Configuring GRE Tunnels over IPsec

GRE tunnels can encapsulate various layer 3 protocols and IPsec provides security. Configuring GRE over IPsec allows creating secure logical point-to-point connections while supporting multiprotocol payloads. The Cisco SDM tool guides users to configure GRE over IPsec site-to-site tunnels by defining IPsec parameters, generating router configurations, and allowing routing protocol usage across the secure tunnels.

Uploaded by rajkumarlodh

IPsec VPNs

Configuring GRE Tunnels over IPsec


Generic Routing Encapsulation

OSI Layer 3 tunneling protocol:

• Uses IP for transport
• Uses an additional header to support any other OSI Layer 3 protocol as payload (e.g., IP, IPX, AppleTalk)
Default GRE Characteristics

• Tunneling of arbitrary OSI Layer 3 payload is the primary goal of GRE
• Stateless (no flow control mechanisms)
• No security (no confidentiality, data authentication, or integrity assurance)
• 24-byte overhead by default (20-byte IP header and 4-byte GRE header)
Optional GRE Extensions

• GRE can optionally contain any one or more of these fields:
– Tunnel checksum
– Tunnel key
– Tunnel packet sequence number
• GRE keepalives can be used to track tunnel path status.
GRE Configuration Example

• GRE tunnel is up and protocol up if:
– Tunnel source and destination are configured
– Tunnel destination is in the routing table
– GRE keepalives are received (if used)
• GRE is the default tunnel mode.
Introducing Secure GRE Tunnels

• GRE is good at tunneling:
– Multiprotocol support
– Provides virtual point-to-point connectivity, allowing routing protocols to be used
• GRE is poor at security: only very basic plaintext authentication can be implemented using the tunnel key (not very secure)
• GRE cannot accommodate typical security requirements:
– Confidentiality
– Data source authentication
– Data integrity
IPsec Characteristics

• IPsec provides what GRE lacks:
– Confidentiality through encryption using symmetric algorithms (e.g., 3DES or AES)
– Data source authentication using HMACs (e.g., MD5 or SHA-1)
– Data integrity verification using HMACs
• IPsec is not perfect at tunneling:
– Older Cisco IOS software versions do not support IP multicast over IPsec
– IPsec was designed to tunnel IP only (no multiprotocol support)
– Using crypto maps to implement IPsec does not allow the usage of routing protocols across the tunnel
– IPsec does not tunnel IP protocols; GRE does
GRE over IPsec

GRE over IPsec is typically used to do the following:

• Create a logical hub-and-spoke topology of virtual point-to-point connections
• Secure communication over an untrusted transport network (e.g., Internet)
GRE over IPsec Characteristics

• GRE encapsulates arbitrary payload.
• IPsec encapsulates unicast IP packet (GRE):
– Tunnel mode (default): IPsec creates a new tunnel IP packet
– Transport mode: IPsec reuses the IP header of the GRE (20 bytes less overhead)
Configuring GRE over IPsec Site-to-Site Tunnel Using SDM

(Slides show SDM wizard screenshots with numbered callouts 1 to 6, and 1 to 4 on the continuation slide.)
Backup GRE Tunnel Information

(Slide shows an SDM screenshot with numbered callouts 1 to 4.)
VPN Authentication Information

(Slide shows an SDM screenshot with callouts 1A, 1B and 2.)
IKE Proposals

(Slide content is an image with no extractable text.)
Creating a Custom IKE Policy

Define all IKE policy parameters:

• Priority
• Encryption algorithm: DES, 3DES, AES
• HMAC: SHA-1 or MD5
• Authentication method: preshared secrets or digital certificates
• Diffie-Hellman group: 1, 2, or 5
• IKE lifetime
Transform Set

(Slide shows an SDM screenshot with numbered callouts 1 to 3.)
Routing Information

Option 1: Static Routing

Option 2: Dynamic Routing Using EIGRP
(Slide shows an SDM screenshot with numbered callouts 1 and 2.)

Option 3: Dynamic Routing Using OSPF
(Slide shows an SDM screenshot with numbered callouts 1 to 3.)
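A hub-side Cisco IOS CLI configuration of the kind SDM generates, added here as an example that is not from the deck: it ties together the IKE policy parameters, the transform set (transport mode), the GRE tunnel up/up conditions and the EIGRP routing option described above. The addresses, interface names, policy numbers, object names and the preshared-key placeholder are all assumptions.

```cisco
! Added example, not from the slides: hub-side GRE over IPsec configuration.
! Assumed addresses (documentation ranges): hub WAN 203.0.113.1, spoke WAN
! 198.51.100.1, tunnel subnet 10.0.0.0/30, hub LAN 192.168.1.0/24.
!
! IKE phase 1 policy with the parameters the slides list: priority, encryption
! algorithm, HMAC, authentication method, Diffie-Hellman group and lifetime.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
! Preshared secret for the spoke peer (placeholder value, replace before use).
crypto isakmp key EXAMPLE_PSK_CHANGE_ME address 198.51.100.1
!
! Transform set. Transport mode reuses the GRE packet's own IP header and so
! saves the 20-byte outer header that tunnel mode would add.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Only GRE traffic between the two tunnel endpoints is selected for IPsec.
ip access-list extended GRE-TO-SPOKE
 permit gre host 203.0.113.1 host 198.51.100.1
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address GRE-TO-SPOKE
!
! GRE tunnel. It reports up/up once source and destination are configured, the
! destination is in the routing table and keepalives (10 s, 3 retries) are answered.
! MTU and MSS are lowered to leave room for the GRE and ESP overhead.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode gre ip
!
! The crypto map is applied to the physical WAN interface that sources the tunnel.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map GRE-MAP
!
! Option 2 from the slides: EIGRP across the tunnel (GRE carries its multicast hellos).
router eigrp 100
 network 10.0.0.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
 no auto-summary
```

The spoke uses the mirror image (swapped addresses and a matching key, policy and transform set); after both sides are applied, `show crypto isakmp sa` and `show crypto ipsec sa` from the monitoring slide confirm the IKE session and the IPsec security associations.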
Completing the Configuration

Review the Generated Configuration
(Two slides of SDM screenshots showing the generated configuration.)

Test Tunnel Configuration and Operation
(Slides show SDM screenshots with numbered callouts 1 to 7.)

Monitor Tunnel Operation
(Slide shows an SDM screenshot with numbered callouts 1 to 3.)
Advanced Monitoring

router# show crypto isakmp sa
• Lists active IKE sessions

router# show crypto ipsec sa
• Lists active IPsec security associations

router# show interfaces
• Lists interfaces and their statistics, including the statistics of tunnel interfaces

• Advanced monitoring can be performed using the default Cisco IOS HTTP server interface.
• Requires knowledge of Cisco IOS CLI commands.
Troubleshooting

router# debug crypto isakmp
• Debugs IKE communication

• Advanced troubleshooting can be performed using the Cisco IOS CLI
• Requires knowledge of Cisco IOS CLI commands
Summary

• GRE is a multiprotocol tunneling technology.
• SDM can be used to implement GRE over IPsec site-to-site VPNs.
• Backup tunnels can be configured in addition to one primary tunnel.
• Routing can be configured through the tunnel interfaces:
– Static for simple sites
– OSPF or EIGRP for more complex sites (more networks, multiple tunnels)
• Upon completing the configuration, the SDM converts the configuration into the Cisco IOS CLI format.
