GRE over IPSEC

aprasad11
Level 1

Hi All,

I am trying to create a GRE over IPsec tunnel. I am able to get OSPF neighbors peered through the GRE tunnel, but when traffic is sent through the GRE tunnel it is not encrypted and is transmitted in clear text, despite sourcing it from the loopback interfaces.

Below is my config.


R1 config

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key test address 192.168.1.2
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
crypto map test local-address Ethernet0/0
crypto map test 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set test
 match address GRE
!
! Crypto ACL as originally posted: it names the loopback subnets, which
! only exist inside the GRE payload and never appear in the GRE outer header
ip access-list extended GRE
 permit gre 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
!
interface Ethernet0/0
 no switchport
 ip address 192.168.1.1 255.255.255.0
 crypto map test
!
interface Loopback0
 ip address 10.0.10.1 255.255.255.0
 ip ospf 1 area 0
!
interface Tunnel1
 ip address 10.0.100.2 255.255.255.0
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 ! the peer's (R2) Ethernet0/0 address
 tunnel destination 192.168.1.2
end

-----------------------------------------------------------
R2 config

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key test address 192.168.1.1
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
crypto map test local-address Ethernet0/0
crypto map test 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set test
 match address GR
!
! Crypto ACL as originally posted (mirror of R1's GRE ACL): again it names
! the loopback subnets, which never appear in the GRE outer header
ip access-list extended GR
 permit gre 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
!
interface Ethernet0/0
 no switchport
 ip address 192.168.1.2 255.255.255.0
 crypto map test
!
interface Loopback0
 ip address 10.0.20.1 255.255.255.0
 ip ospf 1 area 0
!
interface Tunnel1
 ip address 10.0.100.1 255.255.255.0
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 ! the peer's (R1) Ethernet0/0 address
 tunnel destination 192.168.1.1
end

-------------------------------------------


4 Replies

Greg Smalley
Level 1

Crypto maps are the legacy way of applying IPsec encryption. You should create an IPsec profile and apply it to the GRE tunnel using the "tunnel protection" command.

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key test address 192.168.1.2
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
! the profile replaces the crypto map on Ethernet0/0; configure it on both routers
crypto ipsec profile my-ipsec-profile
 set transform-set test
!
interface Tunnel1
 tunnel protection ipsec profile my-ipsec-profile

Thanks, Greg, for your reply.

If I apply an IPsec profile on the tunnel interface, I believe the data is first encrypted and then the GRE headers/encapsulation are added, which will work but is not the best way (IPsec over GRE).

I would encrypt the data after GRE encapsulation (GRE over IPsec).

Kind Regards

Anal Prasad

Hi,

With the p2p GRE over IPsec solution, all traffic between sites is encapsulated in a p2p GRE packet before the encryption process.

More info on this link:

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/P2P_GRE/2_p2pGRE_Phase2.html

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Thanks, Aditya, for your reply and the link. After having a look at the documentation I was able to figure out the issue with my current setup. The issue was that my GRE access list was not correct.

I had to change it to the below.

R1

ip access-list extended GRE
 permit gre host 192.168.1.1 host 192.168.1.2

R2

ip access-list extended GR
 permit gre host 192.168.1.2 host 192.168.1.1
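The fix at the end of the thread turns on one fact: a crypto map applied to Ethernet0/0 evaluates its ACL against the packet as it leaves that interface, which for tunnel traffic is the GRE packet Tunnel1 has already built. That packet's outer header carries the tunnel source and destination (192.168.1.1 and 192.168.1.2) and protocol 47; the loopback and OSPF addresses are inside the GRE payload, so an ACL naming 10.0.10.0/24 and 10.0.20.0/24 can never match and the GRE packets leave in clear text. The Python model below is an added example, not code from the thread or from Cisco. It assumes the IOS behaviour just described (ACL evaluated post-encapsulation, tunnel-mode ESP adding a fresh outer header between the same two peers), walks R1's original and corrected ACLs over constructed inner packets, and shows which outer protocol a capture on Ethernet0/0 would see. All helper names (`Packet`, `Ace`, `on_wire`, `build_ipv4_header`) and the sample packets are constructed for this example.

```python
"""
Added model of crypto-map ACL selection for GRE over IPsec (not from the thread).
Assumed IOS behaviour: the crypto map on Ethernet0/0 sees the GRE packet that
Tunnel1 produced (outer src/dst = tunnel source/destination, protocol 47); the
loopback and OSPF addresses sit inside the GRE payload and never reach the ACL.
"""
from dataclasses import dataclass
import ipaddress
import struct

PROTO_ICMP, PROTO_GRE, PROTO_ESP, PROTO_OSPF = 1, 47, 50, 89


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class Ace:
    """One 'permit <proto> <src> <wild> <dst> <wild>' entry; wildcard 0.0.0.0 is 'host'."""
    proto: int
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wild_match(addr: str, base: str, wild: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~_ip(wild) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (pkt.proto == ace.proto
            and wild_match(pkt.src, ace.src, ace.src_wild)
            and wild_match(pkt.dst, ace.dst, ace.dst_wild))


def acl_permits(acl: list, pkt: Packet) -> bool:
    """Permit-only crypto ACL: any matching entry selects the packet, otherwise implicit deny."""
    return any(ace_matches(ace, pkt) for ace in acl)


def gre_encapsulate(inner: Packet, tun_src: str, tun_dst: str) -> Packet:
    """Tunnel1 wraps the inner packet; only this new outer header reaches the crypto map."""
    return Packet(tun_src, tun_dst, PROTO_GRE)


def on_wire(acl: list, inner: Packet, tun_src: str, tun_dst: str) -> Packet:
    """Outer header seen on Ethernet0/0: ESP if the ACL selected the GRE packet, else clear GRE."""
    outer = gre_encapsulate(inner, tun_src, tun_dst)
    if acl_permits(acl, outer):
        # tunnel-mode ESP adds a fresh outer header between the same peers (local-address Ethernet0/0)
        return Packet(tun_src, tun_dst, PROTO_ESP)
    return outer


def ipv4_checksum(data: bytes) -> int:
    """RFC 791 header checksum; evaluates to 0 over a header that already contains its checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(pkt: Packet, payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header, so the protocol byte a capture would show can be inspected."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, pkt.proto, 0,
                      ipaddress.IPv4Address(pkt.src).packed, ipaddress.IPv4Address(pkt.dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_protocol(frame: bytes) -> int:
    """The byte a capture filter such as 'ip proto 47' or 'ip proto 50' keys on."""
    return frame[9]


# R1's crypto ACL as originally posted, and as corrected at the end of the thread.
ORIGINAL_ACL = [Ace(PROTO_GRE, "10.0.10.0", "0.0.0.255", "10.0.20.0", "0.0.0.255")]
CORRECTED_ACL = [Ace(PROTO_GRE, "192.168.1.1", "0.0.0.0", "192.168.1.2", "0.0.0.0")]
R1_TUN_SRC, R1_TUN_DST = "192.168.1.1", "192.168.1.2"

# Constructed inner packets R1 sends into Tunnel1 (illustrative, not captured from the poster's lab).
INNER_PACKETS = {
    "OSPF hello": Packet("10.0.100.2", "224.0.0.5", PROTO_OSPF),
    "loopback ping": Packet("10.0.10.1", "10.0.20.1", PROTO_ICMP),
}


def main() -> None:
    for acl_name, acl in (("original ACL", ORIGINAL_ACL), ("corrected ACL", CORRECTED_ACL)):
        for label, inner in INNER_PACKETS.items():
            outer = on_wire(acl, inner, R1_TUN_SRC, R1_TUN_DST)
            proto = parse_ipv4_protocol(build_ipv4_header(outer))
            state = "ESP (encrypted)" if proto == PROTO_ESP else "GRE in clear text"
            print(f"{acl_name:13} {label:13} -> {outer.src} > {outer.dst} proto {proto}: {state}")


if __name__ == "__main__":
    main()
```

Run as-is and the original ACL leaves both the OSPF hellos and the loopback ping as protocol 47 in clear text, while the corrected host-to-host ACL turns both into protocol 50. On a real router the equivalent checks are the `#pkts encaps` counter in `show crypto ipsec sa` staying at zero with the original ACL, or a capture on Ethernet0/0 filtered to `ip proto 47` versus `ip proto 50`. Note also that the inner subnets need no entries in the crypto ACL at all: whatever is routed into Tunnel1 is protected once the single GRE entry matches.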