The Journey of a Network Engineer

Aug 7 2013   12:19AM GMT

Configuring Cisco GRE over Site to site VPN

Sulaiman Syed

Previously we looked at how a site-to-site VPN works. In this example I will use the topology below to configure a site-to-site IPsec VPN, then build a GRE tunnel and secure it with IPsec, a design known as GRE over IPsec. IPsec on its own carries only unicast IP, so it cannot transport the multicast hellos that routing protocols use; GRE wraps those in unicast packets that IPsec can then protect, which gives routing protocols the ability to traverse the sites securely.

[Topology diagram: R1 FastEthernet0/0 10.0.0.14/30 -- IPVPN provider cloud -- FastEthernet0/0 10.0.0.18/30 R2]

First, we create the Phase 1 (ISAKMP) policy, which authenticates the peers and builds the protected channel in which the IPsec SAs are negotiated. The address in the pre-shared key statement is the other router's physical interface address. Note that 3DES and MD5 are deprecated; on a current image prefer AES and SHA-2 with a Diffie-Hellman group of 14 or higher, and use a long random pre-shared key rather than a dictionary word such as cisco123.

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key cisco123 address 10.0.0.18

Phase 2 negotiates the IPsec SAs that actually protect the traffic. Define the transform set (esp-des is single DES and, like the Phase 1 choices above, belongs only in a lab), build a crypto map that names the peer, the transform set and the crypto ACL, write an access list that matches GRE (IP protocol 47) between the two physical interface addresses, and apply the crypto map to the physical interface. Finally, configure the GRE tunnel.

crypto ipsec transform-set ASA esp-des esp-sha-hmac
!
crypto map SDM 1 ipsec-isakmp
set peer 10.0.0.18
set transform-set ASA
match address 100
!
access-list 100 permit gre host 10.0.0.14 host 10.0.0.18
!
interface FastEthernet0/0
ip address 10.0.0.14 255.255.255.252
crypto map SDM

The tunnel configuration is straightforward. The tunnel source must be the interface that carries the crypto map, so that the GRE packets are matched by the crypto ACL, and ip unnumbered Loopback0 borrows the address of a Loopback0 interface that must already exist on each router (it is not shown here).

interface Tunnel1
ip unnumbered Loopback0
tunnel source FastEthernet0/0
tunnel destination 10.0.0.18

The second router is configured in the same way, with the peer addresses reversed.

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key cisco123 address 10.0.0.14
!
!
crypto ipsec transform-set ASA esp-des esp-sha-hmac
!
crypto map SDM 1 ipsec-isakmp
set peer 10.0.0.14
set transform-set ASA
match address 100
interface Tunnel1
ip unnumbered Loopback0
tunnel source FastEthernet0/0
tunnel destination 10.0.0.14
!
interface FastEthernet0/0
ip address 10.0.0.18 255.255.255.252
speed 100
full-duplex
crypto map SDM

access-list 100 permit gre host 10.0.0.18 host 10.0.0.14

With this method the IPsec tunnel is built between the physical interfaces, the crypto ACL selects the GRE packets as the interesting traffic, and the GRE tunnel rides inside it. Only traffic that is routed into Tunnel1 is encrypted; anything else leaving FastEthernet0/0 does not match the ACL and goes out in clear text, so the routing toward the remote site must point into the tunnel.

Another method exists in which the IPsec policy is defined as a profile and attached directly to the GRE tunnel interface with tunnel protection. The changes to the configuration are small, as shown below.

The Phase 1 policy is unchanged. The transform set is placed in transport mode: the GRE packet's own IP header (tunnel source and destination) already serves as the outer header, so tunnel mode would only add a second, redundant IP header. There is no crypto map and no crypto ACL; instead an IPsec profile references the transform set, and the tunnel interface is protected with that profile.

crypto ipsec transform-set ASA esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile ASA
set security-association lifetime seconds 120
set transform-set ASA
!
interface Tunnel1
tunnel protection ipsec profile ASA

The complete crypto and tunnel configuration for the 10.0.0.18 side (peer 10.0.0.14) is shown below; FastEthernet0/0 and Loopback0 are configured as in the first method, except that no crypto map is applied to FastEthernet0/0. The 120-second SA lifetime is the shortest IOS accepts and is only useful for watching rekeys in a lab; leave the default of 3600 seconds in production.

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key cisco123 address 10.0.0.14
!
!
crypto ipsec transform-set ASA esp-des esp-sha-hmac
mode transport
!
crypto ipsec profile ASA
set security-association lifetime seconds 120
set transform-set ASA
!
interface Tunnel1
ip unnumbered Loopback0
tunnel source FastEthernet0/0
tunnel destination 10.0.0.14
tunnel protection ipsec profile ASA
!

In general the second method is preferable: there is no crypto map and no crypto ACL to maintain, the IPsec policy is bound to the tunnel interface that carries the traffic, and the configuration is shorter, which pays off when you add more sites.
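As an added example that is not part of the original post, here is a complete configuration for both routers using the tunnel-protection method, extended with Loopback0 as each site's LAN and OSPF running across the tunnel, which is the use case the post opened with. Everything beyond the two physical addresses is assumed: the loopback and tunnel addresses (numbered tunnel addresses are used instead of ip unnumbered), the pre-shared key, the static route toward the provider next hop, and the AES/SHA-256/group 14 algorithms, which require an IOS release that supports those keywords (the post's 3DES/MD5 choices would work the same way in a lab).

```cisco
! Added example, not from the original post. Assumptions: Loopback0 is
! 192.168.1.1/24 on R1 and 192.168.2.1/24 on R2, the tunnel is
! 172.16.0.0/30, the provider next hops are .13 and .17 of each /30, and
! the image supports aes 256 / sha256 / group 14 / esp-sha256-hmac.
!
! ===== R1 (FastEthernet0/0 = 10.0.0.14) =====
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key Lab-PSK-change-me address 10.0.0.18
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.0.14 255.255.255.252
 no shutdown
!
interface Tunnel1
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 10.0.0.18
 tunnel protection ipsec profile GRE-PROT
!
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! Reachability to the peer's physical address via the provider cloud (assumed next hop)
ip route 10.0.0.16 255.255.255.252 10.0.0.13
!
! ===== R2 (FastEthernet0/0 = 10.0.0.18) =====
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key Lab-PSK-change-me address 10.0.0.14
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.0.18 255.255.255.252
 no shutdown
!
interface Tunnel1
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 10.0.0.14
 tunnel protection ipsec profile GRE-PROT
!
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 192.168.2.0 0.0.0.255 area 0
!
ip route 10.0.0.12 255.255.255.252 10.0.0.17
!
! ===== Verification (either router) =====
! show crypto isakmp sa      -> the peer's SA in state QM_IDLE
! show crypto ipsec sa       -> #pkts encaps / #pkts decap increasing
! show interfaces tunnel 1   -> Tunnel1 is up, line protocol is up
! show ip ospf neighbor      -> the peer in FULL state on Tunnel1
! show ip route ospf         -> the remote 192.168.x.0/24 learned via 172.16.0.x
```

Because a GRE tunnel is point-to-point, OSPF forms the adjacency without a DR election, and the ip mtu and ip tcp adjust-mss lines keep full-size packets from being fragmented once the GRE and ESP headers are added. The crypto ACL and crypto map of the first method are absent; the profile on Tunnel1 is the only IPsec binding, so every packet routed into the tunnel is encrypted and nothing on FastEthernet0/0 is.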
