Networking Forum powered by InfoSec Insitute

Sat Dec 24, 2011 12:35 am

In a previous post -

http://www.networking-forum.com/viewtopic.php?f=35&t=24269

I was looking for a way to connect different data center VRFs. VRF Aware IPSec using VTI was the idea at the time. This solution works but is not very scalable. Each VRF requires a VTI which requires a loopback for termination, an isakamp profile and a /30 network for connecting. If I have 10 VRFs, I have to have 10 VTIs, 10 loopbacks, 10 isakamp profiles and 10 /30 networks. It has been cumbersome.

My objectives are –

I am looking at a new way to do this. I have been learning MPLS for the past month. I think the way to go might be MPLS-over-GRE-over-IPSec. It would still give me the segmentation and encryption I need to be PCI compliant and substantially reduce the complexity because there is only one GRE and one IPSec tunnel. I labbed it up and it all seems to work.

The configs-

Code: Select all: ! hostname R1 ! ! ip vrf vrfA rd 1.1.1.1:20 route-target export 65000:20 route-target import 65000:20 ! ip vrf vrfB rd 1.1.1.1:21 route-target export 65000:21 route-target import 65000:21 ! ip vrf vrfC rd 1.1.1.1:22 route-target export 65000:22 route-target import 65000:22 ! ! crypto isakmp policy 10 encr aes 256 authentication pre-share crypto isakmp key cisco123 address 192.168.1.2 ! ! crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac ! crypto map aesmap 10 ipsec-isakmp set peer 192.168.1.2 set transform-set aesset match address acl_vpn ! ! interface Loopback0 ip address 1.1.1.1 255.255.255.255 ! interface Tunnel0 ip address 192.168.2.1 255.255.255.0 ip tcp adjust-mss 1400 mpls ip tunnel source FastEthernet0/0 tunnel destination 192.168.1.2 ! interface FastEthernet0/0 ip address 192.168.1.1 255.255.255.0 mtu 1546 crypto map aesmap ! interface FastEthernet1/0 switchport access vlan 20 ! interface FastEthernet1/1 switchport access vlan 21 ! interface FastEthernet1/2 switchport access vlan 22 ! interface Vlan20 ip vrf forwarding vrfA ip address 10.20.1.1 255.255.255.0 no ip proxy-arp ! interface Vlan21 ip vrf forwarding vrfB ip address 10.21.1.1 255.255.255.0 no ip proxy-arp ! interface Vlan22 ip vrf forwarding vrfC ip address 10.22.1.1 255.255.255.0 no ip proxy-arp ! router ospf 1 router-id 1.1.1.1 log-adjacency-changes auto-cost reference-bandwidth 100000 network 1.1.1.1 0.0.0.0 area 0.0.0.0 network 192.168.2.0 0.0.0.255 area 0.0.0.0 ! router bgp 65000 bgp router-id 1.1.1.1 bgp log-neighbor-changes neighbor 2.2.2.2 remote-as 65000 neighbor 2.2.2.2 ebgp-multihop 4 neighbor 2.2.2.2 update-source Loopback0 ! address-family ipv4 neighbor 2.2.2.2 activate no auto-summary no synchronization exit-address-family ! address-family vpnv4 neighbor 2.2.2.2 activate neighbor 2.2.2.2 send-community extended exit-address-family ! address-family ipv4 vrf vrfC no synchronization network 10.22.1.0 mask 255.255.255.0 exit-address-family ! address-family ipv4 vrf vrfB no synchronization network 10.21.1.0 mask 255.255.255.0 exit-address-family ! address-family ipv4 vrf vrfA no synchronization network 10.20.1.0 mask 255.255.255.0 exit-address-family ! ! ip access-list extended acl_vpn permit ip host 192.168.1.1 host 192.168.1.2 !

