Configurando IPsec Router-to-Router (Pre-shared Keys): túnel GRE con IOS Firewall y NAT

En este ejemplo vamos a configurar un túnel GRE sobre IPsec con claves precompartidas (pre-shared keys). Los dos routers van a estar configurados con NAT para salir al exterior; el tráfico entre las dos redes privadas se excluye del NAT y se envía por el túnel. Nota: la configuración de ejemplo usa DES/MD5 y una clave precompartida en texto claro con fines ilustrativos; en producción deben sustituirse por algoritmos y credenciales más fuertes.

Configuración de los routers:


Router Daphne
version 12.3
!--- Absolute timestamps with millisecond resolution on debug and log output;
!--- needed to correlate events with the remote peer (pair with NTP).
service timestamps debug datetime msec
service timestamps log datetime msec
!--- NOTE(review): password encryption is off, so the "password ww" under
!--- "line vty 0 4" below is stored in cleartext (type 0). Even with
!--- "service password-encryption" it would only be type-7 obfuscation
!--- (reversible); prefer secret-based credentials for login.
no service password-encryption
!
hostname daphne
!
boot-start-marker
boot-end-marker
!
!--- Privileged-mode password stored as a type-5 (MD5) secret, not cleartext.
!--- Still treat the hash as sensitive: it can be brute-forced offline.
enable secret 5 $1$r2sh$XKZR118vcId11ZGzhbz5C/
!
!--- No AAA: device login relies solely on the per-line password under "line vty".
no aaa new-model
ip subnet-zero
!
!

!--- This is the Cisco IOS Firewall (CBAC) configuration and what to inspect.
!--- This is applied outbound on the external interface (FastEthernet0/1), so
!--- return traffic for these inspected sessions is dynamically permitted past
!--- the inbound access list 103 on that interface.

ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw ftp
ip inspect name myfw realaudio
ip inspect name myfw smtp
ip inspect name myfw streamworks
ip inspect name myfw vdolive
ip inspect name myfw tftp
ip inspect name myfw rcmd
ip inspect name myfw http
!--- Source interface for telnet sessions originated FROM this router.
!--- This does not restrict who may telnet TO the router; see "line vty 0 4".
ip telnet source-interface FastEthernet0/0
!
!--- Legacy IOS intrusion-detection (ip audit) logging settings.
ip audit notify log
ip audit po max-events 100
!--- Hardening: the router's built-in FTP server cannot be used to write files.
no ftp-server write-enable
!

!--- This is the IPsec configuration.

!
!--- ISAKMP (IKE phase 1) policy. Only the authentication method is set;
!--- encryption, hash, DH group and lifetime are left at the IOS defaults.
!--- NOTE(review): on 12.x the defaults are weak (DES, DH group 1 on most
!--- releases) -- verify with "show crypto isakmp policy" and pin stronger
!--- values (encryption, hash, group) explicitly.
crypto isakmp policy 10
authentication pre-share

!--- Pre-shared key for peer Fred (192.168.2.2). It is stored here in
!--- cleartext and must be identical on both peers, so anyone who can read
!--- either config learns it. "ciscokey" is a placeholder -- use a long,
!--- random key in production and restrict access to the configuration.
crypto isakmp key ciscokey address 192.168.2.2
!
!
!--- IPsec (phase 2) transform set: ESP with DES encryption and MD5 HMAC,
!--- tunnel mode (the default, no "mode" line is given).
!--- NOTE(review): 56-bit DES and MD5-HMAC are deprecated and should not be
!--- relied on for confidentiality/integrity today; prefer esp-aes / esp-sha-hmac
!--- where the platform supports them. No PFS ("set pfs") is configured.
crypto ipsec transform-set to_fred esp-des esp-md5-hmac
!
!--- Crypto map applied to the outside interface: traffic matching ACL 101
!--- (the GRE tunnel between the two peers) is protected with IPsec to 192.168.2.2.
crypto map myvpn 10 ipsec-isakmp

set peer 192.168.2.2
set transform-set to_fred
match address 101
!
!
!
!
!

!--- This is one end of the GRE tunnel. GRE itself provides no
!--- authentication or encryption; it is protected only because the
!--- crypto map on the tunnel source interface matches the GRE flow (ACL 101).

!
interface Tunnel0

ip address 192.168.3.1 255.255.255.0

!--- Associate the tunnel with the physical interface.

tunnel source FastEthernet0/1

tunnel destination 192.168.2.2

!--- This is the internal network (NAT inside).

interface FastEthernet0/0

ip address 10.0.0.2 255.255.255.0
ip nat inside
speed 100
full-duplex
!

