A tutorial on how to create a GRE tunnel between two sites via internet and how to secure the tunnel using IPSec VPN technologies, IPSec, isakmp, crypto-map, crypto map
Dear Doug, thank you so much for a great video, you mentioned and configured everything we need to know for GRE, IPSEC, ISAKMP and much more. I really appreciate your time and your video. You should be here in Toronto / Canada for a great Networking Instructor we don't have. I paid a lot of money to go to the Networking College, but never ever got what I expected , (just wasting money and time to be certified in Toronto). THANKS AGAIN AND GOD BLESS, Mike
Thank you so so much for your great video and explanation it really really helped me understand and get a project done. You are a superb teacher and I love your method of teaching and explaining as you go along on screen. THANK YOU!
Perfect and excellent, some new stuff. We are very great full to you to spent time on it. I like the way you talk and explanation. If you put some more light on Diffe, transform sets, isakmp will be great.
Great lab, thanks for using a "clear" mic. Issue I'm running into is, I dont see my OSPF routes? I see the neighbors come up but when I do a sho ip route, there are NO OSPF routes . ALsho shouldn't you be able to ping your loop back interfaces form the remote route, being that they are now routed through the tunnel via ospf?
I've been having a little trouble creating a GRE tunnel, much less setting up IPSec. I've got the subnets set up and I have OSPF enabled with the networks added on the appropriate routers, but I can't get past the "ISP". I can successfully ping from each router to the "ISP", but I can't ping each of the routers to each other. I have the appropriate "public" IPs for the destinations. I'm trying to figure out what I'm forgetting/missing. Any tips?
There is a mistake in this config, The access list used for the IPsec Tunnel should be local to remote, not remote to local. I confirmed this with Gns3, Phase 2 won't finish unless you put the local network first and remote second.Otherwise, great video.
Sure, The correct ACL is as follows: R3: permit gre host 172.168.3.2 host 172.168.2.1 (Local network first then, remote) R1:: permit gre host 172.168.2.1 host 172.168.3.2
Great video Doug! I do have a question though and excuse me if this has been asked before.. How do you simulate the ISP in Dynamips/GNS3? I'd like to give this lab a go. Again, great tutorial!
Why do you have to apply the crypto map to both the physical and the tunnel interface? I labbed it, and it seems it also works if I apply the crypto map only to the physical interface. On the other hand, if I apply it only to the tunnel interface, traffic still goes through, but nothing gets encrypted. As long as it's applied to the physical interface, it makes no difference whether I apply it to the tunnel interface too or not... What am I missing?
In releases before Cisco IOS Release 12.2(13)T crypto maps had to be applied to both physical and logical interfaces. In later IOS versions crypto maps only need to be applied only to the physical interface, reference Cisco Point-to-Point GRE over IPsec Design Guide.
hi, i know u have asked this question 2 years ago :), i am just playing with ipsec--gre , the answer to your question is ACL, that is why when you apply it only to tunnel interfaces and test ,it doesnt match anything so nothing is encrypted, if you just tweak it abit and add extra Acl line to current Acl that what exactly you needs to match to be encrypted. Examle, you only want your 192.168.1.0 network to be encrypted when its talking to 10.1.1.0 network only so just add it to exisiting R1 ip access-list extended IPSEC-TRAFFIC permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 R2 ip access-list extended IPSEC-TRAFFIC permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 now remove the crypto map from your physical interfaces and just apply it onto tunnels, you should see traffic encrypted when packets comes from 192 to 10 network and vice-versa. Regards!
Great vid, thanks. Has anyone tried this in packet tracer? when I create my trans-set it doesn't go into (cfg-crypto-trans) mode for me, also, I can't apply my crypto map to the tunnel interface.
I think what you missed is that both routers R1 and R2 have default routes pointing to internet and OSPF is used between R1 and R2 over the GRE tunnel emulating Intranet edge routers. On GNS3 all you need is to have "ip route 0.0.0.0 0.0.0.0 fa0/0" configured on R1 and R2 with fa0/0 interfaces on R1 and R2 connected to R3 acting as the ISP.
