How to configure a GRE/IPSec VPN – Part 1
Posted by Josh on Wed 5 Mar 2008Categories: Cisco , Cisco Routers , Dynamips , GNS3 - [31] Comments
I first discovered GRE with IPSec about 4 years ago when a customer needed to transmit IPX and multicast traffic over his VPN. Since then, I have primarly used GRE/IPSEC tunnels for transmitting internal routing protocols over the internet. RIP, EIGRP or OSPF can be used over a GRE tunnel just as though it were a point to point circuit. It is also very useful for multicast music on hold.
This tutorial is part one of a two part series. If you have not already been through the internat lab series, I recommend watching them before starting the GRE/IPSec tutorials – Internet Lab Part 1 and Internet Lab Part 2.
March 5th, 2008 at 10:40 pm
[...] How to configure a GRE/IPSec VPN – Part 1 unknown wrote an interesting post today onHere’s a quick excerptI first discovered GRE with IPSec about 4 years ago when a customer needed to transmit IPX and multicast traffic over his VPN. Since then, I have primarly used GRE/IPSEC tunnels for transmitting internal routing protocols over the … [...]
March 6th, 2008 at 7:44 am
Great tutotial again, voice capture in the presentation really help.
March 6th, 2008 at 2:16 pm
Great Tutorial once again, thanks alot
March 6th, 2008 at 8:19 pm
[...] Full article here [...]
March 7th, 2008 at 12:59 pm
Can you comment on encryption over GRE tunnels?
March 7th, 2008 at 2:23 pm
That is in Part 2 of this series. I already have it recorded, but I am still editing it.
March 8th, 2008 at 11:08 pm
[...] Part 2 of the GRE/IPSec tutorial series, you will learn how to encrypt the GRE tunnels you built in Part 1. Although I only show you how to create a hub and spoke topology, it is also possible to create a [...]
March 12th, 2008 at 5:57 am
[...] Part 2 of the GRE/IPSec tutorial series, you will learn how to encrypt the GRE tunnels you built in Part 1. Although I only show you how to create a hub and spoke topology, it is also possible to create a [...]
March 18th, 2008 at 9:38 am
[...] let my friend Josh from blindhog.net show you how to do it. He’s got a video on how to configure the tunnels, and another on how to set it up for [...]
April 5th, 2008 at 12:24 pm
I have seen the crypto map actually been applied to the tunnel interface. In your case, you have applied it to the serial interface. Can you explain when one applies the crypto map to a tunnel interface rather than a physical interface.
April 5th, 2008 at 5:26 pm
In older code, it was appropriate to apply the crypto map to both the serial and tunnel interfaces. I am not sure when they changed it, but I do remember having to apply the crypto map to both.
Josh
May 25th, 2008 at 4:47 pm
I couldn´t finish the lab 1 because but i don´t see the tunnels connections between the routers, i can only see the directly connected networks. Did I do something wrong?
It’s seems to me eigrp is not working.
Thanks
June 2nd, 2008 at 4:55 am
[...] labs were built based on BlindHogs’ How to configure a GRE/IPSec VPN – Part 1. Routers Used: [...]
June 2nd, 2008 at 5:06 am
[...] labs were built based on BlindHogs’ How to configure a GRE/IPSec VPN – Part 2 Routers Used: [...]
June 10th, 2008 at 3:22 am
@Gabriel – I had the same issue. I wondered how w/o an IGP of sorts Josh was able to send traffic between R1 & R2 when neither knew of each other because of the ISP router. I had to look closer at the output of ‘sh ip route’ to see that John had set a default route (gateway of last resort). I don’t remember whether that was addressed or not in the ISP Setup Video.
This is where good trouble shooting comes in. Even if you follow someone else’s steps and maybe miss a part of it; that you can think through the layers to figure out what is missing or wrong.
June 17th, 2008 at 8:12 pm
[...] labs were built based on BlindHogs’ How to configure a GRE/IPSec VPN – Part 2 Routers Used: [...]
