Application Note 45. Main Mode IPSec VPN from Digi WR44 to a Cisco Using GRE over IPSec with the Cisco configured for VTI. UK Support June 2011

Transcription

1 Application Note 45 Main Mode IPSec VPN from Digi WR44 to a Cisco Using GRE over IPSec with the Cisco configured for VTI UK Support June

2 Contents 1 Introduction Outline Assumptions Corrections Version Scenario Configure the Cisco. IPSec Responder Configure the default route and enable NAT on the WAN interface Configure IPSec phase 1 parameters and pre-shared key Configure IPSec phase 2 parameters Configure the VTI tunnel interface Add a route to the remote LAN subnet via Tunnel Exit global config mode and save the configuration Configure the WR44. IPSec Initiator Configure the Ethernet interfaces Configure the default route Configure IPSec phase 1 parameters Configure the Pre-shared key Configure phase Configure the GRE tunnel Save the configuration Confirm IPSec & GRE is up and ping test the connection Using the Digi WR Using the Cisco Firmware versions Digi TransPort WR Cisco Configuration Files Digi Transport WR Cisco

3 1 INTRODUCTION 1.1 Outline This document describes how to configure a GRE tunnel within an IPSec tunnel to secure communications between a Digi TransPort router and a Cisco router configured with Virtual Tunnel Interfaces (VTI). The GRE tunnel provides a point-to-point link between the routers that can be used by routing protocols as well as for transferring regular data. The Cisco VTI configuration is an updated and simpler method of creating GRE over IPSec VPNs on Cisco routers. There are two types of VTI interfaces: static VTIs (SVTIs) and dynamic VTIs (DVTIs). This example will use SVTIs. UVTI information from Cisco s website Benefits of Using IPsec Virtual Tunnel Interfaces instead of Crypto Map IPsec VTIs allow you to configure a virtual interface to which you can apply features. Features for clear-text packets are configured on the VTI. Features for encrypted packets are applied on the physical outside interface. When IPsec VTIs are used, you can separate the application of features such as NAT, ACLs, and QoS and apply them to clear-text or encrypted text, or both. When crypto maps are used, there is no simple way to apply encryption features to the IPsec tunnel. 1.2 Assumptions This guide has been written for use by technically competent personnel with a good understanding of the communications technologies used in the product, and of the requirements for their specific application. Configuration: This Application Note assumes the devices are set to their factory default configurations. Most configuration commands are only shown if they differ from the factory default. This application note applies to; Models shown: Digi TransPort WR44 router and Cisco 3745 router. Other Compatible Models: All other Digi Transport products. Firmware versions: Digi 5130 or newer. Cisco 12.4 or newer. 1.3 Corrections Requests for corrections or amendments to this application note are welcome and should be addressed to: Uuksupport@digi.com U Requests for new application notes can be sent to the same address. 1.4 Version Version Number Status 1.0 Published 1.1 Updated for new GUI 3

4 2 SCENARIO For the purposes of this application note, the following scenario will be used. The IPSec VPN is a Main mode configuration. The Cisco 3745 is the IPSec responder. The Digi WR44 is the IPSec initiator. The IP addressing used is as follows: Digi WR44 WAN = Eth 0 = /24 LAN = Eth 1 = /24 GRE = Tun 0 = /30 Cisco 3745 WAN = Fa0/0 = /24 LAN = Fa0/1 = /24 GRE = Tun0 = /30 IPSec parameters: IPSec Type: Main mode Phase 1 Encryption algorithm: Three key triple DES Hash algorithm: Secure Hash Standard (SHA1) Authentication method: Pre-Shared Key Diffie-Hellman group: #2 (1024 bit) Lifetime: seconds, no volume limit Pre-shared key: Phase 2 Encryption algorithm: Hash algorithm: Mode: DH group: Lifetime: Cisco12345 Three key triple DES Secure Hash Standard (SHA1) Tunnel mode No PFS 3600 seconds, no volume limit 4

