Application Note 45
Main Mode IPSec VPN from Digi WR44 to a Cisco 3745, using GRE over IPSec with the Cisco configured for VTI
UK Support, June 2011

Contents

1 Introduction
1.1 Outline
1.2 Assumptions
1.3 Corrections
1.4 Version
2 Scenario
3 Configure the Cisco. IPSec Responder
3.1 Configure the Ethernet interfaces, console port and hostname
3.2 Configure the default route and enable NAT on the WAN interface
3.3 Configure IPSec phase 1 parameters and pre-shared key
3.4 Configure IPSec phase 2 parameters
3.5 Configure the VTI tunnel interface
3.6 Add a route to the remote LAN subnet via Tunnel 0
3.7 Exit global config mode and save the configuration
4 Configure the WR44. IPSec Initiator
4.1 Configure the Ethernet interfaces
4.2 Configure the default route
4.3 Configure IPSec phase 1 parameters
4.4 Configure the pre-shared key
4.5 Configure phase 2
4.6 Configure the GRE tunnel
4.7 Save the configuration
5 Confirm IPSec & GRE is up and ping test the connection
5.1 Using the Digi WR44
5.2 Using the Cisco 3745
6 Firmware versions
6.1 Digi TransPort WR44
6.2 Cisco 3745
7 Configuration files
7.1 Digi TransPort WR44
7.2 Cisco 3745

1 INTRODUCTION

1.1 Outline

This document describes how to configure a GRE tunnel inside an IPSec tunnel to secure communications between a Digi TransPort router and a Cisco router configured with Virtual Tunnel Interfaces (VTI). The GRE tunnel provides a point-to-point link between the routers that routing protocols can run over as well as carrying regular data; IPSec protects the GRE packets exchanged between the two WAN addresses.

The Cisco VTI configuration is a newer and simpler way of building GRE over IPSec VPNs on Cisco routers than crypto maps. There are two types of VTI: static VTIs (SVTIs) and dynamic VTIs (DVTIs). This example uses an SVTI.

VTI information from Cisco's website:

Benefits of Using IPsec Virtual Tunnel Interfaces instead of Crypto Maps
IPsec VTIs allow you to configure a virtual interface to which you can apply features. Features for clear-text packets are configured on the VTI. Features for encrypted packets are applied on the physical outside interface. When IPsec VTIs are used, you can separate the application of features such as NAT, ACLs, and QoS and apply them to clear-text or encrypted text, or both. When crypto maps are used, there is no simple way to apply encryption features to the IPsec tunnel.

1.2 Assumptions

This guide has been written for technically competent personnel with a good understanding of the communications technologies used in the product and of the requirements of their specific application.

Configuration: this application note assumes the devices are set to their factory default configurations. Most configuration commands are only shown if they differ from the factory default.

This application note applies to the following.

Models shown: Digi TransPort WR44 router and Cisco 3745 router.
Other compatible models: all other Digi TransPort products.

Firmware versions: Digi 5130 or newer; Cisco IOS 12.4 or newer. The router used for the captures in sections 6.2 and 7.2 was running IOS 12.3(24); the commands shown are the same on that release.

1.3 Corrections

Requests for corrections or amendments to this application note are welcome and should be addressed to: uksupport@digi.com. Requests for new application notes can be sent to the same address.

1.4 Version

Version Number   Status
1.0              Published
1.1              Updated for new GUI

2 SCENARIO

For the purposes of this application note, the following scenario is used. The IPSec VPN is a 'Main mode' configuration. The Cisco 3745 is the IPSec responder and the Digi WR44 is the IPSec initiator.

