15.03.2009
Vyatta VC5 - Advanced VPN Site-to-Site Connections - Part 13 - Configure GRE/IPsec Between a Vyatta Router and a Cisco Router Using IPsec ESP in Tunnel Mode, with Private IP Addresses from the Loopback Interfaces as GRE Tunnel Endpoints
1. Intro
2. Configuration Example
1. Intro
In the previous parts we configured GRE or IPIP tunnels, with and without IPsec protection, only between Vyatta routers.
In this article we will establish a GRE tunnel between a Vyatta router (VC5) and a Cisco router (3725, IOS 12.4-7), and use IPsec ESP in tunnel mode to protect the GRE tunnel, thus obtaining a VPN. We will also run OSPF (multicast) over the GRE tunnel to dynamically discover the networks behind the two routers.
A pre-shared key will be used for IKE MM authentication.
I've decided to put the commands used to configure the two routers in a table, to have them side-by-side.
At the time of writing, the Cisco IOS CLI exposes more configurable options for this scenario (Vyatta's budget cannot be compared with Cisco's). However, even if some options are not exposed through Vyatta's CLI, they can still be configured if one is willing to do a little "hacking".
For example, from Vyatta's CLI it cannot be specified that only the GRE IP protocol is to be protected by IPsec (so the "usual" Cisco crypto ACL has to be adapted for this kind of scenario), but the underlying Openswan supports this.
Also, IPsec tunnel mode was used instead of ESP transport mode because, as we saw previously, a kernel route "interferes". Please refer to this forum topic.
But if one desires, with Vyatta one can add one's own CLI options. Please refer to this forum topic.
On the other side, Cisco's IOS comes with its own limitations, which may be quite "fundamental".
For example, Cisco's IOS supports only one main "IKE MM policy" set per router (maybe not the most fortunate expression): you can define multiple ISAKMP policies, but you cannot assign such a policy to a specific remote peer; instead you number these policies and thus order them by preference (the lower the number, the higher the priority).
Also, Cisco's IPsec configuration is somewhat "disjointed" compared to Vyatta's, which groups it under one node (the "vpn ipsec" node, with its respective sub-nodes). For example, Cisco uses ACLs ("crypto ACLs") to specify the protected traffic, but ACLs are also used for other things, like NAT or the firewall. Indeed the ACLs are easy to use, but as soon as the configuration grows, the lack of a general node grouping the configuration of a specific feature may bother some people.
And let's not forget the missing "commit" command (present on IOS XR). A possible workaround.
2. Configuration Example
Figure 1 shows the network diagram for this lab:
Figure 1: Network Diagram
Note that only the IP addresses of Vyatta's eth0 interface and Cisco's f0/0 interface are considered public IP addresses in the configuration below, as IPsec ESP tunnel mode is used and the IP addresses of these interfaces serve as the IPsec VPN endpoints.
The example below only covers basic features. Please refer to each vendor's documentation for further details.
Vyatta's VCx documentation can be found here.
You can search for your specific Cisco router model on Cisco's web site (Cisco has a "habit" of moving and re-moving documents on its web site, so I will avoid posting links that sooner or later may cease to exist).
Vyatta VC5:
user@router:~$ ----> user@router#
(from Operational Mode to Configuration Mode)
configure

Cisco IOS:
router# ----> router(config)#
(from Privileged Mode to Configuration Mode)
configure terminal

--------------------

Vyatta VC5:
Configure the ethernet interfaces:
set interfaces ethernet eth0 address 192.168.60.2/24
set interfaces ethernet eth1 address 192.168.30.1/24
commit

Cisco IOS:
Configure the ethernet interfaces:
interface f0/0
ip address 192.168.50.1 255.255.255.0
exit
interface f1/0
ip address 192.168.10.1 255.255.255.0
exit

--------------------

Vyatta VC5:
Configure the loopback interface:
set interfaces loopback lo address 192.168.111.1/32
commit

Cisco IOS:
Configure the loopback interface:
interface Loopback1
ip address 192.168.100.1 255.255.255.255
exit

--------------------

Vyatta VC5:
Configure a default route:
set protocols static route 0.0.0.0/0 next-hop 192.168.60.1
commit

Cisco IOS:
Configure a default route:
ip route 0.0.0.0 0.0.0.0 192.168.50.2

--------------------

Vyatta VC5:
Configure the tunnel interface:
edit interfaces tunnel tun1
set address 192.168.200.2/30
set encapsulation gre
set local-ip 192.168.111.1
set remote-ip 192.168.100.1
top

Cisco IOS:
Configure the tunnel interface (the mode defaults to "tunnel mode gre ip"):
interface Tunnel0
ip address 192.168.200.1 255.255.255.252
tunnel mode gre ip
tunnel source Loopback1
tunnel destination 192.168.111.1
exit

--------------------

Vyatta VC5:
Configure OSPF:
edit protocols ospf area 0
set network 192.168.30.0/24
set network 192.168.200.0/30
top
set protocols ospf log-adjacency-changes

Cisco IOS:
Configure OSPF:
router ospf 10
log-adjacency-changes
network 192.168.10.0 0.0.0.255 area 0
network 192.168.200.0 0.0.0.3 area 0
exit

--------------------

Vyatta VC5:
Protect the GRE tunnel with IPsec.
Enable IPsec VPN on the desired interface:
set vpn ipsec ipsec-interfaces interface eth0
Specify the IKE MM policy:
edit vpn ipsec ike-group ciscoike proposal 1
set encryption aes128
set hash sha1
set dh-group 5
top
set vpn ipsec ike-group ciscoike lifetime 28800
Specify the IKE QM policy (ESP tunnel mode is used by default; PFS for the QM keys is also enabled by default):
edit vpn ipsec esp-group ciscoesp proposal 1
set encryption aes128
set hash sha1
top
set vpn ipsec esp-group ciscoesp pfs enable
set vpn ipsec esp-group ciscoesp lifetime 3600
Create a vpn ipsec site-to-site entry for the remote peer, specifying the authentication method, the IKE MM and QM policies to be used and the traffic to be protected:
edit vpn ipsec site-to-site peer 192.168.50.1
set authentication mode pre-shared-secret
set authentication pre-shared-secret 12345
set ike-group ciscoike
set local-ip 192.168.60.2
edit tunnel 1
set local-subnet 192.168.111.1/32
set remote-subnet 192.168.100.1/32
set esp-group ciscoesp
top
commit

Cisco IOS:
Protect the GRE tunnel with IPsec.
Specify the ISAKMP policy:
crypto isakmp policy 25
hash sha
encr aes 128
group 5
lifetime 28800
authentication pre-share
exit
Match the remote peer with its pre-shared secret:
crypto isakmp key 12345 address 192.168.60.2
Specify the IKE QM policy (ESP tunnel mode is used by default):
crypto ipsec transform-set vyattaset esp-aes 128 esp-sha-hmac
exit
Define the protected traffic with a crypto ACL (adapted as discussed in the intro: all IP traffic between the two loopbacks, mirroring Vyatta's local-subnet/remote-subnet, rather than only GRE):
access-list 101 permit 0 host 192.168.100.1 host 192.168.111.1
Bind all the crypto parameters to the remote gateway with a crypto map:
crypto map vyatta 50 ipsec-isakmp
set peer 192.168.60.2
set transform-set vyattaset
match address 101
set pfs group5
exit
Apply the crypto map to the desired interface:
interface f0/0
crypto map vyatta
exit
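Almost every failed IKE negotiation between two vendors comes down to one parameter that does not agree on both sides: a different DH group, a lifetime, a typo in the pre-shared key, or a crypto ACL that does not mirror the other side's selector. The script below, an added example that is neither from the article nor from Vyatta or Cisco, parses the two IPsec snippets from the table (copied into the script) with small ad-hoc parsers and reports every mismatch, including the case the intro warns about, where the "usual" Cisco ACL permits only GRE while Vyatta's tunnel selector covers all IP between the loopbacks. Two assumptions are made and marked in the code: that Vyatta's "pfs enable" reuses the IKE DH group, and that IOS falls back to its default IPsec SA lifetime of 3600 seconds when none is configured. The parsers handle only the command forms used on this page.

```python
"""Cross-check the IKE/IPsec parameters of the Vyatta VC5 and Cisco IOS snippets from the table
above. Added example, not from the article or either vendor; the parsers cover only this page's commands."""
import re

VYATTA = """\
edit vpn ipsec ike-group ciscoike proposal 1
set encryption aes128
set hash sha1
set dh-group 5
top
set vpn ipsec ike-group ciscoike lifetime 28800
edit vpn ipsec esp-group ciscoesp proposal 1
set encryption aes128
set hash sha1
top
set vpn ipsec esp-group ciscoesp pfs enable
set vpn ipsec esp-group ciscoesp lifetime 3600
edit vpn ipsec site-to-site peer 192.168.50.1
set authentication pre-shared-secret 12345
set ike-group ciscoike
set local-ip 192.168.60.2
edit tunnel 1
set local-subnet 192.168.111.1/32
set remote-subnet 192.168.100.1/32
set esp-group ciscoesp
top
"""
IOS = """\
crypto isakmp policy 25
 hash sha
 encr aes 128
 group 5
 lifetime 28800
 exit
crypto isakmp key 12345 address 192.168.60.2
crypto ipsec transform-set vyattaset esp-aes 128 esp-sha-hmac
access-list 101 permit 0 host 192.168.100.1 host 192.168.111.1
crypto map vyatta 50 ipsec-isakmp
 set peer 192.168.60.2
 match address 101
 set pfs group5
 exit
"""
SHA = {"sha": "sha1"}  # IOS writes HMAC-SHA1 as "sha", Vyatta as "sha1"
IKE = {"hash": "ike_hash", "encr": "ike_enc", "group": "ike_dh", "lifetime": "ike_life"}
PARAMS = ("psk", "ike_enc", "ike_hash", "ike_dh", "ike_life", "esp_enc", "esp_hash", "esp_life", "pfs")

def vyatta_summary(text):
    """Expand edit/set/top into full paths (as 'show -all' lists them), then pick the IPsec values."""
    ctx, kv = [], {}
    for tok in (line.split() for line in text.splitlines()):
        if tok[:1] == ["edit"]:
            ctx = ctx + tok[1:]
        elif tok[:1] == ["top"]:
            ctx = []
        elif tok[:1] == ["set"]:
            kv[" ".join(ctx + tok[1:-1])] = tok[-1]
    st = " ".join(next(k for k in kv if "site-to-site peer" in k).split()[:5])  # "... peer <address>"
    ike, esp = "vpn ipsec ike-group %s " % kv[st + " ike-group"], "vpn ipsec esp-group %s " % kv[st + " tunnel 1 esp-group"]
    s = {"peer": st.split()[4], "local": kv[st + " local-ip"], "psk": kv[st + " authentication pre-shared-secret"],
         "ike_enc": kv[ike + "proposal 1 encryption"], "ike_hash": kv[ike + "proposal 1 hash"],
         "ike_dh": kv[ike + "proposal 1 dh-group"], "ike_life": kv[ike + "lifetime"], "esp_life": kv[esp + "lifetime"],
         "esp_enc": kv[esp + "proposal 1 encryption"], "esp_hash": kv[esp + "proposal 1 hash"],
         "local_net": kv[st + " tunnel 1 local-subnet"], "remote_net": kv[st + " tunnel 1 remote-subnet"]}
    pfs = kv[esp + "pfs"]  # assumption: "enable" means "reuse the IKE DH group"; dh-groupN names one explicitly
    s["pfs"] = {"enable": s["ike_dh"], "disable": None}.get(pfs, pfs.replace("dh-group", ""))
    return s

def ios_summary(text):
    s, blk = {"esp_life": "3600", "acl": {}}, None  # 3600 s: IOS default SA lifetime, not set on the page
    for line in (raw.strip() for raw in text.splitlines()):
        tok = line.split()
        if not tok or tok[0] == "exit":
            blk = None
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            s["psk"], s["key_addr"] = m.groups()
        elif m := re.match(r"crypto ipsec transform-set \S+ esp-(\w+) ?(\d*) esp-(\w+)-hmac", line):
            s["esp_enc"], s["esp_hash"] = m[1] + m[2], SHA.get(m[3], m[3])
        elif m := re.match(r"access-list (\d+) permit (\S+) host (\S+) host (\S+)", line):
            s["acl"][m[1]] = m.groups()[1:]  # (protocol, source host, destination host)
        elif line.startswith("crypto isakmp policy"):
            blk = "ike"
        elif line.startswith("crypto map") and line.endswith("ipsec-isakmp"):
            blk = "map"
        elif blk == "ike" and tok[0] in IKE:
            s[IKE[tok[0]]] = SHA.get(tok[1], "".join(tok[1:]))  # "encr aes 128" -> aes128
        elif blk == "map" and tok[0] in ("set", "match"):
            s[tok[1]] = tok[2].replace("group", "")  # peer, pfs (group5 -> 5), address (ACL number)
    return s

def compare(vy, cs):
    """Return the mismatches between the two peers; an empty list means they agree."""
    proto, src, dst = cs["acl"][cs["address"]]
    pairs = [(k, vy[k], cs.get(k)) for k in PARAMS] + [
        ("peer address", vy["local"], cs["peer"]), ("isakmp key address", vy["local"], cs["key_addr"]),
        ("crypto ACL destination", vy["local_net"], dst + "/32"), ("crypto ACL source", vy["remote_net"], src + "/32")]
    issues = [f"{name}: vyatta={a} cisco={b}" for name, a, b in pairs if a != b]
    if proto not in ("ip", "0"):  # the intro's point: Vyatta's selector is all IP between the hosts, not only GRE
        issues.append(f"crypto ACL limits the protocol to {proto}; Vyatta protects all IP between the loopbacks")
    return issues
```

Run `compare(vyatta_summary(VYATTA), ios_summary(IOS))`: with the page's two snippets it returns an empty list. Changing "group 5" to "group 2" on the IOS side, or "permit 0" to "permit gre" in the ACL, each produces exactly one line naming the parameter, which is the line you would otherwise have to dig out of "debug crypto isakmp" output.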
--------------------

Vyatta VC5:
Show the running configuration:
show -all

Cisco IOS:
Show the running configuration:
router(config)# ----> router#
(from Configuration Mode to Privileged Mode)
exit
show run

--------------------

Vyatta VC5:
Save the current configuration (it is saved to the config.boot file if no other file is specified):
save

Cisco IOS:
Save the running configuration to the startup configuration
(running-config (DRAM) to startup-config (NVRAM)):
copy run start

--------------------

Vyatta VC5:
Show the IKE MM and IPsec SAs:
user@router# ----> user@router:~$
(from Configuration Mode to Operational Mode)
exit
show vpn ike sa
show vpn ipsec sa

Cisco IOS:
Show the IKE MM and IPsec SAs:
show crypto isakmp sa
show crypto ipsec sa

--------------------

Vyatta VC5:
View IPsec VPN debug information:
show vpn debug

Cisco IOS:
Enable IKE and IPsec debugging in IOS (disable it by prefixing the commands below with "no"):
debug crypto isakmp
debug crypto ipsec

--------------------

Vyatta VC5:
View the routing table:
show ip route

Cisco IOS:
View the routing table:
show ip route

--------------------

Vyatta VC5:
View various OSPF details:
show ip ospf
show ip ospf route
show ip ospf interface
show ip ospf interface tun1

Cisco IOS:
View various OSPF details:
show ip ospf
show ip ospf route
show ip ospf interface
show ip ospf interface tunnel0

--------------------

Vyatta VC5:
Test connectivity from the router itself:
/bin/ping -I 192.168.30.1 -c 4 192.168.10.1

Cisco IOS:
Test connectivity from the router itself (use the extended ping command):
ping
Protocol [ip]:
Target IP address: 192.168.30.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
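The lab stacks three IP layers on top of each other: the LAN packet, the GRE delivery header between the two loopbacks, and the ESP tunnel-mode outer header between the two public addresses (eth0 and f0/0), which is why the crypto ACL and Vyatta's local-subnet/remote-subnet name the loopbacks and not the public addresses. The model below, an added example that is not part of the article, lays out that header stack for the ping test above and, going one step beyond the page, computes how large a given LAN datagram is by the time it leaves the public interface, using the standard header sizes for IPv4 without options, GRE without key or checksum, and ESP with AES-CBC (16-byte IV) and HMAC-SHA1-96 (12-byte ICV), as negotiated by the proposals in the table. The Router fields and function names are this example's own.

```python
"""Address layers and on-wire size of this lab's GRE-over-IPsec tunnel. Added example, not from
the article: the addresses are the lab's; the header sizes are the standard ones (assumptions
noted inline) for GRE without options and ESP tunnel mode with AES-CBC and HMAC-SHA1-96."""
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    public: str    # IPsec endpoint (Vyatta eth0 / Cisco f0/0)
    loopback: str  # GRE endpoint (Vyatta local-ip / Cisco tunnel source)
    tunnel: str    # address on the 192.168.200.0/30 inside the tunnel
    lan: str       # network behind the router, advertised by OSPF

VYATTA = Router("vyatta", "192.168.60.2", "192.168.111.1", "192.168.200.2", "192.168.30.0/24")
CISCO = Router("cisco", "192.168.50.1", "192.168.100.1", "192.168.200.1", "192.168.10.0/24")

IP_HDR, GRE_HDR = 20, 4          # IPv4 header without options; GRE header with no key/checksum/sequence
ESP_HDR, AES_IV, ESP_TRAILER, SHA1_ICV = 8, 16, 2, 12  # SPI+seq, AES-CBC IV, pad-len+next-hdr, HMAC-SHA1-96
AES_BLOCK = 16                   # ESP pads so that payload + trailer fills whole cipher blocks

def header_stack(src, dst, inner_src, inner_dst):
    """Headers as seen on the wire between the two public addresses, outermost first."""
    return [("IP (ESP tunnel-mode outer)", src.public, dst.public),
            ("ESP", None, None),
            ("IP (GRE delivery)", src.loopback, dst.loopback),
            ("GRE", None, None),
            ("IP (original)", inner_src, inner_dst)]

def protected_addresses(stack):
    """The IP layer directly inside ESP: what the crypto ACL and local-/remote-subnet must match."""
    i = [name for name, _, _ in stack].index("ESP")
    return stack[i + 1][1:]

def esp_payload_len(plain_len):
    """Plaintext length plus padding so that (data + 2-byte trailer) is a multiple of the AES block."""
    pad = (-(plain_len + ESP_TRAILER)) % AES_BLOCK
    return plain_len + pad + ESP_TRAILER

def on_wire_size(inner_len):
    """Bytes leaving the public interface for an original IP datagram of inner_len bytes."""
    gre_packet = IP_HDR + GRE_HDR + inner_len   # GRE delivery header + GRE + original datagram
    return IP_HDR + ESP_HDR + AES_IV + esp_payload_len(gre_packet) + SHA1_ICV

if __name__ == "__main__":
    for name, s, d in header_stack(VYATTA, CISCO, "192.168.30.1", "192.168.10.1"):
        print(f"{name:28} {s or '':16} -> {d or ''}")
    print("100-byte ping datagram on the wire:", on_wire_size(100), "bytes")
```

For the 100-byte datagram of the Cisco extended ping above this gives 184 bytes on the wire; a full 1500-byte LAN datagram becomes 1592 bytes, which is why a successful small ping is not yet proof that larger packets will make it through the tunnel without fragmentation.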