
GRE OVER IPSEC

Building on the IPSEC and GRE configurations from our previous article, we will now combine the two. We still have the GRE tunnel, but this time everything that enters it is encrypted. The dynamic routing protocol still runs across the tunnel, but its messages are now encrypted as well.

Let the dynamic routing run! But encrypted!

On R1

1. Configure phase I (the ISAKMP policy and the pre-shared key for the peer)

crypto isakmp policy 10
 authentication pre-share
 hash md5
 group 2
 encryption 3des
crypto isakmp key cisco111 address 192.1.20.3

2. Configure phase II (the IPSEC transform set)

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

##In L2L IPSEC we had a crypto map that called the transform set. In GRE over IPSEC we instead need an IPSEC profile, which is later applied on the tunnel interface.##

3. Configure an IPSEC profile and attach the transform set to it.

crypto ipsec profile NETWORKWITHME
 set transform-set TSET

4. Assign the IPSEC profile to the Tunnel interface.

The crypto map commands used in L2L IPSEC are not needed here:

crypto map ABC 10 ipsec-isakmp
 match address 101 (##Not required: any traffic through the tunnel will be encrypted##)
 set peer 192.1.20.3 (##Not required: already given on the tunnel interface as the tunnel destination##)
 set transform-set TSET (##Not required: already linked to the profile in step 3##)

So, instead of the crypto map commands above, we use the following:

interface Tunnel1
 tunnel source FastEthernet0/0
 tunnel destination 192.1.20.3
 tunnel protection ipsec profile NETWORKWITHME


GRE Over IPSec PACKET LOOK and SIZE
==================================================================
Outer (IPSEC, tunnel mode)   ESP     192.1.10.1   -> 192.1.20.3
Middle (GRE delivery)        GRE     192.1.10.1   -> 192.1.20.3
Inner (routing update)       EIGRP   192.168.1.1  -> 224.0.0.10
Payload                      DATA
==================================================================

IPSEC Header = 52 Bytes

The SA on R1 should show that it protects GRE (IP protocol 47) between the two tunnel endpoints, in tunnel mode:

R1#sh crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.1.10.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.1.10.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.1.20.3/255.255.255.255/47/0)
current_peer 192.1.20.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 65, #pkts encrypt: 65, #pkts digest: 65
#pkts decaps: 64, #pkts decrypt: 64, #pkts verify: 64
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
local crypto endpt.: 192.1.10.1, remote crypto endpt.: 192.1.20.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xEA342C31(3929287729)
inbound esp sas:
spi: 0x54322F5(88285941)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4418386/3323)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xEA342C31(3929287729)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4418386/3323)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
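As an added example (not part of the original article), a small Python check that parses the show crypto ipsec sa output above and confirms the SA protects GRE (protocol 47) between the expected tunnel endpoints, runs in tunnel mode, is ACTIVE in both directions, and flags send errors and deprecated transforms such as 3DES. The sample text is a constructed, trimmed copy of the output shown; the function and variable names are my own.

```python
import re
# Constructed sample: a trimmed copy of the "show crypto ipsec sa" output above.
SAMPLE = """\
local ident (addr/mask/prot/port): (192.1.10.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.1.20.3/255.255.255.255/47/0)
#pkts encaps: 65, #pkts encrypt: 65, #pkts digest: 65
#pkts decaps: 64, #pkts decrypt: 64, #pkts verify: 64
#send errors 5, #recv errors 0
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
Status: ACTIVE
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
Status: ACTIVE
"""

# Transforms that should not be used for new deployments (3DES, DES, MD5, null).
WEAK = {"esp-3des", "esp-des", "esp-md5-hmac", "esp-null"}
def parse_ipsec_sa(text):
    # Pull the fields this check needs out of the raw show output.
    sa = {}
    for side, addr, proto in re.findall(
            r"(local|remote) ident .*?: \(([\d.]+)/[\d.]+/(\d+)/\d+\)", text):
        sa[side] = (addr, int(proto))  # e.g. ("192.1.10.1", 47): 47 is GRE
    sa["encaps"] = int(re.search(r"#pkts encaps: (\d+)", text).group(1))
    sa["decaps"] = int(re.search(r"#pkts decaps: (\d+)", text).group(1))
    sa["send_errors"] = int(re.search(r"#send errors (\d+)", text).group(1))
    sa["transforms"] = sorted(set(re.findall(r"transform: (.+?) ,", text)))
    sa["modes"] = re.findall(r"in use settings =\{(\w+)", text)
    sa["statuses"] = re.findall(r"Status: (\w+)", text)
    return sa

def check_gre_over_ipsec(text, local, remote):
    # Returns a list of findings; an empty list means the SA looks healthy.
    sa, findings = parse_ipsec_sa(text), []
    if sa.get("local") != (local, 47) or sa.get("remote") != (remote, 47):
        findings.append("SA does not protect GRE (proto 47) between the tunnel endpoints")
    if not sa["modes"] or any(m != "Tunnel" for m in sa["modes"]):
        findings.append("ESP is not in tunnel mode")
    if sa["statuses"].count("ACTIVE") < 2:
        findings.append("inbound and outbound ESP SAs are not both ACTIVE")
    if sa["encaps"] == 0 or sa["decaps"] == 0:  # one-way traffic: routing not flowing
        findings.append("traffic flows in only one direction")
    if sa["send_errors"]:
        findings.append(f"{sa['send_errors']} send errors")
    weak = sorted({w for t in sa["transforms"] for w in t.split() if w in WEAK})
    if weak:
        findings.append("deprecated transform(s): " + ", ".join(weak))
    return findings
```

Run against the sample it reports the five send errors and the 3DES transform; paste in your own router's output and pass your tunnel source and destination addresses to check a real SA.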