The IP addressing used is as follows:

Digi WR44
  WAN = Eth 0 = 10.0.149.217/24
  LAN = Eth 1 = 10.0.36.203/24
  GRE = Tun 0 = 172.16.1.2/30

Cisco 3745
  WAN = Fa0/0 = 10.0.149.203/24
  LAN = Fa0/1 = 10.0.35.203/24
  GRE = Tun0  = 172.16.1.1/30

IPSec parameters:

IPSec type: Main mode

Phase 1
  Encryption algorithm:    Three key triple DES (3DES)
  Hash algorithm:          Secure Hash Standard (SHA1)
  Authentication method:   Pre-shared key
  Diffie-Hellman group:    #2 (1024 bit)
  Lifetime:                86400 seconds, no volume limit
  Pre-shared key:          Cisco12345

Phase 2
  Encryption algorithm:    Three key triple DES (3DES)
  Hash algorithm:          Secure Hash Standard (SHA1)
  Mode:                    Tunnel mode
  DH group:                No PFS
  Lifetime:                3600 seconds / 4608000 kilobytes (the IOS default volume limit, which the WR44 is set to match in section 4.5)

The pre-shared key above is an example only. In a real deployment use a long random key, bind it on the Cisco to the WR44's WAN address rather than to any peer (see section 3.3), and prefer stronger algorithms (AES, a Diffie-Hellman group of 14 or above) where both ends support them. Whatever is chosen, the phase 1 and phase 2 parameters must be identical on both routers or IKE will not negotiate.

3 CONFIGURE THE CISCO. IPSEC RESPONDER

3.1 Configure the Ethernet interfaces, console port and hostname

From the Cisco console port configure the Ethernet interfaces with the addressing shown in section 2. Set the console port exec-timeout and the hostname.
The relevant Cisco config from 'sh run' should be:

hostname Cisco
!
interface FastEthernet0/0
 description WAN
 ip address 10.0.149.203 255.255.255.0
 speed auto
 full-duplex
!
interface FastEthernet0/1
 description LAN
 ip address 10.0.35.203 255.255.255.0
 speed auto
 full-duplex
!
line con 0
 exec-timeout 3000 0

The 3000 minute exec-timeout only stops the console session timing out while the router is being configured; leave the default in production.

3.2 Configure the default route and enable NAT on the WAN interface

The default route points at the next-hop router on the WAN segment. NAT is enabled so that hosts on the Cisco LAN reach the WAN through the Fa0/0 address. Traffic for the WR44 LAN, 10.0.36.0/24, leaves through Tunnel0 (section 3.6); Tunnel0 is not a NAT outside interface, so that traffic is not translated. The relevant Cisco config from 'sh run' should be:

interface FastEthernet0/0
 description WAN
 ip address 10.0.149.203 255.255.255.0
 ip nat outside
 speed auto
 full-duplex
!
interface FastEthernet0/1
 description LAN
 ip address 10.0.35.203 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
ip route 0.0.0.0 0.0.0.0 10.0.149.254
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 10.0.35.0 0.0.0.255

3.3 Configure IPSec phase 1 parameters and pre-shared key

Create an ISAKMP policy with a priority of 1. Set 3DES encryption, pre-shared keys as the authentication method and DH group 2. The hash (SHA) and the lifetime (86400 seconds) are the IOS defaults, so they do not appear in 'sh run'. Set the pre-shared key Cisco12345 for all remote devices. The relevant Cisco config from 'sh run' should be:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0

The 0.0.0.0 0.0.0.0 wildcard means the Cisco will accept this key from any peer address that presents it. That is convenient in a lab, but with a single known peer the key should be bound to the WR44's WAN address (10.0.149.217) in place of the wildcard, so that only that peer can complete phase 1 with it.

The phase 1 policy can be confirmed with 'show crypto isakmp policy'.

3.4 Configure IPSec phase 2 parameters

Create a transform set named T1 with 3DES encryption and SHA1 authentication. Create an IPSec profile named P1 and link the transform set T1 to it; the profile, rather than a crypto map, is what the VTI applies. The relevant Cisco config from 'sh run' should be:

crypto ipsec transform-set T1 esp-3des esp-sha-hmac
!
crypto ipsec profile P1
 set transform-set T1

The transform set defaults to tunnel mode and to the IOS default security association lifetime of 3600 seconds / 4608000 kilobytes, which the WR44 is set to match in section 4.5. The phase 2 transform set can be confirmed with 'show crypto ipsec transform-set'.

