GRE over IPSec Tunnel Between Cisco and VyOS

The previous tutorial showed GRE tunnel configuration between a Cisco router and Linux Core. The big advantage of the GRE protocol is that it encapsulates L3 and higher protocols inside the GRE tunnel, so routing updates and other multicast traffic can be transferred over the tunnel. The main drawback of GRE is the lack of built-in security. Data is transferred in plain text over the tunnel (no confidentiality), peers are not authenticated, and tunneled traffic can be changed by an attacker (no integrity checking of IP packets). For this reason a GRE tunnel is very often used in conjunction with IPSec. Typically, the GRE tunnel is encapsulated inside the IPSec tunnel, and this model is called GRE over IPSec.

The tutorial shows the configuration of the OSPF routing protocol, GRE and an IPSec tunnel on a Cisco 7206 VXR router and an appliance running the VyOS network OS. The devices run inside a GNS3 lab and they are emulated by Dynamips (Cisco) and Qemu (VyOS).

Picture 1 - Topology

Note: VyOS installation is described here. You can easily build your own VyOS Qemu appliance using the Expect and Bash script shared in the article.

1. R3 Configuration

R3(config)# interface gigabitEthernet 1/0
R3(config-if)# ip address 1.1.1.1 255.255.255.0
R3(config-if)# no shutdown

R3(config-if)# interface gigabitEthernet 0/0
R3(config-if)# ip address 2.2.2.2 255.255.255.0
R3(config-if)# no shutdown

2. R1 Configuration

2.1 Interfaces and Static Route Configuration

R1(config)# interface gigabitEthernet 0/0
R1(config-if)# ip address 1.1.1.10 255.255.255.0
R1(config-if)# no shutdown

R1(config)# interface gigabitEthernet 1/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown

A static route pointing to the subnet 2.2.2.0/24 via router R3 is needed in the routing table of router R1, so we have to create it.

R1(config)# ip route 2.2.2.0 255.255.255.0 1.1.1.1

2.2 IPSec Tunnel Configuration

Internet Security Association and Key Management Protocol (ISAKMP) is the negotiation protocol that lets two hosts agree on how to build an IPsec security association. ISAKMP separates negotiation into two phases - Phase 1 and Phase 2.

Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data (IPSec).

ISAKMP Configuration - ISAKMP Phase 1

First we create an ISAKMP policy and select the encryption, the hash algorithm, the type of authentication, the Diffie-Hellman group and the lifetime.

R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 14
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)# exit

Note: You can check these parameters in the Transform payload located in the first and the sixth packet of the attached pcap file.

Then we configure the shared key and the peer address.

R1(config)# crypto isakmp key test123 address 2.2.2.10

IPSec Configuration - ISAKMP Phase 2

In phase two we create an IPSec transform set and configure the encryption and the hash algorithm. This is also the place where we define the IPSec mode, either tunnel (default) or transport. In tunnel mode a completely new IP delivery header is inserted in each IPSec packet, while in transport mode the IP header stays untouched (except for the changed protocol type - 50 for ESP).

R1(config)# crypto ipsec transform-set MyTS esp-aes esp-md5-hmac
R1(cfg-crypto-trans)# mode tunnel

Continue by creating a new IPSec profile named Protect-GRE. Assign the transform set MyTS to the profile Protect-GRE and configure the lifetime.

R1(config)# crypto ipsec profile Protect-GRE
R1(ipsec-profile)# set security-association lifetime seconds 86400
R1(ipsec-profile)# set transform-set MyTS

And finally assign the IPSec profile to the interface Tunnel0.

R1(config)# interface Tunnel 0
R1(config-if)# tunnel protection ipsec profile Protect-GRE

2.3 GRE Tunnel Configuration

R1(config)# interface tunnel 0
R1(config-if)# description Tunnel to R2
R1(config-if)# ip address 172.16.0.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# ip ospf network broadcast
R1(config-if)# tunnel source 1.1.1.10
R1(config-if)# tunnel destination 2.2.2.10

It is recommended to use the Cisco online IPSec overhead calculator to calculate the Maximum Transmission Unit (MTU) for the IP packet.

Picture 2 - IPSec and GRE Tunnel Overhead Calculation

The total calculated IPsec packet size is 1592 bytes. The IPSec and GRE protocol overhead adds an additional 92 bytes to the original 1500B MTU. To avoid fragmentation by devices on the path we have to decrease the MTU from 1500 to 1400 bytes.

Picture 3 - Total Overhead of IPSec and GRE Tunnel 

The Maximum Segment Size (MSS) for TCP segments is always 40 bytes (IP 20B + TCP 20B) lower than the MTU. For this reason we set the MSS to 1360 bytes.
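
The arithmetic behind these numbers, as an added example that is not part of the original tutorial. It assumes ESP tunnel mode with AES-CBC (16-byte IV and block size), a 12-byte HMAC-MD5-96 ICV, a 4-byte GRE header and 20-byte IPv4 headers without options; the function names are illustrative.

```python
# Added example: header sizes come from the protocol specifications,
# the 1500/1400/1360 values are the ones used in this tutorial.
IP_HDR = 20        # IPv4 header without options
GRE_HDR = 4        # basic GRE header (no key, sequence or checksum field)
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)
AES_BLOCK = 16     # AES-CBC block size, also the size of the per-packet IV
ICV_LEN = 12       # HMAC-MD5-96 truncated integrity check value
TCP_HDR = 20       # TCP header without options


def gre_ipsec_size(inner_len, block=AES_BLOCK, icv=ICV_LEN):
    """On-wire size of an inner IP packet after GRE and ESP tunnel mode."""
    gre_packet = IP_HDR + GRE_HDR + inner_len       # GRE delivery header + GRE
    to_encrypt = gre_packet + ESP_TRAILER           # ESP encrypts payload + trailer
    padded = -(-to_encrypt // block) * block        # pad up to a whole cipher block
    return IP_HDR + ESP_HDR + block + padded + icv  # outer IP + ESP + IV + data + ICV


def max_inner_mtu(path_mtu=1500, **kwargs):
    """Largest inner packet that still fits path_mtu once encapsulated."""
    mtu = path_mtu
    while gre_ipsec_size(mtu, **kwargs) > path_mtu:
        mtu -= 1
    return mtu


def tcp_mss(tunnel_mtu):
    """MSS that keeps a full TCP segment inside the tunnel MTU."""
    return tunnel_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    print("1500-byte packet on the wire:", gre_ipsec_size(1500))
    print("1400-byte packet on the wire:", gre_ipsec_size(1400))
    print("largest inner MTU for a 1500-byte path:", max_inner_mtu(1500))
    print("TCP MSS for tunnel MTU 1400:", tcp_mss(1400))
```

With a 16-byte ICV such as HMAC-SHA-256-128 (`icv=16`), a 1400-byte inner packet comes to exactly 1500 bytes on the wire, so the tunnel MTU of 1400 still fits.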

2.4 OSPF Configuration

R1(config)# router ospf 10
R1(config-router)# network 172.16.0.0 0.0.0.255 area 0
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
R1(config-router)# passive-interface gigabitEthernet 1/0

3. VyOS Configuration

3.1 Interfaces and Static Route Configuration

vyos@vyos:~$ configure
vyos@vyos# set interfaces ethernet eth0 address 2.2.2.10/24
vyos@vyos# set interfaces ethernet eth1 address 192.168.2.1/24

Again we have to configure a static route pointing to the subnet 1.1.1.0/24.

vyos@vyos# set protocols static route 1.1.1.0/24 next-hop 2.2.2.2

3.2 IPSec Tunnel Configuration

Enable IPSec on interface eth0.

vyos@vyos# set vpn ipsec ipsec-interfaces interface eth0

Configure an IKE Group - Phase 1

Set the encryption, the hash algorithm, DH group and lifetime for phase 1.

vyos@vyos# set vpn ipsec ike-group cisco proposal 1
vyos@vyos# set vpn ipsec ike-group cisco proposal 1 encryption aes256
vyos@vyos# set vpn ipsec ike-group cisco proposal 1 hash md5
vyos@vyos# set vpn ipsec ike-group cisco proposal 1 dh-group 14

vyos@vyos# set vpn ipsec ike-group cisco lifetime 86400

Configure an ESP Group - Phase 2

Set the encryption, the hash algorithm and lifetime for phase 2.

vyos@vyos# set vpn ipsec esp-group cisco proposal 1
vyos@vyos# set vpn ipsec esp-group cisco proposal 1 encryption aes128
vyos@vyos# set vpn ipsec esp-group cisco proposal 1 hash md5

vyos@vyos# set vpn ipsec esp-group cisco pfs enable
vyos@vyos# set vpn ipsec esp-group cisco lifetime 86400
vyos@vyos# set vpn ipsec esp-group cisco mode tunnel

Configure tunnel peer and pre-shared key.

vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 authentication pre-shared-secret test123

Configure ike-group used for the tunnel.

vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 ike-group cisco

Configure esp-group used for the tunnel.

vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 tunnel 0 esp-group cisco

Configure local address used for connection.

vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 local-address 2.2.2.10

Configure protocol encapsulated inside IPSec.

vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 tunnel 0 protocol gre
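
The Phase 1 and Phase 2 proposals must be identical on both peers or the security associations will not come up. The added example below (not part of the original tutorial) normalizes the proposal lines from sections 2.2 and 3.2 and reports parameters that differ, plus parameters using deprecated values such as the MD5 hash chosen for this lab. It covers only encryption, hash, DH group and IKE lifetime, the parsers handle just the command forms shown here, and all function names are illustrative.

```python
import re

# Constructed input: the proposal lines from this tutorial with CLI prompts stripped.
CISCO = """crypto isakmp policy 1
encryption aes 256
hash md5
group 14
lifetime 86400
crypto ipsec transform-set MyTS esp-aes esp-md5-hmac"""
VYOS = """set vpn ipsec ike-group cisco proposal 1 encryption aes256
set vpn ipsec ike-group cisco proposal 1 hash md5
set vpn ipsec ike-group cisco proposal 1 dh-group 14
set vpn ipsec ike-group cisco lifetime 86400
set vpn ipsec esp-group cisco proposal 1 encryption aes128
set vpn ipsec esp-group cisco proposal 1 hash md5"""

# Values flagged as deprecated for IKE/ESP, keyed by parameter name.
WEAK = {"hash": {"md5"}, "encryption": {"des", "3des"}, "dh-group": {"1", "2", "5"}}


def cipher(name, bits=None):
    """IOS writes 'aes 256' or bare 'aes' (128-bit); normalize to 'aes256'/'aes128'."""
    return name + (bits or "128") if name == "aes" else name


def parse_cisco(text):
    p = {}
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            ts = " ".join(w[4:])                      # transforms after the set name
            enc = re.search(r"esp-(aes|3des|des)(?: (\d+))?", ts)
            p["esp.encryption"] = cipher(enc.group(1), enc.group(2))
            h = re.search(r"esp-(\w+)-hmac", ts).group(1)
            p["esp.hash"] = "sha1" if h == "sha" else h
        elif w[0] == "encryption":
            p["ike.encryption"] = cipher(*w[1:3])
        elif w[0] == "hash":
            p["ike.hash"] = "sha1" if w[1] == "sha" else w[1]
        elif w[0] in ("group", "lifetime"):
            p["ike." + ("dh-group" if w[0] == "group" else w[0])] = w[1]
    return p


def parse_vyos(text):
    pat = r"set vpn ipsec (ike|esp)-group \S+ (?:proposal \d+ )?(\S+) (\S+)"
    return {f"{g}.{k}": v for g, k, v in re.findall(pat, text)}


def audit(cisco, vyos):
    """Return (parameters that differ between peers, parameters with a flagged value)."""
    a, b = parse_cisco(cisco), parse_vyos(vyos)
    mismatches = sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))
    weak = sorted(k for k, v in a.items() if v in WEAK.get(k.split(".")[1], ()))
    return mismatches, weak
```

For the configuration on this page, `audit(CISCO, VYOS)` reports no mismatches and flags `esp.hash` and `ike.hash`.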

3.3 GRE Tunnel Configuration

Create a new route policy that changes TCP MSS to 1360 bytes.

vyos@vyos# set policy route change-mss rule 1 set tcp-mss 1360
vyos@vyos# set policy route change-mss rule 1 protocol tcp
vyos@vyos# set policy route change-mss rule 1 tcp flags SYN

Configure GRE tunnel.

vyos@vyos# set interfaces tunnel tun0 encapsulation gre
vyos@vyos# set interfaces tunnel tun0 address 172.16.0.2/24
vyos@vyos# set interfaces tunnel tun0 description "Tunnel to R1"
vyos@vyos# set interfaces tunnel tun0 mtu 1400
vyos@vyos# set interfaces tunnel tun0 policy route change-mss
vyos@vyos# set interfaces tunnel tun0 local-ip 2.2.2.10
vyos@vyos# set interfaces tunnel tun0 remote-ip 1.1.1.10
vyos@vyos# set interfaces tunnel tun0 multicast enable

3.4 OSPF Configuration

vyos@vyos# set interfaces tunnel tun0 ip ospf network broadcast
vyos@vyos# set protocols ospf area 0.0.0.0 network 172.16.0.0/24
vyos@vyos# set protocols ospf area 0.0.0.0 network 192.168.2.0/24
vyos@vyos# commit
vyos@vyos# save

4. Verification

4.1 Verification on VyOS

Below are various show commands that help you to verify status of tunnels on VyOS.

List all currently active IKE Security Associations (SA) - Phase 1.

Picture 4 - Active IKE Security Associations

List all active IPsec Security Associations (SA) - Phase 2.

Picture 5 - Active IPSec Security Associations

Check status of GRE tunnel interface.

Picture 6 - Status of GRE Tunnel Interface Tun0

4.2 Verification on Cisco

Below are various show commands that help you to verify the status of tunnels on the Cisco device.

List all currently active IKE Security Associations (SA) - Phase 1.

Picture 7 - Active IKE Security Associations

List all active IPsec Security Associations (SA) - Phase 2.

Picture 8 - Active IPSec Security Associations

Check status of GRE tunnel interface.

Picture 9 - Status of GRE Interface Tunnel0

Tunnel line state evaluation.

Picture 10 - Tunnel Line State Evaluation

End.


5 thoughts on “GRE over IPSec Tunnel Between Cisco and VyOS”

  1. Radovan,

    Very straightforward explanation. Thank you!

    I am not familiar with Vyatta yet, but noticed that you set the TCP MSS size on the Cisco router to 1360, is that not necessary on the Vyatta?

    Just so you know, I forward your blog information to all my students to use as an excellent resource for their studies.

    Thank you for all your excellent work and tutorials.

    Jim

  2. Hi, I am facing an issue with a VyOS-to-VyOS IPsec VPN configuration. When I configure the IPsec VPN tunnel without the GRE protocol it works fine, but when I use the GRE protocol with the IPsec VPN tunnel it shows as down. Can you please help me with what the issue is? My mail ID is ankit.kumar@tekmindz.com

    • Hi rakesh,
      According to Vyatta GRE guide:

      GRE tunnels are stateless, which means that the protocol does not automatically monitor
      the state or availability of other endpoints. You can, however, direct the router to monitor
      the far end of the tunnel by sending keep-alive messages. If the other end of the tunnel
      becomes unavailable, its failure to respond to the messages will alert the router

      So we should be able to enable keep-alive messages and monitor status of GRE tunnel but I haven't found it in VyOS configuration.
