September 2013 | Reading Time: 8 minutes
As enterprises increasingly carry branch connectivity over the public Internet, securing dynamic VPN architectures such as DMVPN becomes a top design priority. By September 2013, DMVPN had become a go-to solution for scalable, resilient WAN deployments, especially for organizations looking for a cost-effective alternative to MPLS. In this post, we look at how to combine IPsec encryption and EIGRP routing in a DMVPN design that gives confidentiality and integrity on the wire and reachability across distributed networks.
Understanding DMVPN in Enterprise WAN
DMVPN (Dynamic Multipoint VPN) enables secure communication between many sites without a manually defined full mesh of point-to-point tunnels. It combines NHRP (Next Hop Resolution Protocol), multipoint GRE (mGRE) tunnel interfaces and IPsec: a single mGRE interface per router terminates all tunnels, NHRP maps tunnel addresses to public (NBMA) addresses, and IPsec tunnel protection encrypts whatever GRE traffic the interface sends. Configuration grows linearly with the number of sites instead of with the number of site pairs.
In a basic DMVPN deployment:
- The hub acts as the NHRP server (next-hop server, NHS) and holds the mapping of every spoke's tunnel address to its public address
- Spokes register their public address with the hub over NHRP, keep a permanent tunnel to it, and build direct GRE tunnels to other spokes on demand after resolving the other spoke's public address through the hub
- IPsec secures every one of these GRE tunnels, permanent or on demand, to provide confidentiality and integrity over the Internet
Designing with IPsec for Secure Transport
IPsec protects the GRE tunnels from eavesdropping and tampering. A typical DMVPN configuration uses ISAKMP pre-shared keys and the tunnel protection feature, which attaches an IPsec profile to the mGRE interface so that every tunnel built through it is encrypted without per-peer crypto maps. The hub configuration below illustrates the approach on Cisco IOS routers:
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! Wildcard key: any peer that knows MySharedKey can authenticate to this hub
crypto isakmp key MySharedKey address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-Profile
 set transform-set ESP-AES-SHA
!
! Hub mGRE interface. The NHRP lines are required for DMVPN: without a
! network-id NHRP does not run on the interface, and "map multicast dynamic"
! lets the hub send EIGRP hellos to every spoke that registers.
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-Profile
Tunnel protection binds the profile to the mGRE interface, so each dynamically built GRE tunnel is encrypted with these parameters and no per-peer crypto map is needed. Two caveats apply. The wildcard key (address 0.0.0.0 0.0.0.0) means any peer that knows the key can authenticate, so the design is only as strong as key secrecy and key distribution. The policy above also uses SHA-1 and the 1024-bit DH group 2, and the transform set esp-aes is 128-bit AES even though ISAKMP negotiates AES-256; on IOS releases that support them, prefer group 14, hash sha256 and esp-aes 256. The NHRP authentication string is a misconfiguration guard rather than a security control: it is carried inside the GRE packet and is protected on the wire only by the ESP encapsulation around it.
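The post shows only the hub side of the tunnel. The spoke configuration below is an added example, not from the original post; it assumes the hub's public address is 203.0.113.1, that the spoke takes 10.10.10.2 on the tunnel, and that both routers use GigabitEthernet0/0 as their Internet-facing interface. The NHRP network-id and authentication string, the tunnel key and the IPsec profile must match the hub, and the MTU and MSS values are the usual allowance for GRE plus ESP overhead.

```cisco
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! Key scoped to the hub's public address (assumed 203.0.113.1). This is
! enough for hub-and-spoke. For direct spoke-to-spoke tunnels with
! pre-shared keys a spoke must also authenticate other spokes, which in
! practice means a wildcard key (address 0.0.0.0 0.0.0.0) or certificates.
crypto isakmp key MySharedKey address 203.0.113.1
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-Profile
 set transform-set ESP-AES-SHA
!
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 ! GRE plus ESP overhead: cap the tunnel MTU and clamp TCP MSS so branch
 ! traffic is not fragmented after encapsulation
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! NHRP client settings: network-id and authentication match the hub,
 ! the static map and NHS entry point at the hub's tunnel/public addresses
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 100
 ip nhrp map 10.10.10.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.10.10.1
 ip nhrp holdtime 300
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-Profile
```

After the spoke comes up, show dmvpn on the hub should list the spoke's public address as a dynamic (D) entry with the IPsec session up, show ip nhrp should show the registration, and show crypto ipsec sa should show encrypt and decrypt counters increasing in both directions. A spoke that shows the interface up but never appears in show dmvpn on the hub almost always has a tunnel key, network-id or NHRP authentication mismatch.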
EIGRP as the Dynamic Routing Protocol
Routing within a DMVPN topology benefits from EIGRP's fast convergence and from the fact that it runs unchanged over the mGRE interface, which behaves like a single multi-access segment shared by the hub and all spokes. Each spoke advertises its LAN prefixes to the hub over the tunnel and learns the other sites' prefixes from it, so no static routes are needed; the hub just has to be told to re-advertise what it learns from one spoke to the others.
Important considerations include:
- Disable split horizon on the hub's tunnel interface (no ip split-horizon eigrp), otherwise the hub will not re-advertise one spoke's routes to the other spokes
- Disable next-hop-self on the hub's tunnel interface (no ip next-hop-self eigrp) when spoke-to-spoke tunnels are wanted, so spokes learn each other as the next hop instead of the hub
- Use route summarization to reduce routing updates: summarize branch prefixes at the spokes and hub-side prefixes at the hub, but do not summarize spoke prefixes on the hub in a spoke-to-spoke design, because the summary carries the hub as next hop and inter-spoke traffic then flows through the hub
- Make non-tunnel interfaces passive (passive-interface default, no passive-interface Tunnel0) so EIGRP forms neighbors only where intended
Example:
router eigrp 100
 network 10.10.10.0 0.0.0.255
 no auto-summary
!
! Hub tunnel: both commands are needed for spoke-to-spoke reachability
interface Tunnel0
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
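The example above covers only the split-horizon item. The configuration below is an added example, not from the original post, that applies all four considerations on a hub and one spoke. It assumes the data-center prefixes behind the hub live in 10.1.0.0/16 and the spoke LAN is 10.2.1.0/24. Spoke prefixes are deliberately left unsummarized on the hub so that their next hop stays the originating spoke, which is what keeps spoke-to-spoke traffic off the hub.

```cisco
! Hub: advertise the tunnel subnet and the data-center LANs, send only the
! 10.1.0.0/16 summary for hub-side prefixes, and keep spoke routes specific.
router eigrp 100
 network 10.10.10.0 0.0.0.255
 network 10.1.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel0
 no auto-summary
!
interface Tunnel0
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 ! Summary covers hub-side space only; 10.2.x.0/24 spoke routes stay specific
 ip summary-address eigrp 100 10.1.0.0 255.255.0.0
!
! Spoke: stub routing keeps EIGRP queries from reaching the branch, and
! passive-interface default stops hellos on the branch LAN.
router eigrp 100
 network 10.10.10.0 0.0.0.255
 network 10.2.1.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel0
 eigrp stub connected summary
 no auto-summary
```

On the hub, add no passive-interface for any LAN link that is supposed to carry an EIGRP adjacency to the data-center core. After the change, show ip route on a spoke should list the other spokes' prefixes with the other spoke's tunnel address as next hop and the 10.1.0.0/16 summary with the hub as next hop.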
Hub-and-Spoke vs. Spoke-to-Spoke Designs
The original DMVPN model focused on hub-and-spoke communication, but modern networks demand direct spoke-to-spoke tunnels for voice, video and inter-branch file replication. In that design a spoke sends an NHRP resolution request through the hub for the destination's tunnel address, learns the other spoke's public (NBMA) address from the reply, and brings up a direct IPsec-protected GRE tunnel on demand. The routing side has to cooperate by leaving the other spoke as the next hop (no ip next-hop-self on the hub), otherwise every packet still follows the hub.
Security policies must account for this dynamic behaviour. Internet-facing ACLs cannot be keyed to spoke addresses that change, so they have to filter by protocol (IKE, NAT-T, ESP) rather than by peer. QoS classification that depends on inner addresses or ports must happen before encryption (qos pre-classify on the tunnel), because only the ToS byte is copied to the outer ESP header. A spoke behind NAT needs NAT traversal on UDP 4500, and two spokes behind separate NAT devices generally cannot build a direct tunnel, so their traffic keeps flowing through the hub.
Best Practices
- Use long random pre-shared keys, or better, digital certificates: a wildcard PSK is shared by every spoke, so one compromised branch router exposes the whole overlay, whereas a certificate can be revoked per device
- Keep tunnel keys, NHRP network-ids and authentication strings, and IPsec profiles consistent across spokes; a mismatch usually leaves the interface up with no NHRP registration, so check show dmvpn and show ip nhrp on the hub when a spoke is missing
- Monitor tunnel stability and NHRP registration events via SNMP or syslog; flapping registrations usually point at MTU, NAT or key problems
- Limit Internet-side exposure with firewalls and ACLs that admit only IKE (UDP 500), NAT-T (UDP 4500) and ESP to the tunnel source address, and filter the decrypted traffic separately on the tunnel interface
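To back the last item, here is an added example (not from the original post) of an inbound ACL on the hub's Internet-facing interface, assuming its public address is 203.0.113.1. Spoke public addresses are usually dynamic, so the source is left as any and exposure is limited by protocol: only IKE on UDP 500, NAT-T on UDP 4500 and ESP reach the router. GRE (IP protocol 47) is deliberately not permitted, because with tunnel protection every GRE packet arrives inside ESP; a bare GRE packet from the Internet is something to drop and log, not accept.

```cisco
ip access-list extended WAN-IN
 remark Hub Internet-facing filter (assumed public address 203.0.113.1)
 remark IKE and NAT-T from any source: spoke addresses are dynamic
 permit udp any host 203.0.113.1 eq isakmp
 permit udp any host 203.0.113.1 eq non500-isakmp
 remark ESP carries the encrypted GRE tunnels; bare GRE is never expected
 permit esp any host 203.0.113.1
 remark Keep path MTU discovery and reachability tests working
 permit icmp any host 203.0.113.1 packet-too-big
 permit icmp any host 203.0.113.1 echo-reply
 remark Everything else, including management protocols, is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group WAN-IN in
```

This ACL sees packets before decryption, so it cannot judge what travels inside the tunnels; apply a second ACL on Tunnel0 to restrict what branch traffic may enter the hub. If the hub itself originates Internet traffic, add the return flows explicitly or use a stateful inspection feature, since the deny line will otherwise drop them.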
Conclusion
By integrating DMVPN with IPsec and EIGRP, enterprises in 2013 were able to build agile and secure WAN topologies that scaled well beyond statically configured point-to-point VPNs, at a fraction of the cost of MPLS. While SD-WAN products are emerging, DMVPN remains a resilient and cost-effective option, especially for businesses with a Cisco infrastructure footprint.