Combining GRE and IPSec with a Front Side VRF

The article last week focused on the process of taking a typical GRE configuration and reconfiguring it so the transport network was in a separate VRF. This type of VRF is called an FVRF, or front-end VRF. While this provides a substantial level of isolation, it does nothing to hide the contents of the tunnel from prying eyes in untrusted parts of the transit network.

Today’s article examines the process of protecting the GRE tunnel with IPSec and further securing the router with an ACL on the physical interface. The baseline for this process is where we previously left off.

GRE tunnel VRF Configuration


R1

ip vrf FVRF

interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 1.1.2.3
 tunnel vrf FVRF

interface Serial0/0
 ip vrf forwarding FVRF 
 ip address 1.1.1.1 255.255.255.0

interface loopback0
 ip address 10.10.10.1 255.255.255.0

router eigrp 1
 network 10.10.10.1 0.0.0.0
 network 192.168.1.1 0.0.0.0
 no auto-summary

ip route vrf FVRF 0.0.0.0 0.0.0.0 1.1.1.2

R3

ip vrf FVRF

interface Tunnel1
 ip address 192.168.1.3 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 1.1.1.1
 tunnel vrf FVRF

interface Serial0/0 
 ip vrf forwarding FVRF 
 ip address 1.1.2.3 255.255.255.0

interface loopback0
 ip address 10.30.30.3 255.255.255.0

router eigrp 1
 network 10.30.30.3 0.0.0.0
 network 192.168.1.3 0.0.0.0
 no auto-summary

ip route vrf FVRF 0.0.0.0 0.0.0.0 1.1.2.2

R2 (Transit Router)

interface Serial0/0 
 ip address 1.1.1.2 255.255.255.0

interface Serial0/1 
 ip address 1.1.2.2 255.255.255.0

The goal is to create an IPSec profile that provides the protection of IPSec. This profile is assigned to the tunnel interfaces so that the GRE tunnels can utilize that protection. While this seems incredibly straightforward, there are required specifics when working with VRFs, IPSec and GRE. I spent some time figuring out the correct combination and wanted to save others the grief of troubleshooting each of the options.


R1

//create the keyring
crypto keyring vpn vrf FVRF
 pre-shared-key address 1.1.2.3 key cisco

//create the isakmp policy
crypto isakmp policy 10
 authentication pre-share

//associate the peer with the FVRF
//crypto isakmp peer address 1.1.2.3 vrf FVRF
//the command above is not required and should
//only be used in aggressive mode

//map the peer to the keyring
crypto isakmp profile ikeprof
 keyring vpn
 match identity address 1.1.2.3 255.255.255.255 FVRF

//configure the transform set
crypto ipsec transform-set myset esp-des
 mode transport

//create the ipsec profile
crypto ipsec profile myprof 
 set transform-set myset
 set isakmp-profile ikeprof

//apply the profile to the tunnel
interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 1.1.2.3
 tunnel vrf FVRF
 tunnel protection ipsec profile myprof

R3

//create the keyring
crypto keyring vpn vrf FVRF
 pre-shared-key address 1.1.1.1 key cisco

//create the isakmp policy
crypto isakmp policy 10
 authentication pre-share

//associate the peer with the FVRF
//crypto isakmp peer address 1.1.1.1 vrf FVRF
//the command above is not required and should
//only be used in aggressive mode

//map the peer to the keyring
crypto isakmp profile ikeprof
 keyring vpn
 match identity address 1.1.1.1 255.255.255.255 FVRF

//configure the transform set
crypto ipsec transform-set myset esp-des
 mode transport

//create the ipsec profile
crypto ipsec profile myprof 
 set transform-set myset
 set isakmp-profile ikeprof

//apply the profile to the tunnel
interface Tunnel1
 ip address 192.168.1.3 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 1.1.1.1
 tunnel vrf FVRF
 tunnel protection ipsec profile myprof
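The pieces above must agree on the VRF and the peer at four points: the tunnel, the IPSec profile, the ISAKMP profile and the keyring. The checker below is an added example (not part of the article or Cisco IOS) that reads an IOS configuration and reports where that chain breaks; the embedded R1 excerpt is constructed from the configuration above, and the function names are my own.

```python
R1_CONFIG = """crypto keyring vpn vrf FVRF
 pre-shared-key address 1.1.2.3 key cisco
crypto isakmp profile ikeprof
 keyring vpn
 match identity address 1.1.2.3 255.255.255.255 FVRF
crypto ipsec profile myprof
 set isakmp-profile ikeprof
interface Tunnel1
 tunnel destination 1.1.2.3
 tunnel vrf FVRF
 tunnel protection ipsec profile myprof
"""  # constructed excerpt of the article's R1 config (only the lines the checker reads)

def parse_blocks(config):
    """Group IOS config into {top-level line: [indented sub-lines]}."""
    blocks, cur = {}, None
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" ") and cur:
            blocks[cur].append(line.strip())
        else:
            cur = line.strip()
            blocks[cur] = []
    return blocks

def sub(lines, prefix):
    return next((l.split() for l in lines if l.startswith(prefix)), None)

def check_fvrf_ipsec(config, fvrf="FVRF"):
    """Findings; [] means tunnel, IPsec profile, ISAKMP profile and keyring agree on VRF and peer."""
    b, out = parse_blocks(config), []
    for tun in [k for k in b if k.startswith("interface Tunnel")]:
        if f"tunnel vrf {fvrf}" not in b[tun]:
            out.append(f"{tun}: missing 'tunnel vrf {fvrf}'")
        dest = (sub(b[tun], "tunnel destination") or [None] * 3)[2]
        prot = sub(b[tun], "tunnel protection ipsec profile")
        ike = sub(b.get(f"crypto ipsec profile {prot[4]}", []), "set isakmp-profile") if prot else None
        ikep = b.get(f"crypto isakmp profile {ike[2]}") if ike else None
        if ikep is None:
            out.append(f"{tun}: tunnel protection does not lead to a defined ISAKMP profile")
            continue
        # The ISAKMP profile must match the peer's address inside the front VRF, not global
        ident = sub(ikep, "match identity address")
        if ident is None or ident[-1] != fvrf or ident[3] != dest:
            out.append(f"{ike[2]}: 'match identity address' must name {dest} and {fvrf}")
        # ...and the keyring it references must itself be bound to that VRF
        kr = sub(ikep, "keyring")
        ring = next((k for k in b if kr and k.split()[:3] == ["crypto", "keyring", kr[1]]), None)
        if ring is None or ring.split()[-2:] != ["vrf", fvrf]:
            out.append(f"{ike[2]}: keyring must be defined as 'crypto keyring <name> vrf {fvrf}'")
    return out
```

Running it on R3 (swap the two addresses) or on a configuration with the keyring defined without `vrf FVRF` shows the mismatch that otherwise surfaces only as an ISAKMP negotiation that never completes.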

Confirming Connectivity

R1

R1#ping 10.30.30.3 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.30.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 2 subnets
D       10.30.30.0 [90/297372416] via 192.168.1.3, 02:28:34, Tunnel1
C       10.10.10.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Tunnel1
R1#show cryp
R1#show crypto isak
R1#show crypto isakmp sa
dst             src             state          conn-id slot status
1.1.1.1         1.1.2.3         QM_IDLE              1    0 ACTIVE

R1#show crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 1.1.1.1

   protected vrf: FVRF
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.2.3/255.255.255.255/47/0)
   current_peer 1.1.2.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1959, #pkts encrypt: 1959, #pkts digest: 1959
    #pkts decaps: 1955, #pkts decrypt: 1955, #pkts verify: 1955
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.2.3
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0xAA19E327(2853823271)

     inbound esp sas:
      spi: 0x6B0FA75(112261749)
        transform: esp-des ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: SW:2, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4456270/1574)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAA19E327(2853823271)
        transform: esp-des ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: SW:1, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4456270/1572)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

The final thing I mentioned was further securing the physical interface with access-lists. It is worth noting that all outbound traffic can be fully blocked. Remember that packets produced by the router itself are not checked against the outbound ACL. From the perspective of the router, only the ESP and ISAKMP packets from the peer need to be permitted inbound.

R1

ip access-list extended PHY-OUT
 deny ip any any

ip access-list extended PHY-IN
 permit udp host 1.1.2.3 host 1.1.1.1 eq 500
 permit esp host 1.1.2.3 host 1.1.1.1 

int s0/0
 ip access-group PHY-OUT out
 ip access-group PHY-IN in

R3

ip access-list extended PHY-OUT
 deny ip any any

ip access-list extended PHY-IN
 permit udp host 1.1.1.1 host 1.1.2.3 eq 500
 permit esp host 1.1.1.1 host 1.1.2.3 

int s0/0
 ip access-group PHY-OUT out
 ip access-group PHY-IN in
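To make the effect of these two access-lists concrete, here is an added example (not from the article) that models PHY-IN and PHY-OUT on R1's Serial0/0 and evaluates constructed packets against them, including the rule that router-originated traffic bypasses the outbound ACL. The protocol numbers are the standard IANA values; the packet descriptions and function names are mine.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the article's two IOS extended ACLs on R1's Serial0/0.
# An ACE is (action, protocol, source, destination, destination port); None is a wildcard.
PHY_IN = [
    ("permit", "udp", "1.1.2.3/32", "1.1.1.1/32", 500),   # ISAKMP from the peer
    ("permit", "esp", "1.1.2.3/32", "1.1.1.1/32", None),  # ESP (IP protocol 50) from the peer
]
PHY_OUT = [("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None)]
PROTO = {"udp": 17, "esp": 50, "gre": 47, "icmp": 1}  # IP protocol numbers used below

def acl_action(acl, proto, src, dst, dport=None):
    """Evaluate ACEs top-down like IOS; the first match decides."""
    for action, p, s, d, port in acl:
        if p != "ip" and PROTO[p] != proto:
            continue
        if ip_address(src) not in ip_network(s) or ip_address(dst) not in ip_network(d):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL

def interface_filter(direction, proto, src, dst, dport=None, router_originated=False):
    """Apply PHY-IN / PHY-OUT. Packets the router generates itself (its ESP, ISAKMP
    and GRE) are not checked against the outbound ACL, so 'deny ip any any' is safe."""
    if direction == "out":
        return "permit" if router_originated else acl_action(PHY_OUT, proto, src, dst, dport)
    return acl_action(PHY_IN, proto, src, dst, dport)

def inbound_matrix():
    """What the peer (and anyone else) can deliver to R1 over Serial0/0."""
    return {
        "isakmp from peer": interface_filter("in", 17, "1.1.2.3", "1.1.1.1", 500),
        "esp from peer": interface_filter("in", 50, "1.1.2.3", "1.1.1.1"),
        # Only the ESP-wrapped GRE is accepted; bare GRE from the peer's address is dropped
        "bare gre from peer": interface_filter("in", 47, "1.1.2.3", "1.1.1.1"),
        "esp from elsewhere": interface_filter("in", 50, "198.51.100.7", "1.1.1.1"),
        # NAT traversal uses UDP 4500 and would need its own ACE if a NAT device sat in the path
        "nat-t udp 4500": interface_filter("in", 17, "1.1.2.3", "1.1.1.1", 4500),
        "icmp to router": interface_filter("in", 1, "1.1.2.3", "1.1.1.1"),
    }
```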

ACL Verification

R1

R1#ping 10.30.30.3 source loop 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.30.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms
R1#show access-list
Extended IP access list PHY-IN
    10 permit udp host 1.1.2.3 host 1.1.1.1 eq isakmp (14 matches)
    20 permit esp host 1.1.2.3 host 1.1.1.1 (85 matches)
Extended IP access list PHY-OUT
    10 deny ip any any

Conclusion

Moving the physical interface into a separate VRF creates an elegant solution for configurations requiring tunnels. While this creates some level of isolation, it doesn’t provide secure transport for the payload. Adding an IPSec profile to the configuration encrypts the original packets and payload. Finally, locking the physical interface down with ACLs provides a final layer of security.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

8 Responses to Combining GRE and IPSec with a Front Side VRF

  1. Pingback: Using a GRE Tunnel VRF to Separate the Physical Interface - PacketU

  2. Todd McFadden says:

    Great article Paul. This really helped me with setting up a secure DMVPN solution in our enterprise. Kudos!

  3. Jaybee says:

    Thank You for sharing Todd!! You’re a genuine expert.

  4. Nick Hesson says:

    Thank you for this post. But I don’t believe you need:

    crypto isakmp peer address 1.1.2.3 vrf FVRF

    That command is for aggressive mode deployments. In fact the association to the VRF happens in the ISAKMP Profile with this command:

    match identity address 1.1.2.3 255.255.255.255 FVRF

  5. Krishna says:

    When I apply the VRF on the serial interface with "ip route vrf public 0.0.0.0 0.0.0.0 <next hop x.x.x.x>" I am not able to ping. Do you know why it is behaving like that, and is there any solution or suggestion for it?

  6. Krishna says:

    I am not able to ping

  7. Pingback: VRF Series Article 4 - VRF-lite in a DMVPN Network - PacketU
