GRE tunneling with IPSec encryption

Some time ago, a frequently mentioned feature in networking blogs was “GRE tunneling with IPSec encryption”. I tried it out and found it awesome (in the meantime, we use it in production). When I need encrypted communication between two endpoints, I prefer IPSec-encrypted GRE over a site-to-site IPSec VPN because:

  • it's easier to configure (no more ugly ACLs to select which traffic is encrypted or not NATed)
  • the configuration looks better arranged when you have a lot of endpoints
  • it gives you an interface, which can be used for routing

Here is my simple example for an encrypted GRE tunnel:

[Diagram: gre_ipsec]

This setup uses c3725-adventerprisek9-mz.124-15.T6.bin running on GNS3.

But now, let’s start our configuration…

First, we setup static host routes for the tunnel endpoints on maria and jenny:

maria:
ip route 172.16.17.6 255.255.255.255 172.16.17.2
hilde:
ip route 172.16.17.1 255.255.255.255 172.16.17.5

And now, let’s prepare crypto stuff…

maria:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 0 IpSeC address 172.16.17.6
!
!
crypto ipsec transform-set TS_TUNNEL_PROTECTION esp-aes esp-sha-hmac
!
crypto ipsec profile CP_TUNNEL_PROTECTION
 set transform-set TS_TUNNEL_PROTECTION
!
hilde:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 0 IpSeC address 172.16.17.1
!
!
crypto ipsec transform-set TS_TUNNEL_PROTECTION esp-aes esp-sha-hmac
!
crypto ipsec profile CP_TUNNEL_PROTECTION
 set transform-set TS_TUNNEL_PROTECTION
!

As the final step, we configure interface “Tunnel1” on both sides:

maria:
interface Tunnel1
 description encrypted GRE tunnel to hilde
 ip address 10.99.88.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 172.16.17.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CP_TUNNEL_PROTECTION
!
hilde:
interface Tunnel1
 description encrypted GRE tunnel to maria
 ip address 10.99.88.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 172.16.17.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CP_TUNNEL_PROTECTION
!

After adding IPSec protection to the tunnel interface, a crypto map is activated on interface FastEthernet0/1 and the router listens on udp/500 for ISAKMP connections:

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Here’s an example output of some show commands from maria:

maria#sh int tu1 | inc Tun|TU|tu
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Description: encrypted GRE tunnel to hilde
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
  Encapsulation TUNNEL, loopback not set
  Tunnel source 172.16.17.1 (FastEthernet0/1), destination 172.16.17.6
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "CP_TUNNEL_PROTECTION")
maria#
maria#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.
1003  172.16.17.1     172.16.17.6              ACTIVE aes  sha  psk  5  23:54:56
       Engine-id:Conn-id =  SW:3
IPv6 Crypto ISAKMP SA
maria#
maria#sh crypto ipsec sa
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 172.16.17.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.16.17.6 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3115, #pkts encrypt: 3115, #pkts digest: 3115
    #pkts decaps: 3111, #pkts decrypt: 3111, #pkts verify: 3111
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.16.17.1, remote crypto endpt.: 172.16.17.6
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x231F8FB2(589270962)
     inbound esp sas:
      spi: 0x745B92B6(1952158390)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 7, flow_id: SW:7, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4534116/3109)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x231F8FB2(589270962)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 8, flow_id: SW:8, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4534106/3108)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
maria#
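The output above is what you check by eye after bringing the tunnel up. As an added example that is not part of the original post, the following Python parses the relevant lines of `sh crypto ipsec sa` (the sample input is taken from maria's output above) and applies the checks a reviewer would apply: both SAs ACTIVE, anti-replay enabled, no deprecated transform, and packets counted in both directions.

```python
import re

# Sample input: the lines of the `sh crypto ipsec sa` output from maria above that matter here.
SHOW_CRYPTO_IPSEC_SA = """\
    #pkts encaps: 3115, #pkts encrypt: 3115, #pkts digest: 3115
    #pkts decaps: 3111, #pkts decrypt: 3111, #pkts verify: 3111
     inbound esp sas:
      spi: 0x745B92B6(1952158390)
        transform: esp-aes esp-sha-hmac ,
        replay detection support: Y
        Status: ACTIVE
     outbound esp sas:
      spi: 0x231F8FB2(589270962)
        transform: esp-aes esp-sha-hmac ,
        replay detection support: Y
        Status: ACTIVE
"""
WEAK_TRANSFORMS = ("esp-des", "esp-3des", "esp-md5-hmac", "esp-null")  # deprecated, or no confidentiality

def parse_ipsec_sa(text):
    """Extract packet counters and per-SA attributes from IOS `show crypto ipsec sa` output."""
    result = {"counters": {}, "sas": []}
    sa = None
    for line in (raw.strip() for raw in text.splitlines()):
        for name, value in re.findall(r"#(pkts \w+|\w+ errors):? (\d+)", line):
            result["counters"][name] = int(value)
        if line.endswith("sas:"):        # "inbound esp sas:" etc. open a new SA group
            sa = None
        elif line.startswith("spi:"):    # every SPI line starts one SA block
            sa = {"spi": line.split()[1].split("(")[0]}
            result["sas"].append(sa)
        elif sa is not None and ":" in line:
            key, _, value = line.partition(":")
            sa[key.strip()] = value.strip().rstrip(" ,")
    return result

def check_ipsec_sa(parsed):
    """Return findings for a parsed SA; an empty list means the tunnel looks healthy."""
    c, findings = parsed["counters"], []
    if not (c.get("pkts encaps") and c.get("pkts decaps")):
        findings.append("traffic is not flowing in both directions")
    for sa in parsed["sas"]:
        if sa.get("Status") != "ACTIVE":
            findings.append(f"SA {sa['spi']} is not ACTIVE")
        if sa.get("replay detection support") != "Y":
            findings.append(f"SA {sa['spi']} has anti-replay disabled")
        if any(weak in sa.get("transform", "") for weak in WEAK_TRANSFORMS):
            findings.append(f"SA {sa['spi']} uses weak transform {sa['transform']}")
    return findings
```

Feed it the full output of `show crypto ipsec sa`; extra lines such as the compression counters or `sa timing` are parsed but ignored by the checks.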

As you can see, the connection from my laptop 192.168.222.1 to 172.16.1.1 (and vice versa) is working:

debian:~# route add -net 172.16.1.0/24 gw 192.168.222.250
debian:~# ping -c 5 172.16.1.1
PING 172.16.1.1 (172.16.1.1) 56(84) bytes of data.
64 bytes from 172.16.1.1: icmp_seq=1 ttl=254 time=112 ms
64 bytes from 172.16.1.1: icmp_seq=2 ttl=254 time=75.2 ms
64 bytes from 172.16.1.1: icmp_seq=3 ttl=254 time=89.0 ms
64 bytes from 172.16.1.1: icmp_seq=4 ttl=254 time=89.9 ms
64 bytes from 172.16.1.1: icmp_seq=5 ttl=254 time=81.0 ms
 
--- 172.16.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 75.299/89.537/112.340/12.611 ms
debian:~# traceroute -d 172.16.1.1
traceroute to 172.16.1.1 (172.16.1.1), 30 hops max, 40 byte packets
 1  192.168.222.250 (192.168.222.250)  26.389 ms  9.448 ms  2.720 ms
 2  10.99.88.2 (10.99.88.2)  91.624 ms *  93.814 ms
debian:~#
hilde#ping 192.168.222.140 source 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.222.140, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/41/80 ms
hilde#trace 192.168.222.140 source 172.16.1.1 numeric
Type escape sequence to abort.
Tracing the route to 192.168.222.140
  1 10.99.88.1 68 msec 68 msec 56 msec
  2 192.168.222.140 64 msec 44 msec 56 msec
hilde#

Don’t worry about the round-trip time; this setup is running under GNS3 ;-) Last but not least, a sample tcpdump of jenny’s FastEthernet0/1 while pinging around with ping -f.
As you can see, jenny only forwards encrypted traffic and doesn’t know anything about the traffic between maria and 192.168.222.140.
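The attached capture shows this by eye; as an added example that is not part of the original post, the following Python classifies `tcpdump -nn` lines from jenny's transit link and flags anything between the two sites that is not IKE or ESP. The capture lines are constructed (the last two are deliberate leaks that a correctly protected tunnel never produces).

```python
import re

# Constructed tcpdump -nn lines as they might be captured on jenny's FastEthernet0/1, the
# transit link between maria (172.16.17.1) and hilde (172.16.17.6). The first four lines are
# what a healthy protected tunnel looks like; the last two are deliberately constructed leaks.
SAMPLE_CAPTURE = """\
10:00:00.000001 IP 172.16.17.1.500 > 172.16.17.6.500: isakmp: phase 1 I ident
10:00:00.052311 IP 172.16.17.6.500 > 172.16.17.1.500: isakmp: phase 1 R ident
10:00:01.000045 IP 172.16.17.1 > 172.16.17.6: ESP(spi=0x231f8fb2,seq=0x1), length 132
10:00:01.081002 IP 172.16.17.6 > 172.16.17.1: ESP(spi=0x745b92b6,seq=0x1), length 132
10:00:02.000000 IP 172.16.17.1 > 172.16.17.6: GREv0, length 88: IP 10.99.88.1 > 10.99.88.2: ICMP echo request, id 7, seq 1, length 64
10:00:02.500000 IP 192.168.222.140 > 172.16.1.1: ICMP echo request, id 9, seq 1, length 64
"""

TUNNEL_ENDPOINTS = {"172.16.17.1", "172.16.17.6"}          # maria and hilde
PROTECTED_NETS = ("10.99.88.", "192.168.222.", "172.16.1.")  # must only travel inside ESP here

# timestamp, outer src[.port] > outer dst[.port]: payload description
LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (.*)$")

def classify(line):
    """Return 'ike', 'esp', 'gre-leak', 'plaintext-leak' or 'other' for one tcpdump line."""
    m = LINE_RE.match(line)
    if not m:
        return "other"
    src, dst, payload = m.groups()
    if payload.startswith("isakmp"):
        return "ike"                  # IKE on udp/500 is expected control traffic
    if payload.startswith("ESP("):
        return "esp"                  # the protected payload, as it should appear
    # Cleartext GRE between the endpoints means tunnel protection is not in effect:
    # with protection, GRE (if used at all) rides inside ESP and is never visible here.
    if payload.startswith("GREv") and {src, dst} <= TUNNEL_ENDPOINTS:
        return "gre-leak"
    # Inner addresses in the outer header: traffic bypassed the tunnel entirely
    if src.startswith(PROTECTED_NETS) or dst.startswith(PROTECTED_NETS):
        return "plaintext-leak"
    return "other"

def audit(capture_text):
    """Count each class and collect the leaking lines from a tcpdump text dump."""
    counts, leaks = {}, []
    for line in capture_text.splitlines():
        kind = classify(line)
        counts[kind] = counts.get(kind, 0) + 1
        if kind.endswith("-leak"):
            leaks.append(line)
    return counts, leaks
```

Run it over `tcpdump -nn -r jenny_to_maria.cap` output; on a correctly protected tunnel the leak list is empty and only `ike` and `esp` are counted between the two endpoints.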

Attachment: jenny_to_maria.cap (24 kB)
