gre over vpn question
marcusaureliusbrutus
Member Posts: 73 ■■□□□□□□□□
Hi,
I have gone through several items on the net regarding GRE/EIGRP/VPN. I just wish to verify if this setup will work if I have an ACL with a permit gre any any and link this ACL with a crypto map, say testcrypto, and just apply this crypto map on the WAN interface and not on the tunnel, as specified by the Cisco tech notes.
Thanks.
Comments
ilcram19-2 Banned Posts: 436
marcusaureliusbrutus wrote: »
Hi,
I have gone through several items on the net regarding GRE/EIGRP/VPN. I just wish to verify if this setup will work if I have an ACL with a permit gre any any and link this ACL with a crypto map, say testcrypto, and just apply this crypto map on the WAN interface and not on the tunnel, as specified by the Cisco tech notes.
Thanks.
Yes, it needs to be on the outside interface if you are planning to use routing protocols, because if you apply it on the tunnel, OSPF and EIGRP won't work, and it needs to be GRE from your WAN IP to their WAN IP, not the tunnel IP. I also recommend looking into applying an IPsec profile to the tunnel interface; the config looks something like this:
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key test address 2.2.2.2
crypto ipsec transform-set ipsec/gre esp-3des esp-md5-hmac
crypto ipsec profile ipsec/gre
 set transform-set ipsec/gre
interface Tunnel99
 ip address 10.1.100.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec/gre
Notice that there is no use of a crypto map; the IPsec profile is protecting all the traffic going from the tunnel source to the tunnel destination.
Interface: Tunnel99
Session status: UP-ACTIVE
Peer: 198.199.2.38 port 500
  IKE SA: local 138.113.17.46/500 remote 198.199.2.38/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0   <--- notice the IPsec flow
        Active SAs: 2, origin: crypto map
which on a crypto map applied to the WAN interface will look something like this:
Interface: FastEthernet0/0
Peer: 198.199.2.38 port 500
  IKE SA: local 138.113.17.46/500 remote 198.199.2.38/500 Active
  IPSEC FLOW: permit 47 host 138.113.17.46 host 198.199.2.38   <--- only GRE on the IPsec flow
        Active SAs: 2, origin: crypto map
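The crypto-map approach the original question asks about, as an added example that is not from this thread: a plain GRE tunnel between two routers, with IPsec applied on the physical WAN interface and the crypto ACL matching only GRE (IP protocol 47) between the two WAN addresses rather than "permit gre any any". Addresses, interface names, the EIGRP AS number and the pre-shared key are placeholders, and the cipher choices are mine; the spoke side mirrors this with the addresses swapped.

```cisco
! Hub side. Assumed addresses: our WAN 203.0.113.1, peer WAN 198.51.100.1
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
!
! Transport mode is enough here: GRE already supplies the outer IP header,
! so tunnel mode would only add 20 bytes of overhead per packet
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Crypto ACL: only GRE between the two WAN addresses. Using the tunnel /30
! addresses here would never match, because the outer packet is WAN-to-WAN
ip access-list extended GRE-TO-SPOKE
 permit gre host 203.0.113.1 host 198.51.100.1
!
crypto map TESTCRYPTO 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address GRE-TO-SPOKE
!
! Default tunnel mode is gre ip; no crypto map on the tunnel interface
interface Tunnel0
 ip address 10.1.100.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
!
! The crypto map goes on the physical WAN interface
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.1 255.255.255.0
 crypto map TESTCRYPTO
!
! EIGRP multicast rides inside GRE, so it is encrypted along with everything else
router eigrp 100
 network 10.1.100.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
!
! Expected check: "show crypto session" on the hub should report
!   IPSEC FLOW: permit 47 host 203.0.113.1 host 198.51.100.1
```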
marcusaureliusbrutus Member Posts: 73 ■■□□□□□□□□
Thank you so much ilcram19-2.
I have read about the below and find it very promising.
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec/gre
For redundancy, failover, is the above approach the best?
ilcram19-2 Banned Posts: 436
I would have to check your topology and what you are trying to accomplish. If you have a private link (Frame Relay, point-to-point, etc.) and you are configuring this to go over the internet as a backup link in case your private link goes down, in that case yeah, it is a good solution. You will have to use a routing protocol to get automatic failover to the tunnel and re-route traffic.
marcusaureliusbrutus Member Posts: 73 ■■□□□□□□□□
Thanks again ilcram19-2.
The network I am working with is primarily over the open internet. We basically have two primary ISPs connecting to multiple sites, also with dual ISPs.
kalebksp Member Posts: 1,033 ■■■■■□□□□□
marcusaureliusbrutus wrote: »
Thank you so much ilcram19-2.
I have read about the below and find it very promising.
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec/gre
For redundancy, failover, is the above approach the best?
Just an FYI, that configuration creates an IPsec VTI tunnel, no GRE involved, but it should still do the job.
ilcram19-2 Banned Posts: 436
marcusaureliusbrutus wrote: »
Thanks again ilcram19-2.
The network I am working with is primarily over the open internet. We basically have two primary ISPs connecting to multiple sites, also with dual ISPs.
Oh yeah, you could do that. Just configure it for both of the ISPs, with two tunnels (one per ISP) on the remote router, and you could also load balance between them. It is like having two links to the main office from the remote office: if one doesn't work, the other one will, I hope.