GRE Configuration

This document outlines how to set up a GRE tunnel between two RAPTORs.

The tunnel traffic is encrypted with IPsec. The routing table will be learnt automatically with OSPF. The ISAKMP/IPsec parameters in the samples below (MD5 hashing, DH group 1, the pre-shared key `iSCom+`) are illustrative only; a production deployment should use a unique, strong pre-shared key or certificate-based authentication (see the certificate section) together with the strongest hash and Diffie-Hellman group the platform supports.

Figure 1. GRE Topology

A sample working configuration of a GRE tunnel between two RAPTORs is as follows.

RAPTOR #1

Configure a link to the security application and VPN policy 1.

Type the following:

iSCom# configure terminal
iSCom(config)# set security enable
iSCom(config)# vlan 5
iSCom(config-vlan)# vlan active
iSCom(config-vlan)# name "Protected Network"
iSCom(config-vlan)# exit
iSCom(config)# vlan 3
iSCom(config-vlan)# vlan active
iSCom(config-vlan)# name "Protected Network"
iSCom(config-vlan)# exit
iSCom(config)# interface gigabit 0/16
iSCom(config-if)# switchport mode trunk
iSCom(config-if)# description "Connected to Local Network"
iSCom(config-if)# description "Connected to Local Network"
iSCom(config-if)# exit
iSCom(config)# interface vlan 5
iSCom(config-if)# ip address 172.16.50.1 255.255.255.0
iSCom(config-if)# no shutdown
iSCom(config-if)# exit
iSCom(config)# interface vlan 3
iSCom(config-if)# ip address 172.16.51.1 255.255.255.0
iSCom(config-if)# no shutdown
iSCom(config-if)# description "Protected Network"
iSCom(config-if)# exit
iSCom(config)# interface loop 1
iSCom(config-if)# no shutdown
iSCom(config-if)# ip address 1.1.1.1 255.255.255.255
iSCom(config-if)# description "Router ID"
iSCom(config-if)# exit
iSCom(config)# interface gigabit 0/24
iSCom(config-if)# shutdown
iSCom(config-if)# no switchport
iSCom(config-if)# set wan enable
iSCom(config-if)# ip add 170.50.31.1 255.255.255.0 cybsec
iSCom(config-if)# no shutdown
iSCom(config-if)# description "WAN Port"
iSCom(config-if)# exit
iSCom(config)# vlan 50
iSCom(config-vlan)# vlan active
iSCom(config-vlan)# name "Connect iBiome to Linux"
iSCom(config-vlan)# exit
iSCom(config)# interface vlan 50
iSCom(config-if)# ip address 192.168.50.1 255.255.255.0
iSCom(config-if)# ip address 192.168.50.2 255.255.255.0 cybsec
iSCom(config-if)# ip proxy-arp cybsec
iSCom(config-if)# no shutdown
iSCom(config-if)# description "Connect iBiome to Linux"
iSCom(config-if)# exit

  • Configure GRE Tunnel.
iSCom(config)# interface tunnel 1
iSCom(config-if)# tunnel mode gre source 170.50.31.1 dest 180.50.21.2
iSCom(config-if)# ip address 21.21.21.1 255.255.255.0 cybsec
iSCom(config-if)# no shutdown

  • Configure GRE Over IPSec.
iSCom(config)# set vpn enable
iSCom(config)# crypto map VPN-TEST-1
iSCom(config-crypto-map)# set local 170.50.31.1
iSCom(config-crypto-map)# isakmp local identity ipv4 170.50.31.1
iSCom(config-crypto-map)# set peer 180.50.21.2
iSCom(config-crypto-map)# isakmp peer identity ipv4 180.50.21.2
iSCom(config-crypto-map)# access-list source gre destination gre
iSCom(config-crypto-map)# crypto key mode preshared psk iSCom+
iSCom(config-crypto-map)# isakmp policy encryption aes hash md5 dh group1 exch main lifetime secs 3600
iSCom(config-crypto-map)# crypto ipsec mode tunnel
iSCom(config-crypto-map)# crypto map ipsec encryption esp aes authentication esp md5 pfs group2 lifetime secs 3600
iSCom(config-crypto-map)# set tunnel enable
iSCom(config-crypto-map)# exit

  • Configure Default Routes on Linux and iBiome
iSCom(config)# ip route 0.0.0.0 0.0.0.0 192.168.50.2
iSCom(config)# ip route 0.0.0.0 0.0.0.0 170.50.31.3 cybsec

  • Configure OSPF on the Linux
iSCom(config)# router ospf cybsec
iSCom(config-router)# router-id 11.11.11.11
iSCom(config-router)# network 21.21.21.1 area 0.0.0.0
iSCom(config-router)# network 192.168.50.2 area 0.0.0.0

  • Configure OSPF on the iBiome.
iSCom(config)# router ospf 
iSCom(config-router)# router-id 1.1.1.1
iSCom(config-router)# network 1.1.1.1 area 0.0.0.0
iSCom(config-router)# network 172.16.50.1 area 0.0.0.0
iSCom(config-router)# network 172.16.51.1 area 0.0.0.0
iSCom(config-router)# network 192.168.50.1 area 0.0.0.0

RAPTOR #2

Configure a link to the security application and VPN policy 1.

Type the following:

iSCom# configure terminal
iSCom(config)# set security enable
iSCom(config)# vlan 6
iSCom(config-vlan)# vlan active
iSCom(config-vlan)# name "Protected Network"
iSCom(config-vlan)# exit

iSCom(config)# vlan 4
iSCom(config-vlan)# vlan active
iSCom(config-vlan)# name "Protected Network"
iSCom(config-vlan)# exit

iSCom(config)# interface gigabit 0/16
iSCom(config-if)# switchport mode trunk
iSCom(config-if)# description "Connected to Local Network"
iSCom(config-if)# exit
iSCom(config)# interface vlan 6
iSCom(config-if)# ip address 172.16.60.1 255.255.255.0
iSCom(config-if)# no shutdown
iSCom(config-if)# description "Protected Network"
iSCom(config-if)# exit
iSCom(config)# interface vlan 4
iSCom(config-if)# ip address 172.16.61.1 255.255.255.0
iSCom(config-if)# no shutdown
iSCom(config-if)# description "Protected Network"
iSCom(config-if)# exit

iSCom(config)# interface loop 1
iSCom(config-if)# no shutdown
iSCom(config-if)# ip address 2.2.2.2 255.255.255.255
iSCom(config-if)# description "Router ID"
iSCom(config-if)# exit
iSCom(config)# interface gigabit 0/24
iSCom(config-if)# shutdown
iSCom(config-if)# no switchport
iSCom(config-if)# set wan enable
iSCom(config-if)# ip add 180.50.21.2 255.255.255.0 cybsec
iSCom(config-if)# no shutdown
iSCom(config-if)# description "WAN Port"
iSCom(config-if)# exit

iSCom(config)# vlan 80
iSCom(config-vlan)# vlan active
iSCom(config-vlan)# name "Connect iBiome to Linux"
iSCom(config-vlan)# exit
iSCom(config)# interface vlan 80
iSCom(config-if)# ip address 192.168.80.1 255.255.255.0
iSCom(config-if)# ip address 192.168.80.2 255.255.255.0 cybsec
iSCom(config-if)# ip proxy-arp cybsec
iSCom(config-if)# no shutdown
iSCom(config-if)# description "Connect iBiome to Linux"
iSCom(config-if)# exit

  • Configure GRE Tunnel.
iSCom(config)# interface tunnel 1
iSCom(config-if)# tunnel mode gre source 180.50.21.2 dest 170.50.31.1
iSCom(config-if)# ip address 21.21.21.2 255.255.255.0 cybsec
iSCom(config-if)# no shutdown

  • Configure GRE Over IPSec.
iSCom(config)# set vpn enable
iSCom(config)# crypto map VPN-TEST-2
iSCom(config-crypto-map)# set local 180.50.21.2
iSCom(config-crypto-map)# isakmp local identity ipv4 180.50.21.2
iSCom(config-crypto-map)# set peer 170.50.31.1
iSCom(config-crypto-map)# isakmp peer identity ipv4 170.50.31.1
iSCom(config-crypto-map)# access-list source gre destination gre
iSCom(config-crypto-map)# crypto key mode preshared psk iSCom+
iSCom(config-crypto-map)# isakmp policy encryption aes hash md5 dh group1 exch main lifetime secs 3600
iSCom(config-crypto-map)# crypto ipsec mode tunnel
iSCom(config-crypto-map)# crypto map ipsec encryption esp aes authentication esp md5 pfs group2 lifetime secs 3600
iSCom(config-crypto-map)# set tunnel enable
iSCom(config-crypto-map)# exit

  • Configure Default Routes on Linux and iBiome
iSCom(config)# ip route 0.0.0.0 0.0.0.0 192.168.80.2
iSCom(config)# ip route 0.0.0.0 0.0.0.0 180.50.21.3 cybsec

  • Configure OSPF on the Linux
iSCom(config)# router ospf cybsec
iSCom(config-router)# router-id 22.22.22.22
iSCom(config-router)# network 21.21.21.2 area 0.0.0.0
iSCom(config-router)# network 192.168.80.2 area 0.0.0.0

  • Configure OSPF on the iBiome.
iSCom(config)# router ospf 
iSCom(config-router)# router-id 2.2.2.2
iSCom(config-router)# network 2.2.2.2 area 0.0.0.0
iSCom(config-router)# network 172.16.60.1 area 0.0.0.0
iSCom(config-router)# network 172.16.61.1 area 0.0.0.0
iSCom(config-router)# network 192.168.80.1 area 0.0.0.0

GRE Over IPsec with Certificate

Configure GRE Over IPsec with Certificate

Perform the following:

RAPTOR 1:
#Create Private Key On the RAPTOR
crypto pki keygen client rsa4096 CA ON MISSISSAUGA iSCom DOC 1.1.1.1

#Create a CSR on the RAPTOR
crypto pki csrgen client

#Importing Signed Certificate to the RAPTOR
crypto pki import cert clientSingedCert.pem private-key clientKey.pem

#Importing CA Certificate to the RAPTOR
crypto pki import ca-cert CA.pem

iSCom#show crypto pki
------------------------------------------------------------
Name                            Type
------------------------------------------------------------
clientKey.pem                   Private Key
clientCert.pem                  Certificate
clientSingedCert.pem            Certificate
CA.pem                          CA Certificate
clientCsr.pem                   CSR
-----------------------------------------------------------

en
conf t
set security enable
vlan 5
vlan active
Name "Protected Network"
exit
vlan 3
vlan active
Name "Protected Network"
exit
inter gig 0/16
sw mo trunk
description "Connected to Local Network"
exit
inter vlan 5
ip address 172.16.50.1 255.255.255.0
no shut
description "Protected Network"
exit
inter vlan 3
ip address 172.16.51.1 255.255.255.0
no shut
description "Protected Network"
exit
inter loop 1
no shut
ip add 1.1.1.1 255.255.255.255
description "Router ID"
exit
inter gig 0/24
shu
no sw
set wan enable
ip add 170.50.31.1 255.255.255.0 cybsec
no shut
description "WAN Port"
exit
vlan 50
vlan active
name "Connect iBiome to Linux"
exit
int vlan 50 
ip addr 192.168.50.1 255.255.255.0
ip addr 192.168.50.2 255.255.255.0 cybsec
ip proxy-arp cybsec
no shut
description "Connect iBiome to Linux"
exit
!
#Configuring GRE Tunnel
interface tunnel 1
tunnel mode gre source 170.50.31.1 dest 180.50.21.2
ip address  21.21.21.1 255.255.255.0 cybsec
 no shutdown
!
#configuring GRE Over IPSec
set vpn enable

