© 2006 Cisco Systems, Inc. All rights reserved. ISCW
IPsec VPNs: Configuring GRE Tunnels over IPsec
Generic Routing Encapsulation
Generic Routing Encapsulation
- OSI Layer 3 tunneling protocol:
  – Uses IP for transport
  – Uses an additional header to support any other OSI Layer 3 protocol as payload (e.g., IP, IPX, AppleTalk)
Default GRE Characteristics
- Tunneling of arbitrary OSI Layer 3 payload is the primary goal of GRE
- Stateless (no flow control mechanisms)
- No security (no confidentiality, data authentication, or integrity assurance)
- 24-byte overhead by default (20-byte IP header and 4-byte GRE header)
Optional GRE Extensions
- GRE can optionally contain any one or more of these fields (each adds 4 bytes to the GRE header):
  – Tunnel checksum
  – Tunnel key
  – Tunnel packet sequence number
- GRE keepalives can be used to track tunnel path status.
GRE Configuration Example
- The tunnel interface is up and its line protocol is up if:
  – Tunnel source and destination are configured
  – Tunnel destination is in the routing table (reachable via a path outside the tunnel itself)
  – GRE keepalives are received (if keepalives are configured)
- GRE over IP is the default tunnel mode.
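As an added example (not from the course slides), the CLI configuration for a plain GRE tunnel between two routers, R1 and R2, that meets the three conditions above. The interface names, the 192.0.2.0/24 and 198.51.100.0/24 transport addresses (RFC 5737 documentation ranges), the 10.0.0.0/30 tunnel subnet, the LAN prefixes and the tunnel key value are all assumptions chosen for this illustration:

```cisco
! R1 -- plain GRE, no IPsec yet. Addresses and key are illustrative only.
interface FastEthernet0/0
 description Transport network (untrusted)
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet0/1
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
!
interface Tunnel0
 description Plain GRE to R2 (no confidentiality, authentication or integrity)
 ip address 10.0.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.1
! GRE over IP is the default tunnel mode; stated explicitly for clarity.
 tunnel mode gre ip
! Optional key: a plaintext 32-bit value in the GRE header that both ends must
! match. It identifies the tunnel; it is not authentication.
 tunnel key 12345
! Optional keepalives: one every 10 s; line protocol goes down after 3 misses.
 keepalive 10 3
!
! The tunnel destination must be reachable OUTSIDE the tunnel, otherwise the
! interface stays line-protocol down (or flaps from recursive routing).
ip route 0.0.0.0 0.0.0.0 192.0.2.254
! The remote LAN is reached through the tunnel.
ip route 10.2.2.0 255.255.255.0 Tunnel0
!
! R2 -- mirror image: source and destination swapped, same key and keepalive.
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.2.2.1 255.255.255.0
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.1
 tunnel key 12345
 keepalive 10 3
!
ip route 0.0.0.0 0.0.0.0 198.51.100.254
ip route 10.1.1.0 255.255.255.0 Tunnel0
```

Verify with `show interfaces Tunnel0` (both "Tunnel0 is up" and "line protocol is up", plus the keepalive settings), `show ip route 10.2.2.0` (next hop should be Tunnel0) and `ping 10.0.0.2` from R1. A mismatched `tunnel key` or a missing route to the tunnel destination is enough to keep the line protocol down, which is exactly what the keepalives are for.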
Introducing Secure GRE Tunnels
Introducing Secure GRE Tunnels
- GRE is good at tunneling:
  – Multiprotocol support
  – Provides virtual point-to-point connectivity, allowing routing protocols to be used
- GRE is poor at security: the only form of "authentication" it offers is the tunnel key, a plaintext 32-bit value carried in the GRE header that any on-path observer can read and replay (not secure)
- GRE cannot accommodate typical security requirements:
  – Confidentiality
  – Data source authentication
  – Data integrity
IPsec Characteristics
- IPsec provides what GRE lacks:
  – Confidentiality through encryption using symmetric algorithms (e.g., 3DES or AES)
  – Data source authentication using HMACs (e.g., HMAC-MD5 or HMAC-SHA-1)
  – Data integrity verification using the same HMACs
- IPsec is not perfect at tunneling:
  – Older Cisco IOS software versions do not support IP multicast over IPsec
  – IPsec was designed to tunnel IP only (no multiprotocol support)
  – Using crypto maps to implement IPsec does not allow routing protocols to run across the tunnel
  – IPsec does not tunnel non-IP protocols; GRE does
GRE over IPsec
- GRE over IPsec is typically used to do the following:
  – Create a logical hub-and-spoke topology of virtual point-to-point connections
  – Secure communication over an untrusted transport network (e.g., Internet)
GRE over IPsec Characteristics
- GRE encapsulates the arbitrary payload.
- IPsec encapsulates the resulting unicast IP packet (the GRE packet):
  – Tunnel mode (default): IPsec creates a new outer IP header around the GRE packet
  – Transport mode: IPsec reuses the IP header of the GRE packet (20 bytes less overhead)
Configuring GRE over IPsec Site-to-Site Tunnel Using SDM
Backup GRE Tunnel Information
VPN Authentication Information
IKE Proposals
Creating a Custom IKE Policy
- Define all IKE policy parameters:
  – Priority
  – Encryption algorithm: DES, 3DES, AES
  – HMAC: SHA-1 or MD5
  – Authentication method: preshared secrets or digital certificates
  – Diffie-Hellman group: 1, 2, or 5
  – IKE lifetime
- Of the choices offered here, prefer AES, SHA-1 and the largest available DH group; DES, MD5 and DH group 1 are considered too weak for new deployments.
Transform Set
Routing Information
- Option 1: Static Routing
- Option 2: Dynamic Routing Using EIGRP
- Option 3: Dynamic Routing Using OSPF
Completing the Configuration
Review the Generated Configuration
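The generated configuration is not reproduced on these slides, so the following is an added example (not the course's own output) of the Cisco IOS CLI that corresponds to the wizard steps above: the IKE policy, the transform set, the crypto ACL and crypto map that protect only the GRE traffic, the tunnel interface, and EIGRP as the routing option. It shows R1 only; R2 mirrors it with source and destination swapped. Interface names, the RFC 5737 transport addresses 192.0.2.1 and 198.51.100.1, the 10.0.0.0/30 tunnel subnet, the LAN prefixes, the names GRE-TS and GRE-MAP, the ACL number and the placeholder preshared key are all assumptions for this illustration:

```cisco
! R1 -- GRE over IPsec with a crypto map. Addresses, names and the PSK are
! placeholders chosen for this example.
!
! IKE phase 1 policy: the parameters from "Creating a Custom IKE Policy".
! AES, SHA-1 and group 5 are the strongest choices the wizard offers; newer IOS
! releases also accept stronger settings such as "group 14".
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
! Preshared key bound to the peer's transport address. Use a long random value.
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-SECRET address 198.51.100.1
!
! IKE phase 2 transform set. Transport mode reuses the GRE packet's own outer
! IP header, saving 20 bytes versus the default tunnel mode.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Crypto ACL: only GRE (IP protocol 47) between the two tunnel endpoints is
! encrypted, so every packet that enters Tunnel0 is protected.
access-list 100 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map GRE-MAP 10 ipsec-isakmp
 description Protect the GRE tunnel to R2
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address 100
!
! The crypto map is applied to the physical interface that sources the tunnel.
interface FastEthernet0/0
 description Transport network (untrusted)
 ip address 192.0.2.1 255.255.255.0
 crypto map GRE-MAP
!
interface FastEthernet0/1
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
!
interface Tunnel0
 description GRE to R2, encrypted by GRE-MAP on FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
! Practitioner addition, not from the slides: lower the tunnel MTU and TCP MSS to
! leave room for the GRE (24 bytes) and ESP overhead and avoid fragmentation.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.1
!
! Routing option 2: EIGRP across the tunnel. Advertise only the tunnel subnet and
! the LAN, never the transport network, or the tunnel destination could be
! learned through the tunnel itself (recursive routing) and the tunnel would flap.
! EIGRP hellos across the tunnel also give liveness detection.
router eigrp 100
 network 10.0.0.0 0.0.0.3
 network 10.1.1.0 0.0.0.255
 no auto-summary
!
! The tunnel destination (and the IPsec peer) is reached via the physical path.
ip route 0.0.0.0 0.0.0.0 192.0.2.254
```

After pinging across the tunnel, `show crypto isakmp sa` should show the peer in state QM_IDLE, `show crypto ipsec sa` should show the GRE selector (`permit 47 host 192.0.2.1 host 198.51.100.1`) with the `#pkts encaps` and `#pkts decaps` counters increasing, and `show ip eigrp neighbors` should list 10.0.0.2 on Tunnel0. If the IKE policies or transform sets of the two peers do not match, the ISAKMP SA never reaches QM_IDLE and `debug crypto isakmp` reports the proposal mismatch.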
Test Tunnel Configuration and Operation
Monitor Tunnel Operation
Advanced Monitoring
- Advanced monitoring can be performed using the default Cisco IOS HTTP server interface.
- Requires knowledge of Cisco IOS CLI commands:
  – router# show crypto isakmp sa: lists active IKE sessions
  – router# show crypto ipsec sa: lists active IPsec security associations
  – router# show interfaces: lists interfaces and their statistics, including the statistics of tunnel interfaces
Troubleshooting
- Advanced troubleshooting can be performed using the Cisco IOS CLI.
- Requires knowledge of Cisco IOS CLI commands:
  – router# debug crypto isakmp: debugs IKE communication
Summary
- GRE is a multiprotocol tunneling technology.
- SDM can be used to implement GRE over IPsec site-to-site VPNs.
- Backup tunnels can be configured in addition to one primary tunnel.
- Routing can be configured through the tunnel interfaces:
  – Static for simple sites
  – OSPF or EIGRP for more complex sites (more networks, multiple tunnels)
- Upon completing the configuration, the SDM converts the configuration into the Cisco IOS CLI format.