VPN tunnel20 through VPN tunnel10 via s0

fsebera
Level 4

I have a GRE tunnel (tunnel10) between routers,  R1----telecom1 cloud----R2. The IPsec crypto map is applied on the serial interface (s0) that faces R2. Tunnel 10 source interface is s0 and destination is a logical interface on destination router R2. Transform-set is set to transport mode. Communication between R1-R2 is operational and working well as expected.

Now I have to set up a new GRE tunnel (tunnel20) between routers R1 and R3, passing through R2: R1----telecom1 cloud----R2----telecom2 cloud----R3. On R1, I set up a new GRE tunnel 20 with the source of local logical tunnel 10. Destination is a logical interface on R3. I set the transform-set to tunnel mode since the remote end-point is not locally on R2, but I am not married to either mode – just need it to work! I set up a 2nd crypto isakmp key with the IP of the remote R3 destination.

My Cisco 2821 router, running IOS c2801-advsecurityk9-mz.151-2.T2.bin, accepts the configuration as seen below.

My question is once I add the static routing statements to the configuration shown below and implement into the active and operational R1 and of course config the remote end, does anyone think this is not going to work? Did I miss something in this configuration?

I will also add MTU statements once operational.

Thanks again for your support!

Frank

R1 configuration:

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key SSSSSFFF address 10.14.6.18
crypto isakmp key EEE55555 address 172.16.0.1
!
crypto ipsec transform-set TRANSPORT-MODE esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set TUNNEL-MODE esp-aes 256 esp-sha-hmac
 ! mode tunnel is the default, so it is not shown in the config
!
crypto map gggJJJ 10 ipsec-isakmp
 set peer 10.14.6.18
 set transform-set TRANSPORT-MODE
 match address INTERESTING-TRAFFIC
!
crypto map gggJJJ 20 ipsec-isakmp
 set peer 172.16.0.1
 set transform-set TUNNEL-MODE
 match address TEN-NET-TRAFFIC
!
interface Tunnel10
 ip address 10.14.1.18 255.255.255.252
 tunnel source S0
 tunnel destination 10.14.6.18
!
interface Tunnel20
 ip unnumbered S0
 tunnel source Tunnel10
 tunnel destination 172.16.0.1
!
interface S0
 ip address 10.199.120.1 255.255.255.252
 crypto map gggJJJ
!
ip access-list extended TEN-NET-TRAFFIC
 permit ip host 192.168.1.3 10.14.6.0 0.0.0.255
!
ip access-list extended INTERESTING-TRAFFIC
 permit ip any 10.14.6.0 0.0.0.255
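As an added check (not from the thread, and not a Cisco tool), here is a Python model of the R1 config above that follows Tunnel20's outer packets down through Tunnel10 to the serial link and reports which crypto map entry, if any, would encrypt them, whether transport mode is valid for that entry, and whether any map entry is shadowed by an earlier one. It assumes the static route to 172.16.0.1 points into Tunnel10 (as the nested design implies) and that IOS selects the first crypto map entry, in sequence order, whose ACL permits the packet.

```python
from ipaddress import ip_address, ip_network
# Constructed model of the posted R1 config. Wildcard masks are written as
# prefix lengths; crypto map entries are checked in ascending sequence order.
INTERFACES = {"S0": "10.199.120.1", "Tunnel10": "10.14.1.18"}
TUNNELS = {  # name -> (tunnel source interface, tunnel destination)
    "Tunnel10": ("S0", "10.14.6.18"),
    "Tunnel20": ("Tunnel10", "172.16.0.1"),
}
ACLS = {  # name -> list of (source prefix, destination prefix) ACEs
    "INTERESTING-TRAFFIC": [("0.0.0.0/0", "10.14.6.0/24")],
    "TEN-NET-TRAFFIC": [("192.168.1.3/32", "10.14.6.0/24")],
}
CRYPTO_MAP = [  # (sequence, peer, mode, match-address ACL)
    (10, "10.14.6.18", "transport", "INTERESTING-TRAFFIC"),
    (20, "172.16.0.1", "tunnel", "TEN-NET-TRAFFIC"),
]

def wire_endpoints(tunnel):
    """Follow nested tunnel sources down to a physical interface; return the (src, dst) on the link."""
    src_if, dst = TUNNELS[tunnel]
    while src_if in TUNNELS:  # source is itself a tunnel: encapsulate again
        src_if, dst = TUNNELS[src_if]
    return INTERFACES[src_if], dst

def first_match(src, dst):
    """Sequence of the crypto map entry protecting src->dst, or None (cleartext on S0)."""
    s, d = ip_address(src), ip_address(dst)
    for seq, _peer, _mode, acl in CRYPTO_MAP:
        if any(s in ip_network(a) and d in ip_network(b) for a, b in ACLS[acl]):
            return seq
    return None

def shadowed_entries():
    """Entries whose every ACE lies inside an earlier entry's ACE, so they are never selected."""
    sub = lambda a, b: ip_network(a).subnet_of(ip_network(b))
    out = []
    for i, (seq, _p, _m, acl) in enumerate(CRYPTO_MAP):
        old = [x for e in CRYPTO_MAP[:i] for x in ACLS[e[3]]]
        if old and all(any(sub(a, oa) and sub(b, ob) for oa, ob in old) for a, b in ACLS[acl]):
            out.append(seq)
    return out

def tunnel_report(tunnel):
    """Entry protecting the tunnel's outer packets; transport mode is only valid
    when the IPsec peer is the outer destination itself."""
    src, dst = wire_endpoints(tunnel)
    seq = first_match(src, dst)
    entry = next((e for e in CRYPTO_MAP if e[0] == seq), None)
    return {"tunnel": tunnel, "seq": seq, "transport_ok": entry is not None
            and (entry[2] != "transport" or entry[1] == dst)}
```

On the posted config it reports that Tunnel20's packets reach S0 carrying the Tunnel10 endpoints and fall under entry 10 (transport mode, peer equal to the outer destination), while entry 20's ACL is fully covered by entry 10's and so is never selected.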

4 Replies

praprama
Cisco Employee

Hi,

Did you already implement this and if so, did it work? I am a little skeptical about tunnel 20 using tunnel 10 as its source! I am not sure I understood your requirement quite right. Are you trying to pass traffic from R1 to R3 through R2, or is there going to be a direct VPN tunnel between R1 and R3?

Are R1 and R3 connected to different interfaces of R2 or are they through the same interface on R2?

Cheers,

Prapanch

Hi Prapanch

The requirement is to implement a new tunnel between R1 and R3.

R2 is the telecom and all traffic must pass thru this router.

R2 is the encryption end-point for R1's traffic.

All traffic must arrive on R1's serial interface - s0/0/0.

If tunnel 10 is down, I must drop tunnel 20 also.

:::::

R3's traffic must also pass thru R2 (telecom) as R2 authenticates and validates R3's traffic.

::::::

EX:

R3---cellular----R2-----cloud-----R1

R1 and R2 already have a VPN logical link - working and operational

:::::::

I am working on setting this up in the lab ------ today.

Hope this is clearer than mud.

Tks

Frank

Hi Frank,

Did you manage to get it working in the lab?

Cheers,

Prapanch

Yes, this setup is now operational with an IPsec over GRE configuration!

Regards

Frank