# GRE over IPsec


Topology

[PC-1]----[ROUTER-1]----[ROUTER-2]----[PC-2]

[PC-1] eth0: 192.168.1.1/24

[ROUTER-1] fa0/1: 192.168.1.254/24
[ROUTER-1] fa0/0: 12.12.12.1/24
[ROUTER-1] tu0: 12.0.0.1/24

[ROUTER-2] tu0: 12.0.0.2/24
[ROUTER-2] fa0/0: 12.12.12.2/24
[ROUTER-2] fa0/1: 192.168.2.254/24

[PC-2] eth0: 192.168.2.1/24

Using static crypto maps

! Phase 1 (IKEv1/ISAKMP) policy: pre-shared-key authentication, AES (128-bit when no
! key size is given), SHA-1 integrity, DH group 2 (1024-bit MODP), 24h SA lifetime.
! NOTE(review): group 2 and SHA-1 are legacy-strength choices; where the IOS image
! supports it, prefer a larger DH group (e.g. group 14) and a SHA-2 hash, or IKEv2.
ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
! Main mode only: aggressive mode exposes the PSK-derived identity hash to offline
! guessing, so it is switched off even though there is no aggressive-mode peer here.
ROUTER-1(config)# crypto isakmp aggressive-mode disable
! PSK bound to the single peer address. "0" means the key is typed in clear text.
! SECRET_KEY is a placeholder: use a long random secret, identical on both routers.
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.2
ROUTER-1(config)# crypto isakmp enable
! Crypto ACL: only GRE between the two WAN addresses is "interesting" traffic, so the
! whole tunnel (whatever rides inside it) is encrypted and nothing else on fa0/0 is.
ROUTER-1(config)# ip access-list extended CRYPTO_ACL
ROUTER-1(config-ext-nacl)# permit gre host 12.12.12.1 host 12.12.12.2
! Phase 2 proposal: ESP with AES encryption and SHA-1 HMAC. No "mode" is set, so the
! default tunnel mode applies; transport mode is commonly used for GRE over IPsec
! because GRE already supplies the outer IP header.
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
! Static crypto map entry: peer, interesting traffic, proposal, and PFS (a fresh DH
! exchange per IPsec SA rather than keys derived from the phase 1 secret).
ROUTER-1(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
ROUTER-1(config-crypto-map)# set peer 12.12.12.2
ROUTER-1(config-crypto-map)# match address CRYPTO_ACL
ROUTER-1(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-1(config-crypto-map)# set pfs group2
! The crypto map is applied to the physical WAN interface, which is also the NAT
! outside interface.
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# crypto map CRYPTO_MAP
ROUTER-1(config-if)# ip nat outside
ROUTER-1(config)# interface fa0/1
ROUTER-1(config-if)# ip nat inside
! GRE tunnel between the WAN addresses. tu0 is neither NAT inside nor outside, so
! LAN-to-LAN traffic routed into the tunnel is not translated.
! NOTE(review): no tunnel keepalive, ISAKMP dead-peer detection or TCP MSS clamping
! is configured; a production tunnel usually wants all three.
ROUTER-1(config)# interface tu0
ROUTER-1(config-if)# ip address 12.0.0.1 255.255.255.0
ROUTER-1(config-if)# tunnel source fa0/0
ROUTER-1(config-if)# tunnel destination 12.12.12.2
! Remote LAN is reached through the tunnel; everything else is sent to the peer's
! WAN address, which doubles as the default next hop in this back-to-back lab.
ROUTER-1(config)# ip route 192.168.2.0 255.255.255.0 12.0.0.2
ROUTER-1(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.2
! PAT for traffic leaving fa0/0 from the inside interface. "permit ip any any" is
! broader than needed; matching only the local LAN (permit ip 192.168.1.0 0.0.0.255
! any) limits what can ever be translated.
ROUTER-1(config)# ip access-list extended ACL_NAT
ROUTER-1(config-ext-nacl)# permit ip any any
ROUTER-1(config)# ip nat inside source list ACL_NAT interface fa0/0 overload
! Mirror of the ROUTER-1 configuration. Phase 1 policy: PSK authentication, AES
! (128-bit when no key size is given), SHA-1, DH group 2 (1024-bit MODP), 24h lifetime.
! The policy must match the peer's for the SA to negotiate.
! NOTE(review): group 2 and SHA-1 are legacy-strength choices; prefer a larger DH
! group (e.g. group 14) and a SHA-2 hash, or IKEv2, where the image supports them.
ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
! Main mode only; aggressive mode exposes the PSK-derived identity hash to offline guessing.
ROUTER-2(config)# crypto isakmp aggressive-mode disable
! Same PSK as ROUTER-1, bound to ROUTER-1's WAN address. "0" = key typed in clear text;
! SECRET_KEY is a placeholder for a long random secret.
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1
ROUTER-2(config)# crypto isakmp enable
! Crypto ACL is the exact mirror of the peer's (source and destination swapped);
! only the GRE tunnel between the WAN addresses is protected.
ROUTER-2(config)# ip access-list extended CRYPTO_ACL
ROUTER-2(config-ext-nacl)# permit gre host 12.12.12.2 host 12.12.12.1
! Phase 2 proposal: ESP with AES and SHA-1 HMAC; default (tunnel) mode since no
! "mode" is set.
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
! Static crypto map entry pointing at ROUTER-1, with PFS enabled.
ROUTER-2(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
ROUTER-2(config-crypto-map)# set peer 12.12.12.1
ROUTER-2(config-crypto-map)# match address CRYPTO_ACL
ROUTER-2(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-2(config-crypto-map)# set pfs group2
! Crypto map on the WAN interface, which is also the NAT outside interface.
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# crypto map CRYPTO_MAP
ROUTER-2(config-if)# ip nat outside
ROUTER-2(config)# interface fa0/1
ROUTER-2(config-if)# ip nat inside
! GRE tunnel endpoint. tu0 is neither NAT inside nor outside, so traffic routed into
! the tunnel is not translated.
! NOTE(review): no tunnel keepalive, ISAKMP dead-peer detection or TCP MSS clamping
! is configured here.
ROUTER-2(config)# interface tu0
ROUTER-2(config-if)# ip address 12.0.0.2 255.255.255.0
ROUTER-2(config-if)# tunnel source fa0/0
ROUTER-2(config-if)# tunnel destination 12.12.12.1
! Remote LAN via the tunnel; default route to the peer's WAN address.
ROUTER-2(config)# ip route 192.168.1.0 255.255.255.0 12.0.0.1
ROUTER-2(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.1
! PAT for inside-to-outside traffic. "permit ip any any" is broader than needed;
! matching only 192.168.2.0/24 (permit ip 192.168.2.0 0.0.0.255 any) is tighter.
ROUTER-2(config)# ip access-list extended ACL_NAT
ROUTER-2(config-ext-nacl)# permit ip any any
ROUTER-2(config)# ip nat inside source list ACL_NAT interface fa0/0 overload

Using IPsec profiles (tunnel protection)

! Alternative to the crypto-map approach: the same phase 1 policy, but the IPsec
! settings are attached to the tunnel interface through a profile instead of a crypto
! map on fa0/0.
! Phase 1: PSK authentication, AES (128-bit when no key size is given), SHA-1,
! DH group 2 (1024-bit MODP), 24h lifetime.
! NOTE(review): group 2 and SHA-1 are legacy-strength choices; prefer a larger DH
! group (e.g. group 14) and a SHA-2 hash, or IKEv2, where the image supports them.
ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
! Main mode only; aggressive mode exposes the PSK-derived identity hash to offline guessing.
ROUTER-1(config)# crypto isakmp aggressive-mode disable
! PSK bound to the peer's WAN address. "0" = key typed in clear text; SECRET_KEY is a
! placeholder for a long random secret shared by both routers.
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.2
ROUTER-1(config)# crypto isakmp enable
! Phase 2 proposal: ESP with AES and SHA-1 HMAC (default tunnel mode, no "mode" set).
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
! IPsec profile: proposal plus PFS. No crypto ACL and no "set peer" are needed; the
! peer and the protected traffic come from the tunnel's source/destination below.
ROUTER-1(config)# crypto ipsec profile PROFILE
ROUTER-1(config-profile)# set transform-set TRANSFORM_SET
ROUTER-1(config-profile)# set pfs group2
! No crypto map on fa0/0 in this variant; it is only the NAT outside interface.
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# ip nat outside
ROUTER-1(config)# interface fa0/1
ROUTER-1(config-if)# ip nat inside
! GRE tunnel between the WAN addresses; "tunnel protection" encrypts everything that
! leaves this tunnel with the profile above. tu0 is neither NAT inside nor outside,
! so LAN-to-LAN traffic through it is not translated.
! NOTE(review): no tunnel keepalive, ISAKMP dead-peer detection or TCP MSS clamping
! is configured here.
ROUTER-1(config)# interface tu0
ROUTER-1(config-if)# ip address 12.0.0.1 255.255.255.0
ROUTER-1(config-if)# tunnel source fa0/0
ROUTER-1(config-if)# tunnel destination 12.12.12.2
ROUTER-1(config-if)# tunnel protection ipsec profile PROFILE
! Remote LAN via the tunnel; default route to the peer's WAN address.
ROUTER-1(config)# ip route 192.168.2.0 255.255.255.0 12.0.0.2
ROUTER-1(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.2
! PAT for inside-to-outside traffic. "permit ip any any" is broader than needed;
! matching only 192.168.1.0/24 (permit ip 192.168.1.0 0.0.0.255 any) is tighter.
ROUTER-1(config)# ip access-list extended ACL_NAT
ROUTER-1(config-ext-nacl)# permit ip any any
ROUTER-1(config)# ip nat inside source list ACL_NAT interface fa0/0 overload
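! Mirror of the ROUTER-1 profile configuration. Phase 1: PSK authentication, AES
! (128-bit when no key size is given), SHA-1, DH group 2 (1024-bit MODP), 24h
! lifetime; must match the peer's policy.
! NOTE(review): group 2 and SHA-1 are legacy-strength choices; prefer a larger DH
! group (e.g. group 14) and a SHA-2 hash, or IKEv2, where the image supports them.
ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
! Main mode only; aggressive mode exposes the PSK-derived identity hash to offline guessing.
ROUTER-2(config)# crypto isakmp aggressive-mode disable
! Same PSK as ROUTER-1, bound to ROUTER-1's WAN address. "0" = key typed in clear text;
! SECRET_KEY is a placeholder for a long random secret.
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1
ROUTER-2(config)# crypto isakmp enable
! Phase 2 proposal: ESP with AES and SHA-1 HMAC (default tunnel mode, no "mode" set).
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
! IPsec profile: proposal plus PFS. The sub-mode prompt is the profile prompt, as on
! ROUTER-1 (the original listing showed the crypto-map prompt here by mistake).
ROUTER-2(config)# crypto ipsec profile PROFILE
ROUTER-2(config-profile)# set transform-set TRANSFORM_SET
ROUTER-2(config-profile)# set pfs group2
! No crypto map on fa0/0 in this variant; it is only the NAT outside interface.
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# ip nat outside
ROUTER-2(config)# interface fa0/1
ROUTER-2(config-if)# ip nat inside
! GRE tunnel endpoint; "tunnel protection" encrypts everything leaving tu0 with the
! profile above. tu0 is neither NAT inside nor outside, so tunnel traffic is not translated.
! NOTE(review): no tunnel keepalive, ISAKMP dead-peer detection or TCP MSS clamping
! is configured here.
ROUTER-2(config)# interface tu0
ROUTER-2(config-if)# ip address 12.0.0.2 255.255.255.0
ROUTER-2(config-if)# tunnel source fa0/0
ROUTER-2(config-if)# tunnel destination 12.12.12.1
ROUTER-2(config-if)# tunnel protection ipsec profile PROFILE
! Remote LAN via the tunnel; default route to the peer's WAN address.
ROUTER-2(config)# ip route 192.168.1.0 255.255.255.0 12.0.0.1
ROUTER-2(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.1
! PAT for inside-to-outside traffic. "permit ip any any" is broader than needed;
! matching only 192.168.2.0/24 (permit ip 192.168.2.0 0.0.0.255 any) is tighter.
ROUTER-2(config)# ip access-list extended ACL_NAT
ROUTER-2(config-ext-nacl)# permit ip any any
ROUTER-2(config)# ip nat inside source list ACL_NAT interface fa0/0 overload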
