Encrypted GRE Tunnel with IPSEC

(Rene Molenaar) #1

This topic is to discuss the following lesson:

(Rene Molenaar) #2

Nice man, a quick & easy way to show off IPsec in Wireshark, love it!

(system) #3

Exclent Artical…

(system) #4

Good one.

(system) #5

great write up…
just one question… can you apply crypto map to the tunnel interface? what is the difference between that, and applying it on the interface (f0/0) itself?

(hamid s) #6

Better than 1 hour boring INE training.

(Rene Molenaar) #7

Thanks Hamid :slight_smile:

(Rene Molenaar) #8

It has to be on the physical interface, not the virtual one.

(system) #9

Very nice , i learnt Gre , +Gre over ipsec and now going to find DMVPN ;
Thanks and very good stuff ,
But you are toooooooo fast , when u configure , please slow down ,

(Rene Molenaar) #10

Hi Hammad,

I think you watched some of my GNS3Vault videos? :slight_smile: In future videos I will slow down…I’ve heard it a couple of times before hehe.


(lionel v) #11

Thank you for the post, so i have to keep in mind :

- peer of crypto map : ip of the tunnel destination
- crypto map is applied on the tunnel physical interface

(Rene Molenaar) #12

Hi Lionel,

That’s right. It’s also possible to use virtual tunnel interfaces instead of the crypto map. If you want, I can create an example for this.


(Betar R) #13

Hello Rene,
In a word, excellent.
Is there any constrains about policy number (must match HQ_10=Branch_10) and MAP number ?

(Rene Molenaar) #14

Glad to hear you like it!

The policy number and route-map numbers are local, in this example it won’t matter what value(s) you choose.


(Lokesh K) #15


Can you explain basics - what do transform set, ISAKAMP, crypto map do?
Where do we link these together in the config?

(Rene Molenaar) #16

Hi Lokesh,

I’ll write an in-depth post about this. In short, IPsec uses IKE (Internet Key Exchange) to create a secure tunnel.

This secure tunnel is only used for 1 thing…to negotiate the parameters for the IPsec tunnel. IKE is configured with the “crypto isakmp policy” command.

The IPsec tunnel is actually used for data, it’s configured with the crypto ipsec transform-set command.

The crypto-map is where we put everything together…it’s where we specify the remote peer, the traffic we want to encrypt (ACL) and the IPsec tunnel parameters with the transform-set.

Hope this short answer gives you an idea, I’ll create something that helps to visualize all this.


(Frades) #17

hi Rene,excellent lesson, but some of the security protocols you enter i cant seem to fully understand on how they actually works. DOes this include in CCNP exam? especially the meaning of the commands you put there in.

(Rene Molenaar) #18

Hi John,

You are right, in this lesson I really focuses on the configuration but didn’t explain exactly how IPsec works. This week, I intend to write a long post that explains it in detail…that should explain everything :slight_smile:


(Frades) #19

so i tried to use the tunnel ip address in crypto map set peer but it didnt work. so on configuring, only the physical address will work? on crypto map set peer and the configuring on the isakmp pre-shared key.

(Rene Molenaar) #20

Hi John,

Which exact IP address did you try? the “set peer” IP address has to be an IP address of the router on the remote side.