
GRE Tunnels Between Cisco and Nokia
Greg Schwartzkopf – Systems Engineer - Technical Theory
May 29, 2003

Overview

The purpose of this paper is to explain how to configure GRE tunnels on both the Nokia and Cisco platforms. The reader should have a basic knowledge of IP, network infrastructure and VPN design, and should be familiar with configuring both platforms. The instructions were written for IPSO version 3.6 and Cisco IOS version 11.0 and later. We will use the sample network configuration shown in the diagram below:

Network diagram (summarized):

Los Angeles network: 172.16.10.0/24
  LAX_FW (Nokia IP650)
    Eth-s1p1c0: 172.16.10.1/24
    Ser-s2p1c0: 38.49.214.1/24 (tunnel endpoint)
    Tun0c0:     38.49.215.1/24 (tunnel interface)

    <--- Internet / GRE tunnel --->

San Francisco network: 172.16.100.0/24
  SFN_Router (Cisco 3640)
    Serial2/0: 196.100.100.1/24 (tunnel endpoint)
    Tunnel0:   196.100.101.1/24 (tunnel interface)
    Eth1/0:    172.16.100.1/24

This is a general GRE implementation for internal site-to-site communications. GRE only encapsulates; it provides no confidentiality, integrity or peer authentication, so anyone on the path can read the inner packets and, since nothing authenticates the peer, inject traffic into the tunnel. For this reason, these types of “VPN” configurations are not considered secure by today’s standards. A better solution would be an IPsec tunnel with triple-DES data encryption (by current standards AES rather than triple-DES, which is now deprecated).


Part One – Configuring the GRE tunnel on the Nokia Security Platform

Step 1 – Unload the current firewall policy by typing the following at a console prompt. Note that this leaves the platform with no security policy enforced until the policy is reinstalled at the end of Part Two, so do it from a maintenance window:

LAX_FW[admin]# fw unloadlocal

Step 2 – Open Network Voyager in your web browser and click Config > Interfaces > Tunnels. At this point the only control on the page is a drop-down box for the tunnel type:

Choose “GRE” and click “Apply”

Step 3 – Configure the logical interface by clicking on the new tunnel name, in our case “tun0c0.” You will be presented with a screen asking for several IP addresses:

Here is a brief description of what each box represents, with the values for our sample network:

Local Address: local IP address of the GRE tunnel interface (tun0c0: 38.49.215.1)
Remote Address: IP address of the remote GRE tunnel interface (Cisco Tunnel0: 196.100.101.1)
Local Endpoint: IP address of the local interface that carries the encapsulated packets (in our case the serial interface of the Nokia platform, ser-s2p1c0: 38.49.214.1)
Remote Endpoint: IP address of the remote tunnel endpoint interface (in our case the serial interface of the Cisco router, Serial2/0: 196.100.100.1)

After entering the proper IP addresses, click the Apply button to accept the changes.

Step 4 – Add a static route for traffic destined for the San Francisco network (172.16.100.0/24). The remote tunnel interface address is the next hop:

Destination: 172.16.100.0
Mask Length: 24
Next hop type: Normal
Gateway: 196.100.101.1

Step 5 – Save changes. Click “Apply” and then “Save” so the changes survive a reboot. Test the configuration.


Part Two – Configuring the GRE tunnel on the Cisco router

Step 1 – Enter configuration mode. Define local GRE tunnel interface and assign it an IP address by typing the following commands:

SFN_Router(config)# interface tunnel 0
SFN_Router(config-if)# ip address 196.100.101.1 255.255.255.0

Step 2 – Specify the tunnel source. This is the IP address of the interface on the local router from which GRE tunnel traffic will originate (in our case the serial interface of the Cisco router, Serial2/0). Enter the following command:

SFN_Router(config-if)# tunnel source 196.100.100.1

Step 3 – Specify the tunnel destination address. This is the IP address of the remote device to which the GRE tunnel traffic is sent (in our case the serial interface of the Nokia platform, ser-s2p1c0). Enter the following command:

SFN_Router(config-if)# tunnel destination 38.49.214.1

Step 4 – Configure the tunnel mode for GRE (this is the IOS default, but setting it explicitly documents the intent).

SFN_Router(config-if)# tunnel mode gre ip

Step 5 – Bring the tunnel interface up.

SFN_Router(config-if)# no shutdown

Step 6 – Add a static route to send traffic destined for the Los Angeles network over the GRE tunnel. This is a global configuration command, so leave interface configuration mode first.

SFN_Router(config)# ip route 172.16.10.0 255.255.255.0 tunnel 0

Step 7 – Leave configuration mode, save the running configuration and test.

SFN_Router# write memory

Once both configurations have been tested and confirmed, reinstall the security policy on the Nokia firewall. The policy must permit GRE (IP protocol 47) between the two tunnel endpoint addresses, 38.49.214.1 and 196.100.100.1, and separately permit the inner traffic between the Los Angeles and San Francisco networks. Please consult your Check Point firewall documentation for more information.
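Two points above deserve a concrete illustration: the Overview's warning that GRE carries the inner packet in the clear, and the firewall policy just described, which must allow IP protocol 47 only between the two tunnel endpoints while separate rules govern the site networks. The following Python is an added example, not code from the paper or from either vendor. It builds and parses minimal IPv4 and GRE headers (RFC 2784, with the RFC 2890 key and sequence fields skipped on receive) using the paper's own addresses, shows an on-path observer recovering the payload, and applies the two rules a packet filter needs. The sample packet and its payload are constructed here; nothing is sent on the wire.

```python
"""GRE-in-IPv4 encapsulation, decapsulation and endpoint filtering (added example)."""
import ipaddress
import struct

# Tunnel endpoints and site networks from the paper's sample diagram.
LAX_ENDPOINT = "38.49.214.1"      # Nokia ser-s2p1c0
SFN_ENDPOINT = "196.100.100.1"    # Cisco Serial2/0
LAX_NET = ipaddress.ip_network("172.16.10.0/24")
SFN_NET = ipaddress.ip_network("172.16.100.0/24")

GRE_PROTO = 47            # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800   # GRE Protocol Type for an IPv4 payload
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # optional-field flags (RFC 2784/2890)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 when run over data that already carries a correct one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, TTL 64) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); rejects a bad version or header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", packet[2:4])[0]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[9], packet[ihl:total_len]


def gre_encap(inner: bytes, local: str = LAX_ENDPOINT, remote: str = SFN_ENDPOINT,
              key: int = None, with_checksum: bool = False) -> bytes:
    """Wrap an inner IPv4 packet in GRE and an outer IPv4 header.
    With the defaults this is the header-only GRE the paper configures; the optional
    checksum and key fields (which the Nokia side does not use) are added only on request."""
    flags, opts = 0, b""
    if with_checksum:
        flags |= GRE_C
        opts += b"\x00\x00\x00\x00"   # Checksum placeholder + Reserved1
    if key is not None:
        flags |= GRE_K
        opts += struct.pack("!I", key)
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4) + opts + inner
    if with_checksum:
        gre = gre[:4] + struct.pack("!H", checksum(gre)) + gre[6:]   # covers header + payload
    return build_ipv4(local, remote, GRE_PROTO, gre)


def gre_decap(packet: bytes) -> bytes:
    """Strip the outer IPv4 and GRE headers, skipping any optional fields that are present."""
    _, _, proto, body = parse_ipv4(packet)
    if proto != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    flags, ptype = struct.unpack("!HH", body[:4])
    if (flags & 0x0007) != 0:         # Version must be 0 (version 1 is PPTP's enhanced GRE)
        raise ValueError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % ptype)
    if flags & GRE_C and checksum(body) != 0:
        raise ValueError("bad GRE checksum")
    offset = 4 + 4 * bool(flags & GRE_C) + 4 * bool(flags & GRE_K) + 4 * bool(flags & GRE_S)
    return body[offset:]


def outer_rule_allows(packet: bytes) -> bool:
    """Tunnel rule: IP protocol 47 only, and only between the two fixed endpoints."""
    src, dst, proto, _ = parse_ipv4(packet)
    return proto == GRE_PROTO and {src, dst} == {LAX_ENDPOINT, SFN_ENDPOINT}


def inner_rule_allows(inner: bytes) -> bool:
    """Rule for decapsulated traffic: only the two site LANs may talk across the tunnel."""
    src, dst, _, _ = parse_ipv4(inner)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in LAX_NET and d in SFN_NET) or (s in SFN_NET and d in LAX_NET)


def eavesdrop(packet: bytes) -> bytes:
    """What an on-path observer gets: GRE adds framing, not secrecy."""
    return parse_ipv4(gre_decap(packet))[3]


if __name__ == "__main__":
    # Constructed sample: a Los Angeles host sends cleartext to a San Francisco host.
    inner = build_ipv4("172.16.10.25", "172.16.100.40", 253, b"payroll export, confidential")
    on_wire = gre_encap(inner)
    assert outer_rule_allows(on_wire) and inner_rule_allows(gre_decap(on_wire))
    print("observer recovers:", eavesdrop(on_wire))
    # GRE arriving from any address other than the peer is dropped by the endpoint rule.
    assert not outer_rule_allows(gre_encap(inner, local="203.0.113.9"))
```

Note what the endpoint rule cannot do: a packet whose outer source address is forged to 196.100.100.1 passes it, because GRE has no peer authentication. That gap, together with the cleartext payload, is what only IPsec closes.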


Summary

We have reviewed the configuration of GRE tunnels on both Cisco and Nokia platforms. GRE is a standard protocol (RFC 2784) supported by many platforms today. As noted above, the method described in this paper is NOT recommended for secure communications over the Internet, because GRE encrypts and authenticates nothing. This particular scenario has not been tested to date. Interoperability issues may arise where a third-party implementation departs from the RFCs, or from bugs in a third-party IOS. The Nokia platform implements GRE to the standard with none of the optional header fields, so the Cisco side should likewise use plain GRE as configured above.

Cisco is a registered trademark of Cisco Systems, Inc. Checkpoint is a registered trademark of Checkpoint, Inc.
