367 Views | 3 Helpful | 3 Replies

Problems with GRE tunnels in Hub-to-spoke design

JUSTIN LOUCKS
Level 1

I am trying to convert my VPN infrastructure from a model where the remote routers terminate their IPSec tunnels on a VPN concentrator and static routing is used for all sites, to a model where we employ GRE tunnels and enable EIGRP over those tunnels for spoke-to-spoke communications through the hub.

I have three routers set up in a test lab and have configured one of them as a mock hub and the other two as spokes. Testing looks like it works, but if I do a 'show crypto engine conn active' on the hub router, it shows that both remote routers have terminated on one of the tunnel interfaces instead of each tunnel terminating on its own.

Any assistance and/or feedback on design would be greatly appreciated.

Thank you,

Justin Loucks

Here are excerpts of the configs of each router...

Hub router config

-----------------

Router-A#show config
Using 1617 out of 29688 bytes
!
version 12.3
!
! Phase 1: pre-shared key bound to 0.0.0.0 0.0.0.0, i.e. accepted from any peer address
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
! Phase 2: transport mode is sufficient because GRE already supplies the outer IP header
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
 mode transport
!
! One crypto-map entry per spoke; each protects only the GRE traffic to that spoke
crypto map vpn 1 ipsec-isakmp
 set peer 10.10.227.10
 set transform-set 3des
 match address 101
crypto map vpn 2 ipsec-isakmp
 set peer 10.10.227.14
 set transform-set 3des
 match address 102
!
! One point-to-point GRE tunnel per spoke, all sourced from the same outside interface
interface Tunnel1
 ip address 172.31.1.1 255.255.255.0
 tunnel source Ethernet0
 tunnel destination 10.10.227.10
 crypto map vpn
!
interface Tunnel2
 ip address 172.31.2.1 255.255.255.0
 tunnel source Ethernet0
 tunnel destination 10.10.227.14
 crypto map vpn
!
interface Ethernet0
 description tunnel endpoint
 ip address 10.10.227.18 255.255.255.252
 half-duplex
 crypto map vpn
!
interface FastEthernet0
 description inside
 ip address 192.168.0.1 255.255.255.0
 speed auto
!
! EIGRP runs over the tunnel subnets (172.31.x.0) and the inside LAN;
! no interface falls in 172.16.0.0/16, so that statement is unused but harmless
router eigrp 10
 network 172.16.0.0
 network 172.31.0.0
 network 192.168.0.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
no ip http secure-server
!
! Crypto ACLs: GRE only, from this hub's endpoint to each spoke's endpoint
access-list 101 permit gre host 10.10.227.18 host 10.10.227.10
access-list 102 permit gre host 10.10.227.18 host 10.10.227.14
!
end

Spoke router1

-------------

Router-B#show config
Using 1283 out of 29688 bytes
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
 mode transport
!
! Single crypto-map entry pointing at the hub's tunnel endpoint
crypto map vpn 1 ipsec-isakmp
 set peer 10.10.227.18
 set transform-set 3des
 match address 111
!
interface Tunnel0
 ip address 172.31.1.2 255.255.255.0
 no keepalive
 tunnel source Ethernet0
 tunnel destination 10.10.227.18
 crypto map vpn
!
interface Ethernet0
 description outside
 ip address 10.10.227.10 255.255.255.252
 ip nat outside
 half-duplex
 crypto map vpn
!
interface FastEthernet0
 description inside
 ip address 192.168.1.1 255.255.255.128
 ip nat inside
 speed auto
!
! auto-summary is left on here (the hub has it off), so the /25 LAN is advertised
! to the hub as 192.168.1.0/24 when it crosses the 172.31.0.0 boundary
router eigrp 10
 network 172.31.0.0
 network 192.168.1.0
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
ip pim bidir-enable
!
! Mirror image of the hub's access-list 101: GRE from this spoke to the hub
access-list 111 permit gre host 10.10.227.10 host 10.10.227.18
!
end

Spoke router2

-------------

Router-C#show config
Using 1281 out of 29688 bytes
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
 mode transport
!
! Single crypto-map entry pointing at the hub's tunnel endpoint
crypto map vpn 2 ipsec-isakmp
 set peer 10.10.227.18
 set transform-set 3des
 match address 102
!
interface Tunnel0
 ip address 172.31.2.2 255.255.255.0
 no keepalive
 tunnel source Ethernet0
 tunnel destination 10.10.227.18
 crypto map vpn
!
interface Ethernet0
 description outside
 ip address 10.10.227.14 255.255.255.252
 ip nat outside
 half-duplex
 crypto map vpn
!
interface FastEthernet0
 description inside
 ip address 192.168.212.1 255.255.255.128
 ip nat inside
 speed auto
!
! An EIGRP 'network' statement without a mask is classful: the posted 'network 192.168.0.0'
! covers only 192.168.0.0/24 and leaves the 192.168.212.0/25 LAN out of EIGRP, so it is
! corrected here; with auto-summary on, the LAN is advertised to the hub as 192.168.212.0/24
router eigrp 10
 network 172.31.0.0
 network 192.168.212.0
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
ip pim bidir-enable
!
! Mirror image of the hub's access-list 102: GRE from this spoke to the hub
access-list 102 permit gre host 10.10.227.14 host 10.10.227.18
!
end
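Before trusting what 'show crypto engine conn active' displays, it is worth checking that the two ends of each GRE/IPsec pair actually line up: a crypto ACL that is not the mirror image of the peer's, a 'set peer' that is not the peer's tunnel source, or a transform-set mismatch will stop (or half-stop) the SA without anything in either config looking wrong. The Python below is an added example, not code from the original post or from Cisco. It parses the three configs posted above (trimmed and embedded as constructed sample input, with Router-B and Router-C generated from one spoke template) and reports mismatches per hub/spoke pair. It also lists ISAKMP pre-shared keys bound to address 0.0.0.0 0.0.0.0, since a wildcard key lets any IKE peer that knows the key start Phase 1 with the hub. The parser understands only the handful of IOS commands used here and assumes sub-commands follow their 'crypto map' or 'interface' header as in a running-config dump.

```python
"""GRE-over-IPsec hub-and-spoke crypto-map consistency checks (added example, not from the post).
Per hub/spoke pair: crypto-map peer == GRE tunnel destination, crypto ACLs are exact mirror images,
transform sets match, crypto map is on the tunnel-source interface; wildcard ISAKMP keys are flagged."""
# Constructed sample input: the three configs posted above, trimmed to the lines the checks read.
HUB = """\
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto map vpn 1 ipsec-isakmp
 set peer 10.10.227.10
 set transform-set 3des
 match address 101
crypto map vpn 2 ipsec-isakmp
 set peer 10.10.227.14
 set transform-set 3des
 match address 102
interface Tunnel1
 tunnel source Ethernet0
 tunnel destination 10.10.227.10
interface Tunnel2
 tunnel source Ethernet0
 tunnel destination 10.10.227.14
interface Ethernet0
 ip address 10.10.227.18 255.255.255.252
 crypto map vpn
access-list 101 permit gre host 10.10.227.18 host 10.10.227.10
access-list 102 permit gre host 10.10.227.18 host 10.10.227.14
"""
SPOKE = """\
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto map vpn 1 ipsec-isakmp
 set peer 10.10.227.18
 set transform-set 3des
 match address {acl}
interface Tunnel0
 tunnel source Ethernet0
 tunnel destination 10.10.227.18
interface Ethernet0
 ip address {ip} 255.255.255.252
 crypto map vpn
access-list {acl} permit gre host {ip} host 10.10.227.18
"""
SPOKE1 = SPOKE.format(ip="10.10.227.10", acl="111")  # Router-B
SPOKE2 = SPOKE.format(ip="10.10.227.14", acl="102")  # Router-C

def parse(cfg):
    """Reduce an IOS config to dicts of crypto-map entries, interfaces, transform sets, GRE ACLs, keys."""
    d, ctx = {"maps": [], "ifaces": {}, "tsets": {}, "acls": {}, "keys": []}, None
    for line in cfg.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            ctx = None  # end of a block
        elif t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
            d["maps"].append(ctx := {"name": t[2], "seq": int(t[3])})
        elif t[0] == "interface":
            d["ifaces"][t[1]] = ctx = {"name": t[1]}
        elif t[:3] == ["crypto", "isakmp", "key"]:
            d["keys"].append((t[5], t[6]))  # (peer address, wildcard mask)
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tsets"][t[3]] = tuple(t[4:])
        elif t[0] == "access-list" and t[2:5] == ["permit", "gre", "host"]:
            d["acls"][t[1]] = (t[5], t[7])  # (source host, destination host)
        elif ctx is not None and len(t) >= 3:
            ctx[" ".join(t[:2])] = t[2]  # sub-command of the current block, e.g. ctx["set peer"]
    return d

def tunnel_toward(d, peer):
    """(tunnel interface, local endpoint IP) of the GRE tunnel whose destination is `peer`."""
    for i in d["ifaces"].values():
        if peer and i.get("tunnel destination") == peer:
            return i, d["ifaces"].get(i.get("tunnel source"), {}).get("ip address")
    return None, None

def check_pair(hub, spoke):
    """Findings for one hub/spoke pair; an empty list means the two ends line up."""
    es = spoke["maps"][0]  # a spoke has a single entry, pointing at the hub
    tun_s, spoke_ip = tunnel_toward(spoke, es.get("set peer"))
    if tun_s is None:
        return [f"spoke: no GRE tunnel whose destination is crypto peer {es.get('set peer')}"]
    eh = next((e for e in hub["maps"] if e.get("set peer") == spoke_ip), None)
    tun_h, hub_ip = tunnel_toward(hub, spoke_ip)
    if eh is None or tun_h is None:
        return [f"hub: no crypto-map entry or GRE tunnel for spoke endpoint {spoke_ip}"]
    f = [] if hub_ip == es["set peer"] else [f"spoke peers with {es['set peer']}, hub tunnel source is {hub_ip}"]
    # Each side's ACL must permit GRE from its own endpoint to the peer's (mirror images), and the
    # crypto map must be applied on the physical interface the tunnel is sourced from.
    for side, d, e, expect, tun in (("spoke", spoke, es, (spoke_ip, hub_ip), tun_s),
                                    ("hub", hub, eh, (hub_ip, spoke_ip), tun_h)):
        got = d["acls"].get(e.get("match address"))
        if got != expect:
            f.append(f"{side} ACL {e.get('match address')} is {got}, expected {expect}")
        if d["ifaces"].get(tun.get("tunnel source"), {}).get("crypto map") != e["name"]:
            f.append(f"{side}: crypto map {e['name']} is not applied to {tun.get('tunnel source')}")
    if spoke["tsets"].get(es.get("set transform-set")) != hub["tsets"].get(eh.get("set transform-set")):
        f.append("transform sets differ between hub and spoke")
    return f

def wildcard_keys(d):
    """ISAKMP keys bound to 0.0.0.0 0.0.0.0: any IKE peer that knows the key is accepted."""
    return [f"{a} {m}" for a, m in d["keys"] if (a, m) == ("0.0.0.0", "0.0.0.0")]
```

Call parse() on each config, then check_pair(hub, spoke) for every spoke; an empty list means that pair is consistent, and wildcard_keys(cfg) returns the wildcard key bindings on a device. Swapping the two hosts in a spoke's GRE ACL, changing its transform set, or pointing a spoke at the hub from an endpoint the hub has no entry for each produces a finding that names the side and the ACL or peer involved. Nothing here explains the interface shown by 'show crypto engine conn active'; it only confirms the configs agree with each other.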

3 Replies

gfullage
Cisco Employee

This is just a cosmetic bug with the output of the command. With your configuration the tunnels will be terminating correctly on the two different hub tunnel interfaces, it's just the command output that's wrong (it's been that way for a while actually, I never take any notice of the interface that shows up in this command output).

FYI, if you're just starting to implement GRE/IPSec, you might want to look at Dynamic Multipoint VPN (DMVPN). It's GRE/IPSec, but makes the config on the hub small and allows for your spokes to have dynamic IP addresses, via PPPoE/DHCP on ADSL/Cable for example. Once you set the hub up you never need to change it when you add additional spokes, unlike standard GRE/IPSec where the hub config gets larger as each spoke is added.

You can read all you'll ever want to know about it here:

http://www.cisco.com/warp/public/105/dmvpn.html

JUSTIN LOUCKS
Level 1

In regards to the DMVPN, I have always worried about setting up a hub router to accept connections from any IP address. Am I just paranoid here or is there a security risk in doing this? Just for clarification, I did modify the configurations in my original post to show private IPs, but my end project will be running over public space.

sergej.gurenko
Level 1

Small but nice improvement: from IOS 12.3(13)T you only need to apply "crypto map vpn" to the physical interface. I think this feature is included in IOS 12.3.