Policy-Based Automation of Dynamique and Multipoint Virtual Private Network Simulation on OPNET Modeler

Article in International Journal of Advanced Computer Science and Applications, January 2014
DOI: 10.14569/IJACSA.2014.051201
Author: Ayoub Bahnasse, Université Hassan II de Casablanca
Uploaded by Ayoub Bahnasse on 25 February 2017.

(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 5, No. 12, 2014

Policy-Based Automation of Dynamique and Multipoint Virtual Private Network Simulation on OPNET Modeler

Ayoub BAHNASSE and Najib EL KAMOUN
Department of physics, Faculty of science El Jadida, University Chouaïb Doukali, El Jadida, MOROCCO

Abstract—The simulation of large-scale networks is a challenging task, especially if the network to simulate is a Dynamic Multipoint Virtual Private Network, which requires expert knowledge to properly configure its component technologies. The study of these network architectures in a real environment is almost impossible because it requires a very large amount of equipment; however, the task is feasible in a simulation environment like OPNET Modeler, provided that both the tool and the different architectures of the Dynamic Multipoint Virtual Private Network are mastered.

Several research studies have been conducted to automate the generation and simulation of complex networks under various simulators; according to our research, no work has dealt with the Dynamic Multipoint Virtual Private Network. In this paper we present a simulation model of the Dynamic and Multipoint Virtual Private Network in OPNET Modeler, and a WEB-based tool for project management on the same network.

Keywords—VPN; multipoint; Opnet; automation; DMVPN; cloud; policy-based; WEB-BASED

I. INTRODUCTION

Dynamic Multipoint Virtual Private Network "DMVPN" is a solution for building dynamic Virtual Private Network tunnels in an easy, scalable and dynamic manner, supported on Cisco IOS routers and Unix operating systems. DMVPN is based on standard technologies such as the Next Hop Resolution Protocol (NHRP) and multipoint Generic Routing Encapsulation (mGRE) for the dynamic creation of tunnels, Internet Protocol Security (IPsec) to secure data exchanges between multiple sites, and routing protocols to route data optimally [1] [2]; several scientific studies have been conducted on the effect of routing protocols on Non-Broadcast Multi-Access (NBMA) networks [3] [4]. The HUB maintains in its NHRP cache the public and tunnel IP addresses of each SPOKE on the same network. The protocol is based on the client-server principle: the spokes (NHRP clients) send periodic NHRP updates containing their public and tunnel addresses to the HUB (the NHS, or Next Hop Server) of the network. For example, when SPOKE1 wants to communicate with SPOKE2, SPOKE1 consults the NHRP cache of the NHS to determine the public IP address associated with the tunnel IP address of SPOKE2. Thanks to the mGRE protocol, a single GRE interface can maintain multiple IPsec tunnels, which both simplifies configuration and saves time. The GRE protocol encapsulates various higher-layer protocols and carries all traffic types (unicast, multicast and broadcast), but does not provide any authentication, integrity or confidentiality mechanism. IPsec is a suite of protocols comprising Encapsulating Security Payload (ESP) and Authentication Header (AH): the first ensures the integrity, authentication and confidentiality of exchanges, the second provides integrity and authentication for data exchanges. IPsec operates in two modes, tunnel and transport. Transport mode does not change the initial header; it sits between the network and transport layers of the OSI model, and in this mode NAT can cause an integrity problem [5]. Tunnel mode replaces the original IP header and encapsulates the entire packet.

OPNET Modeler is a software tool for network modeling and simulation. It allows the design and study of communication in large-scale networks, devices, protocols and applications with great flexibility; it allows the study of system performance under varying conditions, and it also contributes to the development of new protocols and architectures, their optimization, and the analysis of the impact of emerging technologies. Several books have been written to master the OPNET Modeler environment and properly handle its associated objects [6, 7].

An Opnet project can be set up by several methods, including: dragging and dropping objects onto the workspace; Data Router configuration, which creates the project from the configuration files of routers such as Cisco and Juniper (to benefit from this feature, the Multi Vendor Import "MVI" module must be turned on from license management); and Extensible Markup Language "XML", where the required form of the XML file to import into Opnet is specified in the Document Type Definition "DTD", whose file path is <opnet_dir>/<reldir>/sys/etc/network.dtd.

The simulation of communication networks is paramount in the design process, planning and optimization of architectures. Through a simulation environment, many conditions can be studied, such as scalability, that are difficult to reproduce in a real environment because of its very high cost, as is the case for the simulation of dynamic and multipoint virtual private networks. Several scientific research simulators can be


used, such as OPNET Modeler and NS2 [8, 9, 10], but managing a dynamic and multipoint VPN under the OPNET Modeler simulator requires mastery of the tool first and of the technology second. This is a good motivation to develop a system for automatically creating projects for the various architectures of the same network; for this reason we have created an automation model for simulating dynamic multipoint, multi-architecture Virtual Private Networks, and a GUI man-machine application designed for this type of network.

The simulation of a large-scale network such as DMVPN in a simulator such as Opnet Modeler requires mastery of both VPN technology and the simulator, and since these VPNs can be composed of hundreds, sometimes thousands, of sites, simulating them by the manual method without mistakes is a big challenge. Various works have been done on the automation of network simulations for Opnet Modeler [11, 12] and on the design of a GUI-based tool for the conversion of simulation scenarios to the XML files meant for various simulators [13]; unfortunately, according to our research, no automation model for the generation and simulation of such networks has been proposed. This is a good motivation to develop a new model for automating simulations of DMVPN networks for Opnet Modeler, "DMVPN Automatic Simulation", and to create a WEB-based tool for personalized management of projects.

The rest of the paper is organized as follows: in Section 2 we discuss the developed model "DMVPN Automatic Simulation" and define its various modules; in Section 3 we describe thoroughly the various steps required by the model to automatically generate projects; Section 4 is reserved for a sample demonstration of the automatic generation of a project using the implemented application; and we conclude in Section 5.

II. DMVPN AUTOMATIC SIMULATION MODEL

The DMVPN Automatic Simulation model [Fig. 1] allows policy-based simulation automation for the multi-architecture DMVPN network in Opnet Modeler, using a web graphical interface. The model is composed of two main agents, "User Policies Definition" and "Treatment and generation".

Fig. 1. Architecture of DMVPN Automatic Simulation

A. User Policies Definition:

This agent allows the attributes of the security and routing policies of the DMVPN network to be defined through a graphical man-machine interaction.

This agent is composed of several modules: Architecture Module, Tunnel Module, Security Module, Routing Module and Key Module.

• Architecture Module: This module defines the type of architecture to handle: Single Hub Single Cloud or Multiple Hub Multiple Cloud.
• Tunnel Module: This module is responsible for establishing tunnels between the Hubs and Spokes depending on the type of architecture described in the previous module. The identification and authentication of tunnels is made using the Key Module attributes.
• Security Module: This module defines the IPsec protocol to use, which can be AH or ESP, and the encryption protocols (DES, 3DES, AES) and integrity protocols (MD5, SHA) for the two IKE phases; by default the mode used is transport, to avoid a third encapsulation of the IP header.
• Key Module: This module defines the identification key of the tunnel, the DMVPN cloud ID, the authentication key for access to the DMVPN network, and the IPsec password.
• Routing Module: This module allows the generation of a more suitable routing protocol configuration for a specific DMVPN architecture; the proposed model supports Routing Information Protocol version 2 (RIPv2), Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF) and Interior Border Gateway Protocol (iBGP).

B. Treatment and generation:

This agent describes the processing that occurs on the server side, converting the user data into an already configured project ready to be simulated in Opnet Modeler. This agent is composed of three modules:

• Device personalization module: This module allows the generation of nodes (routers and IPv4 clouds) with a customized number of interfaces according to the user-specified architecture.
• XML to map OPNET Module: This module checks the attributes of the file network.dtd to prepare a customized XML file with the user-specified data; XML attributes may differ from one architecture to another, and the equipment generated by the previous module is defined in the XML file.
• Project generation module: This module generates the XML file prepared by the previous module and runs the simulation in Opnet Modeler.
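As an added example that is not part of the paper or its tool, the following Python sketch implements the two agents of Section II with the value sets the paper lists, and applies the HUB priority rule of Section III, step 6. The Device and Policy records, the XML element names and the sample values are assumptions: OPNET's real import format is defined by network.dtd, which the paper does not reproduce.

```python
from collections import namedtuple
import xml.etree.ElementTree as ET

# Allowed values exactly as the paper's Architecture, Security and Routing modules list them.
ARCHITECTURES = {"Single Hub Single Cloud", "Multiple Hub Multiple Cloud"}
ENCRYPTION, INTEGRITY = {"DES", "3DES", "AES"}, {"MD5", "SHA"}
ROUTING = {"RIPv2", "EIGRP", "OSPF", "iBGP"}

# One device as entered in the identity window; priority matters for HUBs only (Section III, step 6).
Device = namedtuple("Device", "name public_ip private_ip outside_if priority", defaults=(0,))
# ike1/ike2 are (encryption, integrity) pairs for the two IKE phases; keys holds the Key Module
# attributes nhrp_password, mgre_key and nhrp_network_id; mode defaults to transport as in the paper.
Policy = namedtuple("Policy", "architecture hubs spokes ike1 ike2 ipsec_proto routing keys mode",
                    defaults=("transport",))

def validate(p):
    """User Policies Definition agent: return the list of policy errors (empty means accepted)."""
    checks = [(p.architecture, ARCHITECTURES, "architecture"), (p.routing, ROUTING, "routing protocol"),
              (p.ipsec_proto, {"AH", "ESP"}, "IPsec protocol"),
              (p.ike1[0], ENCRYPTION, "IKE1 encryption"), (p.ike1[1], INTEGRITY, "IKE1 integrity"),
              (p.ike2[0], ENCRYPTION, "IKE2 encryption"), (p.ike2[1], INTEGRITY, "IKE2 integrity")]
    errs = [f"unsupported {label}: {val!r}" for val, allowed, label in checks if val not in allowed]
    if p.architecture == "Single Hub Single Cloud" and len(p.hubs) != 1:
        errs.append("Single Hub Single Cloud needs exactly one HUB")
    missing = [k for k in ("nhrp_password", "mgre_key", "nhrp_network_id") if not p.keys.get(k)]
    if missing:
        errs.append("Key Module attributes missing: " + ", ".join(missing))
    return errs

def hub_roles(hubs):
    """Section III, step 6: equal priorities -> equal-cost load balancing between HUBs,
    otherwise the highest priority is primary and the others are secondary."""
    if len({h.priority for h in hubs}) == 1:
        return {h.name: "load-balanced" for h in hubs}
    top = max(h.priority for h in hubs)
    return {h.name: "primary" if h.priority == top else "secondary" for h in hubs}

def to_xml(p):
    """Treatment and generation agent: serialise an accepted policy as an XML project description.
    Element and attribute names are hypothetical, not those of OPNET's network.dtd."""
    root = ET.Element("dmvpn_project", architecture=p.architecture, routing=p.routing)
    roles = hub_roles(p.hubs)
    for kind, devs in (("HUB", p.hubs), ("SPOKE", p.spokes)):
        for d in devs:
            node = ET.SubElement(root, "node", kind=kind, name=d.name, public_ip=d.public_ip,
                                 private_ip=d.private_ip, outside_if=d.outside_if)
            if kind == "HUB":
                node.set("role", roles[d.name])
    ET.SubElement(root, "ipsec", protocol=p.ipsec_proto, mode=p.mode,
                  ike1="/".join(p.ike1), ike2="/".join(p.ike2))
    # The shared secrets are written into the file, so the generated project must be stored as sensitive data.
    ET.SubElement(root, "tunnel", **p.keys)
    return ET.tostring(root, encoding="unicode")
```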


III. FUNCTIONING OF THE DMVPN AUTOMATIC SIMULATION MODEL

In this section we describe the various steps required by the DMVPN Automatic Simulation model to automatically generate projects; [Fig. 2] shows the operation of the model.

Fig. 2. Flow chart illustrating the operation of DMVPN Automatic Simulation

1) The user must choose the architecture to deploy: Single Hub Single Cloud or Multiple Hub Multiple Cloud;
2) If the user chooses to simulate the Single Hub Single Cloud architecture, the number of Spokes to deploy must be specified; according to the number specified by the user, a graphical user interface is generated automatically, composed of n + 1 rows, where n is the number of Spokes and 1 is the HUB line;
3) The user must specify for each device its public IP address, private IP address and the name of the public interface;
4) The user defines graphically the security settings of IKE Phase 1 and 2, specifies the NHRP password and the NHRP and mGRE keys, and finally chooses the routing protocol (RIPv2, EIGRP, OSPF, iBGP);
5) If the user chooses Multiple Hub Multiple Cloud, the number of Hubs and Spokes to deploy must be specified;
6) The user must specify for each device its public IP address, private IP address, the name of the public interface and the priority of each HUB; if the routers have the same priority, equal-cost load balancing is performed between the HUBs, otherwise the router with the highest priority is the primary router and the others are considered secondary;
7) The user defines graphically the security settings of IPsec IKE Phase 1 and 2, specifies the NHRP password and the NHRP and mGRE keys, and finally chooses the routing protocol (RIPv2, EIGRP, OSPF, iBGP);
8) The nodes are created with a customized number of interfaces according to the user-specified architecture;


9) The XML attributes to be used for a specific version of Opnet Modeler are prepared according to the DTD file of the currently installed version of Opnet Modeler;
10) The final generated XML file contains the position of each node and its associated configuration, ready to be simulated in Opnet Modeler.

IV. DEMONSTRATION AND GUIDED VISIT

In order to validate the designed model, an implementation is required. The tool created is based on a guided web graphical interface that is extremely easy to manipulate; any web browser and operating system can be used.

The developed tool (DMVPN Automatic Simulation Tool) has two main purposes. The first is to provide user-friendly entry and editing of the parameters of the DMVPN network. The second is to automatically map the user parameters into an OPNET Modeler project and create custom nodes.

Fig. 3. Use Case Diagram of proposed tool

The modeling procedure [Fig. 3] consists of four steps:

Step 1: The user must choose the architecture to deploy;
Step 2: The user must indicate for each specific device its identity information (public, private and tunnel IP addresses, outside interface and private address mask);
Step 3: The user must indicate the security policy (IPsec attributes, NHRP password, and mGRE and NHRP keys) and the routing protocol (RIPv2, EIGRP, OSPF, iBGP) to be applied to all equipment in the same architecture;
Step 4: The DMVPN Automatic Simulation Tool automatically converts the user parameters into an XML configuration file ready to be simulated under OPNET Modeler.

The following demonstration is for the simulation of a DMVPN network with the Single Hub Single Cloud architecture, composed of two Spokes.

Step 1- Specify the architecture to simulate:

Through the menu [Fig. 4], the user can choose to deploy a Single Hub Single Cloud architecture (1) or a Multiple Hub Multiple Cloud architecture (2).

Fig. 4. Main Menu

A window appears [Fig. 5], prompting the user to specify the number of Spokes to deploy (4).

Fig. 5. Specifying the number of Spokes to deploy

Step 2 : Define identity information:


Fig. 6. Specifying equipment data

After specifying the number of Spokes to install, a window [Fig. 6] is displayed. The window is mainly composed of two parts: identity configuration (5) and security and routing policies configuration (6). The tab (5) consists of two sections, HUB Configuration (7) and Spokes Configuration (8); both sections are composed of the following fields: public IP address (9), outside interface (10), private IP address (11), subnet mask of the private address (12), and an option (13) to reset all fields of the current window.

Step 3 : Define security policy and routing protocol:

Fig. 7. Configuration of security and routing policies

The second section, security and routing policies configuration [Fig. 7], consists of four main sections: IPsec phase 1 configuration (15), IPsec phase 2 configuration (16), protection of the tunnel (17) and the choice of routing protocol (18).

Section (15) is composed of three fields: the choice of encryption protocol (19), the integrity protocol (20) and the password for key derivation (21).


Section (16) is composed of three fields: the IPsec protocol to use, ESP or AH (22), and the encryption and integrity protocols, respectively (23) and (24); the default mode is set to Transport.

Section (17) is composed of three fields: the NHRP password of the current network (25), the mGRE tunnel key (26), used to separate tunnels and provide authentication, and the identifier of the NHRP network (27).

The last section (18) allows the user to pick from a list the protocol to be implemented, which can be one of RIPv2, EIGRP, OSPF or iBGP (28).

Step 4 : Import generated XML File to OPNET Modeler:

After completing the customization of the architecture, the submit button (29) sends the user parameters to the remote server in order to generate the custom nodes and an XML file containing the configuration of the project, ready to be simulated in Opnet Modeler [Fig. 8].

Fig. 8. Resulting XML file

The final step consists of importing the generated XML file into Opnet Modeler; [Fig. 9] illustrates the resulting topology.

Fig. 9. Designed and configured Architecture

V. CONCLUSION

Manual simulation of a Dynamic Multipoint multi-architecture VPN network in Opnet Modeler is a time-consuming task which also requires expertise in both the technology to simulate and the simulator, and the margin of error is not null. The proposed model and the designed tool allow the automation of the generation of dynamic multipoint multi-architecture VPN scenario projects for Opnet Modeler, based on a WEB-based interface that is easy to manipulate.

The model was implemented and tested on a Single Hub Single Cloud architecture consisting of ten Spokes; the time required by an expert in VPN networks and Opnet Modeler for the manual set-up of this architecture is 40 minutes, which we reduced to 3 minutes with the proposed model; in addition to the time saving, the margin of error is null.

The independence of the modules of the proposed model will allow future work to adapt it to other simulators such as the NS3 simulator.


REFERENCES

[1] Asati, R., Khalid, M., Retana, A. E., Van Savage, D., & Sethi, P. P. (2013). U.S. Patent No. 8,346,961. Washington, DC: U.S. Patent and Trademark Office.
[2] Chen, H. (2011, May). Design and implementation of secure enterprise network based on DMVPN. In Business Management and Electronic Information (BMEI), 2011 International Conference on (Vol. 1, pp. 506-511). IEEE.
[3] Jankuniene, R., & Jankunaite, I. (2009, June). Route creation influence on DMVPN QoS. In Information Technology Interfaces, 2009. ITI'09. Proceedings of the ITI 2009 31st International Conference on (pp. 609-614). IEEE.
[4] Thorenoor, S. G. (2010, April). Dynamic routing protocol implementation decision between EIGRP, OSPF and RIP based on technical background using OPNET modeler. In Computer and Network Technology (ICCNT), 2010 Second International Conference on (pp. 191-195). IEEE.
[5] Aboba, B., & Dixon, W. (2004). RFC 3715: IPsec-Network Address Translation (NAT) Compatibility Requirements.
[6] Lu, Zheng, and Hongji Yang. Unlocking the power of OPNET modeler. Cambridge University Press, 2012.
[7] Ibrahim, Q., & Khudher, I. A. (2011). Network Simulation Guide: Lecture Notes and Lab Manual.
[8] Altman, E., & Jimenez, T. (2012). NS Simulator for beginners. Synthesis Lectures on Communication Networks, 5(1), 1-184.
[9] Siraj, S., Gupta, A., & Badgujar, R. (2012). Network simulation tools survey. International Journal of Advanced Research in Computer and Communication Engineering, 1(4), 199-206.
[10] Borboruah, G., & Nandi, G. (2014). A Study on Large Scale Network Simulators. International Journal of Computer Science and Information Technologies, 5(6), 7318-7322.
[11] Mohorko, J., Klampfer, S., Fras, M., & Cucej, Z. Expert System for Automatic Analysis of Results of Network Simulation.
[12] Li, H., & Lin, X. (2005, October). An OPNET-based 3-tier network simulation architecture. In Communications and Information Technology, 2005. ISCIT 2005. IEEE International Symposium on (Vol. 2, pp. 793-796). IEEE.
[13] Canonico, R., Emma, D., & Ventre, G. (2003, October). An XML description language for web-based network simulation. In Distributed Simulation and Real-Time Applications, 2003. Proceedings. Seventh IEEE International Symposium on (pp. 76-81). IEEE.
