Implementing IPsec to protect your VPN data
IPsec can be implemented in a variety of ways; this article discusses how to configure it to protect the data carried over a GRE-based VPN.
Depending on your network setup, requirements and available equipment, IPsec can be deployed across your VPN in a variety of ways. A common setup is a site-to-site GRE tunnel between two Cisco routers, which lets the two sites communicate freely with each other.
Because GRE (Generic Routing Encapsulation) is purely an encapsulation protocol, it provides no encryption, integrity protection or peer authentication for the data sent over the tunnel; anyone on the path can read or alter the encapsulated packets. For this reason, a GRE tunnel is almost always combined with IPsec, which supplies the protection GRE lacks.
The first step is to create the GRE tunnel between the two sites. GRE's initial configuration involves creating a tunnel interface on each router and pointing the two at each other (see Figure 1 below). GRE tunnels are covered in the GRE tunnel versus IPsec tunnel and GRE tunnel configuration articles.
Figure 1: Encrypted GRE tunnel between two sites
Assuming the GRE tunnel is up and running, the next step is to properly protect it using IPsec.
The following set of commands enables IPsec and instructs the routers to encrypt the GRE tunnel with it. The ISAKMP policy defines the IKE phase 1 parameters, the pre-shared key authenticates the peer, the transform set defines the ESP algorithms for phase 2, and the IPsec profile ties the transform set to the tunnel interface.
Here are the commands for the first router (R1, peering with R2 at 2.2.2.10):
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)# exit
R1(config)# crypto isakmp key firewallcx address 2.2.2.10
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(config)# crypto ipsec profile protect-gre
R1(ipsec-profile)# set security-association lifetime seconds 86400
R1(ipsec-profile)# set transform-set TS
R1(ipsec-profile)# exit
R1(config)# interface Tunnel 0
R1(config-if)# tunnel protection ipsec profile protect-gre
Here are the commands for the second router (R2, peering with R1 at 1.1.1.10); apart from the peer address, the parameters must match R1 exactly or IKE negotiation will fail:
R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
R2(config-isakmp)# exit
R2(config)# crypto isakmp key firewallcx address 1.1.1.10
R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(config)# crypto ipsec profile protect-gre
R2(ipsec-profile)# set security-association lifetime seconds 86400
R2(ipsec-profile)# set transform-set TS
R2(ipsec-profile)# exit
R2(config)# interface Tunnel 0
R2(config-if)# tunnel protection ipsec profile protect-gre
The tunnel protection ipsec profile protect-gre command applies the IPsec profile protect-gre to the GRE tunnel interface, so every packet leaving Tunnel 0 is encrypted by ESP before it is sent to the peer. Note that the algorithms shown here (3DES, MD5, Diffie-Hellman group 2) and the short, guessable pre-shared key are legacy choices that are no longer considered adequate; on current IOS releases use AES, SHA-2 and DH group 14 or higher, and use a long random pre-shared key (or certificate authentication) instead.
The above configuration leaves IPsec in its default mode, which is tunnel mode: ESP wraps the whole GRE/IP packet and adds a new outer IP header. In transport mode ESP protects only the GRE payload behind the existing IP header, which is sufficient for tunnel protection because GRE already supplies an outer header. To switch to transport mode, enter the following command under the crypto ipsec transform-set.
Here are the commands for the first router:
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# mode transport
Here are the commands for the second router (the mode must match on both ends):
R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(cfg-crypto-trans)# mode transport
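As an added example that is not part of the original article, the block below restates the R1 side of the same procedure with current-strength parameters (AES-256, SHA-256, DH group 14, a placeholder for a long random pre-shared key and transport mode) and lists the show commands used to confirm the tunnel is actually encrypting. It assumes a Cisco IOS 15.x router using the addresses from the article (R1 at 1.1.1.10, R2 at 2.2.2.10); the policy number 10, the transform-set name TS-STRONG and the 3600-second IPsec SA lifetime are the editor's choices, and R2 needs the mirror configuration with peer address 1.1.1.10.

```cisco
! Added example (editor's configuration, not from the article): hardened
! IKEv1/IPsec settings for R1 (1.1.1.10) peering with R2 (2.2.2.10).
! Assumes Cisco IOS 15.x. Article's settings on the left, replacements on the right:
!   encr 3des / hash md5 / group 2   ->  encr aes 256 / hash sha256 / group 14
!   esp-3des esp-md5-hmac            ->  esp-aes 256 esp-sha256-hmac
!   key "firewallcx"                 ->  long random key (placeholder below)
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Placeholder: generate a long random key and use the same value on R2.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 2.2.2.10
!
! Phase 2 algorithms; transport mode avoids the extra outer IP header
! that tunnel mode would add on top of the GRE header.
crypto ipsec transform-set TS-STRONG esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile protect-gre
 set security-association lifetime seconds 3600
 set transform-set TS-STRONG
!
interface Tunnel0
 tunnel protection ipsec profile protect-gre
!
! Verification, once R2 carries the mirror configuration and some traffic
! (for example a ping across the tunnel) has triggered SA negotiation:
!   R1# show crypto isakmp sa      -> peer 2.2.2.10 in state QM_IDLE
!   R1# show crypto ipsec sa       -> #pkts encaps/encrypt and decaps/decrypt
!                                     counters increasing as traffic flows
!   R1# show crypto session        -> Session status: UP-ACTIVE
! If the ISAKMP SA never reaches QM_IDLE, compare the policy (encr, hash,
! group, lifetime) and the pre-shared key on both routers first.
```

Apply the transform set and profile on both routers before checking; an SA negotiated with the article's original 3DES/MD5 transform set stays in place until it expires or is cleared with clear crypto sa, so a changed transform set is not picked up until then.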
Choosing an IPsec mode for GRE encryption is a common dilemma for network engineers, and selecting between the two modes should not be a casual decision. Several factors, chiefly the per-packet overhead each mode adds and its effect on MTU, need to be considered, as the last article of this series explains.
Learn about GRE IPsec tunnel and transport mode overhead factors.