Building an IPSEC GRE Tunnel

So there is a little bit of confusion on the interwebz when it comes to understanding an IPSEC GRE tunnel. First off lets look at how it actually works.

GRE works by encapsulating IP traffic inside of an IP packet and sends it across the wire to its destination where it is decapsulated and the inner-packet is than routed. GRE is commonly used to bridge two routed domains over a network outside of your administrative control.

When using GRE over the public internet, security is a concern and therefore you would want to encrypt the traffic, this is where IPSEC comes in.

IPSEC GRE tunnels are GRE tunnels that are encapsulated inside of an IPSEC payload and sent across a public network. If you were to capture such traffic using Wireshark you would see only ESP (Encapsulating Security Payload) and not GRE as depicted below;

To get a better understanding this concept the following diagram should help;

Okay so how do I configure it?

Now on to the fun part, configuration. First off lets take a look at the diagram we’ll be using to demonstrate this technology;

The following configuration demonstration was performed on the Stub Lab. If you like, you can also do this configuration on the Stub Lab which is a freely accessible Cisco Lab. All ya gotta do is sign up and reserve lab time!

First off we need to configure the INET router. This router will simulate the internet connectivity between the NYC and ATL routers. The following initial configuration has been provided to make this quickly achievable;

!####################################!# IPSEC GRE TUNNEL - INET ROUTER #!####################################!enableconfigure terminal!hostname INETno ip domain-lookup!interface Serial0/0/0 description Link to R2 Se0/1/0 ip address 198.51.100.33 255.255.255.252 no fair-queue no cdp enable no shut!interface Serial0/1/0 description Link to R1 Se0/0/0 ip address 203.0.113.129 255.255.255.252 no cdp enable no shut!interface FastEthernet0/0 shutdown!interface FastEthernet0/1 shutdown!line con 0 logging sync no exec-timeout!end

Now we can go ahead and configure the basics on the NYC and ATL routers. We’ll setup a loopback interface on each router to simulate LAN connectivity and than EIGRP to route over the tunnel.

Router con0 is now availablePress RETURN to get started.Router>enableRouter#config terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)#hostname NYCNYC(config)#no ip domain-lookupNYC(config)#interface Loopback0NYC(config-if)#description Simulated LAN ConnectionNYC(config-if)#ip add 10.1.0.1 255.255.255.0NYC(config-if)#exitNYC(config)#interface Serial0/0/0NYC(config-if)#description Link to InternetNYC(config-if)#ip address 203.0.113.130 255.255.255.252NYC(config-if)#exitNYC(config)#router eigrp 1NYC(config-router)#no auto-summaryNYC(config-router)#network 10.1.0.1 0.0.0.0NYC(config-router)#exitNYC(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.129NYC(config)#Router con0 is now availablePress RETURN to get started.Router>enableRouter#config terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)#hostname ATLATL(config)#no ip domain-lookupATL(config)#interface Loopback0ATL(config-if)#description Simulated LAN ConnectionATL(config-if)#ip add 10.2.0.2 255.255.255.0ATL(config-if)#exitATL(config)#interface Serial0/1/0ATL(config-if)#description Link to InternetATL(config-if)#ip address 198.51.100.34 255.255.255.252ATL(config-if)#exitATL(config)#router eigrp 1ATL(config-router)#no auto-summaryATL(config-router)#network 10.2.0.2 0.0.0.0ATL(config-router)#exitATL(config)#ip route 0.0.0.0 0.0.0.0 198.51.100.33ATL(config)#

Now that the basic config is out of the way we can now setup the basic GRE tunnel interface and enable EIGRP routing on the tunnel interface which should allow the two simulated LAN segments to communicate with each other unencrypted over the public internet.

NYC(config)#interface Tunnel0NYC(config-if)#description IPSEC GRE TUNNEL TO ATLANTANYC(config-if)#ip address 10.12.0.1 255.255.255.0NYC(config-if)#tunnel source Serial0/0/0NYC(config-if)#tunnel destination 198.51.100.34NYC(config-if)#exitNYC(config)#router eigrp 1NYC(config-router)#network 10.12.0.1 0.0.0.0NYC(config-router)#exit%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.12.0.2 (Tunnel0) is up: new adjacencyNYC(config)#exitNYC#%SYS-5-CONFIG_I: Configured from console by consoleNYC#ATL(config)#interface Tunnel0ATL(config-if)#description IPSEC GRE TUNNEL TO ATLANTAATL(config-if)#ip address 10.12.0.2 255.255.255.0ATL(config-if)#tunnel source Serial0/1/0ATL(config-if)#tunnel destination 203.0.113.130ATL(config-if)#exitATL(config)#router eigrp 1ATL(config-router)#network 10.12.0.2 0.0.0.0ATL(config-router)#exit%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.12.0.1 (Tunnel0) is up: new adjacencyATL(config)#exitATL#%SYS-5-CONFIG_I: Configured from console by consoleATL#

Now that a basic GRE tunnel has been established, we can verify the operational status of the tunnel by pinging the other end.