!--- This is the external interface and one end of the GRE tunnel.
!--- Inbound: only GRE/ESP/ISAKMP from the peer are permitted statically
!--- (ACL 103); everything else relies on CBAC openings or is denied and logged.

interface FastEthernet0/1

ip address 192.168.1.1 255.255.255.0
ip access-group 103 in
ip nat outside
ip inspect myfw out
speed 100
full-duplex
crypto map myvpn
!

!--- Define the NAT pool (addresses on the outside interface's subnet) and
!--- translate only what the route-map "nonat" selects (overload = PAT).

ip nat pool ourpool 192.168.1.10 192.168.1.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool ourpool overload
ip classless

!--- Default route towards the upstream next hop.
ip route 0.0.0.0 0.0.0.0 192.168.1.2

!--- Force the private network traffic into the tunnel: the remote LAN
!--- 172.16.1.0/24 is reached via Fred's tunnel address 192.168.3.2.


ip route 172.16.1.0 255.255.255.0 192.168.3.2
!--- NOTE(review): cleartext HTTP management is enabled (and HTTPS disabled).
!--- ACL 103 only shields the outside interface, so this remains reachable
!--- from the inside network. Disable with "no ip http server" unless needed.
ip http server
no ip http secure-server
!
!

!--- Crypto ACL: all traffic that enters the GRE tunnel is encrypted by IPsec.
!--- Other ACE statements are not necessary; the peer's ACL 101 is the mirror image.

access-list 101 permit gre host 192.168.1.1 host 192.168.2.2

!--- Access list for security reasons. Allow only GRE, ESP and ISAKMP (UDP 500)
!--- between the two VPN peers' outside addresses; the final entry denies and
!--- logs everything else. NAT-T (UDP 4500) is not permitted -- not needed here
!--- since no NAT device sits between the peers; add it if that changes.

access-list 103 permit gre host 192.168.2.2 host 192.168.1.1
access-list 103 permit esp host 192.168.2.2 host 192.168.1.1
access-list 103 permit udp host 192.168.2.2 eq isakmp host 192.168.1.1
access-list 103 deny ip any any log

!--- See the Background Information section if you use
!--- a Cisco IOS Software release earlier than 12.1.4 for access list 103.

!--- NAT selection: "deny" here means "do not translate" -- traffic from the
!--- local LAN to the remote LAN keeps its private addresses and crosses the
!--- tunnel; all other traffic from 10.0.0.0/24 is translated to the pool.
access-list 175 deny ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 175 permit ip 10.0.0.0 0.0.0.255 any

!--- Use access list in route-map to address what to NAT.

route-map nonat permit 10
match ip address 175
!
!
!
line con 0
!--- NOTE(review): "exec-timeout 0 0" disables the console idle timeout; an
!--- unattended console session never logs out. Set a finite timeout in production.
exec-timeout 0 0
line aux 0
line vty 0 4
!--- NOTE(review): remote login uses a single, trivially guessable cleartext
!--- line password. No "transport input" is set, so the platform default
!--- (which typically includes telnet) applies, and no "access-class" limits
!--- the source addresses. Prefer local/AAA users with "secret",
!--- "transport input ssh", and an access-class.
password ww
login
!
!
end

Router Fred

version 12.2
!--- NOTE(review): timestamps are relative to uptime here, while Daphne uses
!--- "datetime msec". Uptime stamps make cross-device log correlation hard;
!--- use "datetime msec" (with NTP) on both peers.
service timestamps debug uptime
service timestamps log uptime
!--- NOTE(review): password encryption is off, so the "password ww" under
!--- "line vty 0 4" below is stored in cleartext (type 0).
no service password-encryption
!
hostname fred
!
!--- Privileged-mode password stored as a type-5 (MD5) secret.
enable secret 5 $1$AtxD$MycLGaJvF/tAIFXkikCes1
!
ip subnet-zero
!
!
!--- Source interface for telnet sessions originated FROM this router only.
ip telnet source-interface FastEthernet0/0
!
!--- Cisco IOS Firewall (CBAC) inspection rules, applied outbound on
!--- FastEthernet0/1 so return traffic is permitted past access list 103.
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw ftp
ip inspect name myfw realaudio
ip inspect name myfw smtp
ip inspect name myfw streamworks
ip inspect name myfw vdolive
ip inspect name myfw tftp
ip inspect name myfw rcmd
ip inspect name myfw http
ip audit notify log
ip audit po max-events 100
!
!--- ISAKMP (IKE phase 1) policy; only the authentication method is set, the
!--- rest (encryption, hash, DH group, lifetime) falls back to IOS defaults.
!--- NOTE(review): those defaults are weak on 12.x -- verify with
!--- "show crypto isakmp policy" and set them explicitly. Phase-1 parameters
!--- must match Daphne's policy for the tunnel to come up.
crypto isakmp policy 10
authentication pre-share

!--- Pre-shared key for peer Daphne (192.168.1.1); same cleartext
!--- placeholder value as on Daphne (it must be identical on both sides).
!--- Replace with a long random key in production.
crypto isakmp key ciscokey address 192.168.1.1
!
!
!--- IPsec transform set mirroring Daphne's: ESP-DES + MD5-HMAC, tunnel mode.
!--- NOTE(review): deprecated algorithms; prefer esp-aes / esp-sha-hmac.
crypto ipsec transform-set to_daphne esp-des esp-md5-hmac
!
!--- Crypto map applied to the outside interface: protects the GRE flow
!--- matched by ACL 101 towards peer 192.168.1.1.
crypto map myvpn 10 ipsec-isakmp

set peer 192.168.1.1
set transform-set to_daphne
match address 101
!
!--- Voice/RSVP default line, unrelated to the VPN.
call rsvp-sync
!
!
!
!
!
!
!
!
!--- This end of the GRE tunnel (unencrypted by itself; protected by the
!--- crypto map on the tunnel source interface).
interface Tunnel0

ip address 192.168.3.2 255.255.255.0
tunnel source FastEthernet0/1

tunnel destination 192.168.1.1
!
!--- Internal network (NAT inside).
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
ip nat inside
speed 100
full-duplex
!
!--- Unused serial interface.
interface Serial0/0
no ip address
clockrate 2000000
!
!--- External interface: inbound ACL 103, NAT outside, CBAC outbound, crypto map.
interface FastEthernet0/1

ip address 192.168.2.2 255.255.255.0
ip access-group 103 in
ip nat outside
ip inspect myfw out
speed 100
full-duplex
crypto map myvpn
!

!--- Output is suppressed.

!

!--- NAT pool on the outside subnet; only traffic selected by route-map
!--- "nonat" is translated (overload = PAT).
ip nat pool ourpool 192.168.2.10 192.168.2.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool ourpool overload
ip classless

!--- Default route to the upstream next hop; the remote LAN 10.0.0.0/24 is
!--- reached via Daphne's tunnel address 192.168.3.1, forcing it into the tunnel.
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 10.0.0.0 255.255.255.0 192.168.3.1
!--- NOTE(review): cleartext HTTP management is enabled and reachable from the
!--- inside network (ACL 103 only filters FastEthernet0/1 inbound). Disable
!--- with "no ip http server" unless required.
ip http server
!

!--- Crypto ACL (mirror of Daphne's): the GRE flow between the two peers.
access-list 101 permit gre host 192.168.2.2 host 192.168.1.1
!--- Inbound filter on the outside interface: GRE, ISAKMP (UDP 500) and ESP
!--- from Daphne only. NOTE(review): unlike Daphne's ACL 103 there is no
!--- explicit "deny ip any any log" -- the implicit deny still drops other
!--- traffic, but silently; add the logging entry for consistency/visibility.
access-list 103 permit gre host 192.168.1.1 host 192.168.2.2
access-list 103 permit udp host 192.168.1.1 eq isakmp host 192.168.2.2
access-list 103 permit esp host 192.168.1.1 host 192.168.2.2
!--- NAT selection: LAN-to-remote-LAN traffic is "denied" (= not translated)
!--- so it crosses the tunnel with private addresses; everything else from
!--- 172.16.1.0/24 is translated to the pool.
access-list 175 deny ip 172.16.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 175 permit ip 172.16.1.0 0.0.0.255 any

!--- Route-map used by "ip nat inside source" to decide what to NAT.
route-map nonat permit 10
match ip address 175
!
!
!
!--- Voice default, unrelated to the VPN.
dial-peer cor custom
!
!
!
!
!
line con 0
!--- NOTE(review): no console idle timeout -- an unattended session never logs out.
exec-timeout 0 0
line aux 0
line vty 0 4
!--- NOTE(review): single cleartext, trivially guessable vty password; no
!--- "transport input" (default typically includes telnet) and no "access-class".
!--- Prefer local/AAA users with "secret", "transport input ssh" and an access-class.
password ww
login
!
end