DSVPN Protected by IPSec

DSVPN uses an mGRE tunnel to transmit data, but the mGRE tunnel does not encrypt that data, so transmission over the Internet is insecure. You are advised to deploy IPSec to ensure secure transmission of communication data between Spokes when DSVPN is used.

Figure 1 DSVPN protected by IPSec

On a DSVPN network, IPSec profiles are configured on the Hub and Spokes and bound to mGRE tunnel interfaces. mGRE tunnel setup will trigger IPSec tunnel setup. The implementation is as follows:
  1. All the Spokes on the network send NHRP Registration Request packets to the Hub and report the NHRP mapping entries to IPSec. The Internet Key Exchange (IKE) modules of the Spokes and the Hub negotiate with each other for IPSec tunnel parameters.
  2. The Hub generates local NHRP mapping entries between tunnel addresses and public network addresses of the Spokes based on the NHRP Registration Request packets received. The Hub then sends NHRP Registration Reply packets to the Spokes.
  3. The Spokes trigger mGRE tunnel setup as soon as they have traffic to send. For details about how to establish an mGRE tunnel, see Establishing mGRE Tunnels Between Spokes.
  4. After the Spokes establish an mGRE tunnel, the IPSec module obtains NHRP mapping entries, adds or deletes IPSec peers based on the mapping entries, and triggers the Spokes to dynamically establish an IPSec tunnel.
  5. After an IPSec tunnel is established between the Spokes, packets are routed based on the destination IP addresses. If the outbound interface is an mGRE interface, the Spoke searches the NHRP mapping table for the public network address mapping the next hop private address. After obtaining the public network address, the Spoke searches for the IPSec security association (SA) matching the public network address to encrypt the packets and send them.
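The forwarding logic in steps 4 and 5, written out as an added example (not Huawei's code) so the order of lookups is explicit: route lookup, then NHRP mapping lookup for the next-hop tunnel address, then IPSec SA lookup keyed by the public address. The Spoke class, the addresses and the SA identifiers are constructed for illustration; the "triggers" are modelled as returned actions rather than real IKE or NHRP messages.

```python
"""Simulation of the Spoke-side DSVPN + IPSec forwarding path (added example).

The routing table, NHRP mapping table and SA database below are
constructed sample data, not a real device configuration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IpsecSa:
    peer_public: str   # public (NBMA) address of the remote Spoke
    sa_id: str         # constructed identifier standing in for SPI/keys


@dataclass
class Spoke:
    name: str
    # routing table: destination prefix -> (next-hop tunnel address, outbound interface)
    routes: dict = field(default_factory=dict)
    # NHRP mapping table: tunnel (private) address -> public network address
    nhrp: dict = field(default_factory=dict)
    # IPSec SA database keyed by peer public address (step 4/5 of the text)
    sas: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def learn_nhrp(self, tunnel_addr: str, public_addr: str) -> None:
        """Step 4: a new NHRP mapping makes the IPSec module add a peer and set up an SA."""
        self.nhrp[tunnel_addr] = public_addr
        if public_addr not in self.sas:
            self.sas[public_addr] = IpsecSa(public_addr, f"sa-{len(self.sas) + 1}")
            self.events.append(f"ipsec sa established with {public_addr}")

    def remove_nhrp(self, tunnel_addr: str) -> None:
        """Mapping removal: the IPSec peer goes away when no mapping references it."""
        public = self.nhrp.pop(tunnel_addr, None)
        if public is not None and public not in self.nhrp.values():
            self.sas.pop(public, None)
            self.events.append(f"ipsec sa deleted for {public}")

    def lookup_route(self, dst_ip: str):
        """Longest-prefix match over the constructed routing table."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for prefix, entry in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, entry)
        return None if best is None else best[1]

    def forward(self, dst_ip: str) -> tuple:
        """Step 5: decide how a packet to dst_ip leaves this Spoke."""
        route = self.lookup_route(dst_ip)
        if route is None:
            return ("drop", "no route")
        next_hop, iface = route
        if not iface.startswith("Tunnel"):
            return ("plain", iface)            # not an mGRE interface: no IPSec involved
        public = self.nhrp.get(next_hop)
        if public is None:
            return ("nhrp-resolve", next_hop)  # step 3: resolution needed before mGRE setup
        sa = self.sas.get(public)
        if sa is None:
            return ("ipsec-negotiate", public)  # step 4: SA not yet established
        return ("encrypt", public, sa.sa_id)   # encrypt with the SA matching the public address


def demo() -> list:
    """Walk one Spoke through resolution, SA setup, forwarding and teardown."""
    spoke = Spoke("SpokeA")
    spoke.routes["10.2.0.0/24"] = ("172.16.0.3", "Tunnel0/0/0")   # remote branch via mGRE
    spoke.routes["10.1.0.0/24"] = ("0.0.0.0", "GigabitEthernet0/0/1")  # local LAN
    results = [spoke.forward("10.2.0.25")]       # no NHRP mapping yet
    spoke.learn_nhrp("172.16.0.3", "203.0.113.30")  # mapping learned, SA established
    results.append(spoke.forward("10.2.0.25"))   # encrypted towards the public address
    results.append(spoke.forward("10.1.0.7"))    # local traffic, no IPSec
    spoke.remove_nhrp("172.16.0.3")
    results.append(spoke.forward("10.2.0.25"))   # back to needing resolution
    return results


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Run it to see the sequence: the first packet cannot be sent until NHRP resolves the next hop, the second is encrypted with the SA bound to the resolved public address, local traffic never touches IPSec, and removing the mapping removes the SA so the cycle restarts.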
Compared with IPSec in traditional Hub-Spoke networking, integrating DSVPN and IPSec has the following advantages:
  • Traditional IPSec uses ACLs to identify the unicast traffic to be encrypted. The ACL configuration is complex and difficult to maintain. In DSVPN scenarios, you only need to bind mGRE tunnel interfaces to IPSec profiles, without defining complex ACLs, so network deployment is simpler.
  • Because an IPSec tunnel is dynamically established between Spokes, IPSec packets transmitted between Spokes are not decrypted or encrypted by the Hub. This shortens the packet forwarding delay.
When you deploy IPSec on a DSVPN network, the IPSec encapsulation mode can only be transport if two branches are connected to different NAT devices or the headquarters is connected to a NAT device. This is because NHRP cannot learn post-NAT IP addresses when the IPSec encapsulation mode is tunnel mode.
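To make the transport-versus-tunnel restriction concrete, here is an added example (not Huawei's code) that models a Spoke's NHRP Registration Request passing through a NAT device in each IPSec encapsulation mode and shows which source address the Hub sees after decrypting. The packet is represented as a list of headers; the addresses are constructed.

```python
"""Why tunnel mode hides post-NAT addresses from NHRP (added example).

Packets are modelled as a list of header dicts, outermost first.
All addresses are constructed sample values.
"""

SPOKE_PRE_NAT = "192.168.1.10"    # Spoke's address behind the NAT device
SPOKE_POST_NAT = "203.0.113.30"   # address the NAT device presents to the Internet
HUB_PUBLIC = "198.51.100.1"


def build_nhrp_registration(mode: str) -> list:
    """GRE-encapsulated NHRP registration protected by IPSec in the given mode."""
    gre = {"proto": "GRE", "payload": "NHRP Registration Request"}
    ip = {"proto": "IP", "src": SPOKE_PRE_NAT, "dst": HUB_PUBLIC}
    if mode == "transport":
        # ESP is inserted behind the original IP header; that header stays in the clear
        return [ip, {"proto": "ESP"}, gre]
    if mode == "tunnel":
        # the whole original packet is encrypted and a new outer IP header is added
        outer = {"proto": "IP", "src": SPOKE_PRE_NAT, "dst": HUB_PUBLIC}
        return [outer, {"proto": "ESP"}, ip, gre]
    raise ValueError(f"unknown IPSec mode: {mode}")


def apply_nat(packet: list) -> list:
    """Source NAT rewrites only the outermost IP header it can see."""
    translated = [dict(h) for h in packet]
    translated[0]["src"] = SPOKE_POST_NAT
    return translated


def hub_decrypt(packet: list) -> list:
    """Remove the ESP layer; tunnel mode also discards the outer IP header."""
    esp_index = next(i for i, h in enumerate(packet) if h["proto"] == "ESP")
    inner = packet[esp_index + 1:]
    if inner[0]["proto"] == "IP":
        return inner                          # tunnel mode: inner packet is complete
    return [packet[0]] + inner                # transport mode: original header is reused


def address_learned_by_nhrp(mode: str) -> str:
    """Source address NHRP on the Hub maps to the Spoke's tunnel address."""
    packet = hub_decrypt(apply_nat(build_nhrp_registration(mode)))
    return packet[0]["src"]


def nhrp_mapping_reachable(mode: str) -> bool:
    """The Hub can only reply to an address the Internet can route to."""
    return address_learned_by_nhrp(mode) == SPOKE_POST_NAT


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(mode, address_learned_by_nhrp(mode), nhrp_mapping_reachable(mode))
```

In transport mode the NAT-translated header is the one NHRP reads after decryption, so the Hub records the public address and can reach the Spoke; in tunnel mode the translated outer header is stripped and NHRP records the pre-NAT address, which is exactly the failure the text describes.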
Copyright © Huawei Technologies Co., Ltd.