IPSec over GRE Tunnel

Cisco IPSec over GRE Tunnel Configuration Example:

Main to Branch point-to-point connection, with a LAN behind each router:

IPSec over GRE

Main Router Config:

Main#sh run
Building configuration...

Current configuration : 1866 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Main
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip domain name colbyc.me
!
multilink bundle-name authenticated
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
lifetime 28800
crypto isakmp key Welcome01 address 172.22.1.2
crypto isakmp keepalive 10 5 periodic
!
!
crypto ipsec transform-set IKE_TRANS esp-aes esp-sha-hmac
!
crypto map IPSec_Map 10 ipsec-isakmp
set peer 172.22.1.2
set transform-set IKE_TRANS
set pfs group5
match address CRYPTO_MAP_PROXY_ID
!
archive
log config
hidekeys
!
ip ssh version 2
!
interface Tunnel10
description TUNNEL_to_BRANCH
ip address 10.20.30.2 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 091E6D01180C1956
ip ospf 100 area 0
keepalive 10 3
tunnel source 172.22.1.1
tunnel destination 172.22.1.2
!
interface FastEthernet0/0
description COLBYC LAN
ip address 172.16.0.5 255.255.0.0
ip ospf 100 area 0
duplex auto
speed auto
!
interface FastEthernet0/1
description MAIN TO BRANCH
ip address 172.22.1.1 255.255.255.248
duplex auto
speed auto
crypto map IPSec_Map
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
router ospf 100
router-id 1.1.1.1
log-adjacency-changes
default-information originate
!
ip route 0.0.0.0 0.0.0.0 172.16.0.12
!
!
ip http server
no ip http secure-server
!
ip access-list extended CRYPTO_MAP_PROXY_ID
permit ip host 172.22.1.1 host 172.22.1.2
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
webvpn cef
!
end

Branch Router Config:

Branch#sh run
Building configuration...

Current configuration : 1819 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Branch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
no ip domain lookup
ip domain name colbyc.me
!
multilink bundle-name authenticated
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
lifetime 28800
crypto isakmp key Welcome01 address 172.22.1.1
crypto isakmp keepalive 10 5 periodic
!
!
crypto ipsec transform-set IKE_TRANS esp-aes esp-sha-hmac
!
crypto map IPSec_MAP 10 ipsec-isakmp
set peer 172.22.1.1
set transform-set IKE_TRANS
set pfs group5
match address CRYPTO_MAP_PROXY_ID
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
interface Tunnel10
description Tunnel_to_MAIN
ip address 10.20.30.1 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 091E6D01180C1956
ip ospf 100 area 0
keepalive 10 3
tunnel source 172.22.1.2
tunnel destination 172.22.1.1
!
interface FastEthernet0/0
description BRANCH LAN
ip address 172.21.1.1 255.255.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
description BRANCH_TO_MAIN
ip address 172.22.1.2 255.255.255.248
duplex auto
speed auto
crypto map IPSec_MAP
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
router ospf 100
router-id 2.2.2.2
log-adjacency-changes
network 172.21.0.0 0.0.255.255 area 0
!
ip http server
no ip http secure-server
!
ip access-list extended CRYPTO_MAP_PROXY_ID
permit ip host 172.22.1.2 host 172.22.1.1
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
webvpn cef
!
end
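The two configs above only work because every peer-facing value on one side is the mirror image of the other. The following is an added example (not part of the original post) that checks this automatically: it takes excerpts copied from the Main and Branch configs shown above and reports any value that does not line up, which is the first thing to check when the ISAKMP SA comes up but GRE traffic does not flow.

```python
import re
# Excerpts copied from the Main and Branch configs above (only the lines the check needs).
MAIN = """\
crypto isakmp key Welcome01 address 172.22.1.2
crypto ipsec transform-set IKE_TRANS esp-aes esp-sha-hmac
 set peer 172.22.1.2
 set pfs group5
 tunnel source 172.22.1.1
 tunnel destination 172.22.1.2
 permit ip host 172.22.1.1 host 172.22.1.2
"""
BRANCH = """\
crypto isakmp key Welcome01 address 172.22.1.1
crypto ipsec transform-set IKE_TRANS esp-aes esp-sha-hmac
 set peer 172.22.1.1
 set pfs group5
 tunnel source 172.22.1.2
 tunnel destination 172.22.1.1
 permit ip host 172.22.1.2 host 172.22.1.1
"""
def parse(cfg):
    # Pull out the values that must agree between the two peers (None if absent).
    first = lambda pat: (m := re.search(pat, cfg, re.M)) and m.group(1)
    proxy = re.search(r"^\s*permit ip host (\S+) host (\S+)", cfg, re.M)
    return {
        "key_peer": first(r"^crypto isakmp key \S+ address (\S+)"),
        "map_peer": first(r"^\s*set peer (\S+)"),
        # transform-set and crypto-map names are local (IPSec_Map vs IPSec_MAP is fine); only the algorithms must match
        "transform": first(r"^crypto ipsec transform-set \S+ (.+)"),
        "pfs": first(r"^\s*set pfs (\S+)"),
        "tun_src": first(r"^\s*tunnel source (\S+)"),
        "tun_dst": first(r"^\s*tunnel destination (\S+)"),
        "proxy": proxy.groups() if proxy else None,
    }

def check_pair(a_cfg, b_cfg):
    """Return the list of mismatches; an empty list means the two sides mirror each other."""
    a, b = parse(a_cfg), parse(b_cfg)
    problems = []
    for side, me, other in (("A", a, b), ("B", b, a)):
        # ISAKMP key address, crypto-map peer and GRE destination must all name the other side's source
        for field in ("key_peer", "map_peer", "tun_dst"):
            if me[field] != other["tun_src"]:
                problems.append(f"{side}: {field} {me[field]} != peer tunnel source {other['tun_src']}")
    for field in ("transform", "pfs"):
        if a[field] != b[field]:
            problems.append(f"{field} differs: {a[field]} vs {b[field]}")
    # Proxy ACLs must be exact mirrors, or GRE traffic in one direction is left unprotected
    if not (a["proxy"] and b["proxy"]) or a["proxy"] != b["proxy"][::-1]:
        problems.append(f"proxy ACLs are not mirror images: {a['proxy']} vs {b['proxy']}")
    return problems
```

Run against the two excerpts it returns an empty list; change any one address on either side and the offending field is named.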

Main#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -        00:00:35    10.20.30.1      Tunnel10

Branch#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/  -        00:00:31    10.20.30.2      Tunnel10

Checking that traffic is actually being encrypted through the tunnel:

Main#sh crypto ipsec sa

interface: FastEthernet0/1
Crypto map tag: IPSec_Map, local addr 172.22.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (172.22.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.22.1.2/255.255.255.255/0/0)
current_peer 172.22.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
#pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0

local crypto endpt.: 172.22.1.1, remote crypto endpt.: 172.22.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0xC1B7DBE8(3250052072)

inbound esp sas:
spi: 0x7AD23F65(2060599141)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: IPSec_Map
sa timing: remaining key lifetime (k/sec): (4576913/3512)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xC1B7DBE8(3250052072)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: IPSec_Map
sa timing: remaining key lifetime (k/sec): (4576913/3509)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
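The counters in that output are what tell you whether the tunnel is healthy in both directions. As an added example (not part of the original post), the script below parses a constructed sample copied from the Main output above and turns it into the verdict an operator would read off the screen: an active inbound and outbound ESP SA pair with encaps and decaps both climbing is healthy, while encaps without decaps (or the reverse) points at a proxy ACL that is not mirrored on the other side.

```python
import re
# Constructed sample: the "Main#sh crypto ipsec sa" output shown above, trimmed to the lines used here.
SA_OUTPUT = """\
interface: FastEthernet0/1
   current_peer 172.22.1.2 port 500
    #pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
    #pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
    #send errors 4, #recv errors 0
     inbound esp sas:
      spi: 0x7AD23F65(2060599141)
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0xC1B7DBE8(3250052072)
        Status: ACTIVE
"""
def parse_sa(text):
    # Extract peer, packet counters and the per-direction ESP SA status from one SA block.
    stats = {"peer": None, "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0, "sa": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"current_peer (\S+)", line):
            stats["peer"] = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            stats["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            stats["decaps"] = int(m.group(1))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            stats["send_errors"], stats["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"(inbound|outbound) (\w+) sas:", line):
            section = m.groups()  # remember which SA list (esp/ah/pcp, in/out) we are inside
        elif section and section[1] == "esp":
            if m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
                stats["sa"].setdefault(section[0], {})["spi"] = m.group(1)
            elif m := re.match(r"Status: (\w+)", line):
                stats["sa"].setdefault(section[0], {})["status"] = m.group(1)
    return stats

def assess(stats):
    """Turn the counters into the verdict an operator reads off the screen."""
    active = {d for d, sa in stats["sa"].items() if sa.get("status") == "ACTIVE"}
    if active != {"inbound", "outbound"}:
        return "DOWN: no active inbound+outbound ESP SA pair (check ISAKMP and the crypto ACL)"
    if stats["encaps"] and not stats["decaps"]:
        return "ONE-WAY: encrypting but nothing decrypted; peer's proxy ACL or return path is wrong"
    if stats["decaps"] and not stats["encaps"]:
        return "ONE-WAY: decrypting but nothing sent; local crypto ACL is not matching the GRE traffic"
    note = f"; {stats['send_errors']} send errors (normal for packets dropped while IKE came up, investigate if climbing)" if stats["send_errors"] else ""
    return f"UP: {stats['encaps']} encaps / {stats['decaps']} decaps with peer {stats['peer']}{note}"
```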

Posted in Networking, OSPF