3.5 Configure the VTI tunnel interface

Create the Tunnel 0 interface and set its IP address. Enable keepalives every 3 seconds and show the link as down after 3 failures. Set the load check interval to 30 seconds. Set the tunnel source and destination. Link the IPSec profile P1 to this tunnel so that its traffic is encrypted.
Note that the Cisco source and destination addresses of the tunnel are the WAN interface addresses, rather than the private addressing seen in regular Digi GRE / IPSec configurations. The GRE addressing itself uses a regular 30 bit mask to create a point to point link. The relevant Cisco config from 'sh run' should be:

interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 ip ospf mtu-ignore
 load-interval 30
 keepalive 3 3
 tunnel source 10.0.149.203
 tunnel destination 10.0.149.217
 tunnel protection ipsec profile P1

'ip ospf mtu-ignore' only matters if OSPF is run across the tunnel. GRE plus ESP adds overhead to every packet and this configuration does not lower the tunnel MTU or clamp the TCP MSS; if large transfers fail across the tunnel while pings succeed, that is the first thing to check.

Confirm that the mode of the tunnel is GRE / IP with 'show interfaces Tunnel0' (the output includes 'Tunnel protocol/transport GRE/IP'). If the tunnel is showing anything other than GRE / IP, use the following commands to set the tunnel mode correctly:

interface Tunnel0
 tunnel mode gre ip

3.6 Add a route to the remote LAN subnet via Tunnel 0

Add a static route so that 10.0.36.0/24 is directed via Tunnel0. As shown in the configuration file in section 7.2, this is:

ip route 10.0.36.0 255.255.255.0 Tunnel0

Because the route points at the tunnel interface, it is withdrawn whenever the keepalives take the tunnel's line protocol down.

3.7 Exit global config mode and save the configuration

Return to privileged EXEC mode with 'end' and save the running configuration to NVRAM with 'copy running-config startup-config' (or 'write memory'); otherwise the configuration is lost at the next reload.

4 CONFIGURE THE WR44. IPSEC INITIATOR

4.1 Configure the Ethernet interfaces

4.1.1 Ethernet 0 - the WAN interface

Browse to Configuration - Network > Interfaces > Ethernet > ETH 0. Set the Description, IP address and Mask. Click Advanced and enable NAT and IPsec (Configuration - Network > Interfaces > Ethernet > ETH 0 > Advanced).

Parameter                        Setting                        Description
Description                      WAN                            Friendly name for this interface
IP address                       10.0.149.217                   IP address
Mask                             255.255.255.0                  Subnet mask
Enable NAT on this interface     Ticked, IP address selected    Enables NAT on this interface
Enable IPsec on this interface   Ticked                         Enables IPSec on this interface

4.1.2 Ethernet 1 - the LAN interface

Browse to Configuration - Network > Interfaces > Ethernet > ETH 1. Set the Description and IP address. NAT and IPsec should remain disabled.
Parameter     Setting          Description
Description   LAN              Friendly name for this interface
IP address    10.0.36.203      IP address
Mask          255.255.255.0    Subnet mask

4.2 Configure the default route

Browse to Configuration - Network > IP Routing/Forwarding > Static Routes > Default Route 0. Set the Description, Gateway IP address and exit interface.

Parameter     Setting                   Description
Description   Default Route via Eth 0   Friendly name for this route
Gateway       10.0.149.254              IP address of the next hop router
Interface     Ethernet 0                Exit interface

The WR44 also needs a static route for the Cisco LAN subnet, 10.0.35.0/24, via Tunnel 0; without it that traffic would follow the default route out of Eth 0 instead of the GRE tunnel, outside the IPSec protection. The configuration file in section 7.1 shows this route as route 0 with IP address 10.0.35.0 and interface tun 0; it is added under Configuration - Network > IP Routing/Forwarding > Static Routes.

