Saturday, November 28, 2015

Configuring GRE over IPSEC w/ Routing (EIGRP)

In this blogtorial, we will briefly explore how to configure GRE tunnels over IPSEC with routing (EIGRP). In addition, we will take a closer look down at the packet level on how GRE interacts with IPSEC. Take a look at the simple topology below and let's get started.


As always let's start by configuring the interfaces on the routers so we have L3 reachability between the routers.

 R1#show run int gig1.12  
 Building configuration...  
 Current configuration : 95 bytes  
 !  
 interface GigabitEthernet1.12  
  encapsulation dot1Q 12  
  ip address 1.1.1.1 255.255.255.0  
 end

 R2#show run int gig1.12  
 Building configuration...  
 Current configuration : 95 bytes  
 !  
 interface GigabitEthernet1.12  
  encapsulation dot1Q 12  
  ip address 1.1.1.2 255.255.255.0  
 end  

 R1#ping 1.1.1.2  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms  

Now let's configure the Generic Routing Encapsulation (GRE) tunnel on both routers.

 R1#sh run int tun0  
 Building configuration...  
 Current configuration : 139 bytes  
 !  
 interface Tunnel0  
  ip address 192.168.1.1 255.255.255.0  
  ip mtu 1400  
  tunnel source GigabitEthernet1.12  
  tunnel destination 1.1.1.2  
 end  

 R2#sh run int tun0  
 Building configuration...  
 Current configuration : 139 bytes  
 !  
 interface Tunnel0  
  ip address 192.168.1.2 255.255.255.0  
  ip mtu 1400  
  tunnel source GigabitEthernet1.12  
  tunnel destination 1.1.1.1  
 end  

Notice that I am setting the MTU on the tunnel interface to account for the GRE overhead so routers do not have to fragment the packets. Keep in mind that GRE adds extra 24 bytes of overhead (4 byte GRE Header + 20 byte IP Header). See below on the packet capture between 192.168.1.1 and 192.168.1.2.


Now let's move on to the configuring basic IPSEC between the routers.

!!--First configure the isakmp policy--!!
 R1#conf t  
 R1(config)#crypto isakmp policy 10  
 R1(config-isakmp)# encr 3des  
 R1(config-isakmp)# hash md5  
 R1(config-isakmp)# authentication pre-share  
 R1(config-isakmp)# group 5   

!!--Next let's configure the transform-set (ESP / AH) parameters and the pre-shared key between the routers
 R1(config)#crypto isakmp key CISCO address 1.1.1.2
 R1(config)#crypto ipsec transform-set AES-128-SHA-1 esp-aes esp-sha-hmac

!!--Source the ipsec connection from gig1.12
 R1(cfg-crypto-trans)#crypto map GRE_OVER_IPSEC local-address gig1.12

!!--Create the crypto map, set the peer, attach transform set, and configure the ACL to match traffic that should be IPSEC encapsulated
 R1(config)#crypto map GRE_OVER_IPSEC 10 ipsec-isakmp
   % NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
 R1(config-crypto-map)# set peer 1.1.1.2
 R1(config-crypto-map)# set transform-set AES-128-SHA-1
 R1(config-crypto-map)# match address ipsec-acl

!!--Keep in mind the only traffic we need to IPSEC is GRE traffic between the routers. 
!!--This is because all other packets will be encapsulated within GRE. 
 R1(config-crypto-map)#ip access-list extended ipsec-acl
 R1(config-ext-nacl)# permit gre host 1.1.1.1 host 1.1.1.2

Let's configure R2 the same way except change the PEER and mirror the "ipsec-acl".

 R2#conf t  
 R2(config)#crypto isakmp policy 10  
 R2(config-isakmp)# encr 3des  
 R2(config-isakmp)# hash md5  
 R2(config-isakmp)# authentication pre-share  
 R2(config-isakmp)# group 5   

 R2(config)#crypto isakmp key CISCO address 1.1.1.1
 R2(config)#crypto ipsec transform-set AES-128-SHA-1 esp-aes esp-sha-hmac

 R2(cfg-crypto-trans)#crypto map GRE_OVER_IPSEC local-address gig1.12

 R2(config)#crypto map GRE_OVER_IPSEC 10 ipsec-isakmp
   % NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
 R2(config-crypto-map)# set peer 1.1.1.1
 R2(config-crypto-map)# set transform-set AES-128-SHA-1
 R2(config-crypto-map)# match address ipsec-acl

!!--Make sure that the IPSEC ACLs are exact mirror on both routers. 
 R1(config-crypto-map)#ip access-list extended ipsec-acl
 R1(config-ext-nacl)# permit gre host 1.1.1.2 host 1.1.1.1

Let's do show commands to make sure we have ISAKMP/IPSEC encapsulating and decapsulating packets. I did a few "pings" to get the interesting traffic to flow through the GRE tunnel.

