GRE tunnel in site to site VPN HELP

austinmbailey1
Level 1

Hello,

 

I'm having a bit of trouble. I have a site to site VPN and I need to be able to pass multicast traffic over it. I know that the IPsec tunnel can't handle the multicast traffic, so could someone explain what all I need to configure to set up a GRE tunnel as well as what I need to do in the ASAs?

I currently have the below setup done and I have verified connectivity from end to end.

I would like the tunnel to go from the inside interface of RTR1 to the inside interface of RTR2.

 

My network looks like this:

 

PC1-------RTR1-------ASA1-------ASA2------RTR2-------PC2


PC1- 10.0.0.5/16

RTR1 inside-10.0.0.1/16

RTR1 outside-192.168.1.2/24

ASA1 inside-192.168.1.1/24

ASA1 outside-20.20.20.1/30

ASA2 outside-20.20.20.2/30

ASA2 inside-192.168.10.1/24

RTR2 outside-192.168.10.2/24

RTR2 inside-10.10.0.1/16

PC2- 10.10.0.5/16


Any help or advice you have would be appreciated as this is the first GRE configuration I've done. Thanks!

2 Replies

Hello

Look at Cisco IPsec VTI, this does support m/c

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html

 

Apologies for the post, it's from my work phone and it's a wee bit flaky

res

Paul


Paul's suggestion of using VTI on the routers is one way of satisfying the requirement to pass multicast traffic between the sites. One requirement for VTI tunnels is that there must be IP connectivity between the tunnel source address and the tunnel destination address. In this situation that would require some configuration on the ASA about routing and address translation. The VTI tunnel passes multicast in a way that is very similar to GRE and the encryption would be performed on the router and not by the ASA. It might be a bit tricky to set up the VTI peering when the VTI peers are behind ASAs that are doing address translation on the traffic. In this situation the outbound VTI traffic would be permitted by default and the ASA would perform address translation for the outbound VTI traffic. The ASA would need to be configured to permit incoming VTI traffic from the peer and forward the encrypted traffic to the inside router.

 

The original post asked about how to implement a GRE tunnel between the routers and to have the ASAs encrypt that traffic. This is possible and is another alternative to consider. Conceptually it is pretty simple. Each router configures a GRE tunnel which has a source address of the router inside interface (or could be the outside interface - it does not make a great difference which is used) and a destination address of the remote router. You then set up the multicast so that it is forwarded through the GRE tunnel. On the ASA you set up a site to site VPN where the traffic to be sent through the VPN is the GRE tunnel traffic. In this alternative the tunneled traffic is not translated. And in this alternative the incoming encrypted GRE traffic from the remote peer is automatically permitted, and is forwarded to the inside router.

 

I have a customer who set up their network using GRE tunnels and then encrypting the GRE traffic on their ASA. It worked fairly well.

 

HTH

 

Rick 

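The GRE-inside-IPsec alternative Rick describes, written out as an added configuration sketch (not from the thread or from Cisco) using the addresses in the original post. It assumes interface name GigabitEthernet0/0 for the router inside interface, a 172.16.0.0/30 tunnel subnet, PIM sparse mode with the RP at RTR1's inside address, and that the existing ASA crypto map is called OUTSIDE_MAP with its interesting-traffic ACL named VPN_TRAFFIC; RTR2 and ASA2 mirror this with the addresses swapped.

```cisco
! ---- RTR1 (mirror on RTR2 with the addresses swapped) ----
ip multicast-routing
!
interface GigabitEthernet0/0
 description inside (10.0.0.1/16) - assumed interface name
 ip pim sparse-mode
!
interface Tunnel0
 description GRE to RTR2, sourced from the inside interface
 ip address 172.16.0.1 255.255.255.252
 ip pim sparse-mode
 tunnel source GigabitEthernet0/0
 tunnel destination 10.10.0.1
!
! RP placement is an assumption for the example (RTR1 inside address)
ip pim rp-address 10.0.0.1
!
! Unicast to 10.10.0.0/16 keeps using the existing route via ASA1, so the
! tunnel destination stays reachable. Do NOT add a unicast route into Tunnel0:
! it would route the tunnel endpoint into the tunnel itself and flap it.
! Only the multicast RPF check for far-site sources points into the tunnel.
ip mroute 10.10.0.0 255.255.0.0 Tunnel0
!
! ---- ASA1 (mirror on ASA2) ----
object network RTR1_INSIDE
 host 10.0.0.1
object network RTR2_INSIDE
 host 10.10.0.1
!
! NAT exemption: the GRE endpoints must not be translated, otherwise the
! crypto ACL below never matches the post-NAT packet
nat (inside,outside) source static RTR1_INSIDE RTR1_INSIDE destination static RTR2_INSIDE RTR2_INSIDE
!
! Interesting traffic for the existing site-to-site VPN: add the GRE (IP
! protocol 47) between the two router inside addresses; encryption then
! happens on the ASA and the decrypted GRE is permitted inbound by default
access-list VPN_TRAFFIC extended permit gre host 10.0.0.1 host 10.10.0.1
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
!
! Routes so the ASA can reach both GRE endpoints
route inside 10.0.0.0 255.255.0.0 192.168.1.2 1
route outside 10.10.0.0 255.255.0.0 20.20.20.2 1
```

If the existing crypto ACL already permits ip between 10.0.0.0/16 and 10.10.0.0/16, the GRE traffic is covered by that entry and the extra access-list line is redundant; verify with show crypto ipsec sa on the ASA and show ip mroute on the routers.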