Converged Wide Area Networks (ISCW)
ISCW-Mod3_L5
Configuring GRE Tunnels over IPsec
Module 3 Lesson 5
Module Introduction
Virtual private networks (VPNs) use advanced encryption techniques and tunneling to permit organisations to establish secure, end-to-end, private network connections over third-party networks such as the Internet.
Cisco offers a wide range of VPN products, including VPN-optimised routers, PIX security and Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These infrastructure devices are used to create VPN solutions that meet the security requirements of any organisation.
This module explains fundamental terms associated with VPNs, including the IP Security protocol and Internet Key Exchange. It then details how to configure various types of VPN, using the methods currently available.
Objectives
At the completion of this fifth lesson, you will be able to:
Explain the requirement to use the GRE protocol
Describe GRE technology
Configure a GRE tunnel using SDM on IOS routers
Monitor and test the tunnel
To provide resiliency
To save memory and CPU cycles in the router by reducing the number of SAs that need to be set up
2. Click the VPN icon in the vertical navigation bar to open the
VPN page
3. Choose the Site to Site VPN wizard in the menu
4. Click the Create Site to Site VPN tab at the top of the
section on the right
5. Click the Create a secure GRE tunnel (GRE over IPSec)
radio button
6. Click the Launch the selected task button to start the
wizard that will guide you through the configuration steps
IKE Proposals
You can now use a predefined IKE policy, or click the Add button and
enter the required information to create a custom IKE policy:
You can also modify an existing policy by selecting it and clicking the Edit button.
Transform Set
Static routing is typically used for simple stub sites with a single
GRE over IPsec tunnel. Complex topologies with sites that use
backup tunnels or have multiple IP subnets require a routing
protocol to dynamically distribute routing information, detect
failures, and reroute to backup tunnels.
Static Routing
To configure static routing, select the Static Routing radio button and then click Next.
In the first drop-down menu, disable split tunneling by choosing the Tunnel all traffic option. This option results in a default route pointing into the tunnel: unless more specific routes exist in the routing table, all traffic is sent through the tunnel.
Alternatively, choose the Do split tunneling option from this drop-down menu and specify the IP address and subnet mask of the destination that is reachable through the tunnel. All other destinations are reached by bypassing the tunnel.
After creating the GRE over IPsec site-to-site tunnel, the tunnel status is shown immediately. A test can be run to check that the tunnel configuration is correct, or a mirror configuration can be generated. The mirror configuration contains the information required to set up the other end of the tunnel; it is useful when the router at the other end does not have SDM and the CLI must be used to configure it.
7. Click the Start button and wait until the test is complete.
8. For each failed task, the bottom part of the window shows the reason and the recommended actions to resolve the issue.
Test Results
Use the Monitor page to view the status of the tunnel. To see all
IPsec tunnels, their parameters, and status, follow this procedure:
1. Click the Monitor icon in the top navigation bar of the SDM home
page.
2. Click the VPN Status icon in the vertical navigation bar.
3. Click the IPSec Tunnels tab.
Troubleshooting
Connect a terminal to the Cisco IOS router to use debugging commands to troubleshoot VPN connectivity. Figure [5] shows the syntax and an example of how to use the debug crypto isakmp command.
The debug crypto isakmp EXEC command displays detailed information about the IKE Phase 1 and Phase 2 negotiation processes.
To display the settings used by the current SAs, use the show crypto ipsec sa command in EXEC mode. Non-zero encryption and decryption statistics can indicate a working set of IPsec SAs.
Use the show interfaces command (router# show interfaces) to display statistics for all interfaces configured on the router, including the tunnel interfaces.
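The check described above (non-zero encapsulation and decapsulation counters per SA) can be automated when many tunnels are in play. The following Python is an added example, not part of the lesson or Cisco's tooling; it parses a constructed, abridged sample of show crypto ipsec sa output and classifies each tunnel by which direction is carrying traffic.

```python
import re

# Constructed, abridged `show crypto ipsec sa` output (not captured from a real
# router): Tunnel0 carries traffic both ways, Tunnel1 only encapsulates.
SAMPLE_OUTPUT = """\
interface: Tunnel0
   current_peer 198.51.100.1 port 500
    #pkts encaps: 1534, #pkts encrypt: 1534, #pkts digest: 1534
    #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498

interface: Tunnel1
   current_peer 203.0.113.7 port 500
    #pkts encaps: 212, #pkts encrypt: 212, #pkts digest: 212
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

COUNTERS = {"encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
            "decaps": re.compile(r"#pkts decaps:\s*(\d+)")}

def parse_ipsec_sa(text):
    """Map each tunnel interface to its peer, encaps (sent) and decaps (received) counters."""
    sas, current = {}, None
    for line in text.splitlines():
        m = re.match(r"interface:\s+(\S+)", line)
        if m:  # a new SA block starts; counters default to zero until seen
            current = sas.setdefault(m.group(1), {"peer": None, **dict.fromkeys(COUNTERS, 0)})
            continue
        if current is None:
            continue
        m = re.search(r"current_peer\s+(\S+)", line)
        if m:
            current["peer"] = m.group(1)
        for name, pattern in COUNTERS.items():
            if (m := pattern.search(line)):
                current[name] = int(m.group(1))
    return sas

def assess(sas):
    """Non-zero encaps AND decaps mean a working SA; a zero tells you which side to check."""
    verdicts = {}
    for intf, sa in sas.items():
        if sa["encaps"] and sa["decaps"]:
            verdicts[intf] = "working"
        elif sa["encaps"]:
            verdicts[intf] = "one-way: sending only, check the remote peer"
        elif sa["decaps"]:
            verdicts[intf] = "one-way: receiving only, check local routing into the tunnel"
        else:
            verdicts[intf] = "idle: no traffic, check IKE with debug crypto isakmp"
    return verdicts
```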