
Virtual Private Network (VPN)

A VPN is an overlay network that enables private networks to communicate with each other across an untrusted network (the Internet).

The most commonly used VPN encryption technology is Internet Protocol Security (IPsec).

To create VPNs between private networks, a tunnelling overlay technology is necessary; the most commonly used one is Generic Routing Encapsulation (GRE).

Generic Routing Encapsulation (GRE) Tunnels

Info
A GRE tunnel creates a virtual P2P link between two routers across an IP network so routing protocols, multicast, and private IPs can pass through.

When a router encapsulates a packet for a GRE tunnel, it adds:

  1. A new outer IP header: destination is the remote endpoint's public IP address, IP protocol number 47 (GRE)
  2. A GRE header: flags and the protocol type of the encapsulated packet

The original packet, including its own IP header and payload, remains intact inside the GRE payload. After the packet reaches the remote endpoint, it is decapsulated and the original packet is forwarded out of the remote router.
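The encapsulation just described, as an added illustration that is not part of the original post: a minimal encapsulator/decapsulator that builds the outer IP header with protocol 47 and the basic 4-byte GRE header, using the R1/R2 WAN addresses from the topology below. The inner packet and the LAN addresses 192.168.1.10/192.168.2.10 are constructed sample values.

```python
import struct

GRE_PROTOCOL = 47        # IP protocol number carried in the outer IP header
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload

def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (even length assumed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                      0, 0, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Prepends the basic GRE header (flags 0, protocol type) and an outer
    IP header addressed from the tunnel source to the tunnel destination."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTOCOL,
                        len(gre_hdr) + len(inner))
    return outer + gre_hdr + inner

def gre_decapsulate(packet: bytes) -> bytes:
    """Strips the outer IP and GRE headers and returns the original packet.
    Raises ValueError if the packet is not plain GRE carrying IPv4."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTOCOL:
        raise ValueError("outer IP protocol %d is not GRE (47)" % packet[9])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000:  # C, K or S bit set: optional fields this parser skips
        raise ValueError("GRE optional fields present")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return packet[ihl + 4:]

# Constructed sample: an IPv4/UDP packet between the LANs behind R1 and R2
INNER = ipv4_header("192.168.1.10", "192.168.2.10", 17, 8) + bytes(8)
```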

Configure GRE by creating a tunnel interface, assigning IP addresses (overlay IP), defining tunnel source and destination (underlay IP), and enabling routing across the tunnel.

Example

Configuration

Basic GRE Topology

R1 =====( Internet )===== R2

R1 WAN: 100.1.1.1
R2 WAN: 200.1.1.1

R1 Tunnel: 10.10.10.1/30
R2 Tunnel: 10.10.10.2/30

Basic GRE Configuration

Router R1

interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source 100.1.1.1
 tunnel destination 200.1.1.1
 tunnel mode gre ip

Router R2

interface Tunnel0
 ip address 10.10.10.2 255.255.255.252
 tunnel source 200.1.1.1
 tunnel destination 100.1.1.1
 tunnel mode gre ip

Routing Over GRE

Router R1

router ospf 1
 network 10.10.10.0 0.0.0.3 area 0

Router R2

router ospf 1
 network 10.10.10.0 0.0.0.3 area 0

Now routing protocols run across the tunnel.

Verify GRE Tunnel

show ip interface brief | include Tunnel
show interface tunnel0
show ip route

Tunnel should be up/up.

Recursive Routing

Note
Recursive routing is caused by advertising the tunnel transport network (underlay IP) into the tunnel routing protocol (OSPF).

Accidentally telling the routers to reach the tunnel destination through the tunnel itself creates a logical loop → the tunnel breaks.
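A small check for the condition described above, added here as an illustration and not part of the original post: it does a longest-prefix lookup for the tunnel destination and flags the case where that route itself exits via Tunnel0. The routing tables are constructed from the topology in this post (R1's view), with the remote LAN 192.168.2.0/24 assumed.

```python
from ipaddress import ip_address, ip_network

TUNNEL_IF = "Tunnel0"
TUNNEL_DST = "200.1.1.1"   # R2 WAN address, the underlay destination of R1's tunnel

# Constructed routing table of R1 while the tunnel is healthy
HEALTHY_TABLE = [
    ("0.0.0.0/0", "GigabitEthernet0/0"),   # default route toward the Internet
    ("10.10.10.0/30", "Tunnel0"),          # tunnel overlay network
    ("192.168.2.0/24", "Tunnel0"),         # remote LAN learned over the tunnel via OSPF
]

# Same table after R2's WAN network (the underlay) was advertised into OSPF:
# the more specific /24 now wins over the default route
RECURSIVE_TABLE = HEALTHY_TABLE + [("200.1.1.0/24", "Tunnel0")]

def lookup(table, dest):
    """Longest-prefix match: returns the outgoing interface for dest, or None."""
    addr = ip_address(dest)
    best = None
    for prefix, iface in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def is_recursive(table, tunnel_if, tunnel_dst):
    """True when the route to the tunnel destination points back into the tunnel."""
    return lookup(table, tunnel_dst) == tunnel_if
```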

Internet Protocol Security (IPsec)

Info

IPsec is a framework of open standards for creating highly secure VPNs that encapsulate unicast packets.

To secure multicast and broadcast traffic, GRE over IPsec must be used, so that IPsec sees all traffic as unicast GRE packets.

IPsec provides the following security services:

  1. Peer authentication:
  • Verifies the identity of the VPN peer through authentication.
  • Methods: PSK, digital certificates
  2. Data confidentiality:
  • Changes plaintext into encrypted ciphertext
  • Methods: DES, 3DES, AES
  3. Data integrity:
  • Ensures that data has not been tampered with during its transit
  • Methods: MD5, SHA-1
  4. Anti-replay:
  • Prevents MitM attacks where an attacker captures VPN traffic and replays it back to a VPN peer with the intention of building an illegitimate VPN tunnel.
  • Method: applies sequence numbers to packets and rejects ones already seen
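How the anti-replay service uses those sequence numbers, as an added example that is not part of the original post: a sliding-window receiver of the kind ESP and AH use, which accepts each sequence number once, tolerates reordering inside the window, and rejects duplicates and anything older than the window. The window size of 64 and the sequence of numbers checked are assumed sample values.

```python
class AntiReplayWindow:
    """Sliding-window replay check in the style of ESP/AH receivers.
    Tracks the highest sequence number accepted and a bitmap of the
    `size` most recent numbers (bit 0 = highest, bit i = highest - i)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # which numbers within [top - size + 1, top] were seen

    def check(self, seq: int) -> bool:
        """Returns True and records seq if it is new and inside the window."""
        if seq == 0:
            return False                      # sequence numbers start at 1
        if seq > self.top:                    # new highest: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 0               # everything seen so far is now too old
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                      # already accepted: replay
        self.bitmap |= 1 << offset            # late but genuine packet
        return True

def replay_decisions(seqs, size: int = 64):
    """Runs a constructed sequence of packet numbers through one window."""
    w = AntiReplayWindow(size)
    return [w.check(s) for s in seqs]
```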

IPsec packet headers:

  1. Authentication Header (AH):
  • Authentication + Integrity
  • IP protocol: 51
  2. Encapsulating Security Payload (ESP):
  • All 4 services
  • IP protocol: 50

ESP modes:

  1. Tunnel mode:
  • Encrypts the entire original packet, including its IP header
  • Higher overhead
  • Adds a new set of IPsec headers to route the packet and provide overlay functions
  • The IPsec IP header is used for routing
  2. Transport mode:
  • Encrypts only the payload behind the packet's original IP header
  • Does not provide overlay functions; routes based on the original IP headers
  • The GRE IP header is used for routing
  • Lower overhead

Internet Key Exchange (IKE)

Info
IKE is a protocol that performs authentication between two endpoints to establish security associations (SAs), also known as IKE tunnels.

IKE = Internet Security Association and Key Management Protocol (ISAKMP)

  • UDP port 500
  • Implemented using the Oakley and Skeme key exchange techniques
  • Oakley provides Perfect Forward Secrecy (PFS) for keys, identity protection, and authentication
  • Skeme provides anonymity, repudiability, and quick key refreshment

IKEv1 Phases

Phase 1 - ISAKMP

Info
  1. Authenticates peers (PSKs / digital certificates)
  2. Establishes a bidirectional SA (ISAKMP SA) tunnel between two IKE peers
  3. Main mode (MM) or aggressive mode (AM):
    • MM (6 messages exchanged): identities of the two IKE peers are encrypted
    • AM (3 messages exchanged): identities of the two IKE peers are not encrypted
  4. Negotiates the ISAKMP policy:
    • Hash algorithm
    • Encryption algorithm
    • Authentication method
    • Diffie-Hellman (DH) group
    • Lifetime

Phase 2 - Transform Set

Info
Establishes unidirectional IPsec SAs by leveraging the ISAKMP SA.
  1. Quick mode (QM): 3 messages exchanged
  2. Negotiates the IPsec security parameters (the transform set):
    • Encapsulation protocol (AH/ESP)
    • Hashing algorithm
    • Encryption algorithm
    • IPsec mode (transport or tunnel)

Configuration

GRE over IPsec can be configured using crypto maps applied to the WAN interface or IPsec profiles applied directly to the tunnel interface.

Transport mode is preferred because it provides lower overhead, while tunnel mode encrypts the entire GRE packet and is rarely used.

Example
R1 =====( Internet )===== R2

R1 WAN: 100.1.1.1
R2 WAN: 200.1.1.1

Tunnel IP:
R1: 10.10.10.1/30
R2: 10.10.10.2/30

GRE over IPsec using Crypto Maps

Example

Step 1 - IKE Phase 1

R1 & R2

crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
 lifetime 86400

crypto isakmp key cisco address <peer-wan-ip>

Step 2 - IKE Phase 2

crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode <transport | tunnel>

Step 3 - Interesting Traffic (GRE only; R1 shown, R2 swaps source and destination)

access-list 100 permit gre host 100.1.1.1 host 200.1.1.1

Step 4 - Crypto Map (R1 shown; R2 sets peer 100.1.1.1)

crypto map GRE-IPSEC 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set TS
 match address 100

Step 5 - Apply Crypto Map to WAN Interface

interface Gig0/0
 crypto map GRE-IPSEC

Step 6 - Configure GRE Tunnel

interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source 100.1.1.1
 tunnel destination 200.1.1.1

GRE over IPsec using IPsec Profiles

Info

Step 1 - IKE Phase 1

crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14

crypto isakmp key cisco address <peer-wan-ip>

Step 2 - IKE Phase 2

crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode <transport | tunnel>

Step 3 - Create IPsec Profile

crypto ipsec profile GRE-PROFILE
 set transform-set TS

Step 4 - Configure GRE Tunnel + Apply Profile

interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source 100.1.1.1
 tunnel destination 200.1.1.1
 tunnel protection ipsec profile GRE-PROFILE