GRE over IPSEC

!### VERSION: 0.1
!### ENABLE



!### WAN1 begin
!
conf t
!
!
!
!============================INSIDE ZONE==============================================
!
ip access-list extended ACL_OUTSIDE_INSIDE
permit tcp 10.212.93.0 0.0.0.255 object-group VOB_SUBNET eq 80 8080 5432 4840
!
!
class-map type inspect match-all CM_CUSTOMER_INSIDE_CLIENT
match access-group name ACL_OUTSIDE_INSIDE
!
policy-map type inspect PM_OUTSIDE_INSIDE
class type inspect CM_CUSTOMER_INSIDE_CLIENT
inspect
class class-default
drop
!
!########################################################################
!### ###
!### OPTIONAL ###
!### ###
!### TO ENABLE ICMP FOR THE CUSTOMER THROUGH THE S2S TUNNEL ###
!### ###
!########################################################################
!
!
! class-map type inspect match-all CM_CUSTOMER_INSIDE_CLIENT_ICMP
! match access-group name ACL_OUTSIDE_INSIDE
! match protocol icmp
! !
! policy-map type inspect PM_OUTSIDE_INSIDE
! class type inspect CM_CUSTOMER_INSIDE_CLIENT
! inspect
! class type inspect CM_CUSTOMER_INSIDE_CLIENT_ICMP
! inspect
! class class-default
! drop
!
!#######################################################################
!
zone-pair security ZP_OUTSIDE_INSIDE source OUTSIDE destination INSIDE
description Zone pair for traffic from CUSTOMER_NWT-VPN to LAN interface
service-policy type inspect PM_OUTSIDE_INSIDE
!
!============================MULTIBRAND ZONE==============================================

!
ip access-list extended ACL_OUTSIDE_MULTIBRAND
permit ip 10.212.93.0 0.0.0.255 object-group SITE_MULTIBRAND_ADDRESSES
!
!
class-map type inspect match-all CM_CUSTOMER_MULTIBRAND_CLIENT
match access-group name ACL_OUTSIDE_MULTIBRAND
match class-map CM_TECH_VOB_CLIENT_PROTO
!
policy-map type inspect PM_OUTSIDE_MULTIBRAND
class type inspect CM_CUSTOMER_MULTIBRAND_CLIENT
inspect
class class-default
drop
!
!########################################################################
!### ###
!### OPTIONAL ###
!### ###
!### TO ENABLE ICMP FOR THE CUSTOMER THROUGH THE S2S TUNNEL ###
!### ###
!########################################################################
!
!
! class-map type inspect match-all CM_CUSTOMER_MULTIBRAND_CLIENT_ICMP
! match access-group name ACL_OUTSIDE_MULTIBRAND
! match protocol icmp
! !
! policy-map type inspect PM_OUTSIDE_MULTIBRAND
! class type inspect CM_CUSTOMER_MULTIBRAND_CLIENT
! inspect
! class type inspect CM_CUSTOMER_MULTIBRAND_CLIENT_ICMP
! inspect
! class class-default
! drop
!
!#######################################################################
!
zone-pair security ZP_OUTSIDE_MULTIBRAND source OUTSIDE destination MULTIBRAND
description Zone pair for traffic from CUSTOMER_NWT-VPN to MULTIBRAND zone
service-policy type inspect PM_OUTSIDE_IMULTIBRAND
!
!
!
!===================================== CRYPTO AND TUNNEL INTERFACE =====================================================
!
!
crypto ikev2 proposal IKEV2-CUST-NWT-PROPOSAL
encryption AES-CBC-256
integrity SHA512
group 21
!

crypto ikev2 policy default
proposal IKEV2-CUST-NWT-PROPOSAL
!
crypto ikev2 keyring IKEV2-KEYRING-CUST-NWT-VPN
peer CUSTOMER_NWT
description CUSTOMER NWT L2LVPN
address 185.120.221.1
pre-shared-key ChangeMePlease123
!
crypto ikev2 profile CUST-NWT-IKEV2-PROFILE
match fvrf any
match identity remote address 185.120.221.1 255.255.255.255
identity local address 195.120.220.32
! (Delete the line above if you use "identity local fqdn")
identity local fqdn 1111111.glo.net
! (Delete the line above if you use "identity local address")
authentication local pre-share
authentication remote pre-share
keyring local IKEV2-KEYRING-CUST-NWT-VPN
lifetime 86400
!
!
crypto ipsec transform-set CUSTOMER-NWT-L2L esp-aes 256 esp-sha256-hmac
mode tunnel
!
!
!
crypto ipsec profile CUST-NWT-IPSEC-PROFILE
set security-association lifetime seconds 3600
set security-association replay window-size 512
set transform-set CUSTOMER-NWT-L2L
set pfs group21
set ikev2-profile CUST-NWT-IKEV2-PROFILE
!
!
!
interface Tunnel0
ip address 10.255.255.1 255.255.255.252
ip nat outside
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 185.120.221.1
tunnel path-mtu-discovery
tunnel protection ipsec profile CUST-NWT-IPSEC-PROFILE
zone-member security OUTSIDE
!
ip route 10.212.93.0 255.255.255.0 Tunnel 0
!
!
!============================================ NAT =====================================================
!
!
interface loopback301
description NAT for Site to Site VPN
ip address 100.100.0.220 255.255.255.0
!
!
!
ip access-list extended CLASS_NAT_CUSTOMER_S2S_VPN
permit ip any 10.212.93.0 0.0.0.255
!
!
route-map RM_NAT_CUSTOMER_S2S_VPN permit 10
match ip address CLASS_NAT_CUSTOMER_S2S_VPN
!
! NAT example for Scada IP
ip nat inside source static 100.100.0.220 10.212.93.1 route-map RM_NAT_CUSTOMER_S2S_VPN extendable
!
! NAT example for MULTIBRAND IP
! ip nat inside source static {{MULTIBRAND_DESTINATION_IP}} {{NAT_INSIDE_IP}} vrf MULTIBRAND route-map RM_NAT_CUSTOMER_S2S_VPN extendable
!
!
end
!

!
write memory

!
!### WAN1 end
!

I have the above configuration. It is a site-to-site GRE over IPsec. Assume that the tunnel is up.

The company site has an INSIDE zone and a MULTIBRAND zone using a VRF. The customer has the company infrastructure.

I was told that with this config the routing will not work. Is it impossible to have the connection to both zones at the same time?

It is something that gets me confused...

2 Replies

M02@rt37 (VIP)

Hello @georgesofroniadis 

First, routing conflicts could be an issue. You have a single Tunnel0 interface that’s set up for the VPN connection and has a static route to the INSIDE zone. However, since the MULTIBRAND zone is using a VRF, it might require a separate routing table. In a VRF setup, routing tables are isolated, which means traffic from the MULTIBRAND zone won’t follow the same routes as traffic from the INSIDE zone unless you configure VRF-aware tunnels. This would ensure that traffic from both zones can traverse the tunnel properly.

Another factor to consider is NAT configuration. You have a static NAT setup for certain IP addresses, but this is only applied for the INSIDE zone. If you want both zones to communicate through the VPN, you'll need to ensure that NAT rules are correctly applied to both the INSIDE and MULTIBRAND zones. The NAT rules for the MULTIBRAND zone must include VRF-aware settings, allowing the traffic from that zone to be properly translated and routed through the tunnel.

There is also the issue of security policies and zone separation. You have distinct security policies for traffic between the OUTSIDE zone and both the INSIDE and MULTIBRAND zones. However, if traffic needs to move between the INSIDE and MULTIBRAND zones, these zones need a direct relationship either through a zone-pair security policy or through inter-VRF routing. Without the proper setup here, traffic may get blocked between the zones, especially when they are isolated by VRF.

Finally, there may be a zone-pair mismatch in your configuration. The service policy for the MULTIBRAND zone is referenced as PM_OUTSIDE_IMULTIBRAND, which may be a typo. Please verify that the correct service policy is being applied to ensure traffic can flow properly between the zones. A mismatch here could lead to traffic being dropped or misrouted, leading to the issues you're encountering...

So, it is possible to have connections for both the INSIDE and MULTIBRAND zones working simultaneously, but the configuration requires proper handling of VRF-aware routing, NAT rules, and security policies... 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
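The "inter-VRF routing" and "VRF-aware NAT" the reply refers to can be done without a second tunnel: the VRF gets a static route that points at the global Tunnel0, the global table gets a static route whose egress interface lives in the VRF, and the static NAT entry carries the vrf keyword so translated packets are forwarded in the right table. The fragment below is an added example written for this thread, not configuration from the original post. Everything not in the posted config is assumed: the VRF name MULTIBRAND with RD 65000:1, GigabitEthernet0/0/1 as the MULTIBRAND LAN interface with 172.16.50.0/24 behind it, the host 172.16.50.10 and its NAT address 100.100.0.221, and 10.255.255.2 as the far end of the Tunnel0 /30.

```cisco
! Added example for this thread (not the original post's config).
! Assumed names and addresses: VRF MULTIBRAND (rd 65000:1), Gi0/0/1 as the
! MULTIBRAND LAN, 172.16.50.0/24 behind it, NAT host 172.16.50.10 <-> 100.100.0.221,
! tunnel peer address 10.255.255.2. Tunnel0 stays exactly as posted (global table,
! ip nat outside, zone OUTSIDE).
!
conf t
!
vrf definition MULTIBRAND
 rd 65000:1
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0/1
 description MULTIBRAND LAN (assumed interface)
 vrf forwarding MULTIBRAND
 ip address 172.16.50.1 255.255.255.0
 ip nat inside
 zone-member security MULTIBRAND
!
! 1) Leak the customer prefix INTO the VRF: packets from MULTIBRAND hosts to
!    10.212.93.0/24 are forwarded out the global Tunnel0 toward the tunnel peer.
ip route vrf MULTIBRAND 10.212.93.0 255.255.255.0 Tunnel0 10.255.255.2 global
!
! 2) Return path for MULTIBRAND addresses that are NOT translated: a global
!    static route whose egress interface is in the VRF leaks the subnet back.
ip route 172.16.50.0 255.255.255.0 GigabitEthernet0/0/1
!
! 3) Translated hosts need no return route. The vrf keyword on the static NAT
!    entry tells NAT which table to forward in after translation. Same shape as
!    the commented MULTIBRAND template line in the posted config, with the
!    placeholders filled with the assumed addresses.
ip nat inside source static 172.16.50.10 100.100.0.221 vrf MULTIBRAND route-map RM_NAT_CUSTOMER_S2S_VPN extendable
!
end
!
! Checks before blaming the tunnel itself:
!   show ip route vrf MULTIBRAND 10.212.93.0            (must resolve via Tunnel0)
!   show ip route 172.16.50.0                            (must resolve via Gi0/0/1)
!   show ip nat translations vrf MULTIBRAND
!   show zone-pair security                              (ZP_OUTSIDE_MULTIBRAND with its policy)
!   show policy-map type inspect zone-pair ZP_OUTSIDE_MULTIBRAND sessions
!   show crypto ikev2 sa
!   show crypto ipsec sa                                 (encaps/decaps counters moving)
```

Because Tunnel0 is still the only zone-member of OUTSIDE, the existing ZP_OUTSIDE_INSIDE and ZP_OUTSIDE_MULTIBRAND zone pairs already cover both directions of customer traffic once the policy-map name on ZP_OUTSIDE_MULTIBRAND is corrected; no INSIDE-to-MULTIBRAND zone pair is needed unless those two zones must also talk to each other. The separate-tunnel design described in the follow-up post is the other valid option: putting a second tunnel interface into the VRF with vrf forwarding MULTIBRAND makes the leaking routes unnecessary but costs a second IKEv2/IPsec SA pair to the same peer.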

Hello M02@rt37 ,

First of all, I would like to thank you for your detailed explanation. It is very helpful! I believe with the current configuration I will be able to establish communication only with the INSIDE zone.

For accessing both zones I have created two separate IPsec tunnels. In that way I have isolated the traffic; it is not always needed to have a connection to both zones.

About the typos, you are right, it is a typo indeed.

However, it will be a good opportunity to improve this configuration to be able to handle the traffic on both zones.

I need to study how to create VRF-aware tunnels. It will be a good exercise!

I would like to thank you again for your support and help! Really appreciated.