cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
3515
Views
0
Helpful
2
Replies

Configuring GRE over IPsec

Capturar.PNG

 

Greetings!

 

I´m trying to configure this lab and PC1 can ping Server, but for PC0 to ping server I had to configure a static route (

ip route 10.0.0.0 255.0.0.0 192.168.0.5), but not on PC1  (All routers have EIGRP configured.)

I can´t really understand why. I´ve checked configurations but I must be missing something. 

I´de appreciate any help on understanding what´s happening and why.

I´ve attached the lab if someone wants to give it a try and help me solve this.

 

 

R0:
access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0
0.0.3.255
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
crypto isakmp key vpn-key address 64.102.46.2
crypto isakmp key vpn-key address 64.100.13.2
crypto ipsec transform-set R0_SET esp-aes esp-sha-hmac
crypto map R0_MAP 101 ipsec-isakmp
set peer 64.102.46.2
set peer 64.100.13.2
set transform-set R0_SET
match address 101
interface serial 0/0/0
crypto map R0_MAP

 

interface tunnel 0
ip address 192.168.0.1 255.255.255.252
tunnel source serial 0/0/0
tunnel destination 64.100.13.2
tunnel mode gre ip

 

interface tunnel 1
ip address 192.168.0.5 255.255.255.252
tunnel source serial 0/0/0
tunnel destination 64.102.46.2
tunnel mode gre ip

ip route 172.16.0.0 255.255.252.0 192.168.0.2
ip route 172.16.4.0 255.255.252.0 192.168.0.6


R3:
access-list 101 permit ip 172.16.4.0 0.0.3.255 10.0.0.0 0.255.255.255
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
crypto isakmp key vpn-key address 209.165.118.1
crypto ipsec transform-set R4-SET esp-aes esp-sha-hmac
crypto map R4_MAP 101 ipsec-isakmp
set peer 209.165.118.1
set transform-set R4-SET
match address 101
interface serial 0/0/0
crypto map R4_MAP

 

interface tunnel 1
ip address 192.168.0.6 255.255.255.252
tunnel source serial 0/0/0
tunnel destination 209.165.118.1
tunnel mode gre ip

 

ip route 10.0.0.0 255.0.0.0 192.168.0.5


R4:
access-list 101 permit ip 172.16.0.0 0.0.3.255 10.0.0.0 0.255.255.255
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
crypto isakmp key vpn-key address 209.165.118.1
crypto ipsec transform-set R3-SET esp-aes esp-sha-hmac
crypto map R3_MAP 101 ipsec-isakmp
set peer 209.165.118.1
set transform-set R3-SET
match address 101
interface serial 0/0/0
crypto map R3_MAP

interface tunnel 0
ip address 192.168.0.2 255.255.255.252
tunnel source serial 0/0/0
tunnel destination 209.165.118.1
tunnel mode gre ip

 

1 ACCEPTED SOLUTION

Accepted Solutions
Rob Ingram
VIP Mentor

@bruno.machado.Mac 

I don't have packet-tracer to check your full configuration, you say you've got EIGRP configured on all routers, is the traffic being routed unencrypted?

 

Check "show crypto ipsec sa" on R0 and confirm there are active SAs to R4 and the counters encaps|decpas increase when PC1 pings the server.

 

It could also potentially be that because your crypto ACL permits "ip" from the local networks, traffic is being encrypted over the crypto map without being sent over the tunnel interface. Again the "show crypto ipsec sa" would confirm the traffic selectors, provide the output for further review.

 

 

View solution in original post

2 REPLIES 2
Rob Ingram
VIP Mentor

@bruno.machado.Mac 

I don't have packet-tracer to check your full configuration, you say you've got EIGRP configured on all routers, is the traffic being routed unencrypted?

 

Check "show crypto ipsec sa" on R0 and confirm there are active SAs to R4 and the counters encaps|decpas increase when PC1 pings the server.

 

It could also potentially be that because your crypto ACL permits "ip" from the local networks, traffic is being encrypted over the crypto map without being sent over the tunnel interface. Again the "show crypto ipsec sa" would confirm the traffic selectors, provide the output for further review.

 

 

View solution in original post

Hi Rob.

 

Thank´s mate!

I must have had a misconfigured netmask and crytpo map missplaced. I now can ping from PC0.

I also checked isakmp sa and an association wasn´t built successfuly between R3 and R0 even though it was using the tunnel (very odd).

 

R0#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

64.100.13.2 209.165.118.1 QM_IDLE 1026 0 ACTIVE

 

R4#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

209.165.118.1 64.100.13.2 QM_IDLE 1062 0 ACTIVE

 

R3#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

209.165.118.1 64.102.46.2 QM_IDLE 1073 0 ACTIVE

 

(PC0)

C:\>tracert 10.0.0.2

 

Tracing route to 10.0.0.2 over a maximum of 30 hops:

 

1 0 ms 0 ms 0 ms 172.16.4.1

2 8 ms 3 ms 15 ms 192.168.0.5

3 3 ms 11 ms 19 ms 10.0.0.2

 

(PC1)

C:\>tracert 10.0.0.2

 

Tracing route to 10.0.0.2 over a maximum of 30 hops:

 

1 0 ms 0 ms 0 ms 172.16.0.1

2 3 ms 10 ms 11 ms 192.168.0.1

3 9 ms 8 ms 9 ms 10.0.0.2

 

Create
Recognize Your Peers
Polls
Which of these topics should we host an event in the Community?

Top Choice: pxGrid (35%)

Content for Community-Ad