texanmutt
Post Whore
Posts:
1971
Joined:
Sat Oct 20, 2007 11:05 am
Certs:
CCNA

MPLS-over-GRE-over-IPSec

Sat Dec 24, 2011 12:35 am

In a previous post -

http://www.networking-forum.com/viewtopic.php?f=35&t=24269

I was looking for a way to connect different data center VRFs. VRF Aware IPSec using VTI was the idea at the time. This solution works but is not very scalable. Each VRF requires a VTI which requires a loopback for termination, an isakamp profile and a /30 network for connecting. If I have 10 VRFs, I have to have 10 VTIs, 10 loopbacks, 10 isakamp profiles and 10 /30 networks. It has been cumbersome.

My objectives are –
    Provide segmented connectivity to different VRFs between multiple sites
    Encrypt data for PCI compliance
    Reduce the complexity of configuration

I am looking at a new way to do this. I have been learning MPLS for the past month. I think the way to go might be MPLS-over-GRE-over-IPSec. It would still give me the segmentation and encryption I need to be PCI compliant and substantially reduce the complexity because there is only one GRE and one IPSec tunnel. I labbed it up and it all seems to work.

The configs-
Code:
!
hostname R1
!
!
ip vrf vrfA
 rd 1.1.1.1:20
 route-target export 65000:20
 route-target import 65000:20
!
ip vrf vrfB
 rd 1.1.1.1:21
 route-target export 65000:21
 route-target import 65000:21
!
ip vrf vrfC
 rd 1.1.1.1:22
 route-target export 65000:22
 route-target import 65000:22
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
crypto isakmp key cisco123 address 192.168.1.2
!
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set aesset
 match address acl_vpn
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 192.168.2.1 255.255.255.0
 ip tcp adjust-mss 1400
 mpls ip
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.2
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 mtu 1546
 crypto map aesmap
!

interface FastEthernet1/0
 switchport access vlan 20
!
interface FastEthernet1/1
 switchport access vlan 21
!
interface FastEthernet1/2
 switchport access vlan 22
!
interface Vlan20
 ip vrf forwarding vrfA
 ip address 10.20.1.1 255.255.255.0
 no ip proxy-arp
!
interface Vlan21
 ip vrf forwarding vrfB
 ip address 10.21.1.1 255.255.255.0
 no ip proxy-arp
!
interface Vlan22
 ip vrf forwarding vrfC
 ip address 10.22.1.1 255.255.255.0
 no ip proxy-arp
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 auto-cost reference-bandwidth 100000
 network 1.1.1.1 0.0.0.0 area 0.0.0.0
 network 192.168.2.0 0.0.0.255 area 0.0.0.0
!
router bgp 65000
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 65000
 neighbor 2.2.2.2 ebgp-multihop 4
 neighbor 2.2.2.2 update-source Loopback0
 !
 address-family ipv4
  neighbor 2.2.2.2 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf vrfC
  no synchronization
  network 10.22.1.0 mask 255.255.255.0
 exit-address-family
 !
 address-family ipv4 vrf vrfB
  no synchronization
  network 10.21.1.0 mask 255.255.255.0
 exit-address-family
 !
 address-family ipv4 vrf vrfA
  no synchronization
  network 10.20.1.0 mask 255.255.255.0
 exit-address-family
!
!
ip access-list extended acl_vpn
 permit ip host 192.168.1.1 host 192.168.1.2
!


Code:
!
hostname R2
!
ip vrf vrfA
 rd 2.2.2.2:20
 route-target export 65000:20
 route-target import 65000:20
!
ip vrf vrfB
 rd 2.2.2.2:21
 route-target export 65000:21
 route-target import 65000:21
!
ip vrf vrfC
 rd 2.2.2.2:22
 route-target export 65000:22
 route-target import 65000:22
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
crypto isakmp key cisco123 address 192.168.1.1
!
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set aesset
 match address acl_vpn
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 192.168.2.2 255.255.255.0
 ip tcp adjust-mss 1400
 mpls ip
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.1
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 mtu 1546
 crypto map aesmap
!
interface FastEthernet1/0
 switchport access vlan 20
!
interface FastEthernet1/1
 switchport access vlan 21
!
interface FastEthernet1/2
 switchport access vlan 22
!
interface Vlan20
 ip vrf forwarding vrfA
 ip address 10.20.2.1 255.255.255.0
 no ip proxy-arp
!
interface Vlan21
 ip vrf forwarding vrfB
 ip address 10.21.2.1 255.255.255.0
 no ip proxy-arp
!
interface Vlan22
 ip vrf forwarding vrfC
 ip address 10.22.2.1 255.255.255.0
 no ip proxy-arp
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 auto-cost reference-bandwidth 100000
 network 2.2.2.2 0.0.0.0 area 0.0.0.0
 network 192.168.2.0 0.0.0.255 area 0.0.0.0
!
router bgp 65000
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 65000
 neighbor 1.1.1.1 ebgp-multihop 4
 neighbor 1.1.1.1 update-source Loopback0
 !
 address-family ipv4
  neighbor 1.1.1.1 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf vrfC
  no synchronization
  network 10.22.2.0 mask 255.255.255.0
 exit-address-family
 !
 address-family ipv4 vrf vrfB
  no synchronization
  network 10.21.2.0 mask 255.255.255.0
 exit-address-family
 !
 address-family ipv4 vrf vrfA
  no synchronization
  network 10.20.2.0 mask 255.255.255.0
 exit-address-family
!
ip access-list extended acl_vpn
 permit ip host 192.168.1.2 host 192.168.1.1
!


Everything seems to be working on the GNS3 demo. So I am wondering a few things –

MTU - Our service provider can support a maximum MTU of 1546 Bytes on their Ethernet circuits. With MPLS (4 bytes per label?), GRE (24 Bytes) with tcp-mss set to 1400 and IPSec (??? Bytes), will I run into any issues with fragmentation or dropped packets (if the DF bit is set)?

QoS – What are some guidelines for running QoS with MPLS? How do I make one VRF's EF traffic higher priority than another VRF's AF41, but then make any VRF's BE traffic lower priority than another VRF's non-BE traffic?

Router Performance – Does running all the services drastically affect router performance?

Any other info, advice, war stories are welcome as well.

writeerase
Ultimate Member
Posts:
525
Joined:
Sat Apr 09, 2011 3:55 pm
Certs:
CCIE CCNP-S CCDA MCSE RHCT Sec+ A+

Re: MPLS-over-GRE-over-IPSec

Sat Dec 24, 2011 9:06 am

Why not just use Group Encrypted Transport (GET) VPN?

Our MPLS provider uses this for XXX... compliance

texanmutt
Post Whore
Posts:
1971
Joined:
Sat Oct 20, 2007 11:05 am
Certs:
CCNA

Re: MPLS-over-GRE-over-IPSec

Tue Dec 27, 2011 8:28 pm

Well I have done some research and configuration testing on GNS3 and I found the answer to my question about MTU. Thanks to these resources -

http://www.nil.si/ipcorner/IPsecVPN2/
http://www.cisco.com/en/US/docs/ios/11_3/feature/guide/ipsec.html#wp9724
http://www.ciscopress.com/bookstore/product.asp?isbn=1587051796 Section "MTU and Fragmentation Considerations in an IPsec VPN"
http://sites.google.com/site/amitsciscozone/home/important-tips/mpls-wiki/encrypting-p-to-p-traffic-in-mpls-vpn

I have been able to figure out what the MTU will be, how to reduce it and also how to simplify the GRE-over-IPSec configuration.

Configuration -
R1
Code:
!
ip vrf vrfA
    rd 1.1.1.1:20   
    route-target export 65000:20
    route-target import 65000:20
!
ip vrf vrfB
    rd 1.1.1.1:21
    route-target export 65000:21
    route-target import 65000:21
!
ip vrf vrfC
    rd 1.1.1.1:22
    route-target export 65000:22
    route-target import 65000:22
!
!
crypto isakmp policy 10
    encr aes
    authentication pre-share
crypto isakmp key cisco123 address 192.168.1.2
!
!
crypto ipsec transform-set aesset esp-aes esp-md5-hmac
    mode transport
!
crypto ipsec profile tunnel0
    set transform-set aesset
!
!
!
interface Loopback0
    ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
    ip address 192.168.2.1 255.255.255.0
    ip mtu 1422
    ip tcp adjust-mss 1382
    mpls ip
    tunnel source FastEthernet0/0
    tunnel destination 192.168.1.2
    tunnel path-mtu-discovery
    tunnel protection ipsec profile tunnel0
!
!
interface FastEthernet0/0
    ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
    ip vrf forwarding vrfA
    ip address 10.20.1.1 255.255.255.0
    no ip proxy-arp
!
interface Vlan21
    ip vrf forwarding vrfB
    ip address 10.21.1.1 255.255.255.0
    no ip proxy-arp
!
interface Vlan22
    ip vrf forwarding vrfC
    ip address 10.22.1.1 255.255.255.0
    no ip proxy-arp
!
router ospf 1
    router-id 1.1.1.1
    log-adjacency-changes
    auto-cost reference-bandwidth 100000
    network 1.1.1.1 0.0.0.0 area 0.0.0.0
    network 192.168.2.0 0.0.0.255 area 0.0.0.0
!
!
router bgp 65000
    bgp router-id 1.1.1.1
    bgp log-neighbor-changes
    neighbor 2.2.2.2 remote-as 65000
    neighbor 2.2.2.2 ebgp-multihop 4
    neighbor 2.2.2.2 update-source Loopback0
    !
    address-family ipv4
        neighbor 2.2.2.2 activate
        no auto-summary
        no synchronization
    exit-address-family
    !
    address-family vpnv4
        neighbor 2.2.2.2 activate
        neighbor 2.2.2.2 send-community extended
    exit-address-family
    !
    address-family ipv4 vrf vrfC
        no synchronization
        network 10.22.1.0 mask 255.255.255.0
    exit-address-family
    !
    address-family ipv4 vrf vrfB
        no synchronization
        network 10.21.1.0 mask 255.255.255.0
    exit-address-family
    !
    address-family ipv4 vrf vrfA
        no synchronization
        network 10.20.1.0 mask 255.255.255.0
    exit-address-family
!


R2-
Code:
!
ip vrf vrfA
    rd 2.2.2.2:20
    route-target export 65000:20
    route-target import 65000:20
!
ip vrf vrfB
    rd 2.2.2.2:21
    route-target export 65000:21
    route-target import 65000:21
!
ip vrf vrfC
    rd 2.2.2.2:22
    route-target export 65000:22
    route-target import 65000:22
!
!
!
!
crypto isakmp policy 10
    encr aes
    authentication pre-share
!
crypto isakmp key cisco123 address 192.168.1.1
!
!
crypto ipsec transform-set aesset esp-aes esp-md5-hmac
    mode transport
!
crypto ipsec profile tunnel0
    set transform-set aesset
!
!
!
!
!
interface Loopback0
    ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
    ip address 192.168.2.2 255.255.255.0
    ip mtu 1422
    ip tcp adjust-mss 1382
    mpls ip
    tunnel source FastEthernet0/0
    tunnel destination 192.168.1.1
    tunnel path-mtu-discovery
    tunnel protection ipsec profile tunnel0
!
interface FastEthernet0/0
    ip address 192.168.1.2 255.255.255.0
!
!
interface Vlan20
    ip vrf forwarding vrfA
    ip address 10.20.2.1 255.255.255.0
    no ip proxy-arp
!
interface Vlan21
    ip vrf forwarding vrfB
    ip address 10.21.2.1 255.255.255.0
    no ip proxy-arp
!
interface Vlan22
    ip vrf forwarding vrfC
    ip address 10.22.2.1 255.255.255.0
    no ip proxy-arp
!
router ospf 1
    router-id 2.2.2.2
    log-adjacency-changes
    auto-cost reference-bandwidth 100000
    network 2.2.2.2 0.0.0.0 area 0.0.0.0
    network 192.168.2.0 0.0.0.255 area 0.0.0.0
!
!
router bgp 65000
    bgp router-id 2.2.2.2
    bgp log-neighbor-changes
    neighbor 1.1.1.1 remote-as 65000
    neighbor 1.1.1.1 ebgp-multihop 4
    neighbor 1.1.1.1 update-source Loopback0
    !
    address-family ipv4
        neighbor 1.1.1.1 activate
        no auto-summary
        no synchronization
    exit-address-family
    !
    address-family vpnv4
        neighbor 1.1.1.1 activate
        neighbor 1.1.1.1 send-community extended
    exit-address-family
    !
    address-family ipv4 vrf vrfC
        no synchronization
        network 10.22.2.0 mask 255.255.255.0
    exit-address-family
    !
    address-family ipv4 vrf vrfB
        no synchronization
        network 10.21.2.0 mask 255.255.255.0
    exit-address-family
    !
    address-family ipv4 vrf vrfA
        no synchronization
        network 10.20.2.0 mask 255.255.255.0
    exit-address-family
!


GRE-over-IPsec - The config was simplified by using an IPSec profile with tunnel protection on the GRE tunnel. This allows me to omit the crypto-map and ACL.

MTU- The MTU under normal circumstances for GRE-o-IPSec is 94B (GRE 24B + IPSec AES 70B). Then add a single MPLS label (4Bytes) for PE-to-PE MPLS-o-GRE-o-IPSec and you have 98Bytes. Or for P-to-P MPLS-o-GRE-o-IPSec add two labels for a total overhead of 102Bytes.
However, there is a thing called Transport mode for IPSec. The only caveat of transport mode is that it "can only be used when the traffic to be protected has the same IP addresses as the IPSec peers" (from the Cisco site). Well, if you're using GRE anyway, the tunnel source and destination can be the same IP addresses as the IPSec peers. Using transport mode means that the IP header from the original GRE encapsulated packet is preserved. Normally the default IPSec Tunnel mode would take the original packet, encapsulate it in IPSec and then add an additional IP header for the ESP packet. Using transport mode reduces the total overhead by 20Bytes for a total overhead of 78B PE-to-PE and 82B P-to-P.

So now with a standard maximum MTU of 1500B, the effective maximum MTU is 1422B or 1418B. The TCP MSS ideally should be 1382B or 1378B (MTU-40B).
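A small calculator for the MTU/MSS budget worked out above, added here as an example and not part of the original post. It uses the per-layer figures the post quotes (GRE 24 B, IPsec ESP/AES 70 B in tunnel mode, 20 B less in transport mode, 4 B per MPLS label) and also checks the first post's question of whether a 1400 B MSS fits behind a 1546 B provider MTU; the 70 B IPsec figure is taken as the post's worst case, since real ESP padding varies per packet.

```python
# Added example: MTU/MSS budget for MPLS-over-GRE-over-IPsec, using the
# per-layer overhead figures quoted in the post above. The 70 B IPsec value
# is the post's worst-case figure; actual ESP padding varies per packet.

GRE_OVERHEAD = 24           # outer IPv4 header (20) + GRE header (4)
IPSEC_TUNNEL_OVERHEAD = 70  # ESP with AES, tunnel mode, as quoted in the post
TUNNEL_VS_TRANSPORT = 20    # the extra IP header that tunnel mode adds
MPLS_LABEL = 4              # bytes per label in the stack
TCP_IP_HEADERS = 40         # 20 B IPv4 + 20 B TCP, no options


def encap_overhead(labels: int, transport_mode: bool) -> int:
    """Bytes added outside the customer's IP packet for this stack."""
    ipsec = IPSEC_TUNNEL_OVERHEAD - (TUNNEL_VS_TRANSPORT if transport_mode else 0)
    return GRE_OVERHEAD + ipsec + MPLS_LABEL * labels


def tunnel_budget(link_mtu: int, labels: int, transport_mode: bool) -> dict:
    """Largest inner IP packet (the tunnel's 'ip mtu') and the matching TCP MSS
    (ip mtu minus 40 B of IP+TCP headers) that avoid fragmentation."""
    overhead = encap_overhead(labels, transport_mode)
    ip_mtu = link_mtu - overhead
    return {"overhead": overhead, "ip_mtu": ip_mtu, "mss": ip_mtu - TCP_IP_HEADERS}


def mss_fits(link_mtu: int, labels: int, transport_mode: bool, mss: int) -> bool:
    """True if a full-size TCP segment with this MSS leaves the physical
    interface without exceeding link_mtu (no fragmentation, no DF drops)."""
    return mss + TCP_IP_HEADERS + encap_overhead(labels, transport_mode) <= link_mtu


if __name__ == "__main__":
    # 1500 B is the standard link MTU; 1546 B is the provider MTU from the first post.
    for link in (1500, 1546):
        for labels, role in ((1, "PE-to-PE"), (2, "P-to-P")):
            for transport in (False, True):
                b = tunnel_budget(link, labels, transport)
                mode = "transport" if transport else "tunnel"
                print(f"link {link} {role:8} {mode:9} overhead {b['overhead']:3} "
                      f"ip mtu {b['ip_mtu']} mss {b['mss']} "
                      f"mss 1400 fits: {mss_fits(link, labels, transport, 1400)}")
```

With a 1500 B link and tunnel-mode IPsec the 1400 B MSS from the first config does not fit (1400 + 40 + 102 = 1542 B); it only fits once the provider's 1546 B MTU is in play.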

So with the MTU question solved, has anyone implemented MPLS in the enterprise?
Last edited by texanmutt on Tue Dec 27, 2011 8:45 pm, edited 1 time in total.

texanmutt
Post Whore
Posts:
1971
Joined:
Sat Oct 20, 2007 11:05 am
Certs:
CCNA

Re: MPLS-over-GRE-over-IPSec

Tue Dec 27, 2011 8:36 pm

writeerase wrote:Why not just use Group Encrypted Transport (GET) VPN?

Our MPLS provider uses this for XXX... compliance


Thanks for the suggestion writeerase, but I don't think it would be a good fit for our organization. I am needing to use MPLS within our routing infrastructure to segment traffic internally. Plus, I don't think our auditor would like the idea of encryption being handled by an outside organization unless they had an active PCI certification as well.

ristau5741
Post Whore
Posts:
10618
Joined:
Tue Aug 21, 2007 2:15 pm
Certs:
Instanity

Re: MPLS-over-GRE-over-IPSec

Wed Dec 28, 2011 9:00 am

texanmutt wrote:
writeerase wrote:Why not just use Group Encrypted Transport (GET) VPN?

Our MPLS provider uses this for XXX... compliance


Thanks for the suggestion writeerase, but I don't think it would be a good fit for our organization. I am needing to use MPLS within our routing infrastructure to segment traffic internally. Plus, I don't think our auditor would like the idea of encryption being handled by an outside organization unless they had an active PCI certification as well.


Ya, transport mode is only good for traffic traversing trusted entities, bad for traffic traversing untrusted entities.
Tips of the day:
- The human mind is the ultimate creation invention.
- I have so many customers, my customers have customers.
- Sausage time
- POP, stack, and store

killabee
Post Whore
Posts:
1474
Joined:
Sat Dec 19, 2009 11:52 pm
Certs:
CCNP, CCDA, JNCIA

Re: MPLS-over-GRE-over-IPSec

Wed Dec 28, 2011 8:30 pm

Your setup sounds similar to what was discussed on this Packet Pushers podcast, but it sounds like you already have your issue sorted out.
