IPSEC in GRE

paa
Level 1

Hello all! I have a strange problem when I try to put IPSEC in GRE.

[IPSEC-PIX]---[GW]---[cisco 851], between PIX and 851 IPSEC, between GW and 851 - GRE. Now I try to put all IPSEC in GRE. Create tunnel, on 851 set following settings:

ip route 0.0.0.0 0.0.0.0 tun0
inter fast4
 crypto map IPSEC

I can ping remote end of GRE tunnel, remote end of IPSEC tunnel, BUT, no IPSEC session created (access-list is right). What to do? )

6 Replies

Did you check your IKE parameters and IPSEC transform set to see if they match? If you are still having issues, then can you post the configuration of both devices?

HTH

Sundar

I'll check it. I don't understand, can using a tunnel be a problem when I use IPSEC? I want to encapsulate entry IPSEC packet in GRE, is it possible?

Post your configurations.

It is possible to encapsulate the ESP packet into a GRE tunnel.

Mostly people use it to send multicast routing protocol packets, as IPSEC doesn't support multicast.

Have a look at this link

http://www.cisco.com/univercd/cc/td/doc/product/vpn/solution/aswan15/sig/sig_05.htm

HTH, rate if it does

Narayan

Can you post your config and the "show ver" output?

For a while, turn off the don't defragment bit with a route-map or using the crypto command 'crypto ipsec df-bit clear'.

Thanks, guys!

My config:

[851]
inter tunn0
 ip address 10.10.10.1 255.255.255.252
 tunnel src fast4
 tunnel dest 100.100.100.1
 tunnel mode ipip
inter fast4
 ip address dhcp client-id fast4
 ip mtu 1492
 ip route-cache flow
 crypto map MAP

On the PIX, the peer address for IPSEC is the address of fast4, not the tunnel.

Important: GRE is between the 851 and the ISP router, not between the 851 and the PIX.

koontzuap
Level 1

Without seeing your configs it is hard to troubleshoot. Perhaps the config snippets of GRE over IPSEC that I have provided below will help. This config was used on an ISR router connecting to another ISR router. It will work for a router to PIX or VPN3K as well. If using a PIX or VPN3K you will need a router behind it to anchor the GRE tunnel. Also, with the GRE & IPSEC overhead, you may need to adjust the MTU on the Tunnel interface. I found that adjusting the MTU to 1400 and the MSS to 1360 works the best.

Enjoy!

interface Loopback0
 description *** Loopback 0 ***
 ip address X.X.X.X 255.255.255.255
!
interface Loopback2
 description *** Anchor for GRE Tunnels ***
 ip address X.X.X.X 255.255.255.255
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key address
!
crypto ipsec transform-set secure esp-3des esp-md5-hmac
!
crypto map IOSVPN 105 ipsec-isakmp
 description *** Crypto Map to ?????? ***
 set peer
 set transform-set secure
 match address 105
!
interface Tunnel105
 description *** GRE Tunnel to ????? ***
 bandwidth 1024
 ip address X.X.X.X 255.255.255.252
 ip mtu 1400
 ip route-cache flow
 ip tcp adjust-mss 1360
 keepalive 3 3
 tunnel source
 tunnel destination
!
interface FastEthernet0/0
 description *** Public Interface ***
 ip address X.X.X.X 255.255.255.X
 crypto map IOSVPN
!
router eigrp 100
 passive-interface FastEthernet0/0
 network X.X.0.0
 no auto-summary
 eigrp stub connected summary
!
ip route X.X.X.X 255.255.255.255 ISP Next Hop name ?-GRE (Route to far-end Lo2)
ip route 255.255.255.255 ISP Next Hop name ?? (Route to far end VPN)
!
access-list 105 remark --- loopback 2 for GRE Tunnel ---
access-list 105 permit gre host host
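
The overhead arithmetic behind the MTU 1400 / MSS 1360 suggestion in the reply above, as an added example that is not part of the original thread or anyone's posted config. It assumes IPv4 without options, a basic 4-byte GRE header, ESP in tunnel mode and no NAT-T; the function names are illustrative, and the esp-aes / esp-sha-hmac rows go beyond the transforms shown in the thread.

```python
# Added example (not from the thread): wire size of a GRE packet after ESP.
# Assumptions: IPv4 without options, basic GRE header, ESP tunnel mode, no NAT-T.
IP_HDR, GRE_HDR, TCP_HDR = 20, 4, 20
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad-length byte + next-header byte

# transform name -> (cipher block size, IV size) in bytes
CIPHERS = {"esp-3des": (8, 8), "esp-aes": (16, 16)}
# transform name -> truncated ICV size in bytes (HMAC-96 variants)
AUTHS = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}


def wire_size(tunnel_ip_mtu, cipher="esp-3des", auth="esp-md5-hmac"):
    """Bytes on the physical interface for a full-size tunnel packet."""
    block, iv = CIPHERS[cipher]
    gre_packet = tunnel_ip_mtu + GRE_HDR + IP_HDR   # GRE delivery packet
    # ESP pads payload + trailer up to the cipher block size.
    padded = -(-(gre_packet + ESP_TRAILER) // block) * block
    return IP_HDR + ESP_HDR + iv + padded + AUTHS[auth]


def max_tunnel_mtu(path_mtu, cipher="esp-3des", auth="esp-md5-hmac"):
    """Largest tunnel 'ip mtu' whose encrypted packet still fits path_mtu."""
    mtu = path_mtu
    while mtu > 0 and wire_size(mtu, cipher, auth) > path_mtu:
        mtu -= 1
    return mtu


def tcp_mss(tunnel_ip_mtu):
    """Value for 'ip tcp adjust-mss': tunnel MTU minus IP and TCP headers."""
    return tunnel_ip_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for path in (1500, 1492):   # Ethernet, and the 1492 set on fast4 above
        print(path, "max tunnel ip mtu:", max_tunnel_mtu(path))
    print("ip mtu 1400 ->", wire_size(1400), "bytes on the wire, MSS", tcp_mss(1400))
```

With the thread's settings, a 1400-byte tunnel packet grows to 1480 bytes after GRE and ESP, so it fits both a 1500-byte path and the 1492-byte MTU in the original poster's config without fragmentation.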
