Dynamic Routing Through IPSec Without GRE – Using VTI’s

In a previous post, we created a GRE tunnel to carry a routing protocol across an insecure (Internet) network and protected it with IPSec. As you all should know, GRE adds another layer of encapsulation (at least 4 bytes), which means more overhead.

One major advantage over the traditional IPSec method is that, since we create a new interface instead of applying a crypto map to the physical interface, we can apply specific rules to the traffic that goes through it (QoS, ACLs, etc.).

In this post we will configure a connection between two routers over the Internet (our "Internet") using Virtual Tunnel Interfaces (VTI) and run dynamic routing over it.
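To put a number on the overhead comparison, here is an added Python calculator (not from the original post) for the per-packet wire size of a plain VTI (ESP tunnel mode) versus GRE carried inside IPsec, using the RFC 4303 ESP constants for the page's esp-aes/esp-sha-hmac transform set; the GRE-in-ESP-transport-mode variant and the 1500-byte link MTU are assumptions for illustration.

```python
# Per-packet wire size of a VTI (plain ESP tunnel mode) versus GRE carried
# inside IPsec, using the page's transform set: esp-aes (AES-CBC, 16-byte IV
# and block) and esp-sha-hmac (HMAC-SHA1-96, 12-byte ICV). Byte counts are
# RFC 4303 ESP constants, not anything measured on the page.
OUTER_IP = 20      # IPv4 header added by tunnel mode (or the GRE delivery header)
ESP_HDR = 8        # SPI (4) + sequence number (4)
AES_IV = 16
AES_BLOCK = 16
ESP_TRAILER = 2    # pad length (1) + next header (1)
SHA1_ICV = 12      # HMAC-SHA1-96 integrity check value
GRE_HDR = 4        # minimal GRE header: no checksum, key or sequence fields

def esp_padding(plain_len):
    """Bytes of ESP padding so (payload + trailer) fills whole AES blocks."""
    return (-(plain_len + ESP_TRAILER)) % AES_BLOCK

def esp_tunnel_size(inner_len):
    """Wire size of an inner IP packet after ESP tunnel-mode encapsulation."""
    return (OUTER_IP + ESP_HDR + AES_IV + inner_len
            + esp_padding(inner_len) + ESP_TRAILER + SHA1_ICV)

def vti_size(inner_len):
    """VTI: the inner packet goes straight into ESP tunnel mode."""
    return esp_tunnel_size(inner_len)

def gre_ipsec_size(inner_len, transport=False):
    """GRE/IPsec: inner packet + GRE header (+ delivery IP header), then ESP.
    In ESP tunnel mode the 20-byte GRE delivery header is encrypted and a
    fresh outer header is added; in transport mode (assumed variant) the
    delivery header is reused as the outer header, so only GRE's 4 bytes are extra."""
    extra = GRE_HDR if transport else GRE_HDR + OUTER_IP
    return esp_tunnel_size(inner_len + extra)

def max_inner_mtu(size_fn, link_mtu=1500):
    """Largest inner packet size_fn keeps within link_mtu (no fragmentation)."""
    return max(n for n in range(1, link_mtu + 1) if size_fn(n) <= link_mtu)

def compare(link_mtu=1500):
    """Usable inner MTU per design; the differences are the GRE overhead."""
    return {
        "vti": max_inner_mtu(vti_size, link_mtu),
        "gre_ipsec_tunnel": max_inner_mtu(gre_ipsec_size, link_mtu),
        "gre_ipsec_transport": max_inner_mtu(
            lambda n: gre_ipsec_size(n, transport=True), link_mtu),
    }

if __name__ == "__main__":
    print(compare())
```

With a 1500-byte link, the VTI leaves 1438 bytes for the inner packet, GRE inside ESP tunnel mode 1414, and GRE with ESP transport mode 1434: the 4 and 24 byte differences are exactly the GRE header and the GRE header plus its delivery IP header.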

R1 Initial Config
hostname R1
!
!DHCP Server Configuration
ip dhcp excluded-address 192.168.0.254
!
ip dhcp pool LOCALLAN
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.254 
 dns-server 8.8.8.8 
 domain-name bsnetworking.blog
!
interface Ethernet0/0
 description Local Lan Connection
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 description "Internet" Connection
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
 no shutdown
!
ip nat inside source list NAT interface Ethernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
 deny   ip any any
R2 Initial Config
hostname R2
!
!DHCP Server Configuration
ip dhcp excluded-address 172.16.0.254
!
ip dhcp pool LOCALLAN
 network 172.16.0.0 255.255.255.0
 default-router 172.16.0.254 
 dns-server 8.8.8.8 
 domain-name bsnetworking.blog
!
interface Ethernet0/0
 description Local Lan Connection
 ip address 172.16.0.254 255.255.255.0
 ip nat inside
 no shutdown
!
interface Ethernet0/2
 description "Internet" Connection
 ip address 10.0.0.5 255.255.255.252
 ip nat outside
 no shutdown
!
ip nat inside source list NAT interface Ethernet0/2 overload
!
ip route 0.0.0.0 0.0.0.0 10.0.0.6
!
ip access-list extended NAT
 permit ip 172.16.0.0 0.0.0.255 any
 deny   ip any any
Internet Config
hostname INTERNET

interface Ethernet0/0
 description Internet Connection
 ip address dhcp
 ip nat outside
 no shutdown
!
interface Ethernet0/1
 description Connection to R1
 ip address 10.0.0.2 255.255.255.252
 ip nat inside
 no shutdown
!
interface Ethernet0/2
 description Connection to R2
 ip address 10.0.0.6 255.255.255.252
 ip nat inside
 no shutdown
!
ip nat inside source list NAT interface Ethernet0/0 overload
!
ip access-list extended NAT
 permit ip 10.0.0.0 0.0.0.7 any
 deny   ip any any
Connectivity Tests
VPCS> sh ip 
IP/MASK     : 192.168.0.1/24
GATEWAY     : 192.168.0.254
DNS         : 8.8.8.8  
DHCP SERVER : 192.168.0.254
DHCP LEASE  : 85351, 86400/43200/75600
DOMAIN NAME : bsnetworking.blog

VPCS> ping www.google.com
www.google.com resolved to 194.210.238.166

84 bytes from 194.210.238.166 icmp_seq=1 ttl=53 time=6.764 ms
84 bytes from 194.210.238.166 icmp_seq=2 ttl=53 time=7.485 ms
84 bytes from 194.210.238.166 icmp_seq=3 ttl=53 time=7.216 ms
84 bytes from 194.210.238.166 icmp_seq=4 ttl=53 time=7.612 ms
VTI (Virtual Tunnel Interface) Configuration
R1
! Configure IKE phase 1 policy
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
! Configure the pre-shared key
crypto isakmp key ourpass address 0.0.0.0        
!
! Configure the IKE phase 2
crypto ipsec transform-set OUR-TSET esp-aes esp-sha-hmac 
 mode tunnel
!
! Create an IPSec profile used to protect the tunnel traffic
crypto ipsec profile OUR-PROFILE
 set transform-set OUR-TSET 
!
! Create the interface tunnel          
interface Tunnel1
 ip address 1.1.1.1 255.255.255.252
 tunnel source Ethernet0/1
 ! Identify the tunnel mode as ipsec for ipv4
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.5
 ! Protect the tunnel with the ipsec profile
 tunnel protection ipsec profile OUR-PROFILE
!
! Configure a routing protocol and add the tunnel network
router eigrp 1
 network 1.1.1.1 0.0.0.0
 network 192.168.0.254 0.0.0.0
R2
! Configure IKE phase 1 policy
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
! Configure the pre-shared key
crypto isakmp key ourpass address 0.0.0.0        
!
! Configure the IKE phase 2
crypto ipsec transform-set OUR-TSET esp-aes esp-sha-hmac 
 mode tunnel
!
! Create an IPSec profile used to protect the tunnel traffic
crypto ipsec profile OUR-PROFILE
 set transform-set OUR-TSET 
!
! Create the interface tunnel          
interface Tunnel1
 ip address 1.1.1.2 255.255.255.252
 tunnel source Ethernet0/2
 ! Identify the tunnel mode as ipsec for ipv4
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.1
 ! Protect the tunnel with the ipsec profile
 tunnel protection ipsec profile OUR-PROFILE
!
! Configure a routing protocol and add the tunnel network
router eigrp 1
 network 1.1.1.2 0.0.0.0
 network 172.16.0.254 0.0.0.0
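Before bringing the tunnel up it is worth checking that the two ends actually mirror each other. The following Python script is an added example (not from the post) that parses constructed excerpts of the R1 and R2 VTI configurations above, confirms each tunnel is in ipsec ipv4 mode with a defined protection profile, cross-checks that each tunnel destination is the other side's tunnel source address, and flags the address 0.0.0.0 pre-shared key, which matches any peer.

```python
# Constructed excerpts of the R1 and R2 VTI configurations shown above.
R1 = """crypto isakmp key ourpass address 0.0.0.0
crypto ipsec profile OUR-PROFILE
interface Ethernet0/1
 ip address 10.0.0.1 255.255.255.252
interface Tunnel1
 tunnel source Ethernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.5
 tunnel protection ipsec profile OUR-PROFILE"""
R2 = """crypto isakmp key ourpass address 0.0.0.0
crypto ipsec profile OUR-PROFILE
interface Ethernet0/2
 ip address 10.0.0.5 255.255.255.252
interface Tunnel1
 tunnel source Ethernet0/2
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.1
 tunnel protection ipsec profile OUR-PROFILE"""

def parse_ios(text):
    """Group an IOS config into {top-level line: [indented sub-lines]}, skipping '!' lines."""
    blocks, cur = {}, None
    for line in text.splitlines():
        if line.startswith(" "):
            blocks[cur].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            cur = line.strip()
            blocks.setdefault(cur, [])
    return blocks

def vti_facts(text):
    """Return (tunnel source IP, tunnel destination, local findings) for one router."""
    b = parse_ios(text)
    tun = next(v for k, v in b.items() if k.startswith("interface Tunnel"))
    get = lambda p: next((l[len(p):] for l in tun if l.startswith(p)), None)
    src_ip = next(l.split()[2] for l in b["interface " + get("tunnel source ")]
                  if l.startswith("ip address "))
    findings = []
    if get("tunnel mode ") != "ipsec ipv4":
        findings.append("tunnel mode is not 'ipsec ipv4'")
    if "crypto ipsec profile %s" % get("tunnel protection ipsec profile ") not in b:
        findings.append("tunnel protection profile is missing or undefined")
    if any(k.startswith("crypto isakmp key") and k.endswith(" address 0.0.0.0") for k in b):
        findings.append("wildcard pre-shared key: any peer address is accepted")
    return src_ip, get("tunnel destination "), findings

def check_pair(cfg_a, cfg_b):
    """Findings for both ends plus the cross-check; an empty list means consistent."""
    (sa, da, fa), (sb, db, fb) = vti_facts(cfg_a), vti_facts(cfg_b)
    mismatch = [] if (da == sb and db == sa) else ["tunnel source/destination do not cross-match"]
    return fa + fb + mismatch
```

For the page's pair the only findings are the two wildcard-key warnings; pinning each key to the peer's address clears them.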
Verify Configuration
R1# show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                192.168.0.254   YES manual up                    up      
Ethernet0/1                10.0.0.1        YES manual up                    up      
Ethernet0/2                unassigned      YES unset  administratively down down    
Ethernet0/3                unassigned      YES unset  administratively down down    
NVI0                       192.168.0.254   YES unset  up                    up      
Tunnel1                    1.1.1.1         YES manual up                    up      

R1# show ip route eigrp

      172.16.0.0/24 is subnetted, 1 subnets
D        172.16.0.0 [90/26905600] via 1.1.1.2, 00:17:23, Tunnel1
Test Connectivity
VPCS> ping 192.168.0.1

84 bytes from 192.168.0.1 icmp_seq=1 ttl=62 time=2.264 ms
84 bytes from 192.168.0.1 icmp_seq=2 ttl=62 time=1.744 ms
84 bytes from 192.168.0.1 icmp_seq=3 ttl=62 time=2.303 ms
84 bytes from 192.168.0.1 icmp_seq=4 ttl=62 time=1.573 ms
84 bytes from 192.168.0.1 icmp_seq=5 ttl=62 time=1.426 ms

VPCS> trace 192.168.0.1
trace to 192.168.0.1, 8 hops max, press Ctrl+C to stop
 1   172.16.0.254   0.972 ms  0.228 ms  0.220 ms
 2   1.1.1.1   1.245 ms  1.064 ms  0.755 ms
 3   *192.168.0.1   0.887 ms (ICMP type:3, code:3, Destination port unreachable)
Traffic Captured on the “Internet”

[Image: IPSEC-VTI-Scan.gif]

Video

Until next post, stay good.
