0027_Cisco: VTI / GRE / IPSec / VPN over IPSec
Source: https://itgen.itbumper.com/?page_id=801 (published 2024-12-07, modified 2024-12-10)

This page is still being verified.

#VTI / GRE / IPSec / VPN over IPSec

#VTI (Virtual Tunnel Interface) - a logical interface that represents an IPSec tunnel
    #Advantages:
        #Easy to configure, it looks like configuring a normal interface
        #Supports routing protocols, i.e. OSPF, BGP, EIGRP
        #No additional encapsulation protocol needed (unlike GRE)
        #Supports encryption and authentication through IPSec
        #Works as a point-to-point connection, which makes management easier

    #Disadvantages
        #IP only, doesn't support other protocols.


#GRE (Generic Routing Encapsulation)
#A tunnel protocol which encapsulates different types of traffic over IP
    #Advantages
        #Supports multicast, OSPF, EIGRP, IPv6
        #Can be used to route different protocols through one tunnel
        #Can carry dynamic routing protocols

    #Disadvantages
        #Doesn't support encryption or authentication itself
        #Requires an additional IPSec configuration to provide security


#IPSec (Internet Protocol Security)
#IPSec is a security standard for encrypting and authenticating IP traffic
    #Advantages
        #Provides a high level of security (encryption, integrity, authentication)
        #Can be used for S2S tunnels and to protect traffic at the transport level
        #Can work in Tunnel or Transport mode

    #Disadvantages
        #Doesn't support multiplexing or complex routing without using VTI or GRE
        #More complex configuration than VTI


#IPSec VPN S2S (Site to Site)
    #Advantages
        #IPSec S2S is used to connect two remote LANs through a secured tunnel
        #Simple configuration for fixed routes and targets (static routes)

    #Disadvantages
        #Limited features for complex routing without using VTI or GRE
        #Not so flexible when working with dynamic routing protocols

#---------------------------------------------------------------------------
#Function                |      VTI       |  GRE   | IPSec | IPSec VPN S2S |
#---------------------------------------------------------------------------
#Dynamic routing support |      Yes       |  Yes   |  No   |    Limited    |
#---------------------------------------------------------------------------
#Encryption and security | Yes, via IPSec |  No    |  Yes  |      Yes      |
#---------------------------------------------------------------------------
#Multicast transmission  |      No        |  Yes   |  No   |      No       |
#---------------------------------------------------------------------------
#Easy to set up          |      Easy      | Medium |  Hard |     Easy      |
#---------------------------------------------------------------------------
#Flexible routing        |      High      |  High  |  Low  |      Low      |
#---------------------------------------------------------------------------

#The most useful option for modern networks is VTI with IPSec
#Use GRE over IPSec when more flexibility and support for more protocols are required

#IPSec can work in two different modes: Transport and Tunnel
#Both provide security and authentication, but they use different encapsulation

#Tunnel mode = puts the whole packet (header + payload) into an IPSec packet with a new IP header.
#It creates a tunnel between two points.
#The new IP header is addressed to the tunnel devices, i.e. routers and firewalls
#Advantages
    #Full protection of the entire original packet (header and data)
    #Used for Site-to-Site VPNs, when two points need to be connected
    #Hides the original source and destination IP addresses, which increases security
#Scenario:
    #To connect remote branches to HQ networks
    #To make a connection between two offices
        crypto ipsec transform-set TUNNEL-SET esp-aes esp-sha-hmac
            mode tunnel


#Transport Mode
#In this mode only the payload of the IP packet is encrypted; the original IP header stays the same.
#The IPSec header is added between the original IP header and the payload
#The original IP header is not changed and is transmitted unencrypted
#Advantages
    #Less overhead, because no new IP header is created
    #Good for End-to-End connections, i.e. between servers
#Scenario
    #To secure traffic between devices in the LAN, i.e. Host-to-Host VPN
    #To secure client-server traffic in secured networks
        crypto ipsec transform-set TRANSPORT-SET esp-aes esp-sha-hmac
            mode transport

#---------------------------------------------------------------------
#   Parameters             |    Tunnel Mode     |   Transport Mode   |
#--------------------------|--------------------|--------------------|
#Encapsulation:            |                    |                    |
#   IP header              |        Yes         |        No          |
#   payload                |        Yes         |        Yes         |
#--------------------------|--------------------|--------------------|
#New IP header points to   |   tunnel devices   |     no change      |
#--------------------------|--------------------|--------------------|
#Hides the IP addresses    |        Yes         |        No          |
#--------------------------|--------------------|--------------------|
#Overhead                  |        High        |        Less        |
#--------------------------|--------------------|--------------------|
#Scenario                  |   Site-to-Site     |    End-to-End      |
#                          | Through Internet   | Inside secured LAN |
#                          | Rem. branches & HQ |   Server-Server    |
#                          | Office to Office   |   Client-Server    |
#---------------------------------------------------------------------


#=====================================================================
#Examples:
#IPSec VPN Site-to-Site
#Topology
#   R1
#       WAN IP: 192.0.2.1
#       LAN: 192.168.1.0/24

