How to Configure GRE Over IPSec Site to Site VPN

GRE Over IPSec Site to Site Configuration
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
int s0/0
no shutdown
ip add 101.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 101.1.1.1
ISP
interface s0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int s0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.1 255.255.255.0
no shutdown
int s0/0
no shutdown
ip add 102.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 102.1.1.1
R1
R1#ping 192.168.101.1
#Type escape sequence to abort.
#Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
#!!!!!
#Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R1#ping 102.1.1.100
#Type escape sequence to abort.
#Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
#!!!!!
#Success rate is 100 percent (5/5), round-trip min/avg/max = 1/26/80 ms
R2
R2#ping 192.168.102.1
#Type escape sequence to abort.
#Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
#!!!!!
#Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R2#ping 101.1.1.100
#Type escape sequence to abort.
#Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
#!!!!!
#Success rate is 100 percent (5/5), round-trip min/avg/max = 1/22/80 ms
R1
interface tunnel 0
ip add 192.168.1.1 255.255.255.0
tunnel source serial 0/0
tunnel destination 102.1.1.100
tunnel mode gre ip
ip ospf 100 area 0
int f0/0
ip ospf 100 area 0
R2
interface tunnel 0
ip add 192.168.1.2 255.255.255.0
tunnel source serial 0/0
tunnel destination 101.1.1.100
tunnel mode gre ip
ip ospf 100 area 0
int f0/0
ip ospf 100 area 0
R1
R1#sh ip ospf neighbor
#Neighbor ID     Pri   State      Dead Time   Address       Interface
#192.168.102.1   0     FULL/ -    00:00:35    192.168.1.2   Tunnel0
R1#sh ip route ospf
#O 192.168.102.0/24 [110/11121] via 192.168.1.2, 00:00:18, Tunnel0
R2
R2#sh ip ospf neighbor
#Neighbor ID     Pri   State      Dead Time   Address       Interface
#192.168.101.1   0     FULL/ -    00:00:39    192.168.1.1   Tunnel0
R2#sh ip route ospf
#O 192.168.101.0/24 [110/11121] via 192.168.1.1, 00:00:50, Tunnel0
R1#ping 192.168.102.1 source f0/0 repeat 100
#Type escape sequence to abort.
#Sending 100, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
#Packet sent with a source address of 192.168.101.1
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#Success rate is 100 percent (100/100), round-trip min/avg/max = 1/5/40 ms
R2#ping 192.168.101.1 source fastEthernet 0/0 repeat 100
#Type escape sequence to abort.
#Sending 100, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
#Packet sent with a source address of 192.168.102.1
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#Success rate is 100 percent (100/100), round-trip min/avg/max = 1/4/48 ms
R1#sh crypto ipsec sa
#No SAs found
R2#sh crypto ipsec sa
#No SAs found
R1
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
crypto isakmp key shiva add 102.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
mode tunnel
exit
crypto ipsec profile shiva
set transform-set t-set
int t0
tunnel protection ipsec profile shiva
do sh hist
R1(config-if)#
*Mar 1 00:06:55.835: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /101.1.1.100, src_addr= 102.1.1.100, prot= 47
R1(config-if)#
*Mar 1 00:07:25.859: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.102.1 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired
R1 now accepts only IPsec-protected GRE, so until R2 gets the matching configuration below, its cleartext GRE packets (prot= 47) are dropped and the OSPF adjacency on Tunnel0 times out.
R2
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
crypto isakmp key shiva add 101.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
mode tunnel
exit
crypto ipsec profile shiva
set transform-set t-set
exit
interface tunnel 0
tunnel protection ipsec profile shiva
R1#ping 192.168.102.1 source fastEthernet 0/0 repeat 100
#Type escape sequence to abort.
#Sending 100, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
#Packet sent with a source address of 192.168.101.1
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#Success rate is 100 percent (100/100), round-trip min/avg/max = 48/62/80 ms
R2#ping 192.168.101.1 source f0/0 repeat 100
#Type escape sequence to abort.
#Sending 100, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
#Packet sent with a source address of 192.168.102.1
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#Success rate is 100 percent (100/100), round-trip min/avg/max = 44/61/80 ms
R1#sh crypto isakmp sa
#IPv4 Crypto ISAKMP SA
#dst           src           state     conn-id  slot  status
#101.1.1.100   102.1.1.100   QM_IDLE   1001     0     ACTIVE
#IPv6 Crypto ISAKMP SA
R1#sh crypto ipsec sa
#interface: Tunnel0
#Crypto map tag: Tunnel0-head-0, local addr 101.1.1.100
#protected vrf: (none)
#local ident (addr/mask/prot/port): (101.1.1.100/255.255.255.255/47/0)
#remote ident (addr/mask/prot/port): (102.1.1.100/255.255.255.255/47/0)
#current_peer 102.1.1.100 port 500
#PERMIT, flags={origin_is_acl,}
#pkts encaps: 218, #pkts encrypt: 218, #pkts digest: 218
#pkts decaps: 218, #pkts decrypt: 218, #pkts verify: 218
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 9, #recv errors 0
#local crypto endpt.: 101.1.1.100, remote crypto endpt.: 102.1.1.100
#path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
#current outbound spi: 0x4180C433(1098957875)
#inbound esp sas:
#spi: 0x75735F2(123155954)
#transform: esp-aes esp-sha-hmac ,
#in use settings ={Tunnel, }
#conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
#sa timing: remaining key lifetime (k/sec): (4555042/3502)
#IV size: 16 bytes
#replay detection support: Y
#Status: ACTIVE
#inbound ah sas:
#inbound pcp sas:
#outbound esp sas:
#spi: 0x4180C433(1098957875)
#transform: esp-aes esp-sha-hmac ,
#in use settings ={Tunnel, }
#conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
#sa timing: remaining key lifetime (k/sec): (4555041/3501)
#IV size: 16 bytes
#replay detection support: Y
#Status: ACTIVE
#outbound ah sas:
#outbound pcp sas:
R2#sh crypto isakmp sa
#IPv4 Crypto ISAKMP SA
#dst           src           state     conn-id  slot  status
#101.1.1.100   102.1.1.100   QM_IDLE   1001     0     ACTIVE
#IPv6 Crypto ISAKMP SA
R2#sh crypto ipsec sa
#interface: Tunnel0
#Crypto map tag: Tunnel0-head-0, local addr 102.1.1.100
#protected vrf: (none)
#local ident (addr/mask/prot/port): (102.1.1.100/255.255.255.255/47/0)
#remote ident (addr/mask/prot/port): (101.1.1.100/255.255.255.255/47/0)
#current_peer 101.1.1.100 port 500
#PERMIT, flags={origin_is_acl,}
#pkts encaps: 221, #pkts encrypt: 221, #pkts digest: 221
#pkts decaps: 222, #pkts decrypt: 222, #pkts verify: 222
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
#local crypto endpt.: 102.1.1.100, remote crypto endpt.: 101.1.1.100
#path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
#current outbound spi: 0x75735F2(123155954)
#inbound esp sas:
#spi: 0x4180C433(1098957875)
#transform: esp-aes esp-sha-hmac ,
#in use settings ={Tunnel, }
#conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
#sa timing: remaining key lifetime (k/sec): (4501054/3467)
#IV size: 16 bytes
#replay detection support: Y
#Status: ACTIVE
#inbound ah sas:
#inbound pcp sas:
#outbound esp sas:
#spi: 0x75735F2(123155954)
#transform: esp-aes esp-sha-hmac ,
#in use settings ={Tunnel, }
#conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
#sa timing: remaining key lifetime (k/sec): (4501054/3465)
#IV size: 16 bytes
#replay detection support: Y
#Status: ACTIVE
#outbound ah sas:
#outbound pcp sas:
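An added example, not part of the original post: a Python check that a captured "sh crypto ipsec sa" shows what the outputs above are meant to prove, namely that the SA protects GRE (protocol 47) between the two peers and that every packet is encrypted and authenticated. The function names and the sample's layout are assumptions made for illustration; the values are the R1 ones shown above.

```python
import re

# Constructed sample: laid out like IOS output, using the R1 values shown on this page.
SAMPLE_R1 = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 101.1.1.100
   local  ident (addr/mask/prot/port): (101.1.1.100/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (102.1.1.100/255.255.255.255/47/0)
    #pkts encaps: 218, #pkts encrypt: 218, #pkts digest: 218
    #pkts decaps: 218, #pkts decrypt: 218, #pkts verify: 218
    #send errors 9, #recv errors 0
     inbound esp sas:
      spi: 0x75735F2(123155954)
        transform: esp-aes esp-sha-hmac ,
     outbound esp sas:
      spi: 0x4180C433(1098957875)
        transform: esp-aes esp-sha-hmac ,
"""

def parse_sa(text):
    """Extract traffic selectors, packet/error counters and ESP SPIs (hypothetical helper)."""
    sa = {"counters": {}, "spis": []}
    for side, addr, prot in re.findall(
            r"(local|remote)\s+ident.*?\(([\d.]+)/[\d.]+/(\d+)/\d+\)", text):
        sa[side] = (addr, int(prot))          # e.g. ("101.1.1.100", 47)
    for name, value in re.findall(r"#(?:pkts )?([a-z ]+?):? (\d+)", text):
        sa["counters"][name.strip()] = int(value)
    sa["spis"] = re.findall(r"spi: (0x[0-9A-Fa-f]+)", text)
    return sa

def audit_sa(text, local, peer):
    """Return findings; an empty list means GRE between the peers is encrypted cleanly."""
    sa, findings = parse_sa(text), []
    c = sa["counters"]
    if sa.get("local") != (local, 47) or sa.get("remote") != (peer, 47):
        findings.append("selector is not GRE (protocol 47) between the two peers")
    if len(sa["spis"]) < 2:
        findings.append("inbound/outbound ESP SA pair missing")
    if not (c.get("encaps", 0) == c.get("encrypt", 0) == c.get("digest", 0) > 0):
        findings.append("outbound packets are not all encrypted and authenticated")
    if not (c.get("decaps", 0) == c.get("decrypt", 0) == c.get("verify", 0)):
        findings.append("inbound packets are not all decrypted and verified")
    for name in ("send errors", "recv errors"):
        if c.get(name, 0):
            findings.append(f"{name}: {c[name]}")
    return findings

if __name__ == "__main__":
    print(audit_sa(SAMPLE_R1, "101.1.1.100", "102.1.1.100"))
```

On the R1 sample the only finding is the non-zero send error counter; the "No SAs found" state from before the crypto configuration fails the selector, SA and encryption checks.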
Please post a blog on SSL VPN. I'm very confused about remote VPN, SSL VPN, IKE v1 and IKE v2; what is SSL VPN with IKE v1 and v3? Please post brief theory on it.