Virtual Private Networks (VPNs) provide a secure means of transmitting and receiving data between network nodes even though many users share the physical network that carries the data. Privacy is maintained through a tunneling technique, such as generic routing encapsulation (GRE). The data transmitted between such network nodes may be encrypted to protect against eavesdropping and tampering by unauthorized parties. Because the physical network is shared, the cost of using its resources is generally reduced for each of the many users.
A particular type of VPN is known as a Dynamic Multipoint VPN (DMVPN). DMVPN allows users to scale both large and small Internet Protocol Security (IPSec) VPNs more easily by combining GRE tunnels, IPSec encryption, and the Next Hop Resolution Protocol (NHRP), which together simplify configuration.
IPSec VPNs are built as a collection of point-to-point links. The most efficient way to manage a growing collection of such point-to-point links is to arrange them into hub router-and-spoke router networks. All traffic from behind one spoke router (i.e., traffic from networks that must pass through the spoke router to reach the hub router) to a network behind another spoke router must first traverse the hub router and then be sent back out to the other spoke router.
Routers define nodes in a network, and data travels between the nodes in a series of so-called “hops” over the network. Since each router is typically connected to multiple other routers, there may be multiple potential paths between a given pair of computers. Typically, routing information is maintained in a routing table in each router, which is used to determine a path to a destination computer or network. The router makes a routing decision, using the routing table, to identify the next “hop,” i.e., the next router to which the data is sent in order for it to ultimately reach the destination computer.
In a DMVPN environment, each spoke router has a “permanent” (i.e., always-on) IPSec tunnel to a hub router, but not to the other spoke routers within the network. Each spoke router registers as a client of the NHRP server, which may reside in the hub router. The hub router maintains an NHRP database of the publicly routable address(es) of each spoke router. Each spoke router registers the binding between its “publicly routable” address and its (private) tunnel address when it boots, and it can then query the hub's NHRP database for the publicly routable addresses of destination (remote) spoke routers in order to build direct tunnels to them when needed.
When a spoke router needs to send a packet to a destination subnet behind another (remote) spoke router, it queries the NHRP server for the publicly routable address of that remote spoke router. The spoke router also obtains the ‘next hop’ for that destination spoke router from the NHRP server. After the originating spoke router learns the peer address of the remote spoke router, it can initiate a dynamic IPSec tunnel to the remote spoke router. Spoke router-to-spoke router tunnels are established on demand whenever there is traffic between the spoke routers. Thereafter, packets bypass the hub router and use the spoke router-to-spoke router tunnel. Once the transfer is complete, the spoke router-to-spoke router tunnel is torn down.
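The registration and resolution sequence described above, as an added worked example that is not part of the original document: a small Python model in which spokes register their address bindings with the hub's NHRP server at boot, resolve a remote destination to obtain the next hop and publicly routable address, and bring up and later tear down the dynamic spoke-to-spoke tunnel. All addresses and subnets are constructed sample values, and the classes are a simplified model rather than a real NHRP implementation.

```python
import ipaddress

# Constructed model of DMVPN NHRP registration and resolution; not a real
# NHRP implementation and not code from the original document.

class NhrpServer:
    """NHRP server residing on the hub router."""

    def __init__(self):
        self.bindings = {}  # tunnel (private) address -> publicly routable address
        self.subnets = {}   # destination subnet -> tunnel address of the serving spoke

    def register(self, tunnel_addr, public_addr, subnets):
        # Called by a spoke at boot over its always-on IPsec tunnel to the hub;
        # the binding is trusted because that tunnel authenticates the spoke.
        self.bindings[tunnel_addr] = public_addr
        for subnet in subnets:
            self.subnets[ipaddress.ip_network(subnet)] = tunnel_addr

    def resolve(self, dest_ip):
        """Return (next-hop tunnel address, public address) for dest_ip, or None."""
        ip = ipaddress.ip_address(dest_ip)
        for subnet, tunnel_addr in self.subnets.items():
            if ip in subnet:
                return tunnel_addr, self.bindings[tunnel_addr]
        return None

class Spoke:
    def __init__(self, tunnel_addr, public_addr, subnets, hub):
        self.tunnel_addr, self.hub = tunnel_addr, hub
        self.dynamic_tunnels = set()  # public addresses of peers with a live direct tunnel
        hub.register(tunnel_addr, public_addr, subnets)

    def send(self, dest_ip):
        """Forward one packet; returns the path taken and the peer's public address."""
        resolved = self.hub.resolve(dest_ip)
        if resolved is None:
            return ("drop", None)           # no registered spoke serves this subnet
        next_hop, peer_public = resolved
        if next_hop == self.tunnel_addr:
            return ("local", None)          # destination is behind this spoke
        if peer_public in self.dynamic_tunnels:
            return ("direct", peer_public)  # spoke-to-spoke tunnel bypasses the hub
        # First packet goes via the permanent hub tunnel while the dynamic
        # spoke-to-spoke IPsec tunnel is brought up for subsequent packets.
        self.dynamic_tunnels.add(peer_public)
        return ("hub", peer_public)

    def teardown(self, peer_public):
        """Remove the dynamic tunnel once the transfer is complete."""
        self.dynamic_tunnels.discard(peer_public)
```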
DMVPN provides on-demand creation of IPSec-encrypted GRE tunnels for direct spoke router-to-spoke router communication and can even build a fully meshed network if needed. The spoke router-to-spoke router tunnels are created dynamically, based on interesting traffic from one spoke router site to another spoke router site, so as to bypass the hub router. A spoke router site includes any of the hosts (also referred to as network devices) behind a spoke router of the DMVPN network as well as the spoke router itself.