LAB 4 ADVANCED VPNS GRE/IPSEC TUNNEL MODE, TRANSPORT MODE, AND S-VTI
- Dean McKenzie
- Oct 8, 2022
- 4 min read

As this lab shares the topology of the previous lab, clone that lab in EVE-NG, make the necessary changes such as the title, and erase any configuration left over from lab 2 on the routers. Ultimately, reachability needs to be achieved between the R1 and R2 peer interfaces, with R4 acting as the ISP gateway for R1 and R2. Don't forget to add the loopback networks for each router.

Next configure a basic GRE tunnel between R1 and R2 using the 192.168.1.0/24 network. Use .1 for R1 and .2 for R2.
Lab Tasks

Task 1
Configurations
To configure the tunnel, apply the following configuration on R1 and R2 to establish a basic GRE tunnel.
When configuring GRE tunnels, the tunnel source must reference the outside interface of the local router and the tunnel destination must be the outside interface of the peer router. In our lab that is 192.1.10.1 on R1 and 192.1.20.2 on R2.
R1
!
interface tunnel 1
ip address 192.168.1.1 255.255.255.0
tunnel source 192.1.10.1
tunnel destination 192.1.20.2
!
!
R2
!
interface tunnel 1
ip address 192.168.1.2 255.255.255.0
tunnel source 192.1.20.2
tunnel destination 192.1.10.1
!
!
! Test the far end of the tunnel from R1
!
ping 192.168.1.2
If the ping succeeded, you have successfully set up a basic GRE tunnel between R1 and R2; continue to the next steps.
Now that we have established a GRE tunnel between R1 and R2, we will next use OSPF as the routing protocol to allow dynamic routing between each site, that is, between R1's private loopback networks and R2's private loopback networks.

Task 2
Feel free to use any dynamic routing protocol of your choice; however, in this lab I will be using OSPFv4 to advertise the private loopback networks.
R1
!
router ospf 1
network 1.1.1.1 0.0.0.0 area 0
network 10.1.1.1 0.0.0.0 area 0
network 11.1.1.1 0.0.0.0 area 0
! include the tunnel network so the OSPF adjacency forms across the GRE tunnel
network 192.168.1.0 0.0.0.255 area 0
!
!
R2
!
router ospf 1
network 2.2.2.2 0.0.0.0 area 0
network 10.2.2.2 0.0.0.0 area 0
network 22.2.2.2 0.0.0.0 area 0
! include the tunnel network so the OSPF adjacency forms across the GRE tunnel
network 192.168.1.0 0.0.0.255 area 0
!
!
Task 3
Verify that each router can see the advertised routes.
On both routers (R1 and R2):

show ip route ospf | begin Gate

At this point in the lab both routers should be aware of the private loopback networks, and they should be reachable over the GRE tunnel. Ping each loopback interface to confirm that all networks are reachable.

R1 Loopback      | R2 Loopback
Lo0: 1.1.1.1/24  | Lo0: 2.2.2.2/24
Lo1: 10.1.1.1/24 | Lo1: 10.2.2.2/24
Lo2: 11.1.1.1/24 | Lo2: 22.2.2.2/24
Now that we have established a GRE tunnel between R1 and R2, the next task is to protect the GRE tunnel using IPSec; this prevents our data, or payload, from being visible in clear text. By default the payload is currently sent in clear text and is viewable by our ISP (R4) or anyone monitoring our native connection.
As we learnt from our last lab, to set up IPSec on a Cisco router we first need to build an ISAKMP policy, and that is what we will do now; remember, this is Phase 1.

Task 4
R1
ISAKMP policy 10
Network Device | Commands
R1 | en
R1 | config t
R1 | crypto isakmp policy 10
R1 | encryption 3des (lab only)
R1 | hash md5 (lab only)
R1 | authentication pre-share
R1 | group 2

Task 5
CONFIGURE ISAKMP KEY
crypto isakmp key cisco123 address 192.1.20.2

Task 6
CONFIGURE IPSEC TRANSFORM SET
crypto ipsec transform-set ABC esp-3des esp-md5-hmac
mode tunnel

Task 7
CONFIGURE IPSEC PROFILE
crypto ipsec profile IPROF
set transform-set ABC

Task 8
Add IPSEC PROFILE TO TUNNEL
interface tunnel 1
tunnel protection ipsec profile IPROF

Right now the tunnel will be down, as R1 is using IPSec and R2 is still using plain GRE. Next configure R2 so that both sides of the tunnel encrypt traffic with IPSec.

Task 9
R2
ISAKMP policy 10
Network Device | Commands
R2 | en
R2 | config t
R2 | crypto isakmp policy 10
R2 | encryption 3des
R2 | hash md5
R2 | authentication pre-share
R2 | group 2
Task 10
R2
CONFIGURE ISAKMP KEY
crypto isakmp key cisco123 address 192.1.10.1

Task 11
R2
CONFIGURE IPSEC TRANSFORM SET
crypto ipsec transform-set ABC esp-3des esp-md5-hmac
mode tunnel

Task 12
R2
CONFIGURE IPSEC PROFILE
crypto ipsec profile IPROF
set transform-set ABC

Task 13
R2
Add IPSEC PROFILE TO TUNNEL
interface tunnel 1
tunnel protection ipsec profile IPROF

By now the tunnel should have re-established, provided both sides have been configured correctly. Test connectivity between the loopback networks, and view the IPsec security associations.
Task 14
R1, R2
Clear Previous Security Associations (SAs)
clear crypto sa
! clears the previously negotiated SAs
PROOF IS IN THE PUDDING!
VERIFY & TESTING...
Next we need to verify that GRE/IPSec is running on the tunnel and that tunnel mode is being used.
This is verified with the following command:
show crypto ipsec sa | begin spi

In the output of this command, the security association shows that the tunnel is using tunnel mode.
Another way to confirm that we are running tunnel mode is with the following command:
show interface tunnel1 | include Tunnel protocol
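As an added example (not part of the lab write-up), the following Python script parses the output of the two verification commands above and tells you which of the lab's encapsulations a router is actually running. The router output embedded in it is constructed in the format IOS prints, not captured from R1 or R2.

```python
import re

# Constructed sample output (not captured from the lab routers), in the format
# IOS prints for `show crypto ipsec sa` and `show interface tunnel 1`.
R1_IPSEC_SA = """\
   local  ident (addr/mask/prot/port): (192.1.10.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.1.20.2/255.255.255.255/47/0)
     inbound esp sas:
      spi: 0xC2A3B1E4(3265245668)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
     outbound esp sas:
      spi: 0x5D1F0A22(1562184226)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
"""
R1_TUNNEL_INTF = "  Tunnel protocol/transport GRE/IP\n"

def sa_modes(sa_output):
    """IPsec mode (Tunnel/Transport) of every ESP SA in `show crypto ipsec sa`."""
    return re.findall(r"in use settings =\{(Tunnel|Transport),", sa_output)

def tunnel_protocol(intf_output):
    """Value after 'Tunnel protocol/transport' in `show interface tunnel` output."""
    m = re.search(r"Tunnel protocol/transport (\S+)", intf_output)
    return m.group(1) if m else None

def check_tunnel(sa_output, intf_output):
    """Classify the encapsulation and flag the states the lab tells you to fix."""
    modes = set(sa_modes(sa_output))
    proto = tunnel_protocol(intf_output)
    if not modes:
        return "no-sa", "no ESP SA: tunnel protection not negotiated, check both peers"
    if len(modes) > 1:
        return "mixed", "inbound/outbound SAs disagree on mode: clear crypto sa and re-check"
    mode = modes.pop()
    if proto == "GRE/IP" and mode == "Tunnel":
        return "gre-ipsec-tunnel", "duplicate outer IP header: set 'mode transport' on the transform set"
    if proto == "GRE/IP" and mode == "Transport":
        return "gre-ipsec-transport", "GRE over IPsec in transport mode"
    if proto == "IPSEC/IP":
        return "svti", "native IPsec sVTI (tunnel mode ipsec ipv4)"
    return "unknown", "unexpected combination: %s / %s" % (proto, mode)

if __name__ == "__main__":
    print(check_tunnel(R1_IPSEC_SA, R1_TUNNEL_INTF))
```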
Because GRE over IPSec in tunnel mode adds a second outer IP header, every packet traversing the tunnel carries a duplicate IP header with the same source and destination addresses. We need to keep the GRE tunnel, but we want to eliminate the duplicate IP header from every packet traversing it.
In Cisco IOS this is resolved by modifying the transform-set called ABC that we created earlier. Note that when defining a transform-set the default is tunnel mode.
On both R1 and R2, change the configured transform-set mode to transport.
Task 15
R1, R2
!
crypto ipsec transform-set ABC esp-3des esp-md5-hmac
mode transport
!
!
clear crypto sa
show crypto ipsec sa
show interface tunnel 1 | include Tunnel protocol
Task 16
Next, we will optimize our tunnel by configuring both sides as native IPSec; this reduces router system load by removing the 88 bits of GRE overhead.

Let’s make the configuration changes in our tunnel using the following command:
R1 & R2
!
interface tunnel 1
tunnel mode ipsec ipv4
!
!
This will break the OSPF routing we recently established. Don't Panic! Once we make the same change on both R1 and R2, dynamic routing should be re-established.

Verify that the new configuration changes have worked.
!
show crypto ipsec sa
show interface tunnel 1 | include Tunnel protocol
!
!
If everything went well, you should see the new security association, now in tunnel mode to reflect the native IPSec change. Ping both sides; if your pings are successful, this concludes the lab.
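To see why the lab moves from tunnel mode to transport mode and then to a native IPSec sVTI, here is a small added model (my own example, not part of the lab) of the per-packet header stack for the three variants. It assumes IPv4 without options, a 4-byte GRE header (no key or sequence), and the lab's esp-3des esp-md5-hmac transform set; the inner packet lengths are constructed.

```python
# Encapsulation model for the three variants built in this lab (added example).
# Assumed sizes: 20-byte IPv4 header, 4-byte GRE header, 8-byte ESP header
# (SPI + sequence), 8-byte 3DES IV and cipher block, 2-byte ESP trailer
# (pad length + next header) and a 12-byte MD5-96 ICV.
IPV4, GRE, ESP_HDR, IV, BLOCK, TRAILER, ICV = 20, 4, 8, 8, 8, 2, 12

def esp_padding(plaintext_len):
    """Padding so that plaintext + pad + trailer is a multiple of the cipher block."""
    return (-(plaintext_len + TRAILER)) % BLOCK

def encapsulate(mode, inner_len):
    """Return (header stack, bytes on the wire) for one inner IP packet."""
    if mode == "gre-ipsec-tunnel":
        # tunnel protection with a tunnel-mode transform set: the GRE delivery
        # header is encrypted and a second outer IP header with the same
        # addresses is added, the duplicate header the lab removes in Task 15
        plain = [("IP (dup)", IPV4), ("GRE", GRE), ("inner", inner_len)]
    elif mode == "gre-ipsec-transport":
        # transport mode reuses the GRE delivery header as the ESP outer header
        plain = [("GRE", GRE), ("inner", inner_len)]
    elif mode == "svti":
        # tunnel mode ipsec ipv4: no GRE at all, ESP in tunnel mode
        plain = [("inner", inner_len)]
    else:
        raise ValueError(mode)
    pad = esp_padding(sum(n for _, n in plain))
    stack = ([("IP", IPV4), ("ESP hdr", ESP_HDR), ("IV", IV)] + plain
             + [("pad", pad), ("trailer", TRAILER), ("ICV", ICV)])
    return stack, sum(n for _, n in stack)

def overhead(mode, inner_len):
    """Bytes added to an inner packet of the given length."""
    return encapsulate(mode, inner_len)[1] - inner_len

def max_inner_len(mode, link_mtu=1500):
    """Largest inner packet that still fits the link MTU after encapsulation."""
    n = link_mtu
    while encapsulate(mode, n)[1] > link_mtu:
        n -= 1
    return n

if __name__ == "__main__":
    for mode in ("gre-ipsec-tunnel", "gre-ipsec-transport", "svti"):
        print(mode, overhead(mode, 100), max_inner_len(mode))
```

The padding term is why the saving from transport mode is not always exactly the 20 bytes of the duplicate header: the encrypted region is rounded up to the 8-byte 3DES block.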