1056 Views, 0 Helpful, 4 Replies

GRE IPSEC

karl.jones
Level 1

Hi, We are starting to roll out site-to-site VPNs. At the remote site, we will have an 828 router and at the Hub will be a Checkpoint firewall. An IPsec tunnel will run between the two. At the remote site is also an ISDN router which will be used for ISDN backup to the CO. We would like transparent failover to ISDN in the event of VPN failure, so I will be running a GRE tunnel from the 828 remote rtr to a router behind the Checkpoint FW. The GRE will enable us to use EIGRP and allow for better failover to ISDN.

The only problem with this (and this is my concern) is that the GRE tunnel will hide all traffic from the Checkpoint FW. I would prefer to (but we don't have this option) terminate the GRE tunnel behind the Checkpoint FW and have another FW sitting behind this to inspect the packets in the clear and prevent DoS attacks etc. The only problem with this is it makes the routing a little more awkward.

One option I have thought of is sitting a GRE terminating router at the CO on its own vlan and then filtering out the packets on the SVI of a 3550 switch.

Could anyone give me some ideas - all of the docs and posts I have read would lead me to believe it is common practice to allow GRE through the terminating IPsec/FW, but there is never much mention of a FW behind to inspect packets after they have left the GRE tunnel.

Maybe I am being over cautious but would appreciate it if anyone could lend some experience and ideas here - Regards

4 Replies

ehirsel
Level 6

I believe that the easiest solution is to use GRE only to send the routing protocol packets, i.e. EIGRP traffic, not for general encap of user data packets. This is done by configuring the access-lists that apply to traffic to be sent/received off of the GRE tunnel to inspect EIGRP traffic only. Normal user traffic gets sent over IPsec, which will terminate at the Checkpoint Firewall.

How does the Checkpoint FW at the CO connect to the remote sites now? Does it have a direct interface to a service provider?

Thanks for the reply - not sure how the solution you mentioned would work. Could you explain a little further or send a sample config :-)

The Checkpoint connects to remote sites using IPSec over the web. We have a leased line to the internet provided by UUnet.

Thanks

Here is the topology the way I understand it to be:

RemoteRtr---UUNET---CheckPointFW
    |                     |
    |                     |
    |-------------ISDN----InternalRTR--InternalNetwork

There is no router between the FW and the UUNET connection and the FW passes traffic into the internal network via the InternalRouter; and the only change will be the ISDN implementation.

Did I depict the topology correctly? Is the ISDN going to be an always-on service or will you be charged only when using it for user data sessions?

What I was thinking is to configure a floating static on the internal and remote routers using the ISDN link as a metric of 240 like this:

ip route 0.0.0.0 0.0.0.0 isdn-rtr-ip 240

Then you configure EIGRP to run on the UUNET link of the remote router and on the FW link of the internal/CO router. The routers will be configured to use GRE over IPsec, tunneling the EIGRP updates over the GRE. As far as the FW is concerned, you will allow IPsec traffic between the CO and remote router. The floating static will only take effect if the EIGRP hellos are not seen over the UUNET connection. Once the hellos are seen and the neighbor adjacency is established the UUNET route will be preferred due to the admin distance of EIGRP being higher than 240 (the static metric).

Let me know if I have the topology understood correctly before I go into more details. If I am mistaken, please depict the correct topology and I will make the proper adjustments and provide a more detailed config.
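As an added example (not ehirsel's promised config and not from anyone in this thread), here is one way the EIGRP-over-GRE design and the AD 240 floating static described above fit together on IOS, with an inbound ACL on the GRE-terminating router's tunnel interface serving as the post-decapsulation inspection point that the original question asks about. Every address, interface name, AS number, key name and the 801/RAS server address is an assumption; the IPsec crypto map is shown on the 828 only, and the Checkpoint side is assumed to be configured in its own VPN community so that host 10.10.10.2 is in the encryption domain and GRE (IP protocol 47) is permitted to and from the 828.

```cisco
! ---- Remote site: Cisco 828 ----
! Assumed addressing (not from the thread): 828 WAN address 203.0.113.2 with ISP
! next hop 203.0.113.1; Checkpoint public address 198.51.100.1; GRE-terminating
! router on the inside LAN 10.10.10.2 (Checkpoint inside address 10.10.10.1);
! remote LAN 10.20.0.0/24; 801 ISDN router 10.20.0.254; RAS server 10.1.1.50.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
crypto ipsec transform-set CO-TS esp-aes esp-sha-hmac
!
! Only GRE between the two endpoints enters the IPsec SA; the Checkpoint therefore
! sees one GRE flow, which is why the inbound ACL on the CO side below matters.
ip access-list extended GRE-TO-CO
 permit gre host 203.0.113.2 host 10.10.10.2
crypto map CO-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set CO-TS
 match address GRE-TO-CO
! "crypto map CO-MAP" is applied to the 828's WAN (sub)interface that holds
! 203.0.113.2; the ATM/PVC configuration is omitted here.
!
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-WITH-EIGRP-SECRET
interface Tunnel0
 description GRE to the CO GRE-terminating router, carried inside the IPsec SA
 ip address 10.255.0.1 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 tunnel source 203.0.113.2
 tunnel destination 10.10.10.2
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 10.20.0.0 0.0.0.255
 no auto-summary
!
! Host routes so the IPsec peer and the GRE endpoint are always reached via the ISP,
! never recursively through the tunnel and never via the ISDN default.
ip route 198.51.100.1 255.255.255.255 203.0.113.1
ip route 10.10.10.2 255.255.255.255 203.0.113.1
! Floating static toward the 801: at AD 240 it loses to the EIGRP-learned default
! (AD 90) while the Tunnel0 adjacency is up and is installed once the hellos stop.
ip route 0.0.0.0 0.0.0.0 10.20.0.254 240
!
! ---- CO: GRE-terminating router on the inside LAN (10.10.10.2) ----
! Post-decapsulation filter: the first point where traffic the Checkpoint could not
! inspect is visible. Permit EIGRP and the remote LAN's traffic, log and drop the rest.
ip access-list extended FROM-REMOTE-TUNNEL
 permit eigrp host 10.255.0.1 host 224.0.0.10
 permit eigrp host 10.255.0.1 host 10.255.0.2
 permit ip 10.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip any any log
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-WITH-EIGRP-SECRET
! The default is advertised to the remote site as an EIGRP summary so that the 828's
! static at AD 240 has an EIGRP route (AD 90) to float beneath.
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip access-group FROM-REMOTE-TUNNEL in
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0
 tunnel source 10.10.10.2
 tunnel destination 203.0.113.2
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 10.0.0.0
 no auto-summary
! The summary above also installs a local 0.0.0.0/0 to Null0 at AD 5; the AD 1 static
! default via the Checkpoint keeps that from blackholing the CO router's own traffic.
ip route 0.0.0.0 0.0.0.0 10.10.10.1
! The 828's public address is reached through the Checkpoint's inside interface,
! which encrypts the outbound GRE toward the 828.
ip route 203.0.113.2 255.255.255.255 10.10.10.1
! Floating static for the remote LAN via the RAS server, installed only when EIGRP
! withdraws the 10.20.0.0/24 route learned over the tunnel.
ip route 10.20.0.0 255.255.255.0 10.1.1.50 240
```

Two points worth checking once this is in place: "show ip route" on the 828 should show the 0.0.0.0/0 as D (EIGRP) while the adjacency is up and as S [240/0] via 10.20.0.254 after the tunnel's EIGRP hold timer expires, and the "deny ip any any log" entry on the CO tunnel ACL is what turns anything unexpected arriving inside the GRE into a syslog line, which is the visibility the Checkpoint cannot provide for encapsulated traffic. The /32 host routes on each side are what stop the tunnel destination from being learned through the tunnel itself, which would otherwise make the tunnel flap.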

The topology is like this

828rtr ------ internet cloud ------- UUnet rtr -- OUTSIDELAN -- Checkpoint --- INSIDE LAN --- GRE terminating RTR

Along side the 828 for backup is

801rtr ---- ISDN ---- RASSERVER (INTERNAL LAN)

Regards

Karl