IPSec secure GRE tunnel

banlan.chen
Level 1

Hi All,

I just set up an IPSec tunnel. Apart from using debug crypto ipsec / isakmp, how can I verify that IPSec is working? When I configure the crypto map, can I use the tunnel's IP as the peer address?

Thanks in advance.

Banlan


10 Replies

mnaveen
Level 1

Hi Banlan,

There are many commands to verify IPSec configurations. Try out these. Depending on the IOS version some may work and some may not.

show pas isa int
show pas isa ?
show int f0/1 stats
show cry ipsec sa
show cry ipsec sa | inc compressed
show cry engine conn active
show cry engine config

Whether you can use tunnels' IP address as peer address depends on how you are configuring IPSec and GRE. There are basically 2 ways of doing it. IPSec over GRE and GRE over IPSec. There is a great deal of difference between the two. Let me know exactly what you want to know about.

Thanks,

Naveen.

Hi Naveen,

Thank you for your reply. I tried some of the commands you gave me to show the information; they work, except for sh int f0/1 stats, where I can't catch any info for IPSec. Right now I am using IPSec over GRE; when I try to use the tunnel's IP as the peer address, it fails. Could you tell me more about GRE over IPSec?

Regards

Banlan

Hi Banlan,

If you are using IPSec over GRE, then your access-list has to contain the tunnel end-points as the traffic source and destination and use only GRE as the protocol (access-list 110 permit gre ....)

If you are using GRE over IPSec, then the access-list has to use only the IP protocol and use only the hosts as the traffic source and destination.

I have tried some other combinations, but they didn't work. Get back to me if you need more information.

Regards,

Naveen.

mnaveen@cisco.com

Hi Naveen,

Could you give me more information or a link to your website about GRE over IPSec? I want to know how to configure this kind of scenario. Also, would you please tell me what the best rule is to pick an interface in a CBAC environment?

I saw the IOS document at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm#15788

but it is very confusing. Sometimes the inspection is applied on the external interface with the ACL (Remote Office to ISP Configuration Example), sometimes it is used on the internal interface while the ACL is still on the external one (Ethernet Example).

Thanks a lot.

Banlan

Hi Banlan,

It is very rare that GRE over IPSec is used. This could possibly be required (I'm not very sure) when you want to send some traffic encrypted through the tunnel and some other traffic unencrypted. Anyway, I have tested this configuration also and saved it. I couldn't get my hands on it; I'll get it to you tomorrow. Is that ok?

Meanwhile, if you are trying to configure it, then please keep the following points in mind.

1. There is no change in the ISAKMP(or IKE) configuration.

2. The key authentication method remains the same.

3. The only difference is in the crypto access-list used.

Eg: The crypto access-list should look like "access-list 110 permit ip host host"

Best of luck,

Naveen

mnaveen@cisco.com

PS: Regarding CBAC environment, I don't have much hands-on and so I don't want to mislead by any wrong info. I'll try to get the right info if someone in our team knows well about it. Thanks :-))

As I understand:

-GRE over IPSec is to encapsulate GRE packet using IPSec header(access-list 110 permit gre ...)

-IPSec over GRE is to encapsulate IPSec packet using GRE header

You can refer to http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009430a.shtml

Hi,

Going by the correct technical parlance, the two types are

1. GRE inside IPSec (which works for both transport and tunnel modes)

2. IPSec inside GRE (works only for tunnel mode and is not used often)

Following are the configs for IPSec inside GRE.

! ON THE INITIATOR
...
...
access-list 110 permit ip host host
...
crypto isakmp policy 12
 authentication pre-shared
!
crypto isakmp key xxxxx address
crypto ipsec transform-set TS esp-des
!
crypto map CM 11 ipsec-isakmp
 set peer
 set transform-set TS
 match address 110
!
interface tunnel1
 ip unnumbered
 tunnel source
 tunnel destination
 crypto map CM
!
interface
 crypto map CM
!
ip route x.x.x.x tunnel1

! ON THE RESPONDER
...
...
access-list 111 permit ip host host
...
crypto isakmp policy 11
 authentication pre-shared
!
crypto isakmp key xxxxx address
crypto ipsec transform-set TS esp-des
!
crypto map CM 10 ipsec-isakmp
 set peer
 set transform-set TS
 match address 111
!
interface tunnel2
 ip unnumbered
 tunnel source
 tunnel destination
 crypto map CM
!
interface
 crypto map CM
!
ip route x.x.x.x tunnel2

Try to configure this and let me know if there are any issues. (This is a working configuration tested in our lab) :-))

Cheers,

Naveen

mnaveen@cisco.com

Hi Naveen ,

Thank you for your help. I really appreciate it.

Actually, in my lab, I used a similar configuration. The difference is that I used a static IP on the tunnel interface and used two private subnets (behind the two routers) in the access-list to bring up the IPSec. So this is IPSec inside GRE (so-called IPSec over GRE).

I saw the article yongl gave me, "Configuring GRE Over IPSec Between a Cisco IOS Router and a VPN 5000 Concentrator Using Dynamic Routing". It seems the major difference between IPSec inside GRE and GRE inside IPSec is that GRE inside IPSec can support both transport and tunnel mode, but IPSec inside GRE cannot. Also, with GRE over IPSec you need to use GRE traffic to bring up IPSec. Am I right?

BTW, on the RESPONDER side, should I use ip or ip?

Cheers!

Banlan

Hi Banlan,

Thanks for your appreciation. I feel honored !

Coming back to your question, regarding GRE inside IPSec, you should use gre as the protocol in the access list; that's right, you should get points for that!! (because the IP packet is first encapsulated by GRE and then the AH/ESP headers are added). Also remember that the IP address given as the tunnel destination should be globally routable. You cannot use the tunnel end-point as the tunnel destination (except, of course, when the routers are connected back to back).

See the following configs for GRE inside IPSec.

! ON THE INITIATOR
...
...
access-list 110 permit GRE host host
...
crypto isakmp policy 12
 authentication pre-shared
!
crypto isakmp key xxxxx address
crypto ipsec transform-set TS esp-des
!
crypto map CM 11 ipsec-isakmp
 set peer
 set transform-set TS
 match address 110
!
interface tunnel1
 ip unnumbered
 tunnel source
 tunnel destination
 crypto map CM
!
interface
 crypto map CM
!
ip route x.x.x.x tunnel1

! ON THE RESPONDER
...
...
access-list 111 permit GRE host host
...
crypto isakmp policy 11
 authentication pre-shared
!
crypto isakmp key xxxxx address
crypto ipsec transform-set TS esp-des
!
crypto map CM 10 ipsec-isakmp
 set peer
 set transform-set TS
 match address 111
!
interface tunnel2
 ip unnumbered
 tunnel source
 tunnel destination
 crypto map CM
!
interface
 crypto map CM
!
ip route x.x.x.x tunnel2

I think you have the answer now. Catch me if you want anything else.

Cheers :-))

Naveen

mnaveen@cisco.com
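Tying together the verification commands from the first reply and the "use gre in the crypto ACL" point from the accepted answer, here is an added example that is not from the thread or from Cisco: it parses two constructed `show cry ipsec sa` snapshots taken a few seconds apart, checks that the encaps/decaps counters advance without errors, and confirms that the SA's proxy identity carries IP protocol 47 (GRE), which is what a `permit gre` crypto ACL produces. The output lines, addresses, map name and counter values are all constructed for this example.

```python
import re

# Constructed sample of "show crypto ipsec sa" output, trimmed to the lines the
# check needs; addresses, counters and the map name are made up for this example.
SNAPSHOT_BEFORE = """\
interface: Tunnel1
    Crypto map tag: CM, local addr 192.0.2.1
   local  ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/47/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
    #pkts decaps: 1480, #pkts decrypt: 1480, #pkts verify: 1480
    #send errors 0, #recv errors 0
"""
# Second snapshot a few seconds later: both counters have moved, no new errors.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("1500", "1620").replace("1480", "1599")

IDENT_RE = re.compile(r"local\s+ident \(addr/mask/prot/port\): \([\d.]+/[\d.]+/(\d+)/\d+\)")


def parse_sa(text):
    """Extract the local proxy-identity protocol and the traffic counters of one SA."""
    sa = {}
    m = IDENT_RE.search(text)
    sa["local_proto"] = int(m.group(1)) if m else None
    for key in ("encaps", "decaps"):
        m = re.search(r"#pkts %s: (\d+)" % key, text)
        sa[key] = int(m.group(1)) if m else 0
    for key in ("send errors", "recv errors"):
        m = re.search(r"#%s (\d+)" % key, text)
        sa[key] = int(m.group(1)) if m else 0
    return sa


def check_gre_inside_ipsec(before, after):
    """Compare two snapshots; an empty list means the SA is healthy and carries GRE."""
    b, a = parse_sa(before), parse_sa(after)
    findings = []
    if a["local_proto"] != 47:  # IP protocol 47 is GRE, as selected by "permit gre"
        findings.append("proxy identity protocol is %s, expected 47 (gre)" % a["local_proto"])
    if a["encaps"] <= b["encaps"]:
        findings.append("no packets encapsulated between snapshots")
    if a["decaps"] <= b["decaps"]:
        findings.append("no packets decapsulated between snapshots (one-way or dead tunnel)")
    for key in ("send errors", "recv errors"):
        if a[key] > b[key]:
            findings.append("%s increased by %d" % (key, a[key] - b[key]))
    return findings
```

Run it against two real snapshots while traffic is flowing through the tunnel: a growing encaps counter with a flat decaps counter is the classic sign of a one-way SA, and a local protocol of 0 (ip) instead of 47 means the crypto ACL is matching plain IP rather than the GRE encapsulation.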

Hi Naveen,

Thank you again. If you get any info about firewall feature, please let me know.

Regards

Banlan
