Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
612
Views
2
Helpful
5
Replies

GRE over IPsec Issue

iskra
Level 1
Level 1

‎03-27-2024 07:54 AM

I'm in a tough spot and currently having an issue with configuring a GRE over IPsec in my personal project. I think the configurations are right based on the verification commands that I used which are: show crypto isakmp sa and show crypto ipsec sa. However, when I try to ping from a network to another, it doesn't use the tunnel that I've established. Example:

iskra_2-1711550874429.png

Here is the configuration:


*DEPT-R1 to DEPT-R2

en
conf t
int tunnel 1
ip address 20.0.0.1 255.255.255.252
tunnel source s0/1/0
tunnel destination 10.0.0.6
end

crypto isakmp policy 1
encryption aes 256
hash sha
authentication pre-share
group 2
lifetime 3600
ext

crypto isakmp key privkey address 10.0.0.6
crypto ipsec transform-set GRE-VPN esp-aes 256 esp-sha-hmac

ip access-list extended GRE-VPN-ACL
permit gre host 10.0.0.1 host 10.0.0.6
exit

crypto map GRE-CMAP 10 ipsec-isakmp
match address GRE-VPN-ACL
set transform-set GRE-VPN
set peer 10.0.0.6
exit

int s0/1/0
crypto map GRE-CMAP

// CONFIG OSPF TO ADVERTISE TUNNEL INT

router ospf 10
network 20.0.0.0 0.0.0.3 area 0

*DEPT-R2 to DEPT-R1
en
conf t
int tunnel 1
ip address 20.0.0.2 255.255.255.252
tunnel source s0/1/1
tunnel destination 10.0.0.1
tunnel mode gre ip
end

crypto isakmp policy 1
encryption aes 256
hash sha
authentication pre-share
group 2
lifetime 3600
ex

crypto isakmp key privkey address 10.0.0.1
crypto ipsec transform-set GRE-VPN esp-aes 256 esp-sha-hmac

ip access-list extended GRE-VPN-ACL
permit gre host 10.0.0.6 host 10.0.0.1
exit

crypto map GRE-CMAP 10 ipsec-isakmp
match address GRE-VPN-ACL
set transform-set GRE-VPN
set peer 10.0.0.1
exit

int s0/1/1
crypto map GRE-CMAP


// CONFIG OSPF TO ADVERTISE TUNNEL INT

router ospf 10
network 20.0.0.0 0.0.0.3 area 0


Thanks, 

M

0 Helpful
5 Replies 5

iskra
Level 1
Level 1
In response to MHM Cisco World

‎03-27-2024 08:10 AM

Much appreciated. Will try it again. 

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to iskra

‎03-27-2024 08:50 AM - edited ‎03-27-2024 08:55 AM

GRE/IPSec tunnels using crypto maps is an old approach.

If you're using 4k ISRs, would expect the to support VTI IPSec tunnels, eliminates GRE overhead.

I also recall (???) GRE/IPSec tunnel later variants didn't need to use a crypto map.

Edit: just looked at @@MHM Cisco World reference, and it appears to show using GRE/IPSec without a crypto map.

iskra
Level 1
Level 1
In response to Joseph W. Doherty

‎03-27-2024 09:07 AM

I just found out that using crypto maps were outdated. My resource material, aka YouTube is not helping me right now, lol.  Currently trying and learning it right now. Thank you for replying. ☺️

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to iskra

‎03-27-2024 10:28 AM

Good source of Cisco information is Cisco's main site.  Especially look at documentation for your IOS release and TechNotes or WhitePapers explaining an aspect of Cisco technology.

0 Helpful
Customers Also Viewed These Support Documents