Geographic IPsec VPN High Availability with IPsecGRE and Encrypted Routing Protocols | IPSec Virtual Private Network Fundamentals

Geographic IPsec VPN High Availability with IPsec+GRE and Encrypted Routing Protocols

Tunneling traffic in GRE prior to encryption with IPsec enables the encryption of multicast traffic. This is due to the fact that the multicast traffic is represented as a payload of a unicast packet after it has been encapsulated with GRE. As such, once the packet has been encapsulated in GRE, it is presented to the crypto engine as a unicast packet. We have referred to this as IPsec+GRE in previous chapters. IPsec+GRE is a key design option for passing multicast traffic, including RPs that use multicast updates, through an encrypted tunnel. As such, sending routing protocol updates over an IPsec+GRE tunnel serves as an alternative to RRI for preserving IP routing continuity across an IPsec VPN tunnel.

Solution Overview for IPsec+GRE with Encrypted Routing Protocols

IPsec+GRE tunnels have increased in popularity primarily due to the increase in multicast application adoption. As these applications drive the amount of multicast traffic in the overall traffic profile upward, the need to secure this type of traffic increases proportionally. IGP multicast update traffic is one such critical multicast application that is often included in the crypto switching path.

Tip

Cisco IOS includes unicast RP update features for BGP and most IGPs. Encrypted unicast RP updates can be exchanged over the IPsec VPN tunnel to preserve IP routing continuity without the use of GRE. More information on Unicast RP updates is provided in Chapter 5.

Sending RP updates across the IPsec tunnel enables RP adjacencies to be built between two networks situated on opposite sides of an IPsec tunnel, as illustrated in Figure 7-3. This solution therefore serves as an alternative to RRI for preserving IP routing continuity between IP networks across an IPsec VPN tunnel.

Figure 7-3. IPsec+GRE with Encrypted Routing Protocol Updates

The administrators of the network illustrated in Figure 7-3 face the same challenges as in the network topologies of Figures 7-1 and 7-2. Instead of using RRI to allow Network A and Network B to route between one another over the IPsec VPN tunnel, the administrators choose to create a GRE tunnel between C3845ISR-A and B through which RP updates are exchanged. All GRE traffic is then encrypted with a transform defined in the IPsec configuration on C3845ISR-A and B. This effectively allows the administrators of Network A and B to run the same routing protocol, preserving continuity of the routing tables of Network A and B by leveraging encrypted RP updates over the IPsec+GRE tunnel. The resulting forwarding numbered process along the path from Host-A to Server-B in Figure 7-3 is as follows:

1.	ISAKMP and IPsec are configured on C3845ISR-A and B. Once the GRE tunnel and RP configuration is complete on C3845ISR-A and B and traffic is received matching a active crypto ACL, the crypto engine initiates the negotiation of Phase 1 and 2 SAs on C3845ISR-A and B, completing the creation of the IPsec+GRE tunnel. Note Beware that control plane traffic such as GRE Keepalives, RP Hellos, and RP updates passing through the GRE tunnel will keep the IPsec+GRE tunnel up, as they are encapsulated in GRE causing a match on the IPsec+GRE crypto ACL.
2.	The GRE tunnel interfaces created in #1 are configured to forward EIGRP RP updates between C3845ISR-A and B. Routes for Network A are populated in the routing tables of networked nodes throughout Network B and vice versa.
3.	When Host-A sends traffic to Server-B, C3845ISR-A uses a route table entry for Server-B learned via EIGRP in #2 to make the Layer 3 forwarding decision. C3845ISR-A therefore forwards traffic from Host-A to Server-B out of the GRE tunnel interface.
4.	When the traffic is encapsulated in GRE, the crypto engine recognizes a crypto ACL match, causing the GRE packet resulting from #3 to be encrypted using ESP and forwarded to C3845ISR-B across the IPsec VPN tunnel.
5.	C3845ISR-B receives the encrypted traffic from #4 and decrypts it. After the ESP header is removed, the resulting GRE packet is then decapsulated.
6.	C3845ISR-B now forwards the resulting packet from #5 to Server-B using the destination IP of the original IP packet sent by Host-A in #3.
7.	When Server-B sends return traffic to Host-A, C3845ISR-B uses a routing table entry for Host-A learned via EIGRP in #2 to make the Layer 3 forwarding decision.
8.	C3845ISR-B encrypts the GRE packet resulting from the GRE encapsulation in #7 using ESP, and subsequently forwards the encrypted packet to C3845ISR.
9.	C3845ISR-A removes the Extended Services Processor (ESP) header attached by C3845ISRA in #8, and decapsulates the resulting GRE packet.
10.	C3845ISR-A forwards the return traffic from Server-B to Host-A using the destination of the original IP packet created in #7.

