Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
911
Views
0
Helpful
7
Replies

GRE OVER IPSEC

arshad_cisco86
Level 1
Level 1

‎08-18-2015 02:50 AM - edited ‎02-21-2020 08:24 PM

 

A). two router (R1&R2) connected through firewall /

B).GRE over ipsec configuration has been configured on both router .

c).Acls have been created on the R1 router to see the debug traffic .

access-list 101 permit esp any any

access-list 101 permit gre any any

debug ip packets detail 101

 

Q.1.sh crypto ipsec sa - it is showing me local and remote traffic with GRE protocol instead of ESP protocol . 

2.debug ip packets detail 101 - showing me GRE packets instead of ESP

Labels:
0 Helpful
7 Replies 7

Kanwaljeet Singh
Cisco Employee
Cisco Employee

‎08-18-2015 01:11 PM

Hi Arshad,

Could you please share the outputs and configurations done?

Regards,

Kanwal

Note: Please mark answers if they are helpful.

0 Helpful

arshad_cisco86
Level 1
Level 1
In response to Kanwaljeet Singh

‎08-19-2015 05:33 AM

One site configuration is :-Plz check and advice .....for further

access-list 100 permit gre host 192.168.2.1 host 192.168.1.1
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 exit
crypto isakmp key cisco address 192.168.1.1

crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
 exit


crypto map cryptomap 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set esp-3des-md5
 match address 100
 exit


interface FastEthernet0/0
 crypto map cryptomap
 exit

 
0 Helpful

Peter Koltl
Level 7
Level 7
In response to arshad_cisco86

‎08-21-2015 11:46 AM

Use transport mode in the transform-set

0 Helpful

arshad_cisco86
Level 1
Level 1
In response to Peter Koltl

‎08-25-2015 03:46 AM

crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
 mode transport
exit
 
for more details, Plz find the enclosed attachment snap-shot
P#show crypto ipsec sa
 
Still showing protocol 47 instead of ip protocol 50 .
 
 
Regards
Arshad Ayub
 
 
 
Preview file
128 KB
0 Helpful

Peter Koltl
Level 7
Level 7
In response to arshad_cisco86

‎08-29-2015 03:10 AM

There is nothing wrong with the show crypto output . It shows the passenger info GRE (IP/47) as intended.

Passenger2 packets are encapsulated into GRE packets.

GRE packets (passenger1 and carrier2) are encapsulated into IPsec packets.

IPsec packets (carrier1) are sent over L2.

 

show crypto ipsec commands' SA info always shows the negotiated passenger IP subnets and protocol

0 Helpful

Peter Koltl
Level 7
Level 7
In response to Peter Koltl

‎08-30-2015 12:58 PM

OK, transport mode does not entirely encapsulates the full GRE packet but the point remains valid.

0 Helpful

arshad_cisco86
Level 1
Level 1
In response to Peter Koltl

‎09-07-2015 11:35 PM

Hi Peter ,

 

plz describe in detail

 Just i started CCIE Security by my self ,.......

 

Regards

Arshad Ayub

 

 

 

 
0 Helpful
Customers Also Viewed These Support Documents