Encrypted GRE Tunnel VPN using AES 256 encryption

 

This represents a simple encrypted VPN tunnel across a set of BGP links connected via serial links.  The GRE tunnel and the encryption pieces are color coded, and the parts that apply the encryption to the GRE tunnel are also underlined (this formatting may not survive in a plain-text copy of the page).  OSPF is configured to provide IGP routing via the GRE tunnel.  The mc3810bot router is configured as the NTP master at stratum 5 and the other router is synchronized to it.

 

In addition, syslogging to a Linux box at 192.168.6.61 is configured, as is SSH access, which is limited to the host 192.168.6.21.  Syslogging requires a modification to the RHL /etc/sysconfig/syslog: change the line ="-m 0" to ="-r -m 0" (the -r flag makes syslogd accept remote messages from any host on UDP port 514, so restrict that port with a host firewall to the router addresses).  The /etc/syslog.conf needs a line similar to "local3.*             /var/cisco/router.log" added, where the file /var/cisco/router.log must be created beforehand.  Note that in the line above the separators must be tabs, not spaces.

 

 

Key:

Encryption                                                                   GRE Tunnel

SSH                                                                             Encrypted GRE Tunnel VPN

SysLogging

mc3810top#sh run

!

version 12.3

service timestamps debug uptime

! Log timestamps are taken from the local clock; see the NTP notes at the end
! of this config for why the clock source matters for log correlation.
service timestamps log datetime msec localtime show-timezone

! NOTE(review): with password encryption disabled, every credential in this file
! (the isakmp pre-shared key, the vty line password) is stored and shown in
! cleartext by 'show run'. 'service password-encryption' only applies reversible
! type-7 obfuscation, so it is not a substitute for 'enable secret', but it does
! keep secrets out of casual 'show run' output and config backups.
no service password-encryption

!

hostname mc3810top

!

boot-start-marker

boot-end-marker

!

! NOTE(review): this router has no 'logging <host>' statement, so events exist
! only in this 8 KB in-memory buffer and are lost on reload. mc3810bot sends
! to the syslog host; the same is worth doing here.
logging buffered 8192 debugging

!

!

clock timezone pst -8

clock summer-time pdt recurring

network-clock base-rate 56k

! Without AAA, authentication is whatever each 'line' section configures;
! see the vty section at the end of this config.
no aaa new-model

ip subnet-zero

!

!

!

!

!

!

!

!

!

!

! crypto policy sets up the isakmp negotiation and control parameters

! The index sets a priority for that set of features: lower index, higher priority.  ! This also applies to the crypto map below

crypto isakmp policy 10

 encr aes 256

! Peer identity rests entirely on the pre-shared key bound to the peer address below
 authentication pre-share

! Diffie-Hellman group 2 (1024-bit MODP); below current recommendations, but
! likely the strongest this IOS 12.3 feature set offers - confirm on the platform
 group 2

! IKE SA lifetime in seconds (10 hours)
 lifetime 36000

! NOTE(review): the pre-shared key is stored in cleartext, and the same string is
! used as the 'username admin' password on mc3810bot. One disclosure then
! compromises both the tunnel and management login; use a distinct random key
! for each purpose. The key is bound to mc3810bot's Serial0 address, which must
! match 'tunnel destination' on Tunnel0 below.
crypto isakmp key wH1n3r@! address 66.67.100.2

!

!

! The transform-set defines the actual encryption and hashing used

! It is applied in the crypto map and, optionally, in the crypto profile

! AES-256 for confidentiality, SHA-1 HMAC for integrity
crypto ipsec transform-set homelab1 esp-aes 256 esp-sha-hmac

! Transport mode: the GRE payload is protected while the outer IP header keeps
! the Serial0 addresses, which is what tunnel protection expects
 mode transport

!

! The profile is applied at the tunnel interface as a protection command

crypto ipsec profile IPS-Tun0

! IPsec SAs are rekeyed after 200,000 KB or 8 hours, whichever comes first
 set security-association lifetime kilobytes 200000

 set security-association lifetime seconds 28800

 set transform-set homelab1

! PFS: a fresh DH exchange per IPsec rekey, so a leaked IKE secret does not
! expose earlier IPsec keys
 set pfs group2

!

!

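! Crypto map defines what encryption is applied and to what traffic

! The crypto map is applied on a per-interface basis: See s0

crypto map homelab1 10 ipsec-isakmp

 description +++  Connection across BGP  +++

! The peer must be the far-end router's Serial0 address (mc3810bot: 66.67.100.2),
! matching the 'crypto isakmp key ... address' and 'tunnel destination' statements
! in this config. The original entry pointed at 66.67.101.2, which is this
! router's own Serial0 address, so this map entry could never negotiate with the
! far end.
 set peer 66.67.100.2

! IPsec SAs are rekeyed after 200,000 KB or 8 hours, whichever comes first
 set security-association lifetime kilobytes 200000

 set security-association lifetime seconds 28800

! The crypto map selects the transform-set to apply to the interface

 set transform-set homelab1

 set pfs group2

! The access-list below controls what is encrypted

! The access-lists on either end are symmetrical wrt source and destination

! NOTE(review): Tunnel1 matches GRE between the tunnel's inner addresses
! (192.168.200.1/.2). Because 'tunnel source Serial0' puts the Serial0 addresses
! in the GRE outer header, this selector is unlikely to match the encapsulated
! packets; the 'tunnel protection' on Tunnel0 is what actually encrypts the GRE
! traffic. Verify with 'show crypto ipsec sa' before relying on this map entry.
 match address Tunnel1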

!

interface Loopback0

 ip address 192.168.74.1 255.255.255.0

! Avoids the DR/BDR election and the default loopback /32 advertisement
 ip ospf network point-to-point

!

interface Loopback1

 ip address 192.168.75.1 255.255.255.0

 ip ospf network point-to-point

!

! this section sets up the GRE tunnel

interface Tunnel0

! Inner (tunnel) addressing; also used as the OSPF router-id below
 ip address 192.168.200.1 255.255.255.252

! The GRE outer header carries Serial0's address (66.67.101.2) as its source
 tunnel source Serial0

! Far end: mc3810bot's Serial0, the same address the isakmp key is bound to
 tunnel destination 66.67.100.2

! The following line sets up the encryption of the GRE tunnel

! Without this line the GRE tunnel remains unencrypted

 tunnel protection ipsec profile IPS-Tun0

!

interface Serial0

 description To r7505-1 / s0/2

! This is the BGP-facing interface. NOTE(review): it carries no inbound access
! list, so the router's own services (and the unauthenticated vty lines at the
! end of this config) are reachable from the serial side; consider an inbound ACL
! that admits only IKE (UDP 500), ESP and BGP from the peer addresses.
 ip address 66.67.101.2 255.255.255.252

! This line applies the crypt configs to this interface
! NOTE(review): this crypto map and the 'tunnel protection' on Tunnel0 both aim at
! the same GRE traffic. The page's own comments say tunnel protection is what
! encrypts the tunnel; if the map is kept, confirm both selectors behave as
! intended with 'show crypto map' and 'show crypto ipsec sa'.
 crypto map homelab1

!

!

router ospf 10

! Router-id pinned to the tunnel address so it stays stable across reloads
 router-id 192.168.200.1

 log-adjacency-changes

! NOTE(review): no interface in this listing carries a 192.168.7.x address;
! presumably an Ethernet interface omitted from the page - confirm
 network 192.168.7.0 0.0.0.255 area 2

! Covers both loopbacks (192.168.74.0/24 and 192.168.75.0/24) with one statement
 network 192.168.74.0 0.0.1.255 area 2

! The tunnel /30; OSPF adjacency with mc3810bot runs inside the encrypted tunnel
 network 192.168.200.0 0.0.0.3 area 2

!

!

router bgp 65002

 no synchronization

 bgp log-neighbor-changes

 network 66.67.101.0 mask 255.255.255.252

! NOTE(review): the BGP session carries no 'neighbor ... password', so the TCP
! session is unauthenticated; an MD5 password shared with the AS 65000 peer is
! the usual mitigation on this IOS release.
 neighbor 66.67.101.1 remote-as 65000

 no auto-summary

!

ip classless

! Management web server disabled on both plaintext and TLS ports
no ip http server

no ip http secure-server

!

!

!

!

!

!

!

!

!

ip access-list extended Tunnel1

 remark +++  Traffic for encrypted tunnel  +++

! Only GRE between the two tunnel endpoints is selected; everything else falls
! to the implicit deny. NOTE(review): 'log-input' logs every match, which on a
! crypto ACL can add noticeable CPU load on this class of router - remove once
! the tunnel is verified.
 permit gre host 192.168.200.1 host 192.168.200.2 log-input

 remark

 remark @@@  End A-L Tunnel1  @@@

 remark

!

!

!

!

!

!

!

! Operator shortcuts for viewing parts of the running config
alias exec sracl show run | begin access-list

alias exec srbi show run | begin interface

alias exec sri show run interface

alias exec srb show run | begin

alias exec srr show run | begin ^router

!

line con 0

! 2880 minutes = 48 hours before an idle console session is dropped
 session-timeout 2880

 exec-timeout 2880 0

 logging synchronous

line aux 0

line 2 3

line vty 0 4

! NOTE(review): 'no login' combined with 'privilege level 15' means any host that
! can reach this router over telnet (no 'transport input' or 'access-class'
! restriction, 'no aaa new-model' above) drops straight into privileged EXEC
! without entering any password; the cleartext 'password' below is never checked.
! The vty section on mc3810bot shows the intended shape: 'access-class SecShl in',
! 'transport input ssh' and an authenticated login, with 'enable secret' guarding
! privileged mode instead of 'privilege level 15'.
 privilege level 15

 password wiener

 no login

!

!

! Written by IOS automatically during NTP operation; do not hand-edit
ntp clock-period 17179854

! Time comes from mc3810bot via the tunnel address, so it travels inside the
! IPsec-protected GRE tunnel. NOTE(review): no 'ntp authenticate'/'ntp
! trusted-key' is configured, so time source authenticity rests on the tunnel
! alone; log timestamps above depend on this clock.
ntp server 192.168.200.2

end

 

mc3810top#

mc3810bot#sh run

!

version 12.3

service timestamps debug uptime

service timestamps log datetime msec localtime show-timezone

! NOTE(review): as on mc3810top, the isakmp pre-shared key and the 'username admin'
! password below are stored and displayed in cleartext. 'service
! password-encryption' gives only reversible type-7 obfuscation; prefer
! 'username ... secret' for the local account.
no service password-encryption

!

hostname mc3810bot

!

boot-start-marker

boot-end-marker

!

! In-memory buffer; remote syslog is configured further down in this config
logging buffered 4096 debugging

! Type 5 (salted MD5) hash - the only hashed credential on either router.
! Guards privileged EXEC for SSH users who authenticate with the local account.
enable secret 5 $1$JKRW$VFb4zLDE4mXsNzvCO19SX0

!

clock timezone pst -8

clock summer-time pdt recurring

network-clock base-rate 56k

! NOTE(review): the trailing '!' annotations on this line and two lines below may
! be rejected by the IOS parser if this config is pasted back; keep annotations on
! their own lines - confirm on the platform.
aaa new-model    !required to get SSH to run

!also need 'crypto key generate rsa general-keys modulus 1024'
! NOTE(review): a 1024-bit RSA host key is below current minimums; use
! 'modulus 2048' if this IOS release and hardware support it.

!

aaa session-id common  !auto-generated

ip subnet-zero

!

! Needed so the RSA host key has a fully qualified name
ip domain name personal.com

!

! NOTE(review): allows 5 failed SSH attempts per connection; the IOS default is 3.
! Together with the single-host access list on the vty lines this is acceptable,
! but no 'ip ssh time-out' or 'ip ssh version 2' is set - add them if supported
! by this release.
ip ssh authentication-retries 5

!

! NOTE(review): type 0 = cleartext, and the string is identical to the isakmp
! pre-shared key used by both routers. Use 'username admin secret <distinct value>'
! so that a config leak does not hand over the tunnel key as well.
username admin password 0 wH1n3r@!

!

! crypto policy sets up the isakmp negotiation and control parameters

! The index sets a priority for that set of features: lower index, higher priority.  ! This also applies to the crypto map below

! Must match policy 10 on mc3810top, which it does line for line
crypto isakmp policy 10

 encr aes 256

 authentication pre-share

! Diffie-Hellman group 2 (1024-bit MODP); weak by current standards, likely
! constrained by the IOS 12.3 feature set - confirm on the platform
 group 2

! IKE SA lifetime in seconds (10 hours)
 lifetime 36000

! Key bound to mc3810top's Serial0 address (66.67.101.2). NOTE(review): the key
! is in cleartext and is also the 'username admin' password above.
crypto isakmp key wH1n3r@! address 66.67.101.2

!

!

! The transform-set defines the actual encryption and hashing used

! It is applied in the crypto map and, optionally, in the crypto profile

! AES-256 confidentiality, SHA-1 HMAC integrity; identical to mc3810top
crypto ipsec transform-set homelab1 esp-aes 256 esp-sha-hmac

! Transport mode protects the GRE payload; the outer IP header keeps the Serial0
! addresses
 mode transport

!

! The profile is applied at the tunnel interface as a protection command

crypto ipsec profile IPS-Tun0

! IPsec SAs rekey after 200,000 KB or 8 hours, whichever comes first
 set security-association lifetime kilobytes 200000

 set security-association lifetime seconds 28800

 set transform-set homelab1

! PFS: fresh DH exchange per IPsec rekey
 set pfs group2

!

!

! Crypto map defines what encryption is applied and to what traffic

! The crypto map is applied on a per-interface basis: See s0

crypto map homelab1 10 ipsec-isakmp

 description +++  Connection across BGP  +++

! Far end is mc3810top's Serial0 - consistent with the isakmp key address above
! and 'tunnel destination' on Tunnel0 below
 set peer 66.67.101.2

 set security-association lifetime kilobytes 200000

 set security-association lifetime seconds 28800

! The crypto map selects the transform-set to apply to the interface

 set transform-set homelab1

 set pfs group2

! The access-list below controls what is encrypted

! The access-lists on either end are symmetrical wrt source and destination

! NOTE(review): Tunnel1 selects GRE between the inner tunnel addresses, but the
! GRE outer header carries the Serial0 addresses ('tunnel source Serial0'), so
! this selector is unlikely to match; encryption is expected to come from
! 'tunnel protection' on Tunnel0. Verify with 'show crypto ipsec sa'.
 match address Tunnel1

!

interface Loopback0

 ip address 192.168.180.1 255.255.255.240

! Avoids the DR/BDR election and the default loopback /32 advertisement
 ip ospf network point-to-point

!

interface Loopback1

 ip address 192.168.181.1 255.255.255.240

 ip ospf network point-to-point

!

! this section sets up the GRE tunnel

interface Tunnel0

! Inner (tunnel) addressing; the far end is 192.168.200.1 on mc3810top
 ip address 192.168.200.2 255.255.255.252

! GRE outer source is Serial0's address (66.67.100.2)
 tunnel source Serial0

! mc3810top's Serial0, the same address the isakmp key is bound to
 tunnel destination 66.67.101.2

! The following line sets up the encryption of the GRE tunnel

! Without this line the GRE tunnel remains unencrypted

 tunnel protection ipsec profile IPS-Tun0

!

interface Serial0

! BGP-facing interface. NOTE(review): no inbound access list is applied, so all
! router services are reachable from the serial side; consider an inbound ACL
! admitting only IKE (UDP 500), ESP and BGP from the peer addresses.
 ip address 66.67.100.2 255.255.255.252

 no fair-queue

! This line applies the crypt configs to this interface
! NOTE(review): overlaps with 'tunnel protection' on Tunnel0 for the same GRE
! traffic; confirm which one actually encrypts with 'show crypto ipsec sa'.
 crypto map homelab1

!

!

router ospf 10

! Router-id pinned to the tunnel address
 router-id 192.168.200.2

 log-adjacency-changes

! NOTE(review): no interface in this listing carries a 192.168.6.x address;
! presumably the LAN interface toward the syslog/SSH hosts, omitted from the
! page - confirm
 network 192.168.6.0 0.0.0.255 area 0

! This router is the ABR between area 0 (LAN + Loopback1), area 1 (Loopback0)
! and area 2 (the tunnel and mc3810top)
 network 192.168.180.0 0.0.0.15 area 1

 network 192.168.181.0 0.0.0.15 area 0

 network 192.168.200.0 0.0.0.3 area 2

!

router bgp 65001

 no synchronization

 bgp log-neighbor-changes

 network 66.67.100.0 mask 255.255.255.252

! NOTE(review): no 'neighbor ... password', so the BGP TCP session is
! unauthenticated; an MD5 password agreed with the AS 65000 peer is the usual
! mitigation on this release.
 neighbor 66.67.100.1 remote-as 65000

 no auto-summary

!

ip classless

! Management web server disabled on both plaintext and TLS ports
no ip http server

no ip http secure-server

!

!

! Single-host allow list for management access; applied inbound on the vty
! lines further down. Everything else falls to the implicit deny.
ip access-list standard SecShl

 remark +++  Limit SSH traffic to the Win2k Pro Box  +++

 permit 192.168.6.21

 remark

 remark @@@  End A-L SecShl  @@@

 remark

!

ip access-list extended Tunnel1

 remark +++  Traffic for encrypted tunnel  +++

! Mirror image of the Tunnel1 list on mc3810top. NOTE(review): 'log-input' logs
! every match and can add noticeable CPU load on this router class; remove once
! the tunnel is verified.
 permit gre host 192.168.200.2 host 192.168.200.1 log-input

 remark

 remark @@@  End A-L Tunnel1  @@@

 remark

!

! NOTE(review): 'debugging' forwards every severity including debug output to
! the syslog host, which can flood it when any 'debug' command is active;
! 'informational' is the usual production level.
logging trap debugging

! Must match the local3 selector in the syslog host's /etc/syslog.conf
logging facility local3

! Syslog host on the LAN side. Syslog is plaintext UDP, so its integrity rests
! on the LAN being trusted; it does not traverse the encrypted tunnel.
logging 192.168.6.61

!

!

 

! Operator shortcuts for viewing parts of the running config
alias exec sracl show run | begin access-list

alias exec srbi show run | begin interface

alias exec sri show run interface

alias exec srb show run | begin

alias exec srr show run | begin ^router

!

line con 0

! 2880 minutes = 48 hours before an idle console session is dropped
 session-timeout 2880

 exec-timeout 2880 0

 logging synchronous

line aux 0

line 2 3

line vty 0 4

! These lines apply SSH parameters to the VTY lines

! Only the host permitted by SecShl (192.168.6.21) may open a session.
! NOTE(review): no 'exec-timeout' is set here, so the IOS default of 10 minutes
! applies - acceptable, but worth stating explicitly. With 'aaa new-model' and no
! explicit login method list, authentication presumably falls back to the local
! 'username admin' account - confirm with 'show aaa' / a test login.
 access-class SecShl in

! Telnet is refused; only SSH (over the 1024-bit RSA host key noted above)
 transport input ssh

!

!

! Free-running clock advertised at stratum 5 to mc3810top. NOTE(review): no
! 'ntp authenticate' or trusted keys are configured, so clients cannot verify
! this server; log timestamps on both routers depend on this clock.
ntp master 5

!

end

 

mc3810bot#

 
