
IPSec over GRE with Cat6503 and SPA IPSec

rrsstefano
Level 1

Hi all,

I am trying to test a solution using IPSEC-SPA to encrypt traffic and put it over a tunnel interface (mode ipip or GRE).

The tunnel encapsulation should be done by the Cat65XX itself. From the documentation and from my first test results, it is not permitted to configure the crypto map under the tunnel interface as wanted.

Is there no solution for this?

thanks

Stefano


dogarnet
Cisco Employee

Sure it's possible.......

You don't need to apply the Crypto Map to the Tunnel interface.

Apply the Crypto Map to the "Inside" port (VLAN as usual) from VPN-SPA's perspective.

Connect the "Outside" port from VPN-SPA's perspective to the "Inside" port (VLAN).

Use the "Inside" port (VLAN) as the Tunnel Source.

interface vlan 1000
 description - VPNSPA Inside VLAN
 ip address 1.1.1.1 255.255.255.0
 crypto map MAP_STATIC
 crypto engine slot 1/0

interface vlan 1001
 description - VPNSPA Outside VLAN
 crypto connect vlan 1000
 crypto engine slot 1/0

interface tunnel 1000
 bandwidth 1000
 ip address 9.9.9.1 255.255.255.0
 tunnel source vlan 1000
 tunnel destination 2.2.2.2

access-list 100 permit gre host 1.1.1.1 host 2.2.2.2

***This is of course assuming that the peer's Tunnel IP is 9.9.9.x/24 and its global IP is 2.2.2.2***

Also http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/78_14459.htm#wp1273613 (this is for VPNSM but config is relatively the same. Note 'Switch #1, Tunnel intf #1' should read "tunnel source vlan 2")

Good Luck,

Don
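
A check for the layout described in the reply above, added here as an example (it is not part of the original post and is not a Cisco tool): it reads an IOS-style configuration and reports GRE tunnels whose packets would leave without passing the crypto map. The function names are hypothetical. It assumes the tunnel source is given as an interface name, that the crypto ACL uses the `host`/`host` form shown in the reply, and that this ACL is the one the crypto map references, which the posted configuration does not show.

```python
# Constructed sample: the lines of the reply's configuration that the check reads.
SAMPLE = """\
interface vlan 1000
 ip address 1.1.1.1 255.255.255.0
 crypto map MAP_STATIC
interface tunnel 1000
 tunnel source vlan 1000
 tunnel destination 2.2.2.2
access-list 100 permit gre host 1.1.1.1 host 2.2.2.2
"""

def parse(config):
    """Return ({interface name: [sub-commands]}, [access-list lines])."""
    ifaces, acls, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = ifaces.setdefault(line[10:].replace(" ", "").lower(), [])
        elif raw[:1].isspace() and current is not None:
            current.append(line)          # indented line: belongs to the interface
        elif line:
            current = None                # any other global command ends the stanza
            if line.startswith("access-list "):
                acls.append(line)
    return ifaces, acls

def first(cmds, prefix):
    """Argument of the first sub-command that starts with prefix, else None."""
    return next((c[len(prefix):].strip() for c in cmds if c.startswith(prefix)), None)

def audit_tunnels(config):
    """List findings for tunnels whose GRE packets would not reach IPsec."""
    ifaces, acls = parse(config)
    findings = []
    for name, cmds in ifaces.items():
        if not name.startswith("tunnel"):
            continue
        src = (first(cmds, "tunnel source ") or "").replace(" ", "").lower()
        dst = first(cmds, "tunnel destination ") or ""
        src_cmds = ifaces.get(src, [])
        src_ip = (first(src_cmds, "ip address ") or "").split(" ")[0]
        if first(cmds, "crypto map "):
            findings.append(f"{name}: crypto map applied to the tunnel interface")
        if not first(src_cmds, "crypto map "):
            findings.append(f"{name}: tunnel source {src or '?'} has no crypto map")
        entry = f"permit gre host {src_ip} host {dst}"   # host/host form only
        if not (src_ip and dst and any(a.endswith(entry) for a in acls)):
            findings.append(f"{name}: no ACL entry '{entry}'")
    return findings
```

An empty list from `audit_tunnels(SAMPLE)` means the tunnel's GRE endpoints match an ACL entry and the source VLAN carries a crypto map; it does not confirm that the crypto map itself references that ACL.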
