
2 GRE tunnels or 1 GRE and 1 site to site

Michael Durham
Level 4

Using IOS 15.1, I have configured a DMVPN GRE tunnel and it works as expected. I use this to connect to customers' sites and they have the ability to enable and disable the tunnel at will. No problems thus far.

Some of our customers already have a GRE configured on their system (non-Cisco and before our Cisco router) and it seems to be preventing our GRE from working.

i.e.: OUR_GRE -> internet -> Customer_GRE -> Customer_Cisco_router_GRE -> phones & desktops.

We looked into setting up a site-to-site VPN and it might work.  But, the problem is that the site-to-site VPN is always on.  Unlike the GRE Tunnel, you cannot simply enter a shut command to bring down the connection.  

Anyone know how to set up a site-to-site VPN using a tunnel interface so we can enable and disable it via the shut command? Or, how can we have two completely different GREs working as above?

2 Replies

Hello,

Not sure what exactly you mean: if you use an SVTI (tunnel interface), shutting the tunnel shuts down the VPN...

Can you elaborate on what configuration you have in mind?

We have a DMVPN configured and it works as expected. It is on interface Tunnel1. Our clients have the other side of the VPN configured on a Cisco 2811 router. When they need us to work with their router's config, they enable the tunnel via a web page that we created. This all works: when they enable the tunnel (issue a no shut command via the custom web page), their router is connected to us and we can make the necessary changes. We then shut their side of the tunnel down and we are disconnected. The custom web page also has a button that they can click that will issue a shut command and disconnect us at their will. All good so far.

We do NOT want access to our customer's network side of things, PCs, phones, etc., so no ip route statements are needed.

We have one customer (more to come, I am sure) that already has a GRE tunnel to somewhere else; thus port 47 is in use and we cannot connect our GRE tunnel without them first disconnecting the other one. That is not acceptable to them and I agree.

From what little testing I have had time to do, it looks like I can set up a site-to-site VPN to them and it will work. The problem is, site-to-site VPNs are not in a tunnel interface where you can just issue a shut or no shut command to enable and disable the connection. If you can use a tunnel interface as part of the site-to-site, then that would fix the problem.

Here is our side of the GRE tunnel config:

crypto isakmp policy 100
 encr aes 256
 hash sha512
 authentication pre-share
 group 16
 lifetime 3600
crypto isakmp key 6 abc123def456 address 0.0.0.0
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set support ah-sha512-hmac esp-3des
!
crypto ipsec profile support
 set security-association lifetime seconds 86400
 set transform-set support
!
crypto dynamic-map DYNAMIC_Support_VPN 100
 set security-association lifetime seconds 86400
 set transform-set support
!
crypto map CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP 1 ipsec-isakmp dynamic DYNAMIC_Support_VPN
!
interface Tunnel1
 description mGRE - DMVPN Tunnel for customer remote support
 ip address 172.16.0.1 255.255.0.0
 no ip redirects
 ip nhrp authentication abc123def456
 ip nhrp map multicast dynamic
 ip nhrp network-id 5551212
 tunnel source 100.100.100.191
 tunnel mode gre multipoint
 tunnel protection ipsec profile support
!
interface Cellular0/3/0
 crypto map CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP
!

Customer's side of the GRE tunnel config:

crypto isakmp policy 100
 encr aes 256
 hash sha512
 authentication pre-share
 group 16
 lifetime 3600
crypto isakmp key 6 abc123def456 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set support ah-sha512-hmac esp-3des
!
crypto ipsec profile support
 set security-association lifetime seconds 86400
 set transform-set support
!
interface Tunnel1
 description DMVPN mGRE tunnel to support
 ip address 172.16.1.1 255.255.0.0
 no ip redirects
 ip nhrp authentication abc123def456
 ip nhrp map multicast 100.100.100.191
 ip nhrp map 172.16.0.1 100.100.100.191
 ip nhrp network-id 5551212
 ip nhrp nhs 172.16.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile support
!
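Added example, not taken from either poster's config: this is what the first reply's SVTI suggestion looks like for the setup described in the original question and in the follow-up above. A static virtual tunnel interface (tunnel mode ipsec ipv4) runs the site-to-site IPsec inside a tunnel interface, so shut / no shut on Tunnel2 is the on/off switch. It reuses the crypto isakmp settings and the crypto ipsec profile "support" already shown above; Tunnel2, the 172.16.2.0/30 tunnel addresses and the customer public address 203.0.113.10 are placeholders I chose for the example.

```ios
! ---- our (support) side: add alongside the existing DMVPN Tunnel1 ----
! One SVTI per customer; each needs its own Tunnel number and a fixed peer address.
interface Tunnel2
 description SVTI site-to-site to customer A (shut / no shut to control)
 ip address 172.16.2.1 255.255.255.252
 tunnel source 100.100.100.191
 tunnel destination 203.0.113.10      ! placeholder: customer's public IP
 tunnel mode ipsec ipv4                ! plain IPsec inside the tunnel, no GRE
 tunnel protection ipsec profile support
!
! ---- customer side ----
interface Tunnel2
 description SVTI to support; the web page issues shut / no shut here
 ip address 172.16.2.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 100.100.100.191
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile support
!
! Verification (either side), once both ends are no shut:
! show crypto session
! show crypto ipsec sa
! show interface Tunnel2
```

Because tunnel mode ipsec ipv4 sends the traffic as ESP (IP protocol 50, or UDP/4500 once NAT traversal is negotiated) rather than GRE, it does not compete with the customer's existing GRE (IP protocol 47). A shutdown on either Tunnel2 tears down the IPsec SAs, which is the behaviour asked for, and the tunnel /30 is a connected route on both routers, so the customer router is reachable at 172.16.2.2 without any extra ip route statements. Three caveats: an SVTI needs a fixed tunnel destination on both ends (if a customer's address changes or they sit behind NAT, the hub end would need a dynamic VTI with a virtual-template instead); the transform set "support" includes AH (ah-sha512-hmac), which cannot pass through NAT because it authenticates the outer IP header, so an ESP-only transform set (for example esp-aes 256 esp-sha-hmac) is needed if NAT is in the path; and the wildcard pre-shared key (address 0.0.0.0) accepts any peer that knows the key, so a per-customer crypto isakmp key ... address <customer IP> entry on the hub limits which peers can bring this tunnel up.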