4.3 Configure IPSec phase 1 parameters

Browse to Configuration - Network > Virtual Private Networking (VPN) > IPsec > IKE > IKE 0. These parameters must match the Cisco phase 1 parameters.

Parameter                  Setting     Description
Encryption                 3DES        Use 3DES encryption
Authentication             SHA1        Use SHA1 authentication
MODP Group for Phase 1     2 (1024)    Use DH group 2
Renegotiate after          24 hours    Phase 1 lifetime in hours (the IOS default of 86400 seconds)

4.4 Configure the pre-shared key

On the TransPort the pre-shared key is held in the user table. Browse to the next available unused user; in this example this is User 2. The Name is the IP address of the IPSec peer, which is the ID the Cisco sends to identify itself (its WAN address). The Password is the pre-shared key. The Access level must be set to None so that, if anyone learns these credentials, they cannot use them to log in to the router for configuration or management.

Browse to Configuration - Security > Users > User 0 - 9 > User 2

Parameter          Setting        Description
Name               10.0.149.203   IP address of IPSec peer (Cisco WAN address)
Password           Cisco12345     Pre-shared key
Confirm Password   Cisco12345     Pre-shared key
Access Level       None           No access to router management for this user

4.5 Configure phase 2

Browse to Configuration - Network > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels > IPsec 0. These parameters must match the Cisco phase 2 parameters.
Parameter                                               Setting                            Description
Description                                             IPSec to Cisco                     Friendly name for this VPN
The IP address or hostname of the remote unit           10.0.149.203                       IPSec peer IP address (Cisco WAN address)
Local LAN                                               Use the specified settings below
  IP Address                                            10.0.149.217                       Local IPSec endpoint (WR44 WAN address)
  Mask                                                  255.255.255.255                    Local IPSec endpoint mask (must be /32)
Remote LAN                                              Use the specified settings below
  IP Address                                            10.0.149.203                       Remote IPSec endpoint (Cisco WAN address)
  Mask                                                  255.255.255.255                    Remote IPSec endpoint mask (must be /32)
Use the following security on this tunnel              Preshared Keys                     Use pre-shared keys for authentication between routers
Our ID                                                  10.0.149.217                       Local router IPSec ID (WR44 WAN address)
Our ID type                                             IPv4 Address                       Type of IDs used: IPv4 addresses
Remote ID                                               10.0.149.203                       IPSec peer ID (Cisco WAN address)
Use x encryption on this tunnel                         3DES                               Use 3DES encryption
Use x authentication on this tunnel                     SHA1                               Use SHA1 authentication
Bring this tunnel up                                    All the time                       Create SAs, but only if there is a valid route and interface to create the IPSec tunnel on
If the tunnel is down and a packet is ready to be sent  Bring the tunnel up                If there is no IPSec SA, use IKE to create one
Renew the tunnel after                                  1 hrs / 4608000 KBytes             Lifetime of the phase 2 SA in time / in kilobytes (matches the IOS defaults)

The "Local LAN" and "Remote LAN" entries are the two WAN addresses with /32 masks, not the LAN subnets: the IPSec SA protects only the GRE packets exchanged between the two routers, and the LAN subnets travel inside the GRE tunnel. These entries mirror the Cisco tunnel source and destination in section 3.5.

4.6 Configure the GRE tunnel

This is the Digi TransPort end of the point to point GRE tunnel. Configure the tunnel IP address and the source and destination. Note that the source and destination addresses are the WAN interface addresses of the two routers.
Browse to Configuration - Network > Interfaces > GRE > Tunnel 0

Parameter                                                      Setting                          Description
Description                                                    GRE to Cisco                     Friendly name for this interface
IP address                                                     172.16.1.2                       GRE local endpoint IP address
Mask                                                           255.255.255.252                  GRE local endpoint subnet mask
Source IP Address                                              Use IP Address / 10.0.149.217    Source IP address of this tunnel (WR44 WAN interface)
Destination IP Address or Hostname                             10.0.149.203                     Destination IP address of this tunnel (Cisco WAN interface)
Enable keepalives on this GRE tunnel                           Ticked                           Enables GRE keepalives
Send a keepalive every x seconds                               3                                Sends 1 keepalive every 3 seconds
Bring this GRE tunnel down after no replies to x keepalives    3                                If 3 keepalive packets fail, the tunnel is marked as down

These keepalive values match the 'keepalive 3 3' on the Cisco Tunnel0 (section 3.5), so either router detects a failed tunnel within about 9 seconds and, because the route for the remote LAN points at the tunnel interface, stops forwarding into a dead tunnel.

