gre over vpn question

marcusaureliusbrutus Member Posts: 73
Hi,

I have gone through several items on the net regarding GRE/EIGRP/VPN. I just wish to verify whether this setup will work if I have an ACL with a permit gre any any, link this ACL with a crypto map, say testcrypto, and just apply this crypto map on the WAN interface and not on the tunnel, as specified by Cisco tech notes.

Thanks.

Comments

  • ilcram19-2 Banned Posts: 436
    Hi,

    I have gone through several items on the net regarding GRE/EIGRP/VPN. I just wish to verify whether this setup will work if I have an ACL with a permit gre any any, link this ACL with a crypto map, say testcrypto, and just apply this crypto map on the WAN interface and not on the tunnel, as specified by Cisco tech notes.

    Thanks.

    Yes, it needs to be on the outside interface if you are planning to use routing protocols, because if you apply it on the tunnel, OSPF and EIGRP won't work, and it needs to be GRE from your WAN IP to their WAN IP, not the tunnel IP. I also recommend looking into applying an IPsec profile to the tunnel interface; the config looks something like this:

    ! IKEv1 phase 1 (ISAKMP) policy: pre-shared key authentication with peer 2.2.2.2
    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key test address 2.2.2.2
    !
    ! Phase 2 transform set as posted (3DES/MD5 are legacy algorithms; AES/SHA are the current choice)
    crypto ipsec transform-set ipsec/gre esp-3des esp-md5-hmac
    !
    ! IPsec profile that the tunnel interface references instead of a crypto map
    crypto ipsec profile ipsec/gre
     set transform-set ipsec/gre
    !
    ! Tunnel sourced from the WAN interface; "tunnel mode ipsec ipv4" is a VTI (no GRE header)
    interface Tunnel99
     ip address 10.1.100.1 255.255.255.252
     tunnel source FastEthernet0/0
     tunnel destination 2.2.2.2
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile ipsec/gre

    Notice that there is no use of a crypto map; the security profile is protecting all the traffic going from the tunnel source to the tunnel destination.

    Interface: Tunnel99
    Session status: UP-ACTIVE
    Peer: 198.199.2.38 port 500
    IKE SA: local 138.113.17.46/500 remote 198.199.2.38/500 Active
    IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 <--- notice the IPsec flow
    Active SAs: 2, origin: crypto map


    which on a crypto map applied to the WAN interface will look something like this:

    Interface: FastEthernet0/0
    Peer: 198.199.2.38 port 500
    IKE SA: local 138.113.17.46/500 remote 198.199.2.38/500 Active
    IPSEC FLOW: permit 47 host 138.113.17.46 host 198.199.2.38 <--- only GRE on the IPsec flow
    Active SAs: 2, origin: crypto map
  • marcusaureliusbrutus Member Posts: 73
    Thank you so much ilcram19-2.

    I have read about the below and find it very promising.

    tunnel mode ipsec ipv4
    tunnel protection ipsec profile ipsec/gre


    For redundancy, failover, is the above approach the best?
  • ilcram19-2 Banned Posts: 436
    I would have to check your topology and what you are trying to accomplish. If you have a private link (Frame Relay, point-to-point, etc.) and you are configuring this to go over the Internet as a backup link in case your private link goes down, then yes, it is a good solution; you will have to use a routing protocol for automatic failover to the tunnel and to re-route traffic.
  • marcusaureliusbrutus Member Posts: 73
    Thanks again ilcram19-2.

    The network I am working with is primarily over the open Internet. We basically have two primary ISPs connecting to multiple sites, also with dual ISPs.
  • kalebksp Member Posts: 1,033
    Thank you so much ilcram19-2.

    I have read about the below and find it very promising.

    tunnel mode ipsec ipv4
    tunnel protection ipsec profile ipsec/gre


    For redundancy, failover, is the above approach the best?

    Just an FYI: that configuration creates an IPsec VTI tunnel, no GRE involved, but it should still do the job.
  • ilcram19-2 Banned Posts: 436
    Thanks again ilcram19-2.

    The network I am working with is primarily over the open Internet. We basically have two primary ISPs connecting to multiple sites, also with dual ISPs.

    Oh yeah, you could do that: just configure it for both of the ISPs and two tunnels for each ISP on the remote router, and you could also load balance between them. It is like having two links to the main office from the remote office; if one doesn't work, the other one will, I hope.
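The point in ilcram19-2's first reply, that the crypto ACL on the WAN interface has to match the GRE outer header (your WAN IP to their WAN IP, protocol 47) rather than the tunnel addresses, can be checked without a router. The following is an added example, not code from the thread or from Cisco: it models first-match crypto ACL classification, GRE-encapsulates an EIGRP hello leaving the tunnel, and shows which candidate ACLs would actually encrypt it. The WAN peers (138.113.17.46, 198.199.2.38) and the tunnel /30 come from the thread's show output and config; the ACL lines and the EIGRP hello are constructed for the example.

```python
"""Model how a Cisco crypto ACL classifies GRE-encapsulated traffic.

Added example; not code from the original thread. WAN addresses
(138.113.17.46, 198.199.2.38) and the tunnel /30 (10.1.100.1/.2) come from
the thread; the ACL lines and the EIGRP hello below are constructed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IOS protocol keywords; None stands for 'ip' (any protocol)
PROTO_NAMES = {"ip": None, "gre": 47, "tcp": 6, "udp": 17, "esp": 50, "icmp": 1}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class AclEntry:
    action: str
    proto: Optional[int]
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def gre_encapsulate(inner: Packet, tunnel_source: str, tunnel_destination: str) -> Packet:
    """GRE wraps the inner packet; a crypto map on the WAN interface only sees the outer header."""
    return Packet(src=tunnel_source, dst=tunnel_destination, proto=47)


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS ACL form 'addr wildcard': invert the wildcard bits to get a netmask."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if "/" in t:
        # 'show crypto session' flow form 'addr/netmask' (0.0.0.0/0.0.0.0 means any)
        addr, netmask = t.split("/")
        return ipaddress.IPv4Network((addr, netmask), strict=False), i + 1
    return _wildcard_to_network(t, tokens[i + 1]), i + 2


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'permit|deny <proto> <src> <dst>' in ACL or session-flow syntax."""
    tokens = line.split()
    action, proto_tok = tokens[0], tokens[1]
    proto = PROTO_NAMES[proto_tok] if proto_tok in PROTO_NAMES else int(proto_tok)
    src, i = _parse_addr(tokens, 2)
    dst, _ = _parse_addr(tokens, i)
    return AclEntry(action, proto, src, dst)


def crypto_acl_selects(acl_lines: List[str], pkt: Packet) -> bool:
    """First-match crypto ACL: True if the packet goes into IPsec, False if it leaves in the clear."""
    for entry in map(parse_acl_line, acl_lines):
        if ((entry.proto is None or entry.proto == pkt.proto)
                and ipaddress.IPv4Address(pkt.src) in entry.src
                and ipaddress.IPv4Address(pkt.dst) in entry.dst):
            return entry.action == "permit"
    return False  # implicit deny: not selected for encryption


LOCAL_WAN, PEER_WAN = "138.113.17.46", "198.199.2.38"  # WAN peers from the thread's show output
LOCAL_TUN, PEER_TUN = "10.1.100.1", "10.1.100.2"       # tunnel /30 from the posted config

# Constructed: an EIGRP hello (IP protocol 88 to 224.0.0.10) leaving Tunnel99
EIGRP_HELLO = Packet(src=LOCAL_TUN, dst="224.0.0.10", proto=88)

CANDIDATE_ACLS: Dict[str, List[str]] = {
    "any_any": ["permit gre any any"],                                     # the question's ACL
    "wan_to_wan": [f"permit gre host {LOCAL_WAN} host {PEER_WAN}"],        # recommended form
    "tunnel_to_tunnel": [f"permit gre host {LOCAL_TUN} host {PEER_TUN}"],  # common mistake
    "session_flow_gre": [f"permit 47 host {LOCAL_WAN} host {PEER_WAN}"],   # crypto-map flow
    "session_flow_vti": ["permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0"],     # tunnel-protection flow
}


def classify_after_gre(acls: Dict[str, List[str]] = CANDIDATE_ACLS) -> Dict[str, bool]:
    """Which candidate crypto ACLs would actually encrypt the GRE-encapsulated hello?"""
    outer = gre_encapsulate(EIGRP_HELLO, LOCAL_WAN, PEER_WAN)
    return {name: crypto_acl_selects(lines, outer) for name, lines in acls.items()}


if __name__ == "__main__":
    for name, encrypted in classify_after_gre().items():
        print(f"{name:18s} -> {'encrypted' if encrypted else 'sent in the clear'}")
    # A GRE-only crypto map does nothing for non-GRE traffic between the same WAN IPs
    print("plain tcp WAN->WAN:", crypto_acl_selects(CANDIDATE_ACLS["any_any"], Packet(LOCAL_WAN, PEER_WAN, 6)))
```

The tunnel_to_tunnel entry is the one to watch for: it looks like the GRE traffic you want to protect, but the WAN-interface crypto map only ever sees the outer header, so nothing matches and the GRE (and the EIGRP inside it) leaves in the clear. Conversely, a permit gre ACL selects only GRE, so anything else sourced from the WAN address is not encrypted; the tunnel-protection flow (permit ip any any, as in the first show output) has no such gap for traffic routed into the tunnel.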