topic Easy VPN GRE in Network Security

Easy VPN GRE

jack samuel — Mon, 11 Mar 2019 23:17:24 GMT

Hi folks,

My routers at two different sites are connected through GRE tunnels. I want to configure IPSec over it, but throug easy vpn server and client setup. Is it possible???? Apparently the most reasonable configuration for the mentioned scenario is site-to-site vpn, but I want to configure it through easy vpn. I would also appreciate if some one can refer to any configuration example of such kind of setup.The GRE tunnel is up and pings are successful but the traffic which passess through is not encryted.

Thanks

Re: Easy VPN GRE

Jeff Van Houten — Sat, 09 Jun 2012 23:47:23 GMT

Look on cisco.com for document Id 41940 which describes gre over DMVPN. Extremely simple to setup.

Sent from Cisco Technical Support iPad App

Re: Easy VPN GRE

rizwanr74 — Sun, 10 Jun 2012 02:53:06 GMT

Hi Jack,

Please see the attached file.

It is for dynamic L2L tunnel, in your case you want to encrypt GRE traffic, therefore your crypto acl (i.e. interesting traffic for IPSec tunnel) will be your GRE tunnel's local address and destination address.

Hope that helps.

thanks

Rizwan Rafeek

Re: Easy VPN GRE

jack samuel — Thu, 14 Jun 2012 22:57:07 GMT

Hi folks,

router R2 (easy vpn Server)---internet-------R4(client)

It does'nt work. I really need help on this issue.

Below are the configs and sh outputs for crypto ipsec sa.

R4# sh running-config

Building configuration...

Current configuration : 1539 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname R4

crypto ipsec client ezvpn R4

connect auto

group easyvpn key cisco123

mode network-extension

peer 192.168.20.1

acl 102

username cisco password cisco

xauth userid mode local

interface Loopback0

ip address 4.4.4.4 255.255.255.0

ip nat inside

ip virtual-reassembly

crypto ipsec client ezvpn R4 inside

interface Loopback1

ip address 40.40.40.1 255.255.255.0

interface Tunnel0

ip address 10.10.10.2 255.255.255.0

tunnel source FastEthernet0/1

tunnel destination 192.168.20.1

interface FastEthernet0/0

ip address 200.200.200.1 255.255.255.0

duplex auto

speed auto

interface FastEthernet0/1

ip address 192.168.20.3 255.255.255.0

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto ipsec client ezvpn R4

router ospf 1

router-id 4.4.4.4

log-adjacency-changes

network 4.4.4.4 0.0.0.0 area 0

network 10.10.10.2 0.0.0.0 area 0

network 200.200.200.200 0.0.0.0 area 0

ip forward-protocol nd

ip http server

no ip http secure-server

access-list 101 permit ip any any

access-list 102 permit gre host 192.168.20.3 host 192.168.20.1

end

#################################################################################################

R2#sh run

R2#sh running-config

Building configuration...

Current configuration : 1940 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname R2

boot-start-marker

boot-end-marker

aaa new-model

aaa authentication login vpnauthen local

aaa authorization network vpnauthor local

aaa session-id common

memory-size iomem 5

ip cef

username cisco password 0 cisco

Re: Easy VPN GRE

jack samuel — Fri, 15 Jun 2012 14:11:33 GMT

Anybody can put some shade on this thread.

Re: Easy VPN GRE

rizwanr74 — Fri, 15 Jun 2012 16:24:19 GMT

Hi Jack,

Please delete all vpn config from R1 and R4 spoke routers and follow the config below.

As you have mixed up with remote-vpn-client config on the routers with dynamic L2L tunnel for routers.

So, please delete them and start from scratch.

This goes on R1 Hub router.

crypto isakmp enable

crypto isakmp policy 99

encr aes

authentication pre-share

group 2

crypto ipsec transform-set Jack-ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto keyring Jacks-spoker-routers

pre−shared−key address 0.0.0.0 0.0.0.0 key jack-the-king-of-the-hill

crypto isakmp profile Jacks-L2L-routers

description LAN−to−LAN for spoke router(s) connection

keyring Jacks-spoker-routers

match identity address 0.0.0.0

crypto dynamic−map Jacks-dyna-map 100

set transform−set Jacks-ESP-AES-128-SHA

set isakmp−profile Jacks-L2L-routers

crypto map Jacks-Crypto 1 ipsec−isakmp dynamic Jacks-dyna-map

interface FastEthernet0/1

crypto map Jacks-Crypto

-------------------------------------------------------------------------------------------------------

On spoke router R4.

crypto isakmp enable

crypto isakmp policy 99

encr aes

authentication pre-share

group 2

crypto isakmp key jack-the-king-of-the-hill address 192.168.20.1

crypto ipsec transform-set Jack-ESP-AES-128-SHA esp-aes esp-sha-hmac

access−list 100 permit ip host 192.168.20.3 host 192.168.20.1

crypto map Jacks-Crypto 10 ipsec−isakmp

set peer 192.168.20.1

set transform−set Jack-ESP-AES-128-SHA

match address 100

interface FastEthernet0/1

crypto map Jacks-Crypto

---------------------------------

Please let me know, how this coming along.

thanks

Rizwan Rafeek

Message was edited by: Rizwan Mohamed

Re: Easy VPN GRE

jack samuel — Fri, 15 Jun 2012 19:39:14 GMT

Dear Rizwan,

Thanks for your reply and explanation , I appreciate ur replies.but my needs are something different which are tied with easy vpn server and client setup.

