You want to tunnel IP traffic through your network.

The basic GRE tunnel configuration is simply a matter of defining the source and destination addresses or interfaces on both devices. On the first router you need to create the tunnel interface, and define its source and destination:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.25.1.7
Router1(config-if)#end
Router1#

Then, on the other router, you must create a tunnel interface with a matching source and destination:

Router5#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router5(config)#interface Tunnel3
Router5(config-if)#ip address 192.168.35.5 255.255.255.252
Router5(config-if)#tunnel source 172.25.1.7
Router5(config-if)#tunnel destination 172.25.1.5
Router5(config-if)#end
Router5#

Creating a basic tunnel is very simple, you just need to define a source and destination on each of two routers. As with any other virtual interface such as subinterfaces or loopback interfaces, a tunnel has an additional memory requirement on the router. However, the CPU overhead is not as bad as you might initially think. This is because GRE tunnels do work well with Cisco Express Forwarding (CEF). So the main scaling issue in creating tunnels on routers is the memory required to support them.

The only tricky part of configuring a tunnel is making sure that the source of the tunnel on one router matches the destination on the other. In this case Router1 uses a source IP address of 172.25.1.5, which happens to be its Ethernet port. If you look at the tunnel destination command on the other router, you will see that it matches. Similarly, the destination on the first router is 172.25.1.7, and the source is 172.25.1.5.

You could also use an alternative syntax, specifying the interface name rather than the IP address:

Router5(config)#interface Tunnel3
Router5(config-if)#tunnel source Ethernet0

This points the tunnel source to the primary IP address on a particular interface on this router. It is crucial that this IP address must match the destination address configured on the other router.

If you then look at the new tunnel interface, you will see that it is up:

Router1#show interfaces tunnel1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.35.6/30
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 172.25.1.5 (FastEthernet0), destination 172.25.1.7
  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
  Checksumming of packets disabled,  fast tunneling enabled
  Last input 00:11:08, output 00:00:08, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     5 packets input, 740 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     73 packets output, 6604 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Router1#

This is deceptive, though. Even if we remove the tunnel configuration from the other router, this interface will still appear to be up. Indeed, this tunnel interface will appear to be up even if you turn off the power on the far end router. In IOS Version 12.2(8)T, Cisco introduced a new keepalive option for GRE tunnels that overcomes this limitation. When you configure a tunnel with this new feature, the interface will go down if there are any connection problems:

Router1(config)#interface Tunnel1
Router1(config-if)#keepalive

By default, this keepalive command sends a packet through the tunnel to check its status once every 10 seconds. If there is no response to three successive polls, the router declares the tunnel interface to be down. So, this will change the tunnel’s status about 30 seconds after a failure.

You can adjust both the time interval and the number of retries. For example, to send a keepalive packet every five seconds, but to keep the default three retry limit, you could use the following command:

Router1(config)#interface Tunnel1
Router1(config-if)#keepalive 5

If you want to change the number of retries, you can specify the new value after the time interval. The following example will send a keepalive packet every three seconds, and will declare the tunnel down if it doesn’t hear a response back to two successive keepalive tests:

Router1(config)#interface Tunnel1
Router1(config-if)#keepalive 3 2

If you are concerned about the integrity of tunneled data, you can enable checksums on a GRE tunnel:

Router1(config)#interface Tunnel1
Router1(config-if)#tunnel checksum

When you turn on checksums, the router will verify the checksum of every GRE packet it receives and drop any packets that don’t match. A similar feature checks to see if packets are received in the correct order:

Router1(config)#interface Tunnel1
Router1(config-if)#tunnel sequence-datagrams

When you enable the sequence-datagrams option, the router will drop any packets that it receives out of their correct order. These two options can be useful in networks that have a tendency to damage packets, or where there are multiple paths between the tunnel routers. Remember that GRE doesn’t use TCP, so these features can help to improve the reliability of a tunnel connection. However, even when you enable these features, the routers will not resend dropped packets (as TCP does).

We do suggest using some caution when you enable either checksums or sequencing on a GRE tunnel, because these features do not work with CEF. So, as soon as you enable either of them, the router will have to resort to process switching, which could drive up your CPU utilization.

The tunnel in the recipe didn’t specify a particular tunnel protocol, so the routers will use the default GRE protocol. If you prefer to use a different tunnel protocol, you can change it using the tunnel mode command as follows:

Router1(config)#interface Tunnel1
Router1(config-if)#tunnel mode ipip

Here we have opted to use the IP-in-IP tunnel protocol that we discussed in the introduction to this chapter. There are several other options for tunnel protocols, which we list in Table 12-1.

In the recipe example, the two routers shared an Ethernet segment, so the routing was trivial. But, in practice, routing between the tunnel end points is often the most difficult thing to get right. The problem, which we will discuss more in Recipe 12.3, is that the tunnel itself is only one routing hop for packets that travel through it, although it might be several physical hops. As a result, the routing protocol will often decide that the best way to get to the tunnel’s destination IP address is through the tunnel itself. This is called recursive routing, and it makes the tunnel useless. So, when a router notices that it is routing GRE packets for a tunnel destination address through the same tunnel, it will automatically disable the tunnel with the following error message:

Jan 16 12:05:04 EST: %TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive
routing
Jan 16 12:05:05 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed
state to down

Cisco has attempted to reduce this problem by making the default bandwidth for all tunnel interfaces 9Kbps. For most routing protocols, this means that you have to traverse several hops before the tunnel looks like a better path. But some protocols, most notably RIP, don’t look at interface bandwidths. It is important to bear in mind that, no matter what protocol you use, at some point a single hop of 9Kbps is going to look better than a large number of higher bandwidth hops.

The only way to avoid this problem is to ensure that there is always a good route to the tunnel destination that doesn’t use the tunnel itself. This is most easily accomplished using static routes, although we will discuss other techniques in Recipe 12.3.

Recipe 12.3

You want to tunnel a foreign protocol (such as IPX traffic) through your IP network.

One of the most important applications of tunnels is for passing foreign protocols through a network that only supports IP. A typical example of this would be IPX, although the configuration is similar for other protocols such as AppleTalk:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ipx routing AAAA.BBBB.0001
Router1(config)#interface Tunnel1
Router1(config-if)#ipx network AAA
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.25.1.7
Router1(config-if)#end
Router1#

Then, on the other router, you must create a tunnel interface with a matching source and destination as well as matching IPX network number:

Router5#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#ipx routing AAAA.BBBB.0002
Router5(config)#interface Tunnel3
Router5(config-if)#ipx network AAA
Router5(config-if)#tunnel source 172.25.1.7
Router5(config-if)#tunnel destination 172.25.1.5
Router5(config-if)#end
Router5#

This recipe is nearly identical to Recipe 12.1, but instead of tunneling IP traffic through an IP network, we use the same kind of tunnel to pass IPX traffic through the same network. Note that of all the supported tunnel modes mentioned in Table 12-1, only the default GRE will transport IPX (although there are several AppleTalk tunnel modes).

