routeprotocol.com

Site-to-Site IPSec Configuration

GRE over IPSec first encapsulates the original packet in GRE, adding a 4-byte GRE header and a new outer IP header. That GRE packet is then protected by IPSec. Transport mode is the natural pairing, because the GRE packet already carries a routable IP header; tunnel mode also works (and is what the transform sets below use) but wraps the GRE packet in a second outer IP header, costing a further 20 bytes per packet.

VTI over IPSec carries the IP packet directly as the ESP payload, without a GRE header.
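To make the encapsulation difference concrete, the following Python calculator is an added example and not part of the original post. It computes the on-wire size of one inner IP packet for the three designs on this page (GRE over IPSec with the transform set in tunnel mode, GRE over IPSec with the transform set in transport mode, and a static VTI) and the largest inner packet that fits a given link MTU without fragmentation. It assumes IPv4 without options, a 4-byte GRE header with no key or sequence fields, AES-CBC (16-byte IV and block) with HMAC-SHA-256-128 (16-byte ICV), matching the esp-aes 256 esp-sha256-hmac transform set used below, and no NAT-T; the 1400-byte inner packet and 1500-byte link MTU in the usage are illustrative values.

```python
"""Per-packet encapsulation overhead for GRE over IPsec (tunnel or transport mode
transform set) and for a static VTI.

Added example, not from the original post. Assumptions: IPv4 without options,
GRE with no key/sequence fields (4 bytes), ESP with AES-CBC (16-byte IV, 16-byte
block) and HMAC-SHA-256-128 (16-byte ICV), as negotiated by the transform set
esp-aes 256 esp-sha256-hmac. NAT-T (an extra 8-byte UDP header) is not modelled.
"""

IPV4_HDR = 20
GRE_HDR = 4        # flags/version + protocol type, no optional fields
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 16        # AES-CBC initialisation vector
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 16       # truncated HMAC-SHA-256 tag
AES_BLOCK = 16

# Bytes that sit between the inner packet and ESP, and so get encrypted with it.
PLAINTEXT_EXTRA = {
    "gre-tunnel": GRE_HDR + IPV4_HDR,  # GRE header + GRE's IP header, all inside ESP tunnel mode
    "gre-transport": GRE_HDR,          # GRE header only; GRE's IP header becomes the ESP outer header
    "vti": 0,                          # tunnel mode ipsec ipv4: inner packet is the ESP payload itself
}


def esp_encrypted_len(plaintext_len):
    """Plaintext plus trailer, padded to the AES block size (RFC 4303 / RFC 3602).

    Returns (encrypted_len, pad_bytes).
    """
    unpadded = plaintext_len + ESP_TRAILER
    pad = (-unpadded) % AES_BLOCK
    return unpadded + pad, pad


def on_wire_size(inner_len, design):
    """Total IPv4 datagram size carrying one inner packet of inner_len bytes.

    Returns (total_bytes, pad_bytes). Every design ends up with exactly one
    outer IP header in front of ESP; what differs is how much goes inside.
    """
    encrypted, pad = esp_encrypted_len(inner_len + PLAINTEXT_EXTRA[design])
    return IPV4_HDR + ESP_HDR + ESP_IV + encrypted + ESP_ICV, pad


def overhead(inner_len, design):
    """Bytes added on the wire for this inner packet size."""
    return on_wire_size(inner_len, design)[0] - inner_len


def max_inner_len(link_mtu, design):
    """Largest inner packet that fits in link_mtu without fragmenting the outer packet.

    Because of block padding the overhead moves in 16-byte steps, so search
    downward from the link MTU instead of subtracting a fixed constant.
    """
    for inner in range(link_mtu, 0, -1):
        if on_wire_size(inner, design)[0] <= link_mtu:
            return inner
    raise ValueError("link MTU too small for any inner packet")


if __name__ == "__main__":
    for design in PLAINTEXT_EXTRA:
        total, pad = on_wire_size(1400, design)
        print(f"{design:14s} 1400-byte inner -> {total} bytes on the wire ({pad} pad), "
              f"largest inner for a 1500-byte link: {max_inner_len(1500, design)}")
```

For a 1400-byte inner packet the tunnel-mode GRE design used on this page produces a 1500-byte outer packet, while both GRE in transport mode and the VTI produce 1468 bytes: the 4-byte GRE header that VTI saves is often absorbed by ESP padding, whereas the tunnel-mode transform set pays a full extra IP header on every packet. The max_inner_len figure (1414 for GRE in tunnel mode over a 1500-byte link, 1438 for the VTI) is the ceiling for ip mtu on the tunnel interface; round down further if NAT-T or GRE key/sequence options are in play.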

Site to Site GRE over IPSec with Pre-Shared Key

There are two methods to encrypt traffic over a GRE tunnel: crypto maps, or IPSec profiles applied with tunnel protection.

Crypto maps are not recommended for tunnel protection, as they have limitations that IPSec profiles resolve. Examples of these limitations are:

  • Crypto maps cannot natively support MPLS
  • Configuration using crypto maps can become complex
  • Crypto map access control lists can easily be misconfigured
  • Crypto map entries can consume an excessive amount of TCAM space

Configuration of an IPSec GRE tunnel using Crypto Maps

Create an access list to classify the VPN traffic using the GRE tunnel's source and destination IP addresses (protocol 47, GRE, between the two tunnel endpoints):

ip access-list extended interesting-traffic
 10 permit gre host 64.62.123.123 host 34.12.56.21

The access list specifies the traffic that IPSec must protect. Matching on the GRE protocol between the two endpoint addresses catches everything that traverses the tunnel, whatever the inner packets are, without having to enumerate the private networks behind each site.

An ISAKMP policy can be configured next using the command crypto isakmp policy <priority-number>:

crypto isakmp policy 10
 encryption aes 256
 hash sha256
 group 14
 authentication pre-share

The above configuration creates a policy with the priority of 10; when several policies exist, the lowest number is preferred during negotiation and the peers settle on the first policy they both support. It uses AES-256 encryption with SHA-256 as the hash and Diffie-Hellman group 14 (2048-bit MODP) for the key exchange. A pre-shared key is used for authentication; RSA encrypted nonces (rsa-encr) or RSA signatures with digital certificates (rsa-sig) can alternatively be used.

As a pre-shared key is being used to authenticate the connection, it needs to be specified in the configuration:

crypto isakmp key myipseckey address 34.12.56.21 255.255.255.255

A key of 'myipseckey' has been specified for the peer at 34.12.56.21; the identical key must be configured on that peer. The 255.255.255.255 mask binds the key to that single address (a 0.0.0.0 0.0.0.0 wildcard would accept any peer presenting the key and should be avoided). The short value here is for illustration only; in production use a long, randomly generated key, since the pre-shared key is the only thing authenticating the peer.

With the ISAKMP policy part of the configuration done, the transform set needs to be configured next:

crypto ipsec transform-set my-transform-set esp-aes 256 esp-sha256-hmac
 mode tunnel

The transform set has been configured to use ESP with AES-256 for encryption and HMAC-SHA-256 for integrity. There was a choice between transport or tunnel as the mode; tunnel was chosen, and both peers must use the same mode. For GRE over IPSec, transport mode would avoid the redundant second outer IP header (20 bytes per packet), since GRE already supplies one.

Finally, the configuration needs to be tied together through the use of a crypto map:

crypto map my-map 10 ipsec-isakmp
 ! Tie in the ACL that selects the traffic to protect
 match address interesting-traffic
 ! The other end of the tunnel
 set peer 34.12.56.21
 ! Tie in the transform set
 set transform-set my-transform-set

The crypto map is then applied to the outgoing outside interface to activate it. With crypto maps the GRE tunnel interface itself carries no crypto configuration; the map on the physical interface catches the GRE packets as they leave.

interface GigabitEthernet0/0
 crypto map my-map

Configuration of an IPSec GRE tunnel using IPSec Profiles

Begin with an ISAKMP policy using the command crypto isakmp policy <priority-number>

crypto isakmp policy 10
 encryption aes 256
 hash sha256
 group 14
 authentication pre-share

A pre-shared key is being used to authenticate the connection, so it needs to be specified in the configuration:

crypto isakmp key myipseckey address 34.12.56.21 255.255.255.255

A key of 'myipseckey' has been specified for the peer at 34.12.56.21, as in the crypto map example above.

With the ISAKMP policy part of the configuration done, the transform set needs to be configured next:

crypto ipsec transform-set my-transform-set esp-aes 256 esp-sha256-hmac
 mode tunnel

Finally, the part that differs: instead of a crypto map and its access list, create an IPSec profile with crypto ipsec profile my-ipsec-profile and reference the transform set from it.

crypto ipsec profile my-ipsec-profile
 set transform-set my-transform-set

Next, attach the IPSec profile to the tunnel interface with tunnel protection. No crypto access list is needed: everything that leaves the tunnel is protected, and the IPSec proxy identities are derived from the tunnel's source and destination addresses:

interface tunnel 10
 ! Tunnel endpoints as in the crypto map example above
 tunnel source GigabitEthernet0/0
 tunnel destination 34.12.56.21
 tunnel protection ipsec profile my-ipsec-profile

Site-to-site Static Virtual Tunnel Interfaces (VTI) over IPSec with Pre-Shared Key

VTI over IPSec encapsulates traffic without the need of a GRE header.

The configuration for a VTI over IPSec tunnel is very similar. The difference is on the tunnel interface, where tunnel mode ipsec ipv4 replaces the default GRE encapsulation; to revert to GRE, use tunnel mode gre ipv4. In ipsec ipv4 mode the tunnel carries IPv4 only, whereas GRE can also carry other protocols such as IPv6 or MPLS over the same tunnel, which is the usual reason to keep GRE over IPSec.

Configuration on Router A

crypto isakmp policy 10
 encryption aes 256
 hash sha256
 group 14
 authentication pre-share
!
crypto isakmp key my-ipsec-key address 192.168.2.1 255.255.255.255
!
crypto ipsec transform-set my-transform-set esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile my-ipsec-profile
 set transform-set my-transform-set
!
interface Tunnel10
 ip address 10.10.10.1 255.255.255.0
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 192.168.2.1
 tunnel protection ipsec profile my-ipsec-profile

Configuration on Router B

crypto isakmp policy 10
 encryption aes 256
 hash sha256
 group 14
 authentication pre-share
!
crypto isakmp key my-ipsec-key address 192.168.1.1 255.255.255.255
!
crypto ipsec transform-set my-transform-set esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile my-ipsec-profile
 set transform-set my-transform-set
!
interface Tunnel10
 ip address 10.10.10.2 255.255.255.0
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 192.168.1.1
 tunnel protection ipsec profile my-ipsec-profile
end
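A cross-check of the two configurations above, as an added example rather than anything from the original post. The most common reason a tunnel like this never comes up is a parameter that differs between the two ends (ISAKMP policy, transform set or mode, pre-shared key, or tunnel endpoints that do not mirror each other), and the same checks apply to the ISAKMP policy, key and transform-set parts of the GRE over IPSec sections earlier on this page. The script is Python and is constructed for this page: the embedded configs copy Router A and Router B with GigabitEthernet1 addresses of 192.168.1.1 and 192.168.2.1 assumed from the key and tunnel destination lines, Router B's key is deliberately misspelt so there is something to find, and the weak-algorithm sets and 20-character minimum key length are this example's own policy rather than anything IOS enforces.

```python
"""Cross-check both ends of a site-to-site IPsec tunnel and flag weak crypto.
Added example, not from the original post. It parses only the IOS lines used on
this page. ROUTER_A/B are constructed from the page's configs with the
GigabitEthernet1 addresses assumed; WEAK_* and MIN_KEY_LEN are this example's
policy, not IOS defaults.
"""
import re
from ipaddress import ip_interface
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}
MIN_KEY_LEN = 20  # assumption: shorter pre-shared keys are reported
def parse(config):
    """Extract the facts the checks need from one router's config text."""
    f = {"policy": {}, "keys": {}, "transform": [], "mode": "tunnel",
         "ifaces": {}, "tun_src": None, "tun_dst": None}
    section = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(("crypto", "interface", "ip access-list", "end")):
            section = None                          # any top-level command closes the open block
        key = re.match(r"crypto isakmp key (\S+) address (\S+)", line)
        tset = re.match(r"crypto ipsec transform-set \S+ (.+)", line)
        if key:                                     # keys are indexed by peer address
            f["keys"][key.group(2)] = key.group(1)
        elif tset:                                  # e.g. ["esp-aes", "256", "esp-sha256-hmac"]
            f["transform"], section = tset.group(1).split(), "transform"
        elif line.startswith("crypto isakmp policy"):
            section = "policy"
        elif line.startswith("interface "):
            section, iface = "interface", line.split()[1]
        elif section == "policy":
            k, _, v = line.partition(" ")           # "encryption aes 256" -> {"encryption": "aes 256"}
            f["policy"][k] = v
        elif section == "transform" and line.startswith("mode "):
            f["mode"] = line.split()[1]
        elif section == "interface":
            if line.startswith("ip address "):
                f["ifaces"][iface] = ip_interface("/".join(line.split()[2:4]))
            elif line.startswith(("tunnel source ", "tunnel destination ")):
                f["tun_src" if "source" in line else "tun_dst"] = line.split()[2]
    if f["tun_src"] in f["ifaces"]:                 # "tunnel source GigabitEthernet1" -> its address
        f["tun_src"] = str(f["ifaces"][f["tun_src"]].ip)
    return f

def check_pair(a, b):
    """Mismatches between the two ends that stop IKE/IPsec negotiation or forwarding."""
    problems = []
    for k in ("encryption", "hash", "group", "authentication"):
        if a["policy"].get(k) != b["policy"].get(k):
            problems.append(f"ISAKMP {k} differs: {a['policy'].get(k)} vs {b['policy'].get(k)}")
    if a["transform"] != b["transform"] or a["mode"] != b["mode"]:
        problems.append("transform set or mode differs between the two routers")
    if a["tun_dst"] != b["tun_src"] or b["tun_dst"] != a["tun_src"]:
        problems.append(f"tunnel endpoints do not cross-match: {a['tun_src']}->{a['tun_dst']} vs {b['tun_src']}->{b['tun_dst']}")
    key_ab, key_ba = a["keys"].get(b["tun_src"]), b["keys"].get(a["tun_src"])
    if key_ab is None or key_ab != key_ba:          # each side must hold the same key for the other's address
        problems.append("pre-shared key missing or different between the two routers")
    return problems

def lint(f):
    """Weak choices on one router, independent of what the peer has."""
    findings = []
    for k, weak in WEAK_ISAKMP.items():
        if f["policy"].get(k, "").split(" ")[0] in weak:   # "aes 256" -> "aes"
            findings.append(f"weak ISAKMP {k}: {f['policy'][k]}")
    findings += [f"weak ESP transform: {alg}" for alg in f["transform"] if alg in WEAK_ESP]
    for addr, key in f["keys"].items():
        if len(key) < MIN_KEY_LEN:
            findings.append(f"pre-shared key for {addr} is only {len(key)} characters")
    return findings

# Constructed from the page's Router A; the GigabitEthernet1 address 192.168.1.1 is assumed.
ROUTER_A = """
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 group 14
 authentication pre-share
crypto isakmp key my-ipsec-key address 192.168.2.1 255.255.255.255
crypto ipsec transform-set my-transform-set esp-aes 256 esp-sha256-hmac
 mode tunnel
interface GigabitEthernet1
 ip address 192.168.1.1 255.255.255.0
interface Tunnel10
 ip address 10.10.10.1 255.255.255.0
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 192.168.2.1
 tunnel protection ipsec profile my-ipsec-profile
"""
ROUTER_B = (ROUTER_A.replace("192.168.2.1", "PEER").replace("192.168.1.1", "192.168.2.1")
            .replace("PEER", "192.168.1.1").replace("10.10.10.1", "10.10.10.2")
            .replace("my-ipsec-key", "my-ipsec-kay"))  # mirror image of A, with a deliberate key typo
if __name__ == "__main__":
    a, b = parse(ROUTER_A), parse(ROUTER_B)
    print(check_pair(a, b), lint(a), lint(b), sep="\n")
```

Run as-is, the pair check reports only the key mismatch, and the lint reports that the page's 12-character example key is below the assumed minimum on both routers; fixing the typo in ROUTER_B makes the pair check come back empty. The same parse/lint functions work on a GRE over IPSec profile configuration, since the policy, key and transform-set syntax is identical.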
