Skip to main content

GRE over IPsec - VRF aware (FVRF + IVRF)

Recently I worked on one problem with VRF aware VPN (GRE over IPsec), FVRF and IVRF.


                           10.0.0.0/24

               /----\ .6                 .7 /----\
6.6.6.6 Loop0 |  R6  |---------------------|  R7  | Loop0 7.7.7.7
               \----/                       \----/
                 Tun1                       Tun1
          192.168.0.1                       192.168.0.2

--CLIENT------------>|<-----INTERNET------>|<---------CLIENT--
     VRF                      VRF                      VRF


Let’s configure it !
We have to start defining VRF:
 
!
ip vrf INTERNET
!
ip vrf CLIENT
!

and interfaces:

R6:
 
!
interface Loopback0
 ip vrf forwarding CLIENT
 ip address 6.6.6.6 255.255.255.0
!
interface Tunnel1
 ip vrf forwarding CLIENT
 ip address 192.168.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.7
 tunnel vrf INTERNET
!
interface GigabitEthernet0/0
 ip vrf forwarding INTERNET
 ip address 10.0.0.6 255.255.255.0
!

and R7:
 
!
interface Loopback0
 ip vrf forwarding CLIENT
 ip address 7.7.7.7 255.255.255.0
!
interface Tunnel1
 ip vrf forwarding CLIENT
 ip address 192.168.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.6
 tunnel vrf INTERNET
!
interface GigabitEthernet0/0
 ip vrf forwarding INTERNET
 ip address 10.0.0.7 255.255.255.0
!

then ACL to match GRE traffic:

R6:
 
ip access-list extended CRYPTO-ACL
 permit gre host 10.0.0.6 host 10.0.0.7
!

and R7:
 
ip access-list extended CRYPTO-ACL
 permit gre host 10.0.0.7 host 10.0.0.6
!

We need ISAKMP:
 
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5

GRE protection requires a ISAKMP profile , so we need keyring:

R6:
 
crypto keyring KEYRING vrf INTERNET
  pre-shared-key address 10.0.0.7 key KEY
!

and R7:
 
crypto keyring KEYRING vrf INTERNET
  pre-shared-key address 10.0.0.6 key KEY
!

next ISAKMP profiles:

R6:
 
crypto isakmp profile IKE-PROFILE
   keyring KEYRING
   match identity address 10.0.0.7 255.255.255.255 INTERNET
   local-address GigabitEthernet0/0
!

and for R7:
 
crypto isakmp profile IKE-PROFILE
   keyring KEYRING
   match identity address 10.0.0.6 255.255.255.255 INTERNET
   local-address GigabitEthernet0/0
!

Next, like for traditional VPNs we need transform-set 
 
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode transport
!

and IPsec profile:
 
crypto ipsec profile IPSEC-PROFILE
 set transform-set ESP-AES256-SHA1
 set isakmp-profile IKE-PROFILE
!

The last two steps are routing and protection of tunnel traffic:
 
!
interface Tunnel1
tunnel protection ipsec profile IPSEC-PROFILE
!

and
 
ip route vrf KLIENT 0.0.0.0 0.0.0.0 Tunnel1

Let’s test the tunnel:
 
R6#sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 10.0.0.6

   protected vrf: KLIENT
   local  ident (addr/mask/prot/port): (10.0.0.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.0.0.7/255.255.255.255/47/0)
   current_peer 10.0.0.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.6, remote crypto endpt.: 10.0.0.7
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x20259C21(539335713)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4F916E54(1334931028)

R6#

 
R6#ping vrf KLIENT 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/141/188 ms
R6#

 
R6#sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 10.0.0.6

   protected vrf: KLIENT
   local  ident (addr/mask/prot/port): (10.0.0.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.0.0.7/255.255.255.255/47/0)
   current_peer 10.0.0.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
    #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.6, remote crypto endpt.: 10.0.0.7
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x20259C21(539335713)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4F916E54(1334931028)
 
Labels:

Comments

  1. vipinv00000August 16, 2021 at 1:16 PM

    You've created a crypto ACL, but you've used Tunnel Protection which is a route-based VPN.

    Could you also show the same example with Crypto Map Based GRE over IPSEC scenario, that wud be gr8 !

    ReplyDelete
  2. DududaddySeptember 23, 2021 at 6:35 PM

    Hello,
    I am seeing that you are creating access lists but they are not applied anywhere. What is the purpose for those access lists?

    ReplyDelete
  3. DududaddySeptember 23, 2021 at 6:37 PM

    Hello,
    I see that you are creating access lists in this setup but I am not seeing where are they applied. Is there any reason for creating these lists?
    Thank you

    ReplyDelete

Post a Comment

Popular posts from this blog

What should you know about HA 'override enabled' setting on Fortigate?

High availability is mandatory in most of today's network designs. Only very small companies or branches can run their business without redundancy. When you have Fortigate firewall in your network you have many options to increase network availability. You can use Fortigate Clustering Protocol ( FGCP ) or Virtual Router Redundancy Protocol ( VRRP ). FGCP has two modes: 'override' disabled (default) and 'override' enabled . I'm not going to explain how to set up HA as you can find many resources on Fortinet websites: https://cookbook.fortinet.com/high-availability-two-fortigates-56/ https://cookbook.fortinet.com/high-availability-with-fgcp-56/ Let's recap what is the main difference between them. The default HA setting is 'override' disabled and this is an order of selection an active unit: 1) number of monitored interfaces - when both units have the same number of working (up) interfaces check next parameter 2) HA uptime - an ...
8 comments
Read more

FortiGate and GRE tunnel

Recently I worked on one project where a client requested to re-route web traffic to the GRE tunnel to perform traffic inspection. I would like to share with you what is required if you configure it on FortiGate. We need a new GRE interface and policy base routing (PBR) to change the route for specific source IPs. Of course you need firewall policies to permit the traffic. Let's start with GRE interface. Unfortunately you can't configure it using the GUI, only CLI is the option: config system gre-tunnel edit "gre1" set interface "port1" set local-gw 55.55.55.55 set remote-gw 44.44.44.44 next end When the end peer is Cisco router, you need to set the IP for the GRE interface: config system interface edit gre1 set ip 192.168.10.10 255.255.255.255 set remote-ip192.168.10.20 end In next step we need to fix routing. We need the alternate path via GRE but to keep the route in the active routing table you need to set the same AD (adminis...
Post a Comment
Read more

Inpection of asymmetric sessions on FortiGate

There is one feature available on FortiGate, and I think you should know it, as it modifies a bit what we know about stateful firewalls. In past every packet was treated individually and you had to create policies in both directions. With stateful firewalls we can track connections, and by checking couple of attributes, we can treat them as part of the same session. For example when you initiate connection from a host1 to host2, the returning connection from host2 to host1 will be treated as part of the same connection (session). They have to have the same source/destination and destination/source IPs, port numbers and interfaces.There is an exception from this rule and FortiGate in some specific cases can accept connections on port which was not used in the initial connection. Let me explain how it works on the below example:      The host1 has a default gateway on R1 (10.0.1.2), but you may notice that it is not the optimal path to host2 subnet. When we analyze ...
1 comment
Read more