Route Based Vpn With Cisco Vpn Devices

Route Based VPN Deployment with Cisco VPN Devices
December 24, 2006

In This Document:
  Overview (page 1)
  System and Installation Requirements (page 2)
  Configuring VPN Tunnel (page 2)
  Configuring VPN on a Cisco Router (page 5)
  Testing a VPN tunnel establishment (page 6)
  Configuring VPN Tunnel Interface (VTI) on VPN-1 module (page 6)
  Configuring Tunnel Interface on Cisco router (page 7)
  GRE over IPsec Configuration (page 8)
  Testing VPN Connectivity Using VTIs (page 9)
  Configuring Route Based VPN - Using Static Routes (page 9)
  Configuring Route Based VPN - Using Dynamic Routing Protocols (OSPF) (page 10)
  Configuration Verification and Connectivity Test (page 12)
  Check that OSPF Adjacency is Established (page 13)
  Final Connectivity Test (page 13)

Overview

This document describes the proper way to configure Route Based VPN between VPN-1 modules and interoperable Cisco devices that support the IPsec, GRE and OSPF protocols. The document provides a step-by-step configuration flow, based on an example scenario of a Check Point VPN-1 module and a Cisco router (IOS 12.X, C2800 series). The main aspects covered in this example are:

  • Establishing a VPN (IPsec) tunnel between a VPN-1 module and an interoperable Cisco device (supporting GRE over IPsec) using a Simplified Policy.
  • Creating a VPN Tunnel Interface (VTI) on a VPN-1 module.
  • Creating tunnel interfaces on Cisco devices.
  • Allowing and configuring GRE over IPsec support on VPN-1 and Cisco devices.
  • Configuring OSPF and establishing adjacency between VPN-1 and Cisco devices.
  • Defining Route Based VPN and providing connectivity.

Copyright © 2005 Check Point Software Technologies, Ltd. All rights reserved

System and Installation Requirements

The following components should be installed and configured:

  • SPLAT Pro installed machines with a proper license.
  • Check Point VPN-1 installed with internal and external interfaces defined.
  • Cisco router.
  • Clear text connectivity should be allowed and tested.

Figure 1

Configuring VPN Tunnel

1. Enable the VPN-1 module on all gateway objects.
2. In SmartDashboard, create an empty group.
3. In the Topology page of each gateway, define the VPN Domain as the empty encryption domain (the group created in step 2).

Figure 2

4. Create an Interoperable Device object and configure it according to the Cisco router information (name, IP addresses, etc.):

Figure 3

5. On the Topology page of the Cisco device, click Add and enter the tunnel IP address information. This IP address is used in the Rule Base for security purposes and is not related to connectivity.

Figure 4

6. Create a meshed community. In the Participating Gateways page, add the VPN-1 module(s) and the Cisco object. Configure the required encryption methods and IKE authentication for the community.

Note - In this example, IKE authentication is defined based on pre-shared secrets; however, VPN-1 fully supports IKE PKI authentication based on RSA digital signatures (certificates) with Interoperable devices.

Figure 5

Figure 6

7. Create a rule in the security Rule Base which allows the ICMP and OSPF services. Keep in mind that the VPN column should remain Any Traffic. Additionally, there is no need to define Source and Destination. In this example, the focus is on VPN dynamic routing, not on creating a proper security Rule Base.

Table 1 Sample Rule

  Source   Destination   VPN           Service      Action   Track
  Any      Any           Any Traffic   icmp, ospf   accept   Log

Note - In Route Based VPN configurations, VPN access control (the VPN column) must be defined by "Directional VPN" only. Regular settings will not function and will drop the corresponding traffic. (For more information, refer to the Directional VPN Enforcement chapter in the VPN User Guide.)

8. Install the policy on the VPN-1 module.

Configuring VPN on a Cisco Router

Table 2 details the configuration of the Cisco device needed to establish basic VPN connectivity with the VPN-1 module:

Table 2

  crypto isakmp policy 20
   encr 3des
   authentication pre-share
   group 2
  crypto isakmp key 123456 address 192.168.65.50
  crypto isakmp peer address 192.168.65.50
  crypto ipsec security-association lifetime seconds 120
  crypto ipsec transform-set testset esp-3des esp-sha-hmac
  crypto map testmap 73 ipsec-isakmp
   set peer 192.168.65.50
   set transform-set testset
   match address 141
  interface FastEthernet0/0
   ip address 10.10.120.10 255.255.255.0
   speed 100
   full-duplex
   crypto map testmap
  access-list 141 permit ip host 10.10.120.10 host 194.29.43.63
  access-list 141 permit ip host 194.29.43.63 host 10.10.120.10

Testing a VPN tunnel establishment

Check that a basic VPN tunnel is successfully established between the VPN-1 module and the Cisco device by performing an ICMP (ping) connectivity test. Using the SPLAT Pro command prompt on the VPN-1 module, ping an external interface of the Cisco device. Do the same in the other direction: ping an external interface of the VPN-1 module from the Cisco device. In SmartView Tracker, check that the IKE key exchanges completed without errors or failures and that the ICMP traffic is encrypted and decrypted by the VPN-1 module. Check that the proper logs are received by SmartView Tracker.

Configuring VPN Tunnel Interface (VTI) on VPN-1 module

For a detailed description of how to configure a VTI using the VPN Shell command line interface, refer to the Route Based VPN chapter and the VPN Shell appendix in the VPN User Guide. Using the VPN Shell, create a VTI attached to the Cisco interoperable device object, with local IP 22.22.22.1 and remote IP 22.22.22.2:

Table 3

  [admin@gw_a ~]$ vpn shell i a n 22.22.22.1 22.22.22.2 cisco
  Interface 'vt-cisco' was added successfully to the system
  [admin@gw_a ~]$ vpn shell i s d vt-cisco
  vt-cisco  Type:numbered  MTU:1500
            inet addr:22.22.22.1  P-t-P:22.22.22.2  Mask:255.255.255.255
            Peer:cisco  Peer ID:10.10.120.10  Status:attached

Confirm that the VTI was fetched and properly configured in the Topology page of the VPN-1 module. When this is confirmed, install the policy.

Figure 7

Configuring Tunnel Interface on Cisco router

Create and configure a tunnel interface on the Cisco device with the settings in Table 4:

Table 4

  interface Tunnel0
   ip address 22.22.22.2 255.255.255.0
   ip ospf network point-to-point
   ip ospf mtu-ignore
   tunnel source FastEthernet0/0
   tunnel destination 192.168.65.50

GRE over IPsec Configuration

In SmartDashboard:

1. Navigate to the VPN > VPN Advanced page of the interoperable object (Cisco device).

Figure 8

2. Select Custom settings > One VPN tunnel per Gateway pair.
3. In the drop-down menu, select GRE on IPsec.
4. Install the policy.
5. On the Cisco device, GRE encapsulation should be enabled by default. To confirm this, see Table 5.

Table 5

  Cisco# show interfaces tunnel 0
  Tunnel0 is up, line protocol is up
    Hardware is Tunnel
    Internet address is 22.22.22.2/24
    MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation TUNNEL, loopback not set
    Keepalive not set
    Tunnel source 10.10.120.10 (FastEthernet0/0), destination 194.29.43.63
    Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled

6. Edit the current access-list on the Cisco device so that it allows GRE traffic between the two IPsec endpoints, as shown in Table 6.

Table 6

  access-list 141 permit gre host 10.10.120.10 host 192.168.65.50
  access-list 141 permit gre host 192.168.65.50 host 10.10.120.10
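The crypto ACL is the control that decides which packets the crypto map encrypts: on IOS, traffic leaving FastEthernet0/0 that matches no entry in access-list 141 is forwarded in the clear, so step 6 is what keeps the GRE tunnel inside IPsec. The following Python script is an added example (not part of this document nor a Check Point or Cisco tool): it parses the handful of IOS statements from Tables 2, 4 and 6 (a constructed sample using the page's values), reports a tunnel whose GRE flows are not covered by the crypto ACL, and flags the legacy IKE settings the example uses (numeric pre-shared key, 3DES).

```python
import re

# Constructed sample: Cisco side from Tables 2, 4 and 6 (not the page's full listing).
TABLE2_AND_4 = """\
crypto isakmp policy 20
 encr 3des
 group 2
crypto isakmp key 123456 address 192.168.65.50
crypto map testmap 73 ipsec-isakmp
 set peer 192.168.65.50
 match address 141
interface FastEthernet0/0
 ip address 10.10.120.10 255.255.255.0
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.65.50
access-list 141 permit ip host 10.10.120.10 host 194.29.43.63
"""
TABLE6_GRE = ("access-list 141 permit gre host 10.10.120.10 host 192.168.65.50\n"
              "access-list 141 permit gre host 192.168.65.50 host 10.10.120.10\n")

def parse_ios(text):
    """Collect interface IPs, tunnel endpoints, host ACL entries and crypto settings."""
    cfg, iface = {"ip": {}, "tun": {}, "acl": set()}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            iface = m[1]
        elif m := re.match(r"ip address (\S+)", line):
            cfg["ip"][iface] = m[1]
        elif m := re.match(r"tunnel (source|destination) (\S+)", line):
            cfg["tun"].setdefault(iface, {})[m[1]] = m[2]
        elif m := re.match(r"access-list (\d+) permit (\w+) host (\S+) host (\S+)", line):
            cfg["acl"].add(m.groups())
        elif m := re.match(r"(set peer|match address|crypto isakmp key|encr) (\S+)", line):
            cfg[m[1]] = m[2]
    return cfg

def check_gre_over_ipsec(config, tunnel="Tunnel0"):
    """Findings; empty means both GRE directions of the tunnel are matched by the
    crypto ACL (IOS forwards unmatched GRE in the clear) and IKE is not legacy."""
    cfg, out = parse_ios(config), []
    t = cfg["tun"].get(tunnel, {})
    src = cfg["ip"].get(t.get("source"), t.get("source"))  # interface name or IP
    dst, acl = t.get("destination"), cfg.get("match address")
    if not (src and dst):
        return [f"{tunnel}: tunnel source/destination missing"]
    if dst != cfg.get("set peer"):
        out.append(f"{tunnel}: destination {dst} is not the crypto map peer")
    for a, b in ((src, dst), (dst, src)):
        if not {(acl, "gre", a, b), (acl, "ip", a, b)} & cfg["acl"]:
            out.append(f"ACL {acl}: no GRE permit {a} -> {b}, GRE would leave unencrypted")
    if (psk := cfg.get("crypto isakmp key", "")) and (len(psk) < 16 or psk.isdigit()):
        out.append("IKE pre-shared key is short or numeric only")
    if cfg.get("encr", "des") in ("des", "3des"):
        out.append(f"IKE encryption {cfg.get('encr', 'des')} is legacy")
    return out
```

Run check_gre_over_ipsec(TABLE2_AND_4) to see the missing GRE permits reported, and check_gre_over_ipsec(TABLE2_AND_4 + TABLE6_GRE) to see only the IKE hygiene findings remain.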


Testing VPN Connectivity Using VTIs

To confirm connectivity between the VPN-1 module and the Cisco device, proceed as follows:

1. On the VPN-1 module, ping the IP address of the Cisco device (22.22.22.2) from the command line.
2. On the Cisco device, ping the address of the VPN-1 module (22.22.22.1).

Before proceeding to the next step:

  • Check that pinging was successful when initiated from both sides.
  • Check that proper logs of successful IKE negotiation and Encrypt/Decrypt are received for the ICMP connection.
  • See the Encrypt/Decrypt log information and check that GRE is used.

Configuring Route Based VPN - Using Static Routes

To provide Route Based VPN connectivity between the VPN-1 module and the Cisco device, define static routes in the operating system, where the dedicated interface device is the chosen VTI. Create the following static routes:

  • On the VPN-1 module: route add -net 30.1.1.0 netmask 255.255.255.0 dev vt-cisco
  • On the Cisco device: ip route 10.65.50.0 255.255.255.0 tunnel 0

Confirm that the static routes are defined in the operating system routing table on the VPN-1 module:

  [admin@gw_a ~]$ route
  Kernel IP routing table
  Destination      Gateway          Genmask          Flags Metric Ref Use Iface
  224.0.0.2        *                255.255.255.255  UHD   0      0   0   lo
  22.22.22.2       *                255.255.255.255  UH    0      0   0   vt-cisco
  22.22.22.1       localhost.local  255.255.255.255  UGH   0      0   0   lo
  1.1.1.1          localhost.local  255.255.255.255  UGH   0      0   0   lo
  localhost.local  *                255.255.255.255  UH    0      0   0   lo
  30.1.1.0         *                255.255.255.0    U     0      0   0   vt-cisco
  192.168.65.0     *                255.255.255.0    U     0      0   0   eth0
  10.65.50.0       *                255.255.255.0    U     0      0   0   eth1
  127.0.0.0        -                255.0.0.0        !D    0      0
  default          192.168.65.1     0.0.0.0          UG    0      0   0   eth0

Confirm that the static routes are defined in the routing table on the Cisco device:

  show ip route
  Gateway of last resort is 10.10.120.1 to network 0.0.0.0
       22.0.0.0/24 is subnetted, 1 subnets
  C       22.22.22.0 is directly connected, Tunnel0
       10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
  C       10.10.120.0/24 is directly connected, FastEthernet0/0
  S       10.65.50.0/24 is directly connected, Tunnel0
       30.0.0.0/24 is subnetted, 1 subnets
  C       30.1.1.0 is directly connected, FastEthernet0/1
  S*   0.0.0.0/0 [1/0] via 10.10.120.1

Perform a cross "ping" between hosts located in the internal networks behind the VPN-1 module and the Cisco device. For example, if the host IP address behind VPN-1 is 10.65.50.2 and the host IP behind Cisco is 30.1.1.2, then establish a ping session from both hosts:

  VPN-1 host: ping 30.1.1.2
  Cisco host: ping 10.65.50.2

ICMP traffic to and from the VPN-1 gateways should be encrypted and decrypted properly, and the correct logs should be received by SmartView Tracker.

Configuring Route Based VPN - Using Dynamic Routing Protocols (OSPF)

If static routes representing the internal networks of both VPN peers have been configured, remove these routes before beginning the OSPF configuration.

1. On the VPN-1 module, verify that the operating system is equipped with a SPLAT Pro license, which supports the Advanced Routing suite (dynamic routing daemon).
2. From the SPLAT Pro command prompt, run one of the following commands to enter the GateD CLI shell:

  router
  cligated

Follow the commands in Table 7 to configure OSPF on the VPN-1 module.

Table 7

  [admin@gw_a ~]$ router
  localhost.localdomain>ena
  localhost.localdomain#conf t
  localhost.localdomain(config)#router ospf 1
  localhost.localdomain(config-router-ospf)#router-id 192.168.65.50
  localhost.localdomain(config-router-ospf)#network 22.22.22.2 0.0.0.0 area 0.0.0.0
  localhost.localdomain(config-router-ospf)#redistribute kernel
  localhost.localdomain(config-router-ospf)#end

Review the settings:

  localhost.localdomain#show running-config
  Building configuration...
  router ospf 1
   router-id 192.168.65.50
   network 22.22.22.2 0.0.0.0 area 0.0.0.0
   redistribute kernel
  exit

Check that the VTI is an OSPF interface:

  localhost.localdomain#show ip route ospf
  Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF
         D - DVMRP, 3 - OSPF3, I - IS-IS, K - Kernel
         A - Aggregate
  localhost.localdomain#show ip ospf interface
  vt-cisco is up
    Internet Address 22.22.22.1, Area 0.0.0.0
    Network Type Point-To-Point, Cost: 10
    Transmit Delay is 1 sec, State Pt2Pt, Priority 1
    No Designated Router on this network
    No Backup Designated Router on this network
    Timer intervals configured, Hello 10, Dead 40, Retransmit 5
    Neighbor Count is 0
  localhost.localdomain#

Note - We have chosen the redistribution policy "kernel" to advertise the kernel routes in the SPLAT Pro OS routing table. The GateD dynamic routing daemon supports other policies (for example, bgp, direct, ospf, rip, and static). Refer to the additional documents describing how to use all redistribute policy options.

3. Create a kernel (static) route in the SPLAT Pro OS routing table; this route is treated as a VPN encryption domain and is advertised via the VTI towards the Cisco device. Table 8 illustrates how to redistribute a specific range located behind the VPN-1 gateway:

Table 8

  [admin@gw_a ~]$ route add -net 10.65.50.0 netmask 255.255.255.128 gw 10.65.50.1
  [admin@gw_a ~]$ route
  Kernel IP routing table
  Destination      Gateway          Genmask          Flags Metric Ref Use Iface
  224.0.0.2        *                255.255.255.255  UHD   0      0   0   lo
  22.22.22.2       *                255.255.255.255  UH    0      0   0   vt-cisco
  22.22.22.1       localhost.local  255.255.255.255  UGH   0      0   0   lo
  224.0.0.6        *                255.255.255.255  UHD   0      0   0   lo
  224.0.0.5        *                255.255.255.255  UHD   0      0   0   lo
  1.1.1.1          localhost.local  255.255.255.255  UGH   0      0   0   lo
  localhost.local  *                255.255.255.255  UH    0      0   0   lo
  10.65.50.0       10.65.50.1       255.255.255.128  UG    0      0   0   eth1
  192.168.65.0     *                255.255.255.0    U     0      0   0   eth0
  10.65.50.0       *                255.255.255.0    U     0      0   0   eth1
  127.0.0.0        -                255.0.0.0        !D    0      0
  default          192.168.65.1     0.0.0.0          UG    0      0   0   eth0

In this example, the internal interface is 10.65.50.1 with a 24-bit mask; we created a route for the same network, 10.65.50.0, but with a 25-bit netmask.

4. On the Cisco device, define the following settings:

  router ospf 1
   router-id 10.10.120.10
   log-adjacency-changes
   redistribute static subnets
   network 22.22.22.0 0.0.0.255 area 0.0.0.0

5. Create a static route that points to a host located behind the Cisco device:

  ip route 30.1.1.2 255.255.255.255 FastEthernet0/1

Configuration Verification and Connectivity Test

On the VPN-1 module, enter the GateD CLI shell and check the OSPF settings:

  localhost.localdomain#show running-config
  Building configuration...
  router ospf 1
   router-id 192.168.65.50
   network 22.22.22.2 0.0.0.0 area 0.0.0.0
   redistribute kernel
  exit
  localhost.localdomain#

Check that OSPF Adjacency is Established

Confirm that the adjacency with the Cisco device is established, as follows:

  localhost.localdomain#show ip ospf neighbor
  Routing Process "ospf 1":
  Neighbor 10.10.120.10, interface address 22.22.22.2
    In area 0.0.0.0 interface vt-cisco
    Neighbor priority is 1, state is Full 6 state changes
    DR is 0.0.0.0 BDR is 0.0.0.0
    Options is 18
    Dead timer is due in 36 seconds

Cisco routes are shown on the VPN-1 module. Check that the proper routes from the Cisco device are learned by the VPN-1 module and appear in the OS routing table via the Cisco VTI:

  localhost.localdomain#show ip route ospf
  Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF
         D - DVMRP, 3 - OSPF3, I - IS-IS, K - Kernel
         A - Aggregate
  22.22.22.0/24 [11121/10] via 22.22.22.2, 00:12:41, vt-cisco
  30.1.1.2/32 [10/150] via 22.22.22.2, 00:04:46, vt-cisco
  localhost.localdomain#

On the Cisco device, check that adjacency and route injection have the same configuration:

  router ospf 1
   router-id 10.10.120.10
   log-adjacency-changes
   redistribute static subnets
   network 22.22.22.0 0.0.0.255 area 0.0.0.0

Final Connectivity Test

Confirm that both the VPN-1 module and the Cisco device contain the redistributed routes, which function as additional encryption domains.

  • VPN-1 module: O 30.1.1.2/32 [10/150] via 22.22.22.2, 00:04:46, vt-cisco
  • Cisco device: O E2 10.65.50.0/25 [110/1] via 22.22.22.1, 00:07:59, Tunnel0

  Cisco#show ip ospf neighbor
  Neighbor ID     Pri   State     Dead Time   Address      Interface
  192.168.65.50   0     FULL/     00:00:36    22.22.22.1   Tunnel0

Check the routing table:

  Cisco#show ip route ospf
       10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
  O E2    10.65.50.0/25 [110/1] via 22.22.22.1, 00:07:59, Tunnel0

  • Perform ping tests between hosts located behind the VPN-1 and Cisco devices.
  • The connection should be established successfully, with encryption and decryption of all traffic.
  • Check that proper logs are received in SmartView Tracker.
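As an added example (not part of this document), the following Python script automates the verification above: it parses IOS "show ip ospf neighbor" and "show ip route ospf" output, and the GateD route listing from the VPN-1 shell, using constructed samples with the page's values, and reports when the adjacency is not FULL on the tunnel interface or when an expected remote prefix is learned through an interface other than the VTI, where traffic would bypass the VPN.

```python
import re

# Constructed sample outputs, modelled on the listings on this page (same values).
CISCO_NEIGHBORS = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.65.50     0   FULL/  -        00:00:36    22.22.22.1      Tunnel0
"""
CISCO_OSPF_ROUTES = """\
     10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
O E2    10.65.50.0/25 [110/1] via 22.22.22.1, 00:07:59, Tunnel0
"""
VPN1_OSPF_ROUTES = """\
Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF
22.22.22.0/24 [11121/10] via 22.22.22.2, 00:12:41, vt-cisco
30.1.1.2/32 [10/150] via 22.22.22.2, 00:04:46, vt-cisco
"""

ROUTE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+/\d+) \[(\d+)/(\d+)\] via (\S+), \S+, (\S+)")

def parse_neighbors(text):
    """Rows of IOS 'show ip ospf neighbor'; tolerates the optional DR/BDR role column."""
    rows = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 6 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", f[0]):
            rows.append({"id": f[0], "state": f[2].split("/")[0], "dead": f[-3],
                         "addr": f[-2], "iface": f[-1]})
    return rows

def parse_ospf_routes(text):
    """Rows of 'show ip route ospf' from IOS or from the VPN-1 GateD shell."""
    return [{"prefix": m[1], "ad": int(m[2]), "metric": int(m[3]), "via": m[4], "iface": m[5]}
            for m in map(ROUTE_RE.search, text.splitlines()) if m]

def verify_route_based_vpn(neighbor_out, route_out, tunnel_if, expected_prefixes):
    """Findings; empty means the adjacency is FULL on the tunnel interface and every
    expected remote prefix is learned through it. A prefix reachable through any other
    interface is routed around the VPN and leaves the gateway unencrypted."""
    out = []
    if not any(n["iface"] == tunnel_if and n["state"] == "FULL" for n in parse_neighbors(neighbor_out)):
        out.append(f"no FULL OSPF neighbor on {tunnel_if}")
    learned = {r["prefix"]: r["iface"] for r in parse_ospf_routes(route_out)}
    for prefix in expected_prefixes:
        if prefix not in learned:
            out.append(f"{prefix} not learned via OSPF")
        elif learned[prefix] != tunnel_if:
            out.append(f"{prefix} learned via {learned[prefix]}, not {tunnel_if}")
    return out
```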
