R1(config)#int lo0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#int fa0/0
R1(config-if)#ip add 197.1.1.2 255.255.255.252
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 197.1.1.1
R3(config)#int lo0
R3(config-if)#ip add 192.168.2.1 255.255.255.0
R3(config-if)#exit
R3(config)#int fa0/0
R3(config-if)#ip add 198.1.1.2 255.255.255.252
R3(config-if)#no shut
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 198.1.1.1
R3(config)#end
ISP(config)#int fa0/0
ISP(config-if)#ip add 197.1.1.1 255.255.255.252
ISP(config-if)#no shut
ISP(config-if)#exit
ISP(config)#int fa1/0
ISP(config-if)#ip add 198.1.1.1 255.255.255.252
ISP(config-if)#no shut
ISP(config-if)#exit
Tunnel Configuration
R1(config)#int tunnel 0
R1(config-if)#ip add 10.1.1.1 255.255.255.252
R1(config-if)#ip mtu 1400
R1(config-if)#tunnel source fastEthernet 0/0
R1(config-if)#tunnel destination 198.1.1.2
R1(config-if)#exit
R3(config)#int tunnel 0
R3(config-if)#ip add 10.1.1.2 255.255.255.252
R3(config-if)#ip mtu 1400
R3(config-if)#tunnel source fa0/0
R3(config-if)#tunnel destination 197.1.1.2
R3(config-if)#exit
R1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/30/44 ms
R3#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/94/100 ms
Configure static routes for the remote local networks
R1(config)#ip route 192.168.2.0 255.255.255.0 10.1.1.2
R3(config)#ip route 192.168.1.0 255.255.255.0 10.1.1.1
IPSec Encryption for the GRE Tunnel
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption aes
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#hash sha
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 6 Cisco address 198.1.1.2
R1(config)#crypto ipsec transform-set test esp-aes 192 esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile test_pro
R1(ipsec-profile)#set transform-set test
R1(ipsec-profile)#int tunnel0
R1(config-if)#tunnel mode ipsec IPv4
R1(config-if)#tunnel protection ipsec profile test_pro
R1(config-if)#exit
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#encryption aes
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#hash sha
R3(config-isakmp)#exit
R3(config)#crypto isakmp key 6 Cisco address 197.1.1.2
R3(config)#crypto ipsec transform-set test esp-aes 192 esp-sha-hmac
R3(cfg-crypto-trans)#exit
R3(config)#crypto ipsec profile test_pro
R3(ipsec-profile)#set transform-set test
R3(ipsec-profile)#int tunnel0
R3(config-if)#tunnel mode ipsec IPv4
R3(config-if)#tunnel protection ipsec profile test_pro
R1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/93/132 ms
R1#ping 192.168.2.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/101/120 ms
R1#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 197.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 198.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 197.1.1.2, remote crypto endpt.: 198.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x6972E284(1769136772)
inbound esp sas:
spi: 0x98A82A17(2561157655)
transform: esp-192-aes esp-sha-hmac ,
R1#sho crypto isakmp sa
dst             src             state          conn-id slot status
197.1.1.2       198.1.1.2       QM_IDLE              1    0 ACTIVE
R1#sh crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 198.1.1.2 port 500
IKE SA: local 197.1.1.2/500 remote 198.1.1.2/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
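Added example, not part of the original lab: a Python check that parses the `sh crypto ipsec sa` counters shown above and reports an SA that is down, carrying traffic in one direction only, or whose encrypt/verify counters do not match the encaps/decaps counters. The function names and finding strings are this example's own assumptions.

```python
import re

# Excerpt of R1's `sh crypto ipsec sa` output above, with its line wrapping kept.
SAMPLE = """\
current_peer
198.1.1.2 port 500
#pkts encaps: 10, #pkts encrypt: 10, #pkts
digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts
verify: 10
#send errors 0,
#recv errors 0
current outbound
spi: 0x6972E284(1769136772)
"""

# Matches "#pkts encaps: 10" as well as "#send errors 0" (no colon).
COUNTER = re.compile(r"#(?:pkts )?([a-z. ]+?):? (\d+)")

def parse_ipsec_sa(text):
    """Extract peer, outbound SPI and packet counters from one SA block."""
    flat = " ".join(text.split())  # undo terminal line wrapping
    peer = re.search(r"current_peer (\S+)", flat)
    spi = re.search(r"current outbound spi: (0x[0-9A-Fa-f]+)", flat)
    return {
        "peer": peer.group(1) if peer else None,
        "outbound_spi": spi.group(1) if spi else None,
        "counters": {k: int(v) for k, v in COUNTER.findall(flat)},
    }

def check_tunnel(sa, expected_peer):
    """Return a list of findings; an empty list means the SA looks healthy."""
    c, findings = sa["counters"], []
    if sa["peer"] != expected_peer:
        findings.append(f"unexpected peer {sa['peer']}")
    if sa["outbound_spi"] in (None, "0x0"):
        findings.append("no outbound SA negotiated")
    if not c.get("encaps") or not c.get("decaps"):
        findings.append("no traffic in one or both directions")
    if c.get("encaps") != c.get("encrypt") or c.get("decaps") != c.get("decrypt"):
        findings.append("encapsulated and encrypted packet counts differ")
    if c.get("decaps") != c.get("verify"):
        findings.append("decapsulated and integrity-verified counts differ")
    if c.get("send errors") or c.get("recv errors"):
        findings.append("send/recv errors recorded")
    return findings

if __name__ == "__main__":
    print(check_tunnel(parse_ipsec_sa(SAMPLE), "198.1.1.2") or "SA healthy")
```

Running the same check before and after the test pings shows whether the counters actually moved, which is what confirms that the pings crossed the tunnel inside ESP.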