Tunnel using GRE with IPSec

zulqurnain
Level 3

Hi All,

It's stupid to ask, but I want to clear it out.

As the title says, we are configuring it between one remote location and HO, no problem with that. But if I want to do it with all the remote offices, would it create new tunnels between these new remote offices and HO, or can the one I created initially between the first remote location and HO, that same one, be used to establish the tunnels with the rest of the remote locations?

7 Replies

jackyoung
Level 6

As far as I know, you have to create individual tunnels between HO and the remote offices, like a hub-and-spoke design.

Sample here :

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

Hope this helps.

Thanks for the links, the configuration works perfectly and I can ping the tunnel interfaces and the external interface ends of R1 and R2 from one another. But I have a problem: I cannot ping the local interface of R1, or vice versa.

ilya.varlashkin
Level 3

Hi,

DMVPN is there for exactly such scenarios. You'll configure multipoint GRE (mGRE) at hub site and either point-to-point (if you don't want spokes to communicate directly) or multipoint GRE (if you'd like direct communication between spokes dynamically exchanged) at spoke sites.

There are several good documents on DMVPN at CCO (check http://www.cisco.com/application/pdf/en/us/guest/netsol/ns130/c649/ccmigration_09186a0080685cc2.pdf and then http://www.cisco.com/go/srnd/).

I've tested it recently and it really saves a lot of work for connecting new sites.

Hi,

Thanks, I got what you are saying, but I would like to add something here: if I remove the GRE and IPsec from both R1 and R2, I can ping the local interface of R2 from router R1's external or tunnel interface. So I think it has to do with either the access list or routing. Please advise.

It's very likely a tunnel config problem. Did you configure GRE and IPsec as p2p on both sides, or have you gone the DMVPN way? In the latter case, make sure that NHRP is correctly configured. Could you post your configs somewhere (only the relevant parts, but from both sides)?

There you go, I am attaching both configs.

The destination address of the tunnel should be the address used on the source interface (Ethernet) of the opposite side, but you've specified the address assigned to the remote tunnel interface itself. Changing the destination should fix the problem.

Besides, the configuration can be simpler if you use IPsec as tunnel protection instead of crypto maps on the Ethernet interface. Here is an example:

! this part is the same as you have
crypto isakmp policy 1
 authentication pre-share
! wildcard peer address: the same pre-shared key is accepted from any peer
crypto isakmp key bitesandbytes address 0.0.0.0
!
! 3DES and MD5 are what this example uses; both are deprecated today, so on
! current IOS prefer AES and a SHA-2 HMAC in the same transform-set structure
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
! use profile instead of crypto map
crypto ipsec profile vpn-profile
 ! 120 s is a very short SA lifetime (rekey every two minutes); fine for a lab
 set security-association lifetime seconds 120
 set transform-set strong
!
! Apply profile to tunnel
interface Tunnel0
 bandwidth 100000
 ip address 1.1.1.1 255.255.255.0
 tunnel source GigabitEthernet0/1
 ! the destination must be the peer's physical address (the address on the
 ! peer's tunnel source interface), not the peer's tunnel interface address
 tunnel destination
 tunnel protection ipsec profile vpn-profile
!

So you don't have to worry about an ACL for selecting the traffic to put through IPsec. The 'bandwidth' command is desirable if you're running a routing protocol over the tunnel; it will result in a more accurate metric.

Once you have this running, with only a few more changes you can transform it to DMVPN and provision only the remote offices, with no extra changes at the hub site.

Hope this helps.
