How to configure IPsec on GRE Dynamic Virtual-Template interface?

 

Generic Routing Encapsulation (GRE) is a network tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links or point-to-multipoint links over an Internet Protocol network. GRE tunnels also allow unicast, multicast, and broadcast traffic between routers but there is a problem with GRE tunnels it is clear text and GRE needs to provide better-grade protection. However, we can encrypt the complete GRE tunnel with IPsec security which provides good-grade security. we already configure IPsec with GRE click here. but in this blog, we will configure an IPsec with a Dynamic Virtual-Template interface.

VTI does the same job that GRE with IPsec does. They both encrypt the tunnel with IPsec. VTI removed the additional 4 bytes GRE header, thus reducing the bandwidth for sending encrypted data. VTI allows the configuration of ACL, NAT, and QoS. remember the default mode for a tunnel is GRE you have to define the mode IPsec IPv4 to configure the SVTI tunnel. 

let's see the configuration- in this topology, we have head office router 1 and branch routers 3 and 4. Router 2 is acting as an internet. 

Topology:-

Goal: is to make sure all the traffic is encrypted with IPsec 

1. Configure the topology as per the diagram 
2. Configure the IP addresses as per the topology
3. Configure default route on head office and branch routers
4. Configure crypto ISAKMP policy
5. Configure crypto keyring
6. Configure crypto ISAKMP profile
7.  Configure crypto IPsec transform-set
8. Configure crypto IPsec Profile
9. Configure dynamic virtual-template 1 type tunnel
10. Configure EIGRP 100
11. Configure tunnel 0 on branches.
12. Apply the IPsec protection on the virtual tunnel 
13. make sure all the traffic is encrypted 
14. verify the configuration with show commands and ping + trace

R1(config)#interface serial 3/0
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#no keepalive
R1(config-if)#exit

R1(config)#interface loopback 0
R1(config-if)#ip address  192.168.111.1 255.255.255.0
R1(config-if)#exit

 
R2(config)#interface serial 3/0
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 3/1
R2(config-if)#ip address 192.168.23.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 3/2
R2(config-if)#ip address 192.168.24.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
 

 
R3(config)#interface serial 3/1
R3(config-if)#ip address 192.168.23.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 192.168.30.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit

R3(config)#interface loopback 0
R3(config-if)#ip address  192.168.133.1 255.255.255.0
R3(config-if)#exit
 

 
R4(config)#interface serial 3/2
R4(config-if)#ip address 192.168.24.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit

R4(config)#interface fastethernet 0/0
R4(config-if)#ip address 192.168.40.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit

R4(config)#interface loopback 0
R4(config-if)#ip address  192.168.144.1 255.255.255.0
R4(config-if)#exit

 
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 3/0

R2(config)#ip route 192.168.10.0 255.255.255.0 serial 3/0
R2(config)#ip route 192.168.30.0 255.255.255.0 serial 3/1
R2(config)#ip route 192.168.40.0 255.255.255.0 serial 3/2
 
R3(config)#ip route 0.0.0.0 0.0.0.0 serial 3/1

R4(config)#ip route 0.0.0.0 0.0.0.0 serial 3/2
 
R1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.10.1    YES manual up                    up
Serial3/0              192.168.12.1    YES manual up                    up
Loopback0              192.168.111.1   YES manual up                    up
 
 
R2#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Serial3/0              192.168.12.2    YES manual up                    up
Serial3/1              192.168.23.2    YES manual up                    up
Serial3/2              192.168.24.2    YES manual up                    up
 
R3#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.30.1    YES manual up                    up
Serial3/1              192.168.23.1    YES manual up                    up
Loopback0              192.168.133.1   YES manual up                    up
 
R4#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.40.1    YES manual up                    up
Serial3/2              192.168.24.1    YES manual up                    up
Loopback0              192.168.144.1   YES manual up                    up

R1(config)#crypto isakmp policy 11
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 14
R1(config-isakmp)#hash sha256
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#exit

R1(config)#crypto keyring DVTI-KEYRING
R1(conf-keyring)#pre-shared-key address 192.168.23.1 key INTERNET
R1(conf-keyring)#pre-shared-key address 192.168.24.1 key INTERNET
R1(conf-keyring)#exit

R1(config)#crypto isakmp profile DVTI-ISAKMP
% A profile is deemed incomplete until it has match identity statements
R1(conf-isa-prof)#keyring DVTI-KEYRING
R1(conf-isa-prof)#match identity address 192.168.23.1
R1(conf-isa-prof)#match identity address 192.168.24.1
R1(conf-isa-prof)#virtual-template 1
R1(conf-isa-prof)#exit

R1(config)#crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha256-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit

R1(config)#crypto ipsec profile DVTI-IPSEC
R1(ipsec-profile)#set transform-set TRANS-SET
R1(ipsec-profile)#exit

