Cisco: GRE Tunnel + NAT + IPsec

Introduction

GRE (Generic Routing Encapsulation) is said to be one of network engineers' favorite tools because it is so simple to set up. Since GRE itself provides no encryption, it is often paired with IPsec to protect the tunneled data.

In this post, we will build a GRE over IPsec tunnel in 3 steps:

  1. Create a simple GRE tunnel, which does not provide any encryption.
  2. Add NAT (Network Address Translation) for the hosts behind the Cisco routers.
  3. Add IPsec encryption to secure the tunnel.

Network Diagram

You may find the diagram a bit hard to read, because we don't use lab IPs like 1.1.1.1 or 2.2.2.2 as most network tutorials do.

We use a real-world network setup in these articles, which includes a cloud device (Cisco CSR1000V) and an on-premise Cisco router.

IP Parameters

IP Info                                   Left side (Sydney)                 Right side (France)
----------------------------------------  ---------------------------------  ----------------------------------
VPN device/software                       Cisco CSR1000V                     Cisco C931-4P
VPN GW IP                                 13.236.166.176                     31.xxx.xxx.48
GRE tunnel interface IP                   172.16.0.1/24                      172.16.0.1/24
GRE source/destination address            10.10.1.100 / 31.xxx.xxx.48        31.xxx.xxx.48 / 13.236.166.176
Encryption domain (VPN host or subnet)    3.6.74.40 (NAT to 10.10.0.161)     31.xxx.xxx.89 (NAT to 192.168.1.2)

Create a simple GRE tunnel

Below are the configurations applied on both routers.

Creating a GRE tunnel is really simple: use "ip address" to give the tunnel interface a virtual IP that is not used anywhere else in the network.

We use the virtual subnet 172.16.0.0/24 for the tunnel interfaces. R1 and R2 are in the same virtual subnet, so as soon as the tunnel is up they can talk to each other.

"tunnel source" can take either the name of the outgoing network interface, e.g. "tunnel source GigabitEthernet0", or the IP address of that interface.

Below is the configuration applied on the left-side router.

R1(config)# interface Tunnel0
R1(config-if)# ip address 172.16.0.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source 10.10.1.100
R1(config-if)# tunnel destination 31.xxx.xxx.48

R1(config)# ip route 192.168.1.2 255.255.255.255 Tunnel0

Because GRE encapsulates each packet inside an extra IP and GRE header, we must reduce the tunnel MTU (and clamp the TCP MSS accordingly) to account for that overhead.

"tunnel source" and "tunnel destination" define the local and remote endpoint IPs of the tunnel.

Notice that we use "tunnel source 10.10.1.100" on the left-side router. That is how AWS works: the CSR instance does not know the Elastic IP attached to its outward-facing network interface; it only knows its private IP 10.10.1.100. We could just as well use the name of the outgoing interface, e.g. "tunnel source GigabitEthernet0", and the result would be the same.

A similar configuration is applied to the right-side router.

R2(config)# interface Tunnel0
R2(config-if)# ip address 172.16.0.2 255.255.255.0
R2(config-if)# ip mtu 1400
R2(config-if)# ip tcp adjust-mss 1360
R2(config-if)# tunnel source 31.xxx.xxx.48
R2(config-if)# tunnel destination 13.236.166.176

R2(config)# ip route 10.10.0.161 255.255.255.255 Tunnel0

The "ip route" command instructs the router to send traffic for the remote host via the GRE tunnel.

Test our simple GRE tunnel

First, we verify that R1 can talk to R2 through the tunnel. A ping from R1 confirms that the tunnel is up.

R1# ping 172.16.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 275/275/276 ms

Then we run an end-to-end test: ping from the host at the Sydney site (IP 10.10.0.161) to the host at the France site (IP 192.168.1.2).

PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=62 time=277 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=62 time=277 ms
64 bytes from 192.168.1.2: icmp_seq=3 ttl=62 time=278 ms
64 bytes from 192.168.1.2: icmp_seq=4 ttl=62 time=277 ms
64 bytes from 192.168.1.2: icmp_seq=5 ttl=62 time=279 ms
64 bytes from 192.168.1.2: icmp_seq=6 ttl=62 time=277 ms
^C
--- 192.168.1.2 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5005ms
rtt min/avg/max/mdev = 276.921/277.475/278.911/0.718 ms

GRE tunnel + NAT

Let’s recap the IP parameters here:

IP Info                                   Left side (Sydney)                 Right side (France)
----------------------------------------  ---------------------------------  ----------------------------------
VPN device/software                       Cisco CSR1000V                     Cisco C931-4P
VPN GW IP                                 13.236.166.176                     31.xxx.xxx.48
GRE tunnel interface IP                   172.16.0.1/24                      172.16.0.1/24
GRE source/destination address            10.10.1.100 / 31.xxx.xxx.48        31.xxx.xxx.48 / 13.236.166.176
Encryption domain (VPN host or subnet)    3.6.74.40 (NAT to 10.10.0.161)     31.xxx.xxx.89 (NAT to 192.168.1.2)

Now the hosts will talk to each other using their public IPs instead of their private IPs.

On R1, we add only 3 lines ("ip nat outside" goes under interface Tunnel0):

R1(config-if)# ip nat outside
R1(config)# ip route 31.xxx.xxx.89 255.255.255.255 Tunnel0
R1(config)# ip nat inside source static 10.10.0.161 3.6.74.40

Test GRE tunnel + NAT

Now let's ping from the host at the France site to the host at the Sydney site (public IP 3.6.74.40):

ping 3.6.74.40
PING 3.6.74.40 (3.6.74.40) 56(84) bytes of data.
64 bytes from 3.6.74.40: icmp_seq=1 ttl=62 time=277 ms
64 bytes from 3.6.74.40: icmp_seq=2 ttl=62 time=280 ms
64 bytes from 3.6.74.40: icmp_seq=3 ttl=62 time=278 ms
64 bytes from 3.6.74.40: icmp_seq=4 ttl=62 time=278 ms
64 bytes from 3.6.74.40: icmp_seq=5 ttl=62 time=278 ms
64 bytes from 3.6.74.40: icmp_seq=6 ttl=62 time=276 ms
^C
--- 3.6.74.40 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5006ms
rtt min/avg/max/mdev = 276.269/278.107/280.285/1.200 ms

Securing GRE tunnel with IPsec (GRE over IPsec)

Here is the complete configuration with IPsec added.

We add the IKE phase 1 (ISAKMP policy) and phase 2 (IPsec transform-set) parameters, wrap the transform-set in an IPsec profile, and apply that profile to the tunnel interface with "tunnel protection".

Notice that the IPsec mode is "transport", not the default "tunnel"; this is because the left-side network is hosted on AWS. See How to build GRE over IPsec on AWS Cisco CSR1000v, which explains the reason.

Below is the configuration applied on R1 (Sydney site).

R1(config)# interface Tunnel0
R1(config-if)# ip address 172.16.0.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source 10.10.1.100
R1(config-if)# tunnel destination 31.xxx.xxx.48
R1(config-if)# ip nat outside
R1(config-if)# tunnel protection ipsec profile protect-gre

R1(config)# ip route 31.xxx.xxx.89 255.255.255.255 Tunnel0

R1(config)# ip nat inside source static 10.10.0.161 3.6.74.40

R1(config)# crypto isakmp key test address 31.xxx.xxx.48

R1(config)# crypto isakmp policy 100
R1(config-isakmp)# encr aes 256
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2

R1(config-isakmp)# crypto ipsec transform-set vpn-sha1-aes256 esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)# mode transport

R1(config)# crypto ipsec profile protect-gre
R1(ipsec-profile)# set transform-set vpn-sha1-aes256

Ping from the host at the France site to the Sydney site:

$ ping 3.6.74.40
PING 3.6.74.40 (3.6.74.40) 56(84) bytes of data.
64 bytes from 3.6.74.40: icmp_seq=1 ttl=62 time=304 ms
64 bytes from 3.6.74.40: icmp_seq=2 ttl=62 time=287 ms
64 bytes from 3.6.74.40: icmp_seq=3 ttl=62 time=281 ms
64 bytes from 3.6.74.40: icmp_seq=4 ttl=62 time=301 ms
64 bytes from 3.6.74.40: icmp_seq=5 ttl=62 time=277 ms
64 bytes from 3.6.74.40: icmp_seq=6 ttl=62 time=292 ms
^C
--- 3.6.74.40 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5000ms
rtt min/avg/max/mdev = 277.305/290.623/304.303/9.824 ms

Check Tunnel0 on R2 (France site):

sho int tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 172.16.0.2/24
  MTU 17858 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 2/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 31.xxx.xxx.48, destination 13.236.166.176
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1418 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "protect-gre")
  Last input 00:02:12, output 00:27:19, output hang never
  Last clearing of "show interface" counters 00:00:18
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
     6 packets input, 648 bytes, 0 no buffer
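As an added example (not part of the original post), the following Python reproduces the MTU figures the routers report: the "Tunnel transport MTU 1418" above and the "plaintext mtu 1442" that appears in the IPsec SA output further down, and checks that "ip mtu 1400" with "ip tcp adjust-mss 1360" fits inside them. It assumes a 1500-byte path MTU and the standard header sizes for ESP, AES-CBC, HMAC-SHA1-96 and NAT-T UDP encapsulation.

```python
# Added example, not from the original post: reproduce the MTU figures the
# routers report for GRE over IPsec (transport mode with NAT-T UDP encapsulation)
# and check the configured "ip mtu" / "ip tcp adjust-mss" against them.
# Header sizes are the standard RFC values; a 1500-byte path MTU is assumed.

IP_HDR = 20         # IPv4 header
GRE_HDR = 4         # GRE header with key, sequencing and checksum disabled
UDP_HDR = 8         # NAT-T encapsulation (peer port 4500 in the SA output)
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header
AES_BLOCK = 16      # AES-CBC: IV size and padding boundary
SHA1_ICV = 12       # esp-sha-hmac: HMAC-SHA1 truncated to 96 bits
TCP_IP_HDRS = 40    # IPv4 + TCP headers, subtracted from the IP MTU to get the MSS


def esp_plaintext_mtu(path_mtu, nat_t=True, block=AES_BLOCK, icv=SHA1_ICV):
    """Largest packet (including its IP header, which transport mode keeps in
    clear) whose padded, encrypted and authenticated form fits in path_mtu."""
    fixed = IP_HDR + ESP_HDR + block + icv + (UDP_HDR if nat_t else 0)
    # Encrypted part = payload + pad + trailer, rounded down to a block multiple.
    encrypted = (path_mtu - fixed) // block * block
    return IP_HDR + encrypted - ESP_TRAILER


def gre_transport_mtu(plaintext_mtu):
    """What the GRE tunnel can carry once its outer IP and GRE headers are added."""
    return plaintext_mtu - IP_HDR - GRE_HDR


def check_tunnel_settings(path_mtu, ip_mtu, tcp_mss, nat_t=True):
    """Computed values plus two sanity checks: the configured ip mtu must not
    exceed what the tunnel can carry, and the MSS clamp must match ip mtu."""
    plaintext = esp_plaintext_mtu(path_mtu, nat_t)
    gre_mtu = gre_transport_mtu(plaintext)
    return {
        "plaintext_mtu": plaintext,          # 1442 for path MTU 1500 with NAT-T
        "gre_transport_mtu": gre_mtu,        # 1418
        "ip_mtu_fits": ip_mtu <= gre_mtu,
        "mss_consistent": tcp_mss == ip_mtu - TCP_IP_HDRS,
    }


if __name__ == "__main__":
    print(check_tunnel_settings(1500, 1400, 1360))
```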

Check IPsec SAs

Notice that the protected traffic, shown as "local ident/remote ident", is GRE (IP protocol 47) between the tunnel source and destination IPs. We did not configure any access-list; "tunnel protection" derives this selector automatically.

sho crypto ipsec sa peer 13.236.166.176
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 31.xxx.xxx.48

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (31.xxx.xxx.48/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (13.236.166.176/255.255.255.255/47/0)
   current_peer 13.236.166.176 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 31.xxx.xxx.48, remote crypto endpt.: 13.236.166.176
     plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet4
     current outbound spi: 0x235DBCB3(593345715)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x44130E84(1142099588)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 2053, flow_id: Onboard VPN:53, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/1948)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0x41A37BAE(1101233070)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 2055, flow_id: Onboard VPN:55, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4265405/1948)
        IV size: 16 bytes
        replay detection support: Y
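The check described above, as an added example that is not part of the original post: a small Python parser for the relevant lines of "show crypto ipsec sa" that confirms the SA selects GRE (protocol 47) between the tunnel endpoints, that NAT-T UDP encapsulation is in use when the peer port is 4500, and that every encapsulated packet was also encrypted. The sample output is constructed from the R2 output above, with 203.0.113.48 standing in for the masked 31.xxx.xxx.48.

```python
# Added example, not from the original post: parse the key lines of
# "show crypto ipsec sa" and check that the GRE tunnel is really protected.
# 203.0.113.48 is a placeholder for the masked France address 31.xxx.xxx.48.
import re

# Constructed sample, condensed from the R2 output shown above.
SAMPLE_SA = """\
   local  ident (addr/mask/prot/port): (203.0.113.48/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (13.236.166.176/255.255.255.255/47/0)
   current_peer 13.236.166.176 port 4500
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
      spi: 0x44130E84(1142099588)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        replay detection support: Y
"""

IDENT = re.compile(r"(local|remote)\s+ident .*?: \(([^/]+)/[^/]+/(\d+)/\d+\)")
COUNT = re.compile(r"#pkts (encaps|encrypt|decaps|decrypt): (\d+)")
PEER = re.compile(r"current_peer (\S+) port (\d+)")


def parse_sa(text):
    """Extract the traffic selectors, peer, counters and settings we care about."""
    sa = {"ident": {}, "counts": {}}
    for m in IDENT.finditer(text):
        sa["ident"][m.group(1)] = {"addr": m.group(2), "proto": int(m.group(3))}
    for m in COUNT.finditer(text):
        sa["counts"][m.group(1)] = int(m.group(2))
    peer = PEER.search(text)
    sa["peer"], sa["port"] = peer.group(1), int(peer.group(2))
    sa["udp_encaps"] = "UDP-Encaps" in text
    sa["replay"] = "replay detection support: Y" in text
    return sa


def audit_sa(sa, tunnel_src, tunnel_dst):
    """Findings list; empty means the SA protects exactly the GRE tunnel."""
    findings, ident, c = [], sa["ident"], sa["counts"]
    if (ident.get("local", {}).get("addr") != tunnel_src
            or ident.get("remote", {}).get("addr") != tunnel_dst):
        findings.append("SA identities do not match the tunnel source/destination")
    if any(i["proto"] != 47 for i in ident.values()):
        findings.append("SA does not select GRE (IP protocol 47)")
    if c.get("encaps") != c.get("encrypt") or c.get("decaps") != c.get("decrypt"):
        findings.append("encaps/decaps counters differ from encrypt/decrypt")
    if sa["port"] == 4500 and not sa["udp_encaps"]:
        findings.append("peer uses port 4500 but the SA is not UDP-encapsulated")
    if not sa["replay"]:
        findings.append("anti-replay is disabled")
    return findings
```

Run it against the output of the local router with its own tunnel source as tunnel_src; any finding means GRE packets may be leaving the box outside the IPsec SA.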
