Configuring a secure GRE tunnel over IPsec
To enable secure communication between remote resources and data transmission over public channels such as the internet, one uses technologies for setting up secure connections, such as IPsec.
To extend the IPsec features (for example, to run a dynamic routing protocol through the tunnel), it is handy to use GRE (Generic Routing Encapsulation). Keep in mind that GRE itself provides neither confidentiality nor integrity: the traffic in the tunnel is protected only because the GRE packets are encapsulated in IPsec.
In this example, you will create a secure GRE over IPsec tunnel between two Cisco CSR 1000v virtual routers hosted in different virtual networks and availability zones in Yandex Cloud.
IPsec settings are provided for NAT-T (NAT Traversal): each router's GigabitEthernet1 interface has a private address and reaches the internet through the VM's public address via NAT, so IKEv2 and ESP are carried in UDP on port 4500.
To configure a secure tunnel between two virtual routers:
- Prepare your cloud.
- Create an SSH key pair.
- Create folders.
- Create two VMs with a Cisco Cloud Services Router.
- Configure IPSec protocols.
- Create tunnel interfaces.
- Configure routing.
- Test the tunnel.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
Alert
If using a Cisco CSR 1000v image without a license, the router throughput is limited to 100 kbps. To remove this limit, install a license.
The infrastructure support cost includes:
- Fee for disks and continuously running VMs (see Yandex Compute Cloud pricing).
- Fee for using an external IP address (see Yandex Virtual Private Cloud pricing).
Create an SSH key pair
To connect to a VM over SSH, you need a key pair: the public key resides on the VM, and the private one is kept by the user. This method is more secure than connecting with login and password.
Note
SSH connections using a login and password are disabled by default on public Linux images that are provided by Yandex Cloud.
Cisco Cloud Services Router (CSR) 1000v only supports keys generated using the RSA algorithm.
To create a key pair:
Linux, macOS:
- Open the terminal.
- Use the ssh-keygen command to create a new key:
  ssh-keygen -t rsa -b 2048
  After you run the command, you will be asked to specify the names of the files where the keys will be saved and to enter a passphrase for the private key. Set a non-empty passphrase: it is the only protection of the private key at rest. The default name is id_rsa. Keys are created in the ~/.ssh directory. The public part of the key will be saved to the <key_name>.pub file.
Windows:
- Run cmd.exe or powershell.exe.
- Use the ssh-keygen command to create a new key:
  ssh-keygen -t rsa -b 2048
  After you run the command, you will be asked to specify the names of the files where the keys will be saved and to enter a passphrase for the private key. The default name is id_rsa. The keys are created in C:\Users\<username>\.ssh\ or C:\Users\<username>\ depending on the command-line interface. The public part of the key will be saved to a file named <key_name>.pub.
Alternatively, create keys using the PuTTY app:
- Download and install PuTTY.
- Make sure that the directory where you installed PuTTY is included in PATH:
  - Right-click My computer. Click Properties.
  - In the window that opens, select Additional system parameters, then Environment variables (located in the lower part of the window).
  - Under System variables, find PATH and click Edit.
  - In the Variable value field, append the path to the directory where you installed PuTTY.
- Launch the PuTTYgen app.
- Select RSA for the type of pair to generate and set the length to 2048. Click Generate and move the cursor in the field above it until key creation is complete.
- In Key passphrase, enter a strong password. Enter it again in the field below.
- Click Save private key and save the private key. Do not share its passphrase with anyone.
- Save the public key to a text file. To do this, copy the public key from the text field to a text file with the name id_rsa.pub. Please note that the key must be written as a single line (no returns or line breaks).
Warning
Save the private key in a secure location, as you will not be able to connect to the VM without it.
Create folders
To test tunneling between two different virtual networks, place Yandex Cloud resources in different folders. To create a new folder:
Management console:
- In the management console, select a cloud and click Create folder at the top right.
- Enter the folder name: site-a.
- Add a folder description, if required.
- Select Create a default network.
- Click Create.
CLI:
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
Create a folder:
  yc resource-manager folder create \
    --name site-a \
    --description "Folder for site-a"
API:
To create a folder, use the create REST API method for the Folder resource or the FolderService/Create gRPC API call.
Terraform:
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- In the configuration file, describe the parameters of the resources you want to create:
  resource "yandex_resourcemanager_folder" "folder1" {
    cloud_id    = "<cloud_ID>"
    name        = "site-a"
    description = "Folder for site-a"
  }
  For more information about the parameters of the yandex_resourcemanager_folder resource in Terraform, see the provider documentation.
- Make sure the configuration files are correct:
  - In the command line, go to the directory where you created the configuration file.
  - Check the configuration using this command:
    terraform validate
    If the configuration is correct, you will get this message:
    Success! The configuration is valid.
  - Run this command:
    terraform plan
    If the configuration is described correctly, the terminal will display a list of the resources to be created and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources:
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm creating the resources: type yes in the terminal and press Enter.
  The folder will be created in the specified cloud. You can check the new folder and its settings using the management console or this CLI command:
    yc resource-manager folder list
Repeat the steps to create a second folder named site-b.
Create two VMs with a Cisco Cloud Services Router
Create your first VM with a Cisco Cloud Services Router
- In the management console, select site-a.
- Click Create resource and select the Virtual machine instance option.
- Enter a name for the VM, e.g., cisco-router-a.
- In the Availability zone list, select ru-central1-a.
- Under Boot disk image, go to the Marketplace tab and select the Cisco CSR image.
- Under Computing resources, choose a VM platform and specify the required number of vCPUs and the amount of RAM:
  - Platform: Intel Ice Lake
  - vCPU: 2
  - Guaranteed vCPU performance: 100%
  - RAM: 4 GB
- Under Network settings, select the network and subnet to connect the VM to, and assign a public IP address to the VM: the IPsec peer and your SSH sessions reach the router through that address.
- Under Access, specify the information required to access the instance:
  - Enter the username in the Login field.
  - In the SSH key field, paste the contents of the previously generated public key file.
  - In the Advanced field, select Access to serial console.
- Click Create VM.
It may take a few minutes to create the VM. When the VM status changes to RUNNING, you can use the serial console.
Set the host name for the router
- In the management console, select the folder containing your VM.
- Select Compute Cloud.
- Select cisco-router-a from the VM list.
- Go to the Serial console tab and click Connect.
- Wait for the operating system to start up completely.
- To switch to privileged mode, run the following command in the serial console:
  enable
- Enter the configuration mode and set the host name for the router:
  conf t
  hostname cisco-router
  The router name at the beginning of the command line should change to cisco-router.
Create a user with administrative rights
Create a user with administrative rights (privilege level 15) and no password, so that the user can authenticate only with an SSH key. In the serial console, in configuration mode, run this command:
  username test-user privilege 15
Prepare a key
If your public SSH key is longer than 72 characters, split it into chunks of 72 characters each:
- In your computer terminal, run this command:
  fold -bw 72 <path_to_file_with_public_key>
  This will output your public SSH key split into chunks of 72 characters each.
- Save the key hash:
  ssh-keygen -E md5 -lf <path_to_file_with_public_key>
  The router identifies a key by the MD5 hash of its decoded contents, so this is the value you will compare with the router configuration once the key is added.
Configure authentication using SSH keys
- In the serial console, enable access to the VM over SSH:
  conf t
  aaa new-model
  ip ssh server algorithm authentication publickey
  ip ssh pubkey-chain
- Create a user named test-user and provide your public SSH key in the chunks that you split it into in the previous step:
  username test-user
  key-string
  <public_key_string>
  ...
  <public_key_string>
  exit
  exit
  exit
  exit
- Make sure that the key is added:
  show run | beg ip ssh
  Result:
  ip ssh pubkey-chain
    username test-user
      key-hash ssh-rsa <key_hash> <username_associated_with_this_key>
  !
  !
  ...
  Compare the SSH key hash on the router with the key hash on your computer. The router shows the MD5 hash as 32 hexadecimal characters without separators, while ssh-keygen -E md5 prints it as MD5: followed by colon-separated byte pairs; the hexadecimal digits must be identical. A mismatch means a chunk was pasted incorrectly or a different key was pasted.
- In the serial console, set the password that enables privileged mode:
  cisco-router#configure terminal
  cisco-router(config)#enable secret <password>
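As an added example (not part of the original tutorial, and not Cisco's or Yandex Cloud's tooling), the Python script below does the local side of the key preparation and the hash comparison offline: it decodes an OpenSSH public-key line and checks that the key type inside the base64 blob matches the prefix, splits the line into 72-character chunks the way fold -bw 72 does, computes the MD5 fingerprint that ssh-keygen -E md5 -lf prints, and compares that fingerprint with a key-hash line from show run | beg ip ssh. The key embedded in it is constructed on the fly from an arbitrary number and is not a real RSA key; that the router prints the hash as 32 hexadecimal digits without separators is taken from the Result block above.

```python
import base64
import hashlib
import re
import struct


def _mpint(n: int) -> bytes:
    """SSH mpint: big-endian with an extra zero byte when the top bit is set."""
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def _sshstr(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


# Constructed sample key, NOT a real RSA key: the wire format of an ssh-rsa public
# key is the string "ssh-rsa", the mpint e and the mpint n. The modulus here is an
# arbitrary number, so the example runs offline without touching any real key.
_FAKE_E = 65537
_FAKE_N = int("C0FFEE" * 40, 16)
SAMPLE_PUBKEY = (
    "ssh-rsa "
    + base64.b64encode(_sshstr(b"ssh-rsa") + _mpint(_FAKE_E) + _mpint(_FAKE_N)).decode()
    + " user@laptop"
)


def parse_pubkey(line: str):
    """Split an OpenSSH public-key line into (type, decoded blob, comment) and
    refuse it if the type stored inside the blob differs from the prefix."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != ktype:
        raise ValueError("key type inside the blob does not match the prefix")
    return ktype, blob, comment


def md5_fingerprint(line: str) -> str:
    """The value `ssh-keygen -E md5 -lf` prints, without the MD5: prefix and colons:
    MD5 over the decoded key blob (the comment is not part of it)."""
    _, blob, _ = parse_pubkey(line)
    return hashlib.md5(blob).hexdigest()


def chunks_for_key_string(line: str, width: int = 72) -> list:
    """Equivalent of `fold -bw 72` on the .pub file: the whole line, prefix and
    comment included, cut into pieces to paste one per line under key-string."""
    s = line.strip()
    return [s[i:i + width] for i in range(0, len(s), width)]


def normalize_hash(text: str) -> str:
    """Accept either the ssh-keygen form ('2048 MD5:ab:cd:... user (RSA)') or the
    router form ('key-hash ssh-rsa ABCD... user') and return 32 lowercase hex digits."""
    m = re.search(r"MD5:((?:[0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2})", text)
    if m:
        return m.group(1).replace(":", "").lower()
    m = re.search(r"\b[0-9a-fA-F]{32}\b", text)
    if m:
        return m.group(0).lower()
    raise ValueError("no MD5 key hash found in: " + text)


def router_hash_matches(local_fingerprint_output: str, show_run_line: str) -> bool:
    """True when the key-hash line from 'show run | beg ip ssh' carries the same
    MD5 value as the local ssh-keygen output."""
    return normalize_hash(local_fingerprint_output) == normalize_hash(show_run_line)


if __name__ == "__main__":
    for chunk in chunks_for_key_string(SAMPLE_PUBKEY):
        print(chunk)
    fp = md5_fingerprint(SAMPLE_PUBKEY)
    local = "2048 MD5:" + ":".join(fp[i:i + 2] for i in range(0, 32, 2)) + " user@laptop (RSA)"
    router = "  key-hash ssh-rsa " + fp.upper() + " user@laptop"
    print("router key matches local key:", router_hash_matches(local, router))
```

Run it against your own key by replacing SAMPLE_PUBKEY with the contents of your .pub file and the router string with the key-hash line copied from the serial console; a False result means the wrong key, or a corrupted chunk, was pasted under key-string.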
Check the SSH connection to the router
- Log in to the router via SSH by running this command in your computer terminal:
  ssh -i <path_to_file_with_private_key> test-user@<router_public_IP_address>
  If everything is configured correctly, you will log in to the router as test-user. If the connection is not established, check in the serial console that the router is configured correctly: the aaa new-model command was run, the key hashes on your computer and on the router are the same, and no password is set for the test user. If you still cannot find the issue, repeat the previous steps.
- Switch to privileged mode: enter the enable command and the enable password. If everything is configured correctly, you can now configure the router.
Create and set up a second VM with a Cisco Cloud Services Router
- In the site-b folder, create a VM named cisco-router-b by following the above steps. Select ru-central1-b as its availability zone.
- Set up the VM in the same way as the cisco-router-a VM.
Configure IPSec protocols
Warning
- The settings are the same on both VMs, except the specifically mentioned parameters.
- The setup is performed in the terminal connected to the VM over SSH in privileged mode.
- Configure global parameters for IKEv2 (IKEv2 logging, NAT-T keepalives so that the NAT mapping for port 4500 does not expire while the tunnel is idle, and dead peer detection):
  conf t
  crypto logging ikev2
  crypto ikev2 nat keepalive 900
  crypto ikev2 dpd 10 2 periodic
- Configure an IKEv2 proposal:
  crypto ikev2 proposal MY_IKEV2_PROPOSAL
  encryption aes-cbc-256
  integrity sha256
  group 2
  exit
  Note
  DH group 2 (1024-bit MODP) is kept here because it matches the sample output in the "Create tunnel interfaces" section, but it is below current recommendations. Outside of a test setup, use a stronger group on both routers (e.g., group 14 or group 19) and expect the corresponding DH Grp value in the output.
- Configure an IKEv2 policy:
  crypto ikev2 policy MY_IKEV2_POLICY
  proposal MY_IKEV2_PROPOSAL
  exit
- Set a pre-shared key:
  Cisco-router-a VM:
  crypto ikev2 keyring MY_IKEV2_KEYRING
  peer SiteB
  address <cisco-router-b_public_IP>
  pre-shared-key <secret_key>
  exit
  Cisco-router-b VM:
  crypto ikev2 keyring MY_IKEV2_KEYRING
  peer SiteA
  address <cisco-router-a_public_IP>
  pre-shared-key <secret_key>
  exit
  Where:
  <cisco-router-a_public_IP>, <cisco-router-b_public_IP>: Public IP addresses of the cisco-router-a and cisco-router-b VMs. The keyring entry is selected by the source address of the peer's IKEv2 packets, which after NAT is the peer's public address.
  <secret_key>: Pre-shared key that is at least 16 characters long, e.g., MySecretKey12345. Use the same key on both VMs. Do not use a guessable value like the example outside of a test; generate a random key, e.g., with openssl rand -base64 24.
- Create an IKEv2 profile:
  Cisco-router-a VM:
  crypto ikev2 profile MY_IKEV2_PROFILE
  match address local interface GigabitEthernet1
  match identity remote address <cisco-router-b_address>
  authentication remote pre-share
  authentication local pre-share
  keyring local MY_IKEV2_KEYRING
  lifetime 28800
  dpd 20 2 periodic
  exit
  Cisco-router-b VM:
  crypto ikev2 profile MY_IKEV2_PROFILE
  match address local interface GigabitEthernet1
  match identity remote address <cisco-router-a_address>
  authentication remote pre-share
  authentication local pre-share
  keyring local MY_IKEV2_KEYRING
  lifetime 28800
  dpd 20 2 periodic
  exit
  Where <cisco-router-a_address> and <cisco-router-b_address> are the addresses the peers present as their IKEv2 identity. By default an IOS-XE router uses the IP address of the interface it negotiates from, so behind NAT the peer presents its private GigabitEthernet1 address rather than its public one; if the tunnel does not come up because of an identity mismatch, the identity reported in debug crypto ikev2 output is the address to use here.
  Note
  For testing purposes, you can use match identity remote address 0.0.0.0 instead of a specific address: the profile then accepts an IKEv2 negotiation from any peer that presents the correct pre-shared key. Do not leave that in place outside a test.
  You can also set up separate profiles for different peers.
- Create an IPsec transform set and an IPsec profile that references the IKEv2 profile:
  crypto ipsec transform-set ESP_AES128_SHA256 esp-aes esp-sha256-hmac
  mode tunnel
  exit
  crypto ipsec profile MY_IPSEC_PROFILE
  set transform-set ESP_AES128_SHA256
  set ikev2-profile MY_IKEV2_PROFILE
  exit
  exit
  Here esp-aes selects AES-128 and esp-sha256-hmac selects HMAC-SHA-256, which is what the transform-set name promises; the keyword esp-sha-hmac would select HMAC-SHA-1 instead.
Create tunnel interfaces
Warning
- The settings are the same on both VMs, except the specifically mentioned parameters.
- The setup is performed in the terminal connected to the VM over SSH in privileged mode.
- Configure the tunnel interface:
  Cisco-router-a VM:
  conf t
  interface Tunnel192
  ip address 192.168.0.1 255.255.255.0
  no ip redirects
  no ip proxy-arp
  ip mtu 1400
  ip tcp adjust-mss 1360
  tunnel source GigabitEthernet1
  tunnel destination <cisco-router-b_public_IP>
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile MY_IPSEC_PROFILE
  Cisco-router-b VM:
  conf t
  interface Tunnel192
  ip address 192.168.0.2 255.255.255.0
  no ip redirects
  no ip proxy-arp
  ip mtu 1400
  ip tcp adjust-mss 1360
  tunnel source GigabitEthernet1
  tunnel destination <cisco-router-a_public_IP>
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile MY_IPSEC_PROFILE
  Where <cisco-router-a_public_IP> and <cisco-router-b_public_IP> are the public IP addresses of the VMs. The ip mtu 1400 and ip tcp adjust-mss 1360 settings leave room for the tunnel, ESP and NAT-T UDP headers below the 1500-byte MTU of GigabitEthernet1, so that packets sent through the tunnel are not fragmented.
  Note
  With tunnel mode ipsec ipv4 the interface is an IPsec virtual tunnel interface (VTI): the inner IP packets are carried directly in ESP, without a GRE header. If you need GRE encapsulation (for example, to carry non-IP or multicast traffic through the tunnel), omit the tunnel mode ipsec ipv4 line: the default tunnel mode is GRE over IP, and tunnel protection ipsec profile then encrypts the GRE packets. Use the same mode on both routers.
- Check whether the tunnel is there:
  Cisco-router-b VM:
  show crypto ikev2 sa remote <cisco-router-a_public_IP>
  Result:
  Tunnel-id Local                 Remote                fvrf/ivrf      Status
  4         10.128.0.32/4500      51.250.***.***/4500   none/none      READY
        Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
        Life/Active Time: 28800/23528 sec
  The Status must be READY; port 4500 on both sides shows that NAT-T is in use, and the Encr, PRF, Hash and DH Grp fields must be the algorithms from your IKEv2 proposal.
  You can also view tunnel logs by running these commands:
  debug crypto ikev2
  conf t
  do show log
  Turn debugging off again with undebug all when you are done.
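As an added example (not from the original tutorial), the Python script below parses show crypto ikev2 sa output like the result above and checks the negotiated SA against the policy you intended: status READY, AES-CBC-256 with SHA-256 PRF and integrity, PSK on both sides, NAT-T port 4500 on both ends, the expected peer address and an allowed DH group. The sample output is constructed from the result shown above with the masked remote address replaced by 51.250.0.10; the ExpectedPolicy defaults, including the set of allowed DH groups, are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the "show crypto ikev2 sa" result from this tutorial with the
# masked remote address replaced by a placeholder. Not captured from a live router.
SAMPLE_SHOW_SA = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
4         10.128.0.32/4500      51.250.0.10/4500      none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28800/23528 sec

 IPv6 Crypto IKEv2  SA
"""


@dataclass
class Ikev2Sa:
    tunnel_id: int
    local: str
    local_port: int
    remote: str
    remote_port: int
    status: str
    encr: str
    keysize: int
    prf: str
    integrity: str
    dh_group: int
    auth_sign: str
    auth_verify: str
    lifetime: int
    active: int


_ROW = re.compile(r"^(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+\S+\s+(\S+)$")
_ALG = re.compile(r"Encr:\s*(\S+),\s*keysize:\s*(\d+),\s*PRF:\s*(\S+),\s*Hash:\s*(\S+),"
                  r"\s*DH Grp:\s*(\d+),\s*Auth sign:\s*(\S+),\s*Auth verify:\s*(\S+)")
_LIFE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")


def parse_show_ikev2_sa(text: str) -> List[Ikev2Sa]:
    """Turn the IOS-XE 'show crypto ikev2 sa' text into one record per SA."""
    sas: List[Ikev2Sa] = []
    row = alg = None
    for line in text.splitlines():
        s = line.strip()
        m = _ROW.match(s)
        if m:                      # header row of an SA: id, endpoints, status
            row, alg = m.groups(), None
            continue
        m = _ALG.search(s)
        if m and row is not None:  # algorithm line that follows the header row
            alg = m.groups()
            continue
        m = _LIFE.search(s)
        if m and row is not None and alg is not None:
            sas.append(Ikev2Sa(int(row[0]), row[1], int(row[2]), row[3], int(row[4]), row[5],
                               alg[0], int(alg[1]), alg[2], alg[3], int(alg[4]), alg[5], alg[6],
                               int(m.group(1)), int(m.group(2))))
            row = alg = None
    return sas


@dataclass(frozen=True)
class ExpectedPolicy:
    # Assumed defaults for the example: the IKEv2 proposal from this tutorial, except
    # that DH group 2 is deliberately not in the allowed set so the check flags it.
    encr: str = "AES-CBC"
    keysize: int = 256
    prf: str = "SHA256"
    integrity: str = "SHA256"
    auth: str = "PSK"
    allowed_dh_groups: frozenset = frozenset({14, 15, 16, 19, 20, 21})
    expected_remote: Optional[str] = None
    natt_port: int = 4500


def check_sa(sa: Ikev2Sa, policy: ExpectedPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means the SA is acceptable."""
    problems = []
    if sa.status != "READY":
        problems.append(f"status is {sa.status}, not READY")
    if (sa.encr, sa.keysize) != (policy.encr, policy.keysize):
        problems.append(f"encryption {sa.encr}-{sa.keysize} differs from {policy.encr}-{policy.keysize}")
    if sa.prf != policy.prf or sa.integrity != policy.integrity:
        problems.append(f"PRF/integrity {sa.prf}/{sa.integrity} differ from {policy.prf}/{policy.integrity}")
    if sa.dh_group not in policy.allowed_dh_groups:
        problems.append(f"DH group {sa.dh_group} is not in the allowed set {sorted(policy.allowed_dh_groups)}")
    if (sa.auth_sign, sa.auth_verify) != (policy.auth, policy.auth):
        problems.append(f"authentication {sa.auth_sign}/{sa.auth_verify} differs from {policy.auth}")
    if policy.expected_remote and sa.remote != policy.expected_remote:
        problems.append(f"peer {sa.remote} is not the expected peer {policy.expected_remote}")
    if sa.local_port != policy.natt_port or sa.remote_port != policy.natt_port:
        problems.append(f"ports {sa.local_port}/{sa.remote_port}: NAT-T on UDP {policy.natt_port} not in use")
    return problems


if __name__ == "__main__":
    for sa in parse_show_ikev2_sa(SAMPLE_SHOW_SA):
        for problem in check_sa(sa, ExpectedPolicy(expected_remote="51.250.0.10")):
            print(f"tunnel {sa.tunnel_id}: {problem}")
```

Run on the sample, the only finding is the DH group 2 negotiated by the tutorial's proposal; paste your own router output into SAMPLE_SHOW_SA and set expected_remote to the peer's public address to check a real tunnel.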
Configure routing
Warning
- The settings are the same on both VMs, except the specifically mentioned parameters.
- The setup is performed in the terminal connected to the VM over SSH in privileged mode.
- Give each router an address to test reachability through the tunnel by configuring a loopback interface:
  Cisco-router-a VM:
  conf t
  interface Loopback10
  ip address 10.1.1.1 255.255.255.255
  exit
  Cisco-router-b VM:
  conf t
  interface Loopback10
  ip address 10.1.1.2 255.255.255.255
  exit
- To enable dynamic routing over the tunnel, configure the Border Gateway Protocol (BGP). The routers use private AS numbers 65001 and 65002 and peer over the tunnel addresses, so the BGP session itself is carried inside IPsec:
  Cisco-router-a VM:
  router bgp 65001
  bgp log-neighbor-changes
  neighbor 192.168.0.2 remote-as 65002
  address-family ipv4
  network 10.1.1.1 mask 255.255.255.255
  neighbor 192.168.0.2 activate
  exit
  exit
  exit
  Cisco-router-b VM:
  router bgp 65002
  bgp log-neighbor-changes
  neighbor 192.168.0.1 remote-as 65001
  address-family ipv4
  network 10.1.1.2 mask 255.255.255.255
  neighbor 192.168.0.1 activate
  exit
  exit
  exit
Test the GRE tunnel
Make sure the packets are sent and returned through the tunnel. To check this on the cisco-router-a VM, run:
  ping 10.1.1.2 source lo10
Result:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/11 ms
To inspect the state of the tunnel interface and of BGP routing over it, you can also run the following commands:
show ip int brief
show ip bgp summary
show ip bgp
show ip route bgp
How to delete the resources you created
To stop paying for the resources you created: