
How to configure Encrypted GRE Tunnel with IPsec ESP security?

Internetworks



When do we use GRE?

GRE is used when packets from one network need to be carried to another network across the internet (or any intermediate IP network).

 

Generic Routing Encapsulation (GRE) is a network tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network-layer protocols inside virtual point-to-point or point-to-multipoint links over an IP network. GRE tunnels can also carry unicast, multicast, and broadcast traffic between routers. The problem with a plain GRE tunnel is that everything inside it travels in clear text: GRE itself provides no confidentiality, integrity, or authentication. We can, however, encrypt the complete GRE tunnel with IPsec, which adds exactly those protections.


Let's see the configuration of the encrypted GRE tunnel.

Topology:- https://youtu.be/5_sfxQGPlg0?si=D4x3RWf8AoZHGvSY






(As you can see from the topology above, we have three sites. To encrypt a tunnel you have to build the GRE tunnel first, so we start by configuring GRE tunnels from Site-A to Site-B and from Site-A to Site-C. After the GRE tunnels are established, we encrypt the entire tunnel with IPsec ESP between Site-A and Site-B only.)


GOAL:

  • Configure the topology as per the diagram
  • Assign the IP addresses as per the topology
  • Configure a default route at Site-A, Site-B and Site-C
  • Configure static routing on router 2, which is acting as the internet router
  • Configure the GRE tunnel between Site-A and Site-B; the tunnel subnet will be 192.168.123.0/24
  • Configure EIGRP on Site-A and Site-B and advertise the LAN networks and the tunnel subnet
  • Verify the tunnel with show commands and traceroute to make sure data travels inside the tunnel
  • Configure the GRE tunnel to Site-C the same way, and remember that we encrypt the entire tunnel only between Site-A and Site-B, not to Site-C
  • After the GRE tunnels are established, configure IPsec and apply the IPsec profile to the tunnel interface with tunnel protection
  • Make sure the entire tunnel encrypts data



  • Assign the IP addresses as per the topology



SITE-A-router(config)#interface serial 4/0
SITE-A-router(config-if)#ip address 1.1.1.1 255.0.0.0
SITE-A-router(config-if)#no shutdown
SITE-A-router(config-if)#exit

SITE-A-router(config)#interface fastethernet 0/0
SITE-A-router(config-if)#ip address 10.1.1.1 255.0.0.0
SITE-A-router(config-if)#no shutdown
SITE-A-router(config-if)#exit

R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#ip address 3.3.3.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/2
R2(config-if)#ip address 4.4.4.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

SITE-B-router(config)#interface serial 4/1
SITE-B-router(config-if)#ip address 3.3.3.2 255.0.0.0
SITE-B-router(config-if)#no shutdown
SITE-B-router(config-if)#exit

SITE-B-router(config)#interface fastethernet 0/0
SITE-B-router(config-if)#ip address 30.1.1.1 255.0.0.0
SITE-B-router(config-if)#no keepalive
SITE-B-router(config-if)#no shutdown
SITE-B-router(config-if)#exit

SITE-C-router(config)#interface serial 4/2
SITE-C-router(config-if)#ip address 4.4.4.2 255.0.0.0
SITE-C-router(config-if)#no shutdown
SITE-C-router(config-if)#exit

SITE-C-router(config)#interface fastethernet 0/0
SITE-C-router(config-if)#ip address 40.1.1.1 255.0.0.0
SITE-C-router(config-if)#no keepalive
SITE-C-router(config-if)#no shutdown
SITE-C-router(config-if)#exit

  • Configure default route at Site-A, Site-B and Site-C


SITE-A-router(config)#ip route 0.0.0.0 0.0.0.0 serial 4/0

SITE-B-router(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1

SITE-C-router(config)#ip route 0.0.0.0 0.0.0.0 serial 4/2

  • Configure static routing on router 2, which is acting as the internet router


internet(config)#ip route 10.0.0.0 255.0.0.0 serial 4/0
internet(config)#ip route 30.0.0.0 255.0.0.0 serial 4/1
internet(config)#ip route 40.0.0.0 255.0.0.0 serial 4/2




SITE-A-router#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/0

SITE-B-router#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/1

SITE-C-router#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/2



  • Configure the GRE tunnel between Site-A and Site-B; the tunnel subnet will be 192.168.123.0/24


SITE-A-router(config)#interface tunnel 123
SITE-A-router(config-if)#ip address 192.168.123.1 255.255.255.0
SITE-A-router(config-if)#ip mtu 1400
SITE-A-router(config-if)#ip tcp adjust-mss 1360
SITE-A-router(config-if)#tunnel source 1.1.1.1
SITE-A-router(config-if)#tunnel destination 3.3.3.2
SITE-A-router(config-if)#exit

*Jan  5 14:54:33.579: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel124, changed state to up

SITE-B-router(config)#interface tunnel 123
SITE-B-router(config-if)#ip address 192.168.123.2 255.255.255.0
SITE-B-router(config-if)#ip mtu 1400
SITE-B-router(config-if)#ip tcp adjust-mss 1360
SITE-B-router(config-if)#tunnel source 3.3.3.2
SITE-B-router(config-if)#tunnel destination 1.1.1.1
SITE-B-router(config-if)#exit

*Jan  5 14:44:06.719: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel123,changed state to up


SITE-A-router#show ip interface brief | ex unass
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual down                  up
Serial4/0                  1.1.1.1         YES manual up                    up
Tunnel123                  192.168.123.1   YES manual up                    up
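The two MTU lines on the tunnel interface (ip mtu 1400 and ip tcp adjust-mss 1360) are there because GRE, and later ESP, add headers on top of every packet. The script below is an added example, not part of the original post, that works the overhead out; it assumes a 1500-byte link MTU, IPv4 without options, plain GRE, ESP in tunnel mode with a 96-bit truncated HMAC, and the editor's own header sizes.

```python
# Added example (not from the original post): how the GRE and IPsec ESP
# headers eat into a 1500-byte link MTU, and why 'ip mtu 1400' plus
# 'ip tcp adjust-mss 1360' keep the tunnel from fragmenting.
# Assumptions: IPv4 without options, plain GRE (no key/checksum/sequence),
# ESP in tunnel mode with a 96-bit truncated HMAC (SHA-1-96 or MD5-96).

IPV4_HEADER = 20   # delivery IPv4 header without options
GRE_HEADER = 4     # minimal GRE header
TCP_HEADER = 20    # TCP header without options
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)
ESP_ICV = 12       # HMAC-SHA1-96 / HMAC-MD5-96 integrity check value

# cipher name -> (IV length, block size), both in bytes
CIPHERS = {"aes": (16, 16), "3des": (8, 8)}


def gre_packet_size(inner_packet: int) -> int:
    """Bytes on the wire for a clear-text GRE tunnel carrying one IP packet.
    On a 1500-byte link this is why IOS defaults a GRE tunnel to MTU 1476."""
    return IPV4_HEADER + GRE_HEADER + inner_packet


def esp_tunnel_size(protected_packet: int, cipher: str = "aes") -> int:
    """Bytes on the wire for one packet protected by ESP in tunnel mode."""
    iv_len, block = CIPHERS[cipher]
    # ESP encrypts: protected packet + padding + trailer, rounded up to the
    # cipher block size; the IV and the ICV sit outside the encrypted region.
    plaintext = protected_packet + ESP_TRAILER
    padded = (plaintext + block - 1) // block * block
    return IPV4_HEADER + ESP_HEADER + iv_len + padded + ESP_ICV


def gre_over_ipsec_size(inner_packet: int, cipher: str = "aes") -> int:
    """GRE encapsulation first, then ESP tunnel mode around the GRE packet
    (the order that 'tunnel protection ipsec profile' produces)."""
    return esp_tunnel_size(gre_packet_size(inner_packet), cipher)


def mss_for_ip_mtu(ip_mtu: int) -> int:
    """Largest TCP payload that fits in an IP packet of ip_mtu bytes."""
    return ip_mtu - IPV4_HEADER - TCP_HEADER


def fits_link(size: int, link_mtu: int = 1500) -> bool:
    """True when the packet crosses the link without fragmentation."""
    return size <= link_mtu


if __name__ == "__main__":
    for inner in (1500, 1476, 1400):
        for cipher in CIPHERS:
            size = gre_over_ipsec_size(inner, cipher)
            verdict = "fits" if fits_link(size) else "FRAGMENTS on"
            print(f"inner {inner} bytes, GRE+ESP({cipher}): {size} bytes, "
                  f"{verdict} a 1500-byte link")
    print(f"ip mtu 1400 -> ip tcp adjust-mss {mss_for_ip_mtu(1400)}")
```

Note that the IOS default tunnel MTU of 1476 is enough for plain GRE but not once ESP is added, which is why the post lowers it to 1400 before enabling tunnel protection.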


  • Configure EIGRP on Site-A and Site-B and advertise the LAN networks and the tunnel subnet


SITE-A-router(config)#router eigrp 123
SITE-A-router(config-router)#network 10.0.0.0
SITE-A-router(config-router)#network 192.168.123.0
SITE-A-router(config-router)#no auto-summary
SITE-A-router(config-router)#exit

*Jan  5 14:45:42.327: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.2 (Tunnel123) is up: new adjacency

*Jan  5 14:45:54.175: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.2 (Tunnel123) is resync: peer graceful-restart


SITE-B-router(config)#router eigrp 123
SITE-B-router(config-router)#network 30.0.0.0
SITE-B-router(config-router)#network 192.168.123.0
SITE-B-router(config-router)#no auto-summary
SITE-B-router(config-router)#exit

*Jan  5 14:45:53.559: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.1 (Tunnel123) is resync: summary configured

*Jan  5 14:45:41.811: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.1 (Tunnel123) is up: new adjacency

SITE-A-router#ping 30.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/60/64 ms


  • Verify the tunnel with show commands and traceroute to make sure data travels inside the tunnel

SITE-A-router#traceroute 30.1.1.1

Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 192.168.123.2 56 msec 64 msec 56 msec



SITE-A-router#traceroute 40.1.1.1

Type escape sequence to abort.
Tracing the route to 40.1.1.1

  1 1.1.1.2 52 msec 32 msec 36 msec
  2 4.4.4.2 56 msec 64 msec 68 msec


  • Configure the GRE tunnel to Site-C the same way, and remember that we encrypt the entire tunnel only between Site-A and Site-B, not to Site-C


SITE-A-router(config)#interface tunnel 124
SITE-A-router(config-if)#ip address 192.168.124.1 255.255.255.0
SITE-A-router(config-if)#ip mtu 1400
SITE-A-router(config-if)#ip tcp adjust-mss 1360
SITE-A-router(config-if)#tunnel source 1.1.1.1
SITE-A-router(config-if)#tunnel destination 4.4.4.2
SITE-A-router(config-if)#exit

*Jan  5 19:52:36.575: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel124, changed state to up


SITE-C-router(config)#interface tunnel 124
SITE-C-router(config-if)#ip address 192.168.124.2 255.255.255.0
SITE-C-router(config-if)#ip mtu 1400
SITE-C-router(config-if)#ip tcp adjust-mss 1360
SITE-C-router(config-if)#tunnel source 4.4.4.2
SITE-C-router(config-if)#tunnel destination 1.1.1.1
SITE-C-router(config-if)#exit

*Jan  5 19:53:48.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel124, changed state to up

SITE-A-router(config)#router eigrp 123
SITE-A-router(config-router)#network 192.168.124.0
SITE-A-router(config-router)#exit

SITE-C-router(config)#router eigrp 123
SITE-C-router(config-router)#network 192.168.124.0
SITE-C-router(config-router)#network 40.0.0.0
SITE-C-router(config-router)#no auto-summary
SITE-C-router(config-router)#exit



SITE-A-router#show ip interface brief | exclude unass
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up
Serial4/0                  1.1.1.1         YES manual up                    up
Tunnel123                  192.168.123.1   YES manual up                    up
Tunnel124                  192.168.124.1   YES manual up                    up



SITE-A-router#traceroute 40.1.1.1

Type escape sequence to abort.
Tracing the route to 40.1.1.1
  1 192.168.124.2 72 msec 48 msec 56 msec

SITE-A-router#traceroute 30.1.1.1
Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 192.168.123.2 52 msec 56 msec 64 msec




How to configure IPsec tunnel over DMVPN?

Internetworks

In the previous sessions we discussed MPLS, DMVPN (basic to advanced), and IPsec. I am assuming you are familiar with these topics. In this section we are going to configure IPsec over DMVPN.


1. Introduction to MPLS
2. What is the MPLS Label Distribution Protocol (LDP)? How does LDP work?
3. How to configure MPLS LDP peering?
4. What is MPLS L3 VPN? How to configure it?
5. How to configure MPLS L3 VPN with RIPv2?
6. How to configure MPLS L3 VPN with EIGRP?
7. How to configure MPLS L3 VPN with OSPF?
8. What are OSPF sham links? How to configure OSPF sham links?





Let's see the configuration:

Topology:-








R1(config)#interface serial 4/0
R1(config-if)#ip address 12.1.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit



R2(config)#interface serial 4/0
R2(config-if)#ip address 12.1.1.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#ip address 23.1.1.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 20.1.1.1 255.255.255.0
R2(config-if)#no keepalive
R2(config-if)#exit

R2(config)#interface serial 4/2
R2(config-if)#ip address 24.1.1.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R3(config)#interface serial 4/1
R3(config-if)#ip address 23.1.1.2 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface loopback 0
R3(config-if)#ip address 192.168.30.1 255.255.255.0
R3(config-if)#exit

R3(config)#interface fastEthernet 0/0
R3(config-if)#ip address 30.1.1.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit


R4(config)#interface serial 4/2
R4(config-if)#ip address 24.1.1.2 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit

R4(config)#interface fastEthernet 0/0
R4(config-if)#ip address 40.1.1.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit

R4(config)#interface loopback 0
R4(config-if)#ip address 192.168.40.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit


R1(config)#ip route 0.0.0.0 0.0.0.0 12.1.1.2
R1(config)#exit

R2(config)#ip route 192.168.10.0 255.255.255.0 12.1.1.1
R2(config)#ip route 10.1.1.0 255.255.255.0 12.1.1.1
R2(config)#ip route 192.168.30.0 255.255.255.0 23.1.1.2
R2(config)#ip route 30.1.1.0 255.255.255.0 23.1.1.2
R2(config)#ip route 40.1.1.0 255.255.255.0 24.1.1.2
R2(config)#ip route 192.168.40.0 255.255.255.0 24.1.1.2
R2(config)#ip route 24.1.1.0 255.255.255.0 24.1.1.2
R2(config)#ip route 23.1.1.0 255.255.255.0 23.1.1.2
R2(config)#ip route 12.1.1.0 255.255.255.0 12.1.1.1
R2(config)#exit


R3(config)#ip route 0.0.0.0 0.0.0.0 23.1.1.1
R3(config)#exit 


R4(config)#ip route 0.0.0.0 0.0.0.0 24.1.1.1
R4(config)#exit


R1(config)#interface tunnel 4321
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#tunnel source 12.1.1.1
R1(config-if)#tunnel mode gre multipoint

*Oct 23 15:53:38.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4321, changed state to up

R1(config-if)#ip nhrp network-id 1
R1(config-if)#exit

R3(config)#interface tunnel 4321

*Oct 23 15:53:52.263: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4321, changed state to down

R3(config-if)#ip address 192.168.1.3 255.255.255.0
R3(config-if)#tunnel source 23.1.1.2
R3(config-if)#tunnel destination 12.1.1.1

*Oct 23 15:54:23.315: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4321, changed state to up

R3(config-if)#ip nhrp network-id 2
R3(config-if)#ip nhrp nhs 192.168.1.1
R3(config-if)#ip nhrp map 192.168.1.1 12.1.1.1
R3(config-if)#exit


R4(config)#interface tunnel 4321

*Oct 23 15:55:05.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4321, changed state to down

R4(config-if)#ip address 192.168.1.4 255.255.255.0
R4(config-if)#tunnel source 24.1.1.2
R4(config-if)#tunnel destination 12.1.1.1

*Oct 23 15:55:40.667: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4321, changed state to up

R4(config-if)#ip nhrp network-id 3
R4(config-if)#ip nhrp nhs 192.168.1.1
R4(config-if)#ip nhrp map 192.168.1.1 12.1.1.1
R4(config-if)#exit


R1(config)#interface tunnel 4321
R1(config-if)#ip nhrp map multicast dynamic
R1(config-if)#exit


R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
R1(config-router)#network 10.0.0.0 255.0.0.0 area 0
R1(config-router)#network 192.168.1.0 255.0.0.0 area 0
R1(config-router)#exit

R3(config)#router ospf 1
R3(config-router)#router-id 3.3.3.3
R3(config-router)#network 30.0.0.0 255.0.0.0 area 0
R3(config-router)#network 192.168.1.0 255.0.0.0 area 0
R3(config-router)#exit

R3(config)#interface tunnel 4321
R3(config-if)#ip ospf network point-to-multipoint
R3(config-if)#exit


R4(config)#router ospf 1
R4(config-router)#router-id 4.4.4.4
R4(config-router)#network 40.0.0.0 255.0.0.0 area 0
R4(config-router)#network 192.168.1.0 255.0.0.0 area 0
R4(config-router)#exit

R4(config)#interface tunnel 4321
R4(config-if)#ip ospf network point-to-multipoint
R4(config-if)#exit

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 5
R1(config-isakmp)#exit


R1(config)#crypto isakmp key 0 mpls123 address 0.0.0.0


R3(config)#crypto isakmp policy 10
R3(config-isakmp)#encryption aes
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 5
R3(config-isakmp)#exit


R3(config)#crypto isakmp key 0 mpls123 address 0.0.0.0


R4(config)#crypto isakmp policy 10
R4(config-isakmp)#encryption aes
R4(config-isakmp)#hash sha
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#group 5
R4(config-isakmp)#exit


{You can also bind the pre-shared key to each peer's specific address, as shown below, which limits who can authenticate with that key; with address 0.0.0.0 any peer that knows the key is accepted. In this lab we are using address 0.0.0.0.}


R1(config)#crypto isakmp key 0 mpls123 address 23.1.1.2
R1(config)#crypto isakmp key 0 mpls123 address 24.1.1.2

R3(config)#crypto isakmp key 0 mpls123 address 12.1.1.1
R3(config)#crypto isakmp key 0 mpls123 address 24.1.1.2


R4(config)#crypto isakmp key 0 mpls123 address 12.1.1.1
R4(config)#crypto isakmp key 0 mpls123 address 23.1.1.2



R4(config)#crypto isakmp key 0 mpls123 address 0.0.0.0


R1#
*Oct 23 16:08:14.239: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Tunnel4321 from LOADING to FULL, Loading Done
R1#
*Oct 23 16:08:23.587: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel4321 from LOADING to FULL, Loading Don 


R1(config)#crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#exit

R3(config)#crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
R3(cfg-crypto-trans)#exit

R4(config)#crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
R4(cfg-crypto-trans)#exit
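As an added example (not from the original post), the script below audits a running-config excerpt with the same settings as this lab and flags the choices a reviewer would question: 3DES and MD5-HMAC transforms are deprecated, DH group 5 (1536-bit MODP) is below the commonly recommended minimum of group 14, and a pre-shared key bound to address 0.0.0.0 authenticates any peer that knows the key. The config text and the thresholds are the editor's own constructions.

```python
# Added example (not from the original post): audit the IKE/IPsec settings
# configured above, in the form they appear in an IOS running-config.
# The config samples and the strength thresholds below are the editor's own.
import re

# Constructed sample mirroring R1's crypto configuration in this lab.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 5
crypto isakmp key 0 mpls123 address 0.0.0.0
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec profile INTERNETWORKS
 set transform-set MYSET
"""

# Constructed sample of the same configuration with stronger choices
# and the key scoped to the two spoke addresses.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 0 mpls123 address 23.1.1.2
crypto isakmp key 0 mpls123 address 24.1.1.2
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
 mode tunnel
"""

WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_ESP_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}
MIN_DH_GROUP = 14   # 2048-bit MODP; groups 1, 2 and 5 fall below this

# The key itself is deliberately not captured, only the peer address.
KEY_LINE = re.compile(r"crypto isakmp key (?:\d \S+|\S+) address (\S+)")
TRANSFORM_LINE = re.compile(r"crypto ipsec transform-set (\S+) (.+)")


def audit(config: str) -> list:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    findings = []
    policy = None   # number of the 'crypto isakmp policy' block we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            policy = None   # a top-level line ends the policy sub-mode
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            policy = m.group(1)
        elif policy is not None:
            if (m := re.match(r"encr(?:yption)? (\S+)", line)) and \
                    m.group(1) in WEAK_IKE_ENCRYPTION:
                findings.append(f"isakmp policy {policy}: weak IKE encryption {m.group(1)}")
            elif (m := re.match(r"hash (\S+)", line)) and m.group(1) in WEAK_IKE_HASH:
                findings.append(f"isakmp policy {policy}: weak IKE hash {m.group(1)}")
            elif (m := re.match(r"group (\d+)", line)) and int(m.group(1)) < MIN_DH_GROUP:
                findings.append(f"isakmp policy {policy}: DH group {m.group(1)} "
                                f"is below group {MIN_DH_GROUP}")
        elif (m := KEY_LINE.match(line)) and m.group(1) == "0.0.0.0":
            findings.append("isakmp key: address 0.0.0.0 accepts any peer that knows the PSK")
        elif m := TRANSFORM_LINE.match(line):
            name, transforms = m.group(1), m.group(2).split()
            for t in transforms:
                if t in WEAK_ESP_TRANSFORMS:
                    findings.append(f"transform-set {name}: weak transform {t}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab config", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```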



R1(config)#crypto ipsec profile INTERNETWORKS
R1(ipsec-profile)#set transform-set MYSET
R1(ipsec-profile)#exit


R1(config)#interface tunnel 4321
R1(config-if)#tunnel protection ipsec profile INTERNETWORKS
R1(config-if)#exit

*Oct 23 16:12:45.259: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON



R3(config)#crypto ipsec profile INTERNETWORKS
R3(ipsec-profile)#set transform-set MYSET
R3(ipsec-profile)#exit


R3(config)#interface tunnel 4321
R3(config-if)#tunnel protection ipsec profile INTERNETWORKS
R3(config-if)#exit

*Oct 23 16:12:45.259: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON



R4(config)#crypto ipsec profile INTERNETWORKS
R4(ipsec-profile)#set transform-set MYSET
R4(ipsec-profile)#exit


R4(config)#interface tunnel 4321
R4(config-if)#tunnel protection ipsec profile INTERNETWORKS
R4(config-if)#exit

*Oct 23 16:12:45.259: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


R1#show crypto session
Crypto session current status

Interface: Tunnel4321
Session status: UP-ACTIVE
Peer: 24.1.1.2 port 500
  IKEv1 SA: local 12.1.1.1/500 remote 24.1.1.2/500 Active
  IPSEC FLOW: permit 47 host 12.1.1.1 host 24.1.1.2
        Active SAs: 4, origin: crypto map

Interface: Tunnel4321
Session status: UP-ACTIVE
Peer: 23.1.1.2 port 500
  IKEv1 SA: local 12.1.1.1/500 remote 23.1.1.2/500 Active
  IPSEC FLOW: permit 47 host 12.1.1.1 host 23.1.1.2
        Active SAs: 4, origin: crypto map

R3#show crypto session
Crypto session current status

Interface: Tunnel4321
Session status: UP-ACTIVE
Peer: 12.1.1.1 port 500
  IKEv1 SA: local 23.1.1.2/500 remote 12.1.1.1/500 Active
  IPSEC FLOW: permit 47 host 23.1.1.2 host 12.1.1.1
        Active SAs: 4, origin: crypto map


R4#show crypto session
Crypto session current status

Interface: Tunnel4321
Session status: UP-ACTIVE
Peer: 12.1.1.1 port 500
  IKEv1 SA: local 24.1.1.2/500 remote 12.1.1.1/500 Active
  IPSEC FLOW: permit 47 host 24.1.1.2 host 12.1.1.1
        Active SAs: 4, origin: crypto map


R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel4321, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 23.1.1.2            192.168.1.3    UP 01:34:52     D
     1 24.1.1.2            192.168.1.4    UP 01:33:09     D


R3#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel4321, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 12.1.1.1            192.168.1.1    UP 00:46:35     S


R4#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel4321, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 12.1.1.1            192.168.1.1    UP 00:46:45     S

R1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set MYSET: { esp-3des esp-md5-hmac  }
   will negotiate = { Tunnel,  },

R3#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set MYSET: { esp-3des esp-md5-hmac  }
   will negotiate = { Tunnel,  },

R4#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set MYSET: { esp-3des esp-md5-hmac  }
   will negotiate = { Tunnel,  },


R1#ping 192.168.1.3 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/65/88 ms

R1#ping 192.168.1.4 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/69/112 ms

R4#ping 192.168.1.1 source 40.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 40.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/67/92 ms

R4#ping 192.168.1.3 source 40.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
Packet sent with a source address of 40.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/79/84 ms


R1#show crypto ipsec profile
IPSEC profile INTERNETWORKS
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                MYSET:  { esp-3des esp-md5-hmac  } ,
        }

IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

R3#show crypto ipsec profile
IPSEC profile INTERNETWORKS
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                MYSET:  { esp-3des esp-md5-hmac  } ,
        }

IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }



R4#show crypto ipsec profile
IPSEC profile INTERNETWORKS
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                MYSET:  { esp-3des esp-md5-hmac  } ,
        }

IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }


 


 




What is IKE (Internet Key Exchange)? How to configure IPSec site-to-site?

Internetworks

IKE (Internet Key Exchange) Phase 1

The purpose of IKE phase 1 is to establish a secure, authenticated channel for IKE phase 2 (the IPsec negotiation). Let's understand phase 1 in steps.

Step 1: Negotiation

The peer that has traffic it wants to protect initiates the IKE phase 1 negotiation. The peers negotiate the following:

  • Hashing: the peers use a hashing algorithm, MD5 or SHA, to verify integrity.
  • Authentication: each peer has to prove its identity; this is done with pre-shared keys or digital certificates.
  • DH (Diffie-Hellman) group: the DH group determines how strong the key is and is used in the key exchange. A higher group number means a stronger key, but it takes longer to compute.
  • Lifetime: how long the IKE phase 1 tunnel stays up. A shorter lifetime is more secure, because rebuilding the tunnel also means fresh keying material. Each vendor uses a different default lifetime; a default value is 86400 seconds (1 day).
  • Encryption: the algorithm used for encryption, DES, 3DES, or AES.


Step 2: DH Key Exchange

After the negotiation completes, both peers know which policy to use. They then run the DH exchange using the agreed group to exchange keying material, and the end result is that both peers hold the same shared key.

Step 3: Authentication

In this step, both peers authenticate each other with the authentication method they agreed on during the negotiation. Once authentication succeeds, the IKE phase 1 tunnel is complete and both peers can send and receive over it.

The three steps above can be completed using two different modes:

  • Main mode
  • Aggressive mode 


IKE Phase 2

IKE phase 2, the IPsec tunnel, is used to protect user data. In IKE phase 2 there is only one mode for building the IPsec tunnel, called quick mode.

Just as in IKE phase 1, the IKE phase 2 (IPsec) peers negotiate a set of parameters:

  • IPsec protocol: AH or ESP.
  • Encapsulation mode: transport or tunnel mode.
  • Encryption: which encryption algorithm, DES, 3DES, or AES.
  • Authentication: which authentication algorithm, MD5 or SHA.
  • Lifetime: how long the IKE phase 2 tunnel is valid. When the tunnel is about to expire, the keying material is refreshed.

(Optional) DH exchange: used for PFS (Perfect Forward Secrecy).

IPsec Protocols

AH and ESP are the two protocols we use to protect user data. Both can be used in transport or tunnel mode; let's see all the possible options.

Authentication Header Protocol

AH offers authentication and integrity, which is good, but it doesn't provide any encryption. AH protects the IP packet by calculating a hash value over almost all fields in the IP header; the fields it excludes are the ones that change in transit (TTL and header checksum).

Transport Mode

Transport mode is very simple: it just adds an AH header right after the IP header. Here's an example of an IP packet that carries some TCP traffic:



Tunnel Mode

In tunnel mode, we add a new IP header on top of the original IP packet. This is useful when you use private IP addresses and need to tunnel your traffic over the Internet. Yes, we can use AH for this, but it doesn't provide encryption.


In simple words, IPsec uses three main protocols to build its security framework:

  • ESP (Encapsulating Security Payload) provides encryption, authentication, and integrity for the data.
  • AH (Authentication Header) provides authentication and integrity for the data, but no encryption.
  • IKE (Internet Key Exchange) provides the framework for negotiating security parameters and establishing authenticated keys.







Let's take a look at our topology: 

Goal:
  • configure a site-to-site VPN
  • configure IPsec VPN on router 1 and router 2
  • enable an IKE policy on both routers
  • verify the site-to-site IPsec VPN
  • test the IPsec VPN
  • configure pre-shared keys as the authentication type
  • use AES 256 encryption, the SHA hash algorithm, and DH group 3 key exchange
  • configure a lifetime of one hour



    R1(config)#interface serial 4/0
    R1(config-if)#ip address 1.1.1.1 255.0.0.0
    R1(config-if)#no shutdown
    R1(config-if)#interface fastethernet 0/0
    R1(config-if)#ip address 10.1.1.1 255.0.0.0
    R1(config-if)#no shutdown
    R1(config-if)#no keepalive
    R1(config-if)#exit

    R1(config)#interface loopback 0
    R1(config-if)#ip address 192.168.10.1 255.255.255.0
    R1(config-if)#no shutdown
    R1(config-if)#exit


    R2(config-if)#interface serial 4/1
    R2(config-if)#ip address 3.3.3.1 255.0.0.0
    R2(config-if)#no shutdown

    R2(config-if)#interface serial 4/2
    R2(config-if)#ip address 4.4.4.1 255.0.0.0
    R2(config-if)#no shutdown


    R3(config)#interface serial 4/1
    R3(config-if)#ip address 3.3.3.2 255.0.0.0
    R3(config-if)#no shutdown

    R3(config-if)#interface fastethernet 0/0
    R3(config-if)#ip address 30.1.1.1 255.0.0.0
    R3(config-if)#no shutdown
    R3(config-if)#no keepalive
    R3(config-if)#exit

    R1(config)#ip route 0.0.0.0 0.0.0.0 serial 4/0
    R1(config)#exit


    R2(config)#ip route 1.0.0.0 255.0.0.0 serial 4/0
    R2(config)#ip route 10.0.0.0 255.0.0.0 serial 4/0
    R2(config)#ip route 30.0.0.0 255.0.0.0 serial 4/1
    R2(config)#ip route 3.0.0.0 255.0.0.0 serial 4/1
    R2(config)#ip route 4.0.0.0 255.0.0.0 serial 4/2
    R2(config)#ip route 40.0.0.0 255.0.0.0 serial 4/2
    R2(config)#exit


    R3(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1
    R3(config)#exit

    R1#ping 30.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 72/92/156 ms

    R3#ping 10.0.0.0

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.0.0.0, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 52/56/60 ms

    R1(config)#access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255


    R1(config)#crypto isakmp enable

    R2(config)#crypto isakmp enable

    R1(config)#crypto isakmp policy 10

    R1(config-isakmp)#authentication pre-share

    R1(config-isakmp)#encryption aes 256

    R1(config-isakmp)#hash sha

    R1(config-isakmp)#group 3

    R1(config-isakmp)#lifetime 3600

    R1(config-isakmp)#end


    R3(config)#crypto isakmp enable

    R3(config)#crypto isakmp policy 10

    R3(config-isakmp)#authentication pre-share

    R3(config-isakmp)#encryption aes ?

      128  128 bit keys.

      192  192 bit keys.

      256  256 bit keys.

      <cr>

     

    R3(config-isakmp)#encryption aes 256

    R3(config-isakmp)#hash sha?

    sha  sha256  sha384  sha512

     

    R3(config-isakmp)#hash sha

    R3(config-isakmp)#group 3

    R3(config-isakmp)#lifetime 3600


    R3(config-isakmp)#do show crypto isakmp policy

     

    Global IKE policy

    Protection suite of priority 10

            encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).

            hash algorithm:         Secure Hash Standard

            authentication method:  Pre-Shared Key

            Diffie-Hellman group:   #3 (1536 bit)

            lifetime:               3600 seconds, no volume limit


    R1(config)#crypto isakmp key 0 cisco123 address 2.2.2.2


    R3(config-isakmp)#crypto isakmp key 0 cisco123 address 1.1.1.1

    R1(config)#crypto ipsec transform-set ip_set esp-aes 256 esp-sha-hmac

    R3(config)#crypto ipsec transform-set ip_set esp-aes 256 esp-sha-hmac

    R3(cfg-crypto-trans)#exit

    R1(config)#crypto map CRMAP 10 ipsec-isakmp

    % NOTE: This new crypto map will remain disabled until a peer

            and a valid access list have been configured.

    R1(config-crypto-map)#match address 100

    R1(config-crypto-map)#set peer 2.2.2.2

    R1(config-crypto-map)#set transform-set ip_set

    R1(config-crypto-map)#exit


    R1(config)#interface serial 4/0

    R1(config-if)#crypto map CRMAP

    *Jul 30 14:16:13.923: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

    R1(config-if)#END

    R3(config)#crypto map CRMAP 10 ipsec-isakmp

    % NOTE: This new crypto map will remain disabled until a peer

            and a valid access list have been configured.

    R3(config-crypto-map)#match address 100

    R3(config-crypto-map)#set peer 1.1.1.1

    R3(config-crypto-map)#set transform-set ip_set

    R3(config-crypto-map)#end

    R3(config)#interface serial 4/1

    R3(config-if)#crypto map CRMAP


    R1#show crypto ipsec transform-set

    Transform set default: { esp-aes esp-sha-hmac  }

       will negotiate = { Transport,  },

     

    Transform set ip_set: { esp-256-aes esp-sha-hmac  }

       will negotiate = { Tunnel,  },


    R3(config)#do show crypto ipsec transform-set

    Transform set default: { esp-aes esp-sha-hmac  }

       will negotiate = { Transport,  },

     

    Transform set ip_set: { esp-256-aes esp-sha-hmac  }

       will negotiate = { Tunnel,  },

     

    R1#show crypto map

    Crypto Map IPv4 "CRMAP" 10 ipsec-isakmp

            Peer = 2.2.2.2

            Extended IP access list 100

                access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255

            Current peer: 2.2.2.2

            Security association lifetime: 4608000 kilobytes/3600 seconds

            Responder-Only (Y/N): N

            PFS (Y/N): N

            Transform sets={

                    ip_set:  { esp-256-aes esp-sha-hmac  } ,

            }

            Interfaces using crypto map CRMAP:

                    Serial4/0
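The crypto ACL referenced by the crypto map on R1 must be matched by an exact mirror image on R3 (source and destination swapped); a mismatch is one of the most common reasons a site-to-site tunnel never negotiates or only works in one direction. The checker below is an added example, not from the original post; the ACL text is constructed for this lab and only permit ip entries with address/wildcard pairs are parsed.

```python
# Added example (not from the original post): verify that the crypto ACLs of
# two site-to-site peers mirror each other (every src->dst entry on R1
# appears as dst->src on R3). Handles 'permit ip <addr> <wc> <addr> <wc>'
# entries with contiguous wildcards; other entry forms are ignored.
import ipaddress
import re

ENTRY = re.compile(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")

# Constructed ACLs for this lab: R1 protects 192.168.10.0/24 -> 192.168.30.0/24.
R1_ACL = "access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255"
# R3's ACL as it should be: the exact mirror of R1's entry.
R3_ACL_OK = "access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255"
# A mistyped R3 ACL (constructed) that points at the wrong remote subnet.
R3_ACL_BAD = "access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255"


def to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS address/wildcard pair into a network with host bits zeroed,
    the way IOS stores the entry. Non-contiguous wildcards raise ValueError."""
    wild = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(~wild & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_acl(text: str) -> set:
    """Set of (source, destination) network pairs from an extended ACL."""
    pairs = set()
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            _, src, src_wc, dst, dst_wc = m.groups()
            pairs.add((to_network(src, src_wc), to_network(dst, dst_wc)))
    return pairs


def mirror(pairs: set) -> set:
    """The entries the other peer must carry: source and destination swapped."""
    return {(dst, src) for src, dst in pairs}


def fmt(pair) -> str:
    return f"{pair[0]} -> {pair[1]}"


def check_mirror(local_acl: str, remote_acl: str) -> dict:
    """Compare the remote ACL with the mirror image of the local one."""
    expected = mirror(parse_acl(local_acl))
    actual = parse_acl(remote_acl)
    return {
        "missing_on_remote": sorted(fmt(p) for p in expected - actual),
        "unexpected_on_remote": sorted(fmt(p) for p in actual - expected),
    }


def is_mirror(local_acl: str, remote_acl: str) -> bool:
    result = check_mirror(local_acl, remote_acl)
    return not result["missing_on_remote"] and not result["unexpected_on_remote"]


if __name__ == "__main__":
    print("R1 vs correct R3 ACL:", check_mirror(R1_ACL, R3_ACL_OK))
    print("R1 vs mistyped R3 ACL:", check_mirror(R1_ACL, R3_ACL_BAD))
```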

    R1#ping 2.2.2.2 source 10.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

    Packet sent with a source address of 10.1.1.1

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 56/109/208 ms

    R1#ping 192.168.30.1 source 1.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:

    Packet sent with a source address of 1.1.1.1

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 52/68/88 ms