Code: Select all: ! hostname R2 ! ip vrf vrfA rd 2.2.2.2:20 route-target export 65000:20 route-target import 65000:20 ! ip vrf vrfB rd 2.2.2.2:21 route-target export 65000:21 route-target import 65000:21 ! ip vrf vrfC rd 2.2.2.2:22 route-target export 65000:22 route-target import 65000:22 ! ! crypto isakmp policy 10 encr aes 256 authentication pre-share crypto isakmp key cisco123 address 192.168.1.1 ! ! crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac ! crypto map aesmap 10 ipsec-isakmp set peer 192.168.1.1 set transform-set aesset match address acl_vpn ! interface Loopback0 ip address 2.2.2.2 255.255.255.255 ! interface Tunnel0 ip address 192.168.2.2 255.255.255.0 ip tcp adjust-mss 1400 mpls ip tunnel source FastEthernet0/0 tunnel destination 192.168.1.1 ! interface FastEthernet0/0 ip address 192.168.1.2 255.255.255.0 mtu 1546 crypto map aesmap ! interface FastEthernet1/0 switchport access vlan 20 ! interface FastEthernet1/1 switchport access vlan 21 ! interface FastEthernet1/2 switchport access vlan 22 ! interface Vlan20 ip vrf forwarding vrfA ip address 10.20.2.1 255.255.255.0 no ip proxy-arp ! interface Vlan21 ip vrf forwarding vrfB ip address 10.21.2.1 255.255.255.0 no ip proxy-arp ! interface Vlan22 ip vrf forwarding vrfC ip address 10.22.2.1 255.255.255.0 no ip proxy-arp ! router ospf 1 router-id 2.2.2.2 log-adjacency-changes auto-cost reference-bandwidth 100000 network 2.2.2.2 0.0.0.0 area 0.0.0.0 network 192.168.2.0 0.0.0.255 area 0.0.0.0 ! router bgp 65000 bgp router-id 2.2.2.2 bgp log-neighbor-changes neighbor 1.1.1.1 remote-as 65000 neighbor 1.1.1.1 ebgp-multihop 4 neighbor 1.1.1.1 update-source Loopback0 ! address-family ipv4 neighbor 1.1.1.1 activate no auto-summary no synchronization exit-address-family ! address-family vpnv4 neighbor 1.1.1.1 activate neighbor 1.1.1.1 send-community extended exit-address-family ! address-family ipv4 vrf vrfC no synchronization network 10.22.2.0 mask 255.255.255.0 exit-address-family ! address-family ipv4 vrf vrfB no synchronization network 10.21.2.0 mask 255.255.255.0 exit-address-family ! address-family ipv4 vrf vrfA no synchronization network 10.20.2.0 mask 255.255.255.0 exit-address-family ! ip access-list extended acl_vpn permit ip host 192.168.1.2 host 192.168.1.1 !

Everything seems to be working on the GNS3 demo. So I am wondering a few things –

MTU - Our service provider can support a maximum MTU of 1546 Bytes on their Ethernet circuits. With MTPS (4 bytes per label?), GRE (24 Bytes) with tcp-mss set to 1400 and IPSec (??? Bytes), will I run into any issues with fragmentation or dropped packets (if the DF bit is set)?

QoS – What are some guidelines for running QoS with MPLS? How do I make one VRFs EF traffic higher priority than another VRF’s AF41, but then make any VRF’s BE traffic low priority lower than another VRFs non-BE traffic?

Router Performance – Does running all the services drastically affect router performance?

Any other info, advice, war stories are welcome as well.

Sat Dec 24, 2011 9:06 am

Why not just use Group Encrypted Transport (GET) VPN?

Our MPLS provider uses this for XXX... compliance

Tue Dec 27, 2011 8:28 pm

Well I have done some research and configuration testing on GNS3 and I found the answer to my question about MTU. Thanks to these resources -

http://www.nil.si/ipcorner/IPsecVPN2/
http://www.cisco.com/en/US/docs/ios/11_3/feature/guide/ipsec.html#wp9724
http://www.ciscopress.com/bookstore/product.asp?isbn=1587051796 Section "MTU and Fragmentation Considerations in an IPsec VPN"
http://sites.google.com/site/amitsciscozone/home/important-tips/mpls-wiki/encrypting-p-to-p-traffic-in-mpls-vpn

I have been able to figure out what the MTU will be, how to reduce it and also how to simplify the GRE-over-IPSec configuration.