June 17th, 2008 at 8:13 pm
[...] These labs were built based on BlindHogs’ How to configure a GRE/IPSec VPN – Part 1 [...]
June 27th, 2008 at 6:56 am
[...] Some help I used: How to configure a GRE/IPSec VPN – Part 1 [...]
June 28th, 2008 at 5:49 pm
[...] Some help I used: BlindHog – How to configure a GRE/IPSec VPN – Part 1 [...]
June 28th, 2008 at 5:51 pm
[...] Some help I used: BlindHog – How to configure a GRE/IPSec VPN – Part 1 [...]
August 6th, 2008 at 6:05 pm
[...] How to configure a GRE/IPSec VPN – Part 1 [...]
April 30th, 2009 at 1:31 am
wonderful and marvelous…
its very interesting
September 7th, 2009 at 10:38 am
Hi
Need some help on this tutorial
R2> show ip route
gives a default route to 23.45.67.1 where is this interface connected to
i did not get it
thanks in advance
rbary
September 26th, 2009 at 3:21 am
@bdk @gabriel,
I had same problem, i can’t make telnet to 192.168.1.1 from R2. Even I can ping cross over ISP from R1 to R2 and other way around. But after make GREIP tunnel from R1 and R2 as for 192.168.200.0 the connection not created.
What I missed?
September 26th, 2009 at 3:43 am
hi i need help,
i already follow basic internet 1 & 2.
able to ping cross over routers through ISP.
but however when continue on this tutorial ‘how-to-configure-a-greipsec-vpn-part-1′ i stuck. on the tutorial on ‘Look at the routing’ at ‘D 192.168.1.0/24 [90/297246976] via 192.168.200.1, 00:00:27, Tunnel0′ I don’t have this line. I’m using ISO ‘c3640-jk9o3s-mz.124-16.extracted.bin’
September 5th, 2010 at 9:49 pm
[...] How to configure a GRE/IPSec VPN – Part 1 [...]
November 30th, 2010 at 6:21 am
I want to ask a few questions :
1. When I setting up my VPN with GRE, like yours, (but I’m using a different routing protocol on it), There’s no packets decrypt or encrypt in mine…Why is that? It’s zero…
2. What’s the difference between IPsec using crypto map and tunnel protection…Do u have some kind of reference for me to read about that issues?
Thanks a lot..
December 1st, 2010 at 1:08 pm
Trema,
1. It is hard to tell without more information. There several things that could cause the behavior you are experiencing.
2. Actually, the tunnel protection method is easier and better. I started using it after creating this tutorial. It skips all the access-lists and crypto maps.
crypto isakmp policy 1
authentication pre-share
hash sha
encryption 3des
crypto isakmp key blidngho12 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec profile GRE-VPN
set transform-set 3des-sha
int Tunnel0
ip address 192.168.200.1 255.255.255.252
tunnel source 12.34.56.78
tunnel destination 23.45.67.89
tunnel protection ipsec profile GRE-VPN
December 3rd, 2010 at 6:49 am
Josh,
Thank u very much for the answers…^^
1. I will try to remake it first..
2. Thank u very much for the recommendation, I will try to make it in tunnel protection too..by the way, do u have some kind of reference about tunnel protection and crypto map..
Thanks for ur help…I really appreciate it.^^
December 16th, 2010 at 11:48 pm
I tried to make it, both using tunnel protection n crypto map, but still I can’t see the encrypt an decrypt packet..I wonder why..
Is there an important config that especially affected the result…?
crypto isakmp key blidngho12 address 0.0.0.0 0.0.0.0
I changed it into my destination address of the tunnel…Should I use 0.0.0.0 ? or maybe I didn’t use the wildcard on it?
January 18th, 2011 at 4:49 am
[...] How to configure a GRE/IPSec VPN – Part 1 [...]