Encrypted GRE Tunnel with IPSEC

ReneMolenaar · December 26, 2016, 5:54pm

This topic is to discuss the following lesson:

ReneMolenaar · April 12, 2013, 5:06pm

Nice man, a quick & easy way to show off IPsec in Wireshark, love it!

system · May 22, 2013, 12:20pm

Exclent Artical…

system · August 7, 2013, 8:17am

Good one.

system · June 4, 2014, 9:46am

great write up…
just one question… can you apply crypto map to the tunnel interface? what is the difference between that, and applying it on the interface (f0/0) itself?
thanks!

hamid_saffarzadeh_88 · June 21, 2014, 4:20am

Better than 1 hour boring INE training.

ReneMolenaar · June 25, 2014, 7:47am

Thanks Hamid

ReneMolenaar · June 25, 2014, 9:07am

It has to be on the physical interface, not the virtual one.

system · June 27, 2014, 1:42pm

Very nice , i learnt Gre , +Gre over ipsec and now going to find DMVPN ;
Thanks and very good stuff ,
But you are toooooooo fast , when u configure , please slow down ,

ReneMolenaar · August 6, 2014, 11:42am

Hi Hammad,

I think you watched some of my GNS3Vault videos? In future videos I will slow down…I’ve heard it a couple of times before hehe.

Rene

valero.lionel · November 5, 2014, 8:50pm

Thank you for the post, so i have to keep in mind :

- peer of crypto map : ip of the tunnel destination
- crypto map is applied on the tunnel physical interface

ReneMolenaar · November 6, 2014, 11:24am

Hi Lionel,

That’s right. It’s also possible to use virtual tunnel interfaces instead of the crypto map. If you want, I can create an example for this.

Rene

mdbetar · April 20, 2015, 6:58pm

Hello Rene,
In a word, excellent.
Is there any constrains about policy number (must match HQ_10=Branch_10) and MAP number ?

ReneMolenaar · April 22, 2015, 1:50pm

Glad to hear you like it!

The policy number and route-map numbers are local, in this example it won’t matter what value(s) you choose.

Rene

lkhanna2012 · July 10, 2015, 8:07pm

Rene

Can you explain basics - what do transform set, ISAKAMP, crypto map do?
Where do we link these together in the config?

ReneMolenaar · July 13, 2015, 2:08pm

Hi Lokesh,

I’ll write an in-depth post about this. In short, IPsec uses IKE (Internet Key Exchange) to create a secure tunnel.

This secure tunnel is only used for 1 thing…to negotiate the parameters for the IPsec tunnel. IKE is configured with the “crypto isakmp policy” command.

The IPsec tunnel is actually used for data, it’s configured with the crypto ipsec transform-set command.

The crypto-map is where we put everything together…it’s where we specify the remote peer, the traffic we want to encrypt (ACL) and the IPsec tunnel parameters with the transform-set.

Hope this short answer gives you an idea, I’ll create something that helps to visualize all this.

Rene

johnfrades · July 28, 2015, 9:54am

hi Rene,excellent lesson, but some of the security protocols you enter i cant seem to fully understand on how they actually works. DOes this include in CCNP exam? especially the meaning of the commands you put there in.

ReneMolenaar · July 29, 2015, 4:36pm

Hi John,

You are right, in this lesson I really focuses on the configuration but didn’t explain exactly how IPsec works. This week, I intend to write a long post that explains it in detail…that should explain everything

Rene

johnfrades · September 25, 2015, 6:40am

so i tried to use the tunnel ip address in crypto map set peer but it didnt work. so on configuring, only the physical address will work? on crypto map set peer and the configuring on the isakmp pre-shared key.

ReneMolenaar · September 26, 2015, 1:08pm

Hi John,

Which exact IP address did you try? the “set peer” IP address has to be an IP address of the router on the remote side.

Rene