The Role of VPNs

VPNs are deployed on an unprotected network or over the Internet to ensure data integrity, authentication, and encryption. Initially, VPNs were designed to reduce the cost of unnecessary leased lines. As a result, they now play a critical role in securing the internet and, in some cases, protecting personal information. In addition to connecting to their corporate networks, individuals use VPNs to protect their privacy.

Data integrity, authentication, and encryption through L2F, L2TP, GRE, or MPLS VPNs is impossible. The benefits of L2TP, GRE, and MPLS can also be derived from IPsec when combined with L2TP, GRE, and MPLS. All three of these features make IPsec the preferred protocol for many organizations.

GRE over IPsec

RFC 2784 defines GRE (protocol 47), and RFC 2890 extends it. Using GRE, packets of any protocol (the payload packets) can be encapsulated over any other protocol (the delivery protocol) between two endpoints. Between the payload (data) and the delivery header, the GRE protocol adds its header (4 bytes plus options).

Tip:

GRE supports IPv4 and IPv6. If IPv4 or IPv6 endpoint addresses are defined, the outer IP header will be IPv4 or IPv6, respectively.

In comparison to the original packet, GRE packets have the following overhead:

• 4 bytes (+ GRE options) for the GRE header.

• 20 bytes (+ IP options) for the outer IPv4 header (GRE over IPv4), or

• 40 bytes (+ extension headers) for the outer IPv6 header (GRE over IPv6).

GRE over IPsec creates a new IP packet inside the network infrastructure device by encapsulating the original packets within GRE.

When GRE over IPsec is deployed in tunnel mode, the plaintext IPv4 or IPv6 packet is encapsulated into GRE. The tunnel source and destination IP addresses are then encapsulated in another IPv4 or IPv6 packet. An IPsec tunnel source and tunnel destination route the traffic to the destination with an additional outer IP header acting as a tunnel source and tunnel destination.

On the other hand, GRE over IPsec encapsulates plaintext IPv4 or IPv6 packets in GRE and then protects them with IPsec for confidentiality and integrity; the outer IP header with the source and destination addresses of the GRE tunnel enables packet routing.

GRE Operation

GRE is a layer 3 protocol, meaning it works at the IP level of the network. It enables a router to encapsulate packets of a particular protocol and send them to another router, decapsulated and forwarded to their destination. This is useful for tunneling, where data must traverse multiple networks and different types of hardware.

GRE encapsulates data in a header containing information about the source, destination, and other routing information. The GRE header is then encapsulated in an IP header containing the source and destination IP addresses. When the packet reaches the destination router, the GRE header is stripped off, and the data is sent to its destination.

IPsec site-to-site

An IPsec site-to-site VPN, also known as a gateway-to-gateway VPN, is a secure tunnel established between two or more remote networks over the internet. It enables organizations to connect geographically dispersed offices, data centers, or even cloud networks, creating a unified and secure network infrastructure. By leveraging IPsec, organizations can establish secure communication channels, ensuring confidentiality, integrity, and authentication of transmitted data.

Before you proceed, you may find the following posts helpful for pre-information:

1. Dead Peer Detection
2. IPsec Fault Tolerance
3. Dynamic Workload Scaling 
4. Cisco Switch Virtualization
5. WAN Virtualization
6. VPNOverview

1st Lab guide on IPsec site to site

In this lesson, two Cisco IOS routers use IPSec in tunnel mode. This means the original IP packet will be encapsulated in a new IP packet and encrypted before sending it out of the network. For this demonstration, I will be using the following three routers.

R1 and R3 each have a loopback interface behind them with a subnet. We’ll configure the IPsec tunnel between these routers to encrypt traffic from 1.1.1.1/32 to 3.3.3.3/32. R2 is just a router in the middle, so R1 and R3 are not directly connected.

Notice with information 1 that we can’t ping the remote LAN. However, once the IPsec tunnel is up, we have reachability. Under the security associations, we have 4 packets encapsulated and encapsulated. However, I sent 5 pings. The first packet is lost to ARP.

IPsec relies on encryption and tunneling protocols to establish a secure connection between networks. The two primary components of IPsec are the IPsec tunnel mode and the IPsec transport mode. In tunnel mode, the entire IP packet is encapsulated within another IP packet, adding an extra layer of security. In contrast, the transport mode only encrypts the payload of the IP packet, leaving the original IP header intact.

To initiate a site-to-site VPN connection, the IPsec VPN gateway at each site performs a series of steps. These include negotiating the security parameters, authenticating the participating devices, and establishing a secure tunnel using encryption algorithms such as AES (Advanced Encryption Standard) or 3DES (Triple Data Encryption Standard). Once the tunnel is established, all data transmitted between the sites is encrypted, safeguarding it from unauthorized.