5 3 CONFIGURE THE CISCO. IPSEC RESPONDER Configure the Ethernet interfaces, Console port and hostname From the Cisco console port configure the Ethernet interfaces with the addressing shown in Section 2. Set the Console port exec-timeout and the hostname. The relevant Cisco config from sh run should be: hostname Cisco interface FastEthernet0/0 description WAN ip address speed auto full-duplex interface FastEthernet0/1 description LAN ip address speed auto full-duplex line con 0 exec-timeout

6 3.2 Configure the default route and enable NAT on the WAN interface The relevant Cisco config from sh run should be: interface FastEthernet0/0 description WAN ip address ip nat outside duplex auto speed auto interface FastEthernet0/1 description LAN ip address ip nat inside duplex auto speed auto ip route ip nat inside source list 1 interface FastEthernet0/0 overload access-list 1 permit Configure IPSec phase 1 parameters and pre-shared key Create an ISAKMP policy and give it is priority of 1. Set 3DES encryption, the authentication mode as pre-shared keys & the DH group to 2. Set the pre-shared key as Cisco12345 for all remote devices. The relevant Cisco config from sh run should be: crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key Cisco12345 address

7 The phase 1 policy can be confirmed: 3.4 Configure IPSec phase 2 parameters Create a transform set named T1 and enable 3DES & SHA1 Create an IPSec profile named P1 Link the transform set T1 to the IPSec profile P1 The relevant Cisco config from sh run should be: crypto ipsec transform-set T1 esp-3des esp-sha-hmac crypto ipsec profile P1 set transform-set T1 The phase 2 transform set can be confirmed: 3.5 Configure the VTI tunnel interface Create the Tunnel 0 interface. Set the IP address Enable Keep-alives for every 3 seconds and set to show link as down after 3 failures. Set the load check interval to 30 seconds Set the tunnel source & destination Link the IPSec profile P1 to this tunnel so that traffic is encrypted. 7

8 Take note that the Cisco source and destination addressing on the IPSec tunnel uses WAN interface addresses rather than private addressing as seen on regular Digi GRE / IPSec configurations. The GRE addressing does however use a regular 30 bit mask to create a point to point link. The relevant Cisco config from sh run should be: interface Tunnel0 ip address ip ospf mtu-ignore load-interval 30 keepalive 3 3 tunnel source tunnel destination tunnel protection ipsec profile P1 Confirm the mode of the tunnel is GRE / IP If the tunnel is showing anything other than GRE / IP, use the following commands to set the tunnel mode correctly: interface Tunnel0 tunnel mode gre ip 3.6 Add a route to the remote LAN subnet via Tunnel 0 Add a route so that /24 is directed via Tun0 8

9 3.7 Exit global config mode and save the configuration 9

10 4 CONFIGURE THE WR44. IPSEC INITIATOR 4.1 Configure the Ethernet interfaces Ethernet 0 The WAN interface Browse to Configuration - Network > Interfaces > Ethernet > ETH 0 Set the Description, IP address & Mask. Click Advanced and enable NAT & IPsec. Configuration - Network > Interfaces > Ethernet > ETH 0 > Advanced Parameter Setting Description Description WAN Friendly name for this interface IP address IP address Mask Subnet mask 10

11 Enable NAT on this interface Enable IPsec on this interface Ticked and IP address selected Ticked Enables NAT on this interface Enables IPSec on this interface Ethernet 1 The LAN interface. Browse to Configuration - Network > Interfaces > Ethernet > ETH 1 Set the Description and IP address. NAT and IPSec should remain disabled. Parameter Setting Description Description LAN Friendly name for this interface IP address IP address Mask Subnet mask 4.2 Configure the default route Browse to Configuration - Network > IP Routing/Forwarding > Static Routes > Default Route 0 Set the Description, Gateway IP address and exit interface. Parameter Setting Description Description Default Route via Eth 0 Friendly name for this interface Gateway IP address of the next hop router Interface Ethernet 0 Exit interface 4.3 Configure IPSec phase 1 parameters Browse to Configuration - Network > Virtual Private Networking (VPN) > IPsec > IKE > IKE 0 These parameters must match the Cisco phase 1 parameters. 11

