How do I secure this scenario?
1) Site A has a 2821 router and an IP connection to site C's 2821 across another organization's IP network.
2) Site B has a 2821 router with an MPLS connection to site C's 2821.
This is easy enough to connect and get working with clear-text connections and GRE tunnels, but I'm leaving my network open to the other organization and to the MPLS service provider.
I'm thinking some flavor of encryption between the routers with GRE tunnels for routing the actual traffic.
Thank you in advance for any recommendations and config examples.
If you already operate GRE tunnels you can simply turn them into "VTI" interfaces.
A VTI (virtual tunnel interface) is similar to GRE, but it uses IPsec directly instead of GRE to encapsulate the packets.
Here is a sample:
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key [ike-key] address [address-of-other-router] 255.255.255.255
crypto isakmp keepalive 10
crypto ipsec transform-set VTI-TS esp-aes esp-sha-hmac
crypto ipsec profile VTI
 set transform-set VTI-TS
interface Tunnel0
 ip address 192.168.10.2 255.255.255.0
 tunnel source 10.0.149.220
 tunnel destination 10.0.149.221
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
I wish you success with the encrypted tunnel.
A VTI sounds like most of my answer, thanks.
Does a VTI protect against intrusions into the physical interface? I guess I'm wondering about how to configure the physical interface to allow only the tunnel and drop everything else (ssh, telnet, ping, etc). I'm expecting some sort of access list or something as well.
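One way to do what the follow-up asks, given as an added example that is not part of the original thread or of the answerer's configuration: an inbound access list on the physical WAN interface that admits only the IPsec control and data traffic from the peer router and drops everything else. With a VTI, the peer only ever needs to send IKE (UDP 500, and UDP 4500 if NAT traversal is involved) and ESP (IP protocol 50) to this router's outside address, so those three lines are the whole allow list. The interface name (GigabitEthernet0/0), the ACL name WAN-IN, and the local/peer addresses (reusing 10.0.149.220 and 10.0.149.221 from the sample above) are assumptions chosen for this example.

```cisco
! Assumed for this example: this router's WAN address is 10.0.149.220, the IPsec
! peer is 10.0.149.221, and the VTI is sourced from GigabitEthernet0/0.
ip access-list extended WAN-IN
 remark IKE (ISAKMP, UDP 500) from the peer router only
 permit udp host 10.0.149.221 host 10.0.149.220 eq isakmp
 remark IKE/ESP over UDP 4500 in case a NAT device ever sits in the path
 permit udp host 10.0.149.221 host 10.0.149.220 eq non500-isakmp
 remark the encrypted tunnel traffic itself (ESP, IP protocol 50)
 permit esp host 10.0.149.221 host 10.0.149.220
 remark anything else aimed at the physical interface (ssh, telnet, ping, ...) is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/0
 ip address 10.0.149.220 255.255.255.0
 ip access-group WAN-IN in
```

Traffic that arrives inside the tunnel is decrypted and then shows up on Tunnel0, so this ACL never sees the inner packets; any policy for the site-to-site traffic belongs on the Tunnel0 interface or in the routing, not here. If a routing protocol is run with the provider on the physical link, it needs its own permit line above the deny. The `log` keyword on the final deny is useful for confirming that stray SSH, Telnet and ICMP probes are being dropped, but it costs CPU on a 2821 when the link is noisy, so drop it once the policy is verified.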