GRE over IPsec - VRF aware (FVRF + IVRF)

Recently I worked on one problem with VRF aware VPN (GRE over IPsec), FVRF and IVRF.

                           10.0.0.0/24

               /----\ .6                 .7 /----\
6.6.6.6 Loop0 |  R6  |---------------------|  R7  | Loop0 7.7.7.7
               \----/                       \----/
                 Tun1                       Tun1
          192.168.0.1                       192.168.0.2

--CLIENT------------>|<-----INTERNET------>|<---------CLIENT--
     VRF                      VRF                      VRF

Let’s configure it!

We start by defining the two VRFs: INTERNET is the front-door VRF (FVRF) that carries the GRE/IPsec packets, and CLIENT is the inside VRF (IVRF) that carries the tunnelled traffic:

!
ip vrf INTERNET
!
ip vrf CLIENT
!  

and the interfaces (note that the tunnel is placed in CLIENT with `ip vrf forwarding`, while `tunnel vrf` points its outer header at INTERNET, the VRF of the tunnel source interface):

R6:

!
interface Loopback0
 ip vrf forwarding CLIENT
 ip address 6.6.6.6 255.255.255.0
!
interface Tunnel1
 ip vrf forwarding CLIENT
 ip address 192.168.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.7
 tunnel vrf INTERNET
!
interface GigabitEthernet0/0
 ip vrf forwarding INTERNET
 ip address 10.0.0.6 255.255.255.0
! 

and R7:

!
interface Loopback0
 ip vrf forwarding CLIENT
 ip address 7.7.7.7 255.255.255.0
!
interface Tunnel1
 ip vrf forwarding CLIENT
 ip address 192.168.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.6
 tunnel vrf INTERNET
!
interface GigabitEthernet0/0
 ip vrf forwarding INTERNET
 ip address 10.0.0.7 255.255.255.0
! 

then an ACL matching the GRE traffic between the two tunnel endpoints:

R6:

ip access-list extended CRYPTO-ACL
 permit gre host 10.0.0.6 host 10.0.0.7
! 

and R7:

ip access-list extended CRYPTO-ACL
 permit gre host 10.0.0.7 host 10.0.0.6
! 

We need an ISAKMP policy:

!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5 

GRE tunnel protection requires an ISAKMP profile, so first we need a keyring; it is bound to the front-door VRF INTERNET, where the IKE peer is reached:

R6:

crypto keyring KEYRING vrf INTERNET
  pre-shared-key address 10.0.0.7 key KEY
! 

and R7:

crypto keyring KEYRING vrf INTERNET
  pre-shared-key address 10.0.0.6 key KEY
! 

next, the ISAKMP profiles (the peer identity is also matched in the INTERNET VRF):

R6:

crypto isakmp profile IKE-PROFILE
   keyring KEYRING
   match identity address 10.0.0.7 255.255.255.255 INTERNET
   local-address GigabitEthernet0/0
! 

and for R7:

crypto isakmp profile IKE-PROFILE
   keyring KEYRING
   match identity address 10.0.0.6 255.255.255.255 INTERNET
   local-address GigabitEthernet0/0
! 

Next, as for traditional VPNs, we need a transform set:

!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode transport
!

and an IPsec profile that ties the transform set to the ISAKMP profile:

crypto ipsec profile IPSEC-PROFILE
 set transform-set ESP-AES256-SHA1
 set isakmp-profile IKE-PROFILE
! 

The last two steps are routing and protection of tunnel traffic:

!
interface Tunnel1
 tunnel protection ipsec profile IPSEC-PROFILE
!

and

! default route inside the CLIENT (inside) VRF, pointing at the tunnel
ip route vrf CLIENT 0.0.0.0 0.0.0.0 Tunnel1
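The easiest mistake in this setup is getting a VRF name wrong on one of the four places it appears (tunnel source interface, `tunnel vrf`, keyring, static route), which quietly breaks either IKE or routing. The following is an added Python check, not part of the original post, that parses a minimal IOS config and verifies the FVRF/IVRF wiring: `tunnel vrf` must equal the VRF of the tunnel source interface, the keyring must live in that FVRF, and any route pointing at the tunnel must sit in the tunnel's own `ip vrf forwarding` VRF. The sample config is constructed from R6 above, with the IVRF name deliberately misspelled in the default route (KLIENT instead of CLIENT) so the check has something to report.

```python
# Constructed sample (condensed from R6 above); "ip route vrf KLIENT" is a deliberate slip.
R6_CONFIG = """\
ip vrf INTERNET
ip vrf CLIENT
interface Tunnel1
 ip vrf forwarding CLIENT
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.7
 tunnel vrf INTERNET
interface GigabitEthernet0/0
 ip vrf forwarding INTERNET
 ip address 10.0.0.6 255.255.255.0
crypto keyring KEYRING vrf INTERNET
 pre-shared-key address 10.0.0.7 key KEY
ip route vrf KLIENT 0.0.0.0 0.0.0.0 Tunnel1
"""

def parse_ios(text):
    """Map each top-level IOS command to its indented child lines (comments and blanks skipped)."""
    sections, current = {}, None
    for raw in (l for l in text.splitlines() if l.strip() and not l.startswith("!")):
        if raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current, sections[raw.strip()] = raw.strip(), []
    return sections

def check_vrf_aware_gre(text):
    """Return findings as strings; an empty list means the FVRF/IVRF wiring is consistent."""
    sections = parse_ios(text)
    def attr(intf, prefix):  # value of a sub-command under "interface <intf>"
        for line in sections.get(f"interface {intf}", []):
            if line.startswith(prefix + " "):
                return line[len(prefix) + 1:]
        return None  # absent VRF attribute means the global routing table
    findings = []
    for tun in [s.split()[1] for s in sections if s.startswith("interface Tunnel")]:
        ivrf, fvrf, src = attr(tun, "ip vrf forwarding"), attr(tun, "tunnel vrf"), attr(tun, "tunnel source")
        # FVRF: "tunnel vrf" must be the VRF the tunnel source interface forwards in
        if src and attr(src, "ip vrf forwarding") != fvrf:
            findings.append(f"{tun}: FVRF {fvrf!r} but source {src} forwards in {attr(src, 'ip vrf forwarding')!r}")
        # IKE looks the pre-shared key up in the FVRF, so the keyring's vrf must match it
        for kr in [s for s in sections if s.startswith("crypto keyring ")]:
            kr_vrf = kr.split()[4] if " vrf " in kr else None
            if kr_vrf != fvrf:
                findings.append(f"{kr}: keyring VRF {kr_vrf!r} does not match FVRF {fvrf!r}")
        # IVRF: a route whose next hop is the tunnel belongs in the tunnel's own VRF
        for rt in [s for s in sections if s.startswith("ip route vrf ") and s.split()[-1] == tun]:
            if rt.split()[3] != ivrf:
                findings.append(f"{rt!r}: route VRF {rt.split()[3]!r} but {tun} is in IVRF {ivrf!r}")
    return findings
```

Run against the sample it reports only the misspelled route; fixing the name to CLIENT yields an empty list, while changing `tunnel vrf` to the wrong VRF surfaces both the source-interface and keyring mismatches.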

Let’s test the tunnel: first the SA counters before the ping, then a ping across the tunnel from the inside VRF, then the counters again (they increase by exactly the five echoes):

R6#sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 10.0.0.6

   protected vrf: KLIENT
   local  ident (addr/mask/prot/port): (10.0.0.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.0.0.7/255.255.255.255/47/0)
   current_peer 10.0.0.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.6, remote crypto endpt.: 10.0.0.7
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x20259C21(539335713)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4F916E54(1334931028)

R6#
R6#ping vrf KLIENT 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/141/188 ms
R6#
R6#sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 10.0.0.6

   protected vrf: KLIENT
   local  ident (addr/mask/prot/port): (10.0.0.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.0.0.7/255.255.255.255/47/0)
   current_peer 10.0.0.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
    #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.6, remote crypto endpt.: 10.0.0.7
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x20259C21(539335713)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4F916E54(1334931028) 