Encrypted GRE Tunnel with IPSEC

Hi Victor,

That would also work. Crypto-maps are the “old” way of configuring IPsec and the crypto profiles are the “new” way of doing it.

Rene

I configured my tunnel and everything, and I have ping between the 2 ends, but when I check the status of my tunnel it shows “down”.

Hi,
I configured my tunnel and everything is set, but when I was trying to ping,
the ping was not successful and my tunnel status is down. Any solution for that?

Hi Aicha,

I would start by disabling IPsec, make sure your GRE tunnel is working 100% first. Check if both routers are able to reach the other’s tunnel IP address. Your GRE tunnel should be up/up.

When that works, see if you can get IPsec to work.

Rene

Hi Rene,

Thank you very much for this informative post.

I would like to know whether IPSEC over GRE and IPSEC tunnel mode are the same or not.

If so, shouldn’t we see the tunnel ip addresses as dst and src ip addresses in the captures?

Thanks

Hi Mithun,

These are not the same. Take a look at this picture from my IPsec lesson:

Ipsec Encapsulation

When we use IPsec tunnel mode, we encapsulate the original IP packet and put an AH or ESP header and new IP header in front of it. IPsec only supports unicast packets.

GRE also encapsulates IP packets and it supports multicast traffic. It adds a GRE header in front of the original IP packet and then a new IP header. You can see this in this capture file:

GRE Encapsulated ICMP Capture

GRE and IPsec tunnel mode both encapsulate IP packets. GRE doesn’t offer any encryption though.

When we combine GRE and IPsec, normally we use IPsec transport mode. GRE has already added a new IP header so there’s no need for IPsec to do it again. That’s why you can use transport mode.

Hope this helps!

Rene

Hi Rene,

I tried to change

crypto ipsec transform-set TRANS ah-sha-hmac
 mode transport

Why in the Wireshark capture is it still tunnel mode?

Thank you.

Hello LER-SAK.

Are you sure that you have applied the transform set? If you still have problems, please share the relevant portions of your configuration at both ends of the VPN.

I hope this has been helpful.

Laz

Hi Lazaros,

Thanks for your reply. I still have the problem. The configuration follows Rene's, except for the transform-set, which I changed to ah-sha to see the packet; the project is in the attachment.

Thank you

BASIC-Encryption-Tunnel-with-IPsec.rar (40.0 KB)

Hello again LER-SAK.

Keep in mind that even if you manually set up the transport mode, it will only function as transport mode when the traffic to be encrypted is to or from the endpoints of the tunnel, such as routing updates from one router, destined to the other router.

However, traffic that is being transferred between PCs behind the routers will still end up using tunnel mode even if we configure transport mode.

More specifically:

Host A ----------------Router1----------Internet-------------Router2----------------Host B

If we have transport mode configured between Router1 and Router2, communication between Router1 and Router2 should be transport mode. However, if host A pings to host B for example, Router1 converts the packet to tunnel mode EVEN IF you have configured transport mode.

I hope this has been helpful!

Laz
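The encapsulations Rene described earlier in the thread (GRE, IPsec tunnel mode, and why transport mode fits on top of GRE) and the transport/tunnel fallback Laz describes above, as an added example that is not part of the thread and not code from the lesson. The three framings are built byte for byte with the standard library and then parsed the way a capture tool sees them. Addresses, the SPI and the ICMP payload are constructed for the example; ESP payloads keep only the RFC 4303 framing (no cipher, no ICV) so the script runs offline, and effective_mode is a model of the behaviour described in the reply above, not IOS code.

```python
"""Build the encapsulations discussed in this thread and view them as a capture would.

Constructed addresses and SPI; ESP payloads keep only the RFC 4303 framing (no
cipher, no ICV) so this runs without a crypto library.  effective_mode models the
fallback described in the reply above; it is not IOS code.
"""
import struct

IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_GRE, IPPROTO_ESP = 1, 4, 47, 50
ETHERTYPE_IPV4 = 0x0800

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) in front of payload."""
    s, d = (bytes(map(int, a.split("."))) for a in (src, dst))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def icmp_echo(ident: int, seq: int, data: bytes = b"abcdefgh") -> bytes:
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", ip_checksum(msg)) + msg[4:]

def gre(inner_ip: bytes) -> bytes:
    """RFC 2784 GRE header without checksum/key/sequence, carrying IPv4."""
    return struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner_ip

def esp(spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """RFC 4303 framing: SPI, sequence, payload, padding to 4 bytes, pad length, next header."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    return struct.pack("!II", spi, seq) + payload + padding + struct.pack("!BB", pad_len, next_header)

def plain_gre(outer_src: str, outer_dst: str, inner_ip: bytes) -> bytes:
    return ipv4(outer_src, outer_dst, IPPROTO_GRE, gre(inner_ip))

def gre_esp_transport(outer_src: str, outer_dst: str, spi: int, seq: int, inner_ip: bytes) -> bytes:
    """Transport mode: GRE header plus inner packet become the ESP payload; the IP
    header GRE already supplies is reused, so ESP's next header is GRE (47)."""
    return ipv4(outer_src, outer_dst, IPPROTO_ESP, esp(spi, seq, gre(inner_ip), IPPROTO_GRE))

def gre_esp_tunnel(outer_src: str, outer_dst: str, spi: int, seq: int, inner_ip: bytes) -> bytes:
    """Tunnel mode: the whole GRE packet, its own IP header included, becomes the ESP
    payload (next header 4, IP-in-IP) and a second outer IP header is added."""
    whole = plain_gre(outer_src, outer_dst, inner_ip)
    return ipv4(outer_src, outer_dst, IPPROTO_ESP, esp(spi, seq, whole, IPPROTO_IPIP))

def on_the_wire(pkt: bytes) -> list:
    """Headers readable without the SA keys; stops at ESP because its payload is opaque."""
    seen = []
    while True:
        ihl = (pkt[0] & 0x0F) * 4
        proto = pkt[9]
        src = ".".join(map(str, pkt[12:16]))
        dst = ".".join(map(str, pkt[16:20]))
        seen.append(f"IP {src} -> {dst} proto {proto}")
        body = pkt[ihl:]
        if proto == IPPROTO_GRE:
            _flags, ptype = struct.unpack("!HH", body[:4])
            seen.append(f"GRE type 0x{ptype:04x}")
            if ptype != ETHERTYPE_IPV4:
                return seen
            pkt = body[4:]  # GRE is not encrypted: the inner packet is readable as well
            continue
        if proto == IPPROTO_ESP:
            spi, seq = struct.unpack("!II", body[:8])
            seen.append(f"ESP spi 0x{spi:08x} seq {seq} (payload protected)")
            return seen
        seen.append("ICMP" if proto == IPPROTO_ICMP else f"proto {proto}")
        return seen

def effective_mode(configured: str, sel_src: str, sel_dst: str, peers: tuple) -> str:
    """Model of the fallback described above: transport mode is kept only when the
    packet matched by the crypto ACL runs between the IPsec peers themselves."""
    if configured == "transport" and {sel_src, sel_dst} == set(peers):
        return "transport"
    return "tunnel"

if __name__ == "__main__":
    inner = ipv4("192.168.1.1", "192.168.2.1", IPPROTO_ICMP, icmp_echo(1, 1))
    for name, pkt in (("GRE", plain_gre("10.10.10.1", "10.10.10.2", inner)),
                      ("GRE+ESP transport", gre_esp_transport("10.10.10.1", "10.10.10.2", 0x52BDAEFA, 1, inner)),
                      ("GRE+ESP tunnel", gre_esp_tunnel("10.10.10.1", "10.10.10.2", 0x52BDAEFA, 1, inner))):
        print(f"{name:18} {len(pkt):3} bytes  {' | '.join(on_the_wire(pkt))}")
```

Two things the output makes concrete: the outer source and destination of every framing are the physical tunnel endpoints (10.10.10.x here), never the tunnel interface addresses, which answers the capture question asked earlier in the thread; and tunnel mode applied to the GRE packet costs exactly one extra 20-byte IP header compared with transport mode, which is the whole reason transport mode is the usual choice on top of GRE. With a crypto ACL of the form "permit gre host 10.10.10.1 host 10.10.10.2", the matched packet is the GRE packet, so effective_mode stays "transport"; a host-to-host packet matched directly falls back to "tunnel".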

Rene,
I have an interesting dilemma. I have a router that does not support IPSEC, however it is behind an ASA. I want to encrypt GRE Tunnel with the Cisco ASA. I have the L2L working between the loopbacks and have described interesting traffic as “permit ip” between the loopbacks. They ping each other. The gre tunnel still doesn’t come up. Am I barking up the wrong tree? It’s driving me crazy.

Hi Rene,

Awesome GRE-IPSEC lab.

Just had a quick question: I'm finding it impossible to remember all those commands.

How do you remember all these commands off the top of your head?

Thanks.

19 posts were merged into an existing topic: Encrypted GRE Tunnel with IPSEC

@Sean it is possible to encrypt GRE traffic on your ASAs where the routers are sitting behind your ASAs. What kind of access-list are you using to match your GRE traffic? You should use something like this:

access-list GRE extended permit gre host x.x.x.x host y.y.y.y

Where x.x.x.x and y.y.y.y are the IP addresses of your routers that are used to establish the GRE tunnel.

@Sina the more you do it, the easier it becomes. Some stuff like L2/L3 I do often enough to keep everything fresh in my memory. Other things (like IPsec) I also have to look up sometimes. It’s best to keep something like a notebook for yourself with notes/examples so that you can quickly look up something. Evernote works well for this.

Hi Rene,

Thank you for your excellent explanation!!! Can you add IKEv2 configuration? That will be great to learn since it was out in 2005.


Dear Rene,
Thanks for your nice article as always.
I am a little bit confused about your two articles “Encrypted GRE Tunnel with IPSEC” and “GRE over IPSEC”. What is the basic/main difference between the two? Please help me to understand it clearly. Thanks
Br/zaman

Hello Mohammad.

What exactly is meant by each of the two phrases depends on the context. Encrypted GRE Tunnel with IPSec refers to the encryption of the information sent over a GRE tunnel using the functionalities of IPSec. GRE over IPSec is not that specific and it depends on what the person speaking really means.

IPSec used in combination with GRE can function in two ways, either in tunnel mode, or transport mode.

In tunnel mode, which is the default and which is also what Rene has configured in the lesson, the whole GRE packet is encapsulated and encrypted within the IPSec packet.

Transport mode on the other hand, involves the encapsulation of only the GRE payload. The GRE header in this case is not encrypted.

Take a look at this post by Rene for more details.

I hope this has been helpful!

Laz

Hi Rene,

Can you give me an example of how to configure both IPsec AH only and IPsec AH combined with ESP (in Wireshark I can see both AH & ESP), just like you describe in the IPsec (Internet Protocol Security) lesson?
And I need another example of how to use virtual tunnel interfaces instead of the crypto map.

Hi Hussein,

The only thing you have to change is the transform set:

R1(config)#crypto ipsec transform-set MY_TRANSFORM_SET ?
  ah-md5-hmac      AH-HMAC-MD5 transform
  ah-sha-hmac      AH-HMAC-SHA transform
  ah-sha256-hmac   AH-HMAC-SHA256 transform
  ah-sha384-hmac   AH-HMAC-SHA384 transform
  ah-sha512-hmac   AH-HMAC-SHA512 transform
  comp-lzs         IP Compression using the LZS compression algorithm
  esp-3des         ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes          ESP transform using AES cipher
  esp-des          ESP transform using DES cipher (56 bits)
  esp-gcm          ESP transform using GCM cipher
  esp-gmac         ESP transform using GMAC cipher
  esp-md5-hmac     ESP transform using HMAC-MD5 auth
  esp-null         ESP transform w/o cipher
  esp-seal         ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac     ESP transform using HMAC-SHA auth
  esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
  esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
  esp-sha512-hmac  ESP transform using HMAC-SHA512 auth

For example, if you want to use AH:

R1(config)#crypto ipsec transform-set MY_TRANSFORM_SET ah-sha-hmac

or ESP:

R1(config)#crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac

or ESP+AH:

R1(config)#crypto ipsec transform-set MY_TRANSFORM_SET esp-sha-hmac ah-sha-hmac esp-aes

If you want to test this, change the transform-set and then clear the current SA:

R1#clear crypto sa

You can verify if you are using ESP/AH by looking at the SA. For example, here’s ESP:

R1#show crypto ipsec sa | begin inbound esp
     inbound esp sas:
      spi: 0x52BDAEFA(1388162810)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: SW:5, sibling_flags 80004040, crypto map: MY_CRYPTO_MAP
        sa timing: remaining key lifetime (k/sec): (4241877/3557)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7D2533B3(2099590067)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: SW:6, sibling_flags 80004040, crypto map: MY_CRYPTO_MAP
        sa timing: remaining key lifetime (k/sec): (4241877/3557)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

Above you see that it only shows inbound/outbound ESP, nothing for AH.

Here’s AH:

R1#show crypto ipsec sa | begin inbound ah
     inbound ah sas:
      spi: 0xC412FE1D(3289579037)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 7, flow_id: SW:7, sibling_flags 80004050, crypto map: MY_CRYPTO_MAP
        sa timing: remaining key lifetime (k/sec): (4189277/3584)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:
      spi: 0xBF33F950(3207854416)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 8, flow_id: SW:8, sibling_flags 80004050, crypto map: MY_CRYPTO_MAP
        sa timing: remaining key lifetime (k/sec): (4189277/3584)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     outbound pcp sas:

Above you only see inbound/outbound ESP, no AH.

Here is AH+ESP:

R1#show crypto ipsec sa | begin inbound
     inbound esp sas:
      spi: 0xD68D5E92(3599589010)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 9, flow_id: SW:9, sibling_flags 80004070, crypto map: MY_CRYPTO_MAP
        sa timing: remaining key lifetime (k/sec): (4298169/3577)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:
      spi: 0x58397E06(1480162822)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 9, flow_id: SW:9, sibling_flags 80004070, crypto map: MY_CRYPTO_MAP
        sa timing: remaining key lifetime (k/sec): (4298169/3577)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2CA509F3(749013491)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 10, flow_id: SW:10, sibling_flags 80004070, crypto map: MY_CRYPTO_MAP
        sa timing: remaining key lifetime (k/sec): (4298169/3577)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:
      spi: 0x110A4D8E(285887886)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 10, flow_id: SW:10, sibling_flags 80004070, crypto map: MY_CRYPTO_MAP
        sa timing: remaining key lifetime (k/sec): (4298169/3577)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

Here is a quick example for a virtual tunnel interface. I’ll turn this one into a lesson later:

ipsec-tunnel-interface-topology

Here are the configs of the routers.

R1:

hostname R1
!
ip cef
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key MY_PASSWORD address 10.10.10.2     
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set MY_TRANSFORM_SET 
!
interface Tunnel0
 ip address 12.12.12.1 255.255.255.0
 tunnel source 10.10.10.1
 tunnel mode ipsec ipv4
 tunnel destination 10.10.10.2
 tunnel protection ipsec profile IPSEC_PROFILE
!
interface GigabitEthernet0/1
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 10.10.10.1 255.255.255.0
!
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
end

And R2:

hostname R2
!
ip cef
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key MY_PASSWORD address 10.10.10.1     
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set MY_TRANSFORM_SET 
!
interface Tunnel0
 ip address 12.12.12.2 255.255.255.0
 tunnel source 10.10.10.2
 tunnel mode ipsec ipv4
 tunnel destination 10.10.10.1
 tunnel protection ipsec profile IPSEC_PROFILE
!
interface GigabitEthernet0/1
 ip address 192.168.2.254 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 10.10.10.2 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
end

The main difference is that we don’t use a crypto-map anymore. We still have a crypto isakmp policy and a transform set. What is new is that we have a crypto ipsec profile that refers to our transform-set. We also use a tunnel interface where we refer to our IPsec profile and where IPsec is enabled.

The tunnel interface now shows IPSEC/IP:

R1#show interfaces tunnel 0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is 12.12.12.1/24
  MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 10.10.10.1, destination 10.10.10.2
  Tunnel protocol/transport IPSEC/IP

We can verify that it works:

R1#show crypto session 
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE     
Peer: 10.10.10.2 port 500 
  Session ID: 0  
  IKEv1 SA: local 10.10.10.1/500 remote 10.10.10.2/500 Active 
  Session ID: 0  
  IKEv1 SA: local 10.10.10.1/500 remote 10.10.10.2/500 Active 
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 
        Active SAs: 6, origin: crypto map

Hope this helps!

Rene
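A parser for the show crypto ipsec sa output in the post above, as an added example that is not part of the thread and not code from the lesson. Reading the SA block by eye is how the ESP/AH mix-up happens; this pulls out, per direction and protocol, the SPI, transform, mode, remaining lifetime, replay-detection and status, and flags what a reviewer would object to. The sample is a shortened copy of the AH+ESP output above plus one constructed outbound ESP entry (esp-3des, transport mode, replay detection off) so the checks have something to flag; the list of weak transforms is this example's own.

```python
"""Parse 'show crypto ipsec sa' output and report what each SA really negotiated."""
import re
from dataclasses import dataclass

# Shortened copy of the AH+ESP output above, plus one constructed outbound ESP
# entry (esp-3des, transport mode, replay off) so the checks have something to flag.
SAMPLE = """\
     inbound esp sas:
      spi: 0xD68D5E92(3599589010)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4298169/3577)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:
      spi: 0x58397E06(1480162822)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4298169/3577)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound esp sas:
      spi: 0x2CA509F3(749013491)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        sa timing: remaining key lifetime (k/sec): (4298169/3577)
        replay detection support: N
        Status: ACTIVE(ACTIVE)
"""

# Still selectable in IOS, but DES/3DES/MD5 and a null cipher have no place in a new design.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}

SECTION = re.compile(r"^\s*(inbound|outbound)\s+(esp|ah|pcp)\s+sas:")
FIELD = {
    "spi": re.compile(r"spi:\s*0x([0-9A-Fa-f]+)"),
    "transform": re.compile(r"transform:\s*(.*?)\s*,"),
    "mode": re.compile(r"in use settings\s*=\{(\w+)"),
    "lifetime": re.compile(r"remaining key lifetime \(k/sec\):\s*\((\d+)/(\d+)\)"),
    "replay": re.compile(r"replay detection support:\s*([YN])"),
    "status": re.compile(r"Status:\s*(\S+)"),
}

@dataclass
class Sa:
    direction: str
    protocol: str
    spi: int = 0
    transforms: tuple = ()
    mode: str = ""
    kbytes_left: int = 0
    secs_left: int = 0
    replay: bool = False
    status: str = ""

def parse_sas(text: str) -> list:
    """One Sa per 'spi:' line, grouped under the inbound/outbound esp/ah headings."""
    sas, direction, protocol, cur = [], None, None, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            direction, protocol, cur = m.group(1), m.group(2), None
        elif m := FIELD["spi"].search(line):
            cur = Sa(direction, protocol, spi=int(m.group(1), 16))
            sas.append(cur)
        elif cur is None:
            continue
        elif m := FIELD["transform"].search(line):
            cur.transforms = tuple(m.group(1).split())
        elif m := FIELD["mode"].search(line):
            cur.mode = m.group(1)
        elif m := FIELD["lifetime"].search(line):
            cur.kbytes_left, cur.secs_left = int(m.group(1)), int(m.group(2))
        elif m := FIELD["replay"].search(line):
            cur.replay = m.group(1) == "Y"
        elif m := FIELD["status"].search(line):
            cur.status = m.group(1)
    return sas

def protocols_in_use(sas: list) -> set:
    """Which of ESP/AH actually have an active SA (the question asked above)."""
    return {sa.protocol for sa in sas if sa.status.startswith("ACTIVE")}

def findings(sas: list) -> list:
    """Weak transforms, replay detection off, inactive SAs, mixed modes."""
    out = []
    for sa in sas:
        label = f"{sa.direction} {sa.protocol} spi 0x{sa.spi:08X}"
        out += [f"{label}: weak transform {t}" for t in sa.transforms if t in WEAK_TRANSFORMS]
        if not sa.replay:
            out.append(f"{label}: replay detection off")
        if not sa.status.startswith("ACTIVE"):
            out.append(f"{label}: status {sa.status}")
    if len({sa.mode for sa in sas}) > 1:
        out.append("mixed modes in one SA set: " + ", ".join(sorted({sa.mode for sa in sas})))
    return out

if __name__ == "__main__":
    sas = parse_sas(SAMPLE)
    print("protocols with active SAs:", sorted(protocols_in_use(sas)))
    print("\n".join("! " + f for f in findings(sas)))
```

Feed it the real output (show crypto ipsec sa pasted into a file) after each clear crypto sa and compare the protocol set and mode against what the transform set was meant to negotiate; an SA set that shows only ESP when AH was configured, or Tunnel where transport was expected, is the mismatch the earlier questions in this thread ran into.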
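A cross-check of the two VTI configs in the post above, as an added example that is not part of the thread and not code from the lesson. The questions earlier in this thread about a tunnel that stays down are usually one of a handful of mismatches between the two sides, and those are cheap to test before anyone starts debugging IKE. The two strings are shortened copies of the R1 and R2 configs above; the checks themselves (tunnel source/destination mirrored, ISAKMP key bound to the peer's tunnel source, same transform-set algorithms and mode, same tunnel mode, protection applied on both sides) are this example's own, not an IOS feature.

```python
"""Cross-check two IOS VTI peer configs for the mismatches that leave a tunnel down."""
import re

# Shortened copies of the R1/R2 configs above (only the lines the checks read).
R1 = """\
crypto isakmp key MY_PASSWORD address 10.10.10.2
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile IPSEC_PROFILE
 set transform-set MY_TRANSFORM_SET
interface Tunnel0
 ip address 12.12.12.1 255.255.255.0
 tunnel source 10.10.10.1
 tunnel mode ipsec ipv4
 tunnel destination 10.10.10.2
 tunnel protection ipsec profile IPSEC_PROFILE
"""
R2 = """\
crypto isakmp key MY_PASSWORD address 10.10.10.1
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile IPSEC_PROFILE
 set transform-set MY_TRANSFORM_SET
interface Tunnel0
 ip address 12.12.12.2 255.255.255.0
 tunnel source 10.10.10.2
 tunnel mode ipsec ipv4
 tunnel destination 10.10.10.1
 tunnel protection ipsec profile IPSEC_PROFILE
"""

def parse(cfg: str) -> dict:
    """Pull keys, transform sets, profiles and Tunnel interfaces out of a running-config."""
    d = {"keys": {}, "tsets": {}, "profiles": {}, "tunnels": {}}
    ctx = None  # current indented block: ("tset"|"profile"|"tunnel", name)
    for line in cfg.splitlines():
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            d["keys"][m.group(2)] = m.group(1)
            ctx = None
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            # IOS defaults a transform set to tunnel mode unless 'mode transport' follows.
            d["tsets"][m.group(1)] = {"algs": frozenset(m.group(2).split()), "mode": "tunnel"}
            ctx = ("tset", m.group(1))
        elif m := re.match(r"crypto ipsec profile (\S+)", line):
            d["profiles"][m.group(1)] = None
            ctx = ("profile", m.group(1))
        elif m := re.match(r"interface (Tunnel\d+)", line):
            d["tunnels"][m.group(1)] = {}
            ctx = ("tunnel", m.group(1))
        elif not line.startswith(" "):
            ctx = None
        elif ctx and ctx[0] == "tset" and (m := re.match(r" mode (\w+)", line)):
            d["tsets"][ctx[1]]["mode"] = m.group(1)
        elif ctx and ctx[0] == "profile" and (m := re.match(r" set transform-set (\S+)", line)):
            d["profiles"][ctx[1]] = m.group(1)
        elif ctx and ctx[0] == "tunnel" and (m := re.match(
                r" tunnel (source|destination|mode|protection ipsec profile) (.+)", line)):
            d["tunnels"][ctx[1]][m.group(1)] = m.group(2).strip()
    return d

def check_pair(a: dict, b: dict) -> list:
    """Findings for every Tunnel interface on a, checked against b (run it both ways)."""
    out = []
    for name, t in a["tunnels"].items():
        src, dst = t.get("source"), t.get("destination")
        peer = next((p for p in b["tunnels"].values()
                     if p.get("source") == dst and p.get("destination") == src), None)
        if peer is None:
            out.append(f"{name}: no tunnel on the peer with source {dst} and destination {src}")
            continue
        if dst not in a["keys"]:
            out.append(f"{name}: no 'crypto isakmp key ... address {dst}'")
        elif a["keys"][dst] != b["keys"].get(src):
            out.append(f"{name}: pre-shared key for {dst} does not match the peer's key for {src}")
        if t.get("mode") != peer.get("mode"):
            out.append(f"{name}: tunnel mode {t.get('mode')!r} vs peer {peer.get('mode')!r}")
        prof, pprof = t.get("protection ipsec profile"), peer.get("protection ipsec profile")
        if not prof or not pprof:
            out.append(f"{name}: tunnel protection missing on one side")
            continue
        ts = a["tsets"].get(a["profiles"].get(prof))
        pts = b["tsets"].get(b["profiles"].get(pprof))
        if ts is None or pts is None:
            out.append(f"{name}: profile refers to a transform set that does not exist")
        elif ts != pts:
            out.append(f"{name}: transform set {sorted(ts['algs'])}/{ts['mode']} "
                       f"vs peer {sorted(pts['algs'])}/{pts['mode']}")
    return out

if __name__ == "__main__":
    for side, (x, y) in (("R1->R2", (R1, R2)), ("R2->R1", (R2, R1))):
        print(side, check_pair(parse(x), parse(y)) or "ok")
```

The same parse/check pair works on the crypto-map variant from the lesson only for the tunnel and key lines; a crypto map's ACL and peer statements are a separate check. Running it both ways matters because a mismatch such as a missing tunnel protection line is only visible from the side that has it.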
