casatirider wrote:
> Is it possible to configure and encrypt a GRE tunnel using IPSEC?
>
> I have two routers, for example:
>
> HostA----(p1)RTRA(P0)--(IPSEC(GRE))--(P0)RTRB(P1)---HostB
>
>
> I configured a GRE tunnel between the 0-Ports on RTRA and RTRB. Next I
> want to encrypt the tunnel using IPSEC. I cannot use separate routers
> to configure GRE and IPSEC. Has anyone set this up?

Absolutely. There should be numerous examples on the Cisco website.
Look in technology support and security, then IPSEC. One article that is
particularly helpful in understanding this is the DMVPN paper located at
http://www.cisco.com/en/US/tech/tk58...8018983e.shtml

If the above wraps, and you cannot find it, go to cisco.com > technical
support > technology support > security > ipsec > general information >
dynamic multipoint vpn's. No kidding, it discusses exactly what you
want to do, including dynamic routing. You can pull different sections
together to get the desired result.

All of what you want is actually building blocks of a DMVPN. Some of
the caveats are as follows.

1) Prior to 12.2(13)T, you must create a crypto map that encrypts GRE
traffic. However, you must apply the map to both the physical interface
and the GRE tunnel interface (I know this makes no sense).
2) In 12.2(13)T or above, you only need to apply the crypto map to the
physical interface.
3) In later versions, you can use a crypto profile bound to the GRE
tunnel. Make sure it has the proper tunnel source, or the phase 1
negotiation will assume NAT-T and then fail.

>
> I can get the GRE tunnel working on ports-0 on both boxes but whenever
> I encrypt the tunnel and the tunnel interface (ports-0) the GRE tunnel
> shuts down. Also, if I configure the tunnel on ports-0 and move the
> IPSEC interface to ports-1 (RTRA and RTRB) I am still not able to get
> the tunnel working. Last question, when configuring the GRE tunnel I
> want to have my RIP Routes use the tunnel to transport the updates so I
> included a more specific default route. Is this the way to go? It seems
> to work.
>
> HELP!!
>
> Casatirider
>
--
-------------------------
Paul Stewart
Lexnet Inc.
Email address is in ROT13
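
The three caveats in the reply above, shown as an RTRA-side IOS configuration. This is an added example, not part of the original post and not taken from the Cisco paper. The interface name Serial0/0, the documentation-range addresses, the names GRE-TS, GRE-MAP and GRE-PROF, ACL 110, the key placeholder and the algorithm choices are all assumptions; Option A and Option B are alternatives, not to be applied together.

```cisco
! Constructed example for RTRA. Addresses, names and the key are placeholders.
! Algorithm availability depends on the IOS release.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! --- Option A (caveats 1 and 2): crypto map that matches the GRE packets ---
access-list 110 permit gre host 192.0.2.1 host 192.0.2.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set GRE-TS
 match address 110
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map GRE-MAP
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.0.2.2
 ! Before 12.2(13)T only: apply the same map here as well
 ! crypto map GRE-MAP
!
! --- Option B (caveat 3): IPsec profile bound to the tunnel, no map or ACL ---
crypto ipsec profile GRE-PROF
 set transform-set GRE-TS
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.0.2.2
 tunnel protection ipsec profile GRE-PROF
```

RTRB mirrors this with the two public addresses swapped. In Option A the ACL matches the GRE packets between the tunnel endpoints, so everything routed into Tunnel0, including RIP updates, is encrypted after GRE encapsulation.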