Configuration -
R1

Code: Select all: ! ip vrf vrfA rd 1.1.1.1:20 route-target export 65000:20 route-target import 65000:20 ! ip vrf vrfB rd 1.1.1.1:21 route-target export 65000:21 route-target import 65000:21 ! ip vrf vrfC rd 1.1.1.1:22 route-target export 65000:22 route-target import 65000:22 ! ! crypto isakmp policy 10 encr aes authentication pre-share crypto isakmp key cisco123 address 192.168.1.2 ! ! crypto ipsec transform-set aesset esp-aes esp-md5-hmac mode transport ! crypto ipsec profile tunnel0 set transform-set aesset ! ! ! interface Loopback0 ip address 1.1.1.1 255.255.255.255 ! interface Tunnel0 ip address 192.168.2.1 255.255.255.0 ip mtu 1422 ip tcp adjust-mss 1382 mpls ip tunnel source FastEthernet0/0 tunnel destination 192.168.1.2 tunnel path-mtu-discovery tunnel protection ipsec profile tunnel0 ! ! interface FastEthernet0/0 ip address 192.168.1.1 255.255.255.0 ! interface Vlan20 ip vrf forwarding vrfA ip address 10.20.1.1 255.255.255.0 no ip proxy-arp ! interface Vlan21 ip vrf forwarding vrfB ip address 10.21.1.1 255.255.255.0 no ip proxy-arp ! interface Vlan22 ip vrf forwarding vrfC ip address 10.22.1.1 255.255.255.0 no ip proxy-arp ! router ospf 1 router-id 1.1.1.1 log-adjacency-changes auto-cost reference-bandwidth 100000 network 1.1.1.1 0.0.0.0 area 0.0.0.0 network 192.168.2.0 0.0.0.255 area 0.0.0.0 ! ! router bgp 65000 bgp router-id 1.1.1.1 bgp log-neighbor-changes neighbor 2.2.2.2 remote-as 65000 neighbor 2.2.2.2 ebgp-multihop 4 neighbor 2.2.2.2 update-source Loopback0 ! address-family ipv4 neighbor 2.2.2.2 activate no auto-summary no synchronization exit-address-family ! address-family vpnv4 neighbor 2.2.2.2 activate neighbor 2.2.2.2 send-community extended exit-address-family ! address-family ipv4 vrf vrfC no synchronization network 10.22.1.0 mask 255.255.255.0 exit-address-family ! address-family ipv4 vrf vrfB no synchronization network 10.21.1.0 mask 255.255.255.0 exit-address-family ! address-family ipv4 vrf vrfA no synchronization network 10.20.1.0 mask 255.255.255.0 exit-address-family !

R2-

Code: Select all: ! ip vrf vrfA rd 2.2.2.2:20 route-target export 65000:20 route-target import 65000:20 ! ip vrf vrfB rd 2.2.2.2:21 route-target export 65000:21 route-target import 65000:21 ! ip vrf vrfC rd 2.2.2.2:22 route-target export 65000:22 route-target import 65000:22 ! ! ! ! crypto isakmp policy 10 encr aes authentication pre-share ! crypto isakmp key cisco123 address 192.168.1.1 ! ! crypto ipsec transform-set aesset esp-aes esp-md5-hmac mode transport ! crypto ipsec profile tunnel0 set transform-set aesset ! ! ! ! ! interface Loopback0 ip address 2.2.2.2 255.255.255.255 ! interface Tunnel0 ip address 192.168.2.2 255.255.255.0 ip mtu 1422 ip tcp adjust-mss 1382 mpls ip tunnel source FastEthernet0/0 tunnel destination 192.168.1.1 tunnel path-mtu-discovery tunnel protection ipsec profile tunnel0 ! interface FastEthernet0/0 ip address 192.168.1.2 255.255.255.0 ! ! interface Vlan20 ip vrf forwarding vrfA ip address 10.20.2.1 255.255.255.0 no ip proxy-arp ! interface Vlan21 ip vrf forwarding vrfB ip address 10.21.2.1 255.255.255.0 no ip proxy-arp ! interface Vlan22 ip vrf forwarding vrfC ip address 10.22.2.1 255.255.255.0 no ip proxy-arp ! router ospf 1 router-id 2.2.2.2 log-adjacency-changes auto-cost reference-bandwidth 100000 network 2.2.2.2 0.0.0.0 area 0.0.0.0 network 192.168.2.0 0.0.0.255 area 0.0.0.0 ! ! router bgp 65000 bgp router-id 2.2.2.2 bgp log-neighbor-changes neighbor 1.1.1.1 remote-as 65000 neighbor 1.1.1.1 ebgp-multihop 4 neighbor 1.1.1.1 update-source Loopback0 ! address-family ipv4 neighbor 1.1.1.1 activate no auto-summary no synchronization exit-address-family ! address-family vpnv4 neighbor 1.1.1.1 activate neighbor 1.1.1.1 send-community extended exit-address-family ! address-family ipv4 vrf vrfC no synchronization network 10.22.2.0 mask 255.255.255.0 exit-address-family ! address-family ipv4 vrf vrfB no synchronization network 10.21.2.0 mask 255.255.255.0 exit-address-family ! address-family ipv4 vrf vrfA no synchronization network 10.20.2.0 mask 255.255.255.0 exit-address-family !

