IPSEC over GRE - Crypto Maps
November 26th, 2008 in CCIE, Security | tags: GRE, GRE over IPSEC, IPSEC
In this post I will talk about GRE over IPSEC and one way to configure it. Below you can see the network diagram we will use for this.

What we want to accomplish is to be able to ping from router R4 to router R5 over the GRE/IPSEC tunnel.
Let’s configure IKE phase I and II:
IKE Phase 1, establishing a secure tunnel:
Create the ISAKMP policy and configure the pre-shared key:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 23.23.23.2
Configuring IKE Phase 2, which secures the actual data:
crypto ipsec transform-set set esp-des esp-md5-hmac
Create mirrored ACLs defining the GRE traffic to be encrypted (the GRE packets between the two tunnel endpoints):
access-list 100 permit gre host 12.12.12.2 host 23.23.23.2
Set up the IPSec crypto map:
crypto map vpn 11 ipsec-isakmp
 set peer 23.23.23.2
 set transform-set set
 match address 100
Tie the crypto map to the outside interface (the physical interface, not the tunnel):
interface FastEthernet0/0
 ip address 12.12.12.2 255.255.255.0
 duplex auto
 speed auto
 crypto map vpn
Point the traffic for the remote LAN into the tunnel:
ip route 172.16.3.0 255.255.255.0 Tunnel10
Final relevant configuration on routers R1 and R3:
R1:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 23.23.23.2
no crypto isakmp ccm
!
!
crypto ipsec transform-set set esp-des esp-md5-hmac
!
crypto map vpn 11 ipsec-isakmp
 set peer 23.23.23.2
 set transform-set set
 match address 100
!
!
interface Tunnel10
 ip address 10.10.10.70 255.255.255.252
 ip mtu 1412
 keepalive 10 3
 tunnel source 12.12.12.2
 tunnel destination 23.23.23.2
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 12.12.12.2 255.255.255.0
 duplex auto
 speed auto
 crypto map vpn
!
interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 12.12.12.1
ip route 172.16.3.0 255.255.255.0 Tunnel10
!
!
!
access-list 100 permit gre host 12.12.12.2 host 23.23.23.2
R3:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 12.12.12.2
no crypto isakmp ccm
!
!
crypto ipsec transform-set set esp-des esp-md5-hmac
!
crypto map vpn 11 ipsec-isakmp
 set peer 12.12.12.2
 set transform-set set
 match address 100
!
interface Tunnel10
 ip address 10.10.10.69 255.255.255.252
 ip mtu 1412
 keepalive 10 3
 tunnel source 23.23.23.2
 tunnel destination 12.12.12.2
!
interface Loopback1
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 23.23.23.2 255.255.255.0
 duplex auto
 speed auto
 crypto map vpn
!
interface FastEthernet1/0
 ip address 172.16.3.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 23.23.23.1
ip route 172.16.1.0 255.255.255.0 Tunnel10
!
access-list 100 permit gre host 23.23.23.2 host 12.12.12.2
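Most crypto-map problems come from the two sides not being exact mirrors: a `set peer` or ISAKMP key address that is not the other side's tunnel source, a crypto map applied on an interface that does not own the tunnel source, or a crypto ACL that is not the reverse of its counterpart. The following Python script is an added example, not part of the original post and not a Cisco tool: it parses the R1 and R3 configurations above (trimmed to the crypto-relevant lines; R3 is produced by swapping the two outside addresses, which is exactly how it appears in the post) and reports every place the pair disagrees. It also lists the algorithms in use that current guidance treats as weak or legacy, since this lab uses DES, 3DES and MD5. The `parse`, `check_side`, `audit` and `legacy_algorithms` functions and the `LEGACY` set are names chosen for this example.

```python
import re

# R1's config from the post, trimmed to the crypto-relevant lines
# (duplex/speed, loopbacks, routes and the tunnel's own IP are left out).
R1 = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 23.23.23.2
crypto ipsec transform-set set esp-des esp-md5-hmac
crypto map vpn 11 ipsec-isakmp
 set peer 23.23.23.2
 set transform-set set
 match address 100
interface Tunnel10
 tunnel source 12.12.12.2
 tunnel destination 23.23.23.2
interface FastEthernet0/0
 ip address 12.12.12.2 255.255.255.0
 crypto map vpn
access-list 100 permit gre host 12.12.12.2 host 23.23.23.2
"""
# R3 is the mirror image of R1, as in the post: the same lines with the two
# outside addresses swapped.
R3 = R1.replace("12.12.12.2", "X").replace("23.23.23.2", "12.12.12.2").replace("X", "23.23.23.2")

# Algorithms that current guidance treats as weak (DES, MD5) or legacy (3DES).
LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}

def parse(text):
    """Minimal scanner for the IOS commands the audit needs. Sub-mode is tracked
    from the last global command, so lost indentation (as in the post) is fine."""
    cfg = {"isakmp": {}, "acls": {}, "ifaces": {}}
    mode = iface = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if m := re.fullmatch(r"interface (\S+)", line):
            mode, iface = "if", cfg["ifaces"].setdefault(m[1], {"name": m[1]})
        elif m := re.fullmatch(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            mode, cfg["map"] = "map", m[1]
        elif re.fullmatch(r"crypto isakmp policy \d+", line):
            mode = "isakmp"
        elif m := re.fullmatch(r"crypto isakmp key \S+ address (\S+)", line):
            mode, cfg["key_peer"] = None, m[1]
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            mode, cfg["ts"] = None, (m[1], m[2].split())
        elif m := re.fullmatch(r"access-list (\d+) permit gre host (\S+) host (\S+)", line):
            mode, cfg["acls"][m[1]] = None, (m[2], m[3])
        elif mode == "isakmp":          # encr / hash / authentication / group
            key, _, val = line.partition(" ")
            cfg["isakmp"][key] = val
        elif mode == "map":             # set peer / set transform-set / match address
            parts = line.split()
            cfg["map_" + parts[1]] = parts[2]
        elif mode == "if":              # ip address / tunnel source|destination / crypto map
            parts = line.split()
            if parts[:2] == ["ip", "address"]:
                iface["ip"] = parts[2]
            elif parts[0] == "tunnel":
                iface[parts[1]] = parts[2]
            elif parts[:2] == ["crypto", "map"]:
                iface["crypto_map"] = parts[2]
    return cfg

def check_side(local, remote, name):
    """Problems on `local`, judged against the addresses `remote` really uses."""
    tun = next((i for i in local["ifaces"].values() if "source" in i), {})
    peer = next((i for i in remote["ifaces"].values() if "source" in i), {}).get("source")
    me, problems = tun.get("source"), []
    outside = next((i for i in local["ifaces"].values() if i.get("crypto_map") == local.get("map")), None)
    if outside is None or outside.get("ip") != me:
        problems.append(f"{name}: crypto map {local.get('map')} must sit on the interface owning tunnel source {me}")
    for what, val in (("set peer", local.get("map_peer")), ("isakmp key address", local.get("key_peer")),
                      ("tunnel destination", tun.get("destination"))):
        if val != peer:
            problems.append(f"{name}: {what} is {val}, but the peer's tunnel source is {peer}")
    ts_name, ts_algs = local.get("ts", (None, []))
    if local.get("map_transform-set") != ts_name or ts_algs != remote.get("ts", (None, []))[1]:
        problems.append(f"{name}: transform-set {ts_name} {ts_algs} is unbound or differs from the peer's")
    if local["acls"].get(local.get("map_address")) != (me, peer):
        problems.append(f"{name}: crypto ACL must be 'permit gre host {me} host {peer}'")
    return problems

def audit(text_a, text_b, names=("R1", "R3")):
    """Mirror-check two IOS crypto-map configs; an empty list means they agree."""
    a, b = parse(text_a), parse(text_b)
    return check_side(a, b, names[0]) + check_side(b, a, names[1])

def legacy_algorithms(text):
    """Weak or legacy algorithms the config relies on, sorted for stable output."""
    cfg = parse(text)
    used = [cfg["isakmp"].get("encr"), cfg["isakmp"].get("hash"), *cfg.get("ts", (None, []))[1]]
    return sorted(a for a in used if a in LEGACY)

if __name__ == "__main__":
    print(audit(R1, R3) or "R1/R3 crypto configs mirror correctly")
    print("legacy algorithms on R1:", legacy_algorithms(R1))
```

Run against the post's configs it reports nothing; change one address on either side (R1's `set peer`, say) or reverse one side's access list and the offending line is named, which is the check worth running before the first ping rather than after it fails.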
Now let’s do some pings back and forth:
R4:
R4#ping 172.16.3.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/90/172 ms
R1:
R1#sh crypto isakmp sa
dst             src             state          conn-id slot status
12.12.12.2      23.23.23.2      QM_IDLE              1    0 ACTIVE
R5:
R5#ping 172.16.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/116/184 ms
R3:
R3#sh crypto isakmp sa
dst             src             state          conn-id slot status
12.12.12.2      23.23.23.2      QM_IDLE              1    0 ACTIVE
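The `QM_IDLE` / `ACTIVE` row above is what a healthy phase-1 SA looks like; anything else in the state column (for instance `MM_NO_STATE`) means phase 1 never completed. As an added example, not from the post, here is a small Python parser for that table plus a `tunnel_status` check that maps each expected peer pair to `up`, to the IKE state it is stuck in, or to `missing`. The R1 output is the one shown above; the second sample with `MM_NO_STATE` is constructed for this example, and `parse_isakmp_sa` and `tunnel_status` are names chosen here. Because the dst/src columns reflect who initiated (both routers in the post show the same row), the pair is matched without regard to order.

```python
# "show crypto isakmp sa" output exactly as the post shows it on R1.
R1_SHOW = """\
R1#sh crypto isakmp sa
dst             src             state          conn-id slot status
12.12.12.2      23.23.23.2      QM_IDLE              1    0 ACTIVE
"""
# Constructed sample of a phase-1 negotiation that never got past main mode.
STUCK_SHOW = """\
dst             src             state          conn-id slot status
12.12.12.2      23.23.23.2      MM_NO_STATE          0    0 ACTIVE
"""

def parse_isakmp_sa(output):
    """Rows of `show crypto isakmp sa` as dicts keyed by the column names.
    Anything before the header line (the prompt, banner lines) is skipped."""
    lines = [l.split() for l in output.splitlines() if l.strip()]
    start = next((i for i, l in enumerate(lines) if l[0] == "dst"), None)
    if start is None:
        return []
    header = lines[start]
    return [dict(zip(header, row)) for row in lines[start + 1:] if len(row) >= len(header)]

def tunnel_status(output, pairs):
    """For each expected (local, peer) pair: 'up' when an SA is QM_IDLE and ACTIVE,
    the IKE state seen when negotiation is incomplete, or 'missing'."""
    sas = parse_isakmp_sa(output)
    result = {}
    for pair in pairs:
        rows = [sa for sa in sas if {sa["dst"], sa["src"]} == set(pair)]
        if not rows:
            result[pair] = "missing"
        elif any(sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE" for sa in rows):
            result[pair] = "up"
        else:
            result[pair] = rows[0]["state"]
    return result

if __name__ == "__main__":
    expected = [("12.12.12.2", "23.23.23.2")]
    print(tunnel_status(R1_SHOW, expected))
    print(tunnel_status(STUCK_SHOW, expected))
```

Feeding this the output of both routers (or of every spoke in a larger design) turns the eyeball check in the post into something a monitoring job can run; a pair that reports `missing` on one side only usually points back at a mismatched peer address or pre-shared key on that side.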