#VTI / GRE / IPSec / VPN over IPSec
#VTI (Virtual Tunnel Interface) - a logical interface that an IPSec tunnel provides
#Advantages:
#Easy to configure, it looks like configuring an interface
#Supports routing protocols, e.g. OSPF, BGP, EIGRP
#No additional protocol needed (unlike GRE)
#Supports encryption and authentication through IPSec
#Works as a point-to-point connection, which makes management easier
#Disadvantages
#Doesn't support other protocols, IP only.
#GRE (Generic Routing Encapsulation)
#A tunnel protocol which encapsulates different types of traffic over IP
#Advantages
#Supports multicast, OSPF, EIGRP, IPv6
#Can be used for routing different protocols through one tunnel
#Can carry dynamic routing protocols
#Disadvantages
#Doesn't support encryption and authentication itself
#Requires additional IPSec configuration to provide security
#IPSec (Internet Protocol Security)
#IPSec is a security standard for encrypting and authenticating IP traffic
#Advantages
#Provides a high level of security (encryption, integrity, authentication)
#Can be used for S2S tunnels and to protect traffic at the transport level
#Can work in Tunnel or Transport mode
#Disadvantages
#Doesn't support multiplexing and complex routing without using VTI or GRE
#More complex configuration than VTI
#IPSec VPN S2S (Site to Site)
#Advantages
#IPSec S2S is used to make a connection between two remote LANs through a secured tunnel
#Simple configuration for fixed routes and targets (static routes)
#Disadvantages
#Limited features for complex routing without using VTI or GRE
#Not so flexible when working with dynamic routing protocols
#------------------------------------------------------------------------------
# Function                 | VTI            | GRE    | IPSec | IPSec VPN S2S |
#------------------------------------------------------------------------------
# Dynamic routing support  | Yes            | Yes    | No    | Limited       |
# Encryption and security  | Yes, via IPSec | No     | Yes   | Yes           |
# Multicast transmission   | No             | Yes    | No    | No            |
# Easy to set up           | Easy           | Medium | Hard  | Easy          |
# Flexible routing         | High           | High   | Low   | Low           |
#------------------------------------------------------------------------------
#The most useful option for modern networks is VTI with IPSec
#Use GRE over IPSec when flexibility and support for more protocols are required
#IPSec can work in two different modes: Transport and Tunnel
#Both provide security and authentication, but they use different encapsulation
#Tunnel mode = puts the whole packet (header+payload) into an IPSec packet with a new IP header.
#It creates a tunnel between two points.
#The new IP header points to the tunnel endpoint devices, e.g. routers and firewalls
#Advantages
#Full protection of the entire original packet (header and data)
#Used for Site to Site VPN, when a connection between two points is needed
#Hides the original source and destination IP addresses, which increases security
#Scenario:
#To connect remote branches to HQ networks
#To make a connection between two offices
crypto ipsec transform-set TUNNEL-SET esp-aes esp-sha-hmac
mode tunnel
#Transport Mode
#In this mode only the payload of the IP packet is encrypted; the original IP header stays the same.
#The IPSec header is added between the original IP header and the payload
#The original IP header is not changed and is transmitted unencrypted
#Advantages
#Less overhead, because no new IP header is created
#Good for End-to-End connections, e.g. between servers
#Scenario
#To secure traffic between devices in the LAN, e.g. Host-Host VPN
#To secure client-server traffic in secured networks
crypto ipsec transform-set TRANSPORT-SET esp-aes esp-sha-hmac
mode transport
#---------------------------------------------------------------------------
# Parameter                  | Tunnel Mode          | Transport Mode       |
#---------------------------------------------------------------------------
# Encapsulates the IP header | Yes                  | No                   |
# Encapsulates the payload   | Yes                  | Yes                  |
# New IP header points to    | tunnel devices       | no change            |
# Hides the IP addresses     | Yes                  | No                   |
# Overhead                   | High                 | Less                 |
# Scenario                   | Site-to-Site         | End-to-End           |
#                            | through the Internet | inside a secured LAN |
#                            | remote branches & HQ | server to server     |
#                            | office to office     | client to server     |
#---------------------------------------------------------------------------
#=====================================================================
#Examples:
#IPSec VPN Site-to-Site
#Topology
# R1
# WAN IP: 192.0.2.1
# LAN: 192.168.1.0/24
# R2
# WAN IP: 203.0.113.1
# LAN: 192.168.2.0/24
enable
configure terminal
# R1
#IKE configuration Phase 1
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 2
lifetime 86400
crypto isakmp key <MY_SECRET_KEY> address 203.0.113.1
#IKE configuration Phase 2 (IPSec)
crypto ipsec transform-set VPN-TRANSFORM esp-aes esp-sha-hmac
mode tunnel
crypto map VPN-MAP 10 ipsec-isakmp
set peer 203.0.113.1
set transform-set VPN-TRANSFORM
match address VPN-ACL
#ACL for VPN traffic
ip access-list extended VPN-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
interface GigabitEthernet0/0
ip address 192.0.2.1 255.255.255.0
crypto map VPN-MAP
# R2
#IKE configuration Phase 1
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 2
lifetime 86400
crypto isakmp key <MY_SECRET_KEY> address 192.0.2.1
#IKE configuration Phase 2 (IPSec)
crypto ipsec transform-set VPN-TRANSFORM esp-aes esp-sha-hmac
mode tunnel
crypto map VPN-MAP 10 ipsec-isakmp
set peer 192.0.2.1
set transform-set VPN-TRANSFORM
match address VPN-ACL
#ACL for VPN traffic
ip access-list extended VPN-ACL
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
interface GigabitEthernet0/0
ip address 203.0.113.1 255.255.255.0
crypto map VPN-MAP
#=====================================================================
#GRE (not secured)
#Topology
# R1
# WAN IP: 192.0.2.1
# LAN: 10.1.1.1 (tunnel)
# R2
# WAN IP: 203.0.113.1
# LAN: 10.1.1.2 (tunnel)
enable
configure terminal
# R1
interface Tunnel0
ip address 10.1.1.1 255.255.255.252
tunnel source 192.0.2.1
tunnel destination 203.0.113.1
exit
# R2
interface Tunnel0
ip address 10.1.1.2 255.255.255.252
tunnel source 203.0.113.1
tunnel destination 192.0.2.1
exit
#=====================================================================
#GRE over IPSec
#GRE encapsulates multicast and other protocols, IPSec provides the security.
#Topology
# R1
# WAN IP: 192.0.2.1
# LAN: 10.1.1.1 (tunnel)
# R2
# WAN IP: 203.0.113.1
# LAN: 10.1.1.2 (tunnel)
enable
configure terminal
# R1
interface Tunnel0
ip address 10.1.1.1 255.255.255.252
tunnel source 192.0.2.1
tunnel destination 203.0.113.1
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key <GRE_KEY> address 203.0.113.1
crypto ipsec transform-set GRE-TRANSFORM esp-aes esp-sha-hmac
mode transport
crypto map GRE-MAP 10 ipsec-isakmp
set peer 203.0.113.1
set transform-set GRE-TRANSFORM
match address GRE-ACL
ip access-list extended GRE-ACL
permit gre host 192.0.2.1 host 203.0.113.1
interface GigabitEthernet0/0
crypto map GRE-MAP
# R2
interface Tunnel0
ip address 10.1.1.2 255.255.255.252
tunnel source 203.0.113.1
tunnel destination 192.0.2.1
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key <GRE_KEY> address 192.0.2.1
crypto ipsec transform-set GRE-TRANSFORM esp-aes esp-sha-hmac
mode transport
crypto map GRE-MAP 10 ipsec-isakmp
set peer 192.0.2.1
set transform-set GRE-TRANSFORM
match address GRE-ACL
ip access-list extended GRE-ACL
permit gre host 203.0.113.1 host 192.0.2.1
interface GigabitEthernet0/0
crypto map GRE-MAP
#=====================================================================
#VTI (Virtual Tunnel Interface)
# R1
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 2
crypto isakmp key <VTI_KEY> address 203.0.113.1
crypto ipsec transform-set VTI-TRANSFORM esp-aes esp-sha-hmac
mode tunnel
crypto ipsec profile VTI-PROFILE
set transform-set VTI-TRANSFORM
interface Tunnel0
ip address 10.1.1.1 255.255.255.252
tunnel source 192.0.2.1
tunnel destination 203.0.113.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI-PROFILE
# R2
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 2
crypto isakmp key <VTI_KEY> address 192.0.2.1
crypto ipsec transform-set VTI-TRANSFORM esp-aes esp-sha-hmac
mode tunnel
crypto ipsec profile VTI-PROFILE
set transform-set VTI-TRANSFORM
interface Tunnel0
ip address 10.1.1.2 255.255.255.252
tunnel source 203.0.113.1
tunnel destination 192.0.2.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI-PROFILE
#=====================================================================
#Troubleshooting
#
show crypto isakmp sa #to check IKE Phase 1 (ISAKMP)
#Take a look at the SA (Security Association): it must be MM_ACTIVE
show crypto ipsec sa #to check IKE Phase 2 (IPSec SA)
#Take a look at the (encrypt/decrypt) counters, they must be != 0
show access-lists #to check if the traffic matches the ACL
#Take a look, the counters must grow
show crypto map #to check the tunnel (crypto map)
#Take a look, the crypto map must be bound to the interface
#Take a look, is the crypto profile there
show running-config interface <interface>
#Take a look, is there a crypto map on the interface
#DEBUG MODE
debug crypto isakmp
debug crypto ipsec
#Take a look at the errors
#IKE Phase 1 can't be established
show crypto isakmp sa #shows: MM_NO_STATE.
#Reasons
# -Pre-Shared Key (PSK) is not correct
# -There are differences in IKE parameters (encryption, hash, group).
# -The peer IP is not correct
#Solutions
# -Check the PSK
crypto isakmp key <KEY> address <peer IP address>
# -Check both sides, IKE parameters must be the same
show running-config | section crypto isakmp policy
# -Check the routing table. The peer IP must be reachable
#IKE Phase 2 can't be established
#Symptom: there is no status for the SA
show crypto ipsec sa
#Reasons:
# -Traffic does not match the ACL
# -The transform-set does not match
#Solutions:
# -Check the ACLs on both sides and check that the IP ranges match (mirrored on the other side)
show access-lists
# -Compare the transform-set on both sides
show crypto ipsec transform-set
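As an added example that is not part of the notes: a small Python checker that applies the "check both sides" steps above mechanically. It parses the same lines the R1/R2 site-to-site configs on this page use and reports the mismatches that stall Phase 1 (IKE policy, PSK, peer address) or Phase 2 (transform set, mirrored crypto ACL). The site_cfg template, the parser, the function names and the placeholder keys are my assumptions; only the commands that appear on this page are understood.

```python
def site_cfg(wan, peer, lan, rlan, psk, ts="esp-aes esp-sha-hmac"):  # constructed fragment, not a device dump
    return f"""crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key {psk} address {peer}
crypto ipsec transform-set VPN-TRANSFORM {ts}
 mode tunnel
crypto map VPN-MAP 10 ipsec-isakmp
 set peer {peer}
 match address VPN-ACL
ip access-list extended VPN-ACL
 permit ip {lan} 0.0.0.255 {rlan} 0.0.0.255
interface GigabitEthernet0/0
 ip address {wan} 255.255.255.0"""

def parse_peer(cfg):  # pull out the settings that must agree between the two peers
    p = {"policy": {}, "acl": set()}
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[0] in ("encr", "hash", "authentication", "group"):
            p["policy"][w[0]] = " ".join(w[1:])
        elif w[:3] == ["crypto", "isakmp", "key"]:
            p["psk"], p["key_peer"] = w[3], w[5]   # key value and the peer it is bound to
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p["transform"] = tuple(w[4:])
        elif w[0] == "mode":
            p["mode"] = w[1]
        elif w[:2] == ["set", "peer"]:
            p["map_peer"] = w[2]
        elif w[:2] == ["ip", "address"]:
            p["wan"] = w[2]
        elif w[0] == "permit":   # crypto ACL entry: src, wildcard, dst, wildcard
            p["acl"].add((w[2], w[3], w[4], w[5]))
    return p

def check_pair(a, b):  # mismatches that stall Phase 1, Phase 2 or traffic selection
    issues = []
    if a["policy"] != b["policy"]:
        issues.append("IKE policy differs (encr/hash/authentication/group)")
    if a["psk"] != b["psk"]:
        issues.append("pre-shared keys differ")
    if (a["transform"], a["mode"]) != (b["transform"], b["mode"]):
        issues.append("transform-set or mode differs")
    for x, y in ((a, b), (b, a)):   # each side must name the other's WAN address
        if (x["key_peer"], x["map_peer"]) != (y["wan"], y["wan"]):
            issues.append(f"{x['wan']} does not point at peer {y['wan']}")
    if a["acl"] != {(d, dm, s, sm) for s, sm, d, dm in b["acl"]}:   # must mirror
        issues.append("crypto ACLs are not mirror images")
    return issues
```

Feed it the output of `show running-config | section crypto` from both routers; an empty list means the static parameters agree and the remaining suspects are routing, NAT and the PSK value itself.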
#Traffic doesn't get encrypted/decrypted
#Symptom: Counters don't grow
show crypto ipsec sa
#Reasons:
# -Traffic doesn't match the ACLs
# -Trouble with routing
# -NAT configuration is not correct
#Solutions:
show ip route
ip access-list extended NO-NAT #exclude VPN traffic from NAT: deny the VPN traffic first, then permit the rest
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NO-NAT interface GigabitEthernet0/0 overload
#The tunneled traffic drops
#Symptom: The tunnel is established, but traffic doesn't flow through it
#Reasons:
# -MTU is not correct, packet fragmentation
# -Firewall blocks traffic
#Solutions:
# -Check the firewall rules
# -Reduce the MTU of the tunnel interface
interface Tunnel0
ip mtu 1400
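Added example (not from the notes) that works out the numbers behind the "Overhead" row of the tunnel/transport table above and the ip mtu 1400 fix: it computes the on-the-wire size of a packet protected by esp-aes esp-sha-hmac in each mode, the size for GRE over IPSec as configured above, and the largest original packet that still fits a 1500-byte physical MTU. Header sizes are the standard IPv4/GRE/ESP values; the function names are mine, and NAT-T (UDP 4500) encapsulation is assumed to be off.

```python
# Sizes (bytes) for the page's "esp-aes esp-sha-hmac" transform set: AES-CBC with a
# 16-byte IV and HMAC-SHA1-96. No NAT-T (UDP 4500) encapsulation is assumed.
IP_HDR, GRE_HDR = 20, 4                  # IPv4 header without options; GRE without key/checksum
ESP_HDR, AES_IV, AES_BLOCK = 8, 16, 16   # SPI + sequence number; CBC IV; padding block size
ESP_TRAILER, SHA1_ICV = 2, 12            # pad length + next header; truncated HMAC-SHA1 ICV

def esp_size(pkt_len, mode):
    """Bytes on the wire when an IP packet of pkt_len bytes (including its own
    20-byte header) is protected by ESP in 'tunnel' or 'transport' mode."""
    if mode == "tunnel":
        plaintext = pkt_len            # the whole original packet is encrypted...
        outer = IP_HDR                 # ...and a new outer IP header is prepended
    elif mode == "transport":
        plaintext = pkt_len - IP_HDR   # only the bytes after the IP header are encrypted
        outer = IP_HDR                 # the original header is kept and sent in clear
    else:
        raise ValueError(f"unknown mode {mode!r}")
    # ESP pads plaintext + 2-byte trailer up to a multiple of the cipher block size
    padded = -(-(plaintext + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    return outer + ESP_HDR + AES_IV + padded + SHA1_ICV

def gre_over_ipsec_size(pkt_len):
    """GRE over IPSec as configured above: the packet is first wrapped in GRE plus a
    delivery IP header, then ESP transport mode protects the GRE payload."""
    return esp_size(IP_HDR + GRE_HDR + pkt_len, "transport")

def max_packet_for_mtu(mtu, size_fn):
    """Largest original IP packet that size_fn keeps within the physical MTU, i.e. the
    value to compare with 'ip mtu' on the tunnel interface to avoid fragmentation."""
    size = mtu
    while size_fn(size) > mtu:
        size -= 1
    return size

if __name__ == "__main__":
    for label, fn in (("tunnel", lambda n: esp_size(n, "tunnel")),
                      ("transport", lambda n: esp_size(n, "transport")),
                      ("gre+ipsec", gre_over_ipsec_size)):
        print(f"{label:10} 1400-byte packet -> {fn(1400)} bytes; max for MTU 1500: {max_packet_for_mtu(1500, fn)}")
```

A 1400-byte packet still fits 1500 bytes in every mode, which is why the ip mtu 1400 value in the notes works; the transport-mode figure is 16 bytes smaller than tunnel mode for the same packet.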
#Multicast doesn't flow through the tunnel (it is necessary for OSPF/EIGRP)
#Reasons: IPSec doesn't carry multicast directly
#Solutions:
# -Use GRE over IPSec to support multicast (the GRE over IPSec example above uses transport mode instead of tunnel mode)
# -Check the routes
# -Check the time on both sides (NTP)
ntp server <IP address>
#EXAMPLE (VTI + IPSec)
#STEPS
# 1. Create a VTI interface
# 2. Set up IKE Phase 1
# 3. Set a PSK for the remote host
# 4. Set up IKE Phase 2 (IPSec profile)
# 5. Bind the IPSec profile to the VTI interface
# 6. Set up the route
#Example
# 1. Create a VTI interface
enable
configure terminal
interface Tunnel0
ip address 10.0.0.1 255.255.255.252
tunnel source GigabitEthernet0/0
tunnel destination 203.0.113.2 #the remote peer, the same address as in the PSK command below
tunnel mode ipsec ipv4
# 2. Set up IKE Phase 1
crypto isakmp policy 10 #10 is a priority
encr aes 256
hash sha256
authentication pre-share
group 14
lifetime 86400
# 3. Set a PSK for the remote host
crypto isakmp key MySecretKey address 203.0.113.2
# 4. Set up IKE Phase 2 (IPSec profile)
crypto ipsec transform-set TRANSFORM-SET esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec security-association lifetime seconds <value>
crypto ipsec profile VTI-PROFILE
set transform-set TRANSFORM-SET
set pfs group14
# 5. Bind the IPSec profile to the VTI interface
interface Tunnel0
tunnel protection ipsec profile VTI-PROFILE
# 6. Set up the route
ip route 192.168.2.0 255.255.255.0 Tunnel0