Multiple Protocols over IPSec

Last week we examined a Cisco VPN construct called SVTI. This is basically a “tunnel interface” used in conjunction with an IPSec protection profile. One of the limitations I mentioned was that, in comparison to GRE-based tunnel interfaces, VTI does not allow the transport of multiple protocols. This week we will expand our use of the tunnel interface and use GRE, or generic routing encapsulation.

GRE adds an additional IP header and a GRE header onto the original packet. Compared with VTI, the additional IP header is not a concern: in VTI we used a phase 2 SA in tunnel mode, which added an outer IP header anyway. With GRE, we let GRE carry the tunnelled IP information and use a “transport mode” phase 2 SA. Therefore, the only additional header information is the GRE header. This additional GRE header is what gives us the ability to run multiple protocols over the same tunnel interface.
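To make the header accounting above concrete, here is an added Python example (my code, not from the original post) that builds a GRE-in-IPv4 packet for each of the three passenger protocols used later in the article, decapsulates it by reading the GRE protocol-type field (the field that lets IPv4, IPv6 and IPX share one tunnel), and compares the on-wire size with the GRE header alone, with transport-mode ESP, and with tunnel-mode ESP. The ESP arithmetic assumes the article's esp-3des esp-sha-hmac transform (8-byte IV and cipher block, 12-byte truncated ICV) and a 20-byte IPv4 header without options; the passenger bytes are a constructed placeholder, not real packets.

```python
import struct
import ipaddress

# GRE protocol-type values (Ethertypes) for the passengers used in the article.
GRE_PROTO_IPV4 = 0x0800
GRE_PROTO_IPV6 = 0x86DD
GRE_PROTO_IPX = 0x8137

IP_PROTO_GRE = 47   # the "prot" value seen in the ident lines of show crypto ipsec sa
IP_HDR_LEN = 20     # IPv4 header without options (assumption)
GRE_HDR_LEN = 4     # flags/version + protocol type; no checksum, key or sequence


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header (no options) with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, proto_type: int, passenger: bytes) -> bytes:
    """Outer IPv4 (protocol 47) + minimal GRE header + passenger packet.

    The GRE protocol-type field is what lets IPv4, IPv6 and IPX share one tunnel:
    the receiver reads it to hand the passenger to the right protocol stack.
    """
    gre = struct.pack("!HH", 0, proto_type)   # no C/K/S flags, GRE version 0
    return ipv4_header(tunnel_src, tunnel_dst, IP_PROTO_GRE, len(gre) + len(passenger)) + gre + passenger


def gre_decapsulate(packet: bytes):
    """Return (proto_type, passenger) for a GRE-in-IPv4 packet; reject anything else."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer IP protocol %d is not GRE" % packet[9])
    if _checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    gre_len = GRE_HDR_LEN
    if flags & 0x8000:      # C bit: checksum + reserved1 present
        gre_len += 4
    if flags & 0x2000:      # K bit: key present
        gre_len += 4
    if flags & 0x1000:      # S bit: sequence number present
        gre_len += 4
    return proto_type, packet[ihl + gre_len:]


def esp_size(plaintext_len: int, iv_len: int = 8, block: int = 8, icv_len: int = 12) -> int:
    """On-wire bytes for one IPv4 packet carrying ESP over `plaintext_len` bytes.

    SPI + sequence (8) + IV + plaintext padded to the cipher block (+2 for pad
    length / next header) + ICV, behind a 20-byte IPv4 header.  The defaults match
    esp-3des esp-sha-hmac: 8-byte IV and block, 96-bit truncated SHA-1 ICV.
    """
    pad = (-(plaintext_len + 2)) % block
    return IP_HDR_LEN + 8 + iv_len + plaintext_len + pad + 2 + icv_len


def wire_sizes(passenger_len: int) -> dict:
    """Compare the encapsulations the article discusses for one passenger packet."""
    gre_only = IP_HDR_LEN + GRE_HDR_LEN + passenger_len
    return {
        "gre_only": gre_only,
        # transport mode: outer IP header kept, ESP protects GRE header + passenger
        "esp_transport": esp_size(GRE_HDR_LEN + passenger_len),
        # tunnel mode: whole GRE/IP packet encrypted, then a new outer IP header added
        "esp_tunnel": esp_size(gre_only),
    }


if __name__ == "__main__":
    # Constructed placeholder passengers; the zero bytes are not real packets.
    for name, ptype in (("IPv4", GRE_PROTO_IPV4), ("IPv6", GRE_PROTO_IPV6), ("IPX", GRE_PROTO_IPX)):
        pkt = gre_encapsulate("1.1.1.2", "1.1.2.2", ptype, bytes(100))
        recovered_type, passenger = gre_decapsulate(pkt)
        print(name, hex(recovered_type), len(passenger), wire_sizes(len(passenger)))
```

For a 100-byte passenger the GRE packet is 124 bytes, transport-mode ESP brings it to 160 and tunnel-mode ESP to 176: the transport-mode SA saves the second outer IP header (and its padding), which is why the article uses it once GRE already carries the tunnelled addressing.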

For this configuration, we will use a three-router topology in GNS3. The intermediary router only speaks IPv4. As in our previous example, we will use dynamic routing protocols for our tunnelled traffic. In this case, I am using EIGRP for IPv4, RIPng for IPv6 and IPX RIP for IPX. I seriously doubt that many of my readers are using IPX, but it is included for illustration purposes.

The topology

In this topology, R2 is our IPv4-only router. This could be the Internet, or another IPv4-only area of our production network.

hostname R2
!
interface Serial0/0
 ip address 1.1.1.1 255.255.255.252
!
interface Serial0/1
 ip address 1.1.2.1 255.255.255.252
!

That’s it for our IPv4 only router. Now let’s take a look at the relevant parts of the configuration for R1 and R3.

Router 1

//base configuration
hostname R1
!
ipv6 unicast-routing
ipx routing
!
interface Serial0/0
 ip address 1.1.1.2 255.255.255.252
!
//The tunnel source and destination must be able to reach each other;
//here a static route via R2 (it appears as the S route in the verification below)
ip route 1.1.2.0 255.255.255.252 1.1.1.1
!
//Loopback 0 can emulate our LAN
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
 ipv6 address 2001:1::1/64
 ipv6 rip IPNG enable
 ipx network F1
!
//Now we need a tunnel interface
interface Tunnel0
 ip address 20.20.20.1 255.255.255.0
 ipv6 address 2001:2::1/64
 ipv6 rip IPNG enable
 ipx network F2
 tunnel source 1.1.1.2
 tunnel destination 1.1.2.2
!
//The routing protocols for IPv4 and IPv6
//IPX does not require an explicit definition
router eigrp 1
 network 10.10.10.0 0.0.0.255
 network 20.20.20.0 0.0.0.255
ipv6 router rip IPNG

Router 3

//base configuration
hostname R3
!
ipv6 unicast-routing
ipx routing
!
interface Serial0/0
 ip address 1.1.2.2 255.255.255.252
!
//Mirror of the static route on R1, so R3 can reach R1's tunnel source via R2
ip route 1.1.1.0 255.255.255.252 1.1.2.1
!
//Loopback 0 can emulate our LAN
interface Loopback0
 ip address 30.30.30.1 255.255.255.0
 ipv6 address 2001:3::1/64
 ipv6 rip IPNG enable
 ipx network F3
!
//Now we need a tunnel interface
interface Tunnel0
 ip address 20.20.20.3 255.255.255.0
 ipv6 address 2001:2::2/64
 ipv6 address 2001:2::3/64
 ipv6 rip IPNG enable
 ipx network F2
 tunnel source 1.1.2.2
 tunnel destination 1.1.1.2
!
//The routing protocols for IPv4 and IPv6
//IPX does not require an explicit definition
router eigrp 1
 network 30.30.30.0 0.0.0.255
 network 20.20.20.0 0.0.0.255
ipv6 router rip IPNG
!

At this point, we should have a fully functional network. However, the traffic is not being encrypted by any network layer process. To rectify this, we will configure our IPSec protection profiles.

Router 1

//Phase 1 policy
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
//Pre Shared Key
crypto isakmp key Cisco12345 address 1.1.2.2
!
//Transform Set--Note Transport mode
//the tunnelled IP header is in GRE, not ESP
crypto ipsec transform-set MyTunnel esp-3des esp-sha-hmac
 mode transport
!
//IPSec Profile that calls the transform set
crypto ipsec profile MyProf
 set transform-set MyTunnel
!
//connect the protection profile to the existing tunnel interface
interface Tunnel0
 tunnel protection ipsec profile MyProf

Router 3

//Phase 1 policy
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
//Pre Shared Key
crypto isakmp key Cisco12345 address 1.1.1.2
!
//Transform Set--Note Transport mode
//the tunnelled IP header is in GRE, not ESP
crypto ipsec transform-set MyTunnel esp-3des esp-sha-hmac
 mode transport
!
//IPSec Profile that calls the transform set
crypto ipsec profile MyProf
 set transform-set MyTunnel
!
//connect the protection profile to the tunnel interface
interface Tunnel0
 tunnel protection ipsec profile MyProf

Now we need to verify. I am going to only show the verification from R1. The verification from R3 would be similar.

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/30 is subnetted, 2 subnets
C       1.1.1.0 is directly connected, Serial0/0
S       1.1.2.0 [1/0] via 1.1.1.1
     20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       20.20.20.0/24 is directly connected, Tunnel0
D       20.0.0.0/8 is a summary, 00:29:31, Null0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.10.10.0/24 is directly connected, Loopback0
D       10.0.0.0/8 is a summary, 00:29:31, Null0
D    30.0.0.0/8 [90/297372416] via 20.20.20.3, 00:29:27, Tunnel0
!
!
R1#show ipv6 route
IPv6 Routing Table - 7 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2001:1::/64 [0/0]
     via ::, Loopback0
L   2001:1::1/128 [0/0]
     via ::, Loopback0
C   2001:2::/64 [0/0]
     via ::, Tunnel0
L   2001:2::1/128 [0/0]
     via ::, Tunnel0
R   2001:3::/64 [120/2]
     via FE80::C20A:14FF:FE84:0, Tunnel0
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0
!
!
R1#show ipx route
Codes: C - Connected primary network,    c - Connected secondary network
       S - Static, F - Floating static, L - Local (internal), W - IPXWAN
       R - RIP, E - EIGRP, X - External, A - Aggregate
       s - seconds, u - uses, U - Per-user static/Unknown, H - Hold-down

3 Total IPX routes. Up to 1 parallel paths and 16 hops allowed.

No default route known.

C         F1 (UNKNOWN),       Lo0
C         F2 (TUNNEL),        Tu0
R         F3 [151/01] via       F2.c003.0d60.0000,   28s, Tu0
!
!
//IPv4
R1#ping 30.30.30.1 source loop0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.30.30.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
!
!
//IPv6
R1#ping 2001:3::1 sourc loop0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:3::1, timeout is 2 seconds:
Packet sent with a source address of 2001:1::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/3/4 ms
!
!
//IPX--note that you cannot specify the source
//the destination can be determined by
//show ipx interface loop0 (on R3)
R1#ping ipx F3.c003.0d60.0000

Type escape sequence to abort.
Sending 5, 100-byte IPX Novell Echoes to F3.c003.0d60.0000, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
!
!
//and let's check the crypto
//phase 1
R1#show crypto isakmp sa
dst             src             state          conn-id slot status
1.1.2.2         1.1.1.2         QM_IDLE              2    0 ACTIVE
1.1.1.2         1.1.2.2         QM_IDLE              1    0 ACTIVE
!
//phase 2--note protocol 47 is GRE
R1#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 1.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.2.2/255.255.255.255/47/0)
   current_peer 1.1.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 646, #pkts encrypt: 646, #pkts digest: 646
    #pkts decaps: 654, #pkts decrypt: 654, #pkts verify: 654
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0xF60F6C59(4128205913)

     inbound esp sas:
      spi: 0x822E6230(2184077872)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: SW:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4446862/1388)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0x17CA5937(399137079)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: SW:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4395460/1375)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x396E4129(963526953)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: SW:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4446942/1375)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0xF60F6C59(4128205913)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: SW:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4395380/1373)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
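As an added check (my code, not the author's), the following Python parses the show crypto ipsec sa output above and flags anything that departs from the design in the article: host-to-host identities with protocol 47, every ESP SA in transport mode and ACTIVE, replay detection on, and non-zero packet counters in both directions. The embedded SAMPLE is a constructed abbreviation of the R1 output shown on this page; in practice you would feed it the text captured from the router.

```python
import re

# Constructed sample: an abbreviated copy of the R1 "show crypto ipsec sa" output
# shown in the article, trimmed to the lines this parser reads.
SAMPLE = """\
interface: Tunnel0
   local  ident (addr/mask/prot/port): (1.1.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.2.2/255.255.255.255/47/0)
   current_peer 1.1.2.2 port 500
    #pkts encaps: 646, #pkts encrypt: 646, #pkts digest: 646
    #pkts decaps: 654, #pkts decrypt: 654, #pkts verify: 654
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x822E6230(2184077872)
        in use settings ={Transport, }
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0x396E4129(963526953)
        in use settings ={Transport, }
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/(\d+)/(\d+)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")
ERROR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
MODE_RE = re.compile(r"in use settings =\{(\w+)")


def parse_ipsec_sa(text: str) -> dict:
    """Pull identities, packet counters and per-SA settings out of the show output."""
    result = {"idents": {}, "counters": {}, "sas": []}
    direction = current = None   # set while inside an "inbound/outbound esp sas:" section
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            result["idents"][m.group(1)] = {"addr": m.group(2), "mask": m.group(3),
                                            "proto": int(m.group(4)), "port": int(m.group(5))}
        for name, value in COUNTER_RE.findall(line):
            result["counters"][name] = int(value)
        m = ERROR_RE.search(line)
        if m:
            result["counters"]["send_errors"] = int(m.group(1))
            result["counters"]["recv_errors"] = int(m.group(2))
        if line.endswith("esp sas:"):
            direction, current = line.split()[0], None
        elif line.endswith(" sas:"):            # ah / pcp sections: stop attaching lines
            direction = current = None
        elif line.startswith("spi:") and direction:
            current = {"direction": direction, "spi": line.split()[1].split("(")[0]}
            result["sas"].append(current)
        elif current is not None:
            if line.startswith("in use settings"):
                current["mode"] = MODE_RE.search(line).group(1)
            elif line.startswith("replay detection support:"):
                current["replay"] = line.endswith("Y")
            elif line.startswith("Status:"):
                current["status"] = line.split()[1]
    return result


def check_gre_transport(sa: dict, local: str, remote: str) -> list:
    """Findings against the article's design: host-to-host GRE (47) in transport-mode ESP."""
    findings = []
    for side, expected in (("local", local), ("remote", remote)):
        ident = sa["idents"].get(side)
        if ident is None:
            findings.append("%s ident missing from output" % side)
        elif ident["addr"] != expected or ident["mask"] != "255.255.255.255":
            findings.append("%s ident %s/%s, expected host %s" % (side, ident["addr"], ident["mask"], expected))
        elif ident["proto"] != 47:
            findings.append("%s ident protocol %d is not GRE (47)" % (side, ident["proto"]))
    if not sa["sas"]:
        findings.append("no ESP SAs: nothing is being protected")
    for s in sa["sas"]:
        label = "%s SA %s" % (s["direction"], s["spi"])
        if s.get("mode") != "Transport":
            findings.append("%s is %s mode, expected Transport for GRE" % (label, s.get("mode")))
        if s.get("status") != "ACTIVE":
            findings.append("%s status is %s" % (label, s.get("status")))
        if not s.get("replay"):
            findings.append("%s has replay detection disabled" % label)
    c = sa["counters"]
    if not c.get("encaps") or not c.get("decaps"):
        findings.append("no protected traffic in at least one direction yet")
    if c.get("send_errors") or c.get("recv_errors"):
        findings.append("send/recv errors are non-zero")
    return findings


if __name__ == "__main__":
    findings = check_gre_transport(parse_ipsec_sa(SAMPLE), "1.1.1.2", "1.1.2.2")
    print(findings or "OK: GRE (47) host-to-host, transport-mode ESP, replay protection on")
```

The parser keys on the same strings a human reads off the output (the ident lines, the #pkts counters, and each spi block under "inbound esp sas:" / "outbound esp sas:"), so a peer in the wrong mode, a missing direction, or a plain-text tunnel with zero encaps counters all surface as named findings rather than a silent pass.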

So I need to admit something. The title of this article suggested a discussion about running multiple routed protocols over IPSec. In actuality, what we did is route multiple routed protocols over GRE, and then encrypt the GRE with a transport mode ESP SA. Since ESP is part of the IPSec suite, my title is partially correct. What we have basically done is a double encapsulation. In other words, we now have IPv4 over GRE over IPSec, IPv6 over GRE over IPSec, and IPX over GRE over IPSec. GRE does add additional header overhead, but it gives us added flexibility for those cases when we need it.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in Design.

4 Responses to Multiple Protocols over IPSec

  1. Robert Hughes says:

    Hi Paul. An old article I know, but following the example, you’ve given no routing information between 1.1.1.2 and 1.1.2.2. The GRE tunnel won’t come up without a route on R1 and R3 to get between the two. Considering it would probably be over the Internet, I guess a static route would be the best example?

    • Paul Stewart, CCIE 26009 (Security) says:

      Correct. The tunnel source/destination addresses need to be able to reach one another. This would typically be a static route, a default route, or a BGP learned route. Good point.

  2. Abbas says:

    Hello Paul,

    MPLS is one of my dream topics. Thank you very much for this article, which makes it easy for techie people to understand.

    I have replicated the same lab in my GNS3, but this step is not working. Is there any route required?

    R1(config)#int loop 10
    R1(config-if)$ip vrf forwarding red
    R1(config-if)#ip address 10.10.10.10 255.255.255.0
    R1(config-if)#int loop 20
    R1(config-if)$ip vrf forwarding blue
    R1(config-if)#ip address 20.20.20.20 255.255.255.0
    R1(config-if)#exit

    Please advise….
