A tutorial on how to create a GRE tunnel between two sites via internet and how to secure the tunnel using IPSec VPN technologies, IPSec, isakmp, crypto-map, crypto map
Dear Doug, thank you so much for a great video, you mentioned and configured everything we need to know for GRE, IPSEC, ISAKMP and much more. I really appreciate your time and your video. You should be here in Toronto / Canada for a great Networking Instructor we don't have. I paid a lot of money to go to the Networking College, but never ever got what I expected , (just wasting money and time to be certified in Toronto). THANKS AGAIN AND GOD BLESS, Mike
Hello, I am from the future! (2020 in particular) Make similar lab, it didnt work, untile: - had to remove crypto-map from tunnels and leave only on fast-ethernets; - had to permit ip in the ACL instead of gre; What gives?
There is a mistake in this config, The access list used for the IPsec Tunnel should be local to remote, not remote to local. I confirmed this with Gns3, Phase 2 won't finish unless you put the local network first and remote second.Otherwise, great video.
Sure, The correct ACL is as follows: R3: permit gre host 172.168.3.2 host 172.168.2.1 (Local network first then, remote) R1:: permit gre host 172.168.2.1 host 172.168.3.2
This is not IPsec over gre. This is gre over IPsec. In IPsec over gre case, all packet first encrypted and then passing through gre tunnel. Since IPsec can not encapsulate multicast, broadcast packet, this lead to routing protocol problems. By means of gre over IPsec, multicast and broadcast can be encapsulated using gre and then encrypted using IPsec.
Great vid, thanks. Has anyone tried this in packet tracer? when I create my trans-set it doesn't go into (cfg-crypto-trans) mode for me, also, I can't apply my crypto map to the tunnel interface.
Why do you have to apply the crypto map to both the physical and the tunnel interface? I labbed it, and it seems it also works if I apply the crypto map only to the physical interface. On the other hand, if I apply it only to the tunnel interface, traffic still goes through, but nothing gets encrypted. As long as it's applied to the physical interface, it makes no difference whether I apply it to the tunnel interface too or not... What am I missing?
In releases before Cisco IOS Release 12.2(13)T crypto maps had to be applied to both physical and logical interfaces. In later IOS versions crypto maps only need to be applied only to the physical interface, reference Cisco Point-to-Point GRE over IPsec Design Guide.
hi, i know u have asked this question 2 years ago :), i am just playing with ipsec--gre , the answer to your question is ACL, that is why when you apply it only to tunnel interfaces and test ,it doesnt match anything so nothing is encrypted, if you just tweak it abit and add extra Acl line to current Acl that what exactly you needs to match to be encrypted. Examle, you only want your 192.168.1.0 network to be encrypted when its talking to 10.1.1.0 network only so just add it to exisiting R1 ip access-list extended IPSEC-TRAFFIC permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 R2 ip access-list extended IPSEC-TRAFFIC permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 now remove the crypto map from your physical interfaces and just apply it onto tunnels, you should see traffic encrypted when packets comes from 192 to 10 network and vice-versa. Regards!
This guy will miss you up if you try his technique with in a lab / home environment (GNS3 or lab equipment) what he DOES NOT EXPLAIN and you can WASTE hours trying to figure it out is that in a lab / home environment (GNS3 / home equipment) and not connected to an “Internet” connection, is that there has to be stable routing between the two networks before you crate the tunnel and set up the OSPF (processes 123). I spent hours with a flapping tunnel and trying to figure out why!
I've been having a little trouble creating a GRE tunnel, much less setting up IPSec. I've got the subnets set up and I have OSPF enabled with the networks added on the appropriate routers, but I can't get past the "ISP". I can successfully ping from each router to the "ISP", but I can't ping each of the routers to each other. I have the appropriate "public" IPs for the destinations. I'm trying to figure out what I'm forgetting/missing. Any tips?
Great lab, thanks for using a "clear" mic. Issue I'm running into is, I dont see my OSPF routes? I see the neighbors come up but when I do a sho ip route, there are NO OSPF routes . ALsho shouldn't you be able to ping your loop back interfaces form the remote route, being that they are now routed through the tunnel via ospf?
