Skip to main content

VPN - GRE over IPsec

Today I would like to play with GRE tunnels and their protections by IPsec profiles. Below you can find scenario I use today:
blog-gre-over-ipsec1.jpg
R3:
 
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key cisco address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PRF
 set transform-set TS
!
interface Tunnel0
 ip address 7.7.7.3 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 10.1.0.5
 tunnel protection ipsec profile IPSEC-PRF
!
router eigrp 10
 network 7.7.7.0 0.0.0.255
 network 10.2.0.0 0.0.0.255
!

And R5:
 
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key cisco address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PRF
 set transform-set TS
!
interface Tunnel0
 ip address 7.7.7.5 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 10.1.0.3
 tunnel protection ipsec profile IPSEC-PRF
!
router eigrp 10
 network 7.7.7.0 0.0.0.255
 network 10.0.0.0 0.0.0.255
!

Let’s check the GRE tunnels status:
 
r3#sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.2.0.3        YES manual up                    up
FastEthernet0/1            unassigned      YES unset  administratively down down
FastEthernet1/0            10.1.0.3        YES manual up                    up
FastEthernet1/1            unassigned      YES unset  administratively down down
Tunnel0                    7.7.7.3         YES manual up                    up
r3#

r5#sh ip int b
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.0.0.5        YES manual up                    up
FastEthernet0/1        10.1.0.5        YES manual up                    up
FastEthernet1/0        unassigned      YES unset  administratively down down
FastEthernet1/1        unassigned      YES unset  administratively down down
Tunnel0                7.7.7.5         YES manual up                    up
r5#'

I try now to send ping from R12 to R6 to check if the traffic is encrypted:
 
r3#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel0
Uptime: 00:25:26
Session status: UP-ACTIVE
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.1.0.5
      Desc: (none)
  IKEv1 SA: local 10.1.0.3/500 remote 10.1.0.5/500 Active
          Capabilities:(none) connid:1002 lifetime:23:34:22
  IKEv1 SA: local 10.1.0.3/500 remote 10.1.0.5/500 Active
          Capabilities:(none) connid:1001 lifetime:23:34:20
  IPSEC FLOW: permit 47 host 10.1.0.3 host 10.1.0.5
        Active SAs: 6, origin: crypto map
        Inbound:  #pkts dec'ed 330 drop 22 life (KB/Sec) 4375496/2082
        Outbound: #pkts enc'ed 346 drop 0 life (KB/Sec) 4375497/2082

r3#
 
r5#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel0
Uptime: 00:25:51
Session status: UP-ACTIVE
Peer: 10.1.0.3 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.1.0.3
      Desc: (none)
  IKEv1 SA: local 10.1.0.5/500 remote 10.1.0.3/500 Active
          Capabilities:(none) connid:1001 lifetime:23:33:54
  IKEv1 SA: local 10.1.0.5/500 remote 10.1.0.3/500 Active
          Capabilities:(none) connid:1002 lifetime:23:33:57
  IPSEC FLOW: permit 47 host 10.1.0.5 host 10.1.0.3
        Active SAs: 6, origin: crypto map
        Inbound:  #pkts dec'ed 338 drop 13 life (KB/Sec) 4357161/2057
        Outbound: #pkts enc'ed 358 drop 0 life (KB/Sec) 4357160/2057

r5#
 
R12#ping 10.0.0.6 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!
!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!
Success rate is 96 percent (96/100), round-trip min/avg/max = 20/69/136 ms
R12#

And check now the numbers:
 
r3#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel0
Uptime: 00:26:51
Session status: UP-ACTIVE
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.1.0.5
      Desc: (none)
  IKEv1 SA: local 10.1.0.3/500 remote 10.1.0.5/500 Active
          Capabilities:(none) connid:1002 lifetime:23:32:57
  IKEv1 SA: local 10.1.0.3/500 remote 10.1.0.5/500 Active
          Capabilities:(none) connid:1001 lifetime:23:32:54
  IPSEC FLOW: permit 47 host 10.1.0.3 host 10.1.0.5
        Active SAs: 6, origin: crypto map
        Inbound:  #pkts dec'ed 444 drop 23 life (KB/Sec) 4375477/1997
        Outbound: #pkts enc'ed 465 drop 0 life (KB/Sec) 4375477/1997

r3#
 
r5#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel0
Uptime: 00:26:56
Session status: UP-ACTIVE
Peer: 10.1.0.3 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.1.0.3
      Desc: (none)
  IKEv1 SA: local 10.1.0.5/500 remote 10.1.0.3/500 Active
          Capabilities:(none) connid:1001 lifetime:23:32:50
  IKEv1 SA: local 10.1.0.5/500 remote 10.1.0.3/500 Active
          Capabilities:(none) connid:1002 lifetime:23:32:52
  IPSEC FLOW: permit 47 host 10.1.0.5 host 10.1.0.3
        Active SAs: 6, origin: crypto map
        Inbound:  #pkts dec'ed 452 drop 14 life (KB/Sec) 4357142/1992
        Outbound: #pkts enc'ed 468 drop 0 life (KB/Sec) 4357142/1992

r5#
 
R12#traceroute 10.0.0.6

Type escape sequence to abort.
Tracing the route to 10.0.0.6

  1 10.2.0.3 48 msec 44 msec 36 msec
  2 7.7.7.5 76 msec 92 msec 48 msec
  3 10.0.0.6 92 msec 56 msec 76 msec
R12#

As you see the traffic is passing through the tunnel and it is encrypted properly. There is one problem with this scenario because I don’t have any tunnel between R12 and R6. I’m going now to add the second tunnel and implement HA.

blog-gre-over-ipsec2.jpg

On r5 I add a new tunnel interface:
 
r5#sh run int Tun1
Building configuration...

Current configuration : 162 bytes
!
interface Tunnel1
 ip address 7.7.8.5 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 10.1.0.4
 tunnel protection ipsec profile IPSEC-PRF
end

r5#

and the same on R4:
 
r4#sh run int tun1
Building configuration...

Current configuration : 162 bytes
!
interface Tunnel1
 ip address 7.7.8.4 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 10.1.0.5
 tunnel protection ipsec profile IPSEC-PRF
end

r4#

Now I check the routing table on both: r12 and r5:
 
R12#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     7.0.0.0/24 is subnetted, 2 subnets
D       7.7.7.0 [90/26882560] via 10.2.0.3, 02:25:21, FastEthernet1/0
D       7.7.8.0 [90/26882560] via 10.2.0.4, 00:45:48, FastEthernet1/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.2.0.0 is directly connected, FastEthernet1/0
D       10.0.0.0 [90/26885120] via 10.2.0.4, 00:44:19, FastEthernet1/0
                 [90/26885120] via 10.2.0.3, 00:44:19, FastEthernet1/0
R12#
 
r5#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      7.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        7.7.7.0/24 is directly connected, Tunnel0
L        7.7.7.5/32 is directly connected, Tunnel0
C        7.7.8.0/24 is directly connected, Tunnel1
L        7.7.8.5/32 is directly connected, Tunnel1
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C        10.0.0.0/24 is directly connected, FastEthernet0/0
L        10.0.0.5/32 is directly connected, FastEthernet0/0
C        10.1.0.0/24 is directly connected, FastEthernet0/1
L        10.1.0.5/32 is directly connected, FastEthernet0/1
D        10.2.0.0/24 [90/26882560] via 7.7.8.4, 00:45:08, Tunnel1
                     [90/26882560] via 7.7.7.3, 00:45:08, Tunnel0
r5#

In my case both physical links are exactly the same. If you need to have one preferred node you can change some eigrp parameters like delay.

Let’s test now the failure of one device:
 
R12#ping 10.0.0.6 repeat 10000

Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!
!!!.!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!
!!!!!.!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!.......!!!!!!!!!!!!!!!!!..!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!
.
Success rate is 92 percent (260/281), round-trip min/avg/max = 24/75/184 ms
R12#
 
r5(config-if)#int tun
*Nov 19 16:44:45.911: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up0
r5(config-if)#
*Nov 19 16:44:45.935: %LINK-3-UPDOWN: Interface Tunnel1, changed state to upsh
r5(config-if)#
*Nov 19 16:44:49.587: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 7.7.7.3 (Tunnel0) is down: interface down
*Nov 19 16:44:51.519: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 19 16:44:51.523: %LINK-5-CHANGED: Interface Tunnel0, changed state to administratively down
*Nov 19 16:44:58.519: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 7.7.8.4 (Tunnel1) is up: new adjacency
*Nov 19 16:45:01.171: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=25 spi=500B46EE seqno=00000007
*Nov 19 16:45:04.987: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.1.0.4 has no SA and is not an initialization offer

As you see I lost 7 packets when I shut down one tunnel. Now the switchover time is dependent on routing protocol characteristic. In my next post I will add HA with stateful switchover (SSO).

Comments

Popular posts from this blog

What should you know about HA 'override enabled' setting on Fortigate?

High availability is mandatory in most of today's network designs. Only very small companies or branches can run their business without redundancy. When you have Fortigate firewall in your network you have many options to increase network availability. You can use Fortigate Clustering Protocol ( FGCP ) or Virtual Router Redundancy Protocol ( VRRP ). FGCP has two modes: 'override' disabled (default) and 'override' enabled . I'm not going to explain how to set up HA as you can find many resources on Fortinet websites: https://cookbook.fortinet.com/high-availability-two-fortigates-56/ https://cookbook.fortinet.com/high-availability-with-fgcp-56/ Let's recap what is the main difference between them. The default HA setting is 'override' disabled and this is an order of selection an active unit: 1) number of monitored interfaces - when both units have the same number of working (up) interfaces check next parameter 2) HA uptime - an ...

FortiGate and GRE tunnel

Recently I worked on one project where a client requested to re-route web traffic to the GRE tunnel to perform traffic inspection. I would like to share with you what is required if you configure it on FortiGate. We need a new GRE interface and policy base routing (PBR) to change the route for specific source IPs. Of course you need firewall policies to permit the traffic. Let's start with GRE interface. Unfortunately you can't configure it using the GUI, only CLI is the option: config system gre-tunnel edit "gre1" set interface "port1" set local-gw 55.55.55.55 set remote-gw 44.44.44.44 next end When the end peer is Cisco router, you need to set the IP for the GRE interface: config system interface edit gre1 set ip 192.168.10.10 255.255.255.255 set remote-ip192.168.10.20 end In next step we need to fix routing. We need the alternate path via GRE but to keep the route in the active routing table you need to set the same AD (adminis...

Inpection of asymmetric sessions on FortiGate

There is one feature available on FortiGate, and I think you should know it, as it modifies a bit what we know about stateful firewalls. In past every packet was treated individually and you had to create policies in both directions. With stateful firewalls we can track connections, and by checking couple of attributes, we can treat them as part of the same session. For example when you initiate connection from a host1 to host2, the returning connection from host2 to host1 will be treated as part of the same connection (session). They have to have the same source/destination and destination/source IPs, port numbers and interfaces.There is an exception from this rule and FortiGate in some specific cases can accept connections on port which was not used in the initial connection. Let me explain how it works on the below example:      The host1 has a default gateway on R1 (10.0.1.2), but you may notice that it is not the optimal path to host2 subnet. When we analyze ...