8/10/2019 iscw+module+3+lesson
1/46
2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod3_L5
Module 3
Lesson 5
Configuring GRE Tunnels over IPsec
Module Introduction
Virtual private networks (VPNs) use encryption and tunneling to let organisations establish secure, end-to-end, private network connections over third-party networks such as the Internet.
Cisco offers a wide range of VPN products, including VPN-optimised routers, PIX security appliances and Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These infrastructure devices are used to build VPN solutions that meet the security requirements of an organisation.
This module explains the fundamental terms associated with VPNs, including the IP Security (IPsec) protocol and Internet Key Exchange (IKE). It then details how to configure various types of VPN using the currently available methods.
Objectives
At the completion of this fifth lesson, you will be able to:
Explain the requirement to use the GRE protocol
Describe GRE technology
Configure a GRE tunnel using SDM on IOS routers
Monitor and test the tunnel
Generic Routing Encapsulation (GRE)
GRE is an OSI Layer 3 tunneling protocol:
Encapsulates a wide variety of protocol packet types inside IP tunnels
Creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork
Uses IP for transport
Uses an additional header to support any other OSI Layer 3 protocol as payload (for example, IP, IPX, AppleTalk)
Generic Routing Encapsulation
IPsec only encapsulates unicast IP traffic
This is a problem for non-IP or multicast traffic that needs to be sent across a secure tunnel
GRE, a Cisco-developed protocol later standardised in RFC 2784, allows traffic other than IP to be transported using a powerful but simple tunnel technique. GRE supports any OSI Layer 3 protocol as payload, for which it provides virtual point-to-point connectivity.
GRE also allows routing protocols to run across the tunnel, because the tunnel carries the multicast hello packets they depend on
However, GRE offers only minimal security for the payload (a plaintext tunnel key that any on-path observer can read), so it must be combined with IPsec if confidentiality or integrity is required
Generic Routing Encapsulation
Some of the reasons for using GRE over IPsec:
To pass multicast and broadcast traffic (for example routing protocol hellos) across the tunnel securely
To pass non-IP traffic securely
To provide resiliency (a backup tunnel plus a routing protocol that detects failure and reroutes)
To save memory and CPU cycles in the router by reducing the number of IPsec security associations (SAs) that need to be set up: one pair of SAs protecting the GRE tunnel replaces one pair per protected subnet pair
Basic GRE Header - GRE flags
GRE is stateless (no flow control mechanisms).
GRE offers no security (no confidentiality, data origin authentication, or integrity assurance).
GRE adds 24 bytes of overhead by default (20-byte outer IP header and 4-byte GRE header); each optional header field adds another 4 bytes.
Basic GRE Header - GRE flags
The GRE flags are encoded in the first two octets. Bit 0 is the MSB and bit 15 the LSB. The flags include the following:
Checksum Present (bit 0): If set to 1, the optional Checksum field (together with a 2-byte Reserved field) is present in the GRE header
Key Present (bit 2): If set to 1, the optional Key field is present in the GRE header
Sequence Number Present (bit 3): If set to 1, the optional Sequence Number field is present in the GRE header
Version Number (bits 13-15): Indicates the GRE implementation version. A value of 0 is used for basic GRE. Point-to-Point Tunneling Protocol (PPTP) uses version 1
Protocol Type: The 16-bit Protocol Type field (octets 3 and 4) contains the protocol type of the payload packet. In general the value is the Ethernet protocol type (EtherType) of the payload; for IPv4 the hexadecimal value 0x0800 is used. This field is what lets GRE tunnel any Layer 3 protocol
Optional GRE Extensions
GRE can optionally contain any one or more of these fields:
Tunnel checksum
Tunnel key
Tunnel packet sequence number
GRE keepalives can be used to track tunnel path status.
Optional GRE Extensions
The GRE tunnel header can contain additional optional header information, depending on the flags in the first two bytes of the GRE header
The optional GRE header information can include the following:
Tunnel checksum: The tunnel checksum detects packet corruption. This option is not used often, because the payload is already covered by checksums at other layers of the protocol stack (for example the inner IP, TCP and UDP checksums)
Tunnel key: Can be used for two purposes:
The tunnel key can be used for basic plaintext authentication of packets, in which only the two GRE endpoints share a secret number that enables the tunnel to operate. However, anyone in the packet path can read the key from the header and spoof tunnel packets, so it is not a security control
A more common use of the tunnel key is when two routers want to establish parallel tunnels sourced from the same IP address. The tunnel key is then used to distinguish GRE packets belonging to different tunnels
Tunnel sequence number: This number is used to ensure that GRE packets are accepted only if they arrive in order; out-of-order packets are dropped
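To make the flag bits on the previous slide and the optional fields on this one concrete, here is an added example (not code from the lesson or from Cisco) that builds and parses a basic GRE header in Python, handling the Checksum, Key and Sequence Number fields announced by the flag word. It also shows why the tunnel key is not an authentication control: forge_with_observed_key, an invented name, reads the key from a captured packet and builds a new packet carrying the same key. The sample packet, key 0x1234 and sequence number 7 are constructed for the example.

```python
import struct

# GRE flag word (first two octets; bit 0 is the MSB), as described in the lesson
# and in RFC 2784 / RFC 2890.
FLAG_CHECKSUM = 0x8000   # bit 0: Checksum Present
FLAG_KEY      = 0x2000   # bit 2: Key Present
FLAG_SEQUENCE = 0x1000   # bit 3: Sequence Number Present
VERSION_MASK  = 0x0007   # bits 13-15: Version (0 = GRE, 1 = PPTP's enhanced GRE)

PROTO_IPV4 = 0x0800      # EtherType carried in the Protocol Type field


def internet_checksum(data):
    """RFC 1071 one's-complement checksum (odd-length input is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_header_len(flags):
    """Header length implied by the flag word: 4 bytes plus 4 per optional field
    (Checksum+Reserved, Key, Sequence Number)."""
    length = 4
    for bit in (FLAG_CHECKSUM, FLAG_KEY, FLAG_SEQUENCE):
        if flags & bit:
            length += 4
    return length


def build_gre(payload, proto=PROTO_IPV4, key=None, seq=None, checksum=False):
    """Prepend a GRE header with the requested optional fields to payload."""
    flags = 0
    if checksum:
        flags |= FLAG_CHECKSUM
    if key is not None:
        flags |= FLAG_KEY
    if seq is not None:
        flags |= FLAG_SEQUENCE
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += struct.pack("!HH", 0, 0)          # checksum placeholder + reserved
    if key is not None:
        header += struct.pack("!I", key)
    if seq is not None:
        header += struct.pack("!I", seq)
    if checksum:
        # The checksum covers the GRE header and payload with the field itself zero
        csum = internet_checksum(header + payload)
        header = header[:4] + struct.pack("!HH", csum, 0) + header[8:]
    return header + payload


def parse_gre(packet):
    """Decode the flag word and whichever optional fields it announces."""
    if len(packet) < 4:
        raise ValueError("too short for a GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    hlen = gre_header_len(flags)
    if len(packet) < hlen:
        raise ValueError("flags announce %d header bytes, only %d present" % (hlen, len(packet)))
    info = {"version": flags & VERSION_MASK, "proto": proto,
            "checksum_ok": None, "key": None, "seq": None, "header_len": hlen}
    offset = 4
    if flags & FLAG_CHECKSUM:
        csum = struct.unpack("!H", packet[offset:offset + 2])[0]
        zeroed = packet[:offset] + b"\x00\x00" + packet[offset + 2:]
        info["checksum_ok"] = internet_checksum(zeroed) == csum
        offset += 4
    if flags & FLAG_KEY:
        info["key"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_SEQUENCE:
        info["seq"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    info["payload"] = packet[offset:]
    return info


def forge_with_observed_key(observed, new_payload):
    """Why the key is not authentication: anyone on the path reads it from the
    header and can build a packet the far end accepts as part of the tunnel."""
    seen = parse_gre(observed)
    return build_gre(new_payload, proto=seen["proto"], key=seen["key"])


if __name__ == "__main__":
    # Constructed sample: a 20-byte IPv4-looking payload behind a GRE header that
    # carries all three optional fields. Key 0x1234 and sequence 7 are arbitrary.
    pkt = build_gre(b"\x45" + b"\x00" * 19, key=0x1234, seq=7, checksum=True)
    print(parse_gre(pkt))
    forged = forge_with_observed_key(pkt, b"injected")
    print("forged packet carries the same key:", parse_gre(forged)["key"] == 0x1234)
```

The checksum catches accidental corruption (flip any payload byte and checksum_ok becomes False) but not deliberate tampering, since the attacker simply recomputes it; only the IPsec HMAC described on the next slides provides integrity.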
Secure GRE Tunnels
IPsec provides what GRE lacks:
Confidentiality through encryption using symmetric algorithms
Data origin authentication using HMACs
Data integrity verification using HMACs
IPsec is not perfect at tunneling:
Older IOS versions do not support IP multicast over IPsec
IPsec was designed to tunnel IP only (no multiprotocol support)
Using crypto maps to implement IPsec does not allow the use of routing protocols across the tunnel
IPsec does not tunnel non-IP protocols or IP multicast; GRE does
GRE over IPsec
GRE over IPsec is typically used to do the following:
Create a logical hub-and-spoke topology of virtual point-to-point connections
Secure communication over an untrusted transport network (e.g. the Internet)
GRE over IPsec Encapsulation
GRE encapsulates an arbitrary payload inside an IP packet (IP protocol 47).
IPsec then encapsulates the unicast IP (GRE) packet:
Tunnel mode (default): IPsec creates a new outer IP header in front of the IPsec header
Transport mode: IPsec reuses the IP header of the GRE packet (20 bytes less overhead than tunnel mode). Transport mode is sufficient here because the GRE packet already carries the tunnel endpoint addresses
Configuring GRE over IPsec Site-to-Site Tunnel Using SDM
To configure a GRE over IPsec tunnel using SDM, follow these steps (see next slide):
1. Use a web browser to connect to the HTTP (preferably HTTPS) server on the router. Click the Configure icon in the top navigation bar to enter the configuration page
2. Click the VPN icon in the vertical navigation bar to open the VPN page
3. Choose the Site to Site VPN wizard in the menu
4. Click the Create Site to Site VPN tab at the top of the section on the right
5. Click the Create a secure GRE tunnel (GRE over IPSec) radio button
6. Click the Launch the selected task button to start the wizard that will guide you through the configuration steps
Configuring GRE over IPsec Site-to-Site Tunnel Using SDM
[Screenshot in the original slide: SDM Site to Site VPN page, with callouts 1 to 6 marking the steps listed on the previous slide]
GRE Tunnel (GRE over IPsec)
Configuring GRE Tunnel Information
Follow these steps to configure the GRE tunnel (see next slide):
1. Under Tunnel Source, choose the GRE tunnel source IP address from a configured interface, or enter the source IP address manually. This address must be a valid IP address configured on one of the interfaces of the router. Under Tunnel Destination, enter the tunnel destination IP address (the public address of the remote peer)
2. In the IP address of the GRE tunnel section, define the inner IP address and subnet mask that are applied to the virtual point-to-point link
3. Note that the Enable path MTU discovery (PMTUD) check box is enabled by default. This setting lets the router determine the maximum transmission unit (MTU) for the virtual interface. This is accomplished using ICMP
4. Click the Next button to proceed to the next task
NOTE: ICMP unreachable messages (type 3, code 4, fragmentation needed) must be permitted by all ACLs and firewalls in the path between the two tunnel endpoints for PMTUD to work
Configuring GRE Tunnel Information
[Screenshot in the original slide: the wizard's GRE Tunnel Information page, with callouts 1 to 4 for the steps above]
Configuring a Backup GRE Tunnel
To provide resilience to the VPN, create a second GRE tunnel that is used if the primary tunnel fails (the steps are shown on the next slide):
1. Check Create a backup secure GRE tunnel for resilience
2. Define the IP address of the backup VPN peer in the available field
3. In the Tunnel IP address section, define the inner IP address and the subnet mask for the logical backup tunnel interface
4. Click the Next button to proceed to the next task
Configuring a Backup GRE Tunnel
[Screenshot in the original slide: the wizard's Backup GRE Tunnel page, with callouts 1 to 4 for the steps above]
Configuring VPN Authentication
After defining the GRE tunnel parameters, the SDM wizard proceeds to configure IPsec-specific parameters. This step defines how the two tunnel endpoints authenticate each other during IKE:
1. Click the radio button for the desired authentication method
Pre-shared keys
Digital certificates
2. If you choose pre-shared keys, specify the pre-shared secret. The secret should be long and random, and the same value must be configured on both peers
Configuring VPN Authentication
[Screenshot in the original slide: the wizard's VPN Authentication page, with callouts 1A, 1B and 2 for the steps above]
IKE Proposals
You can use a predefined IKE policy, or click the Add button and enter the required information to create a custom IKE policy.
You can also modify an existing policy by selecting it and clicking the Edit button
When adding or editing an IKE policy, define the required parameters that appear in the Add IKE Policy window:
1. IKE proposal priority (a lower number is preferred during negotiation)
2. Encryption algorithm (most commonly 3DES or AES; the Software Encryption Algorithm [SEAL] can also be used to improve crypto performance on routers that do not have hardware IPsec accelerators; DES is no longer advised)
3. HMAC (SHA-1 or MD5)
4. Authentication method (pre-shared key or digital certificates)
5. DH group (1, 2, or 5)
6. IKE lifetime
7. When you finish adding or editing IKE proposals, click the Next button on the IKE Proposals window to proceed to the next task
IKE Proposals
Creating a Custom IKE Policy
Define all IKE policy parameters:
Priority
Encryption algorithm: DES, 3DES, or AES
HMAC: SHA-1 or MD5
Authentication method: preshared secrets or digital certificates
Diffie-Hellman group: 1, 2, or 5
IKE lifetime
Configuring the Transform Set
When creating an IPsec transform set, the convention is to use the same encryption and HMAC algorithms as the configured IKE policy (the protocol does not require it, but it keeps the policy consistent):
1. There is a default IPsec transform set predefined by SDM that can be used. If you use the default, skip Step 2. A new transform set can also be created
2. To use a custom IPsec transform set, create it by clicking the Add button and specifying these parameters:
Transform set name
Encryption algorithm
HMAC
Mode of operation (tunnel or transport)
Optional compression
3. When finished adding sets, click the Next button to proceed to the next task.
Transform Set
[Screenshot in the original slide: the wizard's Transform Set page, with callouts 1 to 3 for the steps above]
Configuring Routing Information
A GRE tunnel supports multicast across the addressed point-to-point link, so routing protocols can run over it.
Static routing is typically used for simple stub sites with a single GRE over IPsec tunnel. Complex topologies with sites that use backup tunnels or have multiple IP subnets require a routing protocol to dynamically distribute routing information, detect failures, and reroute to backup tunnels.
The SDM wizard allows choosing from three options:
1. Static routing
2. Dynamic routing using Enhanced Interior Gateway Routing Protocol (EIGRP)
3. Dynamic routing using Open Shortest Path First (OSPF)
Configuring Routing Information
Static Routing
If you choose static routing, select the Static routing button and then click Next.
In the first drop-down menu, disable split tunneling by choosing the Tunnel all traffic option. This option results in a default route pointing into the tunnel. Unless more specific routes are in the routing table, all traffic will be sent through the tunnel.
Alternatively, choose the Do split tunneling option from this drop-down menu and specify the IP address and subnet mask of the destination that is reachable through the tunnel. All other destinations are reached by bypassing the tunnel, so traffic to them crosses the transport network unencrypted.
Static Routing
Dynamic Routing Using EIGRP
If you choose dynamic routing using EIGRP, select the EIGRP button on the routing choice screen.
There are two steps for configuring EIGRP across the tunnel:
1. Select an existing EIGRP autonomous system (AS) number or define a new one by clicking the appropriate button and entering the number. The AS number must match on both tunnel endpoints.
2. Define one or more local subnets (IP address and wildcard mask) on which EIGRP will run and which it will therefore advertise to EIGRP neighbors.
Dynamic Routing Using EIGRP
[Screenshot in the original slide: the wizard's EIGRP page, with callouts 1 and 2 for the steps above]
Dynamic Routing Using OSPF
If you choose dynamic routing using OSPF, click the OSPF button on the initial routing screen and then click Next.
There are three steps used to configure OSPF across the tunnel:
1. Select an existing OSPF process number or define a new one by clicking the appropriate radio button and entering the number
2. Enter an OSPF area number for the tunnels
3. Enter the network IP address, subnet mask, and area number of one or more local subnets that you want to advertise to OSPF neighbors
Dynamic Routing Using OSPF
[Screenshot in the original slide: the wizard's OSPF page, with callouts 1 to 3 for the steps above]
Review the Configuration
Review the Configuration (Cont.)
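The review screens show the configuration the wizard is about to push to the router. As an added example (not from the lesson and not an actual wizard output), here is the CLI equivalent for one side of the tunnel, covering the steps walked through above: GRE tunnel, IKE policy, pre-shared key, transform set, crypto map and EIGRP routing, with the static routing choice shown as a commented alternative. The addresses (192.0.2.1 local, 198.51.100.1 remote, 10.255.0.0/30 for the tunnel link), the interface and object names, the AS number and the key are placeholders.

```text
! Added example: CLI equivalent of the SDM wizard's output for one side of a
! GRE over IPsec tunnel. Not from the lesson; addresses, names, AS number and
! the key are placeholders.
!
! IKE Phase 1 policy (lesson step: IKE Proposals). Lower number = preferred.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
! Pre-shared key for the remote peer (lesson step: VPN Authentication).
! Use a long random value and configure the same value on the other router.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 198.51.100.1
!
! IPsec transform set (lesson step: Transform Set). Transport mode is enough
! because the GRE packet already carries the tunnel endpoint addresses.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Only GRE between the two tunnel endpoints is protected; anything else that
! leaves the outside interface is not touched by the crypto map.
ip access-list extended GRE-TO-PEER
 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address GRE-TO-PEER
!
! GRE tunnel (lesson step: GRE Tunnel Information). Inner /30 for the
! point-to-point link; PMTUD on the tunnel, plus a fixed MTU and MSS clamp as
! a fallback in case ICMP is filtered somewhere on the path.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 tunnel path-mtu-discovery
!
! Outside interface carries the crypto map; the tunnel source must be an
! address configured on the router (here the interface address itself).
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map GRE-MAP
!
! Routing (lesson step: Dynamic Routing Using EIGRP). The AS number must
! match on both ends; the tunnel subnet is included so the adjacency forms.
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 10.1.0.0 0.0.255.255
 no auto-summary
!
! Static alternative (lesson step: Static Routing) instead of router eigrp:
!  tunnel all traffic:   ip route 0.0.0.0 0.0.0.0 Tunnel0
!  split tunneling:      ip route 10.2.0.0 255.255.0.0 Tunnel0
```

The other router needs the mirror of this configuration (tunnel source and destination swapped, 10.255.0.2 on the tunnel, the same key and transform set), which is what SDM's Generate Mirror function produces. The lesson's IKE choices stop at DH group 5 and SHA-1; on IOS releases that offer them, group 14 and sha256 in the ISAKMP policy and esp-sha256-hmac in the transform set are the stronger picks.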
Testing, Monitoring and Troubleshooting GRE Tunnel Configuration
After creating the GRE over IPsec site-to-site tunnel, the tunnel status can be seen immediately. A test can be run to check the correctness of the tunnel configuration, or a mirroring configuration can be generated. The mirror configuration contains the information required to set up the other end of the tunnel. It is useful if the router at the other end of the tunnel does not have SDM and the CLI is to be used to configure the tunnel.
To test the tunnel:
1. Click the Configure icon in the top navigation bar of the SDM home page to enter the configuration page
2. Click the VPN icon in the vertical navigation bar to open the VPN page
3. Choose the Site to Site VPN wizard from the list in the middle section
4. Click the Edit Site to Site VPN tab at the top of the section on the right side
5. Choose and highlight the tunnel that you want to test
6. Click the Test Tunnel button. The testing screen appears
7. Click the Start button and wait until the test is complete
8. For each failed task, the bottom part of the window shows the reason and recommended actions to resolve the issue
Test Tunnel Configuration and Operation
[Screenshot in the original slide: the Edit Site to Site VPN page, with callouts 1 to 6 for the steps above]
Test Results
[Screenshot in the original slide: the VPN Troubleshooting results window, callout 7]
Monitor Tunnel Operation
Use the Monitor page to view the status of the tunnel. To see all IPsec tunnels, their parameters, and status, follow this procedure:
1. Click the Monitor icon in the top navigation bar of the SDM home page.
2. Click the VPN Status icon in the vertical navigation bar.
3. Click the IPSec Tunnels tab.
Testing and Monitoring
Use the show commands to determine the status of IPsec VPN connections
Troubleshooting
Connect a terminal to the Cisco IOS router to use debugging commands to troubleshoot VPN connectivity. Figure [5] shows the syntax and an example of how to use the debug crypto isakmp command
The debug crypto isakmp EXEC command displays detailed information about the IKE Phase 1 and Phase 2 negotiation processes. The output is verbose, so use it on a lightly loaded router and turn it off with undebug all when finished
Monitor Tunnel Operation
[Screenshot in the original slide: SDM Monitor page, VPN Status, IPSec Tunnels tab, with callouts 1 to 3 for the steps above]
Testing and Monitoring GRE Tunnel Configuration
router# show crypto isakmp sa
To display all current IKE SAs, use the show crypto isakmp sa command in EXEC mode. A QM_IDLE state indicates an active IKE SA (Phase 1 complete); MM_NO_STATE, or no entry at all for the peer, indicates that Phase 1 has not completed
router# show crypto ipsec sa
To display the settings used by current SAs, use the show crypto ipsec sa command in EXEC mode. Non-zero encrypt and decrypt counters indicate a working pair of IPsec SAs; an encrypt counter that rises while decrypt stays at zero means traffic leaves but nothing comes back
router# show interfaces
Use the show interfaces command to display statistics for all interfaces configured on the router, including the tunnel interfaces (show interfaces Tunnel0 limits the output to the tunnel)
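As an added example (not from the lesson), the following Python script applies the two checks described above to constructed sample output, not a capture from a real router, laid out like show crypto isakmp sa and show crypto ipsec sa: an IKE SA in QM_IDLE for the peer, and non-zero encrypt and decrypt counters. It also separates the one-way case (encrypt counter rising, decrypt stuck at zero) from a healthy tunnel, which is the distinction the counters are most useful for. Peer addresses and counter values are placeholders.

```python
import re

# Constructed sample output (not captured from a real router) in the shape of
# the two show commands, for a router that initiated IKE to 198.51.100.1.
SAMPLE_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
198.51.100.1    192.0.2.1       QM_IDLE           1001 ACTIVE
"""

SAMPLE_ISAKMP_FAILED = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
198.51.100.1    192.0.2.1       MM_NO_STATE          0 ACTIVE (deleted)
"""

SAMPLE_IPSEC = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 192.0.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/47/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
    #pkts decaps: 120, #pkts decrypt: 120, #pkts verify: 120
    #send errors 0, #recv errors 0
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def ike_states(text):
    """Rows of 'show crypto isakmp sa' as [(dst, src, state)]."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*" + IPV4 + r"\s+" + IPV4 + r"\s+(\S+)", line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def ipsec_counters(text):
    """Per current_peer block of 'show crypto ipsec sa': encrypt/decrypt/error counts."""
    result, peer = {}, None
    for line in text.splitlines():
        m = re.search(r"current_peer " + IPV4, line)
        if m:
            peer = m.group(1)
            result[peer] = {"encrypt": 0, "decrypt": 0, "send_errors": 0, "recv_errors": 0}
            continue
        if peer is None:
            continue
        for key, pattern in (("encrypt", r"#pkts encrypt: (\d+)"),
                             ("decrypt", r"#pkts decrypt: (\d+)"),
                             ("send_errors", r"#send errors (\d+)"),
                             ("recv_errors", r"#recv errors (\d+)")):
            m = re.search(pattern, line)
            if m:
                result[peer][key] = int(m.group(1))
    return result


def tunnel_health(isakmp_text, ipsec_text):
    """Apply the lesson's two checks per peer: IKE SA in QM_IDLE, and non-zero
    encrypt and decrypt counters. Returns {peer: verdict string}."""
    rows = ike_states(isakmp_text)
    counters = ipsec_counters(ipsec_text)
    verdicts = {}
    for peer in set(counters) | {dst for dst, _, _ in rows}:
        # The peer is in the dst column when this router initiated, src otherwise
        state = next((s for d, src, s in rows if peer in (d, src)), None)
        if state != "QM_IDLE":
            verdicts[peer] = "IKE Phase 1 not established (state %s)" % (state or "absent")
        elif peer not in counters:
            verdicts[peer] = "IKE up but no IPsec SA for this peer"
        else:
            c = counters[peer]
            if c["encrypt"] == 0 and c["decrypt"] == 0:
                verdicts[peer] = "IPsec SA present but idle (no traffic either way)"
            elif c["decrypt"] == 0:
                verdicts[peer] = "one-way: encrypting but nothing decrypted (check remote side and path)"
            elif c["encrypt"] == 0:
                verdicts[peer] = "one-way: decrypting but nothing encrypted (check local routing into the tunnel)"
            elif c["send_errors"] or c["recv_errors"]:
                verdicts[peer] = "traffic flows but send/recv errors are non-zero"
            else:
                verdicts[peer] = "OK"
    return verdicts


if __name__ == "__main__":
    for peer, verdict in tunnel_health(SAMPLE_ISAKMP, SAMPLE_IPSEC).items():
        print(peer, verdict)
```

In practice the two text blocks come from the router (for example over SSH with a library such as Netmiko, or from a scheduled copy of the command output); the checks are the same. A router that has just rebooted shows no ISAKMP entry until traffic matching the crypto ACL triggers IKE, so "absent" right after a reload is expected rather than a fault.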
Troubleshooting GRE Tunnel Configuration
router# debug crypto isakmp
Debugs IKE communication
Advanced troubleshooting can be performed using the Cisco IOS CLI
Troubleshooting requires knowledge of Cisco IOS CLI commands