Earlier, this chapter introduced the concept of an IPsec VPN between the branch router
and another device in the Enterprise core. This VPN, sometimes called a VPN tunnel,
gives the Enterprise engineer a way to send a packet native to the Enterprise, with private
IP addresses, through the Internet. Additionally, the VPN provides privacy (through encryption)
and verification that the sender is legitimate (through authentication).
Although extremely useful, the IPsec tunnel unfortunately does not allow IGP traffic to
flow directly over the IPsec VPN tunnel. One solution is to also use a GRE tunnel, which
does support IGPs because it can encapsulate the IGP’s multicasts inside a unicast IP
packet. As previously shown in Figure 19-6, GRE solves the problem by routing over the
GRE tunnel interface, whose traffic is, in turn, processed by the IPsec tunnel.
Other alternatives exist for supporting routing over an IPsec tunnel. These options include
■ Virtual Tunnel Interfaces: Similar in concept to GRE tunnels, but using an encapsulation
that does not add an extra 4-byte header. (GRE adds such a header.)
■ Dynamic Multipoint VPN (DMVPN): Creates a multipoint VPN concept, allowing
less configuration to add new sites.
www.CareerCert.info
Chapter 19: Routing over Branch Internet Connections 665
■ Group Encrypted Transport (GET) VPN: A more recent addition to IOS, also supporting
multipoint VPNs with less configuration to add new sites.
This section shows a sample configuration for both IPsec and GRE tunnels, just to complete
the perspectives on the Internet-connected branch router.
Configuring an IPsec VPN
To fully understand the IPsec configuration, you need a deeper understanding of the security
protocols than the detail included in this book. However, if you ignore the particulars
about security protocols, a sample configuration can reveal some interesting facts about
branch routing, which is the focus of this chapter.
Figure 19-10 shows a sample IPsec configuration for Router BO1. Again, this configuration
assumes the configuration in the previous examples, plus Figure 19-9, have already
occurred.
Focus first on the crypto map (named branchmap) and the dialer interface. The dialer interface
enables IPsec with the crypto map branchmap command, causing IOS to consider
applying IPsec to packets exiting Dialer 2. The crypto map causes IOS to only encrypt
and tunnel the packets that are matched by ACL 101 in this case. (See the arrows in the
figures as to how the crypto map is linked to using ACL 101.) The crypto map also identifies
the destination IP address used when the encapsulation takes place (128.107.9.9). This
address is the public IP address of the device on the other end of the tunnel; the earlier
figures showed that as Router Ent1.
! Security Details
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key donttellitsasecret address 128.107.9.9
crypto ipsec transform-set name-i-chose esp-3des esp-sha-hmac
! Tunnel Details
crypto map branchmap 10 ipsec-isakmp
 set transform-set name-i-chose
 set peer 128.107.9.9
 match address 101
access-list 101 permit ip 10.99.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit gre any any
! Enabling the Logic
interface dialer 2
 crypto map branchmap
Figure 19-10 IPsec Configuration (Key Topic)
666 CCNP ROUTE 642-902 Official Certification Guide
Figure 19-11 GRE Tunnel Topology and Addresses: BO1 (Loopback 1 10.12.1.1, Tunnel 9
10.99.2.1/24) connects through the GRE tunnel to Ent1 (Loopback 1 10.12.1.9, Tunnel 9
10.99.2.2/24).
Next, think about a packet received by BO1 over the LAN, in light of ACL 101, and in
light of the crypto map processing outbound traffic on interface Dialer 2. The packet arrives
in BO1’s F0/0 interface. The packet may be processed by a GRE tunnel first, or it
may not. Then, some route must route the packet out Dialer 2. At that point, the logic of
the commands in Figure 19-10 finally begins.
Continuing with this same packet, the ACL matches packets that were tunneled by GRE, or
other packets that come from the LAN and are going toward the rest of the Enterprise. The
first line in the ACL matches the packets from the local LAN (10.99.1.0/8) going to another
destination in the Enterprise. The second line in the ACL matches all GRE packets. Note
that packets destined to some public IP address in the Internet would not match the ACL
with a permit action. So, only packets destined for the Enterprise network match ACL 101;
only the packets permitted by ACL 101 will be processed by the IPsec tunnel logic.
Configuring GRE Tunnels
The GRE tunnel configuration on the branch router does not require any additional commands
as compared with the GRE tunnels discussed in Chapter 18, which showed how to
tunnel IPv6 (the passenger protocol) over IPv4 (the transport protocol). In this case, the
GRE tunnel carries IPv4 as the passenger protocol, inside an IPv4 packet.
The fact that an IPsec tunnel exists, plus the issues related to the public and private addresses
used over the Internet connection, does make the application of the tunnel a bit
more challenging. First, to make more sense of what will be configured, Figure 19-11
shows the concepts and parameters related to configuring a GRE tunnel in this case.
The link that appears as a tunnel between the branch router (BO1) and central site Enterprise
router (Ent1) acts like a point-to-point serial link. In the many examples in Chapter
18, this link would have had IPv6 addresses because IPv6 was the passenger protocol. In
this case, the tunnel interfaces have IPv4 addresses because IPv4 is the passenger protocol,
with the addresses in a new subnet allocated just for this tunnel.
The configuration also uses loopback interfaces, with those interfaces and their IP addresses
used as the tunnel endpoints. This configuration means that the new IP packet
header created by GRE will use addresses 10.12.1.1 and 10.12.1.9. Finally, any routes
learned over the tunnel will list tunnel 9 as an outgoing interface, with next-hop address
10.99.2.2.
Example 19-3 shows a sample configuration, again on Router BO1.
Example 19-3 GRE Tunnel Configuration
interface tunnel 9
 ip address 10.99.2.1 255.255.255.0
 tunnel source loopback 1
 tunnel destination 10.12.1.9
interface loopback 1
 ip address 10.12.1.1 255.255.255.0
router eigrp 1
 network 10.12.1.1 0.0.0.0
 network 10.99.2.1 0.0.0.0
ip route 10.12.1.9 255.255.255.255 dialer2
The tunnel configuration just uses three subcommands: one to define the source IP address
(indirectly, as loopback 1’s 10.12.1.1), the tunnel destination (10.12.1.9), and the interface’s
passenger protocol address (IP address 10.99.2.1). The tunnel mode command is not
needed, because IOS defaults to use IPv4 as the transport protocol, which then allows any
of the supported passenger protocols.
The configuration also requires two main branches of logic for routing to work correctly.
First, for the tunnel to function, the tunnel destination must be reachable; in this example,
a static route was added for this purpose. Additionally, the routers need to exchange
routes that will list the tunnel interface as the outgoing interface, which in turn directs
packets through the tunnel. The example includes the EIGRP configuration that enables
EIGRP on tunnel 9 just as a reminder that one of the primary motivations for bothering
with the GRE tunnel is to support IGP routing protocols.
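The three linkages this section and the IPsec section before it describe (the crypto map on Dialer 2 must reference an ACL that permits GRE, and the tunnel destination must have a route that exits that same dialer interface) are easy to get wrong in a real config, so the following added example, which is not code from the book or from Cisco IOS, parses the BO1 commands from Figure 19-10 and Example 19-3 and checks them. It assumes the tunnel mask of /24 shown in Figure 19-11, considers static routes only, looks for an explicit permit gre line rather than a broader permit ip that would also cover GRE, and flags the 3DES and Diffie-Hellman group 2 ISAKMP settings, which Cisco's Next Generation Encryption guidance now classes as legacy:

```python
import ipaddress

# Constructed sample input: BO1's commands from Figure 19-10 and Example 19-3,
# with IOS-style indentation for subcommands (EIGRP lines omitted; not checked).
BO1_CONFIG = """\
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key donttellitsasecret address 128.107.9.9
crypto ipsec transform-set name-i-chose esp-3des esp-sha-hmac
crypto map branchmap 10 ipsec-isakmp
 set transform-set name-i-chose
 set peer 128.107.9.9
 match address 101
access-list 101 permit ip 10.99.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit gre any any
interface dialer 2
 crypto map branchmap
interface tunnel 9
 ip address 10.99.2.1 255.255.255.0
 tunnel source loopback 1
 tunnel destination 10.12.1.9
ip route 10.12.1.9 255.255.255.255 dialer2
"""

# ISAKMP settings that Cisco's Next Generation Encryption guidance classes as legacy.
LEGACY_ISAKMP = {"encryption": {"des", "3des"}, "group": {"1", "2", "5"}}


def intf_name(text):
    """Normalise 'dialer 2', 'Dialer2' and 'tunnel 9' to one key such as 'dialer2'."""
    return text.lower().replace(" ", "")


def parse_config(text):
    """Keep only what the checks need: ACLs, crypto maps and where they are applied,
    tunnel destinations, static routes and ISAKMP policy settings."""
    cfg = {"acl": {}, "crypto_map": {}, "map_on_intf": {}, "tunnel": {},
           "static_routes": [], "isakmp": {}}
    mode = None  # (kind, name) of the enclosing top-level command, when tracked
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if raw.startswith(" "):            # subcommand of the current mode
            if mode is None:
                continue
            kind, name = mode
            if kind == "crypto map" and w[:2] == ["match", "address"]:
                cfg["crypto_map"][name]["acl"] = w[2]
            elif kind == "interface" and w[:2] == ["crypto", "map"]:
                cfg["map_on_intf"][name] = w[2]
            elif kind == "interface" and w[:2] == ["tunnel", "destination"]:
                cfg["tunnel"][name] = w[2]
            elif kind == "isakmp" and w[0] in LEGACY_ISAKMP:
                cfg["isakmp"][name][w[0]] = w[1]
            continue
        mode = None
        if w[0] == "access-list":
            cfg["acl"].setdefault(w[1], []).append((w[2], w[3]))   # (action, protocol)
        elif w[:2] == ["ip", "route"]:
            cfg["static_routes"].append(
                (ipaddress.ip_network(f"{w[2]}/{w[3]}"), intf_name(w[4])))
        elif w[:2] == ["crypto", "map"]:
            mode = ("crypto map", w[2])
            cfg["crypto_map"].setdefault(w[2], {})
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            mode = ("isakmp", w[3])
            cfg["isakmp"][w[3]] = {}
        elif w[0] == "interface":
            mode = ("interface", intf_name(" ".join(w[1:])))
    return cfg


def check_branch_vpn(text):
    """Return findings as strings; an empty list means every linkage checked out."""
    cfg = parse_config(text)
    findings = []
    # Linkage 1: the ACL behind each applied crypto map must permit GRE, or the
    # GRE-encapsulated IGP traffic leaves the dialer interface in the clear.
    for intf, map_name in cfg["map_on_intf"].items():
        acl_id = cfg["crypto_map"].get(map_name, {}).get("acl")
        if ("permit", "gre") not in cfg["acl"].get(acl_id, []):
            findings.append(f"crypto map {map_name} on {intf}: ACL {acl_id} "
                            "never permits GRE, so tunnel traffic would go unencrypted")
    # Linkage 2: the tunnel destination needs a (static) route, and that route
    # must exit the interface that carries the crypto map.
    for tun, dest in cfg["tunnel"].items():
        dst = ipaddress.ip_address(dest)
        hits = [intf for prefix, intf in cfg["static_routes"] if dst in prefix]
        if not hits:
            findings.append(f"{tun}: no static route covers tunnel destination {dst}")
        elif hits[0] not in cfg["map_on_intf"]:
            findings.append(f"{tun}: route to {dst} exits {hits[0]}, which has no crypto map")
    # Linkage 3: ISAKMP policy settings that are legacy today.
    for pol, settings in cfg["isakmp"].items():
        for key, legacy in LEGACY_ISAKMP.items():
            if settings.get(key) in legacy:
                findings.append(f"isakmp policy {pol}: {key} {settings[key]} is legacy crypto")
    return findings


if __name__ == "__main__":
    print(*(check_branch_vpn(BO1_CONFIG) or ["no findings"]), sep="\n")
```

Run as-is, the checker reports only the two legacy ISAKMP settings; deleting the permit gre line or the static route from the sample makes it report the corresponding missing linkage.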
Summary–Branch Routing from PC1 to Enterprise Server S1
To complete the chapter, this section works through an example where a host at the
branch sends a packet to a server inside the Enterprise. For the sake of argument, the
branch prefers to send this packet over the Internet. It is immaterial whether the branch
does not have a private link into the Enterprise, or if the engineer chose to implement
routing so that the path through the Internet is currently preferred. The example then
gives us a chance to work through the logic when the packet is sent through a GRE tunnel,
and an IPsec tunnel, and then out the DSL ATM interface.
Following are the steps in Figure 19-12:
Step 1. R1 has the original packet in memory, source 10.99.1.1 (PC1), destination
10.1.1.1 (S1).
Step 2. BO1’s best route for destination 10.1.1.1 uses outgoing interface tunnel 9. This
route may have been learned by an IGP running over this GRE tunnel.
Step 3. BO1 adds a new IPv4 header and GRE header to the original packet. This new
packet has a destination based on BO1’s tunnel 9 subcommand tunnel destination,
which, per the previous Example 19-3, is address 10.12.1.9.
Step 4. BO1 routes the packet formed in the previous step. The best route for 10.12.1.9
lists Dialer 2 as the outgoing interface. The crypto map on interface Dialer 2
refers to an ACL, and that ACL matches this packet with a permit action. This combination
of logic tells BO1 to use IPsec to encrypt this packet for transmission
over the IPsec tunnel.
Step 5. BO1 encrypts the packet that was created in Step 3–in other words, it encrypts
the GRE-created packet.
Step 6. BO1 encapsulates the encrypted data, adding several IPsec headers, plus a new
IPv4 header. The new IPv4 header uses BO1’s public IPv4 address as source
and the configured public IPv4 address of the other end of the IPsec tunnel as
destination. Per the example in Figure 19-10, the destination IP address would
be 128.107.9.9.
Step 7. BO1 routes this latest packet, with its destination IP address of 128.107.9.9,
matching a route (probably a default route) that lists Dialer 2 (again) as the outgoing
interface. However, the crypto map’s ACL does not match the packet
with a permit action, so BO1 bypasses any further IPsec functions and simply
tries to forward the packet.
Step 8. Forwarding out the dialer interface then causes this DSL-connected router to
forward the packet out the underlying ATM interface, which performs the encapsulation
and segmentation previously shown in Figure 19-8.
Interestingly, this process drives the branch router to make comparisons to the routing
table three separate times when forwarding this data. The most important thing to remember
from this example is to get a sense for how the pieces work together and how the steps
add additional headers.
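The eight steps above, and the ACL 101 discussion in the IPsec section, describe a forwarding loop: route, encapsulate, route the new packet, and so on until a packet leaves without matching the crypto map. The following added example, which is not code from the book or from Cisco IOS, models that loop for BO1 using the addresses from Figure 19-10, Figure 19-11 and Example 19-3. BO1's public address is not given on the page, so a documentation-range placeholder stands in for it, and the 10.0.0.0/8 route over tunnel 9 is an assumed stand-in for whatever route EIGRP learned over the tunnel. The ACL evaluation uses IOS wildcard-mask semantics, so the same code also shows why the IPsec packet of Step 7 is not encrypted a second time:

```python
import ipaddress

# Constructed BO1 state, taken from Figure 19-10, Figure 19-11 and Example 19-3.
BO1_PUBLIC_IP = "192.0.2.10"                         # placeholder, not from the page
IPSEC_PEER = "128.107.9.9"                           # crypto map: set peer
TUNNEL_SRC, TUNNEL_DST = "10.12.1.1", "10.12.1.9"    # loopback 1 and tunnel destination

# Routing table as (prefix, outgoing interface). The 10.0.0.0/8 entry is an assumed
# stand-in for the route EIGRP learns over tunnel 9; the /32 is Example 19-3's
# static route; the default route sends everything else out the dialer.
ROUTES = [
    ("10.0.0.0/8", "tunnel9"),
    ("10.12.1.9/32", "dialer2"),
    ("0.0.0.0/0", "dialer2"),
]

# ACL 101 as (protocol, source, source wildcard, destination, destination wildcard).
ACL_101 = [
    ("ip", "10.99.1.0", "0.0.0.255", "10.0.0.0", "0.255.255.255"),
    ("gre", "any", None, "any", None),
]


def lookup(dst):
    """Longest-prefix match against ROUTES; returns the outgoing interface."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p).prefixlen, intf) for p, intf in ROUTES
               if addr in ipaddress.ip_network(p)]
    return max(matches)[1] if matches else None


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    if base == "any":
        return True
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.ip_address(addr)) & care == int(ipaddress.ip_address(base)) & care


def acl_101_permits(pkt):
    """True when some ACL 101 line permits the packet (implicit deny otherwise)."""
    return any(proto in ("ip", pkt["proto"])
               and wildcard_match(pkt["src"], src, sw)
               and wildcard_match(pkt["dst"], dst, dw)
               for proto, src, sw, dst, dw in ACL_101)


def forward(pkt, trace=None):
    """Push one packet through BO1's forwarding logic as in Steps 1-8 of Figure 19-12.
    Returns the packet as it leaves the router (outer header first, with each
    encapsulated packet nested under 'inner') and a trace of the decisions taken."""
    trace = [] if trace is None else trace
    intf = lookup(pkt["dst"])
    trace.append(f"lookup {pkt['dst']} -> {intf}")
    if intf == "tunnel9":
        # Step 3: GRE adds a new IPv4 header built from the tunnel source/destination.
        gre = {"src": TUNNEL_SRC, "dst": TUNNEL_DST, "proto": "gre", "inner": pkt}
        return forward(gre, trace)
    if intf == "dialer2" and pkt["proto"] != "esp" and acl_101_permits(pkt):
        # Steps 4-6: the crypto map on Dialer 2 matched, so the packet is encrypted
        # and wrapped in ESP, with the public addresses as the new outer header.
        esp = {"src": BO1_PUBLIC_IP, "dst": IPSEC_PEER, "proto": "esp", "inner": pkt}
        trace.append("crypto map branchmap: ACL 101 permits -> IPsec encapsulate")
        return forward(esp, trace)
    # Step 7: the IPsec packet (or any packet ACL 101 does not permit) goes out as-is.
    trace.append(f"send out {intf}")
    return pkt, trace


def header_chain(pkt):
    """Flatten the nested packet into its list of headers, outermost first."""
    chain = []
    while pkt:
        chain.append((pkt["proto"], pkt["src"], pkt["dst"]))
        pkt = pkt.get("inner")
    return chain


if __name__ == "__main__":
    final, trace = forward({"src": "10.99.1.1", "dst": "10.1.1.1", "proto": "ip"})
    print("\n".join(trace))
    print(header_chain(final))
```

The trace for the PC1-to-S1 packet shows the three routing-table lookups the chapter points out (10.1.1.1, then 10.12.1.9, then 128.107.9.9), and the header chain shows the ESP, GRE and original IPv4 headers in the order they were added. A packet from PC1 to a public Internet address, by contrast, takes one lookup and leaves Dialer 2 untouched, because neither ACL 101 line permits it.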