Hello there, I’m new to Network Lessons and hope to find some great wisdom here to point me in the right direction. Everything I’m discussing and asking about is not in a production environment; it is used for labs only, for learning and testing purposes. Thanks in advance for your assistance and feedback.
I’m wanting to find out what the requirements are for setting up GRE with IPsec behind NAT. I have 2 locations for this setup using the same equipment: 2 x Cisco Router 2811. I want to establish a tunnel between the 2 sites for the purpose of allowing the 2 sites to communicate. Once I test and ensure I have a secure tunnel, I will then want to build servers at each end to allow the 2 sites to communicate with domain controllers; one site will become the forest, the other site will be a child domain. I’m relatively new to the GRE and IPsec tunnel stuff, so I’m trying to understand GRE with IPsec vs IPsec with GRE, as I see these terms flipped a lot, and was wondering if there is a difference in the setup configs and if they do different tasks or handle things differently. The configs shown below are just a brief example of the network I would like to configure. I need assistance with getting started on the configs, as I don’t understand where to place specific IPs in my configs; your example shows a network that looks like it’s all internal and in the same location, whereas my 2nd router is offsite.
Question 1: How do I configure GRE with IPsec behind NAT?
Question 2: How do I add additional security with an ACL or by filtering traffic on the router, given the use of public IPs?
Question 3: Is this setup sufficient to handle the communication of Windows servers at each of the sites, i.e. replication, Kerberos, etc.?
Question 4: What ports or protocols would you open on the firewall to allow this connection? VPN 1723? IPsec 50, 51, 500 (ISAKMP)?
Question 5: Is there a timeout for how long the tunnel stays up, or a way to force a reconnection if it does disconnect?
Question 6: I see that you have implemented OSPF for the purpose of making the networks known to one another after the tunnel is established; is this correct? So Site A connecting to Site B just establishes a path, but the networks that reside on each side are unknown to one another even with the tunnel?
RTR A (Site 1)
interface FastEthernet0/1
 ! Outside interface, public IP 25.2.2.2 (for discussion purposes)
 ip nat outside
interface FastEthernet0/0
 ip nat inside
 ip address 172.16.1.1 255.255.255.0
interface Tunnel1
 ip address 10.1.1.2 255.255.255.0

RTR B (Site 2)
interface FastEthernet0/1
 ! Outside interface, public IP 27.2.2.2
 ip nat outside
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Tunnel1
 ip address 10.10.1.1 255.255.255.0
 ! Note: 10.1.1.0/24 and 10.10.1.0/24 are different subnets; both tunnel endpoints need an address in one shared subnet.
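As an added illustration (constructed here, not from the original post, Network Lessons, or a Cisco reference config), this is what a Site 1 GRE-over-IPsec configuration with tunnel protection looks like using the addresses from the post; it assumes IKEv1 with a pre-shared key (PLACEHOLDER_PSK is a placeholder), exempts the site-to-site traffic from NAT, and limits inbound traffic on the public interface to the peer's IKE, NAT-T and ESP. Site 2 mirrors it with the public and LAN addresses swapped and 10.1.1.1 on its tunnel.

```cisco
! RTR A (Site 1). Constructed example; addresses taken from the post above.
! Phase 1 (IKEv1): AES-256, SHA-256, DH group 14, pre-shared key for the peer.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PSK address 27.2.2.2
!
! Phase 2: transport mode is enough because GRE already adds the outer header.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-GRE
 set transform-set TS-AES
!
! GRE tunnel sourced from the public interface, encrypted by the profile.
! keepalive 10 3 brings the tunnel line protocol down after 3 missed
! keepalives (30 s) so routing fails over instead of blackholing traffic.
interface Tunnel1
 ip address 10.1.1.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 27.2.2.2
 tunnel protection ipsec profile IPSEC-GRE
 keepalive 10 3
!
! NAT exemption: LAN-to-LAN traffic must not be translated, or it never
! matches the route into the tunnel. Everything else is overloaded as usual.
ip access-list extended NAT-INSIDE
 deny   ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface FastEthernet0/1 overload
!
! Inbound filter on the public interface: only the peer may talk IKE (UDP 500),
! NAT-T (UDP 4500) and ESP (IP protocol 50). Cleartext GRE is not permitted.
! A plain deny at the end would also drop return traffic for NAT'd sessions,
! so pair this with ip inspect (CBAC) or a zone-based firewall for that traffic.
ip access-list extended OUTSIDE-IN
 permit udp host 27.2.2.2 host 25.2.2.2 eq isakmp
 permit udp host 27.2.2.2 host 25.2.2.2 eq non500-isakmp
 permit esp host 27.2.2.2 host 25.2.2.2
interface FastEthernet0/1
 ip access-group OUTSIDE-IN in
!
! Reach Site 2's LAN through the tunnel (a static route; running OSPF over
! Tunnel1 is the dynamic alternative).
ip route 192.168.1.0 255.255.255.0 Tunnel1
```

Verify with show crypto isakmp sa, show crypto ipsec sa and show interfaces Tunnel1: the IPsec SA should show the peer on UDP 4500 when NAT is detected between the endpoints, and the tunnel line protocol should go down if the peer stops answering keepalives.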