
IPsec over a GRE tunnel

551 ratings | 103488 views
A tutorial on how to create a GRE tunnel between two sites over the internet and how to secure the tunnel using IPsec VPN technologies (IPsec, ISAKMP, crypto map).
Text Comments (99)
Deepak S (6 months ago)
Where is that 4.2.2.2 (ping) network?
gaad45 (7 months ago)
superb :) thanks
bluerfoot (1 year ago)
based on this one tutorial I sure wish you were still doing cisco vids, great job.
ITsupportian (1 year ago)
Good video - I have a question though, How do you configure when you have an ASA firewall behind the router?
Hieu Tran (2 years ago)
excellent tutorial, many thanks
Ray (2 years ago)
There is a mistake in this config. The access list used for the IPsec tunnel should be local to remote, not remote to local. I confirmed this with GNS3: Phase 2 won't finish unless you put the local network first and the remote second. Otherwise, great video.
Ray (2 years ago)
Sure, the correct ACL is as follows (local network first, then remote):
R3: permit gre host 172.168.3.2 host 172.168.2.1
R1: permit gre host 172.168.2.1 host 172.168.3.2
Hieu Tran (2 years ago)
@Raymond A: Can you please be more specific and give an example for this case?
Colbert Philippe (2 years ago)
Not a network professional, but I have one question: are both routers the same or from the same company? Could you have done the same if the routers were from different brands?
NETWizzJbirk (2 years ago)
Yes as Raymond said, but you have to match ALL of the Crypto parameters, agreed upon keys, etc.
Ray (2 years ago)
Yes, IPsec is universal. Cisco to Juniper, Cisco to Fortigate, etc. No issues.
Ishmael Kargbo (2 years ago)
Explicit Tutorial... Thank Doug !
Samuel Quirk (2 years ago)
Thanks for the video
Ivan Abibe (2 years ago)
Great video, thanks
Alexei Tsapaev (2 years ago)
why do we have to apply the crypto-map twice?
300096586 (2 years ago)
R3(config-if)#crypto map VPN_MAP
% NOTE: crypto map is configured on tunnel interface. Currently only GDOI crypto map is supported on tunnel interface.
300096586 (2 years ago)
I got an error doing that on the tunnel. My router output said it only supports one type of map. It wouldn't work sourcing traffic from LAN to LAN. I removed it. It works fine now; verification shows encrypted packets. If the tunnel screws things up, I would suggest applying it just on the outgoing interface.
Aali Raza (2 years ago)
Hi, I am a beginner in VPN. My question is: before creating the GRE tunnel, should both routers be connected via IPsec VPN, or do you create the GRE tunnel along with the VPN?
300096586 (2 years ago)
You would want to make sure you can ping from end to end before any tunnel or VPN configuration. If that fails, you'll never figure out why your VPN doesn't work. Then do the VPN. I would worry about the tunnel after. Getting the VPN to work in the first place is really what you want.
ዓውዲ Research (2 years ago)
Excellent tutorial
Juma Pope (3 years ago)
Great Video!!
willow klan (3 years ago)
Don't you need to use a "permit ip any any" after the ACL you configured on the GRE? Otherwise the only traffic that will be allowed to flow through these physical interfaces would be GRE traffic, and only to a specific destination on the other side... You DO need to use those interfaces for regular internet traffic too, don't you?
willow klan (3 years ago)
+Keith Buckley thanks a lot bro. Got it now.
Ragu G (3 years ago)
Guys, help me to understand: is it IPsec over a GRE tunnel or GRE over an IPsec tunnel?
victor melo (3 years ago)
+Ragu G It's GRE over IPsec tunnel. For more information visit http://ccnp300-101.blogspot.com
Rohit Verma (3 years ago)
Very useful video. thank you
Tamas (3 years ago)
Why do you have to apply the crypto map to both the physical and the tunnel interface? I labbed it, and it seems it also works if I apply the crypto map only to the physical interface. On the other hand, if I apply it only to the tunnel interface, traffic still goes through, but nothing gets encrypted. As long as it's applied to the physical interface, it makes no difference whether I apply it to the tunnel interface too or not... What am I missing?
Nasir Khan (4 months ago)
Hi, I know you asked this question 2 years ago :). I am just playing with IPsec over GRE; the answer to your question is the ACL. That is why when you apply it only to the tunnel interfaces and test, it doesn't match anything, so nothing is encrypted. If you just tweak it a bit and add an extra ACL line to the current ACL for what exactly you need to match to be encrypted... Example: you only want your 192.168.1.0 network to be encrypted when it's talking to the 10.1.1.0 network only, so just add it to the existing ACL:
R1:
 ip access-list extended IPSEC-TRAFFIC
  permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
R2:
 ip access-list extended IPSEC-TRAFFIC
  permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Now remove the crypto map from your physical interfaces and just apply it onto the tunnels; you should see traffic encrypted when packets come from the 192 network to the 10 network and vice versa. Regards!
Ray Valadez (6 months ago)
In releases before Cisco IOS Release 12.2(13)T, crypto maps had to be applied to both physical and logical interfaces. In later IOS versions crypto maps only need to be applied to the physical interface; reference the Cisco Point-to-Point GRE over IPsec Design Guide.
300096586 (2 years ago)
I dunno if you'll see this, but it only works on the physical interface for me too. I tried on the tunnel and got this error:
R3(config-if)#crypto map VPN_MAP
% NOTE: crypto map is configured on tunnel interface. Currently only GDOI crypto map is supported on tunnel interface.
Anyway, the connection failed when sourcing from the LAN interface. I removed it and kept it on the physical interface, and now it works fine, meanwhile the OSPF state is maintained. The video is 5 years old now. Perhaps it was the router he was using then. I dunno.
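To tie together the three points argued in the comments (Ray's note that the crypto ACL is written local endpoint first, remote second; Ray Valadez's and 300096586's finding that on post-12.2(13)T IOS the crypto map belongs only on the physical interface; and willow klan's question about "permit ip any any"), here is a complete two-router GRE over IPsec configuration. This is an added example, not the configuration from the video or from any commenter. The WAN addresses 162.27.193.130 and 45.12.153.202 and the LANs 192.168.1.0/24 and 10.1.1.0/24 are taken from other comments on this page; the tunnel subnet 172.16.0.0/30, the ISP next hops, the policy numbers, the names GRE-TS / GRE-TO-R1 / GRE-TO-R2 and the cipher choices (AES-256, SHA-256, DH group 14) are assumptions, since the video's own parameters are not visible here. The crypto ACL only says which packets to protect: a permit means "encrypt", and anything it does not match is forwarded in the clear, so no trailing "permit ip any any" is needed (adding one would try to encrypt all internet traffic to the peer). Because every LAN-to-LAN packet, OSPF hello and broadcast is GRE-encapsulated first, matching only "gre host A host B" protects all of it.

```cisco
! ---------------- R1 (LAN 192.168.1.0/24, WAN 162.27.193.130) ----------------
! Phase 1: IKEv1/ISAKMP policy. Cipher parameters are assumed, not the video's.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 45.12.153.202
!
! Phase 2: transform set. Transport mode is enough because GRE already
! supplies an outer IP header; it saves 20 bytes per packet.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Crypto ACL: protect GRE between the two tunnel endpoints, local source
! first, remote destination second. R2 holds the mirror image.
! Unmatched traffic is not dropped; it is just sent unencrypted.
ip access-list extended GRE-TO-R2
 permit gre host 162.27.193.130 host 45.12.153.202
!
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 45.12.153.202
 set transform-set GRE-TS
 set pfs group14
 match address GRE-TO-R2
!
! GRE tunnel carrying OSPF. MTU/MSS clamping (assumed values) leaves room
! for the 24-byte GRE header plus ESP overhead so packets are not fragmented.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 45.12.153.202
!
! The crypto map goes on the physical interface the GRE packets leave on,
! not on Tunnel0 (which rejects a non-GDOI crypto map on newer IOS).
interface FastEthernet0/0
 ip address 162.27.193.130 255.255.255.0
 crypto map VPN_MAP
!
router ospf 123
 network 172.16.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! Default route to the ISP (next hop assumed)
ip route 0.0.0.0 0.0.0.0 162.27.193.1

! ---------------- R2 (LAN 10.1.1.0/24, WAN 45.12.153.202) ----------------
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 162.27.193.130
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Mirror of R1's crypto ACL: R2's own endpoint first, R1's second.
ip access-list extended GRE-TO-R1
 permit gre host 45.12.153.202 host 162.27.193.130
!
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 162.27.193.130
 set transform-set GRE-TS
 set pfs group14
 match address GRE-TO-R1
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 162.27.193.130
!
interface FastEthernet0/0
 ip address 45.12.153.202 255.255.255.0
 crypto map VPN_MAP
!
router ospf 123
 network 172.16.0.0 0.0.0.3 area 0
 network 10.1.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 45.12.153.1
```

Before applying any of this, confirm the two WAN addresses can ping each other (as 300096586 advises), because a GRE tunnel with no underlay route will flap. After applying it, "show crypto isakmp sa" should show the peer in QM_IDLE, "show crypto ipsec sa" should show #pkts encaps and #pkts decaps climbing while you ping across the LANs, and "show ip ospf neighbor" should show the peer FULL over Tunnel0. If the ISAKMP SA comes up but Phase 2 never does, the usual cause is the two crypto ACLs not being exact mirrors. The video and this example use IKEv1 with a pre-shared key because that is what the tutorial covers; for a production link prefer IKEv2 with certificate authentication, and never accept DES/3DES, MD5 or DH groups 1, 2 or 5 in either phase.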
dvijendra varma (3 years ago)
thank you sir. helpful
Galo Campaña (3 years ago)
Thank you so much!!
reddypraveen (3 years ago)
OSPF process ID is only locally significant; only the area, hello and dead timers need to match.
Ken Cheng (1 year ago)
reddypraveen The network too, unless you're using IPv6.
im noob (3 years ago)
can you help me bro? +Doug Suida
Mike ko (3 years ago)
Perfect and excellent, some new stuff. We are very grateful to you for spending time on it. I like the way you talk and your explanation. If you could put some more light on Diffie-Hellman, transform sets and ISAKMP, that would be great.
ANTHONY BOOTH (3 years ago)
if you don't have a static IP then what do you do? contact the FONE COMPANY and GET ONE!!! (or three)
Javier Cespedes (3 years ago)
Great tutorial! BTW, isn't it a GRE over IPsec tunnel?
Roman Hoax (3 years ago)
+willow klan Semantics. My explanation is the exact same as yours. My wording is such that the GRE tunnel is sent over IPsec. Hence GRE over IPsec. I already explained the GRE tunnel comes first, it is then sent over IPsec. Semantics.
willow klan (3 years ago)
+Roman Hoax Sorry mate, but you are wrong. It is IPsec over GRE. The GRE tunnel comes first and then the IPsec tunnel comes "on top" of it to allow the security. The only reason we don't use only IPsec is because it can't forward broadcast. So we build a GRE tunnel that encapsulates the broadcast in a unicast and THEN put an IPsec tunnel on it to secure that unicast traffic.
Roman Hoax (3 years ago)
+Javier Cespedes You probably already know the answer, but yes, it's a GRE tunnel over an IPsec tunnel. IPsec doesn't handle multicast or broadcast traffic. One of the benefits of GRE over IPsec, as opposed to just using an IPsec tunnel by itself, is that we can encapsulate a wider range of traffic into a GRE tunnel and then send it securely within an IPsec tunnel. Hope this was useful.
Laura Dencer (3 years ago)
Great tutorial. I would have liked to know what some of the terms were, like Diffie-Hellman, transform sets, ISAKMP, etc. I guess that would be another video to explain what these different types of crypto are.
Mohamed Khan (3 years ago)
Excellent Video
Dinesh NK (3 years ago)
Gr8 work Doug...Nice tutorial.. Very helpful...
alrobi87 (3 years ago)
crystal clear - great job Doug!
Greg Aspenson (4 years ago)
Great video, just what I needed
Jake Cle (4 years ago)
Awesome video, and very detailed. You the MAN!!!!
alreid12345 (4 years ago)
Thank you so so much for your great video and explanation it really really helped me understand and get a project done. You are a superb teacher and I love your method of teaching and explaining as you go along on screen. THANK YOU!
Thomas Garrett (4 years ago)
Thanks for the video! Quick question: why do you apply the crypto map to the tunnel interface? Doesn't the map basically say "encrypt any GRE traffic matching these IP addresses"? As I understand it, the GRE traffic is traveling over the physical interfaces, so applying the crypto map to the tunnel interface does nothing.
pervin raja (4 years ago)
Good video..thumbs up!!!
Barackuse (4 years ago)
Great lab, thanks for using a "clear" mic. The issue I'm running into is, I don't see my OSPF routes. I see the neighbors come up, but when I do a "sh ip route" there are NO OSPF routes. Also, shouldn't you be able to ping your loopback interfaces from the remote router, given that they are now routed through the tunnel via OSPF?
simposymo (4 years ago)
best tut on the subject period. Thank-You
deepa pannu (4 years ago)
Good lab, although it doesn't tell what has to match on both sides and what is locally significant only.
David Gomez (4 years ago)
When you create "crypto isakmp policy 1", when does that policy get used? I don't see that you match it in the crypto map.
Leonard F Reid (4 years ago)
Do the OSPF process IDs have to be identical to become neighbors or to function? I thought the process ID was locally significant to the router database. Great video! Loved it.
300096586 (2 years ago)
It is good to have as much consistency as possible anyway, for troubleshooting etc. You know process 1 and process 1 belong to the same networks, as opposed to process 1 and process 54353821.
irfan (4 years ago)
The process ID need not be the same. Neighbours should be in the same area and same network, and timers need to be identical.
David Gomez (4 years ago)
Process ID does not matter on OSPF.
Satish Puri (5 years ago)
Can anybody help me find out where he has configured the IP address 4.2.2.2?
Satish Puri (5 years ago)
Thank u so much YOGESH for guiding me..
Yogesh N (5 years ago)
4.2.2.2 is a public DNS server on the internet; he tested internet connectivity by pinging it. It's not configured on the router; it would use the default route on the router.
Maxsat25 (5 years ago)
Thank YOU very much! It's truly useful demonstration!
tasosptl (5 years ago)
Well done mate, excellent video and thanks for sharing.
danerdavis (5 years ago)
Great tutorial. I will start using gre-ipsec instead of just an ipsec vpn to make dual-wan redundancy easier.
Muhammad Khan (5 years ago)
Hats off to you Doug. Thanks for a well explained demo.
Great video Doug! I do have a question though and excuse me if this has been asked before.. How do you simulate the ISP in Dynamips/GNS3? I'd like to give this lab a go. Again, great tutorial!
Qlimax (5 years ago)
Thanks! Works great on my lab.
celald (5 years ago)
Hi Ezek, I have the same challenge. Did you find a solution? We have been fighting for 2 weeks to solve it :(( Regards, Celal
jsullivan80 (5 years ago)
Good one
Vi Vo (5 years ago)
very useful. Thank a lot!!
Geet Tendulkar (5 years ago)
Thank You.. great explanation.
jose saenz (5 years ago)
pretty straightforward, e x c e l e n t e !
Ezek Wise (5 years ago)
Thanks for the video. Can you please make a video on site-to-site VPN over ADSL? One site is the corporate network using an ASA5500, and the remote site has a Cisco router sitting behind the ADSL modem with a static public IP.
bronzedpete (5 years ago)
You only need 4 routes on the three routers for it to work:
R1:
 R1#sh ip route static
 45.0.0.0/24 is subnetted, 1 subnets
 S 45.12.153.0 [1/0] via 162.27.193.2
WAN:
 C 45.12.153.0 is directly connected, FastEthernet0/1
 162.27.0.0/30 is subnetted, 1 subnets
 C 162.27.193.0 is directly connected, FastEthernet0/0
R2:
 R2#sh ip route static
 162.27.0.0/24 is subnetted, 1 subnets
 S 162.27.193.0 [1/0] via 45.12.153.2
Minh Truong (5 years ago)
Love it..great job
seruwagi ashie (5 years ago)
need a cert big up cisco
Sam Nash (5 years ago)
Super demonstration.Thanks for your time and effort to put this together.
István Kelemen (5 years ago)
You have to apply static routes on the 3rd router (I'm using serial interfaces instead of FA):
 R3(config)#ip route 192.168.1.0 255.255.255.0 serial 0/0
 R3(config)#ip route 162.27.193.130 255.255.255.255 serial 0/0
 R3(config)#ip route 45.12.153.202 255.255.255.255 serial 0/1
 R3(config)#ip route 10.1.1.0 255.255.255.0 serial 0/1
keefe23 (5 years ago)
Awesome video and tutorial
M Salim Olime (6 years ago)
I think what you missed is that both routers R1 and R2 have default routes pointing to the internet, and OSPF is used between R1 and R2 over the GRE tunnel, emulating intranet edge routers. On GNS3 all you need is "ip route 0.0.0.0 0.0.0.0 fa0/0" configured on R1 and R2, with the fa0/0 interfaces on R1 and R2 connected to R3 acting as the ISP.
netking23 (6 years ago)
Excellent video!! Easily one of the best tutorials out there. Please make more of these. They are priceless to many of us.
Russell Barker (6 years ago)
You don't apply the crypto map to the tunnel. You apply it to the outbound physical interface. I have done it in Packet Tracer and you don't have to worry about the crypto-trans mode. Just use pre-shared authentication and encryption and it works just fine.
Ranjeet Badhe (6 years ago)
Doug, You have simplified the subject. Excellent tutorial.
Ricardo Velazquez (6 years ago)
There is not enough characters to really complain about this video!
Ricardo Velazquez (6 years ago)
This guy will mess you up if you try his technique in a lab / home environment (GNS3 or lab equipment). What he DOES NOT EXPLAIN, and you can WASTE hours trying to figure out, is that in a lab / home environment (GNS3 / home equipment) not connected to an "Internet" connection, there has to be stable routing between the two networks before you create the tunnel and set up OSPF (process 123). I spent hours with a flapping tunnel trying to figure out why!
chellacool86 (6 years ago)
Thanks a lot for this video!! It really helped me a lot! :)
justamusta (6 years ago)
Excellent video, clear and concise and great audio too. Many thanks to you!
Mohammad Hossain (6 years ago)
Wow, Excellent..... . Thanks a lot for making this video.
binman20 (6 years ago)
Excellent work, this will help a lot. Many thanks
Kuato (6 years ago)
Great vid, thanks. Has anyone tried this in Packet Tracer? When I create my transform set it doesn't go into (cfg-crypto-trans) mode for me; also, I can't apply my crypto map to the tunnel interface.
akojib (6 years ago)
This is a great tutorial, thanks for doing it. Would you have the configs for the internet router? I would like to duplicate this setup in my GNS3. Thanks!
Anthony Cook (6 years ago)
Great video, really helpful! thanks!
Wacław Woźniak (6 years ago)
Very helpful , thanks a lot !!!
Akash Gupta (6 years ago)
a real good work
nikki (7 years ago)
very informative...Thanks for such a good video...
Ajey Shetty (7 years ago)
too good
Elmer John B. Cuntapay (7 years ago)
I'll keep following your other post.
Elmer John B. Cuntapay (7 years ago)
Nice tutorial, very basic...good job.
veganath (7 years ago)
Thx great tutorial, really appreciated!!
