GRE over IPSec Tunnel and NAT Between Cisco and VyOS

The goal of this tutorial is to provide a configuration for Cisco and VyOS network devices with PAT (Port Address Translation) that connects two remote sides, A and B, through a point-to-point GRE tunnel encapsulated in an IPsec tunnel. In a previous tutorial we showed that GRE tunnels in conjunction with IPsec tunnels carry multicast traffic while data integrity, authentication and confidentiality are in place. I also provided a simple configuration of the GRE tunnel, the IPsec tunnel and the OSPF routing protocol on the Cisco and VyOS routers. In this tutorial I go further and provide the full configuration of all the network devices, including PAT and access lists.

Picture 1 - Network Topology

Topology Description - Side A

Each side has a Layer 2 Cisco switch located in its LAN. The switch connects hosts to its switchports, and each switchport is assigned to a particular VLAN. For instance, the host PC1 is connected to the switch SW1 on a switchport assigned to VLAN 100. Hosts in VLAN 100 (subnet have guaranteed access to a remote subnet via the GRE/IPsec tunnel. A NAT access list configured on the router R1 ensures that the IP address of a host in VLAN 100 is not translated by PAT when the destination address is inside the range However, if the destination address is not in that range, PAT translates the IP addresses of the hosts in VLAN 100 to the public IP address This happens, for instance, when a user logged on to the host PC1 tries to connect to the router R3 located in the Internet.

Hosts assigned to VLAN 100 are blocked from reaching VLAN 300 ( because VLAN 300 is reserved for guests. For the same reason, hosts assigned to VLAN 300 have access only to the Internet. The hosts assigned to VLAN 100 have no access to the subnet configured on the remote VyOS router, because that subnet is hidden behind NAT and is therefore not reachable from the Internet.

Topology Description - Side B

Side B follows the same connectivity principles as side A. Hosts assigned to VLAN 200 ( can reach the hosts in the remote subnet via the GRE/IPsec tunnel. They can also reach public addresses in the Internet; in that case, their IP addresses from the subnet are translated to the public IP address by PAT. VLAN 400 is where guests are connected. The hosts assigned to this VLAN have access only to the Internet and their IP addresses are translated to the IP address A detailed connectivity table for sides A and B is shown below.


Tab 1 - Connectivity Between Subnets

1. Internet Configuration

1.1 Router R3 Configuration

The following commands, configured on the router R3, make the router act as our simulated Internet connecting the two remote sides A and B.

2. Side A Configuration

2.1 Layer2 Switch SW1 Configuration

Configure the interface Gi0/0 as a trunk port with allowed VLANs 100 and 300. Configure the appropriate VLANs on the access interfaces Gi0/1 and Gi0/2 and set those interfaces as access ports. The actual commands are here.

2.2 Hosts PC1 and PC3 Configuration

All hosts in the infrastructure run Core Linux, which requires additional configuration to keep IP settings after a restart. To make the configuration easier, I have created a BASH script that configures the IP address, subnet mask and default gateway for a particular host. Copy and paste the script into the vim editor on each PC and run it as the user root with the command:

$ sudo bash ./ pcnumber

Replace the word pcnumber with the number of the host:

$ sudo bash ./ 1

$ sudo bash ./ 3

2.3 Router R1 Configuration

2.3.1 Router R1 on the Stick and Default Route

This configuration provides routing between VLANs 100 and 300 and creates a static default route to the Internet.

2.3.2 R1 - NAT

Here we configure the sub-interfaces GigabitEthernet 1/0.100 and 1/0.300 as NAT inside interfaces and the interface GigabitEthernet 0/0 as the NAT outside interface. The PAT configuration consists of creating a named access list PAT that permits translation of the subnet to any subnet and denies translation of the subnet to the subnet The subnet is therefore translated to the public address only when traffic is not destined for the remote IPsec subnet The PAT access list is applied on the interface GigabitEthernet 0/0.

2.3.3 R1 - ISAKMP - Phase 1

First we create an ISAKMP policy and select the encryption algorithm, the hash algorithm, the authentication type, the Diffie-Hellman group and the lifetime. Then we configure the pre-shared key and the peer address.

2.3.4 R1 - IPSec - Phase 2

In phase two we create the IPsec transform set MyTS and configure the encryption and hash algorithms. This is also where we define the IPsec mode: either tunnel (the default) or transport. In tunnel mode a completely new IP delivery header is inserted in each IPsec packet, while in transport mode the original IP header stays untouched (except for the protocol field, which changes to 50 for ESP). Continue by creating a new IPsec profile named Protect-GRE. Assign the transform set MyTS to the profile Protect-GRE and configure the lifetime. Finally, assign the IPsec profile to the interface tun0.

2.3.5 R1 - GRE Tunnel

GRE tunnel configuration is here.

2.3.6 R1 - OSPF Routing Protocol

The OSPF routing protocol is configured here. To prevent OSPF hello multicast messages from being sent into the LAN, we configure the interfaces GigabitEthernet 1/0.100 and 1/0.300 as passive interfaces.

2.3.7 R1 - Access Lists

First we create an extended named access list incoming_traffic_g0/0. Rule 10 permits UDP packets from the source IP to the destination IP address, destination UDP port 500, which is the port the ISAKMP protocol uses. Rule 20 permits ESP packets from the IP address to the IP address Rules 10 and 20 are required by the IPsec tunnel. Rule 30 permits ICMP echo-reply traffic from any subnet to the IP address We need this rule to allow our hosts behind NAT to ping hosts in the Internet. Rule 40 permits established TCP traffic from any host to the IP address This rule is needed to pass incoming established TCP traffic belonging to connections previously opened by our hosts behind NAT towards the Internet. Rule 1000 blocks all other traffic. Finally, we apply the access list on the interface GigabitEthernet 0/0 in the inbound direction.

The extended access list outgoing_traffic_tun0 permits outgoing traffic from the subnet to the subnet and blocks all other traffic. The access list is applied on the interface tun0. It ensures that only traffic from the subnet destined for the subnet is encapsulated into the GRE tunnel.

To prevent packets with private addresses from being sent to the Internet when the IPsec tunnel fails, we create the access list outgoing_traffic_gi0/0. Rule 10 ensures that no packets with a source address from the subnet leave the router R1 towards the Internet. The access list is configured in the outbound direction on the interface GigabitEthernet0/0. Rule 1000 permits all other traffic.

The extended named access list incoming_traffic_gi1/0.300, applied on the interface GigabitEthernet 1/0.300 for incoming packets, prevents hosts on the subnet from reaching the hosts inside the subnet

The extended named access list incoming_traffic_gi1/0.100, applied on the interface GigabitEthernet 1/0.100 for incoming packets, prevents hosts on the subnet from reaching the hosts inside the subnet
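Because the tutorial's own R1 listings are not reproduced on this page, here is a complete R1 configuration that I wrote to tie sections 2.3.1 to 2.3.7 together. It is an added example, not the author's configuration. Every address is a constructed placeholder (RFC 5737 ranges for the public side, RFC 1918 for the LANs): Gi0/0 198.51.100.1/30 with R3 at 198.51.100.2, VLAN 100 172.16.100.0/24, VLAN 300 172.16.130.0/24, the VyOS peer at 203.0.113.1 with its VLAN 200 LAN 172.17.200.0/24, and the tunnel subnet 10.0.0.0/30. The pre-shared key is a placeholder, and the cipher suite, lifetimes, tunnel MTU, MSS and OSPF area are my choices. The tutorial calls the tunnel interface tun0; on IOS it is Tunnel0.

```cisco
! Added example R1 configuration (mine, not the tutorial's listing).
! All addresses are constructed placeholders; PLACEHOLDER_PSK is a placeholder key.
!
! 2.3.1 router on a stick and the default route
interface GigabitEthernet0/0
 description Internet, NAT outside
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
 ip access-group incoming_traffic_g0/0 in
 ip access-group outgoing_traffic_gi0/0 out
 no shutdown
interface GigabitEthernet1/0
 no ip address
 no shutdown
interface GigabitEthernet1/0.100
 encapsulation dot1Q 100
 ip address 172.16.100.1 255.255.255.0
 ip nat inside
 ip access-group incoming_traffic_gi1/0.100 in
interface GigabitEthernet1/0.300
 encapsulation dot1Q 300
 ip address 172.16.130.1 255.255.255.0
 ip nat inside
 ip access-group incoming_traffic_gi1/0.300 in
ip route 0.0.0.0 0.0.0.0 198.51.100.2
!
! 2.3.2 PAT: the deny line is listed first so VPN-bound traffic is never translated
ip access-list extended PAT
 deny   ip 172.16.100.0 0.0.0.255 172.17.200.0 0.0.0.255
 permit ip 172.16.100.0 0.0.0.255 any
 permit ip 172.16.130.0 0.0.0.255 any
ip nat inside source list PAT interface GigabitEthernet0/0 overload
!
! 2.3.3 ISAKMP, phase 1
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.1
!
! 2.3.4 IPsec, phase 2 (tunnel mode is the default; written out for clarity)
crypto ipsec transform-set MyTS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile Protect-GRE
 set transform-set MyTS
 set security-association lifetime seconds 3600
!
! 2.3.5 GRE tunnel protected by the IPsec profile (tun0 in the tutorial)
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip access-group outgoing_traffic_tun0 out
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile Protect-GRE
!
! 2.3.6 OSPF; no hellos on the LAN sub-interfaces
router ospf 1
 passive-interface GigabitEthernet1/0.100
 passive-interface GigabitEthernet1/0.300
 network 10.0.0.0 0.0.0.3 area 0
 network 172.16.100.0 0.0.0.255 area 0
!
! 2.3.7 access lists (rule numbers as in the tutorial)
ip access-list extended incoming_traffic_g0/0
 10 permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
 20 permit esp host 203.0.113.1 host 198.51.100.1
 30 permit icmp any host 198.51.100.1 echo-reply
 40 permit tcp any host 198.51.100.1 established
 1000 deny ip any any
ip access-list extended outgoing_traffic_tun0
 10 permit ip 172.16.100.0 0.0.0.255 172.17.200.0 0.0.0.255
 1000 deny ip any any
ip access-list extended outgoing_traffic_gi0/0
 10 deny ip 172.16.100.0 0.0.0.255 any
 1000 permit ip any any
ip access-list extended incoming_traffic_gi1/0.300
 10 deny ip 172.16.130.0 0.0.0.255 172.16.100.0 0.0.0.255
 1000 permit ip any any
ip access-list extended incoming_traffic_gi1/0.100
 10 deny ip 172.16.100.0 0.0.0.255 172.16.130.0 0.0.0.255
 1000 permit ip any any
```

Two points are worth checking in this design. First, for inside-to-outside traffic IOS performs the NAT translation before it evaluates the outbound access list, so outgoing_traffic_gi0/0 only sees the private source address of VPN-bound packets because the PAT access list refuses to translate them; without that deny line, a packet for 172.17.200.0/24 arriving while the tunnel is down would be translated to 198.51.100.1 and pass rule 1000 in clear text. Second, the inbound access list permits no GRE; with tunnel protection the decrypted GRE packets are normally not re-checked against it, but on IOS releases that do re-evaluate decrypted packets you would also need permit gre host 203.0.113.1 host 198.51.100.1. Use show crypto ipsec sa and show ip nat translations to confirm that VPN traffic is encrypted and not translated.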

3. Side B Configuration

3.1 Layer 2 SW2 Configuration

The following commands configure the trunk port, the access ports and the VLANs on the Layer 2 switch SW2.

3.2 Hosts PC2 and PC4 Configuration

$ sudo bash ./ 2

$ sudo bash ./ 4

3.3 Router VyOS Configuration

3.3.1 Router VyOS on Stick and Default Static Route

First, we configure an IP address on the interface eth0 and the respective IP addresses on the sub-interfaces eth1.200 and eth1.400. Then we create a default static route with the IP address as the next hop. The actual configuration is here.

3.3.2 VyOS - NAT

We create a source NAT with rule 5, which excludes from translation the packets sent from the IP subnet to the subnet Rule 10 translates the source IP addresses of packets from the subnet to the public IP address The IP address is configured on the outbound interface eth0. Rule 15 translates the IP addresses of hosts from the subnet to the IP address when they send traffic to the Internet. The NAT configuration is here.

3.3.3 VyOS IPSec Tunnel

Enable IPsec on the interface eth0.

3.3.4 VyOS - IKE Group - Phase 1

Create the ike-group named cisco and configure the encryption algorithm, the hash algorithm, the DH group and the lifetime.

3.3.5 VyOS - ESP Group - Phase 2

Create the esp-group named cisco and configure the encryption algorithm, the hash algorithm and the lifetime. Configure the tunnel peer and the pre-shared key. Associate the ike-group cisco and the esp-group cisco with the peer Configure the local address used for the connection. Finally, configure GRE as the protocol that is encapsulated inside the IPsec tunnel.

3.3.6 VyOS - GRE Tunnel

Create a new route policy change_mss that clamps the TCP MSS (Maximum Segment Size) to 1360 bytes. Then we can create the GRE tunnel.

3.3.7 OSPF Configuration

Here is the OSPF routing protocol configuration on VyOS.

3.3.8 VyOS - Firewall Configuration

The firewall incoming_traffic consists of the rules 1, 5 and 10 with the default action drop. Rule 1 allows incoming established and related traffic belonging to connections initiated by the hosts assigned to VLANs 200 and 400. Rule 5 accepts incoming packets from the IP address to the IP address with destination port UDP 500, the port the ISAKMP protocol uses. Rule 10 accepts incoming packets of the ESP protocol from the IP address to the IP address The firewall name incoming_traffic is applied on the interface eth0 for incoming traffic passing through the router and for traffic destined for the router itself (keyword local).

The firewall outgoing_traffic_tun0 inspects outgoing traffic on the interface tun0. Rule 10 allows outgoing traffic from the subnet to the subnet All other traffic is dropped.

The firewall outgoing_traffic_eth0 with rule 10, applied on the interface eth0 in the outgoing direction, prevents packets with source addresses destined for the subnet from leaking to the Internet when the VPN tunnel fails.

The firewall incoming_traffic_eth1_400 with rule 10, applied on the sub-interface eth1.400 in the incoming direction, blocks traffic with a source IP address from the subnet to the subnet Similarly, the firewall incoming_traffic_eth1_200 with rule 10, applied on the sub-interface eth1.200 in the incoming direction, blocks traffic with a source IP address from the subnet to the subnet
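As with R1, the VyOS listings referenced in sections 3.3.1 to 3.3.8 are not on this page, so here is a complete configuration for the VyOS router that I wrote as an added example (VyOS 1.1/1.2 command syntax); it is not the author's configuration. All addresses are constructed placeholders: eth0 203.0.113.1/30 with R3 at 203.0.113.2, VLAN 200 172.17.200.0/24, VLAN 400 172.17.140.0/24, tun0 10.0.0.2/30, and the Cisco peer at 198.51.100.1 with its VLAN 100 LAN 172.16.100.0/24. The pre-shared key is a placeholder; the cipher suite, lifetimes, tunnel MTU and OSPF area are my choices, and rule 15 of incoming_traffic is my addition beyond the tutorial's three rules.

```vyos
# Added example VyOS configuration (mine, not the tutorial's listing).
# All addresses are constructed placeholders; PLACEHOLDER_PSK is a placeholder key.
configure
# 3.3.1 router on a stick and the default route
set interfaces ethernet eth0 address '203.0.113.1/30'
set interfaces ethernet eth1 vif 200 address '172.17.200.1/24'
set interfaces ethernet eth1 vif 400 address '172.17.140.1/24'
set protocols static route 0.0.0.0/0 next-hop '203.0.113.2'
# 3.3.2 source NAT: rule 5 is evaluated first, so VPN-bound traffic keeps its private source
set nat source rule 5 outbound-interface 'eth0'
set nat source rule 5 source address '172.17.200.0/24'
set nat source rule 5 destination address '172.16.100.0/24'
set nat source rule 5 exclude
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.17.200.0/24'
set nat source rule 10 translation address '203.0.113.1'
set nat source rule 15 outbound-interface 'eth0'
set nat source rule 15 source address '172.17.140.0/24'
set nat source rule 15 translation address '203.0.113.1'
# 3.3.3 - 3.3.5 IPsec: interface, IKE group (phase 1), ESP group (phase 2) and the peer
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec ike-group cisco proposal 1 encryption 'aes256'
set vpn ipsec ike-group cisco proposal 1 hash 'sha256'
set vpn ipsec ike-group cisco proposal 1 dh-group '14'
set vpn ipsec ike-group cisco lifetime '86400'
set vpn ipsec esp-group cisco proposal 1 encryption 'aes256'
set vpn ipsec esp-group cisco proposal 1 hash 'sha256'
set vpn ipsec esp-group cisco lifetime '3600'
set vpn ipsec esp-group cisco mode 'tunnel'
set vpn ipsec site-to-site peer 198.51.100.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 198.51.100.1 authentication pre-shared-secret 'PLACEHOLDER_PSK'
set vpn ipsec site-to-site peer 198.51.100.1 ike-group 'cisco'
set vpn ipsec site-to-site peer 198.51.100.1 default-esp-group 'cisco'
set vpn ipsec site-to-site peer 198.51.100.1 local-address '203.0.113.1'
set vpn ipsec site-to-site peer 198.51.100.1 tunnel 0 protocol 'gre'
# 3.3.6 MSS clamping (1360 bytes as in the tutorial) and the GRE tunnel
set policy route change_mss rule 10 protocol 'tcp'
set policy route change_mss rule 10 tcp flags 'SYN'
set policy route change_mss rule 10 set tcp-mss '1360'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 address '10.0.0.2/30'
set interfaces tunnel tun0 local-ip '203.0.113.1'
set interfaces tunnel tun0 remote-ip '198.51.100.1'
set interfaces tunnel tun0 mtu '1400'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 policy route 'change_mss'
set interfaces tunnel tun0 firewall out name 'outgoing_traffic_tun0'
# 3.3.7 OSPF over the tunnel; no hellos on the LAN sub-interfaces
set protocols ospf area 0 network '10.0.0.0/30'
set protocols ospf area 0 network '172.17.200.0/24'
set protocols ospf passive-interface 'eth1.200'
set protocols ospf passive-interface 'eth1.400'
# 3.3.8 firewall incoming_traffic on eth0, for forwarded (in) and router-bound (local) traffic
set firewall name incoming_traffic default-action 'drop'
set firewall name incoming_traffic rule 1 action 'accept'
set firewall name incoming_traffic rule 1 state established 'enable'
set firewall name incoming_traffic rule 1 state related 'enable'
set firewall name incoming_traffic rule 5 action 'accept'
set firewall name incoming_traffic rule 5 protocol 'udp'
set firewall name incoming_traffic rule 5 source address '198.51.100.1'
set firewall name incoming_traffic rule 5 destination address '203.0.113.1'
set firewall name incoming_traffic rule 5 destination port '500'
set firewall name incoming_traffic rule 10 action 'accept'
set firewall name incoming_traffic rule 10 protocol 'esp'
set firewall name incoming_traffic rule 10 source address '198.51.100.1'
set firewall name incoming_traffic rule 10 destination address '203.0.113.1'
# rule 15 is my addition: the decrypted GRE packet re-enters the input path and is filtered again
set firewall name incoming_traffic rule 15 action 'accept'
set firewall name incoming_traffic rule 15 protocol 'gre'
set firewall name incoming_traffic rule 15 source address '198.51.100.1'
set interfaces ethernet eth0 firewall in name 'incoming_traffic'
set interfaces ethernet eth0 firewall local name 'incoming_traffic'
# only VLAN 200 -> remote LAN may enter the tunnel
set firewall name outgoing_traffic_tun0 default-action 'drop'
set firewall name outgoing_traffic_tun0 rule 10 action 'accept'
set firewall name outgoing_traffic_tun0 rule 10 source address '172.17.200.0/24'
set firewall name outgoing_traffic_tun0 rule 10 destination address '172.16.100.0/24'
# leak guard on eth0: VPN-bound traffic must never leave in clear text when tun0 is down
set firewall name outgoing_traffic_eth0 default-action 'accept'
set firewall name outgoing_traffic_eth0 rule 10 action 'drop'
set firewall name outgoing_traffic_eth0 rule 10 source address '172.17.200.0/24'
set firewall name outgoing_traffic_eth0 rule 10 destination address '172.16.100.0/24'
set interfaces ethernet eth0 firewall out name 'outgoing_traffic_eth0'
# VLAN isolation in both directions
set firewall name incoming_traffic_eth1_400 default-action 'accept'
set firewall name incoming_traffic_eth1_400 rule 10 action 'drop'
set firewall name incoming_traffic_eth1_400 rule 10 source address '172.17.140.0/24'
set firewall name incoming_traffic_eth1_400 rule 10 destination address '172.17.200.0/24'
set interfaces ethernet eth1 vif 400 firewall in name 'incoming_traffic_eth1_400'
set firewall name incoming_traffic_eth1_200 default-action 'accept'
set firewall name incoming_traffic_eth1_200 rule 10 action 'drop'
set firewall name incoming_traffic_eth1_200 rule 10 source address '172.17.200.0/24'
set firewall name incoming_traffic_eth1_200 rule 10 destination address '172.17.140.0/24'
set interfaces ethernet eth1 vif 200 firewall in name 'incoming_traffic_eth1_200'
commit
save
```

One difference from the Cisco side is worth knowing when you reason about the leak guard: VyOS firewalls are netfilter filter rules, and the forward filter runs before source NAT in the postrouting stage, so outgoing_traffic_eth0 always sees the original private source address, whether or not NAT rule 5 excludes the packet. The tutorial's rule 1 (established/related) is what lets the decrypted GRE packets from the peer through once the router has sent its own GRE traffic; rule 15 makes that explicit so the tunnel comes up regardless of which side speaks first. Verify with show vpn ipsec sa, show nat source translations and show ip ospf neighbor.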