This book does not cover IPX, so we won’t go into any detail on the IPX-specific commands here. This is merely intended as an example of how to use GRE tunnels for foreign protocols. For more information on IPX, please refer to Designing Large-Scale LANs (O’Reilly).

To enable IPX on both of these routers, you have to first make sure that you are running an IOS release that supports IPX. The various “Desktop” IOS versions support this protocol, as do the “Enterprise” versions. Please consult the Cisco IOS feature matrixes for more details. Assuming, then, that your router supports IPX, you can enable it with the ipx routing command, as shown. Naturally, you need to enable IPX routing on both routers. Then, the only other important detail is to configure both ends of the GRE tunnel with matching IPX network numbers as we have done in the example.

It’s important to note that you can configure a GRE tunnel to support more than one protocol by simply specifying appropriate network numbers for each protocol using the tunnel. We could, for example, add IP to this IPX tunnel by simply configuring an IP address on both ends, as we did in Recipe 12.1. The tunnel will then support both protocols simultaneously:

Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#ipx network AAA
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.25.1.7
Router1(config-if)#end
Router1#

Recipe 12.1; Designing Large-Scale LANs, by Kevin Dooley (O’Reilly)

You need to pass a dynamic routing protocol through your tunnels.

Dynamic routing and tunnels can be a dangerous combination. It is critical to ensure that the routers never get confused and think that the best path to the tunnel destination is through the tunnel itself. We offer three different ways of resolving this problem.

The first is to use static routes for the tunnel destination address:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.22.1.2
Router1(config-if)#exit
Router1(config)#ip route 172.22.1.2 255.255.255.255 172.25.1.1
Router1(config)#router eigrp 55
Router1(config-router)#network 192.168.35.0
Router1(config-router)#end
Router1#

The second method simply excludes the tunnel’s IP address range from the routing protocol. You can then run a different routing protocol for the addresses that you want to pass through the tunnel:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.22.1.2
Router1(config-if)#exit
Router1(config)#router eigrp 55
Router1(config-router)#network 172.22.0.0
Router1(config-router)#network 172.25.0.0
Router1(config-router)#end
Router1(config)#router rip
Router1(config-router)#network 192.168.35.0
Router1(config-router)#end
Router1#

The third solution is to filter the routes of the supporting network to prevent them from passing through the tunnel:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.22.1.2
Router1(config-if)#exit
Router11(config)#ip prefix-list TUNNELROUTES seq 10 permit 192.168.0.0/16 ge 17
Router1(config)#router eigrp 55
Router1(config-router)#network 172.22.0.0
Router1(config-router)#network 172.25.0.0
Router1(config-router)#network 192.168.35.0
Router1(config-router)#distribute-list prefix TUNNELROUTES out Tunnel1
Router1(config-router)#end
Router1#

As we mentioned in Recipe 12.1, you have to be careful when using a dynamic routing protocol anywhere near a GRE tunnel to avoid the dreaded recursive routing error message, which brings down the tunnel. This happens because the routers need to have a good path through the network to carry the tunnel to its destination. In addition, this path cannot go through the tunnel itself. But the problem is that, because the tunnel forms a virtual connection that directly connects two routers, the path through the tunnel is almost always shorter than any path that goes through the real physical network.

The other way to look at the problem of recursive routing is to think about what the router has to do to a packet that it wants to send through the tunnel. It wraps this packet in the payload of a GRE packet and it puts the tunnel’s destination address in the header of this GRE packet. Then it looks in its routing table to find out where to send this packet. If it finds that the best path is through the tunnel, then it must take this GRE packet and wrap it in the payload of a GRE packet whose destination address is the tunnel destination, and so on. This makes it difficult to deliver the original packet, so the router shuts down the tunnel interface to avoid having to stuff an infinite number of GRE headers onto the front of the packet.

There are two extremely simple solutions to this problem, but they aren’t always applicable. You can use static routes to connect to the tunnel destination, which allows you to force the tunnel traffic to go the right way. Or you can prevent the routing protocol from passing through the tunnel either by using a separate IP address range or access lists. These two options are the first two examples in the solutions section of this recipe.

Note that we have used a specific host route for the destination IP address to ensure that it always uses the right path:

Router1(config)#ip route 172.22.1.2 255.255.255.255 172.25.1.1

The problem with this solution is that it might eliminate some of your network redundancy. For example, if there are several paths to the router that hold the tunnel’s destination, using a static route like this might mean that your tunnel will fail if there is a topology change in the network that affects the manually selected path. In many cases, you can get around this problem by pointing the static route at a carefully selected downstream destination address. But then you run the risk that the router will learn about this downstream destination address through the tunnel, in which case we’re back at square one.

The second simple solution is to simply exclude the tunnel from your routing protocol. In the example, we gave the tunnel an IP address that doesn’t belong to the same address range as the source or destination addresses. This makes excluding the tunnel from the routing protocol relatively easy. By simply not including the 192.168.35.0/24 network in any of the EIGRP network commands, we prevent the tunnel from taking part in the routing protocol. We could also exclude the interface from the routing protocol using a distribute list. Please see Chapter 7 for more information about these EIGRP features.

However, sometimes these simple solutions are not appropriate. Some network topologies require that you use a routing protocol both inside and outside of the tunnel. For example, if you use VPNs to construct your WAN, through either a private or a public IP network, you will probably have to have both.

The best way to approach this type of situation is to start by ensuring that the ranges of IP addresses are distinct. For example, if the network that supports the tunnel uses public addressing, you could use private addressing for routes that need to be learned through the tunnel. Then you can apply a filter to prevent the routes for the supporting network from passing through the tunnel.

There are two ways to accomplish this. One is simply to use distinct routing protocols inside and outside of the tunnel, and not redistribute between the protocols. For example, the routing protocol outside of the tunnel could be BGP, while the tunneled network uses OSPF or EIGRP through the tunnel, or EIGRP and RIP as in the example above.

