Encrypted GRE Tunnel VPN using AES 256 encryption
This represents a simple encrypted VPN tunnel across a set of BGP links connected via serial links. The GRE tunnel and the encryption pieces are color coded, and the parts that apply the encryption to the GRE tunnel are also underlined. OSPF is configured to provide IGP routing via the GRE tunnel. The mc3810bot router is configured as the NTP master at stratum 5 and mc3810top is synchronized to it.

In addition, syslogging to a Linux box at 192.168.6.61 is configured, as is SSH access, which is limited to the host 192.168.6.21. Syslogging requires modifications on the Linux side. In the RHL /etc/sysconfig/syslog file, change the line ="-m 0" to ="-r -m 0" so that syslogd accepts messages from the network. The /etc/syslog.conf file needs a line similar to "local3.* /var/cisco/router.log" added, and the file /var/cisco/router.log must be created beforehand. Note that the separator in that line must be a tab, not spaces.
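The Linux-side changes just described, as an added example that is not part of the original page: it applies the two edits to in-memory copies of the files and then runs the check the tab caveat calls for. It assumes that the RHL sysconfig variable carrying syslogd's flags is SYSLOGD_OPTIONS (Red Hat's sysklogd packaging); the function names and the sample file contents are constructed for this example.

```python
# Added example (not part of the original page): applies the two Linux-side
# syslog edits described above to in-memory copies of the files, then checks
# that every rule line uses a tab, not spaces, between selector and action.
# Assumption: the RHL sysconfig variable holding syslogd's flags is
# SYSLOGD_OPTIONS, as in Red Hat's sysklogd packaging.
import re

ROUTER_LOG = "/var/cisco/router.log"


def enable_remote_reception(sysconfig_text):
    """Rewrite SYSLOGD_OPTIONS="-m 0" as SYSLOGD_OPTIONS="-r -m 0".
    -r makes syslogd accept UDP/514 messages from the routers; the edit is
    idempotent, so running it twice leaves a single -r."""
    return re.sub(r'^(SYSLOGD_OPTIONS=")(?!-r )', r'\1-r ', sysconfig_text, flags=re.M)


def add_router_rule(syslog_conf_text, facility="local3", target=ROUTER_LOG):
    """Append the facility rule with a real tab between selector and action.
    The facility must match the router's 'logging facility' setting."""
    rule = f"{facility}.*\t{target}"
    if rule in syslog_conf_text.splitlines():
        return syslog_conf_text          # already present, leave the file alone
    return syslog_conf_text.rstrip("\n") + "\n" + rule + "\n"


def space_separated_rules(syslog_conf_text):
    """Rule lines that contain no tab at all: these were typed with spaces,
    which the note above says syslogd will not honour. Empty list means clean."""
    return [
        line for line in syslog_conf_text.splitlines()
        if line.strip() and not line.lstrip().startswith("#") and "\t" not in line
    ]


if __name__ == "__main__":
    # Constructed sample contents standing in for the two files on the Linux box
    sysconfig = 'SYSLOGD_OPTIONS="-m 0"\nKLOGD_OPTIONS="-x"\n'
    syslog_conf = "*.info;mail.none;authpriv.none;cron.none\t/var/log/messages\n"
    print(enable_remote_reception(sysconfig))
    new_conf = add_router_rule(syslog_conf)
    print(new_conf, "lines without a tab:", space_separated_rules(new_conf))
```

Creating /var/cisco/router.log before restarting syslogd is still a manual step (the functions here only produce the new file contents); run space_separated_rules over the real /etc/syslog.conf after editing it by hand, since a rule typed with spaces silently logs nothing.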
Key (color coding of the configs below):
  Encryption
  GRE Tunnel
  SSH
  Encrypted GRE Tunnel VPN
  SysLogging
mc3810top#sh run
!
version 12.3
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname mc3810top
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 debugging
!
clock timezone pst -8
clock summer-time pdt recurring
network-clock base-rate 56k
no aaa new-model
ip subnet-zero
!
! crypto policy sets up the isakmp negotiation and control parameters
! The index sets a priority for that set of features: lower index, higher priority.
! This also applies to the crypto map below
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 36000
crypto isakmp key wH1n3r@! address 66.67.100.2
!
! The transform-set defines the actual encryption and hashing used
! It is applied in the crypto map and, optionally, in the crypto profile
crypto ipsec transform-set homelab1 esp-aes 256 esp-sha-hmac
 mode transport
!
! The profile is applied at the tunnel interface as a protection command
crypto ipsec profile IPS-Tun0
 set security-association lifetime kilobytes 200000
 set security-association lifetime seconds 28800
 set transform-set homelab1
 set pfs group2
!
! Crypto map defines what encryption is applied and to what traffic
! The crypto map is applied on a per-interface basis: See s0
crypto map homelab1 10 ipsec-isakmp
 description +++ Connection across BGP +++
 set peer 66.67.101.2
 set security-association lifetime kilobytes 200000
 set security-association lifetime seconds 28800
 ! The crypto map selects the transform-set to apply to the interface
 set transform-set homelab1
 set pfs group2
 ! The access-list below controls what is encrypted
 ! The access-lists on either end are symmetrical wrt source and destination
 match address Tunnel1
!
interface Loopback0
 ip address 192.168.74.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback1
 ip address 192.168.75.1 255.255.255.0
 ip ospf network point-to-point
!
! this section sets up the GRE tunnel
interface Tunnel0
 ip address 192.168.200.1 255.255.255.252
 tunnel source Serial0
 tunnel destination 66.67.100.2
 ! The following line sets up the encryption of the GRE tunnel
 ! Without this line the GRE tunnel remains unencrypted
 tunnel protection ipsec profile IPS-Tun0
!
interface Serial0
 description To r7505-1 / s0/2
 ip address 66.67.101.2 255.255.255.252
 ! This line applies the crypto configs to this interface
 crypto map homelab1
!
router ospf 10
 router-id 192.168.200.1
 log-adjacency-changes
 network 192.168.7.0 0.0.0.255 area 2
 network 192.168.74.0 0.0.1.255 area 2
 network 192.168.200.0 0.0.0.3 area 2
!
router bgp 65002
 no synchronization
 bgp log-neighbor-changes
 network 66.67.101.0 mask 255.255.255.252
 neighbor 66.67.101.1 remote-as 65000
 no auto-summary
!
ip classless
no ip http server
no ip http secure-server
!
ip access-list extended Tunnel1
 remark +++ Traffic for encrypted tunnel +++
 permit gre host 192.168.200.1 host 192.168.200.2 log-input
 remark
 remark @@@ End A-L Tunnel1 @@@
 remark
!
alias exec sracl show run | begin access-list
alias exec srbi show run | begin interface
alias exec sri show run interface
alias exec srb show run | begin
alias exec srr show run | begin ^router
!
line con 0
 session-timeout 2880
 exec-timeout 2880 0
 logging synchronous
line aux 0
line 2 3
line vty 0 4
 privilege level 15
 password wiener
 no login
!
ntp clock-period 17179854
ntp server 192.168.200.2
end
mc3810top#
mc3810bot#sh run
!
version 12.3
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname mc3810bot
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$JKRW$VFb4zLDE4mXsNzvCO19SX0
!
clock timezone pst -8
clock summer-time pdt recurring
network-clock base-rate 56k
! required to get SSH to run
! also need 'crypto key generate rsa general-keys modulus 1024'
aaa new-model
!
! auto-generated
aaa session-id common
ip subnet-zero
!
ip domain name personal.com
!
ip ssh authentication-retries 5
!
username admin password 0 wH1n3r@!
!
! crypto policy sets up the isakmp negotiation and control parameters
! The index sets a priority for that set of features: lower index, higher priority.
! This also applies to the crypto map below
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 36000
crypto isakmp key wH1n3r@! address 66.67.101.2
!
! The transform-set defines the actual encryption and hashing used
! It is applied in the crypto map and, optionally, in the crypto profile
crypto ipsec transform-set homelab1 esp-aes 256 esp-sha-hmac
 mode transport
!
! The profile is applied at the tunnel interface as a protection command
crypto ipsec profile IPS-Tun0
 set security-association lifetime kilobytes 200000
 set security-association lifetime seconds 28800
 set transform-set homelab1
 set pfs group2
!
! Crypto map defines what encryption is applied and to what traffic
! The crypto map is applied on a per-interface basis: See s0
crypto map homelab1 10 ipsec-isakmp
 description +++ Connection across BGP +++
 set peer 66.67.101.2
 set security-association lifetime kilobytes 200000
 set security-association lifetime seconds 28800
 ! The crypto map selects the transform-set to apply to the interface
 set transform-set homelab1
 set pfs group2
 ! The access-list below controls what is encrypted
 ! The access-lists on either end are symmetrical wrt source and destination
 match address Tunnel1
!
interface Loopback0
 ip address 192.168.180.1 255.255.255.240
 ip ospf network point-to-point
!
interface Loopback1
 ip address 192.168.181.1 255.255.255.240
 ip ospf network point-to-point
!
! this section sets up the GRE tunnel
interface Tunnel0
 ip address 192.168.200.2 255.255.255.252
 tunnel source Serial0
 tunnel destination 66.67.101.2
 ! The following line sets up the encryption of the GRE tunnel
 ! Without this line the GRE tunnel remains unencrypted
 tunnel protection ipsec profile IPS-Tun0
!
interface Serial0
 ip address 66.67.100.2 255.255.255.252
 no fair-queue
 ! This line applies the crypto configs to this interface
 crypto map homelab1
!
router ospf 10
 router-id 192.168.200.2
 log-adjacency-changes
 network 192.168.6.0 0.0.0.255 area 0
 network 192.168.180.0 0.0.0.15 area 1
 network 192.168.181.0 0.0.0.15 area 0
 network 192.168.200.0 0.0.0.3 area 2
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 66.67.100.0 mask 255.255.255.252
 neighbor 66.67.100.1 remote-as 65000
 no auto-summary
!
ip classless
no ip http server
no ip http secure-server
!
ip access-list standard SecShl
 remark +++ Limit SSH traffic to the Win2k Pro Box +++
 permit 192.168.6.21
 remark
 remark @@@ End A-L SecShl @@@
 remark
!
ip access-list extended Tunnel1
 remark +++ Traffic for encrypted tunnel +++
 permit gre host 192.168.200.2 host 192.168.200.1 log-input
 remark
 remark @@@ End A-L Tunnel1 @@@
 remark
!
logging trap debugging
logging facility local3
logging 192.168.6.61
!
alias exec sracl show run | begin access-list
alias exec srbi show run | begin interface
alias exec sri show run interface
alias exec srb show run | begin
alias exec srr show run | begin ^router
!
line con 0
 session-timeout 2880
 exec-timeout 2880 0
 logging synchronous
line aux 0
line 2 3
line vty 0 4
 ! These lines apply SSH parameters to the VTY lines
 access-class SecShl in
 transport input ssh
!
ntp master 5
!
end
mc3810bot#
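A consistency check over the two configs above, as an added example that is not code from the page: it parses the crypto, Tunnel0, Serial0 and access-list sections of both routers and verifies that each side points at the other's Serial0 address, that both Tunnel0 interfaces carry tunnel protection, that the ISAKMP policy and transform-set match, and that the two Tunnel1 access-lists are mirror images. MC3810TOP and MC3810BOT are trimmed copies of the page's values; parse_sections, rest and tunnel_findings are names chosen for this example.

```python
# Added example, not code from the page: cross-checks the two router configs above
# for the symmetry an encrypted GRE-over-IPsec tunnel needs. MC3810TOP/MC3810BOT
# are trimmed copies of the crypto, Tunnel0, Serial0 and ACL lines from the page.
MC3810TOP = """\
hostname mc3810top
crypto isakmp policy 10
 encr aes 256
 group 2
crypto isakmp key wH1n3r@! address 66.67.100.2
crypto ipsec transform-set homelab1 esp-aes 256 esp-sha-hmac
crypto map homelab1 10 ipsec-isakmp
 set peer 66.67.101.2
 match address Tunnel1
interface Tunnel0
 tunnel destination 66.67.100.2
 tunnel protection ipsec profile IPS-Tun0
interface Serial0
 ip address 66.67.101.2 255.255.255.252
ip access-list extended Tunnel1
 permit gre host 192.168.200.1 host 192.168.200.2 log-input
"""

MC3810BOT = """\
hostname mc3810bot
crypto isakmp policy 10
 encr aes 256
 group 2
crypto isakmp key wH1n3r@! address 66.67.101.2
crypto ipsec transform-set homelab1 esp-aes 256 esp-sha-hmac
crypto map homelab1 10 ipsec-isakmp
 set peer 66.67.101.2
 match address Tunnel1
interface Tunnel0
 tunnel destination 66.67.101.2
 tunnel protection ipsec profile IPS-Tun0
interface Serial0
 ip address 66.67.100.2 255.255.255.252
ip access-list extended Tunnel1
 permit gre host 192.168.200.2 host 192.168.200.1 log-input
"""


def parse_sections(config):
    """Map each top-level line to its indented sub-commands; '!' comments dropped."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
    return sections


def rest(sections, prefix, sub_prefix=None):
    """Text after prefix on the first matching top-level line; with sub_prefix,
    text after sub_prefix on that section's first matching sub-command."""
    for header, subs in sections.items():
        if header.startswith(prefix):
            if sub_prefix is None:
                return header[len(prefix):].strip()
            return next((s[len(sub_prefix):].strip() for s in subs if s.startswith(sub_prefix)), None)
    return None


def tunnel_findings(cfg_a, cfg_b):
    """List the mismatches between two peer configs; an empty list means consistent."""
    a, b = parse_sections(cfg_a), parse_sections(cfg_b)
    found = []
    if a.get("crypto isakmp policy 10") != b.get("crypto isakmp policy 10"):
        found.append("isakmp policy 10 differs between the two routers")
    if rest(a, "crypto ipsec transform-set") != rest(b, "crypto ipsec transform-set"):
        found.append("transform-set algorithms differ between the two routers")
    for me, peer in ((a, b), (b, a)):
        name, peer_name = rest(me, "hostname "), rest(peer, "hostname ")
        my_wan = rest(me, "interface Serial0", "ip address ").split()[0]
        peer_wan = rest(peer, "interface Serial0", "ip address ").split()[0]
        if rest(me, "interface Tunnel0", "tunnel destination ") != peer_wan:
            found.append(f"{name}: tunnel destination is not {peer_name}'s Serial0 address")
        key = (rest(me, "crypto isakmp key ") or "").split()   # ['<key>', 'address', '<ip>']
        if len(key) < 3 or key[-1] != peer_wan:
            found.append(f"{name}: isakmp key is not bound to {peer_name}'s Serial0 address")
        if rest(me, "interface Tunnel0", "tunnel protection ipsec profile ") is None:
            found.append(f"{name}: Tunnel0 has no tunnel protection, GRE would cross the link unencrypted")
        cm_peer = rest(me, "crypto map homelab1", "set peer ")
        if cm_peer == my_wan:
            found.append(f"{name}: crypto map peer is this router's own Serial0 address")
        elif cm_peer != peer_wan:
            found.append(f"{name}: crypto map peer is not {peer_name}'s Serial0 address")
    acl_a = rest(a, "ip access-list extended Tunnel1", "permit gre host ").split()
    acl_b = rest(b, "ip access-list extended Tunnel1", "permit gre host ").split()
    if (acl_a[0], acl_a[2]) != (acl_b[2], acl_b[0]):      # B's src/dst must be A's dst/src
        found.append("Tunnel1 access-lists are not mirror images of each other")
    return found


if __name__ == "__main__":
    print("\n".join(tunnel_findings(MC3810TOP, MC3810BOT)) or "no mismatches found")
```

Run against the page's own values the check reports one item: the crypto map on mc3810top has set peer 66.67.101.2, which is that router's own Serial0 address rather than mc3810bot's 66.67.100.2. The tunnel protection command on Tunnel0 is what encrypts the GRE traffic here, so the tunnel still works, but a crypto map whose peer is unreachable is worth correcting before anything is made to depend on it.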