© 2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod3_L5

Implementing Secure Converged Wide Area Networks (ISCW)
Module 3 – Lesson 5: Configuring GRE Tunnels over IPsec
Module Introduction

Virtual private networks (VPNs) use advanced encryption techniques and tunneling to permit organisations to establish secure, end-to-end, private network connections over third-party networks such as the Internet.

Cisco offers a wide range of VPN products, including VPN-optimised routers, PIX security and Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These infrastructure devices are used to create VPN solutions that meet the security requirements of any organisation.

This module explains fundamental terms associated with VPNs, including the IP Security protocol and Internet Key Exchange. It then details how to configure various types of VPN, using various currently available methods.
Objectives

At the completion of this fifth lesson, you will be able to:
- Explain the requirement to use the GRE protocol
- Describe GRE technology
- Configure a GRE tunnel using SDM on IOS routers
- Monitor and test the tunnel
Generic Routing Encapsulation (GRE)

GRE is an OSI Layer 3 tunneling protocol:
- Encapsulates a wide variety of protocol packet types inside IP tunnels
- Creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork
- Uses IP for transport
- Uses an additional header to support any other OSI Layer 3 protocol as payload (for example, IP, IPX, AppleTalk)
Generic Routing Encapsulation

IPsec only encapsulates IP traffic. This may be a problem for non-IP or multicast traffic that needs to be sent across a secure tunnel.

GRE, a Cisco-developed protocol, allows traffic other than IP to be transported using a powerful but simple tunnel technique. GRE supports any OSI Layer 3 protocol as payload, for which it provides virtual point-to-point connectivity. GRE also allows the use of routing protocols across the tunnel.

However, GRE offers only minimal security for the payload (basic plaintext authentication using the tunnel key), and so needs to be used with IPsec if security is required.
Generic Routing Encapsulation

Some of the reasons for using GRE over IPsec:
- To pass multicast and broadcast traffic across the tunnel securely
- To pass non-IP traffic securely
- To provide resiliency
- To save memory and CPU cycles in the router, by reducing the number of security associations (SAs) that need to be set up
Basic GRE Header - GRE flags

- GRE is stateless (no flow control mechanisms).
- GRE offers no security (no confidentiality, data authentication, or integrity assurance).
- GRE uses 24-byte overhead by default (20-byte IP header and 4-byte GRE header).
Basic GRE Header - GRE flags

The GRE flags are encoded in the first two octets. Bit 0 is the MSB, and bit 15 the LSB. Some of the GRE flags include the following:
- Checksum Present (bit 0): If the Checksum Present bit is set to 1, the optional Checksum field is present in the GRE header.
- Key Present (bit 2): If the Key Present bit is set to 1, the optional Key field is present in the GRE header.
- Sequence Number Present (bit 3): If the Sequence Number Present bit is set to 1, the optional Sequence Number field is present in the GRE header.
- Version Number (bits 13–15): The Version Number indicates the GRE implementation version. A value of 0 is typically used for a basic GRE implementation. Point-to-Point Tunneling Protocol (PPTP) uses Version 1.
- Protocol Type: The Protocol Type field contains the protocol type of the payload packet. In general, the value is the Ethernet protocol type field for the packet. For IP, the hexadecimal value 0x800 is used. This field enables GRE to tunnel any Layer 3 protocol.
Optional GRE Extensions

GRE can optionally contain any one or more of these fields:
- Tunnel checksum
- Tunnel key
- Tunnel packet sequence number

GRE keepalives can be used to track tunnel path status.
Optional GRE Extensions

The GRE tunnel header can contain additional optional header information, depending on the flags in the first two bytes of the GRE header. The optional GRE header information can include the following:
- Tunnel checksum: The tunnel checksum detects packet corruption. This option is seldom used, because checksums at other layers of the protocol stack already protect the GRE packets against corruption.
- Tunnel key: Can be used for two purposes:
  - The tunnel key can be used for basic plaintext authentication of packets, in which only the two GRE endpoints share a secret number that enables the tunnel to operate properly. However, anyone in the packet path can easily see the key and so is able to spoof tunnel packets.
  - A more common use of the tunnel key is when two routers want to establish parallel tunnels sourced from the same IP address. The tunnel key is then used to distinguish between GRE packets belonging to different tunnels.
- Tunnel sequence number: This number is used to ensure that GRE packets are accepted only if the packets arrive in the correct order.
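The header layout described on the preceding slides, as an added Python example (not part of the Cisco course material): it builds and parses a GRE version 0 header with the optional Checksum, Key and Sequence Number fields, verifies the checksum, computes the per-packet overhead, and applies the receiver-side key and sequence checks the slides describe. The payload is a constructed 20-byte stand-in for an IP header, and all function and constant names are the example's own.

```python
"""Build and parse the GRE header (RFC 2784 base header, RFC 2890 Key and
Sequence Number extensions). Added example, not code from the Cisco course.
The sample payload at the bottom is constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

GRE_PROTO_IP = 0x0800        # Ethernet protocol type carried in the Protocol Type field for IPv4
FLAG_CHECKSUM = 0x8000       # Checksum Present, bit 0 (MSB of the first two octets)
FLAG_KEY = 0x2000            # Key Present, bit 2
FLAG_SEQUENCE = 0x1000       # Sequence Number Present, bit 3
VERSION_MASK = 0x0007        # Version Number, bits 13-15


@dataclass
class GreHeader:
    version: int
    protocol_type: int
    checksum: Optional[int]      # present only when the Checksum Present bit is set
    key: Optional[int]
    sequence: Optional[int]
    header_len: int              # 4 bytes base, plus 4 for each optional field present
    checksum_ok: Optional[bool]  # None when the packet carries no checksum


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071), the algorithm GRE uses for its Checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, protocol_type: int = GRE_PROTO_IP, key: Optional[int] = None,
              sequence: Optional[int] = None, checksum: bool = False) -> bytes:
    """Encapsulate payload in a GRE version 0 header with the requested optional fields."""
    flags = 0
    if checksum:
        flags |= FLAG_CHECKSUM
    if key is not None:
        flags |= FLAG_KEY
    if sequence is not None:
        flags |= FLAG_SEQUENCE
    hdr = struct.pack("!HH", flags, protocol_type)
    if checksum:
        hdr += b"\x00\x00\x00\x00"       # Checksum + Reserved1, checksum filled in below
    if key is not None:
        hdr += struct.pack("!I", key)
    if sequence is not None:
        hdr += struct.pack("!I", sequence)
    packet = hdr + payload
    if checksum:
        # The checksum covers the whole GRE header and payload, computed with the field zeroed
        csum = ones_complement_checksum(packet)
        packet = packet[:4] + struct.pack("!H", csum) + packet[6:]
    return packet


def parse_gre(packet: bytes) -> GreHeader:
    """Decode the GRE header; raises ValueError on truncation or a non-zero version."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    version = flags & VERSION_MASK
    if version != 0:
        raise ValueError(f"GRE version {version} not handled (version 1 is PPTP)")
    needed = 4 + sum(4 for f in (FLAG_CHECKSUM, FLAG_KEY, FLAG_SEQUENCE) if flags & f)
    if len(packet) < needed:
        raise ValueError("truncated GRE optional fields")
    offset = 4
    checksum = key = sequence = None
    if flags & FLAG_CHECKSUM:
        checksum = struct.unpack("!H", packet[offset:offset + 2])[0]
        offset += 4                      # 2-byte Checksum + 2-byte Reserved1
    if flags & FLAG_KEY:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_SEQUENCE:
        sequence = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    checksum_ok = None
    if checksum is not None:
        # With a correct checksum in place, the one's-complement sum of the whole packet is zero
        checksum_ok = ones_complement_checksum(packet) == 0
    return GreHeader(version, proto, checksum, key, sequence, offset, checksum_ok)


def tunnel_overhead(header: GreHeader, outer_ip_len: int = 20) -> int:
    """Bytes added per packet by GRE over IP: outer IP header plus the GRE header (24 by default)."""
    return outer_ip_len + header.header_len


def accept_packet(header: GreHeader, expected_key: int, last_sequence: Optional[int]) -> bool:
    """Receiver check for the Key and Sequence extensions: the plaintext key must match the
    configured one, and the sequence number must advance (out-of-order packets are dropped)."""
    if header.key != expected_key:
        return False
    if header.sequence is not None and last_sequence is not None:
        return header.sequence > last_sequence
    return True


# Constructed sample payload: a 20-byte blob whose first nibble (4) looks like an IPv4 header
SAMPLE_PAYLOAD = b"\x45" + bytes(19)
```

Note that accept_packet only demonstrates what the tunnel key can do on its own: the key travels in clear, so matching it proves nothing about the sender; that is why the lesson pairs GRE with IPsec.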
Secure GRE Tunnels

IPsec provides what GRE lacks:
- Confidentiality through encryption using symmetric algorithms
- Data source authentication using HMACs
- Data integrity verification using HMACs

IPsec is not perfect at tunneling:
- Older IOS versions do not support IP multicast over IPsec
- IPsec was designed to tunnel IP only (no multiprotocol support)
- Using crypto maps to implement IPsec does not allow the use of routing protocols across the tunnel
- IPsec does not tunnel non-IP protocols; GRE does
GRE over IPsec

GRE over IPsec is typically used to do the following:
- Create a logical hub-and-spoke topology of virtual point-to-point connections
- Secure communication over an untrusted transport network (e.g. the Internet)
GRE over IPsec Encapsulation

- GRE encapsulates an arbitrary payload.
- IPsec encapsulates the unicast IP packet (the GRE packet):
  - Tunnel mode (default): IPsec creates a new tunnel IP packet
  - Transport mode: IPsec reuses the IP header of the GRE packet (20 bytes less overhead than tunnel mode)
Configuring GRE over IPsec Site-to-Site Tunnel Using SDM

To configure a GRE over IPsec tunnel using SDM, follow these steps (see next slide):
1. Use a web browser to connect via HTTP server to the router. Click the Configure icon in the top navigation bar to enter the configuration page.
2. Click the VPN icon in the vertical navigation bar to open the VPN page.
3. Choose the Site to Site VPN wizard in the menu.
4. Click the Create Site to Site VPN tab at the top of the section on the right.
5. Click the Create a secure GRE tunnel (GRE over IPSec) radio button.
6. Click the Launch the selected task button to start the wizard that will guide you through the configuration steps.
Configuring GRE over IPsec Site-to-Site Tunnel Using SDM (screenshot: steps 1–6 called out on the SDM VPN page)
GRE Tunnel (GRE over IPsec) (screenshot)
Configuring GRE Tunnel Information

Follow these steps for configuring the GRE tunnel (see next slide):
1. Under Tunnel Source, enter the GRE tunnel source IP address from a configured interface or manually specify the source IP address. This address must be a valid IP address configured on one of the interfaces on the router. Under Tunnel Destination, enter the tunnel destination IP address.
2. In the IP address of the GRE tunnel section, define the inner IP address and subnet mask that is applied to the virtual point-to-point link.
3. Note that the Enable path MTU discovery (PMTUD) button is enabled by default. This setting lets the router determine the maximum transmission unit (MTU) for the virtual interface. This is accomplished by using ICMP.
4. Click the Next button to proceed to the next task.

NOTE: ICMP unreachable messages must be permitted by all ACLs and firewalls in the path between the two tunnel endpoints in order for PMTUD to work.
Configuring GRE Tunnel Information (screenshot: steps 1–4 called out)
Configuring a Backup GRE Tunnel

To provide resilience to the VPN, create a second GRE tunnel in case the primary tunnel fails (the steps are shown on the next slide):
1. Check Create a backup secure GRE tunnel for resilience.
2. Define the IP address of the backup VPN peer in the available field.
3. In the Tunnel IP address section, define the inner IP address and the subnet mask for the logical tunnel interface.
4. Click the Next button to proceed to the next task.
Configuring a Backup GRE Tunnel (screenshot: steps 1–4 called out)
Configuring VPN Authentication

After defining the GRE tunnel parameters, the SDM wizard proceeds to configure IPsec-specific parameters. This step ensures that both ends of the tunnel connect with the same secret key:
1. Click the radio button for the desired authentication method:
   - Pre-shared keys
   - Digital certificates
2. If you choose pre-shared keys to provide authentication, then specify a pre-shared secret. The secret should be long and random.
Configuring VPN Authentication (screenshot: steps 1A, 1B and 2 called out)
IKE Proposals

You can now use a predefined IKE policy, or click the Add button and enter the required information to create a custom IKE policy. You can also modify the existing policies by selecting an individual policy and clicking the Edit button.

When adding or editing an IKE policy, define the required parameters that appear in the Add IKE Policy window:
1. IKE proposal priority
2. Encryption algorithm (most commonly 3DES or AES; Software Encryption Algorithm [SEAL] can also be used to improve crypto performance on routers that do not have hardware IPsec accelerators; DES is no longer advised)
3. HMAC (SHA-1 or MD5)
4. Authentication method (pre-shared key or digital certificates)
5. DH group (1, 2, or 5)
6. IKE lifetime
7. When you finish adding or editing IKE proposals, click the Next button on the IKE proposals window to proceed to the next task
IKE Proposals (screenshot)
Creating a Custom IKE Policy

Define all IKE policy parameters:
- Priority
- Encryption algorithm: DES, 3DES, or AES
- HMAC: SHA-1 or MD5
- Authentication method: preshared secrets or digital certificates
- Diffie-Hellman group: 1, 2, or 5
- IKE lifetime
Configuring the Transform Set

When creating an IPsec transform set, use the same set of algorithms as the configured IKE policy:
1. There is a default IPsec transform set predefined by SDM that can be used. If you choose to use the default, skip Step 2. A new transform set can also be created.
2. If you want to use a custom IPsec transform set, create it by clicking the Add button and specifying these parameters:
   - Transform set name
   - Encryption algorithm
   - HMAC
   - Mode of operation
   - Optional compression
3. When finished adding sets, click the Next button to proceed to the next task.
Transform Set (screenshot: steps 1–3 called out)
Configuring Routing Information

A GRE tunnel supports multicast across the addressed point-to-point link. Static routing is typically used for simple stub sites with a single GRE over IPsec tunnel. Complex topologies with sites that use backup tunnels or have multiple IP subnets require a routing protocol to dynamically distribute routing information, detect failures, and reroute to backup tunnels.

The SDM wizard allows choosing from three options:
1. Static routing
2. Dynamic routing using Enhanced Interior Gateway Routing Protocol (EIGRP)
3. Dynamic routing using Open Shortest Path First (OSPF)
Configuring Routing Information (screenshot)
Static Routing

If you choose static routing, select the Static routing button and then click Next. In the first drop-down menu, disable split tunneling by choosing the Tunnel all traffic option. This option results in a default route pointing into the tunnel; unless more specific routes are in the routing table, all traffic will be sent through the tunnel.

Alternatively, choose the Do split tunneling option from this drop-down menu and specify the IP address and subnet mask of the destination that is reachable through the tunnel. All other destinations are reachable by bypassing the tunnel.
Static Routing (screenshot)
Dynamic Routing Using EIGRP

If you choose dynamic routing using EIGRP, select the EIGRP button on the routing choice screen. There are two steps for configuring EIGRP across the tunnel:
1. Select an existing or define a new EIGRP autonomous system (AS) number by clicking the appropriate button and entering the number.
2. Define one or more local subnets (IP address and wildcard mask) on which EIGRP will run and which it will thus advertise to EIGRP neighbors.
Dynamic Routing Using EIGRP (screenshot: steps 1 and 2 called out)
Dynamic Routing Using OSPF

If you choose dynamic routing using OSPF, click the OSPF button on the initial routing screen and then click Next. There are three steps used to configure OSPF across the tunnel:
1. Select an existing or define a new OSPF process number by clicking the appropriate radio button and entering the number.
2. Enter an OSPF area number for the tunnels.
3. Enter the network IP address, subnet mask, and area number of one or more local subnets that you want to advertise to OSPF neighbors.
Dynamic Routing Using OSPF (screenshot: steps 1–3 called out)
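The wizard steps from the tunnel-information slide through the routing slides map onto a short list of IOS CLI commands, which is also what the mirror configuration discussed later in the lesson contains. The following Python script is an added example, not SDM's own generated configuration: it renders the classic crypto-map style configuration (IKE policy, pre-shared key, transform set in transport mode, crypto ACL for GRE between the two endpoints, Tunnel0 with PMTUD, and EIGRP across the tunnel) for one router, checks the inputs that commonly make the tunnel test fail, and produces the mirror configuration for the peer by swapping the two endpoints. The addresses, interface names, the names GRE-MAP, GRE-TS and ACL 100, and the minimum key length are assumptions of the example.

```python
"""Cisco IOS CLI equivalent of the SDM 'Create a secure GRE tunnel (GRE over IPsec)'
wizard, plus the mirror configuration for the peer router.

Added example (not SDM's generated output). Commands use classic IOS syntax
(crypto isakmp policy / crypto map / interface Tunnel). All addresses, interface
names, object names and the key are constructed sample values."""
from dataclasses import dataclass
from typing import List
import ipaddress
import secrets


@dataclass(frozen=True)
class Endpoint:
    wan: str            # tunnel source / IPsec peer address (public side)
    wan_if: str         # physical interface that carries the crypto map
    inner: str          # this router's address on the virtual point-to-point link
    lan: str            # local subnet advertised across the tunnel
    lan_wildcard: str


@dataclass(frozen=True)
class GreIpsecTunnel:
    local: Endpoint
    peer: Endpoint
    psk: str
    inner_mask: str = "255.255.255.252"
    eigrp_as: int = 100
    ike_priority: int = 10
    ike_lifetime: int = 86400   # seconds


def new_psk(nbytes: int = 24) -> str:
    """Long random pre-shared secret, as the wizard's authentication step asks for."""
    return secrets.token_urlsafe(nbytes)


def mirror(t: GreIpsecTunnel) -> GreIpsecTunnel:
    """The peer's configuration: identical crypto parameters, endpoints swapped."""
    return GreIpsecTunnel(local=t.peer, peer=t.local, psk=t.psk, inner_mask=t.inner_mask,
                          eigrp_as=t.eigrp_as, ike_priority=t.ike_priority,
                          ike_lifetime=t.ike_lifetime)


def validate(t: GreIpsecTunnel) -> List[str]:
    """Input mistakes worth catching before the config is pushed (empty list = OK)."""
    problems = []
    local_net = ipaddress.ip_network(f"{t.local.inner}/{t.inner_mask}", strict=False)
    peer_net = ipaddress.ip_network(f"{t.peer.inner}/{t.inner_mask}", strict=False)
    if local_net != peer_net:
        problems.append("tunnel inner addresses must share one point-to-point subnet")
    if t.local.wan == t.peer.wan:
        problems.append("tunnel source and destination must differ")
    if len(t.psk) < 16 or " " in t.psk:   # minimum length is this example's own policy
        problems.append("pre-shared key must be long and contain no spaces")
    return problems


def render(t: GreIpsecTunnel) -> str:
    """IOS configuration lines for the local router."""
    problems = validate(t)
    if problems:
        raise ValueError("; ".join(problems))
    tunnel_net = ipaddress.ip_network(f"{t.local.inner}/{t.inner_mask}", strict=False)
    lines = [
        # IKE policy: the fields of the wizard's IKE proposal screen
        f"crypto isakmp policy {t.ike_priority}",
        " encryption aes 256",
        " hash sha",
        " authentication pre-share",
        " group 5",
        f" lifetime {t.ike_lifetime}",
        f"crypto isakmp key {t.psk} address {t.peer.wan}",
        # Transform set in transport mode: GRE already supplies the outer IP header
        "crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac",
        " mode transport",
        # Crypto ACL protects only GRE (IP protocol 47) between the two tunnel endpoints
        f"access-list 100 permit gre host {t.local.wan} host {t.peer.wan}",
        "crypto map GRE-MAP 10 ipsec-isakmp",
        f" set peer {t.peer.wan}",
        " set transform-set GRE-TS",
        " match address 100",
        # The GRE tunnel itself, with PMTUD enabled as the wizard does by default
        "interface Tunnel0",
        f" ip address {t.local.inner} {t.inner_mask}",
        f" tunnel source {t.local.wan}",
        f" tunnel destination {t.peer.wan}",
        " tunnel path-mtu-discovery",
        f"interface {t.local.wan_if}",
        " crypto map GRE-MAP",
        # Dynamic routing across the tunnel (the wizard's EIGRP option)
        f"router eigrp {t.eigrp_as}",
        f" network {t.local.lan} {t.local.lan_wildcard}",
        f" network {tunnel_net.network_address} {tunnel_net.hostmask}",
        " no auto-summary",
    ]
    return "\n".join(lines) + "\n"


def sample_tunnel() -> GreIpsecTunnel:
    """Constructed sample using documentation address ranges."""
    hub = Endpoint("198.51.100.1", "FastEthernet0/0", "10.1.1.1", "192.168.1.0", "0.0.0.255")
    spoke = Endpoint("203.0.113.1", "FastEthernet0/0", "10.1.1.2", "192.168.2.0", "0.0.0.255")
    return GreIpsecTunnel(local=hub, peer=spoke, psk=new_psk())


if __name__ == "__main__":
    t = sample_tunnel()
    print("! --- local router ---\n" + render(t))
    print("! --- mirror configuration for the peer ---\n" + render(mirror(t)))
```

The crypto ACL is the detail most often wrong when one side is built by hand: it must name GRE between the two tunnel source addresses, and the peer's copy must have the hosts reversed, which is exactly what mirror() produces.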
Review the Configuration (screenshot)

Review the Configuration (Cont.) (screenshot)
Testing, Monitoring and Troubleshooting GRE Tunnel Configuration

After creating the GRE over IPsec site-to-site tunnel, the tunnel status can immediately be seen. A test can be run to determine the correctness of the tunnel configuration, or to generate a mirroring configuration. The information in the mirror configuration is required to set up the other end of the tunnel. The mirror configuration is useful if the router at the other end of the tunnel does not have SDM and the CLI is to be used to configure the tunnel.

To test the tunnel:
1. Click the Configure icon in the top navigation bar of the SDM home page to enter the configuration page.
2. Click the VPN icon in the vertical navigation bar to open the VPN page.
3. Choose the Site to Site VPN wizard from the list in the middle section.
4. Click the Edit Site to Site VPN tab at the top of the section on the right side.
5. Choose and highlight the tunnel that you want to test.
6. Click the Test Tunnel button. The testing screen appears.
7. Click the Start button and wait until the test is complete.
8. For each failed task, the bottom part of the window shows the reason and recommended actions to resolve the issue.
Test Tunnel Configuration and Operation (screenshot: steps 1–6 called out)

Test Results (screenshot: step 7 called out)
Monitor Tunnel Operation

Use the Monitor page to view the status of the tunnel. To see all IPsec tunnels, their parameters, and status, follow this procedure:
1. Click the Monitor icon in the top navigation bar of the SDM home page.
2. Click the VPN Status icon in the vertical navigation bar.
3. Click the IPSec Tunnels tab.

Testing and Monitoring
Use the show commands to determine the status of IPsec VPN connections.

Troubleshooting
Connect a terminal to the Cisco IOS router to use debugging commands to troubleshoot VPN connectivity. Figure [5] shows the syntax and an example of how to use the debug crypto isakmp command. The debug crypto isakmp EXEC command displays detailed information about the IKE Phase 1 and Phase 2 negotiation processes.
Monitor Tunnel Operation (screenshot: steps 1–3 called out)
Testing and Monitoring GRE Tunnel Configuration

router# show crypto isakmp sa
To display all current IKE SAs, use the show crypto isakmp sa command in EXEC mode. QM_IDLE status indicates an active IKE SA.

router# show crypto ipsec sa
To display the settings used by current SAs, use the show crypto ipsec sa command in EXEC mode. Non-zero encryption and decryption statistics can indicate a working set of IPsec SAs.

router# show interfaces
Use the show interfaces command to display statistics for all interfaces that are configured on the router, including the tunnel interfaces.
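The two rules on this slide (QM_IDLE means an active IKE SA; non-zero encrypt and decrypt counters mean a working IPsec SA) can be applied automatically to captured command output. The following is an added Python example, not Cisco code: it parses the two outputs, flags the usual failure patterns (no IKE SA, Phase 1 stuck, traffic leaving but nothing coming back) and returns a verdict. The two output samples are constructed in the style of show crypto isakmp sa and show crypto ipsec sa; the column layout differs between IOS releases (older releases have no status column), so the regular expressions are written against these samples and may need adjusting for a given router.

```python
"""Tunnel health check from show crypto isakmp sa / show crypto ipsec sa output.
Added example, not Cisco code. Both samples below are constructed."""
import re
from typing import Dict, List

ISAKMP_SA_SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.1     198.51.100.1    QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
"""

IPSEC_SA_SAMPLE = """\
interface: FastEthernet0/0
    Crypto map tag: GRE-MAP, local addr 198.51.100.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (203.0.113.1/255.255.255.255/47/0)
   current_peer 203.0.113.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1240, #pkts encrypt: 1240, #pkts digest: 1240
    #pkts decaps: 1187, #pkts decrypt: 1187, #pkts verify: 1187
    #send errors 0, #recv errors 0
"""

# dst, src, state, conn-id and (on newer releases) status
ISAKMP_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """One dict per IKE SA row."""
    rows = []
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line)
        if m:
            rows.append({"dst": m[1], "src": m[2], "state": m[3],
                         "conn_id": m[4], "status": m[5] or ""})
    return rows


def parse_ipsec_sa(text: str) -> Dict[str, int]:
    """The counters that show whether the IPsec SA is actually carrying traffic."""
    def num(pattern: str) -> int:
        m = re.search(pattern, text)
        return int(m[1]) if m else 0
    return {
        "encrypt": num(r"#pkts encrypt: (\d+)"),
        "decrypt": num(r"#pkts decrypt: (\d+)"),
        "send_errors": num(r"#send errors (\d+)"),
        "recv_errors": num(r"#recv errors (\d+)"),
    }


def assess_tunnel(isakmp_text: str, ipsec_text: str, peer: str) -> Dict[str, object]:
    """Verdict for the tunnel to `peer`: IKE up?, IPsec passing traffic?, plus findings
    phrased like the recommended actions of the SDM tunnel test."""
    ike = [r for r in parse_isakmp_sa(isakmp_text) if peer in (r["dst"], r["src"])]
    ike_up = any(r["state"] == "QM_IDLE" for r in ike)
    c = parse_ipsec_sa(ipsec_text)
    findings = []
    if not ike:
        findings.append(f"no IKE SA with {peer}: check reachability, the pre-shared key "
                        "and that an IKE policy matches on both ends")
    elif not ike_up:
        findings.append(f"IKE SA with {peer} is in {ike[0]['state']}, not QM_IDLE: "
                        "Phase 1 has not completed (use debug crypto isakmp)")
    if c["encrypt"] and not c["decrypt"]:
        findings.append("packets are encrypted but none decrypted: the peer is not sending "
                        "back; verify the mirror configuration on the other end")
    if not c["encrypt"] and not c["decrypt"]:
        findings.append("no traffic on the IPsec SA: check routing into the tunnel "
                        "interface and the crypto ACL (GRE between the two endpoints)")
    if c["send_errors"] or c["recv_errors"]:
        findings.append("non-zero send/recv error counters on the IPsec SA")
    return {"ike_up": ike_up, "ipsec_passing": bool(c["encrypt"] and c["decrypt"]),
            "counters": c, "findings": findings}


if __name__ == "__main__":
    for line in assess_tunnel(ISAKMP_SA_SAMPLE, IPSEC_SA_SAMPLE, "203.0.113.1")["findings"]:
        print(line)
```

Run it against the live output of the two commands (captured from the router console) for each peer of interest; an empty findings list corresponds to the healthy picture the slide describes.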
Troubleshooting GRE Tunnel Configuration

router# debug crypto isakmp
Debugs IKE communication.

Advanced troubleshooting can be performed using the Cisco IOS CLI. Troubleshooting requires knowledge of Cisco IOS CLI commands.