But another method is necessary if the two sets of routes use the same routing protocol, or if you need to redistribute. With distance vector–type interior routing protocols such as EIGRP and RIP, you can apply a route distribution filter to the tunnel interface to block the supporting network’s routes. Note that EIGRP is much more sophisticated than a simple distance vector protocol like RIP. But this kind of route filtering is not possible with link state protocols such as OSPF, so this is one place where EIGRP’s distance vector roots come in handy.

In the example, we have shown how to do route filtering using a prefix list with EIGRP. This will permit only the 192.168.0.0/16 range of IP addresses to pass through the tunnel, while information about the 172.22.0.0/16 and 172.25.0.0/16 networks that form the support network is never learned through the tunnel. You should apply this type of filter to both ends of the tunnel:

Router11(config)#ip prefix-list TUNNELROUTES seq 10 permit 192.168.0.0/16 ge 17
Router1(config)#router eigrp 55
Router1(config-router)#network 172.22.0.0
Router1(config-router)#network 172.25.0.0
Router1(config-router)#distribute-list prefix TUNNELROUTES out Tunnel1

For more information on EIGRP route distribution filters, please see Chapter 7. For more information on prefix lists, you can refer to either Chapter 7 or Chapter 9.

Recipe 12.1; Chapters Chapter 7 and Chapter 9

You want to check the status of a tunnel.

You can look at the attributes for a tunnel with the show interface command:

Router1#show interface Tunnel5

The easiest way to determine if a tunnel is operational is simply to use a ping test to either the send ICMP packets through the tunnel or to its destination address:

Router1#ping 192.168.66.6
Router1#ping 172.22.1.4

You can use the standard show interface command on a tunnel interface to see a considerable amount of useful information about it:

Router1#show interface Tunnel5
Tunnel5 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.66.5/30
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 172.25.1.3, destination 172.25.1.4
  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
  Checksumming of packets disabled,  fast tunneling enabled
  Last input 1d19h, output 00:00:06, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 79
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     2536 packets input, 1386605 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     23235 packets output, 2036436 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Router1#

As you can see from this output, the show interface command tells you what the tunnel’s source and destination IP addresses are. You can see the input and output rate, as well as the total number of packets and bytes both sent and received on this tunnel interface. The output also shows that we are using the default GRE tunnel protocol and not enabled checksums or keepalives on this tunnel.

There is only one serious problem with this output. Because we have not enabled keepalives, we discussed in Recipe 12.1, the show interface command will almost always show the tunnel interface as being in an up state. As we mentioned in Recipe 12.1, the router will temporarily bring the tunnel interface down in response to recursive routing situations, and you can also use the shutdown command to disable a tunnel as you would with any other interface. However, usually the tunnel interface will appear to be in an up state, even if the router can’t reach the tunnel destination router.

If you are running an IOS level that supports keepalives on tunnels, you can enable that feature. Then the show interface command will give a more realistic view of the tunnel’s status. But, without that feature, the easiest way to see if a tunnel is working is to simply ping through it:

Router1#ping 192.168.66.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.66.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/20 ms
Router1#

Alternatively, you can ping the destination IP address of the tunnel:

Router1#ping 172.22.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.66.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/20 ms
Router1#

Recipe 12.1

You want to create an encrypted VPN through the Internet connecting two routers using pre-shared keys.

In this example, we show how to use IPSec to encrypt traffic from one router to another through a GRE tunnel. Here is the configuration of the first router:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto isakmp key TUNNELKEY01 address 172.22.1.4 no-xauth
Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-
sha-hmac
Router1(cfg-crypto-trans)#mode transport
Router1(cfg-crypto-trans)#exit
Router1(config)#crypto map TUNNELMAP 10 ipsec-isakmp
Router1(config-crypto-map)#set peer 172.22.1.4
Router1(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router1(config-crypto-map)#match address 116
Router1(config-crypto-map)#exit
Router1(config)#access-list 116 permit gre host 172.22.1.3 host 172.22.1.4
Router1(config)#interface Tunnel5
Router1(config-if)#ip address 192.168.66.5 255.255.255.252
Router1(config-if)#tunnel source 172.22.1.3
Router1(config-if)#tunnel destination 172.22.1.4
Router1(config-if)#exit
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip address 172.22.1.3 255.255.255.0
Router1(config-if)#crypto map TUNNELMAP
Router1(config-if)#end
Router1#

Here is the corresponding configuration for the other router:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#crypto isakmp policy 10
Router2(config-isakmp)#encryption 3des
Router2(config-isakmp)#authentication pre-share
Router2(config-isakmp)#group 2
Router2(config-isakmp)#exit
Router2(config)#crypto isakmp key TUNNELKEY01 address 172.22.1.3 no-xauth
Router2(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-
sha-hmac
Router2(cfg-crypto-trans)#mode transport
Router2(cfg-crypto-trans)#exit
Router2(config)#crypto map TUNNELMAP 10 ipsec-isakmp
Router2(config-crypto-map)#set peer 172.22.1.3
Router2(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router2(config-crypto-map)#match address 116
Router2(config-crypto-map)#exit
Router2(config)#access-list 116 permit gre host 172.22.1.4 host 172.22.1.3
Router2(config)#interface Tunnel5
Router2(config-if)#ip address 192.168.66.6 255.255.255.252
Router2(config-if)#tunnel source 172.22.1.4
Router2(config-if)#tunnel destination 172.22.1.3
Router2(config-if)#exit
Router2(config)#interface FastEthernet1/0
Router2(config-if)#ip address 172.22.1.4 255.255.255.0
Router2(config-if)#crypto map TUNNELMAP
Router2(config-if)#end
Router2#

There are several steps to these configurations, but they are the same on both routers. The first step is to create an appropriate key exchange policy using ISAKMP. The following set of commands defines the policy with priority 10. When ISAKMP negotiates the Security Association (SA) parameters, it starts with the highest priority and goes to the lowest. The highest possible priority value is 10,000:

Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2

This policy uses 168-bit Triple DES encryption, pre-shared authentication keys, and group 2 (1024-bit) for DH exchange. If we did not configure this, the routers would have to resort to the default parameters, which are 56-bit DES encryption, Rivest Shamir Adleman (RSA) signatures for authentication and DH group 1 (768-bit). You can see the available policies on a router with the show crypto isakmp policy command:

Router1#show crypto isakmp policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure  Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

We could have also adjusted the hash algorithm and the lifetime of a particular SA as follows:

Router1(config)#crypto isakmp policy 20
Router1(config-isakmp)#hash md5
Router1(config-isakmp)#lifetime 600

This policy uses the somewhat less secure but faster MD5 hash algorithm and reduces the SA lifetime to 600 seconds (10 minutes). The default hash algorithm is the standard IPSec SHA, and the default lifetime is 86,400 seconds (24 hours). Reducing the lifetime forces the routers to renegotiate the various SA parameters, including encryption keys, more frequently. This frequent renegotiation improves security, but at the expense of higher router CPU utilization and possible delays during the renegotiation process.

