Friday, February 5, 2010

VPN - Site-to-Site + GRE IPsec

The most exciting topic today - IPsec.
First of all my remarks:
1. With a site-to-site IPsec VPN, the "interesting traffic" is selected by the ACL referenced from the crypto map entry (match address). When the same router also does NAT, the NAT statement should use a route map, because IOS applies NAT (inside-to-outside) before the crypto map examines the packet: if the VPN traffic is translated, its source address no longer matches the crypto ACL and the packet leaves the router in the clear. The route map therefore has to exclude the VPN traffic from translation.
Like:
  • ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
  • route-map SDM_RMAP_1 permit 1
     match ip address 101
  • access-list 101 remark IPSec Rule
    access-list 101 deny   ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
    access-list 101 permit ip 10.0.0.0 0.255.255.255 any
The access list reads: translate everything sourced from 10.0.0.0/8 except traffic from 10.0.10.0/24 to 10.0.20.0/24, which is the IPsec-protected traffic. The deny entry does not drop those packets; it only keeps them out of the route map, so they reach the crypto map with their original addresses.
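To make the order of operations concrete, the following added example (Python, not from the original post) models what an IOS router does to one inside-to-outside packet: NAT inside-to-outside is applied first, and only then does the crypto map on the outside interface look at the packet. It uses the page's access-list 101 both with and without the deny line. The outside address 198.51.100.1, the Internet host 203.0.113.10 and a crypto ACL that mirrors the deny line are assumptions.

```python
"""Added example (not from the original post): a small model of how IOS handles an
inside-to-outside packet on a router that both NATs to the Internet and runs a
site-to-site IPsec tunnel.  Order of operations: NAT inside-to-outside first, then
the crypto map on the outside interface checks the (already translated) packet.

Uses the page's access-list 101 and the 10.0.10.0/24 <-> 10.0.20.0/24 VPN subnets.
Assumptions: the outside (overload) address 198.51.100.1, the Internet host
203.0.113.10, and a crypto ACL that mirrors the NAT deny line."""
import ipaddress

OUTSIDE_IP = "198.51.100.1"      # assumed address of FastEthernet0/1 (ip nat ... overload)

# ACL entries as (action, src_net, src_wildcard, dst_net, dst_wildcard); "any" is 0.0.0.0 255.255.255.255
NAT_ACL_WITH_EXEMPTION = [
    ("deny",   "10.0.10.0", "0.0.0.255",     "10.0.20.0", "0.0.0.255"),        # IPSec Rule
    ("permit", "10.0.0.0",  "0.255.255.255", "0.0.0.0",   "255.255.255.255"),  # NAT the rest
]
NAT_ACL_NO_EXEMPTION = NAT_ACL_WITH_EXEMPTION[1:]   # the misconfiguration: deny line missing
CRYPTO_ACL = [("permit", "10.0.10.0", "0.0.0.255", "10.0.20.0", "0.0.0.255")]  # assumed crypto ACL


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_lookup(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


def forward(src, dst, nat_acl, crypto_acl):
    """Return (source address on the wire, 'encrypted' | 'cleartext') for one packet."""
    # 1. ip nat inside source route-map ... overload: a permit in the route-map ACL
    #    means translate; a deny only means "not this packet", it does not drop it.
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = OUTSIDE_IP
    # 2. the crypto map sees the post-NAT packet; only a match is encrypted,
    #    everything else is routed normally, in the clear.
    encrypted = acl_lookup(crypto_acl, src, dst) == "permit"
    return src, "encrypted" if encrypted else "cleartext"


if __name__ == "__main__":
    for label, acl in (("with exemption", NAT_ACL_WITH_EXEMPTION),
                       ("without exemption", NAT_ACL_NO_EXEMPTION)):
        print(label, "10.0.10.5 -> 10.0.20.7:", forward("10.0.10.5", "10.0.20.7", acl, CRYPTO_ACL))
    print("Internet", "10.0.10.5 -> 203.0.113.10:",
          forward("10.0.10.5", "203.0.113.10", NAT_ACL_WITH_EXEMPTION, CRYPTO_ACL))
```

With the deny line the VPN packet keeps its 10.0.10.5 source and is encrypted; without it the packet is translated to the outside address, misses the crypto ACL and is forwarded unencrypted, while ordinary Internet traffic is translated in both cases.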

2. With GRE tunnels the traffic is selected by the routing table, which states which subnets are reachable through the tunnel. So the most important thing when dealing with GRE is to keep the routing table accurate. After a packet is routed into the GRE tunnel, the resulting GRE packet (IP protocol 47, from tunnel source to tunnel destination) is what the ACL associated with the crypto map has to match. One more conclusion: IPsec transport mode is sufficient in conjunction with GRE. The original packet is encapsulated in GRE, and the GRE packet is then encrypted by IPsec; the GRE outer IP header already carries the two peer addresses. In tunnel mode ESP would add a second IP header with exactly the same addresses, 20 bytes of wasted overhead on every packet.

Like:
  • access-list 101 permit gre host 95.104.78.135 host 65.104.78.135
  • crypto map SDM_CMAP_1 2 ipsec-isakmp
     set peer 65.104.78.135
     set transform-set gre_branch
     match address 101
So the most important thing is to define which destination subnets must be encapsulated in the GRE tunnel. This can be done with static routes or with a routing protocol running over the tunnel (the hub config below runs OSPF on Tunnel0).
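Remark 2 argues that transport mode avoids a duplicated IP header, and the hub config below sets ip mtu 1420 on Tunnel0. The following added example (Python, not from the original post) works the per-packet overhead through for both ESP modes and shows why those two settings belong together. It assumes IPv4 headers without options, a GRE header without key, sequence or checksum fields, the page's transform set esp-aes 256 esp-sha-hmac (AES-CBC with an explicit 16-byte IV and a 12-byte truncated HMAC-SHA1 ICV), no NAT-T UDP encapsulation, and an outer link MTU of 1500.

```python
"""Added example (not from the original post): per-packet size of an inner IP
packet sent through a GRE tunnel and protected by ESP with esp-aes 256
esp-sha-hmac, in transport mode versus tunnel mode.

Assumptions: IPv4 headers without options (20 bytes), GRE header without
key/sequence/checksum (4 bytes), AES-CBC with an explicit 16-byte IV, HMAC-SHA1-96
ICV (12 bytes), no NAT-T UDP encapsulation, and an outer link MTU of 1500."""

OUTER_IP = 20      # IPv4 header without options
GRE_HDR = 4        # GRE header, no optional fields
ESP_HDR = 8        # SPI (4) + sequence number (4)
AES_IV = 16        # explicit CBC IV, one AES block
AES_BLOCK = 16     # ESP pads so that payload + trailer is a multiple of the block size
ESP_TRAILER = 2    # pad length (1) + next header (1)
SHA1_ICV = 12      # esp-sha-hmac: HMAC-SHA1 truncated to 96 bits


def esp_padding(plain_len):
    """ESP padding bytes so that plaintext + 2-byte trailer ends on a block boundary."""
    return (-(plain_len + ESP_TRAILER)) % AES_BLOCK


def wire_size(inner_len, mode):
    """Bytes on the outer link for an inner packet of inner_len bytes.

    transport: ESP is inserted between the GRE outer IP header and the GRE
               header; ESP protects GRE + inner packet, and the GRE outer IP
               header is the only outer header.
    tunnel:    ESP additionally encapsulates the GRE outer IP header and a new
               outer IP header carrying the same two addresses is prepended.
    """
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    protected = GRE_HDR + inner_len
    if mode == "tunnel":
        protected += OUTER_IP          # the duplicated IP header the post calls wasteful
    esp = ESP_HDR + AES_IV + protected + esp_padding(protected) + ESP_TRAILER + SHA1_ICV
    return OUTER_IP + esp


def max_inner_mtu(link_mtu, mode):
    """Largest inner packet that fits the outer link without fragmentation,
    worst-case padding included; this is the safe value for 'ip mtu' on the tunnel."""
    n = link_mtu
    while wire_size(n, mode) > link_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(f"{mode:9s}: 1420-byte inner packet -> {wire_size(1420, mode)} bytes on the wire, "
              f"max inner MTU for a 1500-byte link = {max_inner_mtu(1500, mode)}")
```

With these assumptions a 1420-byte inner packet becomes 1496 bytes in transport mode and 1512 bytes in tunnel mode, so ip mtu 1420 avoids outer fragmentation only because the GRE traffic uses the transport-mode transform set; in tunnel mode the tunnel MTU would have to drop to 1414.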

Here is an example hub router from a hub-and-spoke setup with two spokes: 55.104.78.135 reached through a plain site-to-site tunnel and 65.104.78.135 reached through GRE over IPsec.
Router 1 is the hub router. Running config (excerpt; the physical interface FastEthernet0/0 is not shown, but the crypto map has to be applied to that physical interface as well, and since IOS 12.2(13)T applying it to the physical interface alone is sufficient; the pre-shared key 12345 is only a placeholder for a real key):
 !
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 1800
!
crypto isakmp key 12345 address 55.104.78.135
crypto isakmp key 12345 address 65.104.78.135
!
crypto ipsec transform-set branch_transform esp-aes 256 esp-sha-hmac
crypto ipsec transform-set gre_branch esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 55.104.78.135
 set peer 55.104.78.135
 set transform-set branch_transform
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to 65.104.78.135
 set peer 65.104.78.135
 set transform-set gre_branch
 match address 101
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1420
 ip ospf mtu-ignore
 tunnel source FastEthernet0/0
 tunnel destination 65.104.78.135
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
access-list 100 remark IPsec site-to-site. Defines the subnets allowed to be sent through the VPN
access-list 100 remark to the branch network. 1.0 is the connected network, 3.0 the network of the third branch
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 101 remark This rule matches the GRE packets that go through the tunnel
access-list 101 remark It is then used in the crypto map to select traffic for encryption
access-list 101 permit gre host 95.104.78.135 host 65.104.78.135
!
