VPN Types – Which VPN Protocols Support Multicast Traffic

best practicesmulticasttunnelvpn

At my work, we build mobile networks from scratch for customers regularly. (Mobile Networks: think battery powered LTE router with wifi.) Since we build from scratch we can be vendor agnostic and research ways to keep costs down.

There's the saying that to a hammer every problem is a nail. (To a cisco guy, every product can be solved with a Cisco Solution.) I'm a strong believer in using the right tool for the job. Thus I decided to work on a mental model of the strengths/best usage scenarios of different secure/trustworthy VPN technologies.
Then develop a working proficiency of each to add to my toolkit.

Here are noteworthy VPN types/protocols I'm reading up on. Note I've omitted VPN technologies I believe to be insecure or untrustworthy (NSA backdoors).

IKEv2/IPSec: (I read it's a better version of L2TP, that it can reestablish VPN connection, when the internet flaps, or switches between multiple networks, home, work, cellular.)
openVPN: Best for security. It's been audited. I'd like to know if it supports multicast. (I've read somewhere that it doesn't, but I also heard someone mentioned it can with a bridged mode.)
SoftEtherVPN: Creates a virtual hub that emulates a hardware switch, so can do multicast. It also has NAT Transversal features, which make it so you can have a VPN server behind a firewall that people can connect to without having to edit any firewall settings. (I think it's through a cloud relay).
GRE/IPSec VPN Tunnel: 2 Routers (cisco, pfsense, etc) can form a site to site link using this, which will allow multicast traffic. (Is this a site to site router only VPN protocol?)

Question: Of the aforementioned VPN tunnel protocols/types, which support multicast traffic inherently, transparently, or with minimal configuration.

Best Answer

IKE is (in massively simplified terms/practically explained) just a way of establishing an IPSec VPN tunnel, and IPSec VPN tunnels don't inherently support multicast.
You can put a GRE tunnel inside of an IPSec VPN tunnel which will support multicast, and other non-IP Layer 3 protocols, like apple talk, IPX, and NHRP, which explains why DMVPN which uses NHRP(a non-IP layer 3 protocol) for its magic depends on GRE.
There's a relatively new thing called VTI(Virtual Tunnel Interfaces)'s, which are IPSec VPN tunnels that support multicast. It only supports IP traffic though, doesn't support NHRP so couldn't be used for DMVPN. Note about relatively new: at this point, most commercial vendors support VTI's (cisco, juniper, etc). I've heard that VTIs make live easier in multi-vendor environments. Note StrongSwan is a Linux IKEv2 VPN Server that has recently added support for VTIs (VyOS is a Linux Router Distro with StrongSwan build in, so opensource router can form Site-to-Site VPN Bridge with commercial routers). I read that as of June 2017 pfsense doesn't support VTIs, but the VTI code will be available in a future version of FreeBSD which pfsense is based on, so maybe 2 years from now a new version of pfsense might support it.
OpenVPN: doesn't inherently support multicast traffic. I did read however that it has a Bridged VPN mode where it can support multicast traffic by treating it as a broadcast, someone on a random forums post I found via google-fu shared a story about 1 user watching a large multicast stream, which was then broadcast to all other users on the VPN connection, it acted as a denial of service for the other OpenVPN clients, so I wouldn't recommend OpenVPN for multicast.
EtherSoft is VPN Server Software: it offers its own home-brewed VPN server service that involves a virtual switch, it simultaneously offers OpenVPN server service, and a L2TP server service. From what I can tell mobile clients can only connect to the L2TP server. (which from what I've read is insecure due to exploits) It treats multicast traffic as broadcast traffic, it's "virtual hubs" have a default security policy that limits broadcast traffic/starts dropping traffic beyond a limit, you can lift the limit, but then you'd have the same issue as OpenVPN Bridge VPN mode.

Related Solutions

Cisco – Traffic from route-map to crypto-map

I have to give credit to @ron for this answer.

