Overlay Tunnels
Recommended reading: basic extended access lists and basic layer 3 routing.
Virtual Private Networks
Non-tunnel and multipoint VPN overlay networks are not discussed on this page.
Topics such as VXLAN overlays are large enough on their own to get their own pages.
Virtual Private Networks (VPNs) are tunnels built to carry a site's traffic across a WAN to remote sites.
The traffic is encapsulated and sent through the tunnel to the remote tunnel endpoint; the logical interface that terminates the tunnel on each end is a virtual tunnel interface (VTI). Because the tunnel runs on top of the existing IP network, this is considered an overlay network.
GRE: Generic Routing Encapsulation
Encapsulation: | Outer IP | GRE | Inner IP | Payload |
- Adds 24 bytes of overhead (a 20-byte outer IP header plus a 4-byte GRE header without optional fields), so you will most likely need to lower the tunnel MTU and TCP MSS to avoid fragmentation.
- Not secure: no encryption and no authentication. The inner packet is readable by anyone on the path.
- Can carry non-unicast traffic (multicast and broadcast), so routing protocols such as OSPF and EIGRP can run over it.
IPSec: Internet Protocol Security
- Used to set up secure VPNs. Provides peer authentication, integrity and encryption.
- Only carries unicast IP, so multicast-based routing protocols cannot run directly over a crypto-map IPsec tunnel.
- IPsec uses asymmetric techniques in IKE (Diffie-Hellman key agreement, and optionally certificate-based authentication) to establish keys, and symmetric ciphers such as AES to encrypt the data.
GRE
Create the tunnel interface.
(conf)#int tunnel "id number"
Give the virtual tunnel interface a private IP address, set the tunnel source (the local public interface or address the GRE packets leave from) and set the tunnel destination (the remote endpoint's public address). Without a tunnel source the tunnel never comes up.
(config-if)#ip address "ip address" "network mask"
(config-if)#tunnel source "local public interface or address"
(config-if)#tunnel destination "destination public address"
Show Commands
#show int tunnel "id number"
IPSEC
This uses two phases.
IKE phase 1: The peers authenticate each other (pre-shared key or certificates) and run a Diffie-Hellman exchange to derive shared symmetric keying material, producing the ISAKMP (IKE) security association.
This is the phase 1 tunnel; it only protects the negotiation that follows, not the user data.
IKE phase 2: The peers agree on the IPsec transform (ESP cipher and integrity algorithm, transport or tunnel mode) and bring up the IPsec security associations, one per direction. This is the phase 2 tunnel and it carries the data. These SAs are built when interesting traffic appears and are torn down when their lifetime (time or bytes) expires, to be renegotiated when traffic appears again.
When building an IPsec tunnel with a crypto map, an access list defines which traffic is to be encrypted and forwarded through the tunnel.
This traffic is called interesting traffic; seeing it is what triggers the IKE negotiation and brings the tunnel up.
GRE over IPSEC
GRE over IPSEC is what it sounds like: a GRE tunnel running over an IPsec tunnel. GRE encapsulates the non-unicast traffic (for example routing protocol multicast) into unicast GRE packets, and IPsec then encrypts those GRE packets between the tunnel endpoints, so the interesting traffic for IPsec is simply GRE between the two endpoints.
Configuration
First set up the ISAKMP (IKE phase 1) policy that defines how the peers authenticate and protect the negotiation. This policy will use a pre-shared key.
To set up an ISAKMP policy choose a priority number (the lowest-numbered matching policy wins when several exist) and an encryption type.
(conf)#crypto isakmp policy "priority number 1-10000"
(conf-isakmp)#encryption "encryption type"
Now choose the authentication type.
(conf-isakmp)#authentication pre-share
Choose the Diffie-Hellman group used to derive the keys. Group 2 (1024-bit MODP) is considered weak; use group 14 (2048-bit) or stronger, keeping in mind that whoever you are peering with may have their own requirements.
(conf-isakmp)#group "group number"
Now create the pre-shared key and bind it to the peer.
(conf)#crypto isakmp key "key string" address "peer address" "mask"
The mask is a subnet mask applied to the peer address: 255.255.255.255 pins the key to that one peer, while 0.0.0.0 0.0.0.0 accepts any peer that knows the key and should be avoided unless the peers have dynamic addresses.
Now create a transform set for IPsec (the phase 2 algorithms) and choose the mode, either transport or tunnel. For GRE over IPsec transport mode is the normal choice, since GRE already supplies the outer IP header; tunnel mode would add another 20-byte IP header.
(conf)#crypto ipsec transform-set "t-set-name" "esp encryption" "esp hash"
(cfg-crypto-trans)#mode "transport or tunnel"
Set up an access list that defines the interesting traffic, the traffic that goes over the IPsec tunnel. For GRE over IPsec that is GRE between the two tunnel endpoints; matching gre any any also works with a single peer but is broader than it needs to be.
(conf)#ip access-list extended "ext-acl-name"
(conf-ext-nacl)#permit gre host "local public address" host "peer public address"
A crypto map is now needed to tie everything together: the interesting-traffic ACL, the transform set and the peer.
(conf)#crypto map "map-name" "seq number" ipsec-isakmp
(conf-crypto-map)#match address "ext-acl-name"
(conf-crypto-map)#set transform-set "t-set-name"
(conf-crypto-map)#set peer "peer public address"
Now apply the map to the outside interface the tunnel packets leave through (on IOS releases older than 12.2(13)T the map had to be applied to the tunnel interface as well as the outside interface).
(conf)#int "outside int"
(config-if)#crypto map "map-name"
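The steps above put together as a complete GRE over IPsec configuration for two routers, R1 and R2. This is an added example, not a configuration from the original page: the public addresses (203.0.113.1 and 198.51.100.1), the tunnel subnet 10.255.0.0/30, the LANs 192.168.1.0/24 and 192.168.2.0/24, the interface and policy names and the pre-shared key are all assumptions, and the syntax assumes an IOS 15.x release (AES-256, SHA-256 and DH group 14 are used instead of the weaker defaults).

```cisco
! ===== R1: public 203.0.113.1/24 on Gi0/0, LAN 192.168.1.0/24 (assumed) =====
! IKE phase 1 policy: AES-256, SHA-256, pre-shared key, DH group 14
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Pre-shared key pinned to the single peer; a 0.0.0.0 0.0.0.0 mask would accept any host that knows the key
crypto isakmp key R1R2-ChangeMe address 198.51.100.1 255.255.255.255
! IKE phase 2 transform set; transport mode because GRE already supplies the outer IP header
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
! Interesting traffic: only GRE between the two tunnel endpoints
ip access-list extended GRE-TO-R2
 permit gre host 203.0.113.1 host 198.51.100.1
! Crypto map tying peer, transform set and interesting traffic together
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address GRE-TO-R2
! GRE tunnel; MTU and MSS lowered to leave room for the 24 bytes of GRE plus the ESP overhead
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
! Outside interface carries the crypto map
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map GRE-MAP
! Send the remote LAN into the tunnel (a routing protocol over Tunnel0 also works, since GRE carries multicast)
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! ===== R2: public 198.51.100.1/24 on Gi0/0, LAN 192.168.2.0/24 (mirror of R1) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key R1R2-ChangeMe address 203.0.113.1 255.255.255.255
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
ip access-list extended GRE-TO-R1
 permit gre host 198.51.100.1 host 203.0.113.1
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set GRE-TS
 match address GRE-TO-R1
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map GRE-MAP
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
! ===== Verification (exec mode on R1) =====
! Generate interesting traffic first; the GRE ping is what triggers the IKE negotiation
ping 10.255.0.2 source 10.255.0.1
! Phase 1 SA should be in state QM_IDLE; phase 2 SAs should show increasing encaps/decaps counters
show crypto isakmp sa
show crypto ipsec sa
! Tunnel0 should be up/up once the GRE endpoints are reachable
show interface Tunnel0
```

If the ping works but TCP sessions across the tunnel stall, check the MTU and MSS values first: the 1400/1360 pair leaves enough headroom for GRE plus ESP with AES-CBC and a 16-byte SHA-256 ICV on a 1500-byte path.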
Show Commands
#show crypto isakmp sa
DMVPN
DMVPN (Dynamic Multipoint VPN) is an overlay hub-and-spoke architecture that builds VPN tunnels to many remote sites over an NBMA network such as the Internet. These are often used as backup WAN connections.
DMVPN combines multipoint GRE (mGRE), NHRP and IPsec. NHRP, the Next Hop Resolution Protocol, lets each spoke register its current public address with the hub and resolve other spokes' addresses, so the spokes do not need statically configured tunnel destinations.