Yasser Auda CCIEv5 Unprotected GRE Tunnel, Protected GRE Tunnel With IPsec - VTI

- GRE tunnels allow endpoints to communicate privately over public networks by encapsulating packets. They provide no security without IPsec.
- IPsec can secure GRE tunnels by encrypting and authenticating packets. This requires configuring IKE for key establishment and IPsec profiles specifying encryption and authentication.
- Virtual Tunnel Interfaces (VTI) provide an alternative to GRE+IPsec by creating pure IPsec tunnels without using GRE. They simplify configuration and avoid GRE overhead.
CCIEv5 Unprotected GRE Tunnel, Protected GRE Tunnel with IPsec - VTI

By CCSI: Yasser Auda

Unprotected GRE Tunnel, Protected GRE Tunnel with IPsec - VTI


GRE (Generic Routing Encapsulation) is a tunneling protocol that can encapsulate a wide variety of
protocol packet types inside IP tunnels, such as IP, IPX and AppleTalk.

It creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork,
connecting multiprotocol subnets across a single-protocol backbone.

GRE adds its own header plus a new tunnel IP header, creating at least 24 bytes of additional overhead
for each tunneled packet; that is why we lower the tunnel's IP MTU to 1400, leaving room for these
extra bytes.

A GRE tunnel can let two endpoints communicate between their private subnets while the physical
interfaces carry public IP addresses. It can also be used to let two IPv6 islands communicate
through a sea of IPv4 networks.

A GRE tunnel does not encrypt or otherwise secure the data that goes through it unless we add IPsec.

GRE without IPsec

R1
interface Tunnel1
ip address 180.180.180.1 255.255.255.0
ip mtu 1400
tunnel source 10.1.12.1
tunnel destination 10.1.12.2
!
interface FastEthernet0/0
ip address 10.1.12.1 255.255.255.0

R2
interface Tunnel1
ip address 180.180.180.2 255.255.255.0
ip mtu 1400
tunnel source 10.1.12.2
tunnel destination 10.1.12.1
!
interface FastEthernet0/0
ip address 10.1.12.2 255.255.255.0


GRE with IPsec (GRE over IPsec) using a VTI (Virtual Tunnel Interface)

To secure the data that goes through the tunnel we need the IPsec framework.
First we create the GRE tunnel normally.

R3
interface Tunnel1
ip address 170.170.170.3 255.255.255.0
ip mtu 1400
tunnel source 10.1.34.3
tunnel destination 10.1.34.4

interface FastEthernet0/0
ip address 10.1.34.3 255.255.255.0

R4
interface Tunnel1
ip address 170.170.170.4 255.255.255.0
ip mtu 1400
tunnel source 10.1.34.4
tunnel destination 10.1.34.3
!
interface FastEthernet0/0
ip address 10.1.34.4 255.255.255.0

Now it is time to configure IPsec to secure this tunnel. There are two steps:

(1) Configure ISAKMP (ISAKMP Phase 1)
(2) Configure IPsec (ISAKMP Phase 2)

Configure ISAKMP (IKE) - (ISAKMP Phase 1)

IKE exists only to establish SAs (Security Associations) for IPsec. Before it can do this, IKE must
negotiate its own SA (the ISAKMP SA) with the peer.


R3
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400

- 3DES - The encryption method to be used for Phase 1.
- MD5 - The hashing algorithm.
- Pre-share - Use a pre-shared key as the authentication method.
- Group 2 - The Diffie-Hellman group to be used.
- 86400 - Session key lifetime, expressed either in kilobytes (change the key after that amount of
traffic) or in seconds. The value shown is the default.

Next we define a pre-shared key for authentication with R3's peer, R4 (10.1.34.4):

crypto isakmp key cbtme address 10.1.34.4

The peer's pre-shared key is set to cbtme. This key will be used for all ISAKMP negotiations
with peer 10.1.34.4 (R4).

Create the IPsec Transform Set (ISAKMP Phase 2 policy)

Now we need to create the transform set used to protect our data. We've named it TS:

crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport

- ESP-3DES - Encryption method
- MD5 - Hashing algorithm (HMAC-MD5)
- mode transport - Set IPsec to transport mode

Finally, we create an IPsec profile that ties the previously defined ISAKMP and IPsec
configuration together. We've named our IPsec profile protect-gre:

crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS


We are ready to apply the IPsec protection to the Tunnel interface on R3:

interface Tunnel1
ip address 170.170.170.3 255.255.255.0
ip mtu 1400
tunnel source 10.1.34.3
tunnel destination 10.1.34.4
tunnel protection ipsec profile protect-gre
!
interface FastEthernet0/0
ip address 10.1.34.3 255.255.255.0

R4
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400

crypto isakmp key cbtme address 10.1.34.3

crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport

crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS

interface Tunnel1
ip address 170.170.170.4 255.255.255.0
ip mtu 1400
tunnel source 10.1.34.4
tunnel destination 10.1.34.3
tunnel protection ipsec profile protect-gre
!
interface FastEthernet0/0
ip address 10.1.34.4 255.255.255.0

While many might think a GRE/IPsec tunnel between two routers is the same as a site-to-site IPsec VPN
(crypto map), it is not. A major difference is that GRE tunnels allow multicast packets to traverse the
tunnel, whereas a plain IPsec VPN does not carry multicast. In large networks where routing protocols
such as OSPF or EIGRP are necessary, GRE tunnels are your best bet. For this reason, plus the fact that
GRE tunnels are much easier to configure, engineers prefer GRE over a plain IPsec VPN.
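The MTU note at the start of these notes (24 bytes of GRE overhead, hence ip mtu 1400) and the transport-mode transform set just configured both come down to how many bytes each encapsulation adds. The calculator below is an added example written for this edit; it is not from the original lab notes and not Cisco code. It uses the protocol header sizes (IPv4 20, GRE 4 with no optional fields, ESP header, IV, trailer and 96-bit ICV) and the cipher and HMAC parameters of the transform sets on this page (esp-3des esp-md5-hmac for GRE over IPsec, esp-aes esp-sha-hmac for the VTI lab) to show the on-the-wire size of a plain GRE packet, a GRE-over-IPsec transport-mode packet and a VTI tunnel-mode packet, and whether each still fits a 1500-byte link. The function names and the report layout are assumptions of this example.

```python
"""Encapsulation overhead for the three tunnel types on this page.

Added example, not from the original lab notes. Header sizes are the
protocol constants; cipher and MAC parameters match the page's transform sets.
"""

IPV4_HDR = 20       # IPv4 header without options
GRE_HDR = 4         # GRE header with no key, sequence or checksum fields
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)

CIPHERS = {"3des": (8, 8), "aes": (16, 16)}   # name -> (IV bytes, block bytes)
ICVS = {"md5": 12, "sha": 12}                  # HMAC-MD5-96 / HMAC-SHA1-96 tags


def esp_size(plaintext_len, cipher, integrity):
    """Bytes produced by ESP when protecting plaintext_len bytes."""
    iv_len, block = CIPHERS[cipher]
    # plaintext + padding + trailer is padded up to the cipher block size
    pad = (-(plaintext_len + ESP_TRAILER)) % block
    return ESP_HDR + iv_len + plaintext_len + pad + ESP_TRAILER + ICVS[integrity]


def gre_packet(inner_len):
    """Plain GRE: outer IPv4 + GRE + inner IP packet (the 24-byte overhead)."""
    return IPV4_HDR + GRE_HDR + inner_len


def gre_over_ipsec(inner_len, cipher="3des", integrity="md5"):
    """GRE over IPsec in transport mode, as with 'tunnel protection' on a GRE
    tunnel: outer IPv4 + ESP(GRE + inner packet)."""
    return IPV4_HDR + esp_size(GRE_HDR + inner_len, cipher, integrity)


def vti_packet(inner_len, cipher="aes", integrity="sha"):
    """VTI ('tunnel mode ipsec ipv4'): outer IPv4 + ESP(inner packet), no GRE."""
    return IPV4_HDR + esp_size(inner_len, cipher, integrity)


def report(inner_len, link_mtu=1500):
    """Size on the wire for each encapsulation and whether it fits link_mtu
    without fragmentation."""
    sizes = {
        "gre": gre_packet(inner_len),
        "gre_over_ipsec_3des_md5": gre_over_ipsec(inner_len),
        "vti_aes_sha": vti_packet(inner_len),
    }
    return {k: (v, v <= link_mtu) for k, v in sizes.items()}


if __name__ == "__main__":
    for inner in (1500, 1400):
        print(f"inner packet {inner} bytes:", report(inner))
```

With an inner packet of 1400 bytes all three forms fit in 1500 bytes; at 1500 bytes even plain GRE comes out at 1524 bytes and will be fragmented, which is what ip mtu 1400 avoids. The VTI form still carries the ESP overhead even though the GRE header is gone, which is why a VTI's MTU has to account for the transform set rather than being ignored.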

R3#ping 170.170.170.4
!!!!!
R3#sh crypto session
Session status: UP-ACTIVE


Because we use the tunnel protection command under the tunnel interface, we don't need to define a
crypto map; instead we define an IPsec profile and apply that protection profile to the tunnel
interface.

Static or dynamic VTI tunnels?

- Dynamic VTI tunnels are meant for the hub in large hub-and-spoke implementations; otherwise static
VTI tunnels are recommended. Dynamic VTI works on a concept somewhat similar to DMVPN.

- Static VTI tunnels are permanently established as soon as they are configured.

In the CCIEv5 blueprint we only need to understand static VTI for the lab exam.

Here are some considerations for IPsec VTI:

- The IPsec VTI is limited to IP unicast and multicast traffic only, as opposed to GRE tunnels, which
have a wider application for IPsec implementation. Thus, for some non-IP traffic, we still need
GRE over IPsec.

- With VTI we have a pure virtual tunnel: no GRE MTU issues to worry about and no real
drawbacks.

- It is recommended that the VTI tunnel use unnumbered IP addressing to conserve IP address
space.

- Using dynamic routing protocols instead of static routing statements will increase the scalability
and manageability of a VTI-based VPN deployment.

- To prevent recursive routing lookups, make sure that the tunnel destination is learned over the
physical interface and not the tunnel interface.


Let's practice another lab:

I want to ping R1's Loopback0 from R2 using my IPsec VTI tunnel.

R1
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto isakmp key cbtme address 0.0.0.0 0.0.0.0

crypto ipsec transform-set R1_TO_R2 esp-aes 192 esp-sha-hmac

crypto ipsec profile TEST
set transform-set R1_TO_R2

After creating the named IPsec profile, inside profile configuration mode the administrator specifies
the custom transform set with the set transform-set command, giving the name of that transform set.

interface Tunnel0
ip address 150.1.121.1 255.255.255.0
tunnel source 10.1.12.1
tunnel destination 10.1.12.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile TEST

The tunnel mode ipsec ipv4 command configures IPsec encapsulation on the tunnel, and tunnel
protection ipsec profile applies the traffic protection policy to it.

ip route 2.2.2.2 255.255.255.255 Tunnel0


R2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto isakmp key cbtme address 0.0.0.0 0.0.0.0

crypto ipsec transform-set R1_TO_R2 esp-aes 192 esp-sha-hmac

crypto ipsec profile TEST
set transform-set R1_TO_R2

interface Tunnel0
ip address 150.1.121.2 255.255.255.0
tunnel source 10.1.12.2
tunnel destination 10.1.12.1
tunnel protection ipsec profile TEST
tunnel mode ipsec ipv4

ip route 1.1.1.1 255.255.255.255 Tunnel0

Notice that I did not need to set the MTU size or even apply a crypto map to the physical interfaces,
as you would for a site-to-site VPN using IPsec.

Verifications:
■ show interface tunnel verifies the status of the virtual tunnel interface.
■ debug crypto isakmp displays debugging messages about IKE events.
■ debug crypto ipsec displays debugging messages about IPsec SA establishment.
■ show crypto ipsec sa directly verifies the status of an IPsec SA.
■ show ip route | include Tunnel displays all routes pointing to local tunnel interfaces.
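The verification commands above tell you whether a tunnel came up. The script below is an added example (the editor's own Python, not part of these notes and not an IOS feature) that instead audits the configuration text for the points the notes make: a Tunnel interface with no tunnel protection line, as in the first lab, carries its payload in cleartext; a referenced IPsec profile and its transform set must actually exist; a crypto isakmp key must cover the tunnel peer (the address 0.0.0.0 0.0.0.0 key used in the VTI lab matches any peer and is flagged); and a static route that reaches the tunnel destination through the tunnel itself is the recursive-routing case from the considerations list. It also flags 3DES, MD5 and DH group 2, which Cisco's Next Generation Encryption guidance says to avoid. Both sample configurations are constructed for this example: the first reuses the page's lab settings with deliberate mistakes added, the second is a corrected VTI configuration that should produce no findings.

```python
"""Static audit of IOS GRE/IPsec/VTI configuration text. Added example, not
from the original lab notes; input is running-config style text (subcommands
indented by one space, as IOS prints them)."""
import ipaddress


def parse_sections(config):
    """Group lines into (header, [subcommands]); '!' separators are dropped."""
    sections = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(line)
        else:
            sections.append((line, []))
    return sections


def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, profiles, tsets, psks, routes, tunnels = [], {}, {}, [], [], []
    for header, body in parse_sections(config):
        w = header.split()
        if header.startswith("crypto isakmp policy"):
            for line in body:  # 'encr 3des', 'hash md5', 'group 2' are legacy
                if line == "group 2" or line.split()[-1] in ("des", "3des", "md5"):
                    findings.append(f"{header}: legacy setting '{line}'")
        elif header.startswith("crypto ipsec transform-set"):
            tsets[w[3]] = w[4:]
            if any("3des" in a or "md5" in a or a == "esp-des" for a in w[4:]):
                findings.append(f"transform-set {w[3]}: legacy algorithms {w[4:]}")
        elif header.startswith("crypto ipsec profile"):
            ts = [l.split()[-1] for l in body if l.startswith("set transform-set")]
            profiles[w[3]] = ts[0] if ts else None
        elif header.startswith("crypto isakmp key"):  # ... address A [mask]
            psks.append((w[5], w[6] if len(w) > 6 else "255.255.255.255"))
        elif header.startswith("ip route"):  # ip route network mask next-hop
            routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False), w[4]))
        elif header.startswith("interface Tunnel"):
            t = {"name": w[1], "dst": None, "profile": None}
            for line in body:
                if line.startswith("tunnel destination"):
                    t["dst"] = line.split()[2]
                elif line.startswith("tunnel protection ipsec profile"):
                    t["profile"] = line.split()[4]
            tunnels.append(t)

    for t in tunnels:
        name, prof, peer = t["name"], t["profile"], ipaddress.ip_address(t["dst"])
        if prof is None:
            findings.append(f"{name}: no tunnel protection, traffic to {peer} is cleartext")
        elif prof not in profiles:
            findings.append(f"{name}: IPsec profile {prof} is not defined")
        elif profiles[prof] not in tsets:
            findings.append(f"{name}: profile {prof} uses undefined transform-set {profiles[prof]}")
        if prof is not None:  # IKE needs a pre-shared key that covers this peer
            nets = [ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in psks]
            if any(n.prefixlen == 0 for n in nets):
                findings.append(f"{name}: wildcard pre-shared key matches any peer")
            if not any(peer in n for n in nets):
                findings.append(f"{name}: no pre-shared key covers peer {peer}")
        for net, nh in routes:  # is the peer itself reached through the tunnel?
            if nh == name and peer in net:
                findings.append(f"{name}: route {net} via {name} covers peer {peer} (recursive routing)")
    return findings


# Constructed sample: the page's Phase 1/2 settings plus a wildcard key,
# an undefined profile, an unprotected tunnel and a recursive route.
CONFIG_LAB = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp key cbtme address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto ipsec profile protect-gre
 set transform-set TS
interface Tunnel0
 tunnel destination 10.1.12.2
 tunnel protection ipsec profile TEST
interface Tunnel1
 tunnel destination 10.1.12.2
ip route 10.1.12.0 255.255.255.0 Tunnel0
"""

# Constructed sample: a corrected VTI with current algorithms and an exact key.
CONFIG_FIXED = """\
crypto isakmp policy 10
 encr aes 256
 group 14
crypto isakmp key cbtme address 10.1.12.2
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
crypto ipsec profile TEST
 set transform-set STRONG
interface Tunnel0
 tunnel destination 10.1.12.2
 tunnel protection ipsec profile TEST
ip route 2.2.2.2 255.255.255.255 Tunnel0
"""
```

Run audit(CONFIG_LAB) to list the eight findings (three legacy Phase 1 settings, the legacy transform set, the undefined profile, the wildcard key, the recursive route and the cleartext tunnel); audit(CONFIG_FIXED) returns an empty list. The parser relies on IOS's one-space indentation of subcommands, so feed it show running-config output rather than retyped, unindented text.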
