Cisco Support Community

New Member

2821 router to router encryption

How do I secure this scenario?

1) Site A has a 2821 router and an IP connection to site C's 2821 across another organization's IP network.

2) Site B has a 2821 router with an MPLS connection to site C's 2821.

This is easy enough to connect and get working with clear-text connections and GRE tunnels, but I'm leaving my network open to the other organization and to the MPLS service provider.

I'm thinking some flavor of encryption between the routers with GRE tunnels for routing the actual traffic.

Thank you in advance for any recommendations and config examples.

1 ACCEPTED SOLUTION
3 REPLIES
Bronze

Re: 2821 router to router encryption

Hi Tod,

if you already operate GRE tunnels you can simply turn them into "VTI" interfaces.

A VTI (virtual tunnel interface) is similar to GRE, but it uses IPsec directly instead of GRE to encapsulate the packets.

Here is a sample:

! IKE phase 1 (ISAKMP) policy and pre-shared key for the peer
crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
crypto isakmp key [ike-key] address [address-of-other-router] 255.255.255.255
crypto isakmp keepalive 10
!
! IPsec phase 2: transform set and the profile the tunnel references
! (the transform-set name VTI-TS is a placeholder; the original sample omitted these lines)
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
  mode tunnel
crypto ipsec profile VTI
  set transform-set VTI-TS
!
! The tunnel interface: IPsec encapsulation instead of GRE, protected by the profile above
interface Tunnel0
  ip address 192.168.10.2 255.255.255.0
  tunnel source 10.0.149.220
  tunnel destination 10.0.149.221
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile VTI

taken from

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html

I wish you success with the encrypted tunnel

MiKa

New Member

Re: 2821 router to router encryption

A VTI sounds like most of my answer, thanks.

Does a VTI protect against intrusions into the physical interface? I guess I'm wondering about how to configure the physical interface to allow only the tunnel and drop everything else (ssh, telnet, ping, etc). I'm expecting some sort of access list or something as well.

Bronze

Re: 2821 router to router encryption

Hi Tod,

you can deploy a separate ACL on the physical interface, which allows only the tunnel itself (UDP/500 and ESP). The ACL on the VTI would control the traffic through the tunnel.

Rgds,

MiKa
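The two ACLs described in this reply, written out as an added example (this is not from the thread and not Cisco's own sample). It assumes the VTI from the earlier reply: a WAN interface named GigabitEthernet0/0 holding 10.0.149.220 (the interface name is hypothetical), the peer at 10.0.149.221, Tunnel0 numbered 192.168.10.2 with the far end assumed to be 192.168.10.1, and constructed LAN prefixes 192.168.1.0/24 at site A and 192.168.3.0/24 at site C.

```cisco
! Added example, not from the original thread. Interface name, peer tunnel
! address 192.168.10.1 and the LAN prefixes are assumptions.
!
! --- Underlay ACL on the physical interface: only IKE and ESP from the known
! peer are accepted; the implicit deny drops ssh, telnet, icmp and anything else.
ip access-list extended WAN-IN
  remark IKE (ISAKMP, UDP/500) from the IPsec peer only
  permit udp host 10.0.149.221 host 10.0.149.220 eq isakmp
  remark IPsec ESP (IP protocol 50) from the IPsec peer only
  permit esp host 10.0.149.221 host 10.0.149.220
  remark if a NAT device sits between the routers, NAT-T (UDP/4500) is also needed:
  remark   permit udp host 10.0.149.221 host 10.0.149.220 eq non500-isakmp
  remark log what gets rejected so probes against the WAN interface are visible
  deny ip any any log
!
interface GigabitEthernet0/0
  ip address 10.0.149.220 255.255.255.0
  ip access-group WAN-IN in
!
! --- Overlay ACL on the VTI: evaluated on the decrypted packets, so this is
! where the policy for the actual site-to-site traffic lives.
ip access-list extended TUNNEL-IN
  remark site C LAN to site A LAN (constructed prefixes)
  permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
  remark tunnel endpoints to each other (routing protocol, troubleshooting pings)
  permit ip host 192.168.10.1 host 192.168.10.2
  deny ip any any log
!
interface Tunnel0
  ip access-group TUNNEL-IN in
```

Two points worth checking after applying this. The WAN-IN implicit deny also blocks anything the underlay itself relies on (a routing protocol run with the provider, DHCP on the WAN, management from a jump host on the provider side), so add explicit permits for those or they will break silently apart from the log entries. And the order of evaluation is what makes the split work: the interface ACL sees the outer ESP packet before decryption, then the decrypted inner packet is matched against the Tunnel0 ACL, so `show ip access-lists WAN-IN` should show only the isakmp/esp counters moving while `show crypto ipsec sa` shows the encrypt/decrypt counters for the tunnel.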
