
New Member

GRE over IPSec ( in a redundant WAN)

All,

     I am attempting to encrypt the traffic on this WAN (please see the attached diagram). The creation of the GRE tunnel was successful; the problem occurs when I apply the encryption to the remote router (LBI) and the host router (LBI): I am unable to see anything after the tunnel.

Please see the attached files with the configuration for the two routers. ISD=Host, LBI=Remote. Can someone tell me where I am going wrong?

Regards,

Quincy

8 REPLIES
Bronze

Orson,

Firstly, you won't have to specify the 'crypto map' statement on the tunnel interface; the physical interface should suffice.  Also, you need to set your tunnel sources correctly:

ISD Router:

Tunnel source should be FastE0/1.1

LBI Router:

Tunnel source should be FastE0/1.1

I am not sure how you got the GRE tunnel working with this configuration, as you mentioned in your second sentence.  Unless there is some other configuration I'm not seeing.

Also, apply the crypto map to the FastE0/1.1 interface instead of FastE0/1.2.

HTH!

-Chris

New Member

Chris,

     There was a mistake in the configuration; it's now corrected in the document.

Orson

Hall of Fame Super Silver

Orson

The config for the ISD router still shows the crypto map applied to the tunnel interface. Unless you are running quite old code on these routers the crypto map should be only on the physical interface.

Also the access list has two lines. You only need the first line which permits the GRE traffic. I suggest that you remove the line

Access-list 110 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

HTH

Rick

New Member

It is working without the access-list mentioned above, however all the documentation I read suggests to "create access lists to define the traffic for encryption". I interpret that to mean all traffic that is passing between the sites.

"The crypto access list will specify which data traffic will pass through the IPSec tunnel. Crypto access lists are more like security associations than traditional ip access lists. '…the access lists used for IPSec are used only to determine which traffic should be protected by IPSec, not which traffic should be blocked or permitted…'." ("IPSec Network Security", Cisco Systems Inc.)

If we remove that access-list line, then only the GRE traffic will be encrypted... what happens to the other traffic?

Bronze

All other traffic is encapsulated in GRE, so, in essence, it will be encrypted as well.  I employ Richard's suggestion frequently, and it works well.

-Chris

Hall of Fame Super Silver

Chris

Thanks for the good explanation and for the endorsement of my approach.

The paragraph that Orson quotes does apply to a standard IPSec tunnel (without GRE) and I suspect that if he completely identified the source we would find that it was in fact discussing an IPSec tunnel that does not use GRE.

The basic point is still true - that the access list identifies the traffic to be encrypted. But when the data traffic is forwarded through a GRE tunnel then the traffic to be encrypted is nothing but GRE.

HTH

Rick
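As an added illustration (not code from the thread or its attachments), here is a small Python check that reads an IOS-style running-config and flags the two problems Rick points out: a crypto map applied to a Tunnel interface, and a crypto ACL line that matches anything other than GRE. The sample config, the peer addresses and the map name WANMAP are constructed.

```python
import re

# Constructed sample (not from the thread's attachments): the "before" state the
# thread describes, with the crypto map on Tunnel0 and a broad second line in ACL 110.
SAMPLE_CONFIG = """\
crypto map WANMAP 10 ipsec-isakmp
 match address 110
interface Tunnel0
 tunnel source FastEthernet0/1.1
 tunnel destination 203.0.113.2
 crypto map WANMAP
interface FastEthernet0/1.1
 crypto map WANMAP
access-list 110 permit gre host 203.0.113.1 host 203.0.113.2
access-list 110 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
"""

# Corrected state: crypto map only on the physical interface, ACL 110 permits only GRE.
FIXED_CONFIG = (SAMPLE_CONFIG
    .replace(" tunnel destination 203.0.113.2\n crypto map WANMAP\n", " tunnel destination 203.0.113.2\n")
    .replace("access-list 110 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255\n", ""))

def parse_interfaces(config):
    """Map each 'interface X' stanza to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return interfaces

def audit(config):
    """Return one finding string per misconfiguration discussed in the thread."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if name.lower().startswith("tunnel") and any(c.startswith("crypto map ") for c in cmds):
            findings.append(f"{name}: crypto map applied to the tunnel; apply it to the physical interface only")
    # ACLs referenced by 'match address' inside a crypto map are the crypto ACLs
    crypto_acls = set(re.findall(r"^ match address (\S+)", config, re.M))
    for m in re.finditer(r"^access-list (\S+) permit (\S+) .*$", config, re.M):
        if m.group(1) in crypto_acls and m.group(2) != "gre":
            findings.append(f"access-list {m.group(1)}: '{m.group(0)}' matches non-GRE traffic; "
                            "only GRE between the tunnel endpoints belongs in a GRE-over-IPsec crypto ACL")
    return findings
```

Running audit() on SAMPLE_CONFIG reports both issues; on FIXED_CONFIG it reports none, since all site-to-site traffic already rides inside the GRE packets that the single GRE line selects for encryption.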

New Member

Thanks for the clarifications

Hall of Fame Super Silver

Orson

I am glad that we were able to supply answers that helped to solve your question. Thank you for using the rating system to mark the question as resolved. It makes the forum more useful when people can read a question and can know that an answer was found. Your marking has contributed to this process.

HTH

Rick
