
GRE OVER IPSEC

arshad_cisco86
Level 1

 

A) Two routers (R1 & R2) connected through a firewall.

B) GRE over IPsec has been configured on both routers.

C) ACLs have been created on the R1 router to see the debug traffic.

access-list 101 permit esp any any

access-list 101 permit gre any any

debug ip packet 101 detail

 

Q1. sh crypto ipsec sa - it is showing me local and remote traffic with the GRE protocol instead of the ESP protocol.

Q2. debug ip packets detail 101 - it is showing me GRE packets instead of ESP.


Kanwaljeet Singh
Cisco Employee

Hi Arshad,

Could you please share the outputs and configurations done?

Regards,

Kanwal

Note: Please mark answers if they are helpful.

One site's configuration is below. Please check and advise further.

access-list 100 permit gre host 192.168.2.1 host 192.168.1.1
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 exit
crypto isakmp key cisco address 192.168.1.1

crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
 exit


crypto map cryptomap 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set esp-3des-md5
 match address 100
 exit


interface FastEthernet0/0
 crypto map cryptomap
 exit

 

Use transport mode in the transform-set

crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
 mode transport
exit
 
For more details, please find the enclosed attachment snapshot.
P#show crypto ipsec sa

Still showing protocol 47 instead of IP protocol 50.

Regards
Arshad Ayub


There is nothing wrong with the show crypto output. It shows the passenger info, GRE (IP/47), as intended.

Passenger2 packets are encapsulated into GRE packets.

GRE packets (passenger1 and carrier2) are encapsulated into IPsec packets.

IPsec packets (carrier1) are sent over L2.

The show crypto ipsec commands' SA info always shows the negotiated passenger IP subnets and protocol.

OK, transport mode does not entirely encapsulate the full GRE packet, but the point remains valid.
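The layering described in the reply above, built byte by byte so the two views can be compared directly. This is an added example for this thread, not code from any poster or from Cisco. The peer addresses 192.168.2.1 / 192.168.1.1 and the crypto ACL (access-list 100 permit gre host 192.168.2.1 host 192.168.1.1) are taken from the configuration posted earlier; the passenger hosts 10.0.0.2 / 10.0.0.1, the SPI and the sequence number are assumptions. ESP is left unencrypted and without an ICV so the layers stay inspectable. The point it shows: the packet the crypto ACL classifies (and that show crypto ipsec sa reports) is the GRE carrier, IP protocol 47, while the packet on the wire is ESP, IP protocol 50, with 47 recorded only in the ESP trailer's next-header byte. It also shows why the transform-set suggestion of mode transport matters for GRE: transport mode saves the 20-byte second IP header that tunnel mode adds.

```python
"""GRE over IPsec, built layer by layer.

Added example for this thread, not code from any poster or from Cisco.
Peer addresses 192.168.2.1 / 192.168.1.1 and the crypto ACL come from the
configuration in the thread; the passenger hosts 10.0.0.2 / 10.0.0.1,
the SPI and the sequence number are assumed. ESP is left unencrypted and
without an ICV so that the layering stays readable.
"""
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4    # ESP next-header value for a whole IPv4 packet (tunnel mode)
IPPROTO_GRE = 47
IPPROTO_ESP = 50


def _csum16(data):
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid IPv4 header."""
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _csum16(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:])


def gre_encapsulate(passenger, tunnel_src, tunnel_dst):
    """Passenger IP packet -> GRE (flags 0, protocol type 0x0800) -> carrier IP, protocol 47."""
    gre = struct.pack("!HH", 0, 0x0800) + passenger
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre)) + gre


def esp_encapsulate(pkt, spi, seq, mode):
    """Wrap an IP packet in ESP (protocol 50) in 'transport' or 'tunnel' mode.

    transport: the original IP header is kept, ESP carries only its payload and
               the ESP trailer's next-header byte records its protocol (47 for GRE).
    tunnel:    a new IP header is built between the same endpoints, ESP carries
               the whole original packet and next-header is 4 (IPv4).
    """
    src, dst, proto, payload = parse_ipv4(pkt)
    if mode == "transport":
        body, next_hdr = payload, proto
    elif mode == "tunnel":
        body, next_hdr = pkt, IPPROTO_IPIP
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    pad_len = (-(len(body) + 2)) % 4          # ESP trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))    # RFC 4303 default padding pattern
    esp = (struct.pack("!II", spi, seq) + body + padding
           + struct.pack("!BB", pad_len, next_hdr))
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def crypto_acl_100_matches(pkt):
    """'access-list 100 permit gre host 192.168.2.1 host 192.168.1.1' from the thread,
    applied to the packet as the crypto map sees it, i.e. before encryption."""
    src, dst, proto, _ = parse_ipv4(pkt)
    return proto == IPPROTO_GRE and src == "192.168.2.1" and dst == "192.168.1.1"


def build_stack(mode="transport"):
    """Return every layer for one constructed passenger packet (10.0.0.2 -> 10.0.0.1, ICMP echo)."""
    passenger = ipv4_header("10.0.0.2", "10.0.0.1", IPPROTO_ICMP, 8) + b"\x08\x00" + b"\x00" * 6
    gre_pkt = gre_encapsulate(passenger, "192.168.2.1", "192.168.1.1")
    esp_pkt = esp_encapsulate(gre_pkt, spi=0x1000, seq=1, mode=mode)
    return {"passenger": passenger, "gre": gre_pkt, "esp": esp_pkt}


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        layers = build_stack(mode)
        for name, pkt in layers.items():
            src, dst, proto, _ = parse_ipv4(pkt)
            print(f"{mode:9} {name:9} {src:>12} -> {dst:<12} proto {proto:2} len {len(pkt):3}"
                  f"  acl100={'match' if crypto_acl_100_matches(pkt) else 'no match'}")
```

Running it prints one line per layer for each mode: the GRE layer is the only one access-list 100 matches, the ESP layer always carries protocol 50 between the same peers, and the tunnel-mode packet is exactly 20 bytes longer than the transport-mode one because it repeats the 192.168.2.1 -> 192.168.1.1 header that GRE already supplies.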

Hi Peter ,

 

Please describe in detail.

I have just started CCIE Security by myself.

 

Regards

Arshad Ayub