Because we have configured the routers to use pre-shared keys in this policy, we need to define this initial key with the crypto isakmp key command:

Router1(config)#crypto isakmp key TUNNELKEY01 address 172.22.1.4 no-xauth

As you can see, this sets this key only for one IP address, which is the address of the other router. We have included the no-xauth option on the command line to explicitly disable IKE Extended Authentication (XAuth) on the routers, which is not necessary when the peer is another router. ISAKMP can work with either IP addresses or hostnames to identify devices. So we could have specified this command like this instead:

Router1(config)#crypto isakmp key TUNNELKEY01 hostname Router2.oreilly.com no-xauth

However, to do this, we would also have needed to ensure that the remote device used its hostname when declaring its ISAKMP identity:

Router2(config)#crypto isakmp identity hostname

We avoided this extra complication by simply using IP addresses, which is the default behavior.

There are several useful commands for looking at the ISAKMP functions on your router. The first is show crypto isakmp key, which lists all of the pre-shared keys that are available:

Router1#show crypto isakmp key
Hostname/Address       Preshared Key
172.25.1.4             TUNNELKEY01
Router1#

Note that this doesn’t mean that there is an active SA using this key, merely that the key is available if required. If you want to see information on active ISAKMP SAs, you should use the following command:

Router1#show crypto isakmp sa
dst             src             state           conn-id    slot
172.25.1.4      172.25.1.3      QM_IDLE               1       0

Router1#

In this case, you can see that there is an active connection between the two routers shown in the example. The connection ID for this particular SA is shown in the conn-id column. You can use this ID number to clear the SA and force the routers to renegotiate as follows:

Router1#clear crypto isakmp 1
Router1#show crypto isakmp sa
dst             src             state           conn-id    slot
172.25.1.4      172.25.1.3      MM_NO_STATE           1       0   (deleted)

Router1#

This particular SA is now in a deleted state, as the routers begin to renegotiate their ISAKMP parameters. A short time later, they will re-establish a new SA.

The next part of the router configuration defines the IPSec transform set, and gives it the name TUNNEL-TRANSFORM, to distinguish it from other transform sets that we might want to use for other purposes:

Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-
sha-hmac
Router1(cfg-crypto-trans)#mode transport

A transform is simply the operation that IPSec will perform on any matching data packets. There are several possible transforms, which are listed in Table 12-2.

In the above example, we chose to combine the more secure 168-bit DES encryption with the more reliable SHA authentication system for maximum security on both the AH and ESP portions of the packet. As we said earlier, many of the combinations are not possible (for example, you cannot combine 56-bit DES with 168-bit DES, as it doesn’t make sense). The router will prevent you from entering impossible combinations.

It’s also worth mentioning that you can use IPSec to compress the IP packet payload. This is not commonly done, though, because there are problems with combining encryption with compression.

While the authors of the IPSec RFCs argue eloquently for the separate usefulness of authentication and encryption, in practice we believe that if your traffic is important enough for one, you should do both. The extra configuration on the router is minimal, and if your router’s CPU can’t easily handle the load of both encrypting and authenticating, it is probably not the right router for the job. So, if you are going to either authenticate or encrypt your traffic, we recommend using both together for added security.

In this transform set, we have also instructed the router to use IPSec transport mode:

Router1(cfg-crypto-trans)#mode transport

By default, IPSec connections will use tunnel mode, which means that the two devices will set up their own tunnel for IPSec to use. This actually uses the IP-in-IP tunnel protocol that we mentioned in the introduction to this chapter. However, in this example we want to use a GRE tunnel between the routers instead, and simply authenticate and encrypt the GRE packets, which requires transport mode.

The main reasons for using GRE tunnels instead of IPSec’s native tunnel mode are simplicity and flexibility. Using a GRE tunnel between these routers allows us to take advantage of some of the useful GRE features if we want them. For example, we can easily use a GRE tunnel to pass other protocols such as IPX or AppleTalk, and we can use the techniques discussed in Recipe 12.3 to pass routing protocol traffic through the encrypted tunnel. The GRE tunnel also makes debugging much easier, as we can simply disable the encryption and ping through the tunnel or ping the tunnel destination addresses to verify connectivity without the complications of authentication and encryption. If the other end of this tunnel was a workstation instead of a router, however (as in Recipe 12.6), we would have to use tunnel mode.

The next step is to define a crypto map that combines all of these elements. The following set of commands defines a map called TUNNELMAP. The number following this name is a sequence number, similar to the route map sequence numbers that we discussed in Chapters Chapter 6, Chapter 7, and Chapter 8. This allows you to associate many peers with a single router interface by creating several different map clauses with different sequence numbers, all associated with the same map.

The keyword ipsec-isakmp on the end of the crypto map command tells the router that this map will apply to IPSec connections that use ISAKMP for key management. You could also specify ipsec-manual if you wanted to do the key management manually. We don’t generally recommend manual key management because it is so much trouble to get right, while ISAKMP automates most of the work for you:

Router1(config)#crypto map TUNNELMAP 10 ipsec-isakmp
Router1(config-crypto-map)#set peer 172.22.1.4
Router1(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router1(config-crypto-map)#match address 116
Router1(config-crypto-map)#exit
Router1(config)#access-list 116 permit gre host 172.22.1.3 host 172.22.1.4

The crypto map defines an IPSec peer device by its IP address. If you are using host-names instead of IP addresses (as discussed earlier in this recipe), you should specify the peer’s hostname instead of an IP address. The map also selects the appropriate transform set, and matches on a particular set of IP addresses, defined in this case by access-list 116.

The access list tells IPSec what packets it should apply this transform set to. In this case, we specify a source IP address of 172.22.1.3, which is the IP address of the tunnel source, and 172.22.1.4, which is the tunnel’s destination address. And because of the gre keyword, this access list will only match GRE tunnel packets with these source and destination addresses.

