Saturday, January 4, 2014

IPsec and GRE

Case

GRE over IPsec (also called IPsec over GRE, or a route-based tunnel) uses IPsec encryption together with GRE, so the encrypted path shows up as a logical interface that can carry routes and support designs such as DMVPN that are not possible with policy-based (crypto map) implementations. DMVPN uses the same concept, except that its GRE is mGRE (multipoint GRE).

Figure: IPsec GRE topology
R1 and R2 are connected over the Internet. There is a firewall in front of R2 protecting the network from Internet threats.

Template Configuration on Routers:
crypto isakmp policy 10
authentication pre-share
crypto isakmp key CISCO address 217.218.1.1
!
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
mode transport
crypto ipsec profile MyProfile
set transform-set MyTransSet
!
interface Tunnel0
ip address 10.254.25.4 255.255.255.254
tunnel source 81.12.50.1
tunnel destination 217.218.1.1
tunnel protection ipsec profile MyProfile


The firewall will first block UDP port 500 (ISAKMP) and then, once ISAKMP is accepted, the numerous ESP (IP protocol 50) packets that follow on the link. The first log entry is for ISAKMP (over UDP 500):

%PIX-2-106006: Deny inbound UDP from 81.12.50.1/500 to 217.218.1.1/500 on interface outside.

The second one is related to ESP packets:

%PIX-3-106010: Deny inbound protocol 50 src outside:81.12.50.1 dst inside:217.218.1.1 on interface outside

In order to permit the traffic through the firewall:

access-list outin permit udp host 81.12.50.1 eq 500 host 217.218.1.1 eq 500
access-list outin permit esp host 81.12.50.1 host 217.218.1.1
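As an added illustration (not from the original post), the Python below parses the two PIX deny messages quoted above into flows and evaluates them against the ACL the way the firewall does: first match wins, and an unmatched flow hits the implicit deny. Running it shows that both denies only clear once both ACL entries are in place. The ACL parser and port/protocol tables are my own and cover only the host/eq form and the isakmp name used on this page; the log lines are constructed from the messages quoted above.

```python
import re
# Constructed sample log lines, modelled on the two PIX deny messages quoted above.
PIX_LOGS = [
    "%PIX-2-106006: Deny inbound UDP from 81.12.50.1/500 to 217.218.1.1/500 on interface outside.",
    "%PIX-3-106010: Deny inbound protocol 50 src outside:81.12.50.1 dst inside:217.218.1.1 on interface outside",
]
# The firewall ACL from the post; both the short and the 'extended' spelling are accepted.
ACL = [
    "access-list outin extended permit udp host 81.12.50.1 eq isakmp host 217.218.1.1 eq isakmp",
    "access-list outin extended permit esp host 81.12.50.1 host 217.218.1.1",
]
PORT_NAMES = {"isakmp": "500"}                       # only the port name used on this page
PROTO_NUMS = {"50": "esp", "51": "ah", "47": "gre"}  # 106010 reports IP protocol numbers
RE_106006 = re.compile(r"%PIX-\d-106006: Deny inbound (\w+) from ([\d.]+)/(\d+) to ([\d.]+)/(\d+)")
RE_106010 = re.compile(r"%PIX-\d-106010: Deny inbound protocol (\d+) src \w+:([\d.]+) dst \w+:([\d.]+)")

def parse_deny(line):
    """Flow tuple (proto, src, sport, dst, dport) from a 106006/106010 deny, or None."""
    if m := RE_106006.match(line):
        proto, src, sport, dst, dport = m.groups()
        return (proto.lower(), src, int(sport), dst, int(dport))
    if m := RE_106010.match(line):
        num, src, dst = m.groups()
        return (PROTO_NUMS.get(num, num), src, None, dst, None)  # ESP/AH/GRE carry no ports

def parse_ace(text):
    """Parse 'access-list NAME [extended] permit PROTO host SRC [eq P] host DST [eq P]'."""
    tok = [t for t in text.split()[2:] if t != "extended"]
    ace = {"action": tok[0], "proto": tok[1], "src": tok[3], "sport": None, "dport": None}
    i = 4
    if tok[i] == "eq":
        ace["sport"], i = int(PORT_NAMES.get(tok[i + 1], tok[i + 1])), i + 2
    ace["dst"], i = tok[i + 1], i + 2                 # tok[i] is the 'host' keyword
    if i < len(tok) and tok[i] == "eq":
        ace["dport"] = int(PORT_NAMES.get(tok[i + 1], tok[i + 1]))
    return ace

def acl_permits(acl, flow):
    """First-match evaluation, ending in the implicit deny every ACL has."""
    proto, src, sport, dst, dport = flow
    for ace in map(parse_ace, acl):
        if ((ace["proto"], ace["src"], ace["dst"]) != (proto, src, dst)
                or ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport)):
            continue
        return ace["action"] == "permit"
    return False

def unresolved_denies(logs, acl):
    """Denied flows the ACL still would not permit, i.e. what is left to fix."""
    return [f for f in map(parse_deny, logs) if f and not acl_permits(acl, f)]
```

Feed it the firewall's deny log and the candidate ACL before pushing the change; an empty result means every logged deny for the tunnel is covered.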

R1#ping 10.254.25.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.254.25.5, timeout is 2 seconds:
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/137/312 ms

R1#show crypto isakmp sa
dst         src            state     conn-id slot status
81.12.50.1  217.218.1.1     QM_IDLE        1    0 ACTIVE

R1#show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 81.12.50.1 
   current_peer 217.218.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
    #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
    #pkts compressed: 0, #pkts decompressed: 0
     local crypto endpt.: 81.12.50.1, remote crypto endpt.: 217.218.1.1

Configurations

R1

version 12.4
hostname R1
ip cef

crypto isakmp policy 10
authentication pre-share
crypto isakmp key CISCO address 217.218.1.1

crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
mode transport

crypto ipsec profile MyProfile
set transform-set MyTransSet

interface Tunnel0
ip address 10.254.25.4 255.255.255.254
tunnel source 81.12.50.1
tunnel destination 217.218.1.1
tunnel protection ipsec profile MyProfile

interface FastEthernet0/0
ip address 81.12.50.1 255.255.255.0
duplex auto
speed auto

ip route 0.0.0.0 0.0.0.0 81.12.50.2

end

R2

version 12.4  
hostname R2
ip cef

crypto isakmp policy 10
authentication pre-share
crypto isakmp key CISCO address 81.12.50.1

crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
mode transport

crypto ipsec profile MyProfile
set transform-set MyTransSet

interface Tunnel0
ip address 10.254.25.5 255.255.255.254
tunnel source 217.218.1.1
tunnel destination 81.12.50.1
tunnel protection ipsec profile MyProfile

interface FastEthernet0/0
ip address 217.218.1.1 255.255.255.0
duplex auto
speed auto

ip route 0.0.0.0 0.0.0.0 217.218.1.2

end

FW1

PIX version 8.0(4)

hostname pixfirewall
names

interface Ethernet0
nameif outside
security-level 0
ip address 81.12.50.2 255.255.255.0

interface Ethernet1
nameif inside
security-level 100
ip address 217.218.1.2 255.255.255.0


access-list outin extended permit udp host 81.12.50.1 eq isakmp host 217.218.1.1 eq isakmp
access-list outin extended permit esp host 81.12.50.1 host 217.218.1.1
!
access-group outin in interface outside
!
: end

(shafagh.com)
