GRE over IPSec in Cisco IOS

Shahriar EV, published in Binvoke. 2 min read, Sep 17, 2017

Cisco GRE over IPSEC

[Figure: GRE/IPsec diagram]

Below is a sample configuration for GRE over IPsec on Cisco IOS devices. You can tailor it to your needs (encryption algorithms, IP addresses, etc.); just make sure the settings match on both sides (apart from the IP addresses, of course).

In later posts we will cover the same scenario on other platforms, such as Cisco ASA and strongSwan on Linux.

The best guide for learning how IPsec works is NIST SP 800-77: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-77.pdf

R1(config)# interface Tunnel0
R1(config-if)# ip address 172.16.0.1 255.255.255.0
## better performance when packets are not fragmented ##
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source 1.1.1.10
R1(config-if)# tunnel destination 2.2.2.10
R1(config)# ip route 192.168.2.0 255.255.255.0 172.16.0.2
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
R1(config)# crypto isakmp key CISCO address 2.2.2.10
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# mode transport
R1(config)# crypto ipsec profile protect-gre
R1(ipsec-profile)# set security-association lifetime seconds 86400
R1(ipsec-profile)# set transform-set TS
R1(config)# interface Tunnel 0
R1(config-if)# tunnel protection ipsec profile protect-gre

R2(config)# interface Tunnel0
R2(config-if)# ip address 172.16.0.2 255.255.255.0
R2(config-if)# ip mtu 1400
R2(config-if)# ip tcp adjust-mss 1360
R2(config-if)# tunnel source 2.2.2.10
R2(config-if)# tunnel destination 1.1.1.10
R2(config)# ip route 192.168.1.0 255.255.255.0 172.16.0.1
R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
R2(config)# crypto isakmp key CISCO address 1.1.1.10
R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(cfg-crypto-trans)# mode transport
R2(config)# crypto ipsec profile protect-gre
R2(ipsec-profile)# set security-association lifetime seconds 86400
R2(ipsec-profile)# set transform-set TS
R2(config)# interface Tunnel 0
R2(config-if)# tunnel protection ipsec profile protect-gre
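As an added example (not part of the original post), the Python script below rebuilds both routers' command sets from the values above with the prompts stripped, then checks the rules the text states: the ISAKMP policy, transform set, IPsec mode and SA lifetime must be identical on both routers, the tunnel endpoints and the ISAKMP key address must mirror the peer's tunnel source, and the MSS clamp must equal ip mtu minus the 40 bytes of IPv4 plus TCP headers. It also lists which of the page's algorithm choices (3DES, MD5, DH group 2) are considered legacy today, which is where tailoring should start. The function names, the regex field table and the mismatch messages are the example's own; the pre-shared key CISCO is the post's placeholder, not a real secret.

```python
"""Consistency check for a GRE-over-IPsec router pair written in Cisco IOS syntax.

Added example for this post, not the author's code. It builds R1 and R2 from the
page's values and verifies that the two sides agree with each other.
"""
import re


def ios_config(tunnel_ip, src, dst, remote_lan, next_hop):
    """Build one router's config (prompts stripped) from the page's template."""
    return f"""\
interface Tunnel0
 ip address {tunnel_ip} 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source {src}
 tunnel destination {dst}
 tunnel protection ipsec profile protect-gre
ip route {remote_lan} 255.255.255.0 {next_hop}
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key CISCO address {dst}
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set TS
"""


# Constructed from the R1/R2 values on this page.
R1_CONFIG = ios_config("172.16.0.1", "1.1.1.10", "2.2.2.10", "192.168.2.0", "172.16.0.2")
R2_CONFIG = ios_config("172.16.0.2", "2.2.2.10", "1.1.1.10", "192.168.1.0", "172.16.0.1")

# One regex per field the check needs; group(1) is the value.
FIELDS = {
    "tunnel_source": r"^\s*tunnel source (\S+)",
    "tunnel_destination": r"^\s*tunnel destination (\S+)",
    "ip_mtu": r"^\s*ip mtu (\d+)",
    "adjust_mss": r"^\s*ip tcp adjust-mss (\d+)",
    "isakmp_encr": r"^\s*encr (\S+)",
    "isakmp_hash": r"^\s*hash (\S+)",
    "isakmp_auth": r"^\s*authentication (\S+)",
    "isakmp_group": r"^\s*group (\S+)",
    "isakmp_lifetime": r"^\s*lifetime (\d+)",
    "key_peer": r"^\s*crypto isakmp key \S+ address (\S+)",
    "transform": r"^\s*crypto ipsec transform-set \S+ (.+)$",
    "ipsec_mode": r"^\s*mode (\S+)",
    "sa_lifetime": r"^\s*set security-association lifetime seconds (\d+)",
}

# Parameters that must be identical on both ends (everything except addresses).
SHARED = ("isakmp_encr", "isakmp_hash", "isakmp_auth", "isakmp_group",
          "isakmp_lifetime", "transform", "ipsec_mode", "sa_lifetime")

# Choices IOS still accepts but that are widely regarded as legacy today.
LEGACY = {"isakmp_encr": {"des", "3des"}, "isakmp_hash": {"md5"}, "isakmp_group": {"1", "2", "5"}}
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse(config):
    """Extract the FIELDS above from one router's config into a dict."""
    found = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, config, re.MULTILINE)
        if m:
            found[name] = m.group(1).strip()
    return found


def check_pair(cfg_a, cfg_b):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for field in SHARED:
        if a.get(field) != b.get(field):
            problems.append(f"{field} differs: {a.get(field)!r} vs {b.get(field)!r}")
    for side, mine, peer in (("A", a, b), ("B", b, a)):
        if mine.get("tunnel_destination") != peer.get("tunnel_source"):
            problems.append(f"side {side}: tunnel destination does not match peer tunnel source")
        if mine.get("key_peer") != peer.get("tunnel_source"):
            problems.append(f"side {side}: isakmp key address does not match peer tunnel source")
        mtu, mss = mine.get("ip_mtu"), mine.get("adjust_mss")
        # 40 bytes = 20-byte IPv4 header + 20-byte TCP header without options.
        if mtu and mss and int(mss) != int(mtu) - 40:
            problems.append(f"side {side}: adjust-mss {mss} should be ip mtu {mtu} minus 40")
    return problems


def legacy_algorithms(config):
    """List the legacy crypto choices in one config: the first things to tailor."""
    found = parse(config)
    hits = [f"{f}={found[f]}" for f, bad in LEGACY.items() if found.get(f) in bad]
    hits += [f"transform={t}" for t in found.get("transform", "").split() if t in LEGACY_TRANSFORMS]
    return hits


if __name__ == "__main__":
    print("pair problems:", check_pair(R1_CONFIG, R2_CONFIG) or "none")
    print("legacy choices on R1:", legacy_algorithms(R1_CONFIG))
```

Run it against a real pair by pasting each router's `show running-config` section into the two strings; a single changed `hash` or `group` on one side shows up as a named mismatch instead of a tunnel that silently stays down.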
