GRE over IPsec Issue

iskra
Level 1

I'm in a tough spot and currently having an issue with configuring GRE over IPsec in my personal project. I think the configurations are right based on the verification commands that I used, which are show crypto isakmp sa and show crypto ipsec sa. However, when I try to ping from one network to another, it doesn't use the tunnel that I've established. Example:

[image: iskra_2-1711550874429.png]

Here is the configuration:


*DEPT-R1 to DEPT-R2

en
conf t
int tunnel 1
ip address 20.0.0.1 255.255.255.252
tunnel source s0/1/0
tunnel destination 10.0.0.6
exit

crypto isakmp policy 1
encryption aes 256
hash sha
authentication pre-share
group 2
lifetime 3600
exit

crypto isakmp key privkey address 10.0.0.6
crypto ipsec transform-set GRE-VPN esp-aes 256 esp-sha-hmac

ip access-list extended GRE-VPN-ACL
permit gre host 10.0.0.1 host 10.0.0.6
exit

crypto map GRE-CMAP 10 ipsec-isakmp
match address GRE-VPN-ACL
set transform-set GRE-VPN
set peer 10.0.0.6
exit

int s0/1/0
crypto map GRE-CMAP

// CONFIG OSPF TO ADVERTISE TUNNEL INT

router ospf 10
network 20.0.0.0 0.0.0.3 area 0

*DEPT-R2 to DEPT-R1
en
conf t
int tunnel 1
ip address 20.0.0.2 255.255.255.252
tunnel source s0/1/1
tunnel destination 10.0.0.1
tunnel mode gre ip
exit

crypto isakmp policy 1
encryption aes 256
hash sha
authentication pre-share
group 2
lifetime 3600
ex

crypto isakmp key privkey address 10.0.0.1
crypto ipsec transform-set GRE-VPN esp-aes 256 esp-sha-hmac

ip access-list extended GRE-VPN-ACL
permit gre host 10.0.0.6 host 10.0.0.1
exit

crypto map GRE-CMAP 10 ipsec-isakmp
match address GRE-VPN-ACL
set transform-set GRE-VPN
set peer 10.0.0.1
exit

int s0/1/1
crypto map GRE-CMAP


// CONFIG OSPF TO ADVERTISE TUNNEL INT

router ospf 10
network 20.0.0.0 0.0.0.3 area 0


Thanks, 

M

5 Replies

Much appreciated. Will try it again. 

GRE/IPSec tunnels using crypto maps is an old approach.

If you're using 4k ISRs, I would expect them to support VTI IPSec tunnels, which eliminates GRE overhead.

I also recall (???) GRE/IPSec tunnel later variants didn't need to use a crypto map.

Edit: just looked at @MHM Cisco World reference, and it appears to show using GRE/IPSec without a crypto map.
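For reference, here is what the crypto-map-less approach mentioned in this reply looks like for the two routers in the original post. This is an added example, not the poster's configuration and not taken from any Cisco document: the peer addresses, interface names, policy and pre-shared key are reused from the thread, while the LAN prefixes 192.168.1.0/24 and 192.168.2.0/24 behind each router are hypothetical and only there to show that the remote LAN must be advertised, not just the tunnel /30.

```cisco
! DEPT-R1: GRE over IPsec using an IPsec profile instead of a crypto map.
! Added example; LAN prefixes are hypothetical, other values come from the thread.
crypto isakmp policy 1
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key privkey address 10.0.0.6
!
crypto ipsec transform-set GRE-VPN esp-aes 256 esp-sha-hmac
 mode transport
!
! The profile replaces the crypto map: no crypto ACL and no "set peer",
! because the tunnel source/destination already identify the protected flow.
crypto ipsec profile GRE-PROF
 set transform-set GRE-VPN
!
interface Tunnel1
 ip address 20.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/1/0
 tunnel destination 10.0.0.6
 tunnel protection ipsec profile GRE-PROF
!
! Packets only enter the tunnel if a route points at Tunnel1, so the LAN
! behind each router has to be in OSPF as well as the 20.0.0.0/30 link.
router ospf 10
 network 20.0.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! DEPT-R2: same thing with the addresses mirrored.
crypto isakmp policy 1
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key privkey address 10.0.0.1
!
crypto ipsec transform-set GRE-VPN esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-PROF
 set transform-set GRE-VPN
!
interface Tunnel1
 ip address 20.0.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/1/1
 tunnel destination 10.0.0.1
 tunnel protection ipsec profile GRE-PROF
!
router ospf 10
 network 20.0.0.0 0.0.0.3 area 0
 network 192.168.2.0 0.0.0.255 area 0
!
! VTI variant (the "no GRE overhead" option from the reply): keep the profile,
! drop "mode transport" from the transform-set (VTI needs tunnel mode) and
! change the tunnel encapsulation on both routers:
!   interface Tunnel1
!    tunnel mode ipsec ipv4
```

Once both sides are in, the useful check for the symptom in the original post is the routing table rather than the SA tables: show ip route 192.168.2.0 on DEPT-R1 should resolve via Tunnel1 and show ip ospf neighbor should list DEPT-R2 on that interface. If the route instead points at the serial interface (or there is no route at all), the ping never enters the tunnel and the encaps/decaps counters in show crypto ipsec sa stay at zero even though the ISAKMP and IPsec SAs look healthy.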

I just found out that using crypto maps is outdated. My resource material, aka YouTube, is not helping me right now, lol. Currently trying and learning it right now. Thank you for replying. ☺️

A good source of Cisco information is Cisco's main site. Especially look at the documentation for your IOS release and the TechNotes or White Papers explaining an aspect of Cisco technology.