ipsec over gre tunnel cisco-cisco

Post on 03-Apr-2018

250 views

Category:

Documents


2 download

TRANSCRIPT

    7/28/2019 IPSEC Over GRE Tunnel Cisco-Cisco

    IPSEC over GRE Tunnel

    Version 6. Created on 21-Jul-2008 11:22 by Shafagh Zandi. Last modified 14-Mar-2011 1:03 by Shafagh Zandi.

    We can encrypt our GRE tunnels using IPsec, and it is also possible to run GRE over IPsec, in other words to carry the GRE header inside the IPsec transport headers (transport mode instead of tunnel mode).

    What this text covers is IPsec over GRE tunnels (as a transport, not tunneled). Don't let the name fool you!

    In this example there is no need to define a crypto map, because IPsec is bound to the tunnel interface with the "tunnel protection" command.

    The same concept is used in DMVPN implementations; however, Dynamic Multipoint Virtual Private Networks use multipoint GRE.

    R1 and R2 are connected over the internet, and there is a firewall in front of R2 protecting the R2 network from internet threats.

    Template Configuration on Routers:


    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key CISCO address 217.218.1.1
    !
    crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
     mode transport
    crypto ipsec profile MyProfile
     set transform-set MyTransSet
    !
    interface Tunnel0
     ip address 10.254.25.4 255.255.255.254
     tunnel source 81.12.50.1
     tunnel destination 217.218.1.1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile MyProfile

    After the configuration is applied on both routers, the firewall will see UDP port 500 (ISAKMP) packets followed (if accepted) by numerous ESP (protocol number 50) packets over the link.

    The first activity is related to ISAKMP (over UDP 500):

    %PIX-2-106006: Deny inbound UDP from 81.12.50.1/500 to 217.218.1.1/500 on interface outside.

    The second one is related to ESP packets:


    %PIX-3-106010: Deny inbound protocol 50 src outside:81.12.50.1 dst inside:217.218.1.1 on interface outside

    So we need to permit this traffic into the inside network so that the GRE tunnel can be established:

    access-list outin permit udp host 81.12.50.1 eq 500 host 217.218.1.1 eq 500
    access-list outin permit esp host 81.12.50.1 host 217.218.1.1
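As an added example (not part of the original document), the following Python reads PIX deny messages of the two kinds shown above and derives the permit entries, but only for the peer pair the administrator expects, so a stray IKE attempt from an unknown host is reported rather than opened; the log lines and the 198.51.100.7 address are constructed.

```python
import re

# Constructed sample log lines, modelled on the two PIX deny messages in the text.
SAMPLE_LOGS = """\
%PIX-2-106006: Deny inbound UDP from 81.12.50.1/500 to 217.218.1.1/500 on interface outside.
%PIX-3-106010: Deny inbound protocol 50 src outside:81.12.50.1 dst inside:217.218.1.1 on interface outside
%PIX-2-106006: Deny inbound UDP from 198.51.100.7/500 to 217.218.1.1/500 on interface outside.
%PIX-3-106010: Deny inbound protocol 50 src outside:81.12.50.1 dst inside:217.218.1.1 on interface outside
"""

UDP_DENY = re.compile(r"%PIX-2-106006: Deny inbound UDP from (\S+)/(\d+) to (\S+)/(\d+)")
PROTO_DENY = re.compile(r"%PIX-3-106010: Deny inbound protocol (\d+) src \w+:(\S+) dst \w+:(\S+)")

def ipsec_denies(log_text):
    """Return the set of (kind, src, dst) for dropped IKE (UDP/500) and ESP (protocol 50) flows."""
    found = set()
    for line in log_text.splitlines():
        m = UDP_DENY.search(line)
        if m and m.group(2) == "500" and m.group(4) == "500":
            found.add(("isakmp", m.group(1), m.group(3)))
            continue
        m = PROTO_DENY.search(line)
        if m and m.group(1) == "50":
            found.add(("esp", m.group(2), m.group(3)))
    return found

def acl_lines(denies, expected_peers, acl_name="outin"):
    """Emit PIX permit lines only for flows between peers in expected_peers (a set of
    (src, dst) pairs); any other dropped flow is returned separately for review."""
    permits, unexpected = [], []
    for kind, src, dst in sorted(denies, key=lambda d: (d[0] != "isakmp", d[1], d[2])):
        if (src, dst) not in expected_peers:
            unexpected.append((kind, src, dst))
        elif kind == "isakmp":
            permits.append(f"access-list {acl_name} extended permit udp host {src} eq isakmp host {dst} eq isakmp")
        else:
            permits.append(f"access-list {acl_name} extended permit esp host {src} host {dst}")
    return permits, unexpected

if __name__ == "__main__":
    lines, extra = acl_lines(ipsec_denies(SAMPLE_LOGS), {("81.12.50.1", "217.218.1.1")})
    print("\n".join(lines))
    print("not permitted, review:", extra)
```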

    Let's ping the other side of the tunnel to make sure everything is all right:

    R1#ping 10.254.25.5

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.254.25.5, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 20/137/312 ms

    Now, let's check the ISAKMP and IPsec security associations with the show crypto commands:

    R1#show crypto isakmp sa
    dst             src             state          conn-id slot status
    81.12.50.1      217.218.1.1     QM_IDLE              1    0 ACTIVE

    R1#show crypto ipsec sa

    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 81.12.50.1

       current_peer 217.218.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
        #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
        #pkts compressed: 0, #pkts decompressed: 0

        local crypto endpt.: 81.12.50.1, remote crypto endpt.: 217.218.1.1

    Configurations:


    R1:

    version 12.4
    !
    hostname R1
    !
    ip cef
    !
    !
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key CISCO address 217.218.1.1
    !
    crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
     mode transport
    !
    crypto ipsec profile MyProfile
     set transform-set MyTransSet
    !
    interface Tunnel0
     ip address 10.254.25.4 255.255.255.254
     tunnel source 81.12.50.1
     tunnel destination 217.218.1.1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile MyProfile
    !
    interface FastEthernet0/0
     ip address 81.12.50.1 255.255.255.0
     duplex auto
     speed auto
    !
    ip route 0.0.0.0 0.0.0.0 81.12.50.2
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    !
    end

    R2:

    version 12.4
    !
    hostname R2
    !
    ip cef
    !
    !
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key CISCO address 81.12.50.1
    !
    !
    crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
     mode transport
    !
    crypto ipsec profile MyProfile
     set transform-set MyTransSet
    !
    interface Tunnel0
     ip address 10.254.25.5 255.255.255.254
     tunnel source 217.218.1.1
     tunnel destination 81.12.50.1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile MyProfile
    !
    interface FastEthernet0/0
     ip address 217.218.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    ip route 0.0.0.0 0.0.0.0 217.218.1.2
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    !
    end
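Added example, not part of the original document: a small Python check that the two ends of the tunnel configuration mirror each other (tunnel source/destination, ISAKMP key peer address, transform set, tunnel mode and tunnel protection), which is where mismatches between R1 and R2 usually hide. The excerpts are constructed from the R1 and R2 configurations above, and the LEGACY set is an assumption about which transforms to flag for review.

```python
import re

# Constructed excerpts of the R1/R2 configuration shown in the text (only the
# lines the check needs). "tunnel mode ipsec ipv4" is a VTI: no GRE header is sent.
R1_CFG = """\
crypto isakmp key CISCO address 217.218.1.1
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
interface Tunnel0
 tunnel source 81.12.50.1
 tunnel destination 217.218.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile
"""
# R2 is the mirror image of R1: swap the two public addresses (constructed).
R2_CFG = R1_CFG.replace("217.218.1.1", "PEER").replace("81.12.50.1", "217.218.1.1").replace("PEER", "81.12.50.1")

FIELDS = {
    "key_addr":   r"^crypto isakmp key \S+ address (\S+)",
    "transform":  r"^crypto ipsec transform-set \S+ (.+)$",
    "src":        r"^\s*tunnel source (\S+)",
    "dst":        r"^\s*tunnel destination (\S+)",
    "mode":       r"^\s*tunnel mode (.+)$",
    "protection": r"^\s*tunnel protection ipsec profile (\S+)",
}
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}  # assumed review list, not a hard reject

def extract(cfg):
    """Pull the tunnel-relevant values out of one router's configuration text."""
    m = {k: re.search(p, cfg, re.MULTILINE) for k, p in FIELDS.items()}
    return {k: v.group(1).strip() if v else None for k, v in m.items()}

def check_pair(a, b):
    """Return human-readable findings for the two ends; [] means they agree and look clean."""
    problems = []
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        problems.append("tunnel source/destination are not mirrored")
    if a["key_addr"] != b["src"] or b["key_addr"] != a["src"]:
        problems.append("isakmp key address does not match the peer's tunnel source")
    if a["transform"] != b["transform"]:
        problems.append("transform-set proposals differ")
    if a["mode"] != b["mode"] or a["protection"] is None or b["protection"] is None:
        problems.append("tunnel mode or tunnel protection differs or is missing")
    legacy = LEGACY & set((a["transform"] or "").split())
    if legacy:
        problems.append("legacy transforms in use: " + ", ".join(sorted(legacy)))
    return problems

if __name__ == "__main__":
    print(check_pair(extract(R1_CFG), extract(R2_CFG)))
```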

    FW1:

    PIX Version 8.0(4)
    !
    hostname pixfirewall
    names
    !
    interface Ethernet0
     nameif outside
     security-level 0
     ip address 81.12.50.2 255.255.255.0
    !
    interface Ethernet1
     nameif inside
     security-level 100
     ip address 217.218.1.2 255.255.255.0
    !
    !
    access-list outin extended permit udp host 81.12.50.1 eq isakmp host 217.218.1.1 eq isakmp
    access-list outin extended permit esp host 81.12.50.1 host 217.218.1.1
    !
    access-group outin in interface outside
    !
    : end