The previous tutorial showed GRE tunnel configuration between a Cisco router and Linux Core. The big advantage of the GRE protocol is that it encapsulates L3 and higher protocols inside the GRE tunnel, so routing updates and other multicast traffic can be successfully transferred over the tunnel. The main drawback of the GRE protocol is the lack of built-in security. Data are transferred in plaintext over the tunnel (no confidentiality) and peers are not authenticated. Tunneled traffic can be changed by an attacker (no integrity checking of IP packets). For this reason a GRE tunnel is very often used in conjunction with IPSec. Typically, the GRE tunnel is encapsulated inside the IPSec tunnel and this model is called GRE over IPSec.
The tutorial shows the configuration of the OSPF routing protocol, a GRE tunnel and an IPSec tunnel on a Cisco 7206 VXR router and an appliance running the VyOS network OS. The devices are running inside a GNS3 lab and they are emulated by Dynamips (Cisco) and Qemu (VyOS).
Picture 1 - Topology
Note: VyOS installation is described here. You can easily build your own VyOS Qemu appliance using the Expect and Bash script shared in the article.
1. R3 Configuration
R3(config)# interface gigabitEthernet 1/0
R3(config-if)# ip address 1.1.1.1 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# interface gigabitEthernet 0/0
R3(config-if)# ip address 2.2.2.2 255.255.255.0
R3(config-if)# no shutdown
2. R1 Configuration
2.1 Interfaces and Static Route Configuration
R1(config)# interface gigabitEthernet 0/0
R1(config-if)# ip address 1.1.1.10 255.255.255.0
R1(config-if)# no shutdown
R1(config)# interface gigabitEthernet 1/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown
A static route pointing to the subnet 2.2.2.0/24 via router R3 is needed in the routing table of router R1, so we have to create it.
R1(config)# ip route 2.2.2.0 255.255.255.0 1.1.1.1
2.2 IPSec Tunnel Configuration
Internet Security Association and Key Management Protocol (ISAKMP) is the negotiation protocol that lets two hosts agree on how to build an IPsec security association. ISAKMP separates negotiation into two phases - Phase 1 and Phase 2.
Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data (IPSec).
ISAKMP Configuration - ISAKMP Phase 1
First we create an ISAKMP policy and select the encryption algorithm, the hash algorithm, the type of authentication, the Diffie-Hellman group and the lifetime.
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 14
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)# exit
Note: You can check these parameters in the Transform payload located in the first and the sixth packet of the attached pcap file.
Then we configure the pre-shared key and the peer address.
R1(config)# crypto isakmp key test123 address 2.2.2.10
IPSec Configuration - ISAKMP Phase 2
In phase two we create an IPSec transform set and configure the encryption and the hash algorithm. This is also the place where we define the IPSec mode - either tunnel (default) or transport mode. In tunnel mode a completely new IP delivery header is inserted in front of each IPSec packet, while in transport mode the original IP header stays untouched (except for the changed protocol field - 50 for ESP).
R1(config)# crypto ipsec transform-set MyTS esp-aes esp-md5-hmac
R1(cfg-crypto-trans)# mode tunnel
Continue with creating a new IPSec profile named Protect-GRE. Assign the transform set MyTS to the profile Protect-GRE and configure the lifetime.
R1(config)# crypto ipsec profile Protect-GRE
R1(ipsec-profile)# set security-association lifetime seconds 86400
R1(ipsec-profile)# set transform-set MyTS
And finally assign the IPSec profile to the interface Tunnel 0.
R1(config)# interface Tunnel 0
R1(config-if)# tunnel protection ipsec profile Protect-GRE
2.3 GRE Tunnel Configuration
R1(config)# interface tunnel 0
R1(config-if)# description Tunnel to R2
R1(config-if)# ip address 172.16.0.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# ip ospf network broadcast
R1(config-if)# tunnel source 1.1.1.10
R1(config-if)# tunnel destination 2.2.2.10
It is recommended to use the Cisco online IPSec overhead calculator to calculate the Maximum Transmission Unit (MTU) for the IP packet.
Picture 2 - IPSec and GRE Tunnel Overhead Calculation
The total calculated IPsec packet size is 1592 bytes. The IPSec and GRE protocol overhead adds an additional 92 bytes to the original 1500 B MTU. To avoid fragmentation by devices on the path we have to decrease the MTU from 1500 to 1400 bytes.
Picture 3 - Total Overhead of IPSec and GRE Tunnel
The maximum segment size (MSS) for TCP segments is always 40 bytes (IP 20 B + TCP 20 B) lower than the MTU. For this reason we set the MSS to 1360 bytes.
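The overhead figures above can be reproduced without the online calculator. The following Python script is an added example and not part of the original tutorial: it models the transform set used here (ESP in tunnel mode with AES-CBC and HMAC-MD5-96) carrying GRE, using the standard field sizes from RFC 4303 (ESP) and RFC 2784 (GRE). The input sizes 1500 and 1400 are the MTUs discussed in the text; the function names are the example's own.

```python
"""Worked IPsec/GRE overhead and TCP MSS calculation.

Added example, not from the original tutorial. It reproduces the numbers from
the Cisco overhead calculator for ESP tunnel mode with AES-CBC + HMAC-MD5-96
carrying GRE. Field sizes follow RFC 4303 (ESP) and RFC 2784 (GRE).
"""

IP_HDR = 20        # IPv4 header without options
GRE_HDR = 4        # base GRE header (no key, sequence or checksum fields)
ESP_HDR = 8        # SPI (4) + sequence number (4)
AES_IV = 16        # AES-CBC initialisation vector carried in the ESP payload
AES_BLOCK = 16     # AES-CBC block size; ESP pads the payload to it
ESP_TRAILER = 2    # pad length (1) + next header (1)
MD5_ICV = 12       # HMAC-MD5-96 integrity check value
TCP_HDR = 20       # TCP header without options


def gre_size(inner_len: int) -> int:
    """Bytes on the wire after GRE encapsulation: delivery IP header + GRE header + inner packet."""
    return IP_HDR + GRE_HDR + inner_len


def esp_tunnel_size(plain_len: int, block: int = AES_BLOCK, icv: int = MD5_ICV) -> int:
    """Bytes on the wire when `plain_len` bytes are protected by ESP in tunnel mode."""
    # ESP pads so that payload + padding + trailer is a multiple of the cipher block size
    padding = (-(plain_len + ESP_TRAILER)) % block
    return IP_HDR + ESP_HDR + AES_IV + plain_len + padding + ESP_TRAILER + icv


def gre_over_ipsec_size(inner_len: int) -> int:
    """Total size of an inner IP packet once it is carried as GRE over IPsec."""
    return esp_tunnel_size(gre_size(inner_len))


def tunnel_overhead(inner_len: int) -> int:
    """Bytes added by GRE + ESP; not constant, because ESP padding depends on the inner size."""
    return gre_over_ipsec_size(inner_len) - inner_len


def tcp_mss_for(mtu: int) -> int:
    """MSS that fits a given tunnel MTU: MTU minus the IP and TCP headers."""
    return mtu - IP_HDR - TCP_HDR


def fits_physical_mtu(tunnel_mtu: int, physical_mtu: int = 1500) -> bool:
    """True if a full-size tunnel packet crosses the physical link without fragmentation."""
    return gre_over_ipsec_size(tunnel_mtu) <= physical_mtu


if __name__ == "__main__":
    for mtu in (1500, 1400):   # the two MTUs discussed in the tutorial
        print(f"inner MTU {mtu}: on the wire {gre_over_ipsec_size(mtu)} B, "
              f"overhead {tunnel_overhead(mtu)} B, TCP MSS {tcp_mss_for(mtu)}, "
              f"fits a 1500 B link: {fits_physical_mtu(mtu)}")
```

With a 1500-byte inner packet the script yields the tutorial's 1592 bytes (92 bytes of overhead); with the tunnel MTU lowered to 1400 the encrypted packet is 1496 bytes, so it still fits a standard Ethernet link. Changing the ICV size (for example to 16 bytes for HMAC-SHA-256) or the cipher block size shows how a different transform set moves the numbers.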
2.4 OSPF Configuration
R1(config)# router ospf 10
R1(config-router)# network 172.16.0.0 0.0.0.255 area 0
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
R1(config-router)# passive-interface gigabitEthernet 1/0
3. VyOS Configuration
3.1 Interfaces and Static Route Configuration
vyos@vyos:~$ configure
vyos@vyos# set interfaces ethernet eth0 address 2.2.2.10/24
vyos@vyos# set interfaces ethernet eth1 address 192.168.2.1/24
Again we have to configure a static route pointing to the subnet 1.1.1.0/24.
vyos@vyos# set protocols static route 1.1.1.0/24 next-hop 2.2.2.2
3.2 IPSec Tunnel Configuration
Enable IPSec on the interface eth0.
vyos@vyos# set vpn ipsec ipsec-interfaces interface eth0
Configure an IKE Group - Phase 1
Set the encryption, the hash algorithm, DH group and lifetime for phase 1.
vyos@vyos# set vpn ipsec ike-group cisco proposal 1
vyos@vyos# set vpn ipsec ike-group cisco proposal 1 encryption aes256
vyos@vyos# set vpn ipsec ike-group cisco proposal 1 hash md5
vyos@vyos# set vpn ipsec ike-group cisco proposal 1 dh-group 14
vyos@vyos# set vpn ipsec ike-group cisco lifetime 86400
Configure an ESP Group - Phase 2
Set the encryption, the hash algorithm and lifetime for phase 2.
vyos@vyos# set vpn ipsec esp-group cisco proposal 1
vyos@vyos# set vpn ipsec esp-group cisco proposal 1 encryption aes128
vyos@vyos# set vpn ipsec esp-group cisco proposal 1 hash md5
vyos@vyos# set vpn ipsec esp-group cisco pfs enable
vyos@vyos# set vpn ipsec esp-group cisco lifetime 86400
vyos@vyos# set vpn ipsec esp-group cisco mode tunnel
Configure the tunnel peer and the pre-shared key.
vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 authentication pre-shared-secret test123
Configure the IKE group used for the tunnel.
vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 ike-group cisco
Configure the ESP group used for the tunnel.
vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 tunnel 0 esp-group cisco
Configure the local address used for the connection.
vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 local-address 2.2.2.10
Configure the protocol encapsulated inside IPSec.
vyos@vyos# set vpn ipsec site-to-site peer 1.1.1.10 tunnel 0 protocol gre
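A mismatched Phase 1 or Phase 2 proposal is the usual reason an IPsec SA never comes up, and the two vendors spell the same parameters differently (Cisco "encryption aes 256" vs. VyOS "encryption aes256", Cisco "esp-aes" meaning AES-128, and so on). The following Python script is an added example, not part of the original tutorial: it parses the R1 commands from section 2.2 and the VyOS commands from section 3.2 (both embedded below as constructed text with the CLI prompts removed), normalises them to vendor-neutral names, reports mismatches, and flags settings a practitioner would want to replace (MD5, DES/3DES, small DH groups). The parser handles only the command forms shown on this page plus the obvious variants of them; the function and constant names are the example's own.

```python
"""Cross-check IKE (Phase 1) and ESP (Phase 2) proposals on a Cisco and a VyOS peer.

Added example, not from the original tutorial. The two config snippets are the
R1 and VyOS commands from the tutorial without prompts; on real devices they
would come from `show running-config` and `show configuration commands`.
"""
import re

CISCO_CFG = """
crypto isakmp policy 1
 encryption aes 256
 hash md5
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key test123 address 2.2.2.10
crypto ipsec transform-set MyTS esp-aes esp-md5-hmac
 mode tunnel
crypto ipsec profile Protect-GRE
 set security-association lifetime seconds 86400
 set transform-set MyTS
"""

VYOS_CFG = """
set vpn ipsec ike-group cisco proposal 1 encryption aes256
set vpn ipsec ike-group cisco proposal 1 hash md5
set vpn ipsec ike-group cisco proposal 1 dh-group 14
set vpn ipsec ike-group cisco lifetime 86400
set vpn ipsec esp-group cisco proposal 1 encryption aes128
set vpn ipsec esp-group cisco proposal 1 hash md5
set vpn ipsec esp-group cisco pfs enable
set vpn ipsec esp-group cisco lifetime 86400
set vpn ipsec esp-group cisco mode tunnel
"""

# Settings flagged as weak; they still negotiate, which is exactly why a check is useful.
WEAK_ALGOS = {"md5", "des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}

# VyOS option name -> vendor-neutral key used in the result dicts
VYOS_KEYS = {"encryption": "encryption", "hash": "hash", "dh-group": "dh_group",
             "lifetime": "lifetime", "mode": "mode"}


def parse_cisco(text: str) -> tuple:
    """Return (phase1, phase2) dicts with vendor-neutral keys and values."""
    p1, p2 = {}, {}
    for line in text.splitlines():
        line = re.sub(r"(aes) (\d{3})", r"\1\2", line)   # "aes 256" -> "aes256"
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "encryption":                      # isakmp policy; bare "aes" is AES-128
            p1["encryption"] = "aes128" if tok[1] == "aes" else tok[1]
        elif tok[0] == "hash":
            p1["hash"] = tok[1]
        elif tok[0] == "group":
            p1["dh_group"] = tok[1]
        elif tok[0] == "lifetime":
            p1["lifetime"] = tok[1]
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            for t in tok[4:]:                           # e.g. esp-aes esp-md5-hmac
                if t.endswith("-hmac"):
                    h = t[4:-5]                         # esp-md5-hmac -> md5, esp-sha-hmac -> sha
                    p2["hash"] = "sha1" if h == "sha" else h
                elif t.startswith("esp-"):
                    p2["encryption"] = "aes128" if t == "esp-aes" else t[4:]
        elif tok[0] == "mode":
            p2["mode"] = tok[1]
        elif tok[:3] == ["set", "security-association", "lifetime"]:
            p2["lifetime"] = tok[-1]
    return p1, p2


def parse_vyos(text: str) -> tuple:
    """Return (phase1, phase2) dicts from `set vpn ipsec ike-group|esp-group ...` commands."""
    p1, p2 = {}, {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] != ["set", "vpn", "ipsec"] or len(tok) < 7:
            continue
        target = {"ike-group": p1, "esp-group": p2}.get(tok[3])
        if target is not None and tok[-2] in VYOS_KEYS:   # trailing "<option> <value>" pair
            target[VYOS_KEYS[tok[-2]]] = tok[-1]
    return p1, p2


def compare(cisco: tuple, vyos: tuple) -> list:
    """List mismatches between the two ends plus weak settings on either end."""
    findings = []
    for phase, c, v in (("Phase 1 (IKE)", cisco[0], vyos[0]),
                        ("Phase 2 (ESP)", cisco[1], vyos[1])):
        for key in sorted(set(c) | set(v)):
            if c.get(key) != v.get(key):
                findings.append(f"MISMATCH {phase} {key}: cisco={c.get(key)} vyos={v.get(key)}")
        for side, cfg in (("cisco", c), ("vyos", v)):
            for key in ("encryption", "hash"):
                if cfg.get(key) in WEAK_ALGOS:
                    findings.append(f"WEAK {phase} {side} {key}={cfg[key]}")
            if cfg.get("dh_group") in WEAK_DH_GROUPS:
                findings.append(f"WEAK {phase} {side} dh_group={cfg['dh_group']}")
    return findings


if __name__ == "__main__":
    for finding in compare(parse_cisco(CISCO_CFG), parse_vyos(VYOS_CFG)) or ["proposals match"]:
        print(finding)
```

For the configuration on this page the script finds no mismatch but flags MD5 as the hash in both phases on both ends. The VyOS `pfs enable` line has no counterpart in the R1 IPSec profile shown above; the checker does not compare it, so it is worth looking at by hand when a Phase 2 SA fails to establish.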
3.3 GRE Tunnel Configuration
Create a new route policy that changes the TCP MSS to 1360 bytes.
vyos@vyos# set policy route change-mss rule 1 set tcp-mss 1360
vyos@vyos# set policy route change-mss rule 1 protocol tcp
vyos@vyos# set policy route change-mss rule 1 tcp flags SYN
Configure GRE tunnel.
vyos@vyos# set interfaces tunnel tun0 encapsulation gre
vyos@vyos# set interfaces tunnel tun0 address 172.16.0.2/24
vyos@vyos# set interfaces tunnel tun0 description "Tunnel to R1"
vyos@vyos# set interfaces tunnel tun0 mtu 1400
vyos@vyos# set interfaces tunnel tun0 policy route change-mss
vyos@vyos# set interfaces tunnel tun0 local-ip 2.2.2.10
vyos@vyos# set interfaces tunnel tun0 remote-ip 1.1.1.10
vyos@vyos# set interfaces tunnel tun0 multicast enable
3.4 OSPF Configuration
vyos@vyos# set interfaces tunnel tun0 ip ospf network broadcast
vyos@vyos# set protocols ospf area 0.0.0.0 network 172.16.0.0/24
vyos@vyos# set protocols ospf area 0.0.0.0 network 192.168.2.0/24
vyos@vyos# commit
vyos@vyos# save
4. Verification
4.1 Verification on VyOS
Below are various show commands that help you verify the status of the tunnels on VyOS.
List all currently active IKE Security Associations (SA) - Phase 1.
Picture 4 - Active IKE Security Associations
List all active IPsec Security Associations (SA) - Phase 2.
Picture 5 - Active IPSec Security Associations
Check status of GRE tunnel interface.
Picture 6 - Status of GRE Tunnel Interface Tun0
4.2 Verification on Cisco
Below are various show commands that help you verify the status of the tunnels on the Cisco device.
List all currently active IKE Security Associations (SA) - Phase 1.
Picture 7 - Active IKE Security Associations
List all active IPsec Security Associations (SA) - Phase 2.
Picture 8 - Active IPSec Security Associations
Check status of GRE tunnel interface.
Picture 9 - Status of GRE Interface Tunnel0
Tunnel line state evaluation.
Picture 10 - Tunnel Line State Evaluation
End.
Radovan,
Very straightforward explanation. Thank you!
I am not familiar with Vyatta yet, but noticed that you set the TCP MSS size on the Cisco router to 1360, is that not necessary on the Vyatta?
Just so you know, I forward your blog information to all my students to use as an excellent resource for their studies.
Thank you for all your excellent work and tutorials.
Jim
TCP MSS should match on both sides of tunnel. I've added configuration for VyOS. Thank you!
Hi, I am facing an issue with a VyOS to VyOS IPsec VPN configuration. When I configure the IPsec VPN tunnel without the GRE protocol it's working fine, but when I use the GRE protocol with the IPsec VPN tunnel it shows me down. Can you please help me with what the issue is, on my mail id ankit.kumar@tekmindz.com
Is there a way to check GRE status in VyOS?
Hi rakesh,
According to Vyatta GRE guide:
So we should be able to enable keep-alive messages and monitor the status of the GRE tunnel, but I haven't found it in the VyOS configuration.
I think your GRE tunnel is not IPSec protected but unencrypted.
Your GRE tunnel is directly between 2.2.2.10 and 1.1.1.10.
IPSec transport mode. Not tunnel mode.
Hi Sir, I tried this configuration on two VyOS routers and I'm new to VyOS. I can ping LAN to LAN but I can't ping the tunnel IP address 172.16.X.X. I can ping if I do it with a Cisco router. Please advise. TQ