Configuring a secure GRE tunnel over IPsec
To enable secure communication between remote resources and data transmission via public communication channels, e.g., the internet, one uses technologies for setting up secure connections, such as the IPsec protocol. However, IPsec has a number of significant limitations: it is only designed for IP packet transmission, does not support multicast delivery, and cannot be combined with other protocols within a single request.
To extend the IPsec features, it is handy to use the GRE protocol in the GRE over IPsec configuration. GRE encapsulates network packets in IP packets, which enables you to transmit any traffic over IPsec.
In this example, you will create a secure GRE over IPsec tunnel between two Cisco CSR 1000v virtual routers hosted in different virtual networks and availability zones in Yandex Cloud.
IPsec settings are provided for NAT-T (NAT Traversal) mode, since Yandex Cloud uses NAT, while GRE does not support using ports. This mode enables router IP address translation with NAT when using a GRE over IPsec tunnel. This makes the tunnel configuration described in our example suitable for both the cloud infrastructure in Yandex Cloud and remote resources placed behind the device providing the NAT functionality.
To configure a secure tunnel between two virtual routers:
- Prepare your cloud.
- Create an SSH key pair.
- Create folders.
- Create two VMs with a Cisco Cloud Services Router.
- Configure IPSec protocols.
- Create tunnel interfaces.
- Configure routing.
- Test the tunnel.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the
ACTIVEorTRIAL_ACTIVEstatus. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.
Learn more about clouds and folders.
Required paid resources
Alert
If using a Cisco CSR 1000v image without a license, the router throughput is limited to 100 kbps. To remove this limit, install a license.
The infrastructure support cost includes:
- Fee for disks and continuously running VMs (see Yandex Compute Cloud pricing).
- Fee for using an external IP address (see Yandex Virtual Private Cloud pricing).
Create an SSH key pair
To connect to a VM over SSH, you need a key pair: the public key resides on the VM, and the private one is kept by the user. This method is more secure than connecting with login and password.
Note
SSH connections using a login and password are disabled by default on public Linux images that are provided by Yandex Cloud.
Cisco Cloud Services Router (CSR) 1000v only supports keys generated using the RSA algorithm.
To create a key pair:
-
Open the terminal.
-
Use the
ssh-keygencommand to create a new key:ssh-keygen -t rsa -b 2048After you run the command, you will be asked to specify the names of files where the keys will be saved and enter the password for the private key. The default name is
id_rsa. Keys are created in the~/.sshdirectory.The public part of the key will be saved to the
<key_name>.pubfile.
-
Run
cmd.exeorpowershell.exe. -
Use the
ssh-keygencommand to create a new key:ssh-keygen -t rsa -b 2048After you run the command, you will be asked to specify the names of files where the keys will be saved and enter the password for the private key. The default name is
id_rsa. The keys are created inC:\Users\<username>\.ssh\orC:\Users\<username>\depending on the command-line interface.The public part of the key will be saved to a file named
<key name>.pub.
Create keys using the PuTTY app:
-
Download and install PuTTY.
-
Make sure that the directory where you installed PuTTY is included in
PATH:- Right-click My computer. Click Properties.
- In the window that opens, select Additional system parameters, then Environment variables (located in the lower part of the window).
- Under System variables, find
PATHand click Edit. - In the Variable value field, append the path to the directory where you installed PuTTY.
-
Launch the PuTTYgen app.
-
Select RSA for the type of pair to generate and set the length to 2048. Click Generate and move the cursor in the field above it until key creation is complete.
-
In Key passphrase, enter a strong password. Enter it again in the field below.
-
Click Save private key and save the private key. Do not share its key phrase with anyone.
-
Save the key to a text file. To do this, copy the public key from the text field to a text file with the name
id_rsa.pub. Please note that the key must be written as a single line (no returns or line breaks).
Warning
Save the private key in a secure location, as you will not be able to connect to the VM without it.
Create folders
To test tunneling between two different virtual networks, place Yandex Cloud resources in different folders. To create a new folder:
- In the management console, select a cloud and click
Create folder at the top right. - Enter the folder name:
site-a. - Add a folder description, if required.
- Select Create a default network.
- Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
Create a folder:
yc resource-manager folder create \
--name site-a \
--description "Folder for site-a"
To create a folder, use the create REST API method for the Folder resource or the FolderService/Create gRPC API call.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
In the configuration file, describe the parameters of the resources you want to create:
resource "yandex_resourcemanager_folder" "folder1" { cloud_id = "<cloud ID>" name = "site-a" description = "Folder for site-a" }For more information about the parameters of the
yandex_resourcemanager_folderresource in Terraform, see the provider documentation. -
Make sure the configuration files are correct.
