GRE IPSec VPN - ACL question

Wow... so many acronyms in that title...

Anyway, been going over GRP IPSec VPN configs for some fun and have a few questions.

I have this config;

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 192.168.128.9 no-xauth
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
 mode transport
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.128.9
 set transform-set VPN
 match address VPN_TRAFFIC
!
interface Tunnel0
 ip address 203.1.1.1 255.255.255.0
 tunnel source 10.2.2.1
 tunnel destination 192.168.128.9
 crypto map VPN
!
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.200.0 0.0.0.255 192.168.240.0 0.0.0.255
 deny   ip any any

I have a similar confg on the other end of the VPN and everything works fine. But my questions are;
1) - Where is the reccomended place to put the crypto map statement? Tunnel interface or physical interface?
2) - for the ACL, i seem to remember needed to permit gre in the ACL. So something like
permit gre 192.168.200.0 0.0.0.255 192.168.240.0 0.0.0.255.
But my VPN works with the ACL i have defined... So when do you need to define gre in the ACL?

Cheers.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

jason_lunde

1) I have always put the crypto map statement on the physical interface...thats what the ISCW port. shows as well; but it does say in some older ios's you will need to apply it to both

2)Ya normally not to open the acl up that wide open, you can just go host to host with gre...something like:
access-list 101 permit gre host <ip> host <ip>

That way not to much is permitted in the acl.Hope this helps man!

chrisone

Jason is correct, you do not want to apply a whole /24 in your ACL when your creating a GRE "OVER" IPSEC.

I believe what you did by configuring the cryptomap on the GRE was IPSEC "OVER" GRE, which is complete reverse of a gre/ipsec.

for example ipsec/GRE (X)

GRETunnel

(X)GRE/IPSEC

Remember GRE acts like a connected interface between two routers like if it were connected with crossover ethernet cable. You can create a GRE tunnel without IPSEC and it will act like a cable was connecting the two routers. Well in Lab theory it is, but over ISPs and using public IPs / loopbacks, you cant connect two routers using a cable now could we lol so thats where GRE falls into place and will act like a connected "unprotected" interface between the two. So you want to create an IPSEC tunnel first , then have GRE flow within the IPSEC. Thats why on your ACL for the IPSEC you allow GRE hosts to flow through it and apply this to the interface for the IPSEC and not on the GRE Tunnel interface. I hope this clear things up.

GRE/IPSEC (X)

IPSEC

(X)IPSEC/GRE is an example of GRE within IPSEC

SysAdmin4066

The biggest reason for the GRE portion of this config is to run dynamic routing protocols. The tunnel interface allows for peering, which is required for most dynamic routing protocols. The GRE tunnel is created first, then ipsec is used to encrypt the content of the tunnel.

The ACL can be much narrower in a secure GRE tunnel, because you again have two peering interfaces. So you can use "gre" and "host" statements, as opposed to "network" statements. It will work with "ip" and "network" statement, but it's just more secure to use the first option. Thats why your config works. Best practice is to set interesting traffic as the GRE tunnel interfaces with GRE being the protocol.

APA

if you applied the crypto map to the physical exit interface then you would need to use permit gre host x.x.x.x host x.x.x.x

As the traffic would have passed through the Tunnel interface and been encrypted as GRE traffic. So therefore the interesting traffic for the physical interface to match on would need to be the traffic between the GRE endpoints.

The ACL works for your Tunnel interface because the interesting traffic hasn't been encrypted as GRE yet... it would be encrypted then encapsulated as GRE then passed along...

rakem

Ok so i have been playing around a bit more and now i have this config;

crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
crypto isakmp key luca address 10.1.1.2
!
!
crypto ipsec transform-set LUCA esp-3des esp-sha-hmac
 mode transport
!
crypto map LUCA 20 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set LUCA
 match address VPN_TRAFFIC
!
interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 tunnel source 192.168.90.2
 tunnel destination 10.1.1.2
!
interface FastEthernet0/0
 ip address 192.168.90.2 255.255.255.0
 speed 100
 full-duplex
 crypto map LUCA
!
router eigrp 1
 network 3.3.3.0 0.0.0.255
 network 4.4.4.0 0.0.0.255
 network 100.100.100.0 0.0.0.255
 network 172.16.1.0 0.0.0.255
 network 192.168.90.0
 no auto-summary
!
ip route 10.1.1.0 255.255.255.0 FastEthernet0/0

I was getting the following error for a bit;
"%TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing"
Which after some research was fixed but adding in the above static route. Got that info from The "%TUN-5-RECURDOWN" Error Message and Flapping EIGRP/OSPF/BGP Neighbors Over a GRE Tunnel - Cisco Systems

So anyway from what i can see eigrp packets are being sent over the tunnel, but nothing is being encrypted... there is no IPSec tunnel.

interface: FastEthernet0/0
    Crypto map tag: LUCA, local addr 192.168.90.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.1.2/255.255.255.255/47/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.90.2, remote crypto endpt.: 10.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)
!
!
R6#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

R6#
!