On the other router, the peer address is 172.22.1.3, and the access list reverses the source and destination addresses:

Router2(config)#access-list 116 permit gre host 172.22.1.4 host 172.22.1.3

Then, with all of the IPSec and ISAKMP configuration in place, we can finally create the tunnel and turn on the encryption. The tunnel configuration is similar to what we used in Recipe 12.1:

Router1(config)#interface Tunnel5
Router1(config-if)#ip address 192.168.66.5 255.255.255.252
Router1(config-if)#tunnel source 172.22.1.3
Router1(config-if)#tunnel destination 172.22.1.4
Router1(config-if)#exit
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip address 172.22.1.3 255.255.255.0
Router1(config-if)#crypto map TUNNELMAP

It’s extremely important to notice that we have applied the crypto map to the interface that will be receiving the GRE packets, and not to the tunnel itself. This is because IPSec is encrypting the GRE tunnel packets, rather than the payload of those packets. For one thing, the GRE tunnel’s payload is not necessarily an IP packet. However, even when they are IP packets, the source and destination IP addresses of the GRE payload could be devices somewhere behind the router. This breaks the essential requirement for IPSec’s transport mode, which is that the source and destination IP addresses must be the devices themselves. So the only way you could successfully apply the crypto map to the tunnel interface would be by using an IPSec tunnel inside of the GRE tunnel, which would not be very efficient.

You can see that the encryption is working properly by looking at the output of the following command on either router:

Router2#show crypto engine connections active

  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet1/0 172.25.1.4      set    HMAC_SHA+3DES_56_C        0        0
2002 FastEthernet1/0 172.25.1.4      set    HMAC_SHA+3DES_56_C        0      407
2003 FastEthernet1/0 172.25.1.4      set    HMAC_SHA+3DES_56_C     1019        0

Router2#

This shows that the router has received and decrypted 407 encrypted packets from the peer that we defined, and it has sent 1,019. It also shows that we are using the SHA hash algorithm for authentication and Triple DES for encryption in the Algorithm column.

Recipe 12.1; Recipe 12.3

You want to create a shareable RSA key for authentication or encryption.

First, you must create the keys on both devices. We recommend using at least 1024-bit keys in production networks:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#crypto key generate rsa
The name for the keys will be: Router1.oreilly.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]

Router1(config)#end
Router1#show crypto key mypubkey rsa
% Key pair was generated at: 01:19:45 EST Mar 1 2003
Key name: Router1.oreilly.com
 Usage: General Purpose Key
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338
  D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC
  B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9
  FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742
  2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001
% Key pair was generated at: 01:19:52 EST Mar 1 2003
Key name: Router1.oreilly.com.server
 Usage: Encryption Key
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00BD928A BD5637E6
  2265621C 3AC57138 911CA27D 11F40AA1 E657EA26 6EBF654C 952A3319 D421A33C
  E2ECA87E CD7E050C 8A8FE64D B73954EA BF2ED639 BC6A8F74 5B9550EA 4119E796
  A97430E2 4B1BF7D3 ED1469FF AEA83690 A0FEA871 BBFBE8AD 19020301 0001
Router1#

Then you can use cut and paste to copy this manually generated key into the other device:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#crypto key pubkey-chain rsa
Router2(config-pubkey-chain)#addressed-key 192.168.99.1
Router2(config-pubkey-key)#address 192.168.99.1
Router2(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....

Router2(config-pubkey)#30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181
00E68338
Router2(config-pubkey)#D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342
054EADFC
Router2(config-pubkey)#B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988
312B11E9
Router2(config-pubkey)#FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852
408E9742
Router2(config-pubkey)#2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2
37020301 0001
Router2(config-pubkey)#quit
Router2(config-pubkey-key)#exit
Router2(config-pubkey-chain)#exit
Router2(config)#end
Router2#show crypto key pubkey-chain rsa address 192.168.99.1
Key address: 192.168.99.1
 Usage: General Purpose Key
 Source: Manually entered
 Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338
  D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC
  B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9
  FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742
  2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001


Router2#

When you use the crypto key generate command to create new keys, the router must delete any existing keys:

Router1(config)#crypto key generate rsa
The name for the keys will be: Router1.oreilly.com
% You already have RSA keys defined for Router1.oreilly.com.
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]

Router1(config)#

During key generation, any services on the router that is currently using these keys will be temporarily disabled. Key generation can take a considerable length of time, depending on the model of router and the size of the key modulus. We have seen a low-end access router take as long as an hour to generate a key with a very large modulus for greater security. During this time, the router’s CPU load was extremely high. So we urge caution when using this command.

You can remove existing keys with the crypto key zeroize command:

Router1(config)#crypto key zeroize rsa
% Keys to be removed are named Router1.oreilly.com.
Do you really want to remove these keys? [yes/no]: yes
Router1(config)#

If the router has any services that are using the deleted keys, it will automatically disable them until you generate new keys.

You can also generate special usage keys as follows:

Router1(config)#crypto key generate rsa usage-keys
The name for the keys will be: Router1.oreilly.com
% You already have RSA keys defined for Router1.oreilly.com.
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 2048 for your
  Signature Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]
Choose the size of the key modulus in the range of 360 to 2048 for your
  Encryption Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]

Router1(config)#

This command creates separate authentication signature and encryption keys. You can look at the public keys with the show crypto key command:

Router1#show crypto key mypubkey rsa
% Key pair was generated at: 01:29:04 EST Mar 1 2003
Key name: Router1.oreilly.com
 Usage: Signature Key
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00AAED98
  0E454C8F ED9DB93E 312B00BD FF561C49 5480344A 094F0EA8 0D994051 AC627CF2
  5FA7F802 DB0A1206 4EB8F8E5 122C9B2D 0F3A20D8 C0E90280 D4F6518A 9C6C2E48
  A570D05A AE2881CA B9366990 931C4A7E EDC6B352 13815B91 3A02B44E 4655DE6D
  1CB5AB35 058B60AA 4639B696 A8EE735E DA15B300 B8A0CE51 7C42B73A 53020301 0001
% Key pair was generated at: 01:29:11 EST Mar 1 2003
Key name: Router1.oreilly.com
 Usage: Encryption Key
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00D18F99
  EC2A5754 C1FEF911 E16BFD80 6C3E9517 42716B78 99692618 B57B529B A9C19B23
  6D4BF3CE 39728DEF 2B3D10F9 3DABBDFD 8CAB09F7 0A56768C 053BB4AF 7F224E44
  FA341851 10152A86 28C2084F C13E0738 4C478BED 9960E229 CB112077 097F3DC9
  DD40D109 0A513D31 FF0FD51D B3515CEA F81738B6 5BB02FF6 812A01AC F7020301 0001
% Key pair was generated at: 01:29:14 EST Mar 1 2003
Key name: Router1.oreilly.com.server
 Usage: Encryption Key
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B43311 D047EFBC
  314C57DB 93F3E755 5CEBF4B5 D0258169 6DAC695B A0F5DA35 C6C7B106 C2BB7863
  0201B68A 7C2F3313 47223065 BDF84692 BF974F2E E4037D5D C976DB3A 231D2603
  6DE8CDCE 8EAD613E 5C984091 55A6B0F5 920E285B 6E4ED34E 31020301 0001
Router1#

As you can see, the router now has a signature key and an encryption key where it previously had only a general purpose key. However, it is important to remember that this is only the public key. There is also a corresponding private key that you cannot view on the router. The router keeps this key in its NVRAM storage and sets file permissions so nobody can read it. The private key is what the router uses to encrypt things that it sends. The public key can decrypt anything encrypted with the private key. Every device that this router shares encrypted information with will need a copy of the public key, but the private key is secret.

