Cisco Labs – Network Security (4) – GRE VPN tunnel using pre-shared keys on Router


Introduction

During my university studies I was doing a diploma thesis in the field of redundant and reliable networking. The purpose of it was to create lab examples for students, so they can test basic settings for VPN, IPS and others. These tasks are created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its own post with a brief description of the task and the schema. The complete task can be downloaded on My Onedrive.

NS2 – Module 4, 4.4.8a IOS task definition

Goal

  • A site-to-site GRE tunnel protected by IPsec with pre-shared key authentication will be set up between Router1 and Router2.
  • Router3 simulates the Internet and will only pass the traffic the site routers need (OSPF, ISAKMP and ESP).
  • Only traffic between LAN 1 and LAN 2 (carried inside the GRE tunnel) will be encrypted.
  • Use the OSPF routing protocol between the routers.
  • Clear and reinitialize the VPN tunnel.
  • Do not forget to erase the configuration before startup and check that the IOS image supports the required features (crypto/IPsec).

Required time

3 hours

Theoretical background

A short theoretical background for solving this task will be given here.

Topology

NS2-4.4.8a_IOS_topology1_VIRTLAB

Configuration

PC1

ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7

PC2

ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8

Routers

1) interface settings + OSPF

R18@ostrava(config)#hostname Router1
Router1(config)#interface INT1
Router1(config-if)#duplex half
Router1(config-if)#ip address 192.168.0.1 255.255.255.0
Router1(config-if)#no shutdown

Router1(config)#interface INT2
Router1(config-if)#duplex half
Router1(config-if)#ip address 172.16.1.1 255.255.255.0
Router1(config-if)#no shutdown

Router1(config)#router ospf 1
Router1(config-router)#network 172.16.1.0 0.0.0.255 area 0        ;only the WAN subnet is advertised; the LANs are reached through the tunnel (static routes in 2b)

Router1(config)#interface tunnel 0                                ;set up the virtual tunnel interface
Router1(config-if)#ip address 100.0.0.1 255.255.255.0             ;virtual tunnel IP address
Router1(config-if)#tunnel source 172.16.1.1                       ;tunnel source: the WAN interface IP address
Router1(config-if)#tunnel destination 172.16.0.1                  ;tunnel destination: Router2's WAN interface IP address
Router1(config-if)#tunnel mode gre ip                             ;set tunnel mode to GRE over IP (the default mode)

R19@ostrava(config)#hostname Router2
Router2(config)#interface INT3
Router2(config-if)#ip address 172.16.0.1 255.255.255.0
Router2(config-if)#duplex half
Router2(config-if)#no shutdown

Router2(config)#interface INT4
Router2(config-if)#ip address 10.0.0.1 255.255.255.0
Router2(config-if)#duplex half
Router2(config-if)#no shutdown

Router2(config)#router ospf 1
Router2(config-router)#network 172.16.0.0 0.0.0.255 area 0

Router2(config)#interface tunnel 0
Router2(config-if)#ip address 100.0.0.2 255.255.255.0
Router2(config-if)#tunnel source 172.16.0.1
Router2(config-if)#tunnel destination 172.16.1.1
Router2(config-if)#tunnel mode gre ip

R4@ostrava(config)#hostname Router3
Router3(config)#interface INT5
Router3(config-if)#ip address 172.16.1.2 255.255.255.0
Router3(config-if)#no shutdown

Router3(config)#interface INT6
Router3(config-if)#ip address 172.16.0.2 255.255.255.0
Router3(config-if)#no shutdown

Router3(config)#router ospf 1
Router3(config-router)#network 172.16.1.0 0.0.0.255 area 0
Router3(config-router)#network 172.16.0.0 0.0.0.255 area 0

2a) VPN tunnel settings phase 1 IKE/ISAKMP

The policy must be the same on both ends of the tunnel (the priority number may differ). 3DES, SHA-1 and DH group 2 are legacy choices used here for compatibility with older IOS images; outside the lab use AES, SHA-256 and DH group 14 or higher.

Router1(config)#crypto isakmp policy 10                           ;set up the phase 1 (ISAKMP) policy
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#hash sha
Router1(config-isakmp)#group 2
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#lifetime 1000                              ;phase 1 SA lifetime in seconds (tunnel initialisation)

Router2(config)#crypto isakmp policy 10
Router2(config-isakmp)#encryption 3des
Router2(config-isakmp)#hash sha
Router2(config-isakmp)#group 2
Router2(config-isakmp)#authentication pre-share
Router2(config-isakmp)#lifetime 1000

2b) VPN tunnel settings phase 2 IPsec

Router1(config)#access-list 101 permit gre host 172.16.1.1 host 172.16.0.1        ;crypto ACL: the GRE packets between the tunnel endpoints are the traffic to be encrypted
Router1(config)#crypto isakmp key PRESHAREDKEY address 172.16.0.1                 ;pre-shared key for ISAKMP authentication with Router2 (PRESHAREDKEY is a placeholder; use a long random key)
Router1(config)#crypto ipsec transform-set TRSETGRERouter1 esp-des esp-md5-hmac   ;define the transform set for the GRE traffic (DES/MD5 are lab-only choices)
Router1(cfg-crypto-trans)#crypto map CRYPTOMAPRouter1 10 ipsec-isakmp
Router1(config-crypto-map)#match address 101                                      ;this crypto map entry applies to the traffic matched by access-list 101
Router1(config-crypto-map)#set peer 172.16.0.1                                    ;the IPsec peer: Router2's WAN address, the other end of the GRE tunnel
Router1(config-crypto-map)#set transform-set TRSETGRERouter1
Router1(config)#ip route 10.0.0.0 255.255.255.0 tunnel 0                          ;route LAN 2 into the GRE tunnel
Router1(config)#interface INT2                                                    ;apply the crypto map to the WAN interface (the tunnel source)
Router1(config-if)#crypto map CRYPTOMAPRouter1

Apply the analogous settings on the other side of the tunnel; the pre-shared key must be identical on both routers.

Router2(config)#access-list 101 permit gre host 172.16.0.1 host 172.16.1.1
Router2(config)#crypto isakmp key PRESHAREDKEY address 172.16.1.1
Router2(config)#crypto ipsec transform-set TRSETGRERouter2 esp-des esp-md5-hmac
Router2(cfg-crypto-trans)#crypto map CRYPTOMAPRouter2 10 ipsec-isakmp
Router2(config-crypto-map)#match address 101
Router2(config-crypto-map)#set peer 172.16.1.1
Router2(config-crypto-map)#set transform-set TRSETGRERouter2
Router2(config)#ip route 192.168.0.0 255.255.255.0 tunnel 0
Router2(config)#interface INT3
Router2(config-if)#crypto map CRYPTOMAPRouter2

3) Access list on Router3 to allow only the needed traffic

Router3(config)#access-list 101 permit ospf any any                                  ;OSPF between Router3 and the site routers
Router3(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.0.1           ;the encrypted GRE traffic
Router3(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp ;IKE/ISAKMP (UDP 500)
Router3(config)#interface INT5
Router3(config-if)#ip access-group 101 in

The list ends with the implicit deny, so unencrypted GRE, ICMP or any other traffic from Router1 is dropped: if the crypto map is missing or access-list 101 on Router1 does not match, the ping in the function test fails, which is a useful check that the LAN traffic really is encrypted. The list is applied only inbound on INT5 (traffic from Router1); packets from Router2 enter on INT6 unfiltered, so if you also filter INT6, add the mirrored entries with the addresses swapped.
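To see why this short list is enough, here is an added Python model (written for this edited page, not part of the original lab) of what Router1 puts on the wire for a LAN 1 to LAN 2 packet and of the first-match evaluation Router3 applies to it. It parses the access-list lines exactly as written above; the packet model is a simplified tuple (protocol number, source, destination, destination port) with no real headers, and the clear-text GRE and ICMP packets it evaluates are constructed inputs. The ESP outer addresses equal the GRE endpoints here because the crypto map sits on the interface that is also the tunnel source.

```python
"""Added example: GRE-over-IPsec encapsulation on Router1 and the transit ACL on Router3.

Addresses and access-list lines are the lab's; the packet model is a constructed
simplification (protocol number, src, dst, dst port), not a real header parser."""
from dataclasses import dataclass
from typing import List, Optional

# IOS protocol keywords used in extended ACLs -> IP protocol numbers (None = any)
PROTO_BY_NAME = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ospf": 89}
PORT_BY_NAME = {"isakmp": 500}


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None   # only meaningful for tcp/udp
    note: str = ""                # human-readable encapsulation trail


@dataclass(frozen=True)
class Ace:
    action: str
    proto: Optional[int]          # None = any protocol ("ip")
    src: Optional[str]            # None = any
    dst: Optional[str]
    dport: Optional[int]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny <proto> <src> <dst> [eq <port>]'.
    Only the 'host A' and 'any' address forms used in this lab are accepted;
    wildcard masks raise so that a typo cannot silently widen the list."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an extended ACL line: " + line)
    pos = 4

    def address() -> Optional[str]:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return None
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1]
        raise ValueError("wildcard masks are not supported in this example: " + line)

    src, dst = address(), address()
    dport = None
    if pos < len(tok) and tok[pos] == "eq":
        dport = PORT_BY_NAME.get(tok[pos + 1]) or int(tok[pos + 1])
    return Ace(tok[2], PROTO_BY_NAME[tok[3]], src, dst, dport)


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """IOS semantics: the first matching entry decides; implicit 'deny ip any any' at the end."""
    for ace in acl:
        if ace.proto is not None and ace.proto != pkt.proto:
            continue
        if ace.src is not None and ace.src != pkt.src:
            continue
        if ace.dst is not None and ace.dst != pkt.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action == "permit"
    return False


# Lab values: Router1's crypto ACL and the inbound ACL on Router3's INT5
R1_WAN, R2_WAN = "172.16.1.1", "172.16.0.1"
R1_CRYPTO_ACL = [parse_ace("access-list 101 permit gre host 172.16.1.1 host 172.16.0.1")]
R3_INT5_IN = [parse_ace(line) for line in (
    "access-list 101 permit ospf any any",
    "access-list 101 permit esp host 172.16.1.1 host 172.16.0.1",
    "access-list 101 permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp",
)]


def router1_sends(inner: Packet, crypto_map_applied: bool = True) -> Packet:
    """What leaves Router1's INT2 for a LAN 1 packet routed into tunnel 0.
    Step 1: tunnel 0 wraps it in GRE (protocol 47) between tunnel source and destination.
    Step 2: the crypto map on INT2 matches the GRE packet against access-list 101 and,
    on a match, protects it with ESP (protocol 50) to the configured peer.
    Without the crypto map (or with a non-matching crypto ACL) the GRE leaves in clear text."""
    gre = Packet(47, R1_WAN, R2_WAN, note=f"GRE[{inner.note}]")
    if crypto_map_applied and acl_permits(R1_CRYPTO_ACL, gre):
        return Packet(50, gre.src, R2_WAN, note=f"ESP[{gre.note}]")
    return gre


def router3_forwards(pkt: Packet) -> bool:
    """Does the inbound ACL on Router3's INT5 let a packet from Router1's side through?"""
    return acl_permits(R3_INT5_IN, pkt)


if __name__ == "__main__":
    ping = Packet(1, "192.168.0.100", "10.0.0.100", note="ICMP PC1->PC2")
    for candidate in (router1_sends(ping), router1_sends(ping, crypto_map_applied=False)):
        print(candidate.note, "->", "forwarded" if router3_forwards(candidate) else "dropped")
```

Running it shows the ESP-wrapped ping forwarded and the same ping without the crypto map dropped at Router3; UDP 4500 (NAT-T) is likewise not permitted, which is fine here because there is no NAT between the routers, but it is the first thing to add if a NAT device ever sits on the path.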

Function test

F1) Turn on debug

On Router1, to see whether the tunnel initializes properly:

Router1#debug crypto isakmp
Router1#debug crypto ipsec

F2) Initialize tunnel

PC1#ping 10.0.0.100

The pictures show the result of the commands from sections F1 and F2. Besides the debug output, show crypto isakmp sa and show crypto ipsec sa on Router1 confirm that the phase 1 and phase 2 security associations exist.

NS2-4.4.8a_IOS_DIA2-1

NS2-4.4.8a_IOS_DIA2-2

F3) Delete tunnel

Router1#clear crypto isakmp                                       ;delete the phase 1 (ISAKMP) security associations
Router1#clear crypto sa                                           ;delete the phase 2 (IPsec) security associations, i.e. the existing tunnels
Router1#clear crypto session                                      ;delete all crypto sessions (both phases)

The pictures show the result of the commands from sections F1 and F3.

NS2-4.4.8a_IOS_DIA3-1

NS2-4.4.8a_IOS_DIA3-2

F4) Reinitialize tunnel from the other side

From PC2, ping 192.168.0.100. Look at the SRC and DST addresses in the debug output; they depend on which router initiated the tunnel.

If the SPI is mismatched, refer to exercise 4.4.7, where this command is described further: crypto isakmp invalid-spi-recovery.

Optional tasks

  • Define more transform sets so that the peers can choose one that both sides support.
  • Define different encryption and hashing algorithms – see point 2a.
  • Add one more router to the topology and create another tunnel to it.

Two or more tunnels to different locations and peers:

This is accomplished by adding:

  • A new ISAKMP policy section with the required settings (if the new peer needs different ones).
  • A new crypto access list matching the GRE traffic to the new peer.
  • A new entry (sequence number) in the existing crypto map with its own peer, access list and a new or existing transform set; an interface can carry only one crypto map, so a further peer is a further entry, not a second map.
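The optional points above (more transform sets, different algorithms) and the phase 1 rule in 2a (same policy on both ends, priority may differ) come down to how a responder picks a proposal. The following Python model is an added example for this edited page, not part of the original lab: the values labelled as lab values are the ones configured in 2a/2b, the AES/SHA-256/group 14 proposals are invented to show a negotiation with several candidates, and the legacy-algorithm check encodes the usual guidance that DES, 3DES, MD5, SHA-1 and DH groups 1, 2 and 5 are deprecated. Phase 1 follows the documented IOS rule: the responder walks its own policies in priority order and takes the first that matches any offered policy on encryption, hash, group and authentication, and the shorter lifetime is then used. Applying the same responder-order rule to transform sets is an assumption of the model.

```python
"""Added example: how ISAKMP policies (phase 1) and transform sets (phase 2) are matched.

Lab values are the ones from sections 2a/2b; the AES proposals in the usage are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int                  # 'crypto isakmp policy <priority>'; lower = preferred
    encryption: str = "des"        # IOS defaults apply when a sub-command is omitted
    hash: str = "sha"
    group: int = 1
    authentication: str = "rsa-sig"
    lifetime: int = 86400          # seconds


@dataclass(frozen=True)
class TransformSet:
    name: str                      # local only, never sent to the peer
    esp_encryption: str            # esp-des, esp-3des, esp-aes, ...
    esp_auth: str                  # esp-md5-hmac, esp-sha-hmac, ...
    mode: str = "tunnel"


# Broken or deprecated choices, keyed by the attribute they appear in ('sha' = SHA-1)
LEGACY = {
    "encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {1, 2, 5},
    "esp_encryption": {"esp-des", "esp-3des"}, "esp_auth": {"esp-md5-hmac", "esp-sha-hmac"},
}


def legacy_settings(proposal) -> List[str]:
    """Attributes of a policy or transform set that use a legacy algorithm."""
    return [attr for attr, bad in LEGACY.items() if getattr(proposal, attr, None) in bad]


ISAKMP_MATCH = ("encryption", "hash", "group", "authentication")   # priority and lifetime are not compared
TRANSFORM_MATCH = ("esp_encryption", "esp_auth", "mode")           # the set name is not compared


def responder_pick(local: Sequence, offered: Sequence, attrs: Sequence[str]) -> Optional[Tuple]:
    """The responder walks its own proposals in configured order and accepts the first one
    that equals (on attrs) any proposal the initiator offered.  Returns (local, offered)."""
    for mine in local:
        for theirs in offered:
            if all(getattr(mine, a) == getattr(theirs, a) for a in attrs):
                return mine, theirs
    return None


def by_priority(policies: Sequence[IsakmpPolicy]) -> List[IsakmpPolicy]:
    return sorted(policies, key=lambda p: p.priority)


def negotiate_isakmp(initiator, responder):
    """Phase 1: returns (responder policy, initiator policy, agreed lifetime) or None.
    The initiator sends all its policies; the responder's order decides which match wins,
    and the shorter of the two lifetimes is used."""
    hit = responder_pick(by_priority(responder), by_priority(initiator), ISAKMP_MATCH)
    if hit is None:
        return None
    mine, theirs = hit
    return mine, theirs, min(mine.lifetime, theirs.lifetime)


def negotiate_transform_set(initiator_sets, responder_sets):
    """Phase 2: 'set transform-set A B C' lists proposals in order of preference.
    Assumption of this model: the responder's order decides, as for phase 1."""
    return responder_pick(responder_sets, initiator_sets, TRANSFORM_MATCH)


# Lab values from 2a/2b (identical on both routers apart from the transform-set names)
LAB_POLICY = IsakmpPolicy(10, "3des", "sha", 2, "pre-share", 1000)
TRSET_R1 = TransformSet("TRSETGRERouter1", "esp-des", "esp-md5-hmac")
TRSET_R2 = TransformSet("TRSETGRERouter2", "esp-des", "esp-md5-hmac")

if __name__ == "__main__":
    strong = IsakmpPolicy(5, "aes", "sha256", 14, "pre-share")   # constructed, not in the lab
    print(negotiate_isakmp([LAB_POLICY], [LAB_POLICY]))
    print(negotiate_isakmp([LAB_POLICY, strong], [strong, LAB_POLICY]))
    print(negotiate_transform_set([TRSET_R1], [TRSET_R2]))
    print("legacy:", legacy_settings(LAB_POLICY), legacy_settings(TRSET_R1))
```

Two things the model makes visible: the transform-set names differ between the routers and still match, because only the algorithms and mode are compared; and when both ends offer an AES policy next to the lab's 3DES one, the responder's own ordering decides which is used, so the stronger policy should get the lower priority number on the side that answers.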