2821 router to router encryption

Jun 3rd, 2010

How do I secure this scenario?


1) Site A has a 2821 router and an IP connection to site C's 2821 across another organization's IP network.


2) Site B has a 2821 router with an MPLS connection to site C's 2821.


This is easy enough to connect and get working with clear-text connections and GRE tunnels, but I'm leaving my network open to the other organization and to the MPLS service provider.


I'm thinking some flavor of encryption between the routers with GRE tunnels for routing the actual traffic.


Thank you in advance for any recommendations and config examples.

m.kafka Fri, 06/04/2010 - 01:15

Hi Tod,


if you already operate GRE tunnels you can simply turn them into "VTI" interfaces.

A VTI (virtual tunnel interface) is similar to GRE, but it uses IPsec directly instead of GRE to encapsulate the packets.

Here is a sample:


! Phase 1 (IKE) policy and pre-shared key for the peer router
crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
crypto isakmp key [ike-key] address [address-of-other-router]  255.255.255.255
crypto isakmp keepalive 10
!
! Phase 2: the transform set and the profile "VTI" that Tunnel0 references below.
! These two stanzas are not in the quoted sample; the names are placeholders.
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
crypto ipsec profile VTI
  set transform-set VTI-TS
!
! The tunnel itself: IPsec encapsulation (no GRE), protected by the profile
interface Tunnel0
  ip address 192.168.10.2 255.255.255.0
  tunnel source 10.0.149.220
  tunnel destination 10.0.149.221
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile VTI


taken from

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html


I wish you success with the encrypted tunnel


MiKa

Tod Larson Fri, 06/04/2010 - 04:20

A VTI sounds like most of my answer, thanks.


Does a VTI protect against intrusions into the physical interface? I guess I'm wondering how to configure the physical interface to allow only the tunnel and drop everything else (SSH, telnet, ping, etc.). I'm expecting some sort of access list or something as well.

Correct Answer
m.kafka Fri, 06/04/2010 - 04:41

Hi Tod,


you can deploy a separate ACL on the physical interface, which allows only the tunnel itself (udp/500 and ESP). The ACL on the VTI would control the traffic through the tunnel.


Rgds,


MiKa
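As an added illustration of the two-ACL approach MiKa describes (this is example configuration, not part of the original thread or of Cisco's white paper), here is how the physical interface and the VTI could be filtered on the site A router. It reuses the addresses from the sample above (10.0.149.220 local, 10.0.149.221 peer); the interface name GigabitEthernet0/0, the ACL names VTI-OUTSIDE-IN and TUNNEL-IN, and the inner subnets 192.168.20.0/24 and 192.168.0.0/24 are assumptions chosen for the example.

```cisco
! Added example (not from the thread): outer ACL permits only the IPsec tunnel
! between the two routers. Interface name, ACL names and subnets are assumptions.
ip access-list extended VTI-OUTSIDE-IN
 remark IKE negotiation from the peer router (udp/500)
 permit udp host 10.0.149.221 host 10.0.149.220 eq isakmp
 remark encrypted tunnel payload (ESP, IP protocol 50)
 permit esp host 10.0.149.221 host 10.0.149.220
 remark NAT-T (udp/4500) only if a NAT device sits between the routers; otherwise omit
 permit udp host 10.0.149.221 host 10.0.149.220 eq non500-isakmp
 remark everything else (ssh, telnet, ping, ...) is dropped; log gives visibility
 deny ip any any log
!
interface GigabitEthernet0/0
 description link across the other organization's network
 ip address 10.0.149.220 255.255.255.0
 ip access-group VTI-OUTSIDE-IN in
!
! Inner ACL: traffic arrives here already decrypted, so this is where the
! actual site-to-site policy lives (assumed subnets, adjust to your sites)
ip access-list extended TUNNEL-IN
 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny ip any any log
!
interface Tunnel0
 ip access-group TUNNEL-IN in
```

With the outer ACL in place, management access (SSH, ping) to the router from the far side still works, but only inside the tunnel, where TUNNEL-IN decides what is permitted. Before applying VTI-OUTSIDE-IN, check whether the physical link carries anything else the router depends on (a routing adjacency with the provider, for instance) and permit it explicitly; apply the ACL from the console or with a scheduled rollback so a mistake does not lock you out. The `log` keyword on the deny entries is what lets you see unexpected probes of the physical interface in the router's log once the lockdown is active.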