I will explore more.

Current setup is Easy VPN SERVER - and Clients in Network Extension Mode.

I have 4 No's branch router's with ADSL link connecting to Internet and also to HO (Cisco 3825) acting as Easy VPN Server. Now i am planing for the backup of the ADSL i.e the async port on the branch router, whenever the ADSL link fails the async should dial up and connectivity to HO remains up,

Back link failover successful:

Whenever the ADSL fails the async interface dials up and the async link between the HO and branch comes up, point-to-point pings are successful between the async interfaces.

Problem:

The problem is No pings are successful from branch LAN to the HO LAN because the return traffic from HO is not hitting to async interface of HO for the particular (ADSL failed) branch ,it is choosing a default route which is pointing to Internet.

Now help me to achieve the goal.

I want to achieve the failover to async interface for a particular failed branch on the Easy VPN Server (HO) end.

Thanjks

Re: Easy VPN GRE

rizwanr74 — Fri, 15 Jun 2012 20:34:04 GMT

"the return traffic from HO is not hitting to async interface of HO for the particular (ADSL failed) branch ,it is choosing a default route which is pointing to Internet."

You can use IP-SLA to failover a particular static-route for particular branch office distination using IP-SLA, please read the thread below.

https://supportforums.cisco.com/message/3649158#3649158

thanks

Easy VPN GRE

jack samuel — Fri, 15 Jun 2012 21:10:05 GMT

Hello Rizwan

i can't put a static route on the Easy VPN Server to the branch router becz it will always use the async interface, and it will not use the default route which is the lease line with fixed public IP on which easy vpn server is negotiating an ipsec tunnel to branch routers . i need to use the async interface only at the time of branch ADSL links goes down.

Thanks

Re: Easy VPN GRE

rizwanr74 — Sat, 16 Jun 2012 00:31:01 GMT

"it will always use the async interface, and it will not use the default route which is the lease line with fixed public IP on which easy vpn server is negotiating an ipsec tunnel to branch routers ."

Hi Jack,

IP-SLA enable static-route is like floating route, in the event "lease line" goes down, only then second route will be used by the router.

Please read this above thread I sent you before and likewise one below and it will work like charm.

https://supportforums.cisco.com/thread/2034251

Beside, your remote-spoke router can use dual-peering address, one as a primary and second as failover.

Thanks

Re: Easy VPN GRE

jack samuel — Sat, 16 Jun 2012 11:17:44 GMT

Dear Rizwan,

I appreciate ur response,

Please find the attached topology diagram.

I dont have only 1 branch , I have many branches, If you say track a default route with an IP SLA to the remote branch IP and when pings fails it will remove the default route and the traffic will flow to the async but what about other branches ??? their link is still up on their ADSL and they are communicating to HO through the HO primary interface.

If still i am missing from ur expierience please write a config for HO if 2 No's of branch routers failed.

Thanks

Re: Easy VPN GRE

rizwanr74 — Sat, 16 Jun 2012 12:58:50 GMT

"when pings fails it will remove the default route and the traffic will flow to the async but what about other branches ??? their link is still up on their ADSL and they are communicating to HO through the HO primary interface."

Hi Jack,

I understand you point now. You do not need IP-SLA on HO router but maybe appliable on remote-branch office router.

Please let me understand your "dials up and the async link" please show me your "dials up and the async link" config method, they maybe parameter within "dials up and the async link" interface as such "backup interface async"

Please update.

thanks

Re: Easy VPN GRE

jack samuel — Sat, 16 Jun 2012 13:44:51 GMT

Dear Rizwan,

I have configured the branch routers perfectly without any issues whenever the ADSL fails the dialer initiates and the async interface comes up and point -to point links of async interface ping are successful but what about the internal LAN in HO that i m not able to ping,because the return traffic doen't come back to the async interface it goes according to the default route.....

It is good that that now we are in sync and in proper understanding that what is our goal.

Is it rizwan can we will be able to do by the attached file.???

Thanks

Re: Easy VPN GRE

rizwanr74 — Sun, 17 Jun 2012 04:00:10 GMT

"ADSL fails the dialer initiates and the async interface comes up and point -to point links of async interface ping are successful"

You can introduce routing protocol on the remote-branch router and make each branch-routers as stub-zone and advertise local internal network, you must create GRE tunnel interface on branch router and hub-router, make your "async interface" as your tunnel's source address at branch office.

