
iscw+module+3+lesson

Date post: 02-Jun-2018

  • 8/10/2019 iscw+module+3+lesson

    1/46

    2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L5 2

    Module 3

    Lesson 5

    Configuring GRE Tunnels over IPsec


    Module Introduction

    Virtual private networks (VPNs) use advanced encryption techniques and tunneling to permit organisations to establish secure, end-to-end, private network connections over third-party networks such as the Internet.

    Cisco offers a wide range of VPN products, including VPN-optimised routers, PIX security and Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These infrastructure devices are used to create VPN solutions that meet the security requirements of any organisation.

    This module explains fundamental terms associated with VPNs, including the IP Security protocol and Internet Key Exchange. It then details how to configure various types of VPN, using various currently available methods.


    Objectives

    At the completion of this fifth lesson, you will be able to:

    Explain the requirement to use the GRE protocol

    Describe GRE technology

    Configure a GRE tunnel using SDM on IOS routers

    Monitor and test the tunnel


    Generic Routing Encapsulation (GRE)

    GRE is an OSI Layer 3 tunneling protocol:

    Encapsulates a wide variety of protocol packet types inside IP tunnels

    Creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork

    Uses IP for transport

    Uses an additional header to support any other OSI Layer 3 protocol as payload (for example, IP, IPX, AppleTalk)


    Generic Routing Encapsulation

    IPsec only encapsulates IP traffic.

    This may be a problem for non-IP or multicast traffic that needs to be sent across a secure tunnel.

    GRE, a Cisco-developed protocol, allows traffic other than IP to be transported using a powerful but simple tunnel technique. GRE supports any OSI Layer 3 protocol as payload, for which it provides virtual point-to-point connectivity.

    GRE also allows the use of routing protocols across the tunnel.

    However, GRE offers minimum security (basic plaintext authentication using the tunnel key) to the payload, and so needs to be used with IPsec if security is required.


    Generic Routing Encapsulation

    Some of the reasons for using GRE over IPsec:

    To pass multicast and broadcast traffic across the tunnel securely

    To pass non-IP traffic securely

    To provide resiliency

    To assist in saving memory and CPU cycles in the router, by reducing the number of SAs that need to be set up


    Basic GRE Header - GRE flags

    GRE is stateless (no flow control mechanisms).

    GRE offers no security (no confidentiality, data authentication, or integrity assurance).

    GRE uses 24-byte overhead by default (20-byte IP header and 4-byte GRE header).


    Basic GRE Header - GRE flags

    The GRE flags are encoded in the first two octets. Bit 0 is the MSB, and bit 15 the LSB. Some of the GRE flags include the following:

    Checksum Present (bit 0): If the Checksum Present bit is set to 1, the optional Checksum field is present in the GRE header

    Key Present (bit 2): If the Key Present bit is set to 1, the optional Key field is present in the GRE header

    Sequence Number Present (bit 3): If the Sequence Number Present bit is set to 1, the optional Sequence Number field is present in the GRE header

    Version Number (bits 13 to 15): Version Number indicates the GRE implementation version. A value of 0 is typically used for basic GRE implementation. Point-to-Point Tunneling Protocol (PPTP) uses Version 1

    Protocol Type: The Protocol Type field contains the protocol type of the payload packet. In general, the value will be the Ethernet protocol type field for the packet. For IP, the hexadecimal value of 0x800 is used. This field enables GRE to tunnel any Layer 3 protocol


    Optional GRE Extensions

    GRE can optionally contain any one or more of these fields:

    Tunnel checksum

    Tunnel key

    Tunnel packet sequence number

    GRE keepalives can be used to track tunnel path status.


    Optional GRE Extensions

    The GRE tunnel header can contain additional optional header information, depending on the flags in the first two bytes of the GRE header.

    The optional GRE header information can include the following:

    Tunnel checksum: The tunnel checksum detects packet corruption. This option is not used often because checksums are used on other layers in the protocol stack, typically to ensure the accuracy of the GRE packets

    Tunnel key: Can be used for two purposes:

    The tunnel key can be used for basic plaintext authentication of packets, in which only the two GRE endpoints share a secret number that enables the tunnel to operate properly. However, anyone in the packet path can easily see the key and be able to spoof tunnel packets

    A more common use of the tunnel key is when two routers want to establish parallel tunnels sourced from the same IP address. The tunnel key is then used to distinguish between GRE packets belonging to different tunnels

    Tunnel sequence number: This number is used to ensure that GRE packets are accepted only if the packets arrive in the correct order.
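    The following Python is an added example and not part of the Cisco lesson. It builds and parses the basic GRE header described on the flag and optional-field slides above (flag bits, version, Protocol Type, then the optional Checksum, Key and Sequence Number fields in that order), verifies the checksum, and demultiplexes parallel tunnels from one source address by Tunnel Key. The sample packets are constructed; the function and tunnel names are the example's own.

```python
import struct

# GRE flag bits in the first 16-bit word; bit 0 is the MSB (RFC 2784/2890)
GRE_FLAG_CHECKSUM = 0x8000  # bit 0: Checksum Present
GRE_FLAG_KEY = 0x2000       # bit 2: Key Present
GRE_FLAG_SEQ = 0x1000       # bit 3: Sequence Number Present
GRE_VERSION_MASK = 0x0007   # bits 13 to 15: Version (0 = basic GRE, 1 = PPTP)
ETHERTYPE_IPV4 = 0x0800     # Protocol Type carried for an IP payload
# optional fields in header order; each one adds 4 bytes to the 4-byte base header
OPTIONAL_FIELDS = ((GRE_FLAG_CHECKSUM, "checksum"), (GRE_FLAG_KEY, "key"), (GRE_FLAG_SEQ, "seq"))

def inet_checksum(data):
    """RFC 1071 one's-complement checksum; a correctly checksummed buffer sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_gre(payload, proto=ETHERTYPE_IPV4, key=None, seq=None, checksum=False):
    """Prepend a version-0 GRE header; optional fields appear in the order C, K, S."""
    flags, opt = 0, b""
    if key is not None:
        flags, opt = flags | GRE_FLAG_KEY, opt + struct.pack("!I", key)
    if seq is not None:
        flags, opt = flags | GRE_FLAG_SEQ, opt + struct.pack("!I", seq)
    if not checksum:
        return struct.pack("!HH", flags, proto) + opt + payload
    base = struct.pack("!HH", flags | GRE_FLAG_CHECKSUM, proto)
    # the checksum covers the GRE header (Checksum + Reserved1 zeroed) and the payload
    csum = inet_checksum(base + b"\x00" * 4 + opt + payload)
    return base + struct.pack("!HH", csum, 0) + opt + payload

def parse_gre(packet):
    """Decode flags and optional fields; reject truncated headers and non-zero versions."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    hdr = {"version": flags & GRE_VERSION_MASK, "protocol_type": proto,
           "checksum_ok": None, "key": None, "seq": None}
    if hdr["version"] != 0:
        raise ValueError("not basic GRE: version %d" % hdr["version"])
    present = [name for bit, name in OPTIONAL_FIELDS if flags & bit]
    hdr["header_len"] = 4 + 4 * len(present)
    if len(packet) < hdr["header_len"]:
        raise ValueError("flags announce optional fields that are not present")
    for i, name in enumerate(present):
        if name == "checksum":   # the whole GRE packet sums to zero when intact
            hdr["checksum_ok"] = inet_checksum(packet) == 0
        else:
            hdr[name] = struct.unpack("!I", packet[4 + 4 * i:8 + 4 * i])[0]
    hdr["payload"] = packet[hdr["header_len"]:]
    return hdr

def demux_by_key(packets, tunnels):
    """Sort parallel tunnels from one source IP by Tunnel Key; unknown keys are dropped."""
    out = {name: [] for name in tunnels.values()}
    for pkt in packets:
        hdr = parse_gre(pkt)
        name = tunnels.get(hdr["key"])
        if name is not None and hdr["checksum_ok"] is not False:
            out[name].append(hdr["payload"])
    return out
```

    Note that the key is carried in clear and is only a demultiplexing label here, which is exactly why the lesson pairs GRE with IPsec when authentication and confidentiality are required.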


    Secure GRE Tunnels

    IPsec provides what GRE lacks:

    Confidentiality through encryption using symmetric algorithms

    Data source authentication using HMACs

    Data integrity verification using HMACs

    IPsec is not perfect at tunneling:

    Older IOS versions do not support IP multicast over IPsec

    IPsec was designed to tunnel IP only (no multiprotocol support)

    Using crypto maps to implement IPsec does not allow the use of routing protocols across the tunnel

    IPsec does not tunnel IP protocols; GRE does


    GRE over IPsec

    GRE over IPsec is typically used to do the following:

    Create a logical hub-and-spoke topology of virtual point-to-point connections

    Secure communication over an untrusted transport network (e.g. the Internet)


    GRE over IPsec Encapsulation

    GRE encapsulates an arbitrary payload.

    IPsec encapsulates the unicast IP packet (GRE):

    Tunnel mode (default): IPsec creates a new tunnel IP packet

    Transport mode: IPsec reuses the IP header of the GRE packet (20 bytes less overhead than tunnel mode)


    Configuring GRE over IPsec Site-to-Site Tunnel Using SDM

    To configure a GRE over IPsec tunnel using SDM, follow these steps (see next slide):

    1. Use a web browser to connect via HTTP server to the router. Click the Configure icon in the top navigation bar to enter the configuration page

    2. Click the VPN icon in the vertical navigation bar to open the VPN page

    3. Choose the Site to Site VPN wizard in the menu

    4. Click the Create Site to Site VPN tab at the top of the section on the right

    5. Click the Create a secure GRE tunnel (GRE over IPSec) radio button

    6. Click the Launch the selected task button to start the wizard that will guide you through the configuration steps


    Configuring GRE over IPsec Site-to-Site Tunnel Using SDM

    [Figure: SDM screenshot with callouts for steps 1 to 6 of the procedure above]


    GRE Tunnel (GRE over IPsec)


    Configuring GRE Tunnel Information

    Follow these steps for configuring the GRE tunnel (see next):

    1. Under Tunnel Source, enter the GRE tunnel source IP address from a configured interface or manually specify the source IP address. This address must be a valid IP address configured on one of the interfaces on the router. Under Tunnel Destination, enter the tunnel destination IP address

    2. In the IP address of the GRE tunnel section, define the inner IP address and subnet mask that is applied to the virtual point-to-point link

    3. Note that the Enable path MTU discovery (PMTUD) button is enabled by default. This setting lets the router determine the maximum transmission unit (MTU) for the virtual interface. This is accomplished by using ICMP

    4. Click the Next button to proceed to the next task

    NOTE: ICMP unreachable messages must be permitted by all ACLs and firewalls in the path between the two tunnel endpoints in order for PMTUD to work


    Configuring GRE Tunnel Information

    [Figure: SDM screenshot of the GRE tunnel information page with callouts for steps 1 to 4]


    Configuring a Backup GRE Tunnel

    To provide resilience to the VPN, create a second GRE tunnel in case the primary tunnel fails. (The steps are shown on the next slide):

    1. Check Create a backup secure GRE tunnel for resilience

    2. Define the IP address of the backup VPN peer in the available field

    3. In the Tunnel IP address section, define the inner IP address and the subnet mask for the logical tunnel interface

    4. Click the Next button to proceed to the next task


    Configuring a Backup GRE Tunnel

    [Figure: SDM screenshot of the backup GRE tunnel page with callouts for steps 1 to 4]


    Configuring VPN Authentication

    After defining the GRE tunnel parameters, the SDM wizard proceeds to configure IPsec-specific parameters. This step ensures that both ends of the tunnel connect with the same secret key:

    1. Click the radio button for the desired authentication method

    Pre-shared keys

    Digital certificates

    2. If you choose pre-shared keys to provide authentication, then specify a pre-shared secret. The secret should be long and random


    Configuring VPN Authentication

    [Figure: SDM screenshot of the VPN authentication page with callouts 1A, 1B and 2]


    IKE Proposals

    You can now use a predefined IKE policy, or click the Add button and enter the required information to create a custom IKE policy:

    You can also modify the existing policies by selecting an individual policy and clicking the Edit button

    When adding or editing an IKE policy, define the required parameters that appear in the Add IKE Policy window

    1. IKE proposal priority

    2. Encryption algorithm (most commonly 3DES or AES; Software Encryption Algorithm [SEAL] can also be used to improve crypto performance on routers that do not have hardware IPsec accelerators; DES is no longer advised)

    3. HMAC (SHA-1 or MD5)

    4. Authentication method (pre-shared key or digital certificates)

    5. DH group (1, 2, or 5)

    6. IKE lifetime

    7. When you finish adding or editing IKE proposals, click the Next button on the IKE proposals window to proceed to the next task


    IKE Proposals


    Creating a Custom IKE Policy

    Define all IKE policy parameters:

    Priority

    Encryption algorithm: DES, 3DES, or AES

    HMAC: SHA-1 or MD5

    Authentication method: preshared secrets or digital certificates

    Diffie-Hellman group: 1, 2, or 5

    IKE lifetime


    Configuring the Transform Set

    When creating an IPsec transform set, the same set of algorithms as were used with the configured IKE policy should be used:

    1. There is a default IPsec transform set predefined by SDM that can be used. If choosing to use the default, skip Step 2. A new transform set can also be created

    2. If wanting to use a custom IPsec transform set, create the transform set by clicking the Add button and specifying these parameters:

    Transform set name

    Encryption algorithm

    HMAC

    Mode of operation

    Optional compression

    3. When finished adding sets, click the Next button to proceed to the next task.


    Transform Set

    [Figure: SDM screenshot of the transform set page with callouts for steps 1 to 3]


    Configuring Routing Information

    A GRE tunnel supports multicast across the addressed point-to-point link.

    Static routing is typically used for simple stub sites with a single GRE over IPsec tunnel. Complex topologies with sites that use backup tunnels or have multiple IP subnets require a routing protocol to dynamically distribute routing information, detect failures, and reroute to backup tunnels.

    The SDM wizard allows choosing from three options:

    1. Static routing

    2. Dynamic routing using Enhanced Interior Gateway Routing Protocol (EIGRP)

    3. Dynamic routing using Open Shortest Path First (OSPF)


    Configuring Routing Information


    Static Routing

    If choosing to configure using static routing, select the static routing button and then click Next.

    In the first drop-down menu, disable split tunneling by choosing the Tunnel all traffic option. This option results in a default route pointing into the tunnel. Unless more specific routes are in the routing table, all traffic will be sent through the tunnel.

    Alternatively, choose the Do split tunneling option from this drop-down menu and specify the IP address and subnet mask of the destination that is reachable through the tunnel. All other destinations are reachable by bypassing the tunnel.


    Static Routing


    Dynamic Routing Using EIGRP

    If choosing to configure using dynamic routing using EIGRP, select the EIGRP button on the routing choice screen

    There are two steps for configuring EIGRP across the tunnel:

    1. Select an existing or define a new EIGRP autonomous system (AS) number by clicking the appropriate button and entering the number.

    2. Define one or more local subnets (IP address and wildcard mask) on which EIGRP will run and thus advertise to EIGRP neighbors.


    Dynamic Routing Using EIGRP

    [Figure: SDM screenshot of the EIGRP routing page with callouts for steps 1 and 2]


    Dynamic Routing Using OSPF

    If choosing to configure using dynamic routing using OSPF, click the OSPF button on the initial routing screen and then click Next.

    There are three steps used to configure OSPF across the tunnel:

    1. Select an existing or define a new OSPF process number by clicking the appropriate radio button and entering the number

    2. Enter an OSPF area number for the tunnels

    3. Enter the network IP address, subnet mask, and area number of one or more local subnets that you want to advertise to OSPF neighbors


    Dynamic Routing Using OSPF

    [Figure: SDM screenshot of the OSPF routing page with callouts for steps 1 to 3]


    Review the Configuration


    Review the Configuration (Cont.)


    Testing, Monitoring and Troubleshooting GRE Tunnel Configuration

    After creating the GRE over IPsec site-to-site tunnel, the tunnel status can immediately be seen. A test can be run to determine the configuration correctness of the tunnel, or to generate a mirroring configuration. The information in the mirror configuration is required to set up the other end of the tunnel. The mirror configuration is useful if the router at the other end of the tunnel does not have SDM and the CLI is to be used to configure the tunnel.

    To test the tunnel:

    1. Click the Configure icon in the top navigation bar of the SDM home page to enter the configuration page

    2. Click the VPN icon in the vertical navigation bar to open the VPN page

    3. Choose the Site to Site VPN wizard from the list in the middle section

    4. Click the Edit Site to Site VPN tab at the top of the section on the right side.

    5. Choose and highlight the tunnel that you want to test

    6. Click the Test Tunnel button. The testing screen appears.

    7. Click the Start button and wait until the test is complete

    8. For each failed task, the bottom part of the window shows the reason and recommended actions to resolve the issue


    Test Tunnel Configuration and Operation

    [Figure: SDM screenshot of the Edit Site to Site VPN tab with callouts for steps 1 to 6]


    Test Results

    [Figure: SDM screenshot of the tunnel test results window with callout for step 7]


    Monitor Tunnel Operation

    Use the Monitor page to view the status of the tunnel. To see all IPsec tunnels, their parameters, and status, follow this procedure:

    1. Click the Monitor icon in the top navigation bar of the SDM home page.

    2. Click the VPN Status icon in the vertical navigation bar.

    3. Click the IPSec Tunnels tab.

    Testing and Monitoring

    Use the show commands to determine the status of IPsec VPN connections

    Troubleshooting

    Connect a terminal to the Cisco IOS router to use debugging commands to troubleshoot VPN connectivity. Figure [5] shows the syntax and an example of how to use the debug crypto isakmp command

    The debug crypto isakmp EXEC command displays detailed information about the IKE Phase 1 and Phase 2 negotiation processes


    Monitor Tunnel Operation

    [Figure: SDM screenshot of the Monitor > VPN Status > IPSec Tunnels page with callouts for steps 1 to 3]


    Testing and Monitoring GRE Tunnel Configuration

    router# show crypto isakmp sa

    To display all current IKE SAs, use the show crypto isakmp sa command in EXEC mode. QM_IDLE status indicates an active IKE SA

    router# show crypto ipsec sa

    To display the settings used by current SAs, use the show crypto ipsec sa command in EXEC mode. Non-zero encryption and decryption statistics can indicate a working set of IPsec SAs

    router# show interfaces

    Use the show interfaces command to display statistics for all interfaces that are configured on the router, including the tunnel interfaces
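    As an added illustration, not part of the Cisco lesson, the Python below applies the two indicators just described (an IKE SA in QM_IDLE, and non-zero encryption and decryption counters) to command output. The sample output is constructed and only approximates the shape of the IOS show commands; the addresses, counters and function names are the example's own assumptions.

```python
import re

# Constructed sample output in the general shape of the two show commands;
# the peer addresses and counters are made up for this example.
ISAKMP_SA_OUTPUT = """\
dst             src             state          conn-id status
192.0.2.2       192.0.2.1       QM_IDLE           1001 ACTIVE
"""

IPSEC_SA_OUTPUT = """\
   local  ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.0.2.2/255.255.255.255/47/0)
    #pkts encaps: 154, #pkts encrypt: 154, #pkts digest: 154
    #pkts decaps: 149, #pkts decrypt: 149, #pkts verify: 149
    #send errors 0, #recv errors 0
"""

def active_ike_sas(isakmp_output):
    """Return (dst, src) for every IKE SA whose state column reads QM_IDLE."""
    sas = []
    for line in isakmp_output.splitlines():
        cols = line.split()
        if len(cols) >= 3 and cols[2] == "QM_IDLE":
            sas.append((cols[0], cols[1]))
    return sas

def ipsec_counters(ipsec_output):
    """Pull the packet and error counters out of one 'show crypto ipsec sa' block."""
    counters = {}
    for name in ("encrypt", "decrypt", "verify"):
        m = re.search(r"#pkts %s: (\d+)" % name, ipsec_output)
        counters[name] = int(m.group(1)) if m else 0
    for name in ("send errors", "recv errors"):
        m = re.search(r"#%s (\d+)" % name, ipsec_output)
        counters[name] = int(m.group(1)) if m else 0
    return counters

def tunnel_health(isakmp_output, ipsec_output):
    """Apply the lesson's two checks: an IKE SA in QM_IDLE and non-zero IPsec counters."""
    if not active_ike_sas(isakmp_output):
        return "no IKE SA in QM_IDLE: Phase 1 has not completed"
    c = ipsec_counters(ipsec_output)
    if c["encrypt"] == 0:
        return "IKE up but nothing encrypted yet: no interesting traffic reached the tunnel"
    if c["decrypt"] == 0:
        return "encrypting but not decrypting: check the peer's SA and the return path"
    if c["send errors"] or c["recv errors"]:
        return "IPsec SA errors present: inspect debug crypto isakmp on both peers"
    return "ok"
```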


    Troubleshooting GRE Tunnel Configuration

    router# debug crypto isakmp

    Debugs IKE communication

    Advanced troubleshooting can be performed using the Cisco IOS CLI

    Troubleshooting requires knowledge of Cisco IOS CLI commands