R6#sh int tun1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 172.16.1.1/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 192.168.90.2, destination 10.1.1.2
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 00:00:01, output 00:00:02, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 9
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     265 packets input, 22976 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     332 packets output, 29048 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
R6#

APA

1) ISAKMP SA association has failed... ensure isakmp key's match between peers.

2) Ensure VPN-TRAFFIC ACL has 'permit gre host x.x.x.x host x.x.x.x' this will ensure that all GRE traffic between the two routers will be encrypted.

3) For the traffic to be encrypted ensure routes are pointing towards\or learnt via the GRE tunnel interfaces... this will ensure the traffic will be encapsulated as GRE and therefore match the CRYPTO map interesting traffic when exiting the physical interface.

Here is a working config that I just threw together.. to enforce the concept of using the CRYPTO MAP on the physical interface so your Crypto ACL only has to have the host to host GRE ACL entry.

Host A

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ipsectest address 10.8.8.0 255.255.255.254
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set 3DES-SHA ah-sha-hmac esp-3des
!
crypto map LAB-TEST 10 ipsec-isakmp
 set peer 10.8.8.0
 set transform-set 3DES-SHA
 set pfs group2
 match address 100
!
!
interface Loopback0
 ip address 192.168.20.254 255.255.255.255
!
interface Loopback1
 ip address 172.16.10.1 255.255.255.255
!
interface Tunnel1
 bandwidth 100000
 ip address 172.16.20.1 255.255.255.254
 tunnel source Loopback1
 tunnel destination 172.16.10.0
!
interface FastEthernet0/0
 bandwidth 100000
 ip address 10.8.8.1 255.255.255.254
 duplex auto
 speed auto
 crypto map LAB-TEST
!
router eigrp 1
 passive-interface default
 no passive-interface Tunnel1
 network 10.8.8.0 0.0.0.1
 network 172.16.10.0 0.0.0.1
 network 192.168.20.254 0.0.0.0
 no auto-summary
!
no ip http server
no ip http secure-server
ip classless
ip route 172.16.10.0 255.255.255.255 10.8.8.0
!
!
access-list 100 permit gre host 172.16.10.1 host 172.16.10.0
!
APALAB2620_B#sh crypto isakmp sa
dst             src             state          conn-id slot
10.8.8.1        10.8.8.0        QM_IDLE              8    0

APALAB2620_B#sh cry
APALAB2620_B#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: LAB-TEST, local addr. 10.8.8.1

   protected vrf:
   local  ident (addr/mask/prot/port): (172.16.10.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.255/47/0)
   current_peer: 10.8.8.0:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13729, #pkts encrypt: 13729, #pkts digest 13729
    #pkts decaps: 13728, #pkts decrypt: 13728, #pkts verify 13728
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: 10.8.8.1, remote crypto endpt.: 10.8.8.0
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: D68D9FC5

     inbound esp sas:
      spi: 0x9FF974F5(2683925749)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2002, flow_id: 1, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4409561/83343)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:
      spi: 0xCA3EE2D(212069933)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4409561/83341)
        replay detection support: Y

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD68D9FC5(3599605701)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2003, flow_id: 2, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4409560/83341)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:
      spi: 0x712D3754(1898788692)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4409560/83339)
        replay detection support: Y

     outbound pcp sas:
APALAB2620_B#
!
APALAB2620_B#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.10.0/32 is subnetted, 1 subnets
D       192.168.10.254 [90/12953600] via 172.16.20.0, 00:36:47, Tunnel1
     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.16.20.0/31 is directly connected, Tunnel1
S       172.16.10.0/32 [1/0] via 10.8.8.0
C       172.16.10.1/32 is directly connected, Loopback1
     192.168.20.0/32 is subnetted, 1 subnets
C       192.168.20.254 is directly connected, Loopback0
     10.0.0.0/31 is subnetted, 1 subnets
C       10.8.8.0 is directly connected, FastEthernet0/0
APALAB2620_B#

