Saturday, October 17, 2015

Facts to remember about IPSEC VPN


If you are trying to configure GRE over IPsec (tunnel encapsulation first, then encryption), you can do it with one of two configuration options:
  1. Using a crypto map applied to the physical egress interface, so that it matches the GRE-encapsulated tunnel packets,
  2. Using IPsec profiles with tunnel protection, or a crypto map, on the tunnel interface.
If you are trying to configure IPsec over GRE (encryption first, then encapsulation), apply the crypto map on the tunnel interface.


This is the diagram used for the examples


IPsec VPNs with Crypto Maps
  • Configure an IPsec VPN between R7 and R8. The first step is to verify reachability between R7 and R8 with a ping.
  • EIGRP has been enabled on R7, R6, R3, R5 and R8. OSPF runs between R7 and R9, and R9's Loopback0 is advertised into OSPF. OSPF runs between R8 and R10, and R10's Loopback0 is advertised into OSPF.
  • The tunnel endpoints (R9 and R10) and the devices behind them (R7 and R8) require default routing to reach destinations over the IPsec tunnel. That is why the "default-information originate" command under the OSPF process on R7 and R8 propagates a default route to R9 and R10; R7 itself has two static default routes, toward R6 and R3.
  • Because R7 now has two default routes, it advertises itself as the default gateway to R9 in the OSPF process with the command "default-information originate". R8 advertises itself as the default gateway to R10 with the same command in its OSPF process.
  • Because R7 has multiple connections to the transit network (one to R3 and one to R6), the IPsec tunnel should be sourced from an interface independent of these links, such as its Loopback0.
  • Below is the Phase 1 (ISAKMP, part of IKE: a framework for authentication and key exchange) and Phase 2 SA (security association) configuration on R7 and R8.
R7:    
crypto isakmp policy 10   (define the ISAKMP policy with id 10)
 encr aes 256             (define the encryption algorithm)
 hash sha512              (define the integrity algorithm)
 authentication pre-share (authenticate with a pre-shared key)
 group 24                 (define the Diffie-Hellman group, i.e. the key strength during the exchange)
!
crypto isakmp key CISCO address 155.1.58.8  (remote peer and pre-shared key)
!
crypto ipsec transform-set ESP-AES-192-SHA-384 esp-aes 192 esp-sha384-hmac (encryption and integrity algorithms for the data transmission)
 mode tunnel        (Phase 2 ESP transform set, running in tunnel mode)
!
ip access-list extended R9_TO_R10  (proxy ACL - traffic to send through the tunnel)
 permit ip host 150.1.9.9 host 150.1.10.10  (src R9 Lo0, dst R10 Lo0)
 permit ip host 150.1.9.9 155.1.10.0 0.0.0.255 (src R9 Lo0, dst R8-R10 net)
!
crypto map R7_TO_R8 local-address Loopback0  (tunnel source definition)
!
crypto map R7_TO_R8 10 ipsec-isakmp    (ISAKMP settings)
 set peer 155.1.58.8                   (remote peer)
 set transform-set ESP-AES-192-SHA-384 (transform set previously defined)
 match address R9_TO_R10               (proxy ACL previously defined)
!
interface G0/3
 crypto map R7_TO_R8                   (linking the crypto map with the interface)
!
interface G0/1
 crypto map R7_TO_R8                   (linking the crypto map with the interface)


R8:
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 24
!
crypto isakmp key CISCO address 150.1.7.7     
!
crypto ipsec transform-set ESP-AES-192-SHA-384 esp-aes 192 esp-sha384-hmac 
 mode tunnel
!
ip access-list extended R10_TO_R9
 permit ip host 150.1.10.10 host 150.1.9.9
 permit ip host 150.1.10.10 155.1.9.0 0.0.0.255
 permit ip 155.1.10.0 0.0.0.255 host 150.1.9.9
 permit ip 155.1.10.0 0.0.0.255 155.1.9.0 0.0.0.255
!
crypto map R7_TO_R8 10 ipsec-isakmp 
 set peer 150.1.7.7
 set transform-set ESP-AES-192-SHA-384 
 match address R10_TO_R9
!
interface G0/2
 crypto map R7_TO_R8
!
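The ISAKMP policy and transform set above decide the strength of both phases. As an added example (Python, not from the original post), here is a small checker that parses these IOS blocks and flags legacy algorithm choices; its sample config is constructed from the R7 policy above plus the 3DES/MD5/group 5 policy the GRE over IPsec sections further down use, so one modern and one legacy policy are compared.

```python
# Constructed sample, not a capture from a device: the R7 ISAKMP policy and
# transform set above, plus the later 3DES/MD5/group-5 policy as "policy 20".
SAMPLE_CONFIG = """
crypto isakmp policy 10
 encr aes 256
 hash sha512
 group 24
!
crypto ipsec transform-set ESP-AES-192-SHA-384 esp-aes 192 esp-sha384-hmac
!
crypto isakmp policy 20
 encr 3des
 hash md5
 group 5
!
crypto ipsec transform-set ESP-AES-128-SHA-1 esp-aes esp-sha-hmac
"""
# Legacy choices a config review flags: DES/3DES, MD5, SHA-1 ('hash sha' and
# esp-sha-hmac are SHA-1 on IOS) and the small MODP DH groups 1, 2 and 5.
LEGACY = {"encr": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"},
          "transform": {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}}

def parse_blocks(config):
    """Split IOS config text into (header, [sub-lines]); '!' or a blank line ends a block."""
    blocks, header, body = [], None, []
    for line in config.splitlines():
        if not line.strip() or line == "!":
            header, body = None, []
        elif line.startswith(" ") and header:
            body.append(line.strip())          # same list object stored in blocks
        else:
            header, body = line.rstrip(), []
            blocks.append((header, body))
    return blocks

def audit(config):
    """Return (block header, finding) pairs for legacy IKEv1 policy and ESP transform choices."""
    findings = []
    for header, body in parse_blocks(config):
        if header.startswith("crypto isakmp policy"):
            for entry in body:
                tokens = entry.split()           # 'encr aes 256': tokens[1] is the cipher
                if len(tokens) > 1 and tokens[1] in LEGACY.get(tokens[0], ()):
                    findings.append((header, f"legacy {tokens[0]} {tokens[1]}"))
        elif header.startswith("crypto ipsec transform-set"):
            for transform in header.split()[4:]:  # tokens after the set name
                if transform in LEGACY["transform"]:
                    findings.append((header, f"legacy transform {transform}"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports nothing for policy 10 and four findings for the legacy policy and transform set.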

GRE Tunnel

  • Configure OSPF area 0 between R7 and R9, and advertise all links on R9 into OSPF.
  • Configure OSPF area 0 between R8 and R10, and advertise all links on R10 into OSPF.
  • There is no need for default routing here, because a GRE tunnel supports dynamic routing over it.
  • Configure a GRE tunnel between R7 and R8 as follows:

    • Source the tunnel from Loopback0 addresses.
    • Use the IP subnet 169.254.78.0/24, with host addresses .7 and .8 respectively.
    • Enable OSPF area 0 on the tunnel.
    R7:
    interface Tunnel0
     ip address 169.254.78.7 255.255.255.0
     ip ospf 1 area 0
     tunnel source Loopback0
     tunnel destination 150.1.8.8
    R8:
    interface Tunnel0
     ip address 169.254.78.8 255.255.255.0
     ip ospf 1 area 0
     tunnel source Loopback0
     tunnel destination 150.1.7.7
    !


    GRE over IPsec with Crypto Maps
    • Traffic is encrypted after it is GRE-encapsulated between the tunnel endpoints.
    • The ESP transform set runs in transport mode: the GRE packet already carries an outer IP header between the tunnel endpoints, so ESP does not add a second one; only the ESP header and trailer are added.
    • The proxy ACL needs only a single entry to match all GRE traffic (IP protocol 47) between the tunnel endpoints.
    • The IP MTU on the tunnel interface stops the router from having to fragment after IPsec encryption.
    • The TCP Adjust MSS feature has the router rewrite the MSS option in a TCP three-way handshake if it exceeds the configured value, to avoid fragmentation.
    R7:
    interface Tunnel0
     ip address 169.254.78.7 255.255.255.0
     ip mtu 1400
     ip ospf 1 area 0
     ip tcp adjust-mss 1360
     tunnel source Loopback0
     tunnel destination 150.1.8.8
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 5
    !
    crypto isakmp key CISCO address 150.1.8.8     
    !
    crypto ipsec transform-set ESP-AES-128-SHA-1 esp-aes esp-sha-hmac 
     mode transport
    !
    ip access-list extended GRE_FROM_R7_TO_R8
     permit gre host 150.1.7.7 host 150.1.8.8
    !
    crypto map GRE_OVER_IPSEC local-address Loopback0
    !
    crypto map GRE_OVER_IPSEC 10 ipsec-isakmp 
     set peer 150.1.8.8
     set transform-set ESP-AES-128-SHA-1 
     match address GRE_FROM_R7_TO_R8
    !
    interface GigabitEthernet1.37
     crypto map GRE_OVER_IPSEC
    !
    interface GigabitEthernet1.67
     crypto map GRE_OVER_IPSEC
    R8:
    interface Tunnel0
     ip address 169.254.78.8 255.255.255.0
     ip ospf 1 area 0
     ip mtu 1400
     ip tcp adjust-mss 1360
     tunnel source Loopback0
     tunnel destination 150.1.7.7
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 5
    !
    crypto isakmp key CISCO address 150.1.7.7     
    !
    crypto ipsec transform-set ESP-AES-128-SHA-1 esp-aes esp-sha-hmac 
     mode transport
    !
    crypto map GRE_OVER_IPSEC local-address Loopback0
    !
    ip access-list extended GRE_FROM_R8_TO_R7
     permit gre host 150.1.8.8 host 150.1.7.7
    !
    crypto map GRE_OVER_IPSEC 10 ipsec-isakmp 
     set peer 150.1.7.7
     set transform-set ESP-AES-128-SHA-1 
     match address GRE_FROM_R8_TO_R7
    !
    interface GigabitEthernet1.58
     crypto map GRE_OVER_IPSEC

    GRE over IPsec with Crypto Profiles
    • Configuration is simplified compared to GRE over IPsec with Crypto Maps. In both cases the IPsec Phase 1 (ISAKMP) negotiation is identical
    • For IPsec Phase 2, the IPsec Transform Set is called from a Crypto IPsec Profile.
    • The IPsec Profile is applied to the Tunnel interface
    • Because the Tunnel already specifies the source and destination, there is no need to set the peer address as in the Crypto Map-based configuration
    • No Proxy ACL is needed, because all GRE traffic between the tunnel endpoints is subject to the IPsec encryption and authentication
    R7:
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 5
    !
    crypto isakmp key CISCO address 150.1.8.8     
    !
    crypto ipsec transform-set ESP-AES-128-SHA-1 esp-aes esp-sha-hmac 
     mode transport
    !
    crypto ipsec profile GRE_OVER_IPSEC_PROFILE
     set transform-set ESP-AES-128-SHA-1 
    !
    interface Tunnel0
     ip address 169.254.78.7 255.255.255.0
     ip mtu 1400
     ip tcp adjust-mss 1360
     ip ospf 1 area 0
     tunnel source Loopback0
     tunnel destination 150.1.8.8
     tunnel protection ipsec profile GRE_OVER_IPSEC_PROFILE
    IPsec Virtual Tunnel Interfaces (VTIs)
    • VTI behaves very similarly to a GRE tunnel, except that the encapsulation overhead is lower (24 bytes lower than GRE over IPsec with ESP in tunnel mode).
    • VTI is a tunnel where the payload is directly encapsulated in ESP, without the need for another transport header.
    • One key point to remember, though, is that since the payload is directly encapsulated into IPsec, which is an IP-only encapsulation, non-IP payloads are not supported. This means that non-IP protocols such as the IS-IS routing protocol cannot run over an IPv4 VTI.
    • The configuration of a VTI is identical to a GRE over IPsec tunnel with a crypto IPsec profile, except that the tunnel mode is set to IPsec IPv4 or IPsec IPv6.
    • In Phase 2, the proxy identities (what would normally be configured as the proxy ACL) are automatically negotiated as IP any any.
    • The IPsec transform set must run in tunnel mode, because there is no other transport header such as GRE that adds the additional IP encapsulation.
    R7:
    crypto isakmp policy 10
     encr aes 192
     hash sha384
     authentication pre-share
     group 15
    !
    crypto isakmp key CISCO address 150.1.8.8     
    !
    crypto ipsec transform-set ESP-3DES-ESP-MD5 esp-3des esp-md5-hmac
     mode tunnel
    !
    crypto ipsec profile VTI_PROFILE
     set transform-set ESP-3DES-ESP-MD5 
    !
    interface Tunnel0
     ip address 169.254.78.7 255.255.255.0
     ip tcp adjust-mss 1406
     ip ospf 1 area 0
     tunnel source Loopback0
     tunnel destination 150.1.8.8
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile VTI_PROFILE
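The sizing behind the "ip mtu 1400 / ip tcp adjust-mss 1360" values in the GRE over IPsec sections and the "adjust-mss 1406" on the VTI above, worked through as an added example (Python, not from the original post). It also checks the VTI bullet's claim of 24 bytes less overhead than GRE over IPsec with ESP in tunnel mode. Assumptions: the GRE header is the 4-byte form with no key or sequence options, and the VTI tunnel's ip mtu is 1446 (the page only gives the 1406 MSS, i.e. 1446 - 40).

```python
# Header sizes in bytes; GRE_HDR is the 4-byte header with no key/sequence options.
IP_HDR, TCP_HDR, GRE_HDR, ESP_HDR, ESP_TRAILER = 20, 20, 4, 8, 2

# ESP transform sets used on this page: (IV length, cipher block size, ICV length).
# esp-sha-hmac is HMAC-SHA1-96 and esp-md5-hmac is HMAC-MD5-96, both 12-byte ICVs.
TRANSFORMS = {
    "esp-aes esp-sha-hmac": (16, 16, 12),      # AES-CBC
    "esp-3des esp-md5-hmac": (8, 8, 12),       # 3DES-CBC
}

def esp_packet_size(protected_len, transform):
    """Bytes on the wire for one ESP packet: outer IP header, ESP header, IV,
    the protected data padded to the cipher block size, ESP trailer and ICV."""
    iv, block, icv = TRANSFORMS[transform]
    padding = (-(protected_len + ESP_TRAILER)) % block
    return IP_HDR + ESP_HDR + iv + protected_len + padding + ESP_TRAILER + icv

def gre_over_ipsec_transport(inner_len, transform):
    """GRE over IPsec, ESP in transport mode: ESP protects [GRE header + inner IP
    packet] and the GRE packet's own IP header is reused as the outer header."""
    return esp_packet_size(GRE_HDR + inner_len, transform)

def gre_over_ipsec_tunnel(inner_len, transform):
    """GRE over IPsec, ESP in tunnel mode: the whole GRE packet, its IP header
    included, is protected and a new outer IP header is added."""
    return esp_packet_size(IP_HDR + GRE_HDR + inner_len, transform)

def vti(inner_len, transform):
    """IPsec VTI: the inner IP packet is the ESP payload directly (tunnel mode),
    with no GRE header and no second IP header inside the protected data."""
    return esp_packet_size(inner_len, transform)

def adjust_mss_for(tunnel_ip_mtu):
    """'ip tcp adjust-mss' value so a full segment plus IP and TCP headers fits 'ip mtu'."""
    return tunnel_ip_mtu - IP_HDR - TCP_HDR

def fits(size, physical_mtu=1500):
    """True when the encrypted packet needs no fragmentation on the physical link."""
    return size <= physical_mtu

if __name__ == "__main__":
    # GRE over IPsec section: ip mtu 1400 / adjust-mss 1360 with esp-aes esp-sha-hmac
    print(adjust_mss_for(1400), gre_over_ipsec_transport(1400, "esp-aes esp-sha-hmac"))
    # VTI section: adjust-mss 1406 implies a tunnel ip mtu of 1446 (assumption, not on the page)
    print(adjust_mss_for(1446), vti(1446, "esp-3des esp-md5-hmac"))
```

The 24-byte difference holds for the protected data before padding; the padded sizes of two specific packets can differ by a few bytes more or less depending on the cipher block size.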