Solved: IPSec & GRE queries ....

Manoj Wadhwa · ‎03-21-2008

Hi Friends,

I have been going through IPSec & GRE study guides and have a few queries that i am struggling to find an answer for. Kindly help me clear these.

1. IPSec does not support multicast whereas GRE does. I am wondering why IPSec goes not support multicast. I understand IPSec encrypts all data including the IP Header and creates a new IP Header. But from my understanding, even GRE encapsulates the IP Header and creates a new IP Header. Then how come only GRE supports routing?

2. In GRE configuration, we specify the Tunnel Source & Tunnel Destination. Will these ip addresses be the source & destination ip address of the new header that GRE creates?

3. When you run GRE over IPSec, which is the interface to apply crypto_map to? I have seen implementations wherein sometimes its in Tunnel interface, sometimes on the Internet facing interface and sometime even on both?

Thanks in advance for your active participation on this.

Best Regards,

Manoj

Richard Burts · ‎03-22-2008

Manoj

Here is a reference which explains the change in requirement for placement of the crypto map:

With IOS 12.2(13)T software and later (higher numbered T-train software, 12.3 and later), the configured IPSec crypto map only needs to be applied to the physical interface and is no longer required to be applied on the GRE tunnel interface. In software versions prior to this release, IPSec crypto maps need to be applied to both the tunnel interface and the physical interface. Having the crypto map on the physical and tunnel interface when using the 12.2.(13)T software and later should still work; however, Cisco highly recommends that you apply it just on the physical interface

If you want additional details here is the link:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a0080093f70.shtml

HTH

Rick

HTH

Rick

View solution in original post

Richard Burts · ‎03-24-2008

Manoj

1) To assume that routing protocols do not work over IPSec is too much generalization. As you say later in your post the real issue is multicast traffic over IPSe (which does not work until very recent releases of IOS). Since BGP uses unicast (TCP) addressing it will work over IPSec.

2) BGP would still work. BGP will advertise whatever network you tell it to advertise (assuming that the network is found in the IP routing table). If you advertise network 150.x.x.x and that network is not included in the interesting traffic access list then the traffic to and from that network would not be encrypted and would be sent in clear text.

3) If you had configured EIGRP there would be a problem since EIGRP uses multicast advertisements.

HTH

Rick

HTH

Rick

View solution in original post

Richard Burts · ‎03-21-2008

Manoj

Here are my answers to your questions:

1) The specification of IPSec specifies that it processes unicast IP traffic. That was a design decision. The design decision probably could have been different but we can deal only with what it is and not what it might have been. The specification of GRE was different and does support multicast.

2) In GRE the address that we specify as tunnel source will be used as the source address of the GRE header and the address that we specify as tunnel destination will be used as the destination address of the GRE header.

3) This answer depends on what version of code you are running. In older versions of code you needed to put the crypto map on both the physical interface and the tunnel interface. In more recent versions of code you only need to put the crypto map on the physical interface.

HTH

Rick

HTH

Rick

Manoj Wadhwa · ‎03-21-2008

Hi Rick,

Thanks for your answers. Need a clarification with regards to point "3". Can you let me know which codes require both on Tunnel & Physical interface and above which codes does it require only on the physical interface? If there is any document pertaining to this, please let me know. Thanks again.

BR,

Manoj

Manoj Wadhwa · ‎03-21-2008

Hi,

While i was waiting for your answer for my point "3", i was setting up my sample lab trying to do testing for Gre over IPSec. I setup the IPSec connectivity and then run bgp over it just to verify that bgp does not come up (as should be the case). But to my surprise, the bgp did come up. I am totally confused on how come IPSec is allowing BGP. Kindly help me to clarify this. My topology is very simple

GreOverIPSEc1 ---> Internet ----> GreOverIPSec2. I have also attached the configs and the output which is under the Verification text. Thanks!

Manoj Wadhwa · ‎03-21-2008

Here is the last attachment .. which shows the bgp status ...

Richard Burts · ‎03-22-2008

Manoj

Here is a reference which explains the change in requirement for placement of the crypto map:

With IOS 12.2(13)T software and later (higher numbered T-train software, 12.3 and later), the configured IPSec crypto map only needs to be applied to the physical interface and is no longer required to be applied on the GRE tunnel interface. In software versions prior to this release, IPSec crypto maps need to be applied to both the tunnel interface and the physical interface. Having the crypto map on the physical and tunnel interface when using the 12.2.(13)T software and later should still work; however, Cisco highly recommends that you apply it just on the physical interface

If you want additional details here is the link:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a0080093f70.shtml

HTH

Rick

HTH

Rick

Richard Burts · ‎03-22-2008

Manoj

I have looked at the additional question that you ask about why BGP does run over the IPSec that you configured. Your assumption seems to be that BGP should not run here. Why do you think that BGP should not run?

