Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5997
Views
0
Helpful
2
Replies

Configuring GRE over IPsec

Go to solution
bruno.machado.Mac
Level 1
Level 1

‎09-23-2021 08:57 AM

Capturar.PNG

 

Greetings!

 

I´m trying to configure this lab and PC1 can ping Server, but for PC0 to ping server I had to configure a static route (

ip route 10.0.0.0 255.0.0.0 192.168.0.5), but not on PC1  (All routers have EIGRP configured.)

I can´t really understand why. I´ve checked configurations but I must be missing something. 

I´de appreciate any help on understanding what´s happening and why.

I´ve attached the lab if someone wants to give it a try and help me solve this.

 

 

R0:
access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0
0.0.3.255
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
crypto isakmp key vpn-key address 64.102.46.2
crypto isakmp key vpn-key address 64.100.13.2
crypto ipsec transform-set R0_SET esp-aes esp-sha-hmac
crypto map R0_MAP 101 ipsec-isakmp
set peer 64.102.46.2
set peer 64.100.13.2
set transform-set R0_SET
match address 101
interface serial 0/0/0
crypto map R0_MAP

 

interface tunnel 0
ip address 192.168.0.1 255.255.255.252
tunnel source serial 0/0/0
tunnel destination 64.100.13.2
tunnel mode gre ip

 

interface tunnel 1
ip address 192.168.0.5 255.255.255.252
tunnel source serial 0/0/0
tunnel destination 64.102.46.2
tunnel mode gre ip

ip route 172.16.0.0 255.255.252.0 192.168.0.2
ip route 172.16.4.0 255.255.252.0 192.168.0.6


R3:
access-list 101 permit ip 172.16.4.0 0.0.3.255 10.0.0.0 0.255.255.255
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
crypto isakmp key vpn-key address 209.165.118.1
crypto ipsec transform-set R4-SET esp-aes esp-sha-hmac
crypto map R4_MAP 101 ipsec-isakmp
set peer 209.165.118.1
set transform-set R4-SET
match address 101
interface serial 0/0/0
crypto map R4_MAP

 

interface tunnel 1
ip address 192.168.0.6 255.255.255.252
tunnel source serial 0/0/0
tunnel destination 209.165.118.1
tunnel mode gre ip

 

ip route 10.0.0.0 255.0.0.0 192.168.0.5


R4:
access-list 101 permit ip 172.16.0.0 0.0.3.255 10.0.0.0 0.255.255.255
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
crypto isakmp key vpn-key address 209.165.118.1
crypto ipsec transform-set R3-SET esp-aes esp-sha-hmac
crypto map R3_MAP 101 ipsec-isakmp
set peer 209.165.118.1
set transform-set R3-SET
match address 101
interface serial 0/0/0
crypto map R3_MAP

interface tunnel 0
ip address 192.168.0.2 255.255.255.252
tunnel source serial 0/0/0
tunnel destination 209.165.118.1
tunnel mode gre ip

 

Labels:
GRE over IPsec.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎09-23-2021 09:18 AM

@bruno.machado.Mac 

I don't have packet-tracer to check your full configuration, you say you've got EIGRP configured on all routers, is the traffic being routed unencrypted?

 

Check "show crypto ipsec sa" on R0 and confirm there are active SAs to R4 and the counters encaps|decpas increase when PC1 pings the server.

 

It could also potentially be that because your crypto ACL permits "ip" from the local networks, traffic is being encrypted over the crypto map without being sent over the tunnel interface. Again the "show crypto ipsec sa" would confirm the traffic selectors, provide the output for further review.

 

 

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎09-23-2021 09:18 AM

@bruno.machado.Mac 

I don't have packet-tracer to check your full configuration, you say you've got EIGRP configured on all routers, is the traffic being routed unencrypted?

 

Check "show crypto ipsec sa" on R0 and confirm there are active SAs to R4 and the counters encaps|decpas increase when PC1 pings the server.

 

It could also potentially be that because your crypto ACL permits "ip" from the local networks, traffic is being encrypted over the crypto map without being sent over the tunnel interface. Again the "show crypto ipsec sa" would confirm the traffic selectors, provide the output for further review.

 

 

0 Helpful

Go to solution
bruno.machado.Mac
Level 1
Level 1
In response to Rob Ingram

‎09-23-2021 11:39 AM

Hi Rob.

 

Thank´s mate!

I must have had a misconfigured netmask and crytpo map missplaced. I now can ping from PC0.

I also checked isakmp sa and an association wasn´t built successfuly between R3 and R0 even though it was using the tunnel (very odd).

 

R0#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

64.100.13.2 209.165.118.1 QM_IDLE 1026 0 ACTIVE

 

R4#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

209.165.118.1 64.100.13.2 QM_IDLE 1062 0 ACTIVE

 

R3#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

209.165.118.1 64.102.46.2 QM_IDLE 1073 0 ACTIVE

 

(PC0)

C:\>tracert 10.0.0.2

 

Tracing route to 10.0.0.2 over a maximum of 30 hops:

 

1 0 ms 0 ms 0 ms 172.16.4.1

2 8 ms 3 ms 15 ms 192.168.0.5

3 3 ms 11 ms 19 ms 10.0.0.2

 

(PC1)

C:\>tracert 10.0.0.2

 

Tracing route to 10.0.0.2 over a maximum of 30 hops:

 

1 0 ms 0 ms 0 ms 172.16.0.1

2 3 ms 10 ms 11 ms 192.168.0.1

3 9 ms 8 ms 9 ms 10.0.0.2

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents