Master CCNA

How to Master CCNA Ebook

 

 Start your networking career and Master CCNA

Master CCNP SWITCH

How to master CCNP SWITCH ebook

 

 Become a switching guru and Master CCNP SWITCH

Master CCNP ROUTE

How to master CCNP ROUTE Ebook

 

 Dominate routing protocols and Master CCNP ROUTE

Master CCNP TSHOOT

How to Master CCNP TSHOOT

 

 Complete your CCNP R&S journey and Master CCNP TSHOOT

Print

Encrypted GRE Tunnel

Written by Rene Molenaar on . Posted in Tunneling & GRE

Scenario:

Your colleagues at "BigLabs" are very pleased with your performance so far...you managed to succesfully configure the "Basic GRE" lab and the "Site-to-Site IPSEC VPN" lab. Now it's time to show them who the true networking expert is and teach them how to configure a Secure GRE tunnel. This allows you to send routing protocol updates through the GRE tunnel, and use IPSEC to encrypt this traffic....let's do it!

Goal:

  • All IP addresses are preconfigured as specified in the topology picture.
  • Router Godzilla and Nessie have the following loopback interfaces:
    Godzilla: Loopback0: 1.1.1.1 /24 Loopback1: 11.11.11.11 /24
  • Nessie: Loopback0: 3.3.3.3 /24 Loopback1: 33.33.33.33 /24
  • Configure EIGRP AS1 on all 3 routers, only advertise the 192.168.12.0 and 192.168.23.0 network, do not advertise the loopbacks.
  • Ensure Router Godzilla and Nessie can ping each other.
  • Configure a GRE tunnel between Router Godzilla and Nessie.
  • Configure the 192.168.13.0 /24 network on the GRE tunnel:
    Godzilla: 192.168.13.1
    Nessie: 192.168.13.3
  • Ensure you can ping the IP addresses that you configured on the tunnel interface.
  • Configure OSPF and use network commands to advertise the network on the GRE tunnel.
  • Advertise Loopback1 in OSPF on Router Godzilla and Nessie.
  • Ensure you establish a OSPF neighbour relationship and that you see the loopback1 interfaces in the routing table.
  • Now it's time to setup the IPSEC connection!
  • Create an IKE Policy with the following parameters:
    Authentication: pre-shared-key
    Encryption: AES 256
    Hashing: sha
    DH: Group 5
    Lifetime: 3600
  • The pre-shared-key should be "VAULT".
  • Create an IPSEC Transform-set with the following parameters:
    ESP (Encapsulatiing Security Payload)
    Encryption: AES 256
    Hashing: SHA-HMAC
  • Create the correct access-lists to encrypt the GRE tunnel traffic.
  • Create the correct crypto-map to finish the IPSEC configuration.
  • Verify the IPSEC configuration, you can use the following show/debug commands:
    show crypto ipsec transform-set
    show crypto map
    show crypto ipsec sa
  • debug crypto isakmp

IOS:

c3640-jk9s-mz.124-16.bin

Topology:

Video Solution:

You need to a flashplayer enabled browser to view this YouTube video

You need to register to be able to download the GNS3 Topology File. (Registration is Free!)

Only registered users can write comments!

Comments (9)

  • avatar
    xtophe02
    2011-05-05 15:26:54

    ***********Godzilla************
    host Godzilla
    line con 0
    logg sy
    int f0/0
    ip add 192.168.12.1 255.255.255.0
    no sh
    !
    int l0
    ip add 1.1.1.1 255.255.255.0
    !

    router eigrp 1
    netw 192.168.12.0 0.0.0.255
    !
    int tun 0
    ip add 192.168.13.1 255.255.255.0
    tu so f0/0
    tu des 192.168.23.3
    cry map mymap
    !
    int l1
    ip add 11.11.11.11 255.255.255.0
    !
    router ospf 1
    !netw 192.168.12.0 0.0.0.255 are 0
    netw 1.1.1.1 0.0.0.255 are 0
    netw 11.11.11.11 0.0.0.255 are 0
    netw 192.168.13.0 0.0.0.255 are 0
    !
    cryp isa po 10
    authe pre
    enc aes 256
    has sha
    gr 5
    life 3600
    !
    cry isa key 0 vault add 192.168.23.3
    !
    cry ips tra myset esp-aes 256 ah-sha-h
    !
    cry map mymap 10 ipsec-is
    set peer 192.168.23.3
    set tran myset
    match add 110
    !
    acc 110 perm ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
    acc 110 perm ip 1.1.1.0 0.0.0.255 33.33.33.0 0.0.0.255
    acc 110 perm ip 11.11.11.0 0.0.0.255 3.3.3.0 0.0.0.255
    acc 110 perm ip 11.11.11.0 0.0.0.255 33.33.33.0 0.0.0.255
    !

