Packets are not being encrypted/decrypted using GRE over IPsec

prabinchand, Level 1

I am doing GRE over IPsec but am not able to encrypt and decrypt packets.

The configuration is all right from my side.

 

NOTE: topology is attached below.

CONFIGURATION

HQ


HQ(config)#do sh run
Building configuration...

Current configuration : 1575 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname HQ
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key admin address 2.2.2.2
!
!
crypto ipsec transform-set adminset esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map adminmap 1 ipsec-isakmp
set peer 2.2.2.2
set transform-set adminset
match address GRE
!
!
!
!
!
!
interface Tunnel1
ip address 172.16.10.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 2.2.2.2
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
speed auto
duplex auto
crypto map adminmap
!
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 192.168.20.0 255.255.255.0 172.16.10.2
!
ip access-list extended GRE
permit gre host 192.168.10.2 host 192.168.20.2
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

BR

 

BR(config)#DO SH RUN
Building configuration...

Current configuration : 1575 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname BR
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key admin address 1.1.1.2
!
!
crypto ipsec transform-set adminset esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map adminmap 1 ipsec-isakmp
set peer 1.1.1.2
set transform-set adminset
match address GRE
!
!
!
!
!
!
interface Tunnel1
ip address 172.16.10.2 255.255.255.0
tunnel source FastEthernet1/1
tunnel destination 1.1.1.2
!
interface FastEthernet0/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 2.2.2.2 255.255.255.0
speed auto
duplex auto
crypto map adminmap
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 192.168.20.0 255.255.255.0 172.16.10.1
!
ip access-list extended GRE
permit gre host 192.168.20.2 host 192.168.10.2
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

 

ISP

 

ISP(config)#do sh run
Building configuration...

Current configuration : 1040 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 2.2.2.1 255.255.255.0
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route 0.0.0.0 0.0.0.0 2.2.2.2
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end


 


5 Replies

Seb Rupik, VIP Alumni

Hi there,

If you want the GRE tunnel to form via the IPSec tunnel then you need to update your 'GRE' crypto ACL to permit the traffic between the GRE tunnel endpoints. Delete the existing ACL on HQ and BRANCH and replace it with the following. Also add a dynamic IGP into the mix to advertise routes via the GRE tunnel.

 

 

!! HQ
!
! The crypto ACL matches the GRE packet after encapsulation, so it lists the
! tunnel source/destination (outside interface addresses), not the LAN hosts.
ip access-list extended GRE
 permit gre host 1.1.1.2 host 2.2.2.2
!
ip route 2.2.2.2 255.255.255.255 1.1.1.1
!
router eigrp 1
 network 172.16.10.0 0.0.0.255
 network 192.168.10.0 0.0.0.255
!
!! BRANCH
!
! Mirror image of the HQ ACL.
ip access-list extended GRE
 permit gre host 2.2.2.2 host 1.1.1.2
!
ip route 1.1.1.2 255.255.255.255 2.2.2.1
!
router eigrp 1
 network 172.16.10.0 0.0.0.255
 network 192.168.20.0 0.0.0.255
!

 

 

cheers,

Seb.

Hello respected sir,

Is it necessary to use dynamic routing while using GRE over IPsec, or what?

I have used static routing; is that why it didn't work, sir?

Also, the access-list has the host IP of the router interface. Why? I didn't get that.

Please clarify this for me; I'm new to this networking field, sir.

Hi there,

One of the benefits of using a GRE tunnel is that it can encapsulate multicast traffic, which means it can then be used for carrying IGP traffic. Static routes are fine if you are using contiguous IP addressing at either site, which lends itself to address summarisation. However, if you don't have well-defined addressing at either site then setting up multiple static routes will become an admin overhead. Using an IGP reduces this workload for you.

We change the GRE ACL to list the 'outside' interface IPs at either site, as when a GRE packet egresses that interface it is identified by the crypto map and sent via the IPSec tunnel.

cheers,

Seb.
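The point Seb makes above (the crypto ACL sees the packet after GRE encapsulation, so it must list the tunnel endpoints) is easy to check in a small model. The following is an added example for this thread, not IOS code or anything the posters wrote: it GRE-encapsulates a constructed LAN ping with the thread's addresses, evaluates it against the original and the corrected crypto ACLs, and also checks that the two peers' ACLs are mirror images of each other. The ACL evaluator is a simplification (first match wins, implicit deny, no NAT or fragmentation, only host/any/wildcard address forms).

```python
"""Model of how a crypto-map ACL sees GRE-over-IPsec traffic on the egress interface.
Added illustration for this thread, not IOS code: first-match ACL with implicit deny,
no NAT or fragmentation; addresses are taken from the thread's configs."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# IP protocol numbers the parser understands ("ip" matches any protocol).
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47}


@dataclass(frozen=True)
class IPv4Packet:
    src: str
    dst: str
    proto: int                          # IP protocol number of this header
    inner: "IPv4Packet | None" = None   # payload packet when proto == 47 (GRE)


def gre_encapsulate(pkt: IPv4Packet, tunnel_source: str, tunnel_destination: str) -> IPv4Packet:
    """What 'interface Tunnel1' does: the LAN packet becomes the payload of a new
    IP packet, protocol 47, addressed from tunnel source to tunnel destination."""
    return IPv4Packet(tunnel_source, tunnel_destination, PROTO_NUMBERS["gre"], inner=pkt)


@dataclass(frozen=True)
class ACE:
    action: str                 # "permit" = encrypt, "deny" = send in the clear
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_address(tokens: list[str]) -> ipaddress.IPv4Network:
    """Consume one IOS address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    word = tokens.pop(0)
    if word == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if word == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)            # an IOS wildcard mask is a hostmask
    return ipaddress.IPv4Network(f"{word}/{wildcard}", strict=False)


def parse_ace(line: str) -> ACE:
    """Parse one extended ACL entry, e.g. 'permit gre host 1.1.1.2 host 2.2.2.2'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto not in PROTO_NUMBERS:
        raise ValueError(f"unsupported ACE: {line!r}")
    src = _parse_address(rest)
    dst = _parse_address(rest)
    return ACE(action, proto, src, dst)


def ace_matches(ace: ACE, pkt: IPv4Packet) -> bool:
    """Compare the entry against the header the ACL is shown (the outer one for GRE)."""
    want = PROTO_NUMBERS[ace.proto]
    if want is not None and pkt.proto != want:
        return False
    return (ipaddress.IPv4Address(pkt.src) in ace.src
            and ipaddress.IPv4Address(pkt.dst) in ace.dst)


def crypto_acl_permits(acl: list[str], pkt: IPv4Packet) -> bool:
    """Crypto ACL semantics: first matching entry wins; no match means not encrypted."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


def will_encrypt(acl: list[str], lan_pkt: IPv4Packet, tunnel_source: str, tunnel_destination: str) -> bool:
    """The crypto map sits on the physical interface, so it evaluates the packet after
    GRE encapsulation: the LAN addresses are inside the payload and never compared."""
    return crypto_acl_permits(acl, gre_encapsulate(lan_pkt, tunnel_source, tunnel_destination))


def acls_are_mirrored(local_acl: list[str], remote_acl: list[str]) -> bool:
    """Peers must use mirror-image crypto ACLs (src/dst swapped) or the IPsec SA
    proposal is rejected; check that every local permit entry has its mirror."""
    mirrored_remote = {ACE(a.action, a.proto, a.dst, a.src) for a in map(parse_ace, remote_acl)}
    return all(ace in mirrored_remote for ace in map(parse_ace, local_acl) if ace.action == "permit")


# Values from the thread's configs.
HQ_OUTSIDE, BR_OUTSIDE = "1.1.1.2", "2.2.2.2"
ORIGINAL_HQ_ACL = ["permit gre host 192.168.10.2 host 192.168.20.2"]
ORIGINAL_BR_ACL = ["permit gre host 192.168.20.2 host 192.168.10.2"]
CORRECTED_HQ_ACL = ["permit gre host 1.1.1.2 host 2.2.2.2"]
CORRECTED_BR_ACL = ["permit gre host 2.2.2.2 host 1.1.1.2"]

# Constructed sample packet: a ping from the HQ LAN host to the branch LAN host.
LAN_PING = IPv4Packet("192.168.10.2", "192.168.20.2", PROTO_NUMBERS["icmp"])

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_HQ_ACL), ("corrected", CORRECTED_HQ_ACL)):
        print(f"HQ {name} ACL encrypts the GRE packet: {will_encrypt(acl, LAN_PING, HQ_OUTSIDE, BR_OUTSIDE)}")
    print("corrected ACLs are mirror images:", acls_are_mirrored(CORRECTED_HQ_ACL, CORRECTED_BR_ACL))
```

Run as a script it reports that the original HQ ACL never encrypts the GRE packet (its outer header is 1.1.1.2 to 2.2.2.2, not the LAN hosts) while the corrected one does, and that the corrected pair is mirrored. On the real routers the same check is `show crypto ipsec sa` after sending traffic through the tunnel: with the original ACL the encaps/decaps counters stay at zero because nothing ever matches. Two further things visible in the posted configs: BR as posted has no route to 192.168.10.0/24 (its static route covers 192.168.20.0/24, BR's own LAN), so return traffic would not enter Tunnel1 even once the ACL is fixed; and the ISAKMP policy uses 3DES, MD5 and the pre-shared key "admin", which is fine for a lab but should be AES, SHA-2 and a strong key anywhere else.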

Deepak Kumar, VIP Alumni

In your original configuration, you are using GRE over IPsec so you need to adjust your interested ACL "GRE" accordingly.

 

<<<HQ>>>
!
! Match the GRE packets between the tunnel endpoints (outside interface addresses).
ip access-list extended GRE
 permit gre host 1.1.1.2 host 2.2.2.2
!
ip route 2.2.2.2 255.255.255.255 1.1.1.1
!
<<<BRANCH>>>
!
! Mirror image of the HQ ACL.
ip access-list extended GRE
 permit gre host 2.2.2.2 host 1.1.1.2
!
ip route 1.1.1.2 255.255.255.255 2.2.2.1

 

It is not necessary to use dynamic routing; static routing also works fine.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hello respected sir,

The access-list has the host IP of the router interface. Why? I didn't get it.

Will you help me by clarifying it?
