Friday, December 4, 2015

Configuring IPSEC VTI (Virtual Tunnel Interfaces)

In this blogtorial, we will briefly explore how to configure IPSEC Virtual Tunnel Interfaces. One of the main advantages of Virtual Tunnel Interfaces is that you do not have to configure an ACL to match all "interesting traffic", thereby minimizing the number of IPSEC security associations (SAs) that must be created.

We'll use the same simple topology from my previous blogtorial "Configuring GRE over IPSEC w/ Routing".


Key notes regarding IPSEC VTI

  • Less overhead
  • Single protocol encapsulation only
  • Multicast can be tunneled using VTI
  • Tunnel is always on and no interesting traffic is needed to bring up the tunnel
    • If there is a misconfiguration, the tunnel simply won't come up
    • Meaning the interface status / line protocol depends on IPSEC coming up correctly

As always, let's start by configuring the interfaces on the routers so that we have L3 reachability between them.

 R1#show run int gig1.12  
 Building configuration...  
 Current configuration : 95 bytes  
 !  
 interface GigabitEthernet1.12  
  encapsulation dot1Q 12  
  ip address 1.1.1.1 255.255.255.0  
 end

 R2#show run int gig1.12  
 Building configuration...  
 Current configuration : 95 bytes  
 !  
 interface GigabitEthernet1.12  
  encapsulation dot1Q 12  
  ip address 1.1.1.2 255.255.255.0  
 end  

 R1#ping 1.1.1.2  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms  

Now let's configure the Generic Routing Encapsulation (GRE) tunnel on both routers.

 R1#sh run int tun0  
 Building configuration...  
 Current configuration : 139 bytes  
 !  
 interface Tunnel0  
  ip address 192.168.1.1 255.255.255.0  
  ip mtu 1400  
  tunnel source GigabitEthernet1.12  
  tunnel destination 1.1.1.2  
 end  

 R2#sh run int tun0  
 Building configuration...  
 Current configuration : 139 bytes  
 !  
 interface Tunnel0  
  ip address 192.168.1.2 255.255.255.0  
  ip mtu 1400  
  tunnel source GigabitEthernet1.12  
  tunnel destination 1.1.1.1  
 end  

Notice that I am setting the MTU on the tunnel interface to account for the GRE overhead so that the routers do not have to fragment the packets. Keep in mind that GRE adds an extra 24 bytes of overhead (4-byte GRE header + 20-byte IP header). See below for the packet capture between 192.168.1.1 and 192.168.1.2.
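Once the IPSEC profile is applied, ESP adds its own overhead on top of GRE, so it is worth checking that `ip mtu 1400` really keeps every encrypted packet under the 1500-byte link MTU. The calculator below is an added example, not code from the original post: it models GRE inside an ESP SA built from the post's transform set esp-aes esp-sha-hmac (AES-128-CBC with a 16-byte IV, HMAC-SHA1-96 with a 12-byte ICV) in IOS's default tunnel mode, and assumes IPv4 headers without options and a GRE header without optional fields. The protocol-47 identities in the `show crypto ipsec sa` output later in the post confirm that GRE is still carried inside ESP in this setup.

```python
# Added example: per-packet overhead for GRE over an ESP SA negotiated with the
# transform set esp-aes esp-sha-hmac (AES-128-CBC + HMAC-SHA1-96).
# Assumptions: IPv4 headers without options, GRE header without optional fields.
IP_HDR = 20       # IPv4 header
GRE_HDR = 4       # GRE header (no key/sequence/checksum fields)
ESP_HDR = 8       # SPI (4) + sequence number (4)
AES_IV = 16       # AES-CBC initialisation vector carried in each ESP packet
AES_BLOCK = 16    # the encrypted part is padded to a multiple of this
ESP_TRAILER = 2   # pad length (1) + next header (1)
SHA1_ICV = 12     # HMAC-SHA1-96 integrity check value

def esp_padding(plaintext_len):
    """Padding bytes ESP adds so plaintext + trailer fills whole AES blocks."""
    return (-(plaintext_len + ESP_TRAILER)) % AES_BLOCK

def wire_size(inner_len, ipsec_tunnel_mode=True):
    """Size on the wire of an inner IP packet of inner_len bytes sent over Tunnel0.

    In IOS's default tunnel mode the GRE delivery IP header is encrypted too and
    ESP adds a fresh outer IP header; in transport mode the delivery header is
    reused as the outer header and only the GRE header and payload are encrypted.
    """
    plaintext = inner_len + GRE_HDR + (IP_HDR if ipsec_tunnel_mode else 0)
    encrypted = plaintext + esp_padding(plaintext) + ESP_TRAILER
    return IP_HDR + ESP_HDR + AES_IV + encrypted + SHA1_ICV

def max_inner_mtu(link_mtu=1500, ipsec_tunnel_mode=True):
    """Largest inner IP MTU whose packets never exceed link_mtu once encapsulated."""
    inner = link_mtu
    while wire_size(inner, ipsec_tunnel_mode) > link_mtu:
        inner -= 1
    return inner

if __name__ == "__main__":
    print("ip mtu 1400 packet on the wire:", wire_size(1400), "bytes")   # 1496
    print("largest safe inner MTU (tunnel mode):", max_inner_mtu())      # 1414
```

With this transform set the largest inner MTU that never needs fragmentation is 1414 bytes, so the post's value of 1400 is safe; configuring the transform set for transport mode would save a further 20 bytes per packet.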


Now let's move on to configuring a basic IPSEC profile between the routers.

R1#
 !!--ISAKMP policy   
 crypto isakmp policy 10   
  encr 3des   
  hash md5   
  authentication pre-share   
  group 5 
   
 !!--Next let's configure the transform-set (ESP / AH) parameters and the pre-shared key between the routers  
  crypto isakmp key CISCO address 1.1.1.2
  crypto ipsec transform-set AES-128-SHA-1 esp-aes esp-sha-hmac  

 !!--Create the crypto ipsec profile and set the transform set  
 crypto ipsec profile IPSEC_VTI  
  set transform-set AES-128-SHA-1  

R2#
 !!--ISAKMP policy   
 crypto isakmp policy 10   
  encr 3des   
  hash md5   
  authentication pre-share   
  group 5 
   
 !!--Next let's configure the transform-set (ESP / AH) parameters and the pre-shared key between the routers  
  crypto isakmp key CISCO address 1.1.1.1
  crypto ipsec transform-set AES-128-SHA-1 esp-aes esp-sha-hmac  

 !!--Create the crypto ipsec profile and set the transform set  
 crypto ipsec profile IPSEC_VTI  
  set transform-set AES-128-SHA-1  
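The ISAKMP policy above negotiates 3DES, MD5 and DH group 5, and the pre-shared key is the five-character string CISCO. Cisco's next-generation encryption guidance classes DES, 3DES, MD5, SHA-1 and DH groups 1, 2 and 5 as legacy and recommends AES, SHA-2 and DH group 14 or higher instead. The audit script below is an added example (not part of the original post) that scans IOS crypto configuration such as the R1 lines above and reports those legacy choices; the minimum key length and the suggested replacements are assumptions chosen for illustration.

```python
import re

# Constructed sample: the ISAKMP/IPsec lines configured on R1 in this post.
R1_CRYPTO_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key CISCO address 1.1.1.2
crypto ipsec transform-set AES-128-SHA-1 esp-aes esp-sha-hmac
crypto ipsec profile IPSEC_VTI
 set transform-set AES-128-SHA-1
"""

# Algorithms treated as legacy and the replacement suggested for each
# (assumed policy, following Cisco's next-generation encryption guidance).
LEGACY_IKE_ENCR = {"des": "aes 256", "3des": "aes 256"}
LEGACY_IKE_HASH = {"md5": "sha256", "sha": "sha256"}  # IKEv1 'hash sha' means SHA-1
LEGACY_DH_GROUPS = {g: "group 14 or higher" for g in ("1", "2", "5")}
LEGACY_ESP = {"esp-des": "esp-aes 256", "esp-3des": "esp-aes 256",
              "esp-md5-hmac": "esp-sha256-hmac"}
MIN_PSK_LEN = 20  # assumed minimum length for a plaintext pre-shared key

def audit_crypto_config(config):
    """Return a list of findings (strings) for legacy algorithms and weak pre-shared keys."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"encr (\S+)(?: \d+)?", line):
            if m[1] in LEGACY_IKE_ENCR:
                findings.append(f"IKE encryption '{m[1]}' is legacy; use {LEGACY_IKE_ENCR[m[1]]}")
        elif m := re.fullmatch(r"hash (\S+)", line):
            if m[1] in LEGACY_IKE_HASH:
                findings.append(f"IKE hash '{m[1]}' is legacy; use {LEGACY_IKE_HASH[m[1]]}")
        elif m := re.fullmatch(r"group (\d+)", line):
            if m[1] in LEGACY_DH_GROUPS:
                findings.append(f"DH group {m[1]} is legacy; use {LEGACY_DH_GROUPS[m[1]]}")
        elif m := re.fullmatch(r"crypto isakmp key (?:(\d) )?(\S+) address (\S+)", line):
            # Type-6 keys are stored encrypted, so their length says nothing about strength.
            if m[1] != "6" and len(m[2]) < MIN_PSK_LEN:
                findings.append(f"pre-shared key for {m[3]} is {len(m[2])} chars; use a long random key")
        elif m := re.fullmatch(r"crypto ipsec transform-set \S+ (.+)", line):
            for alg in m[1].split():
                if alg in LEGACY_ESP:
                    findings.append(f"transform '{alg}' is legacy; use {LEGACY_ESP[alg]}")
    return findings

if __name__ == "__main__":
    for finding in audit_crypto_config(R1_CRYPTO_CONFIG):
        print(finding)
```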

Now apply the IPSEC profile to the tunnel interface.

 R1#sh run int tun0  
 Building configuration...  
 Current configuration : 182 bytes  
 !  
 interface Tunnel0  
  ip address 192.168.1.1 255.255.255.0  
  ip mtu 1400  
  tunnel source GigabitEthernet1.12  
  tunnel destination 1.1.1.2  
  tunnel protection ipsec profile IPSEC_VTI  
 end  

 R2#sh run int tun0  
 Building configuration...  
 Current configuration : 182 bytes  
 !  
 interface Tunnel0  
  ip address 192.168.1.2 255.255.255.0  
  ip mtu 1400  
  tunnel source GigabitEthernet1.12  
  tunnel destination 1.1.1.1  
  tunnel protection ipsec profile IPSEC_VTI  
 end  

Notice that I am not applying the IPSEC profile to Gig1.12 as I did in my previous blogtorial. This time you apply it directly on the tunnel interface, and anything going over the tunnel interface will be encapsulated.

Also notice that only a single security association is created, so there is less load on the CPU.

 R1# ping 192.168.1.2  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms  
 R1#show crypto ipsec sa  
 interface: Tunnel0  
   Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1  
   protected vrf: (none)  
   local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)  
   remote ident (addr/mask/prot/port): (1.1.1.2/255.255.255.255/47/0)  
   current_peer 1.1.1.2 port 500  
    PERMIT, flags={origin_is_acl,}  
   #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5  
   #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5  

In conclusion, IPSEC VTI greatly reduces the stress on the CPU and simplifies the configuration.

Many more articles to come so ....

Please subscribe/comment/+1 if you like my posts as it keeps me motivated to write more and spread the knowledge.