GRE over IPsec - VRF aware (FVRF + IVRF)
Recently I worked on a problem with a VRF-aware VPN (GRE over IPsec) that uses a front-door VRF (FVRF) for the tunnel endpoints and an inside VRF (IVRF) for the protected traffic.
                           10.0.0.0/24
               /----\ .6                   .7 /----\
6.6.6.6 Loop0  | R6 |-------------------------| R7 |  Loop0 7.7.7.7
               \----/                         \----/
                Tun1                           Tun1
            192.168.0.1                    192.168.0.2
--CLIENT------------>|<--------INTERNET-------->|<------------CLIENT--
      VRF                       VRF                      VRF
Let's configure it!
We start by defining the two VRFs: INTERNET is the FVRF (where the tunnel source and the IKE/IPsec peer live) and CLIENT is the IVRF (where the tunnel interface and the protected traffic live):
!
ip vrf INTERNET
!
ip vrf CLIENT
!
and the interfaces. The tunnel interface itself forwards in CLIENT (the IVRF), while "tunnel vrf INTERNET" tells the router to route the encapsulated GRE packets in the FVRF:
R6:
!
interface Loopback0
ip vrf forwarding CLIENT
ip address 6.6.6.6 255.255.255.0
!
interface Tunnel1
ip vrf forwarding CLIENT
ip address 192.168.0.1 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel destination 10.0.0.7
tunnel vrf INTERNET
!
interface GigabitEthernet0/0
ip vrf forwarding INTERNET
ip address 10.0.0.6 255.255.255.0
!
and R7:
!
interface Loopback0
ip vrf forwarding CLIENT
ip address 7.7.7.7 255.255.255.0
!
interface Tunnel1
ip vrf forwarding CLIENT
ip address 192.168.0.2 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel destination 10.0.0.6
tunnel vrf INTERNET
!
interface GigabitEthernet0/0
ip vrf forwarding INTERNET
ip address 10.0.0.7 255.255.255.0
!
then an ACL matching the GRE traffic between the tunnel endpoints (with tunnel protection the router derives the proxy identities from the tunnel source and destination itself, so this ACL is not referenced by the rest of the configuration):
R6:
ip access-list extended CRYPTO-ACL
permit gre host 10.0.0.6 host 10.0.0.7
!
and R7:
ip access-list extended CRYPTO-ACL
permit gre host 10.0.0.7 host 10.0.0.6
!
We need an ISAKMP policy (identical on both routers):
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
GRE tunnel protection requires an ISAKMP profile, so we first need a keyring. The keyring is bound to the FVRF (INTERNET), because that is the VRF in which the IKE peer is reached:
R6:
crypto keyring KEYRING vrf INTERNET
pre-shared-key address 10.0.0.7 key KEY
!
and R7:
crypto keyring KEYRING vrf INTERNET
pre-shared-key address 10.0.0.6 key KEY
!
next, the ISAKMP profiles. The match identity statement also names the FVRF in which the peer address is matched:
R6:
crypto isakmp profile IKE-PROFILE
keyring KEYRING
match identity address 10.0.0.7 255.255.255.255 INTERNET
local-address GigabitEthernet0/0
!
and for R7:
crypto isakmp profile IKE-PROFILE
keyring KEYRING
match identity address 10.0.0.6 255.255.255.255 INTERNET
local-address GigabitEthernet0/0
!
Next, as for traditional VPNs, we need a transform set (transport mode is used here, since the GRE header already carries the tunnel endpoints):
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
mode transport
!
and an IPsec profile that ties the transform set to the ISAKMP profile:
crypto ipsec profile IPSEC-PROFILE
set transform-set ESP-AES256-SHA1
set isakmp-profile IKE-PROFILE
!
The last two steps are protecting the tunnel and routing the client traffic into it:
!
interface Tunnel1
tunnel protection ipsec profile IPSEC-PROFILE
!
and a default route in the client VRF (the IVRF) pointing into the tunnel:
ip route vrf CLIENT 0.0.0.0 0.0.0.0 Tunnel1
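The whole configuration above hangs on a few VRF relationships that IOS does not check for you: the tunnel's FVRF must be the VRF of its source interface, the keyring and the ISAKMP profile's match identity must name that same FVRF, and any route pointing into the tunnel must live in the tunnel's IVRF. The following checker is an added example (not part of the original post and not a Cisco tool) that parses an IOS-style configuration and reports violations of those rules. Its sample input is a constructed, trimmed copy of the R6 configuration in which the default route is deliberately placed in a VRF named KLIENT (the name that appears in the show output later on this page) that the configuration never defines; it assumes one-space indentation for sub-commands and only understands the commands used on this page.

```python
import re
# Constructed sample input: the R6 configuration from this post, trimmed, with the
# default route deliberately in an undefined VRF named KLIENT so the checker flags it.
R6_CONFIG = """\
ip vrf INTERNET
!
ip vrf CLIENT
!
interface Tunnel1
 ip vrf forwarding CLIENT
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.7
 tunnel vrf INTERNET
 tunnel protection ipsec profile IPSEC-PROFILE
!
interface GigabitEthernet0/0
 ip vrf forwarding INTERNET
!
crypto keyring KEYRING vrf INTERNET
 pre-shared-key address 10.0.0.7 key KEY
!
crypto isakmp profile IKE-PROFILE
 keyring KEYRING
 match identity address 10.0.0.7 255.255.255.255 INTERNET
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set ESP-AES256-SHA1
 set isakmp-profile IKE-PROFILE
!
ip route vrf KLIENT 0.0.0.0 0.0.0.0 Tunnel1
"""

def parse_ios(config):
    """Map each top-level IOS line to the list of its indented sub-lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line == "!":
            current = None
        elif line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.rstrip()
            blocks.setdefault(current, [])
    return blocks

def _arg(body, prefix):
    for line in body:  # what follows the first sub-line beginning with prefix, or None
        if line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return None

def check_fvrf_ivrf(config):
    """Return findings about FVRF/IVRF wiring; an empty list means it is consistent."""
    blocks, findings = parse_ios(config), []
    vrfs = {h.split()[2] for h in blocks if h.startswith("ip vrf ")}
    def require(vrf, where):
        if vrf is not None and vrf not in vrfs:
            findings.append(f"{where}: VRF {vrf} is not defined")
    # VRF each interface forwards in: the IVRF of a tunnel, the FVRF of its source.
    iface_vrf = {h.split()[1]: _arg(b, "ip vrf forwarding")
                 for h, b in blocks.items() if h.startswith("interface ")}
    for name, vrf in iface_vrf.items():
        require(vrf, f"interface {name}")
    # IKE looks the peer up in the keyring's VRF; no "vrf" keyword means the global table.
    keyring_vrf = {}
    for h in blocks:
        m = re.fullmatch(r"crypto keyring (\S+)(?: vrf (\S+))?", h)
        if m:
            keyring_vrf[m.group(1)] = m.group(2)
            require(m.group(2), h)
    for h, body in blocks.items():
        if not h.startswith("interface Tunnel"):
            continue
        fvrf, source = _arg(body, "tunnel vrf"), _arg(body, "tunnel source")
        require(fvrf, h)
        if source in iface_vrf and iface_vrf[source] != fvrf:
            findings.append(f"{h}: tunnel vrf {fvrf} but {source} is in VRF {iface_vrf[source]}")
        # Follow tunnel protection -> IPsec profile -> ISAKMP profile -> keyring.
        ipsec = _arg(body, "tunnel protection ipsec profile")
        if ipsec is None:
            continue
        ike = _arg(blocks.get(f"crypto ipsec profile {ipsec}", []), "set isakmp-profile")
        ike_body = blocks.get(f"crypto isakmp profile {ike}", [])
        keyring = _arg(ike_body, "keyring")
        if keyring is not None and keyring_vrf.get(keyring) != fvrf:
            findings.append(f"{h}: keyring {keyring} is in VRF {keyring_vrf.get(keyring)}, expected FVRF {fvrf}")
        # "match identity address A M [VRF]": the VRF must be the FVRF (absent = global).
        match = _arg(ike_body, "match identity address")
        mvrf = (match.split() + [None])[2] if match else None
        if match and mvrf != fvrf:
            findings.append(f"crypto isakmp profile {ike}: match identity VRF {mvrf}, expected FVRF {fvrf}")
    # A static route pointing into a tunnel must live in that tunnel's IVRF.
    for h in blocks:
        m = re.fullmatch(r"ip route vrf (\S+) \S+ \S+ (Tunnel\d+)", h)
        if m:
            route_vrf, tunnel = m.groups()
            require(route_vrf, h)
            if tunnel in iface_vrf and iface_vrf[tunnel] != route_vrf:
                findings.append(f"{h}: {tunnel} is in VRF {iface_vrf[tunnel]}, not {route_vrf}")
    return findings

if __name__ == "__main__":
    for finding in check_fvrf_ivrf(R6_CONFIG):
        print(finding)
```

Run against the sample it reports two findings for the KLIENT route (undefined VRF, and a VRF that is not Tunnel1's IVRF); with KLIENT renamed to CLIENT it reports nothing, and changing "tunnel vrf INTERNET" to "tunnel vrf CLIENT" produces the three FVRF mismatches (source interface, keyring, match identity) that would otherwise only show up as an IKE session that never comes up.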
Let's test the tunnel: look at the SA counters, send five pings through the client VRF, and look at the counters again:
R6#sh crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 10.0.0.6
protected vrf: KLIENT
local ident (addr/mask/prot/port): (10.0.0.6/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.0.0.7/255.255.255.255/47/0)
current_peer 10.0.0.7 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.6, remote crypto endpt.: 10.0.0.7
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x20259C21(539335713)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x4F916E54(1334931028)
R6#
R6#ping vrf KLIENT 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/141/188 ms
R6#
R6#sh crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 10.0.0.6
protected vrf: KLIENT
local ident (addr/mask/prot/port): (10.0.0.6/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.0.0.7/255.255.255.255/47/0)
current_peer 10.0.0.7 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.6, remote crypto endpt.: 10.0.0.7
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x20259C21(539335713)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x4F916E54(1334931028)
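The two snapshots above prove the tunnel works because the encaps and decaps counters both grew by exactly the five echo packets, the SA protects IP protocol 47 (GRE) between the FVRF addresses, and no send or receive errors appeared. The following parser is an added example (not part of the original post) that automates that comparison; the snapshot text is the post's own output trimmed to the lines the check reads, and the VRF name KLIENT is what the author's router printed.

```python
import re

# Snapshot text is the post's own "show crypto ipsec sa" output, trimmed to the
# lines this check reads. BEFORE was taken before the ping, AFTER after it.
BEFORE = """\
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 10.0.0.6
   protected vrf: KLIENT
   local  ident (addr/mask/prot/port): (10.0.0.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.0.0.7/255.255.255.255/47/0)
   current_peer 10.0.0.7 port 500
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #send errors 0, #recv errors 0
"""
AFTER = BEFORE.replace(": 15", ": 20")  # only the packet counters changed after the ping

def parse_ipsec_sa(text):
    """Extract VRF, proxy identity, peer, packet counters and errors from one SA snapshot."""
    sa = {"counters": {}}
    m = re.search(r"protected vrf: (\S+)", text)
    sa["vrf"] = m.group(1) if m else None
    m = re.search(r"local\s+ident .*?\(([\d.]+)/[\d.]+/(\d+)/\d+\)", text)
    sa["local"], sa["proto"] = (m.group(1), int(m.group(2))) if m else (None, None)
    m = re.search(r"current_peer ([\d.]+)", text)
    sa["peer"] = m.group(1) if m else None
    for name, value in re.findall(r"#pkts (\w+): (\d+)", text):
        sa["counters"][name] = int(value)
    m = re.search(r"#send errors (\d+), #recv errors (\d+)", text)
    sa["send_errors"], sa["recv_errors"] = (int(m.group(1)), int(m.group(2))) if m else (None, None)
    return sa

def verify_tunnel(before, after, expected_pkts, expected_vrf):
    """Compare two snapshots; return the problems found, empty when the tunnel is healthy."""
    b, a = parse_ipsec_sa(before), parse_ipsec_sa(after)
    problems = []
    if a["vrf"] != expected_vrf:
        problems.append(f"protected vrf is {a['vrf']}, expected {expected_vrf}")
    if a["proto"] != 47:
        problems.append(f"SA protects IP protocol {a['proto']}, expected 47 (GRE)")
    # Both directions must have moved by the number of echo packets sent.
    for name in ("encaps", "decaps"):
        delta = a["counters"].get(name, 0) - b["counters"].get(name, 0)
        if delta != expected_pkts:
            problems.append(f"{name} grew by {delta}, expected {expected_pkts}")
    if a["send_errors"] or a["recv_errors"]:
        problems.append(f"send errors {a['send_errors']}, recv errors {a['recv_errors']}")
    return problems

if __name__ == "__main__":
    print(verify_tunnel(BEFORE, AFTER, expected_pkts=5, expected_vrf="KLIENT") or "tunnel OK")
```

A decaps counter that stays flat while encaps grows is the classic symptom of a one-way problem (the far side is not encrypting, or the return path is not in the FVRF), which the snapshot comparison makes visible without reading the full output by eye.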