R1#show crypto isakmp profile
 
IKEv1 PROFILE DVTI-ISAKMP
Ref Count = 5
   Identities matched are:
    ip-address 192.168.23.1 255.255.255.255
    ip-address 192.168.24.1 255.255.255.255
   Certificate maps matched are:
   keyring(s): DVTI-KEYRING
   trustpoint(s): <all>

   virtual-template: 1

 
R1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
 
Transform set TRANS-SET: { esp-256-aes esp-sha256-hmac  }
   will negotiate = { Tunnel,  },

R1#show crypto ipsec profile
IPSEC profile DVTI-IPSEC
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                TRANS-SET:  { esp-256-aes esp-sha256-hmac  } ,
        }
 
IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,

R3(config)#crypto isakmp policy 11
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 14
R3(config-isakmp)#hash sha256
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#lifetime 3600
R3(config-isakmp)#exit

R3(config)#crypto keyring DVTI-KEYRING
R3(conf-keyring)#pre-shared-key address 192.168.12.1 key INTERNET
R3(conf-keyring)#exit

R3(config)#crypto isakmp profile DVTI-ISAKMP
% A profile is deemed incomplete until it has match identity statements
R3(conf-isa-prof)#keyring DVTI-KEYRING
R3(conf-isa-prof)#match identity address 192.168.12.1
R3(conf-isa-prof)#exit

R3(config)#crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha256-hmac
R3(cfg-crypto-trans)#mode tunnel
R3(cfg-crypto-trans)#exit

R3(config)#crypto ipsec profile DVTI-IPSEC
R3(ipsec-profile)#set transform-set TRANS-SET
R3(ipsec-profile)#exit

R3#show crypto isakmp profile

IKEv1 PROFILE DVTI-ISAKMP

Ref Count = 1

   Identities matched are:

    ip-address 192.168.12.1 255.255.255.255

   Certificate maps matched are:

   keyring(s): DVTI-KEYRING

   trustpoint(s): <all>

R3#show crypto ipsec transform-set

Transform set default: { esp-aes esp-sha-hmac  }

   will negotiate = { Transport,  },

Transform set TRANS-SET: { esp-256-aes esp-sha256-hmac  }

   will negotiate = { Tunnel,  },

R3#show crypto ipsec profile

IPSEC profile DVTI-IPSEC

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                TRANS-SET:  { esp-256-aes esp-sha256-hmac  } ,

        }

IPSEC profile default

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                default:  { esp-aes esp-sha-hmac  } ,

 

R4(config)#crypto isakmp policy 11
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#group 14
R4(config-isakmp)#hash sha256
R4(config-isakmp)#encryption aes 256
R4(config-isakmp)#lifetime 3600
R4(config-isakmp)#exit

R4(config)#crypto keyring DVTI-KEYRING
R4(conf-keyring)#pre-shared-key address 192.168.12.1 key INTERNET
R4(conf-keyring)#exit

R4(config)#crypto isakmp profile DVTI-ISAKMP
% A profile is deemed incomplete until it has match identity statements
R4(conf-isa-prof)#keyring DVTI-KEYRING
R4(conf-isa-prof)#match identity address 192.168.12.1

R4(conf-isa-prof)#crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha256-hmac
R4(cfg-crypto-trans)#mode tunnel
R4(cfg-crypto-trans)#exit

R4(config)#crypto ipsec profile DVTI-IPSEC
R4(ipsec-profile)#set transform-set TRANS-SET
R4(ipsec-profile)#exit

R4#show crypto isakmp profile

IKEv1 PROFILE DVTI-ISAKMP

Ref Count = 2

   Identities matched are:

    ip-address 192.168.12.1 255.255.255.255

   Certificate maps matched are:

   keyring(s): DVTI-KEYRING

   trustpoint(s): <all>

R4#show crypto ipsec transform-set

Transform set default: { esp-aes esp-sha-hmac  }

   will negotiate = { Transport,  },

Transform set TRANS-SET: { esp-256-aes esp-sha256-hmac  }

   will negotiate = { Tunnel,  },

R4#show crypto ipsec profile

IPSEC profile DVTI-IPSEC

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                TRANS-SET:  { esp-256-aes esp-sha256-hmac  } ,

        }

IPSEC profile default

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                default:  { esp-aes esp-sha-hmac  } ,

        }

 R1(config)#interface virtual-template 1 type tunnel
R1(config-if)#ip unnumbered loopback 0
R1(config-if)#tunnel source 192.168.12.1
R1(config-if)#tunnel destination dynamic
R1(config-if)#tunnel protection ipsec profile DVTI-IPSEC
R1(config-if)#no ip split-horizon eigrp 100
R1(config-if)#no ip next-hop-self eigrp 100
R1(config-if)#exit

