Cisco introduced new configuration guidelines for VRF aware IPSec. I spent a day worth and finally got it working. The understanding of Front Door VRF (FVRF) and and Inside VRF (IVRF) is key. Each IPsec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, which Cisco called it FVRF. The inner & encrypted IP packet belongs to another domain called the IVRF.
Part 1 is the base configuration without any IPSec. I'm using Loopback interface to simulate internal trusted network address (e.g. LAN). GRE tunnel is setup to bridge 2 separate LANs. In part 2, IPSec profile is applied to encrypt GRE tunnel (a.k.a GRE over IPSec).
Part 1 - Base Configuration
hostname Router1
ip vrf FVRF
rd 0:0
!
ip vrf IVRF
rd 1:1
!
interface Loopback0 # internal address
ip vrf forwarding IVRF
ip address 192.168.255.1 255.255.255.255
!
interface Tunnel0
ip vrf forwarding IVRF
ip add 192.168.1.1 255.255.255.252
tunnel source Serial1/0
tunnel destination 192.168.1.2
tunnel vrf FVRF
!
interface Serial1/0
ip vrf forwarding FVRF
ip address 192.168.1.1 255.255.255.252
!
ip route vrf IVRF 192.168.255.2 255.255.255.255 Tunnel0
----
hostname Router2
ip vrf FVRF
rd 0:0
!
ip vrf IVRF
rd 1:1
!
interface Loopback0
ip vrf forwarding IVRF
ip address 192.168.255.2 255.255.255.255
!
interface Tunnel0
ip vrf forwarding IVRF
ip add 192.168.1.2 255.255.255.252
tunnel source Serial1/0
tunnel destination 192.168.1.1
tunnel vrf FVRF
!
interface Serial1/0
ip vrf forwarding FVRF
ip address 192.168.1.2 255.255.255.252
!
ip route vrf IVRF 192.168.255.1 255.255.255.255 Tunnel0
Part 2 - IPSec related crypto configuration
Router1
crypto keyring vpnKey vrf FVRF
pre-shared-key add 192.168.1.2 key vpnkey
no crypto xauth s1/0 #exempt extended authentication for physical interface
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp profile isaPro
vrf FVRF
keyring vpnKey
match identity add 192.168.1.2 255.255.255.255 FVRF
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto ipsec profile ipsecPro
set transform myset
set isakmp-profile isaPro
!
int Tunnel0
tunnel mode ipsec ipv4 #apply IPSec to protect GRE tunnel
tunnel protection ipsec profile ipsecPro
!
-------
Router2
crypto keyring vpnKey vrf FVRF
pre-shared-key add 192.168.1.1 key vpnkey
!
no crypto xauth s1/0
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp profile isaPro
vrf FVRF
keyring vpnKey
match identity add 192.168.1.1 255.255.255.255 FVRF
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto ipsec profile ipsecPro
set transform myset
set isakmp-profile isaPro
!
int Tunnel0
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecPro
Verification
Router1#ping vrf IVRF 192.168.255.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.255.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.255.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 372/429/512 ms
Router1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.1 192.168.1.2 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
Router1#sh crypto session
Crypto session current status
Interface: Tunnel0
Profile: isaPro
Session status: UP-ACTIVE
Peer: 192.168.1.2 port 500
IKE SA: local 192.168.1.1/500 remote 192.168.1.2/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
I have a wide scope of interests in IT, which includes hyper-v private cloud, remote desktop services, server clustering, PKI, network security, routing & switching, enterprise network management, MPLS VPN on enterprise network etc. Started this blog for my quick reference and to share technical knowledge with our team members.
Thursday, November 26, 2009
VRF aware Site-to-Site IPSec
Labels:
cisco vpn,
network security
Thursday, November 5, 2009
SID reset on Win7 image
If you want a quick SID reset on a Win7 clone, the official way is to use sysprep on "c:\Windows\System32\sysprep\sysprep.exe" and select "Generalize". Remember to perform this task before joining the machine to domain.
For corporate Windows 7 deployment, Microsoft provides a free toolkit called Microsoft Deployment Toolkit (MDT) 2010, which is specifically designed for imaging & deploying Windows 7 machines.
For corporate Windows 7 deployment, Microsoft provides a free toolkit called Microsoft Deployment Toolkit (MDT) 2010, which is specifically designed for imaging & deploying Windows 7 machines.
Labels:
active directory,
virtualization
Subscribe to:
Posts (Atom)