
GRE Tunnel over IPSec with EIGRP through a VPN Concentrator

andymh
Level 1

Has anyone managed to get this working?

Scenario thus:

Remote site router dials up to the internet via ISDN

Concentrator sits on 2Mb internet link with router behind it on the private side.

Basically, I believe it is possible to terminate the GRE tunnel on a router behind the concentrator. Is this possible, and if so, what address should the remote site have for the tunnel destination?

4 Replies

artherrera
Level 1

Hi Andy,

Yes, this is possible. You will configure your IPsec tunnel between the remote router and the concentrator, then the GRE tunnel from this same router to the router behind the concentrator. The address that the router is going to point to is the router's inside address (behind the concentrator), so the 3000 will decrypt the packet and pass the GRE-encapsulated packet to your router behind it.

Regards

Arthur

Thanks for your reply, Arthur. This is still proving elusive to set up in practice. I have used the following config on the routers... I think I still may have it set up incorrectly.

REMOTE SITE
-----------

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key ####### address x.x.x.x {concentrator public addr}
!
crypto ipsec transform-set to_vpn esp-des esp-md5-hmac
!
crypto map gre 50 ipsec-isakmp
 set peer x.x.x.x {concentrator public addr}
 set transform-set to_vpn
 match address 101
!
interface Tunnel0
 ip address 192.168.20.2 255.255.255.0
 tunnel source Ethernet0
 tunnel destination 10.0.x.x {router addr behind concentrator}
 crypto map gre
!
interface Ethernet0
 ip address 10.230.x.x 255.255.0.0
 no ip route-cache
 no ip mroute-cache
 crypto map gre
!
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
!
interface Dialer1
 ISP dialup blurb
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
map-class dialer DialClass
access-list 101 permit gre host y.y.y.y {remotesite public addr} host x.x.x.x {concentrator public addr}
dialer-list 1 protocol ip permit

HQ SITE
-------

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key ####### address y.y.y.y {remotesite public addr}
!
!
crypto ipsec transform-set to_vpn esp-des esp-md5-hmac
!
crypto map gre local-address Ethernet0
crypto map gre 50 ipsec-isakmp
 set peer y.y.y.y {remotesite public addr}
 set transform-set to_vpn
 match address 101
!
interface Tunnel0
 ip address 192.168.20.1 255.255.255.0
 tunnel source Ethernet0
 tunnel destination y.y.y.y {remotesite public addr}
 crypto map gre
!
interface Ethernet0
 ip address 10.0.x.x 255.255.0.0
 no ip route-cache
 no ip mroute-cache
!
ip classless
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route y.y.y.y {remotesite public addr} 255.255.255.252 z.z.z.z {conc private address}
no ip http server
!
access-list 101 permit gre host x.x.x.x {concentrator public addr} host y.y.y.y {remotesite public addr}

Hi Andy,

I am seeing that you have applied the crypto map to the internal interface; this could be the main reason. Please apply the crypto map to the outside interface, either BRI, Dialer or both.

Arthur
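The placement check described in the reply above, as an added example that is not part of the original thread: a small Python lint that reads IOS-style configuration text and reports when a crypto map is missing from the Internet-facing interface or applied to an inside one. The sample text is constructed from the remote-site config posted earlier; treating the default-route interface and any ISDN "dialer pool-member" interface as "outside" is an assumption of this sketch, as are all function and variable names.

```python
import re

# Constructed sample: trimmed from the remote-site config posted in the thread.
REMOTE_SITE = """\
interface Tunnel0
 crypto map gre
!
interface Ethernet0
 crypto map gre
!
interface BRI0
 dialer pool-member 1
!
interface Dialer1
!
ip route 0.0.0.0 0.0.0.0 Dialer1
"""

# A bare "crypto map NAME" applies the map; definitions carry a sequence number.
APPLY = re.compile(r"crypto map \S+$")
DEFAULT_VIA_IF = re.compile(r"^\s*ip route 0\.0\.0\.0 0\.0\.0\.0 ([A-Za-z]\S*)", re.M)

def parse_interfaces(config):
    """Map each interface name to its sub-commands ('!' or a new interface ends a block)."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.lower().startswith("interface "):
            current = line.split()[1]
            blocks[current] = []
        elif line == "!":
            current = None
        elif current and line:
            blocks[current].append(line)
    return blocks

def crypto_map_findings(config):
    """Check that the crypto map sits on the Internet-facing interface(s)."""
    blocks = parse_interfaces(config)
    mapped = {n for n, cmds in blocks.items() if any(APPLY.match(c) for c in cmds)}
    # Assumption: "outside" = default-route interface plus ISDN pool members.
    outside = set(DEFAULT_VIA_IF.findall(config))
    outside |= {n for n, cmds in blocks.items()
                if any(c.startswith("dialer pool-member") for c in cmds)}
    findings = []
    if outside and not (outside & mapped):
        findings.append("no crypto map on outside interface: " + ", ".join(sorted(outside)))
    for name in sorted(mapped - outside):
        if not name.lower().startswith("tunnel"):  # tunnel placement is not judged here
            findings.append("crypto map on inside interface: " + name)
    return findings
```

Calling crypto_map_findings(REMOTE_SITE) returns two findings for the config as posted; moving the crypto map from Ethernet0 to Dialer1 clears both.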

Arthur,

I am still having no joy whatsoever on this. I can bring up a straight IPsec tunnel between the remote router and the concentrator with ease. As soon as I try to bring GRE into the equation with the router behind the concentrator, I am getting no tunnel and no connection to the concentrator. I presume my configs are correct with your change implemented.

I've read countless GRE examples from the Cisco site, but there appears to be nothing specific to what I am trying to do. Do you know of any examples?

Thanks for your help on this, Arthur,

regards

Andrew.