As a side effect of this, the public key provides an excellent authentication system. If the device’s public key successfully decrypts a message, then you know that this message must have been encrypted with that device’s private key. And, consequently, if the private key really is private, the message must actually have been sent by that device.

When you use these keys on routers, we highly recommend using the cut-and-paste feature on your terminal, rather than trying to type all of this in manually. A single typographical error in this sequence will make the key useless. Note, however, that there is an inherent security risk in copying and pasting a key like this over a network. If you are using an insecure protocol like Telnet, the packet can be intercepted, and the key information is easily extracted. So you should avoid doing this over untrusted networks.

In Recipe 12.7 we will show an example of how to use RSA keys.

Recipe 12.7

You want to create an encrypted VPN between two routers using RSA keys.

As in Recipe 12.3, we will use IPSec transport mode and a GRE tunnel for this encrypted router-to-router connection:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#crypto key pubkey-chain rsa
Router1(config-pubkey-chain)#addressed-key 172.22.1.4
Router1(config-pubkey-key)#address 172.22.1.4
Router1(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....

Router1(config-pubkey)#305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B8120C
AC2C5AAC
Router1(config-pubkey)#ADAD378D A5A1F140 2EB9A66A DD6FF2A9 7DD47692 5CDE4732 E2C9EDDA
52809BE0
Router1(config-pubkey)#D60A5A34 CDD7DC31 DA7F9590 849F142E 26C6F130 0A2E4491 65020301
0001
Router1(config-pubkey)#quit
Router1(config-pubkey-key)#exit
Router1(config-pubkey-chain)#exit
Router1(config)#crypto isakmp policy 100
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#authentication rsa-encr
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-
sha-hmac
Router1(cfg-crypto-trans)#mode transport
Router1(cfg-crypto-trans)#exit
Router1(config)#crypto map TUNNEL-RSA 10 ipsec-isakmp
Router1(config-crypto-map)#set peer 172.22.1.4
Router1(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router1(config-crypto-map)#match address 116
Router1(config-crypto-map)#exit
Router1(config)#access-list 116 permit gre host 172.22.1.3 host 172.22.1.4
Router1(config)#interface Tunnel5
Router1(config-if)#ip address 192.168.66.5 255.255.255.252
Router1(config-if)#tunnel source 172.22.1.3
Router1(config-if)#tunnel destination 172.22.1.4
Router1(config-if)#exit
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip address 172.22.1.3 255.255.255.0
Router1(config-if)#crypto map TUNNEL-RSA
Router1(config-if)#end
Router1#

Here is the corresponding configuration for the other router:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#crypto key pubkey-chain rsa
Router2(config-pubkey-chain)#addressed-key 172.22.1.3
Router2(config-pubkey-key)#address 172.22.1.3
Router2(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....

Router2(config-pubkey)#305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DA2810
6627212B
Router2(config-pubkey)#7234CC4A 91BCB4CC 7985AD4B 884E4653 9E533422 A34A4011 E7402B56
7DCE7A33
Router2(config-pubkey)#7407C6DE 995D2EBD E9F2C29D B4EEB962 61B9CF3B 05D903FC 57020301
0001
Router2(config-pubkey)#quit
Router2(config-pubkey-key)#exit
Router2(config-pubkey-chain)#exit
Router2(config)#crypto isakmp policy 100
Router2(config-isakmp)#encryption 3des
Router2(config-isakmp)#authentication rsa-encr
Router2(config-isakmp)#group 2
Router2(config-isakmp)#exit
Router2(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-
sha-hmac
Router2(cfg-crypto-trans)#mode transport
Router2(cfg-crypto-trans)#exit
Router2(config)#crypto map TUNNEL-RSA 10 ipsec-isakmp
Router2(config-crypto-map)#set peer 172.22.1.3
Router2(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router2(config-crypto-map)#match address 116
Router2(config-crypto-map)#exit
Router2(config)#access-list 116 permit gre host 172.22.1.4 host 172.22.1.3
Router2(config)#interface Tunnel5
Router2(config-if)#ip address 192.168.66.6 255.255.255.252
Router2(config-if)#tunnel source 172.22.1.4
Router2(config-if)#tunnel destination 172.22.1.3
Router2(config-if)#exit
Router2(config)#interface FastEthernet1/0
Router2(config-if)#ip address 172.22.1.4 255.255.255.0
Router2(config-if)#crypto map TUNNEL-RSA
Router2(config-if)#end
Router2#

This recipe is similar to 12.3, except that here we use RSA keys for authentication and encryption instead of pre-shared keys. This technique is more secure but more time consuming to configure.

The first step is to create a set of RSA encryption keys using the methods discussed in Recipe 12.6. We took the keys that we generated in this way and entered them into the router configurations. So, for example, we created the key on Router1 as follows:

Router1(config)#crypto key generate rsa
The name for the keys will be: Router1.oreilly.com
% You already have RSA keys defined for Router1.oreilly.com.
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
Generating RSA keys ...
[OK]

Router1(config)#exit
Router1#show crypto key mypubkey rsa
% Key pair was generated at: 11:25:55 EST Jan 26 2003
Key name: Router1.oreilly.com
 Usage: General Purpose Key
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DA2810 6627212B
  7234CC4A 91BCB4CC 7985AD4B 884E4653 9E533422 A34A4011 E7402B56 7DCE7A33
  7407C6DE 995D2EBD E9F2C29D B4EEB962 61B9CF3B 05D903FC 57020301 0001
% Key pair was generated at: 11:26:01 EST Jan 26 2003
Key name: Router1.oreilly.com.server
 Usage: Encryption Key
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00A3603A 58941769
  EF93B43D C89AC7CF 2A6DA0D5 F72BCFF8 D9EEDDD2 B0CE9A8E B4BAFD2D 805A4D8F
  969A5AE3 5F4F8252 744A0834 B4BA24B9 BC7E4522 2345F081 587BD1A8 309B03F4
  A70F2373 2AB6CEE5 736F6D61 F64A94A6 30CE253F BEB8330B FF020301 0001
Router1#

Note that in this example we used the default 512-bit key. However, in production networks, we recommend using 1024-bit keys or higher.

