3661 Views | 35 Helpful | 23 Replies

GRE over IPSEC

AyoubC
Level 1

Hello Sec Gurus, 

I'm running into a solution design misunderstanding and, at the same time, an implementation one.

An ISP suggested the design below to have an internal subnet on the right tunneled back to his MPLS network, back to the main office. To reach the ISP gateway, we have an edge ASA that can establish an IPsec VPN back to the nearest ISP gateway, and I have my GRE built out from the switch back to the gateway GRE interface.

Is this a valid design? How can this be configured in the ASA and the switch?

[topology diagram: AyoubC_1-1662060391930.png]

Thank you !!! 


23 Replies

balaji.bandi
Hall of Fame

I have not implemented this kind of setup, but technically it can be feasible. (What limitation do you see here?)


BB


@AyoubC what device will the GRE tunnel be terminated on (on the left of the diagram)? If you want this GRE tunnel to be encrypted over the ASA-to-router VPN, you need to ensure the traffic from the switch (on the right of the diagram) to its GRE peer is defined in the crypto ACL.

AyoubC
Level 1

Thank you very much for catching that post.

@balaji.bandi 

From the IPsec setup side, it sounds tricky and I don't know what the local subnet / remote subnet could be. The ISP said: "I don't have a remote subnet that I can provide; the only IP I can provide you is the one in blue (192.168.20.55 from the ISP end and 192.168.20.56 from my end)."

@Rob Ingram - from the left I think it's a Cisco router; it will perform both the IPsec and GRE tunnels.

@Rob Ingram but both GRE endpoints are in the same subnet; how can I specify that in the crypto ACL? Should I do something like 192.168.20.56/32 as the local IP and 192.168.20.55/32 as the remote subnet?

Also, do I need an inside IP that belongs to the GRE peer IP subnet?


@AyoubC the 192.168.20.54/32 networks would be the GRE tunnel interface IP addresses? The physical interfaces of the switch and router would be the source of the GRE tunnel and therefore need to be defined in the crypto ACL.

@Rob Ingram thanks for the quick replies. The 192.168.20.5x/30 network represents the GRE tunnel interface IP addresses, as long as they are in the same subnet.

Yes, that was my assumption also, but the ISP said there is no extra subnet to be provided, so I got stuck, as I don't have deep knowledge of GRE.

@Rob Ingram, allow me to ask this question: if you were me, what information would you need to complete that scenario (my side is only the right side of the diagram)?

Two tunnels:
GRE tunnel from MPLS router to L3 SW
IPsec tunnel from MPLS router (other interface) to ASA edge

i.e. don't run an IPsec profile under the GRE tunnel and you will be fine.

@MHM Cisco World I would say I'll also need guidance on the setup.

GRE tunnel from MPLS router to L3 SW - can you please give a setup example for that? (I saw some configs that mention the source interface and destination interface, but the ISP said you won't need that info; how can this be done?)
IPsec tunnel from MPLS router (other interface) to ASA edge - in this section, what will the remote and local subnets be?

i.e. don't run an IPsec profile under the GRE tunnel and you will be fine - how can I avoid that in terms of setup?

OK,
GRE tunnel:
interface Tunnel x
 tunnel source <MPLS Router interface>
 tunnel destination <L3SW>
!
IPsec on the MPLS router interface facing the ASA:
interface <MPLS Router interface>
 crypto map MHM
!
crypto map MHM 10 ipsec-isakmp
 set peer <ASA OUT interface>
 match address <crypto ACL matching the GRE traffic>

Now the MPLS router will encrypt the GRE traffic, but the IPsec will end in the ASA, and from the ASA to the L3SW the traffic is pure GRE.

Hello @MHM Cisco World 

Per my understanding, the setup above is from the ISP side (left side). Based on the topology above, <MPLS Router>=192.168.20.55 and <L3SW>=192.168.20.56? So what could the "interface Tunnel" be now?


[lab diagram: mmmhmhmhmhm.png]

This small lab explains my idea.

In R1 I configure a static route:
ip route 4.4.4.4 255.255.255.255 s3/0

In R2 I configure two static routes:
ip route 1.1.1.1 255.255.255.255 s3/0
ip route 4.4.4.4 255.255.255.255 s3/3

In R4 I configure a static route:
ip route 1.1.1.1 255.255.255.255 s3/3

That's it, and it works.

Thanks @MHM Cisco World. The challenge I have from my end is in the ASA, as I don't think I can use a loopback address to have the tunnel up. Thoughts?

From the crypto map side, I can set the local subnet to be the unique IP "192.168.20.56/32" and the destination subnet "192.168.20.55/32".

[diagram: lklklklklkl.png]
I fully know that the ASA doesn't support Lo;
the Lo and GRE tunnel end in the L3SW, not in the ASA.
In the ASA the IPsec tunnel ends.

AyoubC
Level 1

@MHM Cisco World I went through your reply a couple of times but I still get confused when I try to plot that onto the setup and the input I have in my scenario. I understood from what you mentioned above that you are using site-to-site with VTI in the ASA and you distribute routes via OSPF. I don't have a lot of experience with that and I'm hoping you can zoom with me into the same case I mentioned above.

I want to ask a question: the ISP gave me only its router gateway public IP and the GRE tunnel IP (192.168.20.55/30) (of course along with the VPN phase encryption ...). Do you think that's enough to make the necessary setup from the ASA side?

I don't run VTI.

I run policy-based VPN.

The IPsec tunnel connects the ASA outside to your MPLS router interface; the ACL of the IPsec permits the IPs of the GRE tunnel.

The GRE tunnel is from the L3SW to the MPLS router.
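As an added worked example (not from this thread, the ISP, or Cisco documentation), here is how the two-tunnel design described in the config skeleton and the summary above could be written out on the customer (right-hand) side: the L3 switch owns the GRE tunnel, the ASA runs a policy-based IPsec tunnel whose crypto ACL matches only the GRE packets between the two tunnel sources. The loopback addresses 1.1.1.1 (MPLS router) and 4.4.4.4 (L3SW) are taken from the lab diagram in the thread; the ASA inside address 10.0.0.1, the L3SW address 10.0.0.2, the ACL/map/transform-set names and everything in angle brackets are assumptions or placeholders to be replaced with the values the ISP supplies.

```cisco
! ===== L3 switch (right side): GRE endpoint only, no crypto here =====
! Loopback used as the GRE source (constructed, mirrors 4.4.4.4 in the lab above)
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
! The /30 is the tunnel-interface subnet the ISP gave; 1.1.1.1 is the assumed
! GRE source on the MPLS router (from the lab diagram)
interface Tunnel1
 ip address 192.168.20.56 255.255.255.252
 tunnel source Loopback0
 tunnel destination 1.1.1.1
 tunnel mode gre ip
 keepalive 10 3
!
! Send the far-end GRE source toward the ASA inside address (assumed 10.0.0.1)
ip route 1.1.1.1 255.255.255.255 10.0.0.1
! Main-office prefixes reached through the MPLS network go into the tunnel (placeholder)
ip route <MAIN-OFFICE-SUBNET> <MASK> Tunnel1

! ===== ASA edge: policy-based IPsec, GRE host-to-host is the interesting traffic =====
! Reach the L3SW loopback via inside (L3SW at 10.0.0.2, assumed) and the
! MPLS router loopback via outside (ISP next hop is a placeholder)
route inside 4.4.4.4 255.255.255.255 10.0.0.2
route outside 1.1.1.1 255.255.255.255 <ISP-NEXT-HOP>
!
! Crypto ACL: protocol gre between the two tunnel sources, not the /30 tunnel addresses
access-list VPN-GRE extended permit gre host 4.4.4.4 host 1.1.1.1
!
! Identity NAT so the GRE packets are not rewritten before encryption
object network LOCAL-GRE-SRC
 host 4.4.4.4
object network REMOTE-GRE-DST
 host 1.1.1.1
nat (inside,outside) source static LOCAL-GRE-SRC LOCAL-GRE-SRC destination static REMOTE-GRE-DST REMOTE-GRE-DST no-proxy-arp route-lookup
!
! IKEv1 / IPsec parameters are placeholders; use the phase 1 / phase 2 values from the ISP
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES-SHA esp-aes-256 esp-sha-hmac
!
crypto map OUTSIDE-MAP 10 match address VPN-GRE
crypto map OUTSIDE-MAP 10 set peer <ISP-ROUTER-PUBLIC-IP>
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group <ISP-ROUTER-PUBLIC-IP> type ipsec-l2l
tunnel-group <ISP-ROUTER-PUBLIC-IP> ipsec-attributes
 ikev1 pre-shared-key <PSK-FROM-ISP>
```

The ISP would mirror the crypto ACL (gre host 1.1.1.1 host 4.4.4.4) on its crypto map and terminate Tunnel1 on its own loopback; if the ISP instead sources the GRE from a physical interface, that interface address replaces 1.1.1.1 in the ACL, the routes and the tunnel destination. To check the result, `show crypto ipsec sa` on the ASA should show encaps/decaps counters climbing for the 4.4.4.4/1.1.1.1 pair, and `show interface Tunnel1` on the switch should report line protocol up once GRE keepalives are answered.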