    ***********KingKong************

    host KingKong
    line con 0
    logg sy
    int f0/0
    ip add 192.168.12.2 255.255.255.0
    no sh
    int f1/0
    ip add 192.168.23.2 255.255.255.0
    no sh
    !
    router eigrp 1
    netw 192.168.12.0 0.0.0.255
    netw 192.168.23.0 0.0.0.255
    !

    ***********nessie********

    host Nessie
    line con 0
    logg sy
    int f0/0
    ip add 192.168.23.3 255.255.255.0
    no sh
    !
    int l0
    ip add 3.3.3.3 255.255.255.0
    !
    router eigrp 1
    netw 192.168.23.0 0.0.0.255
    !
    !
    int tun 0
    ip add 192.168.13.3 255.255.255.0
    tu so f0/0
    tu des 192.168.12.1
    cry map mymap
    !
    int l1
    ip add 33.33.33.33 255.255.255.0
    !
    router ospf 1
    !netw 192.168.23.0 0.0.0.255 are 0
    netw 192.168.13.0 0.0.0.255 are 0
    netw 3.3.3.3 0.0.0.255 are 0
    netw 33.33.33.33 0.0.0.255 are 0
    !
    !
    cryp isa po 10
    authe pre
    enc aes 256
    has sha
    gr 5
    life 3600
    !
    cry isa key 0 vault add 192.168.12.1
    !
    cry ips tra myset esp-aes 256 ah-sha-h
    !
    cry map mymap 10 ipsec-is
    set peer 192.168.12.1
    set tran myset
    match add 110
    !
    acc 110 perm ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
    acc 110 perm ip 33.33.33.0 0.0.0.255 1.1.1.0 0.0.0.255
    acc 110 perm ip 3.3.3.0 0.0.0.255 11.11.11.0 0.0.0.255
    acc 110 perm ip 33.33.33.0 0.0.0.255 11.11.11.0 0.0.0.255
    !

  • avatar
    ReneMolenaar
    2011-06-09 22:02:26

    Hi Kase,

    Where did you put the crypto-map on? In my example I put it on the physical interface. Did you try my final config with the access-list that has "GRE" as protocol?

    If you use the "permit GRE host" solution you are encrypting the entire tunnel...if you use anything else like your access-list you can select yourself what traffic you want to encrypt, my solution just does the whole GRE tunnel.

    Rene

  • avatar
    ebalmon
    2011-06-09 11:13:42

    Hi Reene,

    i'm a bit confused with this lab. I can't stablish the isakmp sa with this access-list:

    access-list 110 permit gre host 192.168.12.1 host 192.168.23.3

    But if I can do it whit this (and can see the ESP packets with Wireshark)

    access-list 110 permit ip 11.11.11.0 0.0.0.255 33.33.33.0 0.0.0.255

    I guess that the crypto ACL must matched the interesting traffic but I'm not sure... Thanks for your help!!!!

  • avatar
    ebalmon
    2011-06-09 22:25:24

    oopss, you are right, I did put on tunnel interface. I will try this way and tell you the results

  • avatar
    baloo247
    2011-08-09 13:07:37

    Hi,

    Can you tell me what the difference is between an encrypted GRE tunnel vs the more tradition GRE over IPSEC?? Both methods use IPSEC encryption techniques, so I dont understand in which situations you would use one or the other?

    Thanks
    Bal

  • avatar
    ReneMolenaar
    2011-08-12 13:59:08
    Quote:
    Hi,

    Can you tell me what the difference is between an encrypted GRE tunnel vs the more tradition GRE over IPSEC?? Both methods use IPSEC encryption techniques, so I dont understand in which situations you would use one or the other?

    Thanks
    Bal

    Good question and to be honest I'm not 100% sure. I just googled for it and found this post on groupstudy that makes sense:

    http://www.groupstudy.com/archives/ccielab/200307/msg00972.html

    If anyone else can enlighten me please do.

  • avatar
    SteveOcchO86
    2011-12-16 06:51:20

    Wouldn't it be easier to configure tunnel protection?

  • avatar
    SteveOcchO86
    2012-01-27 06:12:10

    Can be found here http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

feedback