Thanks for the video. Can you please make a video on site to site vpn over adsl? One site is the corporate network using ASA5500 router and the remote site has cisco router sitting behind the adsl modem and has static public IP.
Great tutorial. I would have liked to know what some of the terms were like the Diffe, transform sets, isakmp, etc. I guess that would be another video to explain what these different types of crypto are.
Hello, I am from the future! (2020 in particular) Make similar lab, it didnt work, untile: - had to remove crypto-map from tunnels and leave only on fast-ethernets; - had to permit ip in the ACL instead of gre; What gives?
You dont apply the crypto map to the tunnel. You apply it to the outbound physical interface's ip address. I have done it on Packet Tracer and you dont have to worry about the Crypto-trans mode. Just use the authentication preshare and encryption and it works just fine
Not a network professiona but I have one question: Are both routers the same or from the same company? Could you have done the same if the routers were from different brands?
You only need 4 routes on the three routers for it to work: R1: R1#sh ip route static 45.0.0.0/24 is subnetted, 1 subnets S 45.12.153.0 [1/0] via 162.27.193.2 WAN: C 45.12.153.0 is directly connected, FastEthernet0/1 162.27.0.0/30 is subnetted, 1 subnets C 162.27.193.0 is directly connected, FastEthernet0/0 R2: R2#sh ip route static 162.27.0.0/24 is subnetted, 1 subnets S 162.27.193.0 [1/0] via 45.12.153.2
don`t you need to use an "permit ip any any" after the ACL you configured on the GRE? otherwise the only traffic that will be allowed to flow through these physical interfaces would be GRE traffic and only to a specific destination on the other side... you DO need to use those interfaces for regular internet traffic too, don`t you?
Do the OSPF process ID # 's have to be identical to become neighbors or to function? I thought the process ID was locally significant to the router database. Great video! Loved it.
You have to apply static route on the 3rd router: (i'm using serial interfaces instead of FA) R3(config)#ip route 192.168.1.0 255.255.255.0 serial 0/0 R3(config)#ip route 162.27.193.130 255.255.255.255 serial 0/0 R3(config)#ip route 45.12.153.202 255.255.255.255 serial 0/1 R3(config)#ip route 10.1.1.0 255.255.255.0 serial 0/1
4.2.2.2 is the public DNS servers on the internet, he tested internet connectivity by pinging it.. its not configured on the router. would use the default route on the router.
Javier Cespedes You probably already know the answer, but yes its a GRE tunnel over IPsec tunnel. IPsec doesn't handle multicast or broadcast traffic. One of the benefits of GRE over IPsec as opposed to just using an IPsec tunnel by itself. is we can encapsulate a wider range of traffic into a GRE tunnel and then send it securely within an IPsec tunnel. Hope this was useful
+Roman Hoax sorry mate, but you are wrong. it is IPSEC over GRE. the gre tunnel comes first and than the ipsec tunnel comes "on top" of it to allow the security. the only reason we don`t use only ipsec is because it can`t forward broadcast. so we build a gre tunnel that encapsulates the broadcast with a unicast and THEN put on it an ipsec tunnel to secure that unicast traffic.
willow klan Semantics. my explanation is the exact same as yours. My wording is such that the GRE tunnel is sent over IPsec. Hence GRE over IPsec. I already explained the GRE tunnel comes first, it is then sent over IPsec. Semantics.
This is not IPsec over gre. This is gre over IPsec. In IPsec over gre case, all packet first encrypted and then passing through gre tunnel. Since IPsec can not encapsulate multicast, broadcast packet, this lead to routing protocol problems. By means of gre over IPsec, multicast and broadcast can be encapsulated using gre and then encrypted using IPsec.
This guy will miss you up if you try his technique with in a lab / home environment (GNS3 or lab equipment) what he DOES NOT EXPLAIN and you can WASTE hours trying to figure it out is that in a lab / home environment (GNS3 / home equipment) and not connected to an “Internet” connection, is that there has to be stable routing between the two networks before you crate the tunnel and set up the OSPF (processes 123). I spent hours with a flapping tunnel and trying to figure out why!
