Download PNETLab Platform

PNETLAB Store
PNETLab.com

GRE OVER IPSEC VPN

Lab Topology:
Please use the following topology to complete this lab exercise:

https://user.pnetlab.com/store/labs/detail?id=16037655085598
Lab Objectives:
The objective of this lab exercise is to learn, step by step, how to configure a
site-to-site VPN and run GRE over IPsec so that traffic between the two local
networks is protected while it crosses the Internet.


Task:
1. Configure the GRE tunnel and assign addresses
2. Configure routing inside and outside the network
3. Configure the IPsec VPN only on R2 and R4
+ Configure the ISAKMP policy required to establish IKE phase 1
+ Set the pre-shared key and the peer
+ Configure the IPsec policy (transform set) used to establish IKE phase 2
+ Create the crypto profile for the outgoing interface of the VPN device
+ Apply the crypto profile to the outgoing interface
+ No IPsec VPN configuration on the Internet router
4. Verify the result

Solution:
Task 1: Configure the GRE tunnel and assign addresses
On R1:

hostname R1
interface Ethernet0/0
 ip address 192.168.12.1 255.255.255.0
 ! IOS router interfaces are administratively down by default,
 ! so every physical interface used here is brought up explicitly
 no shutdown

On CE1 (R2):

hostname CE1
interface Ethernet0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
interface Ethernet0/1
 ip address 1.1.1.1 255.255.255.0
 no shutdown
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 tunnel source Ethernet0/1
 tunnel destination 2.2.2.4

On Internet:

hostname Internet
interface Ethernet0/0
 ip address 1.1.1.2 255.255.255.0
 no shutdown
!
interface Ethernet0/1
 ip address 2.2.2.2 255.255.255.0
 no shutdown

On CE2:

hostname CE2
interface Ethernet0/0
 ip address 2.2.2.4 255.255.255.0
 no shutdown
!
interface Ethernet0/1
 ip address 192.168.45.4 255.255.255.0
 no shutdown
!
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 1.1.1.1

On R5:

hostname R5
interface Ethernet0/0
 ip address 192.168.45.5 255.255.255.0
 no shutdown

Task 2: Configure routing inside and outside the network

On R1:

ip route 0.0.0.0 0.0.0.0 192.168.12.2

On CE1:

router eigrp 10
 network 10.10.10.0 0.0.0.255
 network 192.168.12.0
!
router ospf 100
 network 1.1.1.0 0.0.0.255 area 0

On Internet:

router ospf 100
 network 1.1.1.0 0.0.0.255 area 0
 network 2.2.2.0 0.0.0.255 area 0

On CE2:

router ospf 100
 network 2.2.2.0 0.0.0.255 area 0
!
router eigrp 10
 network 10.10.10.0 0.0.0.255
 network 192.168.45.0

On R5:

ip route 0.0.0.0 0.0.0.0 192.168.45.4

Task 3: Configure the IPsec VPN only on CE1 and CE2

On CE1:

crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 exit
!
crypto isakmp key cisco address 2.2.2.4
!
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile MYMAP
 set transform-set MYSET
!
interface Tunnel0
 tunnel protection ipsec profile MYMAP

On CE2:

crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 exit
!
crypto isakmp key cisco address 1.1.1.1
!
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile MYMAP
 set transform-set MYSET
!
interface Tunnel0
 tunnel protection ipsec profile MYMAP

Task 4: Verify the result

CE1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1         2.2.2.4         QM_IDLE           1001 ACTIVE

CE1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

CE1#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      2.2.2.4                                     cisco

CE1#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (2.2.2.4/255.255.255.255/47/0)
   current_peer 2.2.2.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 566, #pkts encrypt: 566, #pkts digest: 566
    #pkts decaps: 572, #pkts decrypt: 572, #pkts verify: 572
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.4
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1
     current outbound spi: 0xC3A0ADDA(3282087386)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x5A13A490(1511236752)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/1173)
        IV size: 8 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)
      spi: 0x3C144756(1007961942)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, sibling_flags 80004040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/1178)
        IV size: 8 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)
      spi: 0x7CAF8C2F(2091879471)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: SW:5, sibling_flags 80004040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4267975/1178)
        IV size: 8 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)
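As an added verification aid (not part of the lab or of PNETLab's material), the script below parses the style of "show crypto ipsec sa" output shown above and reports whether the GRE proxy identity (IP protocol 47) is covered by an active SA, whether traffic flows in both directions, and whether the negotiated transforms are ones (3DES, MD5) that current guidance treats as weak. The sample text is constructed from the lab's own output and the weak-algorithm list is an assumption.

```python
import re

# Constructed sample: abridged "show crypto ipsec sa" text, values from the lab output.
SAMPLE = """\
interface: Tunnel0
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (2.2.2.4/255.255.255.255/47/0)
   current_peer 2.2.2.4 port 500
    #pkts encaps: 566, #pkts encrypt: 566, #pkts digest: 566
    #pkts decaps: 572, #pkts decrypt: 572, #pkts verify: 572
     inbound esp sas:
      spi: 0x5A13A490(1511236752)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        Status: ACTIVE(ACTIVE)
"""

# Transforms flagged as weak (assumption: a reviewer's policy list; the lab's 3DES/MD5 set trips it).
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def parse_ipsec_sa(text):
    """Pull the fields a verifier cares about out of 'show crypto ipsec sa'."""
    sa = {}
    m = re.search(r"current_peer (\S+) port (\d+)", text)
    sa["peer"] = m.group(1) if m else None
    # the proxy identity carries the IP protocol number; GRE is protocol 47
    m = re.search(r"local\s+ident .*?/(\d+)/\d+\)", text)
    sa["proto"] = int(m.group(1)) if m else None
    m = re.search(r"#pkts encaps: (\d+)", text)
    sa["encaps"] = int(m.group(1)) if m else 0
    m = re.search(r"#pkts decaps: (\d+)", text)
    sa["decaps"] = int(m.group(1)) if m else 0
    sa["transforms"] = re.findall(r"transform: (esp-\S+ esp-\S+)", text)
    sa["active"] = "Status: ACTIVE" in text
    return sa

def check_sa(sa):
    """Return sorted findings; an empty list means the tunnel looks healthy and strong."""
    findings = []
    if not sa["active"]:
        findings.append("no active IPsec SA")
    if sa["proto"] != 47:
        findings.append("proxy identity is not GRE (protocol 47)")
    if sa["encaps"] == 0 or sa["decaps"] == 0:
        findings.append("traffic is not flowing in both directions")
    for alg in " ".join(sa["transforms"]).split():
        if alg in WEAK:
            findings.append("weak transform in use: " + alg)
    return sorted(set(findings))
```

Run it against a pasted copy of the real command output to confirm the SA state before and after changing the transform set to an AES/SHA-based one.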

Verify with Wireshark:


On R1:
R1#ping 192.168.45.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.45.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/3 ms

On R5:
R5#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms

Check the result with a Wireshark packet capture on the Internet segment between
CE1 and CE2. Every packet crossing it is encapsulated in ESP, so the GRE header
and the inner 192.168.x.x addresses are not visible; the outer source and
destination addresses are the tunnel endpoints 1.1.1.1 and 2.2.2.4 rather than
the original hosts.
