PathToIE

Wednesday, June 10, 2015

DMVPN-Part1

DMVPN solves some of the scalability issues with GRE tunnels.

Highly scalable

Easy configuration

DMVPN Phase1:

In phase1 of DMVPN, the hub is a multipoint GRE tunnel and the spokes are point-to-point GRE tunnels. It means

· Spoke to spoke traffic must go through hub

· Simplified routing-just a default route on spokes will do

· Summarization and default routing can be used on the hub

· Next hop is always changed by the hub

Here is the sample topo for discussion

The IP address used is just to illustrate that the spoke just needs an internet connection to be part of DMVPN and each of them can be in any arbitrary network as along as connectivity is available.

For our discussions and configurations,

NBMA address –169.254.100.xx

Overlay DMVPN network—14.1.1.xx

We do ping tests on loopbacks of the devices, ip address is 150.1.x.x

Configuration:

Spoke Configuration,

R3# sh run int tun0

Building configuration...

Current configuration : 352 bytes

interface Tunnel0

ip address 14.1.1.3 255.255.255.0

ip mtu 1400

ip nhrp authentication NHRPAUTH

ip nhrp group INE

ip nhrp map multicast 169.254.100.5

ip nhrp map 14.1.1.5 169.254.100.5

ip nhrp network-id 1

ip nhrp nhs 14.1.1.5 ----------------àOverlay address of the HUB

ip tcp adjust-mss 1360

tunnel source GigabitEthernet0/0.100

tunnel destination 169.254.100.5--- àNBMA/Public/Underlay address of the HUB

tunnel key 2

end

HUB Configuration

R5#sh run int tun0

Building configuration...

Current configuration : 293 bytes

interface Tunnel0

ip address 14.1.1.5 255.255.255.0

no ip redirects

no ip split-horizon eigrp 100

ip nhrp authentication NHRPAUTH

ip nhrp group INE

ip nhrp map multicast dynamic

ip nhrp network-id 1

tunnel source GigabitEthernet0/0.100

tunnel mode gre multipoint----àMode must be multipoint on HUB, should specify destination on spokes.

tunnel key 2

end

Once the DMVPN network is established and a routing protocol say EIGRP is enabled, the routers will form adjacency as they are connected in a LAN.

The spoke will multicast the hello packets to HUB.

The hub will multicast the hello packets to the spokes, it’s basically replication of the packets.

The routes learned on a router

Ping from spoke R1 to spoke R3 will go as

The destination is reachable via dmvpn tunnel,so the icmp ping request will get gre encapsulated

Icmp ping request sent to hub

Hub will re encapsulate and send it to spoke3

Spoke3 will send the reply to hub

Hub will reencapsulate and send the reply to spoke1

Tuesday, June 9, 2015

IPSec -Part2

In this post we will focus on

GRE over IPSec

IPSec over GRE

GRE over IPSec falls under the category of Route-based VPNs.

The following are the limitations with the policy based VPNs

Does not support multicast or non IP traffic.
The interesting traffic must be defined through an ACL--increases the configuration complexity and maintenance.

GRE Over IPSec (IPSEC is transport):

It’s basically,

L2 Header

ESP

GRE

Data

When doing GRE over IPsec, what really changes comparing with normal IPsec encryption is WHAT MUST BE ENCRYPTED.

The decision of how traffic is encrypted or not depends on the routing protocols.

If ospf route points to a tunnel and the tunnel is running encryption, that particular traffic is encrypted.

This is how the limitation with the policy based VPNs is overcome and complex/frequent ACL changes are not required.

Configuration wise its same as traditional way of setting an IPSec tunnel.

The way we define the proxy acl changes.

In GRE over IPsec, proxy ACL will be just the endpoints of the GRE tunnel,

'permit gre hostA host B' (or permit gre any any)

Here the crypto map is applied under the physical interface which the GRE tunnel uses. So GRE encapsulation first and encryption second.

If we apply the crypto map to the gre interface, it becomes IPSec over GRE where encryption happens first and encapsulation second.

Eg:

R1----------R2==============R3-----------R4

R2==R3 -->GRE over IPSec tunnel.

R1,R4 are end host that run tcp,ping applications.

Configuration Steps:

Create a GRE tunnel between R2 and R3.

Create ISAKMP policy.

Create crypto map and associate it with the physical interface that the tunnel will use.

