Prepping Ubuntu Server Edition to run as a DMVPN.

After reading about the open source implementation of NHRP, I decided that I would play around with it a bit to see where it’s at, development wise. I have a VMWare Session of Ubuntu 9.04 (Server Edition) that I use to geek out on stuff like this. It’s nice, because at a click of a button I can have a default install, by reverting to my default snap shot.

I’ve determined that the packages that you need to install, on a default install of Ubuntu SE are:


Gcc, make, git, git-core, pkg-config, and libc-ares-dev are the packages required to compile openNHRP from source. They can probably be uninstalled after it’s been compiled. :)

Openssh-server is just used to admin the box remotely. It’s easier to do everything over ssh, rather than through the vm window.

Quagga is the routing software. It’s not required to install opennhrp, but I figured I might as well install it. Same goes for ipsec-tools.

Iproute2, which supports the GRE implementation, is installed by default, so we don’t need to worry about it.

I wrote a quick perl script to run on Ubuntu to check to see whether the packages are installed. If they aren’t it installs them via apt-get.

After you run that perl script, opennhrp is ready to install. Download the latest version from, unpack the contents, then run make and make install. That’s it! Now to play with configurations.

May 31, 2009

Posted In: Perl Tips, Ubuntu SE, VPN

An Open Source Implementation of Cisco’s Dynamic Multipoint VPN (DMVPN)

For a few years, Cisco has had a pretty innovative VPN solution called “Dynamic Multipoint VPN”. In essence, it’s a traditional hub and spoke VPN design, except that when two, or more, spokes want to communicate directly with each other, they initiate a dynamic IPSEC tunnel with each other instead of sending the traffic to the hub, where the hub would route the traffic to the destination spoke. If you’re confused, the “hub” would be the main office where all VPN sessions are initiated to and the “spoke” are the branch offices.

Why does this matter? There are two HUGE reasons: bandwidth and ease of operation. If two spokes need to send data back and forth to each other over the VPN, it doesn’t make sense that the data should be sent from spoke 1, to the hub, to spoke 2. Doing this doubles the amount of Internet bandwidth that you need. That’s a lot of wasted money. For the people configuring the VPN devices, it’s an added complexity to add all kinds of VPN tunnels to each branch turning your VPN network into a mesh design. Could you imagine doing that with hundreds or thousands of branch offices? It would be an administration night mare. So essentially, either way you look at it, DMVPN could save your organization a ton of money in total cost of ownership and on bandwidth. Your network admins will love you for it.

How is DMVPN achieved? It uses all the same tricks as traditional hub and spoke VPN; IPSEC, GRE, a dynamic routing protocol, along with a fairly new protocol called Next Hop Resolution Protocol. “NHRP is an Address Resolution Protocol (ARP)-like protocol that dynamically maps nonbroadcast multiaccess (NBMA) network. With NHRP, systems attached to an NBMA network can dynamically learn the NBMA (physical) address of the other systems that are part of that network, allowing these systems to directly communicate.” ( Pretty cool, right?

It now looks like the Open Source community is putting together the last piece of the DMVPN puzzle. For years there have been open source implementations of IPSEC, GRE, and dynamic routing protocols, such as OSPF. (It’s a shame that EIGRP is proprietary to Cisco.) Now there is a NHRP implementation in the works, that looks promising. I’m sure that I’ll be keeping up with the progress.

Maybe Vyatta will implement this? hmmm…

RFC 2332 – NBMA Next Hop Resolution Protocol

Open Source Related Links:
Quagga Routing Software
Iproute2 – Open Source GRE implementation
StrongSwan – IPSEC for Linux
OpenSwan – Another IPSEC for Linux

Cisco Related Links:
Cisco’s implementation of NHRP
Configuring DMVPN using GRE over IPSEC between multiple routers
DMVPN Overview

May 31, 2009

Posted In: Open Source Alternatives, VPN