07-26-2016 05:39 AM - edited 02-21-2020 08:54 PM
Hi All,
I am trying to create a GRE over IPsec tunnel. I am able to get OSPF neighbors peered through the GRE tunnel, but when traffic is sent through the GRE tunnel it is not encrypted and is transmitted in clear text, despite sourcing it from the loopback interfaces.
Below are my configs.
R1 config
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key test address 192.168.1.2
crypto ipsec transform-set test esp-aes esp-sha-hmac
crypto map test local-address Ethernet0/0
crypto map test 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set test
match address GRE
ip access-list extended GRE
permit gre 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
interface Ethernet0/0
no switchport
ip address 192.168.1.1 255.255.255.0
crypto map test
interface Loopback0
ip address 10.0.10.1 255.255.255.0
ip ospf 1 area 0
interface Tunnel1
ip address 10.0.100.2 255.255.255.0
ip ospf 1 area 0
tunnel source Ethernet0/0
tunnel destination 192.168.1.2
end
-----------------------------------------------------------
R2 config
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key test address 192.168.1.1
!
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
!
!
crypto map test local-address Ethernet0/0
crypto map test 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set test
match address GR
!
ip access-list extended GR
permit gre 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
interface Ethernet0/0
no switchport
ip address 192.168.1.2 255.255.255.0
crypto map test
interface Loopback0
ip address 10.0.20.1 255.255.255.0
ip ospf 1 area 0
interface Tunnel1
ip address 10.0.100.1 255.255.255.0
ip ospf 1 area 0
tunnel source Ethernet0/0
tunnel destination 192.168.1.1
end
-------------------------------------------
07-26-2016 07:25 PM
Hi,
With the p2p GRE over IPsec solution, all traffic between sites is encapsulated in a p2p GRE packet before the encryption process.
More info on this link:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/P2P_GRE/2_p2pGRE_Phase2.html
Regards,
Aditya
Please rate helpful posts and mark correct answers.
07-26-2016 06:49 AM
Crypto maps are the legacy way of applying IPSEC encryption. You should create an IPSEC profile and apply it to the GRE tunnel using the "tunnel protection" command.
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key test address 192.168.1.2
crypto ipsec transform-set test esp-aes esp-sha-hmac
crypto ipsec profile my-ipsec-profile
set transform-set test
interface Tunnel1
tunnel protection ipsec profile my-ipsec-profile
07-26-2016 12:12 PM
Thanks Greg for your reply.
If I apply the IPsec profile on the tunnel interface, I believe data is first encrypted and then the GRE headers/encapsulation are added, which will work but is not the best way (IPsec over GRE).
I would rather encrypt data after GRE encapsulation (GRE over IPsec).
Kind Regards
Anal Prasad
07-28-2016 01:38 AM
Thanks Aditya for your reply and the link. After having a look at the documentation I was able to figure out the issue with my current setup: my GRE access list was not correct.
I had to change it to the below.
R1
ip access-list extended GRE
permit gre host 192.168.1.1 host 192.168.1.2
R2
ip access-list extended GR
permit gre host 192.168.1.2 host 192.168.1.1
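As an added illustration that is not part of the thread, the following Python models why the original crypto ACL never matched: on R1 the packet is GRE-encapsulated by Tunnel1 before the crypto map on Ethernet0/0 evaluates it, so the ACL is compared against the outer header (tunnel source/destination 192.168.1.1 -> 192.168.1.2), not the loopback addresses. The function and class names are hypothetical; the addresses and ACL entries are the ones from the configs above.

```python
import ipaddress
from dataclasses import dataclass
GRE_PROTO = 47  # IP protocol number of GRE

@dataclass
class IPv4Packet:
    src: str
    dst: str
    proto: int             # 1 = ICMP, 47 = GRE, 89 = OSPF
    payload: object = None

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Tunnel1: wrap the packet in a new IP/GRE header addressed tunnel src -> dst."""
    return IPv4Packet(tunnel_src, tunnel_dst, GRE_PROTO, inner)

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)

def parse_ace(line):
    """Parse 'permit gre <src> <dst>'; each side is 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = line.split()
    def side(i):                       # returns (network, wildcard), next index
        if tok[i] == "host":
            return (tok[i + 1], "0.0.0.0"), i + 2
        return (tok[i], tok[i + 1]), i + 2
    src, i = side(2)
    dst, _ = side(i)
    return src, dst

def crypto_acl_matches(ace, pkt):
    """The crypto map on Ethernet0/0 evaluates only the packet it is handed."""
    (src_net, src_wc), (dst_net, dst_wc) = parse_ace(ace)
    return (pkt.proto == GRE_PROTO
            and wildcard_match(pkt.src, src_net, src_wc)
            and wildcard_match(pkt.dst, dst_net, dst_wc))

def leaves_encrypted(ace, inner):
    """R1's egress path: GRE encapsulation first, then the crypto ACL check."""
    outer = gre_encapsulate(inner, "192.168.1.1", "192.168.1.2")
    return crypto_acl_matches(ace, outer)

# Constructed sample: a ping from R1 Loopback0 to R2 Loopback0, and both ACLs.
LOOPBACK_PING = IPv4Packet("10.0.10.1", "10.0.20.1", 1)
ORIGINAL_ACE = "permit gre 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255"
FIXED_ACE = "permit gre host 192.168.1.1 host 192.168.1.2"
```

With the original entry `leaves_encrypted` returns False (the outer header is 192.168.1.x, so the packet goes out in clear text); with the corrected host entry it returns True.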