IPsec over a GRE tunnel

Captions
Today we're going to look at a lab that's going to demonstrate the flexibility and the power of using a GRE tunnel versus a traditional VPN connection between sites. So here's what we have for our scenario that we're going to be playing with today. We have a company; they have two sites, which in this map are designated by R1 and R2. Both of these sites have a connection to the internet on a public IP space: router 1 with the 162 space over here, and site 2, where R2 is the one with the 45.12 space. Behind each of these routers, just for demonstration purposes, we have an RFC 1918 IP space that they might be using for their client networks. Let's say what this company would like to do is have these two offices see each other, so the users can communicate with each other, share documents back and forth, access resources, typical things like that that, you know, two offices of the same company would want to do. So there's a couple of options to do this. One of the most popular (they're all going to involve the same technology), one of the ways you would do this is to have maybe a VPN appliance device sitting here that would go, you know, through this link, through the internet, back down to this site to router 2, and the two routers would see each other through the internet, and you could encapsulate that and secure that with current VPN technology. That is certainly a viable way to do it. What we're going to do in this video is take that a step further. We're going to create a secure VPN tunnel like that, but we're going to use a GRE tunnel to do that, and that stands for Generic Routing Encapsulation tunnel. This is going to give us a couple of nice advantages for the network administrator at the site. The first thing that it's going to do is, from a router perspective, it's going to create a virtual interface on router 1 and router 2 that that traffic will appear to flow across, so we won't have to worry about traffic going out to the internet, hopping through the internet hosts, for troubleshooting and tracking purposes. You know, physically it certainly does that; logically we're going to have an interface between these two routers.

The second big benefit of GRE is that it allows us to run an IGP routing protocol. So in our demonstration these two devices are going to be connected via VPN using a GRE tunnel, and they're going to be in the same OSPF area, and we're going to see that they can transfer OSPF information between them, so they'll get route updates from each other and they'll become OSPF neighbors in the same area. And the third benefit of GRE, which I mentioned earlier, is that it will be using standard encryption for VPN tunnels, so our data is going to be secure and safe. It's still going to be going through the internet; it will be encapsulated into this GRE tunnel. So what we're going to do is start with this: two different sites connected to the internet. And we want to turn it into this: two different sites, still connected to the internet, but we're going to create this virtual GRE tunnel between them. It's going to be a layer 3 tunnel, and these two devices will be in the same OSPF area, and we're going to see that they're going to become OSPF neighbors and they're going to update each other with OSPF route updates. So router 2 over here will see this network, and router 1 over at this site will be able to get to this network via OSPF. So let's get started on how we're going to make that happen.

OK, I've updated our network map with a little bit more information about what we're going to do in this first phase. We're going to do two things here. One is we're going to configure OSPF, get it up and running on each of these routers. Then we're going to create the tunnel interfaces as our second step; we're going to configure the tunnel interfaces, which is step three, and when we do that we're going to see some interesting behavior that happens with a tunnel interface that you wouldn't see with a physical interface, and I'll point that out when we get to it. The fourth thing we're going to have to do is, because these tunnel interfaces are layer 3, we're going to have to make a tweak to our OSPF. I could do that ahead of time, but I want to show you, you know, the logical order that we would do these things and encounter these in. So we're going to have to go back and tweak OSPF just slightly once we have our GRE tunnel interfaces up and running. And then of course the last thing that we're going to do is look at OSPF, make sure we can ping across the tunnel, make sure OSPF neighbors are coming up, and we'll do some traceroutes and some ping tests and some displays of the routing tables to make sure that our tunnel is indeed being used from a logical perspective.

So let's get started on router 1 with creating the first step up there, which is creating our OSPF routing process. Let me drag this into the window. OK, so here we are on router 1. Let's get into the router, and we're going to create just a real quick and dirty OSPF process. So we're going to start with router, if I can type today, ospf 123; that's just what our process ID is going to be. We're going to say network, and on router 1's side our network is 192.168.1.0, which we can see right down there: 192.168.1.0 0.0.0.255. Remember, with OSPF you have to enter the wildcard mask rather than the subnet mask. And we're going to put that in area 0, and that's all we're going to do for OSPF on router 1. Let me get this out of the way and we'll bring in router 2, and we'll do the same basic config on router 2. So here's router 2 in the window, and this one is 10.1.1.0/24. So in our config: router ospf 123 (the process ID needs to be the same), network is going to be 10.1.1.0 0.0.0.255, and that's also going to be in area 0. So there's the network we want to advertise on OSPF, and we're putting it into area 0. Ah, we got a space in there. All right, let's get that out of there. OK, we are now ready; we have OSPF configured on both sides. The reason I did that ahead of time is so we can see the neighbor relationships form in real time as we bring up the tunnel. Now normally you would probably want to get your tunnel up first, your encryption in place, things like, you know, the basic housekeeping, before you'd start to route traffic across the tunnel. I'm doing it slightly out of order here just for illustrative purposes.

So here we are back on router 1. OK, so we finished step 1 there; we've created the OSPF routing process. Now we're on to step 2, which is to create the tunnel interfaces. Creating a tunnel interface is very much the same process as creating a loopback on a Cisco device. It's a virtual interface and you just create it; you just tell the router "I'm making up this interface," very much like creating, like I said, a loopback or an SVI, a VLAN interface. So we're going to say we want to create interface tunnel; we'll just call it tunnel 0. So there we created the tunnel interface; it put it to down. Now when we do our tunnel interfaces we've got to tell it a couple of things. First of all, our first command that we're going to use is tunnel source. Now the tunnel source, let me do a question mark, can be the IP address or I can specify an interface. What we're going to do in this case, when we look at our network map from router 1's perspective, the source of the tunnel, where it's going to start, is going to be fast 0/0, because that's connected to the internet, and its destination is going to be this public IP address over on fast 0/0 on router 2. So on router 1 we're going to specify the source is fast 0/0. OK, now I'm going to do something I should have done earlier, but I want to do a ping; I want to make sure this router can actually get to the internet. OK, again, good enough.

OK, so our tunnel source is fast 0/0. The next thing we need to do is specify the destination. Now the tunnel destination is the public IP address over on this side, so we're going to type that in: 45.12.153, and the IP address on that interface is 202, so 45.12.153.202. Now we're going to see something interesting happen when we hit the enter key here. So we've got our source and our destination for the tunnel, and look at that: we get a message that tells us our interface Tunnel0 has gone to an up/up state. How can that be? The tunnel interface is logical; it does not have a built-in keepalive statement like you would see from a Cisco device on a physical interface. So in order to rectify that, we are actually going to add a keepalive statement. We'll say 3 seconds; I'm just kind of making these numbers up. Now once we do that we're going to see that it's going to try and do a keepalive, and our tunnel interface will go down because there really is nothing that it is communicating with on the far side. There we go: the tunnel interface changed state to down. It couldn't communicate, the keepalive failed, so it truly put our tunnel in the accurate status, which would be an up/down status. So now we have the tunnel interface created on router 1. We can see it if we do a do show ip interface brief. So there is our tunnel interface; it's in an up/down status, the bottom line here. So we have to add a few more things to it to bring it up to what we want. First thing is we need to assign it an IP address. We want this to be a layer 3 interface, so just like any other interface we're going to assign it an IP address. Based on our network diagram back here, the interfaces are 10.10.1; this is going to be .1, this is going to be .2, on a /30 interface. So this one is going to be 10.10.1.1 255.255.255.252.

Interface tunnel 0: we're going to give it... OK, so it went to down. We're going to give it a tunnel source, and just like our last router, this is all relative to where the router sits. So from router 2's perspective, its fast 0/0 is the source and this router's public IP address is the destination. So the source is going to be fast 0/0, just like it was on the other side. The tunnel destination is the public IP address of router 1, so let me slide this over so we can see it: 162.27.193, and the actual interface is .130. Now we should see the same thing again here when I hit enter. If you remember, the last time it told us our interface switched to up/up, and we see the same thing here. I'm going to add the keepalive; I think I used 3 2 on the other one. Now what we should see this time, though, is the keepalive should stay up; the tunnel is now established. If we show ip interface brief, we see that there. Now, we did not give it an IP address on this side, so interface tunnel 0, ip address is going to be 10.10.1.2. Let's look at our diagram again: so 10.10.1 /30, so this one gets .1, this one gets .2, so it's going to be .2, subnet mask 255.255.255.252, to set the cap block path the discovery, and we are going to be using OSPF, so ip ospf mtu-ignore, just to keep our tunnel working well with the OSPF protocol. So again, let me get out of the interface; show ip interface brief: there's our tunnel, it's got an IP address, it's up/up. You notice this time, as I mentioned, the tunnel did not go down after we put the keepalive on; our tunnel's established now. So let's go back to router 1, and we should see that the interface came back up, and it did: Tunnel0 came back up. So the first time, the keepalive kept it down because there was no interface for it to do a keepalive against; now it's up, so we can see it on the other side.

Now the thing to know about tunnels is they're layer 3, so we are not going to see this, even though on a network map it looks like it's directly connected. Logically, from this perspective... ah, that's the interface of the ISP, the ISP router. But from this router's perspective it does not see router 2 as a directly connected neighbor. So let's do a couple of verification tests. Again, back into router 1. Let's see, show ip interface brief. So it should be able to ping the other side of that tunnel, 10.10.1.2, and it can. So we're pinging; we're sending ping packets from this device to this virtual interface on router 2. Now, you know that I had mentioned that we set up the OSPF process first because we want to see the neighbors come up as the tunnel was built, and you also noticed up here on step 4 I said we're going to have to update OSPF to make that happen. Now the reason we have to do that is because when I added the network statements in step one for OSPF, I did not include the virtual tunnel interfaces, because we hadn't created them yet. So what we need to do is go back into router 1, go into the router ospf process, and add the 10.10.1.0 0.0.0.3 into area 0. So now we're telling it that yes, you can form neighbor relationships on that new interface that we just created, that tunnel interface. Again, wildcard mask, so that's why we're using .3 there. And then we're just going to take this and we're going to go over to router 2, and we're going to go into our router ospf 123 process and we're just going to put that statement in there, same network. Now we should see our OSPF neighbors come up. There we go: adjacency change, tunnel came up. Excellent, excellent. And if we do show ip ospf neighbor, we see the neighbor. This is router 2's perspective: we see the neighbor ID, using this address on its interface, and because it's a point-to-point circuit we're only seeing FULL. Let me point this out right here. When you're looking at OSPF, if you recall your OSPF, when it's trying to figure out a neighbor ID or a router ID, and if it is not specified in the OSPF clause, which we did not do, it's going to pick a router ID based on IPs assigned to interfaces, and if memory serves it's the highest IP address that will win, but if there's a loopback configured on the router it's the highest loopback rather than the highest physical interface. So back here on our network drawing, I had said that we had this network behind it, and this is actually a loopback. I simulated this network on router 1 with a loopback and router 2 with a loopback; that's why 192.168.1.1 is picked for the neighbor ID from router 2's perspective. Router 2 is going to advertise its router ID as being 10.1.1.1. So let's verify that. We go over to router 1, let's do a show ip ospf neighbor, and there we are: the neighbor ID 10.1.1.1, because that's the highest loopback on router 2 over here; again, this is a loopback. It's up in full state now, using Tunnel0. Now let's see if we're exchanging routes: show ip route, if I can type. So there we are: indeed router 1 is learning about the 10 network, the 10.1.1 network excuse me, which is over here on router 2; it's learning it from OSPF using this GRE tunnel.

OK, so we've accomplished our steps here. We've created the process. And I guess I could have done it all at once; one and four didn't need to be separate steps. We created a tunnel interface, we added some extra commands to keep them clean, specified source and destination and IP addresses, and we updated OSPF with the virtual interfaces from the tunnels, and then we did some verification commands. Now our next step, now that we have our tunnel up and running and the OSPF process running through it, is going to be to start to add the security layer to our tunnel. So what we've done so far is two out of the three things we wanted to accomplish. One was these are now in one logical OSPF area; they're communicating with each other through a virtual GRE tunnel. But at this point that tunnel is unsecured; there are no encryption algorithms on it. So even though this is a virtual interface, a virtual tunnel, it's still going through the internet, so we still want to protect and encapsulate our traffic between these two routers so that it can't be sniffed on the internet or intercepted somewhere along the path. And that is going to be our next piece, where we're going to start putting the VPN framework around our GRE tunnel.

I've updated our network map to show what we're going to do in this section of the instructions, and this is the final instruction right now. The third piece of what we set out to do was to encrypt our traffic as it goes across the internet, because even though we have a logical GRE tunnel and it looks like our traffic is going directly between these two routers from a network map perspective, an IP perspective, and even the routing protocol perspective, it really is going over the internet and we want to protect that traffic, so if it's captured or sniffed upon it's encrypted and can't be inspected. So we are going to be employing standard VPN tunnel mechanisms on our GRE tunnel to make it as secure as any other VPN connection. So I put on the screen here the steps that we need to do to make that happen, and I'll run through those really quickly here. The first one is we have to tell each router what is the traffic that we want it to encrypt when it goes to the internet. When this router sends traffic from the users down here to the internet, we don't want all that traffic encrypted; only traffic that's going from router 1 to router 2 do we want to encrypt. So we need to tell it that. Then we need to start defining our IPsec policies, and there's traditionally two phases to an IPsec encryption mechanism: one is the ISAKMP, which is phase 1, and the second, which is IPsec, which is the true IPsec, and that's phase 2. For phase 1, ISAKMP, we're going to be using a pre-shared secret instead of using certificates, so we have to define our pre-shared secret key. Step number 5 is we take the interesting traffic, the ISAKMP policy and the IPsec transform set, and we combine them all together into our crypto map, and the crypto map is where the magic happens. Once we've defined our crypto map, we take that crypto map and we apply it to the interfaces on our routers. And then last but not least, we'll do some show commands and verification to make sure that traffic between these two routers going across this GRE tunnel is indeed encrypted.

So step one: we're going to hop on to router 1, pull this into the window, and on router 1 get back into enable mode. The first thing we want to do is define the traffic to be encrypted. When we look at our network map from router 1's perspective, any traffic going from router 1 to router 2 across the internet, that's the traffic we want to be encrypted, so that's how we're defining our interesting traffic. So to define that traffic, it's simply an access list. Access list: it's going to be an extended access list, we'll call it IPSEC-TRAFFIC. And I don't know if I've mentioned this before, but the reason I capitalize things like this is so that I can find them quickly in a running config. So usually when I have to create a name for something I'll almost always give it all caps so that it stands out in a config. OK, our access list is going to be a one-liner. We can put a remark in here: remark, let's call this VPN traffic. And then we're going to say permit. Permit traffic type: probably you're used to using ip or tcp or udp, those are the most common, but if you look in here you'll see that we actually have an option to specify GRE traffic. That's what we want to pick in this case. So permit gre from host, the public IP address of router 1, which is the IP assigned to fast 0/0, so that is 162.27, slide this out of the way, .193., what was it, .130: 162.27.193.130. And the destination is host, and that's the public IP address over here on router 2; that is going to be 45.12.153.202. And I just want to verify these, because these are easy to do typos on: 45.12.153.202 on that side and on this side it's 162.27.193.130. OK, so that's the access list that we're going to use to define the interesting traffic, again from router 1's perspective. From router 2's perspective these are just going to be flip-flopped: the source is going to be router 2's WAN IP address and the destination is going to be router 1's WAN IP address. All right, so that's it, we've done step one up here in our list: define the traffic to be encrypted.

Next is our phase one ISAKMP policy. To do that, when we start getting into VPNs almost everything is with crypto, so we do crypto isakmp policy, and we're just going to create policy number 1. I'm only going to create one policy; we're going to make a match on each side, but in many instances you might have many different ISAKMP policies, and for phase two many different transform sets. We're only going to do one, because we're going to force them to match. So we give it a policy, and then once we define the policy number we have to give it the basic information that we want it to use for phase one of our tunnel. What we need to tell it is what kind of authentication mechanism we're going to use, the encryption method we want to use, the Diffie-Hellman group we want to use, the hash method that we want to use, and the lifetime that we want the tunnel to stay up before it needs to be torn down and rebuilt automatically. So let's start with authentication. Our choices are certificate-based or pre-shared key; we're going to use a pre-shared key, which we will define shortly. The next thing that we want to do is specify our encryption method. When we look at that we have three options: Triple DES, DES and AES. We're going to use AES, and we can specify the bit depth that we want the key to be, so I will go 128, which is the default. The next thing that we want to define is the hash; we've got MD5 or SHA-1. Use sha. The next thing that we need to define is the Diffie-Hellman group, so group, and we're going to use group number 2. The last parameter, if you remember, was lifetime. I'm not going to override the lifetime, but if we want to look at it, we can specify the lifetime in seconds. The default is 86400, I believe, and that should be 24 hours if I remember correctly. I'm not going to specify a lifetime, so we're not going to override the lifetime. So we've got that taken care of.

Now, because we used the pre-shared key, if you remember up here we had options to use for our... sorry, where is it at? I'm missing it here. Right here, for our authentication mechanism, we chose to use a pre-shared key. Now we need to define that pre-shared key; we've got to tell it what that pre-shared key is going to be. So we do again crypto isakmp key; we're going to do 0, it's going to be an unencrypted key. The next thing is what is the key we want to use: we're going to use the word KEY, all in uppercase, as our key, or as our password if you will. The next thing we have to specify is an address, in this case because it's going across the internet, and then what is the address of the remote host that this tunnel is going to be paired with. In this case, because we're on router 1, that is going to be the WAN IP address of router 2 over here, so we type that in very carefully: 45.12.153.202. Enter. OK, so we have completed numbers 2 and 3 up here: we've completed our ISAKMP policy with our encryption and our hash and our Diffie-Hellman group, and we've defined the pre-shared key, because that's the authentication mechanism that we chose to use. So let's do a quick show run, and we'll see how that looks in the running config. So here we are: here's our crypto isakmp policy 1. The encryption mechanism we chose was AES, and because we picked 128, that's the default, it doesn't show it in the config here. Pre-shared key, Diffie-Hellman group 2, and then also we have the crypto pre-shared key that we want to use for the phase one tunnel to be built up. Now you'll notice one thing that's missing here is our hash. We specified hash as being sha; again, that's a default, so it does not show it in the running config. Had we chosen another mechanism for our hash, MD5, we would see that showing in the run because it is not the default. So that's why it appears to be missing.

OK, so we've got that taken care of. Now we are on to step four, which is phase two of IPsec, and that's actually defining the transform set. So again we start with crypto, and instead of isakmp we're doing phase two, which is ipsec. We're going to create a transform-set; that's the mechanism or the method that they call it. We have to give it a name; we're going to call it TRANS-SET-GRE, kind of long I know, but I like to be descriptive: TRANS-SET-GRE-TUNNEL. And then we have to give it a couple of parameters behind here. So we are going to use ESP; we're going to use AES, esp-aes, and if we wanted to we could specify the strength that we're going to use on that, 128, 192, 256; we'll leave it at the default, which is 128. And then the other thing that we need to specify is that we're going to use SHA, so esp-sha, and hit enter. OK, and then the last thing we want to do is say mode. We have a couple of different modes that we can have our transform set be defined for, and we're going to use tunnel mode. Hit enter. All right, let's do a show run here again real quick. So there's our policy, there's our shared key, and here's our transform set that we just typed in. The transform set is all one line, and you can do multiple transform sets if you wanted to, just like you can do multiple ISAKMP policies. So if you have multiple tunnels going and you want to use different authentication and encryption mechanisms on the different tunnels, you have that flexibility.

All right, so back over to here. We are now on step five. Step five is where we take our access list, our phase one and our phase two information and we tie it all together into an item called a crypto map. The crypto map is what brings it all together. So we're going to hop over to router 1 again and we're going to create our crypto map. Crypto options: there's lots of options, you know; we've been doing ipsec, isakmp, a couple in the middle, we've done the key. In this case we're going to do a map. What do we want to call it? I'm going to call it CRYPTO-MAP, to be really tricky, and we give it a sequence number, 1, and then what methods are we using: we're using IPsec with ISAKMP, that was what we decided to use for our phase one and phase two. So when we hit enter we get this message that tells us that our policy is going to be disabled until we define a few things. Basically, in our crypto map we have to bring in all the other information we put together: we've got to tell it the peer that this crypto map is going to be used against, we need to tell it the access list that tells it which traffic to apply this crypto policy to, and then, although it's not stated in the text, we also need to tell it the phase one and phase two information. So we can do a description here if we want to: description, we'll just call it "to R2", so that we can put a description in there. The first thing we'll do, let's do them in the order that we created them in, so we need to do our access list. That's done with a match command: match address and then the name of our access list, which is IPSEC-TRAFFIC. So that took care of one of our requirements here, this one right here: a valid access list has been configured. That's our access list. We need to do a set here, and that's the other thing it tells us we need to do: we need to enter the IP address of the peer, what's on the other end of this tunnel. Now we've defined that a few times already up here, so I'm just going to copy and paste it from here, but it's the WAN IP address of our partner router. All right, and the last thing that we need to do is specify the transform set that we just created. So again we say set transform-set, and the transform set is that big long name that we typed in up here: TRANS-SET-GRE-TUNNEL. So we specified the peer as we were required, we specified the access list that we created to define the GRE traffic going across that tunnel, and we set our transform set. So now we are ready to apply the crypto map to our interfaces.

For the sake of brevity, I have already gone on router 2 and created the access list, the phase 1 ISAKMP policy, the IPsec transform set and also the crypto map. The only difference from router 2's perspective is wherever we had to enter a peer ID, it's going to be the WAN address of router 1. So we had to do that for our peers, for the crypto key, and of course our access list hosts are flip-flopped because of the way the access lists work. So right now we have our tunnel up and it's sending traffic back and forth; we've seen that all along. What we are going to do is apply the crypto map that we just created. Now when we apply the crypto map, we have to apply it to two interfaces: we have to apply it to our logical GRE tunnel and we also have to apply it to our physical fast 0/0, because that's where the traffic is really going. So let's go to interface fast 0/0 first. We type crypto map and then the name of our crypto map, which we called CRYPTO-MAP, and hit enter. Now we are going to see that we start getting some warning messages here, because I've created the other stuff on router 2 but I haven't applied the crypto map to the interfaces. So what's going to happen here... there we are, Tunnel0 went down; it went to a down state. So that's something to keep in mind when you're doing this: if you're actually sending business traffic across that circuit and you're going to go back and apply the security at a later date, you need to do it off hours, because it's going to take that interface down while you do that. It'll take that tunnel down. And then we also need to go to interface tunnel 0 and apply the crypto map, c-r-y-p-t-o, to the tunnel interface as well. All right, so that takes care of router 1.

Now I'm going to flip over to router 2. We're not going to recreate all that, the ISAKMP and the transform set, because I've already done that here; I've already created the crypto map as well. We're just going to apply the crypto map. So we go into interface tunnel 0, crypto map and the name CRYPTO-MAP, and we go to interface fast 0/0, crypto map and then the name, c-r-y-p-t-o map. Now we should see our tunnel come back up, we should see... maybe we should see the OSPF relationship come back up, and we should see routes being exchanged. And there we go: our tunnel came back up, came to an up state, and we see that our BGP neighbors are... our OSPF neighbors have transitioned to a full state. And if we go back to router 1, which was where we saw the tunnel go down, we see that it's gone back up. Remember it went down up here, right here we saw the tunnel go down; here it's coming back up, and here we see that OSPF has gone into a full state as well. So back on router 1 again, seeing as we're here, let's continue. If we do show ip ospf neighbor, we should see, there we are, router 2 as our neighbor again. And now let's see if our traffic is being encrypted. To see that we use a show crypto ipsec, because that's where the encryption really takes place, at the IPsec level, and we do sa for security associations. Now there's all kinds of good information here, but here's the part that you want to look at to see if your traffic is being encrypted. What this is telling us is, from router 1's perspective, as of when we ran this command it encapsulated 65 packets and encrypted 65 packets, and here's what it received: it decrypted 64. 64 went from router 1 to router 2... I'm sorry, 65 went from router 1 to router 2; 64 came from router 2 back to router 1. Now because we're running OSPF, we've got those keepalives on our tunnel, so we should see, if we run that command again, that number climbing. So there it went up. Let's kick this up a little bit so we can see those numbers take a big hit. So we're going to ping router 2: ping ip 10.10.1.2, repeat of... let's do 50. So we're sending 50 pings across that tunnel. Now what we should see is the number of packets should go up by 50 plus whatever other overhead took place in that time, so I would expect to see it jump up to 150 plus. So let's take a look at our SA, and there we go: it went from 96 to 172. And we see the same thing from router 2's perspective if we do that same command: show... good lord... show crypto ipsec sa. We can see they're going to pretty much be flip-flopped from one another: what one receives the other one sent. So that is proof that we've encrypted our traffic going across that tunnel, and remember that tunnel is really going across the internet, so we're encrypting our private, secure traffic, our private corporate traffic, as it goes across the internet.

So there we go: we set out to accomplish three goals and we've done all three of them. We've created the GRE tunnel interface as a layer 3 interface; we put these two routers that are connected directly to the internet in the same OSPF area, and dynamic routing updates are going on from router 1 to router 2 using this virtual private tunnel; and then we've taken that logical interface and we've secured that traffic using IPsec, so that when it goes through the internet, physically goes through the internet, it's encapsulated and encrypted, and secured traffic flows through the internet so our traffic can be intercepted and inspected. So I hope you found this tutorial informative. Thank you for watching.
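The complete configuration the video types in piece by piece, reassembled here as an added example from the addresses, names and steps spoken in the captions (it is not the author's saved running-config). The hostnames R1/R2, the /24 masks on the fa0/0 interfaces and the `<PSK-PLACEHOLDER>` key are assumptions; the video does not give the masks and uses the literal word KEY as its pre-shared key.

```cisco
! ===== R1 =====  WAN fa0/0 162.27.193.130, LAN 192.168.1.0/24 (simulated by a loopback)
hostname R1
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 ! /24 mask is assumed; the video gives only the address
 ip address 162.27.193.130 255.255.255.0
 crypto map CRYPTO-MAP
!
interface Tunnel0
 ip address 10.10.1.1 255.255.255.252
 ip ospf mtu-ignore
 ! without a keepalive a GRE tunnel reports up/up even when no peer answers
 keepalive 3 2
 tunnel source FastEthernet0/0
 tunnel destination 45.12.153.202
 ! the video also applies the crypto map to the tunnel; see the note after the block
 crypto map CRYPTO-MAP
!
router ospf 123
 network 192.168.1.0 0.0.0.255 area 0
 ! step 4 in the video: the tunnel /30 must be in area 0 or no adjacency forms
 network 10.10.1.0 0.0.0.3 area 0
!
! step 1: interesting traffic = only GRE between the two WAN addresses
ip access-list extended IPSEC-TRAFFIC
 remark VPN traffic
 permit gre host 162.27.193.130 host 45.12.153.202
!
! steps 2-3: phase 1 (ISAKMP); the defaults (aes 128, sha) do not appear in show run
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
! the video uses the word KEY here; use a long random secret instead
crypto isakmp key 0 <PSK-PLACEHOLDER> address 45.12.153.202
!
! step 4: phase 2 (IPsec) transform set
crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes esp-sha-hmac
 mode tunnel
!
! step 5: the crypto map ties ACL, peer and transform set together
crypto map CRYPTO-MAP 1 ipsec-isakmp
 description to R2
 match address IPSEC-TRAFFIC
 set peer 45.12.153.202
 set transform-set TRANS-SET-GRE-TUNNEL
!
! ===== R2 =====  WAN fa0/0 45.12.153.202, LAN 10.1.1.0/24 (loopback)
! Only the mirrored values differ: tunnel address/destination, OSPF LAN network,
! ACL hosts, ISAKMP key address and crypto-map peer.
hostname R2
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 45.12.153.202 255.255.255.0
 crypto map CRYPTO-MAP
!
interface Tunnel0
 ip address 10.10.1.2 255.255.255.252
 ip ospf mtu-ignore
 keepalive 3 2
 tunnel source FastEthernet0/0
 tunnel destination 162.27.193.130
 crypto map CRYPTO-MAP
!
router ospf 123
 network 10.1.1.0 0.0.0.255 area 0
 network 10.10.1.0 0.0.0.3 area 0
!
ip access-list extended IPSEC-TRAFFIC
 permit gre host 45.12.153.202 host 162.27.193.130
!
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto isakmp key 0 <PSK-PLACEHOLDER> address 162.27.193.130
!
crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes esp-sha-hmac
 mode tunnel
!
crypto map CRYPTO-MAP 1 ipsec-isakmp
 match address IPSEC-TRAFFIC
 set peer 162.27.193.130
 set transform-set TRANS-SET-GRE-TUNNEL
!
! ===== verification, as in the video (from either router) =====
! show ip interface brief    -> Tunnel0 up/up
! show ip ospf neighbor      -> neighbor 10.1.1.1 (R2) / 192.168.1.1 (R1) in FULL
! show ip route ospf         -> far-side LAN learned via Tunnel0
! show crypto ipsec sa       -> #pkts encaps/encrypt and decaps/decrypt climbing
! ping 10.10.1.2 repeat 50   -> counters rise by ~50 plus OSPF/keepalive overhead
```

Current IOS releases reject or deprecate `crypto map` on a tunnel interface; the map belongs on the physical interface only, or the GRE tunnel is protected with `tunnel protection ipsec profile` instead. DH group 2, SHA-1 and a static plaintext PSK are the 2011-era choices shown in the video, not a recommended baseline for a new deployment.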
Info
Channel: Doug Suida
Views: 121,358
Rating: 4.8956976 out of 5
Keywords: OSPF, internet, WAN, routing, router, switch, IPSec, GRE, config, configure, IOS, Cisco, tunnel, VPN, Cripto-map, crypto, map, site to site, s2s
Id: 2PtK8HgkRvM
Length: 42min 42sec (2562 seconds)
Published: Sun Jul 03 2011