12 Parameter Setting Description Encryption 3DES Use 3DES encryption Authentication SHA1 Use SHA1 authentication MODP Group for Phase 1 2 (1024) Use DH group 2 Renegotiate after 24 Phase 1 lifetime in hours 4.4 Configure the Pre-shared key Browse to the next available unused User in the user table. In this example, this is User 2. The name is the IP address of the IPSec peer. This is what will be sent from the Cisco for its authentication. The Password is the Pre-shared key. Access level should be set to None, so if anyone knows these credentials, they cannot access the router for configuration or management. Browse to Configuration - Security > Users > User 0-9 > User 2 Parameter Setting Description Name IP address of IPSec Peer (Cisco WAN address) Password Cisco12345 Pre-shared key Confirm Password Cisco12345 Pre-shared key Access Level None No access to router management for this user 4.5 Configure phase 2 Browse to Configuration - Network > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels > IPsec 0 These parameters must match the Cisco phase 2 parameters. 12

13 Parameter Setting Description Description IPSec to Cisco Friendly name for this VPN The IP address or hostname of the IPSec peer IP address (Cisco WAN address) remote unit Local LAN Use these settings for the local LAN Use the specified settings below IP Address Local IPSec endpoint (WR44 WAN address) Mask Local IPSec endpoint mask (Must be /32) Remote LAN Use these settings for the remote LAN Use the specified settings below IP Address Remote IPSec endpoint (Cisco WAN address) Mask Remote IPSec endpoint mask (Must be /32) Use the following security on this tunnel Preshared Keys Use Preshared keys for authentication between routers Our ID Local router IPSec ID (WR44 WAN address) Our ID type IPv4 Address Type of IDs used. IPv4 addresses. 13

14 Remote ID IPSec peer ID (Cisco WAN address) Use x encryption on this tunnel 3DES Use 3DES encryption Use x authentication on this tunnel SHA1 Use SHA1 authentication Bring this tunnel up If the tunnel is down and a packet is ready to be sent Renew the tunnel after All the time Bring the tunnel up 1 hrs / KBytes Create SAs, but only if there is a valid route and interface to create the IPSec tunnel on. If there is no IPSec SA, use IKE to create one. Lifetime of phase 2 SA in seconds / Lifetime of phase 2 SA in kilobytes 4.6 Configure the GRE tunnel This is the Digi TransPort end of the point to point GRE tunnel. Configure the tunnel IP address, and source and destination. Note that the source and destination addresses are the WAN interface addresses of the 2 routers. Browse to Configuration - Network > Interfaces > GRE > Tunnel 0 14 Parameter Setting Description Description GRE to Cisco Friendly name for this interface IP address GRE local endpoint IP address Mask GRE local endpoint subnet mask Source IP Address Use IP Address / Source IP address of this tunnel (WR44 WAN interface) Destination IP Address or Hostname Destination IP address of this tunnel (Cisco WAN interface) Enable keepalives on this GRE tunnel Ticked Enables GRE keepalives Send a keepalive 3 Sends 1 keepalive every 3 seconds

15 every x seconds Bring this GRE tunnel down after no replies to x keepalives 3 If 3 keepalive packets fail, the tunnel is marked as down 4.7 Save the configuration Browse to Administration - Save configuration Save the configuration to profile 0, the default power up config. 15

16 5 CONFIRM IPSEC & GRE IS UP AND PING TEST THE CONNECTION. 5.1 Using the Digi WR Check the IPSec SA status Browse to Management - Connections > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels Check the GRE tunnel status Browse to Management - Network Status > Interfaces > GRE Ping an IP address on the Cisco LAN subnet Browse to Administration - Execute a command 16

