Dynamic Virtual Tunnel Interface – Securing a Hub & Spoke Topology

In the last post we talked about using a VTI to establish a connection between two points over the Internet. That connection was secured with IPsec and allowed dynamic routing protocols to run through it. The challenge in this post is to extend that topology to multiple points, which is the kind of topology we usually encounter in the real world.

Once again we will use EVE (Unetlab) to emulate the scenario.

Scenario:

[Topology diagram: dvti1]

Initial Configs
! INTERNET ROUTER CONFIGURATION
hostname INTERNET
!
interface Ethernet0/0
 description Connects to R0 - HUB
 ip address 10.0.0.2 255.255.255.252
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 description Connects to R1 - SPOKE 1
 ip address 10.0.0.6 255.255.255.252
 ip nat inside
 no shutdown
!
interface Ethernet0/2
 description Connects to R2 - SPOKE 2
 ip address 10.0.0.10 255.255.255.252
 ip nat inside
 no shutdown
!
interface Ethernet0/3
 description Connects to R3 - SPOKE 3
 ip address 10.0.0.14 255.255.255.252
 ip nat inside
 no shutdown
!
interface Ethernet1/0
 ip address dhcp
 ip nat outside
 no shutdown
!
ip nat inside source list NAT interface Ethernet1/0 overload
!
ip access-list extended NAT
 permit ip 10.0.0.0 0.0.0.15 any
 deny   ip any any
! HUB ROUTER CONFIGURATION
hostname R0
!
interface Ethernet0/0
 description Internet Connection
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
 no shutdown
!
interface Ethernet0/1
 description Local Lan Connection
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 no shutdown
!
ip nat inside source list NAT interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
 deny   ip any any
! SPOKE1 ROUTER CONFIGURATION
hostname R1
!
interface Ethernet0/0
 description Internet Connection
 ip address 10.0.0.5 255.255.255.252
 ip nat outside
 no shutdown
!
interface Ethernet0/1
 description Local Lan Connection
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 no shutdown
!
ip nat inside source list NAT interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.6
!
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any
! SPOKE2 ROUTER CONFIGURATION
hostname R2
!
interface Ethernet0/0
 description Internet Connection
 ip address 10.0.0.9 255.255.255.252
 ip nat outside
 no shutdown
!
interface Ethernet0/1
 description Local Lan Connection
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 no shutdown
!
ip nat inside source list NAT interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.10
!
ip access-list extended NAT
 permit ip 192.168.2.0 0.0.0.255 any
 deny   ip any any
! SPOKE3 ROUTER CONFIGURATION
hostname R3
!
interface Ethernet0/0
 description Internet Connection
 ip address 10.0.0.13 255.255.255.252
 ip nat outside
 no shutdown
!
interface Ethernet0/1
 description Local Lan Connection
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 no shutdown
!
ip nat inside source list NAT interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.14
!
ip access-list extended NAT
 permit ip 192.168.3.0 0.0.0.255 any
 deny   ip any any
Dynamic Virtual Tunnel Interface – Hub
! Since the connections will come from different addresses, create a keyring
! to hold the pre-shared key of each spoke
crypto keyring KEYRING 
 pre-shared-key address 10.0.0.5 key password5
 pre-shared-key address 10.0.0.9 key password9
 pre-shared-key address 10.0.0.13 key password13
!
! Define the IKE phase 1 parameters in the isakmp policy
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
!
! The isakmp profile ties the virtual-template to connections received from the
! specified addresses, authenticated with the pre-shared keys held in the keyring
crypto isakmp profile ISAKMPPROFILE
 keyring KEYRING
 match identity address 10.0.0.5 255.255.255.255 
 match identity address 10.0.0.9 255.255.255.255 
 match identity address 10.0.0.13 255.255.255.255 
 virtual-template 1
!
! Define the IKE phase 2 parameters in the ipsec transform-set
crypto ipsec transform-set TSET esp-aes esp-sha-hmac 
 mode tunnel
!
! Create an ipsec profile to protect the virtual-template traffic
crypto ipsec profile IPSECPROFILE
 set transform-set TSET 
!
! The loopback interface will be used to address the virtual-template
! Any other interface could be used
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
! Create the template that will be cloned for each spoke connection
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSECPROFILE
!
! Configure routing over the virtual-template interface and any other interfaces as necessary
router eigrp 1
 network 1.0.0.0
 network 192.168.0.0
Static Virtual Tunnel Interfaces in SPOKE1, 2 and 3
! SPOKE1
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key password5 address 10.0.0.1 
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile IPSECPROFILE
 set transform-set TSET 
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.1
 tunnel protection ipsec profile IPSECPROFILE
!
router eigrp 1
 network 2.0.0.0
 network 192.168.1.0
! SPOKE2
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key password9 address 10.0.0.1 
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile IPSECPROFILE
 set transform-set TSET 
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.1
 tunnel protection ipsec profile IPSECPROFILE
!
router eigrp 1
 network 3.0.0.0
 network 192.168.2.0
! SPOKE3
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key password13 address 10.0.0.1 
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile IPSECPROFILE
 set transform-set TSET 
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.1
 tunnel protection ipsec profile IPSECPROFILE
!
router eigrp 1
 network 4.0.0.0
 network 192.168.3.0
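The hub only builds a Virtual-Access interface for a spoke whose source address has a keyring entry, whose pre-shared key matches, whose identity is matched by the ISAKMP profile and whose transform-set agrees with the hub's. The check below, added here as an example and not part of the original post, parses constructed excerpts of the hub and spoke configs shown above and reports each mismatch; R4 (10.0.0.17, password17) is a hypothetical fourth spoke the hub was never configured for.

```python
import re

# Constructed excerpts of the hub and spoke crypto configs from this post.
HUB_CONFIG = """\
crypto keyring KEYRING
 pre-shared-key address 10.0.0.5 key password5
 pre-shared-key address 10.0.0.9 key password9
 pre-shared-key address 10.0.0.13 key password13
 match identity address 10.0.0.5 255.255.255.255
 match identity address 10.0.0.9 255.255.255.255
 match identity address 10.0.0.13 255.255.255.255
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
"""

def spoke_cfg(wan_ip, key, tset="esp-aes esp-sha-hmac"):
    # Same shape as the R1/R2/R3 excerpts: PSK, transform-set, WAN address.
    return (f"crypto isakmp key {key} address 10.0.0.1\n"
            f"crypto ipsec transform-set TSET {tset}\n"
            f"interface Ethernet0/0\n ip address {wan_ip} 255.255.255.252\n")

SPOKES = {"R1": spoke_cfg("10.0.0.5", "password5"),
          "R2": spoke_cfg("10.0.0.9", "password9"),
          "R3": spoke_cfg("10.0.0.13", "password13"),
          # hypothetical spoke that was never added to the hub
          "R4": spoke_cfg("10.0.0.17", "password17")}

def parse_hub(cfg):
    keys = dict(re.findall(r"pre-shared-key address (\S+) key (\S+)", cfg))
    idents = set(re.findall(r"match identity address (\S+) ", cfg))
    tset = re.search(r"transform-set \S+ (.+)", cfg).group(1).strip()
    return keys, idents, tset

def parse_spoke(cfg):
    key = re.search(r"crypto isakmp key (\S+) address", cfg).group(1)
    tset = re.search(r"transform-set \S+ (.+)", cfg).group(1).strip()
    wan = re.search(r"interface Ethernet0/0\n ip address (\S+)", cfg).group(1)
    return wan, key, tset

def check_spokes(hub_cfg, spokes):
    # Returns {spoke: [problems]}; spokes with no problems are omitted.
    keys, idents, hub_tset = parse_hub(hub_cfg)
    report = {}
    for name, cfg in spokes.items():
        wan, key, tset = parse_spoke(cfg)
        problems = []
        if wan not in keys:
            problems.append(f"hub keyring has no entry for {wan}")
        elif keys[wan] != key:
            problems.append(f"PSK for {wan} differs from hub keyring")
        if wan not in idents:
            problems.append(f"hub ISAKMP profile does not match identity {wan}")
        if tset != hub_tset:
            problems.append(f"transform-set {tset!r} != hub {hub_tset!r}")
        if problems:
            report[name] = problems
    return report
```

Running `check_spokes(HUB_CONFIG, SPOKES)` flags only R4; pointing the same check at a spoke whose key or transform-set was changed reports that mismatch instead.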
Verification
R0# show ip route eigrp
<output omitted>

      2.0.0.0/32 is subnetted, 1 subnets
D        2.2.2.2 [90/27008000] via 2.2.2.2, 00:27:58, Virtual-Access1
      3.0.0.0/32 is subnetted, 1 subnets
D        3.3.3.3 [90/27008000] via 3.3.3.3, 00:25:01, Virtual-Access2
      4.0.0.0/32 is subnetted, 1 subnets
D        4.4.4.4 [90/27008000] via 4.4.4.4, 00:21:11, Virtual-Access3
D     192.168.1.0/24 [90/26905600] via 2.2.2.2, 00:27:50, Virtual-Access1
D     192.168.2.0/24 [90/26905600] via 3.3.3.3, 00:25:02, Virtual-Access2
D     192.168.3.0/24 [90/26905600] via 4.4.4.4, 00:21:11, Virtual-Access3

! One virtual-access is created per connection

R0# show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                10.0.0.1        YES manual up                    up      
Ethernet0/1                192.168.0.254   YES manual up                    up      
Ethernet0/2                unassigned      YES unset  administratively down down    
Ethernet0/3                unassigned      YES unset  administratively down down    
Loopback0                  1.1.1.1         YES manual up                    up      
NVI0                       unassigned      NO  unset  up                    up      
Virtual-Access1            1.1.1.1         YES unset  up                    up      
Virtual-Access2            1.1.1.1         YES unset  up                    up      
Virtual-Access3            1.1.1.1         YES unset  up                    up      
Virtual-Template1          1.1.1.1         YES unset  up                    down
Until next post, stay good.