R1(config)#router eigrp 100
R1(config-router)#network 192.168.10.0
R1(config-router)#network 192.168.111.0
R1(config-router)#no auto-summary
R1(config-router)#exit
 
*Apr  8 12:06:26.907: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

*Apr  8 12:09:06.051: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
*Apr  8 12:09:58.035: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.133.1 (Virtual-Access1) is up: new adjacency
*Apr  8 12:28:57.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
*Apr  8 12:29:58.979: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.144.1 (Virtual-Access2) is up: new adjacency

R1#show interfaces virtual-template 1

Virtual-Template1 is up, line protocol is down

  Hardware is Virtual Template interface

  Interface is unnumbered. Using address of Loopback0 (192.168.111.1)

  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation TUNNEL, loopback not set

  Keepalive not set

  Tunnel source 192.168.12.1

  

R1#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

192.168.12.1    192.168.24.1    QM_IDLE           1007 ACTIVE

192.168.12.1    192.168.23.1    QM_IDLE           1006 ACTIVE

R1#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

FastEthernet0/0        192.168.10.1    YES manual up                    up

Serial3/0              192.168.12.1    YES manual up                    up

Loopback0              192.168.111.1   YES manual up                    up

Virtual-Access1        192.168.111.1   YES unset  up                    up

Virtual-Access2        192.168.111.1   YES unset  up                    up

Virtual-Template1      192.168.111.1   YES unset  up                    down

R3(config)#interface tunnel 0

R3(config-if)#ip unnumbered loopback 0

R3(config-if)#tunnel source serial 3/1

R3(config-if)#tunnel destination 192.168.12.1

R3(config-if)#tunnel protection ipsec profile DVTI-IPSEC

R3(config-if)#no ip split-horizon eigrp 100

R3(config-if)#no ip next-hop-self eigrp 100

R3(config-if)#exit

R3(config)#router eigrp 100

R3(config-router)#network 192.168.30.0

R3(config-router)#network 192.168.133.0

R3(config-router)#no auto-summary

R3(config-router)#exit

*Apr  8 12:09:03.531: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

*Apr  8 12:07:48.547: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down

*Apr  8 12:08:31.939: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

*Apr  8 12:09:57.203: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency

R4(config)#interface tunnel 0

R4(config-if)#ip unnumbered loopback 0

R4(config-if)#tunnel source 192.168.24.1

R4(config-if)#tunnel destination 192.168.12.1

R4(config-if)#tunnel protection ipsec profile DVTI-IPSEC

R4(config-if)#no ip split-horizon eigrp 100

R4(config-if)#no ip next-hop-self eigrp 100

R4(config-if)#exit

R4(config)#router eigrp 100

R4(config-router)#network 192.168.40.0

R4(config-router)#network 192.168.144.0

R4(config-router)#no auto-summary

R4(config-router)#exit

R4(config)#end

R4# show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

192.168.12.1    192.168.24.1    QM_IDLE           1003 ACTIVE

IPv6 Crypto ISAKMP SA

*Apr  8 12:28:55.243: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

*Apr  8 12:28:32.819: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

*Apr  8 12:29:58.335: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency

*Apr  8 12:26:54.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down

R1#traceroute 192.168.30.1

Type escape sequence to abort.

Tracing the route to 192.168.30.1

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.133.1 80 msec 60 msec 52 msec

R1#traceroute 192.168.40.1

Type escape sequence to abort.

Tracing the route to 192.168.40.1

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.144.1 56 msec 60 msec 56 msec

R3#show crypto ipsec sa

interface: Tunnel0

    Crypto map tag: Tunnel0-head-0, local addr 192.168.23.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.23.1/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (192.168.12.1/255.255.255.255/47/0)

   current_peer 192.168.12.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 1487, #pkts encrypt: 1487, #pkts digest: 1487

    #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.23.1, remote crypto endpt.: 192.168.12.1

     path mtu 1500, ip mtu 1500, ip mtu idb Serial3/1

     current outbound spi: 0xE987DEF7(3917995767)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x34186AB2(874015410)

        transform: esp-256-aes esp-sha256-hmac ,

        in use settings ={Tunnel, }

        conn id: 5, flow_id: 5, sibling_flags 80000040, crypto map: Tunnel0-head-0

        sa timing: remaining key lifetime (k/sec): (4337556/3569)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0xE987DEF7(3917995767)

        transform: esp-256-aes esp-sha256-hmac ,

        in use settings ={Tunnel, }

        conn id: 6, flow_id: 6, sibling_flags 80000040, crypto map: Tunnel0-head-0

        sa timing: remaining key lifetime (k/sec): (4337556/3569)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

R3#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

192.168.23.1    192.168.12.1    QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA