
Friday, June 4, 2010

Misc 29


Recall that GRE has no encryption capabilities of its own. To protect the tunnel we therefore run GRE over IPSec. The configuration is very similar to the site-to-site VPN described in the VPN Introduction section; the main difference is that instead of the default tunnel mode we switch to transport mode.

Recall that tunnel mode encrypts the entire IP packet, header included, and encapsulates it in a new packet, whereas transport mode encrypts only the payload and keeps the original IP header. Tunnel mode's encapsulation is much like what GRE already does, so here we use transport mode: GRE supplies the outer IP header and IPSec protects the GRE packet carried inside it.

Let's begin on R1. As mentioned, the procedure is the same as before, so read VPN Introduction if you need a refresher on what the commands do. Head over to R1's console and enable ISAKMP:
crypto isa en

Next, create a policy map:
crypto isa pol 1
hash sha
auth pre
group 5
life 60
encr aes


Since authentication is pre-shared, we would have to specify a common key:
crypto isa key 0 cisco add 3.3.3.2

Now we create the transform set. The only difference from the site-to-site case is that you change the mode to transport at the transform-set prompt (the full command is crypto ipsec transform-set):
crypto ipsec transform-set TRANSFORM esp-aes
mode transport


Now we'll create the list of interesting traffic. Note that for traffic going through the tunnel you only have to match the tunnel endpoints (the GRE source and destination addresses) as interesting, because everything sent into the tunnel leaves the router inside GRE packets between those two addresses:
ip access-l extended INTERESTING
permit ip 1.1.1.2 0.0.0.0 3.3.3.2 0.0.0.0


Now we finally create the crypto map:
crypto map MAP 1 ipsec-isakmp
set peer 3.3.3.2
set transform TRANSFORM
match add INTERESTING


We do the same, mirrored, for R2:
crypto isa pol 1
hash sha
auth pre
group 5
life 60
encr aes
crypto isa key 0 cisco add 1.1.1.2
crypto ipsec transform-set TRANSFORM esp-aes
mode transport
ip access-l extended INTERESTING
permit ip 3.3.3.2 0.0.0.0 1.1.1.2 0.0.0.0
crypto map MAP 1 ipsec-isakmp
set peer 1.1.1.2
set transform TRANSFORM
match add INTERESTING


In this example, any traffic going through the GRE tunnel is automatically encrypted by IPSec. If you need additional VPN endpoints, create a new interesting-traffic list for each one and add another entry to the same crypto map with the command "crypto map MAP 2 ipsec-isakmp", giving that entry its own peer and match statement.
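To put the pieces together, here is the complete R1 side as an added example (it is not configuration from the original post). It adds what the post leaves to the VPN Introduction: the GRE tunnel interface itself and the attachment of the crypto map to the WAN interface. It also spells out the full command names, narrows the interesting traffic to GRE, and adds an integrity transform (esp-sha-hmac) next to the post's esp-aes. The interface names, the tunnel addressing 10.0.0.1/30 and the remote LAN 192.168.2.0/24 are assumptions; R2 mirrors this with the addresses swapped.

```cisco
! Added example, not the original post's configuration.
! Assumptions: WAN interface FastEthernet0/0 carries the page's endpoint
! address 1.1.1.2/24, the GRE tunnel is Tunnel0 numbered 10.0.0.1/30,
! and the LAN behind R2 is 192.168.2.0/24 (all hypothetical).
!
! Phase 1 (ISAKMP), as on the page
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 5
 lifetime 60
crypto isakmp key 0 cisco address 3.3.3.2
!
! Phase 2: transport mode, because GRE already provides the outer IP header.
! esp-sha-hmac is added to the page's esp-aes so the ESP payload is
! integrity-protected as well as encrypted.
crypto ipsec transform-set TRANSFORM esp-aes esp-sha-hmac
 mode transport
!
! Interesting traffic: only the GRE packets between the two tunnel endpoints.
! Matching protocol gre is narrower than the page's "permit ip".
ip access-list extended INTERESTING
 permit gre host 1.1.1.2 host 3.3.3.2
!
crypto map MAP 1 ipsec-isakmp
 set peer 3.3.3.2
 set transform-set TRANSFORM
 match address INTERESTING
!
! The GRE tunnel (not shown on the page). Anything routed into Tunnel0 becomes
! a GRE packet from 1.1.1.2 to 3.3.3.2 and therefore matches INTERESTING.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 3.3.3.2
!
! The crypto map goes on the physical (tunnel source) interface. On IOS
! releases before 12.2(13)T it also had to be applied to the tunnel interface.
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 crypto map MAP
!
! Route the remote LAN through the tunnel so that its traffic is encrypted.
ip route 192.168.2.0 255.255.255.0 Tunnel0
```

The security associations are only negotiated once the first packet is routed into Tunnel0. After that, "show crypto isakmp sa" should list the peer 3.3.3.2, and the packet counters in "show crypto ipsec sa" should increase as traffic crosses the tunnel; the same output also reports whether the SA is running in transport or tunnel mode, which is the quickest way to confirm the "mode transport" setting took effect.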
