This post will describe some of the crypto design considerations for DMVPN.
DMVPN Overview and Crypto Overhead
First, let’s have a quick recap of what Dynamic Multipoint VPN (DMVPN) is. DMVPN is an overlay technology where multipoint GRE (mGRE) tunnels form an overlay and a routing protocol runs across it. DMVPN is a hub-and-spoke technology where the DMVPN hub acts as a centralized control plane. DMVPN uses the Next Hop Resolution Protocol (NHRP) to register the IP addresses of the spokes with the hub. When a router looks in its routing table, the next hop will be the tunnel IP address of the remote router, not the real outside IP address that must be used for the GRE encapsulation. To find the outside IP of the spoke, NHRP is used to resolve the next hop to the real outside IP.
DMVPN runs over public transport. This means that it’s possible to snoop on the traffic while it is in transit. To prevent this, DMVPN is often combined with IPSec to encrypt the packets. IPSec can run in two modes, transport mode and tunnel mode. In transport mode, the original IP header is not encrypted and no additional IP header is added. In tunnel mode, which is the default for tunnels, a new IP header is added and the original IP header is encrypted. Tunnel mode is a must for classic LAN-to-LAN setups because normally the inside subnets use private addresses and the tunnel is formed between publicly routable IP addresses.
The difference between transport mode and tunnel mode is shown in the picture below.
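To put numbers on that difference, here is an added example (not code from the original post) that models the per-packet size of a GRE packet protected by IPsec ESP in transport mode versus tunnel mode, the way a DMVPN tunnel carries it. The header sizes are assumptions for a typical configuration: IPv4 without options, a GRE header with the optional key field (set when `tunnel key` is configured), ESP with AES-CBC (16-byte IV and block size) and a 128-bit ICV. The function names are mine; adjust the constants to match the transform set you actually run.

```python
# Added example (not from the original post): per-packet overhead of
# GRE over IPsec ESP in transport vs tunnel mode, as used by DMVPN.
# The header sizes below are assumptions for a typical ESP/AES-CBC/HMAC
# configuration; change them to match your own transform set.

IPV4_HDR = 20      # IPv4 header without options
GRE_HDR = 4        # base GRE header (flags/version + protocol type)
GRE_KEY = 4        # optional GRE key field, present when "tunnel key" is set
ESP_HDR = 8        # ESP header: SPI (4) + sequence number (4)
ESP_TRAILER = 2    # ESP trailer: pad length (1) + next header (1)


def esp_padding(plaintext_len: int, block_size: int) -> int:
    """Bytes of ESP padding so that plaintext + 2-byte trailer fills whole cipher blocks."""
    return (-(plaintext_len + ESP_TRAILER)) % block_size


def gre_ipsec_packet_size(original_len: int, mode: str = "transport",
                          gre_key: bool = True, iv_len: int = 16,
                          block_size: int = 16, icv_len: int = 16) -> int:
    """Size on the wire of an original IP packet of original_len bytes after
    GRE encapsulation and ESP protection in the given mode.

    transport: outer IP | ESP hdr | IV | [GRE | original packet] | pad | trailer | ICV
    tunnel:    outer IP | ESP hdr | IV | [IP | GRE | original packet] | pad | trailer | ICV
    Brackets mark what ESP encrypts. In tunnel mode the GRE packet keeps its
    own IP header (tunnel source/destination) inside the encrypted part and a
    new outer IP header with the same endpoints is added in front, which is
    the extra 20 bytes the post describes.
    """
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    gre_len = GRE_HDR + (GRE_KEY if gre_key else 0)
    plaintext = gre_len + original_len
    if mode == "tunnel":
        plaintext += IPV4_HDR          # encrypted inner IP header
    pad = esp_padding(plaintext, block_size)
    return IPV4_HDR + ESP_HDR + iv_len + plaintext + pad + ESP_TRAILER + icv_len


def overhead(original_len: int, **kw) -> int:
    """Bytes added to an original packet by GRE + ESP with the given options."""
    return gre_ipsec_packet_size(original_len, **kw) - original_len


def largest_original_fitting(mtu: int, **kw):
    """Largest original IP packet whose encapsulated form still fits in mtu
    bytes, or None if even an empty packet does not fit. Encapsulated size is
    non-decreasing in the original length, so the last fitting value wins."""
    best = None
    for length in range(0, mtu + 1):
        if gre_ipsec_packet_size(length, **kw) <= mtu:
            best = length
    return best


if __name__ == "__main__":
    # Constructed sample sizes: a typical data packet and a 1500-byte transport MTU.
    for mode in ("transport", "tunnel"):
        print(f"{mode:9s} 1400-byte packet -> {gre_ipsec_packet_size(1400, mode=mode)} bytes "
              f"on the wire (overhead {overhead(1400, mode=mode)}), "
              f"largest packet fitting a 1500-byte MTU: "
              f"{largest_original_fitting(1500, mode=mode)}")
```

Two things the numbers show that the headers alone do not: the 20-byte difference between the modes is only exact before ESP padding (a 1400-byte packet grows by 84 bytes in transport mode and 100 in tunnel mode, but padding can shift that by up to a block), and the largest original packet that still fits a 1500-byte path is 1430 bytes in transport mode versus 1410 in tunnel mode, which is the figure you carry into the tunnel `ip mtu` and TCP MSS adjustment.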