IPSEC over GRE Tunnel

VERSION 10 
Created on: Jul 21, 2008 11:22 AM by shafagh - Last Modified: Feb 4, 2013 11:49 PM by shafagh

What this text covers is IPsec over GRE tunnels, with IPsec in transport mode rather than tunnel mode. You can also call it GRE over IPsec, or route-based tunnels as opposed to policy-based tunnels; all of these names mean the same thing: your data is encrypted with IPsec while GRE provides the logical interface you route over or use for fancy stuff like multicast!

In this example there is no need to define a crypto map (policy-based tunnels are not cool), because IPsec is applied to the tunnel interface itself with the "tunnel protection" command (a route-based tunnel).

The same concept is used in DMVPN (Dynamic Multipoint VPN) implementations; the difference is that DMVPN uses multipoint GRE instead of the point-to-point GRE tunnel shown here.

[Figure: GREIPSEC.png, topology diagram]

R1 and R2 are connected over the internet, and there is a firewall in front of R2 protecting R2's network from internet threats.

Template configuration on the routers (shown from R1's side; on R2 the peer address, the tunnel source/destination and the tunnel IP address are swapped, see the full configurations below):

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address 217.218.1.1
!
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile MyProfile
 set transform-set MyTransSet
!
interface Tunnel0
 ip address 10.254.25.4 255.255.255.254
 tunnel source 81.12.50.1
 tunnel destination 217.218.1.1
 tunnel protection ipsec profile MyProfile

After both routers are configured, the firewall will see some UDP port 500 (ISAKMP) packets followed, if they are accepted, by numerous ESP (IP protocol number 50) packets over the link.

The first activity is related to ISAKMP (over UDP 500):

%PIX-2-106006: Deny inbound UDP from 81.12.50.1/500 to 217.218.1.1/500 on interface outside.

The second one is related to ESP packets:

%PIX-3-106010: Deny inbound protocol 50 src outside:81.12.50.1 dst inside:217.218.1.1 on interface outside

  • So we need to permit ISAKMP and ESP (IPsec) traffic inbound to the inside network so that the IPsec session, and with it the GRE tunnel, can be established. Traffic from the inside (security level 100) to the outside (security level 0) is already allowed by the PIX default, so only the inbound direction needs an access list:

access-list outin permit udp host 81.12.50.1 eq 500 host 217.218.1.1 eq 500
access-list outin permit esp host 81.12.50.1 host 217.218.1.1
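Mapping these two deny messages to the permits they need is easy by hand for one tunnel. The following Python script, added here as an example and not part of the original article, does the same thing over a batch of PIX syslog lines: it parses the 106006 and 106010 message formats shown above and emits a permit only for ISAKMP (UDP 500, or 4500 for NAT-T) and ESP/AH between the two known tunnel endpoints, so a stray deny from some other host is never turned into a firewall rule. The sample log (the third line is a constructed, unrelated deny) and the function names are assumptions of this example.

```python
import re

# Constructed sample syslog lines. The first two are the message formats
# quoted in the article; the third is an unrelated deny that must NOT be
# turned into a permit just because it was logged.
SAMPLE_LOG = """\
%PIX-2-106006: Deny inbound UDP from 81.12.50.1/500 to 217.218.1.1/500 on interface outside.
%PIX-3-106010: Deny inbound protocol 50 src outside:81.12.50.1 dst inside:217.218.1.1 on interface outside
%PIX-2-106006: Deny inbound UDP from 198.51.100.7/40000 to 217.218.1.1/53 on interface outside.
"""

# 106006: TCP/UDP deny with ports; 106010: deny by raw IP protocol number
UDP_TCP_RE = re.compile(
    r"%PIX-\d-106006: Deny inbound (?P<proto>UDP|TCP) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\w+)")
IP_PROTO_RE = re.compile(
    r"%PIX-\d-106010: Deny inbound protocol (?P<proto>\d+) src "
    r"\w+:(?P<src>[\d.]+) dst \w+:(?P<dst>[\d.]+) on interface (?P<iface>\w+)")

IP_PROTO_NAMES = {50: "esp", 51: "ah", 47: "gre"}   # PIX access-list keywords
PORT_NAMES = {500: "isakmp"}                         # PIX access-list port keyword


def parse_deny(line):
    """Return a dict describing one deny message, or None for any other line."""
    m = UDP_TCP_RE.search(line)
    if m:
        return {"proto": m["proto"].lower(), "src": m["src"], "dst": m["dst"],
                "sport": int(m["sport"]), "dport": int(m["dport"]), "iface": m["iface"]}
    m = IP_PROTO_RE.search(line)
    if m:
        return {"proto": int(m["proto"]), "src": m["src"], "dst": m["dst"], "iface": m["iface"]}
    return None


def is_ipsec(deny):
    """ISAKMP (UDP 500, UDP 4500 for NAT-T) and ESP/AH are the IPsec control and data channels."""
    if deny["proto"] == "udp":
        return deny["dport"] in (500, 4500)
    return deny["proto"] in (50, 51)


def acl_line(deny, acl_name="outin"):
    """Render the PIX access-list entry that would permit exactly this denied flow."""
    if deny["proto"] in ("udp", "tcp"):
        sp = PORT_NAMES.get(deny["sport"], str(deny["sport"]))
        dp = PORT_NAMES.get(deny["dport"], str(deny["dport"]))
        return (f"access-list {acl_name} extended permit {deny['proto']} "
                f"host {deny['src']} eq {sp} host {deny['dst']} eq {dp}")
    proto = IP_PROTO_NAMES.get(deny["proto"], str(deny["proto"]))
    return f"access-list {acl_name} extended permit {proto} host {deny['src']} host {deny['dst']}"


def ipsec_permits(log_text, peer_a, peer_b, acl_name="outin"):
    """Permit only the IPsec denies seen between the two known tunnel endpoints.

    Everything else stays denied. The result is in log order and de-duplicated,
    so ISAKMP retransmissions produce a single entry.
    """
    peers = {peer_a, peer_b}
    entries = []
    for raw in log_text.splitlines():
        deny = parse_deny(raw)
        if deny is None or not is_ipsec(deny):
            continue
        if {deny["src"], deny["dst"]} != peers:
            continue  # IPsec from an unknown host: leave it denied
        entry = acl_line(deny, acl_name)
        if entry not in entries:
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for entry in ipsec_permits(SAMPLE_LOG, "81.12.50.1", "217.218.1.1"):
        print(entry)
```

Run against the sample log it prints the same two access-list entries that the FW1 configuration at the end of the article contains; the DNS deny from 198.51.100.7 is dropped because it is neither IPsec nor between the tunnel endpoints.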


Let's ping the other side of the tunnel to make sure everything is all right:

R1#ping 10.254.25.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.254.25.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/137/312 ms


Now let's check ISAKMP and IPsec with the show crypto commands. The ISAKMP SA should be in state QM_IDLE (phase 1 is complete and the SA is idle between quick-mode exchanges), and the IPsec SA counters should show packets being both encapsulated and decapsulated:

R1#show crypto isakmp sa
dst             src             state          conn-id slot status
81.12.50.1      217.218.1.1     QM_IDLE              1    0 ACTIVE

R1#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 81.12.50.1

   current_peer 217.218.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
    #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
    #pkts compressed: 0, #pkts decompressed: 0

     local crypto endpt.: 81.12.50.1, remote crypto endpt.: 217.218.1.1


Configurations:

R1:

version 12.4
!
hostname R1
!
ip cef
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address 217.218.1.1
!
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile MyProfile
 set transform-set MyTransSet
!
interface Tunnel0
 ip address 10.254.25.4 255.255.255.254
 tunnel source 81.12.50.1
 tunnel destination 217.218.1.1
 tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
 ip address 81.12.50.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 81.12.50.2
!
line con 0
line aux 0
line vty 0 4
!
end

R2:

version 12.4
!
hostname R2
!
ip cef
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address 81.12.50.1
!
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile MyProfile
 set transform-set MyTransSet
!
interface Tunnel0
 ip address 10.254.25.5 255.255.255.254
 tunnel source 217.218.1.1
 tunnel destination 81.12.50.1
 tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
 ip address 217.218.1.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 217.218.1.2
!
line con 0
line aux 0
line vty 0 4
!
end

FW1:

PIX Version 8.0(4)
!
hostname pixfirewall
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 81.12.50.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 217.218.1.2 255.255.255.0
!
access-list outin extended permit udp host 81.12.50.1 eq isakmp host 217.218.1.1 eq isakmp
access-list outin extended permit esp host 81.12.50.1 host 217.218.1.1
!
access-group outin in interface outside
!
: end
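With the two router configurations side by side, the parts that have to mirror each other are easy to get wrong: the tunnel source on one router is the tunnel destination on the other, the pre-shared key has to be defined for the peer's address, the tunnel IP addresses must share the /31, both profiles must reach a transform set, and the transform sets (algorithms and mode) must agree. The following Python script is an added example, not part of the article: it parses the crypto and tunnel lines of R1 and R2 (embedded as constructed sample text, with sub-commands indented by one space as in IOS running-config output) and reports any mismatch between the two ends. The parse_ios and check_pair names and the finding texts are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample input: the crypto and tunnel lines of the article's R1 and R2
# configurations, with sub-commands indented one space as in IOS running-config output.
R1_CONFIG = """\
hostname R1
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address 217.218.1.1
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile MyProfile
 set transform-set MyTransSet
interface Tunnel0
 ip address 10.254.25.4 255.255.255.254
 tunnel source 81.12.50.1
 tunnel destination 217.218.1.1
 tunnel protection ipsec profile MyProfile
"""
R2_CONFIG = """\
hostname R2
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address 81.12.50.1
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile MyProfile
 set transform-set MyTransSet
interface Tunnel0
 ip address 10.254.25.5 255.255.255.254
 tunnel source 217.218.1.1
 tunnel destination 81.12.50.1
 tunnel protection ipsec profile MyProfile
"""


def parse_ios(text):
    """Pull out hostname, pre-shared keys, transform sets, profiles and tunnels."""
    cfg = {"hostname": "?", "keys": {}, "tsets": {}, "profiles": {}, "tunnels": {}}
    section = None  # (kind, name) of the indented block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"hostname (\S+)", line):
            cfg["hostname"] = m[1]
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            cfg["keys"][m[2]] = m[1]  # peer address -> pre-shared key
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            section = ("tset", m[1])
            cfg["tsets"][m[1]] = {"algs": m[2].split(), "mode": "tunnel"}  # IOS default mode
        elif m := re.match(r"crypto ipsec profile (\S+)", line):
            section = ("profile", m[1])
            cfg["profiles"][m[1]] = {}
        elif m := re.match(r"interface (Tunnel\d+)", line):
            section = ("tunnel", m[1])
            cfg["tunnels"][m[1]] = {}
        elif not raw.startswith(" "):
            section = None  # any other top-level command ends the current block
        elif section:
            kind, name = section
            if kind == "tset" and line.startswith("mode "):
                cfg["tsets"][name]["mode"] = line.split()[1]
            elif kind == "profile" and line.startswith("set transform-set "):
                cfg["profiles"][name]["tset"] = line.split()[2]
            elif kind == "tunnel":
                if m := re.match(r"ip address (\S+) (\S+)", line):
                    cfg["tunnels"][name]["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
                elif m := re.match(r"tunnel (source|destination) (\S+)", line):
                    cfg["tunnels"][name][m[1]] = m[2]
                elif m := re.match(r"tunnel protection ipsec profile (\S+)", line):
                    cfg["tunnels"][name]["profile"] = m[1]
    return cfg


def check_pair(a, b, tun="Tunnel0"):
    """Cross-check the two ends of one tunnel; an empty list means they agree."""
    findings = []
    ta, tb = a["tunnels"].get(tun, {}), b["tunnels"].get(tun, {})
    if ta.get("source") != tb.get("destination") or tb.get("source") != ta.get("destination"):
        findings.append(f"{tun}: tunnel source/destination do not mirror each other")
    if "ip" in ta and "ip" in tb and ta["ip"].network != tb["ip"].network:
        findings.append(f"{tun}: interface addresses are on different subnets")
    tsets = []
    for side, t in ((a, ta), (b, tb)):
        host, peer = side["hostname"], t.get("destination")
        if "profile" not in t:
            findings.append(f"{host}: {tun} has no tunnel protection, GRE would run in the clear")
            continue
        if peer not in side["keys"]:
            findings.append(f"{host}: no isakmp key for peer {peer}")
        prof = side["profiles"].get(t["profile"], {})
        ts = side["tsets"].get(prof.get("tset"))
        if ts is None:
            findings.append(f"{host}: profile {t['profile']} or its transform set is undefined")
        else:
            tsets.append(ts)
    if len(tsets) == 2 and tsets[0] != tsets[1]:
        findings.append("transform sets (algorithms or mode) differ between the peers")
    ka, kb = a["keys"].get(ta.get("destination")), b["keys"].get(tb.get("destination"))
    if ka and kb and ka != kb:
        findings.append("pre-shared keys differ")
    return findings


if __name__ == "__main__":
    r1, r2 = parse_ios(R1_CONFIG), parse_ios(R2_CONFIG)
    print(check_pair(r1, r2) or "R1 and R2 tunnel configurations are consistent")
```

The check for a missing "tunnel protection" line is the one worth keeping in a pre-change review: a GRE tunnel comes up and passes traffic without it, so nothing in the ping test above would reveal that the data is crossing the internet unencrypted.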


Link

http://www.shafagh.net/2009/07/ipsec-and-gre.html

