Multiple IPSEC/GRE tunnel setup - router and feature set recommendation?

Answered Question
Sep 9th, 2010

I know a sales engineer is the person who will tell me what equipment/feature set I need in the end, but I want to make sure I'm asking the right questions (and that what I'm trying to do can be done!)

This is a continuation of this discussion (which I appreciate Christopher Gatlin's help with):

https://supportforums.cisco.com/message/3165713

Here's an example of the setup I'm pondering:

Site A

Router 1:

Fa0/0 - 10.0.0.1/24 (connected to local network)

Fa0/1 - 172.25.1.1/24 (connected to carrier ethernet)

Fa0/2 - 99.99.99.1/29 (connected to DSL Internet)

ASA1:

Ethernet0/1 - 10.0.1.2/24 (local network)

Ethernet0/0 - 88.88.88.88/29 (connected to 10Mb fiber Internet)

Site B

Router 2:

Fa0/0 - 10.0.10.1/24 (local network)

Fa0/1 - 172.25.1.2/24 (carrier ethernet)

Fa0/2 - 77.77.77.1/29 (DSL Internet)

Site C

Router 3:

Fa0/0 - 10.0.20.1/24 (local network)

Fa0/1 - 172.25.1.3/24 (carrier ethernet)

Fa0/2 - 66.66.66.1/29 (DSL Internet)

I need to achieve the following:

1. Traffic between sites will be encrypted, whether it is over carrier ethernet or DSL.

2. All Internet-bound traffic will route through the ASA1 at Site A.

3. If the carrier ethernet fails, traffic will route between sites over the DSL lines.

Here's the direction I was going:

1. Router 1 will have a default route of 10.0.1.2 (ASA1).

2. Router 2 and 3 will have a default route of 172.25.1.1 (carrier ethernet interface on Router 1).

3. Router 1, 2, and 3 will have static routes for the IPs of the DSL interfaces on their neighboring routers.

4. Point-to-point VPN tunnels between Routers will be built over the DSL connections.

5. GRE tunnels over the VPN tunnels over DSL will be built.

6. EIGRP will be enabled on the GRE interfaces, and the carrier ethernet interfaces.  Routes should be discovered through the carrier ethernet and the GRE tunnels at that point.

The disadvantage I can see so far is that if the carrier ethernet is down, and Site B or C is routing traffic over the GRE over VPN over DSL, they will lose Internet access (because the default route to 172.25.1.1 will be down).  Maybe I can do something with route tracking for this, but it actually isn't a big concern - this scenario should be in place a tiny percentage of the time, and users will still have access to the Internet through Citrix servers located at Site A.

Here are the questions I have:

1. Will this work?  And will it work with one router per site, as in my example?

2. How should I encrypt traffic on the carrier ethernet network?  Obviously the route is already there - no internal traffic has to be NAT'd or anything to reach another internal network, because I'm using internal IPs on the carrier ethernet interfaces of the routers.  The traffic can pass right through.  But I don't want that traffic to go through unencrypted!  Do I need another VPN tunnel and another GRE tunnel over it for each carrier ethernet connection?  Or can I encrypt using Transport mode, as opposed to Tunnel, so I can just use the route that's already there, or is that not a viable option?  Really, I just need to make sure local network traffic is encrypted while it routes over the 172.25.1.x network - I don't actually care if Internet-bound traffic is.

3. If this will all work, what feature set do I need to make sure I purchase with the routers?  I'm thinking I'll want firewall, IPSEC, and dynamic routing.  Anything I'm missing?

I have this problem too.
0 votes

To answer your questions:-

1) Yes - I suggest that you configure keepalives in the GRE tunnels, this will take care to losing dynamic routing updates, circuits going down int a timely mannor.

2) Encrypt the traffic using the src/dest IP addresses of the GRE tunnel.  Build your VPN's on thoss IP addresses.  Anything that enters/exits the tunnels is encrypted.  Anything that does not traverse the tunnel is not encrypted.

3) IP Plus/FW/3DES/AES

HTH>

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer

To answer your questions:-

1) Yes - I suggest that you configure keepalives in the GRE tunnels, this will take care to losing dynamic routing updates, circuits going down int a timely mannor.

2) Encrypt the traffic using the src/dest IP addresses of the GRE tunnel.  Build your VPN's on thoss IP addresses.  Anything that enters/exits the tunnels is encrypted.  Anything that does not traverse the tunnel is not encrypted.

3) IP Plus/FW/3DES/AES

HTH>

RHITCHCOCK Fri, 09/10/2010 - 09:05

Thanks, Andrew.

So, you would recommend a GRE tunnel over the carrier ethernet, correct?

Obviously I don't want traffic discovering it has a route over the carrier ethernet, since I would only want it to go over the GRE interface.  As long as I don't have EIGRP advertising on the carrier ethernet interfaces, and only my GRE interfaces, that should work, shouldn't it?

In response

The only way you can get any dynamic routing over any IPSEC connection is in a GRE tunnel.

IPSEC tunnels are unicast only.  So to overcome this you have a GRE tunnel to travel inside the IPSEC tunnel.  Inside the GRE tunnel you have your normal traffic from site to site and your dynamic routing information.

RHITCHCOCK Fri, 09/10/2010 - 09:36

You're right, I knew that.  Temporary lapse in memory.  Thanks!

I appreciate your help.  I know I should be able to do what I'm attempting, and I know what feature set I need to look for when I buy the routers.  Thanks very much for all your help!  I'm marking your answer correct.

Actions

This Discussion