
Generic Routing Encapsulation (GRE)

GRE is an OSI Layer 3 tunneling protocol:
• Encapsulates a wide variety of protocol packet types inside IP tunnels
• Creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork
• Uses IP for transport
• Uses an additional header to support any other OSI Layer 3 protocol as payload (for example, IP, IPX, AppleTalk)

GRE over IPsec Encapsulation

• GRE encapsulates an arbitrary payload.
• IPsec encapsulates the unicast IP packet (GRE):
  – Tunnel mode (default): IPsec creates a new tunnel IP packet
  – Transport mode: IPsec reuses the IP header of the GRE packet (20 bytes less overhead than tunnel mode)


Module 3 – Lesson 4

Configuring IPsec VPN using SDM

Configuring GRE over IPsec Site-to-Site Tunnel Using SDM

[Figure: SDM wizard screenshot with numbered callouts 1–6; not reproduced in the transcript.]

IKE Proposals

You can now use a predefined IKE policy, or click the Add button and enter the required information to create a custom IKE policy.

You can also modify the existing policies by selecting an individual policy and clicking the Edit button.

When adding or editing an IKE policy, define the required parameters that appear in the Add IKE Policy window:

– IKE proposal priority
– Encryption algorithm (most commonly 3DES or AES; Software Encryption Algorithm [SEAL] can also be used to improve crypto performance on routers that do not have hardware IPsec accelerators; DES is no longer advised)
– HMAC (SHA-1 or MD5)
– Authentication method (pre-shared key or digital certificates)
– DH group (1, 2, or 5)
– IKE lifetime

When you finish adding or editing IKE proposals, click the Next button on the IKE Proposals window to proceed to the next task.

IKE Proposals

[Figure: SDM IKE Proposals window; screenshot not reproduced in the transcript.]

Creating a Custom IKE Policy

Define all IKE policy parameters:
– Priority
– Encryption algorithm: DES, 3DES, or AES
– HMAC: SHA-1 or MD5
– Authentication method: preshared secrets or digital certificates
– Diffie-Hellman group: 1, 2, or 5
– IKE lifetime
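Each parameter on the IKE policy slides, and the transport-mode transform set from the GRE over IPsec encapsulation slide, maps onto a Cisco IOS CLI command. The following is an added example, not configuration from the course or generated by SDM, showing one end of a GRE over IPsec site-to-site tunnel with a custom IKE policy that follows the slide's recommendations (AES and SHA-1 rather than DES and MD5, pre-shared key authentication, DH group 5). All addresses, interface and policy names, and the pre-shared key are constructed placeholders.

```cisco
! Added example (not from the course): one end of a GRE over IPsec tunnel.
! Addresses, names and the pre-shared key are constructed placeholders.
!
! ----- IKE (ISAKMP) policy: the parameters from "Creating a Custom IKE Policy" -----
! 10 is the policy priority (lower number = tried first).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
!
! The weak equivalent the IKE Proposals slide advises against would read:
!   encryption des
!   hash md5
!   group 1
!
! Pre-shared key for the remote peer; replace PLACEHOLDER_PSK with a strong key.
crypto isakmp key PLACEHOLDER_PSK address 198.51.100.1
!
! ----- IPsec transform set in transport mode -----
! Transport mode reuses the GRE packet's IP header (20 bytes less overhead
! than the default tunnel mode).
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! ----- GRE tunnel interface protected by the IPsec profile -----
! tunnel source / destination are the public addresses of the two routers;
! the destination is the IKE peer whose key is defined above.
interface Tunnel0
 description GRE over IPsec to remote site
 ip address 172.16.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT
```

The remote router mirrors this with the source and destination addresses swapped and the matching key. Binding IPsec to the tunnel with `tunnel protection` is one of two equivalent IOS forms; a crypto map applied to the physical interface with an ACL matching GRE traffic between the two public addresses achieves the same result. Once both ends are up, the commands on the testing slides (`show crypto isakmp sa`, `show crypto ipsec sa`, `show interfaces`) confirm an IKE SA in QM_IDLE and non-zero encrypt/decrypt counters.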

VPN Configuration Page

[Figure: SDM VPN configuration page with callouts 1–3; not reproduced in the transcript.]
• Wizards for IPsec solutions
• Individual IPsec components

Configuring the Transform Set

[Figure: SDM transform set screenshot with callouts 1–3; not reproduced in the transcript.]

Test Tunnel Configuration and Operation

[Figure: SDM tunnel test screenshot with callouts 1–6; not reproduced in the transcript.]

Test Results

[Figure: SDM test results screenshot with callout 7; not reproduced in the transcript.]

Testing and Monitoring GRE Tunnel Configuration

router# show crypto isakmp sa

To display all current IKE SAs, use the show crypto isakmp sa command in EXEC mode. A QM_IDLE status indicates an active IKE SA.

router# show crypto ipsec sa

To display the settings used by current SAs, use the show crypto ipsec sa command in EXEC mode. Non-zero encryption and decryption statistics can indicate a working set of IPsec SAs.

router# show interfaces

Use the show interfaces command to display statistics for all interfaces that are configured on the router, including the tunnel interfaces.

Troubleshooting GRE Tunnel Configuration

router# debug crypto isakmp

• Debugs IKE communication

• Advanced troubleshooting can be performed using the Cisco IOS CLI

• Troubleshooting requires knowledge of Cisco IOS CLI commands


Module 3 – Lesson 7

An Introduction to Cisco Easy VPN

Small or Medium Business Deployment

[Figure: Easy VPN deployment topology; diagram not reproduced in the transcript. Labels:]
• Mobile worker with VPN software client on laptop
• Teleworker with DSL or cable modem and Cisco 806 or uBR900 with Easy VPN Remote support
• Nontechnical users can use the CRWS GUI to set up Easy VPNs
• Internet
• Remote office with Cisco 800 or Cisco 1700 series router with Easy VPN Remote support
• Company main site: Cisco 1700, Cisco 2600 or Cisco 3600 series router with support to terminate Cisco VPN clients
• VPN tunnels

Easy VPN Server and Easy VPN Remote Operation

Step 1: The VPN client initiates the IKE Phase 1 process
Step 2: The VPN client establishes an ISAKMP SA
Step 3: The Easy VPN Server accepts the SA proposal
Step 4: The Easy VPN Server initiates a username and password challenge
Step 5: The mode configuration process is initiated
Step 6: The RRI process is initiated
Step 7: IPsec quick mode completes the connection

© 2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod9_L8 27

Module 3 – Lesson 9

Implementing the Cisco VPN Client


Cisco VPN Client Configuration Tasks

1. Install Cisco VPN Client

2. Create a new client connection entry

3. Configure the client authentication properties

4. Configure transparent tunneling

5. Enable and add backup servers

6. Configure a connection to the Internet through dialup networking

Create a New Client Connection Entry—Main Window (Task 2)

[Figure: VPN Client main window with callouts 1–2; not reproduced in the transcript.]

DPD Configuration Example

The router first tries the primary peer.

If the primary peer is not available or becomes unavailable (detected by DPD failure detection), the router tries the backup peers in the order listed in the crypto map.

HSRP for Default Gateway at Remote Site

All remote devices use the HSRP virtual IP address as the default gateway.

The backup router is used only when the primary router is down.

HSRP for Head-End IPsec Routers

Remote sites peer with the HSRP virtual IP address of the head-end.

RRI or HSRP can be used on the inside interface to ensure a proper return path.
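The DPD slide (backup peers tried in crypto-map order) and this slide (remote sites peering with the head-end's HSRP virtual address, RRI for the return path) describe the two sides of one high-availability design. The following is an added example, not configuration from the course, putting both sides together in Cisco IOS CLI: a remote-site router with DPD keepalives and an ordered peer list, and a head-end router whose crypto map is bound to its HSRP group and uses reverse-route injection. Addresses, names and the secondary head-end are constructed placeholders; a matching IKE policy and pre-shared keys for each peer pair are assumed to be configured as on the IKE policy slides.

```cisco
! Added example (not from the course): DPD with backup peers at the remote site,
! HSRP plus RRI at the head-end. All addresses and names are constructed placeholders.
! An IKE policy and the pre-shared keys for each peer are assumed to exist already.
!
! ===== Remote-site router =====
! Dead Peer Detection: send an IKE keepalive every 10 s; after 3 missed
! retries the current peer is declared dead and the next listed peer is tried.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set SITE-TS esp-aes esp-sha-hmac
!
! Traffic to protect: remote-site LAN to company main-site LAN.
ip access-list extended VPN-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Peers are tried in the order listed: first the head-end HSRP virtual
! address, then a secondary head-end.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set peer 203.0.113.1
 set transform-set SITE-TS
 match address VPN-ACL
!
interface Serial0/0
 description Remote-site WAN link
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN-MAP
!
! ===== Head-end router A =====
! Router B is configured identically except for its own real interface
! address and a lower standby priority.
crypto ipsec transform-set SITE-TS esp-aes esp-sha-hmac
!
! HSRP on the outside interface; remote sites peer with the virtual address
! 198.51.100.1. The crypto map is bound to the HSRP group so IPsec follows
! whichever router is active.
interface GigabitEthernet0/0
 description Outside interface
 ip address 198.51.100.2 255.255.255.0
 standby 1 ip 198.51.100.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPN-HA
 crypto map HE-MAP redundancy VPN-HA
!
! reverse-route (RRI) injects a static route to the remote subnet on the
! active router, so inside hosts' return traffic reaches the right box.
! Redistribute these statics into the inside IGP as appropriate.
crypto map HE-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set SITE-TS
 match address HE-ACL
 reverse-route
!
ip access-list extended HE-ACL
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
```

Without DPD, a remote router would keep an SA to a dead peer until the IKE lifetime expired and never move to the backup peer; without the `redundancy` binding, the standby head-end would have no IPsec state for the virtual address when it takes over. As the slide notes, HSRP on the inside interface is the alternative to RRI for the return path.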

Using an IPsec VPN to Back Up a WAN Connection

• IGP used to detect PVC failures
• Reroute to GRE over IPsec tunnel

[Figure: Example Using GRE over IPsec; diagram not reproduced in the transcript.]