GroupStudy.com - A virtual community of network engineers
RE: GRE Tunnel with IPSec encapsulation! posted 03/17/2003


You only need the access-list 101 permit gre host <tunnel source> host <tunnel destination> on both routers. All traffic traversing the GRE tunnel will be encrypted. Set the configuration to TRANSPORT mode on your IPSEC transform sets. 
You also have to set the Crypto maps on the GRE interfaces, and the egress interface.

Thanks,

Patrick B
-----Original Message-----
From: Tasuka Amano Hsu [mailto:tasuka@xxxxxxx]
Sent: Monday, March 17, 2003 2:30 AM
To: ccielab Groupstudy
Subject: GRE Tunnel with IPSec encapsulation!


Here is my GRE tunnel over IPSec configuration, and it works, but am I 
putting too much in the access-list, or using too many commands to do 
it? I have tried IP-IP tunnel mode and GRE-IP mode with the same config. 
If I do not put the crypto map on interface Tunnel0, then I get an 
error saying protocol type 47 is not encapsulated with IPSec.
Could somebody share yours?

R1 and R2 are connected directly via Ethernet.

Best Regards

Tasuka


!
hostname R1
!
crypto isakmp policy 1
  hash md5
  authentication pre-share
  group 2
  lifetime 3600
crypto isakmp key cisco address 172.16.100.174
!
!
! No 'mode transport' on either set, so the IOS default (tunnel mode) is used.
! IPform1 (AH-MD5) authenticates only; IPform2 (ESP-DES) encrypts only.
crypto ipsec transform-set IPform1 ah-md5-hmac
crypto ipsec transform-set IPform2 esp-des
!
crypto map IPSEC 10 ipsec-isakmp
  set peer 172.16.100.174
  set transform-set IPform2 IPform1
  set pfs group1
  match address 101
!
! The crypto map is applied to the GRE tunnel interface AND to the physical
! egress interface (Ethernet0); omitting it on Tunnel0 produced the
! protocol-47 error described above.
interface Tunnel0
  ip address 172.16.11.1 255.255.255.0
  tunnel source 172.16.100.253
  tunnel destination 172.16.100.174
  tunnel sequence-datagrams
  tunnel checksum
  tunnel path-mtu-discovery
  crypto map IPSEC
!
interface Ethernet0
  ip address 172.16.100.253 255.255.255.0
  no ip route-cache
  no ip mroute-cache
  crypto map IPSEC
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.100.174
no ip http server
!
! Crypto ACL. The AH/ESP deny lines are only there to keep the broad
! 'permit ip' line from matching IPsec packets between the same two hosts;
! with just the 'permit gre' line neither is needed, since AH/ESP packets
! would not match it anyway.
access-list 101 deny   ahp any any
access-list 101 deny   esp any any
access-list 101 permit gre host 172.16.100.253 host 172.16.100.174
access-list 101 permit ip host 172.16.100.253 host 172.16.100.174
!

!
! R2's crypto configuration mirrors R1's; only the addresses and the crypto
! map name (IPSS, a local name that need not match R1's) differ.
hostname R2
!
! Cleartext enable password (lab only); 'enable secret' stores a hash instead.
enable password cisco
!
ip subnet-zero
ip tcp synwait-time 5
no ip domain-lookup
!
crypto isakmp policy 1
  hash md5
  authentication pre-share
  group 2
  lifetime 3600
crypto isakmp key cisco address 172.16.100.253
!
!
crypto ipsec transform-set IPform1 ah-md5-hmac
crypto ipsec transform-set IPform2 esp-des
!
crypto map IPSS 10 ipsec-isakmp
  set peer 172.16.100.253
  set transform-set IPform2 IPform1
  set pfs group1
  match address 101
!
interface Tunnel0
  ip address 172.16.11.2 255.255.255.0
  tunnel source 172.16.100.174
  tunnel destination 172.16.100.253
  tunnel sequence-datagrams
  tunnel checksum
  tunnel path-mtu-discovery
  crypto map IPSS
!
interface Ethernet0
  ip address 172.16.100.174 255.255.255.0
  no ip route-cache
  no ip mroute-cache
  crypto map IPSS
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.100.253
no ip http server
!
access-list 101 deny   ahp any any
access-list 101 deny   esp any any
access-list 101 permit gre host 172.16.100.174 host 172.16.100.253
access-list 101 permit ip host 172.16.100.174 host 172.16.100.253
!
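Below is the reduced configuration Patrick's reply describes (a single 'permit gre' line in the crypto ACL, transport mode on the transform set, the crypto map on both Tunnel0 and the egress Ethernet0), written out against the addresses in Tasuka's configuration above. It is an added example from the editor, not a configuration posted by either participant. Choices that are not in the thread: the transform-set name GRE-TS, 'ip mtu 1400' on the tunnel (a conservative value to keep GRE+IPsec packets below the Ethernet MTU), and the use of one ESP transform set that both encrypts and authenticates instead of offering an AH-only set as an alternative (AH alone authenticates but does not encrypt). The ISAKMP and transform parameters (DES, MD5, group 2, pre-shared key "cisco") are kept as posted so the example matches the 2003 lab; on any current IOS they should be replaced with AES, SHA, a stronger DH group and a real key.

```cisco
! ===== R1 (added example, not the poster's config) =====
hostname R1
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 172.16.100.174
!
! One transform set that both encrypts and authenticates. Transport mode
! is enough because the IPsec peers are the GRE tunnel endpoints themselves,
! so there is no second IP header to hide; it also saves 20 bytes per packet.
crypto ipsec transform-set GRE-TS esp-des esp-md5-hmac
 mode transport
!
crypto map IPSEC 10 ipsec-isakmp
 set peer 172.16.100.174
 set transform-set GRE-TS
 set pfs group1
 match address 101
!
! Crypto ACL: only the GRE flow between the tunnel endpoints. Everything
! routed into Tunnel0 is GRE-encapsulated first, so this one line covers it.
access-list 101 permit gre host 172.16.100.253 host 172.16.100.174
!
interface Tunnel0
 ip address 172.16.11.1 255.255.255.0
 ip mtu 1400
 tunnel source 172.16.100.253
 tunnel destination 172.16.100.174
 crypto map IPSEC
!
interface Ethernet0
 ip address 172.16.100.253 255.255.255.0
 crypto map IPSEC
!
! Default route points at the peer's Ethernet address, not into Tunnel0,
! so the tunnel destination is never reached through the tunnel itself.
ip route 0.0.0.0 0.0.0.0 172.16.100.174
!
! ===== R2 =====
hostname R2
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 172.16.100.253
!
crypto ipsec transform-set GRE-TS esp-des esp-md5-hmac
 mode transport
!
crypto map IPSEC 10 ipsec-isakmp
 set peer 172.16.100.253
 set transform-set GRE-TS
 set pfs group1
 match address 101
!
access-list 101 permit gre host 172.16.100.174 host 172.16.100.253
!
interface Tunnel0
 ip address 172.16.11.2 255.255.255.0
 ip mtu 1400
 tunnel source 172.16.100.174
 tunnel destination 172.16.100.253
 crypto map IPSEC
!
interface Ethernet0
 ip address 172.16.100.174 255.255.255.0
 crypto map IPSEC
!
ip route 0.0.0.0 0.0.0.0 172.16.100.253
```

To check it, ping 172.16.11.2 from R1 and then run 'show crypto isakmp sa' (the peer should be listed in state QM_IDLE) and 'show crypto ipsec sa' (the GRE flow between 172.16.100.253 and 172.16.100.174 should show '#pkts encaps' and '#pkts decaps' increasing and 'in use settings ={Transport, }'). The crypto map on Tunnel0 is what the protocol-47 error in the original post is about: on the IOS releases of the time the map had to be on the tunnel interface as well as on the physical one; from 12.2(13)T onward it is only required on the physical (egress) interface.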