Application Note 45
Main Mode IPSec VPN from Digi WR44 to a Cisco 3745. Using GRE over IPSec with the Cisco configured for VTI
UK Support
June 2011
Contents
1 Introduction ... 3
1.1 Outline ... 3
1.2 Assumptions ... 3
1.3 Corrections ... 3
1.4 Version ... 3
2 Scenario ... 4
3 Configure the Cisco. IPSec Responder ... 5
3.2 Configure the default route and enable NAT on the WAN interface ... 6
3.3 Configure IPSec phase 1 parameters and pre-shared key ... 6
3.4 Configure IPSec phase 2 parameters ... 7
3.5 Configure the VTI tunnel interface ... 8
3.6 Add a route to the remote LAN subnet via Tunnel 0 ... 9
3.7 Exit global config mode and save the configuration ... 9
4 Configure the WR44. IPSec Initiator ... 10
4.1 Configure the Ethernet interfaces ... 10
4.2 Configure the default route ... 11
4.3 Configure IPSec phase 1 parameters ... 12
4.4 Configure the Pre-shared key ... 12
4.5 Configure phase 2 ... 13
4.6 Configure the GRE tunnel ... 15
4.7 Save the configuration ... 16
5 Confirm IPSec & GRE is up and ping test the connection. ... 17
5.1 Using the Digi WR44 ... 17
5.2 Using the Cisco 3745 ... 19
6 Firmware versions ... 21
6.1 Digi TransPort WR44 ... 21
6.2 Cisco 3745 ... 22
7 Configuration Files ... 23
7.1 Digi Transport WR44 ... 23
7.2 Cisco 3745 ... 25
1 INTRODUCTION
1.1 Outline
This document describes how to configure a GRE tunnel within an IPSec tunnel to secure
communications between a Digi TransPort router and a Cisco router configured with Virtual Tunnel
Interfaces (VTI). The GRE tunnel provides a point-to-point link between the routers that can be used
by routing protocols as well as for transferring regular data.
The Cisco VTI configuration is an updated and simpler method of creating GRE over IPSec VPNs on
Cisco routers.
There are two types of VTI interfaces: static VTIs (SVTIs) and dynamic VTIs (DVTIs). This example
will use SVTIs.
VTI information from Cisco’s website
Benefits of Using IPsec Virtual Tunnel Interfaces instead of Crypto Map
IPsec VTIs allow you to configure a virtual interface to which you can apply features. Features for
clear-text packets are configured on the VTI. Features for encrypted packets are applied on the
physical outside interface. When IPsec VTIs are used, you can separate the application of features
such as NAT, ACLs, and QoS and apply them to clear-text or encrypted text, or both. When crypto
maps are used, there is no simple way to apply encryption features to the IPsec tunnel.
1.2 Assumptions
This guide has been written for use by technically competent personnel with a good understanding of
the communications technologies used in the product, and of the requirements for their specific
application.
Configuration: This Application Note assumes the devices are set to their factory default
configurations. Most configuration commands are only shown if they differ from the factory default.
This application note applies to:
Models shown: Digi TransPort WR44 router and Cisco 3745 router.
Other Compatible Models: All other Digi Transport products.
Firmware versions: Digi 5130 or newer. Cisco 12.4 or newer.
1.3 Corrections
Requests for corrections or amendments to this application note are welcome and should be
addressed to: uksupport@digi.com
Requests for new application notes can be sent to the same address.
1.4 Version
Version Number | Status
1.0 | Published
1.1 | Updated for new GUI
2 SCENARIO
For the purposes of this application note, the following scenario will be used.
The IPSec VPN is a ‘Main mode’ configuration.
The Cisco 3745 is the IPSec responder. The Digi WR44 is the IPSec initiator.
The IP addressing used is as follows:
Digi WR44
WAN = Eth 0 = 10.0.149.217/24
LAN = Eth 1 = 10.0.36.203/24
GRE = Tun 0 = 172.16.1.2/30
Cisco 3745
WAN = Fa0/0 = 10.0.149.203/24
LAN = Fa0/1 = 10.0.35.203/24
GRE = Tun0 = 172.16.1.1/30
IPSec parameters:
IPSec Type: Main mode
Phase 1
Encryption algorithm: Three key triple DES
Hash algorithm: Secure Hash Standard (SHA1)
Authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
Lifetime: 86400 seconds, no volume limit
Pre-shared key: Cisco12345
Phase 2
Encryption algorithm: Three key triple DES
Hash algorithm: Secure Hash Standard (SHA1)
Mode: Tunnel mode
DH group: No PFS
Lifetime: 3600 seconds, no volume limit
3 CONFIGURE THE CISCO. IPSEC RESPONDER
3.1.1 Configure the Ethernet interfaces, Console port and hostname
From the Cisco console port configure the Ethernet interfaces with the addressing shown in Section 2.
Set the Console port exec-timeout and the hostname.
The relevant Cisco config from ‘sh run’ should be:
hostname Cisco
interface FastEthernet0/0
description WAN
ip address 10.0.149.203 255.255.255.0
speed auto
full-duplex
interface FastEthernet0/1
description LAN
ip address 10.0.35.203 255.255.255.0
speed auto
full-duplex
line con 0
exec-timeout 3000 0
3.2 Configure the default route and enable NAT on the WAN interface
The relevant Cisco config from ‘sh run’ should be:
interface FastEthernet0/0
description WAN
ip address 10.0.149.203 255.255.255.0
ip nat outside
duplex auto
speed auto
interface FastEthernet0/1
description LAN
ip address 10.0.35.203 255.255.255.0
ip nat inside
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 10.0.149.254
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 10.0.35.0 0.0.0.255
3.3 Configure IPSec phase 1 parameters and pre-shared key
Create an ISAKMP policy and give it a priority of 1.
Set 3DES encryption, the authentication mode as pre-shared keys & the DH group to 2.
Set the pre-shared key as Cisco12345 for all remote devices.
The relevant Cisco config from ‘sh run’ should be:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0
The phase 1 policy can be confirmed:
3.4 Configure IPSec phase 2 parameters
Create a transform set named T1 and enable 3DES & SHA1
Create an IPSec profile named P1
Link the transform set T1 to the IPSec profile P1
The relevant Cisco config from ‘sh run’ should be:
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
!
crypto ipsec profile P1
set transform-set T1
The phase 2 transform set can be confirmed:
3.5 Configure the VTI tunnel interface
Create the Tunnel 0 interface.
Set the IP address
Enable Keep-alives for every 3 seconds and set to show link as down after 3 failures.
Set the load check interval to 30 seconds
Set the tunnel source & destination
Link the IPSec profile P1 to this tunnel so that traffic is encrypted.
Take note that the Cisco source and destination addressing on the IPSec tunnel uses WAN interface
addresses rather than private addressing as seen on regular Digi GRE / IPSec configurations.
The GRE addressing does however use a regular 30 bit mask to create a point to point link.
The relevant Cisco config from ‘sh run’ should be:
interface Tunnel0
ip address 172.16.1.1 255.255.255.252
ip ospf mtu-ignore
load-interval 30
keepalive 3 3
tunnel source 10.0.149.203
tunnel destination 10.0.149.217
tunnel protection ipsec profile P1
Confirm the mode of the tunnel is GRE / IP
If the tunnel is showing anything other than GRE / IP, use the following commands to set the tunnel
mode correctly:
interface Tunnel0
tunnel mode gre ip
3.6 Add a route to the remote LAN subnet via Tunnel 0
Add a route so that 10.0.36.0/24 is directed via Tunnel 0. In the saved configuration (section 7.2) this appears as: ip route 10.0.36.0 255.255.255.0 Tunnel0
3.7 Exit global config mode and save the configuration
4 CONFIGURE THE WR44. IPSEC INITIATOR
4.1 Configure the Ethernet interfaces
4.1.1 Ethernet 0 – The WAN interface
Browse to Configuration - Network > Interfaces > Ethernet > ETH 0
Set the Description, IP address & Mask.
Click Advanced and enable NAT & IPsec.
Configuration - Network > Interfaces > Ethernet > ETH 0 > Advanced
Parameter | Setting | Description
Description | WAN | Friendly name for this interface
IP address | 10.0.149.217 | IP address
Mask | 255.255.255.0 | Subnet mask
Enable NAT on this interface | Ticked and IP address selected | Enables NAT on this interface
Enable IPsec on this interface | Ticked | Enables IPSec on this interface
4.1.2 Ethernet 1 – The LAN interface.
Browse to Configuration - Network > Interfaces > Ethernet > ETH 1
Set the Description and IP address. NAT and IPSec should remain disabled.
Parameter | Setting | Description
Description | LAN | Friendly name for this interface
IP address | 10.0.36.203 | IP address
Mask | 255.255.255.0 | Subnet mask
4.2 Configure the default route
Browse to Configuration - Network > IP Routing/Forwarding > Static Routes > Default Route 0
Set the Description, Gateway IP address and exit interface.
Parameter | Setting | Description
Description | Default Route via Eth 0 | Friendly name for this interface
Gateway | 10.0.149.254 | IP address of the next hop router
Interface | Ethernet 0 | Exit interface
4.3 Configure IPSec phase 1 parameters
Browse to Configuration - Network > Virtual Private Networking (VPN) > IPsec > IKE > IKE 0
These parameters must match the Cisco phase 1 parameters.
Parameter | Setting | Description
Encryption | 3DES | Use 3DES encryption
Authentication | SHA1 | Use SHA1 authentication
MODP Group for Phase 1 | 2 (1024) | Use DH group 2
Renegotiate after | 24 | Phase 1 lifetime in hours
4.4 Configure the Pre-shared key
Browse to the next available unused User in the user table. In this example, this is User 2.
The name is the IP address of the IPSec peer. This is what will be sent from the Cisco for its
authentication.
The Password is the Pre-shared key. Access level should be set to None, so if anyone knows these
credentials, they cannot access the router for configuration or management.
Browse to Configuration - Security > Users > User 0 - 9 > User 2
Parameter | Setting | Description
Name | 10.0.149.203 | IP address of IPSec Peer (Cisco WAN address)
Password | Cisco12345 | Pre-shared key
Confirm Password | Cisco12345 | Pre-shared key
Access Level | None | No access to router management for this user
4.5 Configure phase 2
Browse to Configuration - Network > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels > IPsec 0
These parameters must match the Cisco phase 2 parameters.
Parameter | Setting | Description
Description | IPSec to Cisco | Friendly name for this VPN
The IP address or hostname of the remote unit | 10.0.149.203 | IPSec peer IP address (Cisco WAN address)
Local LAN | Use these settings for the local LAN | Use the specified settings below
IP Address | 10.0.149.217 | Local IPSec endpoint (WR44 WAN address)
Mask | 255.255.255.255 | Local IPSec endpoint mask (Must be /32)
Remote LAN | Use these settings for the remote LAN | Use the specified settings below
IP Address | 10.0.149.203 | Remote IPSec endpoint (Cisco WAN address)
Mask | 255.255.255.255 | Remote IPSec endpoint mask (Must be /32)
Use the following security on this tunnel | Preshared Keys | Use Preshared keys for authentication between routers
Our ID | 10.0.149.217 | Local router IPSec ID (WR44 WAN address)
Our ID type | IPv4 Address | Type of IDs used. IPv4 addresses.
Remote ID | 10.0.149.203 | IPSec peer ID (Cisco WAN address)
Use x encryption on this tunnel | 3DES | Use 3DES encryption
Use x authentication on this tunnel | SHA1 | Use SHA1 authentication
Bring this tunnel up | All the time | Create SAs, but only if there is a valid route and interface to create the IPSec tunnel on.
If the tunnel is down and a packet is ready to be sent | Bring the tunnel up | If there is no IPSec SA, use IKE to create one.
Renew the tunnel after | 1 hrs / 4608000 KBytes | Lifetime of phase 2 SA in seconds / Lifetime of phase 2 SA in kilobytes
4.6 Configure the GRE tunnel
This is the Digi TransPort end of the point to point GRE tunnel.
Configure the tunnel IP address, and source and destination. Note that the source and destination
addresses are the WAN interface addresses of the 2 routers.
Browse to Configuration - Network > Interfaces > GRE > Tunnel 0
Parameter | Setting | Description
Description | GRE to Cisco | Friendly name for this interface
IP address | 172.16.1.2 | GRE local endpoint IP address
Mask | 255.255.255.252 | GRE local endpoint subnet mask
Source IP Address | Use IP Address / 10.0.149.217 | Source IP address of this tunnel (WR44 WAN interface)
Destination IP Address or Hostname | 10.0.149.203 | Destination IP address of this tunnel (Cisco WAN interface)
Enable keepalives on this GRE tunnel | Ticked | Enables GRE keepalives
Send a keepalive every x seconds | 3 | Sends 1 keepalive every 3 seconds
Bring this GRE tunnel down after no replies to x keepalives | 3 | If 3 keepalive packets fail, the tunnel is marked as down
4.7 Save the configuration
Browse to Administration - Save configuration
Save the configuration to profile 0, the default power up config.
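As an added cross-check that is not part of the application note or of either vendor's software, the Python script below parses a Digi 'config c show' fragment and a Cisco running-config fragment and reports any phase 1, phase 2 or GRE endpoint settings that disagree between the two ends (sections 3 and 4 above must match line for line, and section 7 shows both saved configurations). The sample inputs are constructed from the addressing in section 2, and the algorithm name table covers only the algorithms this note uses.

```python
import ipaddress

# Constructed samples in the shape of the note's section 7 outputs (not copied from it).
DIGI_CFG = """\
eroute 0 peerip "10.0.149.203"
eroute 0 ESPauth "SHA1"
eroute 0 ESPenc "3DES"
ike 0 encalg "3DES"
ike 0 authalg "SHA1"
ike 0 ikegroup 2
tun 0 IPaddr "172.16.1.2"
tun 0 mask "255.255.255.252"
tun 0 source "10.0.149.217"
tun 0 dest "10.0.149.203"
"""
CISCO_CFG = """\
crypto isakmp policy 1
 encr 3des
 group 2
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 tunnel source 10.0.149.203
 tunnel destination 10.0.149.217
"""
# IOS keywords mapped onto the names the Digi configuration uses (only the algorithms in this note).
CISCO_NAMES = {"3des": "3DES", "des": "DES", "sha": "SHA1", "md5": "MD5",
               "esp-3des": "3DES", "esp-des": "DES", "esp-sha-hmac": "SHA1", "esp-md5-hmac": "MD5"}

def parse_digi(text):
    """Digi 'config c show' lines are '<object> <index> <parameter> <value>'; values may be quoted."""
    cfg = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        obj, idx, param, val = line.split(None, 3)
        cfg.setdefault((obj, int(idx)), {})[param] = val.strip('"')
    return cfg

def parse_cisco(text):
    """Pull the ISAKMP policy, the transform set and the Tunnel0 settings out of a running-config."""
    c, iface = {"hash": "sha"}, None   # 'hash sha' is the IOS default and is not shown by 'sh run'
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[0] in ("encr", "hash", "group"):
            c[w[0]] = w[1]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            c["esp_enc"], c["esp_auth"] = w[4], w[5]
        elif w[0] == "interface":
            iface = w[1]
        elif iface == "Tunnel0" and w[0] in ("ip", "tunnel"):
            c["tun_" + w[1]] = w[2]        # tun_address, tun_source, tun_destination
    return c

def compare(digi, cisco):
    """Return a list of mismatch descriptions; an empty list means the two ends agree."""
    ike, er, tun = digi[("ike", 0)], digi[("eroute", 0)], digi[("tun", 0)]
    pairs = [
        ("IKE encryption", ike["encalg"], CISCO_NAMES[cisco["encr"]]),
        ("IKE hash", ike["authalg"], CISCO_NAMES[cisco["hash"]]),
        ("DH group", ike["ikegroup"], cisco["group"]),
        ("ESP encryption", er["ESPenc"], CISCO_NAMES[cisco["esp_enc"]]),
        ("ESP authentication", er["ESPauth"], CISCO_NAMES[cisco["esp_auth"]]),
        ("IPsec peer vs Cisco tunnel source", er["peerip"], cisco["tun_source"]),
        ("GRE source vs Cisco tunnel destination", tun["source"], cisco["tun_destination"]),
    ]
    problems = [f"{name}: Digi {a} vs Cisco {b}" for name, a, b in pairs if a != b]
    # Both GRE addresses must sit in the one /30 that makes the tunnel a point-to-point link.
    net = ipaddress.ip_network(f"{tun['IPaddr']}/{tun['mask']}", strict=False)
    if ipaddress.ip_address(cisco["tun_address"]) not in net:
        problems.append(f"GRE subnet: Digi {net} does not contain Cisco {cisco['tun_address']}")
    return problems
```

Run compare(parse_digi(...), parse_cisco(...)) on the two saved configurations; any entry it returns is a setting that will stop phase 1, phase 2 or the GRE link from coming up.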
5 CONFIRM IPSEC & GRE IS UP AND PING TEST THE CONNECTION.
5.1 Using the Digi WR44
5.1.1 Check the IPSec SA status
Browse to Management - Connections > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels
5.1.2 Check the GRE tunnel status
Browse to Management - Network Status > Interfaces > GRE
5.1.3 Ping an IP address on the Cisco LAN subnet
Browse to Administration - Execute a command
5.2 Using the Cisco 3745
5.2.1 Check the IPSec SA status
5.2.2 Check the GRE tunnel status
5.2.3 Ping an IP address on the Cisco LAN subnet
6 FIRMWARE VERSIONS
6.1 Digi TransPort WR44
Digi TransPort WR44-HX00-WE1-XX Ser#:140837 HW Revision: 7902a
Software Build Ver5130. Jun 30 2011 01:33:02 SW
ARM Bios Ver 6.06 v39 400MHz B512-M512-F80-O80001,2 MAC:00042d022625
Power Up Profile: 0
Async Driver Revision: 1.19 Int clk
IX Revision: 1.0
Ethernet Hub Driver Revision: 1.11
Firewall Revision: 1.0
EventEdit Revision: 1.0
Timer Module Revision: 1.1
(B)USBHOST Revision: 1.0
L2TP Revision: 1.10
PPTP Revision: 1.00
TACPLUS Revision: 1.00
MODBUS Revision: 0.00
LAPB Revision: 1.12
X25 Layer Revision: 1.19
MACRO Revision: 1.0
PAD Revision: 1.4
X25 Switch Revision: 1.7
V120 Revision: 1.16
TPAD Interface Revision: 1.12
GPS Revision: 1.0
SCRIBATSK Revision: 1.0
BASTSK Revision: 1.0
PYTHON Revision: 1.0
ARM Sync Driver Revision: 1.18
TCP (HASH mode) Revision: 1.14
TCP Utils Revision: 1.13
PPP Revision: 1.19
WEB Revision: 1.5
SMTP Revision: 1.1
FTP Client Revision: 1.5
FTP Revision: 1.4
IKE Revision: 1.0
PollANS Revision: 1.2
PPPOE Revision: 1.0
BRIDGE Revision: 1.1
MODEM CC (Ericsson 3G) Revision: 1.4
FLASH Write Revision: 1.2
Command Interpreter Revision: 1.38
SSLCLI Revision: 1.0
OSPF Revision: 1.0
BGP Revision: 1.0
QOS Revision: 1.0
RADIUS Client Revision: 1.0
SSH Server Revision: 1.0
SCP Revision: 1.0
CERT Revision: 1.0
LowPrio Revision: 1.0
Tunnel Revision: 1.2
QDL Revision: 1.0
Wi-Fi Revision: 2.0
iDigi Revision: 1.0
OK
6.2 Cisco 3745
Cisco#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 3700 Software (C3745-ADVIPSERVICESK9-M), Version 12.3(24), RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Thu 18-Oct-07 18:22 by stshen
Image text-base: 0x60008AF4, data-base: 0x61F80000
ROM: ROMMON Emulation Microcode
ROM: 3700 Software (C3745-ADVIPSERVICESK9-M), Version 12.3(24), RELEASE SOFTWARE (fc4)
Cisco uptime is 24 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco 3745 (R7000) processor (revision 2.0) with 120832K/10240K bytes of memory.
Processor board ID XXXXXXXXXXX
R7000 CPU at 100MHz, Implementation 39, Rev 2.1, 256KB L2, 512KB L3 Cache
Bridging software.
X.25 software, Version 3.0.0.
3 FastEthernet/IEEE 802.3 interface(s)
DRAM configuration is 64 bits wide with parity enabled.
151K bytes of non-volatile configuration memory.
16384K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x2102
Cisco#
7 CONFIGURATION FILES
7.1 Digi Transport WR44
config c show
eth 0 descr "WAN"
eth 0 IPaddr "10.0.149.217"
eth 0 ipsec 1
eth 0 ipanon ON
eth 1 descr "LAN"
eth 1 IPaddr "10.0.36.203"
eth 1 ipanon ON
eth 2 IPaddr "10.1.51.4"
eth 2 mask "255.255.0.0"
lapb 0 ans OFF
lapb 0 tinact 120
lapb 1 tinact 120
lapb 3 dtemode 0
lapb 4 dtemode 0
lapb 5 dtemode 0
lapb 6 dtemode 0
ip 0 cidr ON
route 0 IPaddr "10.0.35.0"
route 0 ll_ent "tun"
def_route 0 ll_ent "ppp"
def_route 0 ll_add 1
eroute 0 peerip "10.0.149.203"
eroute 0 peerid "10.0.149.203"
eroute 0 ourid "10.0.149.217"
eroute 0 locip "10.0.149.217"
eroute 0 locmsk "255.255.255.255"
eroute 0 remip "10.0.149.203"
eroute 0 remmsk "255.255.255.255"
eroute 0 ESPauth "SHA1"
eroute 0 ESPenc "MD5"
eroute 0 ltime 3600
eroute 0 authmeth "PRESHARED"
eroute 0 nosa "TRY"
eroute 0 autosa 1
dhcp 0 IPmin "192.168.1.100"
dhcp 0 mask "255.255.255.0"
dhcp 0 gateway "192.168.1.1"
dhcp 0 DNS "192.168.1.1"
dhcp 0 respdelms 500
dyndns 0 epassword "aTFwSBFeFFECSRI="
ppp 0 timeout 300
ppp 1 r_chap OFF
ppp 1 IPaddr "0.0.0.0"
ppp 1 phonenum "*98*1#"
ppp 1 name "W-WAN (HSPA 3G)"
ppp 1 timeout 0
ppp 1 use_modem 1
ppp 3 defpak 16
ppp 4 defpak 16
ike 0 encalg "3DES"
ike 0 authalg "SHA1"
ike 0 ltime 80000
ike 0 ikegroup 2
ike 0 deblevel 4
modemcc 0 info_asy_add 6
modemcc 0 init_str "+CGQREQ=1"
modemcc 0 init_str1 "+CGQMIN=1"
modemcc 0 apn "Your.APN.goes.here"
modemcc 0 sms_interval 1
modemcc 0 sms_access 1
modemcc 0 sms_concat 0
modemcc 0 init_str_2 "+CGQREQ=1"
modemcc 0 init_str1_2 "+CGQMIN=1"
modemcc 0 apn_2 "Your.APN.goes.here"
modemcc 0 link_retries_2 10
modemcc 0 stat_retries_2 30
ana 0 anon ON
ana 0 l2on OFF
ana 0 xoton OFF
ana 0 lapdon 0
ana 0 lapbon 0
ana 0 ipfilt "23,80"
ana 0 logsize 45
cmd 0 unitid "ss%s>"
cmd 0 cmdnua "99"
cmd 0 hostname "digi.router"
cmd 0 asyled_mode 2
cmd 0 tremto 1200
user 0 epassword "aTFwSBFeFFECSRI="
user 0 access 0
user 1 name "username"
user 1 epassword "KD5lSVJDVVg="
user 1 access 0
user 2 name "10.0.149.203"
user 2 epassword "GzZlWUodFQ8GCA=="
user 2 access 0
user 10 epassword "Ig=="
local 0 transaccess 2
sslsvr 0 certfile "cert01.pem"
sslsvr 0 keyfile "privrsa.pem"
ssh 0 hostkey1 "privSSH.pem"
ssh 0 nb_listen 5
ssh 0 v1 OFF
tun 0 IPaddr "172.16.1.2"
tun 0 mask "255.255.255.252"
tun 0 source "10.0.149.217"
tun 0 dest "10.0.149.203"
tun 0 kadelay 3
Power Up Profile: 0
OK
7.2 Cisco 3745
Cisco#sh run
Building configuration...
Current configuration : 1250 bytes
!
version 12.3
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip audit po max-events 100
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set T1 esp-md5 esp-sha-hmac
!
crypto ipsec profile P1
set transform-set T1
!
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.252
ip ospf mtu-ignore
load-interval 30
keepalive 3 3
tunnel source 10.0.149.203
tunnel destination 10.0.149.217
tunnel protection ipsec profile P1
!
interface FastEthernet0/0
description WAN
ip address 10.0.149.203 255.255.255.0
speed auto
full-duplex
!
interface FastEthernet0/1
description LAN
ip address 10.0.35.203 255.255.255.0
speed auto
full-duplex
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip classless
ip route 10.0.36.0 255.255.255.0 Tunnel0
!
no ip http server
no ip http secure-server
!
no cdp run
!
!
line con 0
exec-timeout 3000 0
line aux 0
line vty 0 4
login
!
end