Differences between using crypto maps in IPSec and VTI-based IPSec

Today I'm going to write about a simple yet complex topic: using crypto maps in IPSec versus VTI-based IPSec. There are many articles on this, but most of them leave out important details without which the whole scenario stops working as needed.
On many sites I see people attaching IPSec crypto maps to physical interfaces alongside NAT for a simple purpose: letting two branch offices exchange traffic with each other securely, while each of them also reaches the Internet through NAT, unencrypted. Normally two branch offices reside anywhere on the Internet with multiple hops between them. Am I right? But most of the sites I mentioned just show two sites connected by a direct physical link, with NAT and the crypto maps both applied to that link. Although this scenario does work, it doesn't fit the real-world case where you want to use this method on two routers that have many hops between them. So I'm going to show you a real-world scenario where all of our requirements are met.
We have the topology shown above. The IP addressing scheme of the routers is as follows: every router has three /32 loopback interfaces, with the 4th octet set to 1, 2 and 3 and the first, second and third octets set to the router's number. For example, on R1 we have loopback0: 1.1.1.1/32, loopback1: 1.1.1.2/32 and loopback2: 1.1.1.3/32; on router R6 we have 6.6.6.1, 6.6.6.2 and 6.6.6.3. As the goal of this document is not to discuss routing throughout the network, I have configured the network so that all devices can reach each other's loopback0 interface. So it's time to jump into our IPSec VPN configuration.
What we need is an IPSec VPN between site A (routers R4, R5 and R6) and site B (routers R7, R8 and R12), while letting all of the clients reach anything that is reachable in this topology (since I've advertised only the loopback0 network of every router, the term "all of the clients" here means the loopback0 address of every router).
In the first example I show how to use crypto maps alongside NAT on our border routers (R6 and R12), and in the second one I show the VTI-based method. Configuring IPSec consists of a few steps: the first is defining the ISAKMP policy, the second is defining the transform set and our ACLs, and the final step is creating the crypto map and binding it to an interface. So let's begin.

On R6:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
 lifetime 300
!
crypto isakmp key cisco address 12.12.12.1
crypto ipsec transform-set TEST_SET esp-aes esp-sha-hmac

On R12:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
 lifetime 300
!
crypto isakmp key cisco address 6.6.6.1
crypto ipsec transform-set TEST_SET esp-aes esp-sha-hmac

For example, I want to enable secure inter-site reachability between the loopback1 interfaces of R4 and R7. I mean that traffic flowing between these networks must be encrypted by the border routers (R6 and R12), but packets sent from these networks to anywhere else must pass through the border routers without encryption. Besides, we need NAT on these routers so that these networks (4.4.4.2/32 and 7.7.7.2/32) can communicate with the outside world, because, as I said before, we have advertised only loopback0 of each router to the Internet and nothing else.
The important part of this topic is that we need to create a GRE tunnel between the border routers (R6 and R12) and apply the crypto map to the tunnel. If you apply the crypto map to the outside physical interfaces of these routers instead, they will not be able to talk to each other securely, because of a routing problem: the intermediate routers would have to know a route to the internal networks in order to forward those packets to the other border router, so you would have to advertise the internal networks to the Internet. That is not possible, because we cannot advertise our internal networks to the Internet; those prefixes will be blocked by our SP network. (Although I'm using a sample IP addressing scheme here, in the real world customers use RFC 1918 addresses inside their own network.)
Creating the GRE tunnel has a distinct advantage: we can run a routing protocol on the tunnel interface to exchange routes between our two branch sites. Let's continue our configuration by defining the crypto maps.

On R12:

crypto map TEST_MAP 1 ipsec-isakmp
 set peer 6.6.6.1
 set transform-set TEST_SET
 match address INTERESTING_TRAFFIC
! the map is applied later with "crypto map TEST_MAP" under interface Tunnel0

On R6:

crypto map TEST_MAP 1 ipsec-isakmp
 set peer 12.12.12.1
 set transform-set TEST_SET
 match address INTERESTING_TRAFFIC
! the map is applied later with "crypto map TEST_MAP" under interface Tunnel0

Our ACLs need to be defined too. We need two ACLs on each border router: one for NAT and one defining the interesting traffic that must be encrypted while travelling between the two sites. Note that the NAT ACL denies exactly the traffic the crypto ACL permits; NAT is applied before the crypto map, so without that deny the source address would be translated first and the packet would never match the interesting-traffic ACL.

R12(config-if)#do sh ip access-list 
Extended IP access list FOR_NAT
    10 deny ip host 7.7.7.2 host 4.4.4.2
    20 permit ip host 7.7.7.2 any (2 matches)
Extended IP access list INTERESTING_TRAFFIC
    10 permit ip host 7.7.7.2 host 4.4.4.2 (108 matches)
R6(config-if)#do sh ip access-list 
Extended IP access list FOR_NAT
    10 deny ip host 4.4.4.2 host 7.7.7.2
    20 permit ip host 4.4.4.2 any (16 matches)
Extended IP access list INTERESTING_TRAFFIC
    10 permit ip host 4.4.4.2 host 7.7.7.2 (109 matches)
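As an added check (not part of the original post), the following Python script parses the "show ip access-list" output above and verifies the two conditions this design depends on: the NAT ACL must deny the interesting traffic before its catch-all permit, and the two peers' crypto ACLs must be mirror images of each other. The embedded ACL text is copied from the output above; the function and ACL names are the ones used in this post.

```python
import re

# Constructed sample: the "show ip access-list" output from R6 and R12 shown above.
R6_ACLS = """\
Extended IP access list FOR_NAT
    10 deny ip host 4.4.4.2 host 7.7.7.2
    20 permit ip host 4.4.4.2 any (16 matches)
Extended IP access list INTERESTING_TRAFFIC
    10 permit ip host 4.4.4.2 host 7.7.7.2 (109 matches)
"""
R12_ACLS = """\
Extended IP access list FOR_NAT
    10 deny ip host 7.7.7.2 host 4.4.4.2
    20 permit ip host 7.7.7.2 any (2 matches)
Extended IP access list INTERESTING_TRAFFIC
    10 permit ip host 7.7.7.2 host 4.4.4.2 (108 matches)
"""
ACE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+ip\s+(host \S+|any)\s+(host \S+|any)")

def parse_acls(text):
    """Return {acl_name: [(seq, action, src, dst), ...]}; src/dst are 'any' or a host address."""
    acls, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Extended IP access list (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = ACE.match(line)
        if m and current:
            seq, action, src, dst = m.groups()
            acls[current].append((int(seq), action, src.replace("host ", ""), dst.replace("host ", "")))
    return acls

def nat_exempts_crypto(acls, nat="FOR_NAT", crypto="INTERESTING_TRAFFIC"):
    """Each flow the crypto ACL permits must hit a NAT deny (or no NAT ACE at all) before any NAT permit."""
    problems = []
    for _, action, src, dst in acls[crypto]:
        if action != "permit":
            continue
        for _, nact, nsrc, ndst in sorted(acls[nat]):  # first match wins; no match = implicit deny
            if nsrc in (src, "any") and ndst in (dst, "any"):
                if nact == "permit":
                    problems.append(f"{src}->{dst} is translated before encryption")
                break
    return problems

def crypto_acls_mirror(a, b, name="INTERESTING_TRAFFIC"):
    """The peers' crypto ACLs must be mirror images, or the phase 2 proxy identities will not agree."""
    fwd = {(s, d) for _, act, s, d in a[name] if act == "permit"}
    rev = {(d, s) for _, act, s, d in b[name] if act == "permit"}
    return fwd == rev
```

Removing the deny line from FOR_NAT and re-running the check reproduces the classic failure: the flow is reported as translated before encryption, which is exactly why the ping would reach R12 untranslated-looking only from the NAT side and never enter the tunnel.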

In the next step we configure a tunnel interface between R6 and R12, assign it an IP address and enable an IGP on it. For example, I use OSPF:

R7(config-if)#do sh ip ospf inter b
Interface    PID   Area         IP Address/Mask    Cost  State Nbrs F/C
Lo1           1     0               7.7.7.2/32           1     LOOP  0/0
Fa0/0        1     0               100.1.78.7/24        10    BDR   1/1
R8(config-if)#do sh ip ospf inter b
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Se0/0        1     0               100.1.128.8/24         64    P2P   1/1
Fa0/0        1     0               100.1.78.8/24          10    DR    1/1
R12(config-if)#do sh ip ospf inter b
Interface    PID   Area         IP Address/Mask       Cost  State Nbrs F/C
Tu0           1     0               100.1.0.12/24          11111 P2P   1/1
Se0/0        1     0               100.1.128.12/24       64    P2P   1/1
R4(config-if)#do sh ip ospf inter b
Interface    PID   Area         IP Address/Mask    Cost  State Nbrs F/C
Lo2           1     0               4.4.4.3/32            1     LOOP  0/0
Lo1           1     0               4.4.4.2/32            1     LOOP  0/0
Lo0           1     0               4.4.4.1/32            1     LOOP  0/0
Se0/1        1     0               100.1.46.4/24        64    P2P   1/1
Fa0/0        1     0               100.1.45.4/24        10    BDR   1/1
R5(config-if)#do sh ip ospf inter b
Interface    PID   Area        IP Address/Mask    Cost  State Nbrs F/C
Lo2           1     0               5.5.5.3/32         1     LOOP  0/0
Lo1           1     0               5.5.5.2/32         1     LOOP  0/0
Se0/0        1     0               100.1.56.5/24      64    P2P   1/1
Fa0/0        1     0               100.1.45.5/24      10    DR    1/1
Lo0          1     0               5.5.5.1/32          1     LOOP  0/0
R6(config-if)#do sh ip ospf inter b
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Tu0          1     0               100.1.0.6/24       11111 P2P   1/1
Se0/1        1     0               100.1.46.6/24      64    P2P   1/1
Se0/0        1     0               100.1.56.6/24      64    P2P   1/1
Lo0          1     0               6.6.6.1/32         1     LOOP  0/0
R6(config-if)#do sh run inter tun 0
interface Tunnel0
 ip address 100.1.0.6 255.255.255.0
 ip ospf 1 area 0
 tunnel source Loopback0
 tunnel destination 12.12.12.1
 crypto map TEST_MAP
R12(config-if)#do sh run inter tun 0
interface Tunnel0
 ip address 100.1.0.12 255.255.255.0
 ip ospf 1 area 0
 tunnel source Loopback0
 tunnel destination 6.6.6.1
 crypto map TEST_MAP
end

Now it's time for NAT. NAT must be configured so that any internal network is translated to the loopback0 IP address of the respective border router, because only those addresses are reachable throughout the network. The tunnel interface carries only the encrypted traffic, and we have reachability to the remote internal networks through the OSPF adjacency running over the tunnel, so we don't need to enable NAT on the tunnel interfaces.

On R6:

ip nat inside source list FOR_NAT interface Loopback0 overload
interface Serial0/0
 ip nat inside
interface Serial0/1
 ip nat inside
interface Serial0/2
 ip nat outside
interface FastEthernet0/1
 ip nat outside

On R12:

ip nat inside source list FOR_NAT interface Loopback0 overload
interface Serial0/0
 ip nat inside
interface Serial0/1
 ip nat outside
interface FastEthernet0/1
 ip nat outside
interface FastEthernet0/0
 ip nat outside

Let's generate some traffic to test both NAT and IPSec.

R4(config-if)#do ping 14.14.14.1 so lo1
Sending 5, 100-byte ICMP Echos to 14.14.14.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/66/120 ms
R4(config-if)#do ping 11.11.11.1 so lo1
Sending 5, 100-byte ICMP Echos to 11.11.11.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/54/120 ms
R6(config-if)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 6.6.6.1:10        4.4.4.2:10         14.14.14.1:10      14.14.14.1:10
icmp 6.6.6.1:11        4.4.4.2:11         11.11.11.1:11      11.11.11.1:11

You can see that NAT works like a charm: all packets originating from 4.4.4.2/32 toward globally reachable networks are translated to R6's loopback0 address. In the second step we need to verify IPSec functionality.

R4(config-if)#do ping 7.7.7.2 so lo1 rep 100

R6(config-if)#do sh crypto ipsec sa
interface: Tunnel0
    Crypto map tag: TEST_MAP, local addr 6.6.6.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (4.4.4.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (7.7.7.2/255.255.255.255/0/0)
   current_peer 12.12.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

The increasing number of encapsulated packets is our proof that IPSec works. These packets are not affected by NAT, and you can confirm it by issuing the following command: you will see that the translation table is empty.

R6(config-if)#do sh ip nat trans

R6(config-if)#

Maybe you are wondering about the previous entries in the NAT translation table. Where are they now? If you look at our test, you will notice that we used ping to generate traffic, and ICMP translations have a very short timeout, so they disappear from the NAT translation table very soon. If you are interested, you can change that timeout with the ip nat translation icmp-timeout command in global configuration mode.
I will show you the VTI-based IPSec soon.