The important difference in this design is that encrypted routing protocols essentially replace RRI as a means of IP routing continuity between Network A and Network B. With IPsec+GRE, routing protocols updates can be exchanged only once the IPsec tunnel is successfully established, which is more akin to a dynamic RRI implementation as opposed to a static one. Unlike either mode of RRI, redistribution of static routes in to the dynamic Interior Gateway Protocol (IGP) is not required. Instead, RP updates are automatically propagated throughout Network A and Network B.

While the use of IPsec+GRE for encrypted routing protocols does deprecate the need for RRI, it does raise new requirements. Obviously, GRE tunnels must be created. Additionally, the crypto ACL is changed to include only GRE traffic between the tunnel endpoints. This is due to the fact that the crypto engine will now be presented with a GRE header resulting from the GRE encapsulation for inclusion in the crypto switching path based on a crypto ACL match, rather than the original headers now included as parts of the GRE payload. These necessary configuration elements are listed for C3845ISR-A and B of Figure 7-3 in Example 7-8, and the verification of the configuration is provided using the diagnostic commands in Example 7-9 later in our discussion of IPsec+GRE HA.

Thus far, we've covered two options for establishing IP routing continuity between two networks across an IPsec VPN tunnel: IPsec+GRE with encrypted RP updates and RRI. Generally speaking, each method is used to accomplish the same task of enabling each end of an IPsec VPN tunnel to route to the opposite end. However, each method has different benefits and requirements. Keep several design considerations, such as the ones provided in the following list, in mind when choosing one or another:

Encrypted IP Multicast Application Requirements: If there are other IP multicast applications that require data confidentiality, then IPsec+GRE may be a requirement regardless of the need for encrypted multicast updates. RRI does not provide a solution for IP multicast data flows. Instead it is a means to preserve unicast IP routing continuity across the IPsec VPN tunnel. Therefore, if IPsec+GRE is a requirement based on IP multicast application flow, then the same IPsec+GRE tunnel can be used for encrypted multicast RP updates.
GRE Support and Scalability: If GRE is unsupported; another means of preserving IP routing continuity is therefore required. The scalability and performance of GRE is a more common concern than support for GRE itself. In many of today's IPsec VPN platforms, GRE encap/decap processes are not supported in hardware. This becomes a disadvantage on higher-end VPN platforms that accelerate crypto in hardware, as the GRE process then becomes the bottleneck. If encrypted IP multicast flows are not a requirement, RRI becomes a more attractive design option for geographic HA when the crypto switching path must be executed in hardware.
Reverse Route Injection Support: RRI is not an Internet Engineering Task Force (IETF) standard, and is instead a feature proprietary to Cisco IPsec VPN platforms. In vendor-diverse environments, the IPsec VPN design options available to network architects do not include RRI.

At this point, the fundamental differences, requirements, and design drivers behind an RRI or IPsec+GRE decision should be clear. However, the IPsec+GRE solutions presented thus far have been limited to simple site-to-site designs without incorporating any elements of HA. We will now take a look at the design elements specific to geographic HA in IPsec+GRE, noting that these elements should indeed be coupled with the local HA design concepts covered in Chapter 6 for a full IPsec+GRE HA design. The numbered steps in Figure 7-4 are covered later in this section.

Figure 7-4. Geographic HA with IPsec+GRE and Encrypted Multicast RP Updates

The degree of availability of a given IPsec+GRE design such as the one illustrated in Figure 7-4 depends primarily on the reconvergence of three components:

IPsec VPN Tunnel Reconvergence
GRE Tunnel Reconvergence
Routing Protocol Reconvergence

Before any reconvergence can occur across the IPsec VPN tunnel, stale Internet Key Exchange (IKE) and IPsec SAs must be reaped from the SADB, and new ones must be established between valid peers. In Chapter 5, we discussed the use of IKE keepalives and DPD to expedite reconvergence of an IPsec VPN tunnel in a failover situation. If IKE keepalives or DPD is not used, stale SAs could remain present in the SADB for unacceptably long periods of time, potentially stalling the reconvergence of the IPsec VPN tunnel.

