06-20-2011 11:11 PM - edited 02-21-2020 05:24 PM
Hey Guys
I am struggling with an issue at the moment and was hoping to get an answer from someone who has done this type of thing before.
Here is a general outline of what I am trying to achieve
The Remote office needs to connect to the IPSEC router in a secure gateway environment (due to restrictions) - This part is working fine
The Remote office then needs to establish a GRE tunnel to the Anchor router behind the ipsec router
The problem is, the remote router is running a 3G wireless connection that has a dynamic IP address allocated to it. Since you need a source and destination address to bring up a GRE tunnel, this seems impossible.
Could I use NHRP or VTIs to get this to work?
If you need any more information, just ask.
Cheers
Cameron
Message was edited by: Cameron Prior
I have also attached a larger picture.
06-21-2011 05:41 AM
Hey Cameron,
I use DMVPN to establish VPN tunnels with remote dynamic addressing clients. In my setup as I understand it, only the "HUB" needs a static address.
Also, you may want to look at IPsec over GRE if you are trying to establish two tunnels on that remote client. Keep in mind older IOS does not support IPsec over GRE, only GRE over IPsec.
Hope this helps
Frank
06-21-2011 10:16 AM
Cameron, Frank,
Is it required that we terminate IPsec and GRE on HQ side on two separate devices?
If not DMVPN could be a solution as Frank suggests.
If so, dynamic crypto map + RRI on HQ side could be a possibility (with isakmp profile and separate "match" statements if required). And plain GRE ;-)
It's not as elegant as DMVPN but would allow you to terminate GRE and IPsec in two different places.
Marcin
06-21-2011 08:25 PM
Oki Doki
I have managed to work this out using a Dual Tier Headend approach
Basically I created a loopback on the Remote Office Router
I then created a tunnel interface on both Remote and Anchor Routers
I then added some static routes into all three routers to point traffic down the tunnel
Hey Presto it works
Thanks for your help my friends
If anyone would like to see some configs of how I managed to get it to work, just shoot me an email
Cheers
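A sketch of the three steps described in the post above (loopback on the remote router, GRE tunnel interfaces on the remote and anchor routers, static routes on all three), as an added example and not the poster's actual configuration. Every address, the ACL name and the next hops are assumptions, and the existing IPsec configuration is taken as already working.

```cisco
! ===== Remote office router (3G WAN, dynamic public IP) =====
interface Loopback0
 description Fixed GRE endpoint, independent of the 3G-assigned address
 ip address 10.255.0.1 255.255.255.255
!
interface Tunnel0
 description GRE to Anchor router, carried inside the existing IPsec tunnel
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 10.1.1.2
!
! Assumed entry in the ACL referenced by the existing crypto map, so that
! GRE between the two fixed endpoints is always encrypted.
ip access-list extended GRE-OVER-IPSEC
 permit gre host 10.255.0.1 host 10.1.1.2
!
! HQ LAN (assumed 10.10.0.0/16) goes down the GRE tunnel. The tunnel
! destination 10.1.1.2 must NOT match a route via Tunnel0 (recursive
! routing); it follows the existing route out the crypto-mapped 3G interface.
ip route 10.10.0.0 255.255.0.0 Tunnel0
!
! ===== IPsec router (terminates IPsec only) =====
! Return path to the remote loopback via the outside next hop (assumed
! 198.51.100.1) so the packet hits the crypto map. RRI on a dynamic
! crypto map would install an equivalent route automatically.
ip route 10.255.0.1 255.255.255.255 198.51.100.1
!
! ===== Anchor router (terminates GRE only) =====
interface Tunnel0
 description GRE to Remote office loopback
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 10.1.1.2
 tunnel destination 10.255.0.1
!
! Reach the remote loopback through the IPsec router (assumed inside
! address 10.1.1.1), then send the remote LAN (assumed 192.168.50.0/24)
! down the GRE tunnel.
ip route 10.255.0.1 255.255.255.255 10.1.1.1
ip route 192.168.50.0 255.255.255.0 Tunnel0
```

Because the GRE endpoints are the loopback and the anchor address rather than the 3G address, the tunnel definition does not change when the carrier reassigns the public IP; only the IPsec peer address does.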
06-22-2011 04:14 AM
Cameron,
Can I suggest to attach the configs (minus any public IPs/hostnames) to your last post as attachments? :-)
Marcin
06-22-2011 05:50 PM