Embedded Files
IPSec with IPv6-in-IPv4 GRE tunnel
Theory:
RFC 4891 discusses about IPSec with IPv6-in-IPv4 tunnels. It points out two different types of threats with IPv6-in-IPv4 tunnels which mandates the use of IPSec. The two types of threats are-
1) The IPv4 source address of the encapsulating (outer) packet can be spoofed
2) The IPv6 source address of the encapsulated (inner) packet can be spoofed.
RFC 4891 discusses two ways to use IPSec- in transport and tunnel modes.
IPSec in Transport mode:
In transport mode, the IPSec ESP or AH SA are established to protect traffic with the header {IPv4 Source address, IPv4 Destination address, Protocol = 41}. On receiving an IPSec packet, the receiver applies the IPSec transform (e.g. ESP or AH) and matches the packet against Security Parameter Index (SPI) and the inbound selectors associated with the SA to verify that the packet is appropriate for the SA via which it was received. The successful verification ensures that the packet came from correct IPv4 endpoint.
The transport mode takes care of threat # 1. But IPSec in Transport mode does not verify the payload of the IPSec packet which carries IPv6 addresses. Hence, the inner payload can be spoofed. The packet will be decapsulated and accepted. This shortcoming can be mitigated by Ingress filtering which is a check to ensure packet is received on the correct interface like RPF in IP multicasting.
IPSec in Tunnel mode:
In Tunnel mode, the IPSec SA is established to protect the traffic defined by {IPv6 Source address, IPv6 Destination address}. On receiving such an IPSec packet, the receiver first applies the IPSec transform and matches the packet against SPI and inbound selectors associated with the SA. The successful verification ensures that the packet came from correct endpoint.
In tunnel mode, the outer IPv4 addresses can be spoofed and IPSec cannot detect this in tunnel mode.
Network topology:
An IPv6-in-IPv4 GRE tunnel needs to be setup between R1 & R2 router connecting the two IPv6 domains separated by an IPv4 network.
Initial configuration on R1
ipv6 unicast-routing!interface Loopback 0 ip address 1.1.1.1 255.255.255.255!interface serial 0/0 description IPv4 WAN Interface ip address 10.1.1.1 255.255.255.252!interface fastethernet 0/0 description Internal IPv6 network ipv6 address CAFE:1::1/64!router ospf 1 network 1.1.1.1 0.0.0.0 area 0 network 10.1.1.0 0.0.0.3 area 0!Initial configuration on R2
ipv6 unicast-routing!interface Loopback 0 ip address 2.2.2.2 255.255.255.255!interface serial 0/0 description IPv4 WAN Interface ip address 10.2.2.2 255.255.255.252!interface fastethernet 0/0 description Internal IPv6 network ipv6 address CAFE:2::1/64!router ospf 1 network 2.2.2.2 0.0.0.0 area 0 network 10.2.2.0 0.0.0.3 area 0!GRE Tunnel configuration:
A GRE tunnel is setup between R1 and R2. The tunnel interfaces will have IPv6 addresses and they belong to the same network. IPv6 traffic for remote sites is manually forwarded over GRE tunnel using an IPv6 static route.
Tunnel configuration on R1
interface Tunnel 0 tunnel mode gre ip ipv6 address 2001::1/64 tunnel source Loopback 0 tunnel destination 2.2.2.2!ipv6 route CAFE:2::/64 2001::2!Tunnel configuration on R2
interface Tunnel 0 tunnel mode gre ip ipv6 address 2001::2/64 tunnel source Loopback 0 tunnel destination 1.1.1.1!ipv6 route CAFE:1::/64 2001::1!When traffic is generated from R1 router's IPv6 domain towards R2 router's IPv6 network, ICMPv6 packets are encapsulated in a GRE packet (protocol= 0x2F or decimal value 47) with packet's source IP address as R1's Loopback 0 interface and destination IP address as R2's Loopback 0 interface. At R2 router, these GRE packets are decapsulated and forwarded to the correct destination.
GRE Ping results
R1# ping CAFE:2::1 source fa 0/0Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to CAFE:2::1, timeout is 2 seconds:Packet sent with a source address of CAFE:1::1!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 44/64/96 msR1# debug ip packet detailIP: s=1.1.1.1 (Tunnel0), d=2.2.2.2 (Serial0/0), len 124, sending, proto=47IP: s=1.1.1.1 (Tunnel0), d=2.2.2.2 (Serial0/0), len 124, sending, proto=47IP: s=1.1.1.1 (Tunnel0), d=2.2.2.2 (Serial0/0), len 124, sending, proto=47IP: s=1.1.1.1 (Tunnel0), d=2.2.2.2 (Serial0/0), len 124, sending, proto=47IP: s=1.1.1.1 (Tunnel0), d=2.2.2.2 (Serial0/0), len 124, sending, proto=47
IPSec over IPv6-in-IPv4 GRE tunnel:
Over this GRE tunnel, IPSec is configured using static crypto-map to encrypt the traffic on the GRE tunnel. This essentially adds extra overhead since the GRE packet is encapsulated by ESP (protocol value 50). All the traffic that travels over the GRE tunnel get encrypted hence no access-list is configured to match interesting traffic. Also, the peer address is set to the Loopback 0 interfaces of the routers since they are used as the source IP addresses for the GRE tunnel.
IPSec configuration on R1
crypto isakmp policy 10 encryption des authentication pre-share hash md5 group 2!crypto isakmp key 0 MY_K3Y address 2.2.2.2!crypto ipsec transform-set TS esp-des esp-md5-hmac!crypto ipsec profile PROFILE set transform-set TS!interface tunnel 0 tunnel protection ipsec profile PROFILE!IPSec configuration on R2
crypto isakmp policy 10 encryption des authentication pre-share hash md5 group 2!crypto isakmp key 0 MY_K3Y address 1.1.1.1!crypto ipsec transform-set TS esp-des esp-md5-hmac!crypto ipsec profile PROFILE set transform-set TS!interface tunnel 0 tunnel protection ipsec profile PROFILE!When traffic is generated from R1 router's IPv6 domain towards R2 router's IPv6 network, ICMPv6 packets are encapsulated in GRE packets, which are then encapsulated in an ESP packet. R1 router also initiates an IKE negotiation with R2 router, meanwhile all packets are dropped.
The debugging on R2 router shows how it negotiates SA with R1 router. It shows that when R2 router receives a packet from 1.1.1.1 peer, it checks to see if it has a pre-shared key. It initiates IKE Phase 1 during which it checks whether the policy sent by R1 matches any of its policy and if it agrees to the policy. After successful IKE Phase 1, it initiates IKE Phase 2 during which it checks IPSec transform-set. After successful transform-set negotiation IKE Phase 2 is completed after which communication is possible.
"debug crypto isakmp" on R2
ISAKMP (0:0): received packet from 1.1.1.1 dport 500 sport 500 Global (N) NEW SAISAKMP: Created a peer struct for 1.1.1.1, peer port 500ISAKMP: New peer created peer = 0x64BB250C peer_handle = 0x80000004ISAKMP: Locking peer struct 0x64BB250C, IKE refcount 1 for crypto_isakmp_process_blockISAKMP: local port 500, remote port 500 insert sa successfully sa = 64BB6094ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCHISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0ISAKMP:(0:0:N/A:0): processing vendor id payloadISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatchISAKMP (0:0): vendor ID is NAT-T v7ISAKMP:(0:0:N/A:0): processing vendor id payloadISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatchISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3ISAKMP:(0:0:N/A:0): processing vendor id payloadISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatchISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 1.1.1.1ISAKMP:(0:0:N/A:0): local preshared key foundISAKMP : Scanning profiles for xauth ...ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policyISAKMP: encryption DES-CBCISAKMP: hash MD5ISAKMP: default group 2ISAKMP: auth pre-shareISAKMP: life type in secondsISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0ISAKMP:(0:1:SW:1): processing vendor id payloadISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatchISAKMP (0:134217729): vendor ID is NAT-T v7ISAKMP:(0:1:SW:1): processing vendor id payloadISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatchISAKMP:(0:1:SW:1): vendor ID is NAT-T v3ISAKMP:(0:1:SW:1): processing vendor id payloadISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatchISAKMP:(0:1:SW:1): vendor ID is NAT-T v2ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODEISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1ISAKMP:(0:1:SW:1): constructed NAT-T vendor-07 IDISAKMP:(0:1:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUPISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETEISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2ISAKMP (0:134217729): received packet from 1.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUPISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCHISAKMP:(0:1:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0ISAKMP:(0:1:SW:1): processing NONCE payload. message ID =0ISAKMP:(0:1:SW:1):found peer pre-shared key matching 1.1.1.1ISAKMP:(0:1:SW:1):SKEYID state generatedISAKMP:(0:1:SW:1): processing vendor id payloadISAKMP:(0:1:SW:1): vendor ID is UnityISAKMP:(0:1:SW:1): processing vendor id payloadISAKMP:(0:1:SW:1): vendor ID is DPDISAKMP:(0:1:SW:1): processing vendor id payloadISAKMP:(0:1:SW:1): speaking to another IOS box!ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODEISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3ISAKMP:(0:1:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCHISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETEISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4ISAKMP (0:134217729): received packet from 1.1.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCHISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCHISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0ISAKMP (0:134217729): ID payload next-payload : 8 type : 1 address : 1.1.1.1 protocol : 17 port : 500 length : 12ISAKMP:(0:1:SW:1):: peer matches *none* of the profilesISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0ISAKMP:(0:1:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 64BB6094ISAKMP:(0:1:SW:1):SA authentication status:authenticatedISAKMP:(0:1:SW:1): Process initial contact,bring down existing phase 1 and 2 SA's with local 2.2.2.2 remote 1.1.1.1 remote port 500ISAKMP:(0:1:SW:1):SA authentication status: authenticatedISAKMP:(0:1:SW:1):SA has been authenticated with 1.1.1.1ISAKMP: Trying to insert a peer 2.2.2.2/1.1.1.1/500/, and inserted successfully 64BB250C.ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODEISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDRISAKMP (0:134217729): ID payload next-payload : 8 type : 1 address : 2.2.2.2 protocol : 17 port : 500 length : 12ISAKMP:(0:1:SW:1):Total payload length: 12ISAKMP:(0:1:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCHISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETEISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETEISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETEISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETEISAKMP (0:134217729): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLEISAKMP: set new node 1046004050 to QM_IDLEISAKMP:(0:1:SW:1): processing HASH payload. message ID = 1046004050ISAKMP:(0:1:SW:1): processing SA payload. message ID = 1046004050ISAKMP:(0:1:SW:1):Checking IPSec proposal 1ISAKMP: transform 1, ESP_DESISAKMP: attributes in transform:ISAKMP: encaps is 1 (Tunnel)ISAKMP: SA life type in secondsISAKMP: SA life duration (basic) of 3600ISAKMP: SA life type in kilobytesISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0ISAKMP: authenticator is HMAC-MD5ISAKMP:(0:1:SW:1):atts are acceptable.ISAKMP:(0:1:SW:1): processing NONCE payload. message ID =1046004050ISAKMP:(0:1:SW:1): processing ID payload. message ID = 1046004050ISAKMP:(0:1:SW:1): processing ID payload. message ID = 1046004050ISAKMP:(0:1:SW:1): asking for 1 spis from ipsecISAKMP:(0:1:SW:1):Node 1046004050, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCHISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVEISAKMP: received ke message (2/1)ISAKMP: Locking peer struct 0x64BB250C, IPSEC refcount 1 for for stuff_keISAKMP:(0:1:SW:1): Creating IPSec SAs inbound SA from 1.1.1.1 to 2.2.2.2 (f/i) 0/ 0 (proxy 1.1.1.1 to 2.2.2.2) has spi 0x4F11F20E and conn_id 0 and flags 2 lifetime of 3600 seconds lifetime of 4608000 kilobytes has client flags 0x0 outbound SA from 2.2.2.2 to 1.1.1.1 (f/i) 0/0 (proxy 2.2.2.2 to 1.1.1.1) lifetime of 3600 seconds lifetime of 4608000 kilobytes has client flags 0x0ISAKMP:(0:1:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) QM_IDLEISAKMP:(0:1:SW:1):Node 1046004050, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLYISAKMP:(0:1:SW:1):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2ISAKMP: Locking peer struct 0x64BB250C, IPSEC refcount 2 for from create_transformsISAKMP: Unlocking IPSEC struct 0x64BB250C from create_transforms, count 1ISAKMP (0:134217729): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLEISAKMP:(0:1:SW:1):deleting node 1046004050 error FALSE reason "QM done (await)"ISAKMP:(0:1:SW:1):Node 1046004050, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCHISAKMP:(0:1:SW:1):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETEThe show crypto isakmp peer [detail] command shows peer description.
