gurfin / ENCOR #13 - Tunnels

Created Mon, 31 Mar 2025 00:00:00 +0000 Modified Tue, 01 Apr 2025 21:36:42 +0000

Who does not like a good old tunnel?

There are different tunnel types available for us to use when building our networks. The ones we will cover here are GRE and IPsec, as well as briefly mentioning DMVPN, GET VPN and FlexVPN.

GRE

Generic Routing Encapsulation (GRE) is one of the most versatile tools to keep in your networking tool belt. This type of tunnel provides encapsulation without any sort of encryption. There are ways to encrypt a GRE tunnel; however, they won't be covered here.

These work by simply attaching an extra outer L3 header to the packet, causing it to be tunneled. This can be used across the internet as well as in your internal network to effectively tunnel traffic between two network devices.

Configuring a GRE tunnel is as simple as creating a tunnel interface, and then setting the tunnel source and destination:

interface Tunnel10
 ip address 10.0.0.1 255.255.255.0
 tunnel source 192.168.1.1
 tunnel destination 192.168.2.3
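To make the "extra L3 header" concrete, here is an added Python illustration (not part of the original post, and not the router's own code): it encapsulates a constructed inner packet with a basic GRE header and an outer IPv4 header, using the tunnel source/destination from the config above, then strips them again. The inner addresses, payload and the hypothetical key value are assumptions. Note that the inner packet remains readable in the tunneled bytes, which is exactly why GRE alone gives no confidentiality.

```python
import struct
import ipaddress

GRE_PROTO = 47           # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an encapsulated IPv4 packet

def ip_checksum(data):
    """One's-complement checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    fields = (0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def gre_encapsulate(outer_src, outer_dst, inner):
    """Prepend a basic GRE header (RFC 2784, no options) and an outer IPv4 header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/version = 0, protocol type
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(packet):
    """Strip outer IPv4 + GRE headers; returns (outer_src, outer_dst, ptype, inner)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer header is not GRE (protocol %d)" % packet[9])
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    gre_len = 4
    for bit in (0x8000, 0x2000, 0x1000):  # C (checksum), K (key), S (sequence) flags
        if flags & bit:                   # each adds a 4-byte optional field
            gre_len += 4
    return outer_src, outer_dst, ptype, packet[ihl + gre_len:]

# Constructed sample: inner packet between assumed LAN-side hosts, raw payload
# under the experimental protocol number 253, carried between the tunnel
# source and destination from the config above.
INNER = ipv4_header("10.0.0.1", "10.0.0.2", 253, 5) + b"hello"
TUNNELED = gre_encapsulate("192.168.1.1", "192.168.2.3", INNER)
```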

IPsec

IPsec allows for secure tunneling across untrusted networks. It can be used to encrypt and provide data integrity checks for not only the packet data, but also the packet headers.

Encapsulating Security Payload (ESP) allows you to encrypt an entire packet, including the original IP header. This is called tunnel mode and is probably the most common way of running IPsec tunnels.
There is also another mode known as transport mode, which only encrypts the data of the original packet. This allows the original IP headers to be preserved, which can be extremely useful if, for example, you want to run QoS across an L3VPN circuit while still encrypting your data.

ESP has its own IP protocol number, 50, but it can also handle NAT traversal by using UDP port 4500 instead of the dedicated ESP protocol.

IKEv1

Internet Key Exchange (IKE) is the protocol that allows for the secure exchange of keys between tunnel peers. This also includes negotiating which algorithms to use and which security associations (SAs) should be established.
IKE comes in two different flavors: v1 and v2.
IKEv1, which is also referred to as ISAKMP, uses UDP port 500 to establish a tunnel. This is done in two distinct phases: Phase 1 (P1) and Phase 2 (P2).

Phase 1

During P1, a bidirectional SA is established over which the P2 SA negotiation can occur. In order to establish the P1 SA, one of two modes can be used: Main mode (MM) or Aggressive mode (AM). Main mode is the more secure option; however, it is slower to establish compared to aggressive mode.

Phase 2

Once the initial P1 SA has been established, the unidirectional P2 SAs can be formed. These are the SAs that will actually be used to send the traffic.

IKEv2

IKEv2 brings a lot of improvements over IKEv1, mostly security related, but it also establishes the tunnel more efficiently. This is because IKEv2 uses fewer negotiation packets to establish the tunnel, which reduces overhead.