Net Talk - GRE over IPsec
Dec 08, 2021

Good afternoon everyone and welcome to the first of a series of what I call network talks, in which I want to meet with you from time to time here on my YouTube channel and share a specific network technology. I want to do it in about 35 minutes, say 30 to 45 minutes; that's my goal. For the topic of our first network talk we're going to cover GRE over IPsec tunnels and how to set up a GRE VPN over IPsec. This can be really useful for you if you're looking at any of the security certifications in the Cisco track. The reason I hesitated was I was thinking I'm not sure how many people are looking for that yet, but this is one of the topics of the new ENCOR exam that will be posted next year, on the 24th. It will be like the basic exam that will be required for your CCNP Enterprise certification. It will also be the foundation exam, as it will be the equivalent of the written exam for the new CCIE Enterprise Infrastructure lab, so yes, it is quite an important exam, and this is one of the topics. So I thought it would be useful for those people, as well as anyone in the security area. I was looking in the chat here before we started, and people were talking about what they are doing now in terms of certification. I'm really curious, if you wouldn't mind sharing with me: can you tell me where you are right now in your certification journey?
Are you in the camp that needs to get this specific certification before the 24th? If so, put that in the YouTube chat and tell me what that certification is, or if you're going to go ahead and start studying for some of the new certifications, I'd love to know that too. Where are you now? Maybe you're here for the real world, or maybe you just saw that Kevin is going to be live and you want to see what's up with that. So let's take a look and see what people say. Let's see if anyone says my sound is low; let me see if I can adjust it. Okay, give me some feedback if you want; my sound is better.
Now that I'm testing a new system, you may notice that the resolution has improved dramatically from previous live streams. I'm actually streaming in 1080p at 30 frames per second; I couldn't do that before, but now I can, and I hope it looks really good. Everyone says yes, the sound is much better now. Thanks for those comments; you guys are kind of test subjects because I haven't used this particular software before. But yes, people were saying: just got past ICND1 last week, preparing for ICND2, now scheduled for late December. I'm planning to pass SWITCH and ROUTE before February. Okay, awesome, awesome. Just need to do my TSHOOT exam and then I'm done with my CCNP. Awesome. So it seems like a lot of people are opting for the existing certs before the new ones appear, and I'm going to leave this on my YouTube channel for a long time, but let's see, today is November 26th, and that's 2019, so yeah, for most of my students that's enough time to take another NP-level exam or another NA-level exam. So yeah, I think it's great. In fact, let's get into that today. So we can stay on our 30 to 45 minute timeline, let's talk about GRE over IPsec, and so as not to obscure anything, let me take my image off the screen here and let's take a look at the agenda of exactly what we're going to talk about today. Well, now we're in the middle of the introduction, but we're going to talk about why we need both a GRE and an IPsec tunnel; couldn't we only use one or the other? We will see that they depend on each other, and we will see how to configure a GRE tunnel over IPsec.
We will do it for you in a live interface. I think you'll really enjoy it, and we'll spend some time on Q&A at the end. But let's start by introducing myself to some of you who stumbled across the YouTube channel and have no idea who I am. Here's my super quick bio. I won't go into this further, but my super quick bio is: yes, my name is Kevin Wallace. I've got a pair of CCIEs; I now have an emeritus designation. I've been a CCIE since 2001 and my CCIEs are on the Routing & Switching and Collaboration paths. I have been working with this stuff since the first Cisco router, the old AGS+ router, back in 1989. I taught courses with Cisco learning partners for about 14 years, was one of five network designers at Walt Disney World in Florida, and wrote a lot of books for Cisco Press and lots of training videos for them.
I've been a distinguished speaker a couple of times at Cisco Live. The bottom line is that I love this stuff and I can't wait to share today's content with you, so let's get right into it. I said we probably don't want to just use GRE or IPsec independently; we want to use them together. Why is that? I remember when I started working in networks back in the 90s, where we would interconnect LANs and might connect remote sites to a central site, and in those days we had to use something like Frame Relay circuits, which were the most popular, or ATM.
We also had some leased-line circuits, but it was expensive if you wanted to interconnect a couple of devices or a couple of sites; you were going to pay some money for that. But these days we have the Internet. We have high-speed Internet connections; at my house I have fiber. It's unreal that you have gig downloads and uploads in a home environment; that would be unheard of a few years ago. So now we have these high-speed Internet resources readily available, so what can we do with that? We can simply use the Internet to connect these remote offices. But I know you're worried; the worry is that even if we can use common broadband technologies, will it be safe?
Is it an untrusted network? Isn't the Internet scary? There are people on the Internet who are bad actors. They could do bad things with your data. But if we used the Internet it would be great, because it would be transparent to the end devices and we can protect all our traffic using a VPN, a virtual private network, that gives us privacy virtually over this public communications network. We can have routers at each of our sites, and they can do the heavy lifting of encrypting and decrypting so that it is completely transparent to the end users, and yes, we can get very high-speed connectivity between our sites.
If the Internet in that location is available at high speed and we can do it safely, let's talk about some of the VPN protocols that make this happen. One protocol we'll probably turn to is called GRE, Generic Routing Encapsulation. It's super flexible and can encapsulate; it's just not encrypting, it's encapsulating and putting things inside this virtual tunnel. It can encapsulate almost anything you can imagine: it will encapsulate unicast, multicast, broadcast; if you had AppleTalk or Novell IPX that would work as well. It will encapsulate just about anything you can think of. There's one big drawback, though, I hate to tell you: it has no security at all, so it doesn't really meet our needs. Didn't we say we wanted to be able to communicate securely over the Internet?
And I said, well, here's a way to make these two sites look adjacent. I mean, they appear to be layer two adjacent. They can form OSPF neighborships, but it is not safe. Well, let's turn to something that's safe. What's that? IPsec, which is short for IP Security, and as the name suggests, it is super secure. Let's take a look at some of the features of IPsec. I said it was safe. This is what I mean: it can maintain confidentiality, and by that I mean it's going to give us encryption. It can run very strong encryption standards, so that if some bad person were to intercept our data on the way to the destination, they couldn't interpret it because everything is encrypted and they couldn't decipher it. It will also give us integrity, to make sure the data is not modified in transit; that uses a technology called hashing.
Now a lot of people get very confused: they'll see a hash result, called a hash digest, and they'll say oh yeah, that's the encrypted password. Actually it's not; it's like a fingerprint. One of the, not the strongest, but just one of the popular hash algorithms that has been around for a while is called MD5, Message Digest 5. You can take a three-letter word like "cat" and run it through the MD5 hash algorithm, and the output would be 128 bits. What if I took a big book, like my big official ROUTE cert guide that I wrote for Cisco Press?
I think it's like 700 pages or something, and ran it through the MD5 algorithm. What would it give me? 128 bits. Well, obviously there's no way to extract a 700-page book from just 128 bits, so it's not encryption; it's a fingerprint that we generate, 128 bits based on this algorithm that we run on the data string. However large the data string is, it doesn't matter: the hash result will be 128 bits. We are going to do that calculation on each end of the communication, and if they agree, if the hashes are the same, that is a good indication that the data has not been modified in transit. We can also authenticate the other party, so we know we are talking to the party we believe we are talking to.
We can do that with a pre-shared key, where we configure each endpoint; that's what we're going to do today in our demo. Or we could use digital certificates with digital signatures. It also defends against replay attacks. You may have someone capturing traffic on the network; they can't read it right now, but they captured the packets that were being exchanged when someone logged in successfully, and they thought, interesting, these are the packets that would allow me to log in. I'll come back later and replay them and that will allow me to log in. No, no, not with IPsec. It essentially applies serial numbers to those packets, so if you come back later and try to replay them out of order, it will tell you no, no, that's not what's happening now.
This is a replay attack and we are going to reject that. Now, the downside of IPsec. I have bad news here, as well as great news when it comes to security. Its big limitation is that it only has the ability to encapsulate unicast IP packets. What about broadcast? I mean, you might need ARP. What about multicast? I mean OSPF version 2 and 3, EIGRP, or even RIP version 2; they all use multicast for routing protocols. We use multicast for other things too. It won't be sending multicast traffic, so it won't carry everything we want. We'll address that, and there is something that will be important for our setup today.
I want you to understand that there are two different modes that IPsec can run in. One mode is called transparent mode, or excuse me, transport mode. This is where the packets will not replace the original header; they will use the packet's header and just encapsulate and encrypt the payload. Or we could use tunnel mode, which encapsulates absolutely everything. When we're setting up an IPsec tunnel, it's really a two-step process. The first step I liken to, I don't know if you've seen the old TV show Get Smart, or a few years ago they made a movie with Steve Carell that was very funny.
By the way, I highly recommend it, but if you watch the movie or the TV show, you might remember the scene where Max tries to talk to the Chief and wants to do it privately, so they lower the cone of silence. It comes down over Max and the Chief, and it never works well in the movie or the TV show, but the idea is that it gives them a safe communication channel where they can discuss plans. Well, that's what's happening here in the first step of configuring an IPsec tunnel. You may want to take some notes on this.
The first step is creating what is called an IKE phase 1 tunnel. It has another name; it is also known as an ISAKMP tunnel. IKE is Internet Key Exchange and ISAKMP is Internet Security Association and Key Management Protocol. It's there on the screen for you, but those are synonyms. We are going to establish an IKE phase 1 tunnel, and it is within the protection of that IKE phase 1 tunnel that we are going to negotiate the parameters for the IKE phase 2 tunnel, also known as the IPsec tunnel. So here is the dilemma we have, friends: we have a protocol that we love for its flexibility.
GRE will pretty much encapsulate everything, but it does zero security. Then we have IPsec, which we love for its extensive security capabilities, but it will only encapsulate unicast IP traffic. We'd really like to have a third option where it's the best of both worlds. What if we did this? What if I combined the two? Follow me on this: what would happen if I took everything, I don't care if it's unicast, multicast, AppleTalk, IPX, and put it into GRE? Second, what is a GRE packet? A GRE packet is a unicast IP packet. See where I'm going with this? Once we put everything into GRE, what do we have?
It is now a series of unicast packets that can then be sent within an IPsec tunnel, where they can be encrypted. Ah, we are working as a team; teamwork makes the dream work. That's what we're doing here. We are pairing GRE with IPsec: we can put everything in GRE to convert everything into IP unicast packets, and then we'll take those IP unicast packets and send them securely inside an IPsec tunnel. I want to take you to a live interface now and show you exactly how to configure it. Before we do, here is the topology that we are going to work on. We have four routers. Now follow me on this: we are pretending that our company has a couple of sites. One of our sites uses router R1, another site uses router R4, and between our two sites, between R1 and R4, we are going through a service provider, and coincidentally they number their routers R2 and R3.
The bottom line is that we have no control over those routers; we cannot control R2 or R3 because they belong to the service provider. We want to create a tunnel through them, and I want to encapsulate the traffic that goes between these two routers. The first thing we're going to do is set up a GRE tunnel. A GRE tunnel will use a virtual interface, a tunnel interface. I'll probably number it Tunnel 1, and we'll give it an IP address at each end of that tunnel, obviously part of the same subnet, part of the same network segment, and we'll make sure it works. Once we've set up that unsecured tunnel, then we'll configure IPsec.
Now, when you configure IPsec, you don't have to send everything within that encrypted tunnel. You can say which traffic deserves this high-security treatment. Maybe we don't need to send everything securely; that could ease the processor demand on our routers. But in our case we will say no, the interesting traffic, what qualifies to be encrypted, is all of our GRE traffic. So we will make our GRE traffic our interesting traffic, then we'll send it over that IPsec tunnel, and then we'll verify it. So let's go to our topology and our routers and configure this now.
We'll do it nice and slow if you want to make some notes on this. Again, the first step is that we want to set up a GRE tunnel between R1 and R4. Those are the only routers that are under our control; I can't control R2 or R3. Someone says: I'm taking notes, I'm going to buy the cone of silence for the next meeting. That's funny. Okay, let's do the GRE configuration on R1 now. Like I said, we're going to create just a virtual tunnel interface. Let's say interface tunnel 1, and I need to give it an IP address. This is its own network segment, so it's not one of my router's existing interfaces that I'm using for that; this network is a separate network, it's like a new router interface, and it will have its own network segment. Based on the topology that you see on the screen, I will give it an IP address of 192.168.0.1: ip address 192.168.0.1, and we have a 30-bit subnet mask, which is 255.255.255.252.
On R1 I'm going to go out of GigabitEthernet 0/1, so I'm going to say that the source of my tunnel is gigabit 0/1. Whose destination? Well, I'm going to go into that top interface on R4, which has an IP address of 198.51.100.2, so I'll say my tunnel destination is an IP address of 198.51.100.2, and we're done with our GRE configuration on R1. Let's move on to R4, because we're not allowed to touch R3, and we'll do a sort of mirror setup here. We'll create this virtual tunnel interface; I'll use Tunnel 1 in both cases. Those don't have to match; that's not information that's exchanged. Yes, it's not like an EIGRP autonomous system number; it doesn't have to match.
I only like to use 1 because it's easy to remember. I'll give my IP address at this end of the tunnel according to our topology, an IP address of 192.168.0.2; again we have a 30-bit subnet mask. Then I say who is the source and who is the destination; it will be the other way around from the perspective of our local interface. I'll say tunnel source, my top interface going towards R1, which will be gigabit 0/1, and the tunnel destination will be that ingress interface on R1, which is 192.0.2.1.
I'm just checking that, because that would break everything if I entered a wrong IP address, but I think it looks good and we're done. Now we have a tunnel configuration between R1 and R4. Let's check that, though. If I do a show ip interface brief, it shows that this tunnel interface is up/up. We also saw, look at this, we had an OSPF adjacency change, because R1 and R4 now appear to be layer two adjacent to each other. I think we formed an OSPF neighborship. Let's do a show ip ospf neighbor command. Look, R4 is not only a neighbor with R3, which it's directly connected to, but it's also a neighbor with R1, which it's virtually directly connected to. And I can do a show interface tunnel 1 and we can see information about this.
We see that it seems to be working fine. We would probably want to go in and change that line; we might not want to operate at 100 kilobits per second, but we could certainly go in with the bandwidth command and alter that setting. That's a good thing to check. Now, trying to think, yeah, let's do another check command. Let's do a traceroute to that bottom interface on R1. Does it show that we're going through R3 and then R2 and then R1? Or does it just show that we go directly to R1? When I say the interface of R1, I mean the other side of the tunnel interface on R1.
Let's do a traceroute to 192.168.0.1. Look, it was one hop, even though I'm physically traveling through R3, R2 and then R1 to get there; it said no, it's the adjacent side, it's just one. Now we have configured and verified our GRE tunnel. Let's now move on to the slightly more challenging IPsec configuration. Remember we said that IPsec is configured in two phases: there is IKE phase 1, aka ISAKMP, and phase 2, aka IPsec. Let's do IKE right now, and I'll go back to R1. We'll still do things in the same order, and on R1 I'm going to create my IKE phase 1 policy.
I'm going to say crypto; let's use contextual help here. I'm going to say crypto isakmp, this is for IKE phase 1, so crypto isakmp policy, and I can give it a priority. Now, what it's about is that the two sides of this tunnel have to agree on what authentication and what encryption we're going to use, and I can create a policy that says okay, this policy uses this encryption and this authentication. Do you have a policy that matches this? And the other party might say no, I don't have a policy that exactly matches that.
I have this other policy. So we keep comparing policies; we could have a bunch of policies on one side, but we have to have a set of matching parameters in some policy on each end of this tunnel. Now, for the sake of simplicity, I'll just make our two policies match; I'll create the same basic policy on each router. But that's the reason we give this a priority: I'm saying I'll prefer 10, but if that doesn't work I'll use policy 20, as an example, and see if the other side supports that. This is just for that negotiation. Now what am I going to set here in the policy with a priority of 10?
Well, let's set up encryption. I have different encryption options: we have Triple DES, AES and DES. Don't even think about using DES; it's super insecure, it's been around since the 70s, there are vulnerabilities everywhere. Triple DES is better, but the flagship is AES, the Advanced Encryption Standard, so that's what I'm going to select, and we can select how many bits our key is going to have here. I'll just press Enter and take the default. Then I say authentication: do I want to use a digital certificate, or do I want to use a pre-shared key? Just to make it simple, so we don't have to set up a digital certificate,
I'll just set the same key on both routers. I will say that we will use a pre-shared key. Then we say how we are going to exchange our key: we will use a Diffie-Hellman group, and the higher the group number, the more secure it will be. It gets into modular math, which is fun to play with, but way beyond the scope of what we have to talk about today. I'll just say group 2; that's what I've been using for years. Normally I say Diffie-Hellman group 2, and we end up with that policy. But the policy said okay, you're going to use a pre-shared key.
I need to configure it now. I must say, here is the pre-shared key on my side for my ISAKMP policy, and I will do the same on the other side. So here is how to do it: I'm going to say crypto isakmp key, and I'm just going to call it Kevin's key, and I can specify the address of the peer that I'm going to exchange keys with. Now, in the real world you might want to be very specific and make sure you have the far endpoint, the right router, but sometimes you might want to leave it open if there can be multiple routers connecting to you. Here in this lab environment,
I'll leave it open for any peer that has a matching key, so I'll just give them all 0.0.0.0 0.0.0.0. Now that we have specified the parameters for IKE phase 1, it's time to create a transform set for IKE phase 2. The transform set is again a collection of encryption and hashing algorithms, and we have to find a matching transform set on the other side, something like the ISAKMP policy. That's how we do it: I'm going to say crypto ipsec transform-set, and I'll give it a name, just my company, the name KWTRAIN. Let's see what options we're given here: we have some encapsulation options, and I want to use AES. There's ESP and AH; AH means Authentication Header, ESP means Encapsulating Security Payload. ESP is better than AH, without going into all the details of why.
I'm going to say esp-aes, for Advanced Encryption Standard, which is what I normally do. Now I'm going to say what my hash algorithm is, to make sure the data hasn't been modified in transit. Here are my options: I'm going to use SHA with the encapsulating security payload, esp-sha, which by the way is better than MD5, and I'll say HMAC. Now what is HMAC? Remember I said that with hashing, the router at each end is going to run this hash algorithm on a string of data, and if they both get the same result then the string has not been modified in transit. There is a little hole in that logic right there: what if someone intercepted that in the middle during transmission, altered it, recalculated the hash value and sent that recalculated hash value along to the recipient? They look at the modified data, run the hash algorithm, sure, it matches, without them knowing that it was the modified hash, and they say no, this has not been modified.
HMAC adds another level of security there: it adds a secret key that the man in the middle wouldn't know, so we would be protected. We also talked about tunnel mode versus transport mode before; we could use either one. I'm just going to use transport mode, for no particular reason. Now I need to say what traffic is qualified to go through the IPsec tunnel, what we consider interesting traffic, and I'm going to define that interesting traffic using an access list. I'll say ip access-list extended, because I want to specify a specific protocol, GRE. I'll call it GRE-IN-IPSEC; that'll be the name of my named access control list, and I'll permit GRE traffic from anywhere to anywhere. Okay, so what's going to be in there?
All the traffic that goes through that tunnel will be interesting traffic, because everything has gone inside that GRE tunnel, so now everything we send through the IPsec tunnel will be GRE traffic, which includes everything. That's where we merge these two. Now the next step is to create what's called a crypto map. A crypto map is the connective tissue that unites everything that we've been configuring: it joins the interesting traffic, the transform set and the IP address of our peer. So I want to say crypto map and I'll give it a really creative name, VPN, I'll give it a sequence number, and I'll say ipsec-isakmp. That's the way we normally configure an IPsec tunnel: we're using IPsec along with ISAKMP. In other words, ISAKMP is IKE phase 1, IPsec is IKE phase 2.
Great. Now notice that it says this is going to be disabled until we point to a peer and say what traffic is interesting. Okay, let's do it. I'll say match address and the name of my access control list. I want to make sure I spell it correctly to avoid a typo, so I'm going to copy and paste that. Then I say the transform set that I'm using, the one we created, which I called KWTRAIN. And my peer, if you look at the topology, is going to be that IP address of 198.51.100.2, which is the ingress interface on top of R4. The last thing we do is apply this to the interface we're using to send our GRE packets, which on this router is gigabit 0/1. So we've created the crypto map that ties everything together; now I say I'm applying that crypto map to traffic going out of gigabit 0/1. So let's go to interface configuration mode for gigabit 0/1 and I'll say crypto map, and we called it VPN. Now we have done half of the setup, and I know you're thinking, do we have to wait 10 minutes for Kevin to type all that again? No, no, you don't, because I already have the mirror setup.
I put it in a text document so I could paste it. The only thing that's different is that I'm pointing to R1's IP address. I guess that's all; that's really the only difference. It is a mirror configuration, so there's nothing new here. Oh, I probably need to enter global configuration mode for that; that will be useful. Then let me paste it. Let's see what I'm doing; let me try to copy this again. Oh, I need to enter global configuration; that's what I skipped doing. Now let's paste the configuration. That's better. I'd give it a second to show the tunnel; actually, let's send some traffic. Oh look, we had an OSPF neighborship form over the tunnel again, okay?
Let's send some traffic. I'm going to ping the loopback interface on R1 and see if it passes. Let me send a little more traffic, just trying to generate some traffic to show in our check commands. If I want to see the status of my IKE phase 1 tunnel, I can do a show crypto isakmp sa; SA means Security Association, and it says we are active. That is the IKE phase 1 tunnel. For the IKE phase 2 tunnel, instead of show crypto isakmp sa, it's show crypto ipsec sa, and we can see the packet count: it says we have encapsulated so many packets and we have decapsulated so many packets. This is giving us confirmation that the traffic is actually flowing over our IPsec tunnel, and the only traffic we considered interesting for the IPsec tunnel was our GRE traffic, which means that the traffic we sent from R1 to R4 goes through that GRE tunnel. And yes, show ip ospf neighbor shows it; we can set things up so that we use that tunnel to go from R1 to R4, so we can safely send traffic over the Internet.
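Here is the full two-router configuration the walkthrough builds up, collected in one place as an added example (this is not the config pasted during the stream). It assumes R1's provider-facing Gi0/1 is 192.0.2.1 and R4's is 198.51.100.2, as heard in the walkthrough; the pre-shared key string, the transform-set name KWTRAIN and the ACL name GRE-IN-IPSEC are placeholders standing in for whatever was typed on screen.

```cisco
! ===== R1 (site A). Assumed: GigabitEthernet0/1 = 192.0.2.1 faces the provider. =====
! Step 1: GRE tunnel. Tunnel interface numbers do not have to match on the two routers.
interface Tunnel1
 ip address 192.168.0.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.2
!
! Step 2a: IKE phase 1 (ISAKMP) policy; the peers must share at least one matching policy.
! Default hash (SHA) and default AES key length are taken, as in the walkthrough.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
!
! Pre-shared key. 0.0.0.0 0.0.0.0 accepts any peer that presents this key (lab setting);
! in production pin the remote address. The key string is a placeholder.
crypto isakmp key REPLACE-WITH-REAL-KEY address 0.0.0.0 0.0.0.0
!
! Step 2b: IKE phase 2 (IPsec) transform set: ESP gives confidentiality (AES) and
! integrity (SHA-1 HMAC). Transport mode is enough here because the GRE packet
! already carries the outer IP header between the two provider-facing addresses.
crypto ipsec transform-set KWTRAIN esp-aes esp-sha-hmac
 mode transport
!
! Step 2c: "interesting" traffic = all GRE. Everything between the sites
! (unicast, broadcast, multicast, OSPF hellos) is already inside GRE.
ip access-list extended GRE-IN-IPSEC
 permit gre any any
!
! Step 2d: the crypto map ties the ACL, the transform set and the peer together.
crypto map VPN 10 ipsec-isakmp
 match address GRE-IN-IPSEC
 set transform-set KWTRAIN
 set peer 198.51.100.2
!
! Step 2e: apply it on the physical interface the GRE packets leave through.
interface GigabitEthernet0/1
 crypto map VPN
!
! ===== R4 (site B). Assumed: GigabitEthernet0/1 = 198.51.100.2 faces the provider. =====
! Mirror image: only the tunnel address, tunnel destination and peer change.
interface Tunnel1
 ip address 192.168.0.2 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 192.0.2.1
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-REAL-KEY address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set KWTRAIN esp-aes esp-sha-hmac
 mode transport
!
ip access-list extended GRE-IN-IPSEC
 permit gre any any
!
crypto map VPN 10 ipsec-isakmp
 match address GRE-IN-IPSEC
 set transform-set KWTRAIN
 set peer 192.0.2.1
!
interface GigabitEthernet0/1
 crypto map VPN
!
! ===== Verification (run on either router, after sending traffic across the tunnel) =====
! show ip interface brief     -> Tunnel1 up/up
! show ip ospf neighbor       -> neighbor learned across the tunnel, not just the directly connected one
! traceroute 192.168.0.1      -> a single hop; R2 and R3 never appear
! show crypto isakmp sa       -> state QM_IDLE, status ACTIVE = phase 1 up
! show crypto ipsec sa        -> #pkts encaps and #pkts decaps counters increasing
```

Group 2 and SHA-1 are what the walkthrough picks; Cisco's current guidance for new deployments is DH group 14 or higher and a SHA-2 HMAC where both peers support them.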
Wow, my friends, GRE over IPsec. My goal was to cover all of that in about 30 to 45 minutes, and it looks like we covered it in about 35 minutes.