[c-nsp] GRE over IPSec

Luan Nguyen luan at netcraftsmen.net
Fri Sep 19 21:41:22 EDT 2008


Justin,

You could try the following:

! Phase 1 (IKE) policy: 3DES, pre-shared key authentication, DH group 2
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! Pre-shared key for the ASA peer
crypto isakmp key cisco address j.j.j.j
!
! Phase 2 transform set: ESP with 3DES encryption and SHA-1 HMAC
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
!
! Crypto map: the peer is the ASA; the ACL "remote" selects what gets encrypted
crypto map vpn 10 ipsec-isakmp
 set peer j.j.j.j
 set transform-set 3dessha
 set pfs group1
 match address remote
!
! Match the GRE outer packets between the tunnel endpoints,
! not the LAN prefixes carried inside the tunnel
ip access-list extended remote
 permit gre host y.y.y.y host z.z.z.z
!
! GRE tunnel from the local WAN address to the IOS router behind the ASA
interface tunnel0
 ip address x.x.x.x
 tunnel source y.y.y.y
 tunnel destination z.z.z.z
!
! Apply the crypto map on the WAN interface the GRE packets leave through
interface WAN
 ip address y.y.y.y
 crypto map vpn
!
! Run the routing protocol over the tunnel subnet and the LAN
router eigrp 1
 network x.x.x.x
 network LAN

Where j.j.j.j is the ASA address and z.z.z.z is your router behind it.

-Luan

----------------------------------------------------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
----------------------------------------------------------------------------



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Friday, September 19, 2008 5:04 PM
To: 'Cisco-nsp'
Subject: [c-nsp] GRE over IPSec

I'm trying to figure out if a router can push a GRE tunnel over top of 
an IPSec tunnel that's originated on the same router, through an ASA 
terminating the other end of the IPSec tunnel and to another IOS router 
behind the ASA.  I've seen this done with an ASA at both sites in front 
of the local router but I've never seen it done with the router 
originating the IPsec tunnel.  Is this possible?  Any tips on how to 
accomplish this?  I'm thinking that the tunnel destination should be the IOS 
router at the remote site which should also match the ACL for traffic to 
a given destination (the remote end of the tunnel).  I'm not sure what 
the order of operations would be though so I'm not sure if the GRE 
tunnel would end up in the IPSec tunnel.

I want to deploy 800-series wifi routers at remote sites (COs, large 
cabinets, etc) and have them VPN back to our HQ's ASAs and a second 
backup site.  I'd like to run a routing protocol out to them to give 
them 2 paths into our network over the 2 tunnels, preferably OSPF in 
this case.  My thought was a simple pair of GRE tunnels through the 
IPSec tunnels.  I could always place an IOS router at the HQ and use it 
to terminate IPSec-encrypted GRE tunnels.  That would add more cost 
though.  I already have one at the backup site though.

Suggestions?  Thanks
  Justin


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
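The order-of-operations question in the original message (whether the GRE tunnel ends up inside the IPsec tunnel) is the point the posted crypto ACL turns on: the tunnel interface encapsulates first, and the crypto map on the WAN interface then classifies the resulting outer packet, which is GRE (IP protocol 47) from the tunnel source to the tunnel destination. The following script is an added example, not code from the thread or from Cisco; it builds a LAN packet, GRE-encapsulates it the way tunnel0 would, and evaluates two crypto ACLs against the outer header. The addresses, prefixes and ACL entries are constructed stand-ins for the thread's x/y/z placeholders.

```python
"""Models the order of operations the thread asks about: on IOS, a packet
routed into tunnel0 is GRE-encapsulated first, and only the resulting outer
packet (tunnel source -> tunnel destination, IP protocol 47) is checked against
the crypto map ACL on the WAN interface. That is why the posted ACL permits
'gre host y.y.y.y host z.z.z.z' rather than the LAN prefixes.

Addresses, prefixes and ACL entries here are constructed for the example.
"""
import ipaddress
import struct

GRE_PROTO = 47
ETHERTYPE_IPV4 = 0x0800
IPV4_FMT = "!BBHHHBBH4s4s"          # 20-byte IPv4 header without options

# Constructed stand-ins for the thread's placeholders.
TUNNEL_SRC = "198.51.100.10"        # y.y.y.y, the local WAN address
TUNNEL_DST = "203.0.113.20"         # z.z.z.z, the IOS router behind the ASA

# ACL entries as (action, protocol, source prefix, destination prefix);
# first match wins and there is an implicit deny at the end, as on IOS.
CRYPTO_ACL_GRE = [("permit", "gre", "198.51.100.10/32", "203.0.113.20/32")]
CRYPTO_ACL_LAN = [("permit", "ip", "10.1.0.0/16", "10.2.0.0/16")]  # the tempting mistake

PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": GRE_PROTO}


def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal IPv4 header; the checksum is left at zero because
    nothing here puts the packet on the wire."""
    return struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4(packet):
    """Return (src, dst, proto) from the header at the start of packet."""
    fields = struct.unpack(IPV4_FMT, packet[:20])
    if fields[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return (str(ipaddress.IPv4Address(fields[8])),
            str(ipaddress.IPv4Address(fields[9])), fields[6])


def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """What 'interface tunnel0' does to a packet routed into it: prepend a
    4-byte GRE header (no flags, protocol type IPv4) and an outer IPv4 header
    from tunnel source to tunnel destination with protocol 47."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner


def acl_matches(acl, packet):
    """Evaluate an extended ACL against a packet's outermost IPv4 header."""
    src, dst, proto = parse_ipv4(packet)
    for action, proto_name, src_net, dst_net in acl:
        wanted = PROTO_NUMBERS[proto_name]
        if wanted is not None and wanted != proto:
            continue
        if (ipaddress.IPv4Address(src) in ipaddress.IPv4Network(src_net)
                and ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(dst_net)):
            return action == "permit"
    return False  # implicit deny


def will_be_encrypted(crypto_acl, lan_packet, tunnel_src, tunnel_dst):
    """Encapsulate first, then classify: the crypto map only ever sees the
    GRE outer packet leaving the WAN interface."""
    return acl_matches(crypto_acl, gre_encapsulate(lan_packet, tunnel_src, tunnel_dst))


if __name__ == "__main__":
    lan_packet = ipv4_header("10.1.0.5", "10.2.0.7", 6, 0)   # TCP, no payload
    for name, acl in (("gre ACL", CRYPTO_ACL_GRE), ("LAN ACL", CRYPTO_ACL_LAN)):
        print(f"{name}: matches inner={acl_matches(acl, lan_packet)} "
              f"encrypted={will_be_encrypted(acl, lan_packet, TUNNEL_SRC, TUNNEL_DST)}")
```

Running it shows the two outcomes side by side: the GRE ACL never matches the LAN packet itself but does match the encapsulated packet, so the traffic is encrypted; the LAN-prefix ACL matches the inner packet and nothing else, so the GRE packets would leave the WAN interface in the clear. The same classification model applies to any protocol you carry over the tunnel, since the crypto map only ever sees the outer header.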