Security Module

GRE
Generic Routing Encapsulation
GRE Overview

GRE is a mechanism for encapsulating any network layer protocol over any other network layer protocol.

[Figure: encapsulation mechanism - a network layer packet (1) is carried inside a GRE packet (2), which is forwarded by the delivery protocol, another network layer protocol (3)]

GRE Overview

The general specification is described in RFC1701, and the only specific standard for GRE encapsulation is IP over IP, which is defined in RFC1702.
GRE allows hosts in one private IP network to communicate with hosts in another private IP network by effectively providing a tunnel between two routers across an internet.
Two types of configuration are possible:
» point to point
» multi-point

[Figure: encapsulation mechanism - Original IP Packet | GRE Encap Header | Delivery IP Header]
GRE Point to Point

Two private networks are connected across the Internet via a single link.
The GRE entity is configured using the parameters:
» INTERFACE or SOURCE - SMASK
» TARGET IP address
Any IP packet received from the Source interface, or from the Source IP address (and Mask), will be encapsulated using GRE and forwarded to the target IP address.
GRE Multi-Point

Multiple private networks are connected across the Internet.
Each private network has multiple links to other private networks.
GRE must be configured using the following parameters:
» SOURCE - SMASK
» DESTINATION - DMASK
» TARGET IP address
Any IP packet received from the Source IP address and Mask, and sent to the Destination IP address and Mask, will be encapsulated using GRE and forwarded to the target IP address.
GRE Procedure

Source site:
1. IP packets received via the IP interface are checked against the patterns in the GRE entity
2. If a match is found, the IP packet is encapsulated using GRE and forwarded to the specified target address
3. If not, the packet is sent out as usual

Destination site:
4. The router's GRE module extracts the payload packet
5. The packet is forwarded to the IP module for normal processing
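The source-site and destination-site steps above, together with the multipoint entity parameters (source/smask, dest/dmask, target), as an added Python example that is not code from the slides or from the AR300 firmware. It assumes the minimal 4-byte GRE header of RFC 1701 with protocol type 0x0800 (IP over IP, RFC 1702), uses the addresses of the multipoint lab, and constructs its own sample packets; the "ping from the router's own WAN address is not tunnelled" observation from the testing slides is reproduced by the second sample.

```python
"""GRE entity matching and IP-over-IP encapsulation (RFC 1701/1702)."""
import ipaddress
import struct

IPPROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header, no options


def _in_subnet(addr, network, mask):
    """True when addr is inside network/mask (mask 0.0.0.0 matches anything)."""
    a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, network, mask))
    return (a & m) == (n & m)


class GreEntity:
    """One 'add gre=N source= smask= [dest= dmask=] target=' entry; a
    point-to-point entity omits dest/dmask, so the 0.0.0.0 defaults match
    any destination."""
    def __init__(self, source, smask, target, dest="0.0.0.0", dmask="0.0.0.0"):
        self.source, self.smask, self.target = source, smask, target
        self.dest, self.dmask = dest, dmask

    def matches(self, src, dst):
        return (_in_subnet(src, self.source, self.smask)
                and _in_subnet(dst, self.dest, self.dmask))


def ipv4_checksum(hdr):
    """RFC 791 one's-complement checksum; evaluates to 0 on a valid header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Build a 20-byte IPv4 header (TTL 64) with a valid checksum."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) for an option-less IPv4 packet."""
    f = struct.unpack(IPV4_FMT, pkt[:20])
    if f[0] != 0x45:
        raise ValueError("only IPv4 without options is handled")
    if ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (str(ipaddress.IPv4Address(f[8])), str(ipaddress.IPv4Address(f[9])),
            f[6], pkt[20:f[2]])


def gre_encapsulate(inner, delivery_src, target):
    """Delivery IP header (proto 47) + 4-byte GRE header + original IP packet."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)  # no C/R/K/S flags, version 0
    outer = ipv4_header(delivery_src, target, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(pkt):
    """Destination-site step 4: strip the delivery and GRE headers."""
    _, _, proto, payload = parse_ipv4(pkt)
    if proto != IPPROTO_GRE:
        raise ValueError("not a GRE delivery packet")
    flags, ptype = struct.unpack("!HH", payload[:4])
    if flags & 0xF000 or ptype != GRE_PROTO_IPV4:  # optional fields not handled
        raise ValueError("unsupported GRE header")
    return payload[4:]


def source_site(entities, pkt, delivery_src):
    """Source-site steps 1-3: first matching entity wins, else send as usual."""
    src, dst, _, _ = parse_ipv4(pkt)
    for ent in entities:
        if ent.matches(src, dst):
            return "gre", gre_encapsulate(pkt, delivery_src, ent.target)
    return "plain", pkt


# Router 1 of the multipoint lab: two entities, WAN (ppp0) address 192.1.1.2.
ROUTER1 = [
    GreEntity("192.168.1.0", "255.255.255.0", "192.1.2.2", "192.168.2.0", "255.255.255.0"),
    GreEntity("192.168.1.0", "255.255.255.0", "192.1.3.2", "192.168.3.0", "255.255.255.0"),
]
ROUTER1_WAN = "192.1.1.2"


def lan_to_lan():
    """PC 192.168.1.2 -> 192.168.2.2 matches entity 1: tunnelled to 192.1.2.2."""
    inner = ipv4_header("192.168.1.2", "192.168.2.2", 1, 8) + b"pingdata"  # constructed
    return source_site(ROUTER1, inner, ROUTER1_WAN)


def router_to_router():
    """A ping sourced from the WAN address matches no entity: sent without GRE."""
    inner = ipv4_header("192.1.1.2", "192.1.2.2", 1, 8) + b"pingdata"  # constructed
    return source_site(ROUTER1, inner, ROUTER1_WAN)
```

With "set ip local gre=1 ip=192.168.1.1" from the later testing slide the router sources its own traffic from the LAN address, which is why that command makes the second case match.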

Configuring GRE

GRE - Point to Point

[Figure: Router A (CentreCOM AR300, Eth0=192.168.1.1, PPP0=192.1.1.1) and Router B (CentreCOM AR300, Eth0=192.168.2.1, PPP0=192.1.1.2) connected by a leased line; PC Test 192.168.1.2 on the LAN of Router A]
GRE - Point to Point

On both routers:
» configure the IP interfaces
» enable the IP module
» enable the GRE module
  - enable gre
Now we need to create a GRE entity on both routers to decide which IP packets to encapsulate.
GRE - Router A

Create the GRE entity with:
» source=private LAN IP address
» target=nexthop of the point to point link - must be a fixed assigned IP address
» add gre tunnel remote=192.1.1.2
» add gre=1 source=192.168.1.0 smask=255.255.255.0 target=192.1.1.2
Now associate the GRE entity to an IP interface:
» add ip interface=eth0 ip=192.168.1.1 gre=1
» the parameter gre=1 specifies the number of the GRE entity
» apply on the source IP interface

GRE - Router B

Create the GRE entity with:
» add gre tunnel remote=192.1.1.1
» add gre=1 source=192.168.2.0 smask=255.255.255.0 target=192.1.1.1

Now associate the GRE entity to an IP interface:
» add ip interface=eth0 ip=192.168.2.1 gre=1
GRE - Router A

» set system name="routerA"
» create ppp=0 over=syn0
» enable gre
» add gre tunnel remote=192.1.1.2
» add gre=1 source=192.168.1.0 smask=255.255.255.0 target=192.1.1.2
» enable ip
» add ip int=ppp0 ip=192.1.1.1
» add ip int=eth0 ip=192.168.1.1
» set ip int=eth0 gre=1
» add ip rou=0.0.0.0 int=ppp0 next=0.0.0.0

GRE - Router B

» set system name="routerB"
» create ppp=0 over=syn0
» enable gre
» add gre tunnel remote=192.1.1.1
» add gre=1 source=192.168.2.0 smask=255.255.255.0 target=192.1.1.1
» enable ip
» add ip int=ppp0 ip=192.1.1.2
» add ip int=eth0 ip=192.168.2.1
» set ip int=eth0 gre=1
» add ip rou=0.0.0.0 int=ppp0 next=0.0.0.0
Testing the configuration

Try to ping from Router A to the Router B WAN IP address:
» what happens? I can ping, but the tunnel is not used.
» why? This is because the source address of the packets is not the address configured as the GRE source.

Try to ping from PC Test to the Router B WAN IP address:
» what happens? I can't ping.
» why? Because the source address of the ping reply is not in the address range configured for GRE on Router B.

Try now to ping from PC Test to a PC on LAN B:
» verify that communication works

Testing the configuration

In all previous situations verify the GRE encapsulation using:
  - sh gre
  - look for requests and translations

Try to telnet from one LAN to the other and verify with sh gre that packets are encapsulated.
GRE - Multipoint

[Figure: Router 1 (Eth0=192.168.1.1, PPP0=192.1.1.2, PC 192.168.1.2), Router 2 (Eth0=192.168.2.1, PPP0=192.1.2.2, PC 192.168.2.2) and Router 3 (Eth0=192.168.3.1, PPP0=192.1.3.2), all CentreCOM AR300, connected across the Internet]

GRE - Multipoint

Purpose:
» establish a VPN between each PAIR of routers, transiting the Internet

Method:
» we emulate the Internet using an ATI router
» we need to configure each router to use GRE to connect to the private remote LAN
GRE - Multipoint

Procedure:
- Assign a private IP number to the Ethernet interface.
- Assign a fixed IP number to the PPP link.
- Add a default route to the Internet, so that traffic to IP addresses for which the router doesn't have an explicit route will be sent using this route.
- Enable the GRE module.
- Add the GRE entry, from the local Ethernet to the remote Ethernet; the target is the IP address of the PPP interface on the remote router.
- Tell the IP module to use the GRE setup on the Ethernet port.

Router for Internet Emulation

» set system name="internet"
» create ppp=0 over=syn0
» create ppp=1 over=syn1
» create ppp=2 over=syn2
» create ppp=3 over=syn3
» enable ip
» add ip int=eth0 ip=194.1.1.1 mask=255.255.255.0
» add ip int=ppp0 ip=192.1.1.1
» add ip int=ppp1 ip=192.1.2.1
» add ip int=ppp2 ip=192.1.3.1
» add ip int=ppp3 ip=192.1.4.1
This router needs no routing instructions: it only has to perform direct routing between the "public internet addresses", and it must not know the private LANs.
GRE - Multipoint - Router 1

Set up the name for the router
Configure the IP module
Add a default route to the Internet

Configure GRE:
» enable gre
» add gre tunnel remote=192.1.2.2
» add gre tunnel remote=192.1.3.2
» add gre=1 source=192.168.1.0 smask=255.255.255.0 dest=192.168.2.0 dmask=255.255.255.0 target=192.1.2.2
» add gre=1 source=192.168.1.0 smask=255.255.255.0 dest=192.168.3.0 dmask=255.255.255.0 target=192.1.3.2
» set ip int=eth0 gre=1

GRE - Multipoint - Router 2

Configure GRE:
» enable gre
» add gre tunnel remote=192.1.1.2
» add gre tunnel remote=192.1.3.2
» add gre=1 source=192.168.2.0 smask=255.255.255.0 destination=192.168.1.0 dmask=255.255.255.0 target=192.1.1.2
» add gre=1 source=192.168.2.0 smask=255.255.255.0 destination=192.168.3.0 dmask=255.255.255.0 target=192.1.3.2
» set ip int=eth0 gre=1
GRE - Multipoint - Testing

Try to ping from LAN to LAN.
Verify the encapsulation of the transmitted packets using:
» sh gre
Try to telnet or ping from a LAN to the remote router and verify what happens with the sh gre command:
» are you able to telnet?
» are you able to ping?

We are able neither to ping nor to telnet, but from the show gre command we can see that the packets are translated.
This is because the packets coming back start from an IP address different from the one we configured for GRE.

GRE - Multipoint - Testing

To reach the remote router through the tunnel we need to tell the IP module to use the GRE setup for locally generated traffic, i.e. traffic generated by the router itself:
» on router 1: set ip local gre=1 ip=192.168.1.1
» on router 2: set ip local gre=1 ip=192.168.2.1
» on router 3: set ip local gre=1 ip=192.168.3.1
Try now to ping from LAN to router
Try to ping from router to router
Try to telnet
Verify the GRE encapsulation
Router 1 Full Configuration

» set sys name="router 1"
» create ppp=0 over=syn0
» enable ip
» add ip int=eth0 ip=192.168.1.1
» add ip int=ppp0 ip=192.1.1.2
» add ip rou=0.0.0.0 int=ppp0 next=192.1.1.1
» enable gre
» add gre tunnel remote=192.1.2.2
» add gre tunnel remote=192.1.3.2
» add gre=1 source=192.168.1.0 smask=255.255.255.0 dest=192.168.2.0 dmask=255.255.255.0 target=192.1.2.2
» add gre=1 source=192.168.1.0 smask=255.255.255.0 dest=192.168.3.0 dmask=255.255.255.0 target=192.1.3.2
» set ip int=eth0 gre=1

Router 2 Full Configuration

» set system name=router2
» create ppp=0 over=syn0
» enable gre
» add gre tunnel remote=192.1.1.2
» add gre tunnel remote=192.1.3.2
» add gre=1 source=192.168.2.0 smask=255.255.255.0 destination=192.168.1.0 dmask=255.255.255.0 target=192.1.1.2
» add gre=1 source=192.168.2.0 smask=255.255.255.0 destination=192.168.3.0 dmask=255.255.255.0 target=192.1.3.2
» enable ip
» add ip int=ppp0 ip=192.1.2.2
» add ip int=eth0 ip=192.168.2.1
» set ip int=eth0 gre=1
» add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=192.1.2.1
GRE + Firewall

[Figure: Router A (Eth0=192.168.1.1 mask 255.255.255.0, WAN 192.1.1.2, PC 192.168.1.2) and Router B (Eth0=192.168.2.1 mask 255.255.255.0, WAN 192.1.2.2), both CentreCOM AR300, connected across the Internet]

GRE + Firewall - Router A

» set sys name=Router1
» create ppp=0 idle=60 over=syn0
» enable gre
» add gre tunnel remote=192.1.2.2
» add gre=1 source=192.168.1.0 smask=255.255.255.0 destination=192.168.2.0 dmask=255.255.255.0 target=192.1.2.2
» enable ip
» add ip int=ppp0 ip=192.1.1.2
» add ip int=eth0 ip=192.168.1.1
» set ip int=eth0 gre=1
» set ip loc ip=192.168.1.1 gre=1
» add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
GRE + Firewall - Router A

» enable firewall
» create firewall policy="a"
» add firewall policy="a" int=eth0 type=private
» add firewall policy="a" int=ppp0 type=public
» add firewall poli="a" nat=enhanced int=eth0 gblin=ppp0 gblip=192.1.1.2
» add firewall poli="a" ru=1 ac=allo int=ppp0 prot=gre ip=192.1.1.2 gblip=192.1.1.2
» set firewall poli=a ru=1 rem=192.1.2.2
Rule 1 is the pinhole that lets the GRE protocol in through the public interface; the rem= parameter restricts it to the remote tunnel endpoint 192.1.2.2.

GRE + Firewall - Router B

» set sys name=Router2
» create ppp=0 over=syn0
» enable gre
» add gre tunnel remote=192.1.1.2
» add gre=1 source=192.168.2.0 smask=255.255.255.0 destination=192.168.1.0 dmask=255.255.255.0 target=192.1.1.2
» enable ip
» add ip int=ppp0 ip=192.1.2.2
» add ip int=eth0 ip=192.168.2.1
» set ip int=eth0 gre=1
» set ip loc ip=192.168.2.1 gre=1
» add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
GRE + Firewall - Router B

» enable firewall
» create firewall policy="a"
» add firewall policy="a" int=eth0 type=private
» add firewall policy="a" int=ppp0 type=public
» add firewall poli="a" nat=enhanced int=eth0 gblin=ppp0 gblip=192.1.2.2
» add firewall poli="a" ru=1 ac=allo int=ppp0 prot=gre ip=192.1.2.2 gblip=192.1.2.2

L2TP

Layer 2 Tunneling Protocol

L2TP Introduction

L2TP provides a mechanism for encapsulating layer 2 packets, such as PPP, inside IP packets.
It enables the tunneling of the PPP authentication handshake across the internet.
It provides multi-vendor interoperability.

L2TP Overview

L2TP provides a mechanism for tunnelling the link layer of PPP over the Internet.
L2TP creates a tunnel across the Internet between an L2TP Access Concentrator (LAC) and an L2TP Network Server (LNS), enabling Point-to-Point Protocol (PPP) link layer frames to be encapsulated and carried across the Internet.
The router can be configured to act as an LAC, as an LNS, or as both.
L2TP Overview

In a typical scenario, L2TP supports only one-way dial-up connections. That is, a remote user dials into an ISP via the PSTN or ISDN. Once the connection has been made, data can be transferred in both directions.

If two-way dial-up connections are required, an L2TP call must be defined to enable the L2TP server to call back the remote user.

L2TP Example: Inter-Router Tunnel

Tunnels other protocols such as IPX and AppleTalk across the internet.

[Figure: a Novell LAN (e.g. NetWare) behind one CentreCOM AR300 reaches another across the Internet through an L2TP server, carrying IPX in PPP in IP]
L2TP Example: Dialup Tunnel

The PPP link is tunneled to the Head Office:
» Maintains centralized authentication
» Saves a costly link directly to the head office

[Figure: a remote user (PC) dials into the Branch Office router; the PPP packets are tunneled across the Internet directly to the Central Office, where the host / authentication server is located]

L2TP Config: Main Commands

Create the L2TP connection:
» enable l2tp
# Use inter-router tunnel mode
» enable l2tp server=both

# Create the tunnel specifying the name and remote IP address
# Note: "prec" should be "in" at one end and "out" at the other
» add l2tp call=test rem=test1 ip=<remote WAN IP> type=virtual prec=out

# Set up the password for authentication
» set l2tp password=secret
Tunnelling Dialup Connections

The TYPE parameter specifies the type of call used by the remote end to send reply packets; this is usually an L2TP call (virtual), but it can also be an ACC (asyn) or an ISDN (isdn) call.
The REMOTE parameter specifies the name of the respective L2TP, ACC or ISDN call, and it must identify a call defined on the remote router.
When a router makes an L2TP call to a remote peer, the L2TP call connects the router to the remote L2TP server and passes the value of the REMOTE parameter in the call setup message to the remote L2TP server. The remote L2TP server then makes a call to the calling L2TP peer using the specified L2TP, ACC or ISDN call.
When the remote peer answers, a dial-up connection is established via the L2TP tunnel between the local L2TP server and the remote peer.

L2TP Config: PPP and IP

Create the PPP and IP configuration for the tunnel:

# Create PPP for the tunnel
» create ppp=10 over=tnl-test idle=3600

# Add the remote network to the routing table via the tunnel
» add ip int=ppp10 ip=192.168.10.1 mask=255.255.255.0
» add ip route=<remote LAN network> int=ppp10 next=0.0.0.0
L2TP Config: Troubleshooting

Use the following steps for fault-finding:
» sh l2tp
» sh l2tp count
  - Has a tunnel formed?
» sho ppp
  - Has PPP 10 opened?
» sho ppp=10 conf
  - Is the remote WAN IP address correct? Can you ping it?
» Is your route correct? Try with IP local off and ping the remote tunnel WAN and remote LAN IP addresses.

Inter-Router L2TP Configuration

[Figure: Router A (Eth0=192.168.1.1, PPP0=192.1.1.2) and Router B (Eth0=192.168.2.1, PPP0=192.1.2.2), both CentreCOM AR300, connected across the Internet by an L2TP tunnel]
Follow These Steps

1. Create ppp0 over the synchronous interface
2. Configure the IP module for eth0 and ppp0
3. Configure the default route
4. Enable L2TP and the L2TP server
5. Create a virtual call to the remote router
6. Create another PPP over the L2TP call
7. Configure the new PPP interface
8. Add the routing instruction to reach the remote LAN through the new PPP interface
9. Configure the password for tunnel creation

Router A

» set system name="RouterA"
» create ppp=0 over=syn0
» enable ip
» add ip int=ppp0 ip=192.1.1.2
» add ip int=eth0 ip=192.168.1.1 mask=255.255.255.0
» add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
» enable l2tp
» enable l2tp server=both
» add l2tp call=rem rem=dialin ip=192.1.2.2 ty=virtual prec=out
» set l2tp call=rem pass=verysecret
» create ppp=1 idle=60 over=tnl-rem
» set ppp=1 username=rem password=friend
» add ip int=ppp1 ip=0.0.0.0
» add ip rou=192.168.2.0 mask=255.255.255.0 int=ppp1 next=0.0.0.0
Router B

» set system name="RouterB"
» add user=rem pass=friend priv=user
» create ppp=0 over=syn0
» enable ip
» add ip int=ppp0 ip=192.1.2.2
» add ip int=eth0 ip=192.168.2.1
» add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
» enable l2tp
» enable l2tp server=both
» set l2tp password=verysecret
» add l2tp call=dialin rem=rem ip=192.1.1.2 ty=virtual prec=in
» create ppp=1 idle=120 over=tnl-dialin
» set ppp=1 over=tnl-dialin authentication=chap
» add ip int=ppp1 ip=0.0.0.0
» add ip rou=192.168.1.0 mask=255.255.255.0 int=ppp1 next=0.0.0.0

L2TP + Firewall

[Figure: Router A (Eth0=192.168.1.1, PPP0=192.1.1.2) and Router B (Eth0=192.168.2.1, PPP0=192.1.2.2), each running the firewall, connected across the Internet; PPP1 runs over the L2TP tunnel]
Router A - L2TP + Firewall

» create ppp=0 over=syn0
» enable l2tp
» enable l2tp server=both
» add l2tp call="rem" rem="dialin" ip=192.1.2.2 ty=virtual prec=out
» set l2tp call="rem" pass=verysecret
» create ppp=1 idle=60 over=tnl-rem
» set ppp=1 username="rem" password="friend"
» enable ip
» add ip int=ppp0 ip=192.1.1.2
» add ip int=ppp1 ip=0.0.0.0
» add ip int=eth0 ip=192.168.1.1
» add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
» add ip rou=192.168.2.0 mask=255.255.255.0 int=ppp1 next=0.0.0.0

Router A - L2TP + Firewall

» enable firewall
» create firewall policy="a"
» add firewall policy="a" int=ppp1 type=private
» add firewall policy="a" int=eth0 type=private
» add firewall policy="a" int=ppp0 type=public
» add firewall poli="a" nat=enhanced int=eth0 gblin=ppp0 gblip=192.1.1.2
» add firewall poli="a" ru=1 ac=allo int=ppp0 prot=udp po=1701 ip=192.1.1.2 gblip=192.1.1.2 gblp=1701

Pinhole: rule 1 allows the L2TP protocol (UDP port 1701) to access the router through the public interface.
Router B - L2TP + Firewall

» add user=rem pass=friend priv=user
» create ppp=0 over=syn0
» enable l2tp
» enable l2tp server=both
» set l2tp password="verysecret"
» add l2tp call="dialin" rem="rem" ip=192.1.1.2 ty=virtual prec=in
» create ppp=1 idle=60 over=tnl-dialin authentication=chap
» enable ip
» add ip int=ppp0 ip=192.1.2.2
» add ip int=ppp1 ip=0.0.0.0
» add ip int=eth0 ip=192.168.2.1
» add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
» add ip rou=192.168.1.0 mask=255.255.255.0 int=ppp1 next=0.0.0.0

Router B - L2TP + Firewall

» enable firewall
» create firewall policy="a"
» add firewall policy="a" int=eth0 type=private
» add firewall policy="a" int=ppp1 type=private
» add firewall policy="a" int=ppp0 type=public
» add firewall poli="a" nat=enhanced int=eth0 gblin=ppp0 gblip=192.1.2.2
» add firewall poli="a" ru=1 ac=allo int=ppp0 prot=udp po=1701 ip=192.1.2.2 gblip=192.1.2.2 gblp=1701
IPSEC

An encrypted VPN

IPSEC Overview

IPsec is a set of security protocols which provides encryption and authentication to IP packets.
Protection is provided through the use of two security protocols, the IP Authentication Header (AH) and the IP Encapsulating Security Payload (ESP).
IPsec is used to protect one or more paths between a pair of hosts, a pair of security gateways, or a security gateway and a host.
Two devices using IPsec to protect a path between them are called IPsec peers.
AH and ESP

The AH protocol provides authentication of IP packets. AH provides protection to an IP packet and to any further headers added by AH.
ESP provides one or both of encryption and authentication. ESP provides protection to an IP packet, but not to any further headers added by ESP.
AH and ESP may be applied either alone or together to provide the desired set of security services for selected IP packets.

Security Associations

A Security Association (SA) is a simplex connection that provides security services between IPsec peers for selected IP packets.

If both AH and ESP protection is required for a traffic stream, a bundle of two or more SAs is created and applied to the traffic stream.

An SA is uniquely identified by the combination of a random number called the Security Parameter Index (SPI), an IP destination address, and a security protocol (either AH or ESP).
Transport Mode and Tunnel Mode

AH and ESP support two modes - transport mode and tunnel mode:
» Transport mode provides protection for upper (transport) layer protocols:
  - ESP provides security services only for the higher layer protocols, not for the IP header
  - AH gives protection to those parts of the IP header which do not change in transit.
» Tunnel mode provides protection to the whole IP packet by applying AH or ESP to tunnelled packets:
  - if AH is employed in tunnel mode, the tunnelled packet and portions of the outer IP header are protected.
  - if ESP is employed, only the tunnelled packet is protected.

Transport Mode and Tunnel Mode

Tunnel mode:
  original:   IP HDR | Data
  protected:  New IP HDR | IPsec HDR | IP HDR | Data   (IPsec HDR .. Data: encrypted/authenticated)

Transport mode:
  original:   IP HDR | Data
  protected:  IP HDR | IPsec HDR | Data   (IPsec HDR .. Data: encrypted/authenticated)
IPsec Policies

The protection is based on requirements defined by IPsec policies stored in a Security Policy Database (SPD) established and maintained by a Security Officer.
IPsec actions:
» IPSEC: apply the specified IPsec security services to the packet
» DENY: discard the packet
» PERMIT: allow the packet to bypass IPsec

Key Management

IPsec security services use cryptographic keys for authentication and encryption.
IPsec relies on a separate set of mechanisms for putting these keys into place:
» manual distribution of keys
» automatic distribution of keys
ISAKMP/IKE is the default automatic key management mechanism.
The Concept of the Session Key

If the key is changed frequently it is nearly impossible for an attacker to mount an attack on the encrypted data.
Session keys need to be changed on a regular basis.
Manually keyed IPsec soon becomes very unmanageable.

Session keys need to be changed automatically, and securely.

Key Management - Manual

1) Manual Key
The same key is used at both ends of the VPN to encrypt and decrypt data. This is known as "pre-shared" keys.
Key changes must be done manually, which is a major task on large networks, requiring:
» outage time
» co-ordination
» secure key delivery between VPN engineers performing the change
Key Management - ISAKMP

2) IKE (Internet Key Exchange)
IKE (Internet Key Exchange) is a mechanism for negotiating IPsec protection and keys. The basic framework used by IKE is provided by ISAKMP (Internet Security Association and Key Management Protocol).
A network key is required on both VPN devices; however, this key is never transported across the network or used for encrypting data.
Public key cryptography is used for signing Diffie-Hellman exchanges to confirm the identities of the two parties and avoid man-in-the-middle attacks.

Key Management - ISAKMP

Advantages
» Keys are automatically re-negotiated at regular intervals
» No manual key changes required
» More secure, as the key changes frequently
» Allows dynamic options to be negotiated between different pieces of equipment
Disadvantages
» More sophisticated to fault-find
» Key exchange takes time for dialup users
ISAKMP

The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for negotiating SAs and their attributes, including secret keys.
The security of encrypted data relies on the security of the encryption key used. If the key has been created and stored securely then the attacker will have no option but a brute force attack.
The term key management refers to the creation, distribution, storage and deletion of keys.
If anything out of the ordinary happens during an ISAKMP exchange, the ISAKMP state machine returns to the idle state without creating any unauthenticated SAs.

ISAKMP Phases

Negotiation Phases:
» Phase 1 is the establishment of the ISAKMP SA to provide a secure authenticated channel for ISAKMP traffic between two ISAKMP peers.
» Phase 2 is the negotiation of SAs and keys on behalf of services such as IPsec.
This makes it possible to negotiate more than one Phase 2 SA over the same ISAKMP SA without having to re-establish communications with the ISAKMP peers.
ISAKMP SA

The ISAKMP SA is created to protect ISAKMP traffic between two ISAKMP peers.
It ensures that any SAs and keys negotiated for other security services (e.g. IPsec) are kept secret and are authenticated.
The ISAKMP SA is identified by the cookies in the ISAKMP message header and it is stored locally in an ISAKMP SA database.

IPsec Configuration

SA Specifications are a template for SAs. They specify the attributes that an SA will have when it is created.
Bundle Specifications are a template for SA bundles. They specify the number and order of SAs that an SA bundle will have when it is created.
Policies link together a rule for selecting a set of IP packets and an action. The action will be to permit, deny or apply IPsec processing.
Bundle Specifications

When an SA bundle is created, a bundle specification is used to determine the attributes of the SA bundle.
Attributes of a bundle specification:
» key management mechanism
» the lifetime expiry limits of the SA pairs
» the SA pairs to be created for the bundle

The SA pairs are represented by SA specification identification numbers in a bundle string, which can also contain the logical operators "AND", "OR" and ",".

Bundle Specifications

Bundle specifications:
» can specify that the bundle will consist of one, two or three SA pairs.
» each SA pair must use a different IPsec protocol (ESP, AH, ..)
» the SA specification identification numbers in the bundle string which will be used to create the SA pairs are separated by "AND"s
Bundle Specifications

For example, assume the following three SA specifications have been created:
» SA specification 1: ESP providing triple DES encryption.
» SA specification 2: ESP providing DES encryption.
» SA specification 3: AH providing MD5 authentication.

Valid bundle strings would be:
» "1 AND 3, 2 AND 3"
» "1 OR 2, 3"
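A parser and validator for bundle strings of this form, as an added Python example, not code from the slides or from the router software. The operator semantics are this example's assumption: "," separates alternative proposals, "AND" joins the SA pairs of one bundle, and "OR" offers alternative specifications for one position and is expanded into separate proposals. The SA specification table is the three specifications listed above; the rules enforced (one to three SA pairs, each pair a different IPsec protocol) are the ones stated on the previous slide.

```python
"""Parse and validate IPsec bundle strings such as "1 AND 3, 2 AND 3"."""
import re
from itertools import product

# The three SA specifications of the example: id -> (protocol, description)
SA_SPECS = {
    1: ("esp", "ESP, triple DES encryption"),
    2: ("esp", "ESP, DES encryption"),
    3: ("ah", "AH, MD5 authentication"),
}
MAX_SA_PAIRS = 3


def parse_bundle_string(text):
    """Expand a bundle string into a list of proposals (lists of SA spec ids).

    ',' separates alternative proposals, 'AND' joins the SA pairs of one
    bundle, and 'OR' offers alternative specifications for one position;
    'OR' is expanded into separate proposals (this example's assumption).
    Operators are matched case-insensitively, as in the lab's "1 and 2".
    """
    proposals = []
    for alt in text.split(","):
        if not alt.strip():
            raise ValueError("empty alternative in bundle string %r" % text)
        groups = []
        for term in re.split(r"\s+and\s+", alt.strip(), flags=re.IGNORECASE):
            choices = re.split(r"\s+or\s+", term.strip(), flags=re.IGNORECASE)
            if not all(c.isdigit() for c in choices):
                raise ValueError("bad SA specification id in %r" % term)
            groups.append([int(c) for c in choices])
        proposals.extend(list(combo) for combo in product(*groups))
    return proposals


def validate_proposal(proposal, specs=SA_SPECS):
    """Apply the slide's rules; return the protocol of each SA pair in order."""
    if not 1 <= len(proposal) <= MAX_SA_PAIRS:
        raise ValueError("a bundle has one, two or three SA pairs: %r" % proposal)
    protos = []
    for sid in proposal:
        if sid not in specs:
            raise ValueError("unknown SA specification %d" % sid)
        protos.append(specs[sid][0])
    if len(set(protos)) != len(protos):
        raise ValueError("each SA pair must use a different IPsec protocol: %r"
                         % proposal)
    return protos


def compile_bundle(text, specs=SA_SPECS):
    """Parse and validate every proposal; returns [(ids, protocols), ...]."""
    return [(p, validate_proposal(p, specs)) for p in parse_bundle_string(text)]


def first_acceptable(text, peer_supports, specs=SA_SPECS):
    """Pick the first proposal whose SA descriptions the peer all supports.

    Models why alternatives in the string help when peers support different
    AH/ESP combinations; peer_supports is a set of description strings.
    """
    for ids, _ in compile_bundle(text, specs):
        if all(specs[i][1] in peer_supports for i in ids):
            return ids
    return None


if __name__ == "__main__":
    for s in ("1 AND 3, 2 AND 3", "1 OR 2, 3"):
        print(s, "->", compile_bundle(s))
    # A peer without triple DES falls back to the second proposal: [2, 3]
    print(first_acceptable("1 AND 3, 2 AND 3",
                           {"ESP, DES encryption", "AH, MD5 authentication"}))
```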


Policies

IPsec policies:
» An IPsec policy binds a packet selection rule to an action.
» When multiple policies are attached to one IP logical interface, the policies are ordered and packets traversing the interface are matched against the policies' selection rules in order.

ISAKMP policies:
» An ISAKMP policy specifies how to communicate with, and how to authenticate, an ISAKMP peer.
» An ISAKMP policy specifies an encryption algorithm and a hash algorithm.
» An ISAKMP policy must also specify the address of the remote ISAKMP peer.
IPsec Requirements

IPsec peers have fixed IP addresses.
» The IPsec and ISAKMP policies they use to communicate can be configured with these addresses.
» It is, however, possible for a router which has a dynamically assigned IP address to protect IP traffic using IPsec.
» The dynamic peer must communicate with a router with a fixed IP address.

Requirements on the router:
» Software release 1.81 (better 1.93)
» Encryption Mini Accelerator Card (EMAC)
» A feature licence for using 3DES encryption

Configuring IPSEC

IPsec First Operations

1. Create a new user with security officer privileges:
» add user=secoff pass=secret priv=securityofficer login=yes
» set user securedelay=600
2. Login as the security officer (enter the username and password you configured before):
» login secoff
» secret
3. Enable the security mode for the system:
» enable system security

These operations must be done on all routers that will use the encryption keys, in order to be able to generate the keys and not to lose them in case of power failure.

Key Generation

Create a random key in the HEAD OFFICE ROUTER; this key will be the shared key:
» create enco key=1 type=general random
» sh enco key=1

Create the same key in the REMOTE ROUTER:
» create enco key=1 type=general value=<the same value as on the head office router>

IPsec Configuration
Follow These Steps


IPsec Lab: 1) Setup

Configure a LAN-to-LAN link.

Can you:
» a) Ping the other end of your PPP link?
» This is the first requirement: you have to be able to reach the remote WAN IP address.
» b) Go to the next step: generation of the shared secret (shared network key)
IPsec Lab: 2) Create Keys

Set up the secoff user and the shared encryption key:
» add user=secoff pass=secoff priv=security login=yes
» set user securedelay=600
login as secoff
» enable system security
» create enco key=1 type=gen val=123456
» create conf=ipsec.cfg
» set conf=ipsec.cfg

IPsec Lab: 3) ISAKMP

Create an ISAKMP policy for the exchange. On both routers:
» enable isakmp

ISAKMP configuration with key and hash algorithm:
» create isakmp pol=keys peer=<peer WAN IP address> hashalg=sha key=1
IPsec Lab: 4) IPsec Bundles

Create the possible combinations for the IPsec peer:
» enable ipsec

The SA specifications below specify the ESP algorithm and the AH options.
» create ipsec sas=1 prot=esp hasha=sha encalg=des keym=isakmp
» create ipsec sas=2 prot=ah mode=tunn hasha=sha keym=isakmp

The bundle definition below must have a peer with all the bundle options.
» create ipsec bundle=1 keym=isakmp string="1 and 2"
The operators 'and' and 'or' can be specified, as well as combinations separated by commas. This is useful when negotiating with different devices which support different AH and ESP combinations.

IPsec Lab: 5) IPsec Policies

Create 3 IPsec policies. These act as filters for all traffic, so the position of each IPsec policy is important:

1. Allow traffic to the ISAKMP module
» create ipsec pol=isakmp int=ppp0 act=permit lport=500 rport=500
2. Create the bundle configuration
» create ipsec pol=tunnel int=ppp0 act=ipsec key=isakmp bund=1 peer=<peer WAN IP>
» set ipsec pol=tunnel lad=<Local IP LAN> lmask=<Local MASK> rad=<Remote IP LAN> rmask=<Remote IP MASK>
3. Allow non-IPsec packets in as normal Internet access
» create ipsec pol=internet int=ppp0 act=permit
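Why the position of each policy matters, as an added Python example (not code from the slides or from the router): the three lab policies are evaluated in order against constructed sample packets, and the same list with the "internet" policy placed first shows the tunnel policy being shadowed so LAN-to-LAN traffic would leave in clear. The packet representation, the first-match evaluation and the deny result when nothing matches are this example's assumptions; the addresses are those of the lab.

```python
"""Ordered IPsec policy evaluation for the three lab policies on ppp0."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _in_net(addr, net, mask):
    """True when addr is inside net/mask (mask 0.0.0.0 matches any address)."""
    a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net, mask))
    return (a & m) == (n & m)


@dataclass
class IpsecPolicy:
    """Selector and action of one 'create/set ipsec pol=...' policy."""
    name: str
    action: str                      # "permit", "deny" or "ipsec"
    lad: str = "0.0.0.0"             # local address/mask (packet source)
    lmask: str = "0.0.0.0"
    rad: str = "0.0.0.0"             # remote address/mask (packet destination)
    rmask: str = "0.0.0.0"
    lport: Optional[int] = None
    rport: Optional[int] = None
    bundle: Optional[int] = None     # only meaningful for action "ipsec"
    peer: Optional[str] = None

    def matches(self, pkt):
        """pkt: dict with src, dst and optional sport/dport (outbound view)."""
        if not _in_net(pkt["src"], self.lad, self.lmask):
            return False
        if not _in_net(pkt["dst"], self.rad, self.rmask):
            return False
        if self.lport is not None and pkt.get("sport") != self.lport:
            return False
        if self.rport is not None and pkt.get("dport") != self.rport:
            return False
        return True


def evaluate(policies, pkt):
    """First matching policy wins; no match -> deny (this example's choice)."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.name, pol.action
    return None, "deny"


def shadowed_ipsec_policies(policies):
    """Names of 'ipsec' policies that an earlier permit/deny policy would
    capture for traffic between their own lad and rad networks."""
    shadowed = []
    for i, pol in enumerate(policies):
        if pol.action != "ipsec":
            continue
        probe = {"src": pol.lad, "dst": pol.rad}
        if any(p.matches(probe) for p in policies[:i] if p.action != "ipsec"):
            shadowed.append(pol.name)
    return shadowed


# The lab's three policies in the order the slides create them.
LAB_POLICIES = [
    IpsecPolicy("isakmp", "permit", lport=500, rport=500),
    IpsecPolicy("tunnel", "ipsec", lad="192.168.1.0", lmask="255.255.255.0",
                rad="192.168.2.0", rmask="255.255.255.0", bundle=1, peer="192.1.2.2"),
    IpsecPolicy("internet", "permit"),
]
# Same policies with "internet" placed first: the tunnel policy never fires.
WRONG_ORDER = [LAB_POLICIES[2], LAB_POLICIES[0], LAB_POLICIES[1]]

# Constructed sample traffic as seen leaving ppp0 of Router A
ISAKMP_PKT = {"src": "192.1.1.2", "dst": "192.1.2.2", "sport": 500, "dport": 500}
LAN_PKT = {"src": "192.168.1.5", "dst": "192.168.2.7"}
WEB_PKT = {"src": "192.168.1.5", "dst": "194.1.1.1", "sport": 40000, "dport": 80}


def classify(policies):
    """Map each sample packet name to (policy name, action) under policies."""
    samples = (("isakmp", ISAKMP_PKT), ("lan", LAN_PKT), ("web", WEB_PKT))
    return {name: evaluate(policies, pkt) for name, pkt in samples}


if __name__ == "__main__":
    print(classify(LAB_POLICIES))
    print(classify(WRONG_ORDER), "shadowed:", shadowed_ipsec_policies(WRONG_ORDER))
```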
IPsec Lab: 6) Testing

Initiate a ping from a router to its remote peer.
The ping will time out, but ISAKMP and IPsec security associations will be created. Use:
» sho isakmp sa
» sho ipsec sa
» show log - verify that the bundle has been created
If the tunnels are not working, use the appropriate debug to check SA communication:
» enable isakmp debug=all
» enable ipsec poli=tunnel debug=all

LAB TEST

VPN with Fixed Internet Address

[Figure: LAN A 192.168.1.0 behind Router A (Eth0=192.168.1.1, PPP0=192.1.1.2) and LAN B 192.168.2.0 behind Router B (Eth0=192.168.2.1, PPP0=192.1.2.2), both CentreCOM AR300, connected across the internet]

Prerequisites

Login as security officer
Security mode enabled
Shared network key present
Router A: LAN to LA with Encryption

Create the PPP interface over the leased line
Configure the IP module
Configure the routing module
Create the SAs:
» create ipsec sas=1 key=isakmp prot=esp enc=des hasha=null
» create ipsec sas=2 key=isakmp prot=ah hasha=sha

Router A: LAN to LAN with Encryption

Create the bundle:
» create ipsec bund=1 key=isakmp string="1 and 2"
» Here we have just one choice for the string, in which we use the two security associations together

Create the policy for allowing the ISAKMP key management to bypass IPsec:
» create ipsec pol=isakmp int=ppp0 ac=permit
» set ipsec pol=isakmp lp=500 rp=500
Router A: LAN to LAN with Encryption

Create the policy for using IPsec between two destinations:
» enable ipsec
» create ipsec pol=vpn int=ppp0 action=ipsec key=isakmp bund=1 peer=192.1.2.2
» set ipsec pol=vpn lad=192.168.1.0 lmask=255.255.255.0 rad=192.168.2.0 rmask=255.255.255.0

Peer is the remote end of the PPP link.
Lad is the local IP address range from which the sent data will be encrypted with IPsec.
Rad is the destination address range for the sent encrypted data.

Router A: LAN to LAN with Encryption

Create the policy for the ISAKMP mechanism:
» enable isakmp
» create isakmp policy=isakmp peer=192.1.2.2 key=1

Peer is the remote end of the PPP link.
IPsec Troubleshooting

The resources that the ENCO module can provide can be displayed
using the command:
» show enco


IPsec Troubleshooting

Verify that IPsec has been enabled:
» sh ipsec
Before any traffic can be processed by an IPsec policy, IPsec SAs and an SA bundle must have been created for that policy.
» show ipsec policy=policy_name
Check whether or not an SA bundle has been created for the policy
IPsec Troubleshooting

To verify the IPsec SA and bundle you can also use the command:
» sh ipsec sa

If an IPsec SA and bundle have not been created, then check ISAKMP:
» show log - look for the Phase 1 and Phase 2 exchanges and their success

IPsec Troubleshooting

Verify whether or not ISAKMP has been enabled:
» sh isakmp
If Phase 1 has succeeded, then verify the creation of the ISAKMP SA:
» sh isakmp sa
IPsec Troubleshooting

Verify the ISAKMP key exchange with:
» sh isakmp exchange
Phase 1 failed:
» The pre-shared key or RSA public keys have not been configured correctly.
Phase 2 failed:
» The IPsec configuration at both ends is incompatible
» Check the IP addresses of the IPsec configuration

IPsec Debugging

Debugging commands:
» enable isakmp debugging=<state/trace>
» enable ipsec policy=<name> debugging=<filter/trace>

FILTER debugging can explain why packets are not being matched to a particular policy.
TRACE debugging can show where a packet has failed in the IPsec process.
Verification of the IPsec Tunnel

» sh ipsec policy=<name> counter

Verify the outProcessDone (Outbound Packet Processing Counters section) and the inProcessDone (Inbound Packet section) counters
For every data transfer the counters must increase

Router A - LAN to LAN with Encryption

Complete configuration:
» add user=albenga pass=albenga priv=securityofficer
» set user securedelay=600
» create ppp=0 over=syn0
» enable ip
» add ip int=ppp0 ip=192.1.1.2
» add ip int=eth0 ip=192.168.1.1 mask=255.255.255.0
» add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
Router A - LAN to LAN with Encryption

» enable ipsec
» create ipsec sas=1 key=isakmp prot=esp enc=des hasha=null
» create ipsec sas=2 key=isakmp prot=ah hasha=sha
» create ipsec bund=1 key=isakmp string="1 and 2"
» create ipsec pol=isakmp int=ppp0 ac=permit lp=500 rp=500
» create ipsec pol=vpn int=ppp0 ac=ipsec key=isakmp bund=1 peer=192.1.2.2
» set ipsec pol=vpn lad=192.168.1.0 lmask=255.255.255.0 rad=192.168.2.0 rmask=255.255.255.0
» enable isakmp
» create isakmp pol=isakmp pe=192.1.2.2 key=1

Router B - LAN to LAN with Encryption

Complete configuration:
» add user=albenga pass=albenga priv=securityofficer
» set user securedelay=600
» create ppp=0 over=syn0
» enable ip
» add ip int=ppp0 ip=192.1.2.2
» add ip int=eth0 ip=192.168.2.1 mask=255.255.255.0
» add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
Router B - LAN to LAN with Encryption

» enable ipsec
» create ipsec sas=1 key=isakmp prot=esp enc=des hasha=null
» create ipsec sas=2 key=isakmp prot=ah hasha=sha
» create ipsec bund=1 key=isakmp string="1 and 2"
» create ipsec pol=isakmp int=ppp0 ac=permit lp=500 rp=500
» create ipsec pol=vpn int=ppp0 ac=ipsec key=isakmp bund=1 peer=192.1.1.2
» set ipsec pol=vpn lad=192.168.2.0 lmask=255.255.255.0 rad=192.168.1.0 rmask=255.255.255.0
» enable isakmp
» create isakmp pol=isakmp pe=192.1.1.2 key=1

VPN with Fixed Internet Address and Firewall + NAT

Figure: the same two CentreCOM AR300 Access Routers connected across the Internet. Router A: Eth0=192.168.1.1, PPP0=192.1.1.2, with host 192.168.1.2 on its LAN. Router B: Eth0=192.168.2.1, PPP0=192.1.2.2, with host 192.168.2.2 on its LAN.
Router A

Add User as Security Officer -> Enable System Security
Generate Enco Key=1 (Head Office)
Copy the same Enco Key to the Branch Office router
Create the ISDN call to the remote office
Create the PPP interface
Configure the IP module
Configure the routing module

Router A

Create the SAs
Create the bundle
Create the policy that allows the ISAKMP key management traffic to bypass IPsec
Create the policy for using IPsec between the two LANs
Create the policy for Internet access
Create the Firewall policy
Verify the tunnel creation: from LAN A try to ping a PC on LAN B
Unencrypted Internet Access

To allow unencrypted traffic to reach the rest of the Internet:
» create ipsec poli=internet int=ppp0 action=permit
Verify that this policy is in the last position in the policy database:
» sh ipsec poli

Policies are matched in order. If this permit policy is placed before the policy with action=ipsec, the LAN-to-LAN traffic matches it first and is all allowed through in the clear instead of being encrypted.
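As an added example (not from the slides or the router's own code), a small Python model of the first-match walk through the IPsec policy database, using the lab's addresses: it shows the LAN-to-LAN flow landing on the vpn policy when the internet policy is last, landing on the permit policy when internet is created first, and a check that flags such shadowing. The Policy class, the selectors as CIDR strings and the lint function are constructed for illustration; first-match ordering is assumed from the slide's description.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    name: str
    action: str                   # "permit" or "ipsec"
    lad: str = "0.0.0.0/0"        # local address selector (lad/lmask)
    rad: str = "0.0.0.0/0"        # remote address selector (rad/rmask)
    lp: Optional[int] = None      # local port selector, None = any
    rp: Optional[int] = None      # remote port selector, None = any

    def matches(self, src, dst, sport=None, dport=None):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.lad)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.rad)
                and (self.lp is None or sport == self.lp)
                and (self.rp is None or dport == self.rp))

def classify(policies, src, dst, sport=None, dport=None):
    """First matching policy wins, as when the router walks its database;
    returns (name, action), or None when no policy matches."""
    for p in policies:
        if p.matches(src, dst, sport, dport):
            return p.name, p.action
    return None

def lint_order(policies):
    """Flag every permit policy that sits before an ipsec policy it shadows:
    traffic meant for the tunnel would instead leave in the clear."""
    net = ipaddress.ip_network
    problems = []
    for i, p in enumerate(policies):
        if p.action != "permit" or p.lp is not None or p.rp is not None:
            continue
        for q in policies[i + 1:]:
            if (q.action == "ipsec" and net(q.lad).subnet_of(net(p.lad))
                    and net(q.rad).subnet_of(net(p.rad))):
                problems.append(f"{p.name} shadows {q.name}")
    return problems

# Router A's policy database in the order the slides create it (constructed)
ROUTER_A = [
    Policy("isakmp", "permit", lp=500, rp=500),
    Policy("vpn", "ipsec", lad="192.168.1.0/24", rad="192.168.2.0/24"),
    Policy("internet", "permit"),
]
# The same three policies with "internet" created first (the mistake)
MISORDERED = [ROUTER_A[2], ROUTER_A[0], ROUTER_A[1]]
```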

Router A – Complete Configuration

» create ppp=0 over=syn0
» enable ip
» add ip int=ppp0 ip=192.1.1.2
» add ip int=eth0 ip=192.168.1.1
» add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
Router A – Complete Configuration

» create ipsec sas=1 key=isakmp prot=esp enc=des hasha=null
» create ipsec sas=2 key=isakmp prot=ah hasha=sha
» create ipsec bund=1 key=isakmp string="1 and 2"
» create ipsec pol=isakmp int=ppp0 ac=permit
» set ipsec pol=isakmp lp=500 rp=500
» create ipsec pol=vpn int=ppp0 ac=ipsec key=isakmp bund=1 peer=192.1.2.2
» set ipsec pol=vpn lad=192.168.1.0 lma=255.255.255.0 rad=192.168.2.0 rma=255.255.255.0
» enable ipsec
» create isakmp pol=isakmp pe=192.1.2.2 key=1
» enable isakmp

Router A – Complete Configuration

» enable firewall
» create firewall policy="a"
» enable firewall policy="a" icmp_f=all
» add firewall policy="a" int=eth0 type=private
» add firewall policy="a" int=ppp0 type=public
» add firewall poli="a" nat=enhanced int=eth0 gblin=ppp0
» add firewall poli="a" ru=1 ac=allo int=ppp0 prot=udp po=500 ip=192.1.1.2 gblip=192.1.1.2 gblp=500
» add firewall poli="a" ru=2 ac=allo int=ppp0 prot=50
» add firewall poli="a" ru=3 ac=allo int=ppp0 prot=51
» add firewall poli="a" ru=4 ac=nonat int=ppp0 prot=ALL ip=192.168.1.1-192.168.1.254 encap=ipsec
» set firewall poli="a" ru=4 rem=192.168.2.1-192.168.2.254
Router B – Complete Configuration

» create ppp=0 over=syn0
» enable ip
» add ip int=ppp0 ip=192.1.2.2
» add ip int=eth0 ip=192.168.2.1
» add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0

Router B – Complete Configuration

» create ipsec sas=1 key=isakmp prot=esp enc=des hasha=null
» create ipsec sas=2 key=isakmp prot=ah hasha=sha
» create ipsec bund=1 key=isakmp string="1 and 2"
» create ipsec pol=isakmp int=ppp0 ac=permit
» set ipsec pol=isakmp lp=500 rp=500
» create ipsec pol=vpn int=ppp0 ac=ipsec key=isakmp bund=1 peer=192.1.1.2
» set ipsec pol=vpn lad=192.168.2.0 lma=255.255.255.0 rad=192.168.1.0 rma=255.255.255.0
» enable ipsec
» create isakmp pol=isakmp pe=192.1.1.2 key=1
» enable isakmp
Router B – Complete Configuration

» enable firewall
» create firewall policy="a"
» enable firewall policy="a" icmp_f=all
» add firewall policy="a" int=eth0 type=private
» add firewall policy="a" int=ppp0 type=public
» add firewall poli="a" nat=enhanced int=eth0 gblin=ppp0
» add firewall poli="a" ru=1 ac=allo int=ppp0 prot=udp po=500 ip=192.1.2.2 gblip=192.1.2.2 gblp=500
» add firewall poli="a" ru=2 ac=allo int=ppp0 prot=50
» add firewall poli="a" ru=3 ac=allo int=ppp0 prot=51
» add firewall poli="a" ru=4 ac=nonat int=ppp0 prot=ALL ip=192.168.2.1-192.168.2.254 encap=ipsec
» set firewall poli="a" ru=4 rem=192.168.1.1-192.168.1.254

Security

The End