In looking at your configs it seems fairly direct:

- you configure BGP between the end routers specifying BGP addresses as 10.10.10.x and 10.20.20.x

- you configure bgp update-source and ebgp multihop so that the addresses used for the TCP BGP packets will have source and destination addresses in 10.10.10.0 or 10.20.20.0

- your access list for interesting traffic permits any ip between 10.10.10.0 and 10.20.20.0

So the routers establish their IPSec negotiation and the IPSec connection is established. BGP is running and sends its TCP packet over the IPSec connection. The BGP traffic is permitted by the interesting traffic access list. Why would you expect that this would not work?

HTH

Rick

HTH

Rick

Manoj Wadhwa · ‎03-23-2008

Hi,

I sincerely thank you for all your replies. It makes me think so foolish after i read your replies :-) ... But you know what, i have something for you again .. plz dont mind, hopefully this will be the last one.

1. The reason i thought BGP won't work is because i was under the impression that any routing protocol/ multicast traffic will not work over IPSec. But i was wrong.

2. Now in the above scenario, if i would have advertised a network say 150.x.x.x, it is not part of the interesting traffic. So will the BGP still work but just that for this update, the packet will not be encrypted and be sent in clear text?

3. What if i would have configured EIGRP instead of BGP (a different setup). As EIGRP uses multicast, will the EIGRP still work?

Thanks for your patience and time again for making things clarified for me.

Best Regards,

Manoj

Richard Burts · ‎03-24-2008

Manoj

1) To assume that routing protocols do not work over IPSec is too much generalization. As you say later in your post the real issue is multicast traffic over IPSe (which does not work until very recent releases of IOS). Since BGP uses unicast (TCP) addressing it will work over IPSec.

2) BGP would still work. BGP will advertise whatever network you tell it to advertise (assuming that the network is found in the IP routing table). If you advertise network 150.x.x.x and that network is not included in the interesting traffic access list then the traffic to and from that network would not be encrypted and would be sent in clear text.

3) If you had configured EIGRP there would be a problem since EIGRP uses multicast advertisements.

HTH

Rick

HTH

Rick

Manoj Wadhwa · ‎04-02-2008

Hi Rick,

Sorry for my late reply, i was sick hence unable to reply to you. I would thank you for the information you provided. I implemented IPSEC, GRE and GRE Over IPSec in my lab and was able to set things up though with some difficulty initially. Most of my doubts have been clarified and you were very helpful in clarifying those. I sincerely thank you for your help. As always, you are a champ for this forum :-). Take care always.

Regards,

Manoj

Richard Burts · ‎04-02-2008

Manoj

I am sorry to hear that you were sick and am glad you are now recovered. I am glad that you have got it working in your lab - and agree that in the first few times these things can be difficult to set up and get to work.

Thank you for the compliments. I am glad that my information was helpful to you. The forum is an excellent place and I encourage you to continue your participation in the forum.

HTH

Rick

HTH

Rick

lamav · ‎04-02-2008

Manoj:

Just a quick clarification...

you said

"I understand IPSec encrypts all data including the IP Header and creates a new IP Header."

Actually, IPSec running in transport mode does not encrypt the original IP header. What you are describing is tunnel mode.

guruprasadr · ‎04-03-2008

HI Rick / Manoj,

In am running IPSec Tunnel beween the HUB and Spoke Locations.

By default, the IPSec Session will stay for only 60 minutes and it will re-establish even if there is an traffic / interesting traffic. Unless until there is not interesting traffic, the session will not come up.

Can you provide me an soulution where my IPSec session should not go off and it should be always Up and Running.

Best Regards,

Guru Prasad R

Manoj Wadhwa · ‎04-03-2008

Guru,

One of the security features of IPSec is to re-establish the sessions even though the interesting traffic is going through it. This help not to compromise on any kind of attacks if any. By fault, if you exectute show cryto map command, you can see the lifetime that is configured. Below is the output on one of my routers which has default life time configured.

show crypto map

: 4608000 kilobytes/3600 seconds

In case you would like to increase the lifetime, you can execute the command "set security-association lifetime seconds xxxx" under crypto map.

Rick,

Plz let me know if i am right. Thanks!

Regards,

Manoj

Richard Burts · ‎04-03-2008

Guru

In some of the IPSec implementations I have done we run a routing protocol (could be EIGRP or OSPF) through the IPSec. The hello messages or keepalives are interesting traffic and serve to keep the connection up and active. I have not done it and so can not address the possibility from direct experience but I would assume that if you are running IPSec with GRE that configuring GRE tunnel keepalives would also accomplish this.

[edit] Manoj I believe that your statements are correct.

HTH

Rick

HTH

Rick