GRE over IPsec Cyrus

GRE over IPSEC Configuration

The difference between the configuration of IPsec over GRE and GRE over IPsec is:

                                 GRE over IPsec                   IPsec over GRE
ACL definition                   GRE data flow                    Intranet data flow
remote-address in the IKE peer   The peer's public address        The peer's GRE tunnel address
Where the crypto map is applied  Public network egress interface  GRE tunnel interface

Technical characteristics:
An IPsec (ESP) tunnel carries only IP unicast traffic.
GRE encapsulates non-IP packets and IP multicast or broadcast packets into IP unicast packets, so IPsec can then carry them.
Running a GRE tunnel inside an IPsec tunnel uses at most three SAs (one IKE SA plus one IPsec SA per direction, since all traffic is collapsed into the single GRE flow).

GRE --- Generic Routing Encapsulation
      GRE is a connectionless Layer 3 protocol with no security of its own. Supported passenger protocols: IP / IPX / AppleTalk
      
Tunnel Mode packet structure:    | IP | ESP | IP | GRE | IP | TCP | Data | ESP |
                                             |<======= Encrypted Payload =======>|

Transport Mode packet structure: | IP | ESP | GRE | IP | TCP | Data | ESP |
                                             |<===== Encrypted Payload =====>|

Experiment 1:
The Tunnel Mode packet structure in this experiment:
.. | Peer source, Peer destination | ESP | GRE source address, GRE destination address | GRE | Source IP, Destination IP | Data | ESP | ..
The Transport Mode packet structure in this experiment:
    Since "Peer source, Peer destination" (the encryption point) is equal to "GRE source address, GRE destination address" (the communication point), the outer IP header is not duplicated and the packet structure becomes:
    ... | GRE source address, GRE destination address | ESP | GRE | Source IP, Destination IP | Data | ESP | ...
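As an added illustration (not code from the original post), the following Python builds the GRE carrier packet that the "permit gre any any" ACL selects, shows why a multicast EIGRP hello needs GRE before ESP can carry it, and lays out the tunnel versus transport header order from the diagrams above, including the precondition that transport mode needs the GRE endpoints to equal the IPsec peers. The addresses are the lab's (12.1.1.2, 13.1.1.3, 23.1.1.x); the EIGRP payload bytes are a constructed placeholder.

```python
import socket
import struct

GRE_PROTO, ESP_PROTO, EIGRP_PROTO = 47, 50, 88   # IP protocol numbers

def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    return (~(s + (s >> 16))) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4                            # returns (src, dst, proto, payload)
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:])

def is_ip_unicast(pkt: bytes) -> bool:
    # ESP on its own carries only IP unicast; 224.0.0.0/4 is multicast
    return int(parse_ipv4(pkt)[1].split(".")[0]) < 224

def gre_encapsulate(inner: bytes, tun_src: str, tun_dst: str) -> bytes:
    # RFC 2784 GRE header: flags/version 0, protocol type 0x0800 (IPv4)
    gre = struct.pack("!HH", 0, 0x0800)
    return ipv4_header(tun_src, tun_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def matches_gre_acl(pkt: bytes) -> bool:
    # "permit gre any any": only the GRE carrier packets are interesting traffic
    return parse_ipv4(pkt)[2] == GRE_PROTO

def esp_layering(gre_pkt: bytes, peer_src: str, peer_dst: str, mode: str) -> list:
    # Header sequence ESP would produce, in the order of the diagrams above
    src, dst, proto, rest = parse_ipv4(gre_pkt)
    if proto != GRE_PROTO:
        raise ValueError("not a GRE packet")
    isrc, idst, iproto, _ = parse_ipv4(rest[4:])          # skip the 4-byte GRE header
    tail = ["GRE", f"IP {isrc}->{idst} proto {iproto}", "Data", "ESP trailer"]
    if mode == "tunnel":
        return [f"IP {peer_src}->{peer_dst}", "ESP", f"IP {src}->{dst}"] + tail
    if (src, dst) != (peer_src, peer_dst):               # transport-mode precondition
        raise ValueError("transport mode requires GRE endpoints == IPsec peers")
    return [f"IP {src}->{dst}", "ESP"] + tail

# Constructed sample: an EIGRP hello from tunnel address 23.1.1.2 to 224.0.0.10
EIGRP_HELLO = ipv4_header("23.1.1.2", "224.0.0.10", EIGRP_PROTO, 20) + bytes(20)
GRE_PKT = gre_encapsulate(EIGRP_HELLO, "12.1.1.2", "13.1.1.3")
```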

          
Old command:

Bring up the tunnel:
R2(config)#interface tunnel 23
R2(config-if)#ip address 23.1.1.2 255.255.255.0            <=== tunnel address
R2(config-if)#tunnel source 12.1.1.2
R2(config-if)#tunnel destination 13.1.1.3
--------------------------------------------
R3(config)#interface tunnel 23
R3(config-if)#ip address 23.1.1.3 255.255.255.0
R3(config-if)#tunnel source 13.1.1.3
R3(config-if)#tunnel destination 12.1.1.2

Advertise routes:
R2(config)#router eigrp 90                                 <=== do not advertise the Internet-facing interface
R2(config-router)#no auto-summary
R2(config-router)#network 100.2.2.0 0.0.0.255              <=== advertise the internal network
R2(config-router)#network 23.1.1.0 0.0.0.255               <=== advertise the tunnel network
--------------------------------------------
R3(config)#router eigrp 90
R3(config-router)#no auto-summary
R3(config-router)#network 100.3.3.0 0.0.0.255
R3(config-router)#network 23.1.1.0 0.0.0.255

IKE Phase I Policy:
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#authentication pre-share 
R2(config-isakmp)#hash md5 
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#group 2
R2(config)#crypto isakmp key 0 wolf address 13.1.1.3       <=== use the physical interface address
-----------------------------------------------------
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#authentication pre-share 
R3(config-isakmp)#hash md5
R3(config-isakmp)#encryption 3des 
R3(config-isakmp)#group 2
R3(config)#crypto isakmp key 0 wolf address 12.1.1.2

IPsec Phase II Policy:
R2(config)#crypto ipsec transform-set cisco esp-des esp-sha-hmac
mode:
R2(cfg-crypto-trans)#mode tunnel                           <=== use "tunnel" mode
or: R2(cfg-crypto-trans)#mode transport                    <=== use "transport" mode (only usable in the special case where "Peer source, Peer destination" equals "GRE source address, GRE destination address", and only on 25 series routers)
R2(config)#ip access-list extended gre
R2(config-ext-nacl)#permit gre any any                     <=== the match can be narrowed further ("any" can be replaced by the GRE source/destination addresses)
R2(config)#crypto map huawei 10 ipsec-isakmp
R2(config-crypto-map)#set peer 13.1.1.3                    <=== use the physical interface address
R2(config-crypto-map)#set transform-set cisco
R2(config-crypto-map)#set pfs
R2(config-crypto-map)#match address gre
-----------------------------------------------
R3(config)#crypto ipsec transform-set cisco esp-des esp-sha-hmac 
R3(cfg-crypto-trans)#mode tunnel
R3(config)#ip access-list extended gre
R3(config-ext-nacl)#permit gre any any          <=== the match can be narrowed further
R3(config)#crypto map huawei 10 ipsec-isakmp 
R3(config-crypto-map)#set peer 12.1.1.2   
R3(config-crypto-map)#set transform-set cisco
R3(config-crypto-map)#set pfs 
R3(config-crypto-map)#match address gre

Apply VPN Configuration
R2(config)#interface ethernet 0/0
R2(config-if)#crypto map huawei 
------------------------------------
R3(config)#interface ethernet 0/0
R3(config-if)#crypto map huawei


New command: no interesting-traffic ACL, no crypto map and no set peer are needed
... <=== same as before
IPsec Phase II Policy:
R2(config)#crypto ipsec transform-set cisco esp-des esp-sha-hmac
R2(config)#crypto ipsec profile GREPRO                     <=== only 26 series routers and above support this
R2(ipsec-profile)#set transform-set cisco

Apply VPN Configuration
R2(config)#interface tunnel 23
R2(config-if)#tunnel protection ipsec profile GREPRO

R2#show crypto ipsec sa                                    <=== shows that the SA was negotiated in "transport" mode


Origin blog.csdn.net/qq_43207781/article/details/105468684