Select Page

IPsec VPN With GRE

by | 9-May-2021 | Cisco, Security, VPN

The Overview

Why use GRE and IPsec Together
  • IPsec using crypto maps have no interface in routing table
    • Dynamic IGP routing isn’t supported
    • Multihop BGP is overcomplicates the design
    • Static routing is hard to scale
  • Simple solution is to use GRE tunnel interface
    • Run routing inside GRE tunnel
    • Apply IPsec SA to GRE traffic
  • IPsec with GRE is multiprotocol encapsulation
    • IPv4, IPv6, IS-IS, etc

 

Correct design of IPsec with GRE

  • IPsec over GRE (bad design)
    • GRE is the underlay transport
    • Apply IPsec SA to user traffic
    • Route the IPsec traffic via GRE tunnel
    • Crypto map attached to physical interface
  • GRE over IPsec
    • IPsec is the underlay transport
    • Route the user traffic via GRE tunnel
    • Apply IPsec SA to GRE traffic
    • Crypto map attached to tunnel interface

GRE over IPsec “Transport Mode” with Crypto Map example

!! R2 !! !! R4 !!

! Routing

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.12.1

ip route 10.0.47.0 255.255.255.0 Tunnel24 172.16.24.4

 

! Tunnel Interface

interface Tunnel24

ip address 172.16.24.2 255.255.255.0

tunnel source 2.2.2.2

tunnel destination 4.4.4.4

tunnel mode gre ip

 

! Crypto endpoint authentication

crypto isakmp key ISAKMP_SECRET address 4.4.4.4

 

! Proxy ACL

ip access-list extended GRE2_TO_4

permit gre host 2.2.2.2 host 4.4.4.4

 

! ISAKMP/IKE Phase 1 security parameters

crypto isakmp policy 10

encryption des

hash md5

authentication pre-share

group 2

 

! ISAKMP/IKE Phase 2 security parameters

crypto ipsec transform-set XF esp-des esp-md5-hmac

mode transport

 

! Crypto map parameters

crypto map MAP1 10 ipsec-isakmp

set peer 4.4.4.4

set transform-set XF

set pfs group2

match address GRE2_TO_4

 

! Crypto map source address

crypto map MAP1 local-address Loopback0

 

! Apply crypto map

interface GigabitEthernet0/0

crypto map MAP1

 

! Routing

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.34.3

ip route 10.0.26.0 255.255.255.0 Tunnel24 172.16.24.2

 

! Tunnel Interface

interface Tunnel24

ip address 172.16.24.4 255.255.255.0

tunnel source 4.4.4.4

tunnel destination 2.2.2.2

tunnel mode gre ip

 

! Crypto endpoint authentication

crypto isakmp key ISAKMP_SECRET address 2.2.2.2

 

! Proxy ACL

ip access-list extended GRE4_TO_2

permit gre host 4.4.4.4 host 2.2.2.2

 

! ISAKMP/IKE Phase 1 security parameters

crypto isakmp policy 10

encryption des

hash md5

authentication pre-share

group 2

 

! ISAKMP/IKE Phase 2 security parameters

crypto ipsec transform-set XF esp-des esp-md5-hmac

mode transport

 

! Crypto map parameters

crypto map MAP1 10 ipsec-isakmp

set peer 2.2.2.2

set transform-set XF

set pfs group2

match address GRE4_TO_2

 

! Crypto map source address

crypto map MAP1 local-address Loopback0

 

! Apply crypto map

interface GigabitEthernet0/0

crypto map MAP1

 

Verification

! Reset security association

clear crypto sa

clear crypto isakmp

 

! ISAKMP SA

R2#show crypto isakmp sa

 

dst             src             state          conn-id status

4.4.4.4         2.2.2.2         QM_IDLE           1001 ACTIVE

 

! IPsec SA

R2#show crypto ipsec sa

 

interface: GigabitEthernet0/0

Crypto map tag: MAP1, local addr 2.2.2.2

local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/47/0)

current_peer 4.4.4.4 port 500

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

 

local crypto endpt.: 2.2.2.2, remote crypto endpt.: 4.4.4.4

plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

PFS (Y/N): Y, DH group: group2

 

inbound esp sas:

spi: 0x3F40F8CD(1061222605)

in use settings ={Transport, }

Status: ACTIVE(ACTIVE)

 

outbound esp sas:

spi: 0x51508289(1364230793)

in use settings ={Transport, }

Status: ACTIVE(ACTIVE)

 

! Crypto Engine Connections

R2#show crypto engine connection active

 

ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address

5  IPsec   DES+MD5                   0        4        4 2.2.2.2

6  IPsec   DES+MD5                   4        0        0 2.2.2.2

1001  IKE     MD5+DES                   0        0        0 2.2.2.2

! Reset security association

clear crypto sa

clear crypto isakmp

 

! ISAKMP SA

R4#show crypto isakmp sa

 

dst             src             state          conn-id status

4.4.4.4         2.2.2.2         QM_IDLE           1001 ACTIVE

 

! IPsec SA

R4#show crypto ipsec sa

 

interface: GigabitEthernet0/0

Crypto map tag: MAP1, local addr 4.4.4.4

local  ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)

current_peer 2.2.2.2 port 500

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

 

local crypto endpt.: 4.4.4.4, remote crypto endpt.: 2.2.2.2

plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

PFS (Y/N): Y, DH group: group2

 

inbound esp sas:

spi: 0x51508289(1364230793)

in use settings ={Transport, }

Status: ACTIVE(ACTIVE)

 

outbound esp sas:

spi: 0x3F40F8CD(1061222605)

in use settings ={Transport, }

Status: ACTIVE(ACTIVE)

 

! Crypto Engine Connections

R4#show crypto engine connection active

 

ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address

5  IPsec   DES+MD5                   0        4        4 4.4.4.4

6  IPsec   DES+MD5                   4        0        0 4.4.4.4

1001  IKE     MD5+DES                   0        0        0 4.4.4.4

Recent Comments

    0 Comments

    Submit a Comment

    Your email address will not be published. Required fields are marked *