GRE tunnel

Hi -- I am trying to figure out how the network described in the configuration http://pastebin.com/fM40vxcG is structured. I am struggling to work out how I get connected to 10.144.254.1 before building a GRE tunnel on it using the node as tunnel destination. Thanks a lot

regards

vladimir

Cisco Employee

Re: GRE tunnel

I am assuming that you are trying to configure a GRE over IPSec VPN tunnel based on the sample configuration provided. For a GRE over IPSec VPN tunnel, both ends of the VPN gateways need to terminate the GRE tunnel, hence you would need to configure a tunnel interface on the other end as well. Are you configuring the GRE over IPSec VPN between 2 Cisco routers?

You were asking about the tunnel destination IP address of 10.144.254.1. If you are routing the GRE over IPSec VPN tunnel traffic via the Internet, the tunnel destination for the GRE tunnel needs to be a publicly routable IP address. It is typically the external interface (outside interface) of the peer router. Similarly, the tunnel source of the router would be the external interface of the router itself. So if you are routing it via the Internet (not MPLS, where normally private IP addressing is allowed as per agreement with the MPLS provider), both tunnel source and tunnel destination for the GRE tunnel interface need to be publicly routable IP addresses, and typically it would be the router external interface where you terminate your IPSec VPN tunnel, i.e. the VPN peer address.

Here are sample configurations of GRE over IPSec tunnels for your reference:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml

Hope that helps.


Re: GRE tunnel

Thanks for your reply

Yes, this is a configuration between 2 Cisco routers.

I was expecting a publicly routable IP as tunnel destination, but it is private. This is a mystery to me as I don't understand how it becomes accessible. There must be some line in the configuration where it becomes accessible from my machine.

Cisco Employee

Re: GRE tunnel

Hello Vladimir,

You are right, the tunnel destination is the public destination address, and the tunnel source is either the public source address or the interface which is configured with the public source.

The example uses private addresses just for demonstration purposes.


Re: GRE tunnel

Bastien, thanks for the reply -- but the tunnel destination 10.144.254.1 we are talking about is not public, and I can't see a line in my configuration where it becomes accessible except this one:

ip route 10.144.254.1 255.255.255.255 (ip address of corporate internet router)

Is it an IPsec tunnel?

Cisco Employee

Re: GRE tunnel

Hello Vladimir,

I checked your link.

If I were you I wouldn't paste my VPN password on a public forum, that's not really secure (except if you used a fake password). If not, you may edit your post and point to another link with the password stripped, and may change the public IP addresses as well.

Regarding your config, you have a crypto map configured, with an ACL which matches the tunnel.

So in the end, your GRE tunnel, which uses private IP addresses, is encapsulated in an IPsec tunnel which uses public IP addresses (see set peer in the crypto map): you then have a tunneled tunnel.

I can't tell you the purpose of that since I don't know your topology.

Hope this helps,

Bastien.

(Accepted solution)


Re: GRE tunnel

Bastien, now I see what is going on -- thanks for your reply. I am interested in substituting the Cisco router having the configuration with a Linux computer implementing all the features in the configuration. Do you happen to know anyone that might perform the task -- a person knowing Cisco and Linux? Appreciate your help.

Cisco Employee

Re: GRE tunnel

Hi Vladimir,

Please mark the question as answered and/or rate the post that helped you if you found the answers to your questions.

Concerning your Linux question, I'm sorry but I don't know anyone that can help you on this. I would guess that you might have more luck in Linux specialized forums, but is there a particular reason for you to remove your router? Most of the newest routers have hardware acceleration features, and using a computer as a router can lead to performance issues.

Regards,

Bastien


Re: GRE tunnel

The reason is that I want to use cloud computing services for the connectivity, where I won't be able to plug in a router.


Re: GRE tunnel

As I understand it, the IPsec tunnel on which the GRE tunnel is based has the following details:

source ip    -> subnet          -> public ip      <-> peer          <- subnet          <- source ip

10.144.112.2 -> 10.144.112.0/24 -> 83.167.115.174 <-> 128.177.22.14 <- 10.144.254.1/32 <- 10.144.254.1

Cisco Employee

Re: GRE tunnel

Vladimir,

I'm not sure how to read your scheme, but here's what happens:

You have the ACL 100 that defines what traffic should be encrypted in the IPsec tunnel.

It has this line:

access-list 100 permit gre host 10.144.0.112 host 10.144.254.1 (which matches the GRE tunnel source/destination)

Now, when a packet is routed to the GRE tunnel interface, let's say [PACKET A], it will be encapsulated in a new GRE packet with the IPs defined on the tunnel interface, so you will have [GRE SRC:10.144.0.112/DST 10.144.254.1[PACKET A]] (as well as other headers).

Then, the DST to this packet is routed via the line:

ip route 10.144.254.1 255.255.255.255 (ip address of corporate internet router)

So it goes out the default interface, which has the crypto map. As the crypto ACL defined in the crypto map matches the SRC/DST of the GRE packet, it will encapsulate it again using IPsec (ESP or AH), so that you'll have:

[IPSEC SRC:83.167.115.174/DST:128.177.22.14 [GRE SRC:10.144.0.112/DST 10.144.254.1[PACKET A]]]

The distant peer will then remove the IPsec header and decrypt the packet, read the GRE packet, see that it's directed to its tunnel interface, route the GRE packet to it, then the virtual tunnel interface will remove the GRE header and handle PACKET A with the routing table.

(Accepted solution)
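The double encapsulation Bastien describes (and the GRE over IPsec setup from the first reply), modelled as an added Python example that is not from the thread or from Cisco. Tunnel endpoints, crypto-map peers and ACL 100 are taken from the posts; the 192.0.2.0/24 remote LAN, the sample packets and the simplified route/ACL semantics are constructed. The `tunnel_is_protected` check shows the failure mode worth verifying on a real box: if the crypto ACL does not match the tunnel source/destination, the GRE packet (private destination included) leaves the outside interface in cleartext.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pkt:
    proto: str                  # "tcp"/"udp" for payload, "gre" or "esp" for tunnel headers
    src: str
    dst: str
    inner: Optional["Pkt"] = None   # encapsulated packet, if any


# Addresses quoted in the thread; everything else in this file is constructed.
TUN_SRC, TUN_DST = "10.144.0.112", "10.144.254.1"            # tunnel source / tunnel destination
LOCAL_PEER, REMOTE_PEER = "83.167.115.174", "128.177.22.14"  # crypto map "set peer" endpoints
ACL100 = [("gre", TUN_SRC, TUN_DST)]   # access-list 100 permit gre host 10.144.0.112 host 10.144.254.1
ROUTES = {  # prefix -> egress interface; longest prefix wins
    "192.0.2.0/24": "Tunnel0",      # constructed: remote LAN reached through the GRE tunnel
    "10.144.254.1/32": "outside",   # ip route 10.144.254.1 255.255.255.255 <corporate internet router>
    "0.0.0.0/0": "outside",
}


def egress(dst: str) -> str:
    """Longest-prefix-match route lookup."""
    ip = ipaddress.ip_address(dst)
    cands = [ipaddress.ip_network(p) for p in ROUTES if ip in ipaddress.ip_network(p)]
    return ROUTES[str(max(cands, key=lambda n: n.prefixlen))]


def acl_permits(acl, pkt: Pkt) -> bool:
    """The crypto ACL is evaluated against the *outer* packet that reaches the crypto map."""
    return any(pkt.proto == p and pkt.src == s and pkt.dst == d for p, s, d in acl)


def send(pkt: Pkt, acl=ACL100) -> Pkt:
    """PACKET A -> GRE (tunnel interface) -> routed again -> IPsec if the crypto ACL matches."""
    if egress(pkt.dst) == "Tunnel0":
        pkt = Pkt("gre", TUN_SRC, TUN_DST, pkt)          # [GRE SRC/DST [PACKET A]]
    if egress(pkt.dst) == "outside" and acl_permits(acl, pkt):
        pkt = Pkt("esp", LOCAL_PEER, REMOTE_PEER, pkt)   # [IPSEC peers [GRE [PACKET A]]]
    return pkt   # anything else leaves the outside interface in cleartext


def receive(wire: Pkt) -> Pkt:
    """Remote peer: strip ESP (addressed to its public IP), then GRE (addressed to its tunnel IP)."""
    if wire.proto == "esp" and wire.dst == REMOTE_PEER:
        wire = wire.inner
    if wire.proto == "gre" and wire.dst == TUN_DST:
        wire = wire.inner
    return wire


def tunnel_is_protected(acl=ACL100) -> bool:
    """Config check: does the crypto ACL actually cover this tunnel's GRE packets?"""
    return acl_permits(acl, Pkt("gre", TUN_SRC, TUN_DST))
```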