Encrypted GRE Tunnel with IPSEC

(Frades) #21

i tried to use the tunnel ip address on set peer, it didnt work, put the phys address again on set peer, then i tried to use now the tunnel ip address on isakmp pre-shared key, still didnt work, so i tried both set peer and isakmp preshared key to use tunnel ip address, still didnt work. im just troubleshooting, trying to find out if this will work using tunnel ip address…

here’s the summary of what i’ve done

- HQ and Branch router# set peer
-HQ and Branch router#crypto isakmp key PASS address

Not working
- HQ and Branch router# set peer
-HQ and Branch router#crypto isakmp key PASS address

Not working
- HQ and Branch router# set peer
-HQ and Branch router#crypto isakmp key PASS address

Not working
- HQ and Branch router# set peer
-HQ and Branch router#crypto isakmp key PASS address

so, overall, we must use physical address on both to get it working… or am i doing something wrong? that i cant get it to work using tunnel ip address? im just tinkering.

(Rene Molenaar) #22

Hi John,

Using the tunnel address as the peer won’t work, in this example I’m using IPsec to protect the tunnel itself. You should use any other IP address on the remote router…a physical address or a loopback will work (if you have a route for the loopback).


(Frades) #23

thanks for clarification rene!

(Don D) #24

Just noticed you didn’t mentioned the hashing algorithm on the ike tunnel. So the efault will be md5 or sha?



(Rene Molenaar) #25

Hi Don,

I should have included it, by default it’s SHA:

HQ# show crypto isakmp sa detail 
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1001           ACTIVE aes  sha    psk  5  00:58:42     
       Engine-id:Conn-id =  SW:1



(Victor R) #26


Since we are trying to protect the GRE tunnel why don’t we apply the crypto map to the GRE tunnel itself like we do with DMVPN?

Thank you

(Rene Molenaar) #27

Hi Victor,

That would also work. Crypto-maps are the “old” way of configuring IPsec and the crypto profiles are the “new” way of doing it.


(aicha m) #28

i configure my tunnel and everything and i have the ping between the 2 ends but when i check the status of my tunnel it shows “down”

(aicha m) #29

i configure my tunnel and everything is set bur when was trying to ping
ping is not successful and my tunnel status is down.any solution for that ?

(Rene Molenaar) #30

Hi Aicha,

I would start by disabling IPsec, make sure your GRE tunnel is working 100% first. Check if both routers are able to reach the other’s tunnel IP address. Your GRE tunnel should be up/up.

When that works, see if you can get IPsec to work.


(Mithun M) #31

Hi Rene,

Thank you very much for this informative post.

I would like to know whether IPSEC over GRE and IPSEC tunnel mode are the same or not.

If so, shouldn’t we see the tunnel ip addresses as dst and src ip addresses in the captures?


(Rene Molenaar) #32

Hi Mithun,

These are not the same. Take a look at this picture from my IPsec lesson:

When we use IPsec tunnel mode, we encapsulate the original IP packet and put an AH or ESP header and new IP header in front of it. IPsec only supports unicast packets.

GRE also encapsulates IP packets and it supports multicast traffic. It adds a GRE header in front of the original IP packet and then a new IP header. You can see this in this capture file:

GRE Encapsulated ICMP Capture

GRE and IPsec tunnel mode both encapsulate IP packets. GRE doesn’t offer any encryption though.

When we combine GRE and IPsec, normally we use IPsec transport mode. GRE has already added a new IP header so there’s no need for IPsec to do it again. That’s why you can use transport mode.

Hope this helps :slight_smile:


(LER-SAK P) #33

Hi Rene,

I try to change

crypto ipsec transform-set TRANS ah-sha-hmac   
 mode transport

.why in wireshark capture it still tunnel mode?

Thank you.

(Lazaros Agapides) #34

Hello LER-SAK.

Are you sure that you have applied the transform set? If you still have problems, please share the relevant portions of your configuration at both ends of the VPN .

I hope this has been helpful.


(LER-SAK P) #35

Hi Lazaros,

Thank for your reply. I still have problem, the configuration was follow Rene just at transform-set that I changed to ah-sha to see the packet, and the project is in attachments.

Thank you

BASIC-Encryption-Tunnel-with-IPsec.rar (40.0 KB)

(Lazaros Agapides) #36

Hello again LER-SAK.

Keep in mind that even if you manually set up the transport mode, it will only function as transport mode when the traffic to be encrypted is to or from the endpoints of the tunnel, such as routing updates from one router, destined to the other router.

However, traffic that is being transferred between PCs behind the routers will still end up using tunnel mode even if we configure transport mode.

More specifically:

Host A ----------------Router1----------Internet-------------Router2----------------Host B

If we have transport mode configured between Router1 and Router2, communication between Router1 and Router2 should be transport mode. However, if host A pings to host B for example, Router1 converts the packet to tunnel mode EVEN IF you have configured transport mode.

I hope this has been helpful!


(Sean C) #37

I have an interesting dilemma. I have a router that does not support IPSEC, however it is behind an ASA. I want to encrypt GRE Tunnel with the Cisco ASA. I have the L2L working between the loopbacks and have described interesting traffic as “permit ip” between the loopbacks. They ping each other. The gre tunnel still doesn’t come up. Am I barking up the wrong tree? It’s driving me crazy.

(Sina S) #38

Hi Rene,

Awesome GRE-IPSEC lab.

Just had quick question im finding it impossible to remember all those commands.

How do you remember all these commands on the top of your head?.


(Networklessons Admin) split this topic #39

19 posts were merged into an existing topic: Encrypted GRE Tunnel with IPSEC

(Rene Molenaar) #40

@Sean it is possible to encrypt GRE traffic on your ASAs where the routers are sitting behind your ASAs. What kind of access-list are you using to match your GRE traffic? You should use something like this:

access-list GRE extended permit gre host x.x.x.x host y.y.y.y

Where x.x.x.x and y.y.y.y are the IP addresses of your routers that are used to establish the GRE tunnel.

@Sina the more you do it, the easier it becomes. Some stuff like L2/L3 I do often enough to keep everything fresh in my memory. Other things (like IPsec) I also have to look up sometimes. It’s best to keep something like a notebook for yourself with notes/examples so that you can quickly look up something. Evernote works well for this.