
IPSEC over GRE Tunnel

VERSION 5 
Created on: Jul 21, 2008 11:22 AM by shafagh - Last Modified:  Jul 15, 2009 2:00 PM by shafagh

There are two common ways to combine GRE and IPsec on IOS. The first is GRE over IPsec: the router builds a GRE packet and ESP protects it, normally with the transform set in transport mode so that the GRE packet's own IP header is reused and no second outer IP header is added (20 bytes saved per packet). The second is what this document actually configures: a tunnel interface with the "tunnel mode ipsec ipv4" command, which is a static IPsec virtual tunnel interface (VTI). Despite the title, no GRE header is involved in this mode; the inner IP packet is carried directly inside ESP in tunnel mode, and Cisco's IPsec VTI documentation states that the transform set must be configured in tunnel mode, so the "mode transport" line in the configuration below is a leftover from the GRE-over-IPsec variant rather than something the VTI uses.

In either case there is no need to define a crypto map: the IPsec profile is attached to the tunnel interface with the "tunnel protection ipsec profile" command. Because there is no crypto ACL, whatever the routing table sends out Tunnel0 is encrypted; routes for the remote networks therefore have to point at the tunnel (in the example below only the tunnel endpoint addresses themselves are reached that way).

The same concept is used in DMVPN, where the tunnel interface is a multipoint GRE (mGRE) interface protected by an IPsec profile in the same way.

 

(Figure GREIPSEC.png: the R1 / FW1 / R2 topology described below.)

R1 and R2 are connected over the Internet, and a firewall (FW1) in front of R2 protects R2's network from Internet threats. In the configurations below R1's Internet-facing address is 81.12.50.1, FW1 has 81.12.50.2 on its outside and 217.218.1.2 on its inside interface, and R2 sits behind the firewall at 217.218.1.1. The tunnel itself uses the point-to-point pair 10.254.25.4/31 (R1) and 10.254.25.5/31 (R2).

 

Template configuration on the routers (R1 shown; R2 mirrors the source, destination and key addresses):

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address 217.218.1.1
!
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile MyProfile
 set transform-set MyTransSet
!
interface Tunnel0
 ip address 10.254.25.4 255.255.255.254
 tunnel source 81.12.50.1
 tunnel destination 217.218.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile

Note that the ISAKMP policy above only sets the authentication method. On IOS 12.4 the parameters it leaves out default to DES encryption, SHA-1 hashing and Diffie-Hellman group 1, the transform set uses 3DES, and the pre-shared key is a short dictionary word that is stored in cleartext in the running configuration. For anything other than a lab, use AES and a larger DH group (group 14 where the image supports it), a long random pre-shared key, and keep the policies identical on both peers, since the initiator's proposal must match a policy on the responder.
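As an added example that is not part of the original document, the following Python script reads an IOS configuration in the shape of the template above, fills in the IOS 12.4 defaults for every ISAKMP policy parameter the configuration does not set, and reports the weak choices (DES/3DES, MD5, small DH groups, short cleartext pre-shared keys) next to a suggested replacement policy and transform set. The sample configuration is constructed to mirror the template; the 20-character minimum key length is a local policy choice rather than an IOS limit, and the replacement assumes an image that supports AES-256 and DH group 14.

```python
import re

# Constructed sample, modelled on the template configuration above (not taken from a live device).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address 217.218.1.1
!
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile MyProfile
 set transform-set MyTransSet
"""

# Values IOS 12.4 uses for an isakmp policy parameter that the configuration does not set.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ESP_ALGS = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}
MIN_PSK_LEN = 20  # assumption: a local policy threshold, not an IOS limit


def parse_ios_crypto(config):
    """Extract isakmp policies, transform sets and pre-shared keys from a running-config."""
    policies, tsets, psks = {}, {}, []
    current = None  # ("policy", id) or ("tset", name) while inside that block
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policies[m[1]] = dict(ISAKMP_DEFAULTS)
            current = ("policy", m[1])
            continue
        # "key 6 <blob>" is the encrypted form; a bare key is stored in cleartext.
        m = re.match(r"crypto isakmp key (?:(6) )?(\S+) address (\S+)", line)
        if m:
            psks.append({"encrypted": m[1] is not None, "key": m[2], "peer": m[3]})
            current = None
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            tsets[m[1]] = {"algs": m[2].split(), "mode": "tunnel"}  # tunnel is the IOS default
            current = ("tset", m[1])
            continue
        if current and current[0] == "policy":
            m = re.match(r"(encryption|hash|authentication|group|lifetime) (.+)$", line)
            if m:
                policies[current[1]][m[1]] = m[2]
                continue
        if current and current[0] == "tset":
            m = re.match(r"mode (transport|tunnel)$", line)
            if m:
                tsets[current[1]]["mode"] = m[1]
                continue
        current = None  # any other line ends the block we were in
    return {"policies": policies, "transform_sets": tsets, "psks": psks}


def audit(config):
    """Return one finding string per weak parameter, defaults included."""
    cfg = parse_ios_crypto(config)
    findings = []
    for pid, p in sorted(cfg["policies"].items(), key=lambda kv: int(kv[0])):
        if p["encryption"].split()[0] in WEAK_IKE_ENCRYPTION:
            findings.append(f"isakmp policy {pid}: encryption {p['encryption']}")
        if p["hash"] in WEAK_IKE_HASH:
            findings.append(f"isakmp policy {pid}: hash {p['hash']}")
        if p["group"] in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {pid}: DH group {p['group']}")
    for k in cfg["psks"]:
        if not k["encrypted"] and len(k["key"]) < MIN_PSK_LEN:
            findings.append(f"pre-shared key for {k['peer']}: {len(k['key'])} characters, cleartext")
    for name, ts in cfg["transform_sets"].items():
        for alg in ts["algs"]:
            if alg in WEAK_ESP_ALGS:
                findings.append(f"transform-set {name}: {alg}")
    return findings


def hardened_replacement(policy_id, tset_name):
    """Suggested replacement; assumes the image supports AES-256 and DH group 14."""
    return "\n".join([
        f"crypto isakmp policy {policy_id}",
        " encryption aes 256",
        " hash sha",  # sha256 where the image offers it
        " authentication pre-share",
        " group 14",
        f"crypto ipsec transform-set {tset_name} esp-aes 256 esp-sha-hmac",
        " mode tunnel",  # a VTI (tunnel mode ipsec ipv4) carries the inner packet in tunnel mode
    ])


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WEAK:", finding)
    print(hardened_replacement("10", "MyTransSet"))
```

Run against the sample it reports four findings: DES and DH group 1 (both defaults the configuration never mentions), the five-character cleartext key, and esp-3des in the transform set. The point of filling in the defaults before checking is that a policy that looks harmless on screen can still negotiate DES, which is why the check is done on the effective values and not on the lines that happen to be present.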

 

Once both routers are configured, the firewall sees ISAKMP on UDP port 500 from R1 (UDP 4500 would appear as well if NAT traversal were negotiated, which is not the case here because no NAT device sits between the peers), followed, once the IKE exchange succeeds, by a stream of ESP packets (IP protocol 50). Because the PIX denies inbound traffic on its outside interface by default, both show up as denies in its log.

The first message is for ISAKMP (UDP 500):

%PIX-2-106006: Deny inbound UDP from 81.12.50.1/500 to 217.218.1.1/500 on interface outside.

The second is for the ESP packets:

%PIX-3-106010: Deny inbound protocol 50 src outside:81.12.50.1 dst inside:217.218.1.1 on interface outside

  • So we need to permit exactly this traffic, IKE and ESP between the two tunnel endpoints and nothing broader, inbound on the outside interface for the tunnel to come up, and apply the list with "access-group outin in interface outside":

 

access-list outin permit udp host 81.12.50.1 eq 500 host 217.218.1.1 eq 500    
access-list outin permit esp host 81.12.50.1 host 217.218.1.1
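The two log messages map directly onto the two permit entries. As an added example that is not part of the original document, the following Python script derives the access-list entries from PIX deny messages in exactly these two formats (106006 for UDP, 106010 for a raw IP protocol), and only for IKE (UDP 500, plus UDP 4500 for NAT-T) and ESP/AH (IP protocols 50 and 51); any other denied flow is reported instead of opened, so a deny log does not silently turn into a permit-everything list. The sample log lines are constructed, the list name "outin" is taken from the page, and the UDP 4500 and AH cases go beyond the page's scenario, which has no NAT in the path.

```python
import re

# Constructed sample: the two PIX messages quoted above plus three extra lines that are not
# on the page (a NAT-T attempt on UDP 4500, a repeated ESP deny, and an unrelated SNMP probe).
SAMPLE_LOG = """\
%PIX-2-106006: Deny inbound UDP from 81.12.50.1/500 to 217.218.1.1/500 on interface outside.
%PIX-3-106010: Deny inbound protocol 50 src outside:81.12.50.1 dst inside:217.218.1.1 on interface outside
%PIX-2-106006: Deny inbound UDP from 81.12.50.1/4500 to 217.218.1.1/4500 on interface outside.
%PIX-3-106010: Deny inbound protocol 50 src outside:81.12.50.1 dst inside:217.218.1.1 on interface outside
%PIX-2-106006: Deny inbound UDP from 198.51.100.7/53412 to 217.218.1.1/161 on interface outside.
"""

UDP_DENY = re.compile(
    r"%PIX-\d-106006: Deny inbound UDP from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<iface>\w+)"
)
PROTO_DENY = re.compile(
    r"%PIX-\d-106010: Deny inbound protocol (?P<proto>\d+) "
    r"src \w+:(?P<src>[\d.]+) dst \w+:(?P<dst>[\d.]+) on interface (?P<iface>\w+)"
)

# The only flows an IPsec tunnel needs through the firewall.  4500 is NAT-T, which IKE
# switches to only when it detects a NAT device between the peers.
IKE_UDP_PORTS = {500: "isakmp", 4500: "4500"}
IPSEC_PROTOCOLS = {50: "esp", 51: "ah"}


def ipsec_permits(log_text, acl_name="outin", iface="outside"):
    """Return (permits, ignored).

    permits: de-duplicated PIX/ASA ACEs, in the order first seen, for the IKE and ESP/AH
             denies logged on `iface`.
    ignored: denied lines that are not IPsec control or data traffic; these are left for a
             human to look at instead of being opened automatically.
    """
    permits, ignored, seen = [], [], set()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ace = None
        m = UDP_DENY.search(line)
        if m and m["iface"] == iface and int(m["dport"]) in IKE_UDP_PORTS:
            port = IKE_UDP_PORTS[int(m["dport"])]
            # IKE normally uses the same port on both sides; a PAT device in the path can
            # rewrite the source port, in which case only the destination port is pinned.
            src_port = f" eq {port}" if m["sport"] == m["dport"] else ""
            ace = (f"access-list {acl_name} extended permit udp host {m['src']}{src_port} "
                   f"host {m['dst']} eq {port}")
        else:
            m = PROTO_DENY.search(line)
            if m and m["iface"] == iface and int(m["proto"]) in IPSEC_PROTOCOLS:
                proto = IPSEC_PROTOCOLS[int(m["proto"])]
                ace = f"access-list {acl_name} extended permit {proto} host {m['src']} host {m['dst']}"
        if ace is None:
            ignored.append(line)
        elif ace not in seen:
            seen.add(ace)
            permits.append(ace)
    return permits, ignored


def render_config(permits, acl_name="outin", iface="outside"):
    """Produce the configuration fragment, including the access-group that activates the list."""
    return "\n".join(permits + [f"access-group {acl_name} in interface {iface}"])


if __name__ == "__main__":
    permits, ignored = ipsec_permits(SAMPLE_LOG)
    print(render_config(permits))
    for line in ignored:
        print("# not opened:", line)
```

On the sample it emits the two entries shown above plus one for UDP 4500, collapses the repeated ESP deny, and reports the SNMP probe rather than permitting it. Restricting the generated entries to the host pair seen in the log is deliberate: an IPsec peer is a known address, so there is no reason to open UDP 500 or ESP from the whole Internet.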

 

Ping the other end of the tunnel to confirm it is up:

R1#ping 10.254.25.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.254.25.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/137/312 ms

 

Next, verify the ISAKMP and IPsec security associations with the show crypto commands:

R1#show crypto isakmp sa
dst             src             state          conn-id slot status
81.12.50.1      217.218.1.1     QM_IDLE              1    0 ACTIVE

R1#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 81.12.50.1
   current_peer 217.218.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
    #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
    #pkts compressed: 0, #pkts decompressed: 0

     local crypto endpt.: 81.12.50.1, remote crypto endpt.: 217.218.1.1

QM_IDLE with status ACTIVE means IKE phase 1 completed and the ISAKMP SA is in use; the encaps/decaps and encrypt/decrypt counters rising together (25 each here) confirm that traffic is being protected in both directions. The crypto map tag Tunnel0-head-0 is the map IOS generates internally for the tunnel protection command; it is not configured by hand.

 

Configurations:

 

R1:

version 12.4
!
hostname R1
!
ip cef
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address 217.218.1.1
!
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile MyProfile
 set transform-set MyTransSet
!
interface Tunnel0
 ip address 10.254.25.4 255.255.255.254
 tunnel source 81.12.50.1
 tunnel destination 217.218.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
 ip address 81.12.50.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 81.12.50.2
!
line con 0
line aux 0
line vty 0 4
!
end

 

R2:

version 12.4
!
hostname R2
!
ip cef
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address 81.12.50.1
!
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile MyProfile
 set transform-set MyTransSet
!
interface Tunnel0
 ip address 10.254.25.5 255.255.255.254
 tunnel source 217.218.1.1
 tunnel destination 81.12.50.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
 ip address 217.218.1.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 217.218.1.2
!
line con 0
line aux 0
line vty 0 4
!
end

 

FW1:

PIX Version 8.0(4)
!
hostname pixfirewall
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 81.12.50.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 217.218.1.2 255.255.255.0
!
access-list outin extended permit udp host 81.12.50.1 eq isakmp host 217.218.1.1 eq isakmp
access-list outin extended permit esp host 81.12.50.1 host 217.218.1.1
!
access-group outin in interface outside
!
: end

 

 

Link:

http://szandi.wordpress.com/2009/07/16/ipsec-and-gre/
