12-14-2021 01:21 AM - last edited on 12-14-2021 04:32 AM by Translator
I am doing GRE over IPsec but am not able to encrypt and decrypt packets.
The configuration is all right from my side.
NOTE: topology is attached below.
CONFIGURATION
HQ
HQ(config)#do sh run
Building configuration...
Current configuration : 1575 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname HQ
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key admin address 2.2.2.2
!
!
crypto ipsec transform-set adminset esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map adminmap 1 ipsec-isakmp
set peer 2.2.2.2
set transform-set adminset
match address GRE
!
!
!
!
!
!
interface Tunnel1
ip address 172.16.10.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 2.2.2.2
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
speed auto
duplex auto
crypto map adminmap
!
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 192.168.20.0 255.255.255.0 172.16.10.2
!
ip access-list extended GRE
permit gre host 192.168.10.2 host 192.168.20.2
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
BR
BR(config)#DO SH RUN
Building configuration...
Current configuration : 1575 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname BR
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key admin address 1.1.1.2
!
!
crypto ipsec transform-set adminset esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map adminmap 1 ipsec-isakmp
set peer 1.1.1.2
set transform-set adminset
match address GRE
!
!
!
!
!
!
interface Tunnel1
ip address 172.16.10.2 255.255.255.0
tunnel source FastEthernet1/1
tunnel destination 1.1.1.2
!
interface FastEthernet0/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 2.2.2.2 255.255.255.0
speed auto
duplex auto
crypto map adminmap
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 192.168.20.0 255.255.255.0 172.16.10.1
!
ip access-list extended GRE
permit gre host 192.168.20.2 host 192.168.10.2
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
ISP
ISP(config)#do sh run
Building configuration...
Current configuration : 1040 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 2.2.2.1 255.255.255.0
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route 0.0.0.0 0.0.0.0 2.2.2.2
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
12-14-2021 02:04 AM
Hi there,
If you want the GRE tunnel to form via the IPSec tunnel then you need to update your 'GRE' crypto ACL to permit the traffic between the GRE tunnel endpoints. Delete the existing ACL on HQ and BRANCH and replace it with the following. Also add a dynamic IGP into the mix to advertise routes via the GRE tunnel.
!! HQ !
ip access-list extended GRE
permit gre host 1.1.1.2 host 2.2.2.2
!
ip route 2.2.2.2 0.0.0.0 1.1.1.1
!
router eigrp 1
network 172.16.10.0 0.0.0.255
network 192.168.10.0 0.0.0.255
!
!! BRANCH !
ip access-list extended GRE
permit gre host 2.2.2.2 host 1.1.1.2
!
ip route 1.1.1.2 0.0.0.0 2.2.2.1
!
router eigrp 1
network 172.16.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
!
cheers,
Seb.
12-14-2021 02:17 AM - edited 12-14-2021 02:25 AM
Hello respected sir,
Is it necessary to use dynamic routing while using GRE over IPsec, or what??
I have used static, therefore it didn't work, sir??
Also, the access-list has the host IP of the router interface, why??? I didn't get that.
Please clarify for me; I'm new to this networking field, sir.
12-14-2021 03:10 AM
Hi there,
One of the benefits of using a GRE tunnel is that it can encapsulate multicast traffic; this means it can then be used for carrying IGP traffic. Static routes are fine if you are using contiguous IP addressing at either site, which lends itself to address summarisation. However, if you don't have well-defined addressing at either site then setting up multiple static routes will become an admin overhead. Using an IGP reduces this workload for you.
We change the GRE ACL to list the 'outside' interface IPs at either site, as when GRE packets egress that interface they are identified by the crypto map and sent via the IPSec tunnel.
cheers,
Seb.
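A small checker, added here as an example and not code from the thread, that encodes the point above: on each router the crypto ACL must permit GRE between the tunnel's outer addresses (the IP of the tunnel source interface and the tunnel destination), the crypto map must be applied on that source interface, and its peer must be the tunnel destination. It runs over a constructed excerpt of the OP's HQ config and reports why the original ACL never matches:

```python
# Constructed excerpt of the HQ running config from the thread (the OP's original ACL).
HQ_CONFIG = """\
crypto map adminmap 1 ipsec-isakmp
 set peer 2.2.2.2
 match address GRE
interface Tunnel1
 ip address 172.16.10.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 2.2.2.2
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 crypto map adminmap
ip access-list extended GRE
 permit gre host 192.168.10.2 host 192.168.20.2
"""

def sections(cfg):
    """Group an IOS config into {header line: [its indented sub-lines]}."""
    blocks, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith(" ") and cur is not None:
            blocks[cur].append(line.strip())
        elif line and line != "!":
            cur = line
            blocks[cur] = []
    return blocks

def first(lines, prefix):
    """Last word of the first line starting with prefix, or None."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), None)

def check_gre_over_ipsec(cfg):
    """Return findings; an empty list means crypto ACL, peer and tunnel agree."""
    b = sections(cfg)
    tun = next(v for k, v in b.items() if k.startswith("interface Tunnel"))
    src_if, dst = first(tun, "tunnel source"), first(tun, "tunnel destination")
    phys = b[f"interface {src_if}"]
    src_ip = next(l.split()[2] for l in phys if l.startswith("ip address"))
    cmap_name = first(phys, "crypto map")
    if cmap_name is None:
        return [f"no crypto map applied on tunnel source interface {src_if}"]
    cmap = next(v for k, v in b.items() if k.startswith(f"crypto map {cmap_name} "))
    findings = []
    if first(cmap, "set peer") != dst:
        findings.append(f"peer {first(cmap, 'set peer')} != tunnel destination {dst}")
    acl = first(cmap, "match address")
    wanted = f"permit gre host {src_ip} host {dst}"  # outer GRE header, not LAN hosts
    if wanted not in b.get(f"ip access-list extended {acl}", []):
        findings.append(f"ACL {acl} lacks '{wanted}': GRE leaves {src_if} unencrypted")
    return findings
```

Because the original ACL names the LAN hosts, no GRE packet (outer header 1.1.1.2 to 2.2.2.2) ever matches it, so the tunnel traffic crosses the ISP in the clear; swapping the ACE for `permit gre host 1.1.1.2 host 2.2.2.2` makes the check pass.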
12-14-2021 02:25 AM
In your original configuration, you are using GRE over IPsec so you need to adjust your interested ACL "GRE" accordingly.
<<<HQ>>>
!
ip access-list extended GRE
permit gre host 1.1.1.2 host 2.2.2.2
!
ip route 2.2.2.2 0.0.0.0 1.1.1.1
!
<<<BRANCH>>>
!
ip access-list extended GRE
permit gre host 2.2.2.2 host 1.1.1.2
!
ip route 1.1.1.2 0.0.0.0 2.2.2.1
It is not necessary to use dynamic routing; static routing also works fine.
12-14-2021 02:27 AM
Hello respected sir,
The access-list has the host IP of the router interface, why??? I didn't get it.
Will you help me clarify it?