01-13-2011 08:19 AM
I have a GRE tunnel (tunnel10) between routers, R1----telecom1 cloud----R2. The IPsec crypto map is applied on the serial interface (s0) that faces R2. Tunnel 10's source interface is s0 and its destination is a logical interface on the destination router R2. The transform-set is set to transport mode. Communication between R1 and R2 is operational and working well, as expected.
Now I have to set up a new GRE tunnel (tunnel20) between routers R1 and R3, passing through R2: R1----telecom1 cloud----R2----telecom2 cloud----R3. On R1, I set up a new GRE tunnel 20 with the source of local logical tunnel 10. The destination is a logical interface on R3. I set the transform-set to tunnel mode since the remote end-point is not local to R2, but I am not married to either mode – just need it to work! I set up a second crypto isakmp key with the IP of the remote R3 destination.
My Cisco 2821 router, running IOS c2801-advsecurityk9-mz.151-2.T2.bin, accepts the configuration as seen below.
My question is: once I add the static routing statements to the configuration shown below and implement it on the active and operational R1 (and of course configure the remote end), does anyone think this is not going to work? Did I miss something in this configuration?
I will also add MTU statements once operational.
Thanks again for your support!
Frank
R1 configuration:
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key SSSSSFFF address 10.14.6.18
crypto isakmp key EEE55555 address 172.16.0.1
!
crypto ipsec transform-set TRANSPORT-MODE esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set TUNNEL-MODE esp-aes 256 esp-sha-hmac
 ! mode tunnel (default mode, so no mode line is shown)
!
crypto map gggJJJ 10 ipsec-isakmp
 set peer 10.14.6.18
 set transform-set TRANSPORT-MODE
 match address INTERESTING-TRAFFIC
!
crypto map gggJJJ 20 ipsec-isakmp
 set peer 172.16.0.1
 set transform-set TUNNEL-MODE
 match address TEN-NET-TRAFFIC
!
interface Tunnel10
 ip address 10.14.1.18 255.255.255.252
 tunnel source S0
 tunnel destination 10.14.6.18
!
interface Tunnel20
 ip unnumbered S0
 tunnel source Tunnel10
 tunnel destination 172.16.0.1
!
interface S0
 ip address 10.199.120.1 255.255.255.252
 crypto map gggJJJ
!
ip access-list extended TEN-NET-TRAFFIC
 permit ip host 192.168.1.3 10.14.6.0 0.0.0.255
!
ip access-list extended INTERESTING-TRAFFIC
 permit ip any 10.14.6.0 0.0.0.255
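To make the transport-versus-tunnel question in the post concrete, here is an added example (written for this page, not Frank's code and not a Cisco tool): a small Python checker that parses an IOS-style configuration and reports, for each Tunnel interface, whether the GRE packets leaving its source interface are selected by a crypto-map entry, which peer and IPsec mode that entry applies, and whether transport mode is paired with the tunnel endpoint itself, which it must be (transport mode only works when the IPsec peer is the GRE endpoint). A tunnel sourced from another tunnel, as Tunnel20 is from Tunnel10, is reported as nested: its packets are re-encapsulated by the parent tunnel and travel under whatever SA protects the parent. The configuration text is a constructed sample modelled on the posted R1 configuration; the function names, the status values and the assumption that ACL wildcard masks are contiguous are mine.

```python
import ipaddress
# Constructed sample, modelled on the R1 configuration posted in the thread (not a live device).
SAMPLE_CONFIG = """\
crypto ipsec transform-set TRANSPORT-MODE esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set TUNNEL-MODE esp-aes 256 esp-sha-hmac
crypto map gggJJJ 10 ipsec-isakmp
 set peer 10.14.6.18
 set transform-set TRANSPORT-MODE
 match address INTERESTING-TRAFFIC
interface Tunnel10
 tunnel source S0
 tunnel destination 10.14.6.18
interface Tunnel20
 tunnel source Tunnel10
 tunnel destination 172.16.0.1
interface S0
 ip address 10.199.120.1 255.255.255.252
 crypto map gggJJJ
ip access-list extended INTERESTING-TRAFFIC
 permit ip any 10.14.6.0 0.0.0.255
"""

def parse_blocks(text):
    """Group IOS config lines into (top-level command, [indented sub-commands])."""
    blocks = []
    for raw in (ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("!")):
        if raw[0].isspace():
            blocks[-1][1].append(raw.strip())  # indented line belongs to the last top-level command
        else:
            blocks.append((raw.strip(), []))
    return blocks

def _addr_spec(tokens, i):
    """Consume one ACL address spec (any | host A | A wildcard); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))  # assumes a contiguous wildcard mask
    return ipaddress.ip_network(f"{tokens[i]}/{32 - wildcard.bit_length()}", strict=False), i + 2

def parse_ace(line):
    """'permit <proto> <src> <dst>' -> (proto, src_network, dst_network)."""
    t = line.split()
    src, i = _addr_spec(t, 2)
    return t[1], src, _addr_spec(t, i)[0]

def build_model(text):
    """Extract interfaces, crypto-map entries, transform-set modes and extended ACLs."""
    ifaces, cmaps, tsets, acls = {}, {}, {}, {}
    for header, subs in parse_blocks(text):
        w = header.split()
        if w[0] == "interface":
            d = {}
            for k in (s.split() for s in subs):
                if k[:2] == ["ip", "address"]:
                    d["ip"] = k[2]
                elif k[0] in ("tunnel", "crypto"):
                    d[k[1]] = k[2]  # tunnel source / tunnel destination / crypto map
            ifaces[w[1]] = d
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[w[3]] = "transport" if "mode transport" in subs else "tunnel"  # tunnel is the default
        elif w[:2] == ["crypto", "map"] and "ipsec-isakmp" in w:
            entry = {s.split()[1]: s.split()[2] for s in subs}  # peer / transform-set / address
            cmaps.setdefault(w[2], []).append((int(w[3]), entry))
        elif w[:3] == ["ip", "access-list", "extended"]:
            acls[w[3]] = [parse_ace(s) for s in subs if s.startswith("permit")]
    return ifaces, cmaps, tsets, acls

def _ace_matches(ace, proto, src, dst):
    return ace[0] in ("ip", proto) and ipaddress.ip_address(src) in ace[1] and ipaddress.ip_address(dst) in ace[2]

def analyse_tunnels(text):
    """Return {tunnel name: finding} describing how each tunnel's GRE packets would be treated."""
    ifaces, cmaps, tsets, acls = build_model(text)
    report = {}
    for name, t in ifaces.items():
        if not name.startswith("Tunnel"):
            continue
        src, dst = t.get("source", ""), t.get("destination")
        if src.startswith("Tunnel"):  # GRE inside GRE: the parent tunnel's SA protects it
            report[name] = {"status": "nested", "carried_by": src}
            continue
        gre_src = ifaces.get(src, {}).get("ip")
        if not (gre_src and dst):
            report[name] = {"status": "unresolved"}
            continue
        for seq, e in sorted(cmaps.get(ifaces[src].get("map"), []), key=lambda x: x[0]):
            if any(_ace_matches(a, "gre", gre_src, dst) for a in acls.get(e.get("address"), [])):
                mode = tsets.get(e.get("transform-set"), "tunnel")
                ok = mode == "tunnel" or e.get("peer") == dst  # transport mode needs peer == GRE endpoint
                report[name] = {"status": "ok" if ok else "transport-peer-mismatch", "seq": seq, "peer": e.get("peer"), "mode": mode}
                break
        else:
            report[name] = {"status": "cleartext"}  # no crypto-map entry selects this GRE flow
    return report
```

Running `analyse_tunnels(SAMPLE_CONFIG)` reports Tunnel10 as protected by sequence 10 in transport mode to peer 10.14.6.18, and Tunnel20 as nested inside Tunnel10. The check only evaluates the outer GRE header (source-interface address to tunnel destination) against the crypto ACL, so it is a static consistency check; on the router itself, `show crypto ipsec sa` remains the place to confirm which SAs actually carry the traffic.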
01-19-2011 06:56 AM
Hi,
Did you already implement this and, if so, did it work? I am a little skeptical about tunnel 20 using tunnel 10 as its source! I am not sure I understood your requirement quite right. Are you trying to pass traffic from R1 to R3 through R2, or is there going to be a direct VPN tunnel between R1 and R3?
Are R1 and R3 connected to different interfaces of R2 or are they through the same interface on R2?
Cheers,
Prapanch
01-19-2011 08:20 AM
Hi Prapanch
The requirement is to implement a new tunnel between R1 and R3.
R2 is the telecom and all traffic must pass through this router.
R2 is the encryption end-point for R1's traffic.
All traffic must arrive on R1's serial interface - s0/0/0.
If tunnel 10 is down, I must drop tunnel 20 also.
:::::
R3's traffic must also pass through R2 (telecom) as R2 authenticates and validates R3's traffic.
::::::
EX:
R3---cellular----R2-----cloud-----R1
R1 and R2 already have a VPN logical link - working and operational
:::::::
I am working on setting this up in the lab ------ today.
Hope this is clearer than mud.
Tks
Frank
01-20-2011 06:54 AM
Hi Frank,
Did you manage to get it working in the lab?
Cheers,
Prapanch
02-07-2011 11:23 AM
Yes, this setup is now operational with an IPsec over GRE configuration!
Regards
Frank