
Add GRE to existing IPSEC VPN for EIGRP?


NettableWalker (IS-IT--Management):

Hi Everyone,

I have existing IPSEC VPNs across 3 sites and need to somehow apply GRE so that I can pass routing info (EIGRP) across the links.

Can I simply add a bit of code like the following:

interface Tunnel0
description here to there - GRE Tunnel
ip address 10.0.0.222 255.255.255.252
tunnel source FastEthernet0
tunnel destination 10.1.0.222

with similar, inversely addressed code on the remote router.

Will I need to completely reshape the ACLs etc. and apply the crypto map to the tunnel interface instead of the existing external interface?

Will this cut me off from the remote site?

Is it possible to just bolt on GRE, or will I have to basically rebuild the VPN configs from scratch?

 
You want GRE tunnelled inside IPSEC, not the other way around. We have done this, but are migrating away from it.

Basically your GRE peers will be the outside interfaces of your routers, and that traffic needs to be added to your crypto ACL. In fact, that's the only traffic which needs to be in the ACL. Traffic will first be tunnelled by GRE, then encrypted by IPSEC.
 
lgarner--

You say you are moving away from it... can I ask why?

I too am looking to move TOWARD this on my VPN links...

Before you totally migrate away from it, can you give a sample config?

--DW
 
Example configs to allow a couple of 1710 routers to talk to each other, establish IPSEC tunnels, then encapsulate the traffic in GRE to allow for a routing protocol such as OSPF to be used.

*****NEAR SIDE ROUTER CONFIG*****

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key password address 10.10.100.1
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ipsec-tunnel esp-3des esp-md5-hmac
!
crypto map vpn 1 ipsec-isakmp
set peer 10.10.100.1
set security-association lifetime seconds 28800
set security-association idle-time 180
set transform-set ipsec-tunnel
match address 101
!
interface Loopback0
description Local Loopback Facing Remote Router
ip address 192.168.1.1 255.255.255.255
!
interface Tunnel1
description GRE to Remote Router
ip address 10.10.101.1 255.255.255.252
no ip proxy-arp
ip mtu 1400
ip tcp adjust-mss 1340
ip ospf authentication
ip ospf authentication-key password
ip ospf cost 10
tunnel source Loopback0
tunnel destination 192.168.1.2
crypto map vpn
!
interface Ethernet0
description Link to Broadband Bridge/Gateway
ip address 10.100.10.1 255.255.255.252
ip access-group 103 in
ip access-group 104 out
half-duplex
no cdp enable
crypto map vpn
!
interface FastEthernet0
description Local LAN
ip address 10.10.15.254 255.255.255.0
no ip proxy-arp
ip route-cache flow
ip ospf authentication
ip ospf authentication-key password
ip ospf cost 10
speed 100
full-duplex
no cdp enable
!
router ospf 14882
router-id 10.10.15.254
log-adjacency-changes
network 10.10.15.254 0.0.0.0 area 0.0.0.0
network 10.10.101.1 0.0.0.0 area 0.0.0.0
!
ip route 10.10.100.1 255.255.255.255 10.100.10.2
!
access-list 1 permit 10.10.101.2
access-list 1 permit 10.10.16.0 0.0.0.255
access-list 101 permit gre host 192.168.1.1 host 192.168.1.2
access-list 103 permit gre any any
access-list 103 permit ahp host 10.10.100.1 any
access-list 103 permit esp host 10.10.100.1 any
access-list 103 permit udp host 10.10.100.1 any eq isakmp
access-list 103 permit ip 10.10.16.0 0.0.0.255 any
access-list 103 permit icmp 10.10.16.0 0.0.0.255 any
access-list 104 permit gre any any
access-list 104 permit ahp any host 10.10.100.1
access-list 104 permit esp any host 10.10.100.1
access-list 104 permit udp any host 10.10.100.1 eq isakmp
access-list 104 permit ip any 10.10.16.0 0.0.0.255
access-list 104 permit icmp any 10.10.16.0 0.0.0.255

*****FAR SIDE ROUTER CONFIG*****

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key password address 10.100.10.1
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ipsec-tunnel esp-3des esp-md5-hmac
!
crypto map vpn 1 ipsec-isakmp
set peer 10.100.10.1
set security-association lifetime seconds 28800
set security-association idle-time 180
set transform-set ipsec-tunnel
match address 101
!
interface Loopback0
description Local Loopback Facing Near Router
ip address 192.168.1.2 255.255.255.255
!
interface Tunnel1
description GRE to Remote Router
ip address 10.10.101.2 255.255.255.252
no ip proxy-arp
ip mtu 1400
ip tcp adjust-mss 1340
ip ospf authentication
ip ospf authentication-key password
ip ospf cost 10
tunnel source Loopback0
tunnel destination 192.168.1.1
crypto map vpn
!
interface Ethernet0
description Link to Broadband Bridge/Gateway
ip address 10.10.100.1 255.255.255.252
ip access-group 103 in
ip access-group 104 out
half-duplex
no cdp enable
crypto map vpn
!
interface FastEthernet0
description Local LAN
ip address 10.10.16.254 255.255.255.0
no ip proxy-arp
ip route-cache flow
ip ospf authentication
ip ospf authentication-key password
ip ospf cost 10
speed 100
full-duplex
no cdp enable
!
router ospf 14882
router-id 10.10.16.254
log-adjacency-changes
network 10.10.16.254 0.0.0.0 area 0.0.0.0
network 10.10.101.2 0.0.0.0 area 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 10.10.101.1
ip route 10.100.10.1 255.255.255.255 10.10.100.2
!
access-list 1 permit 10.10.101.1
access-list 1 permit 10.10.15.0 0.0.0.255
access-list 101 permit gre host 192.168.1.2 host 192.168.1.1
access-list 103 permit gre any any
access-list 103 permit ahp host 10.100.10.1 any
access-list 103 permit esp host 10.100.10.1 any
access-list 103 permit udp host 10.100.10.1 any eq isakmp
access-list 103 permit ip 10.10.15.0 0.0.0.255 any
access-list 103 permit icmp 10.10.15.0 0.0.0.255 any
access-list 104 permit gre any any
access-list 104 permit ahp any host 10.100.10.1
access-list 104 permit esp any host 10.100.10.1
access-list 104 permit udp any host 10.100.10.1 eq isakmp
access-list 104 permit ip any 10.10.15.0 0.0.0.255
access-list 104 permit icmp any 10.10.15.0 0.0.0.255
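As an added sanity check (my own code, not from the thread or from either poster's routers), the script below reads a trimmed IOS config from each side and verifies the points lgarner makes above: the tunnel endpoints mirror each other, the crypto map peer is the other side's outside address, and the crypto ACL holds only the GRE entry between the tunnel sources. It assumes the layout of the configs above (tunnel source is a loopback, numbered crypto ACL); the `side()` helper builds constructed configs in that layout, and `FAR_LAN_ACL` recreates the LAN-to-LAN ACL entry the opening post was considering instead of the GRE one.

```python
import re
# Added example (not from the thread): do two IOS configs mirror each other as GRE-over-IPsec peers?
def grab(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def parse_ios(cfg):
    """Collect the handful of fields the two peers have to mirror."""
    blocks = re.findall(r"^interface (\S+)\n((?:(?!\s*!)[^\n]*\n)*)", cfg, re.M)
    ifaces = {name: grab(r"^\s*ip address (\S+)", body) for name, body in blocks}
    acls = {}
    for num, rest in re.findall(r"^access-list (\S+) (.*)$", cfg, re.M):
        acls.setdefault(num, []).append(rest.split())
    src = grab(r"^\s*tunnel source (\S+)", cfg)
    return {"ifaces": ifaces, "acls": acls,
            "tunnel_src": ifaces.get(src, src),   # "Loopback0" -> its address
            "tunnel_dst": grab(r"^\s*tunnel destination (\S+)", cfg),
            "peer": grab(r"^\s*set peer (\S+)", cfg),
            "match_acl": grab(r"^\s*match address (\S+)", cfg)}

def check_pair(near, far):
    """Return the mismatches between two peers; an empty list means consistent."""
    a, b, problems = parse_ios(near), parse_ios(far), []
    for me, other, tag in ((a, b, "near"), (b, a, "far")):
        if me["tunnel_dst"] != other["tunnel_src"]:
            problems.append(f"{tag}: tunnel destination is not the peer's tunnel source")
        if me["peer"] not in other["ifaces"].values():
            problems.append(f"{tag}: set peer is not an address on the peer router")
        want = ["permit", "gre", "host", me["tunnel_src"], "host", me["tunnel_dst"]]
        rules = me["acls"].get(me["match_acl"], [])
        if want not in rules:
            problems.append(f"{tag}: crypto ACL {me['match_acl']} lacks the GRE endpoint entry")
        if any(r != want for r in rules):
            problems.append(f"{tag}: crypto ACL {me['match_acl']} carries non-GRE entries")
    return problems

def side(loop, peer_loop, outside, peer_outside, acl):
    """Constructed one-side config in the thread's layout, trimmed to what the check reads."""
    return "\n".join([f"crypto isakmp key password address {peer_outside}",
        "crypto map vpn 1 ipsec-isakmp", f" set peer {peer_outside}", " match address 101", "!",
        "interface Loopback0", f" ip address {loop} 255.255.255.255", "!",
        "interface Tunnel1", " tunnel source Loopback0", f" tunnel destination {peer_loop}", "!",
        "interface Ethernet0", f" ip address {outside} 255.255.255.252", " crypto map vpn", "!", acl])

NEAR = side("192.168.1.1", "192.168.1.2", "10.100.10.1", "10.10.100.1",
            "access-list 101 permit gre host 192.168.1.1 host 192.168.1.2")
FAR = side("192.168.1.2", "192.168.1.1", "10.10.100.1", "10.100.10.1",
           "access-list 101 permit gre host 192.168.1.2 host 192.168.1.1")
# The LAN-to-LAN entry the opening post had in mind, in place of the GRE entry
FAR_LAN_ACL = side("192.168.1.2", "192.168.1.1", "10.10.100.1", "10.100.10.1",
                   "access-list 101 permit ip 10.10.16.0 0.0.0.255 10.10.15.0 0.0.0.255")
```

`check_pair(NEAR, FAR)` returns an empty list, while `check_pair(NEAR, FAR_LAN_ACL)` reports that the far side's ACL 101 both lacks the GRE entry and carries a non-GRE one.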
