Configure a GRE IPsec site to site VPN Tunnel between 2 Cisco Routers

by | Dec 8, 2014 | Cisco, Networking | 0 comments

gns3 topology2

Step 1: IKE/ISAKMP configuration

Our first task in creating an IPsec tunnel is specifying an Internet Key Exchange (IKE) policy. IKE relies on ISAKMP to establish an initial secure channel over which the IPsec tunnel can be negotiated. An IKE policy determines the attributes of the ISAKMP session, including the encryption type and hashing methods.

crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2

You can run this show command to check the encryption settings of the policy:

R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit

next we define a pre-shared key. The key is a string of text used to initialize the IKE tunnel, configured identically on both routers:

crypto isakmp key B8PhgA8Aod address  94.67.50.2 no-xauth

You can run this show command to verify the key association:

R1#show crypto isakmp sa

isakmp

Step 2: Create GRE Tunnel

interface tunnel6
Description R1 to R2
ip address 10.0.0.25 255.255.255.252
ip virtual re-assembly
cdp enable
tunnel source 8.8.5.2
tunnel destination 94.67.50.2

We can enable CDP (Cisco Discovery Protocol) to see if the connection is made to the remote end

Configure the router at the other end with inverse settings

Step 3: IPSec configuration

Once our IKE policy has been setup we can move on to defining an IPsec transform set. The transform set defines the parameters of the IPsec security associations which will carry the actual data.

Unlike defining an IKE policy, which provides a default for all attributes, we must explicitly state the encryption and hash type we want to use with our transform set. Our example will implement ESP encapsulation with 3DES encryption and SHA-1 authentication. Within transform set configuration, we have the option to select tunnel or transport mode; tunnel mode is the default.

crypto ipsec transform-set Test esp-3des esp-sha-hmac

R1#show crypto ipsec transform-set
Transform set Test: { esp-3des esp-sha-hmac }
will negotiate = { Tunnel, },

Now that we have our IPsec transform set created, we can reference it from an IPsec profile to be applied to a tunnel interface:

crypto ipsec profile TestVPN
set transform-set Test

R1#show crypto ipsec profile

profile

Our last step is to convert the tunnel interfaces on routers 1 and 2 to IPsec operation. First we change the tunnel mode from GRE to IPsec for IPv4, then apply our IPsec profile:

Int tunnel6
tunnel mode ipsec ipv4
tunnel protection ipsec profile TestVPN

R2#show crypto engine connections active

engine

R1#show crypto ipsec sa

show sa

If you are having any issues you can clear the security association with this command:

clear crypto sa peer 94.67.50.2

Further diagrams and reading:

main mode

key terms

ike exchange phase 1

ike exchange phase 2

https://learningnetwork.cisco.com/docs/DOC-2457
http://packetlife.net/blog/2008/jul/14/ipsec-quick-and-dirty/
http://www.ciscopress.com/articles/article.asp?p=25477

Submit a Comment

Your email address will not be published. Required fields are marked *

We use cookies to give you the best online experience. By agreeing you accept the use of cookies in accordance with our cookie policy.

I accept I decline
Cookie Policy
Privacy Settings saved!
Privacy Settings

When you visit any web site, it may store or retrieve information on your browser, mostly in the form of cookies. Control your personal Cookie Services here.

Necessary Privacy Center Privacy Policy Cookie Policy
These cookies are necessary for the website to function and cannot be switched off in our systems.
Technical Cookies
In order to use this website we use the following technically required cookies
  • wordpress_test_cookie
  • wordpress_logged_in_
  • wordpress_sec
Decline all Services
Accept all Services