GRE over IPSec Tunnel Between Cisco and VyOS
The previous tutorial showed GRE tunnel configuration between a Cisco router and Linux Core. The big advantage of GRE is that it encapsulates L3 and L2 protocols inside the tunnel, so routing updates and other multicast traffic can be carried over it. The principal drawback of GRE is its lack of built-in security: data are transferred in plain text over the tunnel (no confidentiality), peers are not authenticated (the optional GRE key field is only a demultiplexing identifier, not an authentication mechanism), and tunneled traffic can be altered by an attacker (no integrity checking of IP packets). For this reason GRE is very often used in conjunction with IPSec. Typically the GRE tunnel is encapsulated inside an IPSec tunnel, and this model is called GRE over IPSec.
The tutorial shows the configuration of the OSPF routing protocol, a GRE tunnel and an IPSec tunnel on a Cisco 7206 VXR router and an appliance running the VyOS network OS. The devices run inside a GNS3 lab and are emulated by Dynamips (Cisco) and Qemu (VyOS).
Picture 1 - Topology
Note: VyOS installation is described here. You can easily build your own VyOS Qemu appliance using the Expect and Bash script shared in that article.
1. R3 Configuration
R3(config)# interface gigabitEthernet 1/0
R3(config-if)# ip address 1.1.1.1 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# interface gigabitEthernet 0/0
R3(config-if)# ip address 2.2.2.2 255.255.255.0
R3(config-if)# no shutdown
2. R1 Configuration
2.1 Interfaces and Static Route Configuration
R1(config)# interface gigabitEthernet 0/0
R1(config-if)# ip address 1.1.1.10 255.255.255.0
R1(config-if)# no shutdown
R1(config)# interface gigabitEthernet 1/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown
A static route pointing to the subnet 2.2.2.0/24 via router R3 is needed in the routing table of router R1, so we create it.
R1(config)# ip route 2.2.2.0 255.255.255.0 1.1.1.1
2.2 IPSec Tunnel Configuration
Internet Security Association and Key Management Protocol (ISAKMP) is the framework, and IKE (IKEv1 in this tutorial, which is what the crypto isakmp commands configure) the negotiation protocol, that lets two peers agree on how to build an IPsec security association. The negotiation is split into two phases - Phase 1 and Phase 2.
Phase 1 creates the first (ISAKMP) SA, which protects the later ISAKMP negotiation messages. Phase 2 creates the SAs that protect the data (IPSec).
ISAKMP Configuration - ISAKMP Phase 1
First we create an ISAKMP policy and select the encryption algorithm, the hash algorithm, the type of authentication, the Diffie-Hellman group and the lifetime. MD5 is used here only because the VyOS side of the lab uses it too; it is deprecated for IKE, so in production choose sha256 on both peers (and keep a DH group of at least 14, as here).
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 14
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)# exit
Note: You can check these parameters in the Transform payload located in the first and the sixth packet of the attached pcap file.
Then we configure the pre-shared key and the peer address. The key must be identical on both peers; test123 is a lab value, in production use a long random secret.
R1(config)# crypto isakmp key test123 address 2.2.2.10
IPSec Configuration - ISAKMP Phase 2
In phase two we create an IPSec transform set and configure the encryption and hash algorithms (esp-aes without a key size means AES-128, matching aes128 in the VyOS ESP group below). This is also the place where we define the IPSec mode - either tunnel (default) or transport. In tunnel mode a completely new IP delivery header is inserted in front of each IPSec packet, while in transport mode the original IP header stays untouched (except for the changed protocol type - 50 for ESP). For GRE over IPSec transport mode would suffice, because the IPSec peers are also the GRE endpoints, and it saves the 20-byte outer header; tunnel mode is kept here and the MTU calculation below assumes it.
R1(config)# crypto ipsec transform-set MyTS esp-aes esp-md5-hmac
R1(cfg-crypto-trans)# mode tunnel
Continue with creating a new IPSec profile named Protect-GRE. Assign the transform set MyTS to the profile and configure the lifetime.
R1(config)# crypto ipsec profile Protect-GRE
R1(ipsec-profile)# set security-association lifetime seconds 86400
R1(ipsec-profile)# set transform-set MyTS
And finally assign the IPSec profile to the interface Tunnel0 (the tunnel itself is configured in the next section).
R1(config)# interface Tunnel 0
R1(config-if)# tunnel protection ipsec profile Protect-GRE
2.3 GRE Tunnel Configuration
R1(config)# interface tunnel 0
R1(config-if)# description Tunnel to R2
R1(config-if)# ip address 172.16.0.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# ip ospf network broadcast
R1(config-if)# tunnel source 1.1.1.10
R1(config-if)# tunnel destination 2.2.2.10
It is recommended to use the Cisco online IPSec overhead calculator to calculate the Maximum Transmission Unit (MTU) for the IP packet.
Picture 2 - IPSec and GRE Tunnel Overhead Calculation
The total calculated IPsec packet size is 1592 bytes, i.e. the IPSec and GRE overhead adds 92 bytes to the original 1500 B MTU: 24 B for the GRE delivery IP header plus GRE header, 20 B for the outer IP header, 8 B ESP header, 16 B AES-CBC IV, 10 B of padding plus 2 B of ESP trailer, and a 12 B HMAC-MD5-96 ICV. To avoid fragmentation by devices on the path we decrease the tunnel MTU from 1500 to 1400 bytes; 1400 is a round value that leaves some margin below the largest size that still fits.
Picture 3 - Full Overhead of IPSec and GRE Tunnel
The Maximum Segment Size (MSS) for TCP segments is 40 bytes (IP 20 B + TCP 20 B) lower than the MTU when neither header carries options. For this reason we set the MSS to 1360 bytes; ip tcp adjust-mss rewrites the MSS option in TCP SYN segments passing through the tunnel interface.
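The arithmetic behind these figures, as an added example that is not part of the original article: the header sizes are the standard IPv4, GRE, ESP, AES-CBC and HMAC-MD5-96 values, and the functions (gre_len, esp_len, gre_over_ipsec_len, max_tunnel_mtu, tcp_mss) are mine, written to reproduce the calculator's 1592-byte result and to show what changes with transport mode or a longer ICV.

```python
# Added example (not from the original article): reproduces the overhead
# figures quoted in the text for GRE over IPsec with ESP, AES-CBC and
# HMAC-MD5-96 in tunnel mode, and finds the largest tunnel MTU that still
# fits in a 1500-byte link.  Header sizes are the standard IPv4/GRE/ESP ones.
IP_HDR = 20       # IPv4 header without options
GRE_HDR = 4       # base GRE header (no key, sequence or checksum fields)
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header
TCP_HDR = 20      # TCP header without options


def gre_len(pkt_len):
    """Size of an IP packet after GRE encapsulation (delivery IP + GRE header)."""
    return pkt_len + IP_HDR + GRE_HDR


def esp_len(pkt_len, block=16, iv=16, icv=12, tunnel=True):
    """Size on the wire after ESP encapsulates an IP packet of pkt_len bytes.

    block: cipher block size (16 for AES-CBC), iv: IV length (16 for AES-CBC),
    icv: truncated MAC length (12 for HMAC-MD5-96 and HMAC-SHA1-96, 16 for
    HMAC-SHA-256-128).  Tunnel mode encrypts the whole inner packet and adds a
    new outer IP header; transport mode reuses the original IP header as the
    outer header and encrypts only the IP payload.
    """
    body = pkt_len if tunnel else pkt_len - IP_HDR
    # ESP pads so that body + pad + trailer is a whole number of cipher blocks
    pad = (-(body + ESP_TRAILER)) % block
    return IP_HDR + ESP_HDR + iv + body + pad + ESP_TRAILER + icv


def gre_over_ipsec_len(pkt_len, **esp_opts):
    """Wire size of a pkt_len-byte packet sent through GRE protected by ESP."""
    return esp_len(gre_len(pkt_len), **esp_opts)


def max_tunnel_mtu(link_mtu=1500, **esp_opts):
    """Largest tunnel MTU whose encapsulated packets never exceed link_mtu."""
    mtu = link_mtu
    while gre_over_ipsec_len(mtu, **esp_opts) > link_mtu:
        mtu -= 1
    return mtu


def tcp_mss(mtu):
    """MSS to advertise so that a full segment fits the tunnel MTU."""
    return mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    print("1500-byte packet on the wire:", gre_over_ipsec_len(1500))   # 1592
    print("largest safe tunnel MTU:", max_tunnel_mtu())               # 1414
    print("1400-byte packet on the wire:", gre_over_ipsec_len(1400))  # 1496
    print("MSS for MTU 1400:", tcp_mss(1400))                         # 1360
    print("same in transport mode:", gre_over_ipsec_len(1500, tunnel=False))  # 1576
    print("with HMAC-SHA-256-128:", gre_over_ipsec_len(1500, icv=16))  # 1596
```

With these algorithms the largest tunnel MTU that never causes outer-packet fragmentation is 1414 bytes, so the article's 1400 is safe with a small margin; the padding term is why the overhead is not a constant and why a calculator (or this function) should be rerun after changing the cipher, the integrity algorithm or the IPSec mode.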
2.4 OSPF Configuration
R1(config)# router ospf 10
R1(config-router)# network 172.16.0.0 0.0.0.255 area 0
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
R1(config-router)# passive-interface gigabitEthernet 1/0
3. VyOS Configuration
3.1 Interfaces and Static Route Configuration
vyos@vyos:~$ configure
vyos@vyos# set interfaces ethernet eth0 address 2.2.2.10/24
vyos@vyos# set interfaces ethernet eth1 address 192.168.2.1/24
Again we have to configure a static route pointing to the subnet 1.1.1.0/24 via R3.
vyos@vyos# set protocols static route 1.1.1.0/24 next-hop 2.2.2.2
3.2 IPSec Tunnel Configuration
Enable IPSec on interface eth0.
vyos@vyos# set vpn ipsec ipsec-interfaces interface eth0
Configure an IKE Group - Phase 1
Set the encryption, the hash algorithm, DH group and lifetime for phase 1. These must match the Cisco ISAKMP policy (AES-256, MD5, group 14, 86400 s), otherwise Phase 1 does not complete.
vyos@vyos# set vpn ipsec ike-group cisco proposal 1
vyos@vyos# set vpn ipsec ike-group cisco proposal 1 encryption aes256
vyos@vyos# set vpn ipsec ike-group cisco proposal 1 hash md5
vyos@vyos# set vpn ipsec ike-group cisco proposal 1 dh-group 14
vyos@vyos# set vpn ipsec ike-group cisco lifetime 86400
Configure an ESP Group - Phase 2
Set the encryption, the hash algorithm and lifetime for phase 2; they must match the Cisco transform set (AES-128, HMAC-MD5, tunnel mode). Note that pfs enable below makes VyOS require a Phase 2 Diffie-Hellman exchange using the IKE group's DH group, while the Cisco profile above has no set pfs; if Phase 2 does not come up, make the two sides consistent (add set pfs group14 to the Cisco profile or disable pfs here).
vyos@vyos# set vpn ipsec esp-group cisco proposal 1
vyos@vyos# set vpn ipsec esp-group cisco proposal 1 encryption aes128
vyos@vyos# set vpn ipsec esp-group cisco proposal 1 hash md5
vyos@vyos# set vpn ipsec esp-group cisco pfs enable
vyos@vyos# set vpn ipsec esp-group cisco lifetime 86400
vyos@vyos# set vpn ipsec esp-group cisco mode tunnel
Configure the tunnel peer and the pre-shared key (the same key as on R1).
vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 authentication pre-shared-secret test123
Configure the ike-group used for the tunnel.
vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 ike-group cisco
Configure the esp-group used for the tunnel.
vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 tunnel 0 esp-group cisco
Configure the local address used for the connection.
vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 local-address 2.2.2.10
Configure the protocol encapsulated inside IPSec, so that only GRE traffic between the peers is protected.
vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 tunnel 0 protocol gre
3.3 GRE Tunnel Configuration
Create a new route policy that rewrites the TCP MSS to 1360 bytes in SYN segments (the VyOS counterpart of ip tcp adjust-mss on R1).
vyos@vyos# set policy route change-mss rule 1 set tcp-mss 1360
vyos@vyos# set policy route change-mss rule 1 protocol tcp
vyos@vyos# set policy route change-mss rule 1 tcp flags SYN
Configure GRE tunnel.
vyos@vyos# set interfaces tunnel tun0 encapsulation gre
vyos@vyos# set interfaces tunnel tun0 address 172.16.0.2/24
vyos@vyos# set interfaces tunnel tun0 description "Tunnel to R1"
vyos@vyos# set interfaces tunnel tun0 mtu 1400
vyos@vyos# set interfaces tunnel tun0 policy route change-mss
vyos@vyos# set interfaces tunnel tun0 local-ip 2.2.2.10
vyos@vyos# set interfaces tunnel tun0 remote-ip 1.1.1.10
vyos@vyos# set interfaces tunnel tun0 multicast enable
3.4 OSPF Configuration
vyos@vyos# set interfaces tunnel tun0 ip ospf network broadcast
vyos@vyos# set protocols ospf area 0.0.0.0 network 172.16.0.0/24
vyos@vyos# set protocols ospf area 0.0.0.0 network 192.168.2.0/24
vyos@vyos# commit
vyos@vyos# save
4. Verification
4.1 Verification on VyOS
Below are various show commands that help you verify the status of the tunnels on VyOS.
List all currently active IKE Security Associations (SA) - Phase 1.
Picture 4 - Active IKE Security Associations
List all active IPsec Security Associations (SA) - Phase 2.
Picture 5 - Active IPSec Security Associations
Check the status of the GRE tunnel interface.
Picture 6 - Status of GRE Tunnel Interface tun0
4.2 Verification on Cisco
Below are various show commands that help you verify the status of the tunnels on the Cisco device.
List all currently active IKE Security Associations (SA) - Phase 1.
Picture 7 - Active IKE Security Associations
List all active IPsec Security Associations (SA) - Phase 2.
Picture 8 - Active IPSec Security Associations
Check the status of the GRE tunnel interface.
Picture 9 - Status of GRE Interface Tunnel0
Tunnel line state evaluation.
Picture 10 - Tunnel Line State Evaluation
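The operational commands behind the pictures in sections 4.1 and 4.2, added here as an example and not reproduced from the article's screenshots: they are standard IOS and VyOS 1.1 operational-mode commands, and the comments state what a healthy tunnel shows for this lab's addresses.

```text
! Cisco R1 (privileged EXEC)
R1# show crypto isakmp sa                  ! Phase 1: an entry for peer 2.2.2.10 in state QM_IDLE
R1# show crypto ipsec sa                   ! Phase 2: #pkts encaps / #pkts decaps grow as traffic flows
R1# show crypto session                    ! Session status: UP-ACTIVE
R1# show interfaces Tunnel0                ! Tunnel0 is up, line protocol is up
R1# show ip ospf neighbor                  ! 172.16.0.2 in state FULL
R1# ping 192.168.2.1 source 192.168.1.1    ! end-to-end test through the tunnel

# VyOS (operational mode)
vyos@vyos:~$ show vpn ike sa               # Phase 1 SA with peer 1.1.1.10, state up
vyos@vyos:~$ show vpn ipsec sa             # Phase 2 SA for tunnel 0, bytes in/out increasing
vyos@vyos:~$ show interfaces tunnel tun0   # tun0 up, mtu 1400
vyos@vyos:~$ show ip ospf neighbor         # 172.16.0.1 in state Full
```

The two SA listings also print the negotiated encryption, hash and DH group, which is the quickest way to confirm that what actually got negotiated is what both configurations intended.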
End.
Source: https://brezular.com/2015/10/06/gre-over-ipsec-tunnel-between-cisco-and-vyos/