NYC#ping 10.12.0.2Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.12.0.2, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 msNYC(config)#

Also you should have noticed that the NYC and ATL became EIGRP neighbors and you should now have the ability to ping Atlanta’s simulated LAN segment from New York as demonstrated below;

NYC#ping 10.2.0.2 source loopback0Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:Packet sent with a source address of 10.1.0.1 !!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 msNYC#

Now we’re ready to configure the IPSEC portion of the IPSEC GRE tunnel. First you must define an ISAKMP policy. ISAKMP policies are used to define the phase 1 negotiations of an IPSEC tunnel. When it comes to IPSEC GRE, the ISAKMP policy is very simple. The policy must be defined on both routers.

NYC#config terminalNYC(config)#crypto isakmp policy 10NYC(config-isakmp)#authentication pre-shareNYC(config-isakmp)#exitNYC(config)#ATL#config terminalATL(config)#crypto isakmp policy 10ATL(config-isakmp)#authentication pre-shareATL(config-isakmp)#exitATL(config)#

Next we need to need to define the pre-shared key on a per peer basis;

NYC(config)#crypto isakmp key 0 CISCO address 198.51.100.34ATL(config)#crypto isakmp key 0 CISCO address 203.0.113.130

than we need to configure the transform-set which will actually be used to encrypt the data. For this demonstration we’re going to use AES128 and SHA hashing.

NYC(config)#crypto ipsec transform-set TRANS_IPSEC_GRE esp-aes esp-sha-hmac ATL(config)#crypto ipsec transform-set TRANS_IPSEC_GRE esp-aes esp-sha-hmac

Next we’ll need to build the ipsec profile that will be applied to the GRE tunnel interface;

NYC(config)#crypto ipsec profile IPSEC_GRENYC(ipsec-profile)#set transform-set TRANS_IPSEC_GREATL(config)#crypto ipsec profile IPSEC_GREATL(ipsec-profile)#set transform-set TRANS_IPSEC_GRE

Finally once all the IPSEC configuration is completed we can assign the IPSEC profile to the tunnel interface as shown below;

NYC(ipsec-profile)#interface Tunnel0NYC(config-if)#tunnel protection ipsec profile IPSEC_GRENYC(config-if)#%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ONNYC(config-if)#^ZNYC#ATL(ipsec-profile)#interface Tunnel0ATL(config-if)#tunnel protection ipsec profile IPSEC_GREATL(config-if)#%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ONATL(config-if)#^ZATL#

And now for the ultimate verification! We’ll ping the Atlanta simulated LAN segment (Loopback0: 10.2.0.2) from the NYC simulated LAN Segment (Loopback0: 10.1.0.1) and verify that the packets are being encrypted and decrypted by viewing the ipsec security-association;

NYC#ping 10.2.0.2 source loopback0Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:Packet sent with a source address of 10.1.0.1 !!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 msNYC#NYC#show crypto ipsec sa peer 198.51.100.34interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr 203.0.113.130 protected vrf: (none) local ident (addr/mask/prot/port): (203.0.113.130/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (198.51.100.34/255.255.255.255/47/0) current_peer 198.51.100.34 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 79, #pkts encrypt: 79, #pkts digest: 79 #pkts decaps: 79, #pkts decrypt: 79, #pkts verify: 79 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 203.0.113.130, remote crypto endpt.: 198.51.100.34 path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0 current outbound spi: 0xE15A5BAE(3780795310) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x67D027CC(1741694924) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 2007, flow_id: NETGX:7, sibling_flags 80000046, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4590179/3282) IV size: 16 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xE15A5BAE(3780795310) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 2008, flow_id: NETGX:8, sibling_flags 80000046, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4590178/3282) IV size: 16 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:NYC#

We have successfully build an IPSEC GRE tunnel that can route EIGRP between two locations over the internet securely. Post your comments and questions below!

التسميات : Building , IPSEC , Tunnel

• twitter
• share
• plus