GRE-over-IPsec - The config was simplified by using an IPSec profile with tunnel protection on the GRE tunnel. This allows me to omit the crypto-map and ACL.

MTU- The MTU under normal circumstances for GRE-o-IPSec is 94B (GRE 24B + IPSec AES 70B). Then add a single MPLS label (4Bytes) for PE-to-PE MPLS-o-GRE-o-IPSec and you have 98Bytes. Or for P-to-P MPLS-o-GRE-o-IPSec add two labels for a total overhead of 102Bytes.
However, there is a thing called Transport mode for IPSec. The only caveat of transport mode is that it can "only used when the traffic to be protected has the same IP addresses as the IPSec peers"(From the Cisco site). Well if your using GRE anyway, the tunnel source and destination can be the same IP address as the IPSec peers. Using transport mode means that the IP header from the original GRE encapsulated packet is preserved. Normally the default IPSec Tunnel mode would take the original packet, encapsulate it in IPSec and the add an additional IP header for the ESP packet. Using transport mode reduces the total overhead by 20Bytes for a total overhead of 78B PE-to-PE and 82B P-to-P.

So now with a standard maximum MTU of 1500B, the effective maximum MTU is 1422B or 1418B. The TCP MSS ideally should be 1382B or 1378B (MTU-40B).

So with the MTU question solved, has anyone implemented MPLS in the enterprise?

Tue Dec 27, 2011 8:36 pm

writeerase wrote:Why not just use Group Encrypted Transport (GET) VPN?

Our MPLS provider uses this for XXX... compliance

Thanks for the suggestion writeerase, but I don't thing it would be a good fit for our organization. I am needing to use MPLS within our routing infrastructure to segment traffic internally. Plus, I dont think our auditor would like the idea of encryption being handled by an outside organization unless they had an active PCI certification as well.

Wed Dec 28, 2011 9:00 am

texanmutt wrote:
writeerase wrote:Why not just use Group Encrypted Transport (GET) VPN?

Our MPLS provider uses this for XXX... compliance

Thanks for the suggestion writeerase, but I don't thing it would be a good fit for our organization. I am needing to use MPLS within our routing infrastructure to segment traffic internally. Plus, I dont think our auditor would like the idea of encryption being handled by an outside organization unless they had an active PCI certification as well.

Ya, transport mode is only good for traffic traversing trusted entities, bad for traffic traversing untrusted entities.

Wed Dec 28, 2011 8:30 pm

Your setup sounds similar to what was discussed on this Packet Pushers podcast. but it sounds like you already have your issue sorted out.

Networking Forum powered by InfoSec Insitute

MPLS-over-GRE-over-IPSec

Re: MPLS-over-GRE-over-IPSec

Re: MPLS-over-GRE-over-IPSec

Re: MPLS-over-GRE-over-IPSec

Re: MPLS-over-GRE-over-IPSec

Re: MPLS-over-GRE-over-IPSec

Who is online