
Setting up a GRE Tunnel with IPSec


LingaringBell (IS-IT--Management), Mar 13, 2009
I have never set up a GRE Tunnel before so I was hoping someone could look over my configs and tell me if I have grasped all the concepts correctly. What I want is for regular public internet traffic in each site to still be able to go out the T1, but then to route all the private traffic through the tunnel. Thanks for your help. Here are the two router configs:

hostname Site1
!
interface FastEthernet0
 description Internal_Network
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip nbar protocol-discovery
 ip route-cache flow
 speed auto
 full-duplex
!
interface Serial0
 description T1
 ip address 39.99.202.254 255.255.255.252
 ip access-group 107 in
 ip verify unicast reverse-path
 ip nat outside
 ip nbar protocol-discovery
 encapsulation ppp
 ip route-cache flow
 service-module t1 timeslots 1-24
 crypto map myvpn
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ciscokey address 39.114.7.214
!
crypto ipsec transform-set to_site2 esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 39.114.7.214
 set transform-set to_site2
 match address 101
!
interface Tunnel0
 ip address 10.10.13.1 255.255.255.0
 tunnel source Serial0
 tunnel destination 39.114.7.214
!
ip nat pool ovrld 38.96.138.9 38.96.138.9 prefix-length 24
ip nat inside source list 7 pool ovrld overload
ip classless
ip route 0.0.0.0 0.0.0.0 39.99.202.253
ip route 192.168.2.0 255.255.255.0 10.10.13.2
!
access-list 7 permit 192.168.0.0 0.0.255.255
access-list 7 permit 10.10.13.0 0.0.0.255
access-list 101 permit gre host 39.99.202.254 host 39.114.7.214
access-list 107 permit gre host 39.114.7.214 host 39.99.202.254
access-list 107 permit esp host 39.114.7.214 host 39.99.202.254
access-list 107 permit udp host 39.114.7.214 eq isakmp host 39.99.202.254
access-list 107 permit tcp any any established
access-list 107 deny ip any any
dialer-list 1 protocol ip permit
!

hostname Site2
!
interface FastEthernet0
 description Internal_Network
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed 100
 full-duplex
!
interface Serial1
 description T1
 ip address 39.114.7.214 255.255.255.252
 ip access-group 107 in
 ip verify unicast reverse-path
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 service-module t1 timeslots 1-24
 crypto map myvpn
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ciscokey address 39.99.202.254
!
crypto ipsec transform-set to_site1 esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 39.99.202.254
 set transform-set to_site1
 match address 101
!
interface Tunnel0
 ip address 10.10.13.2 255.255.255.0
 tunnel source Serial1
 tunnel destination 39.99.202.254
!
ip nat pool ovrld 39.114.7.214 39.114.7.214 prefix-length 24
ip nat inside source list 7 pool ovrld overload
ip route 0.0.0.0 0.0.0.0 39.114.7.213
ip route 192.168.1.0 255.255.255.0 10.10.13.1
!
access-list 7 permit 192.168.0.0 0.0.255.255
access-list 7 permit 10.10.13.0 0.0.0.255
access-list 101 permit gre host 39.114.7.214 host 39.99.202.254
access-list 107 permit gre host 39.99.202.254 host 39.114.7.214
access-list 107 permit esp host 39.99.202.254 host 39.114.7.214
access-list 107 permit udp host 39.99.202.254 eq isakmp host 39.114.7.214
access-list 107 permit tcp any any established
access-list 107 deny ip any any
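As an added check (example code written for this edit, not part of the original post and not a Cisco tool), the script below pulls out the handful of IOS lines that have to agree between the two ends of a GRE-over-IPsec pair: the tunnel destination must be the peer's tunnel source address, the crypto map peer and ISAKMP key must be bound to that same address, the crypto map must sit on the interface the GRE packets leave from, the crypto ACL must match the GRE flow between the two source addresses, both tunnel addresses must share a subnet, and every static route must have a mask consistent with its network (IOS rejects the line otherwise). It assumes one Tunnel interface per router, a crypto ACL written as `permit gre host A host B`, and ISAKMP keys bound to a host address; the embedded sample is a constructed, condensed pair modelled on the two configs above, with one deliberate slip (a /16 mask on the static route toward the remote /24 LAN) so the check has something to report.

```python
"""Consistency checks for a pair of GRE-over-IPsec router configs
(added example, not from the thread). Parses the IOS lines that must
agree between the two ends and reports anything that does not line up.
Assumptions: one Tunnel interface per router, crypto ACL written as
'permit gre host A host B', ISAKMP keys bound to a host address."""
import ipaddress
import re

# Constructed sample modelled on the thread's two configs. Site1's route to
# the remote LAN deliberately carries a /16 mask on a /24 network, the kind
# of slip IOS rejects with "Inconsistent address and mask".
SITE1 = """
hostname Site1
interface Serial0
 ip address 39.99.202.254 255.255.255.252
 crypto map myvpn
crypto isakmp key ciscokey address 39.114.7.214
crypto map myvpn 10 ipsec-isakmp
 set peer 39.114.7.214
 match address 101
interface Tunnel0
 ip address 10.10.13.1 255.255.255.0
 tunnel source Serial0
 tunnel destination 39.114.7.214
ip route 0.0.0.0 0.0.0.0 39.99.202.253
ip route 192.168.2.0 255.255.0.0 10.10.13.2
access-list 101 permit gre host 39.99.202.254 host 39.114.7.214
"""
SITE2 = """
hostname Site2
interface Serial1
 ip address 39.114.7.214 255.255.255.252
 crypto map myvpn
crypto isakmp key ciscokey address 39.99.202.254
crypto map myvpn 10 ipsec-isakmp
 set peer 39.99.202.254
 match address 101
interface Tunnel0
 ip address 10.10.13.2 255.255.255.0
 tunnel source Serial1
 tunnel destination 39.99.202.254
ip route 0.0.0.0 0.0.0.0 39.114.7.213
ip route 192.168.1.0 255.255.255.0 10.10.13.1
access-list 101 permit gre host 39.114.7.214 host 39.99.202.254
"""

ACL_GRE = re.compile(r"^access-list (\d+) permit gre host (\S+) host (\S+)$")


def parse_config(text):
    """Extract only the fields the pair check needs from one IOS config."""
    cfg = {"hostname": "?", "interfaces": {}, "peers": set(), "key_peers": set(),
           "routes": [], "acl_gre": {}, "map_acl": None}
    cur = None  # interface currently being parsed (indentation may be lost)
    for raw in text.splitlines():
        line = raw.strip()
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "hostname":
            cfg["hostname"] = t[1]
        elif t[0] == "interface":
            cur = t[1]
            cfg["interfaces"][cur] = {}
        elif t[:2] == ["ip", "address"] and cur:
            cfg["interfaces"][cur]["ip"] = ipaddress.IPv4Interface(f"{t[2]}/{t[3]}")
        elif t[:2] == ["tunnel", "source"] and cur:
            cfg["interfaces"][cur]["source"] = t[2]
        elif t[:2] == ["tunnel", "destination"] and cur:
            cfg["interfaces"][cur]["destination"] = t[2]
        elif t[:2] == ["crypto", "map"] and len(t) == 3 and cur:
            cfg["interfaces"][cur]["crypto_map"] = t[2]  # map applied on interface
        elif t[:2] == ["set", "peer"]:
            cfg["peers"].add(t[2])
        elif t[:2] == ["match", "address"]:
            cfg["map_acl"] = t[2]
        elif t[:3] == ["crypto", "isakmp", "key"]:
            cfg["key_peers"].add(t[-1])  # host form: last token is the peer
        elif t[:2] == ["ip", "route"]:
            cfg["routes"].append((t[2], t[3], t[4]))
        else:
            m = ACL_GRE.match(line)
            if m:
                cfg["acl_gre"].setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
    return cfg


def tunnel_of(cfg):
    return next((i for n, i in cfg["interfaces"].items() if n.lower().startswith("tunnel")), None)


def check_pair(a, b):
    """Return a list of human-readable mismatches; empty means the pair agrees."""
    findings = []
    for local, remote in ((a, b), (b, a)):
        name = local["hostname"]
        tun, rtun = tunnel_of(local), tunnel_of(remote)
        if tun is None or rtun is None:
            findings.append(f"{name}: missing Tunnel interface on one side")
            continue
        src_if = local["interfaces"].get(tun.get("source"), {})
        src_ip = str(src_if["ip"].ip) if "ip" in src_if else None
        dst = tun.get("destination")
        rsrc_if = remote["interfaces"].get(rtun.get("source"), {})
        rsrc_ip = str(rsrc_if["ip"].ip) if "ip" in rsrc_if else None
        if dst != rsrc_ip:
            findings.append(f"{name}: tunnel destination {dst} is not the peer's tunnel source {rsrc_ip}")
        if dst not in local["peers"]:
            findings.append(f"{name}: crypto map peer {sorted(local['peers'])} != tunnel destination {dst}")
        if dst not in local["key_peers"]:
            findings.append(f"{name}: no ISAKMP key bound to {dst}")
        if "crypto_map" not in src_if:
            findings.append(f"{name}: no crypto map applied on tunnel source {tun.get('source')}")
        if (src_ip, dst) not in local["acl_gre"].get(local["map_acl"], set()):
            findings.append(f"{name}: crypto ACL {local['map_acl']} does not match gre {src_ip} -> {dst}")
        if tun["ip"].network != rtun["ip"].network:
            findings.append(f"{name}: tunnel subnet {tun['ip'].network} differs from peer's {rtun['ip'].network}")
        for net, mask, _nh in local["routes"]:
            try:
                ipaddress.IPv4Network(f"{net}/{mask}")  # strict: host bits must be zero
            except ValueError:
                findings.append(f"{name}: route {net} {mask} has host bits set (IOS rejects it)")
    return findings


if __name__ == "__main__":
    for line in check_pair(parse_config(SITE1), parse_config(SITE2)) or ["no mismatches found"]:
        print(line)
```

Run as-is it reports only the deliberate route-mask slip on Site1; paste the full running-configs of both routers into `SITE1` and `SITE2` to check a real pair. The parser keys on command prefixes rather than indentation, so it copes with configs pasted into a forum with the leading spaces stripped, as above.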
 
You have the general idea down. When I create VTIs I typically do it without crypto maps and employ a routing protocol, although static routes will work fine. Here's the general idea:
Code:
crypto isakmp policy 10
 auth pre-share
 encr 3des
 group 2
 hash sha1

crypto isakmp key ****** address 0.0.0.0 0.0.0.0

crypto ipsec transform-set myset esp-3des esp-sha1-hmac

crypto ipsec profile ipsec_profile
 set transform-set myset

int tunnel0
 ip address 10.1.1.1 255.255.255.0
 tunnel source s0/0
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec_profile

int f0/0
 ip address 192.168.10.1 255.255.255.0

router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Actually, Bell's setup is not a VTI, but just a GRE tunnel protected by IPsec. I agree with Uncle, and to force the traffic through the tunnel you can use a routing protocol or static routes. Then the default route needs to be in place, so yes, Bell, you are right on the money. When you protect the tunnel with an IPsec profile, it is just like using a crypto map... there really is no difference, except where you apply the crypto map or profile (outside interface for map, tunnel interface for profile). Using the profile and applying it to the tunnel interface is called a VTI.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Burt, you are absolutely correct. So I pulled a Blumenthal and misspoke; only it wasn't about serving in Vietnam, it was about a VTI, lol.
 
Ah, yes..."I served in Viet...uh, during Vietnam...sorry, folks, I, uh, just misspoke there."

Yesterday Obummer was supposed to have "gone down to Louisiana to lend his support..."---what, is he going to want it back?

 
lol... be careful, otherwise some SEIU thugs are comin' for you!!! Obummer, love it.
 