4.7 Save the configuration

Browse to Administration - Save configuration. Save the configuration to profile 0, the default power up configuration.

5 CONFIRM IPSEC & GRE IS UP AND PING TEST THE CONNECTION

5.1 Using the Digi WR44

5.1.1 Check the IPSec SA status

Browse to Management - Connections > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels. IPsec 0 should show an established SA with peer 10.0.149.203.

5.1.2 Check the GRE tunnel status

Browse to Management - Network Status > Interfaces > GRE. Tunnel 0 should be shown as up.

5.1.3 Ping an IP address on the Cisco LAN subnet

Browse to Administration - Execute a command and ping an address on the Cisco LAN subnet, for example 10.0.35.203 (the Cisco LAN interface). The ping follows the route added in section 4.2, so a reply confirms the route, the GRE tunnel and the IPSec SA together.

5.2 Using the Cisco 3745

5.2.1 Check the IPSec SA status

Use 'show crypto isakmp sa' to check phase 1: the entry for 10.0.149.217 should be in state QM_IDLE. Use 'show crypto ipsec sa' to check phase 2: the SA for the Tunnel0 peer should show its 'pkts encaps' and 'pkts decaps' counters increasing as the GRE keepalives are exchanged.

5.2.2 Check the GRE tunnel status

Use 'show interfaces Tunnel0'. Both 'Tunnel0 is up' and 'line protocol is up' are needed; with keepalives enabled the line protocol goes down once three consecutive keepalives go unanswered, which also withdraws the static route of section 3.6. 'show ip route 10.0.36.0' should show that route via Tunnel0.

5.2.3 Ping an IP address on the WR44 LAN subnet

Ping an address on the WR44 LAN subnet, for example 10.0.36.203, sourcing the ping from the LAN interface ('ping 10.0.36.203 source 10.0.35.203') so that the packet is routed end to end through the tunnel exactly as LAN traffic would be.

6 FIRMWARE VERSIONS

6.1 Digi TransPort WR44

Digi TransPort WR44-HX00-WE1-XX Ser#:140837 HW Revision: 7902a Software Build Ver5130.
Jun 30 2011 01:33:02 SW ARM Bios Ver 6.06 v39 400MHz B512-M512-F80-O80001,2 MAC:00042d022625
Power Up Profile: 0
Async Driver Revision: 1.19 Int clk
IX Revision: 1.0
Ethernet Hub Driver Revision: 1.11
Firewall Revision: 1.0
EventEdit Revision: 1.0
Timer Module Revision: 1.1
(B)USBHOST Revision: 1.0
L2TP Revision: 1.10
PPTP Revision: 1.00
TACPLUS Revision: 1.00
MODBUS Revision: 0.00
LAPB Revision: 1.12
X25 Layer Revision: 1.19
MACRO Revision: 1.0
PAD Revision: 1.4
X25 Switch Revision: 1.7
V120 Revision: 1.16
TPAD Interface Revision: 1.12
GPS Revision: 1.0
SCRIBATSK Revision: 1.0
BASTSK Revision: 1.0
PYTHON Revision: 1.0
ARM Sync Driver Revision: 1.18
TCP (HASH mode) Revision: 1.14
TCP Utils Revision: 1.13
PPP Revision: 1.19
WEB Revision: 1.5
SMTP Revision: 1.1
FTP Client Revision: 1.5
FTP Revision: 1.4
IKE Revision: 1.0
PollANS Revision: 1.2
PPPOE Revision: 1.0
BRIDGE Revision: 1.1
MODEM CC (Ericsson 3G) Revision: 1.4
FLASH Write Revision: 1.2
Command Interpreter Revision: 1.38
SSLCLI Revision: 1.0
OSPF Revision: 1.0
BGP Revision: 1.0
QOS Revision: 1.0
RADIUS Client Revision: 1.0
SSH Server Revision: 1.0
SCP Revision: 1.0
CERT Revision: 1.0
LowPrio Revision: 1.0
Tunnel Revision: 1.2
QDL Revision: 1.0
Wi-Fi Revision: 2.0
iDigi Revision: 1.0
OK

