How to Configure GRE Over IPSec Site to Site VPN

Jul 16, 2016 | VPN Free Study Material

GRE Over IPSec Site to Site Configuration

Site to site VPN using GRE over IPSec

R1

interface fastEthernet 0/0 
no shutdown 
ip add 192.168.101.1 255.255.255.0 
no shutdown 
int s0/0 
no shutdown 
ip add 101.1.1.100 255.255.255.0 
no shutdown 
ip route 0.0.0.0 0.0.0.0 101.1.1.1

ISP

interface s0/0 
no shutdown 
ip add 101.1.1.1 255.255.255.0 
no shutdown 
int s0/1 
no shutdown 
ip add 102.1.1.1 255.255.255.0 
no shutdown

R2

interface fastEthernet 0/0 
no shutdown 
ip add 192.168.102.1 255.255.255.0 
no shutdown 
int s0/0 
no shutdown 
ip add 102.1.1.100 255.255.255.0 
no shutdown 
ip route 0.0.0.0 0.0.0.0 102.1.1.1 

R1

R1#ping 192.168.101.1 
#Type escape sequence to abort. 
#Sending 5, 100-byte ICMP Echos to 192.168.101.1, 
#timeout is 2 seconds: !!!!! 
#Success rate is 100 percent (5/5), 
#round-trip min/avg/max = 4/4/8 ms
 
R1#ping 102.1.1.100 
#Type escape sequence to abort. 
#Sending 5, 100-byte ICMP Echos to 102.1.1.100, 
#timeout is 2 seconds: !!!!! 
#Success rate is 100 percent (5/5), 
#round-trip min/avg/max = 1/26/80 ms

R2

R2#ping 192.168.102.1 
#Type escape sequence to abort. 
#Sending 5, 100-byte ICMP Echos to 192.168.102.1, 
#timeout is 2 seconds: !!!!! 
#Success rate is 100 percent (5/5), 
#round-trip min/avg/max = 4/4/4 ms 

R2#ping 101.1.1.100 
#Type escape sequence to abort. 
#Sending 5, 100-byte ICMP Echos to 101.1.1.100, 
#timeout is 2 seconds: 
#!!!!! Success rate is 100 percent (5/5), 
#round-trip min/avg/max = 1/22/80 ms

R1

interface tunnel 0
ip add 192.168.1.1 255.255.255.0
tunnel source serial 0/0 
tunnel destination 102.1.1.100 
tunnel mode gre ip 
ip ospf 100 area 0 
int f0/0 
ip ospf 100 area 0 

R2

interface tunnel 0 
ip add 192.168.1.2 255.255.255.0 
tunnel source serial 0/0 
tunnel destination 101.1.1.100 
tunnel mode gre ip 
ip ospf 100 area 0 
int f0/0 
ip ospf 100 area 0 

R1

R1#sh ip ospf neighbor
#Neighbor ID     Pri   State      Dead Time   Address       Interface
#192.168.102.1     0   FULL/  -   00:00:35    192.168.1.2   Tunnel0

R1#sh ip route ospf
#O 192.168.102.0/24 [110/11121] via 192.168.1.2, 00:00:18, Tunnel0

R2

R2#sh ip ospf neighbor
#Neighbor ID     Pri   State      Dead Time   Address       Interface
#192.168.101.1     0   FULL/  -   00:00:39    192.168.1.1   Tunnel0

R2#sh ip route ospf
#O 192.168.101.0/24 [110/11121] via 192.168.1.1, 00:00:50, Tunnel0

R1#ping 192.168.102.1 source f0/0 repeat 100
#Type escape sequence to abort.
#Sending 100, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
#Packet sent with a source address of 192.168.101.1
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#Success rate is 100 percent (100/100),
#round-trip min/avg/max = 1/5/40 ms

R2#ping 192.168.101.1 source fastEthernet 0/0 repeat 100 
#Type escape sequence to abort. 
#Sending 100, 
#100-byte ICMP Echos to 192.168.101.1, 
#timeout is 2 seconds: 
#Packet sent with a source address of 192.168.102.1 
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
#Success rate is 100 percent (100/100), round-trip min/avg/max = 1/4/48 ms 

R1#sh crypto ipsec sa
#No SAs found

R2#sh crypto ipsec sa
#No SAs found

R1

crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
crypto isakmp key shiva add 102.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
mode tunnel
exit
crypto ipsec profile shiva
set transform-set t-set
int t0
tunnel protection ipsec profile shiva
do sh hist

With tunnel protection enabled on R1 only, R1 rejects the unencrypted GRE packets (prot= 47) that R2 is still sending, and the OSPF adjacency over Tunnel0 goes down until R2 is configured the same way:

R1(config-if)#
*Mar 1 00:06:55.835: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /101.1.1.100, src_addr= 102.1.1.100, prot= 47
R1(config-if)#
*Mar 1 00:07:25.859: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.102.1 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired

R2

crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
crypto isakmp key shiva add 101.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
mode tunnel
exit
crypto ipsec profile shiva
set transform-set t-set
exit
interface tunnel 0
tunnel protection ipsec profile shiva

R1#ping 192.168.102.1 source fastEthernet 0/0 repeat 100
#Type escape sequence to abort.
#Sending 100, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
#Packet sent with a source address of 192.168.101.1
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#Success rate is 100 percent (100/100),
#round-trip min/avg/max = 48/62/80 ms

R2#ping 192.168.101.1 source f0/0 repeat 100
#Type escape sequence to abort.
#Sending 100, 100-byte ICMP Echos to 192.168.101.1,
#timeout is 2 seconds:
#Packet sent with a source address of 192.168.102.1
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#Success rate is 100 percent (100/100),
#round-trip min/avg/max = 44/61/80 ms

R1#sh crypto isakmp sa
#IPv4 Crypto ISAKMP SA
#dst             src             state      conn-id   slot   status
#101.1.1.100     102.1.1.100     QM_IDLE    1001      0      ACTIVE
#IPv6 Crypto ISAKMP SA

R1#sh crypto ipsec sa
#interface: Tunnel0
#Crypto map tag: Tunnel0-head-0, local addr 101.1.1.100
#protected vrf: (none)
#local ident (addr/mask/prot/port): (101.1.1.100/255.255.255.255/47/0)
#remote ident (addr/mask/prot/port): (102.1.1.100/255.255.255.255/47/0)
#current_peer 102.1.1.100 port 500
#PERMIT, flags={origin_is_acl,}
#pkts encaps: 218,
#pkts encrypt: 218,
#pkts digest: 218
#pkts decaps: 218,
#pkts decrypt: 218,
#pkts verify: 218
#pkts compressed: 0,
#pkts decompressed: 0
#pkts not compressed: 0,
#pkts compr. failed: 0
#pkts not decompressed: 0,
#pkts decompress failed: 0
#send errors 9,
#recv errors 0
#local crypto endpt.: 101.1.1.100,
#remote crypto endpt.: 102.1.1.100
#path mtu 1500,
#ip mtu 1500,
#ip mtu idb Serial0/0
#current outbound spi: 0x4180C433(1098957875)
#inbound esp sas:
#spi: 0x75735F2(123155954)
#transform: esp-aes esp-sha-hmac ,
#in use settings ={Tunnel, }
#conn id: 1, flow_id: SW:1,
#crypto map: Tunnel0-head-0
#sa timing: remaining key lifetime (k/sec): (4555042/3502)
#IV size: 16 bytes
#replay detection support: Y
#Status: ACTIVE
#inbound ah sas:
#inbound pcp sas:
#outbound esp sas:
#spi: 0x4180C433(1098957875)
#transform: esp-aes esp-sha-hmac ,
#in use settings ={Tunnel, }
#conn id: 2, flow_id: SW:2,
#crypto map: Tunnel0-head-0
#sa timing: remaining key lifetime (k/sec): (4555041/3501)
#IV size: 16 bytes
#replay detection support: Y
#Status: ACTIVE
#outbound ah sas:
#outbound pcp sas:

R2#sh crypto isakmp sa
#IPv4 Crypto ISAKMP SA
#dst             src             state      conn-id   slot   status
#101.1.1.100     102.1.1.100     QM_IDLE    1001      0      ACTIVE
#IPv6 Crypto ISAKMP SA

R2#sh crypto ipsec sa
#interface: Tunnel0
#Crypto map tag: Tunnel0-head-0, local addr 102.1.1.100
#protected vrf: (none)
#local ident (addr/mask/prot/port): (102.1.1.100/255.255.255.255/47/0)
#remote ident (addr/mask/prot/port): (101.1.1.100/255.255.255.255/47/0)
#current_peer 101.1.1.100 port 500
#PERMIT, flags={origin_is_acl,}
#pkts encaps: 221,
#pkts encrypt: 221,
#pkts digest: 221
#pkts decaps: 222,
#pkts decrypt: 222,
#pkts verify: 222
#pkts compressed: 0,
#pkts decompressed: 0
#pkts not compressed: 0,
#pkts compr. failed: 0
#pkts not decompressed: 0,
#pkts decompress failed: 0
#send errors 0,
#recv errors 0
#local crypto endpt.: 102.1.1.100,
#remote crypto endpt.: 101.1.1.100
#path mtu 1500,
#ip mtu 1500,
#ip mtu idb Serial0/0
#current outbound spi: 0x75735F2(123155954)
#inbound esp sas:
#spi: 0x4180C433(1098957875)
#transform: esp-aes esp-sha-hmac ,
#in use settings ={Tunnel, }
#conn id: 1, flow_id: SW:1,
#crypto map: Tunnel0-head-0
#sa timing: remaining key lifetime (k/sec): (4501054/3467)
#IV size: 16 bytes
#replay detection support: Y
#Status: ACTIVE
#inbound ah sas:
#inbound pcp sas:
#outbound esp sas:
#spi: 0x75735F2(123155954)
#transform: esp-aes esp-sha-hmac ,
#in use settings ={Tunnel, }
#conn id: 2, flow_id: SW:2,
#crypto map: Tunnel0-head-0
#sa timing: remaining key lifetime (k/sec): (4501054/3465)
#IV size: 16 bytes
#replay detection support: Y
#Status: ACTIVE
#outbound ah sas:
#outbound pcp sas:
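
The verification step above can be automated over saved `sh crypto ipsec sa` output: the script below checks that the SA selects only GRE (protocol 47), that every encapsulated packet was also encrypted and authenticated, that both ESP SAs are ACTIVE, and that no errors are counted. It is an added example, not part of the original page; the function name `check_ipsec_sa` is hypothetical and the sample text is a trimmed, re-spaced excerpt of the R1 output.

```python
import re

# Constructed sample: a trimmed excerpt of the R1 `sh crypto ipsec sa` output
# from this page, laid out the way IOS prints it.
SAMPLE = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 101.1.1.100
   local  ident (addr/mask/prot/port): (101.1.1.100/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (102.1.1.100/255.255.255.255/47/0)
    #pkts encaps: 218, #pkts encrypt: 218, #pkts digest: 218
    #pkts decaps: 218, #pkts decrypt: 218, #pkts verify: 218
    #send errors 9, #recv errors 0
     inbound esp sas:
      spi: 0x75735F2(123155954)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x4180C433(1098957875)
        Status: ACTIVE
"""

GRE = "47"  # IP protocol number of GRE, the 'prot' field of the SA idents

def check_ipsec_sa(text):
    """Return findings for one router's output; [] means GRE is protected."""
    if "No SAs found" in text:
        return ["no IPsec SAs: tunnel traffic leaves as cleartext GRE"]
    findings = []
    # Traffic selectors: both idents should be host/47, i.e. only the GRE flow.
    prots = re.findall(r"ident \(addr/mask/prot/port\): \([\d.]+/[\d.]+/(\d+)/\d+\)", text)
    if len(prots) < 2 or any(p != GRE for p in prots):
        findings.append(f"SA selectors are not GRE-only: {prots}")
    # Counters look like '#pkts encaps: 218' or '#send errors 9'.
    c = {k: int(v) for k, v in re.findall(r"#([a-z. ]+?):? (\d+)", text)}
    for group in (("encaps", "encrypt", "digest"), ("decaps", "decrypt", "verify")):
        vals = [c.get(f"pkts {name}", 0) for name in group]
        if len(set(vals)) != 1:
            findings.append(f"{'/'.join(group)} counters differ: {vals}")
        elif vals[0] == 0:
            findings.append(f"no packets counted for {group[0]}")
    for name in ("send errors", "recv errors"):
        if c.get(name, 0):
            findings.append(f"{name}: {c[name]}")
    if text.count("Status: ACTIVE") < 2:
        findings.append("missing ACTIVE inbound or outbound ESP SA")
    return findings

if __name__ == "__main__":
    for line in check_ipsec_sa(SAMPLE) or ["OK: GRE is encrypted and authenticated"]:
        print(line)
```

On the R1 sample the only finding is the non-zero send error counter; the "No SAs found" state shown before IPsec was configured is reported as cleartext GRE.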
