IPSec over GRE Tunnel

(Cisco documentation calls this design GRE over IPsec: the GRE packet carrying the site-to-site traffic is what gets encrypted. The name used here is kept from the lab.)

Advantages:
- Creates a logical virtual interface (the Tunnel interface) between the two routers; traffic appears to flow directly across it.
- Allows an IGP routing protocol (OSPF here) to run between the sites, because the GRE tunnel carries the IGP's multicast hellos that a plain crypto-map IPsec tunnel cannot.
- Allows multicast routing for the same reason.
- Traffic crossing the Internet is encrypted: the crypto ACL matches the GRE packets, so everything inside them (OSPF, unicast, multicast) is protected without listing each LAN pair.

Pre-Configuration:

ASA
interface GigabitEthernet0
 ip address 100.100.100.2 255.255.255.0
 nameif outside
 security-level 0
 no shutdown
!
interface GigabitEthernet2
 ip address 10.10.10.1 255.255.255.252
 nameif inside
 security-level 100
 no shutdown

Corp
interface FastEthernet 0/0
 ip address 10.10.10.2 255.255.255.252
 no shutdown
!
interface FastEthernet 0/1
 ip address 10.10.11.1 255.255.255.252
 no shutdown

Branch
interface FastEthernet 0/0
 ip address 100.100.100.10 255.255.255.0
 no shutdown
!
interface FastEthernet 0/1
 ip address 10.10.14.1 255.255.255.252
 no shutdown

ASA (DMZ)
interface GigabitEthernet1
 no nameif
 security-level 0
 no ip address
 no shutdown
!
interface GigabitEthernet1.1
 vlan 10
 nameif DMZ
 security-level 50
 ip address 20.20.20.1 255.255.255.0

The subinterface must carry "vlan 10" to match the DMZ VLAN trunked from SW1; an ASA subinterface with no VLAN tag never passes traffic.

SW1
vlan database
 vlan 10 name DMZ
 exit
conf t
!
no ip routing
!
interface FastEthernet 1/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface range FastEthernet 1/1 - 2
 switchport mode access
 switchport access vlan 10
!
ip default-gateway 20.20.20.1

SW2
vlan database
 vlan 2 name Sales
 vlan 3 name Finance
 exit
conf t
!
interface FastEthernet 1/0
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
!
interface FastEthernet 1/1
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast
!
interface vlan 2
 ip address 10.10.12.1 255.255.255.0
 no shutdown
!
interface vlan 3
 ip address 10.10.13.1 255.255.255.0
 no shutdown
!
interface FastEthernet 0/0
 ip address 10.10.11.2 255.255.255.252
 no shutdown
!
ip dhcp excluded-address 10.10.12.1 10.10.12.9
!
ip dhcp pool VLAN2
 network 10.10.12.0 /24
 default-router 10.10.12.1
 dns-server 8.8.8.8
!
ip dhcp excluded-address 10.10.13.1 10.10.13.9
!
ip dhcp pool VLAN3
 network 10.10.13.0 /24
 default-router 10.10.13.1
 dns-server 8.8.8.8

SW3
vlan database
 vlan 2 name Accounting
 vlan 3 name Management
 exit
conf t
!
interface FastEthernet 1/0
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
!
interface FastEthernet 1/1
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast
!
interface vlan 2
 ip address 10.10.15.1 255.255.255.0
 no shutdown
!
interface vlan 3
 ip address 10.10.16.1 255.255.255.0
 no shutdown
!
interface FastEthernet 0/0
 ip address 10.10.14.2 255.255.255.252
 no shutdown
!
ip dhcp excluded-address 10.10.15.1 10.10.15.9
!
ip dhcp pool VLAN2
 network 10.10.15.0 /24
 default-router 10.10.15.1
 dns-server 8.8.8.8
!
ip dhcp excluded-address 10.10.16.1 10.10.16.9
!
ip dhcp pool VLAN3
 network 10.10.16.0 /24
 default-router 10.10.16.1
 dns-server 8.8.8.8

Configuration GRE Tunnel:

Note on addressing: the tunnel and crypto steps below use 192.168.137.2 (CORP) and 192.168.137.10 (BRANCH) as the Internet-facing router addresses and 192.168.1.0/24 and 10.1.1.0/24 as the site LANs, which do not match the 100.100.100.x and 10.10.x.x addresses of the pre-configuration above. Whatever topology you use, the same pair of public addresses must appear consistently in the tunnel source/destination, the crypto ACL, the crypto-map peer and the isakmp key, and the OSPF network statements must cover your real LANs. If CORP sits behind the ASA as in the pre-configuration, the ASA must also permit ISAKMP (UDP/500), ESP (IP protocol 50) and, if the router is NAT'd, NAT-T (UDP/4500) to the router.

Step 1: Create OSPF routing process:
CORP(config)# router ospf 123
CORP(config-router)# network 192.168.1.0 0.0.0.255 area 0
BRANCH(config)# router ospf 123
BRANCH(config-router)# network 10.1.1.0 0.0.0.255 area 0

Step 2: Configure layer 3 tunnel interfaces:
CORP(config)# interface tunnel 0
CORP(config-if)# tunnel source f0/0
CORP(config-if)# tunnel destination 192.168.137.10
CORP(config-if)# ip address 10.10.1.1 255.255.255.252
CORP(config-if)# tunnel path-mtu-discovery
CORP(config-if)# ip ospf mtu-ignore
BRANCH(config)# interface tunnel 0
BRANCH(config-if)# tunnel source f0/0
BRANCH(config-if)# tunnel destination 192.168.137.2
BRANCH(config-if)# ip address 10.10.1.2 255.255.255.252
BRANCH(config-if)# tunnel path-mtu-discovery
BRANCH(config-if)# ip ospf mtu-ignore

"ip ospf mtu-ignore" only suppresses the OSPF MTU-mismatch check during adjacency formation; it does not stop large packets from being fragmented once GRE (24 bytes) and ESP overhead are added. The usual fix is to lower the tunnel's own MTU and clamp TCP MSS on it ("ip mtu 1400" and "ip tcp adjust-mss 1360" on the Tunnel interface), after which mtu-ignore is not needed.

Verify:
CORP# ping 10.10.1.2

Step 3: Update OSPF Network Statements:
CORP(config)# router ospf 123
CORP(config-router)# network 10.10.1.0 0.0.0.3 area 0
BRANCH(config)# router ospf 123
BRANCH(config-router)# network 10.10.1.0 0.0.0.3 area 0

Verify:
CORP# show ip ospf neighbor

At this point the GRE tunnel works but everything in it, including the OSPF exchange, crosses the Internet in the clear. The IPsec steps below encrypt it.

Configure IPSec:

Step 1: Define Traffic to be encrypted
CORP(config)# ip access-list extended IPSEC-TRAFFIC
CORP(config-ext-nacl)# remark VPN Traffic
CORP(config-ext-nacl)# permit gre host 192.168.137.2 host 192.168.137.10
BRANCH(config)# ip access-list extended IPSEC-TRAFFIC
BRANCH(config-ext-nacl)# remark VPN Traffic
BRANCH(config-ext-nacl)# permit gre host 192.168.137.10 host 192.168.137.2

Only GRE between the two public addresses needs to match: the LAN-to-LAN traffic, OSPF and multicast are all inside the GRE packets. The two ACLs must be exact mirror images of each other, or the phase 2 proxy-identity check fails and no IPsec SA is built.

Step 2: Phase 1: Isakmp policy
CORP(config)# crypto isakmp policy 1
CORP(config-isakmp)# authentication pre-share
CORP(config-isakmp)# encryption aes 128
CORP(config-isakmp)# hash sha
CORP(config-isakmp)# group 2
BRANCH(config)# crypto isakmp policy 1
BRANCH(config-isakmp)# authentication pre-share
BRANCH(config-isakmp)# encryption aes 128
BRANCH(config-isakmp)# hash sha
BRANCH(config-isakmp)# group 2

"hash sha" is SHA-1 and "group 2" is 1024-bit Diffie-Hellman; both are accepted for a lab but are below current guidance. On IOS that supports them, prefer "hash sha256" and "group 14" (2048-bit) or an ECDH group, and keep the policy identical on both peers.

Step 3: Define Shared Secret
CORP(config)# crypto isakmp key 0 CISCO address 192.168.137.10
BRANCH(config)# crypto isakmp key 0 CISCO address 192.168.137.2

"key 0" means the key is entered and stored in clear text, and CISCO is a lab placeholder. In production use a long random pre-shared key and enable type-6 storage ("key config-key password-encrypt <master>" followed by "password encryption aes"), so the key no longer appears in clear text in the running configuration.

Step 4: Phase 2: IPSec transform set
CORP(config)# crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 128 esp-sha-hmac
CORP(cfg-crypto-trans)# mode tunnel
BRANCH(config)# crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 128 esp-sha-hmac
BRANCH(cfg-crypto-trans)# mode tunnel

Step 5: Create crypto-map
CORP(config)# crypto map CRYPTO-MAP 1 ipsec-isakmp
CORP(config-crypto-map)# description to BRANCH
CORP(config-crypto-map)# match address IPSEC-TRAFFIC
CORP(config-crypto-map)# set peer 192.168.137.10
CORP(config-crypto-map)# set transform-set TRANS-SET-GRE-TUNNEL
BRANCH(config)# crypto map CRYPTO-MAP 1 ipsec-isakmp
BRANCH(config-crypto-map)# description to CORP
BRANCH(config-crypto-map)# match address IPSEC-TRAFFIC
BRANCH(config-crypto-map)# set peer 192.168.137.2
BRANCH(config-crypto-map)# set transform-set TRANS-SET-GRE-TUNNEL

Step 6: Apply crypto-map to interfaces
CORP(config)# interface f0/0
CORP(config-if)# crypto map CRYPTO-MAP
CORP(config-if)# interface tunnel 0
CORP(config-if)# crypto map CRYPTO-MAP
BRANCH(config)# interface f0/0
BRANCH(config-if)# crypto map CRYPTO-MAP
BRANCH(config-if)# interface tunnel 0
BRANCH(config-if)# crypto map CRYPTO-MAP

Applying the crypto map to both the physical and the Tunnel interface was required on older IOS; on 12.2(13)T and later the crypto map needs to be applied only to the physical interface that is the tunnel source. The current recommendation for GRE over IPsec is to drop crypto maps altogether and attach an IPsec profile to the tunnel with "tunnel protection ipsec profile".

Step 7: Verification
CORP# show crypto isakmp sa
CORP# show crypto ipsec sa
CORP# show ip ospf neighbor
CORP# ping 10.10.1.2 repeat 50

"show crypto isakmp sa" should list the peer in state QM_IDLE / ACTIVE; after the 50-packet ping, the "#pkts encaps" and "#pkts decaps" counters in "show crypto ipsec sa" should have increased, and the OSPF neighbor over Tunnel0 should still be FULL.
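As an added example (not part of the original lab configuration), here is the same GRE over IPsec tunnel built the way Cisco recommends on current IOS: an IPsec profile attached with "tunnel protection" instead of a crypto map and crypto ACL, a stronger IKEv1 policy and transform set, the pre-shared key stored as type 6, and tunnel MTU/MSS settings in place of "ip ospf mtu-ignore". Addresses follow the page's tunnel steps (192.168.137.2 and .10 as the public addresses, 10.10.1.0/30 on the tunnel, the page's OSPF network statements); the master key, the pre-shared key value, and the names TS-GRE and IPSEC-GRE are placeholders chosen for this example.

```cisco
! ===== CORP =====
! Enable type-6 storage so the PSK entered below is kept encrypted in the config.
! The master key is a placeholder; choose your own and do not reuse it elsewhere.
key config-key password-encrypt ChangeThisMasterKey
password encryption aes
!
! IKEv1 phase 1: AES-256, SHA-256 and DH group 14 (2048-bit) replace aes 128 / sha / group 2.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Entered as "key 0" but stored as type 6 because "password encryption aes" is on.
! The PSK value is a placeholder; use a long random secret, identical on both peers.
crypto isakmp key 0 ReplaceWithLongRandomPSK address 192.168.137.10
!
! Phase 2: transport mode suffices because the GRE endpoints are also the crypto endpoints.
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-GRE
 set transform-set TS-GRE
!
! The crypto is bound to the tunnel itself, so no crypto map and no "permit gre" ACL.
! ip mtu / adjust-mss leave room for the GRE (24 B) and ESP overhead within a 1500-byte path.
interface Tunnel0
 ip address 10.10.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 192.168.137.10
 tunnel protection ipsec profile IPSEC-GRE
!
router ospf 123
 network 192.168.1.0 0.0.0.255 area 0
 network 10.10.1.0 0.0.0.3 area 0
!
! ===== BRANCH (mirror image) =====
key config-key password-encrypt ChangeThisMasterKey
password encryption aes
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
crypto isakmp key 0 ReplaceWithLongRandomPSK address 192.168.137.2
!
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-GRE
 set transform-set TS-GRE
!
interface Tunnel0
 ip address 10.10.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 192.168.137.2
 tunnel protection ipsec profile IPSEC-GRE
!
router ospf 123
 network 10.1.1.0 0.0.0.255 area 0
 network 10.10.1.0 0.0.0.3 area 0
!
! Verification (either router):
!   show crypto isakmp sa      -> peer listed as QM_IDLE / ACTIVE
!   show crypto ipsec sa       -> #pkts encaps and #pkts decaps increase with traffic
!   show ip ospf neighbor      -> FULL over Tunnel0
!   ping 10.10.1.2 repeat 50
```

The phase 1 and phase 2 parameters, the key and the tunnel settings must match on both routers, which is why the BRANCH section differs only in addresses. IKEv1 is kept here to stay close to the page; on IOS that supports it, the same profile can be driven by IKEv2 ("crypto ikev2 proposal/policy/keyring/profile" and "set ikev2-profile" in the IPsec profile), which is what new deployments should use.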