crypto map VPN-TEST-1
set local 170.50.31.1
isakmp local identity ipv4 "C=CA, ST=ON, L=MISSISSAUGA, O=iSCom, OU=DOC, CN=1.1.1.1"
set peer 180.50.21.2
isakmp peer identity ipv4 "C=CA, ST=ON, L=MISSISSAUGA, O=iSCom, OU=DOC, CN=2.2.2.2"
access-list source gre destination gre
crypto key mode cert certificate-File clientSingedCert.pem PrivateKey-File clientKey.pem
isakmp policy encryption aes hash md5 dh group1 exch main lifetime secs 3600
crypto ipsec mode tunnel
crypto map ipsec encryption esp aes authentication esp md5 pfs group2 lifetime secs 3600
set Tunnel enable
exit
!
#Configuring Default Routes on Linux and iBiome
ip route 0.0.0.0 0.0.0.0 192.168.50.2
ip route 0.0.0.0 0.0.0.0 170.50.31.3 cybsec
!
#Configuring OSPF on the Linux
router ospf cybsec
 router-id 11.11.11.11
network 21.21.21.1 area 0.0.0.0
network 192.168.50.2 area 0.0.0.0
!
#Configuring OSPF on the iBiome
router ospf
 router-id 1.1.1.1
network 1.1.1.1 area 0.0.0.0
network 172.16.50.1 area 0.0.0.0
network 172.16.51.1 area 0.0.0.0
network 192.168.50.1 area 0.0.0.0
!
RAPTOR 2:
#Create Private Key On the RAPTOR
crypto pki keygen client rsa4096 CA ON MISSISSAUGA iSCom DOC 2.2.2.2

#Create a CSR on the RAPTOR
crypto pki csrgen client

#Importing Signed Certificate to the RAPTOR
crypto pki import cert clientSingedCert.pem private-key clientKey.pem

#Importing CA Certificate to the RAPTOR
crypto pki import ca-cert CA.pem

iSCom#show crypto pki
------------------------------------------------------------
Name                            Type
------------------------------------------------------------
clientKey.pem                   Private Key
clientCert.pem                  Certificate
clientSingedCert.pem            Certificate
CA.pem                          CA Certificate
clientCsr.pem                   CSR
------------------------------------------------------------
en
conf t
set security enable
vlan 6
vlan active
Name "Protected Network"
exit
vlan 4
vlan active
Name "Protected Network"
exit
inter gig 0/16
sw mo trunk
description "Connected to Local Network"
exit
inter vlan 6
ip address 172.16.60.1 255.255.255.0
no shut
description "Protected Network"
exit
inter vlan 4
ip address 172.16.61.1 255.255.255.0
no shut
description "Protected Network"
exit
inter loop 1
no shut
ip add 2.2.2.2 255.255.255.255
description "Router ID"
exit
inter gig 0/24
shu
no sw
set wan enable
ip add 180.50.21.2 255.255.255.0 cybsec
no shut
description "WAN Port"
exit
vlan 80
vlan active
name "Connect iBiome to Linux"
exit
int vlan 80 
ip addr 192.168.80.1 255.255.255.0
ip addr 192.168.80.2 255.255.255.0 cybsec
ip proxy-arp cybsec
no shut
description "Connect iBiome to Linux"
exit
!
#Configuring GRE Tunnel
interface tunnel 1
 tunnel mode gre source 180.50.21.2 dest 170.50.31.1
 ip address  21.21.21.2 255.255.255.0 cybsec
no shutdown
!
#configuring GRE Over IPSec
set vpn enable

crypto map VPN-TEST-2
set local 180.50.21.2
isakmp local identity ipv4 "C=CA, ST=ON, L=MISSISSAUGA, O=iSCom, OU=DOC, CN=2.2.2.2"
set peer 170.50.31.1
isakmp peer identity ipv4 "C=CA, ST=ON, L=MISSISSAUGA, O=iSCom, OU=DOC, CN=1.1.1.1"
access-list source gre destination gre
crypto key mode cert certificate-File clientSingedCert.pem PrivateKey-File clientKey.pem
isakmp policy encryption aes hash md5 dh group1 exch main lifetime secs 3600
crypto ipsec mode tunnel
crypto map ipsec encryption esp aes authentication esp md5 pfs group2 lifetime secs 3600
set Tunnel enable
exit
!
#Configuring Default Routes on Linux and iBiome
ip route 0.0.0.0 0.0.0.0 192.168.80.2
ip route 0.0.0.0 0.0.0.0 180.50.21.3 cybsec
!
#Configuring OSPF on the Linux
router ospf cybsec
 router-id 22.22.22.22
network 21.21.21.2 area 0.0.0.0
network 192.168.80.2 area 0.0.0.0
!
#Configuring OSPF on the iBiome
router ospf
 router-id 2.2.2.2
network 2.2.2.2 area 0.0.0.0
network 172.16.60.1 area 0.0.0.0
network 172.16.61.1 area 0.0.0.0
network 192.168.80.1 area 0.0.0.0
!