Sat 8 Mar 2008
How to configure a GRE/IPSec VPN - Part 2
Posted by Josh under Cisco, Cisco Routers, Dynamips, GNS3

In Part 2 of the GRE/IPSec tutorial series, you will learn how to encrypt the GRE tunnels you built in Part 1. Although I only show you how to create a hub and spoke topology, it is also possible to create a fully meshed topology or even a partial mesh. I highly recommend creating GRE tunnels from the branch to every datacenter in your organization.

This tutorial is part two of a two-part series. If you have not already been through the Internet Lab series, I recommend watching it before starting the GRE/IPSec tutorials - Internet Lab Part 1 and Internet Lab Part 2.
Here are the final router configs for you to download.
r1-gre-vpn.log
r2-gre-vpn.log
r3-gre-vpn.log
isp-cfg.txt

March 9th, 2008 at 10:10 am
Great tutorial!!
Have a few clarifications.
1. Should the tunnel interfaces also have ‘crypto map vpn’ bound to it or does binding ‘crypto map vpn’ to s0/0 sort of supersede it?
2. In ‘crypto map vpn 10 ipsec-isakmp’, vpn has an id 10. But when binding the crypto map to the interface, ‘crypto map vpn’ is used without the id. Not sure how the syntax is not similar to access-list where ‘match address ‘ is used.
3. Is the tunnel mode implicit (mode transport)?
March 9th, 2008 at 2:57 pm
Deepak,
1. There are some versions of IOS that require the crypto map be applied to both the tunnel interfaces as well as the serial interface.
2. I can see how this would be confusing. The reason there are ids is because you can configure several different VPN tunnels on the same crypto map. The IDs are irrelevant when applying the crypto map; the name of the crypto map is referenced.
I think of it like named access-lists. The access-list has a name, but each permit/deny statement also has a sequence id.
For instance on router R1, I configured two crypto maps with the same name. One for R2 (id 10) and one for R3 (id 11). When I applied the crypto map, it enabled both crypto maps for R2 and R3.
I just posted the full configurations. Please take a look at the full config to see if it makes sense.
3. I believe tunnel mode is the default.
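The name/sequence relationship discussed in the reply above, as an added example configuration for hub R1 (written for illustration, not taken from the author's posted configs). Only the map name `vpn`, sequence numbers 10 and 11, and interface s0/0 come from the thread; the addresses (documentation range), ACL numbers, transform-set name and pre-shared key are constructed placeholders.

```cisco
! Added example for hub R1. Addresses, ACL numbers, the transform-set
! name and the key below are constructed placeholders.
!
! IKE phase 1 policy and per-peer pre-shared keys
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 ! assumption: pick the strongest DH group your IOS image supports
 group 14
crypto isakmp key EXAMPLE-PSK-R2 address 192.0.2.2
crypto isakmp key EXAMPLE-PSK-R3 address 192.0.2.3
!
! IPSec transform set. No "mode" line is given, so the IOS default
! (tunnel mode) applies.
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
!
! Interesting traffic: only the GRE packets between tunnel endpoints
access-list 102 permit gre host 192.0.2.1 host 192.0.2.2
access-list 103 permit gre host 192.0.2.1 host 192.0.2.3
!
! One crypto map named "vpn" with two sequence entries.
! Sequence 10 protects the tunnel to R2.
crypto map vpn 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set GRE-TS
 match address 102
! Sequence 11 protects the tunnel to R3.
crypto map vpn 11 ipsec-isakmp
 set peer 192.0.2.3
 set transform-set GRE-TS
 match address 103
!
! The interface references the map by name only, which activates
! every sequence entry (10 and 11) at once.
interface Serial0/0
 crypto map vpn
```

After applying it, `show crypto map` lists both sequence entries under the single map name, and `show crypto ipsec sa` shows one pair of security associations per peer once GRE traffic flows.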
March 9th, 2008 at 4:20 pm
Thanks for the response.
March 9th, 2008 at 4:40 pm
The explanation makes sense.
Your example with the named access list really helped to understand the crypto map binding.
March 12th, 2008 at 7:08 am
Good stuff again, Josh. I was just checking into doing a multipoint GRE over IPSec tunnel for a customer, when, lo and behold, a couple of great tutorials.
Keep it up.
March 30th, 2008 at 12:45 am
Aaron,
When configuring DMVPN you would use crypto profiles, which is like a crypto map but only requires one main attribute: the transform set.
- Joshua Walton
CCIE #19763 - Security
April 4th, 2008 at 2:02 pm
Thanks a lot for the video, extremely helpful. Keep it up.
April 4th, 2008 at 9:52 pm
You are welcome.