6.2 Cisco 3745

Cisco#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 3700 Software (C3745-ADVIPSERVICESK9-M), Version 12.3(24), RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Thu 18-Oct-07 18:22 by stshen
Image text-base: 0x60008AF4, data-base: 0x61F80000

ROM: ROMMON Emulation Microcode
ROM: 3700 Software (C3745-ADVIPSERVICESK9-M), Version 12.3(24), RELEASE SOFTWARE (fc4)

Cisco uptime is 24 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.

cisco 3745 (R7000) processor (revision 2.0) with 120832K/10240K bytes of memory.
Processor board ID XXXXXXXXXXX
R7000 CPU at 100MHz, Implementation 39, Rev 2.1, 256KB L2, 512KB L3 Cache
Bridging software.
X.25 software, Version 3.0.0.
3 FastEthernet/IEEE 802.3 interface(s)
DRAM configuration is 64 bits wide with parity enabled.
151K bytes of non-volatile configuration memory.
16384K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x2102
Cisco#

7 CONFIGURATION FILES

7.1 Digi TransPort WR44

This listing was captured from the WR44 with 'config c show'. Four points differ from, or are worth checking against, the procedure in section 4. The capture contained eroute 0 ESPenc "MD5", which is not an ESP encryption algorithm; it is corrected below to "3DES", as section 4.5 specifies and the Cisco transform set requires. ike 0 ltime is 80000 seconds rather than the 86400 seconds (24 hours) of section 4.3; IKE negotiates the shorter of the two lifetimes so the tunnel still comes up, but the two values are best set the same. The default route in the capture is via ppp 1 (the W-WAN interface) rather than via eth 0 as in section 4.2; follow section 4.2 for the scenario in this note. Finally, user 2 (the pre-shared key user of section 4.4) is captured with the same numeric access value as the management users user 0 and user 1; confirm in the GUI that its Access Level is None, as section 4.4 requires, before deploying.

