Problem with GRE over IPSEC Implementation

Gopinath_Pigili
Spotlight

[image: Gopinath_Pigili_0-1725111555421.png]

Hello, I am trying to implement GRE with IPsec. Before the IPsec implementation I am able to ping from the R1 loopback to the R3 loopback, but after the IPsec implementation there is no communication between them. Any help appreciated!

Here is the configuration for R1 and R3

R1

ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco@123 address 3.3.3.3
!
!
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
mode transport
!
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 192.168.23.3
tunnel protection ipsec profile protect-gre
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 3.3.3.3 255.255.255.255 FastEthernet0/0
ip route 192.168.23.0 255.255.255.0 FastEthernet0/0
!
access-list 101 permit ip host 1.1.1.1 host 3.3.3.3 log
!
R3

ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco@123 address 1.1.1.1
!
!
crypto ipsec transform-set TS3 esp-3des esp-md5-hmac
mode transport
!
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS3
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
ip address 172.16.0.3 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 192.168.12.1
tunnel protection ipsec profile protect-gre
!
interface FastEthernet0/0
ip address 192.168.23.3 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 1.1.1.1 255.255.255.255 FastEthernet0/0
ip route 192.168.12.0 255.255.255.0 FastEthernet0/0
!

[image: Gopinath_Pigili_1-1725112007934.png]


12 Replies

Only one step is wrong.

Instead of using the LO IP in crypto isakmp key, use the tunnel destination.

That's it.

Do the change and check.

Note: you need a static route in each peer for the LO, with the egress interface being the tunnel interface. This is a route-based VPN, not a policy VPN, so the traffic that needs to be encrypted must pass through the tunnel.

MHM
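As an added example that is not part of this thread (my own code, not MHM's or the original poster's): a small Python linter that applies the advice above to a pair of IOS configs. It assumes a single tunnel interface per router and a Loopback0 on each side; the sample configs are constructed from the R1/R3 configs in the question, and the "fixed" versions apply the two changes from the replies (ISAKMP key address = tunnel destination, loopback route via Tunnel0). It also flags the 3DES/MD5/DH group 2 choices in the original as legacy algorithms; that is a hardening note, not the cause of the outage.

```python
"""Added example (not from the thread): lint a GRE-over-IPsec router pair the
way the replies advise. The IKE pre-shared-key address must be the tunnel
destination (peer's outer address, not its loopback or tunnel IP), tunnel
destinations must be reciprocal, and the route to the remote loopback must
exit via the tunnel interface or the traffic never gets encrypted."""
import re
from dataclasses import dataclass, field

TOP_LEVEL = ("interface ", "crypto ", "ip route ", "hostname ", "line ", "router ")
LEGACY = {"des": "DES", "esp-des": "DES", "3des": "3DES", "esp-3des": "3DES",
          "md5": "MD5", "esp-md5-hmac": "HMAC-MD5"}   # flagged as hardening notes

@dataclass
class IosConfig:
    interfaces: dict = field(default_factory=dict)    # name -> ip / tunnel_source / tunnel_destination
    isakmp_peers: list = field(default_factory=list)  # X from 'crypto isakmp key ... address X'
    routes: list = field(default_factory=list)        # (prefix, mask, egress or next hop)
    legacy_algos: set = field(default_factory=set)

def parse_ios(text):
    """Pull out only the facts the checks need; works on indented or flattened pastes."""
    cfg, cur, in_policy = IosConfig(), None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!" or line.startswith(TOP_LEVEL):
            cur, in_policy = None, False               # any sub-mode ends here
        if m := re.match(r"interface (\S+)", line):
            cur = m.group(1).lower()
            cfg.interfaces[cur] = {}
        elif cur is not None:                          # interface sub-commands
            if m := re.match(r"ip address (\S+) \S+", line):
                cfg.interfaces[cur]["ip"] = m.group(1)
            elif m := re.match(r"tunnel (source|destination) (\S+)", line):
                cfg.interfaces[cur]["tunnel_" + m.group(1)] = m.group(2).lower()
        elif line.startswith("crypto isakmp policy"):
            in_policy = True
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            cfg.isakmp_peers.append(m.group(1))
        elif m := re.match(r"ip route (\S+) (\S+) (.+)$", line):
            cfg.routes.append((m.group(1), m.group(2), m.group(3).replace(" ", "").lower()))  # 'tunnel 0' == 'Tunnel0'
        elif in_policy and (m := re.match(r"group ([125])$", line)):
            cfg.legacy_algos.add("DH group " + m.group(1))
        cfg.legacy_algos.update(LEGACY[t] for t in line.lower().split() if t in LEGACY)
    return cfg

def iface_ip(cfg, name):
    return cfg.interfaces.get((name or "").lower(), {}).get("ip")

def tunnel_of(cfg):
    name = next(n for n in cfg.interfaces if n.startswith("tunnel"))
    return name, cfg.interfaces[name]

def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Check both directions; an empty list means the pair is consistent."""
    findings = []
    for me_name, me, peer in ((name_a, cfg_a, cfg_b), (name_b, cfg_b, cfg_a)):
        tun_name, tun = tunnel_of(me)
        dest = tun.get("tunnel_destination")
        peer_outer = iface_ip(peer, tunnel_of(peer)[1].get("tunnel_source"))
        remote_loop = iface_ip(peer, "Loopback0")
        if dest != peer_outer:
            findings.append(f"{me_name}: tunnel destination {dest} is not the peer's tunnel-source address {peer_outer}")
        if dest not in me.isakmp_peers:
            findings.append(f"{me_name}: isakmp key address {me.isakmp_peers} must be the tunnel destination {dest}")
        if not any(p == remote_loop and nh == tun_name for p, _, nh in me.routes):
            findings.append(f"{me_name}: route to {remote_loop} must exit via {tun_name} to be encrypted")
    return findings

# Constructed samples condensed from the thread's failing R1/R3 configs.
R1_BROKEN = """
crypto isakmp policy 1
encr 3des
group 2
crypto isakmp key cisco@123 address 3.3.3.3
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface Tunnel0
tunnel source FastEthernet0/0
tunnel destination 192.168.23.3
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
ip route 3.3.3.3 255.255.255.255 FastEthernet0/0
"""
R3_BROKEN = """
crypto isakmp key cisco@123 address 1.1.1.1
interface Loopback0
ip address 3.3.3.3 255.255.255.255
interface Tunnel0
tunnel source FastEthernet0/0
tunnel destination 192.168.12.1
interface FastEthernet0/0
ip address 192.168.23.3 255.255.255.0
ip route 1.1.1.1 255.255.255.255 FastEthernet0/0
"""
# The fix the thread converged on: IKE peer = tunnel destination, loopback route via the tunnel.
R1_FIXED = R1_BROKEN.replace("address 3.3.3.3", "address 192.168.23.3").replace(
    "255.255.255.255 FastEthernet0/0", "255.255.255.255 Tunnel0")
R3_FIXED = R3_BROKEN.replace("address 1.1.1.1", "address 192.168.12.1").replace(
    "255.255.255.255 FastEthernet0/0", "255.255.255.255 tunnel 0")
```

Running check_pair("R1", parse_ios(R1_BROKEN), "R3", parse_ios(R3_BROKEN)) reports four findings (wrong ISAKMP peer address and loopback route out the physical interface, on each side), while the fixed pair reports none; parse_ios(R1_BROKEN).legacy_algos lists the 3DES, HMAC-MD5 and DH group 2 choices worth replacing once the tunnel is up.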

Still, the tunnel status is down.

I have made the following changes:

R1

ip route 3.3.3.3 255.255.255.255 Tunnel0

crypto isakmp key cisco@123 address 172.16.0.3

R3

ip route 1.1.1.1 255.255.255.255 tunnel 0

crypto isakmp key cisco@123 address 172.16.0.1

Tunnel destination, not tunnel IP.

Use 192.168.12.1 and 192.168.23.3

MHM

I changed to the physical interface IPs:

R1--> crypto isakmp key cisco@123 address 192.168.23.3

R3--> crypto isakmp key cisco@123 address 192.168.12.1

Still... status down.

If you remove the IPsec profile from the tunnel

and do show ip interface brief,

do you see the tunnel up/up?

MHM

Yes... it is up.

[image: Gopinath_Pigili_0-1725114712054.png]

Show ip route in both peers.

Thanks 

MHM

This lab is for you.
Check the routing,
and use the tunnel destination in crypto isakmp key.

hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
crypto isakmp key cisco@123 address 200.0.0.3
!
!
!
!
crypto ipsec profile prof
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 5.0.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 200.0.0.3
tunnel protection ipsec profile prof
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.0.0.2
ip route 3.3.3.3 255.255.255.255 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end


hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
crypto isakmp key cisco@123 address 100.0.0.1
!
!
!
!
crypto ipsec profile prof
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
ip address 5.0.0.3 255.255.255.0
tunnel source FastEthernet1/1
tunnel destination 100.0.0.1
tunnel protection ipsec profile prof
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 200.0.0.3 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 200.0.0.2
ip route 1.1.1.1 255.255.255.255 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

[image: Screenshot (726).png]

Any update about this issue?

MHM

Sorry for the late response!

It works perfectly! Thanks for the configuration!

Previously I used crypto isakmp key cisco@123 address 3.3.3.3; I changed it to crypto isakmp key cisco@123 address 192.168.23.3.

The same way, in R3 I changed crypto isakmp key cisco@123 address 1.1.1.1 to crypto isakmp key cisco@123 address 192.168.12.1.

Thanks

You are so welcome, friend.

MHM