Cisco GRE over IPsec Configuration Example
In this example we test GRE over IPsec. The GRE tunnel is established between the Loopback0 addresses of routers R2 and R5. OSPF provides reachability between the Loopback0 interfaces, and EIGRP runs through the GRE tunnel to provide reachability between the data networks at each site. A crypto map on the physical interface matches the GRE traffic between the two loopbacks, so every packet that passes through the tunnel is encrypted.
Configuration of R2
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key cisco123 address 5.5.5.5
!
!
crypto ipsec transform-set set2 esp-aes esp-sha-hmac
!
crypto map map2 local-address Loopback0
crypto map map2 1 ipsec-isakmp
set peer 5.5.5.5
set transform-set set2
match address 101
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Loopback22
ip address 22.22.22.22 255.255.255.255
!
interface Tunnel52
ip address 192.168.52.2 255.255.255.0
tunnel source Loopback0
tunnel destination 5.5.5.5
!
interface FastEthernet0/1
ip address 192.168.25.2 255.255.255.0
duplex auto
speed auto
crypto map map2
!
router eigrp 100
network 22.22.22.22 0.0.0.0
network 192.168.52.0
no auto-summary
!
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 0
network 192.168.25.0 0.0.0.255 area 0
!
access-list 101 permit gre host 2.2.2.2 host 5.5.5.5
Configuration of R5
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key cisco123 address 2.2.2.2
!
!
crypto ipsec transform-set set2 esp-aes esp-sha-hmac
!
crypto map map2 local-address Loopback0
crypto map map2 1 ipsec-isakmp
set peer 2.2.2.2
set transform-set set2
match address 101
!
interface Loopback0
ip address 5.5.5.5 255.255.255.255
!
interface Loopback55
ip address 55.55.55.55 255.255.255.255
!
interface Tunnel52
ip address 192.168.52.5 255.255.255.0
tunnel source Loopback0
tunnel destination 2.2.2.2
!
interface FastEthernet0/1
ip address 192.168.25.5 255.255.255.0
duplex auto
speed auto
crypto map map2
!
router eigrp 100
network 55.55.55.55 0.0.0.0
network 192.168.52.0
no auto-summary
!
router ospf 1
router-id 5.5.5.5
log-adjacency-changes
network 5.5.5.5 0.0.0.0 area 0
network 192.168.25.0 0.0.0.255 area 0
!
access-list 101 permit gre host 5.5.5.5 host 2.2.2.2
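As an added consistency check (not part of the original post), the following Python snippet parses an excerpt of the R2 configuration above and verifies that the tunnel endpoints, the crypto map peer, the ISAKMP key, the transform set and the crypto ACL all agree with each other. The point of the last check is that if access-list 101 does not select GRE between the tunnel source and destination, the GRE packets still get routed out FastEthernet0/1, just without encryption. The function names `first` and `check_gre_over_ipsec` are assumptions of this example.

```python
import re

# Constructed R2 configuration excerpt, copied from the example above.
R2_CONFIG = """\
crypto isakmp key cisco123 address 5.5.5.5
crypto ipsec transform-set set2 esp-aes esp-sha-hmac
crypto map map2 local-address Loopback0
crypto map map2 1 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set set2
 match address 101
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface Tunnel52
 tunnel source Loopback0
 tunnel destination 5.5.5.5
access-list 101 permit gre host 2.2.2.2 host 5.5.5.5
"""

def first(pattern, cfg):
    """Return the first capture group of pattern in cfg, or None if absent."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def check_gre_over_ipsec(cfg):
    """Cross-check tunnel, crypto map, ISAKMP key and crypto ACL.
    Returns a list of findings; an empty list means they all agree."""
    findings = []
    src_if = first(r"^\s*tunnel source (\S+)", cfg) or ""
    dst = first(r"^\s*tunnel destination (\S+)", cfg) or ""
    peer = first(r"^\s*set peer (\S+)", cfg) or ""
    acl = first(r"^\s*match address (\S+)", cfg) or ""
    ts = first(r"^\s*set transform-set (\S+)", cfg) or ""
    # Resolve the tunnel source interface to its configured IP address.
    src_ip = first(r"^interface %s\n\s*ip address (\S+)" % re.escape(src_if), cfg) or ""
    if peer != dst:
        findings.append(f"set peer {peer} differs from tunnel destination {dst}")
    if first(r"^crypto isakmp key \S+ address (\S+)", cfg) != peer:
        findings.append(f"no ISAKMP pre-shared key bound to peer {peer}")
    if first(r"^crypto map \S+ local-address (\S+)", cfg) != src_if:
        findings.append(f"crypto map local-address is not the tunnel source {src_if}")
    if first(r"^crypto ipsec transform-set (%s) " % re.escape(ts), cfg) is None:
        findings.append(f"transform-set {ts} is referenced but not defined")
    # The crypto ACL must select GRE (IP protocol 47) from the tunnel source to the
    # tunnel destination; otherwise the GRE packets leave the router in clear text.
    ace = r"^access-list %s permit gre host %s host (%s)$" % (re.escape(acl), re.escape(src_ip), re.escape(dst))
    if first(ace, cfg) is None:
        findings.append(f"access-list {acl} does not permit gre host {src_ip} host {dst}")
    return findings
```

Running `check_gre_over_ipsec(R2_CONFIG)` on the excerpt returns an empty list; the same function applied to R5's configuration (with its mirrored addresses) should do the same.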
Let's check the connectivity and make sure that all packets going through the GRE tunnel are encrypted: the EIGRP neighbor forms over Tunnel52, the remote loopback is learned via the tunnel, and the IPsec SA counters increase as traffic crosses it.
R2#show ip eigrp neighbor
IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.52.5 Tu52 14 00:00:47 260 5000 0 11
R2#
R2#show ip route eigrp
55.0.0.0/32 is subnetted, 1 subnets
D 55.55.55.55 [90/297372416] via 192.168.52.5, 00:00:50, Tunnel52
R2#
R2#ping 55.55.55.55 source 22.22.22.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 55.55.55.55, timeout is 2 seconds:
Packet sent with a source address of 22.22.22.22
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/129/152 ms
R2#
R2#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: map2, local addr 2.2.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/47/0)
current_peer 5.5.5.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 257, #pkts encrypt: 257, #pkts digest: 257
#pkts decaps: 254, #pkts decrypt: 254, #pkts verify: 254
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 75, #recv errors 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 5.5.5.5
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0xF0037D54(4026760532)
inbound esp sas:
spi: 0xB3EB58EB(3018545387)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 3, flow_id: SW:3, crypto map: map2
sa timing: remaining key lifetime (k/sec): (4506809/3009)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF0037D54(4026760532)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 4, flow_id: SW:4, crypto map: map2
sa timing: remaining key lifetime (k/sec): (4506809/3009)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Great post, helped me a lot in understanding the way I should be using routing protocols, but it would be excellent if you could just put the topology.
But nonetheless, I did get time to look at and understand the above configuration.
If we get the topology with all posts too, it would be nice to learn.