GRE IPSec Tunnel – Routing over the Tunnel

Using the same topology and part of the configuration of a previous post (IPSec IKEv1 Formula), we will configure GRE (Generic Routing Encapsulation) to carry routing protocols (IGPs, Interior Gateway Protocols) safely across the Internet.

IPSec IKEv1 has a minor limitation in the traffic it lets through: unicast IP packets only. This is a problem when we need to use dynamic routing protocols, because they rely on multicast to build adjacencies.

To solve this we create a GRE tunnel, which accepts any traffic and encapsulates it in unicast IP packets, and then we encapsulate those packets inside IPSec to benefit from its protection. Nice!!!

So in the end we will have the routing protocol, in this case OSPF, inside the GRE tunnel, protected by IPSec.

First we will create the GRE tunnel and test the connectivity.
! R1 Router
interface Tunnel0
 description Tunnel Connection to R2
 ip address 192.168.100.1 255.255.255.252
 tunnel source 10.0.0.1
 tunnel destination 10.0.1.2
 tunnel mode gre ip
!
router ospf 1
 passive-interface default
 no passive-interface Tunnel0
 ! R1's LAN is 192.168.0.0/24 (the verification ping is sourced from 192.168.0.1)
 network 192.168.0.0 0.0.0.255 area 0
 network 192.168.100.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
! R2 Router
interface Tunnel0
 description Tunnel Connection to R1
 ip address 192.168.100.2 255.255.255.252
 tunnel source 10.0.1.2
 tunnel destination 10.0.0.1
 tunnel mode gre ip
!
router ospf 1
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel0
 ! R2's LAN is 172.16.0.0/24 (R1 learns it through Tunnel0 in the verification)
 network 172.16.0.0 0.0.0.255 area 0
 network 192.168.100.2 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
Verification
R1# ping 192.168.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R1# ping 172.16.0.1 source 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R1# show ip route ospf

 172.16.0.0/24 is subnetted, 1 subnets
O 172.16.0.0 [110/1001] via 192.168.100.2, 00:05:53, Tunnel0

Traffic captured in the INTERNET

[Figure: packet capture greipsec2.gif]

In line 10 of the capture we can observe an OSPF Hello packet, and in line 11 the ICMP packet from the ping executed between R1's LAN and R2's LAN, all in clear text.

Now we will configure IPSec protection for the GRE tunnel, using almost the same configuration as in the IPSec IKEv1 Tunnel post.

ISAKMP POLICY EXAMPLE:
! This configuration must match in both routers
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 5
PRE-SHARED KEY
! On R1
crypto isakmp key 0 cisco12345 address 10.0.1.2

! On R2
crypto isakmp key 0 cisco12345 address 10.0.0.1
TRANSFORM-SET EXAMPLE
! This configuration must match in both routers
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
ACL EXAMPLE
! On R1
ip access-list extended VPN
 permit gre host 10.0.0.1 host 10.0.1.2
 deny ip any any
! On R2
ip access-list extended VPN
 permit gre host 10.0.1.2 host 10.0.0.1
 deny ip any any

This is the main difference in the configuration. The crypto ACL puts all GRE traffic between the routers' external addresses inside IPSec. If we look closely at the last packet capture we can see that the ICMP packet is encapsulated in a GRE packet travelling from 10.0.0.1 to 10.0.1.2. The same happens to all traffic going through the tunnel interface, and since routing is done over the tunnel interfaces, all traffic between the LANs goes through GRE and is therefore encapsulated and protected by IPSec.
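The two points made above, that IPSec alone carries only unicast while OSPF Hellos go to a multicast address, and that the crypto ACL matches the GRE wrapper rather than the LAN traffic inside it, can be seen in a small model of what Tunnel0 does to a packet. The script below is an added example and not code from the original post: it builds the outer IPv4 and GRE headers the way "tunnel mode gre ip" would, evaluates the post's R1 crypto ACL against an OSPF Hello and the LAN-to-LAN ping before and after encapsulation, and unwraps the GRE packet again. The packet payloads, the ACL evaluator and the IPsec unicast check are constructed for illustration; nothing is sent on the wire.

```python
"""Added example, not from the original post: models what R1's Tunnel0 does
to a packet and why the crypto ACL 'permit gre host 10.0.0.1 host 10.0.1.2'
then catches everything the LANs exchange. Pure stdlib; headers are built in
memory and a crypto ACL is evaluated against them, nothing is sent."""
import socket
import struct
from ipaddress import ip_address

PROTO_ICMP, PROTO_GRE, PROTO_OSPF = 1, 47, 89
ETHERTYPE_IPV4 = 0x0800
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_checksum(header):
    """Ones-complement sum over the header; verifies to 0 on a correct header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src, dst, proto, payload, ttl=255):
    """Return a minimal IPv4 packet (no options) carrying payload."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def parse_ipv4(packet):
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": packet[ihl:total_len]}


def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """What 'tunnel mode gre ip' does: prepend a 4-byte GRE header (no C/K/S
    options, protocol type IPv4) and an outer IPv4 header, protocol 47, between
    the tunnel endpoints. The inner destination, multicast or not, is now hidden."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_packet(tunnel_src, tunnel_dst, PROTO_GRE, gre + inner)


def gre_decapsulate(packet):
    """Reverse of gre_encapsulate; rejects anything that is not plain GRE over IPv4."""
    outer = parse_ipv4(packet)
    if outer["proto"] != PROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0xB000 or ptype != ETHERTYPE_IPV4:  # C, K or S bit would add fields
        raise ValueError("unsupported GRE header")
    return parse_ipv4(outer["payload"][4:])


# The post's crypto ACL 'VPN' on R1 as (action, protocol, src, dst); protocol is
# an IP protocol number, or 'ip' for any. IOS evaluates first match, implicit deny.
R1_CRYPTO_ACL = [("permit", PROTO_GRE, "10.0.0.1", "10.0.1.2"),
                 ("deny", "ip", "any", "any")]


def acl_permits(packet, acl):
    hdr = parse_ipv4(packet)
    for action, proto, src, dst in acl:
        if (proto in ("ip", hdr["proto"]) and src in ("any", hdr["src"])
                and dst in ("any", hdr["dst"])):
            return action == "permit"
    return False


def ipsec_protects(packet, acl):
    """IPsec here carries only unicast, and only what the crypto ACL permits."""
    return (not ip_address(parse_ipv4(packet)["dst"]).is_multicast
            and acl_permits(packet, acl))


# Constructed sample traffic: an OSPF Hello from R1's Tunnel0 to AllSPFRouters and
# the LAN-to-LAN ping from the post. Payload bytes are placeholders, not real headers.
OSPF_HELLO = ipv4_packet("192.168.100.1", "224.0.0.5", PROTO_OSPF, b"ospf-hello-placeholder")
LAN_PING = ipv4_packet("192.168.0.1", "172.16.0.1", PROTO_ICMP, b"icmp-echo-placeholder")
SAMPLES = (("ospf", OSPF_HELLO), ("ping", LAN_PING))


def demo():
    """Return (before, after) IPsec decisions for the two samples, keyed by name."""
    before = {name: ipsec_protects(pkt, R1_CRYPTO_ACL) for name, pkt in SAMPLES}
    after = {name: ipsec_protects(gre_encapsulate(pkt, "10.0.0.1", "10.0.1.2"), R1_CRYPTO_ACL)
             for name, pkt in SAMPLES}
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("without GRE:", before)  # neither is unicast GRE between the peers
    print("inside GRE:  ", after)  # both now match 'permit gre host ... host ...'
    inner = gre_decapsulate(gre_encapsulate(OSPF_HELLO, "10.0.0.1", "10.0.1.2"))
    print("decapsulated:", inner["src"], "->", inner["dst"], "proto", inner["proto"])
```

The "before" result is the situation from the first capture: the Hello is multicast and the ping is plain ICMP between LAN addresses, so a unicast-only, GRE-only crypto ACL matches neither. After encapsulation both are protocol 47 between 10.0.0.1 and 10.0.1.2, which is exactly what the ACL selects, and what the second capture shows as ESP.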

CRYPTO MAP EXAMPLE
! On R1
crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.1.2
 set transform-set TSET
 set pfs group5
 match address VPN
! On R2
crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set TSET
 set pfs group5
 match address VPN
ADD CRYPTO MAP TO THE EXTERNAL INTERFACE
! On both Routers
interface Ethernet0/0
 crypto map CMAP
BONUS STEP

We don't need to exempt the traffic from NAT, because the tunnel interface is not one of the NAT interfaces.
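Most problems with this kind of setup come from one side not mirroring the other: a tunnel destination, ISAKMP key address, crypto map peer or crypto ACL that does not line up with the peer's tunnel source. As an added check, not part of the original post, the script below scans the R1 and R2 configuration text for those values and reports every mismatch; the two config strings are copied from the configuration steps above, and the scan is a loose regex pass that only knows the commands used here, not a full IOS parser.

```python
"""Added example, not from the original post: a mirror check for the R1/R2
configuration. It scans IOS-style config text for the values that must agree
between the two peers (tunnel endpoints, tunnel subnet, ISAKMP key and peer,
crypto-map peer, crypto ACL, transform set) and returns every mismatch.
The config strings are copied from the post; the regex scan is deliberately
narrow and only understands the commands used in this setup."""
import re
from ipaddress import ip_interface

R1_CONFIG = """\
interface Tunnel0
 description Tunnel Connection to R2
 ip address 192.168.100.1 255.255.255.252
 tunnel source 10.0.0.1
 tunnel destination 10.0.1.2
 tunnel mode gre ip
!
crypto isakmp key 0 cisco12345 address 10.0.1.2
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
ip access-list extended VPN
 permit gre host 10.0.0.1 host 10.0.1.2
 deny ip any any
crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.1.2
 set transform-set TSET
 set pfs group5
 match address VPN
"""

R2_CONFIG = """\
interface Tunnel0
 description Tunnel Connection to R1
 ip address 192.168.100.2 255.255.255.252
 tunnel source 10.0.1.2
 tunnel destination 10.0.0.1
 tunnel mode gre ip
!
crypto isakmp key 0 cisco12345 address 10.0.0.1
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
ip access-list extended VPN
 permit gre host 10.0.1.2 host 10.0.0.1
 deny ip any any
crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set TSET
 set pfs group5
 match address VPN
"""


def _first(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def extract(cfg):
    """Pull the peer-sensitive values out of one router's config (None if absent)."""
    tunnel = _first(r"^interface Tunnel\d+\n((?:^ .*\n)+)", cfg) or ""
    ipm = re.search(r"^ ip address (\S+) (\S+)", tunnel, re.M)
    key = re.search(r"^crypto isakmp key \d+ (\S+) address (\S+)", cfg, re.M)
    acl = re.search(r"^ permit gre host (\S+) host (\S+)", cfg, re.M)
    return {
        "tunnel_src": _first(r"^ tunnel source (\S+)", tunnel),
        "tunnel_dst": _first(r"^ tunnel destination (\S+)", tunnel),
        "tunnel_ip": f"{ipm.group(1)}/{ipm.group(2)}" if ipm else None,
        "isakmp_key": key.group(1) if key else None,
        "isakmp_peer": key.group(2) if key else None,
        "map_peer": _first(r"^ set peer (\S+)", cfg),
        "transform": _first(r"^crypto ipsec transform-set \S+ (.+)$", cfg),
        "acl_src": acl.group(1) if acl else None,
        "acl_dst": acl.group(2) if acl else None,
    }


def check_pair(cfg_a, cfg_b, name_a="R1", name_b="R2"):
    """Return a list of readable mismatches; an empty list means the sides mirror."""
    a, b = extract(cfg_a), extract(cfg_b)
    problems = [f"{n}: could not find {k}" for n, s in ((name_a, a), (name_b, b))
                for k, v in s.items() if v is None]
    if problems:
        return problems
    for me, peer, n_me, n_peer in ((a, b, name_a, name_b), (b, a, name_b, name_a)):
        if me["tunnel_dst"] != peer["tunnel_src"]:
            problems.append(f"{n_me} tunnel destination {me['tunnel_dst']} is not "
                            f"{n_peer} tunnel source {peer['tunnel_src']}")
        if me["isakmp_peer"] != peer["tunnel_src"]:
            problems.append(f"{n_me} ISAKMP key is bound to {me['isakmp_peer']}, but "
                            f"{n_peer} sources the tunnel from {peer['tunnel_src']}")
        if me["map_peer"] != peer["tunnel_src"]:
            problems.append(f"{n_me} crypto map peer {me['map_peer']} is not "
                            f"{n_peer} tunnel source {peer['tunnel_src']}")
        if (me["acl_src"], me["acl_dst"]) != (me["tunnel_src"], me["tunnel_dst"]):
            problems.append(f"{n_me} crypto ACL {me['acl_src']}->{me['acl_dst']} "
                            "does not match its own tunnel endpoints")
    if a["isakmp_key"] != b["isakmp_key"]:
        problems.append("pre-shared keys differ")
    if a["transform"] != b["transform"]:
        problems.append(f"transform sets differ: {a['transform']} vs {b['transform']}")
    ia, ib = ip_interface(a["tunnel_ip"]), ip_interface(b["tunnel_ip"])
    if ia.network != ib.network or ia.ip == ib.ip:
        problems.append(f"tunnel addresses {ia} and {ib} are not two hosts on one subnet")
    return problems


if __name__ == "__main__":
    print("as posted:", check_pair(R1_CONFIG, R2_CONFIG) or "OK")
    # Constructed typo: R2's crypto map pointed at the wrong peer address.
    broken = R2_CONFIG.replace("set peer 10.0.0.1", "set peer 10.0.0.2")
    for p in check_pair(R1_CONFIG, broken):
        print("typo case:", p)
```

Run against the configuration as posted the check returns nothing; the constructed typo in the usage block (R2 pointing its crypto map at 10.0.0.2) is reported as a single mismatch against R1's tunnel source, which is the kind of one-character error that otherwise only surfaces as a tunnel that never comes up.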

Verification
R1# ping 172.16.0.1 source 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R1# show ip route ospf

 172.16.0.0/24 is subnetted, 1 subnets
O 172.16.0.0 [110/1001] via 192.168.100.2, 00:05:53, Tunnel0
Traffic captured in the INTERNET

[Figure: packet capture greipsec3]

All traffic between 10.0.0.1 and 10.0.1.2 is now protected with ESP.

Until the next post, stay good

 
