
GRE tunnel

ivanov.vladimir, Level 1

Hi -- I am trying to figure out how the network described in the configuration http://pastebin.com/fM40vxcG is structured. I am struggling to work out how I get connected to 10.144.254.1 before building a GRE tunnel on it using the node as tunnel destination. Thanks a lot

regards

vladimir


10 Replies

Jennifer Halim, Cisco Employee

I am assuming that you are trying to configure a GRE over IPSec VPN tunnel based on the sample configuration provided. For a GRE over IPSec VPN tunnel, both ends of the VPN gateways need to terminate the GRE tunnel, hence you would need to configure a tunnel interface on the other end as well. Are you configuring the GRE over IPSec VPN between 2 Cisco routers?

You were asking about the tunnel destination IP address of 10.144.254.1. If you are routing the GRE over IPSec VPN tunnel traffic via the Internet, the tunnel destination for the GRE tunnel needs to be a publicly routable IP address. It is typically the external interface (outside interface) of the peer router. Similarly, the tunnel source of the router would be the external interface of the router itself. So if you are routing it via the Internet (not MPLS, where normally private IP addressing is allowed as per agreement with the MPLS provider), both tunnel source and tunnel destination for the GRE tunnel interface need to be publicly routable IP addresses, and typically it would be the router external interface where you terminate your IPSec VPN tunnel, i.e. the VPN peer address.

Here are sample configurations of GRE over IPSec tunnels for your reference:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml

Hope that helps.

Thanks for your reply

Yes, this is configuration between 2 cisco routers.

I was expecting a publicly routable IP as tunnel destination, but it is private. This is a mystery for me, as I don't understand how it gets accessible. It must be some line in the configuration where it becomes accessible from my machine.

Hello Vladimir,

You are right, the tunnel destination is the public destination address, and the tunnel source is either the public source address, or the interface which is configured with the public source.

The example uses private addresses just for demonstration purposes.

Bastien, thanks for the reply -- but the tunnel destination 10.144.254.1 we are talking about is not public, and I can't see a line in my configuration where it becomes accessible but this one:

ip route 10.144.254.1 255.255.255.255 (ip address of corporate internet router)

Is it an IPsec tunnel?

Hello Vladimir,

I checked your link.

If I were you, I wouldn't paste my VPN password on a public forum; that's not really secure (except if you used a fake password). If not, you may edit your post and point to another link with the password stripped, and may change the public IP addresses as well.

Regarding your config, you have a crypto map configured, with an ACL which matches the tunnel.

So in the end, your GRE tunnel, which uses private IP addresses, is encapsulated in an IPsec tunnel which uses public IP addresses (see set peer in the crypto map): you then have a tunneled tunnel.

I can't tell you the purpose of that since I don't know your topology.

Hope this helps,

Bastien.

Bastien, now I see what is going on -- thanks for your reply. I am interested in substituting the Cisco router having this configuration with a Linux computer implementing all the features in the configuration. Do you happen to know anyone who might perform the task -- a person knowing Cisco and Linux? Appreciate your help.

Hi Vladimir,

Please mark the question as answered and/or rate the post that helped you if you found the answers to your questions.

Concerning your Linux question, I'm sorry but I don't know anyone who can help you on this. I would guess that you might have more luck in Linux-specialized forums, but is there a particular reason for you to remove your router? Most of the newest routers have hardware acceleration features, and using a computer as a router can lead to performance issues.

Regards,

Bastien

The reason is that I want to use cloud computing services for the connectivity, where I won't be able to plug in a router.

As I understand it, the IPsec tunnel on which the GRE tunnel is based has the following details:

source ip  -> subnet -> public ip  <->   peer <-   subnet <- source ip

10.144.112.2 ->  10.144.112.0/24     83.167.115.174  <->   128.177.22.14  <-   10.144.254.1/32   <-   10.144.254.1

Vladimir,

I'm not sure how to read your scheme, but here's what happens:

You have the ACL 100 that defines what traffic should be encrypted in the IPsec tunnel.

It has this line:

access-list 100 permit gre host 10.144.0.112 host 10.144.254.1

which matches the GRE tunnel source/destination.

Now, when a packet is routed to the GRE tunnel interface, let's say [PACKET A], it will be encapsulated in a new GRE packet with the IPs defined in the tunnel interface, so you will have [GRE SRC:10.144.0.112/DST 10.144.254.1[PACKET A]] (as well as other headers).

Then, the DST of this packet is routed via the line:

ip route 10.144.254.1 255.255.255.255 (ip address of corporate internet router)

So it goes out the default interface which has the crypto map. As the crypto ACL defined in the crypto map matches the SRC/DST of the GRE packet, it will encapsulate it again using IPsec (ESP or AH), so that you'll have:

[IPSEC SRC:83.167.115.174/DST:128.177.22.14 [GRE SRC:10.144.0.112/DST 10.144.254.1[PACKET A]]]

The distant peer will then remove the IPsec header and decrypt the packet, read the GRE packet, see that it's directed to its tunnel interface, route the GRE packet to it, then the virtual tunnel interface will remove the GRE header and handle PACKET A with the routing table.
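The forwarding path Bastien describes (route lookup, GRE encapsulation, crypto ACL match, ESP encapsulation, and the peer's decapsulation) as a small Python model. This is an added example, not code from the thread, from Cisco, or from the pastebin configuration. The tunnel addresses, public peer addresses and the crypto ACL are taken from the replies above; the corporate internet router next hop 192.0.2.1 and the remote LAN 10.144.200.0/24 reached through the tunnel are constructed placeholders, since the thread does not give them.

```python
"""Model of GRE over IPsec forwarding as explained in the thread (added example)."""
import ipaddress
from dataclasses import dataclass

IPPROTO_GRE = 47   # "permit gre" in the crypto ACL matches this IP protocol number
IPPROTO_ESP = 50

# Addresses from the thread.
TUNNEL_SRC, TUNNEL_DST = "10.144.0.112", "10.144.254.1"       # GRE tunnel source/destination
LOCAL_PUBLIC, PEER_PUBLIC = "83.167.115.174", "128.177.22.14"  # crypto map "set peer" endpoints

# Constructed placeholders (not on the page): the corporate internet router and a
# remote LAN whose traffic is sent into the GRE tunnel.
CORP_ROUTER = "192.0.2.1"
REMOTE_LAN = "10.144.200.0/24"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int       # IP protocol number of what follows the IP header
    payload: object  # an inner Packet, or bytes for the original user data


# Routing table: (prefix, next hop). "Tunnel0" is the GRE tunnel interface.
ROUTES = [
    (ipaddress.ip_network(REMOTE_LAN), "Tunnel0"),
    # ip route 10.144.254.1 255.255.255.255 (ip address of corporate internet router)
    (ipaddress.ip_network(TUNNEL_DST + "/32"), CORP_ROUTER),
    (ipaddress.ip_network("0.0.0.0/0"), CORP_ROUTER),           # default route, crypto-mapped interface
]


def route_lookup(dst: str) -> str:
    """Longest-prefix match, as the router's forwarding table does it."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, hop) for net, hop in ROUTES if addr in net]
    if not matches:
        raise ValueError(f"no route to {dst}")
    return max(matches)[1]


def crypto_acl_permits(pkt: Packet) -> bool:
    """access-list 100 permit gre host 10.144.0.112 host 10.144.254.1"""
    return pkt.proto == IPPROTO_GRE and pkt.src == TUNNEL_SRC and pkt.dst == TUNNEL_DST


def forward(pkt: Packet) -> Packet:
    """Return the packet as it leaves the interface that carries the crypto map."""
    hop = route_lookup(pkt.dst)
    if hop == "Tunnel0":
        # First encapsulation: GRE header with the tunnel source/destination.
        pkt = Packet(TUNNEL_SRC, TUNNEL_DST, IPPROTO_GRE, pkt)
        # The new destination now follows the /32 route to the corporate router.
        hop = route_lookup(pkt.dst)
    if hop == CORP_ROUTER and crypto_acl_permits(pkt):
        # Second encapsulation: ESP between the public peer addresses.
        pkt = Packet(LOCAL_PUBLIC, PEER_PUBLIC, IPPROTO_ESP, pkt)
    return pkt


def peer_receive(pkt: Packet) -> Packet:
    """What the distant peer does: strip ESP, then hand the GRE packet to its tunnel interface."""
    if pkt.proto == IPPROTO_ESP:
        if pkt.dst != PEER_PUBLIC:
            raise ValueError("ESP packet not addressed to this peer")
        pkt = pkt.payload
    if pkt.proto == IPPROTO_GRE:
        if pkt.dst != TUNNEL_DST:
            raise ValueError("GRE packet not addressed to this tunnel interface")
        pkt = pkt.payload
    return pkt


def layers(pkt: Packet) -> list:
    """Protocol numbers from the outermost header inwards."""
    out = []
    while isinstance(pkt, Packet):
        out.append(pkt.proto)
        pkt = pkt.payload
    return out


if __name__ == "__main__":
    # Constructed user packet from a LAN host to a host behind the remote peer.
    user = Packet("10.144.112.2", "10.144.200.10", 6, b"constructed TCP segment")
    wire = forward(user)
    print(layers(wire))                 # [50, 47, 6]: ESP outside, GRE, then PACKET A
    print(peer_receive(wire) == user)   # True
    # Non-GRE traffic to 10.144.254.1 still follows the /32 route but is not in the ACL.
    print(layers(forward(Packet("10.144.112.2", TUNNEL_DST, 1, b"constructed ICMP"))))  # [1]
```

The last line in the usage block is the caveat worth checking on a real box: the crypto ACL only selects GRE between the two tunnel endpoints, so anything else addressed to 10.144.254.1 is routed out by the /32 route but leaves the interface unencrypted. Keeping the ACL restricted to `gre host ... host ...` is what makes the private tunnel destination reachable without exposing other traffic.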
