12.01.2017



GRE over IPSec Tunnel Between Cisco and VyOS


The previous tutorial showed GRE tunnel configuration between a Cisco router and Linux Core. The big advantage of the GRE protocol is that it encapsulates L3 and higher protocols inside the GRE tunnel, so routing updates and other multicast traffic can be successfully transferred over the tunnel. The main drawback of the GRE protocol is the lack of built-in security. Data are transferred in plain text over the tunnel (no confidentiality) and peers are not authenticated. Tunneled traffic can be modified by an attacker (no integrity checking of IP packets). For this reason a GRE tunnel is very often used in conjunction with IPSec. Typically, the GRE tunnel is encapsulated inside the IPSec tunnel and this model is called GRE over IPSec.
The tutorial shows configuration of the OSPF routing protocol, GRE and IPSec tunnel on a Cisco 7206 VXR router and an appliance running the VyOS network OS. The devices are running inside a GNS3 lab and they are emulated by Dynamips (Cisco) and Qemu (VyOS).


Picture 1 - Topology

1. R3 Configuration
R3(config)# interface gigabitEthernet 1/0
R3(config-if)# ip address 1.1.1.1 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# interface gigabitEthernet 0/0
R3(config-if)# ip address 2.2.2.2 255.255.255.0
R3(config-if)# no shutdown

2. R1 Configuration
2.1 Interfaces and Static Route Configuration
R1(config)# interface gigabitEthernet 0/0
R1(config-if)# ip address 1.1.1.10 255.255.255.0
R1(config-if)# no shutdown
R1(config)# interface gigabitEthernet 1/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown
A static route to the subnet 2.2.2.0/24 via router R3 is needed in the routing table of router R1, so we have to create it.
R1(config)# ip route 2.2.2.0 255.255.255.0 1.1.1.1

2.2 IPSec Tunnel Configuration
Internet Security Association and Key Management Protocol (ISAKMP) is the negotiation protocol that lets two hosts agree on how to build an IPsec security association. ISAKMP separates the negotiation into two phases - Phase 1 and Phase 2.
Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects the data (IPSec).

ISAKMP Configuration - ISAKMP Phase 1
First we create an ISAKMP policy and select the encryption algorithm, the hash algorithm, the type of authentication, the Diffie-Hellman group and the lifetime.
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 14
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)# exit
Note: You can check these parameters in the Transform payload located in the first and the sixth packet of the attached pcap file.
Then we configure the pre-shared key and the peer address.
R1(config)# crypto isakmp key test123 address 2.2.2.10

IPSec Configuration - ISAKMP Phase 2
In phase two we create an IPSec transform set and configure the encryption and hash algorithms. This is also the place where we define the IPSec mode - either tunnel (default) or transport. In tunnel mode a completely new IP delivery header is inserted in front of each IPSec packet, while in transport mode the original IP header stays untouched (except for the changed protocol type - 50 for ESP).
R1(config)# crypto ipsec transform-set MyTS esp-aes esp-md5-hmac
R1(cfg-crypto-trans)# mode tunnel
Continue by creating a new IPSec profile named Protect-GRE. Assign the transform set MyTS to the profile Protect-GRE and configure the lifetime.
R1(config)# crypto ipsec profile Protect-GRE
R1(ipsec-profile)# set security-association lifetime seconds 86400
R1(ipsec-profile)# set transform-set MyTS
And finally assign the IPSec profile to the interface Tunnel 0.
R1(config)# interface Tunnel 0
R1(config-if)# tunnel protection ipsec profile Protect-GRE

2.3 GRE Tunnel Configuration
R1(config)# interface tunnel 0
R1(config-if)# description Tunnel to R2
R1(config-if)# ip address 172.16.0.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# ip ospf network broadcast
R1(config-if)# tunnel source 1.1.1.10
R1(config-if)# tunnel destination 2.2.2.10

It is recommended to use the Cisco online IPSec overhead calculator to calculate the Maximum Transmission Unit (MTU) for IP packets, so that encapsulated packets are not fragmented on the 1500-byte link.
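The overhead can also be worked out from the header sizes. The following Python is an added example, not part of the original tutorial or of either vendor's tooling; it models the encapsulation configured above (GRE with no options, ESP tunnel mode, AES-CBC, HMAC-MD5-96), checks that ip mtu 1400 and tcp adjust-mss 1360 fit a 1500-byte link, and derives the largest tunnel MTU that would still fit. The block, iv and ICV sizes are assumptions taken from the RFC definitions of those algorithms, and it also handles HMAC-SHA1-96.

```python
IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
GRE_HDR = 4        # plain GRE header as configured (no key, no sequence number)
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# Algorithm constants for the transform sets on this page (assumption: AES runs
# in CBC mode, which is what esp-aes / "encryption aes128" select here).
CIPHERS = {"aes": {"block": 16, "iv": 16}}
ICV = {"md5": 12, "sha1": 12}   # HMAC-MD5-96 and HMAC-SHA1-96 truncate the ICV to 96 bits


def esp_tunnel_size(inner_len, cipher="aes", hmac="md5"):
    """Bytes on the wire for an ESP tunnel-mode packet protecting inner_len bytes."""
    blk, iv = CIPHERS[cipher]["block"], CIPHERS[cipher]["iv"]
    plain = inner_len + ESP_TRAILER              # payload + pad length + next header
    padded = -(-plain // blk) * blk              # round up to the cipher block size
    return IP_HDR + ESP_HDR + iv + padded + ICV[hmac]   # outer IP + ESP hdr + IV + data + ICV


def gre_over_ipsec_size(tunnel_mtu, cipher="aes", hmac="md5"):
    """Wire size of a tunnel_mtu-byte inner IP packet after GRE, then ESP, encapsulation."""
    gre_packet = IP_HDR + GRE_HDR + tunnel_mtu   # GRE delivery IP header + GRE + inner packet
    return esp_tunnel_size(gre_packet, cipher, hmac)


def max_tunnel_mtu(link_mtu=1500, cipher="aes", hmac="md5"):
    """Largest 'ip mtu' on the tunnel whose encapsulated packet still fits link_mtu."""
    mtu = link_mtu
    while gre_over_ipsec_size(mtu, cipher, hmac) > link_mtu:
        mtu -= 1
    return mtu


def tcp_mss_for(tunnel_mtu):
    """MSS to clamp so that a full-size TCP segment still fits the tunnel MTU."""
    return tunnel_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for mtu in (1400, 1414, 1415):
        print(f"ip mtu {mtu}: {gre_over_ipsec_size(mtu)} bytes on the wire")
    print("largest usable ip mtu on a 1500-byte link:", max_tunnel_mtu())
    print("matching tcp adjust-mss for ip mtu 1400:", tcp_mss_for(1400))
```

With the page's settings a 1400-byte tunnel packet becomes 1496 bytes on the wire, and 1414 is the largest value that still avoids fragmentation; enabling GRE key or sequence options, or a longer ICV such as HMAC-SHA-256, changes the result.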

3. VyOS Configuration
3.1 Interfaces and Static Route Configuration
vyos@vyos:~$ configure
vyos@vyos# set interfaces ethernet eth0 address 2.2.2.10/24
vyos@vyos# set interfaces ethernet eth1 address 192.168.2.1/24
Again we have to configure a static route pointing to the subnet 1.1.1.0/24.
vyos@vyos# set protocols static route 1.1.1.0/24 next-hop 2.2.2.2
3.2 IPSec Tunnel Configuration
Enable IPSec on interface eth0.
vyos@vyos# set vpn ipsec ipsec-interfaces interface eth0
Configure an IKE Group - Phase 1
Set the encryption, the hash algorithm, DH group and lifetime for phase 1.
vyos@vyos# set vpn ipsec ike-group cisco proposal 1
vyos@vyos# set vpn ipsec ike-group cisco proposal 1 encryption aes256
vyos@vyos# set vpn ipsec ike-group cisco proposal 1 hash md5
vyos@vyos# set vpn ipsec ike-group cisco proposal 1 dh-group 14
vyos@vyos# set vpn ipsec ike-group cisco lifetime 86400
Configure an ESP Group - Phase 2
Set the encryption, the hash algorithm and lifetime for phase 2.
vyos@vyos# set vpn ipsec esp-group cisco proposal 1
vyos@vyos# set vpn ipsec esp-group cisco proposal 1 encryption aes128
vyos@vyos# set vpn ipsec esp-group cisco proposal 1 hash md5
vyos@vyos# set vpn ipsec esp-group cisco pfs enable
vyos@vyos# set vpn ipsec esp-group cisco lifetime 86400
vyos@vyos# set vpn ipsec esp-group cisco mode tunnel
Configure the tunnel peer and the pre-shared key.
vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 authentication pre-shared-secret test123
Configure the ike-group used for the tunnel.
vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 ike-group cisco
Configure the esp-group used for the tunnel.
vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 tunnel 0 esp-group cisco
Configure the local address used for the connection.
vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 local-address 2.2.2.10
Configure the protocol encapsulated inside IPSec.
vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 tunnel 0 protocol gre
3.3 GRE Tunnel Configuration
Create a new route policy that changes the TCP MSS to 1360 bytes.
vyos@vyos# set policy route change-mss rule 1 set tcp-mss 1360
vyos@vyos# set policy route change-mss rule 1 protocol tcp
vyos@vyos# set policy route change-mss rule 1 tcp flags SYN
Configure GRE tunnel.
vyos@vyos# set interfaces tunnel tun0 encapsulation gre
vyos@vyos# set interfaces tunnel tun0 address 172.16.0.2/24
vyos@vyos# set interfaces tunnel tun0 description "Tunnel to R1"
vyos@vyos# set interfaces tunnel tun0 mtu 1400
vyos@vyos# set interfaces tunnel tun0 policy route change-mss
vyos@vyos# set interfaces tunnel tun0 local-ip 2.2.2.10
vyos@vyos# set interfaces tunnel tun0 remote-ip 1.1.1.10
vyos@vyos# set interfaces tunnel tun0 multicast enable
3.4 OSPF Configuration
vyos@vyos# set interfaces tunnel tun0 ip ospf network broadcast
vyos@vyos# set protocols ospf area 0.0.0.0 network 172.16.0.0/24
vyos@vyos# set protocols ospf area 0.0.0.0 network 192.168.2.0/24
vyos@vyos# commit
vyos@vyos# save

4. Verification

4.1 Verification on VyOS
Below are various show commands that help you verify the status of the tunnels on VyOS. They are operational-mode commands, so run them from the operational prompt (or prefix them with "run" in configuration mode).
List all currently active IKE Security Associations (SA) - Phase 1:
vyos@vyos:~$ show vpn ike sa

List all active IPsec Security Associations (SA) - Phase 2:
vyos@vyos:~$ show vpn ipsec sa

Check the status of the GRE tunnel interface:
vyos@vyos:~$ show interfaces tunnel tun0

4.2 Verification on Cisco
Below are various show commands that help you verify the status of the tunnels on the Cisco device.

List all currently active IKE Security Associations (SA) - Phase 1 (show crypto isakmp key only lists the configured pre-shared keys, not the SAs):
R1# show crypto isakmp sa

List all active IPsec Security Associations (SA) - Phase 2:
R1# show crypto ipsec sa

Check the status of the GRE tunnel interface:
R1# show interfaces tunnel 0

Tunnel line state evaluation:
R1# show tunnel int

End.