Perfect and excellent, some new stuff. We are very great full to you to spent time on it. I like the way you talk and explanation. If you put some more light on Diffe, transform sets, isakmp will be great.
Do the OSPF process ID # 's have to be identical to become neighbors or to function? I thought the process ID was locally significant to the router database. Great video! Loved it.
Great video Doug! I do have a question though and excuse me if this has been asked before.. How do you simulate the ISP in Dynamips/GNS3? I'd like to give this lab a go. Again, great tutorial!
Not a network professiona but I have one question: Are both routers the same or from the same company? Could you have done the same if the routers were from different brands?
Thank you so so much for your great video and explanation it really really helped me understand and get a project done. You are a superb teacher and I love your method of teaching and explaining as you go along on screen. THANK YOU!
don`t you need to use an "permit ip any any" after the ACL you configured on the GRE? otherwise the only traffic that will be allowed to flow through these physical interfaces would be GRE traffic and only to a specific destination on the other side... you DO need to use those interfaces for regular internet traffic too, don`t you?
4.2.2.2 is the public DNS servers on the internet, he tested internet connectivity by pinging it.. its not configured on the router. would use the default route on the router.
You have to apply static route on the 3rd router: (i'm using serial interfaces instead of FA) R3(config)#ip route 192.168.1.0 255.255.255.0 serial 0/0 R3(config)#ip route 162.27.193.130 255.255.255.255 serial 0/0 R3(config)#ip route 45.12.153.202 255.255.255.255 serial 0/1 R3(config)#ip route 10.1.1.0 255.255.255.0 serial 0/1
You only need 4 routes on the three routers for it to work: R1: R1#sh ip route static 45.0.0.0/24 is subnetted, 1 subnets S 45.12.153.0 [1/0] via 162.27.193.2 WAN: C 45.12.153.0 is directly connected, FastEthernet0/1 162.27.0.0/30 is subnetted, 1 subnets C 162.27.193.0 is directly connected, FastEthernet0/0 R2: R2#sh ip route static 162.27.0.0/24 is subnetted, 1 subnets S 162.27.193.0 [1/0] via 45.12.153.2
You dont apply the crypto map to the tunnel. You apply it to the outbound physical interface's ip address. I have done it on Packet Tracer and you dont have to worry about the Crypto-trans mode. Just use the authentication preshare and encryption and it works just fine
Thanks for the video. Can you please make a video on site to site vpn over adsl? One site is the corporate network using ASA5500 router and the remote site has cisco router sitting behind the adsl modem and has static public IP.
I think what you missed is that both routers R1 and R2 have default routes pointing to internet and OSPF is used between R1 and R2 over the GRE tunnel emulating Intranet edge routers. On GNS3 all you need is to have "ip route 0.0.0.0 0.0.0.0 fa0/0" configured on R1 and R2 with fa0/0 interfaces on R1 and R2 connected to R3 acting as the ISP.
Javier Cespedes You probably already know the answer, but yes its a GRE tunnel over IPsec tunnel. IPsec doesn't handle multicast or broadcast traffic. One of the benefits of GRE over IPsec as opposed to just using an IPsec tunnel by itself. is we can encapsulate a wider range of traffic into a GRE tunnel and then send it securely within an IPsec tunnel. Hope this was useful
+Roman Hoax sorry mate, but you are wrong. it is IPSEC over GRE. the gre tunnel comes first and than the ipsec tunnel comes "on top" of it to allow the security. the only reason we don`t use only ipsec is because it can`t forward broadcast. so we build a gre tunnel that encapsulates the broadcast with a unicast and THEN put on it an ipsec tunnel to secure that unicast traffic.
willow klan Semantics. my explanation is the exact same as yours. My wording is such that the GRE tunnel is sent over IPsec. Hence GRE over IPsec. I already explained the GRE tunnel comes first, it is then sent over IPsec. Semantics.
Great tutorial. I would have liked to know what some of the terms were like the Diffe, transform sets, isakmp, etc. I guess that would be another video to explain what these different types of crypto are.