HOST B

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ipsectest address 10.8.8.1 255.255.255.254
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set 3DES-SHA ah-sha-hmac esp-3des
!
crypto map LAB-TEST 10 ipsec-isakmp
 set peer 10.8.8.1
 set transform-set 3DES-SHA
 set pfs group2
 match address 100
!
interface Loopback0
 ip address 192.168.10.254 255.255.255.255
!
interface Loopback1
 ip address 172.16.10.0 255.255.255.255
!
interface Tunnel1
 bandwidth 100000
 ip address 172.16.20.0 255.255.255.254
 tunnel source Loopback1
 tunnel destination 172.16.10.1
!
interface FastEthernet0/0
 bandwidth 100000
 ip address 10.8.8.0 255.255.255.254
 duplex auto
 speed auto
 crypto map LAB-TEST
!
router eigrp 1
 passive-interface default
 no passive-interface Tunnel1
 network 10.8.8.0 0.0.0.1
 network 172.16.10.0 0.0.0.1
 network 192.168.10.254 0.0.0.0
 no auto-summary
!
ip route 172.16.10.1 255.255.255.255 10.8.8.1
!
access-list 100 permit gre host 172.16.10.0 host 172.16.10.1
!
APA-LAB2620_RT01#sh crypto isakmp sa
dst             src             state          conn-id slot
10.8.8.1        10.8.8.0        QM_IDLE              8    0

APA-LAB2620_RT01#sh cry
APA-LAB2620_RT01#sh crypto ipse
APA-LAB2620_RT01#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: LAB-TEST, local addr. 10.8.8.0

   protected vrf:
   local  ident (addr/mask/prot/port): (172.16.10.0/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.10.1/255.255.255.255/47/0)
   current_peer: 10.8.8.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13774, #pkts encrypt: 13774, #pkts digest 13774
    #pkts decaps: 13775, #pkts decrypt: 13775, #pkts verify 13775
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 9, #recv errors 0

     local crypto endpt.: 10.8.8.0, remote crypto endpt.: 10.8.8.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 9FF974F5

     inbound esp sas:
      spi: 0xD68D9FC5(3599605701)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2002, flow_id: 1, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4389663/83131)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:
      spi: 0x712D3754(1898788692)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4389663/83130)
        replay detection support: Y

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9FF974F5(2683925749)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2003, flow_id: 2, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4389663/83130)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:
      spi: 0xCA3EE2D(212069933)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4389663/83129)
        replay detection support: Y

     outbound pcp sas:
APA-LAB2620_RT01#

Here is where I clear the SA counters... then show that the route to the host is via the GRE tunnel, which leads into the ICMP test and then viewing of the SA counters.

APA-LAB2620_RT01#clear crypto sa counters
APA-LAB2620_RT01#sh ip route 192.168.20.254
Routing entry for 192.168.20.254/32
  Known via "eigrp 1", distance 90, metric 12953600, type internal
  Redistributing via eigrp 1
  Last update from 172.16.20.1 on Tunnel1, 00:40:55 ago
  Routing Descriptor Blocks:
  * 172.16.20.1, from 172.16.20.1, 00:40:55 ago, via Tunnel1
      Route metric is 12953600, traffic share count is 1
      Total delay is 505000 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1476 bytes
      Loading 1/255, Hops 1

APA-LAB2620_RT01#ping 192.168.20.254 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.20.254, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 12/12/16 ms
APA-LAB2620_RT01#sh cry
APA-LAB2620_RT01#sh crypto ipse
APA-LAB2620_RT01#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: LAB-TEST, local addr. 10.8.8.0

   protected vrf:
   local  ident (addr/mask/prot/port): (172.16.10.0/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.10.1/255.255.255.255/47/0)
   current_peer: 10.8.8.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 107, #pkts encrypt: 107, #pkts digest 107
    #pkts decaps: 107, #pkts decrypt: 107, #pkts verify 107
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.8.8.0, remote crypto endpt.: 10.8.8.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 9FF974F5

     inbound esp sas:
      spi: 0xD68D9FC5(3599605701)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2002, flow_id: 1, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4389642/83049)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:
      spi: 0x712D3754(1898788692)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4389642/83047)
        replay detection support: Y

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9FF974F5(2683925749)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2003, flow_id: 2, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4389642/83047)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:
      spi: 0xCA3EE2D(212069933)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4389642/83046)
        replay detection support: Y

     outbound pcp sas:
APA-LAB2620_RT01#

Hope this helps

jason_lunde

so what does your topology and IP scheme look like here? Just wondering.

rakem

Ok so finally got it working, but something strange i noticed, is the following;

