GRE over IPSec with Hub and Remote Sites

This topic is to discuss the following lesson:

https://networklessons.com/uncategorized/gre-ipsec-hub-remote-sites/

Hi Rene! Your articles are awesome!!! You are doing a great job! Thank you. I have a question about this article. In this topology we have three routers with interfaces in one subnet, so what is the point of having a GRE tunnel in this topology? We can run OSPF (or another protocol) without a GRE tunnel.

Hi Niko,

Thanks! I used a switch for simplicity, just imagine there’s not a switch in the middle but the routers are only connected to each other through the Internet…then you have a useful example.

Rene

Hey Rene, I like your articles. However, with regard to the interfaces, I suppose in real life there will have to be public interfaces on the routers. My question is, can one use private addressing for the tunnel interfaces?

Hi Wilson,

That’s right, the interfaces facing the Internet will use public IP addresses but you can use private addresses on the tunnels. Nobody on the outside sees what the tunnel is encapsulating (if you have encryption).

Rene

Thanks Rene. Great work.

Hi Rene,

Good job on this course! Thank you! The question I have is, how come the crypto map is only on the physical interface? Why also apply the crypto map onto the tunnel interface?

Joey

Rene…typo on my last post…I meant "Why not also apply the crypto map onto the tunnel interface, in addition to applying the crypto map on the physical interface?"

Joey

Rene…typo on my last post…I meant "Can the crypto map be applied to both the tunnel interface and the physical interface?"

Joey

Hi Joey,

The crypto map is attached to a physical interface and we use an extended access-list to tell it what traffic to encrypt. All traffic that flows through the physical interface and matches the access-list will be encrypted.

The crypto profile is not attached to a physical interface but to a logical interface (tunnel); all traffic that flows through the tunnel interface will be encrypted. We don’t specify an access-list anymore.

So basically, the result is the same if you want to encrypt a tunnel.

The crypto map is the “old” way and the profile is the “new” way of configuration. My first example could also be done with the IPsec profile.

Rene
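The two ways of attaching IPsec to the GRE tunnel that Rene describes, side by side, as an added example (it is not the lesson's configuration). It is written for the hub R1 and one spoke R2 using the 192.168.123.1/.2 addresses from the thread; the tunnel subnet 172.16.12.0/30, the interface name GigabitEthernet0/1, the pre-shared key and the object names are assumptions. Configure one method or the other, not both:

```cisco
! --- Common to both methods: IKEv1 phase 1 and the IPsec transform set ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key SPOKE2_KEY address 192.168.123.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! --- Method 1: crypto map on the physical interface ---
! The extended ACL decides what gets encrypted: only GRE (protocol 47)
! between the two tunnel endpoints. Anything else leaving Gi0/1 that
! does not match the ACL is sent in the clear.
ip access-list extended GRE_R1_R2
 permit gre host 192.168.123.1 host 192.168.123.2
!
crypto map HUB_MAP 10 ipsec-isakmp
 set peer 192.168.123.2
 set transform-set TS
 match address GRE_R1_R2
!
interface GigabitEthernet0/1
 ip address 192.168.123.1 255.255.255.0
 crypto map HUB_MAP
!
interface Tunnel0
 ip address 172.16.12.1 255.255.255.252
 tunnel source 192.168.123.1
 tunnel destination 192.168.123.2
!
! --- Method 2: IPsec profile with tunnel protection ---
! No crypto ACL and nothing on the physical interface: everything that
! leaves Tunnel0 is encrypted because the profile is bound to the tunnel.
crypto ipsec profile GRE_PROF
 set transform-set TS
!
interface Tunnel0
 ip address 172.16.12.1 255.255.255.252
 tunnel source 192.168.123.1
 tunnel destination 192.168.123.2
 tunnel protection ipsec profile GRE_PROF
```

For a second spoke, method 1 needs another `permit gre` line (or a second ACL) and a second `crypto map HUB_MAP 20` entry with `set peer 192.168.123.3`, while method 2 only needs another Tunnel interface carrying the same `tunnel protection` line. With either method, `show crypto ipsec sa` should show the `#pkts encaps`/`#pkts decaps` counters increasing when you ping across the tunnel; if the counters stay at zero while the ping works, the traffic is bypassing IPsec (typically a crypto ACL that does not match the GRE endpoints).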

Rene,

So, is the “old” way considered IKEv1? And, the “New” way is IKEv2?

Joey

Rene,

I see that IKEv2 is better in terms of: requires less BW, supports EAP, built-in support for NAT traversal, built-in keepalive mechanism for tunnels (per your course material on IPsec). I was curious how to differentiate the command sets for deploying IKEv2 versus IKEv1.

Joey

Hi Joey,

That’s right, if both of your devices support IKEv2 then there’s no reason to keep using IKEv1.

To configure it, you need to use the “crypto ikev2” command but it’s only supported on the ISR G2 devices like the Cisco 860, 880, 890, 1900, 2900 and 3900 series. I’ll see if I can create a tutorial for this. I do have one for the ASA if you are interested:

https://networklessons.com/security/cisco-asa-site-site-ikev2-ipsec-vpn/

Rene

Hi Rene,

Excellent!! Right on target Rene! Thank You!

A tutorial for configuring ikev2 on routers would be helpful. Especially with the inclusion of IKE and/or IPSEC profiles, and with Keyring.

Joey

Rene,

In setting up a site-to-multi-site hub and spoke VPN using an ISAKMP profile, is it necessary to use both a keyring object (to be inserted in the ISAKMP profile) in addition to "crypto isakmp key 123456678 address 111.111.111.111"?

Joey

Hi Joey,

It’s one or the other, the keyring is a replacement for the crypto isakmp key command where you can store all keys for different peers.

Rene
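An added example (not the lesson's configuration) that covers both of Joey's questions above: the keyring inside an ISAKMP profile as the replacement for per-peer `crypto isakmp key` lines, and the IKEv2 command set that takes the place of the IKEv1 (`crypto isakmp`) objects. It is written for the hub R1 with spokes R2 (192.168.123.2) and R3 (192.168.123.3) from the thread; the pre-shared keys, the tunnel subnet 172.16.12.0/30, the object names and an IOS release that supports `crypto ikev2` are assumptions. Configure the IKEv1 half or the IKEv2 half, not both:

```cisco
! ===== IKEv1: keyring inside an ISAKMP profile =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! One keyring holds the pre-shared key for every spoke, so no separate
! "crypto isakmp key ... address ..." line is needed for these peers.
crypto keyring SPOKE_KEYS
 pre-shared-key address 192.168.123.2 key SPOKE2_KEY
 pre-shared-key address 192.168.123.3 key SPOKE3_KEY
!
crypto isakmp profile HUB_IKEV1
 keyring SPOKE_KEYS
 match identity address 192.168.123.2 255.255.255.255
 match identity address 192.168.123.3 255.255.255.255
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE_IKEV1
 set transform-set TS
 set isakmp-profile HUB_IKEV1
!
! ===== IKEv2: the same hub, each "isakmp" object becomes a "crypto ikev2" object =====
! isakmp policy  -> ikev2 proposal + ikev2 policy
! crypto keyring -> ikev2 keyring (keys grouped per peer)
! isakmp profile -> ikev2 profile (authentication method is stated explicitly)
crypto ikev2 proposal HUB_PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy HUB_POL
 proposal HUB_PROP
!
crypto ikev2 keyring IKEV2_KEYS
 peer SPOKE2
  address 192.168.123.2
  pre-shared-key SPOKE2_KEY
 peer SPOKE3
  address 192.168.123.3
  pre-shared-key SPOKE3_KEY
!
crypto ikev2 profile HUB_IKEV2
 match identity remote address 192.168.123.2 255.255.255.255
 match identity remote address 192.168.123.3 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2_KEYS
!
crypto ipsec profile GRE_IKEV2
 set transform-set TS
 set ikev2-profile HUB_IKEV2
!
! Either profile is applied the same way on each spoke-facing tunnel
! (GRE_IKEV1 or GRE_IKEV2, matching the half you configured above):
interface Tunnel0
 ip address 172.16.12.1 255.255.255.252
 tunnel source 192.168.123.1
 tunnel destination 192.168.123.2
 tunnel protection ipsec profile GRE_IKEV2
```

The transform set and the `tunnel protection` line are identical in both halves; only the key-exchange objects change. Verification differs too: `show crypto isakmp sa` lists IKEv1 phase 1 SAs, while IKEv2 SAs appear under `show crypto ikev2 sa`, and both should show one entry per spoke once the tunnels are up.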

A quick question regarding the crypto ACLs

What if I configured the tunnel interface source/destination to a loopback? For example, you created another loopback for each of the routers. Let’s say R1 will have Loopback 1 with an IP of 11.11.11.11/32. What will we configure on the crypto ACL? Correct me if I’m wrong: the reason you configured the crypto ACL with the host 192.168.123.1 (R1) destined to 192.168.123.2 and 192.168.123.3 is that they are the ones configured as the tunnel source/destination.


Thank you.

Hi Don,

It’s possible, it doesn’t matter what source/destination you pick for the tunnel interface as long as the routers know how to reach each other. If you add new loopback interfaces then you’ll need to add static routes pointing to each others loopback interface.

In the crypto ACL you then use the IP addresses of the loopback interfaces.

Rene
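The loopback-sourced variant from Don's question, as an added example for the hub R1 (it is not the lesson's configuration). Loopback 1 with 11.11.11.11/32 comes from the question; R2's loopback 22.22.22.22/32, the tunnel subnet 172.16.12.0/30, the interface name GigabitEthernet0/1 and the object names are assumptions. The crypto map method is shown because it is the one that needs the ACL change:

```cisco
! R1 (hub): the tunnel is sourced from a loopback, so the outer GRE
! header carries 11.11.11.11 -> 22.22.22.22 instead of the Gi0/1 addresses.
interface Loopback1
 ip address 11.11.11.11 255.255.255.255
!
! Static route: R2's loopback is only reachable through the shared
! 192.168.123.0/24 segment. R2 needs the mirror route to 11.11.11.11/32.
ip route 22.22.22.22 255.255.255.255 192.168.123.2
!
! The pre-shared key and the peer are now the loopback address.
crypto isakmp key SPOKE2_KEY address 22.22.22.22
!
! The crypto ACL matches the loopback addresses, because those are the
! outer source/destination of the GRE packets the crypto map sees.
ip access-list extended GRE_R1_R2
 permit gre host 11.11.11.11 host 22.22.22.22
!
crypto map HUB_MAP 10 ipsec-isakmp
 set peer 22.22.22.22
 set transform-set TS
 match address GRE_R1_R2
!
! Without this line IKE would be sourced from Gi0/1 (192.168.123.1), and
! R2 would see a peer address that does not match its "crypto isakmp key".
crypto map HUB_MAP local-address Loopback1
!
interface Tunnel0
 ip address 172.16.12.1 255.255.255.252
 tunnel source Loopback1
 tunnel destination 22.22.22.22
!
interface GigabitEthernet0/1
 ip address 192.168.123.1 255.255.255.0
 crypto map HUB_MAP
```

Before enabling the crypto map, confirm that `ping 22.22.22.22 source Loopback1` succeeds; if it does not, the problem is the static routes, not IPsec. With the IPsec profile method the same loopback can be used as `tunnel source`, and no ACL is involved, but the `local-address` consideration still applies (there it is `tunnel protection ipsec profile ... ` combined with an ISAKMP profile that matches the loopback identity).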

Hi, Rene.
I can’t get a ping to work between Loopback 0 on R2 and Loopback 0 on R3. Is it possible in this case?

Hi Mikhail,

It should be possible. Are you able to ping from R1 to the loopback of R2/R3?

It could be a routing or IPsec issue. It’s best to disable IPsec for now, make sure your routing is working 100% and then enable IPsec afterwards.

Rene