R2(config)#ip access-list ext GRE

R2(config-ext-nacl)#permit gre any any

R2(config)#crypto map GRE_O_IPSEC 50 ipsec-isakmp

R2(config-crypto-map)#match address GRE

R2(config-crypto-map)#set peer 4.4.4.4

R2(config-crypto-map)#set transform-set 3DES_MD5

Transport mode is negotiated only when the traffic is from one router to other router(i.e. sourced locally to the other end point).

This is controlled by the proxy ACL.

For traffic going through the router-->Always Tunnel mode is negotiated irrespective of configuration.

For traffic going to the router-->As per the configuration in the crypto map tunnel or transport.

If the proxy on R2 is configured as 'permit gre any any' -->ipsec mode will be tunnel irrespective of crypto map config.

If the proxy acl on R2 is configured as 'permit gre host 10.2.2.2 host 10.4.4.4 ' and tunnel mode transport in crypto map,ipsec

tunnel will comeup in transport mode.

Because of GRE header and esp header, the MTU gets reduced. So if traffic is sent with default MTU,the routers at the tunnel ends have to do

Fragmentation resulting in higher CPU usage.

So to avoid fragmentation,set the mtu to lower values.

If the hosts dont run PMTUD,set the MSS in tcp syn & syn ack packets.

On R2,R3:

int tunnel0

ip tcp adjust-mss 1400

For UDP, we need to do on the end host.

On R1,R4:

ip tcp mss 1450-->This is when the tcp session if from the router,affects bgp,msdp...

IPSec VTI:

Conceptually same as GRE over IPSec but without the additional GRE header overhead

Static VTI àused for site to site

Dynamic VTI àused for remote access

GRE over IPSec	VTI
More overhead but negligible(4 bytes) We use GRE over IPsec because crypto map cannot define an interface in the routing table, so dynamic routing protocol couldn't run without the the tunnel interface.	Saves 4 bytes of gre overhead With IPsec VTI we have an interface in the routing table, this remove the need to have an extra GRE IP header encapsulation.
Multiprotocol encapsulation Ipv4,ipv6,is-is,etc	Single protocol Ipv4 only over ipv4 ipsec tunnel Ipv6 only over ipv6 ipsec tunnel
Line protocol based on route to destination	Line protocol status is accurate based on the ipsec phase2 negotiation
R4(config)#int tun0 R4(config-if)#tunnel mode gre ip R4(config-if)#tunnel protection ipsec profile PROFILE1	R4(config)#int tun0 R4(config-if)#tunnel mode ipsec ipv4 R4(config-if)#tunnel protection ipsec profile PROFILE1
the frame is [Eth Header][IP Header][GRE][Data]	[Eth Header][IP Header][ESP header][Data][ESP trailer]
Supports both tunnel and transport modes	Supports only tunnel mode
Df-bit is not carried upto esp header,so applications cannot do path mtu discovery	In VTI mode,df-bit is carried upto the esp header. Applications can do path MTU discovery and we need not configure ‘ip mtu’ under the tunnel interface. We can still configure ‘ip tcp adjust-mss’ for applications that cant do path mtu discovery.
Tunnel and then encrypt	Encrypt and then tunnel

VTI configuration:

Phase 1 is same as in crypto map based tunnel.

For phase 2,

The tunnel defines who the end point i.e. tunnel destination is

The tunnel already defines the traffic i.e. ip any any

We just need to configure how the traffic must be treated using ‘crypto ipsec profiles’.

An IPSec profile just specifies the transform set to be used in protecting the data plane.

R2(config)#crypto ipsec profile PROFILE2

R2(ipsec-profile)#set transform-set 3DES_MD5

The profiles can be applied to both GRE tunnel and IPSec VTI tunnel.

Some platforms may not do hardware switching of GRE packets.

IPSec over DMVPN:

DMPN is p-t-m layer 3 overlay VPN.

Logical hub and spoke topology, direct spoke-to-spoke traffic is supported.

DMVPN is an mgre routing technique

Order of operations:

Crypto first

NHRP second

Routing third

So if crypto ipsec tunnel configuration is wrong, dmvpn will not work.

Configuration is same as in GRE over IPSec.

The peer address to use in the ISAKMP Policy is the NBMA Address, this is important to understand and not to confuse configuring the Tunnel Private address (10.1.100.x in this case).

Crypto Process is the first thing to start, IF IPSEC IS NOT COMPLETED TUNNELS WILL NOT GO UP.

show crypto ipsec sa | i pkts|peer

show ip traffic | i Frag|frag

IPSec over GRE :

It’s basically,

L2 Header

GRE

ESP

Data

Apply the crypto map under the tunnel interface

Proxy ACL has to match end-end entities.