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        192.168.90.2    QM_IDLE           1003    0 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.2        YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Loopback200                192.168.200.1   YES NVRAM  up                    up
Tunnel0                    172.18.1.2      YES manual up                    up
R1#
!
!
!
R6#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        192.168.90.2    QM_IDLE           1003    0 ACTIVE

IPv6 Crypto ISAKMP SA

R6#
R6#
R6#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.90.2    YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Loopback1                  1.1.1.1         YES NVRAM  up                    up
Loopback2                  2.2.2.2         YES NVRAM  up                    up
Loopback100                100.100.100.1   YES NVRAM  up                    up
Tunnel0                    172.18.1.1      YES manual up                    up
R6#

Both routers are showing the same source IP..... wtf is with that?

R6 Config;

crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
crypto isakmp key luca address 10.1.1.2
!
!
crypto ipsec transform-set LUCA esp-3des esp-sha-hmac
 mode transport
!
crypto map LUCA 20 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set LUCA
 match address VPN_TRAFFIC
!
!
interface Tunnel0
 ip address 172.18.1.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 10.1.1.2
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback2
 ip address 2.2.2.2 255.255.255.0
!
interface Loopback100
 ip address 100.100.100.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.90.2 255.255.255.0
 speed 100
 full-duplex
 crypto map LUCA
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 1.1.1.1 0.0.0.0
 network 2.2.2.2 0.0.0.0
 network 100.100.100.0 0.0.0.255
 network 172.18.1.0 0.0.0.255
 network 192.168.90.0
 no auto-summary
!
ip route 10.1.1.0 255.255.255.0 FastEthernet0/0
!
ip access-list extended VPN_TRAFFIC
 permit gre host 192.168.90.2 host 10.1.1.2

R1 Config

crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
crypto isakmp key luca address 192.168.90.2
!
!
crypto ipsec transform-set LUCA esp-3des esp-sha-hmac
 mode transport
!
crypto map LUCA 20 ipsec-isakmp
 set peer 192.168.90.2
 set transform-set LUCA
 match address VPN_TRAFFIC
!
!
interface Tunnel0
 ip address 172.18.1.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.90.2
!
interface Loopback200
 ip address 192.168.200.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map LUCA
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 10.1.1.0 0.0.0.255
 network 172.18.1.0 0.0.0.255
 network 192.168.200.0
 no auto-summary
!
ip route 192.168.90.0 255.255.255.0 FastEthernet0/0
!
ip access-list standard subnets
 permit 10.60.0.0
 permit 10.50.0.0
!
ip access-list extended VPN_TRAFFIC
 permit gre host 10.1.1.2 host 192.168.90.2

APA

yeah confusing at first.... but remember the ISAKMP SA is bi-directional....

Hence we are seeing the one SA agreed upon, with the router that initiated the ISAKMP IKE process being identified by the SRC host field.

ISAKMP SA = Bidirectional

IPSEC SA = Uni-directional (Always a pair of SA's between VPN endpoints for each network that is to be protected)

SysAdmin4066

And lets be careful with encryption versus encapsulation. GRE is encapsulation only, there is no encryption without IPSec.

ilcram19-2

i see what you are trying to do, but the only traffic what will be encrypted will be only the one specify by the ACL going over the tunnel and you dont need the deny on the ACL, but the gre tunnel still unprotected by ipsec so please do the following. you will need to create and ipsec profile to protect the tunnel with it so it will look something like this:

phase 1

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto isakmp key xxxxxxxxxxxxxx address x.x.x.x

Phase 2

crypto ipsec transform-set ipsec/gre esp-3des esp-md5-hmac
!
crypto ipsec profile ipsec/gre<----profile to protect tunnel interface with
set transform-set ipsec/gre

tunnel configuration

interface Tunnel99
ip address 10.1.100.2 255.255.255.252
tunnel source

local public ip or wan interface
tunnel destination --destination IP
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec/gre

do that both sides

Interface: Tunnel99
Session status: UP-ACTIVE
Peer: x.x.x.x port 500
IKE SA: local x.x.x.x/500 remote x.x.x.x/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0<---all encrypted in the gre tunnel
Active SAs: 2, origin: crypto map

Tunnel99 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.1.100.2/30
MTU 1514 bytes, BW 100000 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source x.x.x.x, destination x.x.x.x
Tunnel protocol/transport IPSEC/IP <----
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "ipsec/gre")
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 159
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 449000 bits/sec, 29 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
990804 packets input, 321487722 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1393462 packets output, 501258273 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out

that would work best that adding a crypto map to the tunnel interface