

Configuring NHRP Overview


ScreenOS devices support autoconnect virtual private networks (ACVPNs) in a hub-and-spoke network topology. ACVPN provides a way for you to configure your hub-and-spoke network so that spokes can dynamically create VPN tunnels directly between each other as needed. This not only solves the problem of latency between spokes but also reduces processing overhead on the hub and thus improves overall network performance. Additionally, because ACVPN creates dynamic tunnels that time out when traffic ceases to flow through them, network administrators are freed from the time-consuming task of maintaining a complex network of static VPN tunnels.

After you set up a static VPN tunnel between the hub and each of the spokes, you configure ACVPN on the hub and the spokes and then enable the Next Hop Resolution Protocol (NHRP). The hub uses NHRP to obtain a range of information about each spoke, including its public-to-private address mappings, subnet mask length, and routing and hop count information, which the hub caches. Then, when any spoke begins communicating with another spoke (through the hub), the hub uses this information, in combination with information obtained from the ACVPN configuration on the spokes, to enable the spokes to set up an ACVPN tunnel between themselves. While the tunnel is being negotiated, communication continues to flow between the two spokes through the hub. When the dynamic tunnel becomes active, the hub drops out of the link and traffic flows directly between the two spokes. When traffic ceases to flow through the dynamic tunnel, the tunnel times out.
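The hub-side caching and lookup described above can be sketched as a small model. This is an added example, not ScreenOS code or Juniper's implementation: the class and function names are hypothetical, the addresses are constructed, and treating the 300-second default as the lifetime of a cache entry is an assumption made for the model.

```python
import ipaddress

class HubNhrpCache:
    """Toy model of the hub cache: spoke private subnet -> spoke public address."""

    def __init__(self, hold_time=300):
        self.hold_time = hold_time   # assumption: seconds a cached entry stays valid
        self._entries = {}           # ip_network -> (public address, expiry time)

    def register(self, private_subnet, public_ip, now):
        """Record what a spoke reported: its subnet (with mask length) and public IP."""
        net = ipaddress.ip_network(private_subnet)
        self._entries[net] = (str(ipaddress.ip_address(public_ip)), now + self.hold_time)

    def resolve(self, private_ip, now):
        """Return the public address of the spoke that owns private_ip, or None."""
        addr = ipaddress.ip_address(private_ip)
        # Drop entries whose lifetime has passed so stale mappings are never used.
        self._entries = {n: e for n, e in self._entries.items() if e[1] > now}
        matches = [n for n in self._entries if addr in n]
        if not matches:
            return None
        # The cached mask length lets the hub pick the most specific subnet.
        best = max(matches, key=lambda n: n.prefixlen)
        return self._entries[best][0]

def shortcut_endpoints(cache, src_ip, dst_ip, now):
    """Public endpoints for a spoke-to-spoke tunnel, or None to keep relaying via the hub."""
    src_pub = cache.resolve(src_ip, now)
    dst_pub = cache.resolve(dst_ip, now)
    if src_pub is None or dst_pub is None or src_pub == dst_pub:
        return None
    return (src_pub, dst_pub)

if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    cache = HubNhrpCache()
    cache.register("10.1.0.0/16", "203.0.113.10", now=0)
    cache.register("10.2.0.0/16", "198.51.100.20", now=0)
    print(shortcut_endpoints(cache, "10.1.1.5", "10.2.9.9", now=150))
    print(shortcut_endpoints(cache, "10.1.1.5", "10.2.9.9", now=350))
```

When either side's entry is missing or expired, the model returns `None`, which corresponds to traffic continuing to flow through the hub.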

In cases where the hub fails and the dynamic tunnel expires, the spokes cannot reestablish the connection. To avoid this, ScreenOS 6.3 allows you to configure two hubs on the same virtual router (VR) so that connectivity is not lost even if one hub fails.

As ACVPN supports dynamic routing protocols, traffic from other subnets behind the spoke that needs to be routed through a hub may pass through the dynamic tunnel already created by the first cached subnet. To avoid this, ScreenOS 6.3 allows you to disable the dynamic routing operation on the ACVPN tunnel. Additionally, you can redistribute routes learned from NHRP into dynamic routing protocols such as BGP, OSPF, and RIP. In the same way, routes learned by the dynamic routing protocols can be redistributed automatically into the NHRP routing instance.

The following procedure explains how ACVPN works:

  1. Adjust the topology to assign the VPN and gateway.

  2. Assign the ACVPN—dynamic and next-hop server (NHS) IP address.

  3. Set the NHRP redistribute rules.

  4. Add NHRP to the redistribute rules of other dynamic routing protocols such as OSPF, BGP, and RIP.

  5. Set the routing on the tunnel interface.

You can configure the NHRP parameters as described in Table 1.

Table 1: NHRP Parameters

| NHRP Parameters | |
| --- | --- |
| | Enables the NHRP parameters. |
| Hold Time | Configures the number of seconds that NHRP waits before updating the routing table. Default is 300. |
| No of Query’s before giveup | Specifies the attempts that a query updates the routing table. |
| Res-Req. Retry Interval | Ensures that the NHS has current information about its subnetworks by having the next-hop client (NHC) periodically send Resolution Request messages to the NHS at regular intervals. If any devices have been added to or removed from their subnetworks, that information is contained in the Resolution Request message, and the NHS updates its cache and retries at regular intervals. |
| | Specifies the autoconnect virtual private network profile. Select any value from the drop-down list. |
| | Specifies the autoconnect virtual private network dynamic routers. Select any value from the drop-down list. |
| NHS IP Address | Next hop server IP address in a hub-and-spoke network. |
| NHS IP Address 2 | Next hop server IP address 2 in a hub-and-spoke network. |