IPSEC over GRE - Tunnel Protection

In the previous post we configured GRE over IPSEC. In this post we are going to configure GRE over IPSEC again, but this time using VTI tunnels.


The configuration is slightly different: when using VTI tunnels we create a tunnel, and everything in that tunnel will be encrypted.

As you can see below we will use the same diagram as in the previous post. Also the objective will be the same, we want to be able to ping from router R4 to router R5 and the other way around through the tunnel.

[Diagram: GRE over IPSEC]


The relevant configuration is shown below:

R1 :


crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 23.23.23.2
no crypto isakmp ccm
!
crypto ipsec transform-set set esp-des esp-md5-hmac
!
crypto ipsec profile VTI
 set transform-set set
!
interface Tunnel10
 ip address 10.10.10.70 255.255.255.252
 ip mtu 1412
 keepalive 10 3
 tunnel source 12.12.12.2
 tunnel destination 23.23.23.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 12.12.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 12.12.12.1
ip route 172.16.3.0 255.255.255.0 tunnel10
    

R3 :


crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 12.12.12.2
no crypto isakmp ccm
!
!
crypto ipsec transform-set set esp-des esp-md5-hmac
!
crypto ipsec profile VTI
 set transform-set set
!
interface Tunnel10
 ip address 10.10.10.69 255.255.255.252
 ip mtu 1412
 keepalive 10 3
 tunnel source 23.23.23.2
 tunnel destination 12.12.12.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Loopback1
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 23.23.23.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 172.16.3.1 255.255.255.0
 duplex auto
 speed auto
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 23.23.23.1
ip route 172.16.1.0 255.255.255.0 tunnel10
    

R4 :


R4#ping 172.16.3.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/56/100 ms
    

R5 :


R5#ping 172.16.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/58/144 ms
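
The lab configuration above negotiates IKE with 3DES, MD5 and DH group 2 and protects the tunnel with DES and MD5, all of which are legacy algorithms. The following Python audit is an added example, not part of the original post: it parses IOS lines like those in the R1 listing and reports the weak IKE policy values and which tunnel interface ends up using a weak transform-set. The WEAK_IKE and WEAK_ESP lists and the function names are assumptions of this example.

```python
# Constructed sample: crypto and tunnel lines as in the R1 listing above.
R1 = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set set esp-des esp-md5-hmac
crypto ipsec profile VTI
 set transform-set set
interface Tunnel10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
"""

# Assumed audit policy (not from the post): values treated as legacy.
WEAK_IKE = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def sections(config):  # top-level IOS command -> its indented child lines
    out, head = {}, None
    for line in config.splitlines():
        if line[:1].isspace() and line.strip() and head:
            out[head].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            head = line.strip()
            out[head] = []
    return out

def audit(config):
    """Return (where, problem) pairs for weak IKE/ESP settings."""
    sec, found, tsets, profiles = sections(config), [], {}, {}
    for head, body in sec.items():
        w = head.split()
        if w[:3] == ["crypto", "isakmp", "policy"]:
            for key, _, val in (c.partition(" ") for c in body):
                if val in WEAK_IKE.get(key, ()):
                    found.append((head, f"{key} {val}"))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[w[3]] = [t for t in w[4:] if t in WEAK_ESP]
        elif w[:3] == ["crypto", "ipsec", "profile"]:
            profiles[w[3]] = [c.split()[-1] for c in body if c.startswith("set transform-set")]
    # Follow interface -> ipsec profile -> transform-set for each tunnel.
    for head, body in sec.items():
        for c in body:
            if c.startswith("tunnel protection ipsec profile"):
                prof = c.split()[-1]
                found += [(head, f"profile {prof}, transform-set {ts}: {t}")
                          for ts in profiles.get(prof, []) for t in tsets.get(ts, [])]
    return found
```

Calling audit(R1) returns five findings: three on the ISAKMP policy and two on interface Tunnel10 via profile VTI.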
    
