Help with configuring GRE over IPsec

CavanP11
Level 1

I'm trying to create an encrypted tunnel using GRE over IPSec, but I am unable to get it to work. I believe I'm messing up my IP routes and getting them confused. My tunnels work before I try to encrypt them, but when I attempt to do it, I can no longer ping them. The IP routes on the routers below are fine; I haven't left in my attempt at doing them.

In case it's needed, the whole network is 10.100.0.0/19

This is a screenshot of it currently (image_2022-02-15_142736.png).

Carlow Router:

Building configuration...

Current configuration : 2572 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Carlow_Router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2911/K9 sn FTX1524693Y-
license boot module c2900 technology-package securityk9
!
!
!
crypto isakmp policy 102
 encr aes
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 149.153.1.6
!
!
!
crypto ipsec transform-set CarlowBelfast_Set esp-aes esp-sha-hmac
!
crypto map CarlowBelfast_Map 102 ipsec-isakmp 
 set peer 149.153.1.6
 set transform-set CarlowBelfast_Set 
 match address 102
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.250.1 255.255.255.252
 mtu 1476
 tunnel source Serial0/0/0
 tunnel destination 149.153.1.6
!
!
interface GigabitEthernet0/0
 no ip address
 ip nat inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.100.0.1 255.255.255.128
 ip nat inside
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.100.0.129 255.255.255.224
 ip nat inside
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.100.0.161 255.255.255.224
 ip nat inside
!
interface GigabitEthernet0/0.40
 encapsulation dot1Q 40
 ip address 10.100.0.193 255.255.255.224
 ip nat inside
!
interface GigabitEthernet0/0.50
 encapsulation dot1Q 50
 ip address 10.100.0.225 255.255.255.224
 ip nat inside
!
interface GigabitEthernet0/0.60
 encapsulation dot1Q 60
 ip address 10.100.1.1 255.255.255.240
 ip nat inside
!
interface GigabitEthernet0/0.70
 encapsulation dot1Q 70
 ip address 10.100.1.17 255.255.255.248
 ip nat inside
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 149.153.1.2 255.255.255.252
 crypto map CarlowBelfast_Map
!
interface Serial0/0/1
 no ip address
 clock rate 2000000
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 10.100.0.0 0.0.255.255 area 1
 network 149.153.1.4 0.0.0.3 area 1
 network 149.153.1.0 0.0.0.3 area 1
!
router ospf 2
 log-adjacency-changes
 network 172.16.250.0 0.0.0.3 area 2
!
ip classless
ip route 0.0.0.0 0.0.0.0 149.153.1.1 
!
ip flow-export version 9
!
!
access-list 102 permit ip 10.100.0.0 0.0.255.255 10.100.0.0 0.0.255.255
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

Belfast Router:

Building configuration...

Current configuration : 2479 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Belfast_Router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2911/K9 sn FTX15247LB2-
license boot module c2900 technology-package securityk9
!
!
!
crypto isakmp policy 102
 encr aes
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 149.153.1.2
!
!
!
crypto ipsec transform-set BelfastCarlow_Set esp-aes esp-sha-hmac
!
crypto map BelfastCarlow_Map 102 ipsec-isakmp 
 set peer 149.153.1.2
 set transform-set BelfastCarlow_Set 
 match address 102
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 172.16.250.2 255.255.255.252
 mtu 1476
 tunnel source Serial0/0/1
 tunnel destination 149.153.1.2
!
!
interface GigabitEthernet0/0
 no ip address
 ip nat inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.100.2.1 255.255.255.224
 ip nat inside
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.100.2.33 255.255.255.224
 ip nat inside
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.100.2.65 255.255.255.224
 ip nat inside
!
interface GigabitEthernet0/0.40
 encapsulation dot1Q 40
 ip address 10.100.2.97 255.255.255.240
 ip nat inside
!
interface GigabitEthernet0/0.50
 encapsulation dot1Q 50
 ip address 10.100.2.113 255.255.255.248
 ip nat inside
!
interface GigabitEthernet0/0.60
 encapsulation dot1Q 60
 ip address 10.100.2.121 255.255.255.248
 ip nat inside
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial0/0/1
 ip address 149.153.1.6 255.255.255.252
 clock rate 2000000
 crypto map BelfastCarlow_Map
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 10.100.0.0 0.0.255.255 area 1
 network 149.153.1.4 0.0.0.3 area 1
 network 149.153.1.0 0.0.0.3 area 1
!
router ospf 2
 log-adjacency-changes
 network 172.16.250.0 0.0.0.3 area 2
!
ip classless
ip route 0.0.0.0 0.0.0.0 149.153.1.5 
!
ip flow-export version 9
!
!
access-list 102 permit ip 10.100.0.0 0.0.255.255 10.100.0.0 0.0.255.255
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end 


5 Replies

georgehewittuk1
Level 1

Hello,

I only have a minute to reply; I saw your post and thought I could help.

First of all, I would opt for protecting the GRE tunnel with IPsec all in the same configuration, so anything that goes over the tunnel is encrypted.

https://networklessons.com/cisco/ccie-routing-switching-written/ipsec-static-virtual-tunnel-interface

Second of all, for your issue, it looks like you are not accounting for the fact that in the IPsec crypto ACL the traffic will be matching the GRE tunnel source <-> destination, not the LAN traffic.

Regards

George
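To make George's second point concrete, here is an added example (not from the thread or from Cisco) that evaluates a crypto ACL the way IOS does, first match with an implicit deny, against the packet a crypto map on Serial0/0/0 actually sees: the GRE outer header 149.153.1.2 -> 149.153.1.6, not the LAN addresses inside it. The `permit gre host ... host ...` entry and the sample LAN hosts are constructed for the example.

```python
import ipaddress

def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def _parse_addr(tokens, i):
    """Consume one ACL address spec at tokens[i]; return (network, wildcard, next_index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _to_int(tokens[i + 1]), 0, i + 2
    return _to_int(tokens[i]), _to_int(tokens[i + 1]), i + 2

def parse_acl(lines):
    """Parse numbered extended ACL lines: access-list N permit|deny proto src dst."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3].lower()
        src, src_wc, i = _parse_addr(t, 4)
        dst, dst_wc, _ = _parse_addr(t, i)
        aces.append((action, proto, src, src_wc, dst, dst_wc))
    return aces

def _addr_match(addr, net, wc):
    # Cisco wildcard: bits set to 1 are "don't care"; all other bits must equal the network.
    return (addr & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF)

def crypto_acl_permits(acl_lines, proto, src, dst):
    """First-match evaluation with the implicit deny at the end, as on IOS."""
    s, d = _to_int(src), _to_int(dst)
    for action, aproto, net_s, wc_s, net_d, wc_d in parse_acl(acl_lines):
        if aproto not in ("ip", proto):
            continue
        if _addr_match(s, net_s, wc_s) and _addr_match(d, net_d, wc_d):
            return action == "permit"
    return False

# The OP's crypto ACL from the thread versus a constructed one that matches the GRE packets.
OP_ACL = ["access-list 102 permit ip 10.100.0.0 0.0.255.255 10.100.0.0 0.0.255.255"]
GRE_ACL = ["access-list 102 permit gre host 149.153.1.2 host 149.153.1.6"]
# What the crypto map on Serial0/0/0 sees is the GRE outer header, not the LAN packet.
OUTER = ("gre", "149.153.1.2", "149.153.1.6")
INNER = ("icmp", "10.100.0.10", "10.100.2.10")  # constructed LAN hosts, never seen by the map
if __name__ == "__main__":
    print("OP ACL matches GRE outer packet:", crypto_acl_permits(OP_ACL, *OUTER))    # False
    print("GRE ACL matches GRE outer packet:", crypto_acl_permits(GRE_ACL, *OUTER))  # True
    print("OP ACL matches inner LAN packet:", crypto_acl_permits(OP_ACL, *INNER))    # True
```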

Hello,

If this is a Packet Tracer project, post the zipped project (.pkt) file...

I have left the zip below!

Hello,

What instructions are you following? You have legacy crypto maps, tunnel interfaces, OSPF, static routes and partial NAT all mixed up.

Hello,

In any case, the access lists for the crypto map are wrong. They need to be:

Carlow_Router
access-list 102 permit ip 10.100.0.0 0.0.0.255 10.100.2.0 0.0.0.255

Belfast_Router
access-list 102 permit ip 10.100.2.0 0.0.0.255 10.100.0.0 0.0.0.255