-
In the command line, go to the directory where you created the configuration file.
-
Check the configuration using this command:
terraform validateIf the configuration is correct, you will get this message:
Success! The configuration is valid. -
Run this command:
terraform planIf the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply -
Confirm creating the resources: type
yesin the terminal and press Enter.
The folder will be created in the specified cloud. You can check the new folder and its settings using the management console or this CLI command:
yc resource-manager cloud list -
Repeat the steps to create a second folder named site-b.
Create two VMs with a Cisco Cloud Services Router
Create your first VM with a Cisco Cloud Services Router
- In the management console, select
site-a. - Click Create resource and select the Virtual machine instance option.
- Enter a name for the VM, e.g.,
cisco-router-a. - In the Availability zone list, select ru-central1-a.
- Under Boot disk image, go to the Marketplace tab and select the Cisco CSR image.
- Under Computing resources:
- Choose a VM platform.
- Specify the required number of vCPUs and the amount of RAM:
- Platform:
Intel Ice Lake - vCPU:
2 - Guaranteed vCPU performance:
100% - RAM:
4 GB
- Platform:
- Under Network settings, select the network and subnet to connect the VM to.
- Under Access, specify the information required to access the instance:
- Enter the username in the Login field.
- In the SSH key field, paste the contents of the previously generated public key file.
- In the Advanced field, select Access to serial console.
- Click Create VM.
It may take a few minutes to create the VM. When the VM status changes to RUNNING, you can use the serial console.
Set the host name for the router
-
In the management console, select the folder containing your VM.
-
Select Compute Cloud.
-
Select
cisco-router-afrom the VM list. -
Go to the Serial console tab and click Connect.
-
Wait for the operating system to start up completely.
-
To switch to privileged mode, run the following command in the serial console:
enable -
Enter the configuration mode and set the host name for the router:
conf t hostname cisco-routerThe router name at the beginning of the command line should change to
cisco-router.
Create a user with the administrative rights
Create a user with the administrative rights and password authentication disabled:
In the serial console, run this command:
username test-user privilege 15
Prepare a key
If your public SSH key is longer than 72 characters, split it into chunks of 72 characters each:
-
In your computer terminal, run this command:
fold -bw 72 <path_to_file_with_public key>This will output your public SSH key split into chunks, 72 characters in each.
-
Save the key hash:
ssh-keygen -E md5 -lf <path_to_file_with_public_key>
Configure authentication using SSH keys
-
In the serial console, enable access to the VM over SSH:
conf t aaa new-model ip ssh server algorithm authentication publickey ip ssh pubkey-chain -
Create a user named
test-userand provide your public SSH key in chunks that you split it into in the previous step:username test-user key-string <public_key_string> ... <public_key_string> exit exit exit exit -
Make sure that the key is added:
show run | beg ip sshResult:
ip ssh pubkey-chain username test-user key-hash ssh-rsa <key_hash> <username_associated_with_this_key> ! ! ...Compare the SSH key hash on the router with the key hash on your computer.
-
In the serial console, enter the password that enables the privileged mode:
cisco-router#configure terminal cisco-router(config)#enable secret <password>
Check the SSH connection to the router
-
Log in to the router via SSH by running this command in your computer terminal:
ssh -i <path_to_file_with_private_key> test-user@<router_public_IP_address>If everything is configured correctly, you will log in to the router under
test-user. If the connection is not established, make sure that the router is configured correctly in the serial console: theaaa new-modelcommand was run, the key hashes are the same on your computer and the router, and password authorization for the test user is disabled. If still unable to locate the issue, repeat the previous steps. -
Switch to privileged mode. Enter the
enablecommand and password. If everything is configured correctly, you can configure the router.
Create and set up a second VM with a Cisco Cloud Services Router
- In the
site-bfolder, create a VM namedcisco-router-bby following the above steps. Select ru-central1-b as its availability zone. - Set up the VM in the same way as the
cisco-router-aVM.
Configure IPSec protocols
Warning
- The settings are the same on both VMs, except the specifically mentioned parameters.
- The setup is performed in the terminal connected to the VM over SSH in privileged mode.
