Monday, September 30, 2013

VPN tunnels IOS-XR

In this blog, we will look at a VPN tunnel-ipsec config. IOS-XR supports GRE tunnels and IPsec tunnels. A basic GRE tunnel looks something like the below.


show run interface tunnel-ip 12

interface tunnel-ip12
 description grr0 tunnel to juniper-CR1SEA01
 ipv4 address 10.19.1.1 255.255.255.252
 load-interval 30
 tunnel source 2.2.2.2
 keepalive 30 3
 tunnel destination 1.1.1.1
!


               Intf       Intf        LineP              Encap  MTU        BW
               Name       State       State               Type (byte)    (Kbps)
--------------------------------------------------------------------------------
              ti12          up          up         TUNNEL_GRE  1500        100


Okay, so what about vpn tunnels?

They follow a tunnel naming convention of tunnel-ipsec xxx. You can re-use a tunnel-ip ## number for a tunnel-ipsec interface, but it's best practice to give each tunnel a unique number imho.

e.g.

show int tunnel-ipsec 99 br
Wed Sep 01 03:44:31.166 UTC

               Intf       Intf        LineP              Encap  MTU        BW
               Name       State       State               Type (byte)    (Kbps)
--------------------------------------------------------------------------------
               ti99          up          up              IPSec  1476          0

RP/0/RSP0/CPU0:LACORE1#show int tunnel-ip 99 br   
Wed Sep 01 03:44:41.493 UTC

               Intf       Intf        LineP              Encap  MTU        BW
               Name       State       State               Type (byte)    (Kbps)
--------------------------------------------------------------------------------

               ti99        down        down         TUNNEL_GRE  1500        100




So let's look at the steps for VPN IPsec tunnels.


1st, define your IKE policies;



crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 lifetime 86400
!
crypto isakmp policy 10
 authentication pre-share
 group 2
 encryption 3des
!
crypto isakmp policy 20
 authentication pre-share
 hash md5
 group 2
 encryption 3des
!
crypto isakmp policy 30
 authentication pre-share
 group 2
 encryption aes
!
crypto isakmp policy 40
 authentication pre-share
 hash md5
 group 2
 encryption aes
!

Don't forget to enable ISAKMP;

crypto isakmp

and you can verify it's enabled via the following show command, show crypto isakmp;

sh crypto isakmp 
Wed Sep 01 03:47:02.523 UTC
ISAKMP is enable
  Keepalive not set
  Identity set (IP)


Okay, now we can start on the heart of the configuration. Craft your keyring;


crypto keyring key1 vrf default
 pre-shared-key address 192.0.2.1 255.255.255.255 key mybigkeyhere
!

Enable crypto tunnel-status logging (optional);

!
crypto logging tunnel-status
!

Build your IKE profile and specify your keyring and identity method;

!
crypto isakmp profile isakmp_prof
 description IOS-XR VPN
 keyring key1
 self-identity address
!


Next we build the transform sets and an IPsec profile, where we specify the transform set(s) used by the profile;


!
crypto ipsec transform-set ESP-AES-md5
 transform esp-aes esp-md5-hmac
 mode tunnel
!
crypto ipsec transform-set ESP-AES-sha
 transform esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec transform-set ESP-3DES-md5
 transform esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec transform-set ESP-3DES-sha
 transform esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec transform-set ESP-3DES-md5-1
 transform esp-3des esp-md5-hmac
 mode transport

!


and the access list that selects the interesting traffic, plus the IPsec profile that ties it to a transform set;

!
!
ipv4 access-list kenfelixipsec
 10 permit ipv4 host 10.200.1.253 10.150.252.0/24
 20 permit ipv4 10.150.252.0/24 host 10.200.1.253

!
!
crypto ipsec profile ipsecprofile
 set pfs group2
 set type static
 match kenfelixipsec transform-set  ESP-AES-md5

!

and we craft our peer address entry;
!
crypto isakmp peer address xx.xxx.xxx.xxx vrf default

 description "for socpuppets blog "

and we apply the profile to our interface;

RP/0/RSP0/CPU0:LACORE1#show run interface tunnel-ipsec 10
Wed Sep 01 03:56:22.061 UTC
interface tunnel-ipsec10
 profile ipsecprofile
 tunnel source Loopback5
 tunnel destination xx.xxx.xxx.xxx

!


We can get tunnel-ipsec details via the following show command;


show crypto ipsec interface 
Wed Sep 01 03:58:08.406 UTC

--------------- IPSec interface ----------------
Interface tunnel-ipsec99, mode Tunnel, intf_handle 0x80001A0
Locations ,  VRF default (60000000)
Number of profiles 0, number of flows 0
Tunnel: source 0.0.0.0, destination 0.0.0.0, tunnel VRF default
DF-bit: Copy, pre-fragmentation Enable
default pmtu: 9216
No flows on this interface.

--------------- IPSec interface ----------------
Interface tunnel-ipsec10, mode Tunnel, intf_handle 0x80000A0
Locations ,  VRF  (60000000)
Number of profiles 1, number of flows 0
Tunnel: source 192.02.1.49, destination 172.16.22.73, tunnel VRF default
DF-bit: Copy, pre-fragmentation Enable
default pmtu: 9216

No flows on this interface.
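Before pushing a set of IKE policies and transform sets like the ones above into production, it helps to run them through a quick audit for the older algorithms these examples use (3DES, MD5, DH group 2). The script below is an added example, not part of the original post: it parses IOS-XR-style crypto blocks from a constructed config text and flags those tokens under an assumed review policy.

```python
from collections import defaultdict
# Constructed sample: three of the blocks from the post above, pasted as one config text.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
!
crypto ipsec transform-set ESP-AES-md5
 transform esp-aes esp-md5-hmac
 mode tunnel
!
crypto ipsec profile ipsecprofile
 set pfs group2
 match kenfelixipsec transform-set  ESP-AES-md5
!
"""
# Assumed review policy: flag 3DES (64-bit block), HMAC-MD5 and DH groups 1/2
# (768/1024-bit MODP) wherever they appear: IKE policy, transform set or PFS.
WEAK_TOKENS = {"3des", "esp-3des", "md5", "esp-md5-hmac", "group1", "group2"}

def parse_blocks(config):
    """Split IOS-XR config into (header, [children]) blocks ended by '!'."""
    blocks, header, children = [], None, []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" "):
            children.append(line.strip())  # indented line belongs to current block
        else:
            if header is not None:
                blocks.append((header, children))
            header, children = line.strip(), []
    if header is not None:
        blocks.append((header, children))
    return blocks

def audit(config):
    """Return {block_header: [finding, ...]} for crypto blocks with weak settings."""
    findings = defaultdict(list)
    for header, children in parse_blocks(config):
        if not header.startswith("crypto "):
            continue
        for child in children:
            # "group 2" is normalised to "group2" so IKE and PFS spellings match one token
            for tok in child.replace("group ", "group").split():
                if tok.lower() in WEAK_TOKENS:
                    findings[header].append(f"{child!r}: weak {tok}")
        if header.startswith("crypto isakmp policy") and not any(c.startswith("group ") for c in children):
            findings[header].append("no DH group set; platform default applies")
    return dict(findings)
```

Feed it the output of show run | begin crypto and review each flagged block against your own policy; a policy with no group line is reported separately because the platform default then decides the DH strength.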





Keep these thoughts in mind;

IOS-XR is limited in tunnel mode and only supports IPv4 GRE.
If you define the policy type with "set type static", IOS-XR acts on the peer you defined.


A crypto profile replaces the legacy crypto map.




Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
          o
       /     \

