<h1>IPsec over GRE + OSPF, MikroTik vs Cisco, part 1</h1>
<p>Published 2012-11-14 at https://diablo.craem.net/?p=745. Categories: cisco, varios. Tags: cisco, ipsec, mikrotik, ospf.</p>

<p>Today's post is one of those that took me the most work to put together.<br />
I have quite a few Cisco routers at customer sites, and most of the VPNs (more than 50) run IPsec over GRE with EIGRP. That way every site can reach every other site and I don't have to worry about routes.<br />
The idea is to set up virtual MikroTik routers to make better use of space, save power, and so on.<br />
The scenario I propose is simple:</p>
<p><a href="https://diablo.craem.net/wp-content/uploads/2012/11/captura11.png"><img src="https://diablo.craem.net/wp-content/uploads/2012/11/captura11.png" alt="Network diagram" title="Network diagram" width="787" height="541" /></a></p>
<p>On one side we have the local network, 192.168.80.0/24, and at the other end the network 192.168.2.0/24.<br />
The network we will use for the tunnel is 172.30.0.0/30.<br />
We start with the Cisco router configuration:</p>
<pre><code>! Phase 1 (ISAKMP/IKE) policy: 3DES, MD5, pre-shared key, DH group 2
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
! Pre-shared key for the MikroTik's public address
crypto isakmp key superClave address 1.1.1.1 no-xauth
! Phase 2 transform set in transport mode: the outer IP header is kept,
! only the GRE packet inside it is encrypted
crypto ipsec transform-set trans_3des esp-3des esp-md5-hmac
 mode transport
!
! IPsec profile that will be attached to the GRE tunnel interface
crypto ipsec profile mikro
 set transform-set trans_3des
</code></pre>
<p>We set IPsec to transport mode so that, among other things, we don't lose the routing information, and we create a profile for the tunnel to the MikroTik.<br />
We create the GRE tunnel:</p>
<pre><code>interface Tunnel5
 description CONNECTED TO oficina mikrtik
 ip address 172.30.0.1 255.255.255.252
 ! lower the MTU to leave room for the GRE header
 ip mtu 1476
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.1
 ! encrypt the GRE traffic with the profile defined above
 tunnel protection ipsec profile mikro
</code></pre>
<p>And we configure OSPF with its areas:</p>
<pre><code>router ospf 10
 log-adjacency-changes
 redistribute static subnets
 network 192.168.2.0 0.0.0.255 area 0
 network 172.30.0.0 0.0.0.3 area 0
</code></pre>
<p>And finally, the static route to the remote network (for now I can't get it to work any other way):</p>
<pre><code>cisco(conf-if)# ip route 192.168.80.0 255.255.255.0 tunnel 5
</code></pre>
<p>And now on to the MikroTik:</p>
<pre><code>/interface ethernet
# GRE tunnel to the Cisco (2.2.2.2), same MTU as on the Cisco side
/interface gre
add disabled=no dscp=0 l2mtu=65535 local-address=1.1.1.1 mtu=1476 \
    name=tunnel5 remote-address=2.2.2.2
# proposal matching the Cisco transform set: 3DES + MD5, no PFS
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=59m59s name=\
    cisco pfs-group=none
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never in-filter=\
    ospf-in metric-bgp=auto metric-connected=20 metric-default=1 \
    metric-other-ospf=auto metric-rip=20 metric-static=20 name=default \
    out-filter=ospf-out redistribute-bgp=no redistribute-connected=as-type-1 \
    redistribute-other-ospf=as-type-1 redistribute-rip=no \
    redistribute-static=as-type-1 router-id=0.0.0.0
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=\
    backbone type=default
add area-id=192.168.80.0 disabled=no instance=default name=area11 type=\
    default
/routing ospf-v3 instance
set [ find default=yes ] disabled=no distribute-default=never metric-bgp=auto \
    metric-connected=20 metric-default=1 metric-other-ospf=auto metric-rip=20 \
    metric-static=20 name=default redistribute-bgp=no redistribute-connected=\
    no redistribute-other-ospf=no redistribute-rip=no redistribute-static=no \
    router-id=0.0.0.0
/ip address
add address=192.168.80.254/24 comment="added by setup" disabled=no interface=\
    ether1_lan network=192.168.80.0
add address=1.1.1.1/32 disabled=no interface=public_interface network=\
    1.1.1.1
add address=172.30.0.2/30 disabled=no interface=tunnel5 network=172.30.0.0
/ip dhcp-server config
set store-leases-disk=5m
# phase 1 peer: main mode, DH group 2 (modp1024), 3DES/MD5, pre-shared key
/ip ipsec peer
add address=2.2.2.2/32 auth-method=pre-shared-key comment=\
    "tunel IPSEC pruebas angel" dh-group=modp1024 disabled=no dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main \
    generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
    my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey secret=\
    superClave send-initial-contact=yes
# transport-mode policy (tunnel=no) covering only GRE (protocol 47)
# between the two public addresses
/ip ipsec policy
add action=encrypt disabled=no dst-address=2.2.2.2/32 dst-port=any \
    ipsec-protocols=esp level=require priority=0 proposal=cisco protocol=47 \
    sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=\
    1.1.1.1/32 src-port=any tunnel=no
/ip neighbor discovery
set ether1_lan disabled=no
set public_interface disabled=no
set tunnel5 disabled=yes
/ip route
add comment="added by setup" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=1.1.1.2 scope=30 target-scope=10
/routing filter
add action=accept chain=ospf-out disabled=no distance=1 invert-match=no \
    prefix=192.168.80.0/24 protocol=connect,ospf set-bgp-prepend-path=""
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
    gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
    0.0.0.0 timeout=1m ttl=50
/routing ospf area range
add advertise=yes area=area11 cost=calculated disabled=no range=\
    192.168.80.0/24
/routing ospf interface
add authentication=none authentication-key="" authentication-key-id=1 cost=10 \
    dead-interval=40s disabled=no hello-interval=10s instance-id=0 interface=\
    all network-type=broadcast passive=no priority=1 retransmit-interval=5s \
    transmit-delay=1s use-bfd=no
add authentication=none authentication-key="" authentication-key-id=1 cost=10 \
    dead-interval=40s disabled=no hello-interval=10s instance-id=0 interface=\
    public_interface network-type=broadcast passive=yes priority=1 \
    retransmit-interval=5s transmit-delay=1s use-bfd=no
/routing ospf network
add area=backbone comment="local lan" disabled=no network=192.168.80.0/24
add area=backbone comment="tunnel 5 network" disabled=no network=\
    172.30.0.0/30
/system clock
set time-zone-name=Europe/Madrid
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+00:00
/system identity
set name=cpd_router
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system ntp client
set enabled=yes mode=unicast primary-ntp=130.206.3.166 secondary-ntp=\
    130.206.3.166
/system ntp server
set broadcast=no broadcast-addresses="" enabled=no manycast=yes multicast=no
</code></pre>