09-03-2024 08:36 AM - edited 09-03-2024 10:39 AM
IPSec over GRE
Generic Routing Encapsulation (GRE) protocol
Internet Protocol Security (IPSec)
GRE Tunnel Configuration
IPSec Configuration
Generic Routing Encapsulation
- GRE is a tunneling protocol originally developed by Cisco Systems for creating virtual point-to-point links between Cisco routers at remote points over the Internet.
- GRE uses IP for transport and encapsulates a wide variety of protocol packet types inside IP tunnels.
- Advantages:
  - Use of multiple protocols over a single-protocol backbone
  - Providing workarounds for networks with limited hops (like RIP)
  - Connection of non-contiguous sub-networks
- It is important to note that packets travelling inside a GRE tunnel are not encrypted: GRE does not encrypt the payload, it only encapsulates it behind a GRE header. If data protection is required, IPSec must be configured to provide data confidentiality; this is when a GRE tunnel is transformed into a secure VPN GRE tunnel.
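The following Python is an added example, not part of the original article, that makes the last point concrete. It builds a constructed IPv4/GRE/IPv4 packet between the tunnel endpoints used later in this article (outer 192.168.12.1 to 192.168.23.3, inner 1.1.1.1 to 3.3.3.3) and shows that anyone on the transport path can read the inner addresses and payload, whereas a constructed ESP packet (stand-in SPI 0x1001, body standing in for ciphertext) exposes only the SPI and sequence number. All packet contents are constructed for illustration; the protocol numbers (GRE 47, ESP 50, AH 51) and header layouts follow RFC 791, RFC 2784/2890 and RFC 4303.

```python
import struct
import ipaddress

# IP protocol numbers as they appear in the outer IPv4 header (IANA assignments)
IPPROTO_ICMP = 1
IPPROTO_GRE = 47
IPPROTO_ESP = 50          # Encapsulating Security Payload
IPPROTO_AH = 51           # Authentication Header
GRE_PTYPE_IPV4 = 0x0800   # EtherType-style protocol type carried in the GRE header


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones-complement checksum over the IPv4 header; returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    fields = [0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ipv4_checksum(header)          # fill in the header checksum
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def parse_ipv4(packet: bytes) -> dict:
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": packet[ihl:total_len]}


def build_gre(inner: bytes, ptype: int = GRE_PTYPE_IPV4) -> bytes:
    """RFC 2784 GRE header: flags/version = 0 (no checksum, key or sequence), then protocol type."""
    return struct.pack("!HH", 0, ptype) + inner


def parse_gre(payload: bytes):
    """Return (protocol type, encapsulated packet), skipping optional fields announced by flag bits."""
    flags, ptype = struct.unpack("!HH", payload[:4])
    offset = 4
    offset += 4 if flags & 0x8000 else 0   # C bit: checksum + reserved1 (RFC 2784)
    offset += 4 if flags & 0x2000 else 0   # K bit: key (RFC 2890)
    offset += 4 if flags & 0x1000 else 0   # S bit: sequence number (RFC 2890)
    return ptype, payload[offset:]


def classify_packet(packet: bytes) -> dict:
    """Describe what an observer on the transport network can read from one outer packet."""
    outer = parse_ipv4(packet)
    result = {"outer_src": outer["src"], "outer_dst": outer["dst"], "inner_visible": False}
    if outer["proto"] == IPPROTO_GRE:
        ptype, inner = parse_gre(outer["payload"])
        result["encap"] = "GRE"
        if ptype == GRE_PTYPE_IPV4:
            inner_ip = parse_ipv4(inner)
            # Plain GRE: the inner header and payload are readable as-is
            result.update(inner_visible=True, inner_src=inner_ip["src"], inner_dst=inner_ip["dst"],
                          inner_proto=inner_ip["proto"], inner_payload=inner_ip["payload"])
    elif outer["proto"] == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", outer["payload"][:8])
        # ESP exposes only SPI and sequence number; everything after them is ciphertext
        result.update(encap="ESP", spi=spi, seq=seq)
    elif outer["proto"] == IPPROTO_AH:
        result["encap"] = "AH"
    return result


def gre_sample() -> bytes:
    """Constructed: loopback-to-loopback ICMP-like payload in plain GRE between the article's endpoints."""
    inner = build_ipv4("1.1.1.1", "3.3.3.3", IPPROTO_ICMP, b"\x08\x00\x00\x00 hello over GRE")
    return build_ipv4("192.168.12.1", "192.168.23.3", IPPROTO_GRE, build_gre(inner))


def esp_sample() -> bytes:
    """Constructed: the same endpoints carrying ESP; the body stands in for ciphertext."""
    esp = struct.pack("!II", 0x1001, 7) + bytes(range(32))   # SPI, sequence, opaque payload
    return build_ipv4("192.168.12.1", "192.168.23.3", IPPROTO_ESP, esp)


if __name__ == "__main__":
    for pkt in (gre_sample(), esp_sample()):
        print(classify_packet(pkt))
```

Run it and compare the two dictionaries: the GRE packet yields the inner source, destination, protocol and payload text, while the ESP packet yields nothing beyond the outer addresses, SPI and sequence number. This is the property the article relies on when it adds `tunnel protection` to the GRE interface.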
Internet Protocol Security (IPSec)
- IPSec is a framework of open standards (IETF) used to build secure VPNs over a third-party network such as the Internet, connecting branch offices, remote users and business partners.
- Secure site-to-site VPNs between central and remote sites can be implemented using the IPSec protocol.
- There are two main IPSec framework protocols:
  - Authentication Header (AH)
    - Uses IP protocol number 51.
    - It only provides authentication, so it is not ideal where confidentiality is a requirement.
  - Encapsulating Security Payload (ESP)
    - Uses IP protocol number 50.
    - ESP adds confidentiality through encryption and can optionally provide authentication as well.
    - ESP supports several symmetric encryption algorithms, including DES, 3DES and AES.
    - The common authentication methods in VPNs are pre-shared keys (small and medium-sized organizations) and digital certificates backed by a Public Key Infrastructure (PKI) (several large organizations).
    - ESP includes header and trailer fields to support encryption and optional authentication.
For more details about IPSec and its phases (Phase 1 and Phase 2), see the following link:
https://community.cisco.com/t5/security-knowledge-base/implemention-of-ipsec-vpns/ta-p/5129081
Configuration Example
R1(config)# ip route 192.168.23.0 255.255.255.0 fa0/0
R3(config)# ip route 192.168.12.0 255.255.255.0 fa0/0
R1# ping 192.168.23.3
!!!!!
R1(config)# interface Tunnel 0
R1(config-if)# ip address 172.16.0.1 255.255.255.0
R1(config-if)# tunnel source fa0/0
R1(config-if)# tunnel destination 192.168.23.3
R1(config-if)# tunnel mode gre ip
R1(config-if)# exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R3(config)# interface Tunnel 0
R3(config-if)# ip address 172.16.0.2 255.255.255.0
R3(config-if)# tunnel source fa0/0
R3(config-if)# tunnel destination 192.168.12.1
R3(config-if)# tunnel mode gre ip
R3(config-if)# exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1# ping 172.16.0.2
!!!!!
The GRE tunnel is now established between R1 and R3.
As mentioned earlier, GRE is an encapsulation protocol and does not perform any encryption. Running a point-to-point GRE tunnel without encryption is extremely risky! That is why we now implement IPSec to encrypt the traffic passing through our GRE tunnel.
Configuring IPSec Encryption for the GRE Tunnel (GRE over IPSec)
IPSec encryption involves two steps on each router:
(1) Configure ISAKMP (ISAKMP Phase 1)
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash sha512
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 14
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 6 xxxxxxxx address 192.168.23.3
Configure R3 the same way:
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#hash sha512
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 14
R3(config-isakmp)#lifetime 3600
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#exit
R3(config)#crypto isakmp key 6 xxxxxxxx address 192.168.12.1
(2) Configure IPSec (ISAKMP Phase 2)
R1(config)# crypto ipsec transform-set TS1 esp-aes 256 esp-sha512-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)# crypto ipsec profile profile-1
R1(ipsec-profile)# set transform-set TS1
R1(ipsec-profile)# exit
R1(config)# interface Tunnel 0
R1(config-if)# tunnel protection ipsec profile profile-1
R1(config-if)#exit
Complete the phase-2 configuration on R3 the same way (the transform set and profile must be applied under the tunnel interface, so enter it first):
R3(config)# crypto ipsec transform-set TS3 esp-aes 256 esp-sha512-hmac
R3(cfg-crypto-trans)# mode tunnel
R3(cfg-crypto-trans)# exit
R3(config)# crypto ipsec profile profile-1
R3(ipsec-profile)# set transform-set TS3
R3(ipsec-profile)# exit
R3(config)# interface Tunnel 0
R3(config-if)# tunnel protection ipsec profile profile-1
R3(config-if)# exit
R1# ping 172.16.0.2
!!!!!
Our tunnel is established and secured with IPSec. To carry traffic between the loopbacks, configure a routing protocol over the tunnel; in this case EIGRP autonomous system 100 is used.
R1(config)# router eigrp 100
R1(config-router)# network 1.1.1.1 0.0.0.0
R1(config-router)# network 172.16.0.0 0.0.0.255
R1(config-router)# no auto-summary
R1(config-router)#exit
R3(config)# router eigrp 100
R3(config-router)# network 3.3.3.3 0.0.0.0
R3(config-router)# network 172.16.0.0 0.0.0.255
R3(config-router)# no auto-summary
R3(config-router)#exit
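Because a GRE tunnel interface that lacks `tunnel protection` forwards its payload in clear, it is worth checking running configurations for exactly that omission, and for weak phase-1 and phase-2 choices. The Python below is an added example, not part of the original article and not a Cisco tool: it parses IOS-style configuration text into top-level commands with their indented sub-commands, then audits ISAKMP policies (falling back to the IOS defaults of DES, SHA-1 and group 1 when a line is absent), transform sets (weak transforms, or ESP with no HMAC transform) and Tunnel interfaces (GRE mode without protection, or protection referencing an undefined profile). The sample configuration is constructed to mirror R1's commands from this article as `show running-config` would display them; `Tunnel1` and its destination 192.168.45.5 are constructed placeholders that are not on the page.

```python
# Constructed sample: R1's running-config as `show running-config` would display the commands on this
# page (IOS shows `encryption` as `encr`, expands fa0/0, and omits the default `tunnel mode gre ip`).
# Tunnel1 and destination 192.168.45.5 are constructed for illustration and are not from the article.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha512
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key 6 xxxxxxxx address 192.168.23.3
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile profile-1
 set transform-set TS1
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.23.3
 tunnel protection ipsec profile profile-1
!
interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.45.5
!
"""

WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}            # "sha" is SHA-1 in ISAKMP policy syntax
WEAK_GROUP = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}
ESP_INTEGRITY = {"esp-md5-hmac", "esp-sha-hmac", "esp-sha256-hmac", "esp-sha384-hmac", "esp-sha512-hmac"}


def parse_blocks(config: str):
    """Group IOS config text into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config: str) -> list:
    """Return human-readable findings: weak IKE/IPsec choices and GRE tunnels with no IPsec protection."""
    findings, profiles, tunnels = [], {}, []
    for header, body in parse_blocks(config):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            # IOS defaults when the line is absent from the policy: DES, SHA-1, group 1
            cfg = {"encr": "des", "hash": "sha", "group": "1"}
            for line in body:
                key, *rest = line.split()
                key = "encr" if key == "encryption" else key
                if key in cfg:
                    cfg[key] = " ".join(rest)
            name = f"isakmp policy {words[3]}"
            if cfg["encr"].split()[0] in WEAK_ENCR:
                findings.append(f"{name}: weak encryption '{cfg['encr']}'")
            if cfg["hash"] in WEAK_HASH:
                findings.append(f"{name}: weak hash '{cfg['hash']}'")
            if cfg["group"] in WEAK_GROUP:
                findings.append(f"{name}: weak DH group {cfg['group']}")
        elif header.startswith("crypto ipsec transform-set"):
            name = words[3]
            transforms = [t for t in words[4:] if not t.isdigit()]   # drop key lengths such as "256"
            for t in transforms:
                if t in WEAK_ESP:
                    findings.append(f"transform-set {name}: weak transform {t}")
            uses_esp = any(t.startswith("esp-") for t in transforms)
            if uses_esp and not (set(transforms) & ESP_INTEGRITY):
                findings.append(f"transform-set {name}: ESP without an integrity (HMAC) transform")
        elif header.startswith("crypto ipsec profile"):
            profiles[words[3]] = body
        elif header.startswith("interface Tunnel"):
            tunnels.append((words[1], body))

    # Tunnels are checked after the whole config is read so profile references resolve regardless of order
    for name, body in tunnels:
        mode = next((l for l in body if l.startswith("tunnel mode")), "tunnel mode gre ip")  # GRE/IP is the default
        protection = next((l for l in body if l.startswith("tunnel protection ipsec profile")), None)
        if protection is None:
            if "gre" in mode.split():
                findings.append(f"{name}: GRE tunnel without 'tunnel protection', payload crosses the transport network in clear")
        elif protection.split()[4] not in profiles:
            findings.append(f"{name}: references undefined ipsec profile '{protection.split()[4]}'")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample, only `Tunnel1` is reported; the article's own policy 1 (AES-256, SHA-512, group 14) and transform set TS1 pass. Feed it the output of `show running-config` saved to a file to audit a real device, and extend the weak-algorithm sets to match your own baseline.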
Thank you very much!