Dear Doug, thank you so much for a great video, you mentioned and configured everything we need to know for GRE, IPSEC, ISAKMP and much more. I really appreciate your time and your video. You should be here in Toronto / Canada for a great Networking Instructor we don't have. I paid a lot of money to go to the Networking College, but never ever got what I expected , (just wasting money and time to be certified in Toronto). THANKS AGAIN AND GOD BLESS, Mike
best tut on the subject period. Thank-You
Excellent video!! Easily one of the best tutorials out there. Please make more of these. They are priceless to many of us.
Thank you so so much for your great video and explanation it really really helped me understand and get a project done.
You are a superb teacher and I love your method of teaching and explaining as you go along on screen.
THANK YOU!
Doug, You have simplified the subject. Excellent tutorial.
Thanks Doug for the videos.... very clear and accurate. Easy to understand.
Hats off to you Doug. Thanks for a well explained demo.
Excellent video, clear and concise and great audio too. Many thanks to you!
crystal clear - great job Doug!
Super demonstration.Thanks for your time and effort to put this together.
Thank YOU very much! It's truly useful demonstration!
based on this one tutorial I sure wish you were still doing cisco vids, great job.
Awesome video, and very detailed. You the MAN!!!!
I am new to networking... super tech. Thank you much for putting this video together
Gr8 work Doug...Nice tutorial.. Very helpful...
Explicit Tutorial... Thank Doug !
Great tutorial. I will start using gre-ipsec instead of just an ipsec vpn to make dual-wan redundancy easier.
Perfect and excellent, some new stuff. We are very great full to you to spent time on it.
I like the way you talk and explanation. If you put some more light on Diffe, transform sets, isakmp will be great.
Well done mate, excellent video and thanks for sharing.
Great video, just what I needed
Great lab, thanks for using a "clear" mic. Issue I'm running into is, I dont see my OSPF routes? I see the neighbors come up but when I do a sho ip route, there are NO OSPF routes . ALsho shouldn't you be able to ping your loop back interfaces form the remote route, being that they are now routed through the tunnel via ospf?
Excellent work, this will help a lot. Many thanks
excellent tutorial, many thanks
Good video - I have a question though, How do you configure when you have an ASA firewall behind the router?
Have I learnt something new? Absolutely !!!!
Thnx
Thx great tutorial, really appreciated!!
Thanks for your sharing. Really Thanks !
Very useful video. thank you
Thanks a lot for this video!! It really helped me a lot! :)
Thanks! Works great on my lab.
Wow, Excellent..... . Thanks a lot for making this video.
Great video, really helpful! thanks!
Thank You.. great explanation.
Excellent tutorial
very informative...Thanks for such a good video...
super helpful. thanks!!
thank you sir. helpful
Great video, thanks
Thank you so much!!
Hi i am beginner in VPN my question is before creating GRE tunnel both router should connected via VPN IPSEC ?
or create grp tunnel along with VPN?
Awesome video and tutorial
I've been having a little trouble creating a GRE tunnel, much less setting up IPSec. I've got the subnets set up and I have OSPF enabled with the networks added on the appropriate routers, but I can't get past the "ISP". I can successfully ping from each router to the "ISP", but I can't ping each of the routers to each other. I have the appropriate "public" IPs for the destinations. I'm trying to figure out what I'm forgetting/missing. Any tips?
When you create a crypto isakmp policy 1 when do that policy is use because I don't see that you match it on the crypto map.
Very helpful , thanks a lot !!!
There is a mistake in this config, The access list used for the IPsec Tunnel should be local to remote, not remote to local.
I confirmed this with Gns3, Phase 2 won't finish unless you put the local network first and remote second.Otherwise, great video.
@Raymond A: Can you please more specify and take an example for this case?
Sure, The correct ACL is as follows:
R3: permit gre host 172.168.3.2 host 172.168.2.1
(Local network first then, remote)
R1:: permit gre host 172.168.2.1 host 172.168.3.2
Love it..great job
have to apply the map to the serial interface ?
Thanks for the video
Excellent Video
Great Video!!
Nice tutorial, very basic...good job.
Good video..thumbs up!!!