Encryption first and then GRE tunnel encapsulation.

IPSec-Part1

IPSEC is a suite of protocols to secure the data plane by using some encryption techniques.

IPSec tunnel setup happens in two phases.

PHASE 1 -->negotiates the parameters to setup a tunnel for PHASE2

PHASE 2 --->Creates SA and establishes a tunnel for data flow

PHASE 1 ISAKMP Configuration:

Create a ISAKMP policy which defines the following parameters

· authentication
· encryption
· hash
· DH group

The two routers must agree upon a policy to establish the tunnel.

The policy with lower value will have higher priority.

Define ISAKMP policy

We need to define a pre-shared key for authentication with peer

R2(config)#crypto isakmp key 0 APPLE address 10.1.34.4

In case if the ip address of the other end is not known,

R2(config)#crypto isakmp key 0 APPLE address 0.0.0.0

whoever wants to establish the ipsec tunnel with R2 should use APPLE as the pre-shared authentication key

R2(config)#crypto isakmp policy 30

R2(config-isakmp)#authentication pre-share

R2(config-isakmp)#hash md5

R2(config-isakmp)#encryption 3des

R2(config-isakmp)#group 20

Phase1 negotiation will fail if the authentication key is different or any of the parameters is different.

Once the phase1 negotiation is completed successfully, the state for the peer will be QM_IDLE.
Any other state means phase1 negotiation failed.

The following show command can be used for verifying the phase1 result,

R2#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

4.4.4.4 2.2.2.2 QM_IDLE 1003 ACTIVE

Phase 1 negotiation happens in two modes

Main Mode: TBU

Aggressive Mode:TBU

Phase 2 IPSEC Configuration:

Phase2 kicks in once the phase1 negotiation is done and secure tunnel is formed.

In phase2, the routers will exchange the symmetric keys for the session and establishes SA.

For phase2 configuration, we need to setup the following

· Create extended access-list- to match the interesting traffic. IPsec tunnel setup will trigger when the traffic that matching the acl is seen.
· Create IPSec transform set –this defines the encryption and hashing methods to be used
· Create Crypto Map- this connects the access-list, transform set and the peer to which the tunnel must be established.
· Apply the crypto map to an interface—always outbound

Create extended access-list as

R2(config)#ip access-list extended 111

R2(config-ext-nacl)#permit ip 1.1.1.1 0.0.0.0 5.5.5.5 0.0.0.0

Create IPSec transform set as

R2(config)#crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac

Esp-3desàencryption

Esp-sha-hmacàhashing

Create Crypto map connecting the peer, transform set and acl as

R2(config)#crypto map MAP9 90 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

R2(config-crypto-map)#set peer 10.1.34.4

R2(config-crypto-map)#match address 111

R2(config-crypto-map)#set transform-set 3DES-SHA

Apply the crypto map to an interface

R2(config)#int s1/0

R2(config-if)#crypto map MAP9

If we do a ping from R1 to R5,ipsec tunnel will not be created because the acl wont match the traffic.

If we do a ping from loopback of R1 to loopback of R5,ipsec tunnel will get established as this matches the acl 111.

As only the traffic that matches the acl gets encrypted and the rest is forwarded without security, this way of setting up the ipsec tunnel comes

under policy based ipsec vpn.

Some show commands to verify the ipsec tunnel creation

R4#sh crypto isakmp sa --> gives phase1 negotiation result

IPv4 Crypto ISAKMP SA

dst src state conn-id status

10.1.34.4 10.1.23.2 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

R4#sh crypto ipsec sa -->gives phase2 negotiation result

interface: Serial1/0

Crypto map tag: MAP2, local addr 10.1.34.4

protected vrf: (none)

local ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)

current_peer 10.1.23.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 -->These counters should go on increasing

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 10.1.34.4, remote crypto endpt.: 10.1.23.2

path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0

current outbound spi: 0x10E1542D(283202605)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0x396B966C(963352172)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: MAP2

sa timing: remaining key lifetime (k/sec): (4259623/3582)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x10E1542D(283202605)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: MAP2

sa timing: remaining key lifetime (k/sec): (4259623/3582)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

R4#

If we want to set the tunnel using the loopback interfaces,

Change the pre-shared key IP association

Change the peer address in the crypto map and add the following command

R4(config)#crypto map MAP9 local-address loopback 0

Misc: