GRE – configuring point-to-point VPN tunnel via GRE – unprotected and protected
GRE – Generic Routing Encapsulation is a protocol that encapsulates packets in order to route other protocols over IP networks. It allows a wide variety of network layer protocols to be carried inside point-to-point links.
It was developed as a tunneling tool meant to carry any OSI layer 3 protocol over an IP network. In essence, GRE creates a private point-to-point connection, or VPN.
GRE works by encapsulating a payload (the inner packet that has to be delivered to the other side) inside an outer IP packet.
GRE does not use encryption the way the IPsec Encapsulating Security Payload (ESP) does; it just wraps the traffic in a GRE header, so anything sent over a plain GRE tunnel is readable on the path.
A GRE tunnel uses a tunnel interface – a logical interface configured on the router with an IP address, where packets are encapsulated and decapsulated as they enter or exit the GRE tunnel.
Essential steps to configure a protected GRE over IPsec VPN tunnel:
Create a Cisco GRE tunnel
Add route to remote LAN reachable via GRE tunnel interface IP
Configure ISAKMP (IKE) = (ISAKMP Phase 1)
Create a transform set (ISAKMP phase 2 policy), used to protect our data.
Create IPSec profile to connect previously defined ISAKMP and IPsec configs together.
Apply IPSec encryption to tunnel interface at both routers
========= IPSec related configs on both routers ==========
!! Configure ISAKMP (IKE) = (ISAKMP Phase 1) !!
R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
!! define a pre shared key for authentication!!
R2(config)# crypto isakmp key <firewall> address 10.1.1.2
!! Create a transform set (ISAKMP phase 2 policy) !
R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(cfg-crypto-trans)# mode transport
!! Create IPSec profile !!
R2(config)# crypto ipsec profile protect-gre
R2(ipsec-profile)# set security-association lifetime seconds 86400
R2(ipsec-profile)# set transform-set TS
!! Apply IPSec encryption to tunnel interface !!
R2(config)# interface Tunnel 1
R2(config-if)# tunnel protection ipsec profile protect-gre
===============================================================
Basic configuration on all routers for GRE and IPSec:
R1:
int f0/0
ip address 10.1.1.2 255.255.255.0
int loopback 1
ip address 172.16.1.1 255.255.255.0
ip route 20.1.1.2 255.255.255.255 10.1.1.1
R3 (simulated ISP router; make sure you add routes so R1 and R2 can ping each other):
int f0/0
ip address 10.1.1.1 255.255.255.0
int g2/0
ip address 20.1.1.1 255.255.255.0
R2:
int f0/0
ip address 20.1.1.2 255.255.255.0
int loopback 1
ip address 192.168.1.1 255.255.255.0
ip route 10.1.1.2 255.255.255.255 20.1.1.1
======================================================
GRE part of config:
R1:
int tunnel 1
tunnel source f0/0
tunnel destination 20.1.1.2
ip address 192.168.13.2 255.255.255.0
R2:
int tunnel 1
tunnel source f0/0
tunnel destination 10.1.1.2
ip address 192.168.13.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
Since GRE is an encapsulating protocol, we lower the maximum transmission unit (MTU) of the tunnel to 1400 bytes and the TCP maximum segment size (MSS) to 1360 bytes. Most link MTUs are 1500 bytes, and GRE adds an outer IP header plus a GRE header to every packet, so the tunnel MTU must be reduced to account for that extra overhead (and, once the tunnel is protected, for the ESP overhead as well). A setting of 1400 is common practice and keeps unnecessary packet fragmentation to a minimum; the MSS of 1360 leaves room for the 20-byte IP and 20-byte TCP headers inside the 1400-byte tunnel MTU.
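Added example, not configuration from the original page: a small Python model of the GRE encapsulation described above (outer IP header with protocol 47, 4-byte GRE header, inner packet) and of the header overhead that the ip mtu 1400 / ip tcp adjust-mss 1360 settings allow for, including the extra bytes ESP transport mode with esp-3des esp-md5-hmac adds once the tunnel is protected. The addresses are the lab's; the inner ICMP packet, the zeroed checksums and the ESP size arithmetic are my own construction.

```python
# Added example, not the page's router config: GRE encapsulation and the overhead
# behind "ip mtu 1400" / "ip tcp adjust-mss 1360". Inner packet is constructed.
import socket
import struct

GRE_PROTO = 47           # IP protocol number for GRE ("permit 47" in the crypto session flow)
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at zero (constructed example)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 255,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Outer IPv4 header (protocol 47) + 4-byte GRE header + the inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S flags, version 0
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, 4 + len(inner)) + gre + inner

def gre_decapsulate(packet):
    """Return (tunnel_src, tunnel_dst, inner); reject anything that is not plain GRE."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("not GRE: IP protocol %d" % packet[9])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000:  # C, K or S bit set: optional fields follow, not handled here
        raise ValueError("optional GRE fields not supported")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), packet[ihl + 4:]

def esp_transport_overhead(esp_payload_len):
    """Bytes ESP adds in transport mode with esp-3des esp-md5-hmac: 8 (SPI+seq),
    8 (IV), padding to the 8-byte 3DES block, 2 (pad len + next header), 12 (MD5-96 ICV)."""
    pad = (8 - (esp_payload_len + 2) % 8) % 8
    return 8 + 8 + pad + 2 + 12

def tcp_mss_for_mtu(ip_mtu):
    """Largest TCP segment that fits in ip_mtu with plain 20-byte IP and TCP headers."""
    return ip_mtu - 20 - 20

def worst_case_wire_size(ip_mtu):
    """Physical-link size of an ip_mtu-byte inner packet after GRE and ESP transport mode."""
    return 20 + esp_transport_overhead(4 + ip_mtu) + 4 + ip_mtu

def example_round_trip():
    """Constructed ICMP echo from R1's loopback to R2's loopback, as R1 puts it on the wire."""
    inner = ipv4_header("172.16.1.1", "192.168.1.1", 1, 8) + b"\x08\x00\x00\x00\x00\x01\x00\x01"
    wire = gre_encapsulate(inner, "10.1.1.2", "20.1.1.2")
    return wire, gre_decapsulate(wire)
```

With a 1400-byte tunnel MTU the protected packet stays at 1456 bytes on the link, while a 1500-byte inner packet would grow to 1560 bytes and have to be fragmented.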
Verify GRE tunnel:
R1#show interface tunnel 1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.13.2/24
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 10.1.1.2 (FastEthernet0/0), destination 20.1.1.2
Tunnel protocol/transport GRE/IP
R2#show interface tunnel 1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.13.1/24
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 20.1.1.2 (FastEthernet0/0), destination 10.1.1.2
Tunnel protocol/transport GRE/IP
Ping remote LAN via the tunnel
R1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/44 ms
R2#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/28 ms
R2#
Add routes to the remote loopback networks on both routers, pointing at the peer's tunnel address:
R1(config)# ip route 192.168.1.0 255.255.255.0 192.168.13.1
R2(config)# ip route 172.16.1.0 255.255.255.0 192.168.13.2
Secure the GRE tunnel with IPsec encryption (GRE over IPsec)
Two steps for each router are needed:
1. configure ISAKMP (ISAKMP phase 1)
2. configure IPSec (ISAKMP phase 2)
Configure ISAKMP (IKE) – ISAKMP phase 1
IKE exists only to establish SAs for IPsec. Before it can do that, IKE must negotiate its own SA (the ISAKMP SA) with the peer.
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des !! The encryption method to be used for Phase 1
R1(config-isakmp)# hash md5 !! The hashing algorithm
R1(config-isakmp)# authentication pre-share !! Pre-shared key as the authentication method
R1(config-isakmp)# group 2 !! Diffie-Hellman group to be used
R1(config-isakmp)# lifetime 86400 !! ISAKMP SA lifetime in seconds (86400 = 24 hours); the SA is renegotiated when it expires
R1(config)# crypto isakmp key firewall address 20.1.1.2
Create IPSEC transform (ISAKMP Phase 2 policy)
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# mode transport
– ESP-3DES – Encryption method
– MD5 – Hashing algorithm
– Set IPSec to transport mode
Create IPsec profile to connect previously defined ISAKMP and IPSec configurations together.
R1(config)# crypto ipsec profile protect-gre
R1(ipsec-profile)# set security-association lifetime seconds 86400
R1(ipsec-profile)# set transform-set TS
Apply the IPSec encryption to the tunnel interface:
R1(config)# interface Tunnel 1
R1(config-if)# tunnel protection ipsec profile protect-gre
Configure the same on R2:
R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
R2(config)# crypto isakmp key firewall address 10.1.1.2
R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(cfg-crypto-trans)# mode transport
R2(config)# crypto ipsec profile protect-gre
R2(ipsec-profile)# set security-association lifetime seconds 86400
R2(ipsec-profile)# set transform-set TS
R2(config)# interface Tunnel 1
R2(config-if)# tunnel protection ipsec profile protect-gre
Test connectivity over VPN:
R1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/40 ms
R1#sh crypto session
Crypto session current status
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 20.1.1.2 port 500
IKE SA: local 10.1.1.2/500 remote 20.1.1.2/500 Active
IPSEC FLOW: permit 47 host 10.1.1.2 host 20.1.1.2
Active SAs: 2, origin: crypto map
R1#