#   R2
#       WAN IP: 203.0.113.1
#       LAN: 192.168.2.0/24

enable
    configure terminal

#   R1
#IKE configuration Phase 1

        crypto isakmp policy 10
            encr aes
            hash sha256
            authentication pre-share
            group 2
            lifetime 86400

        crypto isakmp key <MY_SECRET_KEY> address 203.0.113.1

#IKE configuration Phase 2 (IPSec)
        crypto ipsec transform-set VPN-TRANSFORM esp-aes esp-sha-hmac
            mode tunnel

        crypto map VPN-MAP 10 ipsec-isakmp
            set peer 203.0.113.1
            set transform-set VPN-TRANSFORM
            match address VPN-ACL

#ACL for VPN traffic
        ip access-list extended VPN-ACL
            permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

        interface GigabitEthernet0/0
            ip address 192.0.2.1 255.255.255.0
            crypto map VPN-MAP


#   R2
#IKE configuration Phase 1
        crypto isakmp policy 10
            encr aes
            hash sha256
            authentication pre-share
            group 2
            lifetime 86400

        crypto isakmp key <MY_SECRET_KEY> address 192.0.2.1

#IKE configuration Phase 2 (IPSec)
        crypto ipsec transform-set VPN-TRANSFORM esp-aes esp-sha-hmac
            mode tunnel

        crypto map VPN-MAP 10 ipsec-isakmp
            set peer 192.0.2.1
            set transform-set VPN-TRANSFORM
            match address VPN-ACL

#ACL for VPN traffic (mirror of the R1 ACL)
        ip access-list extended VPN-ACL
            permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

        interface GigabitEthernet0/0
            ip address 203.0.113.1 255.255.255.0
            crypto map VPN-MAP
#=====================================================================
#GRE (not secured)

#Topology
#   R1
#       WAN IP: 192.0.2.1
#       Tunnel IP: 10.1.1.1

#   R2
#       WAN IP: 203.0.113.1
#       Tunnel IP: 10.1.1.2
enable
    configure terminal
#   R1
        interface Tunnel0
            ip address 10.1.1.1 255.255.255.252
            tunnel source 192.0.2.1
            tunnel destination 203.0.113.1
            exit

#   R2
        interface Tunnel0
            ip address 10.1.1.2 255.255.255.252
            tunnel source 203.0.113.1
            tunnel destination 192.0.2.1
            exit


#=====================================================================

#GRE over IPSec
#GRE encapsulates multicast and other protocols, IPSec provides the security.

#Topology
#   R1
#       WAN IP: 192.0.2.1
#       Tunnel IP: 10.1.1.1

#   R2
#       WAN IP: 203.0.113.1
#       Tunnel IP: 10.1.1.2
enable
    configure terminal
#   R1
        interface Tunnel0
            ip address 10.1.1.1 255.255.255.252
            tunnel source 192.0.2.1
            tunnel destination 203.0.113.1

        crypto isakmp policy 10
            encr aes
            authentication pre-share
            group 2

        crypto isakmp key <GRE_KEY> address 203.0.113.1

        crypto ipsec transform-set GRE-TRANSFORM esp-aes esp-sha-hmac
            mode transport

        crypto map GRE-MAP 10 ipsec-isakmp
            set peer 203.0.113.1
            set transform-set GRE-TRANSFORM
            match address GRE-ACL

#Only the GRE packets between the two WAN addresses are protected
        ip access-list extended GRE-ACL
            permit gre host 192.0.2.1 host 203.0.113.1

        interface GigabitEthernet0/0
            crypto map GRE-MAP

#   R2
        interface Tunnel0
            ip address 10.1.1.2 255.255.255.252
            tunnel source 203.0.113.1
            tunnel destination 192.0.2.1

        crypto isakmp policy 10
            encr aes
            authentication pre-share
            group 2

        crypto isakmp key <GRE_KEY> address 192.0.2.1

        crypto ipsec transform-set GRE-TRANSFORM esp-aes esp-sha-hmac
            mode transport

        crypto map GRE-MAP 10 ipsec-isakmp
            set peer 192.0.2.1
            set transform-set GRE-TRANSFORM
            match address GRE-ACL

        ip access-list extended GRE-ACL
            permit gre host 203.0.113.1 host 192.0.2.1

        interface GigabitEthernet0/0
            crypto map GRE-MAP
#=====================================================================

#VTI (Virtual Tunnel Interface)

#   R1
        crypto isakmp policy 10
            encr aes
            hash sha256
            authentication pre-share
            group 2
        crypto isakmp key <VTI_KEY> address 203.0.113.1

        crypto ipsec transform-set VTI-TRANSFORM esp-aes esp-sha-hmac
            mode tunnel

        crypto ipsec profile VTI-PROFILE
            set transform-set VTI-TRANSFORM

        interface Tunnel0
            ip address 10.1.1.1 255.255.255.252
            tunnel source 192.0.2.1
            tunnel destination 203.0.113.1
            tunnel mode ipsec ipv4
            tunnel protection ipsec profile VTI-PROFILE