Great video Doug! I do have a question though and excuse me if this has been asked before.. How do you simulate the ISP in Dynamips/GNS3? I'd like to give this lab a go.
Again, great tutorial!
I'll keep following your other post.
very useful. Thank a lot!!
superb :) thanks
why do we have to apply the crypto-map twice?
Why do you have to apply the crypto map to both the physical and the tunnel interface? I labbed it, and it seems it also works if I apply the crypto map only to the physical interface. On the other hand, if I apply it only to the tunnel interface, traffic still goes through, but nothing gets encrypted. As long as it's applied to the physical interface, it makes no difference whether I apply it to the tunnel interface too or not... What am I missing?
In releases before Cisco IOS Release 12.2(13)T crypto maps had to be applied to both physical and logical interfaces. In later IOS versions crypto maps only need to be applied only to the physical interface, reference Cisco Point-to-Point GRE over IPsec Design Guide.
hi, i know u have asked this question 2 years ago :),
i am just playing with ipsec--gre ,
the answer to your question is ACL, that is why when you apply it only to tunnel interfaces and test ,it doesnt match anything so nothing is encrypted,
if you just tweak it abit and add extra Acl line to current Acl that what exactly you needs to match to be encrypted.
Examle, you only want your 192.168.1.0 network to be encrypted when its talking to 10.1.1.0 network only so just add it to exisiting
R1
ip access-list extended IPSEC-TRAFFIC
permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
R2
ip access-list extended IPSEC-TRAFFIC
permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
now remove the crypto map from your physical interfaces and just apply it onto tunnels,
you should see traffic encrypted when packets comes from 192 to 10 network and vice-versa.
Regards!
Great vid, thanks.
Has anyone tried this in packet tracer? when I create my trans-set it doesn't go into (cfg-crypto-trans) mode for me, also, I can't apply my crypto map to the tunnel interface.
I think what you missed is that both routers R1 and R2 have default routes pointing to internet and OSPF is used between R1 and R2 over the GRE tunnel emulating Intranet edge routers. On GNS3 all you need is to have "ip route 0.0.0.0 0.0.0.0 fa0/0" configured on R1 and R2 with fa0/0 interfaces on R1 and R2 connected to R3 acting as the ISP.
This is a great tutorial thanks doing it. Would you have the configs for the internet router? I would like to duplicate this setup in my GNS3. Thanks!
Thanks for the video. Can you please make a video on site to site vpn over adsl? One site is the corporate network using ASA5500 router and the remote site has cisco router sitting behind the adsl modem and has static public IP.
Great tutorial. I would have liked to know what some of the terms were like the Diffe, transform sets, isakmp, etc. I guess that would be another video to explain what these different types of crypto are.
a real good work
really u good explainier
Hello, I am from the future! (2020 in particular)
Make similar lab, it didnt work, untile:
- had to remove crypto-map from tunnels and leave only on fast-ethernets;
- had to permit ip in the ACL instead of gre;
What gives?
Wonderful Video, Good Explanation, Can you please explain the ISP Part, How do you configure the Internet in this Protocol Diagram?😇
You dont apply the crypto map to the tunnel. You apply it to the outbound physical interface's ip address. I have done it on Packet Tracer and you dont have to worry about the Crypto-trans mode. Just use the authentication preshare and encryption and it works just fine
Not a network professiona but I have one question: Are both routers the same or from the same company? Could you have done the same if the routers were from different brands?
Yes, IPsec is universal. Cisco to Juniper, Cisco to Fortigate.. ext. No issues
Yes as Raymond said, but you have to match ALL of the Crypto parameters, agreed upon keys, etc.
where that 4.2.2.2(ping) network is?
You only need 4 routes on the three routers for it to work:
R1:
R1#sh ip route static
45.0.0.0/24 is subnetted, 1 subnets
S 45.12.153.0 [1/0] via 162.27.193.2
WAN:
C 45.12.153.0 is directly connected, FastEthernet0/1
162.27.0.0/30 is subnetted, 1 subnets
C 162.27.193.0 is directly connected, FastEthernet0/0
R2:
R2#sh ip route static
162.27.0.0/24 is subnetted, 1 subnets
S 162.27.193.0 [1/0] via 45.12.153.2
Hi Ezek,
I have the same challenge. Did you found a solution?