 R1#show crypto isa sa  
 IPv4 Crypto ISAKMP SA  
 dst       src       state     conn-id status  
 1.1.1.2     1.1.1.1     QM_IDLE      1046 ACTIVE  
 IPv6 Crypto ISAKMP SA  

 R1#show crypto ipsec sa  
 interface: GigabitEthernet1.12  
   Crypto map tag: GRE_OVER_IPSEC, local addr 1.1.1.1  
   protected vrf: (none)  
   local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)  
   remote ident (addr/mask/prot/port): (1.1.1.2/255.255.255.255/47/0)  
   current_peer 1.1.1.2 port 500  
    PERMIT, flags={origin_is_acl,}  
   #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4  
   #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4  
   #pkts compressed: 0, #pkts decompressed: 0  
   #pkts not compressed: 0, #pkts compr. failed: 0  
   #pkts not decompressed: 0, #pkts decompress failed: 0  
   #send errors 0, #recv errors 0  
    local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2  
    plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1.12  
    current outbound spi: 0xD3A1D361(3550597985)  
    PFS (Y/N): N, DH group: none  
    inbound esp sas:  
    spi: 0xC6C0A240(3334513216)  
     transform: esp-aes esp-sha-hmac ,  
     in use settings ={Tunnel, }  
     conn id: 3197, flow_id: CSR:1197, sibling_flags FFFFFFFF80004048, crypto map: GRE_OVER_IPSEC  
     sa timing: remaining key lifetime (k/sec): (4607999/3286)  
     IV size: 16 bytes  
     replay detection support: Y  
     Status: ACTIVE(ACTIVE)  
    inbound ah sas:  
    inbound pcp sas:  
    outbound esp sas:  
    spi: 0xD3A1D361(3550597985)  
     transform: esp-aes esp-sha-hmac ,  
     in use settings ={Tunnel, }  
     conn id: 3198, flow_id: CSR:1198, sibling_flags FFFFFFFF80004048, crypto map: GRE_OVER_IPSEC  
     sa timing: remaining key lifetime (k/sec): (4607999/3286)  
     IV size: 16 bytes  
     replay detection support: Y  
     Status: ACTIVE(ACTIVE)  
    outbound ah sas:  
    outbound pcp sas:  

 R1# show crypto isa policy  
 Global IKE policy  
 Protection suite of priority 10  
     encryption algorithm:  Three key triple DES  
     hash algorithm:     Message Digest 5  
     authentication method: Pre-Shared Key  
     Diffie-Hellman group:  #5 (1536 bit)  
     lifetime:        86400 seconds, no volume limit  

As you can see the IPSEC between the routers is good to go.

Let's take a look at the IPSEC encapsulated pings between the routers.



As you can see ICMP packets which are encapsulated in GRE is now encapsulated inside IPSEC. So we have [IP]-[IPSEC]-[GRE]-[IP]-[PAYLOAD]-[TRAILER]

Note that you can run the IPSEC in transport mode and get ride of the extra IP header and save a few bytes of overhead.

Running routing is as simple as configuring EIGRP on the interfaces.

 R1#conf t  
 R1(config)#int lo0  
 R1(config-if)#ip add 10.10.10.1 255.255.255.255  
 R1(config)#router eigrp 1  
 R1(config-router)#network 10.10.10.1 0.0.0.0  
 R1(config-router)#network 192.168.1.0 0.0.0.255  

 R2#conf t  
 R2(config)#int lo0  
 R2(config-if)#ip add 10.10.10.2 255.255.255.255  
 R2(config)#router eigrp 1  
 R2(config-router)#network 10.10.10.2 0.0.0.0  
 R2(config-router)#network 192.168.1.0 0.0.0.255  

 R1#show ip eigrp neighbors  
 EIGRP-IPv4 Neighbors for AS(1)  
 H  Address         Interface       Hold Uptime  SRTT  RTO Q Seq  
                           (sec)     (ms)    Cnt Num  
 0  192.168.1.2       Tu0           14 00:01:48  2 1398 0 3  

 R1#show ip eigrp topology  
 EIGRP-IPv4 Topology Table for AS(1)/ID(10.10.10.1)  
 Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,  
     r - reply Status, s - sia Status  
 P 10.10.10.1/32, 1 successors, FD is 128256  
     via Connected, Loopback0  
 P 10.10.10.2/32, 1 successors, FD is 27008000  
     via 192.168.1.2 (27008000/128256), Tunnel0  
 P 192.168.1.0/24, 1 successors, FD is 26880000  
     via Connected, Tunnel0  

 R1#show ip route eigrp  
 Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP  
     D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area  
     N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2  
     E1 - OSPF external type 1, E2 - OSPF external type 2  
     i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2  
     ia - IS-IS inter area, * - candidate default, U - per-user static route  
     o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP  
     a - application route  
     + - replicated route, % - next hop override  
 Gateway of last resort is not set  
    10.0.0.0/32 is subnetted, 2 subnets  
 D    10.10.10.2 [90/27008000] via 192.168.1.2, 00:01:54, Tunnel0  

 R1#ping 10.10.10.2  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/5 ms  

There you have it ... GRE over IPSEC w/ routing (EIGRP).

Many more articles to come so ....

Please subscribe/comment/+1 if you like my posts as it keeps me motivated to write more and spread the knowledge.