
Posted on 03-Jan-2016


Generic Routing Encapsulation (GRE)

GRE is an OSI Layer 3 tunneling protocol:

– Encapsulates a wide variety of protocol packet types inside IP tunnels
– Creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork
– Uses IP for transport (the outer header carries IP protocol number 47)
– Uses an additional header to support any other OSI Layer 3 protocol as payload (for example, IP, IPX, AppleTalk)

GRE on its own provides neither confidentiality nor integrity: the payload travels in the clear and anyone who can inject packets toward the tunnel destination can spoof tunnel traffic. That is why it is combined with IPsec in the next section.

GRE over IPsec Encapsulation

GRE encapsulates an arbitrary payload; IPsec encapsulates a unicast IP packet, which in this design is the GRE packet itself. IPsec can wrap the GRE packet in either of its two modes:

– Tunnel mode (default): IPsec creates a new tunnel IP packet around the GRE packet
– Transport mode: IPsec reuses the IP header of the GRE packet (20 bytes less overhead than tunnel mode)
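To make the two encapsulation layers concrete, here is an added example (not code from the slide deck or from Cisco) that builds a GRE-over-IPv4 packet, parses it back the way a tunnel endpoint would, and computes the bytes ESP adds in tunnel versus transport mode. Addresses, the inner packet and the ESP field sizes (AES-CBC with HMAC-SHA1-96 assumed) are constructed for illustration.

```python
"""Build and parse a GRE-over-IPv4 packet and compute the extra bytes
IPsec adds in tunnel versus transport mode.

Added example for this transcript; it is not code from the slide deck or
from Cisco. Addresses, the inner packet and the ESP field sizes are
constructed/assumed for illustration.
"""
import socket
import struct

GRE_PROTO = 47  # IP protocol number of the outer header (RFC 2784)

# The GRE protocol-type field uses EtherType values, which is how one tunnel
# header carries the different Layer 3 payloads the slide lists.
ETHERTYPE = {"ipv4": 0x0800, "ipx": 0x8137, "appletalk": 0x809B}


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, payload_kind: str, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IPv4 (protocol 47) + 4-byte GRE header + inner packet.

    The GRE header has no C/K/S flags and version 0, i.e. the minimal
    RFC 2784 form; only the protocol type changes with the payload."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE[payload_kind]) + inner
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre)) + gre


def gre_decapsulate(pkt: bytes) -> dict:
    """What a tunnel endpoint recovers: outer addresses, payload type, inner packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != GRE_PROTO:
        raise ValueError(f"outer IP protocol {pkt[9]} is not GRE")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    flags, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {
        "outer_src": socket.inet_ntoa(pkt[12:16]),
        "outer_dst": socket.inet_ntoa(pkt[16:20]),
        "gre_flags": flags,
        "proto_type": ptype,
        "inner": pkt[ihl + 4:],
    }


def ipsec_overhead(mode: str, iv: int = 16, icv: int = 12) -> int:
    """Bytes ESP adds around the GRE packet (block padding ignored).

    8 bytes SPI+sequence, an IV, a 2-byte pad-length/next-header trailer
    and the ICV; iv/icv default to AES-CBC with HMAC-SHA1-96 (assumed).
    Tunnel mode additionally wraps everything in a fresh 20-byte IP
    header, which is the 20-byte difference the slide refers to."""
    esp = 8 + iv + 2 + icv
    if mode == "transport":
        return esp
    if mode == "tunnel":
        return 20 + esp
    raise ValueError(f"unknown IPsec mode {mode!r}")


if __name__ == "__main__":
    # Constructed inner packet: an IPv4/UDP header with 8 bytes of payload.
    inner = ipv4_header("10.1.1.10", "10.2.2.20", 17, 8) + b"\x00" * 8
    pkt = gre_encapsulate(inner, "ipv4", "198.51.100.1", "203.0.113.2")
    fields = gre_decapsulate(pkt)
    print(f"outer {fields['outer_src']} -> {fields['outer_dst']}, "
          f"GRE proto 0x{fields['proto_type']:04x}, inner {len(fields['inner'])} bytes")
    for mode in ("transport", "tunnel"):
        print(f"{mode:9s} mode: GRE packet {len(pkt)} + ESP {ipsec_overhead(mode)} bytes")
```

The decapsulator deliberately checks the outer protocol and header checksum before trusting the GRE fields; a real endpoint must additionally verify that the packet arrived through the IPsec SA, since a bare GRE packet with the right outer addresses is trivial to forge.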

Module 3 – Lesson 4

Configuring IPsec VPN using SDM

Configuring GRE over IPsec Site-to-Site Tunnel Using SDM


IKE Proposals

You can now use a predefined IKE policy, or click the Add button and enter the required information to create a custom IKE policy. You can also modify the existing policies by selecting an individual policy and clicking the Edit button.

When adding or editing an IKE policy, define the required parameters that appear in the Add IKE Policy window:

– IKE proposal priority
– Encryption algorithm (most commonly 3DES or AES; DES is no longer advised). Note that the Software-optimized Encryption Algorithm (SEAL), which can improve crypto throughput on routers without hardware IPsec accelerators, is an IPsec transform (esp-seal), not an IKE policy cipher; IKE traffic is small, so pick the strongest cipher both peers support here.
– HMAC (SHA-1 or MD5; MD5 should be avoided)
– Authentication method (pre-shared key or digital certificates)
– DH group (1, 2, or 5; groups 1 and 2 use 768- and 1024-bit moduli, well below the 2048 bits expected today, so use the strongest group both peers support)
– IKE lifetime

When you finish adding or editing IKE proposals, click the Next button on the IKE Proposals window to proceed to the next task.

IKE Proposals: Creating a Custom IKE Policy

Define all IKE policy parameters:

– Priority
– Encryption algorithm: DES, 3DES, or AES
– HMAC: SHA-1 or MD5
– Authentication method: preshared secrets or digital certificates
– Diffie-Hellman group: 1, 2, or 5
– IKE lifetime
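The wizard hides the CLI it generates, so the following added example (this editor's code, not the deck's or Cisco's) maps the parameters above onto the crypto isakmp policy sub-commands and flags the choices a reviewer would push back on. The strength thresholds are assumptions of the example; whether an image accepts the sha256 and group 14 keywords depends on the IOS release.

```python
"""Turn the SDM wizard's IKE policy fields into the equivalent Cisco IOS
CLI and flag choices a reviewer would push back on.

Added example for this transcript, not the deck's or Cisco's code. The
strength thresholds are this editor's assumptions; which keywords an
image accepts (sha256, group 14) depends on the IOS release.
"""
from dataclasses import dataclass

# SDM choice -> 'crypto isakmp policy' sub-command argument
ENCRYPTION = {"DES": "des", "3DES": "3des", "AES-128": "aes 128",
              "AES-192": "aes 192", "AES-256": "aes 256"}
HASH = {"MD5": "md5", "SHA-1": "sha", "SHA-256": "sha256"}
AUTH = {"pre-shared": "pre-share", "certificate": "rsa-sig"}
DH_MODULUS_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}


@dataclass
class IkePolicy:
    priority: int            # lower number is tried first
    encryption: str
    hash: str
    authentication: str
    dh_group: int
    lifetime: int = 86400    # seconds, the IOS default


def assess(p: IkePolicy) -> list[str]:
    """Findings for a proposal; an empty list means nothing to object to."""
    findings = []
    if p.encryption == "DES":
        findings.append("encryption DES: 56-bit key, brute-forceable; use AES")
    elif p.encryption == "3DES":
        findings.append("encryption 3DES: 64-bit block, ~112-bit strength; prefer AES")
    elif p.encryption not in ENCRYPTION:
        findings.append(f"encryption {p.encryption}: not an IKE policy cipher "
                        "(SEAL exists only as the esp-seal IPsec transform)")
    if p.hash == "MD5":
        findings.append("hash MD5: deprecated; use SHA-1 at minimum, SHA-256 where supported")
    elif p.hash not in HASH:
        findings.append(f"hash {p.hash}: unknown keyword")
    if p.authentication not in AUTH:
        findings.append(f"authentication {p.authentication}: unknown method")
    bits = DH_MODULUS_BITS.get(p.dh_group, 0)
    if bits < 2048:
        findings.append(f"group {p.dh_group}: {bits or 'unknown'}-bit modulus, "
                        "below 2048 bits; use group 14 or stronger")
    if not 60 <= p.lifetime <= 86400:
        findings.append("lifetime: IOS accepts 60-86400 seconds")
    return findings


def render(p: IkePolicy) -> str:
    """IOS configuration lines equivalent to what the wizard would generate."""
    if (p.encryption not in ENCRYPTION or p.hash not in HASH
            or p.authentication not in AUTH or p.dh_group not in DH_MODULUS_BITS
            or not 60 <= p.lifetime <= 86400):
        raise ValueError("policy uses values IOS would reject: " + "; ".join(assess(p)))
    return "\n".join([
        f"crypto isakmp policy {p.priority}",
        f" encryption {ENCRYPTION[p.encryption]}",
        f" hash {HASH[p.hash]}",
        f" authentication {AUTH[p.authentication]}",
        f" group {p.dh_group}",
        f" lifetime {p.lifetime}",
    ])


if __name__ == "__main__":
    # The deck-era default beside a policy a reviewer would accept today.
    for name, policy in (("legacy", IkePolicy(10, "3DES", "SHA-1", "pre-shared", 2)),
                         ("hardened", IkePolicy(10, "AES-256", "SHA-256", "certificate", 14))):
        print(f"--- {name} ---")
        print(render(policy))
        for finding in assess(policy) or ["no findings"]:
            print("  !", finding)
```

Keep the priority numbers meaningful: IOS evaluates policies from the lowest number up and the peer's first matching proposal wins, so a weak fallback policy at a low priority silently downgrades every tunnel.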

VPN Configuration Page

– Wizards for IPsec solutions
– Individual IPsec components

Configuring the Transform Set


Test Tunnel Configuration and Operation


Test Results


Testing and Monitoring GRE Tunnel Configuration

router# show crypto isakmp sa

To display all current IKE SAs, use the show crypto isakmp sa command in EXEC mode. A QM_IDLE state indicates an active IKE SA (Phase 1 completed); MM_NO_STATE, or no entry at all for the peer, means Phase 1 did not complete.

router# show crypto ipsec sa

To display the settings used by current SAs, use the show crypto ipsec sa command in EXEC mode. Non-zero and increasing encaps/decaps (encrypt/decrypt) counters indicate a working pair of IPsec SAs. Encaps increasing while decaps stays at zero means this router is encrypting but nothing comes back, which points at the return path or the peer's crypto ACL rather than at IKE.

router# show interfaces

Use the show interfaces command to display statistics for all interfaces that are configured on the router, including the tunnel interfaces. Note that a point-to-point GRE tunnel interface reports line protocol up as soon as a route to the tunnel destination exists (unless GRE keepalives are configured), so an up/up tunnel does not by itself prove that the remote end is reachable or that IPsec is protecting the traffic.
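As an added example (this editor's code, not from the deck or from Cisco), the following script combines the Phase 1 state from show crypto isakmp sa with the Phase 2 counters from show crypto ipsec sa into one verdict per peer, which is the check an operator runs mentally when reading the two outputs. The command output embedded below is constructed to match the IOS 12.4/15.x layout with documentation addresses; peer 203.0.113.9 is deliberately shown failing Phase 1.

```python
"""Decide whether a GRE over IPsec tunnel is actually passing protected
traffic from the output of the two show commands above.

Added example for this transcript, not code from the deck or Cisco. The
command output below is constructed to match the IOS 12.4/15.x layout
with documentation addresses; peer 203.0.113.9 is made to fail Phase 1.
"""
import re

ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     198.51.100.1    QM_IDLE           1001 ACTIVE
203.0.113.9     198.51.100.1    MM_NO_STATE       1002 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

IPSEC_SA_OUTPUT = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 198.51.100.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (203.0.113.2/255.255.255.255/47/0)
   current_peer 203.0.113.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
    #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
    #send errors 0, #recv errors 0

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 198.51.100.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (203.0.113.9/255.255.255.255/47/0)
   current_peer 203.0.113.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 41, #recv errors 0
"""

# dst  src  state  conn-id  status  (the header row has no IP addresses, so it never matches)
SA_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(.+)$")


def parse_isakmp_sa(text: str) -> dict:
    """Map remote peer -> state/status/conn-id from show crypto isakmp sa."""
    sas = {}
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            dst, _src, state, conn_id, status = m.groups()
            sas[dst] = {"state": state, "status": status.strip(), "conn_id": int(conn_id)}
    return sas


def parse_ipsec_sa(text: str) -> dict:
    """Map peer -> encaps/decaps/send_errors counters from show crypto ipsec sa."""
    counters, peer = {}, None
    for line in text.splitlines():
        m = re.search(r"current_peer (\S+)", line)
        if m:
            peer = m.group(1)
            counters[peer] = {"encaps": 0, "decaps": 0, "send_errors": 0}
            continue
        if peer is None:
            continue
        for key, pattern in (("encaps", r"#pkts encaps: (\d+)"),
                             ("decaps", r"#pkts decaps: (\d+)"),
                             ("send_errors", r"#send errors (\d+)")):
            m = re.search(pattern, line)
            if m:
                counters[peer][key] = int(m.group(1))
    return counters


def tunnel_verdicts(isakmp_text: str, ipsec_text: str) -> dict:
    """Combine Phase 1 state with Phase 2 counters into a verdict per peer."""
    ike, ipsec = parse_isakmp_sa(isakmp_text), parse_ipsec_sa(ipsec_text)
    verdicts = {}
    for peer in sorted(set(ike) | set(ipsec)):
        state = ike.get(peer, {}).get("state")
        c = ipsec.get(peer, {"encaps": 0, "decaps": 0, "send_errors": 0})
        if state != "QM_IDLE":
            verdicts[peer] = f"phase1-down ({state or 'no IKE SA'}): check debug crypto isakmp"
        elif c["encaps"] and c["decaps"]:
            verdicts[peer] = "up: traffic encrypted and decrypted"
        elif c["encaps"] and not c["decaps"]:
            verdicts[peer] = "one-way: encrypting but nothing received, check return path and ACLs"
        else:
            verdicts[peer] = "idle: IKE SA up, no interesting traffic matched yet"
    return verdicts


if __name__ == "__main__":
    for peer, verdict in tunnel_verdicts(ISAKMP_SA_OUTPUT, IPSEC_SA_OUTPUT).items():
        print(f"{peer:15s} {verdict}")
```

Run it twice a few seconds apart and compare the counters rather than trusting a single snapshot: counters that are non-zero but not moving describe an SA that worked once, not one that works now.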

Troubleshooting GRE Tunnel Configuration

router# debug crypto isakmp

• Debugs IKE communication (Phase 1 and Phase 2 negotiation, including proposal mismatches and failed pre-shared key authentication)
• Advanced troubleshooting can be performed using the Cisco IOS CLI
• Troubleshooting requires knowledge of Cisco IOS CLI commands
• On a head-end that terminates many peers, limit the debug output to the peer under investigation first (debug crypto condition peer ipv4 <address>) so the debug itself does not exhaust the router's CPU

Module 3 – Lesson 7

An Introduction to Cisco Easy VPN

Small or Medium Business Deployment (figure: VPN tunnels across the Internet to the company main site)

– Mobile worker with VPN software client on laptop
– Teleworker with DSL or cable modem and Cisco 806 or uBR900 with Easy VPN Remote support; nontechnical users can use the CRWS GUI to set up Easy VPNs
– Remote office with Cisco 800 or Cisco 1700 Series router with Easy VPN Remote support
– Company main site: Cisco 1700, Cisco 2600 or Cisco 3600 Series router with support to terminate Cisco VPN clients

Easy VPN Server and Easy VPN Remote Operation

Step 1 The VPN client initiates the IKE Phase 1 process
Step 2 The VPN client establishes an ISAKMP SA
Step 3 The Easy VPN Server accepts the SA proposal
Step 4 The Easy VPN Server initiates a username and password challenge (extended authentication, Xauth)
Step 5 The mode configuration process is initiated (the server pushes an address, DNS and policy to the client)
Step 6 The RRI (Reverse Route Injection) process is initiated, giving the head-end a route back to the client
Step 7 IPsec quick mode completes the connection

When the Easy VPN group is authenticated with a pre-shared key, Phase 1 runs in IKE aggressive mode, which exposes a hash derived from the group key to offline guessing; the per-user Xauth step, or certificate-based group authentication, is what keeps a weak group key from being the only barrier.

© 2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod9_L8 27

Module 3 – Lesson 9

Implementing the Cisco VPN Client

Cisco VPN Client Configuration Tasks

1. Install Cisco VPN Client

2. Create a new client connection entry

3. Configure the client authentication properties

4. Configure transparent tunneling

5. Enable and add backup servers

6. Configure a connection to the Internet through dialup networking

Create a New Client Connection Entry—Main Window (Task 2)


VPN Client Main Window

DPD Configuration Example

The router first tries the primary peer. If the primary peer is not available, or becomes unavailable (detected by a Dead Peer Detection failure), the router tries the backup peers in the order in which they are listed in the crypto map.

HSRP for Default Gateway at Remote Site

All remote devices use virtual IP as the default gateway.

The backup router is only used when the primary router is down.

HSRP for Head-End IPsec Routers

Remote sites peer with virtual IP address (HSRP) of the head-end.

RRI or HSRP can be used on the inside interface to ensure a proper return path.

Using an IPsec VPN to Back Up a WAN Connection

An IGP running across the primary WAN is used to detect PVC failures

Traffic is then rerouted over the GRE over IPsec tunnel

Example Using GRE over IPsec