Most enterprises today are moving to IPsec over GRE tunnels to save cost, but I'm not saying this technology has already ruled out MPLS, leased lines, etc. It depends on the site: how critical it is and how stable the internet connection is. Usually a small office, like a sales office with only a few workers, uses this to connect to the corporate LAN.
IPsec and GRE tunnels are two different things. We'll go through IPsec first, then a brief look at GRE, and then I'll give you an example of IPsec over a GRE tunnel.
IPsec
The three main points of IPsec are
Authentication
Data Integrity
Confidentiality
Authentication
to make sure you are communicating with the right party
Data Integrity
to make sure what you send arrives at the destination in the same shape, meaning no modification happened along the way
Confidentiality
to make sure what is sent cannot be seen by a third party
What builds IPsec?
Basically, IPsec is a combination of a few protocols and algorithms:
Negotiation : IKE
Security : AH, ESP, ESP+AH
Encryption : DES, 3DES, AES
Authentication : MD5, SHA
Protection : DH, DH2, DH5, DH7
The two modes of communication
Transport Mode
This mode is used when data needs to be secured within the LAN, for example very important, highly confidential data.
Secure communication happens between two endpoints; other parties cannot read the packet from layer 4 and above, but they can still read the IP header.
Tunnel Mode
This mode is used when packets need to travel across a public network, where it is dangerous to let others see the private/internal IP information.
In this mode, encryption starts from the IP header (layer 3) upward to protect the internal IP information; a new public IP header is then added so the packet can be routed in the public network.
The two types of encryption keys
Symmetric : both sides use the same key to encrypt and decrypt data (shared key)
Asymmetric : public key to encrypt, private key to decrypt
Data Integrity
Data integrity is about making sure data is untouched on its way to the destination. To achieve this, the data is first run through a formula (a hash) to produce a value, which is sent along with the data. When it is received at the other site, the value is recalculated; if it matches the value produced before, the data is clean of any modification.
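To make that check concrete, here is an added example (not from the original post) of how the esp-sha-hmac integrity check works: HMAC-SHA1 over the protected bytes, truncated to 96 bits as the ICV (RFC 2404), recomputed and compared on receipt. The key and payload are constructed; in real IPsec the authentication key is derived by IKE.

```python
import hashlib
import hmac

# esp-sha-hmac is HMAC-SHA-1-96 (RFC 2404): a full HMAC-SHA1 is computed over
# the protected bytes and truncated to 96 bits to form the ICV appended to the packet.
ICV_LEN = 12

def compute_icv(auth_key: bytes, protected: bytes) -> bytes:
    """HMAC-SHA1 over the protected bytes, truncated to 96 bits."""
    return hmac.new(auth_key, protected, hashlib.sha1).digest()[:ICV_LEN]

def protect(auth_key: bytes, protected: bytes) -> bytes:
    """Sender side: append the ICV to the packet."""
    return protected + compute_icv(auth_key, protected)

def verify(auth_key: bytes, packet: bytes) -> bool:
    """Receiver side: split off the ICV, recompute it and compare in constant time."""
    if len(packet) <= ICV_LEN:
        return False
    protected, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(compute_icv(auth_key, protected), icv)

# Constructed sample: a 160-bit authentication key (IKE would normally derive it) and a payload.
SAMPLE_KEY = bytes.fromhex("0b" * 20)
SAMPLE_PAYLOAD = b"GET /payroll HTTP/1.1\r\nHost: intranet\r\n\r\n"

def demo() -> tuple:
    """Returns (untouched verifies, tampered verifies, wrong key verifies)."""
    packet = protect(SAMPLE_KEY, SAMPLE_PAYLOAD)
    untouched = verify(SAMPLE_KEY, packet)
    tampered = bytearray(packet)
    tampered[4] ^= 0x01            # one bit flipped in transit
    modified = verify(SAMPLE_KEY, bytes(tampered))
    wrong_key = verify(bytes.fromhex("0c" * 20), packet)   # different key, no valid ICV
    return untouched, modified, wrong_key
```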
The two phases that make communication happen
IKE phase 1
In the example above, R1 wants to initiate a connection, so R1 starts by sending message 1
Message 2 : exchange DH keys
Message 3 : make sure they are who they claim to be (authentication)
Basically this phase sets up a secure management channel for IKE phase 2
IKE phase 2
Negotiate and exchange IPsec parameters, protected by the existing IKE SA
Periodically renegotiate IPsec SAs to maintain security
Data transfer also happens in this stage
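As an added illustration (not part of the original post) of messages 2 and 3, the following Python simulates the DH exchange in RFC 2409 group 2 (the "group 2" chosen later in the ISAKMP policy) and a simplified pre-shared-key authentication hash between R1 and R2. The PSK values and the 16-byte nonces are constructed, and HASH_I is reduced to the two public DH values only; the point it shows is that a matching DH secret alone proves nothing about identity, the PSK does.

```python
import hashlib
import hmac
import secrets

# RFC 2409 group 2: the 1024-bit MODP prime with generator 2 (what "group 2" selects).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key: bytes, data: bytes) -> bytes:
    # With "hash sha" the IKEv1 prf is HMAC-SHA1.
    return hmac.new(key, data, hashlib.sha1).digest()

class Peer:
    """One IKE endpoint: private DH exponent, public value and nonce."""
    def __init__(self, psk: bytes):
        self.psk = psk
        self.x = secrets.randbelow(P - 2) + 1     # private exponent, never sent
        self.gx = pow(G, self.x, P)              # public value carried in message 2
        self.nonce = secrets.token_bytes(16)

    def derive(self, peer_gx: int, peer_nonce: bytes, initiator: bool) -> None:
        # Both sides reach the same g^xy. For pre-shared-key authentication
        # SKEYID = prf(psk, Ni | Nr) (RFC 2409 section 5.4), so only a holder
        # of the same key can derive the same SKEYID.
        self.shared = pow(peer_gx, self.x, P)
        ni, nr = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        self.skeyid = prf(self.psk, ni + nr)

    def auth_hash(self, gx_i: int, gx_r: int) -> bytes:
        # Simplified HASH_I/HASH_R of message 3: proves knowledge of SKEYID.
        return prf(self.skeyid, gx_i.to_bytes(128, "big") + gx_r.to_bytes(128, "big"))

def ike_phase1(psk_r1: bytes, psk_r2: bytes) -> tuple:
    """Messages 2 and 3 between R1 (initiator) and R2; returns (same secret, authenticated)."""
    r1, r2 = Peer(psk_r1), Peer(psk_r2)
    r1.derive(r2.gx, r2.nonce, initiator=True)    # message 2: DH values and nonces crossed
    r2.derive(r1.gx, r1.nonce, initiator=False)
    # message 3: R1 sends HASH_I; R2 recomputes it with its own SKEYID and compares
    authenticated = hmac.compare_digest(r1.auth_hash(r1.gx, r2.gx), r2.auth_hash(r1.gx, r2.gx))
    return r1.shared == r2.shared, authenticated
```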
Example : Step by step how to configure a secure IPsec
1. Set up the ISAKMP policy (IKE Phase 1), the management phase
png(config)#crypto isakmp policy 50 // give the policy a number; the lower the number, the higher the priority
png(config-isakmp)#authentication pre-share // pre-shared key, both sites must share the same key
png(config-isakmp)#encryption des
png(config-isakmp)#group 2 // select the DH group to use
png(config-isakmp)#hash sha
png(config)#crypto isakmp key cisco123 add 71.209.254.34 // define the pre-shared key here, with the address of the peer
2. Set up the IPsec transform set (IKE Phase 2); basically this is where we define the encryption and hash algorithms the data will use
png(config)#crypto ipsec transform-set CISCO_SET esp-des esp-sha-hmac
3. Define the interesting traffic using an access-list; this is where we define which subnets or addresses need to be forwarded into the IPsec channel
png(config)#ip access-list extended INT_TRAFFIC
png(config-ext-nacl)#permit ip 172.3.0.0 0.0.255.255 192.168.1.0 0.0.255.255
4. Set up the crypto map
png(config)#crypto map VPN_MAP 10 ipsec-isakmp // give the map a name
png(config-crypto-map)#set peer 71.209.254.34 // set the peer
png(config-crypto-map)#match add INT_TRAFFIC // set the interesting traffic
png(config-crypto-map)#set transform-set CISCO_SET // set the transform set
5. Apply it to the interface
png(config)#int fa 0/1
png(config-if)#crypto map VPN_MAP
GRE Tunnel over IPsec
A GRE tunnel is a standard tunneling method today; it is a logical interface and it is completely unsecured. By combining a GRE tunnel with IPsec we can build a very secure link with a simple setup, and it can also carry routing updates.
I'll go straight to the example: GRE over IPsec with EIGRP
To create a tunnel, make sure you have two public IP addresses that can ping each other. In this example I just assume 17.1.1.1, 17.1.2.1 and 17.1.2.2 are three public IP addresses.
Sample Conf for png
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname png
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto map vpn 10 ipsec-isakmp
set peer 17.1.2.1
set transform-set strong
match address 110
crypto map vpn 20 ipsec-isakmp
set peer 17.1.2.2
set transform-set strong
match address 120
!
!
!
!
interface Tunnel1
ip address 192.168.1.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 17.1.2.1
crypto map vpn
!
interface Tunnel2
ip address 192.168.2.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 17.1.2.2
crypto map vpn
!
interface FastEthernet0/0
ip address 17.1.1.1 255.255.0.0
duplex auto
speed auto
crypto map vpn
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 60
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
access-list 110 permit gre host 17.1.1.1 host 17.1.2.1
access-list 120 permit gre host 17.1.1.1 host 17.1.2.2
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
Sample Conf for cyb
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cyb
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto map vpn 10 ipsec-isakmp
set peer 17.1.1.1
set transform-set strong
match address 110
!
!
!
!
interface Tunnel1
ip address 192.168.1.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 17.1.1.1
crypto map vpn
!
interface FastEthernet0/0
ip address 17.1.2.1 255.255.0.0
duplex auto
speed auto
crypto map vpn
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 60
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
access-list 110 permit gre host 17.1.2.1 host 17.1.1.1
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
Sample Conf for lab
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname lab
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto map vpn 20 ipsec-isakmp
set peer 17.1.1.1
set transform-set strong
match address 120
!
!
!
!
interface Tunnel2
ip address 192.168.2.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 17.1.1.1
crypto map vpn
!
interface FastEthernet0/0
ip address 17.1.2.2 255.255.0.0
duplex auto
speed auto
crypto map vpn
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 60
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
access-list 120 permit gre host 17.1.2.2 host 17.1.1.1
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
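As an added check (not from the original post), the following Python audits the crypto lines of the sample configs above for the settings a reviewer would flag: the pre-shared key bound to the wildcard address 0.0.0.0 0.0.0.0, the transform set named "strong" that actually uses 3DES and MD5, and an ISAKMP policy that leaves encryption and DH group at their IOS defaults (DES, group 1). The hardened counterpart is constructed; its AES-256, SHA-256 and group 14 keywords assume an IOS release that supports them, and the PSK is a placeholder.

```python
# Constructed excerpt of the page's "png" configuration (crypto lines only).
PAGE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
"""
# Constructed hardened counterpart: algorithms stated explicitly and the PSK bound
# to one peer. The AES-256/SHA-256/group 14 keywords assume an IOS release that has them.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_LONG_RANDOM_PSK address 17.1.2.1 255.255.255.255
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
"""
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}
POLICY_KEYWORDS = {"encryption", "hash", "group", "authentication", "lifetime"}

def audit_crypto(config: str) -> list:
    """Return finding codes for ISAKMP policies, pre-shared keys and transform sets."""
    findings, policy, explicit = [], None, {}
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if policy and words[0] in POLICY_KEYWORDS:   # sub-command of the current policy
            explicit[policy].add(words[0])
            continue
        policy = None
        if words[:3] == ["crypto", "isakmp", "policy"]:
            policy = words[3]
            explicit.setdefault(policy, set())
        elif words[:3] == ["crypto", "isakmp", "key"] and words[-2:] == ["0.0.0.0", "0.0.0.0"]:
            findings.append("WILDCARD_PSK")   # any address that knows the key may peer
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += ["WEAK_TRANSFORM_" + w for w in words[4:] if w in WEAK_TRANSFORMS]
    for num, seen in explicit.items():
        # IOS defaults when the keyword is omitted: DES encryption and DH group 1.
        if "encryption" not in seen:
            findings.append(f"POLICY_{num}_DEFAULT_ENCRYPTION_DES")
        if "group" not in seen:
            findings.append(f"POLICY_{num}_DEFAULT_GROUP_1")
    return findings
```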
Good one bro
great work mate, keep it up!! GF