
New Member

GRE on router 800 serie

I have a question: how can you set up a GRE tunnel on a Cisco 800 series router for a site-to-site VPN (IPsec + GRE)? Who can help me?

62 REPLIES

Re: GRE on router 800 serie

http://www.cisco.com/en/US/tech/tk827/tk369/tk287/tsd_technology_support_sub-protocol_home.html

Sent from Cisco Technical Support iPad App

GRE on router 800 serie

Please read the thread linked below; the GRE setup method is outlined there, step by step, by me.

https://supportforums.cisco.com/message/3568936#3568936

New Member

Re: GRE on router 800 serie

I have a problem with the GRE tunnel: packets are encrypted, but I cannot ping and there is no connection to the clients.

I configured this...

Re: GRE on router 800 serie

Please change highlighted line below.

R1

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key key address 84.197.161.59 <<<<<<<<< I assume this is your R2 public address.

Please copy the highlighted line on Router R1.

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-CRYTPO 1 ipsec-isakmp
set peer 84.197.161.59 <<<<<<<<<< Do the same, and make sure you put the R2 public address.
set transform-set ESP-AES-128-SHA
set pfs group5
match address 100
reverse-route
access-list 100 permit ip host xxx.xxx.xxx.xxx host 84.197.161.59 <<< x in ACL 100 is the public address of R1.
interface Tunnel0
ip address 11.11.11.1 255.255.255.252
ip ospf mtu-ignore
keepalive 3 2
tunnel source GigabitEthernet0
tunnel destination 84.197.161.59 <<<<<<<<<<<<<<<<<< This is router R2's public address.
ip mtu 1400
interface GigabitEthernet0
crypto map OUTSIDE-CRYTPO

-------------------------------------------------------------------------------------------------

Please change highlighted line below.

R2

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key key address xxx.xxx.xxx.xxx <<<<<<<<<<<<< R1 public address.
!

Please copy the highlighted line on R2.

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-CRYTPO 1 ipsec-isakmp
set peer xxx.xxx.xxx.xxx <<<<<<<<<<<<<<<<< R1 public address.
set transform-set ESP-AES-128-SHA
set pfs group5
match address 100
reverse-route
access-list 100 permit ip host 84.197.161.59 host xxx.xxx.xxx.xxx << X is R1 public IP address.
interface Tunnel0
ip address 11.11.11.2 255.255.255.252
ip ospf mtu-ignore
keepalive 3 2
ip mtu 1400
tunnel source GigabitEthernet0
tunnel destination xxx.xxx.xxx.xxx <<<<<<<<<<< X is the public address of R1.
interface GigabitEthernet0
crypto map OUTSIDE-CRYTPO

Hope that helps.

thanks

New Member

Re: GRE on router 800 serie

The intention is to encrypt the tunnel interface, not the WAN interface, and I want to set up multiple site-to-site IPsec VPN tunnels.

Re: GRE on router 800 serie

Hi there,

Please note the highlighted lines below, which you have to change in your config; I have also deleted some lines from your config.

R1

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key key address xxx.xxx.xxx.xxx<<<<<<< X is R2 public address!
!
crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC_TUNNEL
set transform-set TRANS-SET-GRE-TUNNEL

!
!
!
!
!
!
interface Tunnel0
ip address 11.11.11.1 255.255.255.0
ip ospf mtu-ignore
keepalive 3 2
ip mtu 1400
tunnel source GigabitEthernet0
tunnel destination xxx.xxx.xxx.xxx <<<<<<< X is R2 public address

tunnel mode IPsec ipv4
tunnel protection ipsec profile IPSEC_TUNNEL

-------------------------------------------------------------------------

R2

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key key address xxx.xxx.xxx.xxx<<<<<<< R1 Public address!
!
crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC_TUNNEL
set transform-set TRANS-SET-GRE-TUNNEL

!
!
!
!
!
!
interface Tunnel0
ip address 11.11.11.2 255.255.255.0
ip ospf mtu-ignore
keepalive 3 2
ip mtu 1400
tunnel source GigabitEthernet0
tunnel destination xxx.xxx.xxx.xxx <<<<<<< R1 Public address!

tunnel mode IPsec ipv4
tunnel protection ipsec profile IPSEC_TUNNEL

You must have a static route to push network traffic located on the R1 router through a static route on R2 and vice versa, to initiate the tunnel.

show crypto session

Hope that helps.

thanks

Rizwan Rafeek

New Member

Re: GRE on router 800 serie

That is done, but I cannot connect to the clients or ping them.

sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

84.197.161.59 84.197.174.182 QM_IDLE 2004 ACTIVE

sh crypto ipsec sa

interface: Tunnel0

Crypto map tag: Tunnel0-head-0, local addr 84.197.174.182

Protected VRF: (none)

local ident (addr / mask / prot / port): (84.197.174.182/255.255.255.255/47/0)

remote ident (addr / mask / prot / port): (84.197.161.59/255.255.255.255/47/0)

current_peer 84.197.161.59 port 500

PERMIT, flags = {origin_is_acl,}

# pkts encaps: 43167, # pkts encrypt: 43167, # pkts digest: 43167

# pkts decaps: 43153, # pkts decrypt: 43153, # pkts verify: 43153

# pkts compressed: 0, # pkts decompressed: 0

# pkts not compressed: 0, # pkts compr. failed: 0

# pkts not decompressed: 0, # pkts DECOMPRESS failed: 0

# send errors 12, # recv errors 0

local crypto endpt.: 84.197.174.182, remote crypto endpt.: 84.197.161.59

path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0

current outbound spi: 0x49705B0 (77006256)

PFS (Y / N): Y DH group: group16

That is done, but I cannot connect to the clients or ping them.

Re: GRE on router 800 serie

Missing route to tunnel.

show ip route

New Member

Re: GRE on router 800 serie

I configured it this way:

ip route 0.0.0.0 0.0.0.0 84.197.160.1

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 84.197.160.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 84.197.160.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.10.20.0/24 is directly connected, Vlan2
L        10.10.20.1/32 is directly connected, Vlan2
C        10.20.10.0/24 is directly connected, Vlan1
L        10.20.10.1/32 is directly connected, Vlan1
      84.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        84.196.160.0/20 is directly connected, FastEthernet8
L        84.196.169.102/32 is directly connected, FastEthernet8
C        84.197.160.0/20 is directly connected, GigabitEthernet0
L        84.197.174.182/32 is directly connected, GigabitEthernet0
      195.130.137.0/32 is subnetted, 1 subnets
S        195.130.137.3 [254/0] via 84.197.160.1, GigabitEthernet0

Re: GRE on router 800 serie

"ip route 0.0.0.0 0.0.0.0 84.197.160.1"

Well, this is not going to help.

Push the private network traffic of both ends to the tunnel interface.

This is the default route for the router: "ip route 0.0.0.0 0.0.0.0 84.197.160.1"

All traffic for your private IP ranges must be routed to the tunnel interface from both ends.

thanks

New Member

Re: GRE on router 800 serie

I must indicate which tunnel interface

ip route 0.0.0.0 0.0.0.0 11.11.11.2

Re: GRE on router 800 serie

Not everything as "0.0.0.0 0.0.0.0", but the private IP ranges that are located on the remote end of the tunnel.

Re: GRE on router 800 serie

Example below; assume network 10.0.35.0 is located on either side of the tunnel.

ip route 10.0.35.0 255.255.255.0 Tunnel0
New Member

Re: GRE on router 800 serie

Router 1 and Router 2 have the same ip addresses

how can you ipadressen the router block a single to ipadress you can go through the tunnel

R1

ip address 10.10.20.0 255.255.255.0 for LAN

ip address 10.20.10.0 255.255.255.0 for WLAN

R2

ip address 10.20.10.0 255.255.255.0 for LAN

ip address 10.10.20.0 255.255.255.0 for WLAN

Re: GRE on router 800 serie

You cannot do much but you have to re-IP your LAN and WLAN.

R1

ip address 10.10.10.0 255.255.255.0 for LAN

ip address 10.10.20.0 255.255.255.0 for WLAN

R2

ip address 10.20.10.0 255.255.255.0 for LAN

ip address 10.20.20.0 255.255.255.0 for WLAN

Thanks
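The routing and addressing points made in the replies above, worked through as an added example (not part of the original thread and not any poster's code). It applies longest-prefix matching to R1's routing table from the thread and shows where traffic for a client behind R2 leaves the router: inside the tunnel, or out of the WAN interface outside the IPsec protection. The client address `10.20.10.5` and the VLAN assignment after the re-IP are assumptions.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match: (prefix, exit) of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), via) for p, via in routes
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    net, via = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), via

def overlapping(local, remote):
    """Local/remote prefix pairs that overlap; such destinations never leave the local router."""
    return [(l, r) for l in local for r in remote
            if ipaddress.ip_network(l).overlaps(ipaddress.ip_network(r))]

# R1 table from the "show ip route" output in the thread
# (local /32 entries and the 195.130.137.3 host route omitted).
R1_ORIGINAL = [
    ("0.0.0.0/0", "84.197.160.1"),
    ("10.10.20.0/24", "Vlan2"),
    ("10.20.10.0/24", "Vlan1"),
    ("84.196.160.0/20", "FastEthernet8"),
    ("84.197.160.0/20", "GigabitEthernet0"),
]
# LAN/WLAN addressing before and after the re-IP proposed in the thread.
R1_OLD, R2_OLD = ["10.10.20.0/24", "10.20.10.0/24"], ["10.20.10.0/24", "10.10.20.0/24"]
R1_NEW, R2_NEW = ["10.10.10.0/24", "10.10.20.0/24"], ["10.20.10.0/24", "10.20.20.0/24"]

# Constructed: R1 after the re-IP (VLAN assignment assumed), without and with tunnel routes.
R1_REIP = [
    ("0.0.0.0/0", "84.197.160.1"),
    ("10.10.10.0/24", "Vlan1"),
    ("10.10.20.0/24", "Vlan2"),
    ("84.197.160.0/20", "GigabitEthernet0"),
]
R1_FIXED = R1_REIP + [(net, "Tunnel0") for net in R2_NEW]

if __name__ == "__main__":
    host = "10.20.10.5"  # constructed client address on R2's LAN
    for name, table in [("original", R1_ORIGINAL), ("re-IP only", R1_REIP),
                        ("re-IP + tunnel routes", R1_FIXED)]:
        print(f"{name:22} {host} -> {lookup(table, host)}")
    print("overlap before re-IP:", overlapping(R1_OLD, R2_OLD))
    print("overlap after re-IP: ", overlapping(R1_NEW, R2_NEW))
    print("tunnel peer exits via:", lookup(R1_FIXED, "84.197.161.59"))
```

With the original addressing the remote client matches R1's own Vlan1 and never reaches the tunnel; with the re-IP alone it follows the default route to the ISP gateway; only the specific routes to Tunnel0 put it inside the encrypted path, while the tunnel peer itself still exits GigabitEthernet0.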

New Member

Re: GRE on router 800 serie

you should do that for each range of IP addresses

Re: GRE on router 800 serie

Yes, re-IP your network, which will fix your duplicate fragmented networks from both ends.

If you don't want to add an individual static route for each individual network to the tunnel interface on each router, then introduce a routing protocol, which will exchange routes dynamically over the tunnel interface.

Re: GRE on router 800 serie

Please rate helpful post.

thanks

New Member

Re: GRE on router 800 serie

It is possible to do so by means of a routing protocol such as OSPF and BGP in place of a static route to add

Re: GRE on router 800 serie

"it is possible to do so by means of a routing protocol such as OSPF and BGP in place of a static route to add"

Yes, stay with OSPF or EIGRP; you can do it with BGP as well, but BGP is for bigger networks with about 1000 or more pieces of gear.

Please rate helpful posts.

thanks

New Member

Re: GRE on router 800 serie

would configure OSPF how you do that though because then I tried to connect to another router

R1

router ospf 123

network 10.10.10.0 0.0.0.255 area 0

network 10.10.10.0 0.0.0.255 area 0

R2

router ospf 123

network 10.20.10.0 0.0.0.255 area 0

network 10.20.10.0 0.0.0.255 area 0

Re: GRE on router 800 serie

Apply this on Router1

interface Tunnel0

ip address 11.11.11.1 255.255.255.252

exit

router ospf 123

network 11.11.11.0 0.0.0.3 area 0

----------------------------------------------


Apply this on Router2

interface Tunnel0

ip address 11.11.11.2 255.255.255.252

exit

router ospf 123
network 11.11.11.0 0.0.0.3 area 0

-------------------------------------------------------------


When done, look for the OSPF neighbor on network 11.11.11.0.

A piece of strong advice: please use a /30 mask on the tunnel interface, otherwise you will run into problems if your network grows, and please make sure your tunnel interface uses a private IP address; "11.11.11.0" is a public address.

Hope that helps.


thanks

New Member

Re: GRE on router 800 serie

I have applied that, but I cannot connect to the other router.

GRE on router 800 serie

Can you ping the public address of each of the other routers?

New Member

GRE on router 800 serie

Yes, I can ping the public IP address from R1 to R2 and the other way around.

GRE on router 800 serie

I do not get this: why is your default gateway going to the same IP on both routers: 195.197.160.1?


Try this on router one.


on router one:


ip route 84.197.174.182 255.255.255.255 GigabitEthernet0

on router two:

ip route 84.197.161.59 255.255.255.255 GigabitEthernet0

Just to be sure, please also add this line below on both routers, "ip routing"

Please let me know.

thanks

New Member

GRE on router 800 serie

I did it, but I cannot connect to the other router.

Re: GRE on router 800 serie

Hi there,

I tested a setup similar to yours in my home lab, and it was 100% successful.

Please review the config attached.

thanks

Rizwan Rafeek

New Member

GRE on router 800 serie

I tried it as on your router; then after a restart it stops working.
