02-24-2012 02:51 PM
I have a question: how can you set up a GRE tunnel on a Cisco 800 series router for a site-to-site VPN (IPsec + GRE)? Who can help me?
02-24-2012 07:18 PM
http://www.cisco.com/en/US/tech/tk827/tk369/tk287/tsd_technology_support_sub-protocol_home.html
Sent from Cisco Technical Support iPad App
02-24-2012 07:50 PM
Please read the thread linked below; the GRE setup method is outlined there, step by step, by me.
03-04-2012 01:38 PM
03-04-2012 05:42 PM
Please change the highlighted lines below.
R1
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key key address 84.197.161.59 <<<<<<<<< I assume, this is your R2 public address.
Please copy the highlighted line on Router R1.
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-CRYTPO 1 ipsec-isakmp
set peer 84.197.161.59 <<<<<<<<<< Do the same, and make sure you put the R2 public address.
set transform-set ESP-AES-128-SHA
set pfs group5
match address 100
reverse-route
access-list 100 permit ip host xxx.xxx.xxx.xxx host 84.197.161.59 <<<<<<<<<< x in ACL 100 is the public address of R1.
interface Tunnel0
ip address 11.11.11.1 255.255.255.252
ip ospf mtu-ignore
keepalive 3 2
tunnel source GigabitEthernet0
tunnel destination 84.197.161.59 <<<<<<<<<<<<<<<<<< this is router R2's public address.
ip mtu 1400
interface GigabitEthernet0
crypto map OUTSIDE-CRYTPO
-------------------------------------------------------------------------------------------------
Please change the highlighted lines below on R2.
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key key address xxx.xxx.xxx.xxx <<<<<<<<<<<<< R1 public address.
!
Please copy the highlighted line on R2.
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-CRYTPO 1 ipsec-isakmp
set peer xxx.xxx.xxx.xxx <<<<<<<<<<<<<<<<< R1 public address.
set transform-set ESP-AES-128-SHA
set pfs group5
match address 100
reverse-route
access-list 100 permit ip host 84.197.161.59 host xxx.xxx.xxx.xxx << X is R1 public ip address.
interface Tunnel0
ip address 11.11.11.2 255.255.255.252
ip ospf mtu-ignore
keepalive 3 2
ip mtu 1400
tunnel source GigabitEthernet0
tunnel destination xxx.xxx.xxx.xxx <<<<<<<<<<< X is public address of the R1.
interface GigabitEthernet0
crypto map OUTSIDE-CRYTPO
Hope that helps.
thanks
03-04-2012 11:37 PM
It is intended that the tunnel interface is encrypted, not the WAN interface,
and I want to set up multiple site-to-site IPsec VPN tunnels.
03-05-2012 06:17 AM
Hi there,
Please note the highlighted lines below, which you have to change in your config. I have also deleted some lines from your config.
R1
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key key address xxx.xxx.xxx.xxx<<<<<<< X is R2 public address!
!
crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC_TUNNEL
set transform-set TRANS-SET-GRE-TUNNEL
!
!
!
!
!
!
interface Tunnel0
ip address 11.11.11.1 255.255.255.0
ip ospf mtu-ignore
keepalive 3 2
ip mtu 1400
tunnel source GigabitEthernet0
tunnel destination xxx.xxx.xxx.xxx <<<<<<< X is R2 public address
tunnel mode IPsec ipv4
tunnel protection ipsec profile IPSEC_TUNNEL
-------------------------------------------------------------------------
R2
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key key address xxx.xxx.xxx.xxx<<<<<<< R1 Public address!
!
crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC_TUNNEL
set transform-set TRANS-SET-GRE-TUNNEL
!
!
!
!
!
!
interface Tunnel0
ip address 11.11.11.2 255.255.255.0
ip ospf mtu-ignore
keepalive 3 2
ip mtu 1400
tunnel source GigabitEthernet0
tunnel destination xxx.xxx.xxx.xxx <<<<<<< R1 Public address!
tunnel mode IPsec ipv4
tunnel protection ipsec profile IPSEC_TUNNEL
You must have a static route on R1 that pushes the network traffic located behind R2 into the tunnel, and vice versa on R2, to initiate the tunnel.
show crypto session
Hope that helps.
thanks
Rizwan Rafeek
03-06-2012 12:18 AM
that is done but I can not connect to the clients or pinging
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
84.197.161.59 84,197,174,182 QM_IDLE 2004 ACTIVE
sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 84,197,174,182
Protected VRF: (none)
local ident (addr / mask / prot / port): (84.197.174.182/255.255.255.255/47/0)
remote ident (addr / mask / prot / port): (84.197.161.59/255.255.255.255/47/0)
current_peer 84.197.161.59 port 500
PERMIT, flags = {origin_is_acl,}
# pkts encaps: 43167, # pkts encrypt: 43167, # pkts digest: 43167
# pkts decaps: 43153, # pkts decrypt: 43153, # pkts verify: 43153
# pkts compressed: 0, # pkts decompressed: 0
# pkts not compressed: 0, # pkts compr. failed: 0
# pkts not decompressed: 0, # pkts DECOMPRESS failed: 0
# send errors 12, # recv errors 0
local crypto endpt.: 84,197,174,182, remote crypto endpt.: 84.197.161.59
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
current outbound spi: 0x49705B0 (77006256)
PFS (Y / N): Y DH group: group16
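Reading that output by hand is error-prone, so here is an added example (not from the thread) that parses a constructed excerpt modelled on the poster's "sh crypto ipsec sa" output and classifies the SA: if packets are both encapsulated and decapsulated, the crypto path is healthy and the problem lies in what is routed into Tunnel0. The sample text and the function names are mine.

```python
import re

# Constructed excerpt modelled on the "sh crypto ipsec sa" output pasted above.
SAMPLE_SA_OUTPUT = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 84.197.174.182
   local  ident (addr/mask/prot/port): (84.197.174.182/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (84.197.161.59/255.255.255.255/47/0)
   current_peer 84.197.161.59 port 500
    #pkts encaps: 43167, #pkts encrypt: 43167, #pkts digest: 43167
    #pkts decaps: 43153, #pkts decrypt: 43153, #pkts verify: 43153
    #send errors 12, #recv errors 0
"""

def parse_ipsec_sa(text):
    """Extract the fields a troubleshooter needs from 'show crypto ipsec sa'."""
    def grab(pattern, cast=int):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None
    return {
        "local_ident": grab(r"local\s+ident.*?:\s*\(([\d.]+/[\d.]+/\d+/\d+)\)", str),
        "remote_ident": grab(r"remote\s+ident.*?:\s*\(([\d.]+/[\d.]+/\d+/\d+)\)", str),
        "encaps": grab(r"#\s*pkts encaps:\s*(\d+)"),
        "decaps": grab(r"#\s*pkts decaps:\s*(\d+)"),
        "send_errors": grab(r"#\s*send errors\s*(\d+)"),
        "recv_errors": grab(r"#\s*recv errors\s*(\d+)"),
    }

def assess(sa):
    """Classify the SA: is the crypto path broken, or only the routing on top of it?"""
    findings = []
    if sa["encaps"] and not sa["decaps"]:
        findings.append("one-way: we encrypt but never receive; check the remote side's routing")
    elif sa["decaps"] and not sa["encaps"]:
        findings.append("one-way: we receive but never send; check our routes into Tunnel0")
    elif sa["encaps"] and sa["decaps"]:
        findings.append("bidirectional traffic is flowing through the SA")
    else:
        findings.append("no traffic has hit the SA; nothing is being routed into the tunnel")
    if sa["send_errors"]:
        findings.append(f"{sa['send_errors']} send errors reported")
    # Protocol field of the local ident: 47 means the protected payload is GRE.
    proto = sa["local_ident"].split("/")[2] if sa["local_ident"] else None
    if proto == "47":
        findings.append("protected traffic is GRE (protocol 47): GRE over IPsec")
    return findings
```

Run against the constructed excerpt it reports bidirectional traffic, which is why the next reply in the thread points at routing rather than at the crypto config.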
03-06-2012 02:18 AM
Missing route to tunnel.
show ip route
03-06-2012 02:26 AM
I configured it this way:
ip route 0.0.0.0 0.0.0.0 84.197.160.1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 84.197.160.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 84.197.160.1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.20.0/24 is directly connected, Vlan2
L 10.10.20.1/32 is directly connected, Vlan2
C 10.20.10.0/24 is directly connected, Vlan1
L 10.20.10.1/32 is directly connected, Vlan1
84.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 84.196.160.0/20 is directly connected, FastEthernet8
L 84.196.169.102/32 is directly connected, FastEthernet8
C 84.197.160.0/20 is directly connected, GigabitEthernet0
L 84.197.174.182/32 is directly connected, GigabitEthernet0
195.130.137.0/32 is subnetted, 1 subnets
S 195.130.137.3 [254/0] via 84.197.160.1, GigabitEthernet0
03-06-2012 02:32 AM
"ip route 0.0.0.0 0.0.0.0 84.197.160.1"
Well, this is not going to help.
Push the private network traffic (at both ends) to the tunnel interface.
This is the default route for the router: "ip route 0.0.0.0 0.0.0.0 84.197.160.1"
All your private IP range traffic must be routed to the tunnel interface from both ends.
thanks
03-06-2012 02:36 AM
I must indicate which tunnel interface
ip route 0.0.0.0 0.0.0.0 11.11.11.2
03-06-2012 02:40 AM
Not everything, as in "0.0.0.0 0.0.0.0", but the private IP ranges that are located on the remote end of the tunnel.
03-06-2012 02:54 AM
Example below; assume network 10.0.35.0 is located on either side of the tunnel.
ip route 10.0.35.0 255.255.255.0 Tunnel0
03-06-2012 03:37 AM
Router 1 and Router 2 have the same IP addresses.
How can you have the router block these IP addresses so that a single IP address can go through the tunnel?
R1
ip address 10.10.20.0 255.255.255.0 for LAN
ip address 10.20.10.0 255.255.255.0 for WLAN
R2
ip address 10.20.10.0 255.255.255.0 for LAN
ip address 10.10.20.0 255.255.255.0 for WLAN
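The last post shows why the static-route advice earlier in the thread cannot be applied as-is: every remote prefix is also directly connected locally, so a route to Tunnel0 would be shadowed by the connected route. As an added example (not from the thread), this script takes both routers' LAN prefixes, reports any cross-tunnel overlap, and only when there is none emits the "ip route <net> <mask> Tunnel0" lines in the form used above. The prefix lists are copied from the post; the function names are mine.

```python
import ipaddress

# Prefixes as listed in the post for R1 and R2 (example data, not a live config).
R1_LANS = ["10.10.20.0/24", "10.20.10.0/24"]
R2_LANS = ["10.20.10.0/24", "10.10.20.0/24"]

def find_overlaps(local, remote):
    """Return (local, remote) pairs whose address space collides across the tunnel."""
    pairs = []
    for l in local:
        for r in remote:
            ln, rn = ipaddress.ip_network(l), ipaddress.ip_network(r)
            if ln.overlaps(rn):
                pairs.append((str(ln), str(rn)))
    return pairs

def tunnel_routes(remote, tunnel_if="Tunnel0"):
    """IOS static routes steering each remote private prefix into the tunnel,
    in the 'ip route <net> <mask> Tunnel0' form recommended in the thread."""
    lines = []
    for r in remote:
        net = ipaddress.ip_network(r)
        lines.append(f"ip route {net.network_address} {net.netmask} {tunnel_if}")
    return lines

def plan_side(local, remote):
    """Decide whether this side can install routes to the remote prefixes.
    A remote prefix that overlaps a directly connected one is refused: the
    connected route (administrative distance 0) wins over the static route,
    so the traffic never enters the tunnel, and the collision is reported."""
    overlaps = find_overlaps(local, remote)
    if overlaps:
        return {"ok": False, "overlaps": overlaps, "routes": []}
    return {"ok": True, "overlaps": [], "routes": tunnel_routes(remote)}
```

For the prefixes in the post, plan_side(R1_LANS, R2_LANS) refuses both remote networks, which means one side has to be renumbered (or NAT applied) before any route to Tunnel0 can work.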