The policy map was never going to work the way it was previously. @ron suggested a gre tunnel, then protect that with ipsec.

interface Tunnel0
ip address 10.10.10.2 255.255.255.252
ip mtu 1420
tunnel source 1.1.1.1
tunnel destination 2.2.2.2
crypto map IOFVPN

and a route to point to the internal subnet on the remote side with a gateway of the remote side.

S    192.168.10.0/24 [1/0] via 10.10.10.1

I've never used gre before but I will now. Getting the tunnel up was pretty basic both on the cisco and linux ( openswan ) side. Once that was up and running I tested without ipsec.

On my fa0/0 interface, my internal I put:

ip policy route-map PROXY-REDIRECT

route-map proxy-redirect permit 100
 match ip address PROXY-REDIRECT
 set ip next-hop recursive 192.168.10.1

The matching ACL is:

ip access-list extended proxy-redirect
 deny   tcp host 192.168.30.13 any eq www
 permit tcp 192.168.30.0 0.0.0.255 any eq www
 permit tcp 192.168.30.0 0.0.0.255 any eq 443
 permit tcp 192.168.30.0 0.0.0.255 any eq irc
 permit tcp 192.168.30.0 0.0.0.255 any eq 6667
 deny   tcp 192.168.30.0 0.0.0.255 any eq 5938
 deny   tcp any any
 deny   udp any any
 deny   ip any any

As soon as I added that my traffic started passing the way I wanted it. I'll note here that this ACL could be shrunk. I added the implicit deny's because I was having the odd traffic pass over the link.

Once was verified working then I just needed to wrap it in ipsec. Configuring the Cisco side was easy.

crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key *********** address 2.2.2.2
!
!
crypto ipsec transform-set IOFSET2 esp-aes 192 esp-sha-hmac 
 mode transport
!
crypto map IOFVPN 1 ipsec-isakmp 
 description IOM
 set peer 2.2.2.2
 set transform-set IOFSET2 
 match address IPSEC-GRE-IOF

ip access-list extended IPSEC-GRE-IOF
 permit gre host 1.1.1.1 host 2.2.2.2

** Must use transport mode. It took me a bit to figure that one out.

Apply that crypto map to both f0/1 and tun0 and you have a tunnel.

The openswan side is what gave me trouble though this whole thing. Their config is a bit odd and it just took some getting used to.

At the end of the day all traffic that I want is peeled off and routed through an ipsec protected gre tunnel to a remote endpoint.

Enjoy.

Cisco VPN Clients Routing Over IPSec VPN – ACL Configuration

Obviously you aren't using a Cisco VPN client, as it monitors the route table and will remove your tampering immediately. Even if the routes stick, the ASA will ignore traffic that doesn't belong in the tunnel.

There are two possibilities at play here:

the ASA isn't configured to hairpin traffic
the ASA isn't configured to allow those networks through the tunnel

The first can be enabled via same-security-traffic permit inter-interface and same-security-traffic permit intra-interface.

The second requires changes to the VPN split-tunnel configuration, any ACLs restricting access, routes on other gateways to know where the vpn-pool lives, and finally ensure the site-to-site VPNs know about and allow that pool across their tunnel.

(The latter is why my ASA proxy's DHCP from the local LAN for clients. It essentially makes VPN clients look like nodes on the local LAN.)

[UPDATE]

With IOS, the crypto map defines what traffic goes in the tunnel(s). (match address clause) That info is provided to the IPSec client. (it creates a security-association (SA) for each rule of the ACL.)

(for the record, I don't use the old IPSec client engine anymore. I prefer the SSLVPN (webvpn) setup on both ASA and IOS -- the setup is nearly identical. ASA-IOS tunnels are still the old, complicated crypto map IPSec setup. IOS-IOS tunnels, I prefer Tunnel interfaces.)

Best Answer

Related Solutions

Cisco – Traffic from route-map to crypto-map

Cisco VPN Clients Routing Over IPSec VPN – ACL Configuration

Related Topic