Then we took the general purpose key from this output and entered it into the other router as follows:

Router2(config)#crypto key pubkey-chain rsa
Router2(config-pubkey-chain)#addressed-key 172.22.1.3
Router2(config-pubkey-key)#address 172.22.1.3
Router2(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
Router2(config-pubkey)#305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DA2810
6627212B
Router2(config-pubkey)#7234CC4A 91BCB4CC 7985AD4B 884E4653 9E533422 A34A4011 E7402B56
7DCE7A33
Router2(config-pubkey)#7407C6DE 995D2EBD E9F2C29D B4EEB962 61B9CF3B 05D903FC 57020301
0001
Router2(config-pubkey)#quit
Router2(config-pubkey-key)#exit
Router2(config-pubkey-chain)#exit

We then repeated the procedure on the other router.

With the keys in place, we proceeded to tell the routers how to use these keys to create an IPSec connection. Even though we are using a manually entered key, the two routers still need to use ISAKMP. The important difference between this example and the one in Recipe 12.3 is that here we are using RSA authentication keys. So we need to tell the routers to use this key method in the ISAKMP policy:

Router1(config)#crypto isakmp policy 100
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#authentication rsa-encr
Router1(config-isakmp)#group 2

After that, the remainder of the configuration is essentially identical to what we showed in Recipe 12.3.

Recipe 12.3; Recipe 12.6

You want to make a VPN from a remote workstation to a router.

There are several steps to configuring a router to accept IPSec VPN connections from remote PCs. The following discussion doesn’t include requirements for the PC’s software configuration, just the router’s configuration. You should refer to the software vendor’s documentation for information about configuring the workstation software:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default group tacacs+
Router1(config)#aaa authentication enable default group tacacs+
Router1(config)#tacacs-server host 172.25.1.1
Router1(config)#tacacs-server key COOKBOOK
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto ipsec transform-set VPN-TRANSFORMS ah-sha-hmac esp-sha-hmac
esp-3des
Router1(cfg-crypto-trans)#mode tunnel
Router1(cfg-crypto-trans)#exit
Router1(config)#crypto dynamic-map VPN-USER-MAP 50
Router1(config-crypto-map)#description A dynamic crypto map for VPN users
Router1(config-crypto-map)#match address 115
Router1(config-crypto-map)#set transform-set VPN-TRANSFORMS
Router1(config-crypto-map)#exit
Router1(config)#access-list 115 deny any 224.0.0.0 35.255.255.255
Router1(config)#access-list 115 deny any 172.25.1.255 0.0.0.0
Router1(config)#access-list 115 permit any any
Router1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp dynamic VPN-USER-MAP
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip address 172.25.1.5 255.255.255.0
Router1(config-if)#crypto map CRYPTOMAP
Router1(config-if)#exit
Router1#

The first few lines in this example are the aaa and tacacs-server commands, which are described in more detail in Chapter 4. This simply sets up username authentication for all incoming VPN connections, and allows you to get these authentication credentials from a central server running the TACACS+ protocol.

We are using AAA and TACACS+ in this configuration to supply the pre-shared keys that ISAKMP will use to set up its SA for this VPN. This is similar to the use of pre-shared keys in Recipe 12.3, but here we expect to have a large number of remote VPN users, so it is administratively easier if we manage them from the TACACS+ server instead of on the router.

Then we set up the ISAKMP policy as follows:

Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2

This defines the policy for authentication and encryption keys, and is identical to the ISAKMP policy we used in Recipe 12.3. We selected these particular policy parameters because they are required for the Cisco Easy VPN Remote software. If you are using different client software, you may need to use different settings. This policy is also identical to the one we used in Recipe 12.3.

After doing this, we need to define the IPSec VPN properties. We begin by defining the transform set that we want to use for these VPN connections. We will call this transform set VPN-TRANSFORMS.

Router1(config)#crypto ipsec transform-set VPN-TRANSFORMS ah-sha-hmac esp-sha-hmac
esp-3des
Router1(cfg-crypto-trans)#mode tunnel

The VPN will use the esp-sha-hmac and esp-3des transforms. This transform set is almost the same as the one in Recipe 12.3, but this time we have specified that this VPN should use tunnel mode with the mode command. In Recipe 12.3, IPSec was used to encrypt traffic in a GRE tunnel. However, here we are dealing with VPNs that terminate on a user workstation, so it is not possible to create a GRE tunnel before establishing the connection. This example uses tunnel mode, which is actually the default.

Because the workstation could, in principle, be anywhere on the Internet, we can’t even define an IP address for it. But, to use IPSec on a Cisco router, we need to create a crypto map, which is a template for the SA that IPSec will use for this session. Fortunately, Cisco provides the ability to create dynamic crypto maps for precisely these types of situations:

Router1(config)#crypto dynamic-map VPN-USER-MAP 50
Router1(config-crypto-map)#description A dynamic crypto map for VPN users
Router1(config-crypto-map)#match address 115
Router1(config-crypto-map)#set transform-set VPN-TRANSFORMS

This creates a dynamic map called VPN-USER-MAP. The number (50) on the end of the line is a sequence number, similar to the sequence numbers used in route map statements. The router will look at all map entries in sequence until it finds a match. In this case, the match is decided by the match address command, which compares the IP addresses of packets to access-list 115. If the access list matches the addresses in the packet header, it will then apply the transform set that we created earlier.

The access list here blocks any packets whose destination addresses are either multicasts or local broadcasts. Obviously this type of traffic cannot possible be associated with a VPN:

Router1(config)#access-list 115 deny any 224.0.0.0 35.255.255.255
Router1(config)#access-list 115 deny any 172.25.1.255 0.0.0.0
Router1(config)#access-list 115 permit any any

In practice, you may want to use a more restrictive access list.

We can then build the actual crypto map that references this dynamic map. In the following command, we create a crypto map called, appropriately enough, CRYPTOMAP. This command is sequence number 10 in the definition of the map. In fact, it’s the only command in the map’s definition, but there could easily be others, including static crypto maps similar to the ones we discussed in Recipe 12.3 and Recipe 12.5. Usually you actually want to put any dynamic maps at the end of your crypto map. This is because dynamic maps work best as catchall conditions for unknown IP addresses. So, if there are any known IP addresses that require special attention, you need to configure them first, before the dynamic map statements.

