GRE Configuration LAB Question
Hi Guys,
I have a question. This is my first time doing this and I need your opinions. After watching Chris and Jeremy's ISCW VPN videos I started doing some labs (studying for the exam) and I came up with this lab. I used SDM and, before applying it to the router, I saved the configuration to look at it and learn the details. OK, the question is:
Based on this scenario, is this configuration correct or do I need to add/change something? In this lab only one policy and pre-shared keys were configured.
Here is the configuration:
R_1
ip access-list extended GRE_TRAFFIC
permit gre host 172.16.30.1 host 172.16.30.2
!
crypto ipsec transform-set AES_SHA_1 esp-sha-hmac esp-aes 128
mode tunnel
exit
!
crypto map GRE_MAP 1 ipsec-isakmp
description Tunnel to 172.16.30.2
set transform-set AES_SHA_1
set peer 172.16.30.2
match address GRE_TRAFFIC
exit
!
interface Serial0/1
crypto map GRE_MAP
exit
!
interface Tunnel0
exit
!
default interface Tunnel0
interface Tunnel0
ip mtu 1420
ip address 10.5.1.1 255.255.255.252
crypto map GRE_MAP
tunnel source Serial0/1
tunnel destination 172.16.30.2
tunnel path-mtu-discovery
no shutdown
exit
!
router eigrp 100
network 10.5.1.0 0.0.0.3
exit
!
crypto isakmp policy 1
authentication pre-share
encr aes 128
hash sha
group 2
lifetime 86400
exit
!
crypto isakmp key ******** address 172.16.30.2
R_2
ip access-list extended GRE_TRAFFIC
permit gre host 172.16.30.2 host 172.16.30.1
!
crypto ipsec transform-set AES_SHA_1 esp-sha-hmac esp-aes 128
mode tunnel
exit
!
crypto map GRE_MAP 1 ipsec-isakmp
description Tunnel to 172.16.30.1
set transform-set AES_SHA_1
set peer 172.16.30.1
match address GRE_TRAFFIC
exit
!
interface Serial0/0
crypto map GRE_MAP
exit
!
interface Tunnel0
exit
!
default interface Tunnel0
interface Tunnel0
ip mtu 1420
ip address 10.5.1.2 255.255.255.252
crypto map GRE_MAP
tunnel source Serial0/0
tunnel destination 172.16.30.1
tunnel path-mtu-discovery
no shutdown
exit
!
router eigrp 100
network 10.5.1.0 0.0.0.3
exit
!
crypto isakmp policy 1
authentication pre-share
encr aes 128
hash sha
group 2
lifetime 86400
exit
!
crypto isakmp key ******** address 172.16.30.1
Thanks Guys in advance.
Comments
-
elegua Member Posts: 282
You can't put it in and test it?
Hi,
Yeah sure, I have two 2650XMs for this lab, but I just wanted to go over the configuration steps first (first time doing this). You are right though, let me apply both configurations and get back here.
Thanks in advance. -
Turgon Banned Posts: 6,308
GRE? Awesome. Watch out for flapping routes. That was stock in trade in the old CCIE written.
-
elegua Member Posts: 282
You can't put it in and test it?
Here is the test using SDM. It looks like the configuration is fine in both routers, wow, first try and bingo (I know this isn't the real deal but a good start). I have to blame Jeremy for this, this guy is a damn good teacher, I love the way he teaches. Now back to the book to do some VPN labs until I get tired of it.
If you guys have something to add i'll appreciate it, more info better results.
Thanks in advance. -
ilcram19-2 Banned Posts: 436
Here is the test using SDM. It looks like the configuration is fine in both routers, wow, first try and bingo (I know this isn't the real deal but a good start). I have to blame Jeremy for this, this guy is a damn good teacher, I love the way he teaches. Now back to the book to do some VPN labs until I get tired of it.
If you guys have something to add i'll appreciate it, more info better results.
Thanks in advance.
Here is another GRE/IPSEC tunnel that has been working a lot nicer for me.
PS: try not to use the SDM, it makes a mess of the configuration.
example phase 1
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key 112812888jJJsad9123^%%s address x.x.x.x
Example phase 2
crypto ipsec transform-set ipsec/gre esp-3des esp-md5-hmac
*****instead of a crypto map you create an ipsec profile*********
crypto ipsec profile ipsec/gre
set transform-set ipsec/gre
Creating the tunnel interface
interface Tunnel99
ip address 10.1.100.1 255.255.255.252
tunnel source LOCALWANIP
tunnel destination REMOTEWANIP
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec/gre
and you are done
Please note that on this you dont have to specify a crypto map with an ACL for the encrypted traffic all the traffic is protected by the IPSEC profile.
Interface: Tunnel99
Session status: UP-ACTIVE
Peer: 38.113.137.146 port 500
IKE SA: local 98.199.2.38/500 remote 38.113.137.146/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0   <---- all traffic encrypted
Active SAs: 2, origin: crypto map -
elegua Member Posts: 282
ilcram19-2 wrote: »
Here is another GRE/IPSEC tunnel that has been working a lot nicer for me.
PS: try not to use the SDM, it makes a mess of the configuration.
example phase 1
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key 112812888jJJsad9123^%%s address x.x.x.x
Example phase 2
crypto ipsec transform-set ipsec/gre esp-3des esp-md5-hmac
*****instead of a crypto map you create an ipsec profile*********
crypto ipsec profile ipsec/gre
set transform-set ipsec/gre
Creating the tunnel interface
interface Tunnel99
ip address 10.1.100.1 255.255.255.252
tunnel source LOCALWANIP
tunnel destination REMOTEWANIP
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec/gre
and you are done
Please note that on this you dont have to specify a crypto map with an ACL for the encrypted traffic all the traffic is protected by the IPSEC profile.
Interface: Tunnel99
Session status: UP-ACTIVE
Peer: 38.113.137.146 port 500
IKE SA: local 98.199.2.38/500 remote 38.113.137.146/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0   <---- all traffic encrypted
Active SAs: 2, origin: crypto map
Hi ilcram19-2,
Thanks for your input, I really appreciate it. Regarding your configuration, e.g. if I have more than one remote office, is the only thing I have to do to create another tunnel interface, or do I need to do something else? Let's say all remote offices are using the same parameters. Also, do I have to include this command under the tunnel interface: tunnel mode ipsec ipv4? I'm asking just out of curiosity. Also, I noticed that you don't have any routing protocol running in this configuration, do I need it?
Yeah, you are right, I noticed that SDM added a few things to the original configuration; I removed another policy that I didn't create. I'll try your configuration in my lab right now and let you know.
Thank you very much. -
elegua Member Posts: 282
See, you didn't even need our help! Glad it's working. What's next?
Hi ColbyNA,
Yeah, thanks for the tip. I was a little excited and the first thing that crossed my mind was to ask, something I learned when I was a little boy: ask first and then do it (mom's voice in my head). Unfortunately it doesn't always happen.
For sure I'll come back with more, my exam is soon.
Thanks. -
ilcram19-2 Banned Posts: 436
Hi ilcram19-2,
Thanks for your input, I really appreciate it. Regarding your configuration, e.g. if I have more than one remote office, is the only thing I have to do to create another tunnel interface, or do I need to do something else? Let's say all remote offices are using the same parameters. Also, do I have to include this command under the tunnel interface: tunnel mode ipsec ipv4? I'm asking just out of curiosity. Also, I noticed that you don't have any routing protocol running in this configuration, do I need it?
Yeah, you are right, I noticed that SDM added a few things to the original configuration; I removed another policy that I didn't create. I'll try your configuration in my lab right now and let you know.
Thank you very much.
You don't need a routing protocol, you can even use static IP routes; I do have OSPF configured, it works either way. Since this is just a point-to-point GRE tunnel you will need an interface for each GRE/IPsec tunnel on each side. Multipoint GRE mode can resolve this: in case having one tunnel interface per peer is a problem, you can set up a multipoint tunnel interface.
This is an example of a DMVPN tunnel interface config on a HUB:
interface Tunnel0
description "DMVPN connection for remoter sites"
bandwidth 1000
ip address 10.0.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip flow ingress
ip nhrp authentication password
ip nhrp map multicast dynamic
ip nhrp network-id 99
ip nhrp holdtime 300
ip nhrp registration no-unique
ip virtual-reassembly
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
delay 1000
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpnippro   <---- notice the ipsec profile is needed here too
Example on a Remote router
interface Tunnel0
description ""
bandwidth 1000
ip address 10.0.0.2 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication password
ip nhrp map 10.0.0.1 HUBIP
ip nhrp map multicast HUBIP
ip nhrp network-id 99
ip nhrp holdtime 300
ip nhrp nhs 10.0.0.1
ip tcp adjust-mss 1360
delay 30
qos pre-classify
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpn
With the help of NHRP (Next Hop Resolution Protocol) hosts can be mapped automatically even if they have dynamic ISP addresses. I'm also using EIGRP on this setup. -
ilcram19-2 Banned Posts: 436
Here is an NHRP table:
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:8,

 # Ent  Peer NBMA Addr  Peer Tunnel Add  State  UpDn Tm  Attrb
     1  64.2x.x.193     10.0.0.2         UP     1d01h    DN
     1  1.11.x.2x6      10.0.0.3         UP     1d01h    D
     1  24.x.87.x       10.0.0.4         UP     1d01h    D
     1  74.11.99.82     10.0.0.5         UP     1d01h    D
     1  6.196.211.57    10.0.0.6         UP     1d01h    D
     1  6.9.152.22      10.0.0.7         UP     1d00h    D
     1  9.14.23.165     10.0.0.8         UP     1d00h    D
     1  6.17.148.88     10.0.0.9         UP     1d00h    D
-
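Where the "ip mtu 1400" and "ip tcp adjust-mss 1360" in the DMVPN config above, and the "ip mtu 1420" in the first post, come from: the script below is an added example for this thread (not from the original posts or from Cisco) that computes the on-the-wire size of a packet after GRE and ESP encapsulation, and the largest inner MTU that never exceeds the physical MTU, for the transform sets used in the thread. Header sizes are from the RFCs named in the code; the IV and ICV lengths are those of the IOS transform names listed. With "tunnel mode ipsec ipv4" the interface is an IPsec VTI, so there is no GRE header and the overhead is smaller; for the DMVPN profile, whose transform-set mode the post does not show, the code uses the IOS default (tunnel mode) and notes that transport mode saves 20 bytes.

```python
"""Tunnel overhead: where 'ip mtu 1400' / 'ip tcp adjust-mss 1360' come from.
Added example for this thread, not from the original posts."""

# Header sizes: IPv4 (RFC 791), GRE (RFC 2784, key field RFC 2890), ESP (RFC 4303).
IPV4_HDR, TCP_HDR = 20, 20
GRE_HDR, GRE_KEY = 4, 4          # 'tunnel key' adds a 4-byte key field
ESP_HDR, ESP_TRAILER = 8, 2      # SPI + sequence number; pad length + next header
# IOS transform name -> (IV length, cipher block size); ESP pads the plaintext to the block.
CIPHERS = {"esp-des": (8, 8), "esp-3des": (8, 8), "esp-aes": (16, 16),
           "esp-aes 192": (16, 16), "esp-aes 256": (16, 16), "esp-null": (0, 4)}
# IOS transform name -> ICV length in bytes (HMAC-MD5-96 / HMAC-SHA1-96 truncate to 96 bits).
AUTHS = {"esp-md5-hmac": 12, "esp-sha-hmac": 12, "esp-sha256-hmac": 16,
         "esp-sha384-hmac": 24, "esp-sha512-hmac": 32}


def encapsulated_len(inner_len, cipher, auth, encap="gre", gre_key=False, ipsec_mode="tunnel"):
    """On-the-wire length of an inner IP packet after encapsulation.
    encap='gre': GRE first, then ESP (crypto map or 'tunnel protection' on a GRE tunnel).
    encap='vti': ESP only ('tunnel mode ipsec ipv4'); a VTI always uses ESP tunnel mode."""
    iv, block = CIPHERS[cipher]
    if encap == "gre":
        plain = inner_len + GRE_HDR + (GRE_KEY if gre_key else 0)
        if ipsec_mode == "tunnel":
            plain += IPV4_HDR   # GRE delivery header is encrypted too, a new outer header is added
    elif encap == "vti":
        plain = inner_len
    else:
        raise ValueError(encap)
    pad = -(plain + ESP_TRAILER) % block   # ESP pads so payload + trailer is a block multiple
    return IPV4_HDR + ESP_HDR + iv + plain + pad + ESP_TRAILER + AUTHS[auth]


def max_inner_mtu(link_mtu, **kw):
    """Largest inner packet that never exceeds link_mtu, even with worst-case padding."""
    for inner in range(link_mtu, 0, -1):
        if encapsulated_len(inner, **kw) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for the encapsulation")


def recommended(link_mtu, **kw):
    """'ip mtu' and 'ip tcp adjust-mss' values for the tunnel interface."""
    mtu = max_inner_mtu(link_mtu, **kw)
    return {"ip mtu": mtu, "ip tcp adjust-mss": mtu - IPV4_HDR - TCP_HDR}


if __name__ == "__main__":
    # First post: GRE + crypto map, esp-aes/esp-sha-hmac, 'ip mtu 1420', 1500-byte link.
    print("1420 via GRE/AES/SHA ->", encapsulated_len(1420, "esp-aes", "esp-sha-hmac"))
    print("GRE AES/SHA      ", recommended(1500, cipher="esp-aes", auth="esp-sha-hmac"))
    # ilcram19-2's transform set: esp-3des/esp-md5-hmac on a GRE tunnel.
    print("GRE 3DES/MD5     ", recommended(1500, cipher="esp-3des", auth="esp-md5-hmac"))
    # DMVPN post: GRE with 'tunnel key'; transform-set mode unknown, IOS default is tunnel mode.
    print("mGRE+key AES/SHA ", recommended(1500, cipher="esp-aes", auth="esp-sha-hmac", gre_key=True))
    print("  same, transport", recommended(1500, cipher="esp-aes", auth="esp-sha-hmac",
                                           gre_key=True, ipsec_mode="transport"))
    # Final lab: 'tunnel mode ipsec ipv4' (VTI) with esp-aes/esp-sha-hmac.
    print("VTI AES/SHA      ", recommended(1500, cipher="esp-aes", auth="esp-sha-hmac", encap="vti"))
```

For GRE over ESP tunnel mode with esp-aes/esp-sha-hmac on a 1500-byte link, a 1420-byte inner packet encapsulates to 1512 bytes in the worst padding case, so it fragments; 1414 is the largest value that never does, which is why 1400 is the usual round-number recommendation. With esp-3des the 1420 from the first post fits (maximum 1422), and on the VTI in the later lab it fits too (maximum 1438). adjust-mss is then ip mtu minus the 40 bytes of IPv4 and TCP headers: 1400 - 40 = 1360, as in the DMVPN config.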
ConstantlyLearning Member Posts: 445
Is GRE used much in the real world?
Just checked the ISCW topics and most of the configs are done through the SDM. Thought they would have gotten test takers to use the command line more.
"There are 3 types of people in this world, those who can count and those who can't" -
ColbyG Member Posts: 1,264
ConstantlyLearning wrote: »
Is GRE used much in the real world?
Just checked the ISCW topics and most of the configs are done through the SDM. Thought they would have gotten test takers to use the command line more.
We use GRE/IPSEC tunnels at my company quite a bit.
ISCW does use SDM a lot, probably because it covers a ton of different things and memorizing it all from the CLI might have been harder. -
elegua Member Posts: 282
ConstantlyLearning wrote: »
Is GRE used much in the real world?
Just checked the ISCW topics and most of the configs are done through the SDM. Thought they would have gotten test takers to use the command line more.
Hi ConstantlyLearning,
As ColbyNA says, ISCW only covers SDM configuration; CLI is for the CCSP track.
-
SysAdmin4066 Member Posts: 443
You'll need to know how to use both SDM and CLI for all of the topics pretty much. SDM makes the firewall stuff very easy in my opinion, but you have to know it without it. ilcram is right about SDM adding stuff to the configuration unnecessarily. For example, it adds the crypto map statement to the tunnel interface, which is not necessary. It adds a default policy as you saw. Anything that is not needed can be a security risk in the real world. Complexity is the enemy of security and more lines of code counts for more complexity. Just my .02, looking good man. Good luck, this was a fun exam, about as hard as I thought it would be and I had a lot of fun (surprise surprise, the security guy liked the security exam the most).
In Progress: CCIE R&S Written Scheduled July 17th (Tentative)
Next Up: CCIE R&S Lab -
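A way to check the two configurations from the first post mechanically, and to catch the kind of leftover SysAdmin4066 describes: the script below is an added example for this thread, not code from the original post, from SDM or from Cisco. It parses R_1 and R_2 as posted (the strings are copied from the first post and trimmed to the crypto-relevant lines; R_2 is generated from R_1 by swapping the two WAN addresses and the serial interface, exactly as the post has it), confirms that the crypto ACLs, peers, transform sets and ISAKMP policies are mirror images, reports the crypto map bound to Tunnel0 as redundant once the same map is on the tunnel source interface, and flags algorithms that are weak today (DES/3DES, MD5, DH groups 1, 2 and 5), so the lab's "group 2" shows up. Unspecified ISAKMP policy parameters are filled with the IOS IKEv1 defaults (DES, SHA-1, RSA signatures, group 1).

```python
"""Cross-check two IOS GRE-over-IPsec configs: mirror-image settings, redundant and weak
statements. Added example for this thread, not from the original post."""
import re
from collections import defaultdict

# Input copied from the first post (R_1), trimmed to the crypto-relevant lines.
R1 = """
ip access-list extended GRE_TRAFFIC
 permit gre host 172.16.30.1 host 172.16.30.2
crypto ipsec transform-set AES_SHA_1 esp-sha-hmac esp-aes 128
crypto map GRE_MAP 1 ipsec-isakmp
 set transform-set AES_SHA_1
 set peer 172.16.30.2
 match address GRE_TRAFFIC
interface Serial0/1
 crypto map GRE_MAP
interface Tunnel0
 crypto map GRE_MAP
 tunnel source Serial0/1
 tunnel destination 172.16.30.2
crypto isakmp policy 1
 authentication pre-share
 encr aes 128
 hash sha
 group 2
"""
# R_2 in the post is R_1 with the two WAN addresses and the serial interface swapped.
R2 = (R1.replace("172.16.30.1", "SWAP").replace("172.16.30.2", "172.16.30.1")
        .replace("SWAP", "172.16.30.2").replace("Serial0/1", "Serial0/0"))

IKE_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
WEAK_IKE = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse(text):
    """Minimal IOS parser for just the statements the audit needs."""
    cfg = {"policy": {}, "tset": {}, "acl": defaultdict(list),
           "cmap": defaultdict(dict), "intf": defaultdict(dict)}
    section = None
    for w in (line.split() for line in text.splitlines()):
        if not w or w[0] == "!":
            continue
        if w[0] in ("exit", "default"):
            section = None
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            section = ("policy", w[3])
            cfg["policy"][w[3]] = dict(IKE_DEFAULTS)  # unspecified parameters take IOS defaults
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tset"][w[3]], section = frozenset(w[4:]), None
        elif w[:3] == ["ip", "access-list", "extended"]:
            section = ("acl", w[3])
        elif w[:2] == ["crypto", "map"] and not (section and section[0] == "intf"):
            section = ("cmap", w[2])
        elif w[0] == "interface":
            section = ("intf", w[1])
        elif section:
            kind, name = section
            if kind == "acl":
                cfg["acl"][name].append(" ".join(w))
            elif kind == "policy":
                cfg["policy"][name][w[0]] = " ".join(w[1:])
            else:  # crypto map / interface body: 'set peer X' -> {'set peer': 'X'}
                n = 2 if w[0] in ("set", "match", "tunnel", "crypto", "ip") else 1
                cfg[kind][name][" ".join(w[:n])] = " ".join(w[n:])
    return cfg


def audit(me, peer, name):
    """Findings for router `me` against `peer`; an empty list means consistent and clean."""
    out = []
    peer_aces = {ace for acl in peer["acl"].values() for ace in acl}
    for mname, m in me["cmap"].items():
        for ace in me["acl"].get(m.get("match address"), []):
            mo = re.match(r"permit (\S+) host (\S+) host (\S+)$", ace)
            if not mo:
                continue
            proto, src, dst = mo.groups()
            if f"permit {proto} host {dst} host {src}" not in peer_aces:
                out.append(f"{name}: crypto ACL '{ace}' has no mirror image on the peer")
            if m.get("set peer") != dst:
                out.append(f"{name}: {mname} peer {m.get('set peer')} != ACL destination {dst}")
        ts = me["tset"].get(m.get("set transform-set"), frozenset())
        if ts not in peer["tset"].values():
            out.append(f"{name}: transform-set {sorted(ts)} is not configured on the peer")
        if ts & WEAK_ESP:
            out.append(f"{name}: weak ESP algorithm {sorted(ts & WEAK_ESP)}")
    for iname, intf in me["intf"].items():
        src = me["intf"].get(intf.get("tunnel source"), {})
        if "crypto map" in intf and intf["crypto map"] == src.get("crypto map"):
            out.append(f"{name}: crypto map on {iname} is redundant, already on {intf['tunnel source']}")
    sig = lambda p: tuple(p[k] for k in ("encr", "hash", "authentication", "group"))
    if not {sig(p) for p in me["policy"].values()} & {sig(p) for p in peer["policy"].values()}:
        out.append(f"{name}: no ISAKMP policy matches the peer")
    for num, p in me["policy"].items():
        for k, bad in WEAK_IKE.items():
            if p[k].split()[0] in bad:
                out.append(f"{name}: isakmp policy {num} uses weak {k} {p[k]}")
    return out


if __name__ == "__main__":
    r1, r2 = parse(R1), parse(R2)
    print("\n".join(audit(r1, r2, "R_1") + audit(r2, r1, "R_2")))
```

Run against the posted configs it reports exactly two things per router: the redundant crypto map on Tunnel0 and the 1024-bit DH group; the mirror-image checks are silent, which is the "configuration is fine" result the SDM test showed. Breaking the peer's ACL (wrong host address) makes the mirror check speak up, which is the usual cause of a crypto map tunnel that builds an IKE SA but never passes traffic.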
ilcram19-2 Banned Posts: 436
ConstantlyLearning wrote: »
Is GRE used much in the real world?
Just checked the ISCW topics and most of the configs are done through the SDM. Thought they would have gotten test takers to use the command line more.
It has more advantages over regular IPsec: you can do routing, QoS, multicast and unicast traffic.
It is like a dedicated point-to-point link but you don't pay the price of a private Frame Relay link, and all the traffic is private and encrypted. I don't really like the SDM because it makes a mess of the config, and the configurations that I need to manage are pretty huge and I like to be able to control that. Maybe for a lab, but not for real life. -
elegua Member Posts: 282
Hi Guys,
Here again (Monday 2:30am, oh god my girl will kill me). Well, after going over the configuration posted by ilcram19-2 a few times, using an IPSEC profile instead of a crypto map/ACL, and reading the Cisco documentation about GRE, I came up with this lab: I configured a Frame Relay cloud with 3 routers, an HQ and 2 Branches (hub and spoke, point-to-point), then I created GRE/IPSEC tunnels running EIGRP. First I configured Frame Relay and then the rest. The result was amazing: after testing with extended ping to simulate traffic (ping ip XX.XX.XX.XX source XX.XX.XX.XX size 1500 repeat 1000, I don't have hosts connected) I got GRE successfully configured. It wasn't easy because this time I didn't use SDM, but after a few tries I got it working.
I'm going to put all the configurations here just in case someone wants to try this; I think for learning purposes it is worth it, you can practice Frame Relay, GRE/IPSEC and EIGRP. Here is the Cisco documentation if you guys want to read more about it.
IPSec Negotiation/IKE Protocols Configuration Examples and TechNotes - Cisco Systems
Well, here is the HQ configuration:
==============================
HQ#sh config
Using 1916 out of 29688 bytes, uncompressed size = 3101 bytes
Uncompressed configuration from 1916 bytes to 3101 bytes
!
! NVRAM config last updated at 02:09:30 EST Mon Jan 11 2010
!
hostname HQ
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key cisco123 address 192.168.1.2
crypto isakmp key cisco123 address 192.168.2.2
!
crypto ipsec transform-set IPSEC_GRE esp-aes esp-sha-hmac
!
crypto ipsec profile TRAFFIC_IPSEC_GRE
 set transform-set IPSEC_GRE
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.0
!
interface Tunnel12
 ip address 10.5.1.1 255.255.255.252
 ip mtu 1420
 tunnel source 192.168.1.1
 tunnel destination 192.168.1.2
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile TRAFFIC_IPSEC_GRE
!
interface Tunnel22
 ip address 10.5.2.1 255.255.255.252
 ip mtu 1420
 tunnel source 192.168.2.1
 tunnel destination 192.168.2.2
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile TRAFFIC_IPSEC_GRE
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.122 point-to-point
 description TO BRANCH-1_DLCI-122
 ip address 192.168.1.1 255.255.255.252
 snmp trap link-status
 frame-relay interface-dlci 122
!
interface Serial0/0.123 point-to-point
 description TO BRANCH-2_DLCI-123
 ip address 192.168.2.1 255.255.255.252
 snmp trap link-status
 frame-relay interface-dlci 123
!
router eigrp 90
 network 10.5.1.0 0.0.0.3
 network 10.5.2.0 0.0.0.3
 network 172.16.0.0 0.0.0.255
 no auto-summary
!
end
HQ#
==============================
BRANCH-1 Configuration:
==============================
BRANCH-1#sh config
Using 1340 out of 29688 bytes, uncompressed size = 2117 bytes
Uncompressed configuration from 1340 bytes to 2117 bytes
!
! NVRAM config last updated at 02:16:21 EST Mon Jan 11 2010
!
hostname BRANCH-1
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key cisco123 address 192.168.1.1
!
crypto ipsec transform-set IPSEC_GRE esp-aes esp-sha-hmac
!
crypto ipsec profile TRAFFIC_IPSEC_GRE
 set transform-set IPSEC_GRE
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
!
interface Loopback2
 ip address 172.16.2.1 255.255.255.0
!
interface Tunnel12
 ip address 10.5.1.2 255.255.255.252
 ip mtu 1420
 tunnel source 192.168.1.2
 tunnel destination 192.168.1.1
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile TRAFFIC_IPSEC_GRE
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.221 point-to-point
 description TO HQ_DLCI-221
 ip address 192.168.1.2 255.255.255.252
 snmp trap link-status
 frame-relay interface-dlci 221
!
router eigrp 90
 network 10.5.1.0 0.0.0.3
 network 172.16.1.0 0.0.0.255
 network 172.16.2.0 0.0.0.255
 no auto-summary
!
end
BRANCH-1#
==============================
BRANCH-2 Configuration:
==============================
BRANCH-2#sh config
Using 1345 out of 29688 bytes, uncompressed size = 2117 bytes
Uncompressed configuration from 1345 bytes to 2117 bytes
!
! NVRAM config last updated at 02:19:21 EST Mon Jan 11 2010
!
hostname BRANCH-2
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key cisco123 address 192.168.2.1
!
crypto ipsec transform-set IPSEC_GRE esp-aes esp-sha-hmac
!
crypto ipsec profile TRAFFIC_IPSEC_GRE
 set transform-set IPSEC_GRE
!
interface Loopback3
 ip address 172.16.3.1 255.255.255.0
!
interface Loopback4
 ip address 172.16.4.1 255.255.255.0
!
interface Tunnel22
 ip address 10.5.2.2 255.255.255.252
 ip mtu 1420
 tunnel source 192.168.2.2
 tunnel destination 192.168.2.1
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile TRAFFIC_IPSEC_GRE
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.321 point-to-point
 description TO HQ_DLCI-321
 ip address 192.168.2.2 255.255.255.252
 snmp trap link-status
 frame-relay interface-dlci 321
!
router eigrp 90
 network 10.5.2.0 0.0.0.3
 network 172.16.3.0 0.0.0.255
 network 172.16.4.0 0.0.0.255
 no auto-summary
!
end
BRANCH-2#
==============================
Here are the show commands on the HQ:

HQ#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.1     192.168.1.2     QM_IDLE           1001    0 ACTIVE
192.168.2.1     192.168.2.2     QM_IDLE           1002    0 ACTIVE

IPv6 Crypto ISAKMP SA

HQ#

HQ#sh crypto ipsec sa

interface: Tunnel12
    Crypto map tag: Tunnel12-head-0, local addr 192.168.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.168.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21299, #pkts encrypt: 21299, #pkts digest: 21299
    #pkts decaps: 21295, #pkts decrypt: 21295, #pkts verify: 21295
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

interface: Tunnel22
    Crypto map tag: Tunnel22-head-0, local addr 192.168.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.168.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21246, #pkts encrypt: 21246, #pkts digest: 21246
    #pkts decaps: 21239, #pkts decrypt: 21239, #pkts verify: 21239
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
OK guys, thank you all for your help. Now I have a better understanding of site-to-site VPN and GRE because I configured and tested it myself, on real gear. I love this stuff, this will keep me busy for a week; I'll try all the possible configurations that I can find. I know this will be far beyond the exam but it will help me in the real world for sure.
PS: DMVPN, you are next.
Thanks again.
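The two show commands in the post above are the right place to confirm that a tunnel is actually carrying traffic in both directions, and that check is easy to automate. The script below is an added example for this thread (not from the original post or from Cisco): it parses "show crypto ipsec sa" output, pulls out each SA's peer, proxy identities and packet counters, and classifies the SA. The 0.0.0.0/0 identities are what a VTI produces because no crypto ACL is involved; "#pkts encaps" climbing while "#pkts decaps" stays at zero means the far side is not sending or we are not decrypting; non-zero send/recv errors usually point at MTU or SA problems. The sample text is the HQ output from the post plus one constructed interface (Tunnel33, peer 192.168.3.2) that shows the failure case.

```python
"""Parse 'show crypto ipsec sa' and say whether each SA is carrying traffic both ways.
Added example for this thread, not from the original post."""
import re

# Constructed sample: the two HQ SAs from the post plus Tunnel33, a made-up failing SA
# (peer 192.168.3.2 never sends us anything and our own sends are erroring).
SAMPLE = """
interface: Tunnel12
    Crypto map tag: Tunnel12-head-0, local addr 192.168.1.1
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.168.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21299, #pkts encrypt: 21299, #pkts digest: 21299
    #pkts decaps: 21295, #pkts decrypt: 21295, #pkts verify: 21295
    #send errors 0, #recv errors 0

interface: Tunnel22
    Crypto map tag: Tunnel22-head-0, local addr 192.168.2.1
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.168.2.2 port 500
    #pkts encaps: 21246, #pkts encrypt: 21246, #pkts digest: 21246
    #pkts decaps: 21239, #pkts decrypt: 21239, #pkts verify: 21239
    #send errors 0, #recv errors 0

interface: Tunnel33
    Crypto map tag: Tunnel33-head-0, local addr 192.168.3.1
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.168.3.2 port 500
    #pkts encaps: 512, #pkts encrypt: 512, #pkts digest: 512
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 7, #recv errors 0
"""

COUNTER = re.compile(r"#(pkts encaps|pkts decaps|pkts encrypt|pkts decrypt|pkts verify|"
                     r"send errors|recv errors):? (\d+)")


def parse_ipsec_sa(text):
    """Return {interface: {'peer', 'local_ident', 'remote_ident', 'counters': {...}}}."""
    sas, cur = {}, None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("interface:"):
            cur = sas.setdefault(s.split(":", 1)[1].strip(), {"counters": {}})
        elif cur is None:
            continue
        elif s.startswith("current_peer"):
            cur["peer"] = s.split()[1]
        elif s.startswith(("local", "remote")) and "ident" in s:
            # the identity is the last parenthesised field: (addr/mask/prot/port)
            cur[s.split()[0] + "_ident"] = s[s.rindex("(") + 1:].rstrip(")")
        else:
            for name, value in COUNTER.findall(s):
                cur["counters"][name] = int(value)
    return sas


def assess(sa, tolerance=0.05):
    """'idle' if nothing has passed, 'one-way' if only one direction carries packets,
    'errors' if send/recv errors are non-zero, 'asymmetric' if the two directions differ
    by more than `tolerance`, else 'ok'."""
    c = sa["counters"]
    enc, dec = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    if enc == dec == 0:
        return "idle"
    if (enc == 0) != (dec == 0):
        return "one-way"
    if c.get("send errors", 0) or c.get("recv errors", 0):
        return "errors"
    if abs(enc - dec) / max(enc, dec) > tolerance:
        return "asymmetric"
    return "ok"


def report(text):
    """{interface: verdict} for a whole 'show crypto ipsec sa' capture."""
    return {intf: assess(sa) for intf, sa in parse_ipsec_sa(text).items()}


if __name__ == "__main__":
    for intf, sa in parse_ipsec_sa(SAMPLE).items():
        print(intf, sa["peer"], sa["remote_ident"], assess(sa))
```

Take two captures a minute apart and feed the difference of the counters to assess() rather than the lifetime totals when a tunnel has been up for days: a fault that started an hour ago is invisible in the cumulative numbers but obvious in the delta.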