#   R2
        crypto isakmp policy 10
            encr aes
            hash sha256
            authentication pre-share
            group 2
        crypto isakmp key <VTI_KEY> address 192.0.2.1

        crypto ipsec transform-set VTI-TRANSFORM esp-aes esp-sha-hmac
            mode tunnel

        crypto ipsec profile VTI-PROFILE
            set transform-set VTI-TRANSFORM

        interface Tunnel0
            ip address 10.1.1.2 255.255.255.252
            tunnel source 203.0.113.1
            tunnel destination 192.0.2.1
            tunnel mode ipsec ipv4
            tunnel protection ipsec profile VTI-PROFILE
#=====================================================================

#Troubleshooting
#
    show crypto isakmp sa               #to check IKE Phase 1 (ISAKMP)
#Check the SA (Security Association), its state must be MM_ACTIVE

    show crypto ipsec sa                #to check IKE Phase 2 (IPSec SA)
#Check the encrypt/decrypt counters, they must be != 0

    show access-lists                   #to check if the traffic matches the ACL
#Check the counters, they must grow

    show crypto map                     #to check a tunnel (crypto map)
#Check that the crypto map is bound to the interface
#Check that the crypto profile is present

    show running-config interface <interface>
#Check that a crypto map is applied to the interface

#DEBUG MODE
    debug crypto isakmp
    debug crypto ipsec
#   Look for errors in the output

#IKE Phase 1 can't be established
    show crypto isakmp sa               #shows: MM_NO_STATE
#       #Reasons
#           -Pre-Shared Key (PSK) is not correct
#           -IKE parameters differ (encryption, hash, group)
#           -The peer IP is not correct

#       #Solutions
#           -Check the PSK
        crypto isakmp key <KEY> address <peer IP address>

#           -Check both sides, the IKE parameters must be the same
    show running-config | section crypto isakmp policy

#           -Check the routing table. The peer IP must be reachable


#IKE Phase 2 can't be established
#Symptom: there is no status for the SA
    show crypto ipsec sa
#       #Reasons:
#           -Traffic does not match the ACL
#           -The transform-set does not match

#       #Solutions:
#           -Check the ACLs on both sides and check that the IP ranges match
    show access-lists

#           -Compare the transform-sets on both sides
    show crypto ipsec transform-set


#Traffic isn't encrypted/decrypted
#Symptom: the counters don't grow
    show crypto ipsec sa
#       #Reasons:
#           -Traffic doesn't match the ACLs
#           -Routing problem
#           -NAT configuration is not correct

#       #Solutions:
    show ip route

#In a NAT source list "deny" means "do not translate", so the VPN traffic must be denied and everything else permitted
        ip access-list extended NO-NAT                              #exclude VPN traffic from NAT
            deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255     #VPN traffic: not translated
            permit ip any any                                        #everything else: translated
    ip nat inside source list NO-NAT interface GigabitEthernet0/0 overload


#Tunneled traffic drops
#       #Symptom: the tunnel is established, but traffic doesn't flow through it
#       #Reasons:
#           -MTU is not correct, packet fragmentation
#           -Firewall blocks the traffic

#       #Solutions:
#           -Check the firewall rules
#           -Reduce the MTU on the tunnel interface

        interface Tunnel0
            ip mtu 1400


#Multicast doesn't flow through the tunnel (needed for OSPF/EIGRP)
#Reasons: IPSec doesn't carry multicast directly
#       #Solutions:
#           -Use Transport Mode instead of Tunnel Mode
#           -Use GRE over IPSec to support multicast
#           -Check the routes
#           -Check the time on both sides (NTP)
        ntp server <IP address>


#EXAMPLE (VTI + IPSec)
#STEPS
#   1. Create a VTI interface
#   2. Set up IKE Phase 1
#   3. Set a PSK for the remote host
#   4. Set up IKE Phase 2 (IPSec profile)
#   5. Bind the IPSec profile to the VTI interface
#   6. Set up the route

#Example
#   1. Create a VTI interface
enable
    configure terminal
        interface Tunnel0
            ip address 10.0.0.1 255.255.255.252
            tunnel source GigabitEthernet0/0
            tunnel destination 203.0.113.2      #the peer WAN address (same as in the PSK in step 3); a VTI does not come up without it
            tunnel mode ipsec ipv4

#   2. Set up IKE Phase 1
        crypto isakmp policy 10     #10 is the priority
            encr aes 256
            hash sha256
            authentication pre-share
            group 14
            lifetime 86400

#   3. Set a PSK for the remote host
        crypto isakmp key MySecretKey address 203.0.113.2

#   4. Set up IKE Phase 2 (IPSec profile)
        crypto ipsec transform-set TRANSFORM-SET esp-aes 256 esp-sha-hmac
            mode tunnel
        crypto ipsec security-association lifetime seconds <value>

        crypto ipsec profile VTI-PROFILE
            set transform-set TRANSFORM-SET
            set pfs group14

#   5. Bind the IPSec profile to the VTI interface
        interface Tunnel0
            tunnel protection ipsec profile VTI-PROFILE

#   6. Set up the route
        ip route 192.168.2.0 255.255.255.0 Tunnel0