IPSEC over GRE Tunnel

    We can encrypt our GRE tunnels using IPsec, and it is also possible to run GRE over IPsec, in other words to carry the GRE header inside the IPsec transport headers (transport mode instead of tunnel mode).

    What we are trying to cover in this text is IPsec over GRE tunnels (IPsec as the transport), not GRE over IPsec (tunneled).

    In this example there is no need to define a crypto map, since IPsec is applied inside the tunnel interface with the "tunnel protection" command.

    The same concept is used in DMVPN implementations; however, Dynamic Multipoint Virtual Private Networks use multipoint GRE.

    [Figure: GREIPSEC.png, topology diagram of R1, the firewall and R2]

    R1 and R2 are connected over the internet, and there is a firewall in front of R2 protecting the R2 network from internet threats.

     

    Template Configuration on Routers:

     

    crypto isakmp policy 10
    authentication pre-share
    crypto isakmp key CISCO address 217.218.1.1
    !
    crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
    mode transport
    crypto ipsec profile MyProfile
    set transform-set MyTransSet
    !
    interface Tunnel0
    ip address 10.254.25.4 255.255.255.254
    tunnel source 81.12.50.1
    tunnel destination 217.218.1.1
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile MyProfile

     

    After the configuration is applied on both routers, the firewall will see UDP port 500 (ISAKMP) packets followed, if they are accepted, by numerous ESP (IP protocol number 50) packets over the link.

    The first activity is ISAKMP (over UDP 500):

    %PIX-2-106006: Deny inbound UDP from 81.12.50.1/500 to 217.218.1.1/500 on interface outside.

    The second one is the ESP packets:

    %PIX-3-106010: Deny inbound protocol 50 src outside:81.12.50.1 dst inside:217.218.1.1 on interface outside

    So we need to permit this traffic into the inside network so that the tunnel can be established, by:

    access-list outin permit udp host 81.12.50.1 eq 500 host 217.218.1.1 eq 500
    access-list outin permit esp host 81.12.50.1 host 217.218.1.1
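    The two firewall messages above are what tells you which flows the tunnel needs. As an added example (not code from the original post), the following Python script parses PIX/ASA 106006 and 106010 deny messages, keeps only the flows an IPsec peer needs (IKE on UDP 500, NAT-T on UDP 4500 if a NAT device is in the path, and ESP), restricts them to the two tunnel endpoints so unrelated denies never become permits, and renders the host-to-host ACL lines in the same form as the FW1 configuration. The sample log lines are constructed from the messages quoted in the text; the UDP 4500 line and the DNS line are constructed additions that this topology does not produce.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines, modelled on the two PIX messages quoted above.
# The third line (UDP 4500, NAT-T) and the fourth (an unrelated DNS flow) are
# constructed additions that the page's scenario does not contain.
SAMPLE_LOGS = [
    "%PIX-2-106006: Deny inbound UDP from 81.12.50.1/500 to 217.218.1.1/500 on interface outside.",
    "%PIX-3-106010: Deny inbound protocol 50 src outside:81.12.50.1 dst inside:217.218.1.1 on interface outside",
    "%PIX-2-106006: Deny inbound UDP from 81.12.50.1/4500 to 217.218.1.1/4500 on interface outside.",
    "%PIX-2-106006: Deny inbound UDP from 198.51.100.7/53 to 217.218.1.1/53 on interface outside.",
]

# 106006: denied UDP/TCP with ports.  106010: denied non-TCP/UDP protocol, by IP protocol number.
RE_106006 = re.compile(
    r"%(?:PIX|ASA)-\d-106006: Deny inbound (?P<proto>UDP|TCP) "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\w+)"
)
RE_106010 = re.compile(
    r"%(?:PIX|ASA)-\d-106010: Deny inbound protocol (?P<proto>\d+) "
    r"src \w+:(?P<src>[\d.]+) dst \w+:(?P<dst>[\d.]+) on interface (?P<iface>\w+)"
)

IKE_UDP_PORTS = {500, 4500}   # ISAKMP, plus NAT-T when a NAT device sits between the peers
ESP_PROTO = 50                # IP protocol number of ESP


def parse_deny(line: str) -> Optional[Dict[str, object]]:
    """Parse one 106006/106010 deny message into a flow dict; return None for anything else."""
    m = RE_106006.search(line)
    if m:
        return {"proto": m["proto"].lower(), "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]), "iface": m["iface"]}
    m = RE_106010.search(line)
    if m:
        return {"proto": int(m["proto"]), "src": m["src"], "sport": None,
                "dst": m["dst"], "dport": None, "iface": m["iface"]}
    return None


def is_ipsec_flow(flow: Dict[str, object]) -> bool:
    """True for the flows an IPsec tunnel needs: IKE on UDP 500/4500 or ESP (protocol 50)."""
    if flow["proto"] == "udp":
        return flow["dport"] in IKE_UDP_PORTS
    return flow["proto"] == ESP_PROTO


def acl_entry(acl_name: str, flow: Dict[str, object]) -> str:
    """Render a host-to-host PIX/ASA extended ACL line that would permit the flow."""
    if flow["proto"] == "udp":
        return (f"access-list {acl_name} extended permit udp host {flow['src']} eq {flow['sport']} "
                f"host {flow['dst']} eq {flow['dport']}")
    return f"access-list {acl_name} extended permit esp host {flow['src']} host {flow['dst']}"


def ipsec_acl_from_logs(lines: List[str], acl_name: str = "outin",
                        peer_pair: Optional[Tuple[str, str]] = None) -> List[str]:
    """Return deduplicated ACL lines, in first-seen order, for the denied IKE/ESP flows.

    peer_pair, when given, restricts the result to one (source, destination) tunnel
    endpoint pair so that unrelated denied traffic is never turned into a permit.
    """
    entries: List[str] = []
    for line in lines:
        flow = parse_deny(line)
        if flow is None or not is_ipsec_flow(flow):
            continue
        if peer_pair is not None and (flow["src"], flow["dst"]) != peer_pair:
            continue
        entry = acl_entry(acl_name, flow)
        if entry not in entries:
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in ipsec_acl_from_logs(SAMPLE_LOGS, peer_pair=("81.12.50.1", "217.218.1.1")):
        print(e)
```

    Run against the sample lines with the R1/R2 endpoint pair, the script prints exactly the two permits used on FW1 (with "eq 500" in place of the "isakmp" keyword) plus a UDP 4500 line for the constructed NAT-T case; the DNS deny is dropped because it is neither IKE nor ESP.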

     

    Let's ping the other side of the tunnel to make sure everything is all right:

    R1#ping 10.254.25.5

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.254.25.5, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 20/137/312 ms

     

    Now, let's check ISAKMP and IPsec with the show crypto commands:

    R1#show crypto isakmp sa
    dst             src             state          conn-id slot status
    81.12.50.1      217.218.1.1     QM_IDLE              1    0 ACTIVE

    R1#show crypto ipsec sa

    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 81.12.50.1
       current_peer 217.218.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
        #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
        #pkts compressed: 0, #pkts decompressed: 0

         local crypto endpt.: 81.12.50.1, remote crypto endpt.: 217.218.1.1
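    The encaps/decaps counters are the quickest way to tell whether the firewall is still dropping something: a tunnel that encrypts but never decrypts is one whose inbound ESP (or IKE) is being denied. As an added example (not part of the original post), this Python script parses the "show crypto ipsec sa" block shown above, compares two captures taken before and after a test such as the 5-packet ping, and classifies the SA as healthy, idle or one-way. The SA text is constructed in the shape of the output above; the one-way variant and the "before the ping" variant are constructed by editing its counters.

```python
import re
from typing import Dict

# Constructed text in the shape of the "show crypto ipsec sa" excerpt above (healthy tunnel).
SA_HEALTHY = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 81.12.50.1
   current_peer 217.218.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
    #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
    #pkts compressed: 0, #pkts decompressed: 0
     local crypto endpt.: 81.12.50.1, remote crypto endpt.: 217.218.1.1
"""

# Constructed: the same SA while inbound ESP is still being dropped by the firewall.
SA_ONE_WAY = SA_HEALTHY.replace(
    "#pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25",
    "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0",
)

# Constructed: a capture taken before the 5-packet ping, so every counter is 5 lower.
SA_BEFORE_PING = SA_HEALTHY.replace(": 25", ": 20")

COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")
IFACE_RE = re.compile(r"^interface: (\S+)", re.M)


def parse_ipsec_sa(text: str) -> Dict[str, object]:
    """Extract the interface, the peer and the six packet counters from one SA block."""
    counters = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    peer = PEER_RE.search(text)
    iface = IFACE_RE.search(text)
    return {
        "interface": iface.group(1) if iface else None,
        "peer": peer.group(1) if peer else None,
        "counters": counters,
    }


def counter_delta(before: str, after: str) -> Dict[str, int]:
    """Per-counter increase between two captures taken around a test (e.g. the ping above)."""
    b = parse_ipsec_sa(before)["counters"]
    a = parse_ipsec_sa(after)["counters"]
    return {k: a[k] - b[k] for k in a if k in b}


def diagnose(counters: Dict[str, int]) -> str:
    """Classify a snapshot or a delta as healthy, idle, one-way-outbound or one-way-inbound."""
    if "encaps" not in counters or "decaps" not in counters:
        return "incomplete"
    out_pkts, in_pkts = counters["encaps"], counters["decaps"]
    if out_pkts == 0 and in_pkts == 0:
        return "idle"                 # SA exists but nothing has used it yet
    if out_pkts > 0 and in_pkts == 0:
        # We encrypt and send but nothing comes back: the usual sign that ESP (protocol 50)
        # or IKE is blocked on the path, which is exactly what the firewall denies above show.
        return "one-way-outbound"
    if in_pkts > 0 and out_pkts == 0:
        return "one-way-inbound"      # peer reaches us, our return traffic is not leaving
    return "healthy"


if __name__ == "__main__":
    print("healthy capture:", diagnose(parse_ipsec_sa(SA_HEALTHY)["counters"]))
    print("ESP blocked inbound:", diagnose(parse_ipsec_sa(SA_ONE_WAY)["counters"]))
    print("delta across the ping:", counter_delta(SA_BEFORE_PING, SA_HEALTHY))
```

    Comparing two captures is more reliable than reading one snapshot, because counters from an earlier session stay on the SA; the delta across the ping should show 5 in both directions if the tunnel is working.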

     

    Configurations:

     

    R1:

     

    version 12.4    
    !     
    hostname R1     
    !     
    ip cef     
    !     
    !     
    crypto isakmp policy 10     
    authentication pre-share     
    crypto isakmp key CISCO address 217.218.1.1     
    !     
    crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac     
    mode transport     
    !     
    crypto ipsec profile MyProfile     
    set transform-set MyTransSet     
    !     
    interface Tunnel0     
    ip address 10.254.25.4 255.255.255.254     
    tunnel source 81.12.50.1     
    tunnel destination 217.218.1.1     
    tunnel mode ipsec ipv4     
    tunnel protection ipsec profile MyProfile     
    !     
    interface FastEthernet0/0     
    ip address 81.12.50.1 255.255.255.0     
    duplex auto     
    speed auto     
    !     
    ip route 0.0.0.0 0.0.0.0 81.12.50.2     
    !     
    line con 0     
    line aux 0     
    line vty 0 4     
    !     
    !     
    end

     

    R2:

     

    version 12.4    
    !     
    hostname R2     
    !     
    !     
    !     
    ip cef     
    !     
    !     
    crypto isakmp policy 10     
    authentication pre-share     
    crypto isakmp key CISCO address 81.12.50.1     
    !     
    !     
    crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac     
    mode transport     
    !     
    crypto ipsec profile MyProfile     
    set transform-set MyTransSet     
    !     
    interface Tunnel0     
    ip address 10.254.25.5 255.255.255.254     
    tunnel source 217.218.1.1     
    tunnel destination 81.12.50.1     
    tunnel mode ipsec ipv4     
    tunnel protection ipsec profile MyProfile     
    !     
    interface FastEthernet0/0     
    ip address 217.218.1.1 255.255.255.0     
    duplex auto     
    speed auto     
    !     
    ip route 0.0.0.0 0.0.0.0 217.218.1.2     
    !     
    !     
    line con 0     
    line aux 0     
    line vty 0 4     
    !     
    !     
    end

     

    FW1:

     

    PIX Version 8.0(4)    
    !     
    hostname pixfirewall     
    names     
    !     
    interface Ethernet0     
    nameif outside     
    security-level 0     
    ip address 81.12.50.2 255.255.255.0     
    !     
    interface Ethernet1     
    nameif inside     
    security-level 100     
    ip address 217.218.1.2 255.255.255.0     
    !     
    !     
    access-list outin extended permit udp host 81.12.50.1 eq isakmp host 217.218.1.1 eq isakmp
    access-list outin extended permit esp host 81.12.50.1 host 217.218.1.1
    !
    access-group outin in interface outside
    !
    : end


    Link:

    http://szandi.wordpress.com/2009/07/16/ipsec-and-gre/