.168.4.1 icmp_seq=5 ttl=62 time=4.078 ms
vPC-3> ping 192.168.4.1
84 bytes from 192.168.4.1 icmp_seq=1 ttl=61 time=14.074 ms
84 bytes from 192.168.4.1 icmp_seq=2 ttl=62 time=8.929 ms
84 bytes from 192.168.4.1 icmp_seq=3 ttl=62 time=4.335 ms
84 bytes from 192.168.4.1 icmp_seq=4 ttl=62 time=4.109 ms
84 bytes from 192.168.4.1 icmp_seq=5 ttl=62 time=4.047 ms
I will skip the details, but spoke-to-spoke traffic does not go through the hub. You can see it in the TTLs above: vPC-3's first ping to 192.168.4.1 comes back with ttl=61 (three router hops, RT3 → hub → RT4), and from the second packet on with ttl=62 (two hops, RT3 → RT4 directly) once the NHRP shortcut has been installed. vPC-1 to 192.168.2.1 stays at ttl=61 because RT1 and RT2 are in different DMVPNs and traffic has to transit RT3 or RT4.
Build 2 (without tunnel key)
Remove the tunnel key from the environment above. A GRE key has to match on both ends of a tunnel (a receiver drops packets whose key does not match its own), so it is removed everywhere: Tunnel1 on RT1, Tunnel2 on RT2, and both tunnels on RT3 and on RT4. The commands for RT3 and RT4 are below.
interface Tunnel1
 no tunnel key 1
interface Tunnel2
 no tunnel key 2
interface Tunnel1
 no tunnel key 1
interface Tunnel2
 no tunnel key 2
To be safe, save and reload every device.
write memory
reload
Verification
R1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable, I2 - Temporary
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 103.0.0.1 172.16.1.3 UP 00:00:01 D
1 104.0.0.1 172.16.1.4 UP 00:00:06 D
R1#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.3.254 0 INIT/DROTHER 00:00:37 172.16.1.3 Tunnel1
192.168.4.254 0 INIT/DROTHER 00:00:34 172.16.1.4 Tunnel1
R3#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable, I2 - Temporary
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 101.0.0.1 172.16.1.1 NHRP 00:01:14 S
Interface: Tunnel2, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 102.0.0.1 172.16.2.2 UP 00:00:31 S
R3#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.2.254 255 FULL/DR 00:00:36 172.16.2.2 Tunnel2
R4#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable, I2 - Temporary
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 101.0.0.1 172.16.1.1 NHRP 00:01:27 S
Interface: Tunnel2, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 102.0.0.1 172.16.2.2 UP 00:00:43 S
R4#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.2.254 255 FULL/DR 00:00:35 172.16.2.2 Tunnel2
RT1 cannot bring up any OSPF neighbour (both stuck in INIT), and RT3 and RT4 have a neighbour only with RT2.
The `show dmvpn` output shows why. On RT3 and RT4, Tunnel1's NHS entry is stuck in NHRP state (the registration was sent, but no reply was ever processed on Tunnel1), while Tunnel2 is UP. RT1 still lists both spokes as UP because RT1 has a single tunnel on gi0/0 and can assign the spokes' registrations to it without ambiguity. What RT1 sends back, though (NHRP replies, OSPF hellos), arrives at RT3/RT4 with the same outer destination as RT2's traffic and no key to tell the two tunnels apart, which is consistent with it being handed to the wrong tunnel interface and discarded there. INIT on RT1 is exactly that symptom: RT1 sees the spokes' hellos, the spokes never see RT1's.
For completeness, RT2's output:
R2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable, I2 - Temporary
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel2, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 103.0.0.1 172.16.2.3 UP 00:00:19 D
1 104.0.0.1 172.16.2.4 UP 00:00:21 D
R2#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.3.254 0 FULL/DROTHER 00:00:35 172.16.2.3 Tunnel2
192.168.4.254 0 FULL/DROTHER 00:00:32 172.16.2.4 Tunnel2
As I had heard, a tunnel key is required when one router runs more than one DMVPN on the same tunnel source.
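The outputs above are the signature of this failure: a spoke's static NHS entry stuck in `NHRP` state while the hub still shows the spoke `UP`, and the hub's OSPF neighbours stuck in `INIT`. The following Python script is an added example for this article (not code from the original post or from Cisco) that turns those two `show` commands into a health check: it parses `show dmvpn` and `show ip ospf neighbor` text and returns the entries that are not healthy. The function names are my own; the sample outputs are constructed from the build-2 `show` output of R3 and R1 shown above.

```python
"""Health check over 'show dmvpn' and 'show ip ospf neighbor' output.

Added example for this article; not code from the original post or from Cisco.
"""
import re
from typing import Dict, List, Tuple

IFACE_RE = re.compile(r"^Interface:\s*(\S+),")
TYPE_RE = re.compile(r"^Type:\s*(\w+),")
# Peer rows: "# Ent  Peer NBMA Addr  Peer Tunnel Add  State  UpDn Tm  Attrb"
PEER_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# Neighbour rows: "Neighbor ID  Pri  State  Dead Time  Address  Interface"
OSPF_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\w+)/(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_show_dmvpn(text: str) -> Dict[str, dict]:
    """{tunnel: {"type": "Hub"|"Spoke", "peers": [{nbma, tunnel, state, attrb}, ...]}}"""
    tunnels: Dict[str, dict] = {}
    cur = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = m.group(1)
            tunnels[cur] = {"type": None, "peers": []}
            continue
        if cur is None:
            continue  # legend lines before the first interface block
        m = TYPE_RE.match(line)
        if m:
            tunnels[cur]["type"] = m.group(1)
            continue
        m = PEER_RE.match(line)
        if m:
            _ent, nbma, tun, state, _updn, attrb = m.groups()
            tunnels[cur]["peers"].append(
                {"nbma": nbma, "tunnel": tun, "state": state, "attrb": attrb})
    return tunnels


def dmvpn_problems(tunnels: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """(interface, peer tunnel address, state) for every peer that is not UP.
    On a spoke, a static (S) NHS entry stuck in NHRP means the registration was
    sent but no usable reply came back on this interface."""
    return [(name, p["tunnel"], p["state"])
            for name, info in tunnels.items()
            for p in info["peers"] if p["state"] != "UP"]


def ospf_not_full(text: str) -> List[Tuple[str, str, str]]:
    """(interface, neighbour id, state) for neighbours that never reached FULL.
    INIT means our own hellos are not being seen by the neighbour.
    2WAY/DROTHER between two non-DR routers is normal and is not reported."""
    out = []
    for line in text.splitlines():
        m = OSPF_RE.match(line)
        if not m:
            continue
        nbr, _pri, state, role, _dead, _addr, iface = m.groups()
        if state == "FULL" or (state == "2WAY" and role == "DROTHER"):
            continue
        out.append((iface, nbr, state))
    return out


# Constructed from the article's build-2 output (tunnel keys removed) on R3 and R1
R3_SHOW_DMVPN = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
==========================================================================
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 101.0.0.1        172.16.1.1  NHRP 00:01:14     S
Interface: Tunnel2, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 102.0.0.1        172.16.2.2    UP 00:00:31     S
"""
R1_OSPF_NEIGHBOR = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.3.254     0   INIT/DROTHER    00:00:37    172.16.1.3      Tunnel1
192.168.4.254     0   INIT/DROTHER    00:00:34    172.16.1.4      Tunnel1
"""

if __name__ == "__main__":
    print("R3 dmvpn:", dmvpn_problems(parse_show_dmvpn(R3_SHOW_DMVPN)))
    print("R1 ospf :", ospf_not_full(R1_OSPF_NEIGHBOR))
```

Feed it the real command output (for example collected over SSH by whatever automation you already use); a spoke with a static entry in NHRP state on one tunnel but UP on a second tunnel with the same source is the pattern to look for.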
Summary
The router tells the two mGRE tunnels apart by the GRE key. With the keys removed, a packet arriving on gi0/0 matches both tunnel interfaces, only one of them actually receives the traffic, and only that DMVPN works. The %TUN-4-VALIDATE_TUNNEL_CONFIG warning at configuration time was pointing at exactly this.
Setting a key costs 4 bytes of GRE header and interferes with nothing, so it is worth configuring on every DMVPN tunnel: a different key per DMVPN, and the same key on every router in that DMVPN. Two caveats. The key is not a security control: it travels in cleartext in the GRE header, as does the `ip nhrp authentication` string, and in this design both are protected only by sitting inside ESP; peer authentication is IKEv2's job. And the key is only needed for demultiplexing when tunnels share a source; giving each DMVPN its own tunnel source address is the other way to make the tunnels distinguishable.
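To make the mechanism behind that summary concrete, the following Python script is an added example written for this article (it is not code from the original post or from Cisco). It builds and parses GRE headers as defined in RFC 2784/2890, where the K bit and the 4-byte Key field are what `tunnel key` sets, and then models in simplified form how a receiver with two mGRE tunnels on the same source address chooses the tunnel interface for a decrypted packet. The tunnel table for RT3 and the inner payload are constructed; choosing the last match in the ambiguous case is an assumption of this model that mirrors what the article observed (Tunnel2 winning), not documented IOS behaviour.

```python
"""GRE (RFC 2784/2890) key handling and a simplified tunnel-interface lookup.

Added example for this article; not code from the original post or from Cisco.
"""
import struct
from typing import List, Optional, Tuple

GRE_C = 0x8000  # Checksum Present
GRE_K = 0x2000  # Key Present: set by 'tunnel key N'
GRE_S = 0x1000  # Sequence Number Present
ETH_P_IP = 0x0800


def gre_encap(payload: bytes, key: Optional[int] = None,
              seq: Optional[int] = None, proto: int = ETH_P_IP) -> bytes:
    """Prepend a GRE header; Key and Sequence are optional 32-bit fields."""
    flags, opt = 0, b""
    if key is not None:
        flags |= GRE_K
        opt += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_S
        opt += struct.pack("!I", seq)
    return struct.pack("!HH", flags, proto) + opt + payload


def gre_decap(pkt: bytes) -> dict:
    """Parse a GRE header; returns proto, key, seq and the inner payload."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    off = 4
    if flags & GRE_C:
        off += 4  # Checksum + Reserved1 (not validated in this example)
    key = seq = None
    if flags & GRE_K:
        (key,) = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    if flags & GRE_S:
        (seq,) = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    return {"proto": proto, "key": key, "seq": seq, "payload": pkt[off:]}


class TunnelTable:
    """Receiver-side model: mGRE tunnels have no fixed remote, so an incoming
    GRE packet can only be matched on (local source address, GRE key)."""

    def __init__(self) -> None:
        self.entries: List[Tuple[str, str, Optional[int]]] = []

    def add(self, name: str, local_src: str, key: Optional[int]) -> None:
        self.entries.append((name, local_src, key))

    def lookup(self, outer_dst: str, key: Optional[int]) -> List[str]:
        return [n for n, src, k in self.entries if src == outer_dst and k == key]


def rt3_table(with_keys: bool) -> TunnelTable:
    """Constructed from the article's RT3: Tunnel1 and Tunnel2 both sourced from gi0/0 (103.0.0.1)."""
    t = TunnelTable()
    t.add("Tunnel1", "103.0.0.1", 1 if with_keys else None)
    t.add("Tunnel2", "103.0.0.1", 2 if with_keys else None)
    return t


def select_interface(table: TunnelTable, outer_dst: str,
                     pkt: bytes) -> Tuple[Optional[str], bool]:
    """Pick the tunnel interface for a decrypted GRE packet.
    Returns (interface, or None if no tunnel matches; whether the match was ambiguous)."""
    matches = table.lookup(outer_dst, gre_decap(pkt)["key"])
    if not matches:
        return None, False  # key mismatch: the packet is dropped
    # Assumption of this model: the last configured match wins (the article saw Tunnel2 win).
    # Which interface real IOS picks when no key disambiguates is nothing to rely on.
    return matches[-1], len(matches) > 1


# Constructed stand-in for an inner IPv4 packet (an OSPF hello or NHRP reply would sit here)
INNER = b"\x45\x00" + bytes(18)

if __name__ == "__main__":
    for with_keys in (True, False):
        table = rt3_table(with_keys)
        for key in (1, 2, None):
            pkt = gre_encap(INNER, key=key)
            print(f"keys_configured={with_keys} gre_key={key} -> "
                  f"{select_interface(table, '103.0.0.1', pkt)}")
```

Two of the cases correspond to the article's runs: with keys configured, a packet keyed 1 lands on Tunnel1 and a packet keyed 2 on Tunnel2, unambiguously; with the keys removed, a keyless packet matches both and the receiver can only pick one. A third case, a keyed packet reaching a keyless table, is the mismatch you get when the key is removed on only one end, and it is simply dropped.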