Back to basic with GRE tunnels

What is a GRE tunnel?

A GRE tunnel supplies connectivity to a wide variety of network layer protocols. GRE works by encapsulating and forwarding those packets over an IP-based network. The authentic use of GRE tunnels provided a transport mechanism for non-routable legacy protocols such as DECnet and IPX. With GRE, we add header information to a packet when the router encapsulates the packet for transit on the GRE tunnel.

The new header information contains the remote endpoint IP address as the destination. The latest IP headers permit the packet to be routed between the two tunnel endpoints, and this is done without inspection of the packet’s payload.

After the packet reaches the remote endpoint, the GRE termination point, the GRE headers are removed, and the original packet is forwarded from the remote router. Both GRE and IPsec tunnels are used in solutions for SD WAN SASE and SD WAN Security. Both of these solutions would abstract the complexity of configuring these technologies.

GRE Operation

GRE operates by encapsulating the original packet with a GRE header. This header contains information such as the source and destination IP addresses and additional fields for protocol identification and fragmentation support. Once the packet is encapsulated, it can be transmitted over an IP network, effectively hiding the underlying network details.

When a GRE packet reaches its destination, the receiving end decapsulates it, extracting the original payload. This process allows the recipient to receive the data as if it were sent directly over the underlying network protocol. GRE is a transparent transport mechanism, enabling seamless communication between disparate networks.

• Topologies and routing protocol support

Numerous technologies connect remote branch sites to HQ or central hub. P2P Generic Routing Encapsulation ( GRE network ) over IPsec is an alternative design to classic WAN technologies like ATM, Frame Relay, and Leased lines. GRE over IPsec is a standard deployment model that connects several remote branch sites to one or more central sites. Design topologies include the hub-and-spoke, partial mesh, and full mesh.

Both partial and full-mesh topologies experience limitations in routing protocol support. A full mesh design is limited by the overhead required to support a design with a full mesh of tunnels. Following a complete mesh requirement, a popular design option would be to deploy DMVPN. Regarding the context of direct connectivity from branch to hub only, hub-and-spoke is by far the most common design.

2nd Lab guide with DMVPN and GRE

The lab guide below shows a DMVPN network based on Generic Routing Encapsulation (GRE). So, GRE is the overlay. Specifically, we use GRE in point-to-point mode, which means deploying DMVPN Phase 1, a true VPN hub and spoke design, where all traffic from the spokes must go via the hub. With the command: show dmvpn, we can see that two spokes are dynamically registered over the GRE tunnel, notice the “D” attribute.

The beauty of using DMPVN as a VPN technology is that the hub site does not need a specific spoke configuration as it uses GRE in multi-point mode. On the other hand, the spokes need to have a hub configuration with the command: IP nhrp nhs 192.168.100.11. IPsec encryption is optional with DMVPN. In the other command snippet, we are running IPsec encryption with the command: tunnel protection ipsec profile DMVPN_IPSEC_PROFILE.

One of the primary use cases of GRE is in creating VPNs. Organizations can securely transmit data across public networks such as the Internet by encapsulating traffic within GRE packets. This provides a cost-effective solution for connecting geographically dispersed sites without requiring dedicated leased lines.

Another use of the GRE is in network virtualization. By leveraging GRE tunnels, it is possible to create virtual networks isolated from the underlying physical infrastructure. This allows for more efficient resource utilization and improved network scalability.

• DMVPN (Dynamic Multipoint VPN)

DMVPN is based on the principle of dynamic spoke-to-spoke tunneling, allowing for dynamic routing and scalability. It also provides the ability to create a dynamic mesh topology, allowing for multiple paths between remote sites. This allows for increased redundancy and improved performance.

DMVPN also offers the ability to establish a secure tunnel over an untrusted network, such as the Internet. This is achieved with a series of DMVPN phases. DMVPN phase 3 offers better flexibility by using IPSec encryption and authentication, ensuring that all traffic sent over the tunnel is secure. This makes DMVPN an excellent choice for businesses connecting multiple sites over an unsecured network.

GRE Network: Head-end Architecture 

Single-tier and dual tier

Head-end architectures include a single-tier head-end where the point-to-point GRE network and crypto functionality co-exist on the same device. Dual-tier designs are where the point-to-point GRE network and crypto functionality are not implemented on the same device. In dual-tier designs, the routing and GRE control planes are located on one device while the IPsec control plane is housed on another.

“Tunnel protection” requires the same source and destination IP address for the GRE and crypto tunnels. Implementations of dual-tier separate these functions, resulting in the different IP addresses for the GRE and crypto tunnels. Tunnel protection is invalid with dual-tier mode.

