IPSec over GRE Tunnel Guide

1) The document describes how to configure an IPSec over GRE tunnel between two routers to encrypt traffic flowing between their networks. 2) Key steps include creating a GRE tunnel interface between the routers, enabling OSPF routing over the tunnel, defining an IPSec policy to encrypt GRE traffic, and applying crypto maps to the tunnel and external interfaces. 3) Once configured, the IPSec over GRE tunnel allows encrypted communication between the routers' networks with the ability for intra-network routing.

Uploaded by: Lindsey Benter
Copyright: © Attribution Non-Commercial (BY-NC)

IPSec over GRE Tunnel:

Advantages:
- Creates a logical virtual interface between the two routers across which the traffic appears to flow
- Allows us to run an IGP routing protocol over the tunnel
- Allows multicast routing
- Encrypts traffic going through the Internet

Pre-Configuration:

ASA
!
interface GigabitEthernet0
 ip address 100.100.100.2 255.255.255.0
 nameif outside
 security-level 0
 no shutdown
!
interface GigabitEthernet2
 ip address 10.10.10.1 255.255.255.252
 nameif inside
 security-level 100
 no shutdown

Corp
!
interface FastEthernet 0/0
 ip address 10.10.10.2 255.255.255.252
 no shutdown
!
interface FastEthernet 0/1
 ip address 10.10.11.1 255.255.255.252
 no shutdown

Branch
!
interface FastEthernet 0/0
 ip address 100.100.100.10 255.255.255.0
 no shutdown
!
interface FastEthernet 0/1
 ip address 10.10.14.1 255.255.255.252
 no shutdown

ASA (continued)
!
interface GigabitEthernet1
 no nameif
 security-level 0
 no ip address
 no shut
!
interface GigabitEthernet1.1
 nameif DMZ
 security-level 50
 ip address 20.20.20.1 255.255.255.0

SW1
vlan database
 vlan 10 name DMZ
 exit
conf t
!
no ip routing
!
int fa1/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface range FastEthernet 1/1 - 2
 switchport mode access
 switchport access vlan 10
!
ip default-gateway 20.20.20.1

SW2
!
vlan database
 vlan 2 name Sales
 vlan 3 name Finance
 exit
conf t
!
interface FastEthernet 1/0
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
!
interface FastEthernet 1/1
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast
!
interface vlan 2
 ip address 10.10.12.1 255.255.255.0
 no shut
!
interface vlan 3
 ip address 10.10.13.1 255.255.255.0
 no shut
!
interface FastEthernet 0/0
 ip address 10.10.11.2 255.255.255.252
 no shut
!
ip dhcp excluded-address 10.10.12.1 10.10.12.9
!
ip dhcp pool VLAN2
 network 10.10.12.0 /24
 default-router 10.10.12.1
 dns-server 8.8.8.8
!
ip dhcp excluded-address 10.10.13.1 10.10.13.9
!
ip dhcp pool VLAN3
 network 10.10.13.0 /24
 default-router 10.10.13.1
 dns-server 8.8.8.8

SW3
!
vlan database
 vlan 2 name Accounting
 vlan 3 name Management
 exit
conf t
!
interface FastEthernet 1/0
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
!
interface FastEthernet 1/1
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast
!
interface vlan 2
 ip address 10.10.15.1 255.255.255.0
 no shut
!
interface vlan 3
 ip address 10.10.16.1 255.255.255.0
 no shut
!
interface FastEthernet 0/0
 ip address 10.10.14.2 255.255.255.252
 no shut
!
ip dhcp excluded-address 10.10.15.1 10.10.15.9
!
ip dhcp pool VLAN2
 network 10.10.15.0 /24
 default-router 10.10.15.1
 dns-server 8.8.8.8
!
ip dhcp excluded-address 10.10.16.1 10.10.16.9
!
ip dhcp pool VLAN3
 network 10.10.16.0 /24
 default-router 10.10.16.1
 dns-server 8.8.8.8

Configuration GRE Tunnel:

Step 1: Create OSPF routing process:
CORP(config)# router ospf 123
CORP(config-router)# network 192.168.1.0 0.0.0.255 area 0

BRANCH(config)# router ospf 123
BRANCH(config-router)# network 10.1.1.0 0.0.0.255 area 0

Step 2: Configure layer 3 tunnel interfaces:
CORP(config)# interface tunnel 0
CORP(config-if)# tunnel source f0/0
CORP(config-if)# tunnel destination 192.168.137.10
CORP(config-if)# ip address 10.10.1.1 255.255.255.252
CORP(config-if)# tunnel path-mtu-discovery
CORP(config-if)# ip ospf mtu-ignore

BRANCH(config)# interface tunnel 0
BRANCH(config-if)# tunnel source f0/0
BRANCH(config-if)# tunnel destination 192.168.137.2
BRANCH(config-if)# ip address 10.10.1.2 255.255.255.252
BRANCH(config-if)# tunnel path-mtu-discovery
BRANCH(config-if)# ip ospf mtu-ignore

Verify:
CORP# ping 10.10.1.2

Step 3: Update OSPF network statements:
CORP(config)# router ospf 123
CORP(config-router)# network 10.10.1.0 0.0.0.3 area 0

BRANCH(config)# router ospf 123
BRANCH(config-router)# network 10.10.1.0 0.0.0.3 area 0

Verify:
CORP# show ip ospf neighbor
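The two MTU-related commands in Step 2 (tunnel path-mtu-discovery and ip ospf mtu-ignore) exist because every packet that enters Tunnel0 grows twice: once by the GRE encapsulation and again by tunnel-mode ESP once the crypto map catches it. OSPF compares interface MTUs during database exchange and refuses the adjacency on a mismatch, which is why the guide tells OSPF to ignore it on the tunnel. The following worked calculation is an added example, not part of the guide, written to show how large that overhead actually is for the transform set the guide uses later (esp-aes 128 with esp-sha-hmac, mode tunnel). It assumes IPv4 on both layers, a plain GRE header with no key or sequence fields, and the ESP packet layout from RFC 4303 with a 16-byte AES-CBC IV and a 12-byte truncated HMAC-SHA1 ICV.

```python
# Encapsulation overhead for GRE over IPsec (IPv4, AES-128-CBC, HMAC-SHA1-96).
# Constants follow RFC 2784 (GRE) and RFC 4303 (ESP); they are assumptions of
# this example, not values taken from the guide.
GRE_OVERHEAD = 20 + 4     # new IPv4 header + 4-byte GRE header (no key/seq)
OUTER_IP = 20             # tunnel-mode ESP adds another IPv4 header
ESP_HDR = 8               # SPI (4) + sequence number (4)
AES_CBC_IV = 16           # explicit IV transmitted with each ESP packet
AES_BLOCK = 16            # CBC pads the plaintext to a whole block
ESP_TRAILER = 2           # pad-length byte + next-header byte
SHA1_HMAC_ICV = 12        # esp-sha-hmac truncates HMAC-SHA1 to 96 bits


def esp_tunnel_size(plaintext_len, iv=AES_CBC_IV, block=AES_BLOCK, icv=SHA1_HMAC_ICV):
    """Bytes on the wire after tunnel-mode ESP wraps a packet of plaintext_len bytes."""
    pad = (-(plaintext_len + ESP_TRAILER)) % block   # pad so payload+trailer fills a block
    return OUTER_IP + ESP_HDR + iv + plaintext_len + pad + ESP_TRAILER + icv


def gre_over_ipsec_size(inner_len):
    """Wire size of an inner IP packet after GRE encapsulation and then ESP."""
    return esp_tunnel_size(inner_len + GRE_OVERHEAD)


def max_inner_mtu(link_mtu=1500):
    """Largest inner packet whose GRE+ESP encapsulation still fits the physical MTU."""
    n = link_mtu
    while gre_over_ipsec_size(n) > link_mtu:
        n -= 1
    return n


def recommended_tcp_mss(inner_mtu):
    """TCP MSS that keeps a full segment inside inner_mtu (IPv4 + TCP headers = 40)."""
    return inner_mtu - 40


if __name__ == "__main__":
    for size in (1400, 1500):
        print(f"{size}-byte packet -> {gre_over_ipsec_size(size)} bytes after GRE+ESP")
    mtu = max_inner_mtu()
    print(f"largest inner packet that avoids fragmentation: {mtu}")
    print(f"ip mtu 1400 / ip tcp adjust-mss {recommended_tcp_mss(1400)} on the tunnel fits")
```

A 1500-byte packet leaving a LAN host becomes 1592 bytes on the outside interface, so the router must fragment it (or drop it, if DF is set and path MTU discovery is not honoured end to end); anything up to 1414 bytes fits. That is the arithmetic behind the common practice of setting ip mtu 1400 and ip tcp adjust-mss 1360 on the tunnel interface.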

Configure IPSec:

Step 1: Define traffic to be encrypted
CORP(config)# ip access-list extended IPSEC-TRAFFIC
CORP(config-ext-nacl)# remark VPN Traffic
CORP(config-ext-nacl)# permit gre host 192.168.137.2 host 192.168.137.10

BRANCH(config)# ip access-list extended IPSEC-TRAFFIC
BRANCH(config-ext-nacl)# remark VPN Traffic
BRANCH(config-ext-nacl)# permit gre host 192.168.137.10 host 192.168.137.2

Step 2: Phase 1: ISAKMP policy
CORP(config)# crypto isakmp policy 1
CORP(config-isakmp)# authentication pre-share
CORP(config-isakmp)# encryption aes 128
CORP(config-isakmp)# hash sha
CORP(config-isakmp)# group 2

BRANCH(config)# crypto isakmp policy 1
BRANCH(config-isakmp)# authentication pre-share
BRANCH(config-isakmp)# encryption aes 128
BRANCH(config-isakmp)# hash sha
BRANCH(config-isakmp)# group 2

Step 3: Define shared secret
CORP(config)# crypto isakmp key 0 CISCO address 192.168.137.10

BRANCH(config)# crypto isakmp key 0 CISCO address 192.168.137.2

Step 4: Phase 2: IPSec transform set
CORP(config)# crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 128 esp-sha-hmac
CORP(cfg-crypto-trans)# mode tunnel

BRANCH(config)# crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 128 esp-sha-hmac
BRANCH(cfg-crypto-trans)# mode tunnel

Step 5: Create crypto map
CORP(config)# crypto map CRYPTO-MAP 1 ipsec-isakmp
CORP(config-crypto-map)# description to BRANCH
CORP(config-crypto-map)# match address IPSEC-TRAFFIC
CORP(config-crypto-map)# set peer 192.168.137.10
CORP(config-crypto-map)# set transform-set TRANS-SET-GRE-TUNNEL

BRANCH(config)# crypto map CRYPTO-MAP 1 ipsec-isakmp
BRANCH(config-crypto-map)# description to CORP
BRANCH(config-crypto-map)# match address IPSEC-TRAFFIC
BRANCH(config-crypto-map)# set peer 192.168.137.2
BRANCH(config-crypto-map)# set transform-set TRANS-SET-GRE-TUNNEL

Step 6: Apply crypto map to interfaces
CORP(config)# interface f0/0
CORP(config-if)# crypto map CRYPTO-MAP
CORP(config-if)# interface tunnel 0
CORP(config-if)# crypto map CRYPTO-MAP

BRANCH(config)# interface f0/0
BRANCH(config-if)# crypto map CRYPTO-MAP
BRANCH(config-if)# interface tunnel 0
BRANCH(config-if)# crypto map CRYPTO-MAP

Step 7: Verification
CORP# show ip ospf neighbor
CORP# show crypto ipsec sa
CORP# ping 10.10.1.2 repeat 50
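Steps 1 through 6 only work if the two routers are exact mirror images of each other: the crypto ACL on one side must be the reverse of the other, each side's set peer, tunnel destination and crypto isakmp key address must all name the same remote address, and the ISAKMP policy and transform set must be identical or phase 1 or phase 2 will not negotiate. A subtler failure is a tunnel destination that does not match the ACL: the GRE packets then never match the crypto map and leave the outside interface in the clear while the tunnel still comes up. The script below is an added example, not part of the guide, that parses both routers' crypto configuration in show-run form and reports those mismatches, plus a hygiene pass over the settings the guide chose (the pre-shared key CISCO, group 2 and hash sha are lab values; current Cisco guidance recommends a long random key, DH group 14 or higher and SHA-256 or better). The configuration texts are constructed from the guide's steps; the CORP FastEthernet0/0 address 192.168.137.2 is inferred from BRANCH's tunnel destination, since the guide never states it directly.

```python
import re

# Constructed sample: the guide's CORP side in show-run form, prompts stripped.
# The FastEthernet0/0 address 192.168.137.2 is an assumption inferred from the
# BRANCH tunnel destination; the guide does not state it explicitly.
CORP_CFG = """\
ip access-list extended IPSEC-TRAFFIC
 permit gre host 192.168.137.2 host 192.168.137.10
crypto isakmp policy 1
 authentication pre-share
 encryption aes 128
 hash sha
 group 2
crypto isakmp key 0 CISCO address 192.168.137.10
crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 128 esp-sha-hmac
 mode tunnel
crypto map CRYPTO-MAP 1 ipsec-isakmp
 match address IPSEC-TRAFFIC
 set peer 192.168.137.10
 set transform-set TRANS-SET-GRE-TUNNEL
interface Tunnel0
 ip address 10.10.1.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.168.137.10
 crypto map CRYPTO-MAP
interface FastEthernet0/0
 ip address 192.168.137.2 255.255.255.0
 crypto map CRYPTO-MAP
"""


def mirror(cfg, local, remote):
    """Swap two addresses everywhere in cfg; the placeholder prevents a double swap."""
    return cfg.replace(local, "<X>").replace(remote, local).replace("<X>", remote)


# BRANCH is CORP's mirror image: public addresses swapped, tunnel address .2.
BRANCH_CFG = mirror(CORP_CFG, "192.168.137.2", "192.168.137.10").replace(
    "10.10.1.1 ", "10.10.1.2 ")

# Settings that must agree with, or mirror, the other side. Each regex's
# capture groups become that field's value.
FIELDS = {
    "acl": r"permit gre host (\S+) host (\S+)",
    "peer": r"set peer (\S+)",
    "tunnel_dst": r"tunnel destination (\S+)",
    "psk": r"crypto isakmp key \d (\S+) address (\S+)",
    "transform": r"crypto ipsec transform-set \S+ (.+)",
}


def parse_vpn_config(cfg):
    """Extract the peer-sensitive settings from an IOS configuration text."""
    d = {}
    for name, pat in FIELDS.items():
        m = re.search(pat, cfg)
        d[name] = m.groups() if m else None
    # Phase 1 proposal, compared as a set so line order does not matter.
    d["isakmp"] = frozenset(re.findall(r"^ (encryption .+|hash .+|group .+)$", cfg, re.M))
    # Interfaces that carry the crypto map (the guide applies it to f0/0 and Tunnel0).
    ifaces, cur = [], None
    for line in cfg.splitlines():
        if not line.startswith(" "):
            cur = line.split()[1] if line.startswith("interface ") else None
        elif cur and line.strip().startswith("crypto map "):
            ifaces.append(cur)
    d["map_ifaces"] = sorted(ifaces)
    return d


def check_consistency(a, b):
    """Mismatches that break phase 1/2 or leave GRE unencrypted; [] means the pair agrees."""
    problems = []
    if a["acl"] != b["acl"][::-1]:
        problems.append("crypto ACLs are not mirror images of each other")
    if a["isakmp"] != b["isakmp"]:
        problems.append("ISAKMP policies differ: phase 1 will not negotiate")
    if a["transform"] != b["transform"]:
        problems.append("transform sets differ: phase 2 will not negotiate")
    if a["psk"][0] != b["psk"][0]:
        problems.append("pre-shared keys differ")
    for side, x in (("A", a), ("B", b)):
        peer = x["peer"][0]
        if x["acl"][1] != peer:
            problems.append(f"{side}: crypto ACL destination is not the peer {peer}")
        if x["tunnel_dst"][0] != peer:
            problems.append(f"{side}: tunnel destination is not the peer {peer}; "
                            "GRE would not match the crypto ACL")
        if x["psk"][1] != peer:
            problems.append(f"{side}: pre-shared key is bound to {x['psk'][1]}, not {peer}")
    return problems


def check_hygiene(d):
    """Weak settings worth flagging in review (not configuration errors)."""
    warnings = []
    key = d["psk"][0]
    if len(key) < 16 or key.lower() in {"cisco", "cisco123", "password"}:
        warnings.append("pre-shared key is short or a well-known default")
    for line in d["isakmp"]:
        if line.startswith("group ") and int(line.split()[1]) < 14:
            warnings.append(f"{line}: DH group weaker than group 14 (2048-bit)")
        if line in ("hash sha", "hash md5"):
            warnings.append(f"{line}: SHA-1/MD5 integrity; prefer sha256 or stronger")
    return warnings


if __name__ == "__main__":
    corp, branch = parse_vpn_config(CORP_CFG), parse_vpn_config(BRANCH_CFG)
    print("mismatches:", check_consistency(corp, branch) or "none")
    print("crypto map on:", corp["map_ifaces"])
    for w in check_hygiene(corp):
        print("hygiene:", w)
```

Run against the guide's values the consistency check returns nothing, the crypto map is found on both FastEthernet0/0 and Tunnel0, and the hygiene pass reports the three lab-grade choices. Change a single set peer on one side and three findings appear at once, because the peer, the ACL destination and the key binding all have to move together.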
