06-26-2003 04:19 AM - edited 03-09-2019 03:49 AM
Dear all,
I have set up a VPN with IOS routers using GRE tunnels over IPSec. It seems to be working, but I am very surprised that
1) incoming on the Internet interface I can see a few GRE packets as well as many IPSec packets
2) outgoing on the Internet interface I can see only GRE packets (no IPSec).
Previously I had expected to see only IPSec packets on the Internet interface (because GRE is encapsulated within IPSec). But I remember that every packet is evaluated twice by access-lists on interfaces with applied crypto maps (once before encryption or decryption and once after). So in that case I expect to see GRE and IPSec packets equally.
Please have a look at the attached configuration fragment of my central router (of course with changed IP addresses). Am I doing something wrong, or is the behaviour I've noticed absolutely normal?
Thank you very much!
crypto isakmp policy 100
encr 3des
group 2
!
crypto ipsec transform-set to_vpn esp-3des esp-sha-hmac
mode transport
!
crypto map mycryptomap 99 ipsec-isakmp
description VPN to Location99
set peer 99.99.99.99
set transform-set to_vpn
match address Location99
crypto map mycryptomap 147 ipsec-isakmp
description VPN to Location147
set peer 147.147.147.147
set transform-set to_vpn
match address Location147
crypto map mycryptomap 202 ipsec-isakmp
description VPN to Location202
set peer 202.202.202.202
set transform-set to_vpn
match address Location202
!
interface Tunnel99
description Location99
bandwidth 512
ip address 10.227.99.1 255.255.255.252
ip accounting output-packets
ip mtu 1440
tunnel source Ethernet0
tunnel destination 99.99.99.99
crypto map mycryptomap
!
interface Tunnel147
description Location147
bandwidth 512
ip address 10.227.147.1 255.255.255.252
ip accounting output-packets
ip mtu 1440
tunnel source Ethernet0
tunnel destination 147.147.147.147
crypto map mycryptomap
!
interface Tunnel202
description Location202
bandwidth 512
ip address 10.227.202.1 255.255.255.252
ip accounting output-packets
ip mtu 1440
tunnel source Ethernet0
tunnel destination 202.202.202.202
crypto map mycryptomap
!
interface Ethernet0
description to Internet
ip address 193.193.193.193 255.255.255.248
ip access-group 140 in
ip access-group 150 out
ip accounting output-packets
half-duplex
crypto map mycryptomap
!
!
ip access-list extended Location99
permit gre host 193.193.193.193 host 99.99.99.99
ip access-list extended Location147
permit gre host 193.193.193.193 host 147.147.147.147
ip access-list extended Location202
permit gre host 193.193.193.193 host 202.202.202.202
!
access-list 140 permit esp any host 193.193.193.193
access-list 140 permit udp any eq isakmp host 193.193.193.193 eq isakmp
access-list 140 permit icmp any host 193.193.193.193
access-list 140 permit gre any host 193.193.193.193 log
access-list 140 deny ip any any log
access-list 150 permit esp host 193.193.193.193 any
access-list 150 permit udp host 193.193.193.193 eq isakmp any eq isakmp
access-list 150 permit icmp host 193.193.193.193 any
access-list 150 permit gre host 193.193.193.193 any log
access-list 150 deny ip any any log
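The double evaluation described in the question means the inbound ACL on the crypto-map interface has to admit ESP and ISAKMP from each peer and, after decryption, the inner GRE as well. The following Python checker is an added example, not code from the thread: it parses a constructed, abridged copy of the posted config, reports which of those protocols the effective inbound ACL would block per peer, and flags a second "ip access-group ... in" on one interface, which in IOS replaces the first binding instead of adding to it. Source matching is simplified to "any" or "host <peer>" and ports are ignored.

```python
import re
from collections import defaultdict

# Constructed sample abridged from the posted config; the duplicate inbound binding is deliberate.
SAMPLE_CONFIG = """\
crypto map mycryptomap 99 ipsec-isakmp
 set peer 99.99.99.99
interface Ethernet0
 ip access-group 140 in
 ip access-group 150 in
access-list 140 permit esp any host 193.193.193.193
access-list 140 permit udp any eq isakmp host 193.193.193.193 eq isakmp
access-list 140 permit gre any host 193.193.193.193 log
access-list 150 permit esp host 193.193.193.193 any
access-list 150 permit gre host 193.193.193.193 any log
"""

def parse(config):
    # peers: crypto peers; bindings: (iface, dir) -> ACL ids in order; acls: id -> [(proto, tokens)]
    peers, bindings, acls, iface = [], defaultdict(list), defaultdict(list), None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"set peer (\S+)$", line):
            peers.append(m.group(1))
        elif m := re.match(r"interface (\S+)$", line):
            iface = m.group(1)
        elif m := re.match(r"ip access-group (\S+) (in|out)$", line):
            bindings[(iface, m.group(2))].append(m.group(1))
        elif m := re.match(r"access-list (\d+) permit (\S+) (.*)$", line):
            acls[m.group(1)].append((m.group(2), m.group(3).split()))
    return peers, bindings, acls

def acl_permits(acls, acl_id, proto, peer):
    # Simplified source match: "any" or "host <peer>"; port qualifiers are ignored.
    return any(p == proto and (rest[0] == "any" or rest[:2] == ["host", peer])
               for p, rest in acls[acl_id])

def audit(config):
    # Inbound ACL is hit by the ESP packet and again by the decrypted GRE, so esp, udp (IKE) and gre all need permits.
    peers, bindings, acls = parse(config)
    findings = []
    for (iface, direction), ids in bindings.items():
        if len(ids) > 1:
            findings.append(f"{iface}: {len(ids)} ACLs applied {direction}, only {ids[-1]} is effective")
        if direction == "in":
            for peer in peers:
                for proto in ("esp", "udp", "gre"):
                    if not acl_permits(acls, ids[-1], proto, peer):
                        findings.append(f"{iface}: ACL {ids[-1]} blocks {proto} from peer {peer}")
    return findings
```

Running audit(SAMPLE_CONFIG) reports that ACL 150 has replaced 140 inbound and that 150 blocks esp, udp and gre from the peer, which is exactly the condition the double evaluation would expose.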
07-07-2003 07:33 AM
Check out the following URL on GRE; maybe these examples might give you a better idea.
http://www.cisco.com/en/US/tech/tk827/tk369/tk287/tech_protocol_home.html
07-07-2003 11:06 PM
The URL is interesting, but doesn't answer my question. My question is: Is the protocol distribution I have noticed normal or not? Or: Is my configuration correct or not?
07-08-2003 08:05 AM
My reply might not be a complete answer for your question.
Cisco has come up with Security Device Manager aka SDM, a GUI tool in access routers for configuring security features like VPN, Firewall. You can take a look at it. It will help you in generating the correct GREoIPSec configuration that you need.
Ravikumar
07-09-2003 02:20 AM
Your configuration is alright. The only thing that is missing in the above config is the "ip route ..." command which says to use the tunnel interface as the default route. Hope that's there in your configs.
In my lab setup with back-to-back connected peers, I see only IPSec packets going out and coming in through the tunnel. This I feel is the normal behavior. Did you check whether the GRE and IPSec packets incoming on your Internet interface are from the same peer or not? It could be that plain GRE packets might be coming to your Internet interface. Let us know.