For a few years, Cisco has had a pretty innovative VPN solution called “Dynamic Multipoint VPN”. In essence, it’s a traditional hub and spoke VPN design, except that when two, or more, spokes want to communicate directly with each other, they initiate a dynamic IPSEC tunnel with each other instead of sending the traffic to the hub, where the hub would route the traffic to the destination spoke. If you’re confused, the “hub” would be the main office where all VPN sessions are initiated to and the “spoke” are the branch offices.
Why does this matter? There are two HUGE reasons: bandwidth and ease of operation. If two spokes need to send data back and forth to each other over the VPN, it doesn’t make sense that the data should be sent from spoke 1, to the hub, to spoke 2. Doing this doubles the amount of Internet bandwidth that you need. That’s a lot of wasted money. For the people configuring the VPN devices, it’s an added complexity to add all kinds of VPN tunnels to each branch turning your VPN network into a mesh design. Could you imagine doing that with hundreds or thousands of branch offices? It would be an administration night mare. So essentially, either way you look at it, DMVPN could save your organization a ton of money in total cost of ownership and on bandwidth. Your network admins will love you for it.
How is DMVPN achieved? It uses all the same tricks as traditional hub and spoke VPN; IPSEC, GRE, a dynamic routing protocol, along with a fairly new protocol called Next Hop Resolution Protocol. “NHRP is an Address Resolution Protocol (ARP)-like protocol that dynamically maps nonbroadcast multiaccess (NBMA) network. With NHRP, systems attached to an NBMA network can dynamically learn the NBMA (physical) address of the other systems that are part of that network, allowing these systems to directly communicate.” (Cisco.com) Pretty cool, right?
It now looks like the Open Source community is putting together the last piece of the DMVPN puzzle. For years there have been open source implementations of IPSEC, GRE, and dynamic routing protocols, such as OSPF. (It’s a shame that EIGRP is proprietary to Cisco.) Now there is a NHRP implementation in the works, that looks promising. I’m sure that I’ll be keeping up with the progress.
Maybe Vyatta will implement this? hmmm…
RFC 2332 - NBMA Next Hop Resolution Protocol
Open Source Related Links:
Iproute2 - Open Source GRE implementation
OpenSwan - Another IPSEC for Linux
Cisco Related Links:
Cisco’s implementation of NHRP
Configuring DMVPN using GRE over IPSEC between multiple routers