Implementing Secure Converged Wide Area Networks (ISCW)
Configuring GRE Tunnels over IPsec – Module 3 – Lesson 5
Module Introduction
• Virtual private networks (VPNs) use advanced encryption techniques and tunneling to permit organisations to establish secure, end-to-end, private network connections over third-party networks such as the Internet
• Cisco offers a wide range of VPN products, including VPN-optimised routers, PIX security appliances and Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These infrastructure devices are used to create VPN solutions that meet the security requirements of any organisation
• This module explains fundamental terms associated with VPNs, including the IP Security (IPsec) protocol and Internet Key Exchange (IKE). It then details how to configure various types of VPN using the currently available methods
Objectives
• At the completion of this fifth lesson, you will be able to:
• Explain the requirement to use the GRE protocol
• Describe GRE technology
• Configure a GRE tunnel using SDM on IOS routers
• Monitor and test the tunnel
Generic Routing Encapsulation (GRE)
• GRE is an OSI Layer 3 tunneling protocol:
• Encapsulates a wide variety of protocol packet types inside IP tunnels
• Creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork
• Uses IP for transport
• Uses an additional header to carry any other OSI Layer 3 protocol as payload (for example, IP, IPX, AppleTalk)
Generic Routing Encapsulation
• IPsec only encapsulates IP traffic
• This may be a problem for non-IP or multicast traffic that needs to be sent across a secure tunnel
• GRE, a Cisco-developed protocol, allows traffic other than IP to be transported using a powerful but simple tunnel technique
• GRE supports any OSI Layer 3 protocol as payload, for which it provides virtual point-to-point connectivity
• GRE also allows the use of routing protocols across the tunnel
• However, GRE offers only minimal security to the payload (basic plaintext authentication using the tunnel key), so it needs to be combined with IPsec if security is required
Generic Routing Encapsulation
• Some of the reasons for using GRE over IPsec:
• To pass multicast and broadcast traffic across the tunnel securely
• To pass non-IP traffic securely
• To provide resiliency
• To save memory and CPU cycles in the router by reducing the number of security associations (SAs) that need to be set up
Basic GRE Header - GRE flags
• GRE is stateless (no flow control mechanisms)
• GRE offers no security (no confidentiality, data authentication, or integrity assurance)
• GRE adds 24 bytes of overhead by default (20-byte IP header and 4-byte GRE header)
Basic GRE Header - GRE flags
• The GRE flags are encoded in the first two octets. Bit 0 is the MSB, and bit 15 the LSB. Some of the GRE flags include the following:
• Checksum Present (bit 0): If the Checksum Present bit is set to 1, the optional Checksum field is present in the GRE header
• Key Present (bit 2): If the Key Present bit is set to 1, the optional Key field is present in the GRE header
• Sequence Number Present (bit 3): If the Sequence Number Present bit is set to 1, the optional Sequence Number field is present in the GRE header
• Version Number (bits 13–15): The Version Number indicates the GRE implementation version. A value of 0 is typically used for basic GRE. Point-to-Point Tunneling Protocol (PPTP) uses Version 1
• Protocol Type: The Protocol Type field contains the protocol type of the payload packet. In general, the value is the Ethernet protocol type (EtherType) of the payload. For IP, the hexadecimal value 0x0800 is used. This field is what enables GRE to tunnel any Layer 3 protocol
Optional GRE Extensions
• GRE can optionally contain any one or more of these fields:
• Tunnel checksum
• Tunnel key
• Tunnel packet sequence number
• GRE keepalives can be used to track tunnel path status
Optional GRE Extensions
• The GRE tunnel header can contain additional optional header information, depending on the flags in the first two bytes of the GRE header
• The optional GRE header information can include the following:
• Tunnel checksum: The tunnel checksum detects packet corruption. This option is not used often, because checksums at other layers of the protocol stack typically already ensure the accuracy of the GRE packets
• Tunnel key: Can be used for two purposes:
• The tunnel key can be used for basic plaintext authentication of packets, in which only the two GRE endpoints share a secret number that enables the tunnel to operate properly. However, anyone in the packet path can easily see the key and thus be able to spoof tunnel packets
• A more common use of the tunnel key is when two routers want to establish parallel tunnels sourced from the same IP address. The tunnel key is then used to distinguish between GRE packets belonging to different tunnels
• Tunnel sequence number: This number is used to ensure that GRE packets are accepted only if they arrive in the correct order
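As an added example (not from the original slides), the Python parser below decodes the GRE flag bits and optional fields described in the two header slides above, verifies the optional checksum the way a receiver would, and rejects a header whose flags promise a field the packet does not carry; build_gre only constructs test packets for it.

```python
import struct
def _checksum(data: bytes) -> int:
    """One's-complement checksum (RFC 1071) over the GRE header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_gre(packet: bytes) -> dict:
    """Parse a GRE header (RFC 2784/2890 layout) into its flags, optional fields and payload."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    hdr = {"checksum_present": bool(flags & 0x8000),  # bit 0 is the MSB
           "key_present": bool(flags & 0x2000),       # bit 2
           "seq_present": bool(flags & 0x1000),       # bit 3
           "version": flags & 0x0007,                 # bits 13-15: 0 = GRE, 1 = PPTP
           "protocol_type": proto}                    # EtherType, 0x0800 for IP
    offset = 4  # optional fields follow in checksum, key, sequence order
    for present, name in (("checksum_present", "checksum"),
                          ("key_present", "key"), ("seq_present", "sequence")):
        if not hdr[present]:
            continue
        if len(packet) < offset + 4:
            raise ValueError("%s flag set but field is truncated" % name)
        if name == "checksum":
            hdr["checksum"] = struct.unpack("!H", packet[offset:offset + 2])[0]
            zeroed = packet[:offset] + b"\x00\x00" + packet[offset + 2:]  # as the sender computed it
            hdr["checksum_ok"] = _checksum(zeroed) == hdr["checksum"]
        else:
            hdr[name] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    hdr["header_len"] = offset
    hdr["payload"] = packet[offset:]
    return hdr

def build_gre(payload: bytes, key=None, seq=None, checksum=False, proto=0x0800) -> bytes:
    """Build a GRE packet with the requested optional fields (used to exercise the parser)."""
    flags = ((0x8000 if checksum else 0) | (0x2000 if key is not None else 0)
             | (0x1000 if seq is not None else 0))
    hdr = struct.pack("!HH", flags, proto)
    hdr += b"\x00" * 4 if checksum else b""  # checksum and reserved octets, filled in below
    hdr += struct.pack("!I", key) if key is not None else b""
    hdr += struct.pack("!I", seq) if seq is not None else b""
    pkt = hdr + payload
    if checksum:
        pkt = pkt[:4] + struct.pack("!H", _checksum(pkt)) + pkt[6:]
    return pkt
```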
Secure GRE Tunnels
• IPsec provides what GRE lacks:
• Confidentiality through encryption using symmetric algorithms
• Data source authentication using HMACs
• Data integrity verification using HMACs
• IPsec is not perfect at tunneling:
• Older IOS versions do not support IP multicast over IPsec
• IPsec was designed to tunnel IP only (no multiprotocol support)
• Using crypto maps to implement IPsec does not allow the use of routing protocols across the tunnel
• IPsec does not tunnel IP protocols; GRE does
GRE over IPsec
• GRE over IPsec is typically used to do the following:
• Create a logical hub-and-spoke topology of virtual point-to-point connections
• Secure communication over an untrusted transport network (e.g. the Internet)
GRE over IPsec Encapsulation
• GRE encapsulates an arbitrary payload
• IPsec encapsulates the resulting unicast IP (GRE) packet:
• Tunnel mode (default): IPsec creates a new outer IP header for the tunnel packet
• Transport mode: IPsec reuses the IP header of the GRE packet (20 bytes less overhead than tunnel mode)
Configuring GRE over IPsec Site-to-Site Tunnel Using SDM
To configure a GRE over IPsec tunnel using SDM, follow these steps (see next slide):
• Use a web browser to connect to the HTTP server on the router. Click the Configure icon in the top navigation bar to enter the configuration page
• Click the VPN icon in the vertical navigation bar to open the VPN page
• Choose the Site to Site VPN wizard in the menu
• Click the Create Site to Site VPN tab at the top of the section on the right
• Click the Create a secure GRE tunnel (GRE over IPSec) radio button
• Click the Launch the selected task button to start the wizard that will guide you through the configuration steps
[Screenshot: Configuring GRE over IPsec Site-to-Site Tunnel Using SDM, steps 1 to 6]
Configuring GRE Tunnel Information
Follow these steps for configuring the GRE tunnel (see next slide):
• Under Tunnel Source, select the GRE tunnel source IP address from a configured interface or manually specify the source IP address. This address must be a valid IP address configured on one of the interfaces of the router. Under Tunnel Destination, enter the tunnel destination IP address
• In the IP address of the GRE tunnel section, define the inner IP address and subnet mask that are applied to the virtual point-to-point link
• Note that the Enable path MTU discovery (PMTUD) option is enabled by default. This setting lets the router determine the maximum transmission unit (MTU) for the virtual interface, which is accomplished using ICMP
• Click the Next button to proceed to the next task
• NOTE: ICMP unreachable messages must be permitted by all ACLs and firewalls in the path between the two tunnel endpoints for PMTUD to work
[Screenshot: Configuring GRE Tunnel Information, steps 1 to 4]
Configuring a Backup GRE Tunnel
• To provide resilience to the VPN, create a second GRE tunnel to be used if the primary tunnel fails (the steps are shown on the next slide):
• Check Create a backup secure GRE tunnel for resilience
• Define the IP address of the backup VPN peer in the available field
• In the Tunnel IP address section, define the inner IP address and the subnet mask for the logical tunnel interface
• Click the Next button to proceed to the next task
[Screenshot: Configuring a Backup GRE Tunnel, steps 1 to 4]
Configuring VPN Authentication
• After defining the GRE tunnel parameters, the SDM wizard proceeds to configure IPsec-specific parameters. This step ensures that both ends of the tunnel connect with the same secret key:
• Click the radio button for the desired authentication method:
• Pre-shared keys
• Digital certificates
• If you choose pre-shared keys to provide authentication, then specify a pre-shared secret. The secret should be long and random
[Screenshot: Configuring VPN Authentication, steps 1A, 1B and 2]
IKE Proposals
• You can now use a predefined IKE policy, or click the Add button and enter the required information to create a custom IKE policy:
• You can also modify the existing policies by selecting an individual policy and clicking the Edit button
• When adding or editing an IKE policy, define the required parameters that appear in the Add IKE Policy window:
• IKE proposal priority
• Encryption algorithm (most commonly 3DES or AES; Software Encryption Algorithm [SEAL] can also be used to improve crypto performance on routers that do not have hardware IPsec accelerators; DES is no longer advised)
• HMAC (SHA-1 or MD5)
• Authentication method (pre-shared key or digital certificates)
• DH group (1, 2, or 5)
• IKE lifetime
• When you finish adding or editing IKE proposals, click the Next button in the IKE Proposals window to proceed to the next task
Creating a Custom IKE Policy
Define all IKE policy parameters:
• Priority
• Encryption algorithm: DES, 3DES, or AES
• HMAC: SHA-1 or MD5
• Authentication method: pre-shared secrets or digital certificates
• Diffie-Hellman group: 1, 2, or 5
• IKE lifetime
Configuring the Transform Set
• When creating an IPsec transform set, use the same set of algorithms as in the configured IKE policy:
• There is a default IPsec transform set predefined by SDM that can be used. If you choose to use the default, skip Step 2
• A new transform set can also be created. To use a custom IPsec transform set, create it by clicking the Add button and specifying these parameters:
• Transform set name
• Encryption algorithm
• HMAC
• Mode of operation
• Optional compression
• When finished adding sets, click the Next button to proceed to the next task
[Screenshot: Transform Set, steps 1 to 3]
Configuring Routing Information
• A GRE tunnel supports multicast across the addressed point-to-point link
• Static routing is typically used for simple stub sites with a single GRE over IPsec tunnel. Complex topologies with sites that use backup tunnels or have multiple IP subnets require a routing protocol to dynamically distribute routing information, detect failures, and reroute to backup tunnels
• The SDM wizard allows choosing from three options:
• Static routing
• Dynamic routing using Enhanced Interior Gateway Routing Protocol (EIGRP)
• Dynamic routing using Open Shortest Path First (OSPF)
Static Routing
• If you choose static routing, select the Static routing button and then click Next
• In the first drop-down menu, disable split tunneling by choosing the Tunnel all traffic option. This option results in a default route pointing into the tunnel: unless more specific routes are in the routing table, all traffic is sent through the tunnel
• Alternatively, choose the Do split tunneling option from this drop-down menu and specify the IP address and subnet mask of the destination that is reachable through the tunnel. All other destinations are reached by bypassing the tunnel
Dynamic Routing Using EIGRP
• If you choose dynamic routing using EIGRP, select the EIGRP button on the routing choice screen
• There are two steps for configuring EIGRP across the tunnel:
• Select an existing EIGRP autonomous system (AS) number or define a new one by clicking the appropriate button and entering the number
• Define one or more local subnets (IP address and wildcard mask) on which EIGRP will run and which it will therefore advertise to EIGRP neighbors
Dynamic Routing Using OSPF
• If you choose dynamic routing using OSPF, click the OSPF button on the initial routing screen and then click Next
• There are three steps used to configure OSPF across the tunnel:
• Select an existing OSPF process number or define a new one by clicking the appropriate radio button and entering the number
• Enter an OSPF area number for the tunnels
• Enter the network IP address, subnet mask, and area number of one or more local subnets that you want to advertise to OSPF neighbors
[Screenshot: Dynamic Routing Using OSPF, steps 1 to 3]
Testing, Monitoring and Troubleshooting GRE Tunnel Configuration
• After creating the GRE over IPsec site-to-site tunnel, the tunnel status can be seen immediately. A test can be run to check the correctness of the tunnel configuration, or a mirror configuration can be generated. The information in the mirror configuration is required to set up the other end of the tunnel. The mirror configuration is useful if the router at the other end of the tunnel does not have SDM and the CLI is to be used to configure the tunnel
• To test the tunnel:
• Click the Configure icon in the top navigation bar of the SDM home page to enter the configuration page
• Click the VPN icon in the vertical navigation bar to open the VPN page
• Choose the Site to Site VPN wizard from the list in the middle section
• Click the Edit Site to Site VPN tab at the top of the section on the right side
• Choose and highlight the tunnel that you want to test
• Click the Test Tunnel button. The testing screen appears
• Click the Start button and wait until the test is complete
• For each failed task, the bottom part of the window shows the reason and recommended actions to resolve the issue
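As an added example (not the wizard's own output), the Python below emits the IOS CLI equivalent of the parameters the wizard collects in the steps above (tunnel source and destination, inner addresses, pre-shared key, IKE policy, transport-mode transform set, PMTUD, static split-tunnel routing) and produces the mirror configuration for the far end. It assumes the tunnel-protection form (an IPsec profile applied to the tunnel interface) rather than a crypto map, and every address, name and key in it is constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    name: str
    wan_ip: str     # GRE tunnel source: an address configured on one of the router's interfaces
    tunnel_ip: str  # inner address of the virtual point-to-point link
    lan: str        # local subnet reached through the tunnel (split tunneling)
    lan_mask: str

def gre_over_ipsec_config(local: Endpoint, remote: Endpoint, psk: str,
                          tunnel_mask: str = "255.255.255.252", policy: int = 10) -> str:
    """IOS CLI for one end: IKE policy, PSK, transport-mode transform set, protected GRE tunnel."""
    if len(psk) < 16 or psk != psk.strip() or " " in psk:  # assumed minimum; slides say long and random
        raise ValueError("pre-shared key must be long, random and free of whitespace")
    lines = [
        f"! {local.name}: GRE over IPsec toward {remote.name}",
        f"crypto isakmp policy {policy}",
        " encr aes", " hash sha", " authentication pre-share", " group 2", " lifetime 86400",
        f"crypto isakmp key {psk} address {remote.wan_ip}",
        "crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac",
        " mode transport",  # GRE already supplies the outer IP header: 20 bytes less overhead
        "crypto ipsec profile GRE-PROT",
        " set transform-set ESP-AES-SHA",
        "interface Tunnel0",
        f" ip address {local.tunnel_ip} {tunnel_mask}",
        f" tunnel source {local.wan_ip}",
        f" tunnel destination {remote.wan_ip}",
        " tunnel mode gre ip",
        " tunnel path-mtu-discovery",  # PMTUD, as enabled by default in the wizard
        " tunnel protection ipsec profile GRE-PROT",
        f"ip route {remote.lan} {remote.lan_mask} Tunnel0",  # static split-tunnel route
    ]
    return "\n".join(lines) + "\n"

def mirror_config(local: Endpoint, remote: Endpoint, psk: str, **kw) -> str:
    """The mirror configuration for the far router: same parameters with the roles swapped."""
    return gre_over_ipsec_config(remote, local, psk, **kw)

def mirrors_match(cfg_a: str, cfg_b: str) -> bool:
    """Check that each end's tunnel source is the other end's tunnel destination."""
    def get(cfg, key):
        return [l.split()[-1] for l in cfg.splitlines() if l.strip().startswith(key)]
    return (get(cfg_a, "tunnel source") == get(cfg_b, "tunnel destination")
            and get(cfg_b, "tunnel source") == get(cfg_a, "tunnel destination"))
```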
[Screenshot: Test Tunnel Configuration and Operation, steps 1 to 6]
[Screenshot: Test Results, step 7]
Monitor Tunnel Operation
• Use the Monitor page to view the status of the tunnel. To see all IPsec tunnels, their parameters, and status, follow this procedure:
• Click the Monitor icon in the top navigation bar of the SDM home page
• Click the VPN Status icon in the vertical navigation bar
• Click the IPSec Tunnels tab
• Testing and Monitoring
• Use the show commands to determine the status of IPsec VPN connections
• Troubleshooting
• Connect a terminal to the Cisco IOS router to use debugging commands to troubleshoot VPN connectivity. Figure [5] shows the syntax and an example of how to use the debug crypto isakmp command
• The debug crypto isakmp EXEC command displays detailed information about the IKE Phase 1 and Phase 2 negotiation processes
[Screenshot: Monitor Tunnel Operation, steps 1 to 3]
Testing and Monitoring GRE Tunnel Configuration
router# show crypto isakmp sa
• To display all current IKE SAs, use the show crypto isakmp sa command in EXEC mode. A QM_IDLE state indicates an active IKE SA
router# show crypto ipsec sa
• To display the settings used by the current IPsec SAs, use the show crypto ipsec sa command in EXEC mode. Non-zero encryption and decryption statistics can indicate a working set of IPsec SAs
router# show interfaces
• Use the show interfaces command to display statistics for all interfaces that are configured on the router, including the tunnel interfaces
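The checks described in the slide above, turned into code as an added example (not from the original course): a Python script that parses output in the shape of show crypto isakmp sa and show crypto ipsec sa and reports whether a given peer has an IKE SA in QM_IDLE and non-zero encrypt and decrypt counters. The sample text is constructed for the example, not captured from a router, and the addresses in it are documentation ranges.

```python
import re
# Constructed samples in the shape of the two IOS show commands (not captured from a real router).
ISAKMP_SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
198.51.100.1    203.0.113.1     QM_IDLE           1001 ACTIVE
192.0.2.9       203.0.113.1     MM_NO_STATE       1002 ACTIVE (deleted)
"""
IPSEC_SAMPLE = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 203.0.113.1
   remote ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/47/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
IKE_ROW = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]{2}_[A-Z_]+)\s+(\d+)", re.M)

def parse_isakmp_sa(output: str) -> list:
    """Return one dict per IKE SA row: dst, src, state, conn_id."""
    return [{"dst": d, "src": s, "state": st, "conn_id": int(c)}
            for d, s, st, c in IKE_ROW.findall(output)]

def parse_ipsec_sa(output: str) -> dict:
    """Map each current_peer to its encrypt/decrypt packet counters."""
    peers, peer = {}, None
    for line in output.splitlines():
        m = re.search(r"current_peer (\S+)", line)
        if m:
            peer = m.group(1)
            peers[peer] = {"encrypt": 0, "decrypt": 0}
            continue
        m = re.search(r"#pkts (encrypt|decrypt): (\d+)", line)
        if m and peer:
            peers[peer][m.group(1)] = int(m.group(2))
    return peers

def assess_tunnel(peer: str, isakmp_out: str, ipsec_out: str) -> list:
    """Findings for one peer; an empty list means IKE is up and traffic flows both ways."""
    findings = []
    ike = [sa for sa in parse_isakmp_sa(isakmp_out) if peer in (sa["dst"], sa["src"])]
    if not any(sa["state"] == "QM_IDLE" for sa in ike):
        findings.append("no IKE SA in QM_IDLE with %s (Phase 1 not established)" % peer)
    counters = parse_ipsec_sa(ipsec_out).get(peer)
    if counters is None:
        findings.append("no IPsec SA for %s" % peer)
    else:
        if counters["encrypt"] == 0:
            findings.append("nothing encrypted toward %s (is traffic routed into the tunnel?)" % peer)
        if counters["decrypt"] == 0:
            findings.append("nothing decrypted from %s (check the far end and the path)" % peer)
    return findings
```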
Troubleshooting GRE Tunnel Configuration
router# debug crypto isakmp
• Debugs IKE communication
• Advanced troubleshooting can be performed using the Cisco IOS CLI
• Troubleshooting requires knowledge of Cisco IOS CLI commands