Simple Nat/GRE/IPSEC VPN

This configuration links two sites with a pair of AR320S routers running in NAT firewall mode, each site having a permanent Internet connection.

This example is derived from Allied's example 22, with the errors fixed :-)

Each site has a private network; there are no IP address clashes between the sites. Each firewall has a valid public IP address for access to the Internet.

There are no restrictions placed on access from the private network to the Internet.

There is no access from the Internet to the private network, except for traffic that has been tunnelled from the other site.

Configuration used for evaluation, and notes

The setup is of the type private network -> Firewall -> DMZ -> ISP router.

In both cases eth0 is the private network and eth1 the public network.

Site specific info for first site {Roadtech}

  • Private network :- 192.168.124.0/24
  • Private Firewall IP :- 192.168.124.202
  • Private Host for testing :- 192.168.124.122
  • Public Network :- 193.133.123.128/26
  • Public Firewall IP :- 193.133.123.140
  • Public Gateway for default route :- 193.133.123.129
  • Public Host for testing :- 193.133.123.131

Site specific info for second site {hitech-logistics}

  • Private network :- 172.28.3.16/28
  • Private Firewall IP :- 172.28.3.22
  • Public Network :- 193.133.123.192/27
  • Public Firewall IP :- 193.133.123.213
  • Public Gateway for default route :- 193.133.123.195

The base configuration should already have been set and saved. eth0 is the private interface and eth1 the public interface. Both have been configured as per the notes.

It is worth checking the free space in the Flash memory, and compacting it if necessary:

show flash

activate flash compaction

Private Network interface

If you have not already done so, configure the IP address and settings for the private interface eth0.

Public Network interface

If you have not already done so, configure the IP address and settings for the public interface eth1.

Create Security officer

If you have not already created a Security Officer login you need to do so now. Please remember to keep a note of the name and password.

While logged in as manager:

add user=Arther password=qlbp priv=securityofficer

(The name and password above are only an example; choose your own, with a strong password.)

Create IPsec Keys

We are going to use pre-shared keys for authentication. The key will be created on the first firewall and then installed on the second. Each firewall can store a list of 65,535 keys.

show enco key
will show the keys currently in use.

Create the key on both firewalls. The ISAKMP policy further down refers to it by number (key=1), so the same key number, with the same key value, must exist on both firewalls. Treat the key value as you would a password: generate it randomly and do not reuse it anywhere else.

Create tunnel conditions and rules

Basically, what we set up here tells the router that packets from our private network (identified by an address and network mask) to the remote network (identified by an address and network mask) are to be encapsulated in GRE and tunnelled to the public address of the remote firewall. GRE itself provides no confidentiality; the IPsec policy created later is what encrypts the tunnel packets.

First Firewall

Before continuing any further it is worth checking that your routing table looks sensible, and that you can at least ping something on both your private network and the Internet while logged on to the firewall as manager.

show ip route
ping 193.133.123.131
ping 192.168.124.122

If the above shows any problem, fix it before proceeding further.

enable gre

The GRE tables support Generic Routing Encapsulation. Up to 99 GRE tables may be defined, each with multiple sets of address patterns.

When a packet is received on an interface, the interface definition is checked to see if a GRE table is defined for that interface. If a table is defined, it is scanned for a match using the source and destination addresses.

If a match is found, additional processing is done.

You can check whether any GRE tables have already been set up with the command:
show gre

Note: the following command is close to the maximum command line length. You will probably have to either abbreviate the options to their minimum length, or leave the target out, do a 'show gre', note the entry number, and then use the 'set gre=1 entry=n ...' form to finish configuring the entry.

add gre=1 SOUrce=192.168.124.0 SMAsk=255.255.255.0 DESt=172.28.3.16 DMAsk=255.255.255.240 TARget=193.133.123.213

Configure the private network interface to check packets against the GRE table we have just created:

set ip int=eth0 gre=1

Tell the IP module to use the GRE table for locally generated traffic:
set ip local gre=1

We now need to create the specifications for the security associations to be negotiated on the VPN connecting this LAN to the remote LAN, so that traffic between the LANs is encrypted.

This example specifies AH using SHA, and ESP using DES with MD5, with key management via ISAKMP. Note that single DES and MD5 are weak by today's standards; they are kept here because they follow the original Allied example. If your firmware offers stronger algorithms (such as 3DES or AES for encryption and SHA for authentication), use those instead.

The firewall supports 256 security association specifications. The defined SA specifications are combined into up to 256 bundles; when negotiating with a potential peer, it is the SA specs within the bundle selected for that peer that are checked.

show ipsec SAspec
will list already defined specs.

show ipsec bundles
will list existing bundles.

create ipsec saspec=1 prot=ah hasha=sha keyman=isakmp

set ipsec sas=1 mode=transport

create ipsec saspec=2 prot=esp hasha=md5 encalg=des keyman=isakmp

set ipsec sas=2 mode=transport

create ipsec bundlespec=1 keym=isakmp string="1 and 2"

For our current purposes we want traffic between our firewalls, via the public interfaces, encrypted, but traffic out to the web in general passed as is. Policies are evaluated in the order they are created, so the ISAKMP permit policy must be created first (otherwise the ISAKMP packets would themselves match the tunnel policy), the tunnel policy second, and the catch-all last.

Note: the following commands are close to the maximum command line length. You will probably have to either abbreviate the options to their minimum length, or leave some out, do a 'show ipsec policy', note the entry, and then use multiple 'set ipsec policy=Fire2Fire ...' commands to finish configuring the entry.

create ipsec policy=isakmp int=eth1 action=permit
set ipsec policy=isakmp RADDress=193.133.123.213 RMASk=255.255.255.255 RPOrt=500 LADDress=193.133.123.140 LMASk=255.255.255.255 LPOrt=500 TRANsportprotocol=UDP

create ipsec policy=Fire2Fire int=eth1 action=ipsec KEYManagement=isakmp BUNDlespecification=1 PEERaddress=193.133.123.213

set ipsec policy=Fire2Fire RADDress=193.133.123.213 RMASk=255.255.255.255 LADDress=193.133.123.140 LMASk=255.255.255.255

create ipsec policy=the_rest int=eth1 action=permit
enable ipsec
create isakmp policy=Fire2Fire peer=193.133.123.213 key=1
enable isakmp

Enable NAT for connections from private addresses to the Internet.

enable ip nat
add ip nat ip=192.168.124.0 mask=255.255.255.0 gblip=193.133.123.140

If not already done, add a default route entry. Note that the mask is 0.0.0.0 for a default route; a mask of 255.255.255.255 would create a host route to 0.0.0.0 instead. The second firewall needs the equivalent entry with its own gateway, 193.133.123.195.

add ip route=0.0.0.0 mask=0.0.0.0 int=eth1 next=193.133.123.129

Second Firewall

Before continuing any further it is worth checking that your routing table looks sensible, and that you can at least ping something on both your private network and the Internet while logged on to the firewall as manager.

show ip route
ping 193.133.123.194
ping 172.28.3.19

If the above shows any problem, fix it before proceeding further.

enable gre

add gre=1 source=172.28.3.16 smask=255.255.255.240 dest=192.168.124.0 dmask=255.255.255.0 target=193.133.123.140

set ip int=eth0 gre=1

Tell the IP module to use the GRE table for locally generated traffic:
set ip local gre=1

show ipsec SAspec
will list already defined specs.

show ipsec bundles
will list existing bundles.

create ipsec saspec=1 prot=ah hasha=sha keyman=isakmp
set ipsec sas=1 mode=transport
create ipsec saspec=2 prot=esp hasha=md5 encalg=des keyman=isakmp
set ipsec sas=2 mode=transport
create ipsec bundlespec=1 keym=isakmp string="1 and 2"

These are two separate commands; the 'set' must be entered on its own line. Note that the addresses are the mirror of the first firewall's: here the remote address is 193.133.123.140 and the local address is 193.133.123.213.

create ipsec policy=isakmp int=eth1 action=permit
set ipsec policy=isakmp RADDress=193.133.123.140 RMASk=255.255.255.255 RPOrt=500 LADDress=193.133.123.213 LMASk=255.255.255.255 LPOrt=500 TRANsportprotocol=UDP

create ipsec policy=Fire2Fire int=eth1 action=ipsec keymanagement=isakmp bundlespecification=1 peeraddress=193.133.123.140
set ipsec policy=Fire2Fire raddress=193.133.123.140 rmask=255.255.255.255 laddress=193.133.123.213 lmask=255.255.255.255
create ipsec policy=the_rest int=eth1 action=permit
enable ipsec
create isakmp policy=Fire2Fire peer=193.133.123.140 key=1
enable isakmp

Enable NAT for connections from private addresses to the Internet.

enable ip nat
add ip nat ip=172.28.3.16 mask=255.255.255.240 gblip=193.133.123.213
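The two configurations must be mirror images of each other: one end's GRE destination network is the other end's GRE source network; the GRE target, the IPsec peer address and the ISAKMP peer at each end are the other end's public address; and the isakmp policy's local and remote addresses are this end's and the peer's public addresses. The following is an added example written for this page (not Allied code, and not part of the original example) that parses the relevant lines of both configurations and reports any mismatch. It assumes only the command syntax shown above (option names are matched case-insensitively, and 'mask 255...' without '=' is accepted as it appears earlier on this page). The sample text is this page's own configuration with the second firewall's isakmp policy addresses as corrected, plus a copy with them swapped, to show the check catching that slip.

```python
"""Cross-check the two ends of a GRE-over-IPsec site-to-site VPN for mirror
consistency.  Added example for this page, not Allied Telesyn code.  It only
understands the handful of AR-series CLI lines used on the page."""
import ipaddress
import re

# Constructed sample: the relevant lines of each firewall's configuration.
SITE_A = """
add gre=1 SOUrce=192.168.124.0 SMAsk=255.255.255.0 DESt=172.28.3.16 DMAsk=255.255.255.240 TARget=193.133.123.213
set ipsec policy=isakmp RADDress=193.133.123.213 RMASk=255.255.255.255 RPOrt=500 LADDress=193.133.123.140 LMASk=255.255.255.255 LPOrt=500 TRANsportprotocol=UDP
create ipsec policy=Fire2Fire int=eth1 action=ipsec KEYManagement=isakmp BUNDlespecification=1 PEERaddress=193.133.123.213
create isakmp policy=Fire2Fire peer=193.133.123.213 key=1
add ip nat ip=192.168.124.0 mask 255.255.255.0 gblip=193.133.123.140
"""
SITE_B = """
add gre=1 source=172.28.3.16 smask=255.255.255.240 dest=192.168.124.0 dmask=255.255.255.0 target=193.133.123.140
set ipsec policy=isakmp RADDress=193.133.123.140 RMASk=255.255.255.255 RPOrt=500 LADDress=193.133.123.213 LMASk=255.255.255.255 LPOrt=500 TRANsportprotocol=UDP
create ipsec policy=Fire2Fire int=eth1 action=ipsec keymanagement=isakmp bundlespecification=1 peeraddress=193.133.123.140
create isakmp policy=Fire2Fire peer=193.133.123.140 key=1
add ip nat ip=172.28.3.16 mask 255.255.255.240 gblip=193.133.123.213
"""
# The same second-site config with the isakmp policy addresses swapped
# (a copy-and-paste slip: the first site's values left in place).
SITE_B_SWAPPED = (SITE_B.replace("RADDress=193.133.123.140", "RADDress=193.133.123.213")
                        .replace("LADDress=193.133.123.213", "LADDress=193.133.123.140"))

DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_line(line):
    """Split one CLI line into (command words, {option: value}).
    Option names are lower-cased, and a bare 'mask 255.255.255.0' is read
    as if it were 'mask=255.255.255.0'."""
    tokens = line.split()
    words, opts, i = [], {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if "=" in tok:
            key, value = tok.split("=", 1)
            opts[key.lower()] = value
        elif i + 1 < len(tokens) and DOTTED.match(tokens[i + 1]):
            opts[tok.lower()] = tokens[i + 1]
            i += 1
        else:
            words.append(tok.lower())
        i += 1
    return words, opts


def extract(config):
    """Pull the GRE, NAT, IPsec-peer and ISAKMP facts out of one end's config."""
    info = {}
    for line in config.strip().splitlines():
        words, o = parse_line(line)
        if words[:1] == ["add"] and "gre" in o:
            info["gre_src"] = ipaddress.ip_network(f"{o['source']}/{o['smask']}")
            info["gre_dst"] = ipaddress.ip_network(f"{o['dest']}/{o['dmask']}")
            info["gre_target"] = ipaddress.ip_address(o["target"])
        elif words[:3] == ["add", "ip", "nat"]:
            info["nat_private"] = ipaddress.ip_network(f"{o['ip']}/{o['mask']}")
            info["public"] = ipaddress.ip_address(o["gblip"])
        elif words[:2] == ["create", "ipsec"] and o.get("action") == "ipsec":
            info["ipsec_peer"] = ipaddress.ip_address(o["peeraddress"])
        elif words[:2] == ["create", "isakmp"]:
            info["isakmp_peer"] = ipaddress.ip_address(o["peer"])
        elif words[:2] == ["set", "ipsec"] and o.get("policy") == "isakmp":
            info["ike_local"] = ipaddress.ip_address(o["laddress"])
            info["ike_remote"] = ipaddress.ip_address(o["raddress"])
    return info


def check_pair(a, b):
    """Return a list of problems; an empty list means the two ends mirror."""
    problems = []
    if a["gre_src"].overlaps(b["gre_src"]):
        problems.append(f"private networks overlap: {a['gre_src']} / {b['gre_src']}")
    for me, peer, tag in ((a, b, "first"), (b, a, "second")):
        if me["gre_dst"] != peer["gre_src"]:
            problems.append(f"{tag}: GRE dest {me['gre_dst']} is not the peer's private net {peer['gre_src']}")
        if me["nat_private"] != me["gre_src"]:
            problems.append(f"{tag}: NAT private net {me['nat_private']} differs from GRE source {me['gre_src']}")
        for what in ("gre_target", "ipsec_peer", "isakmp_peer"):
            if me[what] != peer["public"]:
                problems.append(f"{tag}: {what} {me[what]} is not the peer's public IP {peer['public']}")
        if me["ike_local"] != me["public"] or me["ike_remote"] != peer["public"]:
            problems.append(f"{tag}: isakmp policy local/remote {me['ike_local']}/{me['ike_remote']} "
                            f"should be {me['public']}/{peer['public']}")
    return problems


def problems_as_corrected():
    return check_pair(extract(SITE_A), extract(SITE_B))


def problems_as_swapped():
    return check_pair(extract(SITE_A), extract(SITE_B_SWAPPED))


if __name__ == "__main__":
    print("corrected:", problems_as_corrected() or "mirror OK")
    print("swapped:  ", problems_as_swapped())
```

Run it after pasting both configurations in; the corrected pair reports no problems, while the swapped copy reports a single problem on the second end's isakmp policy. Extending it to the 'set ipsec policy=Fire2Fire' addresses is a matter of one more branch in extract.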

How it works

Site to web

A packet from a host on the private network arrives at the router. It is compared with the GRE filters for the receiving interface eth0. It does not match, the destination address is not local, and a check of the routing table indicates it should be sent out on eth1.

As it is outbound on eth1, the source address is checked against the NAT filters. The address matches, so NAT processing is triggered and the source address rewritten.

The packet is sent, and a reply received.

The received packet arrives on eth1; its destination is local.

Local packet processing routes the packet to the inbound NAT module, which has been listening for replies.

The NAT module rewrites the destination address from its saved values, and the packet is passed for routing.

The packet is sent over eth0 to the host that started the session.

Site to Site

A packet from a host on the private network arrives at the router. It is compared with the GRE filters for the receiving interface eth0.

A match is found, so the GRE module encapsulates the packet in a new GRE packet, with this firewall's public address as the source and the remote firewall's public address (the GRE target) as the destination.

The GRE packet is passed to the routing module; the destination address is not local, and a check of the routing table indicates it should be sent out on eth1.

As it is outbound on eth1, the source address is checked against the NAT filters. As the source is local, NAT processing is skipped.

The packet is compared with the IPsec policies; a match is found for policy Fire2Fire, so the packet is queued awaiting tunnel initialisation.

ISAKMP negotiation starts by sending a UDP packet to port 500 on the unit handling the remote end of the tunnel, and awaits a reply.

The ISAKMP packet is routed outbound on interface eth1.

The ISAKMP packet is compared against the NAT filters. As the source is local, NAT processing is skipped.

The ISAKMP packet is compared to the IPsec policies; a match is found for policy isakmp, with an action of permit, so the packet is sent.

A reply is received from the remote unit (UDP port 500). This passes inbound on eth1 to the local ISAKMP agent.

Negotiation continues through phases 1 and 2, with a number of further packets being exchanged.

The tunnel is established.

The queued packets are encrypted according to the agreed security associations, and the resulting packets are sent outbound on eth1.

Oddly, it would appear that the tunnel packets skip the outbound filters.

The returning ESP tunnel packets are received on eth1 and sent for local processing.

The payload is unpacked and decrypted.

The resulting packets, of type GRE, are delivered locally to the GRE module.

The GRE module unpacks the packet.

The packet is not local, and routing indicates that it should be delivered via eth0.

The packet is sent over eth0 to the host that started the session.
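To make the ordering described above concrete, here is an added example written for this page (not AR320S code) that models the outbound path on the first firewall: the GRE table lookup on eth0, outbound NAT on eth1 with locally sourced packets exempted, and then the IPsec policies in the order they were created. It assumes a web host of 198.51.100.10 (a documentation address chosen for the example) and assumes that a packet matching no IPsec policy is dropped, which is why the_rest exists. It also shows why the isakmp policy has to be created before Fire2Fire: with the order reversed, the ISAKMP packets would themselves match the tunnel policy and be queued for the very tunnel they are meant to set up.

```python
"""Model of the outbound packet path on the first firewall (GRE table, then
NAT, then the ordered IPsec policy list on eth1).  Added example for this
page, not AR320S code."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

IP, NET = ipaddress.ip_address, ipaddress.ip_network


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str = "icmp"
    dport: Optional[int] = None
    inner: Optional["Packet"] = None   # the original packet once GRE-encapsulated


# First firewall, as configured on this page.
LOCAL_PUBLIC = IP("193.133.123.140")
PEER_PUBLIC = IP("193.133.123.213")
GRE_TABLE = [(NET("192.168.124.0/24"), NET("172.28.3.16/28"), PEER_PUBLIC)]  # source, dest, target
NAT_RULES = [(NET("192.168.124.0/24"), LOCAL_PUBLIC)]                         # ip/mask -> gblip
# IPsec policies on eth1 in the order they were created.  A policy with no
# match criteria matches everything, which is what the_rest relies on.
IPSEC_POLICIES = [
    ("isakmp", "permit", dict(local=LOCAL_PUBLIC, remote=PEER_PUBLIC, proto="udp", port=500)),
    ("Fire2Fire", "ipsec", dict(local=LOCAL_PUBLIC, remote=PEER_PUBLIC)),
    ("the_rest", "permit", {}),
]
# The same policies with the tunnel policy created first (a common mistake).
MISORDERED = [IPSEC_POLICIES[1], IPSEC_POLICIES[0], IPSEC_POLICIES[2]]


def gre_target(pkt):
    """Scan the GRE table attached to eth0; return the tunnel target or None."""
    for src_net, dst_net, target in GRE_TABLE:
        if pkt.src in src_net and pkt.dst in dst_net:
            return target
    return None


def nat_global(pkt):
    """Outbound NAT on eth1: return the global address to rewrite to, or None."""
    for private_net, gbl in NAT_RULES:
        if pkt.src in private_net:
            return gbl
    return None


def ipsec_policy(pkt, policies=IPSEC_POLICIES):
    """First matching policy wins; (None, 'drop') if nothing matches."""
    for name, action, m in policies:
        if "local" in m and (pkt.src != m["local"] or pkt.dst != m["remote"]):
            continue
        if "proto" in m and (pkt.proto != m["proto"] or pkt.dport != m["port"]):
            continue
        return name, action
    return None, "drop"   # assumption: an unmatched packet is dropped, hence the_rest


def egress(pkt, policies=IPSEC_POLICIES):
    """Walk one packet (received on eth0 or generated locally) out of eth1.
    Returns (trace of steps, the packet as it leaves, the IPsec action)."""
    steps = []
    target = gre_target(pkt)
    if target is not None:
        pkt = Packet(src=LOCAL_PUBLIC, dst=target, proto="gre", inner=pkt)
        steps.append(f"GRE: encapsulated for {target}")
    # The destination is not local, so the default route sends it out on eth1.
    if pkt.src == LOCAL_PUBLIC:
        steps.append("NAT: skipped, source is local")
    elif (gbl := nat_global(pkt)) is not None:
        steps.append(f"NAT: {pkt.src} -> {gbl}")
        pkt = replace(pkt, src=gbl)
    name, action = ipsec_policy(pkt, policies)
    steps.append(f"IPsec: policy {name} -> {action}")
    return steps, pkt, action


if __name__ == "__main__":
    flows = {
        "site to web":  Packet(IP("192.168.124.122"), IP("198.51.100.10")),  # constructed web host
        "site to site": Packet(IP("192.168.124.122"), IP("172.28.3.19")),
        "ISAKMP":       Packet(LOCAL_PUBLIC, PEER_PUBLIC, proto="udp", dport=500),
    }
    for label, pkt in flows.items():
        print(f"{label:13s}", egress(pkt)[0])
    print("ISAKMP, Fire2Fire first:", egress(flows["ISAKMP"], MISORDERED)[0])
```

Running it prints the three traces described above: the web-bound packet is NAT-translated and falls through to the_rest, the site-to-site packet is GRE-encapsulated, skips NAT and hits Fire2Fire, and the ISAKMP packet is permitted by the isakmp policy; with the policies misordered the ISAKMP packet is handed to the tunnel policy instead.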

Testing

You should still be able to ping addresses on the public Internet from the router, and the same from the local private networks.

In addition, you should now be able to ping or traceroute from devices on one of the private networks to the other, as well as to the Internet.

Note that if the tunnel is working properly you should not see any intermediate routers in the traceroute listing when tracing between the sites' private networks; the tunnel appears as a single hop.

If you suspect a problem on the network between the two routers, trace to the remote router's public interface instead, so that your trace packets do not use the tunnel but follow the route of the tunnel's transport layer.