GRE Configuration LAB Question

elegua Member Posts: 282
Hi Guys,

I have a question. This is my first time doing this and I need your opinions. After watching Chris's and Jeremy's ISCW VPN videos, I started doing some labs (studying for the exam) and I came up with this lab. I used SDM, and before applying it to the router I saved the configuration to look at it and learn more in detail. OK, the question is:

Based on this scenario, is this configuration correct or do I need to add/change something? In this lab only one policy and pre-shared keys were configured.

eigrpgre.jpg

Here is the configuration:

R_1
ip access-list extended GRE_TRAFFIC
permit gre host 172.16.30.1 host 172.16.30.2
!
crypto ipsec transform-set AES_SHA_1 esp-sha-hmac esp-aes 128
mode tunnel
exit
!
crypto map GRE_MAP 1 ipsec-isakmp
description Tunnel to 172.16.30.2
set transform-set AES_SHA_1
set peer 172.16.30.2
match address GRE_TRAFFIC
exit
!
interface Serial0/1
crypto map GRE_MAP
exit
!
interface Tunnel0
exit
!
default interface Tunnel0
interface Tunnel0
ip mtu 1420
ip address 10.5.1.1 255.255.255.252
crypto map GRE_MAP
tunnel source Serial0/1
tunnel destination 172.16.30.2
tunnel path-mtu-discovery
no shutdown
exit
!
router eigrp 100
network 10.5.1.0 0.0.0.3
exit
!
crypto isakmp policy 1
authentication pre-share
encr aes 128
hash sha
group 2
lifetime 86400
exit
!
crypto isakmp key ******** address 172.16.30.2

R_2
ip access-list extended GRE_TRAFFIC
permit gre host 172.16.30.2 host 172.16.30.1
!
crypto ipsec transform-set AES_SHA_1 esp-sha-hmac esp-aes 128
mode tunnel
exit
!
crypto map GRE_MAP 1 ipsec-isakmp
description Tunnel to 172.16.30.1
set transform-set AES_SHA_1
set peer 172.16.30.1
match address GRE_TRAFFIC
exit
!
interface Serial0/0
crypto map GRE_MAP
exit
!
interface Tunnel0
exit
!
default interface Tunnel0
interface Tunnel0
ip mtu 1420
ip address 10.5.1.2 255.255.255.252
crypto map GRE_MAP
tunnel source Serial0/0
tunnel destination 172.16.30.1
tunnel path-mtu-discovery
no shutdown
exit
!
router eigrp 100
network 10.5.1.0 0.0.0.3
exit
!
crypto isakmp policy 1
authentication pre-share
encr aes 128
hash sha
group 2
lifetime 86400
exit
!
crypto isakmp key ******** address 172.16.30.1

Thanks guys in advance.
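As an added example (not code from the thread or from Cisco), here is a small Python script that cross-checks the R_1 and R_2 configurations above the way a reviewer would by hand before pushing them: the GRE ACLs must be mirror images, each side's `set peer`, ISAKMP key address and `tunnel destination` must agree and point at the address the other side sends GRE from, and the transform set and ISAKMP policy must match on both ends. R1_CONFIG and R2_CONFIG are trimmed copies of the posted configs with the pre-shared key left masked; the warning about the crypto map bound to Tunnel0 picks up the point SysAdmin4066 makes later in the thread about SDM adding lines that are not needed.

```python
"""Cross-check the two sides of a GRE-over-IPsec (crypto map) tunnel before pushing them.
Added example, not from the thread: R1_CONFIG / R2_CONFIG are trimmed copies of the
posted R_1 / R_2 configs (pre-shared key left masked as in the post)."""

R1_CONFIG = """
ip access-list extended GRE_TRAFFIC
permit gre host 172.16.30.1 host 172.16.30.2
crypto ipsec transform-set AES_SHA_1 esp-sha-hmac esp-aes 128
crypto map GRE_MAP 1 ipsec-isakmp
set peer 172.16.30.2
match address GRE_TRAFFIC
interface Serial0/1
crypto map GRE_MAP
interface Tunnel0
ip address 10.5.1.1 255.255.255.252
crypto map GRE_MAP
tunnel source Serial0/1
tunnel destination 172.16.30.2
crypto isakmp policy 1
authentication pre-share
encr aes 128
hash sha
group 2
lifetime 86400
exit
crypto isakmp key ******** address 172.16.30.2
"""

R2_CONFIG = """
ip access-list extended GRE_TRAFFIC
permit gre host 172.16.30.2 host 172.16.30.1
crypto ipsec transform-set AES_SHA_1 esp-sha-hmac esp-aes 128
crypto map GRE_MAP 1 ipsec-isakmp
set peer 172.16.30.1
match address GRE_TRAFFIC
interface Serial0/0
crypto map GRE_MAP
interface Tunnel0
ip address 10.5.1.2 255.255.255.252
crypto map GRE_MAP
tunnel source Serial0/0
tunnel destination 172.16.30.1
crypto isakmp policy 1
authentication pre-share
encr aes 128
hash sha
group 2
lifetime 86400
exit
crypto isakmp key ******** address 172.16.30.1
"""


def parse(text):
    """Collect the fields the checks need from a flat IOS-style config."""
    cfg = {"acl": [], "policy": {}, "map_on": []}
    section = None                          # interface name, "policy" or None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        words = line.split()
        if line == "exit":
            section = None
        elif words[0] == "interface":
            section = words[1]
        elif line.startswith("crypto isakmp policy"):
            section = "policy"
        elif words[:2] == ["crypto", "map"] and len(words) == 3:   # map bound to an interface
            cfg["map_on"].append(section)
        elif section == "policy":
            cfg["policy"][words[0]] = words[1:]
        elif line.startswith("tunnel destination"):
            cfg["tunnel_dst"] = words[2]
        elif line.startswith("set peer"):
            cfg["peer"] = words[2]
        elif line.startswith("crypto isakmp key"):
            cfg["key_addr"] = words[-1]         # "... address <peer>"
        elif line.startswith("permit gre host"):
            cfg["acl"].append((words[3], words[5]))
        elif line.startswith("crypto ipsec transform-set"):
            cfg["transform"] = tuple(sorted(words[3:]))
    return cfg


def check_pair(name_a, a, name_b, b):
    """Return (errors, warnings) for the two sides of one tunnel."""
    errors, warnings = [], []
    if {(dst, src) for src, dst in a["acl"]} != set(b["acl"]):
        errors.append("GRE ACLs are not mirror images of each other")
    if a["transform"] != b["transform"]:
        errors.append("IPsec transform sets differ")
    if a["policy"] != b["policy"]:
        errors.append("ISAKMP policy attributes differ")
    for name, me, other in ((name_a, a, b), (name_b, b, a)):
        if not (me["peer"] == me["key_addr"] == me["tunnel_dst"]):
            errors.append(f"{name}: set peer, isakmp key address and tunnel destination disagree")
        if me["peer"] not in {src for src, _ in other["acl"]}:
            errors.append(f"{name}: peer {me['peer']} is not the address the other side sends GRE from")
        for iface in me["map_on"]:
            if iface.startswith("Tunnel"):      # SDM adds this; the physical interface alone needs it
                warnings.append(f"{name}: crypto map also bound to {iface}")
    return errors, warnings


def audit():
    """Run the checks on the two configs from the thread."""
    return check_pair("R_1", parse(R1_CONFIG), "R_2", parse(R2_CONFIG))
```

Run `audit()`: the posted pair comes back with no errors and two warnings (the crypto map on each Tunnel0). Change one side's `set peer` or `crypto isakmp key ... address` and the per-side check reports it, which is the kind of asymmetry that otherwise only shows up as an ISAKMP negotiation that never completes.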

Comments

  • ColbyG Member Posts: 1,264
    You can't put it in and test it?
  • elegua Member Posts: 282
    ColbyNA wrote: »
    You can't put it in and test it?

    Hi,

    Yeah, sure. I have two 2650XMs for this lab, but I just wanted to go over the configuration steps first (first time doing this). But you are right, let me apply both configurations and get back here.

    Thanks in advance.
  • Turgon Banned Posts: 6,308
    GRE? Awesome. Watch out for flapping routes. That was stock in trade in the old CCIE written.
  • elegua Member Posts: 282
    ColbyNA wrote: »
    You can't put it in and test it?

    Here is the test using SDM. It looks like the configuration is fine in both routers. Wow, first try and bingo (I know this isn't the real deal but it's a good start). I have to blame Jeremy for this; this guy is a damn good teacher, I love the way he teaches. Now back to the book to start doing some VPN labs until I get tired of it.

    vpntest.jpg

    If you guys have something to add I'll appreciate it; more info, better results.

    Thanks in advance.
  • ilcram19-2 Banned Posts: 436
    elegua wrote: »
    Here is the test using SDM. It looks like the configuration is fine in both routers. Wow, first try and bingo (I know this isn't the real deal but it's a good start). I have to blame Jeremy for this; this guy is a damn good teacher, I love the way he teaches. Now back to the book to start doing some VPN labs until I get tired of it.

    vpntest.jpg

    If you guys have something to add I'll appreciate it; more info, better results.

    Thanks in advance.


    Here is another GRE/IPsec tunnel that has been working a lot nicer for me.
    PS: try not to use the SDM, it makes a mess of the configuration.

    Example phase 1
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800

    crypto isakmp key 112812888jJJsad9123^%%s address x.x.x.x

    Example phase 2
    crypto ipsec transform-set ipsec/gre esp-3des esp-md5-hmac
    *****instead of a crypto map you create an ipsec profile*********
    crypto ipsec profile ipsec/gre
    set transform-set ipsec/gre

    Creating the tunnel interface
    interface Tunnel99
    ip address 10.1.100.1 255.255.255.252
    tunnel source LOCALWANIP
    tunnel destination REMOTEWANIP
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile ipsec/gre

    and you are done.
    Please note that with this you don't have to specify a crypto map with an ACL for the encrypted traffic; all the traffic is protected by the IPsec profile.

    Interface: Tunnel99
    Session status: UP-ACTIVE
    Peer: 38.113.137.146 port 500
    IKE SA: local 98.199.2.38/500 remote 38.113.137.146/500 Active
    IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0   <-- all traffic encrypted
    Active SAs: 2, origin: crypto map
  • ColbyG Member Posts: 1,264
    See, you didn't even need our help! Glad it's working. What's next? :D
  • elegua Member Posts: 282
    ilcram19-2 wrote: »
    Here is another GRE/IPsec tunnel that has been working a lot nicer for me.
    PS: try not to use the SDM, it makes a mess of the configuration.

    Example phase 1
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800

    crypto isakmp key 112812888jJJsad9123^%%s address x.x.x.x

    Example phase 2
    crypto ipsec transform-set ipsec/gre esp-3des esp-md5-hmac
    *****instead of a crypto map you create an ipsec profile*********
    crypto ipsec profile ipsec/gre
    set transform-set ipsec/gre

    Creating the tunnel interface
    interface Tunnel99
    ip address 10.1.100.1 255.255.255.252
    tunnel source LOCALWANIP
    tunnel destination REMOTEWANIP
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile ipsec/gre

    and you are done.
    Please note that with this you don't have to specify a crypto map with an ACL for the encrypted traffic; all the traffic is protected by the IPsec profile.

    Interface: Tunnel99
    Session status: UP-ACTIVE
    Peer: 38.113.137.146 port 500
    IKE SA: local 98.199.2.38/500 remote 38.113.137.146/500 Active
    IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0   <-- all traffic encrypted
    Active SAs: 2, origin: crypto map

    Hi ilcram19-2,

    Thanks for your input, I really appreciate it. Regarding your configuration: e.g. if I have more than one remote office, is the only thing I have to do to create another tunnel interface, or do I need to do something else? Let's say that all remote offices are using the same parameters. Also, do I have to include this command under the tunnel interface: tunnel mode ipsec ipv4? I'm asking just out of curiosity. Also I noticed that you don't have any routing protocol running in this configuration; do I need it?

    Yeah, you are right, I noticed that SDM added a few things to the original configuration; I removed another policy that I didn't create. I'll try your configuration in my lab right now and let you know.

    Thank you very much.
  • elegua Member Posts: 282
    ColbyNA wrote: »
    See, you didn't even need our help! Glad it's working. What's next? :D

    Hi ColbyNA,

    Yeah, thanks for the tip. I was a little excited and the first thing that crossed my mind was to ask; something I learned since I was a little boy: ask first and then do it (mom's voice in my head), unfortunately it doesn't always happen.

    For sure I'll come back with more, my exam is soon.

    Thanks.
  • ilcram19-2 Banned Posts: 436
    elegua wrote: »
    Hi ilcram19-2,

    Thanks for your input, I really appreciate it. Regarding your configuration: e.g. if I have more than one remote office, is the only thing I have to do to create another tunnel interface, or do I need to do something else? Let's say that all remote offices are using the same parameters. Also, do I have to include this command under the tunnel interface: tunnel mode ipsec ipv4? I'm asking just out of curiosity. Also I noticed that you don't have any routing protocol running in this configuration; do I need it?

    Yeah, you are right, I noticed that SDM added a few things to the original configuration; I removed another policy that I didn't create. I'll try your configuration in my lab right now and let you know.

    Thank you very much.

    You don't need a routing protocol; you can even use ip routes. I do have OSPF configured; it works either way. Since this is just a point-to-point GRE tunnel you will need an interface for each GRE/IPsec tunnel on each side. Multipoint GRE mode can resolve this: in case having one interface per tunnel peer is a problem, you can set up a multipoint tunnel interface.


    This is an example of a DMVPN tunnel interface config on a hub:

    interface Tunnel0
    description "DMVPN connection for remoter sites"
    bandwidth 1000
    ip address 10.0.0.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1400
    ip flow ingress
    ip nhrp authentication password
    ip nhrp map multicast dynamic
    ip nhrp network-id 99
    ip nhrp holdtime 300
    ip nhrp registration no-unique
    ip virtual-reassembly
    ip tcp adjust-mss 1360
    no ip split-horizon eigrp 1
    delay 1000
    qos pre-classify
    tunnel source GigabitEthernet0/0
    tunnel mode gre multipoint
    tunnel key 100000
    tunnel protection ipsec profile vpnippro   <-- notice the ipsec profile is needed here too

    Example on a remote router:
    interface Tunnel0
    description ""
    bandwidth 1000
    ip address 10.0.0.2 255.255.255.0
    no ip redirects
    ip mtu 1400
    no ip next-hop-self eigrp 1
    ip nhrp authentication password
    ip nhrp map 10.0.0.1 HUBIP
    ip nhrp map multicast HUBIP
    ip nhrp network-id 99
    ip nhrp holdtime 300
    ip nhrp nhs 10.0.0.1
    ip tcp adjust-mss 1360
    delay 30
    qos pre-classify
    tunnel source FastEthernet4
    tunnel mode gre multipoint
    tunnel key 100000
    tunnel protection ipsec profile vpn


    With the help of NHRP (Next Hop Resolution Protocol) hosts can be mapped automatically even if they have dynamic ISP addresses. I'm also using EIGRP on this setup.
  • ilcram19-2 Banned Posts: 436
    Here is an NHRP table:

    UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Hub, NHRP Peers:8,

     # Ent  Peer NBMA Addr   Peer Tunnel Add  State  UpDn Tm  Attrb
         1  64.2x.x.193      10.0.0.2         UP     1d01h    DN
         1  1.11.x.2x6       10.0.0.3         UP     1d01h    D
         1  24.x.87.x        10.0.0.4         UP     1d01h    D
         1  74.11.99.82      10.0.0.5         UP     1d01h    D
         1  6.196.211.57     10.0.0.6         UP     1d01h    D
         1  6.9.152.22       10.0.0.7         UP     1d00h    D
         1  9.14.23.165      10.0.0.8         UP     1d00h    D
         1  6.17.148.88      10.0.0.9         UP     1d00h    D
  • ColbyG Member Posts: 1,264
    DMVPN might be jumping a little ahead for him, lol.
  • ConstantlyLearning Member Posts: 445
    Is GRE used much in the real world?

    Just checked the ISCW topics and most of the configs are done through the SDM. Thought they would have gotten test takers to use the command line more.
    "There are 3 types of people in this world, those who can count and those who can't"
  • ColbyG Member Posts: 1,264
    ConstantlyLearning wrote: »
    Is GRE used much in the real world?

    Just checked the ISCW topics and most of the configs are done through the SDM. Thought they would have gotten test takers to use the command line more.

    We use GRE/IPSEC tunnels at my company quite a bit.

    ISCW does use SDM a lot, probably because it covers a ton of different things and memorizing it all from the CLI might have been harder.
  • elegua Member Posts: 282
    ConstantlyLearning wrote: »
    Is GRE used much in the real world?

    Just checked the ISCW topics and most of the configs are done through the SDM. Thought they would have gotten test takers to use the command line more.

    Hi ConstantlyLearning,

    As ColbyNA says, ISCW only covers SDM configuration; CLI is for the CCSP track.

  • SysAdmin4066 Member Posts: 443
    You'll need to know how to use both SDM and CLI for pretty much all of the topics. SDM makes the firewall stuff very easy in my opinion, but you have to know it without it. ilcram is right about SDM adding stuff to the configuration unnecessarily. For example, it adds the crypto map statement to the tunnel interface, which is not necessary. It adds a default policy, as you saw. Anything that is not needed can be a security risk in the real world. Complexity is the enemy of security, and more lines of code count for more complexity. Just my .02; looking good, man. Good luck, this was a fun exam, about as hard as I thought it would be, and I had a lot of fun (surprise surprise, the security guy liked the security exam the most).
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab
  • ilcram19-2 Banned Posts: 436
    ConstantlyLearning wrote: »
    Is GRE used much in the real world?

    Just checked the ISCW topics and most of the configs are done through the SDM. Thought they would have gotten test takers to use the command line more.

    It has more advantages over regular IPsec: you can do routing, QoS, multicast and unicast traffic.
    It is like a dedicated point-to-point link, but you don't pay the price of a private Frame Relay link; all the traffic is private and encrypted. I don't really like the SDM because it makes a mess of the config, and the configurations that I need to manage are pretty huge and I like to be able to control that. Maybe for a lab, but not for real life.
  • elegua Member Posts: 282
    Hi Guys,

    Here again (Monday 2:30am, oh god my girl will kill me). Well, after going over the configuration posted by ilcram19-2 a few times, using an IPsec profile instead of a crypto map/ACL, and reading some Cisco documentation about GRE, I came up with this lab. I configured a Frame Relay cloud with 3 routers, an HQ and 2 branches (hub and spoke, point-to-point), then I created GRE/IPsec running EIGRP. First I configured Frame Relay and then the rest. The result was amazing: after testing using extended ping to simulate traffic (ping ip XX.XX.XX.XX source XX.XX.XX.XX size 1500 repeat 1000; I don't have hosts connected) I got GRE successfully configured. It wasn't easy because this time I didn't use SDM, but after a few tries I got it working.

    I'm going to put all the configurations here just in case someone wants to try this; I think for learning purposes it's worth it, you can practice Frame Relay, GRE/IPsec and EIGRP. Here is the Cisco documentation if you guys want to read more about it.

    IPSec Negotiation/IKE Protocols Configuration Examples and TechNotes - Cisco Systems

    Well, here is the HQ configuration:

    ==============================
    HQ#sh config                         
    Using 1916 out of 29688 bytes, uncompressed size = 3101 bytes
    Uncompressed configuration from 1916 bytes to 3101 bytes
    !
    ! NVRAM config last updated at 02:09:30 EST Mon Jan 11 2010
    !
    hostname HQ
    !
    crypto isakmp policy 1
     encr aes
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key cisco123 address 192.168.1.2
    crypto isakmp key cisco123 address 192.168.2.2
    !
    !
    crypto ipsec transform-set IPSEC_GRE esp-aes esp-sha-hmac 
    !
    crypto ipsec profile TRAFFIC_IPSEC_GRE
     set transform-set IPSEC_GRE 
    !
    !
    interface Loopback0
     ip address 172.16.0.1 255.255.255.0
    !
    interface Tunnel12
     ip address 10.5.1.1 255.255.255.252
     ip mtu 1420
     tunnel source 192.168.1.1
     tunnel destination 192.168.1.2
     tunnel mode ipsec ipv4
     tunnel path-mtu-discovery
     tunnel protection ipsec profile TRAFFIC_IPSEC_GRE
    !
    interface Tunnel22
     ip address 10.5.2.1 255.255.255.252
     ip mtu 1420
     tunnel source 192.168.2.1
     tunnel destination 192.168.2.2
     tunnel mode ipsec ipv4
     tunnel path-mtu-discovery
     tunnel protection ipsec profile TRAFFIC_IPSEC_GRE
    !
    !
    interface Serial0/0
     no ip address
     encapsulation frame-relay
    !
    interface Serial0/0.122 point-to-point
     description TO BRANCH-1_DLCI-122
     ip address 192.168.1.1 255.255.255.252
     snmp trap link-status
     frame-relay interface-dlci 122   
    !
    interface Serial0/0.123 point-to-point
     description TO BRANCH-2_DLCI-123
     ip address 192.168.2.1 255.255.255.252
     snmp trap link-status
     frame-relay interface-dlci 123   
    !
    !
    router eigrp 90
     network 10.5.1.0 0.0.0.3
     network 10.5.2.0 0.0.0.3
     network 172.16.0.0 0.0.0.255
     no auto-summary
    !
    end
    
    HQ#
    
    ==============================

    BRANCH-1 Configuration:

    ==============================
    BRANCH-1#sh config
    Using 1340 out of 29688 bytes, uncompressed size = 2117 bytes
    Uncompressed configuration from 1340 bytes to 2117 bytes
    !
    ! NVRAM config last updated at 02:16:21 EST Mon Jan 11 2010 
    !
    hostname BRANCH-1
    !
    !
    crypto isakmp policy 1
     encr aes
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key cisco123 address 192.168.1.1
    !
    !
    crypto ipsec transform-set IPSEC_GRE esp-aes esp-sha-hmac 
    !
    !
    crypto ipsec profile TRAFFIC_IPSEC_GRE
     set transform-set IPSEC_GRE 
    !
    !
    interface Loopback1
     ip address 172.16.1.1 255.255.255.0
    !
    interface Loopback2
     ip address 172.16.2.1 255.255.255.0
    !
    !
    interface Tunnel12
     ip address 10.5.1.2 255.255.255.252
     ip mtu 1420
     tunnel source 192.168.1.2
     tunnel destination 192.168.1.1
     tunnel mode ipsec ipv4
     tunnel path-mtu-discovery
     tunnel protection ipsec profile TRAFFIC_IPSEC_GRE
    !
    !
    interface Serial0/0
     no ip address
     encapsulation frame-relay
    !
    interface Serial0/0.221 point-to-point
     description TO HQ_DLCI-221
     ip address 192.168.1.2 255.255.255.252
     snmp trap link-status
     frame-relay interface-dlci 221   
    !         
    router eigrp 90
     network 10.5.1.0 0.0.0.3
     network 172.16.1.0 0.0.0.255
     network 172.16.2.0 0.0.0.255
     no auto-summary
    !
    !
    end
    
    BRANCH-1#
    
    ==============================

    BRANCH-2 Configuration:

    ==============================
    BRANCH-2#sh config
    Using 1345 out of 29688 bytes, uncompressed size = 2117 bytes
    Uncompressed configuration from 1345 bytes to 2117 bytes
    !
    ! NVRAM config last updated at 02:19:21 EST Mon Jan 11 2010
    !
    hostname BRANCH-2
    !
    !
    crypto isakmp policy 1
     encr aes
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key cisco123 address 192.168.2.1
    !
    !
    crypto ipsec transform-set IPSEC_GRE esp-aes esp-sha-hmac 
    !
    crypto ipsec profile TRAFFIC_IPSEC_GRE
     set transform-set IPSEC_GRE
    !
    interface Loopback3
     ip address 172.16.3.1 255.255.255.0
    !
    interface Loopback4
     ip address 172.16.4.1 255.255.255.0
    !
    interface Tunnel22
     ip address 10.5.2.2 255.255.255.252
     ip mtu 1420
     tunnel source 192.168.2.2
     tunnel destination 192.168.2.1
     tunnel mode ipsec ipv4
     tunnel path-mtu-discovery
     tunnel protection ipsec profile TRAFFIC_IPSEC_GRE
    !
    !
    interface Serial0/0
     no ip address
     encapsulation frame-relay
    !
    interface Serial0/0.321 point-to-point
     description TO HQ_DLCI-321
     ip address 192.168.2.2 255.255.255.252
     snmp trap link-status
     frame-relay interface-dlci 321   
    !         
    router eigrp 90
     network 10.5.2.0 0.0.0.3
     network 172.16.3.0 0.0.0.255
     network 172.16.4.0 0.0.0.255
     no auto-summary
    !
    !
    end
    
    BRANCH-2#
    
    ==============================

    Here are the show commands on the HQ:
    HQ:
    
    HQ#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    192.168.1.1     192.168.1.2     QM_IDLE           1001    0 ACTIVE
    192.168.2.1     192.168.2.2     QM_IDLE           1002    0 ACTIVE
    
    IPv6 Crypto ISAKMP SA
    
    HQ#
    
    HQ#sh crypto ipsec sa 
    
    interface: Tunnel12
        Crypto map tag: Tunnel12-head-0, local addr 192.168.1.1
    
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       current_peer 192.168.1.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 21299, #pkts encrypt: 21299, #pkts digest: 21299
        #pkts decaps: 21295, #pkts decrypt: 21295, #pkts verify: 21295
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
    
    interface: Tunnel22
        Crypto map tag: Tunnel22-head-0, local addr 192.168.2.1
    
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       current_peer 192.168.2.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 21246, #pkts encrypt: 21246, #pkts digest: 21246
        #pkts decaps: 21239, #pkts decrypt: 21239, #pkts verify: 21239
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
    
    OK guys, thank you all for your help. Now I have a better understanding of site-to-site VPN and GRE because I configured and tested it by myself; I got it done on the real gear. I love this stuff; this will keep me busy for a week, I'll try all possible configurations that I can find. I know this will be far beyond the exam but it will help me in the real world for sure.

    PS: DMVPN, you are next.

    Thanks again.
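As an added example (not from the thread or from Cisco), the script below parses the `show crypto ipsec sa` output posted above and reports, per tunnel, what the SA actually protects and whether its counters look healthy. Proxy identities of 0.0.0.0/0.0.0.0 on both sides mean the IPsec profile protects everything routed into the tunnel, whereas a crypto map only protects what its ACL matches; CRYPTO_MAP_SAMPLE is a constructed sample showing that second case with GRE (protocol 47) between the two WAN addresses from the first post, on an SA with errors and a lopsided encaps/decaps pair. The 90% encaps/decaps threshold in `assess()` is an assumption, not a Cisco figure.

```python
"""Report, per tunnel, what a `show crypto ipsec sa` entry protects and whether its counters
look healthy.  Added example, not from the thread: SHOW_OUTPUT is a trimmed copy of the HQ
output posted above; CRYPTO_MAP_SAMPLE and the one-way threshold in assess() are constructed."""
import re

SHOW_OUTPUT = """
interface: Tunnel12
    Crypto map tag: Tunnel12-head-0, local addr 192.168.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.168.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21299, #pkts encrypt: 21299, #pkts digest: 21299
    #pkts decaps: 21295, #pkts decrypt: 21295, #pkts verify: 21295
    #send errors 0, #recv errors 0

interface: Tunnel22
    Crypto map tag: Tunnel22-head-0, local addr 192.168.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.168.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21246, #pkts encrypt: 21246, #pkts digest: 21246
    #pkts decaps: 21239, #pkts decrypt: 21239, #pkts verify: 21239
    #send errors 0, #recv errors 0
"""

# Constructed, not from the thread: the same output for a crypto map whose ACL only matches
# GRE (protocol 47) between the two WAN addresses of the first post, on an SA whose return
# path is struggling.
CRYPTO_MAP_SAMPLE = """
interface: Serial0/1
    Crypto map tag: GRE_MAP, local addr 172.16.30.1

   local  ident (addr/mask/prot/port): (172.16.30.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.30.2/255.255.255.255/47/0)
   current_peer 172.16.30.2 port 500
    #pkts encaps: 1000, #pkts encrypt: 1000, #pkts digest: 1000
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #send errors 3, #recv errors 0
"""

ANY = "0.0.0.0/0.0.0.0"     # proxy identity that matches every address
IDENT = r"ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/(\d+)/(\d+)\)"


def parse_sa(text):
    """Split the output into one record per interface and pull out the fields we assess."""
    records = []
    for chunk in re.split(r"^interface: ", text, flags=re.M)[1:]:
        def grab(pattern, cast=str):
            m = re.search(pattern, chunk)
            return cast(m.group(1)) if m else None
        local = re.search(r"local\s+" + IDENT, chunk)
        remote = re.search(r"remote\s+" + IDENT, chunk)
        records.append({
            "interface": chunk.split("\n", 1)[0].strip(),
            "local_addr": grab(r"local addr (\S+)"),
            "peer": grab(r"current_peer (\S+)"),
            "local_ident": local.group(1),
            "remote_ident": remote.group(1),
            "proto": int(local.group(2)),          # 0 = any, 47 = GRE
            "encaps": grab(r"#pkts encaps: (\d+)", int),
            "decaps": grab(r"#pkts decaps: (\d+)", int),
            "send_errors": grab(r"#send errors (\d+)", int),
            "recv_errors": grab(r"#recv errors (\d+)", int),
        })
    return records


def assess(rec, one_way_ratio=0.9):
    """Classify the SA's traffic selector and flag error counters or a lopsided encaps/decaps pair."""
    if rec["local_ident"] == ANY and rec["remote_ident"] == ANY:
        rec["selector"] = "all traffic routed into the tunnel (ipsec profile / VTI)"
    else:
        rec["selector"] = (f"ACL-selected: {rec['local_ident']} -> {rec['remote_ident']}"
                           f" protocol {rec['proto']}")
    findings = []
    if rec["send_errors"] or rec["recv_errors"]:
        findings.append("send/recv errors on the SA")
    if rec["encaps"] and rec["decaps"] < one_way_ratio * rec["encaps"]:
        findings.append("decaps well below encaps: return traffic may not be using the tunnel")
    rec["findings"] = findings
    return rec


def analyse(text=SHOW_OUTPUT):
    """Parse and assess every SA in the output; an empty 'findings' list means healthy."""
    return [assess(rec) for rec in parse_sa(text)]
```

`analyse()` on the posted output returns two healthy records whose selector is "all traffic"; on the constructed crypto-map sample it returns an ACL-selected record (protocol 47) with two findings. Reading the proxy identities this way is the quickest check that the profile really covers everything the tunnel carries, rather than just the GRE packets an ACL happens to match.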