Cisco Site-to-Site VPN Lab 3 / GRE over IPSec VPNs
by Michael T. Durham

In part two of NetCertLabs' Cisco CCNA Security VPN lab series, we explored setting up a site-to-site VPN connection where one side is the corporate office with a static IP address and the other side is a home office with a dynamic IP address. In part three of this series we will be setting up a GRE (Generic Routing Encapsulation) tunnel between our two sites in a site-to-site configuration. If you need to set up a GRE tunnel where one side of the tunnel has a dynamic IP address, or you need a site-to-multisite GRE VPN, please see our DMVPN lab.

Cisco supports many other VPN technologies such as SSL VPN (AnyConnect SSL VPN and clientless SSL VPN), Dynamic Multipoint VPN (DMVPN), Easy VPN, Group Encrypted Transport (GET) VPN and others. Please visit our website for labs on those technologies.

Because of the simplicity of setting up GRE VPNs, their low cost and secure communications, and their ability to pass routing protocols (point-to-point IPSec tunnels do not pass multicast packets such as EIGRP and OSPF), GRE VPNs are becoming very popular with network engineers. A GRE tunnel's strengths are carrying multicast protocols over a VPN and connecting discontiguous networks. Its weakness is that there is no encryption of the traffic going through the tunnel and no flow control. This is where IPSec comes in, providing the encryption and flow control needed; when you run GRE over IPSec you create a top-notch secure connection that protects sensitive data.

There are two modes in which you can configure GRE with IPSec, Tunnel mode and Transport mode. Tunnel mode encapsulates the entire IP packet including the original IP header, whereas Transport mode only encapsulates the data payload, leaving the GRE IP addresses exposed.
Other disadvantages of Transport mode: you cannot pass NAT (Network Address Translation) or PAT (Port Address Translation) through the tunnel, and the GRE endpoints and crypto endpoints must be on the same IP network. The benefit of Transport mode is that its overhead is 20 bytes smaller. To implement Transport mode, enter the command mode transport after the crypto ipsec transform-set command.

With the additional overhead of GRE tunnels and IPSec, you will need to adjust the MTU (Maximum Transmission Unit) from its default size of 1500 bytes to 1400 bytes. We also must adjust the MSS (Maximum Segment Size) to 1360 bytes. These two changes prevent packet fragmentation and greatly increase overall performance.

Even with the 20-byte smaller overhead and the slightly lower processor utilization of Transport mode compared to Tunnel mode, we feel that the increased security, NAT/PAT capability, and support for different IP networks of Tunnel mode far outweigh any advantages Transport mode may seem to offer.

NetCertLabs' goal is to provide you with the basic knowledge necessary to pass your desired exam, or just to help you get your lab set up and working so you can learn each subject. Another one of NetCertLabs' goals is to provide you with CLEAR and concise step-by-step instructions of KNOWN working configurations. For a more in-depth study of IPSec VPNs, visit Cisco's website's video training series at:
http://www.cisco.com/en/us/tech/tk827/tk369/tk287/tsd_technology_support_sub-protocol_home.html

Equipment List:
3 2610 routers running Cisco IOS Software Release 12.2(15)T2 (or similar)*
4 WIC-1T serial modules**
2 Ethernet Cat5 cross-over patch cables
2 DB60 serial DCE/DTE cables (simulate the leased line or MPLS connection)*
2 PCs

* The IOS has software VPN ability built in in many versions. Hardware VPN modules are also available for increased performance.
** If your router has two Ethernet ports you can use them in place of the serial ports.
CCNA/CCNA Security Lab 3

In this lab we will set up a Cisco hardware-to-hardware site-to-site GRE (Generic Routing Encapsulation) VPN tunnel.

[Topology diagram: Corp PC 192.168.0.100 -- fa0/0 192.168.0.1 Corp router s0/0 50.137.15.9 -- s0/0 Internet router s0/1 -- 209.87.55.42 s0/0 Branch router fa0/0 10.0.0.1 -- Branch PC 10.0.0.100; GRE tunnel IP addresses 172.16.0.1 (Corp) and 172.16.0.2 (Branch)]

This lab will show you how to set up and configure three Cisco routers to create a permanent secure site-to-site GRE VPN tunnel over the Internet, an MPLS network, or a Frame Relay network, encapsulating our packets and hiding them from those networks. Once the GRE VPN has been established we will use the IP Security (IPSec) protocol to encrypt our data payload.

In this lab we assume that you have your Ethernet and serial ports already configured and that both Cisco routers have a static IP address. One of the three routers is used to simulate the Internet. In the lab above, public IP addresses are used to give you a more realistic understanding of what happens and where to apply the commands in a real-world setting. Since the routers in this lab are NOT connected to the Internet there will not be any IP address conflicts. Please make sure that your lab is disconnected from any equipment that could provide Internet connectivity.

If you are interested in configuring point-to-multipoint DMVPN (Dynamic Multipoint Virtual Private Network) mGRE tunnels, see the CCNA/CCNA Security Lab 4. NetCertLabs has several additional CCNA/CCNA Security labs for you to learn with on our web site, as well as many other labs to help you earn the certification you are seeking.

The following six steps need to be configured in order to create a secure GRE VPN on a Cisco IOS device.

Step 1. Create the GRE Tunnel
Step 2. Route Networks Through the Tunnel
Step 3. Configure ISAKMP (IKE) - (ISAKMP Phase 1)
Step 4. Create IPSec Transform (ISAKMP Phase 2 policy)
Step 5. IPSec Profile
Step 6. Apply

Step 1.
Create the Tunnel
------------- Corp Router -------------

The first step in creating a GRE tunnel is to create a logical interface and assign it a private IP address. Packets within the tunnel will be encapsulated on one end and de-encapsulated on the other end. Remember, the packets and the data within the packets are NOT encrypted at this point. On the Corp router perform the following steps:

Corp(config)#interface Tunnel 0
Corp(config-if)#ip address 172.16.0.1 255.255.255.0
Corp(config-if)#ip mtu 1400
Corp(config-if)#ip tcp adjust-mss 1360
Corp(config-if)#tunnel source 50.137.15.9
Corp(config-if)#tunnel destination 209.87.55.42
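To see where the ip mtu 1400 and adjust-mss 1360 values come from, here is an added sizing example (not part of the lab) that computes the on-the-wire size of a packet sent through GRE over IPsec with this lab's esp-3des/esp-md5-hmac transform set, in both Tunnel and Transport mode. It uses the standard IP/GRE/ESP header sizes and assumes a GRE header with no key or sequence-number options.

```python
# Added worked example (not from the lab): per-packet overhead of GRE over IPsec
# for the lab's esp-3des / esp-md5-hmac transform set, in tunnel and transport mode.
IP_HDR, TCP_HDR, GRE_HDR = 20, 20, 4   # GRE header without key/sequence options (assumed)
ESP_HDR, ICV_LEN = 8, 12               # SPI + sequence number; truncated HMAC-96 ICV
CIPHER = {"esp-des": (8, 8), "esp-3des": (8, 8), "esp-aes": (16, 16)}  # (IV bytes, block size)

def esp_size(plaintext_len, cipher):
    """Size of an ESP packet (without its IP header) carrying plaintext_len bytes."""
    iv, block = CIPHER[cipher]
    # the pad-length and next-header trailer bytes are encrypted too, then pad to the block size
    padded = -(-(plaintext_len + 2) // block) * block
    return ESP_HDR + iv + padded + ICV_LEN

def outer_size(inner_len, cipher="esp-3des", mode="tunnel"):
    """Bytes on the wire for an inner IP packet of inner_len sent through the tunnel."""
    if mode == "tunnel":       # ESP wraps the whole GRE/IP packet and adds a new IP header
        return IP_HDR + esp_size(IP_HDR + GRE_HDR + inner_len, cipher)
    if mode == "transport":    # ESP sits between the GRE outer IP header and the GRE header
        return IP_HDR + esp_size(GRE_HDR + inner_len, cipher)
    raise ValueError(f"unknown mode {mode!r}")

def fits(inner_len, link_mtu=1500, **kw):
    return outer_size(inner_len, **kw) <= link_mtu

def max_inner_mtu(link_mtu=1500, **kw):
    """Largest 'ip mtu' for the tunnel interface that never fragments on the link."""
    return max(n for n in range(link_mtu) if fits(n, link_mtu, **kw))

def tcp_mss_for(ip_mtu):
    """'ip tcp adjust-mss' value matching an 'ip mtu': strip the IP and TCP headers."""
    return ip_mtu - IP_HDR - TCP_HDR

if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        print(f"{mode:9} 1400-byte inner -> {outer_size(1400, mode=mode)} bytes on the wire, "
              f"max ip mtu {max_inner_mtu(mode=mode)}")
    print("default 1500-byte inner fits in 1500?", fits(1500))   # False: fragmentation
    print("adjust-mss for ip mtu 1400:", tcp_mss_for(1400))      # 1360
```

With a 1500-byte link MTU, Tunnel mode with 3DES tolerates an inner IP MTU of up to 1422 bytes (1442 in Transport mode, the 20-byte header saving noted above), so 1400 leaves a safe margin and 1400 - 20 - 20 = 1360 is the matching MSS.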
Since the Tunnel 0 interface is a logical interface, it will remain up even if there is no GRE tunnel configured or connected at the other end. Before you proceed to step two, jump down to the Branch router section and configure a logical tunnel and assign it its IP address, MTU, MSS, source and destination addresses. Once you have those settings entered, return here and proceed with step two. Be sure that you have your default gateways and default routes set up, or your tunnel protocol will be down and your lab will not work.

Step 2. Route Networks Through the Tunnel

First let's test the tunnel connectivity by issuing an ICMP ping.

Corp#ping 172.16.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

As you can see from the output above, we can reach the other side of the tunnel. However, workstations on either side cannot yet communicate with each other. You need to create a static route so that the remote networks can reach each other.

Corp(config)#ip route 10.0.0.0 255.255.255.0 172.16.0.2

Instead of entering static routes, which can be difficult to manage in a medium to large network, you can use routing protocols such as RIP, EIGRP, OSPF and others. Normal routing protocol rules such as areas and autonomous systems apply when using these protocols over a tunnel. Here is an EIGRP configuration that you can use in place of the static route above.

Corp(config)#router eigrp 1577
Corp(config-router)#network 172.16.0.0 0.0.0.255
Corp(config-router)#network 192.168.0.1 0.0.0.255

Step 3. ISAKMP

First we enter configuration mode and enable ISAKMP. Although ISAKMP is enabled by default, do this just to be sure it is. The policy number is quite important. When the router tries to negotiate an acceptable phase one policy, it always starts with the policy closest to 1 and works its way up in order until a negotiation is successful (using 10 leaves some room for growth if needed).

Corp(config)#crypto isakmp enable
Corp(config)#crypto isakmp policy 10

Now we configure the authentication method. Acceptable options are pre-shared key, RSA-Sig and RSA-Encr. For simplicity we'll use a pre-shared key for now. In other labs we will examine the other options.

Corp(config-isakmp)#authentication pre-share

Next is the hash method to be used. Options are MD5 and SHA-1 (SHA-1 is the default). (MD5 is a stronger hash method.)

Corp(config-isakmp)#hash sha

Now we configure the encryption algorithm we want to use. In order of strength: AES 256, AES 192, AES 128, 3DES, DES (168-bit Triple DES is the default if nothing is explicitly configured).

Corp(config-isakmp)#encryption 3des

group <number> configures the modulus size of the Diffie-Hellman key exchange. (Group 5 isn't supported on all versions of IOS.)

Group  Description
1      The 768-bit Diffie-Hellman group.
2      The 1024-bit Diffie-Hellman group.
5      The 1536-bit Diffie-Hellman group.
(Group 1 is the default.)

Corp(config-isakmp)#group 5

Lifetime is the time in seconds for the Security Association (SA): 3600 = 1 hour (86400, i.e. 1 day, is the default).

Corp(config-isakmp)#lifetime 3600

Since we configured pre-shared key authentication, we need to configure the key on a per-host basis in global configuration mode.

Corp(config)#crypto isakmp key K3y4vPnLab address 209.87.55.42

The peer's pre-shared key is set to K3y4vPnLab and its public IP address is 209.87.55.42. Every time the Corp router tries to establish a VPN tunnel with the Branch router (209.87.55.42), this pre-shared key will be used.

To keep our VPN up and connected when traffic may not be passing, we use dead peer detection (DPD) by setting ISAKMP to send keepalives every 10 seconds, then every 2 seconds if a keepalive fails. The default is to send them on demand rather than periodically as we have configured. Not all versions of IOS support this.

Corp(config)#crypto isakmp keepalive 10 2 periodic

Verify the configuration with show crypto isakmp policy:

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Step 4. Transform Set

Now we will create the transform set used to protect our data. Our IPSec tunnel mode will be using 256-bit AES encryption and SHA-1 HMAC.

Corp(config)#crypto ipsec transform-set MYTSETNAME esp-3des esp-md5-hmac
Corp(cfg-crypto-trans)#mode tunnel

Various other options are:

Corp(config)#crypto ipsec transform-set MYTSETNAME ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth

Verify with show crypto ipsec transform-set:

Transform set MYTSETNAME: { esp-3des esp-md5-hmac }
   will negotiate = { Tunnel, },

Step 5. IPSec Profile

Now we create an IPSec profile to tie the ISAKMP and IPSec configuration together.

Corp(config)#crypto ipsec profile ENCRYPT-GRE
Corp(ipsec-profile)#set security-association lifetime seconds 86400
Corp(ipsec-profile)#set transform-set MYTSETNAME

Step 6. Apply

Finally we apply the IPSec profile to the tunnel interface.

Corp(config)#interface Tunnel 0
Corp(config-if)#tunnel protection ipsec profile ENCRYPT-GRE

You will get a response from the router as follows:

*Mar 1 03:11:48.715: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Corp(config-if)#
*Mar 1 03:11:53.015: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /50.137.15.9, src_addr= 209.87.55.42, prot= 47
*Mar 1 03:12:03.379: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1577: Neighbor 172.16.0.2 (Tunnel0) is down: holding time expired
As you can see, ISAKMP is now turned on. Since we are not yet encrypting the packets at both ends, the tunnel goes down until we set up the other end of the tunnel with the same encryption scheme. Now we will set up the Branch office router.

Step 1. Create Tunnel
------------- Branch_1 Router -------------

Branch(config)#interface Tunnel 0
Branch(config-if)#ip address 172.16.0.2 255.255.255.0
Branch(config-if)#ip mtu 1400
Branch(config-if)#ip tcp adjust-mss 1360
Branch(config-if)#tunnel source 209.87.55.42
Branch(config-if)#tunnel destination 50.137.15.9

Step 2. Route Networks Through the Tunnel

Branch(config)#ip route 192.168.0.0 255.255.255.0 172.16.0.1

Or use the EIGRP configuration in place of the static route above.

Branch(config)#router eigrp 1577
Branch(config-router)#network 172.16.0.0 0.0.0.255
Branch(config-router)#network 10.0.0.1 0.0.0.255

Step 3. ISAKMP

Branch(config)#crypto isakmp enable
Branch(config)#crypto isakmp policy 10
Branch(config-isakmp)#authentication pre-share
Branch(config-isakmp)#hash sha
Branch(config-isakmp)#encryption 3des
Branch(config-isakmp)#group 5
Branch(config-isakmp)#lifetime 3600
Branch(config-isakmp)#exit
Branch(config)#crypto isakmp key 0 K3y4vPnLab address 50.137.15.9
Branch(config)#crypto isakmp keepalive 10 2 periodic

Step 4. Transform Set

Branch(config)#crypto ipsec transform-set MYTSETNAME esp-3des esp-md5-hmac
Branch(cfg-crypto-trans)#mode tunnel

This must be the same encryption scheme as the other side of the tunnel.

Step 5. IPSec Profile

Now we create an IPSec profile to tie the ISAKMP and IPSec configuration together.

Branch(config)#crypto ipsec profile ENCRYPT-GRE
Branch(ipsec-profile)#set security-association lifetime seconds 86400
Branch(ipsec-profile)#set transform-set MYTSETNAME

Step 6. Apply

Finally we apply the IPSec profile to the tunnel interface.

Branch(config)#interface Tunnel 0
Branch(config-if)#tunnel protection ipsec profile ENCRYPT-GRE

Testing/Verify

To bring up the ISAKMP/IPSec tunnel, just ping the 10.0.0.0 network from the Corp router or the Corp PC.

Corp#ping 10.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/70/92 ms

To verify that encryption is set up and taking place, issue the show crypto session command.

Corp#show crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 209.87.55.42 port 500
  IKE SA: local 50.137.15.9/500 remote 209.87.55.42/500 Active
  IPSEC FLOW: permit 47 host 50.137.15.9 host 209.87.55.42
        Active SAs: 2, origin: crypto map

As you can see from the output above, we now have a working GRE VPN tunnel using ISAKMP and IPSec to protect our data over a public network connection. The configuration files for this lab are on the following pages.

After you have set up and tested this lab, please blog your experience on our blog site at: http://netcertlabs.com/netcertlabs-blog

Thank You,
------------- PC and Router configurations -------------

Corp PC
IP Address 192.168.0.100
Mask 255.255.255.0
Gateway 192.168.0.1

Branch PC
IP Address 10.0.0.100
Mask 255.255.255.0
Gateway 10.0.0.1

Corp Router

hostname Corp

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key K3y4vPnLab address 209.87.55.42
crypto isakmp keepalive 10 periodic

crypto ipsec transform-set MYTSETNAME esp-3des esp-md5-hmac

crypto ipsec profile ENCRYPT-GRE
 set security-association lifetime seconds 86400
 set transform-set MYTSETNAME

interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 50.137.15.9
 tunnel destination 209.87.55.42
 tunnel protection ipsec profile ENCRYPT-GRE

interface Serial0/0
 ip address 50.137.15.9 255.255.255.0
 serial restart-delay 0
 clock rate 128000

interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto

router eigrp 1577
 network 172.16.0.0 0.0.0.255
 network 192.168.0.0
 auto-summary

ip route 0.0.0.0 0.0.0.0 50.137.15.1

Internet Router

hostname Internet

interface Serial0/0
 ip address 50.137.15.1 255.255.255.0
 serial restart-delay 0

interface Serial0/1
 ip address 209.87.55.1 255.255.255.0
 serial restart-delay 0

Branch Router

hostname Branch

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key K3y4vPnLab address 50.137.15.9
crypto isakmp keepalive 10 periodic

crypto ipsec transform-set MYTSETNAME esp-3des esp-md5-hmac

crypto ipsec profile ENCRYPT-GRE
 set security-association lifetime seconds 86400
 set transform-set MYTSETNAME

interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 209.87.55.42
 tunnel destination 50.137.15.9
 tunnel protection ipsec profile ENCRYPT-GRE

interface Serial0/0
 ip address 209.87.55.42 255.255.255.0
 serial restart-delay 0
 clock rate 128000

interface FastEthernet1/0
 ip address 10.0.0.1 255.255.255.0
 duplex auto
 speed auto

router eigrp 1577
 network 10.0.0.0 0.0.0.255
 network 172.16.0.0 0.0.0.255
 auto-summary

ip route 0.0.0.0 0.0.0.0 209.87.55.1
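Most GRE-over-IPsec tunnels that stay down after the six steps above fail because the two ends disagree on something that has to be mirrored (tunnel source/destination, the isakmp key's peer address) or identical (policy, transform set, pre-shared key, MTU/MSS). The following added script (not part of the lab) parses the crypto and tunnel lines of two IOS configs like the ones above and lists such mismatches; the Corp excerpt is constructed from this lab's config and the Branch side is derived from it with one deliberate transform-set mismatch.

```python
import re
# Constructed excerpt of this lab's Corp router config (crypto and tunnel lines only).
# The Branch side is derived from it by swapping the peer addresses, with one
# deliberate transform-set mismatch so the checker has something to report.
CORP = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key K3y4vPnLab address 209.87.55.42
crypto ipsec transform-set MYTSETNAME esp-3des esp-md5-hmac
interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 50.137.15.9
 tunnel destination 209.87.55.42
 tunnel protection ipsec profile ENCRYPT-GRE
"""
BRANCH = (CORP.replace("50.137.15.9", "@").replace("209.87.55.42", "50.137.15.9")
          .replace("@", "209.87.55.42").replace("esp-md5-hmac", "esp-sha-hmac"))

def parse(cfg):
    """Extract the fields both ends of a GRE-over-IPsec pair must agree on (one tunnel per config)."""
    def field(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.group(1) if m else None
    return {
        "src": field(r"^ tunnel source (\S+)"),
        "dst": field(r"^ tunnel destination (\S+)"),
        "key": field(r"^crypto isakmp key (?:\d )?(\S+) address"),
        "key_peer": field(r"^crypto isakmp key (?:\d )?\S+ address (\S+)"),
        "policy": tuple(field(rf"^ {k} (\S+)") for k in ("encr", "hash", "authentication", "group")),
        "transform": field(r"^crypto ipsec transform-set \S+ (.+)$"),
        "mtu": field(r"^ ip mtu (\d+)"),
        "mss": field(r"^ ip tcp adjust-mss (\d+)"),
    }

def check_pair(a, b):
    """Return a list of findings; an empty list means the two ends are consistent."""
    findings = []
    if a["src"] != b["dst"] or a["dst"] != b["src"]:
        findings.append("tunnel source/destination are not mirrored")
    if a["key_peer"] != b["src"] or b["key_peer"] != a["src"]:
        findings.append("isakmp key address does not match the peer's tunnel source")
    if a["key"] != b["key"]:
        findings.append("pre-shared keys differ")
    if a["policy"] != b["policy"]:
        findings.append("isakmp policy (encr/hash/authentication/group) differs")
    if a["transform"] != b["transform"]:
        findings.append(f"transform sets differ: {a['transform']} vs {b['transform']}")
    for side in (a, b):
        if side["mtu"] != "1400" or side["mss"] != "1360":
            findings.append("tunnel ip mtu / ip tcp adjust-mss not set to 1400 / 1360")
    return findings
```

Run check_pair(parse(CORP), parse(BRANCH)) to see the single transform-set finding; with a consistent pair the list is empty.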