GRE over IPSec Site to Site VPN
IPSEC VERSUS IPSEC GRE
As we mentioned, GRE provides no form of payload confidentiality or encryption. If the packets are sniffed on the public transit networks, their contents are in plain text.
IPSec solves this security concern in GRE by encrypting part or all of the GRE packets.
GRE OVER IPSEC TUNNEL:
GRE over IPSec tunnels support multicast traffic, while standalone IPSec does not. For this reason it is advisable to implement GRE over IPSec tunnels where routing protocols like EIGRP or OSPF are in use. These protocols send their routing information across the tunnel via multicast, so GRE over IPSec is the most suitable option: it allows that traffic through the tunnel and provides secure transport for it.
There are two IPSec modes – tunnel and transport.
This configuration example will show the default, tunnel-mode IPSec encryption, which protects the entire GRE header and payload.
Setup:
Steps to follow:
- Create GRE tunnel
- Configure IKE/ISAKMP policy (IKE phase 1)
- Specify PSK and peer
- Identify interesting traffic
- Configure transform set (IKE phase 2)
- Configure crypto map
- Apply crypto map to an interface
- Verify the tunnel and traffic
CREATE GRE TUNNEL
Hq(config)#interface tunnel0
Hq(config-if)#tunnel mode gre ip
Hq(config-if)#ip address 172.16.1.1 255.255.255.0
Hq(config-if)#tunnel source g0
Hq(config-if)#tunnel destination 41.72.102.3
I. CONFIGURE AN ISAKMP POLICY.
Note: The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.
Hq(config)#crypto isakmp policy 1 // 1 is the priority of the policy
Hq(config-isakmp)#authentication pre-share
Hq(config-isakmp)#hash sha
Hq(config-isakmp)#group 5 // Diffie-Hellman group; handles the exchange of keys
Hq(config-isakmp)#lifetime 86400 // phase 1 SA lifetime in seconds
II. SPECIFY PRE-SHARED KEY AND THE PEER.
Hq(config)#crypto isakmp key cisco address 41.72.102.3
41.72.102.3 is the public IP of the peer router, the same address used as the tunnel destination and as the crypto map peer.
III. DEFINE INTERESTING TRAFFIC USING AN EXTENDED ACCESS LIST:
Hq(config)#ip access-list extended important
Hq(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
IV. CONFIGURE TRANSFORM-SET
Hq(config)#crypto ipsec transform-set R1-R2 esp-aes esp-sha-hmac
esp-aes – encryption method (ESP with AES)
esp-sha-hmac – hashing/authentication method (ESP with SHA-1 HMAC)
The transform set is an IPSec (phase 2) setting, so it is configured with crypto ipsec transform-set; the ESP transform names select the encryption algorithm and the authentication hash, and the same name and algorithms must be used on the peer.
V. CONFIGURE CRYPTO MAP AND BIND IT TO A PEER, TRANSFORM-SET AND MATCH THE INTERESTING TRAFFIC.
Hq(config)#crypto map R1-R2_map 1 ipsec-isakmp
Hq(config-crypto-map)#set peer 41.72.102.3
Hq(config-crypto-map)#set transform-set R1-R2
Hq(config-crypto-map)#match address important
VI. APPLY CRYPTO MAP TO THE INTERFACE (THE PHYSICAL INTERFACE):
Hq(config)#interface g0
Hq(config-if)#crypto map R1-R2_map
Now configure the remote router (office2 branch) using the same IPSec configuration template. Make sure to change the local and remote IPs as necessary.
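The branch-side counterpart, as an added example that is not part of the original post. It assumes the branch router is named Branch, its g0 holds the public address 41.72.102.3, its LAN is 10.10.10.0/24 on GigabitEthernet1, its tunnel address is 172.16.1.2, and <HQ_PUBLIC_IP> is a placeholder for the Hq public address the post does not give; it also sets the ISAKMP encryption algorithm explicitly and matches GRE between the two public addresses in the crypto ACL, because a crypto map on the physical interface classifies the already GRE-encapsulated packets.

```cisco
! Branch router (office2) - mirror of the Hq configuration above
hostname Branch
!
! Phase 1 (ISAKMP) policy: must match Hq. Encryption is set explicitly
! here; the post's policy leaves it at the IOS default.
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 hash sha
 group 5
 lifetime 86400
! Pre-shared key for the Hq peer (<HQ_PUBLIC_IP> is a placeholder)
crypto isakmp key cisco address <HQ_PUBLIC_IP>
!
! Phase 2 transform set: same algorithms and name as on Hq
crypto ipsec transform-set R1-R2 esp-aes esp-sha-hmac
!
! Interesting traffic: the GRE tunnel packets themselves, so the whole
! GRE header and payload is protected in tunnel mode
ip access-list extended important
 permit gre host 41.72.102.3 host <HQ_PUBLIC_IP>
!
crypto map R1-R2_map 1 ipsec-isakmp
 set peer <HQ_PUBLIC_IP>
 set transform-set R1-R2
 match address important
!
! GRE tunnel towards Hq (Hq end is 172.16.1.1; 172.16.1.2 is assumed here)
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel mode gre ip
 tunnel source GigabitEthernet0
 tunnel destination <HQ_PUBLIC_IP>
!
! Public interface carries the crypto map (mask assumed)
interface GigabitEthernet0
 ip address 41.72.102.3 255.255.255.0
 crypto map R1-R2_map
!
! Branch LAN (assumed interface and gateway address) and a route to the
! Hq LAN through the tunnel
interface GigabitEthernet1
 ip address 10.10.10.1 255.255.255.0
ip route 192.168.1.0 255.255.255.0 Tunnel0
```

With a GRE-matching access list the Hq side needs the mirror-image entry (permit gre host <HQ_PUBLIC_IP> host 41.72.102.3), and its ISAKMP policy must carry the same encryption setting for phase 1 to negotiate.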
Now that the GRE over IPSec tunnel configuration is complete, we can verify end-to-end IPSec tunnel connectivity. By simply sending pings to the remote networks, the IPSec VPN will come up and begin encrypting/decrypting traffic.
Hq#ping 10.10.10.23
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
VII. VERIFYING TUNNEL AND ENCRYPTION
Show commands; traffic monitoring:
Hq#show interface tunnel0
Shows whether the tunnel has an IP address and the source and destination of the tunnel.
Hq#show ip route
This should indicate a directly connected route for tunnel 0.
Hq#show crypto map
This ought to indicate the bindings of the crypto map, e.g. the access list, peer, and transform set.
Hq#show crypto isakmp sa
This gives the status of the VPN, the source and destination, and whether the phase 1 SA is active (an established SA shows the state QM_IDLE).
Hq#show crypto session
Shows that IPSec VPN encryption is operational.
Hq#show crypto ipsec sa
Shows the packets that have been encapsulated/encrypted and those that have been decapsulated/decrypted; these counters should increase as traffic crosses the tunnel.
You can further use Wireshark to see the packets encapsulated and decapsulated.
END.