Description

DMVPN (Dynamic Multipoint VPN) is a routing technique we can use to build a VPN network with multiple sites without having to statically configure all devices. It’s a “hub and spoke” network where the spokes are able to communicate with each other directly without having to go through the hub. Encryption is supported through IPsec, which makes DMVPN a popular choice for connecting different sites over regular Internet connections.

The Milesight Industrial Router supports the DMVPN feature and works in client mode. In this manual we will guide you through installing the DMVPN server and then connecting the Milesight router to that server.

Note: ensure your Milesight router has been upgraded to the latest firmware.


Requirement

Ubuntu

Milesight Router

UR Router IP: 192.168.22.105

DMVPN Hub: 192.168.23.206

GRE Hub IP 10.0.0.1

GRE tunnel IP: 10.0.0.XX (10.0.0.2-10.0.0.254)

GRE Key: 123456, Pre shared key: 123456


Contents

DMVPN Server configuration

Milesight Router configuration

Check connection status


Configuration

DMVPN Server Configuration

Step1. Install essential environment

1. Log in to Ubuntu and execute: apt-get update

root@ubuntu:~# apt-get update

2. Install the racoon

root@ubuntu:~# apt-get install racoon

3. Install ipsec-tools.

root@ubuntu:~# apt-get install ipsec-tools

4: Install the build-essential.

root@ubuntu:~# apt-get install build-essential

5: Install the libc-ares-dev

root@ubuntu:~# apt-get install libc-ares-dev

6: Install the pkg-config 

root@ubuntu:~# apt-get install pkg-config

7: Download opennhrp-0.14.1.tar.bz2 through this URL .

8: Install opennhrp: tar -xjvf opennhrp-0.14.1.tar.bz2, then run make and make install

root@ubuntu:~# tar xjvf opennhrp-0.14.1.tar.bz2
root@ubuntu:~# cd opennhrp-0.14.1
root@ubuntu:~/opennhrp-0.14.1# ls
AUTHORS contrib doc etc libev Makefile Make.rules man MIT-LICENSE.txt NEWS nhrp patches README TODO
root@ubuntu:~/opennhrp-0.14.1# make
root@ubuntu:~/opennhrp-0.14.1# make install
install -d /usr/sbin
install nhrp/opennhrp nhrp/opennhrpctl /usr/sbin
install -d /etc/opennhrp
install etc/opennhrp.conf etc/opennhrp-script etc/racoon-ph1down.sh etc/racoon-ph1dead.sh /etc/opennhrp
install -d /usr/share/man/man5 /usr/share/man/man8
install man/opennhrp.conf.5 /usr/share/man/man5
install man/opennhrp.8 man/opennhrpctl.8 man/opennhrp-script.8 /usr/share/man/man8
install -d /usr/share/doc/opennhrp
install README /usr/share/doc/opennhrp


Step2. Configure /etc/opennhrp/opennhrp.conf

root@ubuntu:/etc/opennhrp# cat opennhrp.conf
# NHRP settings for the hub side of the tunnel. The interface name must
# match the GRE tunnel that dmvpn.sh creates ('gre1').
interface gre1
  shortcut
  redirect
  non-caching
  multicast nhs


Step3. Configure /etc/racoon/racoon.conf

root@ubuntu:/etc/racoon# cat racoon.conf
# IKE daemon (racoon) configuration for the DMVPN hub.
path include "/etc/racoon/";
# Pre-shared keys, keyed by the spoke's WAN address (configured in Step 4).
# With 'remote anonymous' below this file is the only thing that
# authenticates a spoke, so keep it readable by root only and use a strong key.
path pre_shared_key "/etc/racoon/psk.txt";
# Phase 1 (IKE SA) settings, applied to any peer that connects.
remote anonymous {
    exchange_mode main;
    lifetime time 10800 seconds;
    my_identifier address;
    # Dead peer detection: probe the peer periodically and drop the IKE SA
    # after repeated misses (see racoon.conf(5) for the unit of each value).
    dpd_delay 30;
    dpd_retry 3;
    dpd_maxfail 6;
    # Spokes on the Internet side are often behind NAT, so allow NAT-T.
    nat_traversal on;
    # NOTE(review): single DES and DH group 1 (modp768) are obsolete and
    # considered breakable; prefer aes / modp2048 (or stronger) here if the
    # router's DMVPN/IPsec settings offer them -- both sides must match.
    proposal {
            encryption_algorithm des;
            hash_algorithm sha1;
            dh_group modp768;
            authentication_method pre_shared_key;
    }
}
# Phase 2 (IPsec SA) settings for the ESP transport-mode SAs that protect
# the GRE traffic (see /etc/ipsec-tools.conf).
sainfo anonymous {
    lifetime time 3600 seconds;
    compression_algorithm deflate;
    # NOTE(review): 3DES is legacy; prefer aes if the router supports it.
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
}


Step4. Configure /etc/racoon/psk.txt

Note: configure the IP address in psk.txt according to your router’s WAN IP address.


Step5. Configure the ipsec-tools.conf

root@ubuntu:/# cat /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# Start from an empty SAD (flush) and SPD (spdflush).
 flush;
 spdflush;
# Require ESP in transport mode for all GRE (IP protocol 47) traffic in both
# directions. The any-to-any selector covers every GRE packet on this host,
# not only gre1; with 'require', GRE that is not ESP-protected is not
# passed in the clear.
 spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
 spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in  ipsec esp/transport//require;


Step6. Create a script to start/stop the DMVPN

Note: set the local IP address in the script (the `local` argument of `ip tunnel add`) to your server’s IP address.

root@ubuntu:/# cat dmvpn.sh
#!/bin/sh
    start_nhrp() {
        # Launch the NHRP daemon (-d: run as a daemon); it reads the hub
        # settings from /etc/opennhrp/opennhrp.conf configured in Step 2.
        # Returns opennhrp's exit status.
        opennhrp -d
    }
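    stop_nhrp() {
        # Send SIGTERM first so opennhrp gets a chance to shut down cleanly;
        # escalate to SIGKILL only if it is still alive after a short grace
        # period. Returns 0 whether or not a daemon was running.
        killall opennhrp 2>/dev/null || return 0   # nothing to stop
        sleep 1
        killall -9 opennhrp 2>/dev/null || true
    }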
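    start_gre1() {
        # Create the hub end of the multipoint GRE tunnel (no fixed remote).
        # 'local' must be this server's own address (see the note above).
        # The GRE key only identifies the tunnel and must match the spokes;
        # it is not a secret, and GRE itself is unencrypted -- the IPsec
        # policy in /etc/ipsec-tools.conf is what protects the traffic.
        # Return non-zero as soon as a step fails (e.g. gre1 already exists
        # from an earlier 'start') so a caller that checks the status can
        # stop before launching a second set of daemons.
        ip tunnel add gre1 mode gre local 192.168.23.206 key 123456 ttl 64 || return 1
        ip addr add 10.0.0.1/24 dev gre1 || return 1
        ip link set gre1 up multicast on
    }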
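    stop_gre1() {
        # Tear down the tunnel using iproute2 only: 'ifconfig' (net-tools)
        # is not installed by default on current Ubuntu releases, and the
        # rest of this script already uses 'ip'.
        ip link set gre1 down
        ip tunnel del gre1
    }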
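    start_ipsec() {
        # Install the SPD entries that force ESP on GRE traffic, then start
        # the IKE daemon. If the policy cannot be loaded, stop here: starting
        # racoon would be pointless and GRE would otherwise run unprotected.
        setkey -f /etc/ipsec-tools.conf || return 1
        racoon -f /etc/racoon/racoon.conf
    }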
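    stop_ipsec() {
        # Stop the IKE daemon first (SIGTERM so it can shut down cleanly,
        # SIGKILL only if it is still running after a short grace period),
        # then flush the SAD and SPD so nothing can re-negotiate SAs after
        # the flush. Returns the status of the final flush.
        if killall racoon 2>/dev/null; then
            sleep 1
            killall -9 racoon 2>/dev/null || true
        fi
        setkey -F
        setkey -FP
    }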
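    ACTION="$1"
    # Dispatch on the requested action. 'start' brings the pieces up in
    # dependency order (tunnel, then IPsec, then NHRP) and stops at the
    # first failure so the daemons are not launched on a half-configured
    # tunnel; 'stop' tears them down. Anything else, including a missing
    # argument, prints usage and exits non-zero instead of silently doing
    # nothing.
    case "$ACTION" in
        start)
            start_gre1 && start_ipsec && start_nhrp
            ;;
        stop)
            stop_nhrp
            stop_gre1
            stop_ipsec
            ;;
        *)
            printf 'Usage: %s {start|stop}\n' "$0" >&2
            exit 1
            ;;
    esac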

Step7. Start the service using the script we created

root@ubuntu:~# chmod +x dmvpn.sh
root@ubuntu:~# ./dmvpn.sh start
opennhrp[19850]: OpenNHRP 0.14.1 starting
opennhrp[19850]: Interface lo: configured UP, mtu=0
opennhrp[19850]: Interface ens18: configured UP, mtu=1500
opennhrp[19850]: Interface gre0: config change, mtu=1476
opennhrp[19850]: Interface gretap0: config change, mtu=1462
opennhrp[19850]: Interface gre1: configured UP, mtu=1472
opennhrp[19850]: Interface gre1: GRE configuration changed. Purged 0 peers.
opennhrp[19850]: Filter code installed (21 opcodes)


Milesight Router Configuration

Enable DMVPN, then save and apply the settings.


Check connection status

Go to Status -> VPN on Milesight router’s Web GUI