From: Brown, Patrick (NSOC-OCF) (PBrown4@chartercom.com)
Date: Mon Mar 17 2003 - 12:38:33 GMT-3
You only need the access-list 101 permit gre host <tunnel source> host <tunnel destination> on both routers. All traffic traversing the GRE tunnel will be encrypted. Set the configuration to TRANSPORT mode on your IPSEC transform sets.
You also have to set the Crypto maps on the GRE interfaces, and the egress interface.
Thanks,
Patrick B
-----Original Message-----
From: Tasuka Amano Hsu [mailto:tasuka@mac.com]
Sent: Monday, March 17, 2003 2:30 AM
To: ccielab Groupstudy
Subject: GRE Tunnel with IPSec encapsulation!
Here is my GRE tunnel over IPSec configuration, and it works, but
do I put too much in the access-list, or use too many commands to do
it? I tried the IP-IP tunnel mode and the GRE-IP mode with the same config.
If I do not put the crypto map on interface tunnel0, then I get an
error saying protocol type 47 is not encapsulated with IPSec.
Could somebody share yours?
R1 and R2 are connected via Ethernet directly.
Best Regards
Tasuka
!
hostname R1
!
! Phase 1: ISAKMP policy and the pre-shared key for the peer
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 172.16.100.174
!
! Phase 2 transform sets (no "mode" line, so IOS defaults them to tunnel mode)
crypto ipsec transform-set IPform1 ah-md5-hmac
crypto ipsec transform-set IPform2 esp-des
!
! Crypto map: peer, transform sets and crypto ACL 101
crypto map IPSEC 10 ipsec-isakmp
 set peer 172.16.100.174
 set transform-set IPform2 IPform1
 set pfs group1
 match address 101
!
! GRE tunnel; the crypto map is applied here as well as on the egress interface
interface Tunnel0
 ip address 172.16.11.1 255.255.255.0
 tunnel source 172.16.100.253
 tunnel destination 172.16.100.174
 tunnel sequence-datagrams
 tunnel checksum
 tunnel path-mtu-discovery
 crypto map IPSEC
!
! Egress interface that owns the tunnel source address
interface Ethernet0
 ip address 172.16.100.253 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 crypto map IPSEC
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.100.174
no ip http server
!
! Crypto ACL: selects the traffic the crypto map protects
access-list 101 deny ahp any any
access-list 101 deny esp any any
access-list 101 permit gre host 172.16.100.253 host 172.16.100.174
access-list 101 permit ip host 172.16.100.253 host 172.16.100.174
!
!
hostname R2
!
enable password cisco
!
ip subnet-zero
ip tcp synwait-time 5
no ip domain-lookup
!
! Phase 1: ISAKMP policy and the pre-shared key for the peer
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 172.16.100.253
!
! Phase 2 transform sets (no "mode" line, so IOS defaults them to tunnel mode)
crypto ipsec transform-set IPform1 ah-md5-hmac
crypto ipsec transform-set IPform2 esp-des
!
! Crypto map: peer, transform sets and crypto ACL 101
crypto map IPSS 10 ipsec-isakmp
 set peer 172.16.100.253
 set transform-set IPform2 IPform1
 set pfs group1
 match address 101
!
! GRE tunnel; the crypto map is applied here as well as on the egress interface
interface Tunnel0
 ip address 172.16.11.2 255.255.255.0
 tunnel source 172.16.100.174
 tunnel destination 172.16.100.253
 tunnel sequence-datagrams
 tunnel checksum
 tunnel path-mtu-discovery
 crypto map IPSS
!
! Egress interface that owns the tunnel source address
interface Ethernet0
 ip address 172.16.100.174 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 crypto map IPSS
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.100.253
no ip http server
!
! Crypto ACL: selects the traffic the crypto map protects
access-list 101 deny ahp any any
access-list 101 deny esp any any
access-list 101 permit gre host 172.16.100.174 host 172.16.100.253
access-list 101 permit ip host 172.16.100.174 host 172.16.100.253
!
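Patrick's three points (one GRE permit in the crypto ACL between tunnel source and destination, transport mode on the transform sets, and the crypto map on both the Tunnel interface and the egress interface) can be checked mechanically against a config file. The script below is an added example, not part of the original thread and not Cisco code. It uses a small hand-written parser that assumes the one-space sub-command indentation IOS itself writes (the quoted configs above lost theirs in the mail), and that a transform set with no "mode" line is in IOS's default tunnel mode. POSTED_R1 is a constructed, abridged copy of R1's config from the thread; TRIMMED_R1 is the same config reduced as the reply suggests.

```python
"""Lint a Cisco IOS config for the GRE-over-IPsec points made in the reply above.
Added example, not from the original post or from Cisco. It assumes the one-space
sub-command indentation IOS itself writes; POSTED_R1 is a constructed, abridged
copy of R1's config from the thread."""

# interface sub-commands whose third word the audit needs, e.g. "tunnel source 1.2.3.4"
IFACE_KEYS = {"ip address", "tunnel source", "tunnel destination", "crypto map"}

def parse_ios(text):
    """Section-aware parse of only the commands the audit needs."""
    interfaces, crypto_maps, modes, acls, section = {}, {}, {}, {}, None
    for raw in text.splitlines():
        line, words = raw.strip(), raw.split()
        if not words or line.startswith("!"):
            section = None
            continue
        if not raw.startswith(" "):                          # top-level command
            section = None
            if words[0] == "interface":
                section = "interface", interfaces.setdefault(words[1], {})
            elif line.startswith("crypto map ") and len(words) >= 5:
                section = "crypto map", crypto_maps.setdefault(words[2], {"transform_sets": []})
            elif line.startswith("crypto ipsec transform-set "):
                modes[words[3]] = "tunnel"       # IOS default when no 'mode' line follows
                section = "transform-set", words[3]
            elif words[0] == "access-list":
                acls.setdefault(words[1], []).append(" ".join(words[2:]))
            continue
        kind, obj = section or (None, None)                  # indented sub-command
        key = " ".join(words[:2])
        if kind == "interface" and key in IFACE_KEYS and len(words) > 2:
            obj[key] = words[2]
        elif kind == "crypto map" and key == "set transform-set":
            obj["transform_sets"] = words[2:]
        elif kind == "crypto map" and key == "match address":
            obj["acl"] = words[2]
        elif kind == "transform-set" and words[0] == "mode":
            modes[obj] = words[1]
    return interfaces, crypto_maps, modes, acls

def audit(text):
    """Findings per tunnel interface; an empty list means the reply's three points hold."""
    interfaces, crypto_maps, modes, acls = parse_ios(text)
    findings = []
    for name, tun in interfaces.items():
        src, dst = tun.get("tunnel source"), tun.get("tunnel destination")
        if not (src and dst):
            continue                                         # not a tunnel interface
        if src in interfaces:
            src = interfaces[src].get("ip address")          # 'tunnel source Ethernet0' form
        map_name = tun.get("crypto map")
        cmap = crypto_maps.get(map_name)
        if cmap is None:
            findings.append(f"{name}: no defined crypto map applied, GRE would leave in the clear")
            continue
        # 1. the egress interface that owns the tunnel source carries the same crypto map
        for ename, egress in interfaces.items():
            if egress.get("ip address") == src and egress.get("crypto map") != map_name:
                findings.append(f"{ename}: egress for {name} lacks crypto map {map_name}")
        # 2. the crypto ACL needs the GRE permit between the endpoints, and nothing else
        acl = cmap.get("acl")
        entries, gre = acls.get(acl, []), f"permit gre host {src} host {dst}"
        if gre not in entries:
            findings.append(f"{map_name}: ACL {acl} is missing '{gre}'")
        findings += [f"{map_name}: ACL {acl} entry '{e}' is not needed" for e in entries if e != gre]
        # 3. every transform set the map uses is in transport mode
        for ts in cmap["transform_sets"]:
            mode = modes.get(ts)
            if mode != "transport":
                findings.append(f"{map_name}: transform set {ts} is {mode or 'undefined'}, not transport mode")
    return findings

POSTED_R1 = """\
crypto ipsec transform-set IPform1 ah-md5-hmac
crypto ipsec transform-set IPform2 esp-des
!
crypto map IPSEC 10 ipsec-isakmp
 set transform-set IPform2 IPform1
 match address 101
!
interface Tunnel0
 ip address 172.16.11.1 255.255.255.0
 tunnel source 172.16.100.253
 tunnel destination 172.16.100.174
 crypto map IPSEC
!
interface Ethernet0
 ip address 172.16.100.253 255.255.255.0
 crypto map IPSEC
!
access-list 101 deny ahp any any
access-list 101 permit gre host 172.16.100.253 host 172.16.100.174
access-list 101 permit ip host 172.16.100.253 host 172.16.100.174
"""
# The same config trimmed as the reply suggests: transport mode and a single GRE permit.
TRIMMED_R1 = (POSTED_R1
    .replace("ah-md5-hmac\n", "ah-md5-hmac\n mode transport\n")
    .replace("esp-des\n", "esp-des\n mode transport\n")
    .replace("access-list 101 deny ahp any any\n", "")
    .replace("access-list 101 permit ip host 172.16.100.253 host 172.16.100.174\n", ""))

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_R1), ("trimmed", TRIMMED_R1)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run as-is, the posted config produces four findings: the two superfluous ACL entries and the two transform sets left in the default tunnel mode; the trimmed variant produces none. Removing the crypto map from Tunnel0 or from Ethernet0 in the sample text produces the corresponding finding, which matches the protocol-47 error the original poster saw when the map was missing from the tunnel interface.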
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:41 GMT-3