GRE VPN & DMVPN

There are several types of VPN (Virtual Private Network) technologies, each designed to meet different needs and provide varying levels of security, privacy, and performance. Here’s an overview of the most common types:

1. Remote Access VPN:

– Purpose: Allows individual users to connect securely to a remote network from their own device, usually over the internet.
– Use Case: Employees accessing their company’s network from home or while traveling.
– Example Protocols: OpenVPN, L2TP/IPsec, PPTP, SSTP.

2. Site-to-Site VPN:

– Purpose: Connects entire networks to each other. It’s often used to link branch offices with a central office.
– Use Case: Connecting multiple office locations so they can share resources securely.
– Example Protocols: IPsec, MPLS, GRE.

3. Client-to-Site VPN:

– Purpose: Allows individual users to connect to a central network (like a company’s intranet) from a remote location.
– Use Case: Employees working remotely who need access to internal network resources.
– Example Protocols: OpenVPN, L2TP/IPsec, PPTP.

4. Site-to-Site VPN (Corporate VPN):

– Purpose: Connects different office locations securely over the internet or private lines.
– Use Case: Secure communication between branch offices and headquarters.
– Example Protocols: IPsec, MPLS, GRE.

5. MPLS VPN (Multiprotocol Label Switching VPN):

– Purpose: Uses MPLS to create VPNs over a service provider’s network, offering secure and efficient data transfer.
– Use Case: Businesses needing high-performance and scalable VPN solutions.
– Example Protocols: MPLS VPN, L3VPN, L2VPN.

6. SSL/TLS VPN:

– Purpose: Uses SSL/TLS protocols to provide secure access to web-based applications and services.
– Use Case: Secure access to specific applications or resources via a web browser.
– Example Protocols: SSL, TLS, HTTPS.

7. IPsec VPN (Internet Protocol Security VPN):

– Purpose: Uses IPsec to encrypt data at the network layer, providing secure communication between two endpoints.
– Use Case: Secure site-to-site or remote access connections.
– Example Protocols: IPsec, IKEv2.

8. PPTP VPN (Point-to-Point Tunneling Protocol):

– Purpose: An older VPN protocol that creates a secure tunnel through which data is transmitted.
– Use Case: Basic remote access, though it is considered less secure compared to modern protocols.
– Example Protocols: PPTP.

9. L2TP/IPsec VPN (Layer 2 Tunneling Protocol with IPsec):

– Purpose: Combines L2TP and IPsec for secure and encrypted VPN connections.
– Use Case: Remote access with higher security than PPTP.
– Example Protocols: L2TP/IPsec.

10. OpenVPN:

– Purpose: An open-source VPN protocol known for its flexibility and strong security.
– Use Case: Remote access and site-to-site connections with customizable encryption and authentication.
– Example Protocols: OpenVPN.

DMVPN MGRE

DMVPN (Dynamic Multipoint Virtual Private Network) is a Cisco-developed VPN technology designed to simplify the deployment and management of VPNs over the internet or other IP networks. It allows multiple remote sites to communicate with each other directly while maintaining a secure connection.

Key Features of DMVPN:

1. Dynamic Routing:
– DMVPN uses dynamic routing protocols like EIGRP, OSPF, or BGP to automatically establish VPN tunnels between remote sites. This means that routes are updated dynamically as the network changes, simplifying management.

2. Hub-and-Spoke Topology:
– In a DMVPN setup, there is a central hub and multiple spoke sites. Initially, all communications go through the central hub. However, DMVPN can dynamically establish direct spoke-to-spoke tunnels for more efficient communication.

3. Scalability:
– DMVPN is highly scalable because new sites can be added to the network without needing to manually configure new VPN connections between all sites. The dynamic nature of DMVPN allows it to adapt to network changes with minimal manual intervention.

4. Flexibility:
– DMVPN can support multiple types of VPN traffic and protocols, such as IPsec for encryption and GRE (Generic Routing Encapsulation) for encapsulation. It can also work with various types of IP networks, including IPv4 and IPv6.

5. Enhanced Security:
– DMVPN leverages IPsec encryption to ensure secure communication between sites. It can also use different security mechanisms to protect data as it travels across the network.

Components of DMVPN:

1. Hub Router:
– The central router that acts as the point of communication for all remote spokes. It maintains the configuration and routing information for the entire network.

2. Spoke Routers:
– Remote routers that connect to the hub and, if needed, establish direct communication with other spokes.

3. NHRP (Next Hop Resolution Protocol):
– A key component of DMVPN, NHRP is used to map and resolve IP addresses between hub and spoke routers. It helps in dynamically discovering the IP addresses of remote peers and setting up direct tunnels.

4. GRE Tunnels:
– Generic Routing Encapsulation tunnels are used to encapsulate data packets for transmission across the network. In DMVPN, GRE is used in conjunction with IPsec to provide a secure and flexible tunneling solution.

5. IPsec Encryption:
– Used to encrypt data transmitted over the VPN to ensure privacy and security.

How DMVPN Works:

1. Initial Connection:
– Spoke routers initially establish VPN tunnels to the hub router. Communication between spokes is not direct at this stage.

2. Dynamic Tunnel Establishment:
– When two spoke routers need to communicate directly, they use NHRP to discover each other’s IP addresses and establish a direct GRE tunnel between them, bypassing the hub.

3. Data Transmission:
– Once the direct tunnel is established, data can flow directly between spokes without routing through the hub, improving efficiency and reducing latency.

4. Dynamic Adjustments:
– If network conditions change or new spokes are added, DMVPN dynamically adjusts routing and tunnel configurations to accommodate these changes.

Use Cases:

– Branch Office Connectivity: Ideal for connecting multiple branch offices securely with minimal configuration.
– Remote Workforce: Facilitates secure remote access for employees working from various locations.
– Scalable Networks: Suitable for large and growing networks where adding new sites needs to be efficient.

In summary, DMVPN is a robust and flexible solution for creating and managing secure VPN connections across multiple sites, offering scalability, dynamic routing, and efficient communication.

GRE – Generic Routing Encapsulation

What is GRE?
Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that is used to encapsulate a wide variety of network layer protocols inside point-to-point connections. It allows for the transportation of packets from one network to another, creating a virtual point-to-point link between endpoints.


Key Features of GRE:

  • Encapsulation of multiple protocols: GRE can encapsulate many different Layer 3 protocols, including IP, IPX, and AppleTalk, inside IP tunnels.

  • Protocol-independent: GRE doesn’t care what the encapsulated protocol is — it simply wraps it in an IP header.

  • Virtual Point-to-Point Connection: Creates a tunnel between two routers that appears as a direct connection.

  • Stateless: GRE itself does not maintain session state; it’s a simple wrapper.


GRE Packet Structure:

A GRE packet consists of:

  1. Outer IP Header – Used to route the packet across the tunnel.

  2. GRE Header – Contains information about the encapsulated payload.

  3. Encapsulated Packet – The original packet (can be IPv4, IPv6, or others).

GRE vs Other Tunneling Protocols:

Feature          | GRE                | IPsec            | L2TP
-----------------+--------------------+------------------+------------------------
Encryption       | ❌ No (by default) | ✅ Yes           | ❌ No (requires IPsec)
Protocol Support | ✅ Multi-protocol  | ✅ IP only       | ✅ Multi-protocol
Use Case         | Simple tunneling   | Secure tunneling | VPN + encryption

Note: GRE does not provide encryption or confidentiality by itself — it must be paired with something like IPsec for secure communication.
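The packet structure and the "no encryption" note above can be seen directly by building a GRE packet by hand. The following is an added example, not code from the original notes or from Cisco: it encapsulates a constructed inner IPv4 packet between the lab's public addresses (200.1.1.2 and 205.1.1.2), parses it back, shows that the inner payload is still readable on the wire, and computes the per-packet overhead that motivates the `ip mtu 1400` / `ip tcp adjust-mss 1360` settings used later on the page. It uses only the Python standard library; the key option follows RFC 2890.

```python
import socket
import struct
from typing import Optional

IPPROTO_GRE = 47            # protocol number for GRE in the outer IPv4 header
GRE_PROTO_IPV4 = 0x0800     # EtherType of the encapsulated payload (IPv4)
GRE_FLAG_CHECKSUM = 0x8000  # C bit in the GRE flags word
GRE_FLAG_KEY = 0x2000       # K bit (RFC 2890 key extension, 'tunnel key' on IOS)
GRE_FLAG_SEQ = 0x1000       # S bit (sequence number present)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when the header is valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str,
                    key: Optional[int] = None) -> bytes:
    """Outer IPv4 header + GRE header + encapsulated packet (the three parts from the text).

    The inner packet is copied verbatim: GRE adds no confidentiality.
    """
    flags = GRE_FLAG_KEY if key is not None else 0
    gre = struct.pack("!HH", flags, GRE_PROTO_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre + inner)


def gre_decapsulate(packet: bytes) -> dict:
    """Parse outer IPv4 and GRE headers; return their fields and the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if outer[9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 protocol is %d, not GRE (47)" % outer[9])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    offset = ihl + 4
    key = None
    if flags & GRE_FLAG_CHECKSUM:
        offset += 4                      # checksum + reserved1
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_SEQ:
        offset += 4
    return {
        "outer_src": socket.inet_ntoa(outer[12:16]),
        "outer_dst": socket.inet_ntoa(outer[16:20]),
        "protocol_type": ptype,
        "key": key,
        "inner": packet[offset:],
    }


def gre_overhead(keyed: bool = False) -> int:
    """Bytes added per packet: 20 (outer IPv4) + 4 (GRE) [+ 4 (key)]."""
    return 20 + 4 + (4 if keyed else 0)


def tcp_mss_for_ip_mtu(ip_mtu: int) -> int:
    """Largest TCP segment that fits in ip_mtu: subtract 20 bytes IPv4 + 20 bytes TCP."""
    return ip_mtu - 40


if __name__ == "__main__":
    # Constructed sample: a UDP packet from the BR LAN to the HQ LAN of the lab below,
    # carried between the lab's public addresses 200.1.1.2 (BR) and 205.1.1.2 (HQ).
    inner = build_ipv4("192.168.1.10", "192.168.2.10", 17, b"hello from branch")
    wire = gre_encapsulate(inner, "200.1.1.2", "205.1.1.2")
    fields = gre_decapsulate(wire)
    print("overhead bytes:", len(wire) - len(inner))
    print("outer:", fields["outer_src"], "->", fields["outer_dst"])
    print("payload readable on the wire:", b"hello from branch" in wire)
    print("TCP MSS for 'ip mtu 1400':", tcp_mss_for_ip_mtu(1400))
```

The 24-byte overhead is why a tunnel on a 1500-byte link is usually given `ip mtu 1400` with `ip tcp adjust-mss 1360`; once IPsec is added on top (next sections) the ESP header, IV, padding and trailer add more, so the MTU is set with headroom rather than at exactly 1476.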


Common Use Cases:

  • Site-to-site VPNs (especially when used with IPsec)

  • Routing non-IP protocols over IP networks

  • Connecting isolated networks through an intermediate network

  • MPLS over GRE tunnels

Internet-ISP
------------
int fa0/0
ip add 200.1.1.1 255.255.255.0
no sh
int fa0/1
ip add 205.1.1.1 255.255.255.0
no sh
int lo 0
ip add 8.8.8.8 255.255.255.0

BR
---
conf t
hostname BR
int fa0/0
ip add 200.1.1.2 255.255.255.0
no sh
int fa0/1
ip add 192.168.1.1 255.255.255.0
no sh

ip route 0.0.0.0 0.0.0.0 200.1.1.1

access-list 1 permit 192.168.1.0 0.0.0.255

ip nat inside source list 1 interface fa0/0 overload
int fa0/1
ip nat inside
int fa0/0
ip nat outside
ip dhcp pool NWKINGS
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1

HQ
---
conf t
hostname HQ
int fa0/0
ip add 205.1.1.2 255.255.255.0
no sh

int fa0/1
ip add 192.168.2.1 255.255.255.0
no sh

ip route 0.0.0.0 0.0.0.0 205.1.1.1

access-list 1 permit 192.168.2.0 0.0.0.255

ip nat inside source list 1 interface fa0/0 overload

int fa0/1
ip nat inside
int fa0/0
ip nat outside
ip dhcp pool NWKINGS
default-router 192.168.2.1
network 192.168.2.0 255.255.255.0

GRE TUNNEL
-----------
Branch
interface tunnel 100
ip add 192.168.3.1 255.255.255.0
tunnel source fa0/0
tunnel destination 205.1.1.2

HQ
interface tunnel 100
ip add 192.168.3.2 255.255.255.0
tunnel source fa0/0
tunnel destination 200.1.1.2

Routing over the tunnel
-----------------------
BR
conf t
ip route 192.168.2.0 255.255.255.0 192.168.3.2

or
router eigrp 1
network 192.168.1.0
network 192.168.3.0
no auto-summary

HQ
conf t
ip route 192.168.1.0 255.255.255.0 192.168.3.1

or
router eigrp 1
network 192.168.2.0
network 192.168.3.0
no auto-summary

GRE – Issues

VPN Tunnel Point to Point

No Encryption

Not scalable

Static IP

After DMVPN – MGRE

DMVPN = Dynamic Multipoint VPN | mGRE

Introduced by Cisco in 2000.

VPN tunnels are created automatically.

DMVPN supports point-to-multipoint tunnels.

The hub is the central location (for example the HQ of an organisation) and the spokes are its branch offices.

It keeps costs low, needs less configuration, and increases flexibility and scalability.

DMVPN is a popular choice for connecting different sites over regular Internet connections.

It is a great backup or alternative to private networks such as MPLS VPN.

  • Multipoint GRE (mGRE)
  • NHRP (Next Hop Resolution Protocol)
  • Routing (RIP, EIGRP, OSPF, BGP, etc.)
  • IPsec (not required but recommended)

With multipoint GRE there is only one tunnel interface on each router.

NHRP (Next Hop Resolution Protocol)

  1. One router will be the NHRP server.
  2. All other routers will be NHRP clients.

The NHRP server keeps track of all public IP addresses in its cache. When one router wants to tunnel something to another router, it asks the NHRP server for the public IP address of the other router.

After receiving the NHRP registration requests, NHRP

DMVPN Phases Explained

DMVPN has three main phases, each offering progressively more efficient and flexible communication between network sites (spokes).


Phase 1 – Hub-and-Spoke

Key Points:

  • All traffic flows through the hub router.

  • GRE tunnels are built between spokes and hub only.

  • No direct spoke-to-spoke tunnels.

  • NHRP is used by spokes to register with the hub.

Traffic Flow:

Spoke ➡️ Hub ➡️ Spoke

Pros:

  • Simple to configure.

  • Good for small networks.

Cons:

  • Inefficient: All data between spokes must go through the hub.

  • Bottleneck risk at hub.


Phase 2 – Spoke-to-Spoke with Static Routing

Key Points:

  • Direct spoke-to-spoke tunnels are allowed.

  • Spokes dynamically discover each other using NHRP.

  • Hub helps resolve the next-hop IP address for spoke-to-spoke connections.

  • Still uses GRE tunnels and optionally IPsec.

  • Routing protocol still sees hub as next-hop (static or with “next-hop-self”).

Traffic Flow:

Spoke ➡️ Spoke (via dynamic GRE tunnel, but routing goes through hub)

Pros:

  • More efficient traffic flow.

  • Reduces load on hub.

Cons:

  • More complex configuration.

  • Some routing limitations due to next-hop handling.


Phase 3 – Full Dynamic Spoke-to-Spoke with Dynamic Routing

Key Points:

  • Most scalable and flexible phase.

  • True spoke-to-spoke communication with dynamic GRE tunnels.

  • Hub initially routes traffic, then redirects spokes to each other using NHRP Redirect/Shortcut messages.

  • Works with dynamic routing protocols like EIGRP, OSPF and BGP, with the next hop left unchanged (the real next hop, not the hub).

Traffic Flow:

Spoke ➡️ Hub (initially) ➡️ Redirect ➡️ Spoke (direct)

Pros:

  • Fully dynamic, scalable for large networks.

  • Best performance with dynamic routing.

Cons:

  • Most complex to configure.

  • Requires router support for NHRP redirection.


Phase Comparison Table

Feature                | Phase 1        | Phase 2                        | Phase 3
-----------------------+----------------+--------------------------------+-------------------------
Spoke-to-Spoke Tunnels | ❌ No          | ✅ Yes                         | ✅ Yes
NHRP Used              | ✅ Yes         | ✅ Yes                         | ✅ Yes
Routing Type           | Static/Dynamic | Static/Dynamic (next-hop-self) | Dynamic (real next-hop)
NHRP Redirect/Shortcut | ❌ No          | ❌ No                          | ✅ Yes
Hub Traffic Load       | 🔺 High        | 🔽 Reduced                     | 🔽 Lowest
Complexity             | ⭐ Easy        | ⭐⭐ Moderate                   | ⭐⭐⭐ Complex

Real-World Use Case Mapping:

  • Phase 1: Small branch networks with low inter-branch traffic.

  • Phase 2: Medium networks needing direct branch-to-branch communication.

  • Phase 3: Large enterprises with high scalability and dynamic routing needs.


Phase 1 Configuration
---------------------
Hub
interface Tunnel 0
ip address 172.16.123.1 255.255.255.0
ip nhrp authentication NWKINGS
tunnel mode gre multipoint
tunnel source GigabitEthernet0/1
ip nhrp map multicast dynamic
ip nhrp network-id 1
DMVPN neighbor

Spoke - 1 Config
----------------
interface tunnel 0
ip address 172.16.123.2 255.255.255.0
ip nhrp authentication NWKINGS
ip nhrp map 172.16.123.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp nhs 172.16.123.1
tunnel source GigabitEthernet0/1
tunnel destination 1.1.1.1

#show ip nhrp
---------------
For testing: Spoke 1 - lo 0 - 192.168.5.1
Spoke 2 - ip route 192.168.5.0 255.255.255.0 172.16.123.1
Hub - ip route 192.168.5.0 255.255.255.0 172.16.123.2

ip nhrp map multicast dynamic:  this command tells the hub router where to forward multicast packets. Since the IP addresses of the spoke routers are not known in advance, we use dynamic to add their addresses to the multicast destination list automatically when the spokes register themselves.

ip nhrp network-id:  when you use multiple DMVPN networks, you need the network ID to differentiate between the two networks. This value is only locally significant but for troubleshooting reasons it’s best to use the same value on all routers.
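The NHRP server/client roles, the holdtime, the authentication string, `ip nhrp map multicast dynamic`, and the three phases' traffic flows can all be exercised in one small model. The following is an added example, not code from the original notes or from Cisco: a hub-side NHRP cache with registration (checked against network-id and authentication string), resolution, holdtime expiry and the dynamic multicast list, plus spokes whose `forward()` returns the NBMA (public) hops a packet takes under phase 1, 2 or 3. Tunnel and hub addresses are the ones from the phase 1 configuration above; the spoke public addresses 2.2.2.2 and 3.3.3.3 are constructed. Packet exchange is simulated with method calls, no NHRP packets are encoded.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class NhrpEntry:
    nbma_ip: str       # public ("NBMA") address the spoke registered from
    expires_at: float  # registration is dropped when the holdtime runs out


class NhrpServer:
    """Hub-side NHRP cache (what 'ip nhrp nhs' on the spokes points at)."""

    def __init__(self, nbma_ip: str, network_id: int, auth: str,
                 holdtime: int = 300, redirect: bool = False):
        self.nbma_ip = nbma_ip
        self.network_id = network_id
        self.auth = auth              # 'ip nhrp authentication <string>'
        self.holdtime = holdtime      # 'ip nhrp holdtime <seconds>'
        self.redirect = redirect      # 'ip nhrp redirect' (phase 3 hub)
        self.cache: Dict[str, NhrpEntry] = {}

    def register(self, tunnel_ip: str, nbma_ip: str, network_id: int, auth: str, now: float) -> bool:
        """Registration request from a spoke; refused if network-id or auth string differ."""
        if network_id != self.network_id or auth != self.auth:
            return False
        self.cache[tunnel_ip] = NhrpEntry(nbma_ip, now + self.holdtime)
        return True

    def resolve(self, tunnel_ip: str, now: float) -> Optional[str]:
        """Resolution request: tunnel IP -> NBMA IP, or None if unknown or expired."""
        entry = self.cache.get(tunnel_ip)
        if entry is None:
            return None
        if entry.expires_at <= now:
            del self.cache[tunnel_ip]  # holdtime expired: spoke has to re-register
            return None
        return entry.nbma_ip

    def multicast_targets(self, now: float) -> List[str]:
        """'ip nhrp map multicast dynamic': every live registration gets hub multicast
        (routing-protocol hellos); nothing has to be configured per spoke."""
        return [e.nbma_ip for ip, e in list(self.cache.items()) if self.resolve(ip, now)]


class Spoke:
    def __init__(self, tunnel_ip: str, nbma_ip: str, hub: NhrpServer, shortcut: bool = False):
        self.tunnel_ip = tunnel_ip
        self.nbma_ip = nbma_ip
        self.hub = hub
        self.shortcut = shortcut             # 'ip nhrp shortcut' (phase 3 spoke)
        self.shortcuts: Dict[str, str] = {}  # tunnel IP -> NBMA learned via redirect

    def register(self, network_id: int, auth: str, now: float) -> bool:
        return self.hub.register(self.tunnel_ip, self.nbma_ip, network_id, auth, now)

    def forward(self, phase: int, dst_tunnel_ip: str, now: float) -> List[str]:
        """NBMA hops a GRE packet to dst_tunnel_ip takes in the given DMVPN phase."""
        hub_nbma = self.hub.nbma_ip
        if phase == 1:
            # hub-and-spoke: the spoke only has a tunnel to the hub, the hub relays
            return [hub_nbma, self.hub.resolve(dst_tunnel_ip, now) or "drop"]
        if phase == 2:
            # the spoke resolves the destination itself before sending (real next hop)
            nbma = self.hub.resolve(dst_tunnel_ip, now)
            return [nbma] if nbma else ["drop"]
        if phase == 3:
            if dst_tunnel_ip in self.shortcuts:
                return [self.shortcuts[dst_tunnel_ip]]
            nbma = self.hub.resolve(dst_tunnel_ip, now)
            if nbma is None:
                return [hub_nbma, "drop"]
            # first packet goes via the hub; with redirect + shortcut the spoke installs
            # a shortcut entry and later packets go direct
            if self.hub.redirect and self.shortcut:
                self.shortcuts[dst_tunnel_ip] = nbma
            return [hub_nbma, nbma]
        raise ValueError("unknown DMVPN phase %r" % phase)


if __name__ == "__main__":
    hub = NhrpServer("1.1.1.1", network_id=1, auth="NWKINGS", holdtime=20, redirect=True)
    s1 = Spoke("172.16.123.2", "2.2.2.2", hub, shortcut=True)
    s2 = Spoke("172.16.123.3", "3.3.3.3", hub, shortcut=True)
    print("bad auth accepted:", s1.register(1, "wrong", now=0))
    s1.register(1, "NWKINGS", now=0); s2.register(1, "NWKINGS", now=0)
    print("multicast list:", hub.multicast_targets(now=1))
    for phase in (1, 2, 3, 3):
        print("phase", phase, "spoke1 -> spoke2:", s1.forward(phase, "172.16.123.3", now=1))
    print("after holdtime:", s1.forward(2, "172.16.123.3", now=25))
```

The `register()` check is the security-relevant part: the authentication string and network-id are the only things that stop an arbitrary NBMA peer from registering a tunnel address (which is why the later configs pair DMVPN with IPsec `tunnel protection`), and the holdtime/registration-timeout pair from the dual-hub config is what bounds how long a stale or dead spoke stays in the hub's cache.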

Phase 2 Config

Hub Config
------------
interface Tunnel0
ip address 172.16.123.1 255.255.255.0
ip nhrp authentication DMVPN
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
end

Spoke Config
-------------
interface Tunnel0
ip address 172.16.123.2 255.255.255.0
ip nhrp authentication DMVPN
ip nhrp map 172.16.123.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp nhs 172.16.123.1
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint

The configuration above is exactly the same as in DMVPN phase 1 
except for two commands:
We removed the tunnel destination command.
We added the tunnel mode command to use GRE multipoint.

#show dmvpn


How to configure a GRE VPN tunnel
.................................

-------R1-Router-HQ-Branch------------
Step #1 interface tunnel 1
Step #2 ip address 40.40.40.1 255.255.255.0
Step #3 tunnel source fa0/0
Step #4 tunnel destination 203.202.2.2 <R2-Public-IP>


----------R2-Router-Branch-Office----------
Step #1 interface tunnel 1
Step #2 ip address 40.40.40.2 255.255.255.0
Step #3 tunnel source fa0/0
Step #4 tunnel destination 203.202.100.100 <R1-Public-IP>


-------Optional-------
Step #5 int tunnel 1
Step #6 ip mtu 1400
Step #7 ip tcp adjust-mss 1360


How to configure the GRE VPN IPsec policy
.........................................
---------R1-Router-HQ-Office-------------
Step #1 crypto isakmp policy 10
Step #2 authentication pre-share
Step #3 encryption 3des
Step #4 hash md5
Step #5 group 2
Step #6 exit 
Step #7 crypto isakmp key saikat address 203.202.2.2
<Remote Public IP - R2-Router-Branch-Office>
Step #8 crypto ipsec transform-set saikat123 esp-sha-hmac esp-3des
Step #9 mode transport
Step #10 exit
Step #11 crypto ipsec profile CCNP
Step #12 set transform-set saikat123

-----R2-Router-Branch-Office--------
Step #1 crypto isakmp policy 10
Step #2 authentication pre-share
Step #3 encryption 3des
Step #4 hash md5
Step #5 group 2
Step #6 exit 
Step #7 crypto isakmp key saikat address 203.202.100.100 <Remote Public IP -R1-Router-HQ-Office>
Step #8 crypto ipsec transform-set saikat123 esp-sha-hmac esp-3des
Step #9 mode transport
Step #10 exit
Step #11 crypto ipsec profile CCNP
Step #12 set transform-set saikat123


Applying the IPsec policy to GRE VPN tunnel interface 1
.......................................................
Step #5 int tunnel 1
Step #6 tunnel protection ipsec profile CCNP


How to configure the DMVPN hub, phase 1
.......................................

------R1-Router-Hub-HQ-Office---------
Step #1 interface tunnel 1
Step #2 ip address 40.40.40.1 255.255.255.0 <Hub-Tunnel-Private-IP-Gateway>
Step #3 tunnel source fa0/0
Step #4 tunnel mode gre multipoint
Step #5 ip nhrp network-id 123
Step #6 ip nhrp map multicast dynamic
Step #7 no ip split-horizon eigrp 10


How to configure the DMVPN hub, phase 2
.......................................
-R1-Router-Hub-HQ-Office-------
Step #1 interface tunnel 1
Step #2 ip address 40.40.40.1 255.255.255.0 <Hub-Tunnel-Private-IP-Gateway>
Step #3 tunnel source fa0/0
Step #4 tunnel mode gre multipoint
Step #5 ip nhrp network-id 123
Step #6 ip nhrp map multicast dynamic
Step #7 no ip split-horizon eigrp 10
Step #8 no ip next-hop-self eigrp 10 <Spoke To Spoke Reach Without Hub>



How to configure the DMVPN spoke, phase 1 (branch router)
.........................................................
-R2-Router-Spoke-2----------
Step #1 interface tunnel 1
Step #2 ip address 40.40.40.2 255.255.255.0
Step #3 tunnel source fa0/0
Step #4 tunnel destination 203.202.2.2 <R1-Hub-Public-IP>
Step #5 ip nhrp network-id 123
Step #6 ip nhrp nhs 40.40.40.1 <Hub-Tunnel-Private-IP-Gateway>
Step #7 Exit


How to configure the DMVPN spoke, phase 2 (branch router)
.........................................................
-------------R2-Router-Spoke-2----------------------
Step #1 interface tunnel 1
Step #2 ip address 40.40.40.2 255.255.255.0
Step #3 tunnel source fa0/0
Step #4 tunnel mode gre multipoint
Step #5 ip nhrp network-id 123
Step #6 ip nhrp map multicast 203.202.2.2 <Hub-Public-IP>
Step #7 ip nhrp nhs 40.40.40.1 <Hub-Tunnel-Private-IP-Gateway>
Step #8 ip nhrp map 40.40.40.1 203.202.2.2 <Hub-Public-IP>



How to configure DMVPN dual hub, phase 2 (hub routers)
......................................................
Step #01 Same configuration as the DMVPN hub above <the changes are on the spoke router, which gets both hubs as NHS servers>



How to configure the DMVPN spoke, phase 2, dual hub (two NHS servers)
.....................................................................
-------R1-Router-Spoke-1---------
Step #1 interface tunnel 1
Step #2 ip address 40.40.40.2 255.255.255.0
Step #3 tunnel source fa0/0
Step #4 tunnel mode gre multipoint
Step #5 ip nhrp network-id 123
Step #6 ip nhrp map multicast 203.202.2.2 <Hub-Static-Public-IP-1>
Step #7 ip nhrp map multicast 203.202.2.3 <Hub-Static-Public-IP-2>
Step #8 ip nhrp nhs 40.40.40.1 <Hub-Tunnel-Private-IP-Gateway-Server-1>
Step #9 ip nhrp nhs 40.40.40.5 <Hub-Tunnel-Private-IP-Gateway-Server-2>
Step #10 ip nhrp map 40.40.40.1 203.202.2.2 <Hub-1-Public-IP>
Step #11 ip nhrp map 40.40.40.5 203.202.2.3 <Hub-2-Public-IP; without this static map the second NHS cannot be reached>
Step #12 ip nhrp registration timeout 5
Step #13 ip nhrp holdtime 20


------Show commands for DMVPN------
Step #1 show ip nhrp nhs
Step #2 clear ip nhrp
Step #3 show ip nhrp
Step #4 show run int tunnel 0
Step #5 show dmvpn
Step #6 clear dmvpn session


How to configure the DMVPN hub, phases 2-3
..........................................

-R1-Router-Hub-HQ-Office------
Step #1 interface tunnel 1
Step #2 ip address 172.168.1.1 255.255.255.0 <Hub-Tunnel-Private-IP-Gateway>
Step #3 tunnel source fa0/0
Step #4 tunnel mode gre multipoint
Step #5 ip nhrp network-id 123
Step #6 ip nhrp authentication saikat
Step #7 ip nhrp holdtime 300
Step #8 ip nhrp map multicast dynamic
Step #9 no ip split-horizon eigrp 100
Step #10 no ip next-hop-self eigrp 100 <Spoke To Spoke Reach Without Hub>
router eigrp 100
network 172.168.0.0
network 10.0.0.0

Phase 3 (add on the hub)
interface tunnel 1
ip nhrp redirect


How to configure the DMVPN spoke, phases 2-3
............................................
Step #1 interface tunnel 1
Step #2 ip address 172.168.1.2 255.255.255.0
Step #3 tunnel source fa0/0
Step #4 tunnel mode gre multipoint
Step #5 ip nhrp network-id 123
Step #6 ip nhrp authentication saikat <Password Protect Hub Router>
Step #7 ip nhrp holdtime 300
Step #8 ip nhrp map 172.168.1.1 203.202.2.2 <Tunnel Gateway> <Hub-Public-IP>
Step #9 ip nhrp nhs 172.168.1.1 <Hub-Tunnel-Private-IP-Gateway>
Step #10 ip nhrp map multicast 203.202.2.2 <Hub-Public-IP; this command is needed for the EIGRP hello exchange>

Go to the hub router and run <show ip nhrp>
Output: spoke registration details (NBMA address)
router eigrp 100 <Spoke Router Configure EIGRP>
network 172.168.0.0
network 20.0.0.0

Phase 3 (add on the spoke)
interface tunnel 1
ip nhrp shortcut


IPsec with DMVPN commands
-------------------------
HUB
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
encryption 3des
exit
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-des esp-md5-hmac
mode transport
crypto ipsec profile TST
set transform-set TSET
interface tunnel 1
tunnel protection ipsec profile TST

Spoke-1
Same commands as on the hub (apply the HUB config above on the spoke router).

Spoke-2
Same commands as on the hub (apply the HUB config above on the spoke router).

Verification command
show crypto ipsec sa
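The IPsec settings in this section and in the GRE/IPsec policy section above (3DES, DES, MD5, DH group 2, a wildcard pre-shared key for any peer, and a short key such as `cisco`) are the ones Cisco's Next Generation Encryption guidance lists as legacy or to be avoided; they are fine for a lab but are the first things a reviewer flags on a production router. The following is an added example, not code from the original notes or from Cisco: a small linter for the IOS crypto lines used on this page that reports legacy algorithms, wildcard or short pre-shared keys, and GRE tunnel interfaces that have no `tunnel protection` (so they carry traffic in cleartext). The weak sample config is assembled from this page's hub commands plus the unprotected `tunnel 100` from the GRE lab; the hardened sample uses AES-256, SHA-256 and group 14, which are real IOS keywords. The 16-character key threshold is a constructed policy value.

```python
import re
from typing import Dict, List

# Legacy/avoid set per Cisco NGE guidance (constructed table for this lint)
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}
MIN_PSK_LEN = 16  # constructed threshold, not a page value


def lint_crypto_config(config: str) -> List[str]:
    """Return review findings for the IOS crypto/tunnel lines in config."""
    findings: List[str] = []
    policy = None            # isakmp policy number we are inside, if any
    tunnel = None            # tunnel interface we are inside, if any
    tunnels: Dict[str, bool] = {}  # tunnel name -> has 'tunnel protection'
    for raw in config.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if line in ("exit", "end"):
            policy = tunnel = None
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy, tunnel = m.group(1), None
            continue
        m = re.match(r"interface tunnel\s*(\d+)$", line)
        if m:
            tunnel, policy = "tunnel" + m.group(1), None
            tunnels.setdefault(tunnel, False)
            continue
        if line.startswith("interface "):
            tunnel = policy = None
            continue
        # inside 'crypto isakmp policy N': encryption / hash / group choices
        if policy and len(parts) == 2 and parts[1] in WEAK_ISAKMP.get(parts[0], ()):
            findings.append(f"isakmp policy {policy}: legacy {parts[0]} '{parts[1]}'")
        m = re.match(r"crypto isakmp key (\S+) address (\S+)(?: (\S+))?$", line)
        if m:
            key, addr, mask = m.groups()
            if addr == "0.0.0.0" or mask == "0.0.0.0":
                findings.append("isakmp key: wildcard peer address, any source that knows the PSK can negotiate")
            if len(key) < MIN_PSK_LEN:
                findings.append(f"isakmp key: pre-shared key shorter than {MIN_PSK_LEN} characters")
        if line.startswith("crypto ipsec transform-set") and len(parts) > 4:
            for tok in parts[4:]:
                if tok in WEAK_TRANSFORMS:
                    findings.append(f"transform-set {parts[3]}: legacy transform '{tok}'")
        if tunnel and line.startswith("tunnel protection ipsec profile"):
            tunnels[tunnel] = True
    for name, protected in tunnels.items():
        if not protected:
            findings.append(f"{name}: no 'tunnel protection', GRE traffic crosses the transport in cleartext")
    return findings


# Constructed sample: the page's hub IPsec commands plus the unprotected GRE lab tunnel.
WEAK_CONFIG = """
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 encryption 3des
exit
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-des esp-md5-hmac
 mode transport
crypto ipsec profile TST
 set transform-set TSET
interface tunnel 1
 tunnel protection ipsec profile TST
interface tunnel 100
 ip address 192.168.3.1 255.255.255.0
"""

# Constructed hardened equivalent (AES-256, SHA-256, DH group 14, per-peer long PSK).
HARDENED_CONFIG = """
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
exit
crypto isakmp key EXAMPLE-LONG-PSK-replace-me address 203.202.2.2
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile TST
 set transform-set TSET
interface tunnel 1
 tunnel protection ipsec profile TST
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":")
        for finding in lint_crypto_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against the page's configuration the linter reports eight findings; the hardened variant reports none. The "no tunnel protection" check is the one that matters most for GRE: without it the `show crypto ipsec sa` verification step has nothing to show for that interface and everything inside the tunnel is readable on the path, as the GRE packet example earlier on this page demonstrates.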