GRE over IPSec ( in a redundant WAN)

netcentre
Level 1

All,

     I am attempting to encrypt the traffic on this WAN (please see the attached diagram). The creation of the GRE tunnel was successful; the problem occurs when I apply the encryption to the remote router (LBI) and the host router (LBI): I am unable to see anything after the tunnel.

Please see the attached files with the configuration for the two routers. ISD=Host, LBI=Remote. Can someone tell me where I am going wrong?

Regards,

Quincy


8 Replies

cflory
Level 1

Orson,

Firstly, you won't have to specify the 'crypto map' statement on the tunnel interface, the physical should suffice.  Also, you need to set your tunnel sources correctly:

ISD Router:

Tunnel source should be FastE0/1.1

LBI Router:

Tunnel source should be FastE0/1.1

I am not sure how you got the GRE tunnel working with this configuration, as you mentioned in your second sentence.  Unless there is some other configuration I'm not seeing.

Also, apply the crypto map to the FastE0/1.1 interface instead of FastE0/1.2.

HTH!

-Chris

Chris,

     There was a mistake in the configuration; it's now corrected in the document.

Orson

Orson

The config for the ISD router still shows the crypto map applied to the tunnel interface. Unless you are running quite old code on these routers the crypto map should be only on the physical interface.

Also the access list has two lines. You only need the first line which permits the GRE traffic. I suggest that you remove the line

access-list 110 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

HTH

Rick

It is working without the access-list mentioned above, however all the documentation I read suggests to "create access lists to define the traffic for encryption". I interpret that to mean all traffic that is passing between the sites.

"The crypto access list will specify which data traffic will pass through the IPSec tunnel. Crypto access lists are more like security associations than traditional ip access lists. '…the access lists used for IPSec are used only to determine which traffic should be protected by IPSec, not which traffic should be blocked or permitted…'" ("IPSec Network Security", Cisco Systems Inc.)

If we remove that access-list line, then only the GRE traffic will be encrypted... what happens to the other traffic?

All other traffic is encapsulated in GRE, so, in essence, it will be encrypted as well.  I employ Richard's suggestion frequently, and it works well.

-Chris

Chris

Thanks for the good explanation and for the endorsement of my approach.

The paragraph that Orson quotes does apply to a standard IPSec tunnel (without GRE) and I suspect that if he completely identified the source we would find that it was in fact discussing an IPSec tunnel that does not use GRE.

The basic point is still true - that the access list identifies the traffic to be encrypted. But when the data traffic is forwarded through a GRE tunnel then the traffic to be encrypted is nothing but GRE.

HTH

Rick
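The layout the thread converges on, written out as an added example (not the posters' attached configs and not Cisco's own sample): the crypto map only on the physical WAN subinterface, the tunnel sourced from that same subinterface, and a crypto ACL that matches nothing but GRE between the two tunnel endpoints, so the LAN-to-LAN traffic is protected because it rides inside the GRE packets. All IP addresses (203.0.113.0/30 for the WAN, 10.255.0.0/30 for the tunnel, 192.168.1.0/24 and 192.168.2.0/24 for the LANs), the VLAN ID on the subinterface, the pre-shared key, and the ISAKMP/IPsec algorithm choices are assumed placeholders; the thread shows only the interface names and the access-list number.

```cisco
! ===== What the thread found wrong on ISD (do not do this) =====
!   interface Tunnel0
!    crypto map GRE-VPN          <- crypto map on the tunnel interface
!   access-list 110 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!                                <- second ACL line matching the inner LAN traffic
!
! ===== ISD (host side), corrected =====
! Phase 1 / Phase 2 policy: algorithms, DH group and key are assumptions.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Crypto ACL: only the GRE packets between the two tunnel endpoints.
! By the time the crypto map on the physical interface sees a packet,
! the LAN-to-LAN traffic is already GRE-encapsulated, so this one line
! covers everything that goes through the tunnel.
access-list 110 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map GRE-VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address 110
!
! GRE tunnel sourced from the WAN subinterface; no crypto map here.
! ip mtu / adjust-mss are an added caveat for the GRE+ESP overhead.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/1.1
 tunnel destination 203.0.113.2
!
! WAN subinterface: the only place the crypto map is applied.
interface FastEthernet0/1.1
 encapsulation dot1Q 10
 ip address 203.0.113.1 255.255.255.252
 crypto map GRE-VPN
!
! Remote LAN reachable only through the tunnel (assumed /24).
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! ===== LBI (remote side), mirror image =====
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.1
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
access-list 110 permit gre host 203.0.113.2 host 203.0.113.1
!
crypto map GRE-VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set GRE-TS
 match address 110
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/1.1
 tunnel destination 203.0.113.1
!
interface FastEthernet0/1.1
 encapsulation dot1Q 10
 ip address 203.0.113.2 255.255.255.252
 crypto map GRE-VPN
!
ip route 192.168.1.0 255.255.255.0 Tunnel0
```

To confirm it is doing what the thread describes, ping across the tunnel from one LAN to the other and then check `show crypto isakmp sa` (one active SA per peer) and `show crypto ipsec sa` (the `#pkts encaps` and `#pkts decaps` counters for the GRE proxy identity should climb with the pings). `mode transport` is optional; it only trims the extra outer IP header because the IPsec peers and the GRE endpoints are the same addresses, and the default tunnel mode works with the same ACL. If the IOS release on these routers does not accept `group 14`, that line is the one to adjust, not the crypto map placement.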

netcentre
Level 1

Thanks for the clarifications

Orson

I am glad that we were able to supply answers that helped to solve your question. Thank you for using the rating system to mark the question as resolved. It makes the forum more useful when people can read a question and can know that an answer was found. Your marking has contributed to this process.

HTH

Rick