Implementing IPsec to protect your VPN data

Depending on your network setup, requirements and available equipment, IPsec can be implemented across your VPN a variety of ways. A common setup is between Cisco routers, configured to provide a site-to-site GRE VPN tunnel, allowing the sites to freely communicate between each other.

Because GRE (Generic Routing Encapsulation) is an encapsulation protocol, it does not provide any real encryption to the data sent over the tunnel. For this reason, a GRE tunnel is almost always complemented with IPsec, to provide that additional security absent in GRE.

The first step is to create the GRE tunnel between the two sites. GRE's initial configuration involves creating a tunnel interface on each end (router) and connecting the two between each other (see Figure 1 below). GRE tunnels are covered in these GRE tunnel versus IPsec tunnel and GRE Tunnel configuration articles.

Figure 1: Encrypted GRE tunnel between two sites

Assuming the GRE tunnel is up and running, the next step is to properly protect it using IPsec.

The following set of commands will enable IPsecurity and instruct the routers to encrypt the GRE tunnel using IPsec.

Here is the command used for your first router:

R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)# exit
R1(config)# crypto isakmp key firewallcx address 2.2.2.10
R1(config)# crypto IPsec transform-set TS esp-3des esp-md5-hmac
R1(config)# crypto IPsec profile protect-gre
R1(IPsec-profile)# set security-association lifetime seconds 86400
R1(IPsec-profile)# set transform-set TS
R1(IPsec-profile)# exit
R1(config)# interface Tunnel 0
R1(config-if)# tunnel protection IPsec profile protect-gre

Here is the command used for your second router:

R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
R2(config-isakmp)# exit
R2(config)# crypto isakmp key firewallcx address 1.1.1.10
R2(config)# crypto IPsec transform-set TS esp-3des esp-md5-hmac
R2(config)# crypto IPsec profile protect-gre
R2(IPsec-profile)# set security-association lifetime seconds 86400
R2(IPsec-profile)# set transform-set TS
R2(IPsec-profile)# exit
R2(config)# interface Tunnel 0
R2(config-if)# tunnel protection IPsec profile protect-gre

The tunnel protection IPsec profile protect-gre command essentially applies the IPsec profile protect-gre to our GRE tunnel and protects it.

The above configuration will force IPsec to use its default mode -- that is, IPsec tunnel mode. To switch to IPsec transport mode, the following commands must be entered under the crypto IPsec transform-set.

Here is the command used for your first router:

R1(config)# crypto IPsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# mode transport

This is the command used for your second router:

R2(config)# crypto IPsec transform-set TS esp-3des esp-md5-hmac
R2(cfg-crypto-trans)# mode transport

Choosing an IPsec mode for GRE encryption is a common dilemma for network engineers. Selecting between the two modes should not be a casual decision. There are some factors that need to be considered, as we are about to explain in the last article of this series.

Learn about GRE IPsec tunnel and transport mode overhead factors.