
Setting up a GRE tunnel (IP-NAT, GRE AND IPSEC)


Hi, here is an example of how to configure IP-NAT, GRE, IPSEC. I've seen plenty of questions and this might be a good solution! (Mostly the use of commands that might remind you)

 

IP NAT

=============================================================================

Name of router that should be configured : *****DETAILS LIKE INTERFACES AND IP CAN BE DIFFERENT.

Ip route 0.0.0.0 0.0.0.0 serial0/0/0 (To the network outside, interface can be different)

interface FastEthernet0/0 (Inside network)

ip nat inside

interface Serial0/0/0 (Outside network) 

ip nat outside

exit

 

access-list 101 permit ip 10.13.0.0 0.0.255.255 any  (Ip range from the network inside)

ip nat inside source list 101 interface Serial0/0/0 overload 

 

Check if NAT works from devices 

 

GRE TUNNEL 

===============================================================

Make a new tunnel between locations 

- Router(config)#interface tunnel 1

Give tunnel an IP

Location X: Router x (config-if)#ip address 10.254.0.2 255.255.255.252
Location Y: Router Y (config-if)#ip address 10.254.0.1 255.255.255.252

 

Give the tunnel a source (most of the time the local interface towards the router in between the routers you are configuring)
Location X: Router(config-if)#tunnel source Serial0/0/0
Location Y: Router(config-if)#tunnel source Serial0/0/1

 

Enter the destination, this is NOT the IP of the tunnel at the other side. This is the IP of the physical interface at the other side. 
Location X: Router(config-if)#tunnel destination 208.10.10.2
Location Y: Router(config-if)#tunnel destination 208.10.10.10

 

There must be IP routes to make sure network traffic goes to right places. 

Location X

ip route 10.11.0.0 255.255.0.0 10.254.0.1  (inside address, subnet, end-of-tunnel address)

Location Y

Ip route 10.13.0.0 255.255.0.0 10.254.0.2

 

Test tunnel by tracert from a computer to another. 
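
A quick sanity check of the GRE plan above, as an added example that is not part of the original post. The dictionaries are constructed from the addresses in this section; the "phys" value is an assumption (the serial interface address implied by the other side's tunnel destination). It also flags the recursive-routing case, where a route through the tunnel covers the tunnel destination itself.

```python
import ipaddress as ipa

# Constructed plan built from the addresses in this post (labels are hypothetical).
X = {"tunnel": "10.254.0.2/30", "phys": "208.10.10.10", "dest": "208.10.10.2",
     "routes": [("10.11.0.0/16", "10.254.0.1")]}
Y = {"tunnel": "10.254.0.1/30", "phys": "208.10.10.2", "dest": "208.10.10.10",
     "routes": [("10.13.0.0/16", "10.254.0.2")]}

def check_gre(local, remote):
    """Return a list of addressing mistakes on the local end of the tunnel."""
    problems = []
    l_if = ipa.ip_interface(local["tunnel"])
    r_if = ipa.ip_interface(remote["tunnel"])
    dest = ipa.ip_address(local["dest"])
    # Both tunnel ends must be different hosts in the same tunnel subnet.
    if l_if.network != r_if.network or l_if.ip == r_if.ip:
        problems.append("tunnel addresses must be two different hosts in one subnet")
    # The destination is the far physical interface, never a tunnel address.
    if dest == r_if.ip or dest in l_if.network:
        problems.append("tunnel destination is a tunnel address, not the physical one")
    elif dest != ipa.ip_address(remote["phys"]):
        problems.append("tunnel destination is not the remote physical interface")
    for prefix, next_hop in local["routes"]:
        # Static routes for the remote LAN point at the far tunnel address.
        if ipa.ip_address(next_hop) != r_if.ip:
            problems.append(f"route {prefix} does not point at the far tunnel end")
        # A tunnel route that covers the destination makes the tunnel carry itself.
        if dest in ipa.ip_network(prefix):
            problems.append(f"route {prefix} covers the tunnel destination (recursive routing)")
    return problems

if __name__ == "__main__":
    print(check_gre(X, Y), check_gre(Y, X))
```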

 

 ========================================================

GRE TUNNEL FOR THIRD NETWORK

Location X – Location Z

 

Do the same steps if there is a location Z, but then with the other IP from location Z.

 ========================================================

 Access lists ****** IP and interfaces may be different

Make sure ONLY the serial interfaces may carry GRE traffic. This can be done with access lists.

Location X

access-list 111 permit gre host 208.10.10.10 host 208.10.10.6 
access-list 112 permit gre host 208.10.10.10 host 208.10.10.2

Location Y

access-list 112 permit gre host 208.10.10.2 host 208.10.10.10

 

Location Z

access-list 111 permit gre host 208.10.10.6 host 208.10.10.10

 

Test it by doing a tracert
========================================================

IPSEC ISAKMP

Router X: crypto isakmp policy 1
Router X: authentication pre-share

X – Y. (x-y)

router X & Y: Crypto isakmp enable

Router X: crypto isakmp key SURI-ROTT address 208.10.10.2 (fill in the IP of the interface at the other side)

Router Y: crypto isakmp key SURI-ROTT address 208.10.10.10 (fill in the IP of the interface at the other side)

Router X & Y: crypto ipsec transform-set IMPEX-SET esp-aes 256 esp-sha-hmac

Router X: crypto map VPN-MAP 20 ipsec-isakmp (Used 20 because it's an available number)

router X: match address 112

router X: set peer 208.10.10.2

router X: Set pfs group2

router X: Set transform-set IMPEX-SET

router X: exit

router Y: crypto map VPN-MAP 20 ipsec-isakmp (Used 20 because it's an available number)

router Y: match address 112

router Y: set peer 208.10.10.10

router Y: Set pfs group2

router Y: set transform-set IMPEX-SET

router Y: Exit

router X & Y: crypto map VPN-MAP (In the serial interface)

router X & Y: Exit

 

Send a tracert through the tunnel and use the following command to check whether the tunnel works

 

show crypto isakmp sa

Connection between X and Y works now 

===================================================================

Do the same process between router X and Z but with different numbers

router X - Eindhoven. (SURI-END)

router X & Eindhoven: Crypto isakmp enable

router X: crypto isakmp key SURI-END address 208.10.10.6 (So you enter the IP of the physical interface from the other side)

router Z: crypto isakmp key SURI-END address 208.10.10.10 (So you enter the IP of the physical interface from the other side)

router X & Z: crypto ipsec transform-set IMPEX-SET esp-aes 256 esp-sha-hmac

router X: crypto map VPN-MAP 30 ipsec-isakmp (30 because 10 is already owned by the Rotterdam to router Z connection, and 20 is occupied by Suriname - Rotterdam)

router X: match address 111

router X: set peer 208.10.10.6

router X: set transform-set IMPEX-SET

router X: exit

router Z: crypto map VPN-MAP 30 ipsec-isakmp (30 because 10 is already owned by another connection)

router Z: match address 111

router Z: set peer 208.10.10.10

router Z: set transform-set IMPEX-SET

router Z: exit

router X & router Z: crypto map VPN-MAP (In the serial interface)

router X & router Z: Exit

Send a trace through the tunnel and check the operation with the following command in a router:

 

show crypto isakmp sa

 

router X- router Z connection is now ready
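
Before applying the crypto commands, the two ends can be compared offline. The following is an added example, not part of the original post: it parses two config texts and reports the settings that must agree (pre-shared key, mirrored GRE access-list, peer address, transform-set, PFS group, crypto map applied to an interface). The sample config is constructed from the X-Y commands above; `sample_config`, `grab`, `facts` and `check_pair` are hypothetical helper names.

```python
import re

def sample_config(local, peer, key, acl=112):
    """Constructed config modelled on the X-Y commands in the post."""
    return f"""crypto isakmp key {key} address {peer}
crypto ipsec transform-set IMPEX-SET esp-aes 256 esp-sha-hmac
access-list {acl} permit gre host {local} host {peer}
crypto map VPN-MAP 20 ipsec-isakmp
 match address {acl}
 set peer {peer}
 set pfs group2
 set transform-set IMPEX-SET
interface Serial0/0/0
 crypto map VPN-MAP
"""

def grab(pattern, cfg):
    # First match: a tuple for several groups, a string for one, None if absent.
    m = re.search(pattern, cfg, re.M)
    return None if not m else m.groups() if m.re.groups > 1 else m.group(1)

def facts(cfg):
    """Pull out the settings that have to agree between the two tunnel ends."""
    acl = grab(r"^ match address (\d+)", cfg)
    return {
        "psk": grab(r"^crypto isakmp key (\S+) address (\S+)", cfg) or (None, None),
        "peer": grab(r"^ set peer (\S+)", cfg),
        "gre": grab(rf"^access-list {acl} permit gre host (\S+) host (\S+)", cfg) or (None, None),
        "tset": grab(r"^crypto ipsec transform-set \S+ (.+)$", cfg),
        "pfs": grab(r"^ set pfs (\S+)", cfg),
        "applied": grab(r"^interface \S+\n(?: .*\n)*? crypto map (\S+)", cfg),
    }

def check_pair(cfg_a, cfg_b):
    """Return the mismatches that would keep the IPsec SA from coming up."""
    a, b = facts(cfg_a), facts(cfg_b)
    problems = []
    if a["psk"][0] is None or a["psk"][0] != b["psk"][0]:
        problems.append("pre-shared keys differ")
    if a["gre"] != b["gre"][::-1]:
        problems.append("GRE access-lists are not mirror images")
    for name, side in (("A", a), ("B", b)):
        if not (side["peer"] == side["gre"][1] == side["psk"][1]):
            problems.append(f"{name}: set peer, key address and ACL destination disagree")
        if not side["applied"]:
            problems.append(f"{name}: crypto map not applied to an interface")
    problems += [f"{k} differs" for k in ("tset", "pfs") if a[k] != b[k]]
    return problems
```

An empty list means the two ends agree; each string names one thing to fix before checking `show crypto isakmp sa`.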

Comments

Very helpful, answered my question, you saved the day!