GRE over IPSEC configuration Router

GRE tunnels allow us to tunnel unicast, multicast and broadcast traffic between routers and are often used to run routing protocols between sites. The downside of GRE is that it is clear text and offers no protection at all. On Cisco IOS routers, however, we can use IPSEC to encrypt the entire GRE tunnel, which gives us a secure site-to-site tunnel. In this lesson I will show you how to configure a GRE tunnel encrypted with IPSEC. This is the topology that we will use:


We will use the topology above. The HQ and Branch routers each have a loopback interface that represents their LAN. Both routers are connected to "the Internet" through the ISP router.
We will create a GRE tunnel between the HQ and Branch routers so that 172.16.1.0/24 and 172.16.3.0/24 can reach each other, with all traffic between the two networks encrypted with IPSEC.

HQ(config)#interface fastEthernet 0/0
HQ(config-if)#ip address 192.168.12.1 255.255.255.0
HQ(config-if)#description ***Connected to ISP***
HQ(config)#interface loopback0
HQ(config-if)#ip address 172.16.1.1 255.255.255.0
HQ(config-if)#exit
HQ(config)#ip route 192.168.23.3 255.255.255.255 192.168.12.2
Next we configure the tunnel interface on HQ: its source, its destination and the tunnel IP address.
HQ(config)#interface tunnel 1
HQ(config-if)#tunnel source fastEthernet 0/0
HQ(config-if)#tunnel destination 192.168.23.3
HQ(config-if)#ip address 192.168.13.1 255.255.255.0


We do not need to do anything special on the ISP router.
Now we configure the Branch router with its WAN interface IP, loopback and tunnel:
Branch(config)#interface fastEthernet 0/0
Branch(config-if)#ip address 192.168.23.3 255.255.255.0
Branch(config-if)#exit
Branch(config)#interface loopback 0
Branch(config-if)#ip address 172.16.3.3 255.255.255.0
Branch(config-if)#exit
Branch(config)#ip route 192.168.12.1 255.255.255.255 192.168.23.2

Branch(config)#interface tunnel 1
Branch(config-if)#tunnel source fastEthernet 0/0
Branch(config-if)#tunnel destination 192.168.12.1
Branch(config-if)#ip address 192.168.13.3 255.255.255.0

Now we add a static route on each side for the remote LAN, pointing at the tunnel interface:
HQ(config)#ip route 172.16.3.0 255.255.255.0 Tunnel1
Branch(config)#ip route 172.16.1.0 255.255.255.0 Tunnel1
Check that the GRE tunnel is up and that the two tunnel endpoints can ping each other.

Now we configure IPSEC on HQ: the ISAKMP policy (Phase 1), the pre-shared key, the transform set and the crypto map (Phase 2).
HQ(config)#crypto isakmp policy 10
HQ(config-isakmp)# encr aes 256
HQ(config-isakmp)# authentication pre-share
HQ(config-isakmp)# group 5
HQ(config-isakmp)# lifetime 3600
HQ(config)#crypto isakmp key CISCO123 address 192.168.23.3
HQ(config)#crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac
HQ(config)#access-list 100 permit ip any any
HQ(config)#crypto map CMAP 10 ipsec-isakmp
HQ(config-crypto-map)# set peer 192.168.23.3
HQ(config-crypto-map)# set transform-set TRANS
HQ(config-crypto-map)# match address 100

Now the same on the Branch router:
Branch(config)#crypto isakmp policy 10
Branch(config-isakmp)# encr aes 256
Branch(config-isakmp)# authentication pre-share
Branch(config-isakmp)# group 5
Branch(config-isakmp)# lifetime 3600
Branch(config)#crypto isakmp key CISCO123 address 192.168.12.1
Branch(config)#crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac
Branch(config)#access-list 100 permit ip any any
Branch(config)#crypto map CMAP 10 ipsec-isakmp
Branch(config-crypto-map)# set peer 192.168.12.1
Branch(config-crypto-map)# set transform-set TRANS
Branch(config-crypto-map)# match address 100
Now go to the outside interface and apply the crypto map:
HQ(config)#interface fastEthernet 0/0
HQ(config-if)#crypto map CMAP
Same on the Branch router:
Branch(config)#interface fastEthernet 0/0
Branch(config-if)#crypto map CMAP
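As an added example (not part of the original lesson), here is a small Python audit that pulls the fields the two sides must agree on out of each router's configuration, checks that HQ and Branch mirror each other (tunnel destination, pre-shared key address and crypto map peer all point at the other side's WAN address, identical ISAKMP policy and transform set, crypto map applied on the interface the tunnel is sourced from), and flags a crypto ACL of permit ip any any, which puts every packet leaving fastEthernet 0/0 into the crypto map rather than only the GRE traffic between the two tunnel endpoints. The config excerpts are constructed from the commands above, and the site, parse, audit and FINDINGS names are mine.

```python
import re

def site(wan, peer, acl):  # constructed excerpt of one router's config, following this lesson's commands
    return f"""interface fastEthernet 0/0
 ip address {wan} 255.255.255.0
 crypto map CMAP
interface tunnel 1
 tunnel source fastEthernet 0/0
 tunnel destination {peer}
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key CISCO123 address {peer}
crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac
access-list 100 {acl}
crypto map CMAP 10 ipsec-isakmp
 set peer {peer}
 match address 100
"""

def parse(text):  # pull out the fields that must agree between the two IPsec peers
    fields = {"wan": r"^ ip address (\S+)", "src": r"^ tunnel source (.+)$", "tunnel_dst": r"^ tunnel destination (\S+)",
              "key_peer": r"^crypto isakmp key \S+ address (\S+)", "map_peer": r"^ set peer (\S+)",
              "transform": r"^crypto ipsec transform-set \S+ (.+)$", "acl": r"^access-list 100 (.+)$"}
    got = {k: re.search(p, text, re.M).group(1) for k, p in fields.items()}
    got["policy"] = re.findall(r"^ ((?:encr|authentication|group|lifetime) .+)$", text, re.M)
    # the crypto map must be applied on the interface the GRE tunnel is sourced from
    got["map_on_src"] = bool(re.search(rf"^interface {re.escape(got['src'])}\n(?: .+\n)*? crypto map ", text, re.M))
    return got

def audit(cfg_a, cfg_b):  # findings for a pair of peers; an empty list means they mirror each other
    pa, pb, out = parse(cfg_a), parse(cfg_b), []
    for name, me, peer in (("HQ", pa, pb), ("Branch", pb, pa)):
        for field in ("tunnel_dst", "key_peer", "map_peer"):
            if me[field] != peer["wan"]:
                out.append(f"{name}: {field} {me[field]} is not the peer WAN address {peer['wan']}")
        if not me["map_on_src"]:
            out.append(f"{name}: crypto map is not applied on the tunnel source interface")
        if me["acl"] == "permit ip any any":  # wider than the GRE flow this map is meant to protect
            out.append(f"{name}: crypto ACL matches all traffic; restrict it to GRE between the endpoints")
    for k in ("policy", "transform"):
        if pa[k] != pb[k]:
            out.append(f"ISAKMP {k} parameters differ between the peers")
    return out

# the lesson's two routers as configured above; both sides keep the page's 'permit ip any any' ACL
FINDINGS = audit(site("192.168.12.1", "192.168.23.3", "permit ip any any"), site("192.168.23.3", "192.168.12.1", "permit ip any any"))
```

With the lesson's ACL both routers are flagged; with permit gre host <own WAN> host <peer WAN> on each side instead, the audit returns an empty list.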

Thank You