2821 router to router encryption

Tod Larson
Level 3

How do I secure this scenario?

1) Site A has a 2821 router and an IP connection to site C's 2821 across another organization's IP network.

2) Site B has a 2821 router with an MPLS connection to site C's 2821.

This is easy enough to connect and get working with clear-text connections and GRE tunnels, but I'm leaving my network open to the other organization and to the MPLS service provider.

I'm thinking some flavor of encryption between the routers with GRE tunnels for routing the actual traffic.

Thank you in advance for any recommendations and config examples.

3 Replies

m.kafka
Level 4

Hi Tod,

if you already operate GRE tunnels you can simply turn them into "VTI" interfaces.

A VTI (virtual tunnel interface) is similar to GRE, but it uses IPsec directly instead of GRE to encapsulate the packets.

Here is a sample:

! IKE phase 1 policy: how the two routers authenticate each other and agree on keys
crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
! pre-shared key bound to the peer's address (the /32 mask limits it to that one peer)
crypto isakmp key [ike-key] address [address-of-other-router] 255.255.255.255
crypto isakmp keepalive 10
!
! the IPsec profile referenced by "tunnel protection" below has to exist;
! these lines are added here to complete the sample (transform-set name VTI-TS is an assumed name)
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
  mode tunnel
crypto ipsec profile VTI
  set transform-set VTI-TS
!
! the former GRE tunnel, switched to IPsec (VTI) mode and tied to the profile
interface Tunnel0
  ip address 192.168.10.2 255.255.255.0
  tunnel source 10.0.149.220
  tunnel destination 10.0.149.221
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile VTI

taken from

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html

I wish you success with the encrypted tunnel

MiKa

A VTI sounds like most of my answer, thanks.

Does a VTI protect against intrusions into the physical interface? I guess I'm wondering about how to configure the physical interface to allow only the tunnel and drop everything else (ssh, telnet, ping, etc). I'm expecting some sort of access list or something as well.

Hi Tod,

you can deploy a separate acl on the physical interface, which allows only the tunnel itself (udp/500 and esp). The acl on the VTI would control the traffic through the tunnel.

Rgds,

MiKa
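The two access lists MiKa describes, written out as an added example against the Tunnel0 sample from the earlier reply. This is not configuration from the thread or from Cisco's white paper; the outside interface name (GigabitEthernet0/0), the ACL names, and the inside networks 192.168.1.0/24 (site A) and 192.168.2.0/24 (site C) are assumed values, and the tunnel endpoints 10.0.149.220/.221 are the ones from the sample.

```cisco
! Added example, not from the original thread. Assumed values: outside interface
! GigabitEthernet0/0, local tunnel source 10.0.149.220, peer 10.0.149.221,
! inside networks 192.168.1.0/24 (site A) and 192.168.2.0/24 (site C).
!
! --- Physical (outside) interface: admit only the IPsec tunnel itself ---
ip access-list extended OUTSIDE-IN
 remark IKE (ISAKMP, udp/500) from the peer router only
 permit udp host 10.0.149.221 host 10.0.149.220 eq isakmp
 remark ESP carrying the encrypted tunnel packets from the peer
 permit esp host 10.0.149.221 host 10.0.149.220
 remark everything else arriving from the provider side (ssh, telnet, icmp, ...) is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/0
 description Link toward the other organization / MPLS provider
 ip address 10.0.149.220 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! --- Tunnel interface: control what is allowed *through* the tunnel ---
! An inbound ACL applied to the VTI sees the decrypted traffic, so it decides
! which inside-to-inside flows the peer site may send.
ip access-list extended TUNNEL-IN
 remark only site C's inside network may reach site A's inside network
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip any any log
!
interface Tunnel0
 ip address 192.168.10.2 255.255.255.0
 ip access-group TUNNEL-IN in
 tunnel source 10.0.149.220
 tunnel destination 10.0.149.221
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
```

Because the outside ACL is applied inbound on the physical interface, it also filters packets addressed to the router itself, which is what drops ssh, telnet and ping from the provider network; management access then has to come from the inside or through the tunnel. Two caveats: if either router ends up behind NAT, IKE moves to NAT-T on udp/4500, which this list does not permit, and the 3DES / Diffie-Hellman group 2 settings in the sample are legacy choices, so on IOS releases that support them AES and a stronger DH group are the better fit for the same configuration.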