
GRE over IPsec (tunnel protection)

Router 1:

configure terminal
!
! Basic configuration for connection to the internet
interface g0/0
 ip address 12.0.0.1 255.0.0.0
 ip ospf 1 area 0
 no shutdown
interface loopback 1
 ip address 10.1.1.1 255.255.255.255
interface loopback 2
 ip address 10.2.1.1 255.255.255.255
!
! Configuration for the tunnel
interface tunnel 0
 tunnel mode gre ip
 ip address 172.16.0.1 255.255.0.0
 tunnel source g0/0
 tunnel destination 23.0.0.3
!
! Routing for the tunnel
router eigrp 10
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
! Configure IPsec
! 3DES, MD5 and DH group 2 are legacy settings kept from the original notes;
! on a production router use aes 256, sha256 and group 14 or higher (and prefer IKEv2)
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 hash md5
 group 2
!
crypto isakmp key CISCO123 address 23.0.0.3
!
crypto ipsec transform-set tset esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-SEC
 set transform-set tset
!
interface tunnel 0
 tunnel protection ipsec profile GRE-SEC

Router 3:

configure terminal
!
! Basic configuration for connection to the internet
! (the page shows 23.0.0.1 here, but Router 1 peers with 23.0.0.3; 23.0.0.3 is used so the two sides agree)
interface g0/0
 ip address 23.0.0.3 255.0.0.0
 ip ospf 1 area 0
 no shutdown
interface loopback 1
 ip address 10.3.1.1 255.255.255.255
interface loopback 2
 ip address 10.4.1.1 255.255.255.255
!
! Configuration for the tunnel
interface tunnel 0
 tunnel mode gre ip
 ip address 172.16.0.2 255.255.0.0
 tunnel source g0/0
 tunnel destination 12.0.0.1
!
! Routing for the tunnel
router eigrp 10
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
! Configure IPsec (mirror of Router 1; the page's Router 3 column omits the key and
! transform-set lines, but the profile needs both before the tunnel can come up)
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 hash md5
 group 2
!
crypto isakmp key CISCO123 address 12.0.0.1
!
crypto ipsec transform-set tset esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-SEC
 set transform-set tset
!
interface tunnel 0
 tunnel protection ipsec profile GRE-SEC

Router 2:
! transit router between Router 1 and Router 3; it only ever sees the GRE/ESP packets
configure terminal
!
interface g0/0
 ip address 12.0.0.2 255.0.0.0
 ip ospf 1 area 0
 no shutdown
! the page repeats 12.0.0.2 on g1/0, which would overlap g0/0; g1/0 must sit on the
! 23.0.0.0/8 link towards Router 3, so 23.0.0.2 is assumed here
interface g1/0
 ip address 23.0.0.2 255.0.0.0
 ip ospf 1 area 0
 no shutdown
!
DMVPN with IPsec (tunnel protection)

Router 1 (hub):
!
crypto isakmp policy 10
 encryption aes 192
 hash md5
 authentication pre-share
 group 2
!
! wildcard key: required when spokes have unknown addresses, but anyone who learns
! the key can complete Phase 1 with the hub; keep it strong and rotate it
crypto isakmp key 0 MGRE-SEC address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TRNS-SET esp-aes 256 esp-md5-hmac
!
crypto ipsec profile DMVPN-PROFILE
 ! lab value; the default lifetime is 86400 seconds
 set security-association lifetime seconds 120
 set transform-set DMVPN-TRNS-SET
!
interface tunnel 0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip tcp adjust-mss 1360
 ! the NHRP authentication string travels in cleartext inside NHRP; only the IPsec
 ! protection keeps it off the wire
 ip nhrp authentication MGRE-SEC
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 10
 ! the notes say: do not apply this command on an MPLS network
 no ip next-hop-self eigrp 10
 tunnel source fastethernet 0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROFILE
!
router eigrp 10
 network 192.168.1.0
!

Router 2 (spoke):
!
crypto isakmp policy 10
 encryption aes 192
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key 0 MGRE-SEC address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TRNS-SET esp-aes 256 esp-md5-hmac
!
crypto ipsec profile DMVPN-PROFILE
 ! lab value; the default lifetime is 86400 seconds
 set security-association lifetime seconds 120
 set transform-set DMVPN-TRNS-SET
!
interface tunnel 0
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip tcp adjust-mss 1360
 ip nhrp authentication MGRE-SEC
 ! only the hub needs the dynamic multicast map; it is harmless on a spoke
 ip nhrp map multicast dynamic
 ! 54.45.12.1 is the hub's public address (its fastethernet 0/0, the tunnel source)
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 54.45.12.1
 ip nhrp map multicast 54.45.12.1
 ip nhrp network-id 1
 tunnel source fastethernet 0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROFILE
!
router eigrp 10
 network 192.168.1.0
!
Router 3 (spoke):
!
crypto isakmp policy 10
 encryption aes 192
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key 0 MGRE-SEC address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TRNS-SET esp-aes 256 esp-md5-hmac
!
crypto ipsec profile DMVPN-PROFILE
 ! lab value; the default lifetime is 86400 seconds
 set security-association lifetime seconds 120
 set transform-set DMVPN-TRNS-SET
!
interface tunnel 0
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip tcp adjust-mss 1360
 ip nhrp authentication MGRE-SEC
 ip nhrp map multicast dynamic
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 54.45.12.1
 ip nhrp map multicast 54.45.12.1
 ip nhrp network-id 1
 tunnel source fastethernet 0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROFILE
!
router eigrp 10
 network 192.168.1.0
!
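Both the GRE-over-IPsec and the DMVPN configs above use settings that should not leave a lab (3DES, MD5, DH group 2, a wildcard pre-shared key), and in the GRE example the tunnel runs in cleartext until the `tunnel protection` line is added. The following script is an added example, not code from the original page: it reads an IOS config in the text form shown above and reports those weak settings. `WEAK_CONFIG` is the page's DMVPN hub stanzas plus a constructed unprotected GRE tunnel; `HARDENED_CONFIG` is a constructed corrected version of the same stanzas. The parser is a minimal reader of the IOS layout (one-space indented children, `!` comments), not a full config grammar.

```python
"""Audit a Cisco IOS config for weak VPN settings: legacy IKE ciphers
(DES/3DES, MD5, DH group 1/2/5), legacy ESP transforms, wildcard
pre-shared keys and GRE tunnels with no tunnel protection.
Added example; WEAK_CONFIG/HARDENED_CONFIG are constructed samples."""
import re
from dataclasses import dataclass

WEAK_IKE_ENC = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}            # "sha" (SHA-1) is legacy too but not flagged here
WEAK_DH_GROUPS = {"1", "2", "5"}   # prefer group 14 or larger, or the ECDH groups
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


@dataclass(frozen=True)
class Finding:
    severity: str
    where: str      # the top-level config line the finding belongs to
    message: str


def _sections(lines):
    """Yield (header, children) for each top-level command and its indented lines."""
    header, children = None, []
    for raw in lines:
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if line.startswith(" "):
            children.append(line.strip())
            continue
        if header is not None:
            yield header, children
        header, children = line, []
    if header is not None:
        yield header, children


def audit(config_text):
    """Return the Findings for one IOS config; an empty list means nothing flagged."""
    findings, tunnels = [], {}
    for header, children in _sections(config_text.splitlines()):
        low = header.lower()
        if low.startswith("crypto isakmp policy"):
            for child in children:
                kw, *args = child.split()
                arg = args[0] if args else ""
                if kw == "encryption" and arg in WEAK_IKE_ENC:
                    findings.append(Finding("high", header, f"IKE encryption {arg}; use 'encryption aes 256'"))
                elif kw == "hash" and arg in WEAK_IKE_HASH:
                    findings.append(Finding("high", header, "IKE hash md5; use 'hash sha256'"))
                elif kw == "group" and arg in WEAK_DH_GROUPS:
                    findings.append(Finding("medium", header, f"DH group {arg} is too small; use group 14 or higher"))
        elif low.startswith("crypto isakmp key"):
            # crypto isakmp key [0|6] KEY address A.B.C.D [MASK]  (or ... hostname NAME)
            m = re.search(r"\baddress\s+(\S+)(?:\s+(\S+))?", header)
            if m and "0.0.0.0" in (m.group(1), m.group(2)):
                findings.append(Finding("medium", header, "wildcard pre-shared key: any peer that knows the key can complete Phase 1"))
        elif low.startswith("crypto ipsec transform-set"):
            for alg in header.split()[4:]:
                if alg in WEAK_ESP:
                    findings.append(Finding("high", header, f"ESP transform {alg}; use esp-aes 256 esp-sha256-hmac"))
        elif low.startswith("interface tunnel"):
            tunnels.setdefault(header, []).extend(children)   # IOS merges repeated stanzas
    for header, children in tunnels.items():
        modes = [c for c in children if c.startswith("tunnel mode")]
        is_gre = not modes or any(c.startswith("tunnel mode gre") for c in modes)  # GRE is the default mode
        if is_gre and not any(c.startswith("tunnel protection") for c in children):
            findings.append(Finding("high", header, "GRE tunnel without 'tunnel protection': payload and routing updates cross the underlay in cleartext"))
    return findings


WEAK_CONFIG = """\
crypto isakmp policy 10
 encryption aes 192
 hash md5
 group 2
!
crypto isakmp key 0 MGRE-SEC address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TRNS-SET esp-aes 256 esp-md5-hmac
!
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE
!
interface Tunnel1
 tunnel source FastEthernet0/0
 tunnel destination 23.0.0.3
"""

HARDENED_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 group 14
!
crypto isakmp key 0 MGRE-SEC address 54.45.12.1 255.255.255.255
!
crypto ipsec transform-set DMVPN-TRNS-SET esp-aes 256 esp-sha256-hmac
!
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE
"""

if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print(f"[{f.severity}] {f.where}: {f.message}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Run it against `show running-config` output saved to a file. The hardened sample binds the key to the hub's address, which works on a spoke; a hub that accepts spokes with unknown addresses still needs a wildcard key unless it moves to per-spoke keys or certificates, so treat that finding as a design decision to document rather than a line to delete.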

Show commands:
show crypto isakmp sa -> verify the Phase 1 (IKE) SA with the peer (state QM_IDLE means Phase 1 is up)
show crypto ipsec sa -> verify the Phase 2 SAs and that the encaps/decaps counters increase with traffic
show dmvpn -> on the DMVPN routers, list the NHRP peers and the state of each tunnel
debug crypto isakmp -> trace the IKE negotiation when Phase 1 does not come up (use with care on a production router)

Create ACL 100 to define the interesting traffic (the networks the VPN must protect), for example:

access-list 100 remark **** Networks VPN ****
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

Create the ACL for NAT. It must deny the VPN traffic before the permit, because IOS translates inside-to-outside traffic before it evaluates the crypto map; without the deny the packets would leave with the outside address as source, no longer match ACL 100, and go out in cleartext:

access-list 101 remark **** NAT ACL ****
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any

! Very important
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp key cisco123 hostname r2.cisco.com -> the spoke's hostname on the hub, or the hub's hostname on the spoke
The wildcard address key accepts any peer address, so anyone who learns the key can complete Phase 1; the hostname key only matches a peer that identifies itself by FQDN (crypto isakmp identity hostname).
Dynamic VPN (with dynamic public IP addresses)

Each router names its peer by hostname and resolves it through the configured name server when the SA is built (set peer ... dynamic), so the peer's public address may change between sessions.

Router 1:
!
hostname R1
!
access-list 100 remark ****** Link to r2.cisco.com ******
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
access-list 101 remark ****** NAT ACL ******
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
!
ip nat inside source route-map nonat interface FastEthernet 0/0 overload
!
route-map nonat permit 10
 match ip address 101
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 encryption 3des
 group 2
 lifetime 3600
!
crypto isakmp key CISCO123 address 0.0.0.0 0.0.0.0
crypto isakmp key CISCO123 hostname r2.cisco.com
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
!
crypto dynamic-map dynmap 120
 description ****** Dynamic Map to r2.cisco.com ******
 set transform-set myset
 set pfs group2
 match address 100
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
!
crypto map mymap 110 ipsec-isakmp
 description ****** Static VPN MAP to r2.cisco.com ******
 set peer r2.cisco.com dynamic
 set transform-set myset
 set pfs group2
 match address 100
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
!
! the dynamic entry keeps the highest sequence number so the static entry is tried first
crypto map mymap 130 ipsec-isakmp dynamic dynmap
!
interface FastEthernet 0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map mymap
 ip nat outside
!
interface FastEthernet 0/1
 ! the page omits this address; 10.1.1.1/24 is assumed from ACL 100
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip name-server 1.1.1.100
!

Router 2:
!
hostname R2
!
access-list 100 remark ****** Link to r1.cisco.com ******
access-list 100 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
access-list 101 remark ****** NAT ACL ******
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.2.0 0.0.0.255 any
!
ip nat inside source route-map nonat interface FastEthernet 0/0 overload
!
route-map nonat permit 10
 match ip address 101
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 encryption 3des
 group 2
 lifetime 3600
!
crypto isakmp key CISCO123 address 0.0.0.0 0.0.0.0
crypto isakmp key CISCO123 hostname r1.cisco.com
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
!
crypto dynamic-map dynmap 120
 description ****** Dynamic Map to r1.cisco.com ******
 set transform-set myset
 set pfs group2
 match address 100
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
!
crypto map mymap 110 ipsec-isakmp
 description ****** Static VPN MAP to r1.cisco.com ******
 set peer r1.cisco.com dynamic
 set transform-set myset
 set pfs group2
 match address 100
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
!
crypto map mymap 130 ipsec-isakmp dynamic dynmap
!
interface FastEthernet 0/0
 ip address 1.1.1.2 255.255.255.0
 crypto map mymap
 ip nat outside
!
interface FastEthernet 0/1
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip name-server 1.1.1.100
!
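The NAT exemption in ACL 101 is the part of this design that is easiest to get wrong, and the failure is silent: traffic still flows, just unencrypted. The script below is an added example, not code from the page; it models the IOS inside-to-outside order of operations (the route-map NAT decision first, then the crypto map's match ACL on the post-NAT packet) over Router 1's ACLs exactly as written above, with 1.1.1.1 as its FastEthernet 0/0 address. Only the ACL forms used in these notes are parsed (`access-list N permit|deny ip SRC WILDCARD DST WILDCARD`, `any`, `host`); the variant without the deny line is constructed to show the leak.

```python
"""Model the IOS inside->outside order of operations for the dynamic-VPN
routers: NAT (route-map nonat -> ACL 101) is decided first, then the crypto
map's ACL 100 is checked on the post-NAT packet.  Added example; R1_ACLS is
the page's Router 1 ACL set and R1_ACLS_NO_EXEMPTION a constructed variant."""
import ipaddress


def _parse_field(words, i):
    """One ACL address field at words[i]; returns (base, wildcard, next index)."""
    if words[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if words[i] == "host":
        return words[i + 1], "0.0.0.0", i + 2
    return words[i], words[i + 1], i + 2


def parse_acls(config_text):
    """Return {acl_number: [(action, src, src_wc, dst, dst_wc), ...]} in config order."""
    acls = {}
    for line in config_text.splitlines():
        words = line.split()
        if len(words) < 5 or words[0] != "access-list" or words[2] == "remark":
            continue
        if words[3] != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line!r}")
        src, src_wc, i = _parse_field(words, 4)
        dst, dst_wc, _ = _parse_field(words, i)
        acls.setdefault(words[1], []).append((words[2], src, src_wc, dst, dst_wc))
    return acls


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def acl_action(entries, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, s_wc, d, d_wc in entries:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"


def forward(src, dst, config_text, outside_ip, nat_acl="101", crypto_acl="100"):
    """Return (disposition, source address on the wire) for an inside->outside packet.
    A 'permit' from the NAT ACL means route-map nonat translates the source to the
    outside interface address (PAT); the crypto ACL then sees the translated packet."""
    acls = parse_acls(config_text)
    wire_src = src
    if acl_action(acls.get(nat_acl, []), src, dst) == "permit":
        wire_src = outside_ip
    if acl_action(acls.get(crypto_acl, []), wire_src, dst) == "permit":
        return "encrypted", wire_src
    return "cleartext", wire_src


# Router 1's ACLs as written on the page, and a constructed variant that omits
# the NAT exemption (the 'deny' line) to show what goes wrong without it.
R1_ACLS = """\
access-list 100 remark ****** Link to r2.cisco.com ******
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 remark ****** NAT ACL ******
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
"""
R1_ACLS_NO_EXEMPTION = "\n".join(l for l in R1_ACLS.splitlines() if " deny " not in l)

if __name__ == "__main__":
    for name, cfg in (("with exemption", R1_ACLS), ("without exemption", R1_ACLS_NO_EXEMPTION)):
        print(name, "site-to-site:", forward("10.1.1.10", "10.1.2.20", cfg, "1.1.1.1"))
        print(name, "internet    :", forward("10.1.1.10", "8.8.8.8", cfg, "1.1.1.1"))
```

With the deny in place a packet from 10.1.1.10 to 10.1.2.20 keeps its source, matches ACL 100 and is encrypted, while traffic to the internet is translated to 1.1.1.1 and sent in the clear as intended. Without it the same site-to-site packet is translated first, no longer matches ACL 100, and leaves unencrypted; on a real router the symptom is `show crypto ipsec sa` counters that never increment while the hosts still reach each other.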
