Wednesday 5 August 2009

Generic Routing Encapsulation (GRE) over IP Security (IPSec) Part 1

"Generic Routing Encapsulation (GRE) over IP Security (IPSec)" is the longest title of any of my blog posts yet; I could almost have added "...with two-way OSPF<->EIGRP redistribution", so count yourself lucky :P

So in case you do not know: plain IPsec, although great, cannot carry multicast traffic, so you cannot run OSPF or EIGRP across it. GRE can carry multicast (and non-IP traffic), but it is neither encrypted nor authenticated. Hence GRE over IPsec was born: the routing protocol rides inside GRE, and the GRE packets (IP protocol 47) are what IPsec protects.

Here is the Lab:

Establishing IP Connectivity is the easy part, now on to the Tunnels:
R2

interface Tunnel0
ip address 192.168.12.2 255.255.255.0
tunnel source 10.0.12.2
tunnel destination 10.0.12.1


R3

interface Tunnel0
ip address 192.168.13.3 255.255.255.0
tunnel source 10.0.0.3
tunnel destination 10.0.0.1


R4

interface Tunnel0
ip address 192.168.14.4 255.255.255.0
tunnel source 10.0.0.4
tunnel destination 10.0.0.1



On R1 each spoke requires its own tunnel:

R1

interface Tunnel2
ip address 192.168.12.1 255.255.255.0
tunnel source 10.0.12.1
tunnel destination 10.0.12.2
!
interface Tunnel3
ip address 192.168.13.1 255.255.255.0
tunnel source 10.0.0.1
tunnel destination 10.0.0.3
!
interface Tunnel4
ip address 192.168.14.1 255.255.255.0
tunnel source 10.0.0.1
tunnel destination 10.0.0.4
!


Now that the tunnels are up we can start on the encryption. As R2 is reached through a different interface from R3 and R4, R1 will need two different crypto maps (an interface carries one crypto map, and a crypto map is applied per interface).
(notice "mode transport" rather than "mode tunnel" under the transform sets: GRE already supplies the outer IP header, so tunnel mode would wrap a second outer header around it for nothing, 20 extra bytes on every packet; transport mode protects the GRE payload between the same two addresses)
Also note that the pre-shared key below is bound to "address 0.0.0.0 0.0.0.0", i.e. any peer that knows the string. That is fine for a lab, but in production bind each key to its peer's address, and expect to replace 3DES/SHA-1/group 2 with AES, SHA-2 and group 14 or higher.

R2:

crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key letmein address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set R2_TRANSFORM esp-3des esp-sha-hmac
mode transport
!
crypto map R22R1 10 ipsec-isakmp
set peer 10.0.12.1
set transform-set R2_TRANSFORM
match address 100

!ACL
access-list 100 permit gre host 10.0.12.2 host 10.0.12.1



Then apply it to the physical interface that carries the tunnel source address (the one with 10.0.12.2), not to Tunnel0, because the crypto ACL matches the GRE packets after encapsulation:

crypto map R22R1


Here is the matching configuration on R1:

crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key letmein address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set R1_TRANSFORM esp-3des esp-sha-hmac
mode transport
!
crypto map R12R2 10 ipsec-isakmp
set peer 10.0.12.2
set transform-set R1_TRANSFORM
match address 120

!ACL
access-list 120 permit gre host 10.0.12.1 host 10.0.12.2


Then again apply it to an interface, this time the one on R1 facing R2 (the one with 10.0.12.1):

crypto map R12R2





Now for the fun bit! As R3 and R4 both connect to R1 via the same interface, and an interface can only carry one crypto map, you need a single crypto map with two entries, one sequence number per peer, each matching its own ACL:

crypto map R1R3R4 10 ipsec-isakmp
set peer 10.0.0.3
set transform-set R1_TRANSFORM
match address 100
crypto map R1R3R4 20 ipsec-isakmp
set peer 10.0.0.4
set transform-set R1_TRANSFORM
match address 110
!


ACLs:

access-list 100 permit gre host 10.0.0.1 host 10.0.0.3
access-list 110 permit gre host 10.0.0.1 host 10.0.0.4


Apply it to the interface that holds 10.0.0.1, the one facing both R3 and R4:

crypto map R1R3R4


The ISAKMP policy (100) and the transform set are global to the router and are shared by every crypto map on it, so there is no need to restate them on R1 for R3 and R4.

Now the matching configuration on R3 and R4:
R3

crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key letmein address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set R3_TRANSFORM esp-3des esp-sha-hmac
mode transport
!
crypto map R32R1 10 ipsec-isakmp
set peer 10.0.0.1
set transform-set R3_TRANSFORM
match address 100

!ACL
access-list 100 permit gre host 10.0.0.3 host 10.0.0.1


R4:

crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key letmein address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set R4_TRANSFORM esp-3des esp-sha-hmac
mode transport
!
crypto map R42R1 10 ipsec-isakmp
set peer 10.0.0.1
set transform-set R4_TRANSFORM
match address 100
!ACL
access-list 100 permit gre host 10.0.0.4 host 10.0.0.1
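Two things on the configs above deserve a caveat before they go anywhere near production, and there is a simpler IOS construct for the hub. First, "crypto isakmp key letmein address 0.0.0.0 0.0.0.0" is a wildcard pre-shared key: any host that learns the string can complete phase 1 with R1, so bind one key per peer address. Second, 3DES, SHA-1 and DH group 2 were normal for a 2009 lab but are deprecated today; AES and group 14 or higher are the floor. Third, because every spoke is a point-to-point GRE tunnel, "tunnel protection" with an IPsec profile replaces the crypto maps and the hand-mirrored crypto ACLs entirely, which is what makes the "two spokes on one interface" case on R1 a non-issue. The following is an added hardening example, not the original post's configuration; it assumes an IOS 15.x image (the 12.4 code of the time does not offer sha256), and the key placeholders and the names GRE_TS and GRE_PROT are my own.

```cisco
! R1 -- added hardening example, not the original post's configuration.
! Assumes IOS 15.x; <key-for-Rx>, GRE_TS and GRE_PROT are placeholders.
!
! One pre-shared key per peer instead of "letmein address 0.0.0.0 0.0.0.0"
crypto isakmp key <key-for-R2> address 10.0.12.2
crypto isakmp key <key-for-R3> address 10.0.0.3
crypto isakmp key <key-for-R4> address 10.0.0.4
!
! Phase 1: AES-256, SHA-256 and DH group 14 instead of 3DES, SHA-1 and group 2
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Phase 2: still transport mode, GRE supplies the outer IP header
crypto ipsec transform-set GRE_TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! IPsec profile attached directly to the tunnels: no crypto map, no crypto ACL.
! The proxy identities (tunnel source/destination, protocol 47) are taken from
! each Tunnel interface, so R1 needs no two-entry crypto map even though
! Tunnel3 and Tunnel4 share the source address 10.0.0.1.
crypto ipsec profile GRE_PROT
 set transform-set GRE_TS
!
interface Tunnel2
 ip address 192.168.12.1 255.255.255.0
 tunnel source 10.0.12.1
 tunnel destination 10.0.12.2
 tunnel protection ipsec profile GRE_PROT
!
interface Tunnel3
 ip address 192.168.13.1 255.255.255.0
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.3
 tunnel protection ipsec profile GRE_PROT
!
interface Tunnel4
 ip address 192.168.14.1 255.255.255.0
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.4
 tunnel protection ipsec profile GRE_PROT
!
! Matching spoke side (R4 shown; R2 and R3 differ only in addresses and key)
crypto isakmp key <key-for-R4> address 10.0.0.1
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto ipsec transform-set GRE_TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE_PROT
 set transform-set GRE_TS
interface Tunnel0
 ip address 192.168.14.4 255.255.255.0
 tunnel source 10.0.0.4
 tunnel destination 10.0.0.1
 tunnel protection ipsec profile GRE_PROT
```

When converting an existing box, remove the crypto maps from the physical interfaces; the profile on the tunnel replaces them. "show crypto ipsec sa" still reports proxy identities of host/host/47, exactly what the hand-written ACLs express, but there is no longer an ACL pair to get out of mirror. Some IOS releases refuse a second protected tunnel with the same "tunnel source" and ask for the "shared" keyword on the "tunnel protection" line; that is the documented fix (most often needed with multipoint GRE), not a reason to go back to crypto maps.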



You can test that the GRE over IPsec tunnels are up by pinging the far end of the tunnel subnet, which generates GRE traffic and so triggers the crypto map; for example, ping 192.168.14.1 from R4. Pinging the physical address 10.0.0.1 proves nothing here, because that traffic is not GRE and is never matched by the crypto ACL.
The first couple of packets may be dropped while ISAKMP negotiates the phase 1 and phase 2 SAs, but once they are established it should be fine.
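A ping through the tunnel exercises the whole stack at once; the checks below tell you which layer is actually up when it is not. These are the standard IOS show commands with trimmed output for the R1 side, added here as an example rather than captured from the original lab; the counters and conn-ids are constructed and only illustrate what to look for.

```cisco
! Phase 1: one ISAKMP SA per peer. State QM_IDLE means phase 1 completed.
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.1        10.0.0.4        QM_IDLE           1001 ACTIVE
10.0.0.1        10.0.0.3        QM_IDLE           1002 ACTIVE
10.0.12.1       10.0.12.2       QM_IDLE           1003 ACTIVE
!
! Phase 2: the proxy identities must be host/host/protocol 47 between the tunnel
! endpoints, and BOTH encaps and decaps must increase while pinging across the tunnel.
R1#show crypto ipsec sa peer 10.0.0.4 | include ident|pkts encaps|pkts decaps
   local  ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.0.0.4/255.255.255.255/47/0)
    #pkts encaps: 27, #pkts encrypt: 27, #pkts digest: 27
    #pkts decaps: 27, #pkts decrypt: 27, #pkts verify: 27
!
! GRE layer: the tunnel interfaces and a ping sourced from the tunnel address,
! which is what produces GRE (and therefore IPsec-matched) traffic.
R1#show ip interface brief | include Tunnel
Tunnel2   192.168.12.1  YES manual up   up
Tunnel3   192.168.13.1  YES manual up   up
Tunnel4   192.168.14.1  YES manual up   up
R1#ping 192.168.14.4 source 192.168.14.1
!
! No ISAKMP SA / state never reaches QM_IDLE: policy or key mismatch, watch the exchange.
R1#debug crypto isakmp
! Phase 1 up but encaps rise while decaps stay at 0: the crypto ACLs are not mirror
! images (ACL 110 on R1 is "host 10.0.0.1 host 10.0.0.4", so ACL 100 on R4 must be
! "host 10.0.0.4 host 10.0.0.1", and the transform set must match on both ends).
```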
