Creating a GRE Tunnel with IPSEC
For the purpose of this KB article there will be three sites with the public IP addresses 172.16.25.2, 172.16.86.2 and 172.16.140.2; each sits behind an ISP router.
Let's say you are a nationwide organization with a headquarters in Rochester, MI. You have a site in Jacksonville, NC and a site in San Diego, CA, and you need to establish a basic VPN between these sites using just a Cisco router at each one. Let's go over the fundamentals.
On each router the clients sit behind GE 0/0, the public-facing (WAN) port is GE 0/1, and NAT is in place on your network.
Ultimately you will need one router, the one at your HQ/data center, to act as the hub; the rest of the routers in the VPN act as spokes.
Let's take a look at the running config:
HUB ROUTER (R1)
hostname R1
!
! (Phase 1 ISAKMP policy: hash, authentication method and
! Diffie-Hellman group identifier)
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
!
! (Specifies the Key that will be used and the
! addresses that will be allowed to connect to it.
! In this case 0.0.0.0 was used to allow any
! device to attempt connection.)
crypto isakmp key 123456789 address 0.0.0.0
!
! (Allows recovery of out-of-sync SAs)
crypto isakmp invalid-spi-recovery
!
! (Specifies acceptable protocols; esp-des and esp-md5-hmac
! are legacy, weak algorithms shown here as in the lab)
crypto ipsec transform-set THEVPN esp-des esp-md5-hmac
mode tunnel
!
! (Creates the map of peers IPsec can be
! performed with. The peers will need to be
! modified with your "SPOKE" routers' public IPs)
crypto map VPN1 1 ipsec-isakmp
set peer 172.16.86.2
set peer 172.16.140.2
set transform-set THEVPN
set pfs group2
match address 110
!
! (This is the instantiation of your tunnel interface)
interface Tunnel0
description Multipoint Primary
ip address 10.0.0.1 255.255.255.0
no ip redirects
no ip split-horizon eigrp 1
! (NAT is required)
ip nat inside
! (The Authentication is confirming the
! Identity of other spoke routers)
ip nhrp authentication SeCrEtKeY
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
no ip virtual-reassembly in
! (This is the outside facing source of
! the tunnel)
tunnel source GigabitEthernet0/1
! (This is the Tunnel type)
tunnel mode gre multipoint
!
!
interface GigabitEthernet0/0
description LAN
ip address 10.1.1.1 255.255.255.0
no ip route-cache
ip access-group 115 in
ip nat inside
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
description WAN
ip address 172.16.25.2 255.255.255.248
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
! (This is what creates the IPSec Tunnel)
crypto map VPN1
!
ip forward-protocol nd
!
! (You may have your NAT set up differently; it
! should not affect how your tunnel operates)
ip nat inside source route-map PRI-WAN interface GigabitEthernet0/1 overload
ip route profile
ip route 0.0.0.0 0.0.0.0 172.16.25.1
! (This is where you will route your traffic to other
! sites from.)
ip route 10.2.0.0 255.255.0.0 10.0.0.2
ip route 10.3.0.0 255.255.0.0 10.0.0.3
!
route-map PRI-WAN permit 10
match ip address 100
match interface GigabitEthernet0/1
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
! (You will need the first address to be your local WAN
! IP Address, the second address is the spoke router.
! This is important because it limits what hosts can attempt
! GRE connections with your site)
access-list 110 permit gre host 172.16.25.2 host 172.16.86.2
access-list 110 permit gre host 172.16.25.2 host 172.16.140.2
access-list 115 permit ip any any
access-list 115 deny ip any any
!
end
SPOKE ROUTER (R2)
hostname R2
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
!
crypto isakmp key 123456789 address 0.0.0.0
!
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set THEVPN esp-des esp-md5-hmac
mode tunnel
!
! (This router's only peer is the "HUB" public IP)
crypto map VPN1 1 ipsec-isakmp
set peer 172.16.25.2
set transform-set THEVPN
set pfs group2
match address 110
!
interface Tunnel0
description TO HQ
ip address 10.0.0.2 255.255.255.0
no ip redirects
ip nhrp authentication SeCrEtKeY
! (This will be the Tunnel's IP and WAN's
! IP on your HUB router)
ip nhrp map 10.0.0.1 172.16.25.2
ip nhrp map multicast 172.16.25.2
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 10.0.0.1
ip nhrp cache non-authoritative
! (Must match this router's WAN interface)
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
crypto map VPN1
!
!
interface GigabitEthernet0/0
description LAN
ip address 10.2.1.1 255.255.255.0
no ip route-cache
ip access-group 115 in
ip nat inside
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
description WAN
ip address 172.16.86.2 255.255.255.248
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
! (This is what creates the IPSec Tunnel)
crypto map VPN1
!
ip forward-protocol nd
!
ip nat inside source route-map PRI-WAN interface GigabitEthernet0/1 overload
ip route profile
ip route 0.0.0.0 0.0.0.0 172.16.86.1
! (This is where you will route your traffic to the HUB to
! be processed or forwarded to other sites.)
ip route 10.0.0.0 255.0.0.0 10.0.0.1
!
route-map PRI-WAN permit 10
match ip address 100
match interface GigabitEthernet0/1
!
! (This router's own LAN; only traffic sourced from it is NATed)
access-list 100 permit ip 10.2.1.0 0.0.0.255 any
! (You will need the first address to be your local WAN
! IP Address, the second address is the HUB router)
access-list 110 permit gre host 172.16.86.2 host 172.16.25.2
access-list 115 permit ip any any
access-list 115 deny ip any any
!
end
The only major variables at play here are:
- ISAKMP KEY: 123456789
  - You will really want to change this before going into production.
- PEERS
  - These will need to be updated to the corresponding routers for production.
- IP NHRP MAP
  - This will need to be updated to your HUB router's WAN IP and tunnel IP.
- ACCESS-LIST 110 PERMIT GRE HOST W.X.Y.Z HOST W.X.Y.Z
  - This will need to be updated to your routers' hub and spoke addresses.
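Because those variables live in three separate places (crypto map peers, ACL 110, the tunnel source), a spoke that is copied from the hub and only half-edited will fail quietly. The following Python checker is an added example, not part of the original article, that cross-checks those pieces of a saved running-config; the embedded spoke config is constructed for the example and deliberately carries two such mistakes.

```python
import re

# Constructed spoke config (trimmed to the lines the checks need). It deliberately has two
# mistakes: tunnel source names an unconfigured interface, and ACL 110 permits a non-peer.
SPOKE_CFG = """\
crypto map VPN1 1 ipsec-isakmp
 set peer 172.16.25.2
interface Tunnel0
 tunnel source FastEthernet0/1
interface GigabitEthernet0/1
 ip address 172.16.86.2 255.255.255.248
 crypto map VPN1
access-list 110 permit gre host 172.16.86.2 host 172.16.25.2
access-list 110 permit gre host 172.16.86.2 host 172.16.140.2
"""

def parse_interfaces(cfg):
    """Map each 'interface X' stanza to its indented body lines (stripped)."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = m.group(1)
            ifaces[cur] = []
        elif cur is not None and line.startswith(" "):
            ifaces[cur].append(line.strip())
        else:
            cur = None
    return ifaces

def check_gre_ipsec(cfg, crypto_map="VPN1"):
    """Return findings as strings; an empty list means peers, ACL 110 and tunnel source agree."""
    findings, ifaces = [], parse_interfaces(cfg)
    peers = set(re.findall(r"^ set peer (\S+)", cfg, re.M))
    acl = re.findall(r"^access-list 110 permit gre host (\S+) host (\S+)", cfg, re.M)
    # The interface carrying the crypto map is the WAN side; its address is the local GRE endpoint.
    wan_ip = next((l.split()[2] for body in ifaces.values() if f"crypto map {crypto_map}" in body
                   for l in body if l.startswith("ip address ")), None)
    for name, body in ifaces.items():
        src = next((l.split()[2] for l in body if l.startswith("tunnel source ")), None)
        if src and src not in ifaces:
            findings.append(f"{name}: tunnel source {src} is not a configured interface")
    for src_ip, dst_ip in acl:
        if src_ip != wan_ip:
            findings.append(f"ACL 110: source {src_ip} is not the WAN address {wan_ip}")
        if dst_ip not in peers:
            findings.append(f"ACL 110: {dst_ip} is permitted for GRE but is not a crypto map peer")
    for p in peers - {d for _, d in acl}:
        findings.append(f"crypto map: peer {p} has no matching ACL 110 GRE entry")
    return findings
```

Run `check_gre_ipsec()` over `show running-config` output from each spoke before cutover; the hub is checked the same way with every spoke expected as both a peer and an ACL 110 entry.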
Any questions, comments? Post them!