Security
Security Module
GRE
GRE Overview
Diagram: (1) a network-layer packet is (2) carried as the payload of a GRE packet, which is (3) forwarded inside another network-layer protocol, the delivery protocol.
GRE Point to Point
Two private networks are connected across the Internet via a single
link.
A GRE entity is configured with the following parameters:
» INTERFACE, or SOURCE and SMASK
» TARGET IP address
Any IP packet received from the Source interface, or from the Source
IP address (and Mask) will be encapsulated using GRE and
forwarded to the target IP address.
GRE Multi-Point
GRE Procedure
Source site:
1. IP packets received via the IP interface are checked against the
patterns in the GRE entity
2. If a match is found, the IP packet is encapsulated using GRE and
forwarded to the specified target address
3. If not, the packet is sent out as usual
Destination site:
4. The router’s GRE module extracts the payload packet
5. The packet is forwarded to the IP module for normal processing
Configuring GRE
GRE - Point to Point
Diagram: Router A (Eth0=192.168.1.1, PPP0=192.1.1.1) and Router B (PPP0=192.1.1.2, Eth0=192.168.2.1), two CentreCOM AR300 access routers joined by a leased line; test PC 192.168.1.2 on Router A's LAN.
On both routers:
» configure the IP interfaces
» enable the IP module
» enable the GRE module
» enable gre
Now we need to create a GRE entity on both routers to
decide which IP packets to encapsulate
GRE - Router A
GRE - Router B
Testing the configuration
Try to telnet from one LAN to the other and verify with sh gre that
packets are encapsulated.
GRE - Multipoint
Diagram: Router 1 (Eth0=192.168.1.1, PPP0=192.1.1.2; PC 192.168.1.2), Router 2 (Eth0=192.168.2.1, PPP0=192.1.2.2; PC 192.168.2.2) and Router 3 (Eth0=192.168.3.1, PPP0=192.1.3.2), all CentreCOM AR300 access routers, connected through the Internet.
GRE - Multipoint
Purpose:
» establish a VPN between each PAIR of routers transiting over
internet
Method:
» we emulate internet using an ATI router
» we need to configure each router to use GRE to connect to the
private remote LAN
GRE - Multipoint
Procedure:
- Assign a private IP number to the Ethernet interface.
- Assign a fixed IP number to the PPP link.
- Add a default route to the internet, so that traffic to IP addresses for
which the router doesn’t have an explicit route will be sent using this
route.
- Enable the GRE module.
- Add the GRE entry, from the local Ethernet to the remote Ethernet;
the target is the IP address of the PPP interface on the remote router.
- Tell the IP module to use the GRE setup on the Ethernet port.
GRE - Multipoint - Router 1
Configure GRE:
» enable gre
» add gre tunnel remote=192.1.2.2
» add gre tunnel remote=192.1.3.2
» add gre=1 source=192.168.1.0 smask=255.255.255.0 dest=192.168.2.0 dmask=255.255.255.0 target=192.1.2.2
» add gre=1 source=192.168.1.0 smask=255.255.255.0 dest=192.168.3.0 dmask=255.255.255.0 target=192.1.3.2
» set ip int=eth0 gre=1
GRE - Multipoint - Router 2
Configure GRE:
» enable gre
» add gre tunnel remote=192.1.1.2
» add gre tunnel remote=192.1.3.2
» add gre=1 source=192.168.2.0 smask=255.255.255.0 destination=192.168.1.0 dmask=255.255.255.0 target=192.1.1.2
» add gre=1 source=192.168.2.0 smask=255.255.255.0 destination=192.168.3.0 dmask=255.255.255.0 target=192.1.3.2
» set ip int=eth0 gre=1
GRE - Multipoint - Testing
We cannot ping or telnet, but the show gre command shows that the outgoing
packets are being encapsulated.
The reason is that the reply packets originate from an IP address different
from the one we configured in the GRE entity.
For reaching the remote router using the tunnel we need to tell the IP
module to use the GRE setup for locally generated traffic – i.e.
traffic generated from the router itself:
» on router 1: set ip local gre=1 ip=192.168.1.1
» on router 2: set ip local gre=1 ip=192.168.2.1
» on router 3: set ip local gre=1 ip=192.168.3.1
Try now to ping from LAN to router
Try to ping from router to router
Try to telnet
Verify the GRE encapsulation
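As an added illustration (not from the course slides), the following Python models the GRE procedure described above using Router 1's two multipoint entities: a LAN packet that matches an entity is encapsulated towards that entity's target, while a packet sourced from the router's own PPP address (192.1.1.2) matches nothing, which is the reply problem that `set ip local gre=1 ip=192.168.1.1` fixes. Packet bytes are constructed inline and the IP header checksum is left at zero.

```python
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number of GRE in the delivery header
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload packet
IPV4_FMT = "!BBHHHBBH4s4s"  # option-less IPv4 header, checksum left at 0

def make_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet around payload (constructed test traffic)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of an option-less IPv4 packet."""
    _, _, total, _, _, _, proto, _, s, d = struct.unpack(IPV4_FMT, pkt[:20])
    return (str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d)),
            proto, pkt[20:total])

class GreEntity:
    """One 'add gre=1 source=.. smask=.. dest=.. dmask=.. target=..' entry."""
    def __init__(self, source, smask, dest, dmask, target):
        self.src_net = ipaddress.IPv4Network(f"{source}/{smask}")
        self.dst_net = ipaddress.IPv4Network(f"{dest}/{dmask}")
        self.target = target

    def matches(self, pkt):
        src, dst, _, _ = parse_ipv4(pkt)
        return (ipaddress.IPv4Address(src) in self.src_net
                and ipaddress.IPv4Address(dst) in self.dst_net)

def gre_forward(entities, pkt, local_addr):
    """Source site (steps 1-3): on the first matching entity, wrap the packet in
    GRE and a delivery header from local_addr to the target; else pass it as is."""
    for ent in entities:
        if ent.matches(pkt):
            gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no flags, key or seq
            return make_ipv4(local_addr, ent.target, GRE_PROTO, gre_hdr + pkt), ent.target
    return pkt, None

def gre_receive(pkt):
    """Destination site (steps 4-5): strip the delivery and GRE headers and
    hand the payload packet to normal IP processing; non-GRE passes through."""
    _, _, proto, inner = parse_ipv4(pkt)
    if proto != GRE_PROTO:
        return pkt
    flags_ver, ptype = struct.unpack("!HH", inner[:4])
    if flags_ver != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return inner[4:]
```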
Router 1 Full Configuration
GRE + Firewall
Diagram: Router A (Eth0=192.168.1.1, PPP0=192.1.1.2; PC 192.168.1.2, mask 255.255.255.0) and Router B (Eth0=192.168.2.1, mask 255.255.255.0, PPP0=192.1.2.2), two CentreCOM AR300 access routers connected through the Internet.
GRE + Firewall - Router A
» enable firewall
» create firewall policy="a"
» add firewall policy="a" int=eth0 type=private
» add firewall policy="a" int=ppp0 type=public
» add firewall poli="a" nat=enhanced int=eth0 gblin=ppp0 gblip=192.1.1.2
» add firewall poli="a" ru=1 ac=allo int=ppp0 prot=gre ip=192.1.1.2 gblip=192.1.1.2
» set firewall poli=a ru=1 rem=192.1.2.2
GRE + Firewall - Router B
» enable firewall
» create firewall policy="a"
» add firewall policy="a" int=eth0 type=private
» add firewall policy="a" int=ppp0 type=public
» add firewall poli="a" nat=enhanced int=eth0 gblin=ppp0 gblip=192.1.2.2
» add firewall poli="a" ru=1 ac=allo int=ppp0 prot=gre ip=192.1.2.2 gblip=192.1.2.2
L2TP
L2TP Introduction
L2TP Overview
L2TP provides a mechanism for tunnelling the link layer of PPP over
the Internet.
L2TP creates a tunnel across the Internet between an L2TP Access
Concentrator (LAC) and an L2TP Network Server (LNS), enabling
Point-to-Point Protocol (PPP) link layer frames to be encapsulated
and carried across the Internet.
The router can be configured to act as an LAC, as an LNS, or as both.
Tunnels other protocols such as IPX and AppleTalk across the Internet.
Diagram: a Novell NetWare LAN reaches an L2TP server across the Internet, carrying IPX in PPP in IP.
L2TP Example: Dialup Tunnel
Diagram: a remote user PC dials in over the Internet, through two CentreCOM AR300 access routers, to the host / authentication server.
Tunnelling Dialup Connections
The TYPE parameter specifies the type of call used by the remote
end to send reply packets; this is usually an L2TP call (virtual), but it
can also be an ACC (asyn) or an ISDN (isdn) call.
The REMOTE parameter specifies the name of the respective L2TP,
ACC or ISDN call, and it must identify a call defined on the remote
router.
When a router makes an L2TP call to a remote peer, the L2TP call
connects the router to the remote L2TP server and passes the value
of the REMOTE parameter in the call setup message to the remote
L2TP server. The remote L2TP server then makes a call to the
calling L2TP peer using the specified L2TP, ACC or ISDN call.
When the remote peer answers, a dial-up connection is established
via the L2TP tunnel between the local L2TP server and the remote
peer.
L2TP Config: Troubleshooting
Diagram: L2TP tunnel between Router A (Eth0=192.168.1.1, PPP0=192.1.1.2) and Router B (Eth0=192.168.2.1, PPP0=192.1.2.2).
Follow These Steps
Router A
Router B
» set system name="RouterB"
» add user=rem pass=friend priv=user
» create ppp=0 over=syn0
» enable ip
» add ip int=ppp0 ip=192.1.2.2
» add ip int=eth0 ip=192.168.2.1
» add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
» enable l2tp
» enable l2tp server=both
» set l2tp password=verysecret
» add l2tp call=dialin rem=rem ip=192.1.1.2 ty=virtual prec=in
» create ppp=1 idle=120 over=tnl-dialin
» set ppp=1 over=tnl-dialin authentication=chap
» add ip int=ppp1 ip=0.0.0.0
» add ip rou=192.168.1.0 mask=255.255.255.0 int=ppp1 next=0.0.0.0
L2TP + Firewall
Diagram: Router A (Eth0=192.168.1.1, PPP0=192.1.1.2) and Router B (Eth0=192.168.2.1, PPP0=192.1.2.2), each running the firewall, connected through the Internet; the L2TP tunnel interface on each is PPP1.
Router A - L2TP + Firewall
» enable firewall
» create firewall policy="a"
» add firewall policy="a" int=ppp1 type=private
» add firewall policy="a" int=eth0 type=private
» add firewall policy="a" int=ppp0 type=public
» add firewall poli="a" nat=enhanced int=eth0 gblin=ppp0 gblip=192.1.1.2
» add firewall poli="a" ru=1 ac=allo int=ppp0 prot=udp po=1701 ip=192.1.1.2 gblip=192.1.1.2 gblp=1701
Router B - L2TP + Firewall
» enable firewall
» create firewall policy="a"
» add firewall policy="a" int=eth0 type=private
» add firewall policy="a" int=ppp1 type=private
» add firewall policy="a" int=ppp0 type=public
» add firewall poli="a" nat=enhanced int=eth0 gblin=ppp0 gblip=192.1.2.2
» add firewall poli="a" ru=1 ac=allo int=ppp0 prot=udp po=1701 ip=192.1.2.2 gblip=192.1.2.2 gblp=1701
IPSEC
An encrypted VPN
IPSEC Overview
AH and ESP
Security Associations
Transport Mode and Tunnel Mode
AH and ESP support two modes, transport mode and tunnel mode:
» Transport mode provides protection for upper (transport) layer protocols:
ESP provides security services only for the higher layer protocols, not for the IP header.
AH also protects those parts of the IP header which do not change in transit.
Diagram: IP header and data in tunnel mode and in transport mode, with the encrypted/authenticated part highlighted.
IPsec Policies
Key Management
The Concept of the Session Key
1) Manual Key
The same key is used at both ends of the VPN to encrypt and
decrypt data. This is known as a “pre-shared” key.
Key changes must be done manually, which is a major task on large
networks, requiring:
» outage time
» co-ordination
» secure key delivery between VPN engineers performing the
change
Key Management - ISAKMP
Advantages
» Keys are automatically re-negotiated at regular intervals
» No manual key changes required
» More secure, as key changes frequently
» Allows dynamic options to be negotiated between different pieces
of equipment
Disadvantages
» Harder to fault-find
» Key exchange takes time for dial-up users
ISAKMP
ISAKMP Phases
Negotiation Phases:
» Phase 1 is the establishment of the ISAKMP SA to provide a
secure authenticated channel for ISAKMP traffic between two
ISAKMP peers.
» Phase 2 is the negotiation of SAs and keys on behalf of
services such as IPsec.
This makes it possible to negotiate more than one Phase 2 SA over
the same ISAKMP SA without having to re-establish
communications with the ISAKMP peers.
ISAKMP SA
IPsec Configuration
Bundle Specifications
Bundle Specifications
Bundle specifications:
» can specify that the bundle will consist of one, two or three SA
pairs.
» each SA pair must use a different IPsec protocol (ESP, AH, ...)
» the SA specification identification numbers in the bundle string,
which are used to create the SA pairs, are separated by “AND”s
Policies
IPsec policies:
» An IPsec policy binds a packet selection rule to an action.
» When multiple policies are attached to one IP logical interface,
the policies are ordered and packets traversing the interface
are matched against the policies’ selection rules in order.
ISAKMP policies:
» An ISAKMP policy specifies how to communicate with, and
how to authenticate, an ISAKMP peer.
» An ISAKMP policy specifies an encryption algorithm and a
hash algorithm.
» An ISAKMP policy must also specify the address of the remote
ISAKMP peer.
IPsec Requirements
Configuring IPSEC
IPsec First Operations
These operations must be done on every router that will use the
encryption keys, so that the keys can be generated and are not lost
in case of a power failure.
Key Generation
Create a random key in the HEAD OFFICE ROUTER; this key will be
the shared key:
» create enco key=1 type=general random
» sh enco key=1
IPsec Configuration
Follow These Steps
IPsec Lab: 2) Create Keys
» enable isakmp
IPsec Lab: 4) IPsec Bundles
The bundle definition below must have a matching definition on the peer, with all the bundle options.
» create ipsec bundle=1 keym=isakmp string="1 and 2"
The keywords 'and' and 'or' can be used, as well as combinations
separated by commas. This is useful when negotiating with different
devices which support different AH and ESP combinations.
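An added example, not part of the slides: a parser that splits a bundle string into alternative bundles and checks the rules given under Bundle Specifications (one to three SA pairs per bundle, each pair using a different IPsec protocol). The reading of 'or' and commas as separators between alternative bundles, and the SA_SPECS table, are assumptions made here; the router's actual grammar may differ.

```python
import re

# Constructed table of SA specification ids and their protocols, mirroring the
# lab's 'create ipsec sas=1 ... prot=esp' and 'create ipsec sas=2 ... prot=ah'.
SA_SPECS = {1: "esp", 2: "ah"}

def parse_bundle_string(text):
    """Split a bundle string into a list of alternatives, each a list of SA ids.
    Assumed grammar: 'and' joins SA specs into one bundle; 'or' and commas
    separate alternative bundles offered to the peer (e.g. "1 and 2, 1")."""
    alternatives = []
    for alt in re.split(r"\s*,\s*|\s+or\s+", text.strip().lower()):
        if not alt:
            raise ValueError("empty alternative in bundle string")
        try:
            ids = [int(tok) for tok in re.split(r"\s+and\s+", alt)]
        except ValueError:
            raise ValueError(f"malformed bundle alternative: {alt!r}") from None
        alternatives.append(ids)
    return alternatives

def bundle_errors(text, specs=SA_SPECS):
    """Return the rule violations found in a bundle string (empty list = valid):
    one to three SA pairs per bundle, every id defined, distinct protocols."""
    errors = []
    for ids in parse_bundle_string(text):
        if not 1 <= len(ids) <= 3:
            errors.append(f"bundle {ids} must contain 1 to 3 SA pairs")
        protos = [specs.get(i) for i in ids]
        for sa_id, proto in zip(ids, protos):
            if proto is None:
                errors.append(f"SA specification {sa_id} is not defined")
        known = [p for p in protos if p is not None]
        if len(set(known)) != len(known):
            errors.append(f"bundle {ids} uses the same protocol more than once")
    return errors
```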
Create 3 IPsec policies. These act as filters for all traffic, so the position of
each IPsec policy is important:
IPsec Lab: 6) Testing
LAB TEST
VPN with Fixed Internet Address
Diagram: Router A (Eth0=192.168.1.1, PPP0=192.1.1.2) and Router B (Eth0=192.168.2.1, PPP0=192.1.2.2) connected through the Internet.
Prerequisites
Router A: LAN to LAN with Encryption
Create the policy for allowing the isakmp key management to bypass
IPsec:
» create ipsec pol=isakmp int=ppp0 ac=permit
» set ipsec pol=isakmp lp=500 rp=500
Router A: LAN to LAN with Encryption
» enable ipsec
» create ipsec pol=vpn int=ppp0 action=ipsec key=isakmp bund=1 peer=192.1.2.2
LAD is the local IP address from which data is sent; traffic from it will be
encrypted with IPsec.
IPsec Troubleshooting
The resources that the ENCO module can provide can be displayed
using the command:
» show enco
IPsec Troubleshooting
To verify the IPsec SA and bundle you can also use the command:
» sh ipsec sa
If an IPsec SA and bundle have not been created, check ISAKMP:
» show log (look for the Phase 1 and Phase 2 exchanges and their success)
IPsec Debugging
Debugging commands:
» enable isakmp debugging=<state/trace>
FILTER debugging can explain why packets are not being matched to
a particular policy.
TRACE debugging can show where a packet has failed in the IPsec
process.
Verification of the IPsec Tunnel
Complete configuration:
Router A- LAN to LAN with Encryption
» enable ipsec
» create ipsec sas=1 key=isakmp prot=esp enc=des hasha=null
» create ipsec sas=2 key=isakmp prot=ah hasha=sha
» create ipsec bund=1 key=isakmp string="1 and 2"
» create ipsec pol=isakmp int=ppp0 ac=permit lp=500 rp=500
» create ipsec pol=vpn int=ppp0 ac=ipsec key=isakmp bund=1 peer=192.1.2.2
» set ipsec pol=vpn lad=192.168.1.0 lmask=255.255.255.0 rad=192.168.2.0 rmask=255.255.255.0
» enable isakmp
» create isakmp pol=isakmp pe=192.1.2.2 key=1
Complete configuration:
Router B- LAN to LAN with Encryption
» enable ipsec
» create ipsec sas=1 key=isakmp prot=esp enc=des hasha=null
» create ipsec sas=2 key=isakmp prot=ah hasha=sha
» create ipsec bund=1 key=isakmp string="1 and 2"
» create ipsec pol=isakmp int=ppp0 ac=permit lp=500 rp=500
» create ipsec pol=vpn int=ppp0 ac=ipsec key=isakmp bund=1 peer=192.1.1.2
» set ipsec pol=vpn lad=192.168.2.0 lmask=255.255.255.0 rad=192.168.1.0 rmask=255.255.255.0
» enable isakmp
» create isakmp pol=isakmp pe=192.1.1.2 key=1
Diagram: Router A (Eth0=192.168.1.1, PPP0=192.1.1.2; PC 192.168.1.2) and Router B (Eth0=192.168.2.1, PPP0=192.1.2.2; PC 192.168.2.2) connected through the Internet.
RouterA
Unencrypted Internet Access
If this policy is placed before the policy with action=ipsec, all traffic is
allowed but none of it is encrypted.
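An added example (not from the slides) of the ordered, first-match policy evaluation described under Policies, and of the pitfall stated above: Router A's isakmp and vpn policies plus a permit-all policy, here given the assumed name internet, evaluated in both orders, with an audit check that flags policies shadowed by an earlier catch-all. The packet dictionaries are constructed, and treating "no policy matched" as a drop is an assumption.

```python
import ipaddress

class IpsecPolicy:
    """One 'create ipsec pol=NAME int=ppp0 ac=ACTION ...' entry together with
    its selection rule; a selector left as None matches any value."""
    def __init__(self, name, action, lad=None, rad=None, lp=None, rp=None):
        self.name, self.action = name, action
        self.lad = ipaddress.IPv4Network(lad) if lad else None  # lad/lmask
        self.rad = ipaddress.IPv4Network(rad) if rad else None  # rad/rmask
        self.lp, self.rp = lp, rp                               # local/remote port

    def is_catch_all(self):
        return self.lad is None and self.rad is None and self.lp is None and self.rp is None

    def matches(self, pkt):
        return ((self.lad is None or ipaddress.IPv4Address(pkt["src"]) in self.lad)
                and (self.rad is None or ipaddress.IPv4Address(pkt["dst"]) in self.rad)
                and (self.lp is None or pkt.get("sport") == self.lp)
                and (self.rp is None or pkt.get("dport") == self.rp))

def apply_policies(policies, pkt):
    """First-match evaluation in configured order, as the slides describe.
    Returns (policy_name, action); no match is reported as (None, 'deny'),
    an assumed default since the policies act as filters for all traffic."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.name, pol.action
    return None, "deny"

def shadowed_policies(policies):
    """Audit check: names of policies that can never match because an earlier
    policy in the list matches everything (the 'permit all before ipsec' mistake)."""
    shadowed, seen_catch_all = [], False
    for pol in policies:
        if seen_catch_all:
            shadowed.append(pol.name)
        elif pol.is_catch_all():
            seen_catch_all = True
    return shadowed

# Router A's policies from the lab; 'internet' is an assumed name for the
# unencrypted-access permit policy, whose exact definition the slides omit.
ISAKMP = IpsecPolicy("isakmp", "permit", lp=500, rp=500)
VPN = IpsecPolicy("vpn", "ipsec", lad="192.168.1.0/24", rad="192.168.2.0/24")
INTERNET = IpsecPolicy("internet", "permit")
GOOD_ORDER = [ISAKMP, VPN, INTERNET]   # LAN-to-LAN traffic is encrypted
BAD_ORDER = [ISAKMP, INTERNET, VPN]    # same traffic leaves in the clear
```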
Router A – Complete Configuration
» enable firewall
» create firewall policy="a"
» enable firewall policy="a" icmp_f=all
» add firewall policy="a" int=eth0 type=private
» add firewall policy="a" int=ppp0 type=public
» add firewall poli="a" nat=enhanced int=eth0 gblin=ppp0
» add firewall poli="a" ru=1 ac=allo int=ppp0 prot=udp po=500 ip=192.1.1.2
gblip=192.1.1.2 gblp=500
» add firewall poli="a" ru=2 ac=allo int=ppp0 prot=50
» add firewall poli="a" ru=3 ac=allo int=ppp0 prot=51
» add firewall poli="a" ru=4 ac=nonat int=ppp0 prot=ALL ip=192.168.1.1-192.168.1.254 encap=ipsec
» set firewall poli="a" ru=4 rem=192.168.2.1-192.168.2.254
Router B – Complete Configuration
» enable firewall
» create firewall policy="a"
» enable firewall policy="a" icmp_f=all
» add firewall policy="a" int=eth0 type=private
» add firewall policy="a" int=ppp0 type=public
» add firewall poli="a" nat=enhanced int=eth0 gblin=ppp0
» add firewall poli="a" ru=1 ac=allo int=ppp0 prot=udp po=500 ip=192.1.1.2 gblip=192.1.1.2 gblp=500
» add firewall poli="a" ru=2 ac=allo int=ppp0 prot=50
» add firewall poli="a" ru=3 ac=allo int=ppp0 prot=51
» add firewall poli="a" ru=4 ac=nonat int=ppp0 prot=ALL ip=192.168.2.1-192.168.2.254 encap=ipsec
» set firewall poli="a" ru=4 rem=192.168.1.1-192.168.1.254
Security
The End