GRE on router 800 serie

pcfreak49
Level 1

I have a question: how can you set up a GRE tunnel on a Cisco 800 series router for a site-to-site IPsec + GRE VPN? Who can help me?

62 Replies

Jeff Van Houten
Level 5

http://www.cisco.com/en/US/tech/tk827/tk369/tk287/tsd_technology_support_sub-protocol_home.html

rizwanr74
Level 7

Please read the thread linked below; I outlined the GRE setup method there, step by step.

https://supportforums.cisco.com/message/3568936#3568936

I have a problem with the GRE tunnel: packets are encrypted, but I cannot ping and have no connection to the clients.

I configured this...

Please change the highlighted line below.

R1

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key key address 84.197.161.59 <<<<<<<<< I assume, this is your R2 public address.

Please copy the highlighted line on router R1.

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
crypto map OUTSIDE-CRYTPO 1 ipsec-isakmp
 set peer 84.197.161.59 <<<<<<<<<< Do the same, and make sure you put the R2 public address.
 set transform-set ESP-AES-128-SHA
 set pfs group5
 match address 100
 reverse-route
!
access-list 100 permit ip host xxx.xxx.xxx.xxx host 84.197.161.59 << x on ACL 100 is the public address of R1.
!
interface Tunnel0
 ip address 11.11.11.1 255.255.255.252
 ip ospf mtu-ignore
 keepalive 3 2
 tunnel source GigabitEthernet0
 tunnel destination 84.197.161.59 <<<<<<<<<<<<<<<<<< this is router R2's public address.
 ip mtu 1400
!
interface GigabitEthernet0
 crypto map OUTSIDE-CRYTPO

-------------------------------------------------------------------------------------------------

Please change the highlighted line below on R2.

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key key address xxx.xxx.xxx.xxx <<<<<<<<<<<<< R1 public address.

!

Please copy the highlighted line on R2.

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
crypto map OUTSIDE-CRYTPO 1 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx <<<<<<<<<<<<<<<<< R1 public address.
 set transform-set ESP-AES-128-SHA
 set pfs group5
 match address 100
 reverse-route
!
access-list 100 permit ip host 84.197.161.59 host xxx.xxx.xxx.xxx << X is the R1 public IP address.
!
interface Tunnel0
 ip address 11.11.11.2 255.255.255.252
 ip ospf mtu-ignore
 keepalive 3 2
 ip mtu 1400
 tunnel source GigabitEthernet0
 tunnel destination xxx.xxx.xxx.xxx <<<<<<<<<<< X is the public address of R1.
!
interface GigabitEthernet0
 crypto map OUTSIDE-CRYTPO

Hope that helps.

thanks

The intention is that the tunnel interface is encrypted, not the WAN interface,

and I want to set up multiple site-to-site IPsec VPN tunnels.

Hi there,

Please note the highlighted lines below, which you have to change in your config; I have also deleted some lines from your config.

R1

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key key address xxx.xxx.xxx.xxx <<<<<<< X is R2 public address!
!
crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC_TUNNEL
 set transform-set TRANS-SET-GRE-TUNNEL
!
interface Tunnel0
 ip address 11.11.11.1 255.255.255.0
 ip ospf mtu-ignore
 keepalive 3 2
 ip mtu 1400
 tunnel source GigabitEthernet0
 tunnel destination xxx.xxx.xxx.xxx <<<<<<< X is R2 public address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_TUNNEL

-------------------------------------------------------------------------

R2

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key key address xxx.xxx.xxx.xxx <<<<<<< R1 Public address!
!
crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC_TUNNEL
 set transform-set TRANS-SET-GRE-TUNNEL
!
interface Tunnel0
 ! R2 end of the tunnel subnet: must differ from R1's 11.11.11.1
 ip address 11.11.11.2 255.255.255.0
 ip ospf mtu-ignore
 keepalive 3 2
 ip mtu 1400
 tunnel source GigabitEthernet0
 tunnel destination xxx.xxx.xxx.xxx <<<<<<< R1 Public address!
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_TUNNEL

You must have a static route on R2 that pushes traffic for the networks located behind R1 into the tunnel, and vice versa, to initiate the tunnel.

show crypto session

Hope that helps.

thanks

Rizwan Rafeek

That is done, but I cannot connect to the clients or ping them.

sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status
84.197.161.59   84.197.174.182  QM_IDLE           2004 ACTIVE

sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 84.197.174.182

   Protected VRF: (none)
   local  ident (addr/mask/prot/port): (84.197.174.182/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (84.197.161.59/255.255.255.255/47/0)
   current_peer 84.197.161.59 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 43167, #pkts encrypt: 43167, #pkts digest: 43167
    #pkts decaps: 43153, #pkts decrypt: 43153, #pkts verify: 43153
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts DECOMPRESS failed: 0
    #send errors 12, #recv errors 0

     local crypto endpt.: 84.197.174.182, remote crypto endpt.: 84.197.161.59
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
     current outbound spi: 0x49705B0(77006256)
     PFS (Y/N): Y, DH group: group16

Missing route to tunnel.

show ip route

I configured it this way:

ip route 0.0.0.0 0.0.0.0 84.197.160.1

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 84.197.160.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 84.197.160.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.10.20.0/24 is directly connected, Vlan2
L        10.10.20.1/32 is directly connected, Vlan2
C        10.20.10.0/24 is directly connected, Vlan1
L        10.20.10.1/32 is directly connected, Vlan1
      84.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        84.196.160.0/20 is directly connected, FastEthernet8
L        84.196.169.102/32 is directly connected, FastEthernet8
C        84.197.160.0/20 is directly connected, GigabitEthernet0
L        84.197.174.182/32 is directly connected, GigabitEthernet0
      195.130.137.0/32 is subnetted, 1 subnets
S        195.130.137.3 [254/0] via 84.197.160.1, GigabitEthernet0

"ip route 0.0.0.0 0.0.0.0 84.197.160.1"

Well, this is not going to help.

Push the private network traffic (at both ends) to the tunnel interface.

This is the default route for the router: "ip route 0.0.0.0 0.0.0.0 84.197.160.1".

All traffic for your private IP ranges must be routed to the tunnel interface from both ends.

thanks

So I must indicate which tunnel interface:

ip route 0.0.0.0 0.0.0.0 11.11.11.2

Not everything, as in "0.0.0.0 0.0.0.0", but the private IP ranges that are located on the remote end of the tunnel.

Example below; assume network 10.0.35.0 is located on the other side of the tunnel.

ip route 10.0.35.0 255.255.255.0 Tunnel0

Router 1 and Router 2 have the same IP addresses.

How can you map the router's IP addresses to a single IP address so that you can go through the tunnel?

R1

ip address 10.10.20.0 255.255.255.0 for LAN

ip address 10.20.10.0 255.255.255.0 for WLAN

R2

ip address 10.20.10.0 255.255.255.0 for LAN

ip address 10.10.20.0 255.255.255.0 for WLAN
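As an added check (example code, not part of this thread or of Cisco IOS): a Python script that parses the "show ip route" lines posted above, performs the longest-prefix lookup the router would do for a remote private prefix, and reports whether that traffic enters Tunnel0, falls to the default route (Rizwan's "missing route to tunnel"), or collides with a locally connected network, which is the situation in the last post where both routers use 10.10.20.0/24 and 10.20.10.0/24. The routing-table excerpt and the 10.0.35.0/24 prefix are constructed from the thread's own values; the "directly connected, Tunnel0" line is how IOS lists a static route that points at an interface.

```python
import ipaddress
import re

# Constructed excerpt of the "show ip route" output from the thread (header lines dropped).
ROUTES_BEFORE = """\
S*    0.0.0.0/0 [1/0] via 84.197.160.1
C        10.10.20.0/24 is directly connected, Vlan2
L        10.10.20.1/32 is directly connected, Vlan2
C        10.20.10.0/24 is directly connected, Vlan1
L        10.20.10.1/32 is directly connected, Vlan1
C        84.197.160.0/20 is directly connected, GigabitEthernet0
L        84.197.174.182/32 is directly connected, GigabitEthernet0
"""
# Same table after "ip route 10.0.35.0 255.255.255.0 Tunnel0" (IOS shows it as "directly connected").
ROUTES_AFTER = ROUTES_BEFORE + "S        10.0.35.0/24 is directly connected, Tunnel0\n"

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]+)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+(?:\[\d+/\d+\]\s+)?"
    r"(?:via (?P<nh>[\d.]+)|is directly connected),?\s*(?P<intf>\S+)?$"
)

def parse_routes(text):
    """Turn routing-table lines into (network, code, next_hop, interface) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((ipaddress.ip_network(m["prefix"]), m["code"], m["nh"], m["intf"]))
    return routes

def longest_match(routes, addr):
    """Most specific route covering addr, as the router's forwarding lookup picks it."""
    addr = ipaddress.ip_address(addr)
    return max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)

def tunnel_verdict(route_text, remote_prefix, tunnel="Tunnel0"):
    """Classify the exit path for a remote private prefix: 'tunnel' (into the GRE/IPsec
    interface), 'default' (sent to the WAN default gateway instead of the tunnel) or
    'local' (collides with a connected network here, so no tunnel route can win)."""
    routes = parse_routes(route_text)
    net = ipaddress.ip_network(remote_prefix)
    if any(net.overlaps(r[0]) for r in routes if r[1] in ("C", "L")):
        return "local"
    best = longest_match(routes, net.network_address)
    if best is None:
        return "none"
    if best[3] == tunnel:
        return "tunnel"
    return "default" if best[0].prefixlen == 0 else "other"
```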