Note

The default SA lifetimes for IKE and IPsec SAs in Cisco IOS are 38400s and 3600s, respectively.

IKE keepalives intervals can be configured as frequently as 10s apart. Therefore, using IKE keepalives potentially expedites stale SA cleanup from the SADB from as long as 3600s to as short as 30s (three missed IKE keepalives at 10s intervals). As such, IKE keepalives and DPD are a critical part of geographic HA concepts for both RRI and IPsec+GRE designs. IKE keepalives and DPD are also a critical part of IPsec peer availability, which is discussed in detail in Chapter 5.

After the IPsec VPN peers have been managed appropriately, and a new IPsec VPN tunnel has been established, the GRE tunnel must be established. This component of the overall reconvergence process is not expected to be materially relevant to the routing protocol reconvergence that must occur once the GRE tunnel is established. Once the IPsec+GRE tunnel is established, RP neighbor adjacency must be built between the two GRE tunnel interfaces. This process can vary based on the routing protocol selected. However, consider, as an example, that most EIGRP interfaces use a default hold timer of 15s (three times the 5s hello interval), which is the time it will take for that EIGRP neighbor to be declared dead so that a new one can be established to a viable peer.

For geographic IPsec HA deployments, the reconvergence component associated with RP reconvergence plays a critical role when deciding between IPsec+GRE vs. IPsec with RRI. Consider the failover scenario in Figure 7-4 in which the following steps are executed to facilitate reconvergence IPsec+GRE tunnel and associated EIGRP neighbor:

1.	A failure occurs between C3845ISR-A and C3845ISR-B, causing C3845ISR-A's primary IPsec peer to become unavailable (C3845ISR-B).
2.	C3845ISR-A fails to receive responses to 3 IKE keepalives timed at 10s intervals, causing C3845ISR-A to reap the IKE and IPsec SAs from its SADB.
3.	During the time it takes to miss the three IKE keepalives in #2, the EIGRP holddown timer expires for the EIGRP neighbor relationship between C3845ISR-A and B, at which point the EIGRP neighbor is removed from the neighbor table.
4.	C3845ISR-A and C's routing tables reconverge, causing all of the routes learned over the tunnel interface to B to point over the GRE tunnel interface to C3845ISR-C.
5.	Host-A forwards traffic to Server-B. C3845ISR-A uses a routing table entry learned via EIGRP RP updates sent in #5 to forward the traffic from Host-A through the IPsec+GRE tunnel.
6.	The traffic in #6 is encapsulated in GRE by C3845ISR-A. After the packet is GRE-encapsulated, it is encrypted with ESP and forwarded to the redundant IPsec peer at C3845ISR-C.

7.	C3845ISR-C decrypts the traffic received in #6, decapsulates the resulting GRE packet, and forwards the traffic to Server-B based on the destination address in the original IP header sent from Host-A.
8.	Server-B forwards the return traffic to C3845ISR-C. C3845ISR-C uses a routing table entry learned via EIGRP RP updates sent in #4 to forward the return traffic from Server-B back to Host-A through the IPsec+GRE tunnel.
9.	The traffic in #8 is encapsulated in GRE by C3845ISR-C. After it is GRE-encapsulated, the packet is encrypted with ESP and forwarded to the IPsec peer at C3845ISR-A.
10.	C3845ISR-A decrypts the traffic received in #9, decapsulates the resulting GRE packet, and forwards the traffic on to Host-A based on the destination address in the original IP header sent from Server-B in #8.

Similar to our discussion of RRI with multiple IPsec peers, IPsec+GRE in and of itself does not provide added degrees of availability to the design. Instead, IPsec+GRE is hardened using multiple, redundant, IPsec peers and redundant GRE tunnel interfaces that enable the IPsec+GRE tunnel to reconverge over a redundant path. This concept is referred to as path availability, and is discussed in greater detail in Chapter 5. Example 7-8 includes a sample configuration used on C3845ISR-A in Figure 7-4 providing HA using multiple IPsec peer definitions and redundant GRE tunnels. The failover process described previously for the IPsec+GRE deployment illustrated in Figure 7-4 is verified in Example 7-9.

Internet Security Association and Key Management Protocol (ISAKMP) is configured to use preshared key (PSK) authentication with an MD5 hash, DES encryption (default), and a group 2 Diffie-Hellman modulus. A PSK of Cisco is used to authenticate IKE SAs with C3845ISR-A (200.1.1.2) and B (200.1.1.3). The cipher used on the cleartext traffic sent through the IPsec VPN tunnel to the spokes is ESP 3DES with MD5 HMAC authentication on the ciphered blocks. Unlike our previous discussions of RRI with multiple crypto maps, this IPsec+GRE design leverages multiple crypto map process IDs (10 and 20) to define different IPsec peers and crypto ACLs. This effectively enables the use of two IPsec+GRE tunnels to become active simultaneously, offering the ability to load balance across each in an active/active fashion. There are two crypto ACLs that are defined in their own respective process IDs (10 and 20) under the same crypto map, "chap7-IPsec+gre":

Crypto ACL 101 defines GRE traffic from the Tunnel12's source IP to Tunnel12's destination IP to be protected in the crypto switching path. Crypto ACL 101 is configured to protect all traffic through GRE tunnel 12. It accomplishes this by including any GRE packets sourced from 1.1.1.1 (GRE tunnel source on C7304) to 2.2.2.2 (GRE tunnel destination on C3845ISR-A).
Crypto ACL 102 defines GRE traffic from the Tunnel13's source IP to Tunnel12's destination IP to be protected in the crypto switching path. Crypto ACL 102 is configured to protect all traffic through GRE tunnel 13. It accomplishes this by including any GRE packets sourced from 1.1.1.1 (GRE tunnel source on C7304) to 3.3.3.3 (GRE tunnel destination on C3845ISR-B).

It is also important to note that there are two different routing protocol implementations relevant to the design. Unless the GRE tunnels are built across a directly connected L3 segment, a routing protocol is needed between the two GRE tunnel endpoints to successfully establish the GRE tunnel. This routing protocol will also be used to establish Phase 1 and 2 SAs that protect the GRE tunnels. In this case, Open Shortest Path First (OSPF) (OSPF 10) is used to accomplish both of these tasks. This routing protocol's updates and hellos will not be protected by IPsec. A second routing protocol is used to provide continuity between two routed domains on opposite sides of the IPsec VPN tunnel. In this case, EIGRP (EIGRP 10) is used to accomplish this by sending EIGRP hellos and updates across the GRE tunnel. These routing protocol updates and hellos will be encrypted because they are encapsulated with GRE, which is defined in the crypto ACLs 101 and 102 accordingly.

Example 7-8. IPsec HA Configuration Using IPsec+GRE with Multiple Crypto-Process IDs and Redundant, Load-Sharing GRE Interfaces (C3845ISR-A)

1  C3845ISR-A#show running-config 2  Building configuration... 3  ! 4  ! 5  crypto isakmp policy 10 6   hash md5 7   authentication pre-share 8   group 2 9  crypto isakmp key cisco address 200.1.1.2 10 crypto isakmp key cisco address 200.1.1.3 11 crypto isakmp keepalive 10 12 ! 13 crypto IPsec transform-set chap7-IPsec+gre esp-3des esp-md5-hmac 14 ! 15 crypto map chap7-IPsec+gre 10 IPsec-isakmp 16  set peer 200.1.1.2 17  set transform-set chap7-IPsec+gre 18  match address 101 19 crypto map chap7-IPsec+gre 20 IPsec-isakmp 20  set peer 200.1.1.3 21  set transform-set chap7-IPsec+gre 22  match address 102 23 ! 24 interface Tunnel12 25  ip address 12.1.1.1 255.255.255.252 26  tunnel source 1.1.1.1 27  tunnel destination 2.2.2.2 28 ! 29 interface Tunnel13 30  ip address 13.1.1.1 255.255.255.252 31  tunnel source 1.1.1.1 32  tunnel destination 3.3.3.3 33 ! 34 interface Loopback1 35 ip address 1.1.1.1 255.255.255.255 36 ! 37 ! 38 router eigrp 10 39  network 10.0.0.0 40  network 12.1.1.0 0.0.0.3 41  network 13.1.1.0 0.0.0.3 42  no auto-summary 43 ! 44 router ospf 10 45  log-adjacency-changes 46  network 1.1.1.1 0.0.0.0 area 0 47  network 200.1.1.0 0.0.0.255 area 0 48 ! 49 ! 50 access-list 101 permit gre host 1.1.1.1 host 2.2.2.2 51 access-list 102 permit gre host 1.1.1.1 host 3.3.3.3

The crypto engine entries shown in Example 7-9, lines 1-9, verify two active IPsec VPN tunnels, each with their own ISAKMP SA and 2 IPsec SAs. This confirms that the IPsec+GRE implementation is currently redundant in an active/active load-balanced format across the two tunnels. The output in Example 7-9, lines 11-18, confirms that both the local interface providing connectivity to private networks and the two GRE tunnels to the branches (C3845ISR-A and B) are all injected into the appropriate routing protocol (EIGRP AS 10) on C7304. Diagnostic output provided in Example 7-9, lines 20-26, confirms that there are three EIGRP neighbors currently established on C7304: one for connectivity to the private networks behind C7304 and two additional ones for connectivity to the private networks behind C3845ISR-A and B across the IPsec+GRE tunnels. Routes are being learned via EIGRP 10 over the two IPsec+GRE tunnel interfaces from C7304 to C3845ISR-A and B, respectively, as confirmed by Example 7-9, lines 28-40. Each route has two equal cost paths that C7304 will use to load balance over the two IPsec+GRE tunnels currently operating in an active/active fashion.

Example 7-9. Verifying IPsec VPN Failover with IPsec+GRE with Multiple Crypto-Process IDs and Redundant, Load-Sharing GRE Interfaces (C3845ISR-A)

1  C3845ISR-A#show crypto engine connections active 2 3    ID Interface            IP-Address      State  Algorithm           Encrypt Decrypt 4     7 FastEthernet0/0      200.1.1.1       set    HMAC_MD5+DES_56_CB        0       0 5     8 FastEthernet0/0      200.1.1.1       set    HMAC_MD5+DES_56_CB        0       0 6  2001 FastEthernet0/0      200.1.1.1       set    3DES+MD5                  0     156 7  2002 FastEthernet0/0      200.1.1.1       set    3DES+MD5                123       0 8  2003 FastEthernet0/0      200.1.1.1       set    3DES+MD5                157       0 9  2004 FastEthernet0/0      200.1.1.1       set    3DES+MD5                  0     124 10 11 C3845ISR-A#show ip eigrp interfaces 12 IP-EIGRP interfaces for process 10 13 14                         Xmit Queue   Mean   Pacing Time   Multicast    Pending 15 Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes 16 Fa0/1              1        0/0         1       0/10          50           0 17 Tu12               1        0/0        87      71/2702      3134           0 18 Tu13               1        0/0       192      71/2702      3294           0 19 20 C3845ISR-A#show ip eigrp neighbors 21 IP-EIGRP neighbors for process 10 22 H   Address                 Interface       Hold Uptime   SRTT   RTO  Q   Seq 23                                             (sec)         (ms)       Cnt  Num 24 2   13.1.1.2                Tu13            11 00:10:02   192   5000  0   49 25 1   12.1.1.2                Tu12            12 00:12:11    87   5000  0   73 26 0   10.1.1.100              Fa0/1           11 03:24:54     1    200  0   43 27 28 C3845ISR-A#show ip route eigrp 10 | include Tunnel 29 D       10.1.2.0 [90/297270016] via 13.1.1.2, 00:11:04, Tunnel13 30                  [90/297270016] via 12.1.1.2, 00:11:04, Tunnel12 31 D       192.168.2.2 [90/297398016] via 13.1.1.2, 00:11:04, Tunnel13 32                     [90/297398016] via 12.1.1.2, 00:11:04, Tunnel12 33 D       192.168.2.3 [90/297398016] via 13.1.1.2, 00:11:04, Tunnel13 34                     [90/297398016] via 12.1.1.2, 00:11:04, Tunnel12 35 D       192.168.2.1 [90/297398016] via 13.1.1.2, 00:11:04, Tunnel13 36                     [90/297398016] via 12.1.1.2, 00:11:04, Tunnel12 37 D       192.168.2.4 [90/297398016] via 13.1.1.2, 00:11:04, Tunnel13 38                     [90/297398016] via 12.1.1.2, 00:11:04, Tunnel12 39 D       192.168.2.5 [90/297398016] via 13.1.1.2, 00:11:04, Tunnel13 40                     [90/297398016] via 12.1.1.2, 00:11:04, Tunnel12