17 17

18 5.2 Using the Cisco Check the IPSec SA status Check the GRE tunnel status 18

19 5.2.3 Ping an IP address on the Cisco LAN subnet 6 FIRMWARE VERSIONS 6.1 Digi TransPort WR44 Digi TransPort WR44-HX00-WE1-XX Ser#: HW Revision: 7902a Software Build Ver5130. Jun :33:02 SW ARM Bios Ver 6.06 v39 400MHz B512-M512-F80-O80001,2 MAC:00042d Power Up Profile: 0 Async Driver Revision: 1.19 Int clk IX Revision: 1.0 Ethernet Hub Driver Revision: 1.11 Firewall Revision: 1.0 EventEdit Revision: 1.0 Timer Module Revision: 1.1 (B)USBHOST Revision: 1.0 L2TP Revision: 1.10 PPTP Revision: 1.00 TACPLUS Revision: 1.00 MODBUS Revision: 0.00 LAPB Revision: 1.12 X25 Layer Revision: 1.19 MACRO Revision: 1.0 PAD Revision: 1.4 X25 Switch Revision: 1.7 V120 Revision: 1.16 TPAD Interface Revision: 1.12 GPS Revision: 1.0 SCRIBATSK Revision: 1.0 BASTSK Revision: 1.0 PYTHON Revision: 1.0 ARM Sync Driver Revision: 1.18 TCP (HASH mode) Revision: 1.14 TCP Utils Revision: 1.13 PPP Revision: 1.19 WEB Revision: 1.5 SMTP Revision: 1.1 FTP Client Revision: 1.5 FTP Revision: 1.4 IKE Revision: 1.0 PollANS Revision: 1.2 PPPOE Revision: 1.0 BRIDGE Revision: 1.1 MODEM CC (Ericsson 3G) Revision: 1.4 FLASH Write Revision: 1.2 Command Interpreter Revision: 1.38 SSLCLI Revision: 1.0 OSPF Revision: 1.0 BGP Revision: 1.0 QOS Revision: 1.0 RADIUS Client Revision: 1.0 SSH Server Revision: 1.0 SCP Revision: 1.0 CERT Revision:

20 LowPrio Revision: 1.0 Tunnel Revision: 1.2 QDL Revision: 1.0 Wi-Fi Revision: 2.0 idigi Revision: 1.0 OK 6.2 Cisco 3745 Cisco#sh ver Cisco Internetwork Operating System Software IOS (tm) 3700 Software (C3745-ADVIPSERVICESK9-M), Version 12.3(24), RELEASE SOFTWARE (fc4) Technical Support: Copyright (c) by cisco Systems, Inc. Compiled Thu 18-Oct-07 18:22 by stshen Image text-base: 0x60008AF4, data-base: 0x61F80000 ROM: ROMMON Emulation Microcode ROM: 3700 Software (C3745-ADVIPSERVICESK9-M), Version 12.3(24), RELEASE SOFTWARE (fc4) Cisco uptime is 24 minutes System returned to ROM by unknown reload cause - suspect boot_data[boot_count] 0x0, BOOT_COUNT 0, BOOTDATA 19 System image file is "tftp:// /unknown" This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: If you require further assistance please contact us by sending to export@cisco.com. cisco 3745 (R7000) processor (revision 2.0) with K/10240K bytes of memory. Processor board ID XXXXXXXXXXX R7000 CPU at 100MHz, Implementation 39, Rev 2.1, 256KB L2, 512KB L3 Cache Bridging software. X.25 software, Version FastEthernet/IEEE interface(s) DRAM configuration is 64 bits wide with parity enabled. 151K bytes of non-volatile configuration memory K bytes of ATA System CompactFlash (Read/Write) Configuration register is 0x2102 Cisco# 20

