
BGP Over IPSEC: (IPSEC Underlay & BGP Overlay)

Topology:

Data at rest can be protected by host and storage controls, but once it crosses an untrusted network anyone on the path can read or alter it. IPsec exists to give traffic that crosses the internet confidentiality, integrity and peer authentication.

In an enterprise, connecting all the remote networks over the internet needs two things: a secure transport between sites, and a routing protocol that exchanges the site prefixes across it.

To run BGP across the internet, we therefore build IPsec as the underlay first (a tunnel interface secured with a tunnel protection profile) and then peer BGP across that tunnel as the overlay, so that both the routing updates and the user traffic they steer are encrypted.

For this, a deliberately simple topology is used, as shown in the image above, and the configuration is kept to the minimum needed so the design is not obscured.

ISP Router Configuration:

interface FastEthernet0/0
description Towards HO
ip address 1.1.1.2 255.0.0.0
no shut

interface FastEthernet0/1
description Towards Branch
ip address 2.2.2.1 255.0.0.0
no shut

(The ISP router stands in for the internet. Both 1.0.0.0/8 and 2.0.0.0/8 are directly connected to it, so it forwards between 1.1.1.1 and 2.2.2.2 without any extra routes; it never sees the LAN prefixes, which only travel inside the tunnel.)

Head Office Router Configuration:

Interface Configuration:
interface FastEthernet0/0
ip address 1.1.1.1 255.0.0.0
description WAN_Interface
no shut

interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
description LAN_Interface
no shut

Default Route: (Needed to reach the IPSEC peer in this case)
ip route 0.0.0.0 0.0.0.0 1.1.1.2

DHCP Configuration: (Optional)
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp pool HeadOffice_Network
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.1
default-router 192.168.1.1

Crypto Configuration:
ISAKMP Configuration: (Phase-01)
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2

Pre-shared key configuration: (We are telling the router that this is the PSK for this peer. 123456 is a lab placeholder only; in production use a long random secret, since anyone who guesses the PSK can authenticate as the peer)
crypto isakmp key 123456 address 2.2.2.2

Defining ISAKMP Peer: (Optional. This only opens a per-peer ISAKMP configuration block and does nothing on its own; the peer is already identified by the key statement above)
crypto isakmp peer address 2.2.2.2

Defining Transform-Set: (Phase-02. This transform-set is needed to secure the actual payload)
crypto ipsec transform-set TS esp-3des esp-md5-hmac

Defining Crypto MAP: (As the name suggests, we map all crypto criteria here)
crypto map CM 1 ipsec-isakmp
set peer 2.2.2.2
set transform-set TS

Applying Crypto MAP on WAN interface: (The map above has no match address access-list, so IOS keeps it disabled and it never encrypts anything. In this design all encryption is done by the tunnel protection profile on Tunnel1, so the crypto map can be omitted entirely; it is kept here only to mirror the branch side)
interface FastEthernet0/0
crypto map CM

Defining tunnel protection crypto profile: (Needed to secure the tunnel interface traffic. In this case I have used the same transform set that is used in Phase-2)
crypto ipsec profile CP
set transform-set TS

BGP Tunnel Interface Configuration:


interface Tunnel1
ip address 3.3.3.1 255.0.0.0
tunnel source 1.1.1.1
tunnel destination 2.2.2.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile CP
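The ISAKMP policy, transform set and PSK above (3DES, MD5, DH group 2, key 123456) are enough to bring the tunnel up in a lab, but 3DES and MD5 are deprecated, DH group 2 (1024-bit) is considered too weak for new deployments, and a six-digit PSK can be brute-forced offline from a captured IKE exchange. The following is an added example, not part of the original page, showing the same three objects with current algorithms on the Head Office side; it assumes an IOS image that supports AES-256, SHA-256 and DH group 14 (IOS 15.x does), and the PSK value is a placeholder to be replaced. The branch mirrors it with `address 1.1.1.1`.

```cisco
! ISAKMP (IKEv1) policy: AES-256, SHA-256, DH group 14 (2048-bit)
! Both peers must offer a matching policy or Phase-1 will not negotiate.
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Dead peer detection so a failed peer tears the SA down instead of
! leaving a black-holed tunnel (10 s interval, 3 s retry).
crypto isakmp keepalive 10 3 periodic
!
! Pre-shared key: REPLACE-WITH-LONG-RANDOM-PSK is a placeholder (assumption),
! not a value from the original page. Use a long random string.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 2.2.2.2
!
! Phase-2 transform set: AES-256 for ESP with SHA-256 HMAC for integrity
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
! Tunnel protection profile: same transform set, plus PFS so every
! IPsec SA rekey does a fresh DH exchange and a compromised IKE key
! does not expose earlier traffic.
crypto ipsec profile CP
 set transform-set TS
 set pfs group14
```

After changing the policy on both routers, clear the existing SAs (`clear crypto isakmp` and `clear crypto sa`) and confirm with `show crypto isakmp sa` that the new SA is in QM_IDLE and with `show crypto ipsec sa` that the transform shown is the AES/SHA-256 one and that the encaps/decaps counters increase as traffic crosses Tunnel1. Longer term, IKEv2 (`crypto ikev2 proposal`/`policy`/`profile`) should replace `crypto isakmp` entirely, as IKEv1 is itself deprecated.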

Branch Office Router Configuration:


Interface Configuration:
interface FastEthernet0/1
description WAN_Interface
ip address 2.2.2.2 255.0.0.0
no shut

interface FastEthernet0/0
description LAN_Interface
ip address 172.16.1.1 255.255.255.0
no shut

Default Route: (Needed to reach the IPSEC peer in this case)
ip route 0.0.0.0 0.0.0.0 2.2.2.1

DHCP Configuration: (Optional)
ip dhcp pool Branch_Network
network 172.16.1.0 255.255.255.0
dns-server 172.16.1.1
default-router 172.16.1.1

Crypto Configuration:
ISAKMP Configuration: (Phase-01)
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2

Pre-shared key configuration: (We are telling the router that this is the PSK for this peer. It must be identical to the key configured on the Head Office router; 123456 is a lab placeholder only)
crypto isakmp key 123456 address 1.1.1.1

Defining ISAKMP Peer: (Optional, as on the Head Office side)
crypto isakmp peer address 1.1.1.1

Defining Transform-Set: (Phase-02. This transform-set is needed to secure the actual payload)
crypto ipsec transform-set TS esp-3des esp-md5-hmac

Defining Crypto MAP: (As the name suggests, we map all crypto criteria here)
crypto map CM 1 ipsec-isakmp
set peer 1.1.1.1
set transform-set TS

Applying Crypto MAP on WAN interface: (As on the Head Office side, this map has no match address access-list, so it stays disabled and can be omitted; the tunnel protection profile on Tunnel1 does the encryption)
interface FastEthernet0/1
crypto map CM

Defining tunnel protection crypto profile: (Needed to secure the tunnel interface traffic. In this case I have used the same transform set that is used in Phase-2)
crypto ipsec profile CP
set transform-set TS

BGP Tunnel Interface Configuration:


interface Tunnel1
ip address 3.3.3.2 255.0.0.0
tunnel source 2.2.2.2
tunnel destination 1.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CP
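The page shows the tunnel interfaces on both routers but not the `router bgp` configuration that produces the verification output below. The following is an added example, not the original author's configuration: the AS numbers (100 for Head Office, 200 for Branch) and the advertised LAN prefixes are taken from the show output, while `bgp log-neighbor-changes`, `ttl-security`, the neighbor `password` and the secret value are hardening additions I am assuming. The original HO output shows 2 prefixes received; this example advertises only the one LAN per site, so HO would show 1.

```cisco
! Head Office router (AS 100): eBGP to the branch across the IPsec VTI.
! 3.3.3.0/8 is directly connected via Tunnel1, so the neighbour is one hop away.
router bgp 100
 bgp log-neighbor-changes
 neighbor 3.3.3.2 remote-as 200
 neighbor 3.3.3.2 description Branch via Tunnel1 (IPsec VTI)
 ! GTSM: accept BGP packets only with TTL 255, i.e. from a directly
 ! connected peer, so nothing behind the tunnel can spoof the session.
 neighbor 3.3.3.2 ttl-security hops 1
 ! TCP MD5 on the session as defence in depth; the tunnel already encrypts
 ! it. BGP-SESSION-SECRET is a placeholder (assumption), set the same on both ends.
 neighbor 3.3.3.2 password BGP-SESSION-SECRET
 network 192.168.1.0 mask 255.255.255.0
!
! Branch router (AS 200): mirror image of the above.
router bgp 200
 bgp log-neighbor-changes
 neighbor 3.3.3.1 remote-as 100
 neighbor 3.3.3.1 description Head Office via Tunnel1 (IPsec VTI)
 neighbor 3.3.3.1 ttl-security hops 1
 neighbor 3.3.3.1 password BGP-SESSION-SECRET
 network 172.16.1.0 mask 255.255.255.0
```

Because the `network` statements name prefixes that are directly connected on each LAN interface, BGP advertises them as soon as the session reaches Established. The next hop of the learned route is the tunnel address of the peer (3.3.3.2 or 3.3.3.1), which is why the LAN-to-LAN traffic is forced into Tunnel1 and hence into IPsec: `show ip route bgp` should show exactly that next hop, and `show crypto ipsec sa` counters should climb when you ping between the LANs.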

Verification on HO Router: (The eBGP session to 3.3.3.2 in AS 200 is Established, as shown by a prefix count rather than a state name in the last column; the branch LAN is learned with administrative distance 20, which is eBGP)
HO#show ip bgp summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
3.3.3.2 4 200 32 32 4 0 0 00:28:02 2

HO#show ip route bgp
172.16.0.0/24 is subnetted, 2 subnets
B 172.16.1.0 [20/0] via 3.3.3.2, 00:28:12

Verification on Branch Router: (The mirror session to 3.3.3.1 in AS 100 is Established and the Head Office LAN is reachable via the tunnel address)
BR#show ip bgp summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
3.3.3.1 4 100 33 33 4 0 0 00:29:14 1

BR#show ip route bgp
B 192.168.1.0/24 [20/0] via 3.3.3.1, 00:30:00

In both outputs the next hop is the peer's Tunnel1 address, not its WAN address, which confirms that the routed traffic enters the tunnel and is encrypted by the tunnel protection profile rather than leaving the WAN interface in the clear.
