GRE over IPSEC

As explained in the GRE post, when data needs to be transported between geographically separated locations, GRE establishes a tunnel between endpoints that lets the networks communicate as if they were directly connected. Since GRE was not built with security in mind, data is sent in clear text, and when it has to travel over a third-party network it is susceptible to eavesdropping. This security concern is easily tackled by adding IPSec to the mix, which prevents eavesdropping and provides data integrity and confidentiality.

GRE over IPSec has two modes, tunnel mode and transport mode, with tunnel mode being the default. In tunnel mode the entire GRE packet is encrypted and IPSec adds a new IP header. Since GRE and IPSec use the same tunnel endpoints, the new IP header added by IPSec is identical to the IP header added by GRE.

Tunnel mode packet encapsulation:


tunnel mode configuration:
hostname SitE_1R1
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 200.10.11.0    
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac 
!
crypto ipsec profile ABC
 set transform-set TS
!
interface Tunnel100
 tunnel protection ipsec profile ABC
!
Since IPSec and GRE add overhead to the IP packet, the IP MTU and the TCP MSS must be adjusted to prevent packet fragmentation.

IP MTU:
  New IP Header                         20 bytes
  ESP Header (SPI + Sequence)            8 bytes
  Init Vector *                          8 bytes
  New IP Header (GRE)                   20 bytes
  GRE Header                             4 bytes
  ESP Pad (ESP-DES/3DES) **              2 bytes
  Pad Length (ESP Trailer)               1 byte
  Next Header (ESP Trailer)              1 byte
  ESP-MD5-HMAC (ESP Trailer) ***        12 bytes
  Total                                 76 bytes

In this example the IP MTU should be set to 1500 - 76 = 1434

* According to the ESP encryption type, the Init Vector size can be 8 bytes for DES/3DES or 16 bytes for AES.

** ESP Padding varies according to the ESP encryption type, for DES/3DES the size is 2 bytes and for AES the size is 10 bytes.

*** The ESP Trailer varies according to the ESP integrity type, 12 bytes for MD5-HMAC or SHA-HMAC, 16 bytes for SHA-256-HMAC, 24 bytes for SHA-384-HMAC and 32 bytes for SHA-512-HMAC.

TCP-MSS:
  TCP Header                            20 bytes

The maximum segment size should be the IP MTU minus the TCP header: 1434 - 20 = 1414

Transport mode packet encapsulation:



transport mode configuration:
hostname SitE_1R1
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 200.10.11.0    
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode transport 
!
crypto ipsec profile ABC
 set transform-set TS
!
interface Tunnel100
 tunnel protection ipsec profile ABC
!
In transport mode the GRE IP header is not duplicated, so the overhead is less than in tunnel mode.

IP MTU:
  New IP Header                         20 bytes
  ESP Header (SPI + Sequence)            8 bytes
  Init Vector *                          8 bytes
  GRE Header                             4 bytes
  ESP Pad (ESP-DES/3DES) **              6 bytes
  Pad Length (ESP Trailer)               1 byte
  Next Header (ESP Trailer)              1 byte
  ESP-MD5-HMAC (ESP Trailer) ***        12 bytes
  Total                                 60 bytes

In this example the IP MTU should be set to 1500 - 60 = 1440

* According to the ESP encryption type, the Init Vector size can be 8 bytes for DES/3DES or 16 bytes for AES.

** ESP Padding varies according to the ESP encryption type, for DES/3DES the size is 6 bytes and for AES the size is 14 bytes.

*** The ESP Trailer varies according to the ESP integrity type, 12 bytes for MD5-HMAC or SHA-HMAC, 16 bytes for SHA-256-HMAC, 24 bytes for SHA-384-HMAC and 32 bytes for SHA-512-HMAC.

TCP-MSS:
  TCP Header                            20 bytes

The maximum segment size should be the IP MTU minus the TCP header: 1440 - 20 = 1420
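The two tables above and their footnotes give every byte count needed to size the tunnel for any of the listed cipher and integrity combinations, not just 3DES with MD5-HMAC. The calculator below is an added example, not code from the original post; it sums the same rows for tunnel and transport mode, applies the post's MTU-minus-TCP-header rule for the MSS, and emits the IOS `ip mtu` / `ip tcp adjust-mss` lines for the Tunnel interface (those two commands are assumed here and do not appear in the configurations above).

```python
# Added example (not from the original post): GRE over IPSec overhead calculator
# built from the byte counts in the tunnel-mode and transport-mode tables above.

# Per cipher: (IV bytes, ESP pad in tunnel mode, ESP pad in transport mode),
# taken from footnotes * and ** of the two tables.
CIPHER = {
    "des": (8, 2, 6),
    "3des": (8, 2, 6),
    "aes": (16, 10, 14),
}
# ESP trailer ICV size per integrity algorithm, from footnote ***.
INTEGRITY = {"md5": 12, "sha1": 12, "sha256": 16, "sha384": 24, "sha512": 32}

NEW_IP_HDR = 20   # IP header added by IPSec
ESP_HDR = 8       # SPI + sequence number
GRE_IP_HDR = 20   # GRE's own IP header, present as a second header only in tunnel mode
GRE_HDR = 4
ESP_TRAILER = 2   # pad length + next header
TCP_HDR = 20


def esp_gre_overhead(mode, cipher, integrity):
    """Total per-packet overhead in bytes for the given mode/cipher/integrity."""
    iv, pad_tunnel, pad_transport = CIPHER[cipher]
    pad = pad_tunnel if mode == "tunnel" else pad_transport
    total = NEW_IP_HDR + ESP_HDR + iv + GRE_HDR + pad + ESP_TRAILER + INTEGRITY[integrity]
    if mode == "tunnel":
        total += GRE_IP_HDR   # inner IP header is duplicated in tunnel mode
    return total


def tunnel_sizes(mode, cipher, integrity, link_mtu=1500):
    """(IP MTU, TCP MSS) for the Tunnel interface, following the post's method."""
    ip_mtu = link_mtu - esp_gre_overhead(mode, cipher, integrity)
    return ip_mtu, ip_mtu - TCP_HDR


def tunnel_interface_lines(mode, cipher, integrity, link_mtu=1500):
    """IOS lines to add under 'interface Tunnel100' (commands assumed, not from the post)."""
    ip_mtu, mss = tunnel_sizes(mode, cipher, integrity, link_mtu)
    return [f" ip mtu {ip_mtu}", f" ip tcp adjust-mss {mss}"]


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        for cipher, integrity in (("3des", "md5"), ("aes", "sha256")):
            print(mode, cipher, integrity, esp_gre_overhead(mode, cipher, integrity),
                  tunnel_sizes(mode, cipher, integrity))
```

For the transport-mode 3DES/MD5 case the function reproduces the 60-byte total and the 1440/1420 values above; the tunnel-mode 3DES/MD5 total is the table's 76 bytes.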

A good IP MTU Calculator can be found here