-
Configure global parameters for IKEv2:
conf t crypto logging ikev2 crypto ikev2 nat keepalive 900 crypto ikev2 dpd 10 2 periodic -
Configure an IKEv2
proposal:crypto ikev2 proposal MY_IKEV2_PROPOSAL encryption aes-cbc-256 integrity sha256 group 2 exit -
Configure an IKEv2
policy:crypto ikev2 policy MY_IKEV2_POLICY proposal MY_IKEV2_PROPOSAL exit -
Set a secret key:
Cisco-router-a VMCisco-router-b VMcrypto ikev2 keyring MY_IKEV2_KEYRING peer SiteB address cisco-router-b pre-shared-key <secret_key> exitcrypto ikev2 keyring MY_IKEV2_KEYRING peer SiteA address cisco-router-a pre-shared-key <secret_key> exitWhere:
<secret_key>: Encryption key that is at least 16 characters long, e.g.,MySecretKey12345. Use the same key on both VMs.
-
Create an IKEv2 profile:
Cisco-router-a VMCisco-router-b VMcrypto ikev2 profile MY_IKEV2_PROFILE match address local interface GigabitEthernet1 match identity remote address cisco-router-b authentication remote pre-share authentication local pre-share keyring local MY_IKEV2_KEYRING lifetime 28800 dpd 20 2 periodic exitcrypto ikev2 profile MY_IKEV2_PROFILE match address local interface GigabitEthernet1 match identity remote address cisco-router-a authentication remote pre-share authentication local pre-share keyring local MY_IKEV2_KEYRING lifetime 28800 dpd 20 2 periodic exitNote
For testing purposes, you can use the
0.0.0.0template instead of IP addresses to provide access to any IP.
You can also set up separate profiles for different peers. -
Add the IKEv2 profile to the IPsec profile:
crypto ipsec transform-set ESP_AES128_SHA256 esp-aes esp-sha-hmac mode tunnel exit crypto ipsec profile MY_IPSEC_PROFILE set transform-set ESP_AES128_SHA256 set ikev2-profile MY_IKEV2_PROFILE exit exit
Create tunnel interfaces
Warning
- The settings are the same on both VMs, except the specifically mentioned parameters.
- The setup is performed in the terminal connected to the VM over SSH in privileged mode.
-
Configure the GRE tunnel:
Cisco-router-a VMCisco-router-b VMconf t int tu192 ip address 192.168.0.1 255.255.255.0 no ip redirects no ip proxy-arp ip mtu 1400 ip tcp adjust-mss 1360 tunnel source GigabitEthernet1 tunnel destination cisco-router-b tunnel mode ipsec ipv4 tunnel protection ipsec profile MY_IPSEC_PROFILEconf t int tu192 ip address 192.168.0.2 255.255.255.0 no ip redirects no ip proxy-arp ip mtu 1400 ip tcp adjust-mss 1360 tunnel source GigabitEthernet1 tunnel destination cisco-router-a tunnel mode ipsec ipv4 tunnel protection ipsec profile MY_IPSEC_PROFILE -
Check whether the tunnel is there:
Cisco-router-b VMshow crypto ikev2 sa remote cisco-router-aResult:
Tunnel-id Local Remote fvrf/ivrf Status 4 10.128.0.32/4500 51.250.***.***/4500 none/none READY Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK Life/Active Time: 28800/23528 secYou can also view tunnel logs by running these commands:
debug crypto ikev2 conf t do sh log
Configure routing
Warning
- The settings are the same on both VMs, except the specifically mentioned parameters.
- The setup is performed in the terminal connected to the VM over SSH in privileged mode.
-
To make sure the requests are responded to, configure a Loopback interface:
Cisco-router-a VMCisco-router-b VMconf t int lo10 ip address 10.1.1.1 255.255.255.255 exitconf t int lo10 ip address 10.1.1.2 255.255.255.255 exit -
To enable dynamic routing, configure the Border Gateway Protocol (BGP):
Cisco-router-a VMCisco-router-b VMrouter bgp 65001 bgp log-neighbor-changes neighbor 192.168.0.2 remote-as 65002 address-family ipv4 network 10.1.1.1 mask 255.255.255.255 neighbor 192.168.0.2 activate exit exit exitrouter bgp 65002 bgp log-neighbor-changes neighbor 192.168.0.1 remote-as 65001 address-family ipv4 network 10.1.1.2 mask 255.255.255.255 neighbor 192.168.0.1 activate exit exit exit
Test the GRE tunnel
Make sure the packets are sent and returned. To check this on the cisco-router-a VM, run:
ping 10.1.1.2 source lo10
Result:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/11 ms
For the GRE tunnel performance diagnostics, you can also run the following commands:
show ip int brief
show ip bgp summary
show ip bgp
show ip route bgp
How to delete the resources you created
To stop paying for the resources you created: