Ensuring VPN Security with IPSec/IKE/GRE
14-4 Configuring the Virtual Private Network
Figure 14-2 Tunnel Mode Processing
As shown above, AH authenticates the entire packet transmitted on the network whereas ESP
only covers a portion of the packet transmitted (the higher layer data in transport mode and the
entire original packet in tunnel mode). The ramifications of this difference in the scope between
ESP and AH are significant.
Using IPSec along with Network Address Translation (NAT) might be problematic because while
AH is used to ensure that the packet header is not changed during transmission, NAT does the
opposite - it changes the IP or layer 4 (UDP or TCP) header. AH cannot be used when NAT must
be crossed to reach the other end of the tunnel. When only ESP is used, the XSR automatically
adds the UDP header which is required by NAT to operate properly when an unroutable address
(NAT traffic) is detected between tunnel endpoints.
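The following added example (not from the XSR guide) illustrates why AH cannot cross NAT while ESP can: it computes an AH-style integrity check value over a constructed IPv4 packet with the mutable fields (TOS, flags/fragment offset, TTL, checksum) zeroed, and an ESP transport-mode ICV over the payload only, then simulates a router hop and a NAT source-address rewrite. HMAC-SHA256 truncated to 96 bits, the key and the addresses are constructed for the demonstration and are not the XSR's actual algorithm or configuration.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key; a real SA key is negotiated by IKE.
KEY = b"constructed-demo-sa-key"

def ipv4_header(src, dst, payload_len, proto, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left 0; routers recompute it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(header, payload):
    """AH: ICV over the whole packet; mutable header fields are zeroed first."""
    h = bytearray(header)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags / fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:12]

def esp_icv(payload):
    """ESP (transport mode): ICV covers ESP header and payload, never the outer IP header."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:12]

def forward(header, new_src=None, ttl_delta=0):
    """Simulate the path: a router hop decrements TTL; a NAT rewrites the source address."""
    h = bytearray(header)
    h[8] -= ttl_delta
    if new_src:
        h[12:16] = socket.inet_aton(new_src)
    return bytes(h)

def verify_after_path(new_src=None, ttl_delta=0):
    """Return (ah_ok, esp_ok) for a constructed packet after the given path changes."""
    payload = b"constructed-protected-data"
    hdr = ipv4_header("10.0.0.5", "198.51.100.20", len(payload), proto=51)
    ah, esp = ah_icv(hdr, payload), esp_icv(payload)
    rx_hdr = forward(hdr, new_src, ttl_delta)
    return (hmac.compare_digest(ah, ah_icv(rx_hdr, payload)),
            hmac.compare_digest(esp, esp_icv(payload)))

if __name__ == "__main__":
    print("router hop only (AH ok, ESP ok):", verify_after_path(ttl_delta=3))
    print("through NAT     (AH ok, ESP ok):", verify_after_path(new_src="203.0.113.7"))
```

A TTL decrement leaves both checks intact because AH excludes mutable fields, but a NAT address rewrite breaks AH while the ESP ICV still verifies; this is why the XSR pairs ESP with UDP encapsulation rather than AH when NAT sits between the endpoints.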
Arguably the most vital component of IPSec/IKE is the establishment of SAs and key
management. Although these tasks can be done manually, the XSR deploys IPSec through a
scalable, automated SA/key management scheme known as the Internet Key Exchange (IKE),
defined in RFC-2409. IKE is the default protocol for automated key management and dynamic
SA creation in IPSec.
Refer to Table A-4 on page A-1 for the number of ISAKMP and IPSec SAs supported, by installed
memory, on the XSR.
GRE over IPSec
As an alternative to IPSec, the XSR supports the Generic Routing Encapsulation protocol (GRE),
which encapsulates arbitrary protocols in other protocols such as IP, as defined by RFC-1701. GRE
can tunnel these payloads between two routers over a network path that does not natively
support the payload protocol. For example, AppleTalk packets can be tunneled in IP over the
Internet.
GRE tunnel endpoints are represented as point-to-point (P2P) interfaces to the routing protocols.
End-to-end traffic and routing protocol traffic flows through these interfaces as through physical
network interfaces. The GRE tunnel encapsulates entire frames so it can carry multicast packets
across the tunnel between two routers. This supports routing protocols such as OSPF.
GRE does not provide security but can be encrypted and authenticated by the XSR’s IPSec
subsystem. GRE packets are transmitted using IPSec transport mode. GRE with IPSec provides
multiprotocol and multicast tunneling with strong security. Because GRE has no control protocol
for negotiating tunnel establishment, both sides of the tunnel must have known IP addresses, not
dynamically assigned ones. Refer to “GRE Tunnel for OSPF” on page 14-40 for an example.
[Figure 14-2 labels: Original packet (IP header, data); After processing (New IP header, AH/ESP header, original IP header, data; the encapsulated portion can be encrypted)]
Note: GRE tunnel interfaces support P2P links only with other routers.