Configure GRE over IPSec secured private channel

I'll show a quick and simple way to configure GRE over IPsec between a CentOS host and a Cisco 2821. This is not a final configuration: apart from a few test rules it contains no ACL/firewall hardening, and the post provides configuration examples only. For GRE and IPsec basics see the Point-to-Point GRE over IPsec Design Guide.

Overview

Goal

Provide a secure connection with branch offices.

Topology

Two distributed offices, each connected to a shared network (the Internet). Across this network an encrypted GRE tunnel is established using the IPsec stack.

The head office site

Connected to the shared network (Internet) with a Cisco 2821 router (head-gw). The WAN interface is GigabitEthernet0/0 (g0/0) with IP address 192.168.100.10/24. The tunnel interface is Tunnel0 (tun0) with IP address 172.21.0.1/30.

The branch office site

Connected to the shared network (Internet) with a software router running CentOS 6.0 (branch-gw). The WAN interface is eth0 with IP address 192.168.0.10/24. The tunnel interface is tun0 with IP address 172.21.0.2/30. IPsec support is provided by strongSwan.

WAN Topology Scheme

Configuration

Branch office

Configure the WAN interface and the default route

sudo ifconfig eth0 192.168.0.10/24 up  
sudo route add default gw 192.168.0.1  

Update the system and install strongSwan from EPEL. Substitute the current epel-release package file name in the rpm command: a shell glob is not expanded in a URL.

sudo yum -y update  
sudo rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release*rpm  
sudo yum -y install strongswan  

Adjust kernel parameters: enable IP forwarding and disable ICMP redirects. The `default.*` keys only affect interfaces created later, so the `all.*` keys are needed for eth0 as well. Apply the change with `sysctl -p`.

sudo tee -a /etc/sysctl.conf << 'EOF'

# Controls IP packet forwarding
# enable IP forwarding
net.ipv4.ip_forward = 1

# disable ICMP redirects (existing and future interfaces)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
EOF
sudo sysctl -p

StrongSwan Configuration

Write the ipsec.conf file to configure IPsec. The connection is named cisco (the name is what `strongswan statusall` reports later). left is the Cisco peer and right is this host; strongSwan works out which side is local from the interface addresses.

sudo tee /etc/strongswan/ipsec.conf << 'EOF'
config setup
    # log level configuration
    #charondebug="dmn 2, mgr 2, chd 2, net 2, ike 2, knl 3, cfg 0"

conn cisco
    # Start the connection when the daemon starts
    auto=start
    # Authentication by PSK (see ipsec.secrets)
    authby=secret
    # Disable IPComp compression
    compress=no
    # Dead peer detection and reconnection settings
    closeaction=clear
    dpddelay=30s
    dpdtimeout=150s
    dpdaction=restart
    # ESP proposal (Phase 2); must match the Cisco transform-set
    esp=3des-sha1
    # Do not force UDP encapsulation (NAT-T) when no NAT is detected
    forceencaps=no
    # IKE proposal (Phase 1); must match the Cisco isakmp policy
    ike=3des-sha1-modp1024
    ikelifetime=3600s
    keyingtries=%forever
    lifetime=86400s
    # Internet Key Exchange (IKE) version: the Cisco crypto-map setup uses IKEv1
    # (charon handles both versions; by default it initiates IKEv2)
    keyexchange=ikev1
    # connection type
    type=tunnel
    # Peers
    left=192.168.100.10
    right=192.168.0.10
    # Protect only GRE (IP protocol 47) between the two gateways;
    # older releases may need the number 47 instead of the name
    leftprotoport=gre
    rightprotoport=gre
    # Subnets behind the gateways are not selected here: routed traffic
    # travels inside the GRE tunnel, so only GRE itself needs protection
    #leftsubnet=10.0.254.0/24
    #rightsubnet=10.0.0.0/24
EOF

Note on the proposals: 3DES, SHA-1 and the 1024-bit MODP group (Cisco `group 2`) are the legacy choices used in this lab. For a new deployment prefer something like `ike=aes256-sha256-modp2048` and `esp=aes256-sha256`, with the matching `encr aes 256`, `hash sha256`, `group 14` and `esp-aes 256 esp-sha256-hmac` on the router.

Add the PSK. The key shown is a placeholder; use a long random secret in production, and make sure the file is mode 0600 and owned by root.

sudo tee -a /etc/strongswan/ipsec.secrets << 'EOF'
192.168.100.10 : PSK "1234567890"
EOF

Configure logging for strongSwan in strongswan.conf. A partial example of the file:

cat /etc/strongswan/strongswan.conf  
charon { 

    # number of worker threads in charon 
    threads = 16 

    # send strongswan vendor ID? 
    # send_vendor_id = yes 

    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = no
            # the default loglevel for all daemon subsystems (defaults to 1)
            default = 1
            # flush each line to disk
            flush_line = yes
        }
    }

    plugins { 

        sql { 
            # loglevel to log into sql database 
            loglevel = -1 

            # URI to the database 
            # database = sqlite:///path/to/file.db 
            # database = mysql://user:password@localhost/database 
        } 
    } 

    # ... 
} 

pluto { 

} 

libstrongswan { 

    #  set to no, the DH exponent size is optimized 
    #  dh_exponent_ansi_x9_42 = no 
}

iptables test config

Add some rules to iptables to allow traffic from the tunnel and from the head-office gateway. The positions (6, 7) must place the rules before the final REJECT of the distribution's INPUT chain; adjust them to your ruleset.

iptables -I INPUT 6 -i tun0 -s 172.21.0.0/30 -j ACCEPT  
iptables -I INPUT 7 -i eth0 -s 192.168.100.10 -j ACCEPT  

If the branch gateway must also route traffic for the LAN behind it, add:

iptables -I FORWARD 2 -i tun0 -j ACCEPT  
iptables -I FORWARD 1 -o tun0 -j ACCEPT  

Note: do not start the strongSwan daemon yet; the GRE tunnel is tested in the clear first.
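The topology gives tun0 an address, but the post never shows the GRE interface being created on CentOS, and the test rules above admit all traffic from the head-office gateway. The script below is added here as an example (it is not from the original post): it prints, or with `apply` executes as root, the commands that create the GRE interface and install a narrower iptables policy that admits only IKE, NAT-T, ESP and GRE from the peer. The addresses are the post's; the script name, the MTU of 1400 (room for the GRE header plus ESP tunnel-mode overhead) and the rule set are assumptions.

```shell
#!/bin/sh
# gre-up.sh: branch-gw bring-up (added example, not from the original post).
# Creates the GRE interface tun0 towards head-gw and installs iptables rules
# that admit only what GRE-over-IPsec needs from the peer. Run without
# arguments to review the commands, or "sh gre-up.sh apply" as root to run them.
WAN_IF=eth0
WAN_ADDR=192.168.0.10         # branch-gw WAN address (from the post)
PEER=192.168.100.10           # head-gw WAN address (from the post)
TUN_IF=tun0
TUN_ADDR=172.21.0.2/30
TUN_NET=172.21.0.0/30
TUN_MTU=1400                  # assumption: leaves room for GRE (24 B) + ESP tunnel-mode overhead

# Commands that create the GRE tunnel; ttl 255 mirrors "Tunnel TTL 255" on the router.
gre_cmds() {
    cat <<EOF
ip tunnel add $TUN_IF mode gre local $WAN_ADDR remote $PEER ttl 255
ip link set $TUN_IF mtu $TUN_MTU
ip addr add $TUN_ADDR dev $TUN_IF
ip link set $TUN_IF up
EOF
}

# Firewall: instead of "-s $PEER -j ACCEPT" for everything, allow only IKE
# (udp/500), NAT-T (udp/4500), ESP (protocol 50) and GRE (protocol 47) from
# the peer. GRE must stay open even once IPsec is up, because the decrypted
# packet re-enters the INPUT chain after ESP decapsulation. -I inserts at the
# head of the chain, so the rules land ahead of the distribution's final
# REJECT whatever its position is.
fw_cmds() {
    cat <<EOF
iptables -I INPUT -i $WAN_IF -s $PEER -p udp --dport 500 -j ACCEPT
iptables -I INPUT -i $WAN_IF -s $PEER -p udp --dport 4500 -j ACCEPT
iptables -I INPUT -i $WAN_IF -s $PEER -p esp -j ACCEPT
iptables -I INPUT -i $WAN_IF -s $PEER -p gre -j ACCEPT
iptables -I INPUT -i $TUN_IF -s $TUN_NET -j ACCEPT
iptables -I FORWARD -i $TUN_IF -j ACCEPT
iptables -I FORWARD -o $TUN_IF -j ACCEPT
EOF
}

# Total number of commands the script would run; a quick sanity check before "apply".
rule_count() {
    { gre_cmds; fw_cmds; } | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) { gre_cmds; fw_cmds; } | sh -e ;;
    *)     gre_cmds; fw_cmds ;;
esac
```

Review the printed commands first, then run the script with `apply`. If you lower the MTU here, set the same value on the router's Tunnel0 (`ip mtu 1400`) so both ends fragment consistently once ESP is added.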

Head office

Configure interface and routing

interface GigabitEthernet0/0  
 description WAN connection
 ip address 192.168.100.10 255.255.255.0 
 duplex auto 
 speed auto

interface Tunnel0  
 description GRE tunnel to Branch Office
 ip address 172.21.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0 
 tunnel destination 192.168.0.10

! Default route
ip route 0.0.0.0 0.0.0.0 192.168.100.1  

Remember that IPsec is not yet enabled on the branch (strongSwan is stopped), so the tunnel can be tested now as plain GRE. Check the tunnel state on the Cisco router:

enable  
show interface Tunnel0  
    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 172.21.0.1/30
      MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec, reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 192.168.100.10 (GigabitEthernet0/0), destination 192.168.0.10
      Tunnel protocol/transport GRE/IP
        Key disabled, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255
      Fast tunneling enabled
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 00:02:37, output 00:02:37, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         6237 packets input, 613782 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         7595 packets output, 872954 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out

The interface is up and GRE/IP encapsulation is in use. Ping the branch-office tunnel endpoint:

ping 172.21.0.2 

    Type escape sequence to abort. 
    Sending 5, 100-byte ICMP Echos to 172.21.0.2, timeout is 2 seconds: 
    !!!!! 
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

IPsec configuration

This example uses a crypto map; an IPsec profile applied to Tunnel0 (tunnel protection) works as well.

! Create the ACL: encrypt only GRE traffic between the two gateways.
! It mirrors the strongSwan protoport selectors (host to host, protocol 47).
ip access-list extended MATCH-STATIC-MAP-100  
 permit gre host 192.168.100.10 host 192.168.0.10

! ISAKMP (Phase 1) policy: must match ike=3des-sha1-modp1024 on the branch
crypto isakmp policy 10  
 encr 3des 
 hash sha
 authentication pre-share 
 group 2

! PSK for the peer (same value as in ipsec.secrets on the branch)
crypto isakmp key 1234567890 address 192.168.0.10

! Transform set (Phase 2): must match esp=3des-sha1 on the branch
crypto ipsec transform-set TS esp-3des esp-sha-hmac

! Crypto map
crypto map STATIC-MAP 100 ipsec-isakmp  
 set peer 192.168.0.10 
 set transform-set TS 
 match address MATCH-STATIC-MAP-100 

! Apply the crypto map on the WAN interface
interface GigabitEthernet0/0  
 ip address 192.168.100.10 255.255.255.0
 duplex auto 
 speed auto 
 crypto map STATIC-MAP

Enable IPsec on the branch office

Just start strongSwan:

sudo strongswan start  

Now check the connection status:

strongswan statusall  
…
  Connections: 
       cisco:  192.168.0.10...192.168.100.10  IKEv1, dpddelay=30s 
       cisco:   local:  [192.168.0.10] uses pre-shared key authentication 
       cisco:   remote: [192.168.100.10] uses pre-shared key authentication 
       cisco:   child:  dynamic[gre] === dynamic[gre] TUNNEL, dpdaction=restart 
    Security Associations (1 up, 0 connecting): 
       cisco[4]: ESTABLISHED 45 minutes ago, 192.168.0.10[192.168.0.10]...192.168.100.10[192.168.100.10] 
       cisco[4]: IKEv1 SPIs: d1670af393d1e08c_i* b286166b7bc3a2e6_r, pre-shared key reauthentication in 4 minutes 
       cisco[4]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 
       cisco{1}:  INSTALLED, TUNNEL, ESP SPIs: c9027cb6_i 02ae527f_o 
       cisco{1}:  3DES_CBC/HMAC_SHA1_96, 8272 bytes_i (119 pkts, 0s ago), 6408 bytes_o (89 pkts, 0s ago), rekeying in 23 hours 
       cisco{1}:   192.168.0.10/32[gre] === 192.168.100.10/32[gre]

If you see the IKE SA as ESTABLISHED and the child SA as INSTALLED with the gre selectors, as above, everything works. On the router, `show crypto isakmp sa` and `show crypto ipsec sa` give the same view from the Cisco side.
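The status output proves the SAs exist, but not that every GRE packet actually goes through them: a crypto-map ACL that does not match, a protoport mismatch, or a stopped daemon can leave GRE crossing the WAN in the clear, which is exactly what happened on purpose during the test phase above. The following check is added here as an example (not from the original post): it captures WAN traffic to the peer on branch-gw and counts GRE packets that are not inside ESP. The tcpdump lines in SAMPLE are constructed for an offline run, not captured from the post's lab; the packet count of 200 and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): confirm on branch-gw that GRE
# really travels inside ESP. Once the SAs are up, the only traffic between
# the two gateways on the WAN should be ESP (protocol 50) and IKE (udp/500,
# udp/4500). A GRE packet seen in the clear means the IPsec policy does not
# cover it (crypto-map ACL or protoport mismatch) or the daemon is down.
PEER=192.168.100.10
WAN_IF=eth0

# Constructed tcpdump lines for an offline run (not a capture from the post's lab):
# two ESP packets, one IKE packet and one GRE packet that leaked in the clear.
SAMPLE='12:00:01.000001 IP 192.168.0.10 > 192.168.100.10: ESP(spi=0x02ae527f,seq=0x5a), length 120
12:00:01.000002 IP 192.168.100.10 > 192.168.0.10: ESP(spi=0xc9027cb6,seq=0x77), length 120
12:00:02.000003 IP 192.168.0.10.500 > 192.168.100.10.500: isakmp: phase 1 I ident
12:00:03.000004 IP 192.168.0.10 > 192.168.100.10: GREv0, length 88: IP 172.21.0.2 > 172.21.0.1: ICMP echo request, id 1, seq 1, length 64'

# Print only the capture lines (stdin) that are neither ESP nor IKE:
# whatever is left is traffic the tunnel policy failed to protect.
unprotected_lines() {
    grep -v -e 'ESP(spi=' -e 'isakmp' || true
}

# Number of plaintext GRE packets in a capture read from stdin.
count_plain_gre() {
    unprotected_lines | grep -c 'GREv0' || true
}

# Live check: capture 200 packets to/from the peer on the WAN interface.
# Requires root; returns non-zero if any GRE packet crossed the WAN unencrypted.
live_check() {
    n=$(tcpdump -nn -i "$WAN_IF" -c 200 host "$PEER" 2>/dev/null | count_plain_gre)
    echo "plaintext GRE packets to/from $PEER: $n"
    [ "$n" -eq 0 ]
}

# Offline demonstration on the constructed sample: reports one leaked GRE packet.
printf '%s\n' "$SAMPLE" | count_plain_gre
```

Run `live_check` while pinging across the tunnel; a count of zero with the byte counters in `strongswan statusall` increasing is the evidence that the GRE traffic is protected. Run it again with strongSwan stopped and the count should become non-zero, which shows the check actually sees leaks.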