GRE over IPsec

GRE (Generic Routing Encapsulation) is a tunneling protocol that encapsulates multiple protocols within IP packets, allowing the transmission of diverse network protocols over an IP network. On the other hand, IPSEC (IP Security) is a suite of protocols that provides secure communication over IP networks by encrypting and authenticating IP packets. Combining these two protocols, GRE over IPSEC offers a secure and flexible solution for transmitting network traffic over public networks.

Benefits of GRE over IPSEC:

Secure Data Transmission:

By leveraging IPSEC’s encryption and authentication capabilities, GRE over IPSEC ensures the confidentiality and integrity of data transmitted over the network. This is particularly crucial when transmitting sensitive information, such as financial data or personal records.

Network Scalability:

GRE over IPSEC allows organizations to create virtual private networks (VPNs) by establishing secure tunnels between remote sites. This enables seamless communication between geographically dispersed networks, enhancing collaboration and productivity.

Protocol Flexibility:

GRE over IPSEC supports encapsulating various network protocols, including IPv4, IPv6, and multicast traffic. This flexibility enables the transmission of diverse data types, ensuring compatibility across different network environments.

Preliminary design considerations

Diverse multi-protocol traffic requirements force the use of a Generic Routing Encapsulation ( GRE ) envelope within the IPsec tunnel. The p2p GRE tunnel is encrypted inside the IPsec crypto tunnel. Native IPsec is not multi-protocol and lacks IP multicast or broadcast traffic support. As a result, proper propagation of routing protocol control packets cannot occur in a native IPsec tunnel.

However, OSPF design cases allow you to run OSPF network type non-broadcast and explicitly configure the remote OSPF neighbors, resulting in OSPF over the IPsec tunnel without GRE. With a GRE over IPsec design, all traffic between hub and branch sites is first encapsulated in the p2p GRE packet before encryption.

GRE over IPSec Key Points

Redundancy

Redundant designs are implemented with the branch having two or more tunnels to the campus head. The head-end routers can be geographically separated or co-located. Routing protocols are used with redundant tunnels providing high availability with dynamic path selection.

The head-end router can propagate a summary route ( 10.0.0.0/8 ) or a default route ( 0.0.0.0/0 ) to the branch sites, and a preferred routing metric will be used for the primary path. If OSPF is RP, the head-end selection is based on OSPF costs.

Recursive Routing

Each branch must add a static route to their respective ISP IP addresses for each head-end. The static avoids recursive routing through the p2p GRE tunnel. Recursive routing occurs when the route to the GRE tunnel source outside the IP address of the opposing router is learned via a route with a next-hop of the inside IP address of the opposing p2p GRE tunnel. Recursive routing causes the tunnel to flap and the p2p GRE packets to route into their p2p GRE tunnel. To overcome recursive routing, my best practice is to ensure that the outside tunnel is routed directly to ISP instead of inside the p2p GRE tunnel.

Recursive routing and outbound interface selection pose significant challenges in tunnel or overlay networks. Therefore, routing protocols should be used with utmost caution over network tunnels. A router can encounter problems if it attempts to reach the remote router’s encapsulating interface (transport IP address) via the tunnel. Typically, this issue occurs when the transport network is advertised into the same routing protocol as the overlay network.

Routers learn the destination IP address for tunnel interfaces through recursive routing. First, the IP address of the tunnel’s destination is removed from the routing table, making it unreachable.

Split tunneling

If the head-end advertises a summary route to the branch, split tunneling is enabled on all packets not destined for the summary. Any packets not destined for the summary are split-tunneled to the Internet. For example, split tunneling is not used for the branch sites in a design where the head-end router advertises a default route ( 0.0.0.0/0 ) through the p2p GRE tunnel.

• A key point: Additional information on Split tunneling.

Split tunneling is a networking concept that allows users to selectively route traffic from their local device to a local or remote network. It gives users secure access to corporate networks and other resources from public or untrusted networks. Split tunneling can also be used to reduce network congestion. For example, if a user is on a public network and needs to access a resource on a remote network, the user can set up a split tunnel to send only the traffic that needs to go over the remote network. This reduces the traffic on the public network, allowing it to perform more efficiently.

Control plane

Routing protocol HELLO packets initiated from the branch office force the tunnel to establish—routing protocol control plane packets to maintain and keep the tunnel up. HELLO packets provide a function similar to GRE keepaways. HELLO routing protocol operates in layer 3, and GRE maintains in layer 2.

 Branch router considerations

The branch router can have p2p GRE over IPSEC with a static or dynamic public address. The GRE and crypto tunnels are sourced from a static address with a static public IP address. With dynamic address allocation, the GRE is sourced from a loopback address privately assigned (non-routable), and the crypto tunnel is sourced from a dynamically assigned public IP address.

Generic routing encapsulation

Key design points