CISCO GENERIC ROUTING ENCAPSULATION

Generic routing encapsulation (GRE) is a tunneling protocol developed by Cisco Systems. It carries packets across an otherwise public network by encapsulating (tunneling) them between two tunnel endpoints, which gives the sites a private path over the shared infrastructure. GRE tunnels are built by tunnel endpoints that encapsulate and decapsulate the traffic, and GRE can carry a broad range of network-layer protocols inside virtual point-to-point or point-to-multipoint links over an Internet Protocol network.
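To make the encapsulation concrete, here is an added Python example (not from the original page and not Cisco code) that builds and parses a GRE header as defined in RFC 2784 and RFC 2890, wrapping a constructed IPv4 packet. The inner packet is carried byte-for-byte inside the GRE packet: GRE by itself adds framing, an optional key and an optional checksum, but no encryption or authentication, which is why the later sections of this page add IPsec. The helper names and the sample addresses are this example's own.

```python
import struct
from typing import Optional

# GRE header flag bits (first 16-bit word), per RFC 2784 and RFC 2890.
FLAG_CHECKSUM = 0x8000   # C: a checksum + reserved1 word follows the protocol type
FLAG_KEY = 0x2000        # K: a 32-bit key follows (the Cisco "tunnel key")
FLAG_SEQUENCE = 0x1000   # S: a 32-bit sequence number follows
VERSION_MASK = 0x0007    # version must be 0 for GRE
ETHERTYPE_IPV4 = 0x0800


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over data (zero-padded to a 16-bit boundary)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, protocol: int = ETHERTYPE_IPV4,
                    key: Optional[int] = None, seq: Optional[int] = None,
                    checksum: bool = True) -> bytes:
    """Prepend a GRE header to payload; the payload itself is copied unchanged."""
    flags = 0
    if checksum:
        flags |= FLAG_CHECKSUM
    if key is not None:
        flags |= FLAG_KEY
    if seq is not None:
        flags |= FLAG_SEQUENCE
    header = struct.pack("!HH", flags, protocol)
    if checksum:
        header += struct.pack("!HH", 0, 0)          # checksum placeholder + reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if seq is not None:
        header += struct.pack("!I", seq)
    packet = header + payload
    if checksum:
        csum = internet_checksum(packet)            # over header + payload with the field zeroed
        packet = packet[:4] + struct.pack("!HH", csum, 0) + packet[8:]
    return packet


def gre_decapsulate(packet: bytes) -> dict:
    """Parse a GRE packet, verify its checksum if present, and return the fields and payload."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack("!HH", packet[:4])
    if flags & VERSION_MASK:
        raise ValueError("unsupported GRE version")
    needed = 4 + 4 * sum(bool(flags & f) for f in (FLAG_CHECKSUM, FLAG_KEY, FLAG_SEQUENCE))
    if len(packet) < needed:
        raise ValueError("truncated GRE header")
    fields = {"protocol": protocol, "key": None, "seq": None}
    offset = 4
    if flags & FLAG_CHECKSUM:
        if internet_checksum(packet) != 0:          # a valid packet sums to zero
            raise ValueError("GRE checksum mismatch")
        offset += 4
    if flags & FLAG_KEY:
        fields["key"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_SEQUENCE:
        fields["seq"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    fields["payload"] = packet[offset:]
    return fields


def constructed_ipv4_packet(src: str, dst: str, payload: bytes) -> bytes:
    """A minimal IPv4 header (header checksum left zero) around payload, for demonstration only."""
    def to_bytes(ip: str) -> bytes:
        return bytes(int(o) for o in ip.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 1, 0,
                         to_bytes(src), to_bytes(dst))
    return header + payload


# Constructed sample: a spoke-to-spoke packet as it would enter tunnel 12 on the hub.
INNER = constructed_ipv4_packet("172.16.2.2", "172.16.3.3", b"constructed ICMP payload")
TUNNELED = gre_encapsulate(INNER, key=12, seq=1)

if __name__ == "__main__":
    info = gre_decapsulate(TUNNELED)
    print("GRE key", info["key"], "seq", info["seq"], "inner packet readable in transit:", INNER in TUNNELED)
```

Running it shows the inner packet is found verbatim inside the tunneled bytes; a transit network that can see the GRE packet can read the inner addresses and payload, and a flipped payload byte is only caught by the optional checksum, which is an integrity hint rather than a security control.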

The hub and spoke topology

The hub is a virtual network that serves as the central connection point to your on-premises network. The spokes are virtual networks that peer with the hub and are used to isolate workloads. Traffic flows between the nearby datacenter and the hub over an ExpressRoute or VPN gateway connection. Based on the topology diagram, apply the hub-and-spoke design with the commands below,

R1

    hostname R1
    int lo 0
    ip addr 172.16.1.1 255.255.255.0
    no shutdown
    int e0/0
    ip addr 10.0.14.1 255.255.255.0
    no shutdown
    router rip
    version 2
    no auto-summary
    net 10.0.14.0
    net 172.16.0.0

R1 and R2 establish the tunnel

    int tunnel 12
    ip addr 172.16.12.1 255.255.255.0
    tunnel source e0/0
    tunnel destination 10.0.24.2

R1 and R3 establish the tunnel

    int tunnel 13
    ip addr 172.16.13.1 255.255.255.0
    tunnel source e0/0
    tunnel destination 10.0.34.3

R1 pings R2 and R3 to test the tunnels

    do ping 172.16.12.2 source 172.16.12.1
    do ping 172.16.13.3 source 172.16.13.1

R2

    hostname R2
    int lo 0
    ip addr 172.16.2.2 255.255.255.0
    no shutdown
    int e0/0
    ip addr 10.0.24.2 255.255.255.0
    no shutdown
    router rip
    version 2
    no auto-summary
    net 10.0.24.0
    net 172.16.0.0

R2 establishes the tunnel to R1

    int tunnel 12
    ip addr 172.16.12.2 255.255.255.0
    tunnel source e0/0
    tunnel destination 10.0.14.1

R2 reaches R3 through the hub; the traceroute should show R1 in the path

    do ping 172.16.13.3 source 172.16.12.2
    exit
    traceroute 172.16.13.3 source 172.16.12.2

R3

    hostname R3
    int lo 0
    ip addr 172.16.3.3 255.255.255.0
    no shutdown
    int e0/0
    ip addr 10.0.34.3 255.255.255.0
    no shutdown
    router rip
    version 2
    no auto-summary
    net 10.0.34.0
    net 172.16.0.0

R3 establishes the tunnel to R1

    int tunnel 13
    ip addr 172.16.13.3 255.255.255.0
    tunnel source e0/0
    tunnel destination 10.0.14.1

R4 (the underlay router connecting the three sites)

    hostname R4
    int e0/0
    ip addr 10.0.14.4 255.255.255.0
    no shutdown
    int e0/1
    ip addr 10.0.24.4 255.255.255.0
    no shutdown
    int e0/2
    ip addr 10.0.34.4 255.255.255.0
    no shutdown
    router rip
    version 2
    no auto-summary
    net 10.0.24.0
    net 10.0.14.0
    net 10.0.34.0
    net 172.16.0.0

Routing Protocol

A routing protocol specifies how routers communicate to share reachability information, allowing a route to be chosen between any two nodes of a computer network. The "traffic directing" work on the Internet is done by routers: data packets are forwarded from router to router until they reach their destination device, and the exact route preference is determined by the routing algorithm. We now apply a routing protocol (EIGRP) across the tunnels in the design,

R1

    router eigrp 1
    net 172.16.12.0 0.0.0.255
    net 172.16.13.0 0.0.0.255
    net 172.16.1.0
    no auto-summary
    do show ip route eigrp 1
    do ping 172.16.2.2 source 172.16.1.1
    do ping 172.16.3.3 source 172.16.1.1

R2

    router eigrp 1
    net 172.16.12.0 0.0.0.255
    net 172.16.2.0
    no auto-summary
    do show ip route eigrp 1
    do traceroute 172.16.13.3 source 172.16.12.2

R3

    router eigrp 1
    net 172.16.13.0 0.0.0.255
    net 172.16.3.0
    no auto-summary

IPSec over GRE

In IPsec over GRE, branch traffic is carried through a GRE tunnel to the headquarters. The organization wants to protect the traffic between the headquarters and the branch, except multicast data. IPsec can be bound to the GRE tunnel interfaces (a virtual tunnel interface protected by an IPsec profile) so that the traffic between branch and headquarters is secured.

R1

    crypto isakmp policy 10
    authentication pre-share
    exit
    crypto isakmp key ccie address 10.0.24.2
    crypto isakmp key ccie address 10.0.34.3
    crypto ipsec transform-set TS esp-3des ah-sha-hmac
    exit
    crypto ipsec profile PF
    set transform-set TS
    exit
    int tunnel 12
    tunnel protection ipsec profile PF
    int tunnel 13
    tunnel protection ipsec profile PF

The hub protects both of its tunnels with the same profile; each spoke protects only its own tunnel to R1.

R2

    crypto isakmp policy 10
    authentication pre-share
    exit
    crypto isakmp key ccie address 10.0.14.1
    crypto isakmp key ccie address 10.0.34.3
    crypto ipsec transform-set TS esp-3des ah-sha-hmac
    exit
    crypto ipsec profile PF
    set transform-set TS
    exit
    int tunnel 12
    tunnel protection ipsec profile PF

R3

    exit
    crypto isakmp policy 10
    authentication pre-share
    exit
    crypto isakmp key ccie address 10.0.14.1
    crypto isakmp key ccie address 10.0.24.2
    crypto ipsec transform-set TS esp-3des ah-sha-hmac
    exit
    crypto ipsec profile PF
    set transform-set TS
    exit
    int tunnel 13
    tunnel protection ipsec profile PF

IPsec

Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets to provide secure communication between two computers over an IP network. It is widely used in virtual private networks (VPNs). IPsec includes protocols for establishing mutual authentication between the agents at the start of a session and for negotiating the cryptographic keys used during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). See the figure below; the following commands walk through the configuration step by step.

Configuration

R1

    hostname R1
    int e0/0
    ip addr 172.16.13.1 255.255.255.0
    no shutdown
    int e0/1
    ip addr 172.16.10.1 255.255.255.0
    no shutdown
    exit
    ip route 0.0.0.0 0.0.0.0 172.16.13.3
    do ping 172.16.23.2

R2

    hostname R2
    int e0/0
    ip addr 172.16.23.2 255.255.255.0
    no shutdown
    int e0/1
    ip addr 172.16.20.1 255.255.255.0
    no shutdown
    exit
    ip route 0.0.0.0 0.0.0.0 172.16.23.3

R3

    hostname R3
    int e0/0
    ip addr 172.16.13.3 255.255.255.0
    no shutdown
    int e0/1
    ip addr 172.16.23.3 255.255.255.0
    no shutdown

Defining Interesting Traffic Settings

R1

    ip access-list extended VPN-Traffic
    permit ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255

R2

    ip access-list extended VPN-Traffic
    permit ip 172.16.20.0 0.0.0.255 172.16.10.0 0.0.0.255

IKE Phase 1

IKE phase 1 runs in one of two modes, main mode or aggressive mode. The basic purpose of IKE phase 1 is to authenticate the IPsec peers and to set up a secure channel between them for the IKE exchanges. IKE phase 1 performs the following functions:

Authenticates and protects the identities of the IPsec peers.
Negotiates a matching IKE SA policy between the peers to protect the IKE exchange.
Performs an authenticated Diffie-Hellman exchange, with the end result that both peers hold matching shared secret keys.
Sets up a secure tunnel in which the IKE phase 2 parameters are negotiated.

R1

    crypto isakmp policy 1
    encryption aes
    hash md5
    authentication pre-share
    group 2
    lifetime 30000

R2

    crypto isakmp policy 1
    encryption aes
    hash md5
    authentication pre-share
    group 2
    lifetime 30000

IKE Phase 2

IKE phase 2 has one mode, called quick mode. Quick mode runs after IKE has established the secure tunnel in phase 1. The purpose of IKE phase 2 is to negotiate the IPsec SAs that set up the IPsec tunnel. IKE phase 2 performs the following functions:

Negotiates IPsec SA parameters, protected by the existing IKE SA.
Establishes the IPsec security associations.
Periodically renegotiates the IPsec SAs to maintain security.
Optionally performs an additional Diffie-Hellman exchange.
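The following added Python example (not from the page, and a model of the RFC 2409 derivation rather than Cisco's implementation) walks through the phase 1 key material for pre-shared-key authentication with the lab's `group 2`, the 1024-bit MODP Diffie-Hellman group. Both peers perform the Diffie-Hellman exchange, derive SKEYID from the pre-shared key and the two nonces, and the responder checks the initiator's HASH_I. With matching pre-shared keys the derived SKEYID_d, SKEYID_a and SKEYID_e agree on both sides; with mismatched keys HASH_I fails, which is exactly what a mistyped `crypto isakmp key` produces. The prf is HMAC-SHA-1 here (the lab's `hash md5` would select HMAC-MD5), the group prime is transcribed from RFC 2409 and can be sanity-checked with the included Miller-Rabin test, and the payload contents and function names are this example's assumptions.

```python
import hashlib
import hmac
import secrets

# Oakley group 2 (RFC 2409, section 6.2): the 1024-bit MODP prime with generator 2,
# i.e. what "group 2" in the isakmp policy above selects. Transcribed from the RFC.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
GROUP2_BYTES = 128


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test, used to sanity-check the transcribed group prime."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(GROUP2_P - 2) + 1
    return x, pow(GROUP2_G, x, GROUP2_P)


def dh_shared_secret(x: int, peer_public: int) -> bytes:
    """g^xy mod p as a fixed-width big-endian byte string, rejecting degenerate peer values."""
    if not 1 < peer_public < GROUP2_P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_public, x, GROUP2_P).to_bytes(GROUP2_BYTES, "big")


def phase1_psk_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """RFC 2409 section 5: SKEYID for pre-shared-key authentication and its three derived keys."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")              # seeds the phase 2 (IPsec) keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")   # integrity of IKE messages
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")   # encryption of IKE messages
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def hash_i(skeyid: bytes, gxi: bytes, gxr: bytes, cky_i: bytes, cky_r: bytes, sa_i: bytes, id_i: bytes) -> bytes:
    """HASH_I, the initiator's authenticator (RFC 2409 section 5)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sa_i + id_i)


def simulate_phase1(psk_initiator: bytes, psk_responder: bytes):
    """Run the key derivation on both peers and report whether the responder accepts HASH_I."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)      # ISAKMP cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)          # nonces
    sa_i, id_i = b"SA payload (constructed)", b"ID payload (constructed)"
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxi_b, gxr_b = gxi.to_bytes(GROUP2_BYTES, "big"), gxr.to_bytes(GROUP2_BYTES, "big")
    # Each side derives g^xy from its own exponent and the peer's public value.
    keys_i = phase1_psk_keys(psk_initiator, ni, nr, dh_shared_secret(xi, gxr), cky_i, cky_r)
    keys_r = phase1_psk_keys(psk_responder, ni, nr, dh_shared_secret(xr, gxi), cky_i, cky_r)
    sent = hash_i(keys_i["SKEYID"], gxi_b, gxr_b, cky_i, cky_r, sa_i, id_i)
    expected = hash_i(keys_r["SKEYID"], gxi_b, gxr_b, cky_i, cky_r, sa_i, id_i)
    return keys_i, keys_r, hmac.compare_digest(sent, expected)


if __name__ == "__main__":
    print("group prime is probable prime:", is_probable_prime(GROUP2_P))
    _, _, ok = simulate_phase1(b"ccie", b"ccie")
    print("matching PSK authenticates:", ok)
    _, _, ok = simulate_phase1(b"ccie", b"wrong")
    print("mismatched PSK authenticates:", ok)
```

Note that the pre-shared key never crosses the wire: it only keys the prf that produces SKEYID, so a peer with the wrong key ends up with a different SKEYID and a HASH_I the other side cannot reproduce.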

R1

    exit
    crypto ipsec transform-set TS esp-3des ah-sha-hmac

R2

    exit
    crypto ipsec transform-set TS esp-3des ah-sha-hmac

Pre-share Key Settings

R1

    crypto isakmp key ccie address 172.16.23.2

R2

    crypto isakmp key ccie address 172.16.13.1

Define The Crypto Map

R1

    crypto map CMAP 1 ipsec-isakmp
    set peer 172.16.23.2
    set transform-set TS
    match address VPN-Traffic
    exit
    int e0/0
    crypto map CMAP

Ping test

    do ping 172.16.20.1 source 172.16.10.1

R2

    crypto map CMAP 1 ipsec-isakmp
    set peer 172.16.13.1
    set transform-set TS
    match address VPN-Traffic
    exit
    int e0/0
    crypto map CMAP
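A practical way to catch the slips that creep into multi-router labs (a duplicated underlay address, a tunnel destination that no router owns, a crypto ACL that is not the mirror image of the peer's) is to model the intended configuration and check it before pasting it into the routers. The following added Python example, which is not part of the page and not a Cisco tool, does that for the hub-and-spoke GRE tunnels configured earlier and for the R1/R2 crypto map just above; the router model, its field names and the checks are this example's own assumptions.

```python
import copy
import ipaddress
from typing import Dict, List

# Constructed model of the hub-and-spoke lab: R1 is the hub, R2/R3 are spokes, R4 is the underlay.
# "ifaces" maps interface -> address/prefix; "tunnels" maps tunnel -> (source interface, destination).
HUB_SPOKE: Dict[str, dict] = {
    "R1": {"ifaces": {"lo0": "172.16.1.1/24", "e0/0": "10.0.14.1/24",
                      "tu12": "172.16.12.1/24", "tu13": "172.16.13.1/24"},
           "tunnels": {"tu12": ("e0/0", "10.0.24.2"), "tu13": ("e0/0", "10.0.34.3")}},
    "R2": {"ifaces": {"lo0": "172.16.2.2/24", "e0/0": "10.0.24.2/24", "tu12": "172.16.12.2/24"},
           "tunnels": {"tu12": ("e0/0", "10.0.14.1")}},
    "R3": {"ifaces": {"lo0": "172.16.3.3/24", "e0/0": "10.0.34.3/24", "tu13": "172.16.13.3/24"},
           "tunnels": {"tu13": ("e0/0", "10.0.14.1")}},
    "R4": {"ifaces": {"e0/0": "10.0.14.4/24", "e0/1": "10.0.24.4/24", "e0/2": "10.0.34.4/24"},
           "tunnels": {}},
}

# Constructed model of the R1 <-> R2 crypto map (VPN-Traffic ACL, transform set TS).
# "acl" entries are (source, source wildcard, destination, destination wildcard).
CRYPTO_MAPS: Dict[str, dict] = {
    "R1": {"local": "172.16.13.1", "peer": "172.16.23.2", "transform": "esp-3des ah-sha-hmac",
           "acl": [("172.16.10.0", "0.0.0.255", "172.16.20.0", "0.0.0.255")]},
    "R2": {"local": "172.16.23.2", "peer": "172.16.13.1", "transform": "esp-3des ah-sha-hmac",
           "acl": [("172.16.20.0", "0.0.0.255", "172.16.10.0", "0.0.0.255")]},
}


def address_index(routers: Dict[str, dict]) -> Dict[str, list]:
    """Map each configured address to the (router, interface) pairs that carry it."""
    index: Dict[str, list] = {}
    for name, r in routers.items():
        for ifname, cidr in r["ifaces"].items():
            index.setdefault(str(ipaddress.ip_interface(cidr).ip), []).append((name, ifname))
    return index


def check_tunnels(routers: Dict[str, dict]) -> List[str]:
    """Report duplicate addresses and GRE tunnels whose two ends do not point at each other."""
    problems: List[str] = []
    index = address_index(routers)
    for addr, owners in index.items():
        if len(owners) > 1:
            problems.append(f"duplicate address {addr} on {owners}")
    for name, r in routers.items():
        for tun, (src_if, dst) in r["tunnels"].items():
            src = str(ipaddress.ip_interface(r["ifaces"][src_if]).ip)
            owners = index.get(dst, [])
            if not owners:
                problems.append(f"{name} {tun}: destination {dst} is not configured on any router")
                continue
            peer, peer_if = owners[0]
            # the peer must have a tunnel sourced from the interface owning `dst` and aimed back at `src`
            back = [t for t, (pif, pdst) in routers[peer]["tunnels"].items() if pif == peer_if and pdst == src]
            if not back:
                problems.append(f"{name} {tun}: {peer} has no tunnel back to {src}")
                continue
            local = ipaddress.ip_interface(r["ifaces"][tun])
            remote = ipaddress.ip_interface(routers[peer]["ifaces"][back[0]])
            if local.network != remote.network:
                problems.append(f"{name} {tun} ({local}) and {peer} {back[0]} ({remote}) are not on one subnet")
    return problems


def check_crypto_maps(maps: Dict[str, dict]) -> List[str]:
    """Report crypto maps whose peer, transform set or interesting-traffic ACL do not mirror the other side."""
    problems: List[str] = []
    by_local = {m["local"]: n for n, m in maps.items()}
    for name, m in maps.items():
        peer = by_local.get(m["peer"])
        if peer is None:
            problems.append(f"{name}: peer {m['peer']} is not a crypto endpoint in the model")
            continue
        pm = maps[peer]
        if pm["peer"] != m["local"]:
            problems.append(f"{name}: {peer} sets peer {pm['peer']}, expected {m['local']}")
        if pm["transform"] != m["transform"]:
            problems.append(f"{name}/{peer}: transform sets differ")
        mirrored = {(d, dw, s, sw) for (s, sw, d, dw) in pm["acl"]}
        if set(m["acl"]) != mirrored:
            problems.append(f"{name}: crypto ACL is not the mirror image of {peer}'s")
    return problems


def with_interface(routers: Dict[str, dict], router: str, iface: str, cidr: str) -> Dict[str, dict]:
    """Copy of the model with one interface address changed (used to reproduce a typo)."""
    changed = copy.deepcopy(routers)
    changed[router]["ifaces"][iface] = cidr
    return changed


def with_tunnel(routers: Dict[str, dict], router: str, tun: str, src_if: str, dst: str) -> Dict[str, dict]:
    """Copy of the model with one tunnel's source interface / destination changed."""
    changed = copy.deepcopy(routers)
    changed[router]["tunnels"][tun] = (src_if, dst)
    return changed


if __name__ == "__main__":
    for p in check_tunnels(HUB_SPOKE) + check_crypto_maps(CRYPTO_MAPS):
        print("PROBLEM:", p)
    # a typo of the kind that breaks labs: R4 e0/1 given R2's own address
    print(check_tunnels(with_interface(HUB_SPOKE, "R4", "e0/1", "10.0.24.2/24")))
```

The clean model produces no findings; the two helper functions let you replay a single wrong line and see which check would have flagged it before any router was touched.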

GRE OVER IPSEC VS IPSEC OVER GRE

GRE over IPSec Settings

Configuring a partial-mesh topology in a point-to-point GRE over IPsec design requires static public IP addresses for the branch routers that peer with each other. We now apply GRE over IPsec: follow the topology diagram and the commands below,

R1

    hostname R1
    int lo 0
    ip addr 1.1.1.1 255.255.255.0
    no shutdown
    int e0/0
    ip addr 172.16.13.1 255.255.255.0
    no shutdown
    exit
    ip route 172.16.23.0 255.255.255.0 172.16.13.3
    do ping 172.16.23.2 source 172.16.13.1

Defining Interesting Traffic Settings

    ip access-list extended IPSEC_TUNNEL
    permit ip host 172.16.13.1 host 172.16.23.2

Configure IPSec

    crypto isakmp key ccie address 172.16.23.2
    crypto isakmp policy 10
    encryption aes
    authentication pre-share
    group 2
    exit
    crypto ipsec transform-set TS esp-3des
    exit
    crypto map GRE_OVER_IPSEC 10 ipsec-isakmp
    set peer 172.16.23.2
    set transform-set TS
    match address IPSEC_TUNNEL

Apply the Crypto Map to the Interface

    int e0/0
    crypto map GRE_OVER_IPSEC

GRE Tunnel Settings

    int tunnel 0
    ip addr 172.16.12.1 255.255.255.0
    tunnel source e0/0
    tunnel destination 172.16.23.2

Ping Test

    do ping 172.16.12.2 source 172.16.12.1
    do show crypto ipsec sa

Routing Protocol Configuration

    router eigrp 1
    no auto-summary
    net 172.16.12.0 0.0.0.255
    net 1.1.1.0 0.0.0.255

View Neighbor

    do show ip eigrp neighbor
    do ping 2.2.2.2 source 1.1.1.1

R2

    hostname R2
    int lo 0
    ip addr 2.2.2.2 255.255.255.0
    no shutdown
    int e0/0
    ip addr 172.16.23.2 255.255.255.0
    no shutdown
    exit
    ip route 172.16.13.0 255.255.255.0 172.16.23.3

Defining Interesting Traffic Settings

    ip access-list extended IPSEC_TUNNEL
    permit ip host 172.16.23.2 host 172.16.13.1

Configure IPSec

    crypto isakmp key ccie address 172.16.13.1
    crypto isakmp policy 10
    encryption aes
    authentication pre-share
    group 2
    exit
    crypto ipsec transform-set TS esp-3des
    exit
    crypto map GRE_OVER_IPSEC 10 ipsec-isakmp
    set peer 172.16.13.1
    set transform-set TS
    match address IPSEC_TUNNEL

Apply the Crypto Map to the Interface

    int e0/0
    crypto map GRE_OVER_IPSEC

GRE Tunnel Settings

    int tunnel 0
    ip addr 172.16.12.2 255.255.255.0
    tunnel source e0/0
    tunnel destination 172.16.13.1

Routing Protocol Configuration

    router eigrp 1
    no auto-summary
    net 172.16.12.0 0.0.0.255
    net 2.2.2.0 0.0.0.255

R3

    hostname R3
    int e0/0
    ip addr 172.16.13.3 255.255.255.0
    no shutdown
    int e0/1
    ip addr 172.16.23.3 255.255.255.0
    no shutdown

IPsec GRE Settings

A service provider may offer VPN service across its IP backbone using the IPsec-to-GRE model, with both VPN customer sites terminating on that model. In this sense the traffic is doubly encapsulated: IPsec covers the GRE packet. The customer's prefixes are carried from the central VPN location to the customer's head-end router at the other end of the GRE tunnel, and the IPsec-protected GRE packets cross the service provider's IP backbone as secured traffic. With this definition in mind, apply the simple topology in the diagram below using the following commands,

R4

    hostname R4
    int lo 0
    ip addr 1.1.1.1 255.255.255.0
    no shutdown
    int e0/0
    ip addr 172.16.13.1 255.255.255.0
    no shutdown
    exit
    ip route 172.16.23.0 255.255.255.0 172.16.13.3

GRE Tunnel Settings

    int tunnel 0
    ip addr 172.16.12.1 255.255.255.0
    no shutdown
    tunnel source e0/0
    tunnel destination 172.16.23.2
    do ping 172.16.12.2 source 172.16.12.1

Routing Protocol Configuration

    router eigrp 1
    no auto-summary
    net 172.16.12.0 0.0.0.255
    net 1.1.1.0 0.0.0.255
    do show ip eigrp neighbor
    do ping 2.2.2.2 source 1.1.1.1

Defining Interesting Traffic Settings

    ip access-list extended IPSEC_TUNNEL
    permit ip host 1.1.1.1 host 2.2.2.2

Configure IPSec

    crypto isakmp key ccie address 172.16.12.2
    crypto isakmp policy 10
    encryption aes
    authentication pre-share
    group 2
    exit
    crypto ipsec transform-set TS esp-3des
    exit
    crypto map IPSEC_OVER_GRE 10 ipsec-isakmp
    set peer 172.16.12.2
    set transform-set TS
    match address IPSEC_TUNNEL

Apply the Crypto Map to the Tunnel Interface

    int tunnel 0
    crypto map IPSEC_OVER_GRE
    do ping 2.2.2.2 source 1.1.1.1
    do show crypto ipsec sa

R5

    hostname R5
    int lo 0
    ip addr 2.2.2.2 255.255.255.0
    no shutdown
    int e0/0
    ip addr 172.16.23.2 255.255.255.0
    no shutdown
    exit
    ip route 172.16.13.0 255.255.255.0 172.16.23.3

GRE Tunnel Settings

    int tunnel 0
    ip addr 172.16.12.2 255.255.255.0
    no shutdown
    tunnel source e0/0
    tunnel destination 172.16.13.1

Routing Protocol Configuration

    router eigrp 1
    no auto-summary
    net 172.16.12.0 0.0.0.255
    net 2.2.2.0 0.0.0.255

Defining Interesting Traffic Settings

    ip access-list extended IPSEC_TUNNEL
    permit ip host 2.2.2.2 host 1.1.1.1

Configure IPSec

    crypto isakmp key ccie address 172.16.12.1
    crypto isakmp policy 10
    encryption aes
    authentication pre-share
    group 2
    exit
    crypto ipsec transform-set TS esp-3des
    exit
    crypto map IPSEC_OVER_GRE 10 ipsec-isakmp
    set peer 172.16.12.1
    set transform-set TS
    match address IPSEC_TUNNEL

Apply the Crypto Map to the Tunnel Interface

    int tunnel 0
    crypto map IPSEC_OVER_GRE

R6

    hostname R6
    int e0/0
    ip addr 172.16.13.3 255.255.255.0
    no shutdown
    int e0/1
    ip addr 172.16.23.3 255.255.255.0
    no shutdown
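The order in which the crypto map and the GRE tunnel see a packet decides what crosses the provider network in cleartext. The added Python model below (not from the page, and a model rather than IOS forwarding code) applies the two placements used in the last two sections: the crypto map on the physical interface e0/0 with the ACL matching the underlay endpoints (GRE over IPsec), and the crypto map on tunnel 0 with the ACL matching the loopbacks (IPsec over GRE). For user traffic and for an EIGRP hello it reports the header stack a transit router sees and whether the original packet is encrypted; the `on_the_wire` function, the mode names and the constructed flows are this example's assumptions.

```python
import ipaddress
from typing import List, Tuple

AclEntry = Tuple[str, str, str, str]   # (source, source wildcard, destination, destination wildcard)

# Constructed from the labs above: underlay endpoints (e0/0 each side) and the GRE tunnel endpoints.
UNDERLAY = ("172.16.13.1", "172.16.23.2")
TUNNEL = ("172.16.12.1", "172.16.12.2")
# "permit ip host 172.16.13.1 host 172.16.23.2", crypto map GRE_OVER_IPSEC applied on e0/0
ACL_GRE_OVER_IPSEC: List[AclEntry] = [("172.16.13.1", "0.0.0.0", "172.16.23.2", "0.0.0.0")]
# "permit ip host 1.1.1.1 host 2.2.2.2", crypto map IPSEC_OVER_GRE applied on tunnel 0
ACL_IPSEC_OVER_GRE: List[AclEntry] = [("1.1.1.1", "0.0.0.0", "2.2.2.2", "0.0.0.0")]

# Constructed flows: user traffic between the loopbacks, and an EIGRP hello sent into the tunnel.
FLOWS = [("user data", "1.1.1.1", "2.2.2.2"), ("EIGRP hello", "172.16.12.1", "224.0.0.10")]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the mask means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """True if any entry of the crypto ACL selects the src/dst pair as interesting traffic."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw) for s, sw, d, dw in acl)


def on_the_wire(mode: str, src: str, dst: str, acl: List[AclEntry]) -> Tuple[List[str], bool]:
    """Header stack (outermost first) seen by a transit router, and whether the original packet is encrypted."""
    inner = f"IP {src}->{dst}"
    underlay = f"IP {UNDERLAY[0]}->{UNDERLAY[1]}"
    if mode == "gre-over-ipsec":
        # Tunnel 0 adds GRE first; the crypto map on e0/0 then matches the GRE packet's outer addresses,
        # so everything that entered the tunnel is protected, routing-protocol multicast included.
        if acl_permits(acl, UNDERLAY[0], UNDERLAY[1]):
            return [underlay, "ESP", "GRE", inner], True
        return [underlay, "GRE", inner], False
    if mode == "ipsec-over-gre":
        # The crypto map on tunnel 0 matches the original packet; only ACL hits get ESP (tunnel mode,
        # between the tunnel addresses), and the result is GRE-encapsulated afterwards.
        if acl_permits(acl, src, dst):
            return [underlay, "GRE", f"IP {TUNNEL[0]}->{TUNNEL[1]}", "ESP", inner], True
        return [underlay, "GRE", inner], False
    raise ValueError(f"unknown mode {mode!r}")


def cleartext_flows(mode: str, acl: List[AclEntry]) -> List[str]:
    """Names of the constructed flows whose original packet crosses the provider network unencrypted."""
    return [name for name, s, d in FLOWS if not on_the_wire(mode, s, d, acl)[1]]


if __name__ == "__main__":
    for mode, acl in (("gre-over-ipsec", ACL_GRE_OVER_IPSEC), ("ipsec-over-gre", ACL_IPSEC_OVER_GRE)):
        for name, s, d in FLOWS:
            stack, enc = on_the_wire(mode, s, d, acl)
            print(f"{mode:15} {name:12} encrypted={str(enc):5} {' | '.join(stack)}")
```

The output matches the page's description: with the crypto map on the physical interface every packet that entered the tunnel is inside ESP, while with the crypto map on the tunnel interface only the loopback-to-loopback traffic selected by IPSEC_TUNNEL is encrypted and the EIGRP hellos travel over the GRE tunnel in cleartext, which is the "except multicast data" behaviour described in the IPsec over GRE section.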