Generic Routing Encapsulation GRE GRE is an OSI Layer 3 tunneling protocol: Encapsulates a wide variety of protocol packet types inside IP tunnels Creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork Uses IP for transport Uses an additional header to support any other OSI Layer 3 protocol as payload (for example, IP, IPX, AppleTalk)
GRE over IPsec Encapsulation GRE encapsulates an arbitrary payload. IPsec encapsulates unicast IP packet (GRE): Tunnel mode (default): IPsec creates a new tunnel IP packet Transport mode: IPsec reuses the IP header of the GRE (20 bytes less overhead than tunnel mode)
Module 3 – Lesson 4 Configuring IPsec VPN using SDM
Configuring GRE over IPsec Site-to-Site Tunnel Using SDM
IKE Proposals You can now use a predefined IKE policy, or click the Add button and enter the required information to create a custom IKE policy: You can also modify the existing policies by selecting an individual policy and clicking the Edit button When adding or editing an IKE policy, define the required parameters that appear in the Add IKE Policy window –IKE proposal priority –Encryption algorithm (most commonly 3DES or AES; Software Encryption Algorithm [SEAL] can also be used to improve crypto performance on routers that do not have hardware IPsec accelerators; DES is no longer advised) –HMAC (SHA-1 or MD5) –Authentication method (pre-shared key or digital certificates) –DH group (1, 2, or 5) –IKE lifetime –When you finish adding or editing IKE proposals, click Next button on the IKE proposals window to proceed to next task
IKE Proposals
Creating a Custom IKE Policy Define all IKE policy parameters: Priority Encryption algorithm: DES, 3DES, or AES HMAC: SHA-1 or MD5 Authentication method: preshared secrets or digital certificates Diffie-Hellman group: 1, 2, or 5 IKE lifetime
VPN Configuration Page Wizards for IPsec solutions Individual IPsec components
Configuring the Transform Set
Test Tunnel Configuration and Operation
Test Results 7.
Testing and Monitoring GRE Tunnel Configuration show crypto isakmp sa router# To display all current IKE SAs, use the show crypto isakmp sa command in EXEC mode. QM_IDLE status indicates an active IKE SA show crypto ipsec sa router# To display the settings used by current SAs, use the show crypto ipsec sa command in EXEC mode. Non-zero encryption and decryption statistics can indicate a working set of IPsec SA show interfaces router# Use the show interfaces command to display statistics for all interfaces that are configured on the router, including the tunnel interfaces
Troubleshooting GRE Tunnel Configuration debug crypto isakmp router# Debugs IKE communication Advanced troubleshooting can be performed using the Cisco IOS CLI Troubleshooting requires knowledge of Cisco IOS CLI commands
Module 3 – Lesson 7 An Introduction to Cisco Easy VPN
Small or Medium Business Deployment Mobile Worker With VPN Software Client On Laptop Teleworker With DSL Or Cable Modem & Cisco 806 or uBR900 With Easy VPN Remote Support Nontechnical Users Can Use CRWS GUI To Set Up Easy VPNs Internet Remote Office With Cisco 800 or Cisco 1700 Series Router With Easy VPN Remote Support Company Main Site Cisco 1700, Cisco 2600 Or Cisco 3600 Series Router With Support To Terminate Cisco VPN Clients VPN Tunnels
Easy VPN Server and Easy VPN Remote Operation Step 1The VPN client initiates the IKE Phase 1 process Step 2The VPN client establishes an ISAKMP SA Step 3The Easy VPN Server accepts the SA proposal Step 4The Easy VPN Server initiates a username and password challenge Step 5The mode configuration process is initiated Step 6The RRI process is initiated Step 7IPsec quick mode completes the connection
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod9_L8 27 Module 3 – Lesson 9 Implementing the Cisco VPN Client
Cisco VPN Client Configuration Tasks 1.Install Cisco VPN Client 2.Create a new client connection entry 3.Configure the client authentication properties 4.Configure transparent tunneling 5.Enable and add backup servers 6.Configure a connection to the Internet through dialup networking
Create a New Client Connection Entry—Main Window (Task 2) VPN Client Main Window
DPD Configuration Example Router will first try primary peer. If primary peer is not available or becomes unavailable (DPD failure detection), the router tries backup peers in order as listed in the crypto map.
HSRP for Default Gateway at Remote Site All remote devices use virtual IP as the default gateway. The backup router is only used when the primary router is down.
HSRP for Head-End IPsec Routers Remote sites peer with virtual IP address (HSRP) of the head-end. RRI or HSRP can be used on the inside interface to ensure a proper return path.
Using an IPsec VPN to Back Up a WAN Connection IGP used to detect PVC failures Reroute to GRE over IPsec tunnel Example Using GRE over IPsec