Tuesday, August 26, 2014

GRE over IPsec - VRF aware (FVRF + IVRF)

Recently I worked on one problem with VRF aware VPN (GRE over IPsec), FVRF and IVRF.


                           10.0.0.0/24

               /----\ .6                 .7 /----\
6.6.6.6 Loop0 |  R6  |---------------------|  R7  | Loop0 7.7.7.7
               \----/                       \----/
                 Tun1                       Tun1
          192.168.0.1                       192.168.0.2

--CLIENT------------>|<-----INTERNET------>|<---------CLIENT--
     VRF                      VRF                      VRF


Let’s configure it !
We have to start defining VRF:
 
!
ip vrf INTERNET
!
ip vrf CLIENT
!  

and interfaces:

R6:
 
!
interface Loopback0
 ip vrf forwarding CLIENT
 ip address 6.6.6.6 255.255.255.0
!
interface Tunnel1
 ip vrf forwarding CLIENT
 ip address 192.168.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.7
 tunnel vrf INTERNET
!
interface GigabitEthernet0/0
 ip vrf forwarding INTERNET
 ip address 10.0.0.6 255.255.255.0
! 

and R7:
 
!
interface Loopback0
 ip vrf forwarding CLIENT
 ip address 7.7.7.7 255.255.255.0
!
interface Tunnel1
 ip vrf forwarding CLIENT
 ip address 192.168.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.6
 tunnel vrf INTERNET
!
interface GigabitEthernet0/0
 ip vrf forwarding INTERNET
 ip address 10.0.0.7 255.255.255.0
! 

then ACL to match GRE traffic:

R6:
 
ip access-list extended CRYPTO-ACL
 permit gre host 10.0.0.6 host 10.0.0.7
! 

and R7:
 
ip access-list extended CRYPTO-ACL
 permit gre host 10.0.0.7 host 10.0.0.6
! 

We need ISAKMP:
 
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5 

GRE protection requires a ISAKMP profile , so we need keyring:

R6:
 
crypto keyring KEYRING vrf INTERNET
  pre-shared-key address 10.0.0.7 key KEY
! 

and R7:
 
crypto keyring KEYRING vrf INTERNET
  pre-shared-key address 10.0.0.6 key KEY
! 

next ISAKMP profiles:

R6:
 
crypto isakmp profile IKE-PROFILE
   keyring KEYRING
   match identity address 10.0.0.7 255.255.255.255 INTERNET
   local-address GigabitEthernet0/0
! 

and for R7:
 
crypto isakmp profile IKE-PROFILE
   keyring KEYRING
   match identity address 10.0.0.6 255.255.255.255 INTERNET
   local-address GigabitEthernet0/0
! 

Next, like for traditional VPNs we need transform-set
 
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode transport
!

and IPsec profile:
 
crypto ipsec profile IPSEC-PROFILE
 set transform-set ESP-AES256-SHA1
 set isakmp-profile IKE-PROFILE
! 

The last two steps are routing and protection of tunnel traffic:
 
!
interface Tunnel1
tunnel protection ipsec profile IPSEC-PROFILE
! 

and
 
ip route vrf KLIENT 0.0.0.0 0.0.0.0 Tunnel1 

Let’s test the tunnel:
 
R6#sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 10.0.0.6

   protected vrf: KLIENT
   local  ident (addr/mask/prot/port): (10.0.0.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.0.0.7/255.255.255.255/47/0)
   current_peer 10.0.0.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.6, remote crypto endpt.: 10.0.0.7
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x20259C21(539335713)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4F916E54(1334931028)

R6#

 
R6#ping vrf KLIENT 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/141/188 ms
R6#

 
R6#sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 10.0.0.6

   protected vrf: KLIENT
   local  ident (addr/mask/prot/port): (10.0.0.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.0.0.7/255.255.255.255/47/0)
   current_peer 10.0.0.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
    #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.6, remote crypto endpt.: 10.0.0.7
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x20259C21(539335713)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4F916E54(1334931028)
 

No comments:

Post a Comment