You also need to keep IP-SLA on branch router to push traffic via ADSL (as primary) and in the event ADSL goes down your GRE tunnel will kick in and will establish GRE-over-IPSec (i.e. IP-SLA will start to using dial-out async interface), when GRE tunnel is establish your hub-router will learn available routes via each respective GRE tunnel to push traffic accordingly, however your default-route at hub-router remain the same, it does not change, but hub-router will learn the routes via GRE tunnel and will be able to route to each branch offices.

Hope that make sense.

thanks

Message was edited by: Rizwan Mohamed

Re: Easy VPN GRE

jack samuel — Sun, 17 Jun 2012 20:50:33 GMT

rizwan,

I will apply live and i will update the thread but i have some doubt below please clear them.

solution looks to be perfect, but 1 thing i notice is that why i need to confiure gre tunnel with source and destination Ip of the async interface i can run directly routing protocols on the async interface.

can i send the traffic on async interface without encryption ????

or i have to configure the async interface as a backup easy vpn client ,, I mean to say,,

crypto ipsec client ezvpn EZ

connect auto

backup EZ_Backup track 20

group X.X key cisco

mode network-extension

peer X.X.X.X default

xauth userid mode interactive

crypto ipsec client ezvpn EZ_Backup

connect auto

group X.X key cisco

mode network-extension

peer (async interface ) default

xauth userid mode interactive

int e0

crypto ipsec client ezvpn EZ_Backup inside

crypto ipsec client ezvpn EZ inside

Int dialer0

crypto ipsec client ezvpn EZ outside

int async 1

crypto ipsec client ezvpn EZ_Backup outside

ON HO

int serial0 ( primary with fixed IP)

crypto map easyvpn

int group-async 0 (On which all branch async interface will hit)

crypto map easyvpn

Re: Easy VPN GRE

rizwanr74 — Sun, 17 Jun 2012 23:23:21 GMT

Hi Jack,

"i can run directly routing protocols on the async interface." Sure, if it works, go for it.

"can i send the traffic on async interface without encryption" Sure, if you are fine with it.

"or i have to configure the async interface as a backup easy vpn client ,, I mean to say,,"

VPN will burden your dialup connection, therefore none-encrypted traffic will suit with dialup and you may want to check your company policy.

thanks

Rizwan Rafeek

Re: Easy VPN GRE

jack samuel — Mon, 18 Jun 2012 10:37:56 GMT

Rizwan,

I facing strange issues i have configured eigrp on branch and HO router,, from branch router i advertise my LAN and from HO i m advertising his internal LAN, Both EIGRP Neighbors are up but when i do sh ip route eigrp on HO router there are no routes for eigrp, And on branch i m receiving the routes of HO LAN.

when i do sh ip route on HO it shows me static route in the table for the branch router with a next hop of public IP which it learned automatically when a easy vpn client tried to create a tunnel with server,on ADSL connection this is the reason EIGRP routes are not included in the route table, How the static routes from HO router will be disappear when the branch ADSL fails.?????
I more strange issue i m facing is when i specifically put static route pointing to async interface on HO still i m not able to ping the branch LAN,,,the branch router has a eigrp route to HO router for HO LAN.

Thanks

Re: Easy VPN GRE

rizwanr74 — Mon, 18 Jun 2012 13:35:52 GMT

Hi Jack,

On your branch router and HO router have you disabled auto-summary? as (no auto-summary) If you have not, please do so.

If you have put branch router on stub-zone, please make you have "eigrp stub connected" is being advertised.

If that did not help, please post your config from both ends, as an attachedment.

thanks

Rizwan Rafeek.

Re: Easy VPN GRE

jack samuel — Mon, 18 Jun 2012 13:52:47 GMT

Rizwan,

Thanks for being kind and for ur replies,

I found the problem ,it is with RRI, But i dont know why the route is not deleted when a SA is been deleted, It is taking too long time approximately 4 hrs to delete the static route from the routing table. Is it safe to execute command set reverse-route distance or from your exp any other hint.

On your branch router and HO router have you disabled auto-summary? as (no auto-summary) If you have not, please do so

YES

If you have put branch router on stub-zone, please make you have "eigrp stub connected" is being advertised

YES

I have 1 question on Eigrp routing protocol,the neighbor relation will be always up and the async interface will be always up though we have made the branch router stub, if i m not wrong the stub router advertises the connected route only and any other router does"nt queries the stub router for any active route but the neighbor hello will keep the link active.

Thanks

Re: Easy VPN GRE

rizwanr74 — Tue, 19 Jun 2012 13:45:58 GMT

"any other router does"nt queries the stub router for any active route but the neighbor hello will keep the link active."

Yes, your understanding is correct but remember you have to copy IP-SLA on the branch-router, which is one of the reason why you will be better off using plain text GRE tunnel, due to a reason, GRE needs tunnel source and destination, so this tunnel source and destination can be manipulated by IP-SLA default-route failover which will solve your problem the neighbor hello will keep the link active.

When GRE tunnel's source and destination address cannot be reache via active connection, your GRE tunnel will stay down which result keeping "async interface" in idle state and when IP-SLA fails over to "async interface" then GRE tunnel's destination address will be reachable as dialout kick in.

Hope that make sense.

thanks

Rizwan Rafeek.