21 7 CONFIGURATION FILES 7.1 Digi Transport WR44 config c show eth 0 descr "WAN" eth 0 IPaddr " " eth 0 ipsec 1 eth 0 ipanon ON eth 1 descr "LAN" eth 1 IPaddr " " eth 1 ipanon ON eth 2 IPaddr " " eth 2 mask " " lapb 0 ans OFF lapb 0 tinact 120 lapb 1 tinact 120 lapb 3 dtemode 0 lapb 4 dtemode 0 lapb 5 dtemode 0 lapb 6 dtemode 0 ip 0 cidr ON route 0 IPaddr " " route 0 ll_ent "tun" def_route 0 ll_ent "ppp" def_route 0 ll_add 1 eroute 0 peerip " " eroute 0 peerid " " eroute 0 ourid " " eroute 0 locip " " eroute 0 locmsk " " eroute 0 remip " " eroute 0 remmsk " " eroute 0 ESPauth "SHA1" eroute 0 ESPenc "MD5" eroute 0 ltime 3600 eroute 0 authmeth "PRESHARED" eroute 0 nosa "TRY" eroute 0 autosa 1 dhcp 0 IPmin " " dhcp 0 mask " " dhcp 0 gateway " " dhcp 0 DNS " " dhcp 0 respdelms 500 dyndns 0 epassword "atfwsbfeffecsri=" ppp 0 timeout 300 ppp 1 r_chap OFF ppp 1 IPaddr " " ppp 1 phonenum "*98*1#" ppp 1 name "W-WAN (HSPA 3G)" ppp 1 timeout 0 ppp 1 use_modem 1 ppp 3 defpak 16 ppp 4 defpak 16 ike 0 encalg "3DES" ike 0 authalg "SHA1" ike 0 ltime ike 0 ikegroup 2 ike 0 deblevel 4 modemcc 0 info_asy_add 6 modemcc 0 init_str "+CGQREQ=1" modemcc 0 init_str1 "+CGQMIN=1" 21

22 modemcc 0 apn "Your.APN.goes.here" modemcc 0 sms_interval 1 modemcc 0 sms_access 1 modemcc 0 sms_concat 0 modemcc 0 init_str_2 "+CGQREQ=1" modemcc 0 init_str1_2 "+CGQMIN=1" modemcc 0 apn_2 "Your.APN.goes.here" modemcc 0 link_retries_2 10 modemcc 0 stat_retries_2 30 ana 0 anon ON ana 0 l2on OFF ana 0 xoton OFF ana 0 lapdon 0 ana 0 lapbon 0 ana 0 ipfilt "23,80" ana 0 logsize 45 cmd 0 unitid "ss%s>" cmd 0 cmdnua "99" cmd 0 hostname "digi.router" cmd 0 asyled_mode 2 cmd 0 tremto 1200 user 0 epassword "atfwsbfeffecsri=" user 0 access 0 user 1 name "username" user 1 epassword "KD5lSVJDVVg=" user 1 access 0 user 2 name " " user 2 epassword "GzZlWUodFQ8GCA==" user 2 access 0 user 10 epassword "Ig==" local 0 transaccess 2 sslsvr 0 certfile "cert01.pem" sslsvr 0 keyfile "privrsa.pem" ssh 0 hostkey1 "privssh.pem" ssh 0 nb_listen 5 ssh 0 v1 OFF tun 0 IPaddr " " tun 0 mask " " tun 0 source " " tun 0 dest " " tun 0 kadelay 3 Power Up Profile: 0 OK 7.2 Cisco 3745 Cisco#sh run Building configuration... Current configuration : 1250 bytes version 12.3 service timestamps debug datetime service timestamps log datetime no service password-encryption hostname Cisco boot-start-marker boot-end-marker logging buffered 4096 debugging 22

23 no aaa new-model ip subnet-zero ip cef ip audit po max-events 100 crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key Cisco12345 address crypto ipsec transform-set T1 esp-md5 esp-sha-hmac crypto ipsec profile P1 set transform-set T1 interface Tunnel0 ip address ip ospf mtu-ignore load-interval 30 keepalive 3 3 tunnel source tunnel destination tunnel protection ipsec profile P1 interface FastEthernet0/0 description WAN ip address speed auto full-duplex interface FastEthernet0/1 description LAN ip address speed auto full-duplex interface FastEthernet1/0 no ip address shutdown duplex auto speed auto ip classless ip route Tunnel0 no ip http server no ip http secure-server no cdp run line con 0 exec-timeout line aux 0 line vty 0 4 login end 23