show crypto isakmp peers
R1# show crypto isakmp peersPeer: 2.2.2.2 Port: 500 Local: 1.1.1.1 Phase1 id: 2.2.2.2The show crypto session detail command provides details on currently active crypto sessions.
show crypto session detail
R1# show crypto session detailCrypto session current statusCode: C - IKE Configuration mode, D - Dead Peer DetectionK - Keepalives, N - NAT-traversal, X - IKE Extended AuthenticationInterface: Tunnel0Session status: UP-ACTIVEPeer: 2.2.2.2 port 500 fvrf: (none) ivrf: (none) Phase1_id: 2.2.2.2 Desc: (none) IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active Capabilities:(none) connid:1 lifetime:23:59:34 IPSEC FLOW: permit 47 host 1.1.1.1 host 2.2.2.2 Active SAs: 2, origin: crypto map Inbound: #pkts dec'ed 9 drop 0 life (KB/Sec) 4586052/3575 Outbound: #pkts enc'ed 9 drop 11 life (KB/Sec) 4586052/3575The show crypto isakmp sa and show crypto ipsec sa commands show IKE Phase 1 and Phase 2 SA respectively.
IKE Phase 1 & 2 SA
R1# show crypto isakmp sadst src state conn-id slot status2.2.2.2 1.1.1.1 QM_IDLE 1 0 ACTIVER1# show crypto ipsec sainterface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0) current_peer 2.2.2.2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9 #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 11, #recv errors 0 local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2 path mtu 1514, ip mtu 1514, ip mtu idb Loopback0 current outbound spi: 0x4F11F20E(1326576142) inbound esp sas: spi: 0x3861DD57(945937751) transform: esp-des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2001, flow_id: SW:1, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4586052/3201) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x4F11F20E(1326576142) transform: esp-des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2002, flow_id: SW:2, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4586052/3200) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:The following output shows R1 sending ESP encapsulated packets (protocol 50).
debug ip packet detail
IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.2 (Serial0/0), routed via FIBIP: s=1.1.1.1 (local), d=2.2.2.2 (Serial0/0), g=10.1.1.2,len 176, forward, proto=50IP: tableid=0, s=2.2.2.2 (Serial0/0), d=1.1.1.1 (Loopback0), routed via RIBIP: s=2.2.2.2 (Serial0/0), d=1.1.1.1, len 124, rcvd 4, proto=47IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.2 (Serial0/0), routed via FIBIP: s=1.1.1.1 (local), d=2.2.2.2 (Serial0/0), g=10.1.1.2,len 176, forward, proto=50IP: tableid=0, s=2.2.2.2 (Serial0/0), d=1.1.1.1 (Loopback0), routed via RIBIP: s=2.2.2.2 (Serial0/0), d=1.1.1.1, len 124, rcvd 4, proto=47IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.2 (Serial0/0), routed via FIBIP: s=1.1.1.1 (local), d=2.2.2.2 (Serial0/0), g=10.1.1.2,len 176, forward, proto=50IP: tableid=0, s=2.2.2.2 (Serial0/0), d=1.1.1.1 (Loopback0), routed via RIBIP: s=2.2.2.2 (Serial0/0), d=1.1.1.1, len 124, rcvd 4, proto=47IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.2 (Serial0/0), routed via FIBIP: s=1.1.1.1 (local), d=2.2.2.2 (Serial0/0), g=10.1.1.2,len 176, forward, proto=50IP: tableid=0, s=2.2.2.2 (Serial0/0), d=1.1.1.1 (Loopback0), routed via RIBIP: s=2.2.2.2 (Serial0/0), d=1.1.1.1, len 124, rcvd 4, proto=47IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.2 (Serial0/0), routed via FIBIP: s=1.1.1.1 (local), d=2.2.2.2 (Serial0/0), g=10.1.1.2,len 176, forward, proto=50IP: tableid=0, s=2.2.2.2 (Serial0/0), d=1.1.1.1 (Loopback0), routed via RIBIP: s=2.2.2.2 (Serial0/0), d=1.1.1.1, len 124, rcvd 4, proto=47Page updated
Google Sites
Report abuse