config c show
eth 0 descr "WAN"
eth 0 IPaddr "10.0.149.217"
eth 0 ipsec 1
eth 0 ipanon ON
eth 1 descr "LAN"
eth 1 IPaddr "10.0.36.203"
eth 1 ipanon ON
eth 2 IPaddr "10.1.51.4"
eth 2 mask "255.255.0.0"
lapb 0 ans OFF
lapb 0 tinact 120
lapb 1 tinact 120
lapb 3 dtemode 0
lapb 4 dtemode 0
lapb 5 dtemode 0
lapb 6 dtemode 0
ip 0 cidr ON
route 0 IPaddr "10.0.35.0"
route 0 ll_ent "tun"
def_route 0 ll_ent "ppp"
def_route 0 ll_add 1
eroute 0 peerip "10.0.149.203"
eroute 0 peerid "10.0.149.203"
eroute 0 ourid "10.0.149.217"
eroute 0 locip "10.0.149.217"
eroute 0 locmsk "255.255.255.255"
eroute 0 remip "10.0.149.203"
eroute 0 remmsk "255.255.255.255"
eroute 0 ESPauth "SHA1"
eroute 0 ESPenc "3DES"
eroute 0 ltime 3600
eroute 0 authmeth "PRESHARED"
eroute 0 nosa "TRY"
eroute 0 autosa 1
dhcp 0 IPmin "192.168.1.100"
dhcp 0 mask "255.255.255.0"
dhcp 0 gateway "192.168.1.1"
dhcp 0 DNS "192.168.1.1"
dhcp 0 respdelms 500
dyndns 0 epassword "aTFwSBFeFFECSRI="
ppp 0 timeout 300
ppp 1 r_chap OFF
ppp 1 IPaddr "0.0.0.0"
ppp 1 phonenum "*98*1#"
ppp 1 name "W-WAN (HSPA 3G)"
ppp 1 timeout 0
ppp 1 use_modem 1
ppp 3 defpak 16
ppp 4 defpak 16
ike 0 encalg "3DES"
ike 0 authalg "SHA1"
ike 0 ltime 80000
ike 0 ikegroup 2
ike 0 deblevel 4
modemcc 0 info_asy_add 6
modemcc 0 init_str "+CGQREQ=1"
modemcc 0 init_str1 "+CGQMIN=1"
modemcc 0 apn "Your.APN.goes.here"
modemcc 0 sms_interval 1
modemcc 0 sms_access 1
modemcc 0 sms_concat 0
modemcc 0 init_str_2 "+CGQREQ=1"
modemcc 0 init_str1_2 "+CGQMIN=1"
modemcc 0 apn_2 "Your.APN.goes.here"
modemcc 0 link_retries_2 10
modemcc 0 stat_retries_2 30
ana 0 anon ON
ana 0 l2on OFF
ana 0 xoton OFF
ana 0 lapdon 0
ana 0 lapbon 0
ana 0 ipfilt "23,80"
ana 0 logsize 45
cmd 0 unitid "ss%s>"
cmd 0 cmdnua "99"
cmd 0 hostname "digi.router"
cmd 0 asyled_mode 2
cmd 0 tremto 1200
user 0 epassword "aTFwSBFeFFECSRI="
user 0 access 0
user 1 name "username"
user 1 epassword "KD5lSVJDVVg="
user 1 access 0
user 2 name "10.0.149.203"
user 2 epassword "GzZlWUodFQ8GCA=="
user 2 access 0
user 10 epassword "Ig=="
local 0 transaccess 2
sslsvr 0 certfile "cert01.pem"
sslsvr 0 keyfile "privrsa.pem"
ssh 0 hostkey1 "privSSH.pem"
ssh 0 nb_listen 5
ssh 0 v1 OFF
tun 0 IPaddr "172.16.1.2"
tun 0 mask "255.255.255.252"
tun 0 source "10.0.149.217"
tun 0 dest "10.0.149.203"
tun 0 kadelay 3

Power Up Profile: 0
OK

7.2 Cisco 3745

Two points about this capture. It contained 'crypto ipsec transform-set T1 esp-md5 esp-sha-hmac', which names no cipher at all and is not a valid transform; it is corrected below to esp-3des, as section 3.4 specifies. The capture was also taken before section 3.2 was applied: it has no default route and no NAT statements, so add those as shown in section 3.2. Note too that the vty lines have 'login' with no password set, so remote logins are refused and management is via the console only, and that 'no service password-encryption' is the default here; enable password encryption before any passwords are added to the configuration.

Cisco#sh run
Building configuration...

Current configuration : 1250 bytes
!
version 12.3
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip audit po max-events 100
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
!
crypto ipsec profile P1
 set transform-set T1
!
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 ip ospf mtu-ignore
 load-interval 30
 keepalive 3 3
 tunnel source 10.0.149.203
 tunnel destination 10.0.149.217
 tunnel protection ipsec profile P1
!
interface FastEthernet0/0
 description WAN
 ip address 10.0.149.203 255.255.255.0
 speed auto
 full-duplex
!
interface FastEthernet0/1
 description LAN
 ip address 10.0.35.203 255.255.255.0
 speed auto
 full-duplex
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
ip route 10.0.36.0 255.255.255.0 Tunnel0
!
no ip http server
no ip http secure-server
!
no cdp run
!
!
line con 0
 exec-timeout 3000 0
line aux 0
line vty 0 4
 login
!
end