We fighting since 2 weeks to solve :((
Regards,
Celal
Good Lab , although it don't tell what is have to match on both sides and what is locally significant only
don`t you need to use an "permit ip any any" after the ACL you configured on the GRE? otherwise the only traffic that will be allowed to flow through these physical interfaces would be GRE traffic and only to a specific destination on the other side... you DO need to use those interfaces for regular internet traffic too, don`t you?
+Keith Buckley thanks a-lot bro. got it now.
ospf process id is only locally significant , only the area,hello,dead need to match.
reddypraveen the network too, unless you're using ip6
Do the OSPF process ID # 's have to be identical to become neighbors or to function? I thought the process ID was locally significant to the router database. Great video! Loved it.
Process ID does not matter on OSPF.
Process ID may not be the same,.Neighbours should be in same Area, same network, Timers to be identical.
You have to apply static route on the 3rd router:
(i'm using serial interfaces instead of FA)
R3(config)#ip route 192.168.1.0 255.255.255.0 serial 0/0
R3(config)#ip route 162.27.193.130 255.255.255.255 serial 0/0
R3(config)#ip route 45.12.153.202 255.255.255.255 serial 0/1
R3(config)#ip route 10.1.1.0 255.255.255.0 serial 0/1
too good
Can any body help to find out, that where he has configure the IP add 4.2.2.2.
4.2.2.2 is the public DNS servers on the internet, he tested internet connectivity by pinging it.. its not configured on the router. would use the default route on the router.
Thank u so much YOGESH for guiding me..
if you don't have a static IP then what do you do? contact the FONE COMPANY and GET ONE!!! (or three)
need a cert big up cisco
Guys.. Help me to understand it is IPsec over a GRE Tunnel or GRE over IPsec tunnel ??
+Ragu G It's GRE over IPSec Tunnel. For more information visit ccnp300-101.blogspot.com
can you help me bro? Doug Suida
Great Tutorial!
BTW is not GRE over IPSEC tunnel?
Javier Cespedes You probably already know the answer, but yes its a GRE tunnel over IPsec tunnel. IPsec doesn't handle multicast or broadcast traffic.
One of the benefits of GRE over IPsec as opposed to just using an IPsec tunnel by itself. is we can encapsulate a wider range of traffic into a GRE tunnel and then send it securely within an IPsec tunnel.
Hope this was useful
+Roman Hoax sorry mate, but you are wrong. it is IPSEC over GRE. the gre tunnel comes first and than the ipsec tunnel comes "on top" of it to allow the security. the only reason we don`t use only ipsec is because it can`t forward broadcast. so we build a gre tunnel that encapsulates the broadcast with a unicast and THEN put on it an ipsec tunnel to secure that unicast traffic.
willow klan
Semantics. my explanation is the exact same as yours. My wording is such that the GRE tunnel is sent over IPsec. Hence GRE over IPsec. I already explained the GRE tunnel comes first, it is then sent over IPsec.
Semantics.
2024 👍💯
There is not enough characters to really complain about this video!
This is not IPsec over gre. This is gre over IPsec. In IPsec over gre case, all packet first encrypted and then passing through gre tunnel. Since IPsec can not encapsulate multicast, broadcast packet, this lead to routing protocol problems. By means of gre over IPsec, multicast and broadcast can be encapsulated using gre and then encrypted using IPsec.
what you configured called GRE over IPSEC and not IPSEC over GRE !
Hi. This is not IPsec over GRE, this is GRE over IPsec
This is NOT IPSEC over GRE , Is GRE over IPSEC !!!! False video
This guy will miss you up if you try his technique with in a lab / home environment (GNS3 or lab equipment) what he DOES NOT EXPLAIN and you can WASTE hours trying to figure it out is that in a lab / home environment (GNS3 / home equipment) and not connected to an “Internet” connection, is that there has to be stable routing between the two networks before you crate the tunnel and set up the OSPF (processes 123). I spent hours with a flapping tunnel and trying to figure out why!