Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IOS GRE Tunnel question

Dear all,

I have set up a VPN with IOS routers using GRE tunnels over IPSec. It seems to be working, but I am very surprised that

1) incoming on the Internet interface I can see a few GRE packets as well as many IPSec packets

2) outgoing on the Internet interface I can see only GRE packets (no IPSec).

Previously I had expected to see only IPSec packets on the Internet interface (because GRE is encapsulated within IPSec). But I remember that every packet is evaluated twice by access-lists on interfaces with applied crypto maps (once before en- or de-cryption and once after). So in that case I expect to see to see equally GRE and IPSec packets.

Please have a look at the attached configuration fragment of my central router (of course with changed IP addresses). Am I doing something wrong, or is the behaviour I've noticed absolutely normal ?

Thank you very much !

crypto isakmp policy 100

encr 3des

group 2

!

crypto ipsec transform-set to_vpn esp-3des esp-sha-hmac

mode transport

!

crypto map mycryptomap 99 ipsec-isakmp

description VPN to Location99

set peer 99.99.99.99

set transform-set to_vpn

match address Location99

crypto map mycryptomap 147 ipsec-isakmp

description VPN to Location147

set peer 147.147.147.147

set transform-set to_vpn

match address Location147

crypto map mycryptomap 202 ipsec-isakmp

description VPN to Location202

set peer 202.202.202.202

set transform-set to_vpn

match address Location202

!

interface Tunnel99

description Location99

bandwidth 512

ip address 10.227.99.1 255.255.255.252

ip accounting output-packets

ip mtu 1440

tunnel source Ethernet0

tunnel destination 99.99.99.99

crypto map mycryptomap

!

interface Tunnel147

description Location147

bandwidth 512

ip address 10.227.147.1 255.255.255.252

ip accounting output-packets

ip mtu 1440

tunnel source Ethernet0

tunnel destination 147.147.147.147

crypto map mycryptomap

!

interface Tunnel202

description Location202

bandwidth 512

ip address 10.227.202.1 255.255.255.252

ip accounting output-packets

ip mtu 1440

tunnel source Ethernet0

tunnel destination 202.202.202.202

crypto map mycryptomap

!

interface Ethernet0

description to Internet

ip address 193.193.193.193 255.255.255.248

ip access-group 140 in

ip access-group 150 in

ip accounting output-packets

half-duplex

crypto map mycryptomap

!

!

ip access-list extended Location99

permit gre host 193.193.193.193 host 99.99.99.99

ip access-list extended Location147

permit gre host 193.193.193.193 host 147.147.147.147

ip access-list extended Location202

permit gre host 193.193.193.193 host 202.202.202.202

!

access-list 140 permit esp any host 193.193.193.193

access-list 140 permit udp any eq isakmp host 193.193.193.193 eq isakmp

access-list 140 permit icmp any host 193.193.193.193

access-list 140 permit gre any host 193.193.193.193 log

access-list 140 deny ip any any log

access-list 150 permit esp host 193.193.193.193 any

access-list 150 permit udp host 193.193.193.193 eq isakmp any eq isakmp

access-list 150 permit icmp host 193.193.193.193 any

access-list 150 permit gre host 193.193.193.193 any log

access-list 150 deny ip any any log

4 REPLIES
Bronze

Re: IOS GRE Tunnel question

Check out the following URL on GRE, may be these examples might give you a better idea.

http://www.cisco.com/en/US/tech/tk827/tk369/tk287/tech_protocol_home.html

New Member

Re: IOS GRE Tunnel question

The URL is interesting, but doesn't answer my question. My question is : Is the protocol distribution I have noticed normal or not ? Or : Is my configuration correct or not ?

Cisco Employee

Re: IOS GRE Tunnel question

My reply might not be a complete answer for your question.

Cisco has come up with Security Device Manager aka SDM, a GUI tool in access routers for configuring Security features like VPN., Firewall. You can take a look at it. It will help you in generating the correct GREoIPSec configuration that you need.

http://www.cisco.com/go/SDM.

Ravikumar

New Member

Re: IOS GRE Tunnel question

Your configuration is alright. The only thing that is missing in the above config is the "ip route ..." command which says to use the tunnel interface as the default route. Hope that's there in your configs.

In my lab setup with back to back connected peers, I see only IPSec packets going out and coming in through the tunnel. This I feel is the normal behavior. Did you check whether the GRE and IPSec packets incoming on your Internet interface is from the same peer or not. It could be that plain GRE packets might be coming to your internet interface. Let us know.

101
Views
0
Helpful
4
Replies
CreatePlease to create content