
Monday, July 20, 2009

GRE over IPSec with EIGRP to Route Through Two Remote Sites Configuration Example

Introduction

Consider the scenario where our company has two sites. They are equally large, and some users need to reach devices at the other site directly by their local IP addresses; you may even have to replicate domain controllers over this tunnel. Let's say you want to access OWA and, not too often, open some shared files. I say not too often because a large file will generate serious traffic across the Internet.
A Cisco GRE-based VPN is the best choice here because it supports routing, QoS, multicast and also non-IP protocols. You can configure it with SDM or from the CLI. The main downside is that this configuration is not multivendor: both routers have to be Cisco routers running an IOS image that supports VPN.

Refer here for differences between VPNs:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure0900aecd80582078.pdf

Network Diagram

Please check the diagram before you start to read further.


Components Used

- 2 Cisco 3745 routers running Cisco IOS (C3745-ADVIPSERVICESK9-M), Version 12.4(9)T1
- 2 Windows XP hosts
- 1 Windows Server 2003 Enterprise


Configuration

This process has 3 steps:
- Configure the Generic Routing Encapsulation (GRE) Tunnels
- Configure Encryption for the GRE Tunnels
- Configure the Routing Protocol

Configure the GRE Tunnels

R1:
interface Tunnel0
ip address 172.31.0.1 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.2

R2:
interface Tunnel0
ip address 172.31.0.2 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.1

Check that you can ping both the physical interface IPs and the tunnel IPs.

R2#ping 172.31.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
R2#ping 172.16.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/16/48 ms

R1#ping 172.16.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#ping 172.31.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Configure the Encryption for the GRE Tunnels

First, create an access list to define which traffic to encrypt:

R1:

access-list 100 permit gre host 172.16.0.1 host 172.16.0.2

R2:

access-list 100 permit gre host 172.16.0.2 host 172.16.0.1

Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.

R1 & R2:

crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport

Configure the crypto map

R1:

crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.2
set transform-set strong
match address 100

R2:
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.1
set transform-set strong
match address 100


Apply the crypto map on BOTH routers:

R1 & R2:
interface FastEthernet0/1
crypto map vpn

interface Tunnel0
crypto map vpn


Enable EIGRP

R1:

router eigrp 60
network 172.31.0.0
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes

R2:
router eigrp 60
network 10.0.0.0
network 172.31.0.0
auto-summary
no eigrp log-neighbor-changes
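As an added check (not part of the original post), the Python script below pulls the fields that must agree across the two tunnel ends out of excerpts of the R1 and R2 configs above and reports mismatches, plus the two settings a reviewer would flag: the wildcard pre-shared-key address and the 3DES/MD5 transform set. The excerpts and the check logic are constructed for this example.

```python
import re

# Constructed excerpts of the post's R1/R2 configs (only the lines the checker reads; the lone "ip address" line is the outside, i.e. tunnel source, interface).
R1 = """crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 set peer 172.16.0.2
 tunnel destination 172.16.0.2
 ip address 172.16.0.1 255.255.0.0
access-list 100 permit gre host 172.16.0.1 host 172.16.0.2"""
R2 = """crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 set peer 172.16.0.1
 tunnel destination 172.16.0.1
 ip address 172.16.0.2 255.255.0.0
access-list 100 permit gre host 172.16.0.2 host 172.16.0.1"""
FIELDS = {  # one-line IOS statements whose values must agree across the two ends
    "key_addr": r"^crypto isakmp key \S+ address (\S+ \S+)",
    "transform": r"^crypto ipsec transform-set \S+ (.+)$",
    "peer": r"^\s*set peer (\S+)",
    "tun_dst": r"^\s*tunnel destination (\S+)",
    "outside": r"^\s*ip address (\S+) \S+",
    "acl": r"^access-list \d+ permit gre host (\S+) host (\S+)",
}
def parse(cfg):
    """Return {field: value}; the two-group ACL pattern yields a (src, dst) tuple, missing fields None."""
    out = {}
    for key, pat in FIELDS.items():
        m = re.search(pat, cfg, re.M)
        out[key] = None if not m else (m.group(1) if m.re.groups == 1 else m.groups())
    return out

def check_pair(cfg_a, cfg_b, names=("R1", "R2")):
    """Cross-check both tunnel ends; returns (errors, warnings) as lists of strings."""
    pa, pb = parse(cfg_a), parse(cfg_b)
    errors, warnings = [], []
    for name, me, other in ((names[0], pa, pb), (names[1], pb, pa)):
        if me["peer"] != other["outside"]:
            errors.append(f"{name}: set peer {me['peer']} is not the far side's outside address {other['outside']}")
        if me["tun_dst"] != me["peer"]:
            errors.append(f"{name}: tunnel destination {me['tun_dst']} differs from crypto peer {me['peer']}")
        if me["acl"] != (me["outside"], other["outside"]):
            errors.append(f"{name}: crypto ACL {me['acl']} does not match the GRE endpoints")
    if pa["transform"] != pb["transform"]:
        errors.append(f"transform sets differ: {pa['transform']} vs {pb['transform']}")
    if "0.0.0.0 0.0.0.0" in (pa["key_addr"], pb["key_addr"]):
        warnings.append("wildcard pre-shared key address: any host that knows the key can negotiate a tunnel")
    if pa["transform"] and re.search(r"3des|md5", pa["transform"]):
        warnings.append(f"legacy transform set ({pa['transform']}); esp-aes esp-sha-hmac is supported on 12.4 advipservicesk9")
    return errors, warnings
```

Run it as `check_pair(R1, R2)`: the post's configs produce no errors and the two warnings; change one `set peer` and the peer and tunnel-destination checks both fire.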

Full config

R1:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$JZ2K$15BvDKP555bzNmcnoxc2D.
!
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
!
username cisc0 privilege 15 password 0 cisc0
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.2
set transform-set strong
match address 100
!
!
!
!
!
interface Tunnel0
ip address 172.31.0.1 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.2
crypto map vpn
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.1 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
router eigrp 60
network 172.31.0.0
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes
!
!
!
access-list 100 permit gre host 172.16.0.1 host 172.16.0.2
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
alias exec s show ip inter brief
alias exec sr show run
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password v
transport input telnet ssh
!
!
!
!
end


R2:
Building configuration...

Current configuration : 1412 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$aIoH$XR1H76kiRYuPGtAV07ST3.
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.1
set transform-set strong
match address 100
!
!
!
!
!
interface Tunnel0
ip address 172.31.0.2 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.1
crypto map vpn
!
interface FastEthernet0/0
ip address 10.0.0.2 255.0.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.2 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
router eigrp 60
network 10.0.0.0
network 172.31.0.0
auto-summary
no eigrp log-neighbor-changes
!
!
!
ip http server
no ip http secure-server
ip nat inside source list 10 interface FastEthernet0/1 overload
!
access-list 100 permit gre host 172.16.0.2 host 172.16.0.1
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
alias exec s show ip inter brief
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

This post is based on:
GRE over IPSec with EIGRP to Route Through a Hub and Multiple Remote Sites Configuration

Other Examples:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

Monday, July 13, 2009

Teleworker: Thin-Client SSL VPN (WebVPN) IOS Configuration Example with SDM

Before we proceed to the hard core part let's take a look at Cisco promotion video first, Cisco Teleworking Solutions - The World Is Your Office:





One of the key portions of that product is SSL VPN, which used to be called WebVPN. It is useful in situations where you need to reach network resources on your company LAN from a remote location, most likely home, a coffee shop, etc. In this post we focus on how to access your computer at work from home using Remote Desktop, OWA (Outlook Web Access) and an internal website with news and announcements; it could even be a SharePoint site.

Take a look at the logical diagram:






As you can see, we have two routers: one at your remote location (R2) and one (R1) at the company site. R2 does not have to be a Cisco router; it just has to provide the Internet connection. The network between R1 and R2 (172.16.0.0/16) acts as the Internet in this lab environment. In this lab both routers are Cisco 3745 with IOS C3745-ADVIPSERVICESK9-M 12.4(9)T1.

The configuration can be done via SDM (GUI software to configure Cisco Devices) or CLI.

R2 config:

R2#show run
Building configuration...

Current configuration : 935 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret s
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
interface FastEthernet0/0
ip address 10.0.0.2 255.0.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.2 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
!
ip http server
no ip http secure-server
ip nat inside source list 10 interface FastEthernet0/1 overload
!
access-list 10 permit 10.0.0.0 0.255.255.255
!
control-plane
!
alias exec s show ip inter brief
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password v
login
!
!
end




Below is the R1 config:

Current configuration : 3841 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret s
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
!
crypto pki trustpoint TP-self-signed-998521732
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-998521732
revocation-check none
rsakeypair TP-self-signed-998521732
!
!
crypto pki certificate chain TP-self-signed-998521732
certificate self-signed 01
!---- output cut ---
ED20B032 D4BDEF14 5A114136 4C9F1794 3C3AA01E E670BC18 FC19B9B5
quit
username cisc0 privilege 15 password 0 cisc0
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.1 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 10 interface FastEthernet0/1 overload
!
access-list 10 permit 192.168.0.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
alias exec s show ip inter brief
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password v
transport input telnet ssh
!
!
webvpn gateway gateway_1
ip address 172.16.0.1 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-998521732
inservice
!

webvpn context First
title-color #FFFF00
secondary-color white
text-color black
ssl authenticate verify all
!
url-list "First"
heading "Web Sites"
url-text "OWA" url-value "http://192.168.0.10/owa/exchange"
url-text "News" url-value "http://192.168.0.10/news"
!

port-forward "portforward_list_1"
local-port 3000 remote-server "192.168.0.100" remote-port 3389 description "XP1 RD"
local-port 3001 remote-server "192.168.0.10" remote-port description "DC1 Remote Desktop"
!
policy group policy_1
url-list "First"
port-forward "portforward_list_1"
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway gateway_1 domain mydomain
inservice
!
!
end



With that configuration in place, you can connect from XP2 using a web browser. After you log in you need to click Start Application Access. The Java applet creates the tunnel, and by connecting to 127.0.0.1:3000 you reach your computer at work while sitting at home!
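An added example, not code from the post: it parses the port-forward list of the R1 config above (copied here as a constructed sample, including the "DC1 Remote Desktop" line exactly as the page shows it, with no value after remote-port), lists the 127.0.0.1 mappings the applet will create on the user's PC, and reports the entries a reviewer would send back before enabling the context; the inside-LAN prefix it checks against is an assumption taken from R1's FastEthernet0/0 address.

```python
import re

# Constructed copy of the post's port-forward list; the second entry is kept as the page
# shows it, with the remote-port value missing.
PORT_FORWARD_BLOCK = """\
 port-forward "portforward_list_1"
   local-port 3000 remote-server "192.168.0.100" remote-port 3389 description "XP1 RD"
   local-port 3001 remote-server "192.168.0.10" remote-port description "DC1 Remote Desktop"
"""

ENTRY = re.compile(
    r'local-port (\d+) remote-server "([^"]+)" remote-port (\d*)\s*description "([^"]*)"')

def parse_port_forwards(block):
    """One dict per entry; remote_port is None when the statement carries no port value."""
    entries = []
    for m in ENTRY.finditer(block):
        local, server, remote, desc = m.groups()
        entries.append({"local_port": int(local), "remote_server": server,
                        "remote_port": int(remote) if remote else None, "description": desc})
    return entries

def client_mappings(entries):
    """What the thin client exposes on the user's PC: 127.0.0.1:<local> -> server:port."""
    return [f"127.0.0.1:{e['local_port']} -> {e['remote_server']}:{e['remote_port']}"
            for e in entries if e["remote_port"] is not None]

def audit(entries, inside_net="192.168.0."):
    """Findings a reviewer raises before 'inservice'. inside_net is an assumed prefix for the
    company LAN (the post's R1 FastEthernet0/0 sits in 192.168.0.0/24)."""
    findings, seen = [], set()
    for e in entries:
        if e["remote_port"] is None:
            findings.append(f'"{e["description"]}": remote-port has no value, the entry is unusable')
        if not e["remote_server"].startswith(inside_net):
            findings.append(f'"{e["description"]}": remote-server {e["remote_server"]} is outside the inside LAN')
        if e["local_port"] in seen:
            findings.append(f'"{e["description"]}": local-port {e["local_port"]} is already used')
        seen.add(e["local_port"])
    return findings
```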

Login screen from XP2:







After you login and click Start Application Access you will see:







More info:

http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml

http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml

Thursday, May 21, 2009

How Are IP Addresses and Subnet Masks Related?

One of the topics that I (along with many others) had trouble understanding was how to tell the network side of an IP address from the host side. For example, our computer has the IP address 192.168.1.1 with a subnet mask of 255.255.255.0. The subnet mask is the key to telling your network address and host address apart.

Now let's break down our computer's IP. Every IP consists of four 8-bit octets, each ranging in decimal value from 0 to 255. For instance, 192 (our IP's 1st octet) in decimal translates to 11000000 in binary (for more information on binary to decimal translation, see this article: http://www.wikihow.com/Convert-from-Binary-to-Decimal). This next step is key. ANY BINARY '1' IN OUR SUBNET MASK DEFINES THE NETWORK, and ANY '0' IN OUR SUBNET MASK DEFINES THE HOST. Because our subnet mask's 1st, 2nd and 3rd octets are 255 (or 11111111 in binary), the network address that our IP belongs to is 192.168.1.0. The 4th octet, thus, defines the host number within this network. So in this one particular network, 192.168.1.0, we can have up to 254 host computers. You may wonder why not 255? This is because the host address 255 (192.168.1.255) is reserved for the network's broadcast address. Therefore, we can only host 254 addresses on our network (1-254).

Let's try a slightly harder example this time. Say we go to the command line on our computer and run "ipconfig" to display our IP and subnet mask. The output shows our IP address as 192.168.1.193 with a subnet mask of 255.255.255.192. The first thing to do is break the IP address into its octets. Luckily for us, the first three octets are all network address, as defined by the mask being all 1's (255 = 11111111 in binary). Now all we need to worry about is the last octet! The 192 in our subnet mask translates to 11000000 in binary (all '0's being possible host addresses). Because the network is defined by the 1's in the mask, the first 2 bits of the last octet of our IP are still part of the network address. So, if we translate 193 to binary, we get 11000001. 193 ends up being the first host in the network 192.168.1.192! So in this case our network address is 192.168.1.192, and hosts in this network range from 192.168.1.193 to 192.168.1.254!
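The octet arithmetic walked through above, implemented for any address and mask as an added example (not code from the original post); it also rejects a mask whose 1 bits are not contiguous, a case the by-hand method silently accepts.

```python
def to_int(dotted):
    """Dotted-quad string -> 32-bit integer; rejects anything that is not four octets 0..255."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_length(mask):
    """Count the leading 1 bits of a mask; a mask whose 1s are not contiguous is rejected."""
    m = to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones

def describe(ip, mask):
    """Network, broadcast and usable host range, computed the way the post does by hand:
    1 bits in the mask select the network part, 0 bits the host part; the all-0 host is the
    network address and the all-1 host is the broadcast (the /31 exception of RFC 3021 is ignored)."""
    n = prefix_length(mask)
    net = to_int(ip) & to_int(mask)
    bcast = net | (0xFFFFFFFF >> n)
    usable = max(0, (1 << (32 - n)) - 2)
    return {
        "network": to_dotted(net), "prefix": n, "broadcast": to_dotted(bcast),
        "first_host": to_dotted(net + 1) if usable else None,
        "last_host": to_dotted(bcast - 1) if usable else None,
        "usable_hosts": usable,
        # the octet the post reasons about, shown as IP bits over mask bits
        "last_octet_bits": f"{to_int(ip) & 0xFF:08b} / {to_int(mask) & 0xFF:08b}",
    }
```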

Fortunately for us, IPv6 has been created, which voids the need to differentiate the network address from the host address using a subnet mask. I will cover that topic in a later article, but for now, IPv4 takes practice, practice, and even more practice to understand the relationship between your IP address and subnet mask. Try it yourself on your computer at home and let me know how things go!

Thursday, May 14, 2009

Etherchannel in a Nutshell: Understanding and Configuring the Cisco Technology

Ever feel like your internet connection isn’t as fast as you think it could be? Along with that, shouldn’t there be a way to create fault tolerance between your computers and the internet in the case that one of your cables happens to go bad? Fortunately for you, there is a way to kill two birds with one stone. It’s called EtherChannel, an easily-configurable technology used primarily on Cisco switches.

EtherChannel allows the grouping of multiple physical Ethernet links into one logical link. This provides both increased bandwidth and fault tolerance between your routers, switches, servers, hosts, etc. Each EtherChannel can consist of between two and eight Fast Ethernet, Gigabit Ethernet, or 10 Gigabit Ethernet links. This means that, depending on how many Ethernet links you bundle, you get multiplied bandwidth as well as fault tolerance, without losing connectivity on your newly created, grouped Ethernet link when a single member fails.

For example, let's say you have two Cisco switches, both of which have four Gigabit Ethernet ports. You have already established connectivity using one Gigabit port on each switch, but users are saying it takes too long to transfer large, necessary files to each other. Each of our switches has 3 additional Gigabit Ethernet ports, but unfortunately all they are doing right now is collecting dust. Adding 3 physical Gigabit Ethernet links lets us group all four into one logical link using EtherChannel, multiplying our original Gigabit speed by four AND creating backup links at the same time in case one of them fails! So in essence, our previous bandwidth of 1 Gbps is now 4 Gbps, with fault tolerance included!

For additional information on the subject, please refer to the following links:


Cisco EtherChannel Technology

Configuring EtherChannel