You apply the crypto map to the interface that will be receiving the VPN requests:

Router1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp dynamic VPN-USER-MAP
Router1(config)#interface FastEthernet0/1
Router1(config-if)#crypto map CRYPTOMAP

Recipe 12.3; Recipe 12.5; Chapter 4

You want to check the status of a VPN.

There are several useful commands for displaying IPSec parameters.

The command show crypto isakmp sa shows all of the ISAKMP security associations:

Router1#show crypto isakmp sa

You can look at the IPSec security associations with this command:

Router1#show crypto ipsec sa

Even if you aren’t using a key management protocol such as ISAKMP, you can see information on all of the active IPSec connections with the following command:

Router1#show crypto engine connections active

This closely related command will tell you about packet drops within the encryption engine:

Router1#show crypto engine connections dropped-packet

The show crypto map command gives information about all of the IPSec crypto maps that you have configured on your router, in use or not:

Router1#show crypto map

You can specify a particular crypto map with the tag keyword:

Router1#show crypto map tag TUNNELMAP

For information about dynamic crypto maps, you can use the following command:

Router1#show crypto dynamic-map

The show crypto isakmp sa command lets you see information about the current state of any ISAKMP key exchanges that the router is involved in:

Router1#show crypto isakmp sa
dst             src             state           conn-id    slot
172.25.1.4      172.25.1.3      QM_IDLE               1       0

Router1#

Table 12-3 shows all of the possible ISAKMP SA states.

We used Main Mode in all of the examples in this chapter. Aggressive Mode allows faster SA setup by combining SA parameter negotiation, key exchange, and authentication information into the same packet. This has the disadvantage of not hiding the identity information on the peer devices, however. In Main Mode exchanges, this identity information is exchanged separately in encrypted form. Main Mode is the default. Because the extra overhead is minimal, you generally don’t need to resort to Aggressive Mode for ISAKMP.

Quick Mode is possible only after the initial ISAKMP exchange has happened at least once. The routers then use this mode when periodically renegotiating the SA information of an SA that has been active for a while. Quick Mode can take advantage of the existing SA to encrypt its exchange.

You can use the following rather verbose command to look at IPSec SAs:

Router1#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: TUNNELMAP, local addr. 172.25.1.3

   local  ident (addr/mask/prot/port): (172.22.1.3/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.22.1.4/255.255.255.255/47/0)
   current_peer: 172.25.1.4
     PERMIT, flags={transport_parent,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.25.1.3, remote crypto endpt.: 172.25.1.4
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


   local  ident (addr/mask/prot/port): (172.22.1.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.22.1.4/255.255.255.255/47/0)
   current_peer: 172.25.1.4
     PERMIT, flags={origin_is_acl,transport_parent,parent_is_transport,}
    #pkts encaps: 466, #pkts encrypt: 466, #pkts digest 466
    #pkts decaps: 1156, #pkts decrypt: 1156, #pkts verify 1156
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.25.1.3, remote crypto endpt.: 172.25.1.4
     path mtu 1500, media mtu 1500
     current outbound spi: EB99FB6C

     inbound esp sas:
      spi: 0x5A48ACC4(1514712260)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: TUNNELMAP
        sa timing: remaining key lifetime (k/sec): (4606612/3392)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0xEB99FB6C(3952737132)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: TUNNELMAP
        sa timing: remaining key lifetime (k/sec): (4607955/3392)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:


Router1#

There is clearly a lot of information in this output. It breaks out the inbound and outbound information, and shows what crypto maps have been applied to which interfaces. It also includes information about the number of packets that the router has both been sent and received, as well as how much time remains before the SA must be renegotiated.

The show crypto engine commands allow you to see some of this same information in a more compact form. With the connections active keywords, this command tells you what interfaces are involved in IPSec SAs, the peer IP addresses, the algorithms used, and the number of packets sent and received through the encryption engine:

Router1#show crypto engine connections active

  ID Interface       IP-Address      State Algorithm           Encrypt Decrypt
   1 <none>          <none>          set   HMAC_SHA+3DES_56_C        0       0
2088 FastEthernet0/1 172.25.1.3      set   HMAC_SHA+3DES_56_C        0       5
2089 FastEthernet0/1 172.25.1.3      set   HMAC_SHA+3DES_56_C      202       0

Router1#

With the connections dropped-packet keywords, you get some simple statistics on dropped packets. In the following example, the encryption engine was forced to drop five packets because the router tried to send them before it had a valid connection:

Router1#show crypto engine connections dropped-packet

Packets dropped because of connection not established:
Interface            IP-Address           Drop Count
FastEthernet0/1      172.25.1.3                    5

Router1#

The command show crypto map displays information about all of the configured crypto maps on the router, including which interfaces are currently using them. Note that just because a particular interface is using a particular crypto map, it does not follow that there are any active IPSec SAs. It only means that you have applied this map to this interface using the crypto map interface configuration command:

Router1#show crypto map
        Interfaces using crypto map VPN-MAP:

Crypto Map "CRYPTOMAP" 10 ipsec-isakmp
        Dynamic map template tag: VPN-USER-MAP
        Interfaces using crypto map CRYPTOMAP:

Crypto Map "TUNNELMAP" 10 ipsec-isakmp
        Peer = 172.25.1.4
        Extended IP access list 116
            access-list 116 permit gre host 172.25.1.3 host 172.25.1.4
        Current peer: 172.25.1.4
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ TUNNEL-TRANSFORM, }
        Interfaces using crypto map TUNNELMAP:
                FastEthernet0/1

Router1#

If you have several crypto maps configured on your router, you can look at a particular one with the tag keyword:

Router1#show crypto map tag TUNNELMAP
Crypto Map "TUNNELMAP" 10 ipsec-isakmp
        Peer = 172.25.1.4
        Extended IP access list 116
            access-list 116 permit gre host 172.25.1.3 host 172.25.1.4
        Current peer: 172.25.1.4
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ TUNNEL-TRANSFORM, }
        Interfaces using crypto map TUNNELMAP:
                FastEthernet0/1

Router1#

If there are any dynamic maps, you can see more information about them with the following command:

Router1#show crypto dynamic-map
Crypto Map Template"VPN-USER-MAP" 50
        Extended IP access list 115
            access-list 115 permit tcp any port = 80 any
            access-list 115 permit tcp any any port = 80
            access-list 115 deny ip any 224.0.0.0 31.255.255.255
        Current peer: 0.0.0.0
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ VPN-TRANSFORMS, }
Router1#