Implementation of GRE Over IPsec VPN Enterprise Network Based on Cisco Packet Tracer


International Conference on Soft Computing in Information Communication Technology (SCICT 2014)


Chong Wang, Jing-you Chen
Hainan College of Software Technology, Qionghai 571400, China
[email protected], [email protected]

Abstract—Along with the increasing prominence of network security problems, VPN (Virtual Private Network) technology provides the enterprise with an economical remote-access solution. As the IPSec protocol is able to provide the highest level of security, using IPSec VPN to build a secure Intranet has become a trend. Since IPSec (Internet Protocol Security) does not support the encryption of multicast and broadcast packets, a GRE (Generic Routing Encapsulation) tunnel is needed to encapsulate multicast and broadcast packets into unicast packets. By encrypting the GRE tunnel with IPSec, data security is guaranteed and the problem of VPN scalability is solved.

Keywords-VPN; GRE; Intranet; IPSec; IKE

© 2014. The authors - Published by Atlantis Press

I. INTRODUCTION
Enterprise informatization is the only way forward for the development of all enterprises, especially large ones. These enterprises are characterized by their large scale, with more than one division or branch. Information exchange is needed among them, some of which involves the enterprise's business secrets. If the enterprise information is transmitted through the Internet, there will be many safety problems. The Internet has the advantage of cheapness, but it is not safe, while, by contrast, a leased line is safe but more expensive. Then, how to ensure the confidentiality and integrity of the information exchange between the headquarters and the divisions of the enterprise? How to keep the cost of the connection below that of a leased line? In order to solve this problem, the VPN (Virtual Private Network) was born. It is not only secure, but also low-cost. VPN technology provides a solution of safe and cheap remote access for enterprises. The secure enterprise virtual private network is established over the Internet by using an IPSec security tunnel, so that the communication can effectively guarantee the security of the enterprise.

II. GRE OVER IPSEC VPN
A. Brief Introduction of VPN
VPN (Virtual Private Network) is a technology that uses a public network to build a special private network; it is the "line in the line". Data is spread through a secure "encrypted tunnel" in the public network. Building a special communication line between two or more enterprise Intranets located in different places and connected through the Internet is just like establishing a dedicated line, but it does not need a real physical line such as an optical cable to be built. Enterprises only have to hire a local data line and connect it to the local Internet, so that the institutions can transmit information to each other.
Through the integrated use of Internet technology, access control technology, encryption technology and a certain user management mechanism, the user can make use of the existing public Internet to access the remote internal network resources safely, securely and without disturbance. Compared with the traditional private network, VPN technology greatly reduces the cost. It is convenient, safe and standardized, and has become the main technology for achieving enterprises' cross-regional secure network interconnection. VPNs can be divided into three categories: (1) Internal virtual network (Intranet VPN): the safe connection between the headquarters and branches; (2) Remote access virtual network (Remote Access VPN): employees' remote access to the company network server. Generally, it should have encryption, identity authentication, filtering and other functions; (3) Enterprise extended virtual network (Extranet VPN): providing security for the enterprise's business partners, suppliers and customers, mainly ensuring that the data is not modified in the process of transmission and protecting the network resources from external damage.
VPN mainly adopts two technologies: tunnel technology and security technology. Current tunnel technology is mainly supported by three kinds of protocol: PPTP, L2TP and IPsec. The main mission of tunnel technology is to complete the secondary encapsulation of IP packets in order to realize the transmission of the enterprise's private addresses over the public Internet. To ensure the security of the transmission, a secure means of encryption should be used to ensure the privacy and integrity of the data. Security technology mainly includes MPPE, IPSec and other encryption algorithms. IPsec provides security services at the IP layer. For tunnel and encryption technology, IPSec has already become a widely used and open VPN security protocol, which ensures interoperability between the TCP/IP protocol and the VPN. IPsec defines a set of standard protocols to protect privacy and integrity and supports a series of encryption algorithms such as DES and 3DES. It checks the integrity of the
transmitted data packets to ensure that the data has not been modified, and it can authenticate the data source.

B. IPSec
IPSec (Internet Protocol Security) is a set of protocols defined by the IETF (Internet Engineering Task Force) that provides IP security at the network layer. Able to provide certification of data integrity, identification of the data source and protection against replay, IPSec is a security technology that applies to all Internet communication at present. The IPSec system includes three main security protocols, namely AH (Authentication Header), ESP (Encapsulating Security Payload) and IKE (Internet Key Exchange).
The realization of the IPSec VPN is mainly composed of two stages. The first stage is IKE phase 1 (Internet Key Exchange), whose main task is to authenticate both sides of the communication and build a secure channel between the two ends. The parameters negotiated to establish the IKE secure channel are mainly the encryption algorithm, hash algorithm, DH (Diffie-Hellman) group, identity authentication method and lifetime. The collection of these parameters in this stage is called a policy set, and the purpose of the negotiation is to make the policy set the same on both sides. The second stage is IKE phase 2, whose main task is to negotiate the security parameters inside this channel, mainly including the encryption algorithm, hash algorithm, encapsulation mode, lifetime and security protocols, and eventually to agree on the same SA (Security Association). The IPSec protocol can be set in two modes: tunnel mode and transport mode. In tunnel mode, IPSec encapsulates the whole IPv4 packet in a new secure IP packet. Tunnel mode is the safest one, but it leads to a larger system overhead. Transport mode protects end-to-end security, that is, it does not hide the routing information.

C. GRE
GRE (Generic Routing Encapsulation) encapsulates the datagrams of a certain network layer protocol (such as IP, IPX, AppleTalk, etc.) so that the encapsulated datagram can be transmitted inside another network layer protocol (IP). The transmission channel across the heterogeneous network is called a tunnel. As an encapsulation method it is very practical, which makes GRE the encapsulation generally used in VPNs. However, the GRE tunnel itself does not support data encryption; another protocol such as IPSec is needed to encrypt the transmitted data. GRE provides a low-overhead tunnel. The encapsulation format of GRE is defined in RFC 1701 / RFC 1702, that is, the method of using one network protocol to encapsulate another network layer protocol. A GRE tunnel is defined by the source IP and destination IP at the two ends of the tunnel, and it can carry various routing protocols, such as RIP, OSPF, IGRP, etc.

D. The advantages of IPSec VPN
The advantages and applications of IPSec VPN in the enterprise network are increasingly evident. On top of IP transmission, IPSec VPN technology uses an encrypted tunnel to transmit the content of the internal private network over the public network and, at the same time, guarantees the security of the internal data, so as to realize the interflow of data, voice and video between enterprise headquarters and branches. Nowadays, the VPN is regarded by many enterprises as the main method of connecting remote branches and mobile users to build the virtual service network. Large numbers of domestic enterprises have begun to consider this method and are gradually putting it into effect. Enterprises using the Internet to build their own IPSec VPN have the following advantages.
1) Economic: There is no need to bear the expensive rental cost of fixed lines. The long-distance charge for DDN, frame relay and SDH increases with the communication distance: the farther the branch, the higher the rental cost. The Internet access charge only involves the local cost; no matter how far away the branch is, the charge is the same. Therefore, used as the transmission backbone, the Internet is very cheap and still has higher bandwidth. In addition, the VPN device is superior in its function and low in cost.
2) Flexible: The Internet can be reached through 10M and 100M ports, through 2M or lower-speed ports, through cheap DSL and even through dial-up connections, which gives it the largest number of end connections. An IPSec VPN network can connect branches at any location, even across oceans. IPSec VPN can connect a small number of branches at bargain prices, as well as numerous branches. The core equipment of IPSec VPN has good extensibility: one port can be connected with thousands of branches at the same time, including divisions and mobile office users, rather than needing one port per remote user as with SDH or DDN. Remote IP voice and video services can also be transmitted to remote branches and mobile users, providing convenient conditions for modern offices together with the data services, and saving a lot of telephone charges.
3) Safe: The significant characteristic of IPSec VPN is its security, which is the root of its internal data security. On the VPN switches, it ensures security by supporting all leading tunnel protocols, data encryption and filter/firewall functions, as well as by authorizing through RADIUS, LDAP, SecurID and many other ways. At the same time, the VPN devices provide a built-in firewall function for the traffic that passes between the public and private network interfaces outside the VPN tunnel. In addition, this technology can also use authentication such as RADIUS, PAP, CHAP, tokens, X.509, LDAP and SecurID, etc.
4) Redundant Design: VPN devices can provide redundant mechanisms, guaranteeing the reliability of the link and equipment. The VPN core equipment at the center node provides hardware redundancy such as redundant CPUs and redundant power supplies. When the link fails to work well,
VPN switches support static tunnels for failure recovery, and their secure IP service gateway can realize load balancing between multiple routing paths and multiple switches. Besides, when connecting, the VPN client will automatically select the backbone node of its area as set in the communication list, and automatically choose other VPN switches according to the list settings when the regional node fails, so as to keep the connection.
5) Effective Management: The split-tunnel characteristic of VPN switches lets an IPSec client visit the Internet, the Extranet and the local network at the same time. This technology can set permissions and allow users' access, such as local printing and file sharing, direct Internet access and secure access to the outside network. This characteristic makes it possible for users to use the network resources rationally and conveniently under safe conditions, both secure and flexible. Routing protocols are needed by multiple users and complex routing to make the management of the entire network's addresses convenient and effective. With the help of RIP and OSPF, VPN devices connect and extend like routers, which is suitable for the continuous expansion of the network. What's more, dynamic routing protocols can be supported inside the encrypted tunnel. Managers can manage the remote node through management software and remote configuration.

III. DESIGN PRINCIPLES
A. Key steps for configuration
IPSec configuration between routers uses IPSec connections, and it needs a virtual tunnel configured as a secure link for secure and reliable communication between the two networks. Taking IPsec encryption with a pre-shared key as an example, the IPsec VPN configuration process is as follows:
1) Configure the IKE policy: including hash algorithm, encryption algorithm and lifetime;
2) Configure the pre-shared key: an IP address or hostname must be chosen to identify the key;
3) Configure the IPSec parameters: including the identification of the local end by IP address or hostname, and the access-list to be referenced in the crypto map;
4) Configure the crypto map: create crypto map entries for IPSec, so that the parts used to establish the IPSec security association work together;
5) Apply the crypto map to the interface;
6) Configure the tunnel;
7) Apply IPSec encryption to the GRE packets;
8) Examine the configuration of the IPSec VPN.
B. Networking requirement
A company with its head office in Beijing has a filiale in Shanghai. The internal IP addresses of the head office are Class C addresses but need to access the Internet. Internal IP addresses can access the company's DNS server and FTP server. A VPN between the sites is called for between the head office in Beijing and the Shanghai filiale. By establishing a GRE tunnel, the two agencies manage to communicate with each other. Because the GRE protocol itself cannot encrypt the data it packages, we configure IPSec to protect the GRE messages.
C. Network topology
The whole network structure is divided into three large blocks, namely the Beijing head office network, the Shanghai filiale network and the Internet. The two enterprise networks are both connected to the Internet. In order to complete the experiment, the network topology is designed as shown in Figure 1: Router1 is the egress router of the Beijing head office, Router4 is the egress router of the Shanghai filiale, and Router2 and Router3 are routers of the telecommunication department, used to simulate the Internet. Terminal equipment is connected in the internal networks of the Beijing head office and the Shanghai filiale to test the network connectivity. The DNS server and FTP server are placed in the enterprise network.
Experimental topology construction: build a network topology diagram as shown in Figure 1 in the simulation software Cisco Packet Tracer, including four 2811 routers, two 2960 switches, two PCs and four servers.
Figure 1. GRE over IPSec VPN net map
D. IP address configuration
When planning IP addresses, the internal addresses of the Beijing head office are set as Class C IP addresses: 222.17.244.0/24 for the Beijing head office and 222.17.245.0/24 for the Shanghai filiale. The segment between the Beijing head office and the Internet is set to 188.128.5.0/24, and the segment between the Shanghai filiale and the Internet is set to 52.1.1.0/24. The network between the two external network routers is set to 198.96.6.0/24.
Next, set the IP addresses of the terminal machines.
1) Host IP configuration for the Beijing head office: The IP address of PC1 is set to 222.17.244.2, the subnet mask of PC1 is 255.255.255.0, and the gateway address is set to 222.17.244.1.
The IP address of DNS Server1 is set to 222.17.244.3, the subnet mask of DNS Server1 is 255.255.255.0, and the gateway address is set to 222.17.244.1.
The IP address of FTP Server1 is set to 222.17.244.4, the subnet mask of FTP Server1 is 255.255.255.0, and the gateway address is set to 222.17.244.1.

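Section II.C explains why GRE is needed here: IPSec alone cannot protect a multicast or broadcast packet, but once GRE wraps it the outer packet is plain unicast between the two tunnel endpoints, which a crypto ACL line such as "permit gre host A host B" can match. The Python below is an added example, not code from the paper: it builds the 4-byte GRE header and the outer IPv4 header for this lab's tunnel (188.128.5.1 to 52.1.1.2), decapsulates the result, and applies the paper's GRE ACL test to it. The function names are mine, and the inner packet is a constructed placeholder (IP protocol 89 to 224.0.0.5 with a dummy payload), not a real OSPF hello.

```python
import socket
import struct

GRE_PROTO = 47           # IP protocol number of GRE in the outer IPv4 header
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" for an IPv4 payload (RFC 1701/1702)

def checksum(data):
    """RFC 1071 one's-complement sum, as used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner_ip, tun_src, tun_dst):
    """Wrap an IPv4 packet in a plain GRE header (no C/K/S options) and a unicast outer IPv4 header."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)  # flags/version word, then protocol type
    return ipv4_header(tun_src, tun_dst, GRE_PROTO, len(gre) + len(inner_ip)) + gre + inner_ip

def gre_decapsulate(outer):
    """Return (tun_src, tun_dst, inner_ip); ValueError if this is not IPv4/GRE carrying IPv4."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[0] >> 4 != 4 or checksum(outer[:ihl]) != 0 or outer[9] != GRE_PROTO:
        raise ValueError("not a well-formed IPv4 packet with protocol 47")
    flags, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags & 0xB007 or ptype != ETHERTYPE_IPV4:  # C/K/S bit or non-zero version, or not IPv4 inside
        raise ValueError("GRE options or payload type not handled here")
    return socket.inet_ntoa(outer[12:16]), socket.inet_ntoa(outer[16:20]), outer[ihl + 4:]

def matches_gre_acl(packet, local, remote):
    """The paper's 'access-list 110 permit gre host <local> host <remote>' test on one packet."""
    return (packet[9] == GRE_PROTO and socket.inet_ntoa(packet[12:16]) == local
            and socket.inet_ntoa(packet[16:20]) == remote)

def lab_sample():
    """Constructed sample: an IP protocol 89 (OSPF) packet to 224.0.0.5 from R1's tunnel address,
    carried over the paper's tunnel from 188.128.5.1 to 52.1.1.2. The payload is a dummy, not a real hello."""
    inner = ipv4_header("192.168.1.1", "224.0.0.5", 89, 5, ttl=1) + b"hello"
    return inner, gre_encapsulate(inner, "188.128.5.1", "52.1.1.2")
```

The outer packet is 24 bytes longer than the inner one (20-byte IPv4 header plus 4-byte GRE header); the ESP tunnel-mode envelope that the crypto map then adds on Serial0/0/1 is not modelled here.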
2) Host IP configuration for the Shanghai filiale: The IP address of PC2 is set to 222.17.245.2, the subnet mask is 255.255.255.0, and the gateway is 222.17.245.1.
The IP address of DNS Server2 is set to 222.17.245.3, the subnet mask is 255.255.255.0, and the gateway is 222.17.245.1.
The IP address of FTP Server2 is set to 222.17.245.4, the subnet mask is 255.255.255.0, and the gateway is 222.17.245.1.

IV. CONFIGURE THE ROUTERS
A. Configure Router 1
1) Configure IP addresses
R1(config)#interface serial0/0/1
R1(config-if)#ip address 188.128.5.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastethernet0/0
R1(config-if)#ip address 222.17.244.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 188.128.5.2
2) Establish the IKE policy
R1(config)#crypto isakmp enable
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#group 5
R1(config-isakmp)#exit
3) Configure the pre-shared key and create the ACL (IKE parameters)
R1(config)#crypto isakmp key 13876694751 address 52.1.1.2
R1(config)#access-list 110 permit ip 222.17.244.0 0.0.0.255 222.17.245.0 0.0.0.255
4) Define the transform set (IPSec parameters)
R1(config)#crypto ipsec transform-set test esp-3des esp-md5-hmac
5) Configure the crypto map
R1(config)#crypto map chong-map 10 ipsec-isakmp
R1(config-crypto-map)#set peer 52.1.1.2
R1(config-crypto-map)#set transform-set test
R1(config-crypto-map)#match address 110
6) Apply the crypto map to the interface
R1(config)#interface serial0/0/1
R1(config-if)#crypto map chong-map
7) Configure the logical interface of the tunnel
R1(config)#interface tunnel0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#tunnel source serial0/0/1
R1(config-if)#tunnel destination 52.1.1.2
R1(config-if)#exit
R1(config)#access-list 110 permit gre host 188.128.5.1 host 52.1.1.2
B. Configure Router 4
1) Configure IP addresses
R4(config)#interface serial0/0/1
R4(config-if)#ip address 52.1.1.2 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#interface fastethernet0/0
R4(config-if)#ip address 222.17.245.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#ip route 0.0.0.0 0.0.0.0 52.1.1.1
2) Establish the IKE policy
R4(config)#crypto isakmp policy 10
R4(config-isakmp)#hash md5
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#lifetime 86400
R4(config-isakmp)#group 5
3) Configure the pre-shared key and create the ACL
R4(config)#crypto isakmp key 13876694751 address 188.128.5.1
R4(config)#access-list 110 permit ip 222.17.245.0 0.0.0.255 222.17.244.0 0.0.0.255
4) Define the transform set
R4(config)#crypto ipsec transform-set test esp-3des esp-md5-hmac
5) Configure the crypto map
R4(config)#crypto map chong-map 10 ipsec-isakmp
R4(config-crypto-map)#set peer 188.128.5.1
R4(config-crypto-map)#set transform-set test
R4(config-crypto-map)#match address 110
6) Apply the crypto map to the physical interface
R4(config)#interface serial0/0/1
R4(config-if)#crypto map chong-map
7) Configure the logical interface of the tunnel
R4(config)#interface tunnel0
R4(config-if)#ip add 192.168.1.2 255.255.255.0
R4(config-if)#tunnel source serial0/0/1
R4(config-if)#tunnel destination 188.128.5.1
R4(config-if)#exit
R4(config)#access-list 110 permit gre host 52.1.1.2 host 188.128.5.1
C. Simulate the WAN on Router 2 and Router 3
1) On Router 2
Route2(config)#hostname R2
R2(config)#interface serial0/0/0
R2(config-if)#ip add 198.96.6.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial0/0/1
R2(config-if)#ip add 188.128.5.2 255.255.255.0
R2(config-if)#clock rate 64000
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#ip route 52.1.1.0 255.255.255.0 198.96.6.2
2) On Router 3
R3(config)#interface serial0/0/0
R3(config-if)#ip add 198.96.6.2 255.255.255.0
R3(config-if)#clock rate 64000
R3(config-if)#no shut
R3(config-if)#exit
R3(config)#interface serial0/0/1
R3(config-if)#ip add 52.1.1.1 255.255.255.0
R3(config-if)#clock rate 64000
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#ip route 188.128.5.0 255.255.255.0 198.96.6.1
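Steps 1 to 7 of Section III.A are mirrored on Router 1 and Router 4 above, and most IKE or IPSec failures in a lab like this come from one parameter that is not mirrored. The Python below is an added example, not part of the paper: it parses the two configurations (constructed here from the Section IV commands in the form "show running-config" prints them, which is an assumption about the output format) and reports whether the peer and tunnel addresses, pre-shared key, ISAKMP policy, transform set and crypto ACL agree, whether the ISAKMP policy names an encryption algorithm explicitly, and whether a static route sends the remote LAN into the GRE tunnel. Function names and the result keys are mine.

```python
import ipaddress, re
# R1/R4 are constructed from the Section IV commands in "show running-config" form (lines read below only).
R1 = """\
interface Serial0/0/1
 ip address 188.128.5.1 255.255.255.0
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel source Serial0/0/1
 tunnel destination 52.1.1.2
ip route 0.0.0.0 0.0.0.0 188.128.5.2
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 5
crypto isakmp key 13876694751 address 52.1.1.2
crypto ipsec transform-set test esp-3des esp-md5-hmac
crypto map chong-map 10 ipsec-isakmp
 set peer 52.1.1.2
 match address 110
access-list 110 permit ip 222.17.244.0 0.0.0.255 222.17.245.0 0.0.0.255
access-list 110 permit gre host 188.128.5.1 host 52.1.1.2
"""
R4 = """\
interface Serial0/0/1
 ip address 52.1.1.2 255.255.255.0
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 tunnel source Serial0/0/1
 tunnel destination 188.128.5.1
ip route 0.0.0.0 0.0.0.0 52.1.1.1
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 5
crypto isakmp key 13876694751 address 188.128.5.1
crypto ipsec transform-set test esp-3des esp-md5-hmac
crypto map chong-map 10 ipsec-isakmp
 set peer 188.128.5.1
 match address 110
access-list 110 permit ip 222.17.245.0 0.0.0.255 222.17.244.0 0.0.0.255
access-list 110 permit gre host 52.1.1.2 host 188.128.5.1
"""

def field(cfg, pat):  # first capture group of a line-anchored regex, or None when the line is absent
    m = re.search(pat, cfg, re.M)
    return m.group(1) if m else None

def acl(cfg, num):  # (proto, src, src_wild, dst, dst_wild) per crypto-ACL line; 'host X' -> 'X 0.0.0.0'
    rows = re.findall(rf"^access-list {num} permit (\S+) (.+)$", cfg, re.M)
    return [(p, *re.sub(r"host (\S+)", r"\1 0.0.0.0", r).split()) for p, r in rows]

def parse(cfg):
    src_if = re.escape(field(cfg, r"^ tunnel source (\S+)"))
    return {
        "local": field(cfg, rf"^interface {src_if}\n ip address (\S+)"),  # address the peer must name
        "tun": field(cfg, r"^interface Tunnel\d+\n ip address (\S+ \S+)"),
        "tun_dst": field(cfg, r"^ tunnel destination (\S+)"),
        "peer": field(cfg, r"^ set peer (\S+)"),
        "psk": field(cfg, r"^crypto isakmp key (\S+)"),
        "psk_addr": field(cfg, r"^crypto isakmp key \S+ address (\S+)"),
        "transform": field(cfg, r"^crypto ipsec transform-set \S+ (.+)$"),
        "policy": tuple(field(cfg, rf"^ {k} (\S+)") for k in ("encryption", "hash", "authentication", "group")),
        "acl": acl(cfg, field(cfg, r"^ match address (\d+)")),
        "routes": re.findall(r"^ip route (\S+) (\S+) (\S+)", cfg, re.M),
    }

def lan_via_tunnel(d):  # is the remote LAN (dst of the LAN-to-LAN ACL line) routed into the GRE tunnel?
    net = ipaddress.ip_interface(d["tun"].replace(" ", "/")).network
    return any(dst == d["acl"][0][3] and (nh.startswith("Tunnel") or nh[:1].isdigit()
               and ipaddress.ip_address(nh) in net) for dst, _mask, nh in d["routes"])

def check_pair(cfg_a, cfg_b):  # named pass/fail results for the two crypto-map peers; False = look here
    a, b = parse(cfg_a), parse(cfg_b)
    return {
        "peer_and_tunnel_addresses_match": a["peer"] == a["tun_dst"] == b["local"] and b["peer"] == b["tun_dst"] == a["local"],
        "psk_match": a["psk"] == b["psk"] and (a["psk_addr"], b["psk_addr"]) == (b["local"], a["local"]),
        "transform_set_match": a["transform"] == b["transform"],
        "isakmp_policy_match": a["policy"] == b["policy"],
        "encryption_set_explicitly": None not in (a["policy"][0], b["policy"][0]),  # else the IOS default applies
        "crypto_acl_mirrored": a["acl"] == [(p, d, dw, s, sw) for p, s, sw, d, dw in b["acl"]],
        "remote_lan_routed_via_tunnel": lan_via_tunnel(a) and lan_via_tunnel(b),
    }
```

Run on the paper's configuration, every check passes except the last two: the ISAKMP policy gives no encryption keyword, and neither router has a route for the remote LAN through Tunnel0, so LAN-to-LAN traffic follows the default route and is matched by the first line of ACL 110 rather than being carried inside GRE.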
V. VERIFY THE RESULTS
When the configuration is completed, it can be tested from the clients. Use PC1 to ping PC2, that is, ping between the two private networks, which in theory should succeed, and then ping an IP address of the simulated public network, which in theory should not go through, showing that the simulated public network only provides a physical link for the tunnel. Enter the following commands on Router 1 to verify the results.
R1#show ip route
C 188.128.5.0 is directly connected, Serial0/0/1
C 192.168.1.0/24 is directly connected, Tunnel0
C 222.17.244.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 188.128.5.2
R1#show interface tunnel 0
Tunnel0 is up, line protocol is up (connected)
Hardware is Tunnel
Internet address is 192.168.1.1/24
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 188.128.5.1 (Serial0/0/1), destination 52.1.1.2
Tunnel protocol/transport GRE/IP

VI. CONCLUSIONS
With the development of modern enterprises, the establishment of branch offices and the formation of remote clients, more and more users need to establish a connection with the enterprise Intranet. Combined with GRE, the IPSec virtual private network (VPN) can provide enterprises with safe, low-cost and extensible network services without affecting the existing communications, achieving the real minimum investment and maximum communication. Along with the increasing importance of network security, it is believed that the application of GRE over IPsec VPN will become more extensive.
