DEPLOYING SITE-TO-SITE IPSEC VPNS
SESSION 1

IPSEC REMAINS THE DOMINANT TUNNELING AND ENCRYPTION TECHNOLOGY FOR VPNS.

Infonetics Research report Q303: "IPSec Remains the Dominant Tunneling and Encryption Technology for VPNs, but MPLS and SSL Are Now Having a Mainstream Impact; Users Are Wary of MPLS Deployed with No Encryption, So IPSec Will Sell Well as a Complement to MPLS, and SSL Can Only Satisfy a Portion of the total VPN Market (Remote Access and Extranet); Ultimately these Technologies Will All Co-operate in a VPN Ecosystem"

Printed in USA.
Other VPN Sessions
- SEC-1000: Introduction to Network Security
- SEC-2006: Managing Security Technologies
- SEC-2010: Deploying Remote-Access IPSec VPNs
- SEC-3010: Troubleshooting Cisco IOS and PIX-Firewall Based IPSec Implementations
- SEC-3011: Troubleshooting VPN 3000 IPSec Implementations
- SEC-4010: Advanced IPSec Algorithms and Protocols
- SEC-4011: Deploying Complex and Large Scale IPSec VPNs

APPLICATION OF SITE-TO-SITE IPSEC VPN
What Are We Talking About?
[Figure: A and B need secure communications over an insecure channel. A: "I'm A, here is my proof"; B: "I'm B, here is my proof". Building blocks shown: identity authentication and trust (authority, PKI), ISAKMP and IKE proposals, key generation and key management, security association, IPSec proposals, IPSec encryption algorithms and standards, hash algorithms, tunneling technology, cryptography building blocks; together they form the secure IPSec VPN tunnel.]

WAN Replacement Using Site-to-Site IPSec VPNs
[Figure: central site connected over the Frame Relay WAN and over the Internet (POP, DSL, cable) to intranet branch/remote offices and extranet business-to-business partners; the Internet paths form the VPN network.]
WAN Backup Using Site-to-Site IPSec VPNs
[Figure: central site with the Frame Relay WAN as the primary path; VPN tunnels over the Internet (broadband, PSTN/ISDN) back up the intranet branch/remote office and extranet business-to-business connections.]

Regulatory Encryption Using Site-to-Site IPSec VPNs
By law, encryption is required to protect data such as medical records (HIPAA), corporate or personal financial data, and academic records, even if another VPN technology is used (Frame Relay, MPLS VPN).
[Figure: intranet branch/remote office and extranet business-to-business sites connected over Frame Relay or MPLS VPNs, with IPSec applied on top.]
DESIGN CONSIDERATIONS

Design Topics for Consideration
- IP addressing
- Routing
- Security
- Device authentication
- Migration
- Security policy enforcement
- Access control
- Scalability
- Device placement
- Performance
- Best products for function
- High availability
- QoS
- Management
- Interoperability
Design Considerations: IP Addressing and Routing
IP addressing
- An IPSec VPN is an overlay on the existing IP network; the VPN device needs a routable IP address
- Private IP address space can be used across the VPN
- Design the VPN address space to allow summarization
- NAT is not required, or is bypassed, for VPN traffic
Routing
- Routing is required to forward encrypted and un-encrypted traffic appropriately
- Large-scale networks require dynamic routing

Design Considerations: Security
[Figure: components of the VPN packet path. At each end the IPSec tunnel packet passes through stateless L3 filtering, IPSec, and L3-L7 inspection (IDS/FW) between the network transport and the protected network. Security services: peer authentication, packet integrity, data encryption, session re-keying.]
- Apply the defense in depth model to VPN designs
- Intranet and extranet considerations
Design Considerations: Cryptographic Options
[Figure: an RFC-compliant IPSec implementation gives a secure VPN with many safeguards; it hides networks and is transparent.]
- Tunneling: IPSec, GRE
- Encryption: DES, Triple DES, AES
- Authentication: RSA digital certificates, pre-shared key
- Integrity: HMAC-MD5, HMAC-SHA-1

Design Considerations: VPN Device Authentication
- Pre-shared keys: tied to a unique IP address, not highly scalable, moderate difficulty to deploy
- Wildcard pre-shared keys: any device may use them regardless of IP address; insecure, since if the key is compromised all devices can be tunneled to; extremely easy to deploy
- Digital certificates: highly scalable, initial investment significant, very secure, non-repudiation option, not tied to IP address
Design Considerations: Migration
Migration from a traditional WAN
- Generally, Internet access via a router and/or firewall already exists
- If the existing Internet WAN link is used for the VPN as well, augment bandwidth to accommodate the extra VPN traffic; QoS may be required
- Policy routing may be necessary during a phased migration approach

Design Considerations: Scaling, Sizing and Performance: I
Head-end VPN device sizing consideration factors:
- Total number of remote sites and tunnels
- VPN traffic throughput
- Features: routing protocols, GRE, firewall, QoS
Scalability
- The head-end design must scale to support future load requirements
- Consider integrated versus purpose-defined devices
- Routing, resilience, load balancing, and the WAN connection are all key factors
Design Considerations: Scaling, Sizing and Performance: II
- A head-end device should not be deployed in a configuration that results in CPU utilization higher than 50% after failure
- The 50% target includes all overhead incurred by IPSec and any other enabled features (firewall, routing, IDS, logging, etc.)
- Branch devices should not be taxed above 65% CPU utilization

Cisco VPN Security Router Performance

  Cisco VPN Security Router                      Max Tunnels   3DES Throughput   AES Throughput
  Cisco SOHO 90                                            8   1 Mbps            N/A
  Cisco 830                                               10   7 Mbps            2 Mbps
  Cisco 1700 with VPN Module                             100   15 Mbps           N/A
  Cisco 2600XM with AIM-VPN/BPII                         800   22 Mbps           22 Mbps
  Cisco 2691 with AIM-VPN/EPII                           800   150 Mbps          150 Mbps
  Cisco 3725 with AIM-VPN/EPII                           800   186 Mbps          186 Mbps
  Cisco 3745 with AIM-VPN/EPII                          2000   190 Mbps          190 Mbps
  Cisco 7200VXR with a single SA-VAM2                   5000   260 Mbps          260 Mbps
  Cisco 7301 with SA-VAM2                               5000   370 Mbps          370 Mbps
  Cisco Catalyst 6500/7600 with a single VPNSM          8000   1.9 Gbps          N/A
Performance: Features and Packet Sizes
[Figure: throughput (0 to 90) versus packet size (64, 128, 300, 512, 1024, 1400 bytes) for: unencrypted, unencrypted firewall, unencrypted QoS, 3DES-SHA software, 3DES-SHA hardware, IPsec/FW, IPsec/QoS, IPsec/QoS/FW, GRE 3DES-SHA.]

VPN Headend and Branch Device Consideration
[Figure: device positioning by site type.]
- Home office (broadband): Cisco 800/900 Series, Cisco PIX 501, Cisco VPN 3002
- Remote office (T-1/E-1): Cisco 1700 Series, Cisco PIX 506-E, Cisco VPN 3005
- Regional office (n x T-1/E-1): Cisco 2600/3600 Series, Cisco PIX 515-E, Cisco VPN 3030/3060
- Central office: Cisco 7200/7300/6500 Series, Cisco PIX 535, Cisco VPN 3080
Design Consideration: Topology
- Peer-to-peer
- Hub and spoke: the most common topology; scales well, O(n); performance penalty due to two encryption/decryption cycles
- Partial mesh: compared to the hub and spoke topology, more direct spoke-to-spoke communications
- Full mesh: scaling issues, IPSec tunnels grow exponentially as the number of sites increases; difficult to provision

IPSec Site-to-Site VPN Solutions: Productivity at Low Cost for All Situations
- Standard IPSec: interoperability. Full standards compliance; interoperates with other vendors (example: extranet VPN)
- Routed GRE/IPSec: proven IOS networking. The power of IOS networking applied to VPNs: full routing, application support, instrumentation
- Easy VPN: ease of deployment. IPSec policy push for easy deployment
- Dynamic Multipoint VPN: on-demand VPNs. Simplified scaling and management; traffic-based dynamic tunnels
Enhanced service, high scalability at low cost, improved productivity.
Design Consideration: VPN Device Placement
- VPN device parallel to the firewall
- VPN device in a DMZ of the firewall
- VPN device integrated with the firewall/IDS

VPN Device: Parallel to Firewall
[Figure: Internet traffic from the WAN edge splits into two paths to the campus. VPN path: stateless L3 filtering (IKE, ESP), VPN termination, VPN-focused Layer 4-7 analysis. Firewall path: Layer 4-7 stateful inspection and filtering, DoS mitigation, DMZ, monitoring.]
Design Summary (Parallel to Firewall)
Advantages
- Simplifies the migration task: VPN device addition
- Easy device management
- High scalability: stack VPN devices
Disadvantages
- IPSec decrypted traffic is NOT firewall inspected
- Lacks stateful inspection unless the VPN device supports it
- No centralized point of logging/content inspection

VPN Device: DMZ of Firewall
[Figure: Internet traffic from the WAN edge enters the firewall (Layer 4-7 stateful inspection and filtering, DoS mitigation, monitoring); the VPN device sits on a DMZ of the firewall with stateless L3 filtering (IKE, ESP), VPN termination and VPN-focused Layer 4-7 analysis before traffic reaches the campus.]
Design Summary (DMZ of Firewall)
Advantages
- Abides by the layered security model and enforces security policies that require firewalling
- Easy management with one additional device
- Migration relatively straightforward with the addition of a LAN interface to the firewall
- Moderate-to-high scalability as we stack VPN devices
Disadvantages
- Configuration complexity increases: additional configuration on the firewall
- The firewall must support policy routing to differentiate VPN versus non-VPN traffic
- The firewall may impose bandwidth restrictions on stacks of VPN devices

VPN Device: Integrated with Firewall/IDS
[Figure: three variants of a single device between the WAN edge and the campus, each with a DMZ attached.]
Design Summary (Integrated with Firewall/IDS)
Advantages
- Abides by the layered security model and enforces security policies that require firewalling
- Migration relatively straightforward with the addition of the VPN feature set to the firewall
- Same number of devices to manage
Disadvantages
- Scalability can be an issue, as a single device must scale to meet the performance requirements of multiple features
- Complex configuration; many eggs in one basket

VPN Device: Placement Overview

  Placement                            High Availability   Scalability     Management   Defense in Depth   Performance   Consolidated Solution
  VPN device parallel to FW            Above Average       Superior        Superior     Below Average      Superior      Below Average
  VPN device in DMZ of FW              Superior            Superior        Superior     Superior           Superior      Below Average
  VPN device integrated with FW/IDS    Superior            Above Average   Superior     Superior           Superior      Superior

VPN device choice for site-to-site IPSec VPN:
1. Cisco IOS router platform
2. Cisco Secure PIX Firewall
3. Cisco VPN 3000 Concentrator
DEPLOYMENT SCENARIOS

Site-to-Site VPN Deployment Scenarios
- Basic peer-to-peer topology
  - Basic site-to-site IPSec configuration
  - Static vs. dynamic mapping
  - Crypto ACL consideration
  - Split tunneling consideration
  - Access control
- Hub and spoke topology: GRE over IPSec
- Partial/full mesh topology: Dynamic Multipoint VPN (DMVPN)
Peer-to-Peer Configuration: IKE (Phase I) Policy
[Figure: Router1 (LAN 10.1.1.0/24, outside address 172.16.172.10) and Router2 (LAN 10.1.2.0/24, outside address 172.16.171.20) connected across the backbone.]

Router1:
  crypto isakmp policy 1
   authentication pre-shared
   hash sha
   encr aes 128
   group 2
  crypto isakmp key df*li^gj*al address 172.16.171.20 netmask 255.255.255.255

Router2:
  crypto isakmp policy 1
   authentication pre-shared
   hash sha
   encr aes 128
   group 2
  crypto isakmp key df*li^gj*al address 172.16.172.10 netmask 255.255.255.255

IPSec (Phase II) Policy
Router1:
  crypto ipsec transform-set aes_sha esp-aes 128 esp-sha-hmac
  access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
  crypto map VPN_To_R2 10 ipsec-isakmp
   set peer 172.16.171.20
   match address 101
   set transform-set aes_sha

Router2:
  crypto ipsec transform-set aes_sha esp-aes 128 esp-sha-hmac
  access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  crypto map VPN_To_R1 10 ipsec-isakmp
   set peer 172.16.172.10
   match address 101
   set transform-set aes_sha
Apply VPN Configuration
Router1:
  interface serial 1/0
   ip address 172.16.172.10 255.255.255.0
   crypto map VPN_To_R2
  ip route 10.1.2.0 255.255.255.0 172.16.172.1

Router2:
  interface serial 3/0
   ip address 172.16.171.20 255.255.255.0
   crypto map VPN_To_R1
  ip route 10.1.1.0 255.255.255.0 172.16.171.1

PIX Firewall Site-to-Site VPN Configuration
Define IKE (phase I) policy:
  isakmp policy 1 authentication pre-share
  isakmp policy 1 encryption 3des
  isakmp policy 1 hash md5
  isakmp policy 1 group 2
  isakmp policy 1 lifetime 43200
  isakmp key ********** address 172.16.172.34 netmask 255.255.255.255
Define IPSec (phase II) policy:
  access-list vpnacl permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
  crypto ipsec transform-set myset esp-3des esp-md5-hmac
  crypto map vpnmap 1 ipsec-isakmp
  crypto map vpnmap 1 match address vpnacl
  crypto map vpnmap 1 set peer 172.16.172.34
  crypto map vpnmap 1 set transform-set myset
Bypass NAT for VPN traffic:
  access-list bypass_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
  nat (inside) 0 access-list bypass_nat
Allow VPN traffic through:
  sysopt connection permit-ipsec
Apply the tunnel:
  isakmp enable outside
  crypto map vpnmap interface outside
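Most phase I/II negotiation failures in a peer-to-peer setup come from the two sides not mirroring each other (policy attributes, key bound to the wrong peer address, crypto ACL not reversed). The following added example (not Cisco code) parses the subset of IOS syntax used in the Router1/Router2 snippets above and reports such mismatches; the two configurations embedded in it are those snippets.

```python
"""Consistency check for a pair of Cisco IOS site-to-site IPSec configurations
such as the Router1/Router2 snippets on these slides.  Added example, not Cisco
code.  It parses a minimal subset of IOS crypto syntax (isakmp policy
attributes, isakmp key, transform-set, numbered access-list, crypto map) and
verifies that the two sides mirror each other."""
import re
from ipaddress import ip_network

# Constructed from the slides' Router1/Router2 IKE and IPSec policy.
ROUTER1 = """
crypto isakmp policy 1
 authentication pre-shared
 hash sha
 encr aes 128
 group 2
crypto isakmp key df*li^gj*al address 172.16.171.20 netmask 255.255.255.255
crypto ipsec transform-set aes_sha esp-aes 128 esp-sha-hmac
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
crypto map VPN_To_R2 10 ipsec-isakmp
 set peer 172.16.171.20
 match address 101
 set transform-set aes_sha
"""
ROUTER2 = """
crypto isakmp policy 1
 authentication pre-shared
 hash sha
 encr aes 128
 group 2
crypto isakmp key df*li^gj*al address 172.16.172.10 netmask 255.255.255.255
crypto ipsec transform-set aes_sha esp-aes 128 esp-sha-hmac
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map VPN_To_R1 10 ipsec-isakmp
 set peer 172.16.172.10
 match address 101
 set transform-set aes_sha
"""

def _net(addr, wildcard):
    """IOS address/wildcard-mask pair -> network object."""
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ip_network(f"{addr}/{mask}", strict=False)

def parse(cfg):
    """Extract the fields that must agree between the two IKE/IPSec peers."""
    c = {"policy": {}, "keys": {}, "transform": None, "acl": [], "peer": None}
    for line in (l.strip() for l in cfg.strip().splitlines()):
        if m := re.match(r"(authentication|hash|encr|group) (.+)$", line):
            c["policy"][m.group(1)] = m.group(2)           # isakmp policy attribute
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            c["keys"][m.group(2)] = m.group(1)              # key indexed by peer address
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line):
            c["transform"] = m.group(1).split()
        elif m := re.match(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            c["acl"].append((_net(m.group(1), m.group(2)), _net(m.group(3), m.group(4))))
        elif m := re.match(r"set peer (\S+)$", line):
            c["peer"] = m.group(1)
    return c

def check_pair(cfg_a, cfg_b):
    """Return a list of mismatches; an empty list means the peers agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if a["policy"] != b["policy"]:
        problems.append(f"ISAKMP policy mismatch: {a['policy']} vs {b['policy']}")
    if a["transform"] != b["transform"]:
        problems.append("IPSec transform-set mismatch")
    # each side's key must be bound to the address it configures as its peer
    key_a, key_b = a["keys"].get(a["peer"]), b["keys"].get(b["peer"])
    if key_a is None or key_b is None:
        problems.append("pre-shared key not bound to the configured peer address")
    elif key_a != key_b:
        problems.append("pre-shared keys differ")
    # crypto ACLs must be exact mirror images or the phase II proxy IDs will not match
    if sorted(a["acl"]) != sorted((dst, src) for src, dst in b["acl"]):
        problems.append("crypto ACLs are not mirror images")
    return problems

if __name__ == "__main__":
    print(check_pair(ROUTER1, ROUTER2) or "Router1 and Router2 are consistent")
```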
VPN 3000 Concentrator Configuration
[Figure: VPN 3000 Concentrator configuration screens, two slides.]
Static vs. Dynamic Crypto Map
[Figure: Site_A and Site_B reach the central site through an ISP.]
Dynamic crypto map:
  crypto map vpn 10 ipsec-isakmp dynamic dynamap
  crypto dynamic-map dynamap 10
   set transform-set
   match address
Static crypto map:
  crypto map vpn 10 ipsec-isakmp
   set peer Site_A
   set transform-set
   match address 101
  crypto map vpn 20 ipsec-isakmp
   set peer Site_B
   set transform-set
   match address 102

Static vs. Dynamic Crypto Map (Cont.)
Static crypto map
- Need to configure the VPN peer, crypto ACL and IPSec transform-set
- Use multiple crypto map instances to define multiple VPN peers
- Bi-directional tunnel initiation
- Requires more intensive management, deployment and troubleshooting
Dynamic crypto map
- Only need to configure the IPSec transform-set; the crypto ACL is optional
- One dynamic map serves as a template
- Only the remote peer can initiate the tunnel
- Used when the remote peer has a dynamic IP address
- Simple to manage and deploy
Crypto ACL Consideration: Cisco IOS and PIX Firewall
- The crypto ACL defines the IPSec SA proxy identities, which specify what data traffic IPSec protects
- Cisco IOS/VPNSM/PIX use an access-list, which supports L3/L4 protocol, L4 ports, port ranges, IP addresses, IP subnets and subnet ranges
- Only use the any keyword once in a given ACL entry
- Take care to match more specific ACL entries first
- Never use any any

Crypto ACL Consideration: VPN 3000 Concentrator
- VPN 3000 uses network lists, which support only IP addresses, subnets and subnet ranges
- Auto Discovery in conjunction with routing can be enabled to automatically exchange the crypto network list between VPN peers
[Figure: two concentrators across the Internet exchange 10.1.0.0/16 and 192.168.1.0/24 via RIP; resulting crypto ACL: 10.1.0.0/16, 192.168.1.0/24.]
IPSec SA Scalability: Crypto ACL Summarization
[Figure: remote site via ISP and Internet to the central site; the figure also shows the L4-specific entry "access-list 199 permit tcp 10.1.1.0 0.0.0.255 range 1024 65535 any eq www".]
Six SAs:
  access-list 101 permit ip 10.0.0.0 0.0.255.255 10.10.1.0 0.0.0.255
  access-list 101 permit ip 10.1.0.0 0.0.255.255 10.10.2.0 0.0.0.255
  access-list 101 permit ip 10.2.0.0 0.0.255.255 10.10.3.0 0.0.0.255
Two SAs:
  access-list 101 permit ip 10.0.0.0 0.255.255.255 any
- Each ACL entry corresponds to two IPSec SAs
- Plan the VPN addressing scheme carefully so that the crypto ACL can be summarized: this reduces configuration and improves IPSec SA performance

Split Tunneling
Definition: split tunneling is the ability of a device to forward clear and encrypted traffic at the same time over the same interface.
[Figure: without split tunneling, traffic from the remote site to http://www.cisco.com/ goes through the VPN to the central site VPN head end and out from there; with split tunneling it goes directly to the Internet while corporate traffic uses the VPN.]
Split Tunneling (Cont.)
Split tunnel policy:

  Split tunneling   Corporate network bound traffic   Internet bound traffic
  Allowed           Via tunnel                        Via Internet
  Disallowed        Via tunnel                        Via tunnel

- In site-to-site VPNs, use routing and the crypto ACL to control split tunneling
- Enabling split tunneling at a spoke site can reduce load on the head end; use firewalls at the spoke site to secure the spoke VPN devices

Filtering/Access Control
When filtering at the edge there's not much to see:
- IKE: UDP port 500
- ESP, AH: IP protocol numbers 50 and 51 respectively
- NAT transparency enabled: UDP port 4500
Internal access control should be implemented via the internal interface ACLs or group policy, and not the crypto ACLs, for performance reasons.
Current Inbound Encrypted Packet Flow
[Figure: Layer 2 decapsulation, then reverse crypto map ACL (1), inbound ACL (2), IPSec decryption (3), inbound ACL again (4), packet forwarding (5); drops at steps 1, 2 and 4.]
1. The arriving IP packet is checked against the reverse of the crypto map ACL. If denied, the packet is dropped, because it was not encrypted but it should have been
2. The IP packet is checked against the interface inbound ACL; if denied, it is dropped
3. If the IP packet is encrypted, it is then decrypted
4. The just-decrypted IP packet is again checked against the interface inbound ACL; if denied, it is dropped
5. Just-decrypted and non-encrypted IP packets permitted by the interface inbound ACL are forwarded

Current Outbound Encrypted Packet Flow
[Figure: crypto map ACL (1), outbound ACL (2), then Layer 2 encapsulation (3) for clear packets, or IPSec encryption (4) followed by Layer 2 encapsulation (5) for marked packets; drop at step 2.]
1. The departing IP packet is checked against the crypto map ACL; if permitted, it is marked for encryption
2. All IP packets are checked against the outbound interface ACL; if denied, they are dropped
3. IP packets not marked for encryption are Layer-2 encapsulated
4. IP packets marked for encryption are encrypted
5. Encrypted IP packets are Layer-2 encapsulated
New Inbound Encrypted Packet Flow
[Figure: Layer 2 decapsulation, then reverse crypto map ACL (1), inbound ACL (2), packet forwarding (3) for clear packets, or IPSec decryption (4), inbound access crypto map ACL (5), packet forwarding (6) for encrypted packets; drops at steps 1, 2 and 5.]
1. The arriving IP packet is checked against the reverse of the crypto map ACL; if denied, the packet is dropped, because it was not encrypted but it should have been
2. The IP packet is checked against the interface inbound ACL; if denied, it is dropped
3. If the IP packet is not encrypted, it is forwarded
4. If the IP packet is encrypted, it is then decrypted
5. The just-decrypted IP packet is checked against the inbound access crypto map ACL (optional); if denied, it is dropped
6. The just-decrypted IP packet is forwarded

New Outbound Encrypted Packet Flow
[Figure: crypto map ACL (1), then outbound ACL (2) and Layer 2 encapsulation (6) for unmarked packets, or outbound access crypto map ACL (3), IPSec encryption (4), outbound ACL (5) and Layer 2 encapsulation (6) for marked packets; drops at steps 2, 3 and 5.]
1. All departing IP packets are checked against the crypto map ACL; if permitted, they are marked for encryption
2. IP packets not marked for encryption are checked against the outbound interface ACL; if denied, they are dropped
3. IP packets marked for encryption are checked against the outbound access crypto map ACL (optional); if denied, they are dropped
4. Permitted IP packets are encrypted
5. Encrypted IP packets are checked against the outbound interface ACL; if denied, they are dropped
6. Permitted IP packets are Layer-2 encapsulated
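The difference between the two inbound orders is easiest to see by running both against the Router A ACLs of the slides' Example 1 (crypto ACL 101, inbound ACL 150): under the current flow the decrypted packet is re-checked against ACL 150, so ACL 150 needs a permit for clear 10.1.2.0/24 to 10.1.1.0/24 traffic, while under the new flow it does not. This is an added example, not Cisco code; the ACL model is simplified (protocol, source and destination only) and the packets are constructed.

```python
"""Model of the Cisco IOS inbound packet-processing orders on the slides:
the "current" flow re-checks a decrypted packet against the interface inbound
ACL, the "new" flow checks it only against the optional inbound access crypto
map ACL.  Added example, not Cisco code; the ACL model is simplified (protocol,
source, destination, no ports) and the sample packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str                        # "esp", "udp", "tcp", ...
    src: str
    dst: str
    inner: Optional["Packet"] = None  # clear packet carried inside ESP, if any

@dataclass(frozen=True)
class Ace:
    """One access-list entry; protocol "ip" matches any protocol."""
    proto: str
    src: str                          # CIDR
    dst: str                          # CIDR
    permit: bool = True

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))

def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First match wins; implicit deny at the end, as in IOS."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.permit
    return False

def reverse(acl: List[Ace]) -> List[Ace]:
    return [Ace(a.proto, a.dst, a.src, a.permit) for a in acl]

def _should_have_been_encrypted(pkt: Packet, crypto_acl: List[Ace]) -> bool:
    # Step 1 of both flows: a clear-text packet whose addresses match the
    # reversed crypto map ACL should have arrived inside ESP; it is dropped.
    return pkt.inner is None and acl_permits(reverse(crypto_acl), pkt)

def current_inbound(pkt, crypto_acl, inbound_acl) -> str:
    if _should_have_been_encrypted(pkt, crypto_acl):
        return "drop: clear-text packet matches crypto ACL"
    if not acl_permits(inbound_acl, pkt):                 # step 2
        return "drop: interface inbound ACL (arriving packet)"
    if pkt.inner is None:
        return "forward"                                   # step 5, clear packet
    clear = pkt.inner                                      # step 3, decryption
    if not acl_permits(inbound_acl, clear):                # step 4, re-check
        return "drop: interface inbound ACL (decrypted packet)"
    return "forward"                                       # step 5

def new_inbound(pkt, crypto_acl, inbound_acl, access_crypto_acl=None) -> str:
    if _should_have_been_encrypted(pkt, crypto_acl):
        return "drop: clear-text packet matches crypto ACL"
    if not acl_permits(inbound_acl, pkt):                 # step 2
        return "drop: interface inbound ACL (arriving packet)"
    if pkt.inner is None:
        return "forward"                                   # step 3
    clear = pkt.inner                                      # step 4, decryption
    if access_crypto_acl is not None and not acl_permits(access_crypto_acl, clear):
        return "drop: inbound access crypto map ACL"       # step 5 (optional)
    return "forward"                                       # step 6

# Router A of the slides' Example 1: crypto ACL 101 and inbound ACL 150.
CRYPTO_ACL_101 = [Ace("ip", "10.1.1.0/24", "10.1.2.0/24")]
# ACL 150 as on the "new" slide: only IKE and ESP from the peer.
ACL_150_NEW = [Ace("udp", "192.168.2.1/32", "192.168.1.1/32"),
               Ace("esp", "192.168.2.1/32", "192.168.1.1/32")]
# ACL 150 as on the "current" slide: additionally permits the decrypted traffic.
ACL_150_CURRENT = ACL_150_NEW + [Ace("ip", "10.1.2.0/24", "10.1.1.0/24")]

ESP_FROM_B = Packet("esp", "192.168.2.1", "192.168.1.1",
                    inner=Packet("tcp", "10.1.2.7", "10.1.1.9"))
CLEAR_SPOOF = Packet("tcp", "10.1.2.7", "10.1.1.9")   # arrives unencrypted

if __name__ == "__main__":
    for name, pkt in (("ESP from B", ESP_FROM_B), ("clear 10.1.2.7->10.1.1.9", CLEAR_SPOOF)):
        print(name, "| current flow, new-style ACL 150:",
              current_inbound(pkt, CRYPTO_ACL_101, ACL_150_NEW),
              "| new flow:", new_inbound(pkt, CRYPTO_ACL_101, ACL_150_NEW))
```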
IPSec ACL Configuration Example 1
[Figure: Router A (inside 10.1.1.0/24, outside 192.168.1.1) and Router B (inside 10.1.2.0/24, outside 192.168.2.1) joined by an IPSec tunnel across the Internet.]
- Only allow encrypted host traffic between hosts on 10.1.1.0/24 and 10.1.2.0/24
- No clear-text traffic from the Internet to any host

Current IPSec ACL Configuration Example 1: Router A
  crypto map vpnmap 10 ipsec-isakmp
   set peer 192.168.2.1
   set transform-set trans1
   match address 101
  interface Ethernet0/0
   ip address 10.1.1.1 255.255.255.0
  interface Serial1/0
   ip address 192.168.1.1 255.255.255.0
   ip access-group 150 in
   ip access-group 160 out
   crypto map vpnmap
  access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
  access-list 150 permit udp host 192.168.2.1 eq 500 host 192.168.1.1 eq 500
  access-list 150 permit esp host 192.168.2.1 host 192.168.1.1
  access-list 150 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 160 permit udp host 192.168.1.1 eq 500 host 192.168.2.1 eq 500
  access-list 160 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
New IPSec ACL Configuration Without Crypto Access ACLs Example 1: Router A
  crypto map vpnmap 10 ipsec-isakmp
   set peer 192.168.2.1
   set transform-set trans1
   match address 101
  interface Ethernet0/0
   ip address 10.1.1.1 255.255.255.0
  interface Serial1/0
   ip address 192.168.1.1 255.255.255.0
   ip access-group 150 in
   ip access-group 160 out
   crypto map vpnmap
  access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
  access-list 150 permit udp host 192.168.2.1 eq 500 host 192.168.1.1 eq 500
  access-list 150 permit esp host 192.168.2.1 host 192.168.1.1
  access-list 160 permit udp host 192.168.1.1 eq 500 host 192.168.2.1 eq 500
  access-list 160 permit esp host 192.168.1.1 host 192.168.2.1

Current IPSec ACL Configuration Example 1: Router B
  crypto map vpnmap 10 ipsec-isakmp
   set peer 192.168.1.1
   set transform-set trans1
   match address 101
  interface Ethernet0/0
   ip address 10.1.2.1 255.255.255.0
  interface Serial1/0
   ip address 192.168.2.1 255.255.255.0
   ip access-group 150 in
   ip access-group 160 out
   crypto map vpnmap
  access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 150 permit udp host 192.168.1.1 eq 500 host 192.168.2.1 eq 500
  access-list 150 permit esp host 192.168.1.1 host 192.168.2.1
  access-list 150 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
  access-list 160 permit udp host 192.168.2.1 eq 500 host 192.168.1.1 eq 500
  access-list 160 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
New IPSec ACL Configuration Without Crypto Access ACLs Example 1: Router B
  crypto map vpnmap 10 ipsec-isakmp
   set peer 192.168.1.1
   set transform-set trans1
   match address 101
  interface Ethernet0/0
   ip address 10.1.2.1 255.255.255.0
  interface Serial1/0
   ip address 192.168.2.1 255.255.255.0
   ip access-group 150 in
   ip access-group 160 out
   crypto map vpnmap
  access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 150 permit udp host 192.168.1.1 eq 500 host 192.168.2.1 eq 500
  access-list 150 permit esp host 192.168.1.1 host 192.168.2.1
  access-list 160 permit udp host 192.168.2.1 eq 500 host 192.168.1.1 eq 500
  access-list 160 permit esp host 192.168.2.1 host 192.168.1.1

Hub and Spoke Topology
- 90% hub-spoke, 10% spoke-spoke traffic
- Design options:
  - Cisco IOS: uses crypto ACL summarization for smaller scale deployments; uses GRE over IPSec with a dynamic routing protocol for larger scale deployments
  - VPN 3000 concentrators use summarized network lists for small scale deployments
  - PIX Firewalls do not support the hub and spoke topology
- Best option: GRE over IPSec with a dynamic routing protocol
Why GRE over IPSec
[Figure: an IP packet (IP HDR, data) is first encapsulated in GRE (IP HDR, GRE HDR, IP HDR, data) and then in IPSec tunnel mode (IP HDR, ESP HDR, IP HDR, GRE HDR, IP HDR, data; encrypted); the receiver decapsulates twice.]
- IPSec (ESP) tunnels only IP unicast traffic
- GRE encapsulates non-IP and IP multicast or broadcast packets into IP unicast packets
- Using a GRE tunnel inside an IPSec tunnel uses only three security associations (at maximum)
- Use tunnel mode IPSec rather than transport mode because: with hardware acceleration it is actually faster; some new features (LAF) require tunnel mode

GRE over IPSec Configuration
Before 12.2(13)T (crypto map applied to both the physical and the tunnel interface), on 172.16.175.75:
  crypto isakmp policy 1
   authentication pre-share
  crypto isakmp key cisco47 address 172.17.63.18
  crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
   mode transport
  crypto map vpnmap2 local-address Ethernet1
  crypto map vpnmap2 10 ipsec-isakmp
   set peer 172.17.63.18
   set transform-set trans2
   match address 110
  interface Ethernet1
   ip address 172.16.175.75 255.255.255.0
   crypto map vpnmap2
  interface Tunnel0
   ip address 10.10.2.1 255.255.255.252
   ip mtu 1440
   tunnel source Ethernet1
   tunnel destination 172.17.63.18
   crypto map vpnmap2
  ip route 0.0.0.0 0.0.0.0 172.16.175.1
  access-list 110 permit gre host 172.16.175.75 host 172.17.63.18

12.2(13)T and later (tunnel protection with an IPSec profile), on 172.17.63.18:
  crypto isakmp policy 1
   authentication pre-share
  crypto isakmp key cisco47 address 172.16.175.75
  crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
   mode transport
  crypto ipsec profile vpnprof
   set transform-set trans2
  interface Ethernet1
   ip address 172.17.63.18 255.255.255.0
  interface Tunnel0
   ip address 10.10.2.2 255.255.255.252
   ip mtu 1440
   tunnel source Ethernet1
   tunnel destination 172.16.175.75
   tunnel protection ipsec profile vpnprof
  ip route 0.0.0.0 0.0.0.0 172.17.63.1
GRE over IPSec Configuration Evolution
- Before 12.2(13)T, crypto maps are required on both the GRE tunnel interface and the physical interface
- From 12.2(13)T and later:
  - Only need to apply the crypto map on the physical interface
  - Use tunnel protection ipsec profile under the tunnel interface

GRE over IPSec Design Recommendations I
[Figure: head-ends h1 and h2 and spokes s1 and s2 connected across the Internet, with a GRE tunnel from each spoke to each head-end.]
- In order to avoid asymmetric routing, one of the two GRE tunnels between the head-end and the remote site must be favored
- Change the bandwidth value of the GRE interface on both ends to create primary and secondary tunnels
- An unrealistic bandwidth setting might affect the flow control of EIGRP
- Alternative: use the delay command under the GRE tunnel interface
GRE over IPSec Design Recommendations II
- On failure recovery, the load should be dynamically rebalanced at the head-end
- Generally speaking, the routing protocol at the head-end can safely scale up to 1000 peers
- Consider that EIGRP is less CPU intensive than OSPF
- GRE keepalives can be used for failure detection in the case of static routing

Partial/Full Mesh Topology
- More than 20% spoke-spoke traffic
- The configuration task and the number of IPSec SAs grow exponentially as the number of spoke sites increases; does not scale well above ~10 sites
- Dynamic peer discovery and on-demand tunnel creation mechanisms are required: Dynamic Multipoint VPN (DMVPN)
Why DMVPN Is Needed?
Create the spoke-to-spoke tunnels dynamically based on traffic requirements.
Advantages:
- Dynamic mesh: the number of active tunnels is much lower on each spoke
- Configuration scales better: no need for static definitions for each spoke in the hub configuration
- Easy to add a node: no need to configure the new spoke on all the other nodes
THIS IS THE BASIS OF CISCO'S DYNAMIC MULTIPOINT VPN

How Do Other Topologies Compare?
Hub and spoke
- Pros: all traffic must go via the hub; easy to deploy
- Cons: two encrypts/decrypts; can result in wasted bandwidth and hub resources; can result in unwieldy hub configuration files
Full mesh
- Pros: direct spoke-to-spoke tunnels
- Cons: smaller spoke CPE can't support large numbers of connections (big configurations and lots of resources); adding a node = lots of provisioning
- Basically a scaling and support headache; therefore most production networks use hub and spoke
Dynamic Multipoint VPN (DMVPN)
[Figure: hub Rh1 (tunnel address 10.10.2.1, outside address 172.17.63.18, LAN 192.168.0.0/24) and two spokes such as Rs1 (tunnel 10.10.2.75, outside 172.16.175.75, LAN 192.168.1.0/24; the other spoke has tunnel 10.10.2.76, outside 172.16.176.76, LAN 192.168.2.0/24) connected across the Internet over GRE/IPSec. The hub's NHRP table maps tunnel addresses to outside addresses, and each router's routing table lists the other sites' LANs via their tunnel addresses.]
- Multipoint GRE greatly reduces the configuration task
- The Next Hop Resolution Protocol (NHRP) is used to dynamically map the GRE layer to the backbone IP layer
- Dynamic, on-demand spoke-to-spoke communication; spoke sites can have dynamic IP addresses

DMVPN: How Does It Work? Relies on Two Proven Cisco Technologies
NHRP, Next Hop Resolution Protocol
- Client/server protocol: the hub is the server, the spokes are clients
- The hub maintains an NHRP database of all the spokes' real (public interface) addresses
- Each spoke registers its real address when it boots
- Spokes query the NHRP database for the real addresses of destination spokes to build direct tunnels
Multipoint GRE tunnel interface
- Allows a single GRE interface to support multiple IPSec tunnels
- Simplifies the size and complexity of the configuration
DMVPN: How Does It Work?
- Spokes have a permanent IPSec tunnel to the hub, but not to the other spokes; they register as clients of the NHRP server
- When a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the NHRP server for the real (outside) address of the destination spoke
- Now the originating spoke can initiate a dynamic IPSec tunnel to the target spoke (because it knows the peer address)
- The spoke-to-spoke tunnel is built over the mGRE interface

DMVPN Design: Key, Security and Redundancy
- Recommended: use certificates/PKI (typically the CA server is located on the hub's private subnet)
- Alternative: wildcard pre-shared key; if the key is compromised, every spoke needs to be given a new key
- To prevent unauthorized nodes from joining the VPN:
  - NHRP network ID and password: spokes must be configured with both to join the NHRP network
  - mGRE network ID: must be configured on the spokes to match the hub
  - These parameters are sent via the spoke-hub tunnel and are therefore encrypted
- Redundancy: you can configure multiple NHRP servers on multiple hubs for backup
Agenda
- Applications of Site-to-Site IPSec VPNs
- Design Considerations
- Deployment Scenarios
- Fine Tuning Site-to-Site Deployment
- High Availability
- Management
- Advanced IOS Features
- Case Study

FINE TUNING SITE-TO-SITE DEPLOYMENT
Fine Tune VPN Systems to Avoid MTU Issues
Due to the overhead (~60 bytes) added by IPSec in the middle of the transmission path, the path MTU (PMTU) setting of your VPN system might need to be fine tuned to avoid the stalled-application symptom.
Normal scenarios (no need to fine tune):
- The application sends only small-sized packets
- The PMTU discovery (PMTUd) process helps end hosts reduce packet size automatically to accommodate the IPSec overhead

Fine Tune VPN Systems to Avoid MTU Issues (Cont.)
When do you need to fine tune:
- PMTUd fails because the ICMP messages used by PMTUd (type 3, code 4) are lost or blocked
- IPSec fragments packets after encryption; the reassembly job done by the remote VPN device causes performance degradation
- When the DF (Don't Fragment) bit is set
IPSec and PMTU Discovery
[Figure: host 10.1.1.2 (MTU 1500) behind a VPN router (e1/1, outside 172.16.172.10/28); an IPSec tunnel across a path whose media MTU is 1500 at both ends but 1400 in the middle; a second VPN router (e1/0, outside 172.16.172.20/28) in front of host 10.1.2.2 (MTU 1500).]
Sequence shown in the figure:
1. The host sends a 1500-byte packet with DF=1. The VPN router cannot add the IPSec overhead, so it sends ICMP type 3 code 4 back to the host advertising 1454 (debug ip icmp output: "ICMP: dst (10.1.2.2) frag. needed and DF set unreachable sent to 10.1.1.2")
2. The host resends 1454 bytes with DF=1; the DF bit is copied to the outer header and the encrypted packet is 1500 bytes
3. The 1400-byte link in the path returns ICMP type 3 code 4 advertising 1400 to the VPN router ("ICMP: dst (172.16.172.20) frag. needed and DF set unreachable rcv from 172.16.172.11"); the ICMP carries the ESP header with the SPI, so the router adjusts the path MTU on the corresponding IPSec SA (current outbound spi: EB84DC85, path mtu 1400, media mtu 1500)
4. The router sends ICMP type 3 code 4 to the host advertising 1354; the host resends 1354 bytes with DF=1, which encrypt to 1400 bytes and get through

PMTU Setting Options on VPN Devices
General considerations:
- Avoid fragmentation after encryption as much as possible
- Adjust the MTU in advance to leave room for the IPSec overhead
- Last resort: clear the DF bit so that the packet can get through
Methods for setting PMTU by device:
- Cisco IOS: adjust the TCP MSS option; Look Ahead Fragmentation (LAF); adjust the IP MTU of the GRE tunnel interface; clear the DF bit using policy routing or the IPSec df-bit clear feature (last resort)
- PIX: adjust the TCP MSS option; pre-tunnel fragmentation
- VPN 3000: adjust the IP MTU of the interface; clear the DF bit
Adjust TCP MSS Option
- The TCP Maximum Segment Size (MSS) option is sent during the TCP connection establishment phase; TCP end hosts obey the MSS value conveyed by the other end
- Cisco IOS: ip tcp adjust-mss 1360 under the ingress interface
- PIX: sysopt connection tcp mss 1360

Look Ahead Fragmentation (LAF)
- Fragmentation after IPSec requires reassembly on the receiving router
- LAF takes the packet and looks ahead by adding 84 bytes (max. ESP header size); if the result is larger than the path MTU, the packet is fragmented before IPSec
- Early tests show that pre-fragmentation increases performance on a 7200VXR receiver from 12 Mb/s to 70 Mb/s
- Reassembly is now done on the end host
- To enable:
    crypto ipsec df-bit clear
    crypto ipsec fragmentation before-encryption
- Supported on Cisco IOS/VPNSM and VPN 3000
GRE over IPSec MTU Considerations
Fragmentation:
- GRE fragments before encapsulation
- IPSec fragments after encryption
- Can get double fragmentation: reassembly by the IPSec peer and by the end host
Solution:
- Set the GRE interface IP MTU: IPSec transport mode ip mtu 1400; IPSec tunnel mode ip mtu 1400 (20 more bytes used in tunnel mode)
- Use tunnel path-mtu-discovery under the GRE interface so that the PMTUd process will work after GRE
- Use LAF; the IP MTU of the GRE tunnel interface will be adjusted automatically

Quality of Service (QoS) in VPN Deployment
- Enable end-to-end QoS throughout the network
- Cisco VPN products preserve the ToS/DSCP bits after encryption
- QoS classification/marking must occur before encryption
Challenges:
- QoS happens after IPSec on the egress interface; some QoS mechanisms (flow-based WFQ, PQ, CQ, CBWFQ) that classify traffic using L3/4 packet header information no longer work when applied on egress interfaces
- The crypto engine is a FIFO queue; no priority is associated with different classes of traffic
Cisco IOS VPN QoS Consideration: QoS Pre-Classify
[Figure: the packet's network headers are copied before the crypto engine and handed to the QoS mechanism on the egress interface.]
- QoS pre-classify preserves the Layer 3/4 information before the crypto engine
- The QoS mechanism at the egress interface uses the preserved header information to classify packets

Cisco IOS VPN QoS Consideration: Crypto Low Latency Queuing (LLQ)
[Figure: IP data traffic (D) and VoIP traffic (V) enter CBWFQ with a best-effort queue and an LLQ in front of the crypto engine; voice packets are served ahead of data packets.]
- LLQ before the crypto engine is designed to minimize voice latency and jitter
- Queuing occurs when the crypto engine is congested
VPN Service Module (VPNSM) QoS Consideration
- VPNSM supports priority queuing with two priorities: high and low
- Class of Service (CoS) is used to map traffic to the VPNSM priority queues
- Use Catalyst 6000 MLS QoS to mark packets with CoS values

VPN QoS Consideration: VPN 3000 Concentrator
- Allows bandwidth reservation for site-to-site tunnels
- Traffic policing is available to police excess packets
NAT and Site-to-Site VPN
- One-to-one NAT between IPSec peers:
  - Works fine with IPSec ESP
  - Does not work with IPSec AH (the integrity check covers the IP header)
- Port address translation (PAT) breaks IPSec
- Solution: IPSec NAT transparency (NAT-T)
  - During IKE phase 1 negotiation, a special NAT discovery payload is used to discover the existence of NAT and the location of the NAT device
  - If there is NAT, the ESP packet is encapsulated as a UDP payload (UDP/4500)
  - An ISAKMP NAT keepalive is sent to keep the NAT entry from timing out

Compression and VPNs
- Aids in path MTU issues
- LZS can be used for Layer 3 compression over VPNs; to enable it, add the comp-lzs IPSec transform to the transform set
- The compression ratio varies dramatically depending on the traffic undergoing compression; the LZS implementation has a maximum 2:1 compression ratio
- IPCP-LZS in software runs in process mode and creates significant CPU overhead
- Some crypto hardware accelerator cards support LZS in hardware (VAM, VAM2)
- Layer 2 compression has no effect on IPSec traffic
- VAM2 compression-only mode is NOT supported, so do not deploy it for compression alone
HIGH AVAILABILITY

High Availability
- Common high availability (HA) practice in conjunction with IPSec HA features
- Design options:
  - Local HA via link resiliency
  - Local HA via Hot Standby Router Protocol/Virtual Router Redundancy Protocol/failover
  - Geographical HA via IPSec backup peers
  - Local/geographical HA via GRE over IPSec (dynamic routing)
- VPN peer reachability detection mechanisms:
  - IKE timer
  - IKE keepalive/DPD
  - Routing protocol
  - GRE tunnel keepalive
IKE Keepalive and Dead Peer Detection (DPD) Consideration
IKE keepalive:
- Used to clear stale IPSec SAs in the dead-peer situation
- Must be enabled on both VPN peers
- Bi-directional, periodic keepalive between the two peers
- Can cause high CPU usage on the hub VPN device in a large-scale deployment; can it scale up to 1000 peers?
DPD:
- Used to clear stale IPSec SAs in the dead-peer situation
- Can be configured to track one direction only
- Keepalives are sent only in the absence of VPN traffic
- Compared to IKE keepalive, more efficient and uses less CPU

Local HA via Link Resiliency
[Figure: VPN router with links to multiple ISPs.]
- Link resiliency: ISDN backup, backup Frame Relay DLCI, etc.
- Choose multiple ISPs to achieve link diversity
- Use a loopback interface as the ISAKMP identity for the VPN router
- Failover mechanisms: backup interface, dialer watch, floating static routes
Local HA Using HSRP/VRRP
[Figure: remote VPN router across the Internet to head-end routers HE-1 and HE-2 running HSRP/VRRP in front of the corporate intranet.]
- Available in Cisco IOS; active-active failover
- Reverse route injection (RRI) is required for the hosts behind the HSRP routers to track tunnel states
- VRRP is supported by the VPN 3000 concentrator
- PIX failover is similar to the VRRP mechanism; active-standby failover

Local HA Using HSRP/VRRP: Cisco IOS HSRP and RRI
[Figure: remote router across the Internet to head-end routers P (primary) and S (secondary) in front of 10.1.1.0/24, with the following sequence.]
1. SA established to primary; sending IKE keepalives
2. Router P RRI: "I can reach 10.1.1.0"
3. 10.1.1.0/24 via P
4. Router P fails (figure legend: "Unscheduled Immediate Memory Initialization Routine")
5. Secondary active; sending IKE keepalives
6. New SA established to secondary
7. Router S RRI: "I can reach 10.1.1.0"
8. 10.1.1.0/24 via S
- HSRP is enabled on the outside (WAN-facing) interface
- Cisco IOS IPSec HA enhancement features: allow IPSec to use the HSRP virtual IP as the peer address; reverse route injection (RRI) injects the IPSec remote proxy IDs into the dynamic routing process
Cisco IOS HSRP and RRI Configuration
    crypto isakmp keepalive 10
    crypto map vpn 10 ipsec-isakmp
     set peer 172.16.175.75
     set transform-set myset
     match address 101
     reverse-route
    interface Ethernet1/0
     ip address 172.17.63.18 255.255.255.248
     standby 1 ip 172.16.172.19
     standby 1 priority 200
     standby 1 preempt
     standby 1 name VPNHA
     standby 1 track Ethernet1/1 150
     crypto map vpn redundancy VPNHA
    interface Ethernet1/1
     ip address 10.1.1.1 255.255.255.0
    router ospf 1
     redistribute static subnets
     network 10.1.1.0 0.0.0.255 area 0
    access-list 101 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255

Cisco IOS IPSec Stateful Failover
[Figure: HSRP active router P and standby router S joined by an SSP link, each showing its inbound ESP SA.]
Active router (P):
    inbound esp sas:
     spi: 0xB57000DA(3044016346)
       transform: esp-des esp-md5-hmac ,
       in use settings ={Tunnel, }
       slot: 100, conn id: 2000, flow_id: 1, crypto map: vpn
       sa timing: remaining key lifetime (k/sec): (4607998/663)
       IV size: 8 bytes
       replay detection support: Y
Standby router (S):
    inbound esp sas:
     spi: 0xB57000DA(3044016346)
       transform: esp-des esp-md5-hmac ,
       in use settings ={Tunnel, }
       slot: 100, conn id: 2000, flow_id: 1, crypto map: vpn
       sa timing: remaining key lifetime (k/sec): (4147198/3489)
       IV size: 8 bytes
       replay detection support: Y
       HA Status: STANDBY
- The same SPI (0xB57000DA) is present on both routers: the SA has been synchronized to the standby
- IPSec stateful failover greatly improves failover time compared to stateless IPSec/HSRP failover
- State Synchronization Protocol (SSP) is designed to sync the ISAKMP and IPSec SA databases between the HSRP active and standby routers
- Use a dedicated link between the two HSRP routers for the SSP exchange
Cisco IOS IPSec HSRP Stateful Failover Configuration
    ssp group 10
     remote 10.1.2.2
     redundancy IPSec_HA
    crypto isakmp ssp 10
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto map vpn ha replay-interval inbound 10 outbound 1
    crypto map vpn 10 ipsec-isakmp
     set peer 172.16.172.35
     set transform-set myset
     match address 101
     reverse-route
    interface Ethernet1/0
     ip address 172.16.172.56 255.255.255.240
     standby 10 ip 172.16.172.59
     standby 10 preempt
     standby 10 name IPSec_HA
     standby 10 track Ethernet1/3 50
     crypto map vpn ssp 10
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

Geographic HA Using IPSec Backup Peers
[Figure: branch office connected through ISPs to two corporate VPN head-ends, 200.1.1.1 and 200.1.5.1.]
    crypto isakmp keepalive 20 3
    crypto map vpn 10 ipsec-isakmp
     set peer 200.1.1.1
     set peer 200.1.5.1
     set transform-set myset
     match address 101
- During IKE negotiation, the IKE timer (3 retries) detects the peer failure
- IKE keepalive or DPD detects a failed peer after the tunnel is established
Local/Geographical HA Using GRE over IPSec (Dynamic Routing)
[Figure: branch routers s1 and s2 connected across the Internet to head-ends h1 (San Jose) and h2 (New York) by a primary tunnel and a secondary tunnel; geographical HA between the two head-end sites, local HA with a redundant hub design.]
- Except under failure conditions, the IPSec and GRE tunnels are always up, since the routing protocols are always running
- The remote sites always have two apparent paths to all networks available via the head-end
- Use dynamic routing for path selection and failover

Redundant Hubs in Action: Initial Build
- Hub load: H1 33%, H2 33%, H3 33%
- Spoke primary (P) and secondary (S) hubs:
  - S1: P H1, S H2
  - S2: P H1, S H3
  - S3: P H2, S H1
  - S4: P H2, S H3
  - S5: P H3, S H1
  - S6: P H3, S H2
Redundant Hubs in Action: After Failure
- Hub H2 fails; hub load changes from H1 33%, H2 33%, H3 33% to H1 50%, H2 0%, H3 50%
- Spoke assignments are unchanged (S1: P H1, S H2; S2: P H1, S H3; S3: P H2, S H1; S4: P H2, S H3; S5: P H3, S H1; S6: P H3, S H2); S3 and S4 move to their secondary hubs H1 and H3

Site-to-Site High Availability Summary
Key: CK = Cisco-type IKE keepalives; DPD = Dead Peer Detection; HA = High Availability; RP = routing protocol; BP = IPSec backup peer. DPD is preferred over CK.

Remote device    | Head-end: Cisco IOS                                                        | Head-end: PIX | Head-end: VPN 3000
Cisco IOS/VPNSM  | RP/GRE (IKE peers); HSRP+ (IKE peer), DPD/CK, RRI/HSRP (RP/HSRP back-end)/BP | DPD/CK/BP     | DPD/CK, RRI (RP back-end)/BP
PIX Firewall     | HSRP+ (IKE peer), DPD/CK, RRI/HSRP (RP/HSRP back-end)/BP                   | DPD/CK/BP     | DPD/CK, RRI (RP back-end)/BP
VPN 3000         | HSRP+ (IKE peer), DPD/CK, RRI/HSRP (RP/HSRP back-end)/BP                   | DPD/CK/BP     | DPD, RRI (RP back-end)/BP
MANAGEMENT

Managing VPN
- In order to manage remote devices via a VPN tunnel you should:
  - Use static public IP addresses at remote sites and static crypto maps at the head-end
  - Use Auto Update Server for dynamically assigned remote sites
  - Be aware that some services do not always use the public IP address as the source address (e.g. TFTP)
- IPSec information is available via syslog (minimal) or the IPSec MIB via SNMP (IOS, 3000)
- Manage out-of-band:
  - Use dedicated management interfaces if possible
  - If not possible, use the VPN for secure management and restrict access over the tunnel to management protocols only
- When managing a VPN device across the Internet:
  - Use strong authentication, integrity and encryption
  - Use a different username for configuration management and for troubleshooting
  - If you cannot use IPSec (e.g. on a Catalyst LAN switch), use SSH/SSL; however, use IPSec from the first-hop Cisco IOS router
VPN Management
[Figure: management products arranged by scope, from advanced Cisco IOS features to applications.]
- Management ON the box (device managers):
  - PDM: PIX Device Manager
  - VDM: VPN Device Manager for Cisco IOS
  - SDM: Security Device Manager for Cisco IOS
- Management OFF the box (multi-device managers):
  - Management Centers for Cisco IOS, IDS and PIX
  - VPN/Security Management Solution: VPN Monitor
  - VPN Solutions Center (service provider provisioning tool)

CASE STUDY
Company Profile
- Existing infrastructure:
  - 20,000-employee company
  - Frame Relay and ISDN are used to interconnect remote offices
  - Currently has 150 remote sites, growing to 500+ in the near future
- VPN design goals:
  - Use an Internet VPN to replace the WAN to save cost
  - Migrating from the Frame Relay environment requires some level of assurance of service availability
  - Flexible design to accommodate future growth

Current Traffic Profile
- Internet access: multiple OC-3 lines, firewall and edge/ISP router
  - Head-end: ~450 Mbps throughput; HTTP, FTP and other traffic
- Frame Relay network:
  - Head-end: ~45 Mbps throughput
  - Remote sites: 56/64K, T1/E1, ~1 Mbps throughput
  - Intranet services: database, HTTP, FTP, mail, etc.
- PSTN network:
  - Head-end: access server, PRI lines
  - Remote sites: 128K ISDN
Current Network Topology
[Figure: headquarters connected to the Internet, the PSTN and the Frame Relay cloud; remote sites reach headquarters over Frame Relay and the PSTN.]

Design Considerations Checklist: I
- IP addressing and routing:
  - Private IP addressing used for the VPN
  - All spoke sites have static routable IP addresses
  - Dynamic routing required: GRE over IPSec
- Security:
  - Use a firewall in front of the VPN devices
- Device authentication:
  - Limited number of remote sites: IKE pre-shared key
- Cryptographic options:
  - 3DES encryption with data integrity and authentication
Design Considerations Checklist: II
- High availability:
  - Multiple head-end devices
  - Routing protocol (EIGRP) is used for convergence, transparent to the end user
- Migration:
  - Utilize the existing Internet connection for the site-to-site IPSec VPN
  - Upgrade the existing Internet connection to accommodate the added VPN traffic
  - Dynamic routing needed to distinguish between Internet and intranet traffic

Design Considerations Checklist: III
- Device sizing and scalability (head-end and remote):
  - Number of branches ~500, with 2 tunnels each (primary and secondary): 1000 VPN tunnels
  - Number of head-end devices = [no. of tunnels / 1000] + 1 = 2
  - Throughput per branch ~0.75 Mbps
  - Aggregated head-end VPN throughput: 0.75 * 1000 = 750 Mbps
  - Traffic throughput and CPU utilization: branch device CPU utilization is considered at 65%
- Product selection:
  - Head-end: C7301 VPN Security Router with SA-VAM2
  - Remote sites: C1700, C3600 with encryption modules
VPN Design
[Figure: remote sites connected across the Internet to a primary (P) and a secondary (S) VPN head-end at the central site.]

Conclusions
- Security: stateful inspection of traffic at the VPN head-end; adhere to the security policy, e.g. on split tunneling
- Cost saving: great time-to-value; monthly cost is the Internet subscription; the initial equipment cost is recaptured by the monthly savings; deploy VPN-enabled routers (including DSL and other features); DSL and/or cable, with free install by some ISPs
- Scalability: minimal downtime during failover; use of DSL and/or cable technology
- Flexible design: future growth and resiliency with multiple links and additional hub sites
Flexible VPN Design to Accommodate Future Growth
[Figure: remote VPN sites A, B ... Z, each with a primary (P) and a secondary (S) tunnel across the Internet to multiple hub sites (San Jose, Atlanta) on the corporate network.]

Reference Materials
- Performance of Cisco IOS Routers, PIX and VPN 3000: http://www.cisco.com/en/us/netsol/ns340/ns394/ns171/netbr09186a00801f0a72.html
- ROI Calculator for Site-to-Site VPN: http://www.cisco.com/warp/public/779/largeent/learn/technologies/vpn/vpn_calc/vpnsite.html
- CERT site: http://www.cert.org/
- VPN Design Pages: http://www.cisco.com/warp/public/779/largeent/design/vpn.html
- VPN Insider: http://www.vpninsider.com/index.shtml
Recommended Reading
- CCSP Self-Study: Cisco Secure Virtual Private Networks (CSVPN), Second Edition [1-58705-145-1], available late May 2004
- Network Security Principles and Practices [1-58705-025-0]
- Available on-site at the Cisco Company Store

Q AND A
Complete Your Online Session Evaluation
- What: complete an online session evaluation and your name will be entered into a daily drawing
- Why: win fabulous prizes; give us your feedback
- Where: go to the Internet stations located throughout the Convention Center
- How: winners will be posted on the onsite Networkers website; four winners per day
APPENDIX: GRE OVER IPSEC

GRE over IPSec: Network Layout
[Figure: hub router Rh1, outside address 172.17.63.18, inside network 192.168.0.0/24 (Rh1 .1, host H1 .2); spoke router Rs1, outside address 172.16.175.75, inside network 192.168.1.0/24 (Rs1 .1, host H2 .2); spoke router Rs2, outside address 172.16.176.76, inside network 192.168.2.0/24 (Rs2 .1, host H3 .2); the three routers meet over the Internet.]
IPSec + GRE Hub and Spoke: Hub Configuration
Transport mode; dynamic crypto map; ACL entries permit GRE from the hub to the spokes.
    crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
     mode transport
    crypto dynamic-map vpndyn 10
     set transform-set trans2
     match address 110
    crypto map vpnmap local-address Ethernet4
    crypto map vpnmap 10 ipsec-isakmp dynamic vpndyn
    interface Ethernet0
     ip address 192.168.0.1 255.255.255.0
    interface Ethernet4
     ip address 172.17.63.18 255.255.255.240
     crypto map vpnmap
    access-list 110 permit gre host 172.17.63.18 host 172.16.175.75
    access-list 110 permit gre host 172.17.63.18 host 172.16.176.76

IPSec + GRE Hub and Spoke: Hub Configuration (Cont.)
One GRE tunnel interface per spoke; IP MTU set on the tunnel; EIGRP for dynamic routing.
    interface Tunnel11
     ip address 10.10.2.5 255.255.255.252
     ip mtu 1440
     tunnel source Ethernet4
     tunnel destination 172.16.175.75
     crypto map vpnmap
    interface Tunnel12
     ip address 10.10.2.9 255.255.255.252
     ip mtu 1440
     tunnel source Ethernet4
     tunnel destination 172.16.176.76
     crypto map vpnmap
    router eigrp 1
     network 10.10.2.0 0.0.0.255
     network 192.168.0.0
     no auto-summary
IPSec + GRE Hub and Spoke: Hub Configuration (full listing)
    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
     mode transport
    crypto dynamic-map vpndyn 10
     set transform-set trans2
     match address 110
    crypto map vpnmap local-address Ethernet4
    crypto map vpnmap 10 ipsec-isakmp dynamic vpndyn
    interface Ethernet0
     ip address 192.168.0.1 255.255.255.0
    interface Ethernet4
     ip address 172.17.63.18 255.255.255.240
     crypto map vpnmap
    interface Tunnel12
     ip address 10.10.2.5 255.255.255.252
     ip mtu 1440
     tunnel source Ethernet4
     tunnel destination 172.16.175.75
     crypto map vpnmap
    interface Tunnel13
     ip address 10.10.2.9 255.255.255.252
     ip mtu 1440
     tunnel source Ethernet4
     tunnel destination 172.16.176.76
     crypto map vpnmap
    router eigrp 1
     network 10.10.2.0 0.0.0.255
     network 192.168.0.0
     no auto-summary
    ip route 0.0.0.0 0.0.0.0 172.17.63.17
    access-list 110 permit gre host 172.17.63.18 host 172.16.175.75
    access-list 110 permit gre host 172.17.63.18 host 172.16.176.76

IPSec + GRE Hub and Spoke: Spoke1 Configuration
Transport mode; static crypto map; ACL entry permits GRE from the spoke to the hub.
    crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
     mode transport
    crypto map vpnmap2 local-address Ethernet1
    crypto map vpnmap2 10 ipsec-isakmp
     set peer 172.17.63.18
     set transform-set trans2
     match address 120
    access-list 120 permit gre host 172.16.175.75 host 172.17.63.18
IPSec + GRE Hub and Spoke: Spoke1 Configuration (Cont.)
GRE tunnel interface; IP MTU set on the tunnel; EIGRP for dynamic routing.
    interface Tunnel0
     ip address 10.10.2.6 255.255.255.252
     ip mtu 1440
     tunnel source Ethernet1
     tunnel destination 172.17.63.18
     crypto map vpnmap2
    interface Ethernet0
     ip address 192.168.1.1 255.255.255.0
    interface Ethernet1
     ip address 172.16.175.75 255.255.255.0
     crypto map vpnmap2
    router eigrp 1
     network 10.10.2.0 0.0.0.255
     network 192.168.1.0
     no auto-summary

IPSec + GRE Hub and Spoke: Spoke Configuration (full listing)
    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
     mode transport
    crypto map vpnmap2 local-address Ethernet1
    crypto map vpnmap2 10 ipsec-isakmp
     set peer 172.17.63.18
     set transform-set trans2
     match address 110
    interface Ethernet0
     ip address 192.168.1.1 255.255.255.0
    interface Ethernet1
     ip address 172.16.175.75 255.255.255.0
     crypto map vpnmap2
    interface Tunnel0
     ip address 10.10.2.6 255.255.255.252
     ip mtu 1440
     tunnel source Ethernet1
     tunnel destination 172.17.63.18
     crypto map vpnmap2
    router eigrp 1
     network 10.10.2.0 0.0.0.255
     network 192.168.1.0
     no auto-summary
    ip route 0.0.0.0 0.0.0.0 172.16.175.1
    access-list 110 permit gre host 172.16.175.75 host 172.17.63.18
IPSec + GRE Hub and Spoke: Spoke2 Configuration
Transport mode; static crypto map; ACL entry permits GRE from the spoke to the hub.
    crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
     mode transport
    crypto map vpnmap2 local-address Ethernet1
    crypto map vpnmap2 10 ipsec-isakmp
     set peer 172.17.63.18
     set transform-set trans2
     match address 120
    access-list 120 permit gre host 172.16.176.76 host 172.17.63.18

IPSec + GRE Hub and Spoke: Spoke2 Configuration (Cont.)
GRE tunnel interface; IP MTU set on the tunnel; EIGRP for dynamic routing.
    interface Tunnel0
     ip address 10.10.2.10 255.255.255.252
     ip mtu 1440
     tunnel source Ethernet1
     tunnel destination 172.17.63.18
     crypto map vpnmap2
    interface Ethernet0
     ip address 192.168.2.1 255.255.255.0
    interface Ethernet1
     ip address 172.16.176.76 255.255.255.0
     crypto map vpnmap2
    router eigrp 1
     network 10.10.2.0 0.0.0.255
     network 192.168.2.0
     no auto-summary
IPSec + GRE Hub and Spoke: Spoke2 Configuration (full listing)
    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
     mode transport
    crypto map vpnmap2 local-address Ethernet1
    crypto map vpnmap2 10 ipsec-isakmp
     set peer 172.17.63.18
     set transform-set trans2
     match address 110
    interface Ethernet0
     ip address 192.168.2.1 255.255.255.0
    interface Ethernet1
     ip address 172.16.176.76 255.255.255.0
     crypto map vpnmap2
    interface Tunnel0
     ip address 10.10.2.10 255.255.255.252
     ip mtu 1440
     tunnel source Ethernet1
     tunnel destination 172.17.63.18
     crypto map vpnmap2
    router eigrp 1
     network 10.10.2.0 0.0.0.255
     network 192.168.2.0
     no auto-summary
    ip route 0.0.0.0 0.0.0.0 172.16.176.1
    access-list 110 permit gre host 172.16.176.76 host 172.17.63.18

IPSec + GRE Routing Tables
Hub:
    C    172.17.63.16/28 is directly connected, Ethernet4
    C    10.10.2.4/30 is directly connected, Tunnel12
    C    10.10.2.8/30 is directly connected, Tunnel13
    C    192.168.0.0/24 is directly connected, Ethernet0
    D    192.168.1.0/24 [90/2841600] via 10.10.2.6, 00:12:30, Tunnel11
    D    192.168.2.0/24 [90/2841600] via 10.10.2.10, 00:12:28, Tunnel12
    S*   0.0.0.0/0 [1/0] via 172.17.63.17
Spoke1:
    C    172.16.175.0/24 is directly connected, Ethernet1
    C    10.10.2.4/30 is directly connected, Tunnel0
    D    10.10.2.8/30 [90/3072000] via 10.10.2.5, 00:18:39, Tunnel0
    D    192.168.0.0/24 [90/2841600] via 10.10.2.5, 00:18:39, Tunnel0
    C    192.168.1.0/24 is directly connected, Ethernet0
    D    192.168.2.0/24 [90/3097600] via 10.10.2.5, 00:18:40, Tunnel0
    S*   0.0.0.0/0 [1/0] via 172.16.175.1
Spoke2:
    C    172.16.176.0/24 is directly connected, Ethernet1
    D    10.10.2.4/30 [90/3072000] via 10.10.2.9, 00:21:53, Tunnel0
    C    10.10.2.8/30 is directly connected, Tunnel0
    D    192.168.0.0/24 [90/2841600] via 10.10.2.9, 00:21:53, Tunnel0
    D    192.168.1.0/24 [90/3097600] via 10.10.2.9, 00:21:54, Tunnel0
    C    192.168.2.0/24 is directly connected, Ethernet0
    S*   0.0.0.0/0 [1/0] via 172.16.176.1
GRE over IPSec: Redundant Hubs
[Figure: six spokes across three hubs, each hub carrying 33% of the load. Spoke primary (P) and secondary (S) hubs: S1: P H1, S H2; S2: P H1, S H3; S3: P H2, S H1; S4: P H2, S H3; S5: P H3, S H1; S6: P H3, S H2.]

Redundant Hubs: Base Hub Configuration
Common to all hubs; the ACL definitions are on a later slide; <hub(x)> is the hub's external IP address; EIGRP covers the primary (10.10.1.0) and secondary (10.10.2.0) tunnel networks.
    crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
     mode transport
    crypto dynamic-map vpndyn 10
     set transform-set trans2
     match address 110
    crypto map vpnmap local-address Ethernet4
    crypto map vpnmap 10 ipsec-isakmp dynamic vpndyn
    interface Ethernet0
     ip address 192.168.0.<x> 255.255.255.0
    interface Ethernet4
     ip address <hub(x)> 255.255.255.0
     crypto map vpnmap
    router eigrp 1
     network 10.10.1.0 0.0.0.255
     network 10.10.2.0 0.0.0.255
     network 192.168.0.0
Redundant Hubs: Hub1 Configuration: Tunnels
Tunnel11 and Tunnel12 are primary GRE tunnels, Tunnel13 and Tunnel15 secondary GRE tunnels; the bandwidth value controls routing preference.
    interface Tunnel11
     ip address 10.10.1.5 255.255.255.252
     bandwidth 1000
     tunnel source <hub1>
     tunnel destination <spoke1>
     crypto map vpnmap
    interface Tunnel12
     ip address 10.10.1.9 255.255.255.252
     bandwidth 1000
     tunnel source <hub1>
     tunnel destination <spoke2>
     crypto map vpnmap
    interface Tunnel13
     ip address 10.10.2.13 255.255.255.252
     bandwidth 500
     tunnel source <hub1>
     tunnel destination <spoke3>
     crypto map vpnmap
    interface Tunnel15
     ip address 10.10.2.21 255.255.255.252
     bandwidth 500
     tunnel source <hub1>
     tunnel destination <spoke5>
     crypto map vpnmap

Redundant Hubs: Hub2 Configuration: Tunnels
Tunnel11 and Tunnel16 are secondary GRE tunnels, Tunnel13 and Tunnel14 primary GRE tunnels.
    interface Tunnel11
     ip address 10.10.2.5 255.255.255.252
     bandwidth 500
     tunnel source <hub2>
     tunnel destination <spoke1>
     crypto map vpnmap
    interface Tunnel13
     ip address 10.10.1.13 255.255.255.252
     bandwidth 1000
     tunnel source <hub2>
     tunnel destination <spoke3>
     crypto map vpnmap
    interface Tunnel14
     ip address 10.10.1.17 255.255.255.252
     bandwidth 1000
     tunnel source <hub2>
     tunnel destination <spoke4>
     crypto map vpnmap
    interface Tunnel16
     ip address 10.10.2.25 255.255.255.252
     bandwidth 500
     tunnel source <hub2>
     tunnel destination <spoke6>
     crypto map vpnmap
Redundant Hubs: Hub3 Configuration: Tunnels
Tunnel12 and Tunnel14 are secondary GRE tunnels, Tunnel15 and Tunnel16 primary GRE tunnels.
    interface Tunnel12
     ip address 10.10.2.9 255.255.255.252
     bandwidth 500
     tunnel source <hub3>
     tunnel destination <spoke2>
     crypto map vpnmap
    interface Tunnel14
     ip address 10.10.2.17 255.255.255.252
     bandwidth 500
     tunnel source <hub3>
     tunnel destination <spoke4>
     crypto map vpnmap
    interface Tunnel15
     ip address 10.10.1.21 255.255.255.252
     bandwidth 1000
     tunnel source <hub3>
     tunnel destination <spoke5>
     crypto map vpnmap
    interface Tunnel16
     ip address 10.10.1.25 255.255.255.252
     bandwidth 1000
     tunnel source <hub3>
     tunnel destination <spoke6>
     crypto map vpnmap

Redundant Hubs: Hub Configuration: ACLs
Hub1:
    access-list 110 permit gre host <hub1> host <spoke1>
    access-list 110 permit gre host <hub1> host <spoke2>
    access-list 110 permit gre host <hub1> host <spoke3>
    access-list 110 permit gre host <hub1> host <spoke5>
Hub2:
    access-list 110 permit gre host <hub2> host <spoke3>
    access-list 110 permit gre host <hub2> host <spoke4>
    access-list 110 permit gre host <hub2> host <spoke1>
    access-list 110 permit gre host <hub2> host <spoke6>
Hub3:
    access-list 110 permit gre host <hub3> host <spoke5>
    access-list 110 permit gre host <hub3> host <spoke6>
    access-list 110 permit gre host <hub3> host <spoke2>
    access-list 110 permit gre host <hub3> host <spoke4>
Redundant Hubs: Spoke1 Configuration
Primary crypto map entry (10) and secondary crypto map entry (20); the IPSec and GRE peers match.
    crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
     mode transport
    crypto map vpnmap2 local-address Ethernet1
    crypto map vpnmap2 10 ipsec-isakmp
     set peer <hub1>
     set transform-set trans2
     match address 121
    crypto map vpnmap2 20 ipsec-isakmp
     set peer <hub2>
     set transform-set trans2
     match address 122
    access-list 121 permit gre host <spoke1> host <hub1>
    access-list 122 permit gre host <spoke1> host <hub2>
    router eigrp 1
     network 10.10.1.0 0.0.0.255
     network 10.10.2.0 0.0.0.255
     network 192.168.1.0
     no auto-summary

Redundant Hubs: Spoke1 Configuration (Cont.)
Tunnel0 is the primary GRE tunnel, Tunnel1 the secondary GRE tunnel.
    interface Tunnel0
     ip address 10.10.1.6 255.255.255.252
     bandwidth 1000
     tunnel source <spoke1>
     tunnel destination <hub1>
     crypto map vpnmap2
    interface Tunnel1
     ip address 10.10.2.6 255.255.255.252
     bandwidth 500
     tunnel source <spoke1>
     tunnel destination <hub2>
     crypto map vpnmap2
    interface Ethernet0
     ip address 192.168.1.1 255.255.255.0
    interface Ethernet1
     ip address <spoke1> 255.255.255.0
     crypto map vpnmap2
Redundant Hubs: Spoke2 Configuration
Primary crypto map entry (10) and secondary crypto map entry (20); the IPSec and GRE peers match.
    crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
     mode transport
    crypto map vpnmap2 local-address Ethernet1
    crypto map vpnmap2 10 ipsec-isakmp
     set peer <hub1>
     set transform-set trans2
     match address 121
    crypto map vpnmap2 20 ipsec-isakmp
     set peer <hub3>
     set transform-set trans2
     match address 122
    access-list 121 permit gre host <spoke2> host <hub1>
    access-list 122 permit gre host <spoke2> host <hub3>
    router eigrp 1
     network 10.10.1.0 0.0.0.255
     network 10.10.2.0 0.0.0.255
     network 192.168.2.0
     no auto-summary

Redundant Hubs: Spoke2 Configuration (Cont.)
Tunnel0 is the primary GRE tunnel, Tunnel1 the secondary GRE tunnel.
    interface Tunnel0
     ip address 10.10.1.10 255.255.255.252
     bandwidth 1000
     tunnel source <spoke2>
     tunnel destination <hub1>
     crypto map vpnmap2
    interface Tunnel1
     ip address 10.10.2.10 255.255.255.252
     bandwidth 500
     tunnel source <spoke2>
     tunnel destination <hub3>
     crypto map vpnmap2
    interface Ethernet0
     ip address 192.168.2.1 255.255.255.0
    interface Ethernet1
     ip address <spoke2> 255.255.255.0
     crypto map vpnmap2
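The per-hub and per-spoke tunnel and ACL listings in this appendix follow one addressing pattern, so they can be generated from the spoke assignment table; the generator below is an added example, not Cisco's tooling or the deck's own material. It assumes the pattern visible on the slides (primary tunnels in 10.10.1.0/24, secondary in 10.10.2.0/24, one /30 per spoke, hub interfaces Tunnel1n, spoke interfaces Tunnel0/Tunnel1, bandwidth 1000/500) and keeps the slides' <hubN>/<spokeN> placeholders for public addresses.

```python
"""Generate the redundant-hub tunnel and ACL configuration from the appendix
slides' spoke -> (primary, secondary) table (added example, not Cisco's tooling).

Pattern taken from the slides: primary tunnels in 10.10.1.0/24, secondary tunnels
in 10.10.2.0/24, one /30 per spoke n (hub .4n+1, spoke .4n+2), hub interface
Tunnel1n, spoke interfaces Tunnel0/Tunnel1, bandwidth 1000 primary / 500 secondary.
Public addresses stay as the slides' <hubN>/<spokeN> placeholders.
"""
# Spoke -> (primary hub, secondary hub), as on the 'Redundant Hubs' slides.
ASSIGNMENT = {
    "S1": ("H1", "H2"), "S2": ("H1", "H3"),
    "S3": ("H2", "H1"), "S4": ("H2", "H3"),
    "S5": ("H3", "H1"), "S6": ("H3", "H2"),
}
ROLE_NET = {"primary": "10.10.1", "secondary": "10.10.2"}
ROLE_BW = {"primary": 1000, "secondary": 500}


def index(name):
    """'H2' -> 2, 'S5' -> 5."""
    return int(name[1:])


def placeholder(name):
    """Public-IP placeholder as on the slides: 'H1' -> '<hub1>', 'S3' -> '<spoke3>'."""
    return f"<hub{index(name)}>" if name.startswith("H") else f"<spoke{index(name)}>"


def tunnel_addrs(spoke, role):
    """(hub address, spoke address) of the /30 this spoke's tunnel uses for the role."""
    n = index(spoke)
    return f"{ROLE_NET[role]}.{4 * n + 1}", f"{ROLE_NET[role]}.{4 * n + 2}"


def tunnel_interface(name, address, source, destination, role, crypto_map):
    return [f"interface {name}", f" ip address {address} 255.255.255.252",
            f" bandwidth {ROLE_BW[role]}", f" tunnel source {source}",
            f" tunnel destination {destination}", f" crypto map {crypto_map}"]


def hub_roles(hub, assignment=ASSIGNMENT):
    """[(spoke, role)] for every spoke this hub serves, in spoke order."""
    roles = []
    for spoke in sorted(assignment, key=index):
        primary, secondary = assignment[spoke]
        if hub == primary:
            roles.append((spoke, "primary"))
        elif hub == secondary:
            roles.append((spoke, "secondary"))
    return roles


def hub_config(hub, assignment=ASSIGNMENT):
    """Tunnel interfaces in interface order, then ACL 110 (primaries first)."""
    lines = []
    for spoke, role in hub_roles(hub, assignment):
        hub_addr, _ = tunnel_addrs(spoke, role)
        lines += tunnel_interface(f"Tunnel1{index(spoke)}", hub_addr, placeholder(hub),
                                  placeholder(spoke), role, "vpnmap")
    for want in ("primary", "secondary"):
        lines += [f"access-list 110 permit gre host {placeholder(hub)} host {placeholder(s)}"
                  for s, role in hub_roles(hub, assignment) if role == want]
    return lines


def spoke_config(spoke, assignment=ASSIGNMENT):
    """Two-entry static crypto map, matching ACLs, and the primary/secondary tunnels."""
    primary, secondary = assignment[spoke]
    lines = ["crypto map vpnmap2 local-address Ethernet1"]
    for seq, acl, hub in ((10, 121, primary), (20, 122, secondary)):
        lines += [f"crypto map vpnmap2 {seq} ipsec-isakmp", f" set peer {placeholder(hub)}",
                  " set transform-set trans2", f" match address {acl}"]
    for acl, hub in ((121, primary), (122, secondary)):
        lines.append(f"access-list {acl} permit gre host {placeholder(spoke)} host {placeholder(hub)}")
    for iface, role, hub in (("Tunnel0", "primary", primary), ("Tunnel1", "secondary", secondary)):
        _, spoke_addr = tunnel_addrs(spoke, role)
        lines += tunnel_interface(iface, spoke_addr, placeholder(spoke), placeholder(hub), role, "vpnmap2")
    return lines


if __name__ == "__main__":
    for hub in ("H1", "H2", "H3"):
        print("\n".join(hub_config(hub)), "\n")
    print("\n".join(spoke_config("S1")))
```

Because both ends of every tunnel come from tunnel_addrs(), the hub and spoke sides of each /30 and the IPSec/GRE peer pairs cannot drift apart the way hand-edited listings can.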