FortiGate
fgilloteau_FTNT
Article Id 197093
Description
The goal of this note is to exchange traffic through a secure tunnel with a Cisco router, where the networks that communicate are announced by BGP and are NAT networks, so that the private LAN of each site stays hidden from the other.

This article will show:

  • How to create a GRE over IPsec tunnel with a Cisco router
  • How to use loopback interfaces
  • How to do a basic BGP configuration that exchanges filtered routes over the secure IPsec tunnel
  • How to create blackhole routes and announce them in BGP

Solution

Network diagram

[Network diagram: fgilloteau_diagram_bgpIPSEC.jpg]

Configuration steps

  1. VPN configuration Phase 1 – Phase 2
  2. GRE tunnel 
  3. Firewall policies
  4. Loopback creation and routing
  5. BGP configuration
  6. Static blackhole route
  7. NAT

FortiGate configuration

1. VPN configuration

config vpn ipsec phase1-interface
    edit "vpnGREoverIPSEC"
        set interface "port2"
        set proposal 3des-sha1 aes128-sha1
        set dhgrp 5
        set remote-gw 192.168.152.252
        set psksecret fortinet
    next
end

# Restrict IPSEC encryption domain to protocol GRE (47)

config vpn ipsec phase2-interface
    edit "vpnGREoverIPSEC-P2"
        set encapsulation transport-mode
        set phase1name "vpnGREoverIPSEC"
        set proposal 3des-sha1 aes128-sha1
        set dhgrp 5
        set protocol 47
    next
end


2. GRE tunnel

config system gre-tunnel
    edit "gre1"
        set interface "vpnGREoverIPSEC"
        set local-gw 192.168.152.128
        set remote-gw 192.168.152.252
    next
end

# The GRE endpoint must be reached through the IPsec interface, not via port2 directly

config router static
    edit 2
        set dst 192.168.152.252 255.255.255.255
        set device "vpnGREoverIPSEC"
        set comment "Reach GRE endpoint via IPsec tunnel"
    next
end

3. Firewall policies

config firewall ippool
    edit "local-nat-pool"
        set endip 10.100.1.100
        set startip 10.100.1.1
    next
end


config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "gre1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "local-nat-pool"
    next
    edit 2
        set srcintf "gre1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set srcintf "vpnGREoverIPSEC"
        set dstintf "vpnGREoverIPSEC"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "No traffic flowing through this policy. Just an 'activator' for IPsec"
    next
end


4. Loopback

# Loopback address is used for BGP peering

config system interface
    edit "Loopback1"
        set vdom "root"
        set ip 100.0.1.1 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end


# BGP peering address is reachable via the GRE tunnel

config router static
   edit 3
        set device "gre1"
        set dst 100.0.1.2 255.255.255.255
        set comment "Reach BGP peer via GRE tunnel"
   next
end


# Firewall policies

config firewall policy
    edit 6
        set srcintf "gre1"
        set dstintf "Loopback1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Allow inbound BGP. No need for an outbound policy."
    next
end


5. BGP configuration

# Create access-list to restrict route announcement to the NAT network
config router access-list
    edit "bgpSentToCisco"
            config rule
                edit 1
                    set prefix 10.100.1.0 255.255.255.0
                    set exact-match enable
                next
            end
    next
end

config router bgp
    set as 65001
    config neighbor
        edit "100.0.1.2"
            set ebgp-enforce-multihop enable
            set remove-private-as enable
            set distribute-list-out "bgpSentToCisco"
            set remote-as 65002
            set update-source "Loopback1"
        next
    end
    # Announce the NAT network
    config network
        edit 1
            set prefix 10.100.1.0 255.255.255.0
        next
    end
    set router-id 100.0.1.1
end
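As an added illustration, not part of the original article and not FortiGate or Cisco code, the following Python models the two outbound route filters used in this setup: the FortiGate access-list "bgpSentToCisco" with exact-match enabled (above), and the Cisco standard ACL 20 applied as a distribute-list in the Cisco configuration further down the page. The matching semantics are my reading of each platform's behaviour and are labelled as assumptions in the comments; the candidate prefixes are constructed. The point it shows is which prefixes each side would actually announce, and in particular that a standard Cisco ACL compares only the network address, never the prefix length, which is exactly what `exact-match enable` on the FortiGate side prevents.

```python
import ipaddress

# Filters taken from this page. Candidate prefixes used below are constructed.
FGT_RULES = [
    # (action, prefix, exact_match) as in "config router access-list"
    ("permit", "10.100.1.0/24", True),
]

CISCO_ACL_20 = [
    # (action, address, wildcard) as in "access-list 20 permit 10.200.1.0 0.0.0.255"
    ("permit", "10.200.1.0", "0.0.0.255"),
]


def fgt_access_list_permits(rules, route):
    """Model of FortiGate access-list evaluation (assumption about semantics,
    not FortiGate code): rules are tried in order; a rule without exact-match
    covers its prefix and every more-specific prefix inside it, a rule with
    exact-match covers only the identical prefix; an implicit deny ends the list."""
    route = ipaddress.ip_network(route)
    for action, prefix, exact in rules:
        prefix = ipaddress.ip_network(prefix)
        matched = route == prefix if exact else route.subnet_of(prefix)
        if matched:
            return action == "permit"
    return False


def cisco_std_acl_permits(acl, route):
    """Model of a Cisco standard ACL used as a BGP distribute-list (assumption):
    the wildcard is applied to the route's network address only, so the prefix
    length is never compared and more-specific routes slip through."""
    route = ipaddress.ip_network(route)
    net = int(route.network_address)
    for action, address, wildcard in acl:
        addr = int(ipaddress.ip_address(address))
        mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))  # bits that must match
        if (net & mask) == (addr & mask):
            return action == "permit"
    return False


def advertised(permit_fn, filt, candidates):
    """Apply a filter to a list of candidate prefixes; returns those announced."""
    return [r for r in candidates if permit_fn(filt, r)]


if __name__ == "__main__":
    fgt_candidates = ["10.100.1.0/24", "10.100.1.0/25", "10.100.1.128/25", "10.0.0.0/8"]
    print("FortiGate announces:", advertised(fgt_access_list_permits, FGT_RULES, fgt_candidates))
    cisco_candidates = ["10.200.1.0/24", "10.200.1.0/25", "10.200.1.128/25", "10.200.2.0/24"]
    print("Cisco announces:", advertised(cisco_std_acl_permits, CISCO_ACL_20, cisco_candidates))
```

Running it shows the FortiGate side letting through only 10.100.1.0/24, while the modelled Cisco ACL also passes 10.200.1.0/25 and 10.200.1.128/25. If the Cisco side needs the same strictness, a prefix-list (or an extended ACL that also matches the mask) is the usual replacement for the standard ACL.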


6. Static blackhole route

The blackhole route places the NAT network 10.100.1.0/24 in the routing table; BGP only announces a prefix from 'config network' when a matching route exists, so without it the network statement of step 5 would advertise nothing. Packets for pool addresses that have no active session are dropped here rather than following the default route, while reply traffic for established NAT sessions is matched in the session table before any route lookup and is not affected.

config router static
    edit 4
        set blackhole enable
        set dst 10.100.1.0 255.255.255.0
    next
end


7. NAT

The NAT pool and the source-NAT policy are the ones already shown in step 3 (policy 1); they are repeated here so the NAT step can be read on its own. The pool range 10.100.1.1 to 10.100.1.100 lies inside the 10.100.1.0/24 network announced in step 5, so the Cisco side learns a single route that covers every translated address.

config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "gre1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "local-nat-pool"
    next
end

config firewall ippool
    edit "local-nat-pool"
        set endip 10.100.1.100
        set startip 10.100.1.1
    next
end


Cisco configuration

version 12.4
hostname R1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
!
crypto isakmp key fortinet address 192.168.152.128
!
crypto ipsec transform-set tr-fortinet-transport esp-3des esp-sha-hmac
 mode transport
!
crypto map vpn-fortinet 1 ipsec-isakmp
 set peer 192.168.152.128
 set transform-set tr-fortinet-transport
 set pfs group5
 match address cryptoFORTINET
!
interface Tunnel1
 ip address 10.0.1.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 tunnel source 192.168.152.252
 tunnel destination 192.168.152.128
!
interface Loopback1
 ip address 100.0.1.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.152.252 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn-fortinet
!
interface FastEthernet0/1
 ip address 172.20.0.90 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
router bgp 65002
 no synchronization
 bgp log-neighbor-changes
 network 10.200.1.0 mask 255.255.255.0
 neighbor 100.0.1.1 remote-as 65001
 neighbor 100.0.1.1 ebgp-multihop 255
 neighbor 100.0.1.1 update-source Loopback1
 neighbor 100.0.1.1 distribute-list 20 out
 no auto-summary
!
ip route 10.200.1.0 255.255.255.0 Null0
ip route 100.0.1.1 255.255.255.255 Tunnel1
!
ip nat inside source static 172.20.0.1 10.200.1.1
!
ip access-list extended cryptoFORTINET
 permit gre host 192.168.152.252 host 192.168.152.128
!
access-list 20 permit 10.200.1.0 0.0.0.255


Verification

BGP

Fortigate-VM64 # get router info bgp summary

BGP router identifier 100.0.1.1, local AS number 65001
BGP table version is 2
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
100.0.1.2       4      65002       6       4        1    0    0 00:01:14        1

Total number of neighbors 1


BGP advertised routes

Fortigate-VM64 # get router info bgp neighbors 100.0.1.2 advertised-routes

BGP table version is 2, local router ID is 100.0.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.100.1.0/24    100.0.1.1                     100  32768 i

Total number of prefixes 1



BGP received routes

Fortigate-VM64 # get router info bgp neighbors 100.0.1.2 routes

BGP table version is 2, local router ID is 100.0.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.200.1.0/24    100.0.1.2                0             0 65002 i

Total number of prefixes 1



Check the ICMP traffic of a ping test

Fortigate-VM64 # diagnose sniffer packet any 'proto 1' 4 0 a

interfaces=[any]
filters=[proto 1]
2012-09-27 21:50:26.802786 port1 in 192.168.171.215 -> 10.200.1.1: icmp: echo request
2012-09-27 21:50:26.802905 gre1 out 10.100.1.12 -> 10.200.1.1: icmp: echo request
2012-09-27 21:50:26.874895 gre1 in 10.200.1.1 -> 10.100.1.12: icmp: echo reply
2012-09-27 21:50:26.874969 port1 out 10.200.1.1 -> 192.168.171.215: icmp: echo reply



Check the GRE traffic of a ping test

Fortigate-VM64 # diagnose sniffer packet any 'proto 47' 4 0 a

interfaces=[any]
filters=[proto 47]
2012-09-27 21:48:02.140059 vpnGREoverIPSEC in 192.168.152.252 -> 192.168.152.128:  ip-proto-47 44
2012-09-27 21:48:07.626742 vpnGREoverIPSEC out 192.168.152.128 -> 192.168.152.252:  ip-proto-47 64
2012-09-27 21:48:07.670258 vpnGREoverIPSEC in 192.168.152.252 -> 192.168.152.128:  ip-proto-47 64
2012-09-27 21:48:08.628379 vpnGREoverIPSEC out 192.168.152.128 -> 192.168.152.252:  ip-proto-47 64
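The two sniffer captures above are what a correct setup looks like, but reading them by eye does not scale. As an added example (not from the article), here is a small Python checker that parses `diagnose sniffer packet` verbosity-4 lines and verifies the two properties the design relies on: nothing enters or leaves gre1 with a private LAN address (every tunnel packet carries a NAT pool address), and GRE (ip-proto-47) is seen only on the IPsec interface, never on a physical port in the clear. The sample lines are the ones from this page; the two "bad" lines are constructed to show a failing check, and the pool range and interface names are taken from the configuration above.

```python
import ipaddress
import re

# Sniffer lines copied from this article's verification output.
ICMP_CAPTURE = """\
interfaces=[any]
filters=[proto 1]
2012-09-27 21:50:26.802786 port1 in 192.168.171.215 -> 10.200.1.1: icmp: echo request
2012-09-27 21:50:26.802905 gre1 out 10.100.1.12 -> 10.200.1.1: icmp: echo request
2012-09-27 21:50:26.874895 gre1 in 10.200.1.1 -> 10.100.1.12: icmp: echo reply
2012-09-27 21:50:26.874969 port1 out 10.200.1.1 -> 192.168.171.215: icmp: echo reply
"""

GRE_CAPTURE = """\
interfaces=[any]
filters=[proto 47]
2012-09-27 21:48:02.140059 vpnGREoverIPSEC in 192.168.152.252 -> 192.168.152.128:  ip-proto-47 44
2012-09-27 21:48:07.626742 vpnGREoverIPSEC out 192.168.152.128 -> 192.168.152.252:  ip-proto-47 64
"""

# Constructed lines that must be flagged: a LAN address leaking unNATed into the
# tunnel, and GRE appearing on the physical port instead of the IPsec interface.
BAD_NAT_LINE = "2012-09-27 21:51:00.000000 gre1 out 192.168.171.215 -> 10.200.1.1: icmp: echo request"
BAD_GRE_LINE = "2012-09-27 21:51:00.000000 port2 out 192.168.152.128 -> 192.168.152.252:  ip-proto-47 64"

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):\s+(?P<proto>\S+)"
)

# Values from the configuration on this page.
NAT_POOL_START = ipaddress.ip_address("10.100.1.1")
NAT_POOL_END = ipaddress.ip_address("10.100.1.100")
TUNNEL_IF = "gre1"
IPSEC_IF = "vpnGREoverIPSEC"


def parse_sniffer(text):
    """Parse 'diagnose sniffer packet' verbosity-4 lines; header lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["src"] = ipaddress.ip_address(p["src"])
            p["dst"] = ipaddress.ip_address(p["dst"])
            pkts.append(p)
    return pkts


def in_pool(addr):
    return NAT_POOL_START <= addr <= NAT_POOL_END


def check_nat(pkts):
    """Every packet leaving gre1 must carry a pool source and every packet
    entering gre1 must be addressed to the pool: the private LAN never crosses
    the tunnel. Returns a list of problems; empty means the capture is clean."""
    problems = []
    for p in pkts:
        if p["intf"] != TUNNEL_IF:
            continue
        if p["dir"] == "out" and not in_pool(p["src"]):
            problems.append(f"{p['ts']}: unNATed source {p['src']} sent into {TUNNEL_IF}")
        if p["dir"] == "in" and not in_pool(p["dst"]):
            problems.append(f"{p['ts']}: non-pool destination {p['dst']} received on {TUNNEL_IF}")
    return problems


def check_gre_inside_ipsec(pkts):
    """GRE (ip-proto-47) may appear only on the IPsec interface; on any other
    interface it is travelling in the clear."""
    return [f"{p['ts']}: GRE on {p['intf']} outside {IPSEC_IF}"
            for p in pkts if p["proto"] == "ip-proto-47" and p["intf"] != IPSEC_IF]


if __name__ == "__main__":
    print("NAT problems:", check_nat(parse_sniffer(ICMP_CAPTURE)))
    print("GRE problems:", check_gre_inside_ipsec(parse_sniffer(GRE_CAPTURE)))
    print("Constructed bad NAT line:", check_nat(parse_sniffer(BAD_NAT_LINE)))
    print("Constructed bad GRE line:", check_gre_inside_ipsec(parse_sniffer(BAD_GRE_LINE)))
```

On the page's own captures both checks return empty lists; the constructed lines produce one finding each. The same parser can be fed a longer capture saved from the CLI, which is a quick way to confirm after a change (for example a policy edit that drops `set nat enable`) that LAN addresses are still hidden from the peer.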



Related Articles

Technical Note: Configuring and verifying a GRE over IPsec tunnel

Technical Note: Configuring and verifying a GRE over IPsec tunnel using 'encapsulation gre'
