IPSec over GRE Tunnel in CISCO Routers
March 3rd, 2010
One of the typical tasks is transferring routing tables between two routers across public routers (for example, via the Internet). All data crossing the public network therefore has to be encrypted, and one of the best solutions is IPSec. However, one disadvantage of IPSec is that it works only with unicast traffic. So we will use a GRE tunnel to carry broadcast and multicast traffic: in other words, we encapsulate the multicast traffic into unicast and then encrypt it with IPSec.
A typical topology:
Let’s configure:
First of all, create simple routing between the routers.
R1:
R1#configure terminal
R1(config)#interface fastEthernet 1/0
R1(config-if)#ip address 10.0.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
! add default gateway
R1(config)#ip route 0.0.0.0 0.0.0.0 10.0.1.2
R2:
R2#configure terminal
R2(config)#interface fastEthernet 1/0
R2(config-if)#ip address 10.0.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
! add default gateway
R2(config)#ip route 0.0.0.0 0.0.0.0 10.0.2.2
Checking the connection between the routers:
In the second stage, we establish the GRE tunnels:
R1(config)#interface tunnel 0
R1(config-if)#ip address 174.10.0.1 255.255.255.252
R1(config-if)#tunnel source fastEthernet 1/0
R1(config-if)#tunnel destination 10.0.2.1
R2(config)#interface tunnel 0
R2(config-if)#ip address 174.10.0.2 255.255.255.252
R2(config-if)#tunnel source fastEthernet 1/0
R2(config-if)#tunnel destination 10.0.1.1
Let’s check how it works.
In the third stage, we establish the IPSec tunnel between the routers:
R1:
R1(config)#crypto isakmp enable
! phase 1 (ISAKMP) policy; anything not set here (lifetime, DH group) keeps its IOS default
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption aes
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash sha
R1(config-isakmp)#exit
! pre-shared key for the peer ("0" means the key is entered in clear text)
R1(config)#crypto isakmp key 0 cisco address 10.0.2.1
! interesting traffic: only the GRE packets between the two tunnel endpoints are encrypted
R1(config)#access-list 101 permit gre host 10.0.1.1 host 10.0.2.1
R1(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
! transport mode is enough: GRE already supplies the outer IP header
R1(cfg-crypto-trans)#mode transport
R1(cfg-crypto-trans)#exit
R1(config)#crypto map GRE 10 ipsec-isakmp
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#set transform-set IPSEC
R1(config-crypto-map)#set peer 10.0.2.1
R1(config-crypto-map)#exit
R1(config)#interface fastEthernet 1/0
R1(config-if)#crypto map GRE
For R2, issue the same configuration commands but with the peer addresses mirrored: 10.0.2.1 becomes 10.0.1.1 in the isakmp key and the set peer command, and the GRE access list is written from R2’s side (host 10.0.2.1 host 10.0.1.1).
Let’s check the IPSec tunnel:
Now we can easily carry EIGRP or OSPF traffic from one router to the other. To check it in our example, add an OSPF or EIGRP router process, add the tunnel network to it, and add any other networks we need.
In the case of EIGRP, add the following commands on both routers R1 and R2:
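The two ends of this setup must mirror each other exactly, and the two places where that usually goes wrong are the tunnel interface addresses (which must be two different hosts of the same /30) and the GRE access list (source and destination are swapped on R2, not just one address replaced). The following Python script is an added example, not code from the original post or from Cisco; it parses the peer-dependent lines of both configurations and reports any mismatch. The sample configurations are constructed from the addresses used above: R2_AS_POSTED reuses R1’s tunnel address, and R2_NAIVE shows the effect of a literal address swap in the access list.

```python
import ipaddress, re
def parse(cfg):
    """Pull the peer-dependent fields out of one router's IOS config text."""
    ifaces, f, cur = {}, {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        t = line.split()
        if line.startswith("interface "):
            cur = " ".join(t[1:]).lower()
        elif line.startswith("ip address ") and cur:
            ifaces[cur] = ipaddress.IPv4Interface(f"{t[2]}/{t[3]}")
        elif line.startswith("tunnel source "):
            f["tun_src"] = " ".join(t[2:]).lower()
        elif line.startswith(("tunnel destination ", "set peer ")):
            f[" ".join(t[:2])] = t[2]
        elif line.startswith("crypto isakmp key "):
            f["key_addr"] = t[t.index("address") + 1]
        elif re.match(r"access-list \d+ permit gre host \S+ host \S+$", line):
            f["acl"] = (t[5], t[7])
    f["tun_ip"] = next(v for k, v in ifaces.items() if k.startswith("tunnel"))
    f["phys_ip"] = str(ifaces[f["tun_src"]].ip)  # outer address on the wire
    return f

def check_pair(a, b):
    """Return mismatches between the two ends; an empty list means they mirror."""
    bad = []
    for me, other, n in ((a, b, "first"), (b, a, "second")):
        if me["tunnel destination"] != other["phys_ip"]:
            bad.append(f"{n}: tunnel destination is not the other end's source")
        if {me["set peer"], me["key_addr"]} != {other["phys_ip"]}:
            bad.append(f"{n}: crypto peer/key address must be the other end")
        if me["acl"] != (me["phys_ip"], other["phys_ip"]):
            bad.append(f"{n}: GRE access-list must be local host -> remote host")
    if a["tun_ip"].network != b["tun_ip"].network or a["tun_ip"].ip == b["tun_ip"].ip:
        bad.append("tunnel addresses must be two distinct hosts of one /30")
    return bad

def render(phys, tun_ip, remote):  # constructed config in the page's style
    return f"""interface fastEthernet 1/0
 ip address {phys} 255.255.255.0
interface tunnel 0
 ip address {tun_ip} 255.255.255.252
 tunnel source fastEthernet 1/0
 tunnel destination {remote}
crypto isakmp key 0 cisco address {remote}
access-list 101 permit gre host {phys} host {remote}
 set peer {remote}"""
R1 = render("10.0.1.1", "174.10.0.1", "10.0.2.1")
R2_AS_POSTED = render("10.0.2.1", "174.10.0.1", "10.0.1.1")  # reuses R1's tunnel address
R2_FIXED = render("10.0.2.1", "174.10.0.2", "10.0.1.1")
R2_NAIVE = R2_FIXED.replace("host 10.0.2.1 host 10.0.1.1", "host 10.0.1.1 host 10.0.1.1")  # literal swap
```

Running check_pair(parse(R1), parse(R2_FIXED)) returns an empty list, while the two faulty variants each produce one finding.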
router eigrp 100
network 174.10.0.0 0.0.0.3
Categories: VPN