Look what I found …

16 Mar, 2011

The beauty of GRE

Posted by: admin In: Switching & Routing

First off, I found this GREAT article at http://deepakarora1984.blogspot.com/2010/08/gre-tunnels-unleashed-making-breaking.html; it's really good.

Thanks for explaining this for me Deepak.

GRE Tunnels Unleashed – Making, Breaking & Troubleshooting

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of network layer protocol packet types inside IP tunnels, creating a virtual point-to-point link to various brands of routers at remote points over an Internet Protocol (IP) internetwork.
It always kind of amazed me, but at the beginning of my career in networking I had a lot of problems understanding and configuring GRE tunnels.
Maybe the reason is that this topic is not very well documented on the Cisco DOC CD; at least that's what I think.
The problem for me was never configuring the tunnel itself, but rather understanding how to choose the tunnel source vs. the tunnel destination,
how GRE tunnels work from a technology point of view, their benefits, their drawbacks,
the GRE keepalive mechanism, what things can potentially cause problems with tunnels, etc.
Some tiny details before getting deeper:
GRE uses IP protocol number 47
RFC 1702
Types: P2P and P2MP (e.g. DMVPN, which is more of a security topic)
So let's begin, and let me explain each of these things one by one.
1.) Why we need GRE tunnels in the first place
GRE tunnels are helpful to a network administrator in many ways. For example, say you are running a routing protocol, or maybe static routing, with your ISP,
but you don't want the ISP to see your internal network. In that case, with the help of static routing or an IGP (which the ISP runs with you), you
establish basic connectivity between your branches through the ISP. Later you create tunnels between all the branches over the basic
connectivity you established earlier, run your routing protocol over the tunnels and exchange routes. Technically, once the
GRE tunnel is established between your branch offices, the ISP can't see what data is travelling inside the tunnel, or in other words your routes & data.
Another situation where we can use a GRE tunnel is to pass OSPF LSAs through a stub or totally stubby area. Once an area is configured as stub,
by default it will not let you create a virtual link over it or pass the LSAs a stub area is supposed to block, but somehow you need to do these things....
You get the idea: there are many other twists in the real world and in the CCIE lab exam where you can think of using tunnels, so basically it is a bandage you can use in many situations.
There are many more reasons, but these are the most common ones.
2.) Requirements to set up the tunnel:
The requirement to set up a tunnel is very simple: all you need is reachability between the two end points of the tunnel.
Usually you will see people using a loopback interface as the tunnel source, but technically you can choose any interface as the source
on your side. The destination will always be an IP address on the other side and can't be an interface, which makes sense too, as the local router doesn't know what interfaces exist on the other side.
One thing to keep in mind when choosing an interface as the source is that by default it will pick the primary IP of the interface,
so if you want to use a secondary IP, specify that secondary IP address explicitly as the tunnel source.
3.) Drawbacks of GRE tunnels:
There is only one major drawback of a GRE tunnel, and that is that it adds two extra headers to the original IP packet.
So those who are concerned with bandwidth may have some issues.
However, if you change the tunnel mode to "ipip" you can reduce some of the overhead, as an IPIP tunnel adds one header instead of the two that GRE adds, which makes it more efficient.
Here is how the process occurs for GRE:
You can also use other methods to save bandwidth, such as traditional TCP compression techniques or modern MQC-based techniques.
Another drawback is that GRE tunnels are not a very scalable solution. The default bandwidth for a GRE tunnel is just 9 Kbps with
an MTU size of 1514 bytes, so your routing protocol may not follow the path you want it to; watch out for such things in that case.
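
To make the header arithmetic concrete, here is an added Python example (not code from Deepak's post or from Cisco). It builds an outer IPv4 header plus the 4-byte base GRE header around a constructed inner packet, decapsulates it again, and computes the per-packet overhead of GRE (two headers, 24 bytes) against IPIP (one header, 20 bytes). The addresses reuse the lab's loopbacks; the inner packet and its payload are constructed. Two things the paragraph does not spell out fall out of running it: on a 1500-byte path the inner packet is limited to 1476 bytes (the IP MTU IOS sets on a GRE tunnel), and decapsulation needs nothing but the bytes, so anyone on the path can read the inner packet and the routing updates inside it. GRE adds no confidentiality on its own, which is what the IPsec section later on this page is for.

```python
import socket
import struct

IPPROTO_GRE = 47          # IP protocol number carried in the outer header for GRE
IPPROTO_IPIP = 4          # IP protocol number for IP-in-IP (tunnel mode ipip)
GRE_PTYPE_IPV4 = 0x0800   # GRE protocol-type field value for an inner IPv4 packet
IPV4_HDR_LEN = 20         # IPv4 header without options
GRE_BASE_HDR_LEN = 4      # flags/version (2 bytes) + protocol type (2 bytes)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; 0 when a valid checksum is included."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 header (no options) followed by the payload."""
    total_len = IPV4_HDR_LEN + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill checksum field
    return hdr + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload) after validating version and header checksum."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:IPV4_HDR_LEN])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, packet[ihl:total_len]


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """Outer IPv4 (protocol 47) + base GRE header (no C/K/S options) + inner packet."""
    gre_hdr = struct.pack("!HH", 0x0000, GRE_PTYPE_IPV4)
    return build_ipv4(outer_src, outer_dst, IPPROTO_GRE, gre_hdr + inner_packet)


def ipip_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """Outer IPv4 (protocol 4) directly followed by the inner packet: one extra header."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPIP, inner_packet)


def gre_decapsulate(packet: bytes):
    """Strip the outer IPv4 and GRE headers; return (outer_src, outer_dst, inner_packet)."""
    src, dst, proto, payload = parse_ipv4(packet)
    if proto != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE (47)")
    flags_ver, ptype = struct.unpack("!HH", payload[:GRE_BASE_HDR_LEN])
    if flags_ver & 0x0007 != 0:
        raise ValueError("unsupported GRE version")
    hdr_len = GRE_BASE_HDR_LEN
    # RFC 2784/2890 optional fields each add 4 bytes: C (checksum), K (key), S (sequence).
    if flags_ver & 0x8000:
        hdr_len += 4
    if flags_ver & 0x2000:
        hdr_len += 4
    if flags_ver & 0x1000:
        hdr_len += 4
    if ptype != GRE_PTYPE_IPV4:
        raise ValueError("inner protocol is not IPv4")
    return src, dst, payload[hdr_len:]


def tunnel_overhead(mode: str) -> int:
    """Bytes added per packet: GRE = outer IP + GRE header, IPIP = outer IP only."""
    return {"gre": IPV4_HDR_LEN + GRE_BASE_HDR_LEN, "ipip": IPV4_HDR_LEN}[mode]


def inner_mtu(mode: str = "gre", path_mtu: int = 1500) -> int:
    """Largest inner packet that still fits the path MTU without fragmentation."""
    return path_mtu - tunnel_overhead(mode)


def demo():
    # Constructed inner packet between the two LAN loopbacks of the lab (protocol 1 = ICMP).
    inner = build_ipv4("100.100.100.100", "200.200.200.200", 1, b"ping-payload")
    gre = gre_encapsulate("10.0.0.1", "20.0.0.1", inner)    # R1 Lo0 -> R3 Lo0
    ipip = ipip_encapsulate("10.0.0.1", "20.0.0.1", inner)
    outer_src, outer_dst, recovered = gre_decapsulate(gre)
    return {
        "gre_overhead": len(gre) - len(inner),
        "ipip_overhead": len(ipip) - len(inner),
        "inner_recovered": recovered == inner,
        "outer": (outer_src, outer_dst),
        "gre_inner_mtu": inner_mtu("gre"),
    }


if __name__ == "__main__":
    print(demo())
```

The decapsulator honours the C, K and S flag bits only to skip the optional fields; it does not verify a GRE checksum or key, which is enough to illustrate the framing but not a complete RFC 2890 implementation.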
Enough theory, I guess :-)
For the rest of the theoretical details I'll post some URLs for further reference.
Now let's create a GRE tunnel.
Here is the quick topology diagram:
Step 1:
Establish basic connectivity between the tunnel source and destination points. In our case we will use
R1's Lo0 interface as the tunnel source and the IP address of R3's Lo0 interface as the tunnel destination.
To establish reachability between these two end points we will run OSPF with our ISP router (R2).
So let's first establish basic connectivity between the end points:
################
***R1***

!
en
!
conf t
!
no ip domain-lo
!
ho R1
!
int lo0
ip add 10.0.0.1 255.255.255.255
exit
!
int lo1
ip add 100.100.100.100 255.255.255.0
exit
!
int s0/0
ip add 12.12.12.1 255.255.255.0
no sh
exit
!
router ospf 1
router-id 1.1.1.1
net 10.0.0.1 0.0.0.0 a 0
net 12.12.12.1 0.0.0.0 a 0
exit
!

##########################
***R2***
!
en
!
conf t
!
no ip domain-lo
!
ho R2
!
int s0/0
ip add 12.12.12.2 255.255.255.0
ip ospf 1 a 0
no sh
exit
!
int s0/1
ip add 23.23.23.2 255.255.255.0
ip ospf 1 a 0
no sh
exit
!
##########################

***R3***

!
en
!
conf t
!
no ip domain-lo
!
int lo0
ip add 20.0.0.1 255.255.255.255
exit
!
int lo1
ip add 200.200.200.200 255.255.255.0
exit
!
int s0/0
ip add 23.23.23.3 255.255.255.0
no sh
exit
!
router ospf 1
router-id 3.3.3.3
net 20.0.0.1 0.0.0.0 a 0
net 23.23.23.3 0.0.0.0 a 0
exit
!

—-
So by this time our OSPF should be working fine and R1's and R3's Lo0 interfaces should be able to reach each other.
Step 2:
In the second step we will create a virtual tunnel interface and assign it the following:
1. IP address
2. Tunnel source
3. Tunnel destination
Here is the quick config:
***R1***
!
int tu 0
ip address 13.13.13.1 255.255.255.0
tunnel source Loopback0
tunnel destination 20.0.0.1
! keepalive is optional
keepalive 1 3
exit
!
***R3***
!
int tu 0
ip address 13.13.13.3 255.255.255.0
! keepalive is optional
keepalive 1 3
tunnel source Loopback0
tunnel destination 10.0.0.1
exit
!
So by now your tunnel should have come up :-)
Step 3:
Now that the tunnel is up and running we can run our organizational IGP over the tunnel to establish complete connectivity among all locations.
In our case the Lo1 interface on R1/R3 represents the LAN segment, and the IGP we are running inside the organization is EIGRP AS 100.
Let's configure EIGRP for interface Lo1 on both routers and enable it over the tunnel interface.
***R1***
!
router eigrp 100
no au
net 100.100.100.100 0.0.0.0
net 13.13.13.1 0.0.0.0
exit
!
***R3***
!
router eigrp 100
no au
net 200.200.200.200 0.0.0.0
net 13.13.13.3 0.0.0.0
exit
!
################
Let's verify the routing tables and see if it's working as expected:
R1(config-router)#do sh ip ro
Gateway of last resort is not set

D    200.200.200.0/24 [90/297372416] via 13.13.13.3, 00:01:38, Tunnel0
100.0.0.0/24 is subnetted, 1 subnets
C       100.100.100.0 is directly connected, Loopback1
20.0.0.0/32 is subnetted, 1 subnets
O       20.0.0.1 [110/129] via 12.12.12.2, 00:10:24, Serial0/0
23.0.0.0/24 is subnetted, 1 subnets
O       23.23.23.0 [110/128] via 12.12.12.2, 00:10:24, Serial0/0
10.0.0.0/32 is subnetted, 1 subnets
C       10.0.0.1 is directly connected, Loopback0
12.0.0.0/24 is subnetted, 1 subnets
C       12.12.12.0 is directly connected, Serial0/0
13.0.0.0/24 is subnetted, 1 subnets
C       13.13.13.0 is directly connected, Tunnel0

***********************************

R2(config-router)#do sh ip ro -> ISP router doesn't have info about the client's EIGRP subnets
Gateway of last resort is not set

20.0.0.0/32 is subnetted, 1 subnets
O       20.0.0.1 [110/65] via 23.23.23.3, 00:11:33, Serial0/1
23.0.0.0/24 is subnetted, 1 subnets
C       23.23.23.0 is directly connected, Serial0/1
10.0.0.0/32 is subnetted, 1 subnets
O       10.0.0.1 [110/65] via 12.12.12.1, 00:12:01, Serial0/0
12.0.0.0/24 is subnetted, 1 subnets
C       12.12.12.0 is directly connected, Serial0/0

************************************

R3(config-router)#do sh ip ro
Gateway of last resort is not set

C    200.200.200.0/24 is directly connected, Loopback1
100.0.0.0/24 is subnetted, 1 subnets
D       100.100.100.0 [90/297372416] via 13.13.13.1, 00:03:33, Tunnel0
20.0.0.0/32 is subnetted, 1 subnets
C       20.0.0.1 is directly connected, Loopback0
23.0.0.0/24 is subnetted, 1 subnets
C       23.23.23.0 is directly connected, Serial0/0
10.0.0.0/32 is subnetted, 1 subnets
O       10.0.0.1 [110/129] via 23.23.23.2, 00:12:13, Serial0/0
12.0.0.0/24 is subnetted, 1 subnets
O       12.12.12.0 [110/128] via 23.23.23.2, 00:12:13, Serial0/0
13.0.0.0/24 is subnetted, 1 subnets
C       13.13.13.0 is directly connected, Tunnel0

So congratulations on building a GRE P2P tunnel successfully :-)
#####################################
Now one important thing you should always remember while building GRE tunnels is this:
The tunnel source and destination should always be learned outside the tunnel and never from inside the tunnel.... confused?
Let me show it to you guys.
Right now the tunnel source and destination (which are Lo0 of R1/R3) are learned via OSPF, and inside the tunnel we are running EIGRP.
But say I enable EIGRP on Lo0 on R1 & R3. Then, by basic routing fundamentals, EIGRP will start advertising the Lo0 interfaces
on both routers, and soon each router will update its routing table and install the EIGRP routes for the Lo0s, because EIGRP has a lower AD than OSPF.
Now we are learning the tunnel source & destination from the tunnel itself, which leads us to a chicken & egg problem. :-)

So let's first introduce this problem and see how we can fix it.

#####################################################

R1

!
router eigrp 100
net 10.0.0.1 0.0.0.0
exit
!

#####################################################

R3

!
router eigrp 100
net 20.0.0.1 0.0.0.0
exit
!

As soon as we do this, we will start seeing the following error messages on screen:

#####################################################

R3(config-router)#
*Mar  1 00:19:47.735: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
*Mar  1 00:19:48.735: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Mar  1 00:19:48.875: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 13.13.13.1 (Tunnel0) is down: interface down!

####################################################

soon after:

*Mar  1 00:20:49.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Mar  1 00:20:54.131: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 13.13.13.1 (Tunnel0) is up: new adjacency
*Mar  1 00:20:55.747: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
*Mar  1 00:20:56.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Mar  1 00:20:56.851: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 13.13.13.1 (Tunnel0) is down: interface down
######################################################

So basically what you will notice is that the tunnel keeps coming up and going down, up and down.....

Also you will notice that it's telling you about a route recursion issue. Earlier the route for the tunnel source and destination recursed to
an OSPF next hop, but now it sees an EIGRP next hop pointing to the tunnel itself, so it recognizes the chicken-and-egg problem and bounces
the tunnel, assuming there is a routing issue and that bouncing the tunnel may solve it :-)

To solve this problem there are actually many ways,

e.g. roll back to the previous config, or filter the tunnel source & destination IPs from the protocol running over the tunnel using AD, an ACL, a prefix list, etc.

Here is how I fixed it, by filtering the tunnel source & destination IPs using a distribute list:

R1

!
access-list 100 deny ip ho 13.13.13.3 20.0.0.0 0.255.255.255 log
access-l 100 permit ip any any log
!
router eigrp 100
distribute-list 100 in Tunnel0
exit
!
######################################################

R3

!
access-list 100 deny ip ho 13.13.13.1 10.0.0.0 0.255.255.255 log
access-l 100 permit ip any any log
!
router eigrp 100
distribute-list 100 in Tunnel0
exit
!

And sure enough, this solves the problem.

Just as a side note, in case you are new to distribute lists: in the ACL, the address after the host keyword is the next-hop IP address
from which we expect to receive the update, and the second portion is the actual network we need to filter. In my example
I filter the entire range, but you can be as specific as you want.
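
As an added illustration of the recursion problem and of what the distribute list does (not code from the post), the Python below models R1's routing table with administrative distances (OSPF 110, EIGRP 90), a longest-prefix lookup, and an inbound distribute-list evaluated with the extended-ACL semantics just described: source = advertising neighbour, destination = advertised network, each with a wildcard. Feeding it the EIGRP update R3 sends once 20.0.0.1 is in EIGRP shows the tunnel destination flipping to an EIGRP route out of Tunnel0, the condition behind %TUN-5-RECURDOWN; with the ACL applied, 20.0.0.0/8 from 13.13.13.3 is dropped, 20.0.0.1 stays an OSPF route via Serial0/0, and the LAN prefix is still learned over the tunnel. The Route and Ace classes, the table entries and R3's update are constructed to mirror the lab; the model keeps one best route per prefix and ignores metrics.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Administrative distances IOS assigns to the route sources used in the lab.
AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110}


@dataclass
class Route:
    prefix: str               # e.g. "20.0.0.1/32"
    proto: str                # key into AD
    next_hop: Optional[str]
    interface: str            # egress interface, e.g. "Tunnel0"


@dataclass
class Ace:
    """Extended-ACL entry as a distribute-list reads it: source = advertising
    neighbour, destination = advertised network (each as address + wildcard)."""
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str


class Rib:
    """Tiny routing table: one best route per prefix, lowest AD wins (metrics ignored)."""

    def __init__(self):
        self.routes = {}

    def install(self, route: Route) -> bool:
        current = self.routes.get(route.prefix)
        if current is None or AD[route.proto] < AD[current.proto]:
            self.routes[route.prefix] = route
            return True
        return False

    def lookup(self, addr: str) -> Optional[Route]:
        """Longest-prefix match, as the forwarding lookup does."""
        target, best = ip_address(addr), None
        for r in self.routes.values():
            net = ip_network(r.prefix)
            if target in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
                best = r
        return best


def tunnel_is_recursive(rib: Rib, tunnel_iface: str, tunnel_dest: str) -> bool:
    """True when the tunnel destination is itself reached through the tunnel,
    the condition IOS reports as %TUN-5-RECURDOWN."""
    r = rib.lookup(tunnel_dest)
    return r is not None and r.interface == tunnel_iface


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard means that bit must match."""
    mask = (~int(ip_address(wildcard))) & 0xFFFFFFFF
    return (int(ip_address(addr)) & mask) == (int(ip_address(base)) & mask)


def acl_permits(acl: List[Ace], neighbour: str, prefix: str) -> bool:
    """First matching entry decides; an unmatched update hits the implicit deny."""
    net_addr = str(ip_network(prefix).network_address)
    for ace in acl:
        if wildcard_match(neighbour, ace.src, ace.src_wc) and wildcard_match(net_addr, ace.dst, ace.dst_wc):
            return ace.action == "permit"
    return False


def receive_eigrp_update(rib: Rib, neighbour: str, iface: str, prefixes: List[str],
                         distribute_list_in: Optional[List[Ace]] = None) -> List[str]:
    """Install prefixes learned from neighbour on iface, after the inbound distribute-list."""
    installed = []
    for p in prefixes:
        if distribute_list_in is not None and not acl_permits(distribute_list_in, neighbour, p):
            continue
        if rib.install(Route(p, "eigrp", neighbour, iface)):
            installed.append(p)
    return installed


def r1_scenario(with_filter: bool) -> Rib:
    """R1's table from the lab, then the EIGRP update R3 sends once 20.0.0.1 is in EIGRP."""
    rib = Rib()
    rib.install(Route("10.0.0.1/32", "connected", None, "Loopback0"))
    rib.install(Route("12.12.12.0/24", "connected", None, "Serial0/0"))
    rib.install(Route("13.13.13.0/24", "connected", None, "Tunnel0"))
    rib.install(Route("20.0.0.1/32", "ospf", "12.12.12.2", "Serial0/0"))  # tunnel destination, learned outside
    rib.install(Route("23.23.23.0/24", "ospf", "12.12.12.2", "Serial0/0"))
    acl = None
    if with_filter:  # R1's distribute-list from the fix above
        acl = [Ace("deny", "13.13.13.3", "0.0.0.0", "20.0.0.0", "0.255.255.255"),
               Ace("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")]
    receive_eigrp_update(rib, "13.13.13.3", "Tunnel0", ["200.200.200.0/24", "20.0.0.1/32"], acl)
    return rib


if __name__ == "__main__":
    for f in (False, True):
        rib = r1_scenario(f)
        print("with filter" if f else "no filter", "-> recursive:",
              tunnel_is_recursive(rib, "Tunnel0", "20.0.0.1"), "| 20.0.0.1 via", rib.lookup("20.0.0.1").proto)
```

Run it and the unfiltered case reports recursive: True with 20.0.0.1 via eigrp, the filtered case recursive: False with 20.0.0.1 via ospf; the same check is what you would want in a pre-change review of any IGP that is about to be enabled on a tunnel source or destination interface.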

And here is some more, in case you want to add encryption over the GRE link so that your ISP goes blind.

Introduction

This document explains how to configure GRE over IPSec routing through a hub site to multiple remote sites. The Cisco 7206 router is the central site router, to which all the other sites connect through IPSec. The Cisco 2610, 3620, and 3640 routers are the remote routers. All sites are able to reach the main network behind the Cisco 7206 and all other remote sites through the tunnel to the main site, with routing updates taking place automatically via Enhanced Interior Gateway Routing Protocol (EIGRP).

Prerequisites

This document was developed and tested using the software and hardware versions below.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 7206 Router running Cisco IOS® Software Release 12.3(1) IK9S
  • Cisco 2621XM Router running Cisco IOS Software Release 12.3(1) IK9S
  • Cisco 3640 Router running Cisco IOS Software Release 12.3(1) IK9S
  • Cisco 3640 Router running Cisco IOS Software Release 12.3(1) IK9S

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Network Diagram

This document uses this network setup:

[Network diagram: multirout.gif]

Configure

This process guides you through configuring an IPSec tunnel to route through a hub and multiple remote sites. The process is separated into these three primary steps.

Configure the GRE Tunnels

Follow these steps to configure the GRE tunnels:

  1. Create a GRE tunnel from each remote site to the main office. Set up a tunnel interface on the Cisco 7206 router for each remote site.
    interface Tunnel0
     ip address 192.168.16.2 255.255.255.0
     tunnel source FastEthernet1/0
     tunnel destination 14.38.88.10
    !
    interface Tunnel1
     ip address 192.168.46.2 255.255.255.0
     tunnel source FastEthernet1/0
     tunnel destination 14.38.88.40
    !
    interface Tunnel2
     ip address 192.168.26.2 255.255.255.0
     tunnel source FastEthernet1/0
     tunnel destination 14.38.88.20

    The tunnel source for each tunnel is the FastEthernet1/0 interface, or the interface that is the Internet connection. The tunnel destination is the IP address of the remote router’s Internet interface. Each tunnel should have an IP address on a different, unused subnet.

  2. Configure the GRE tunnels on the Cisco 2610, 3620, and 3640 routers. The configurations are similar to the Cisco 7206 router's.

    Cisco 2610 Router

    interface Tunnel0
     ip address 192.168.16.1 255.255.255.0
     tunnel source Ethernet0/0
     tunnel destination 14.36.88.6

    Cisco 3620 Router

    interface Tunnel0
     ip address 192.168.26.1 255.255.255.0
     tunnel source Ethernet1/0
     tunnel destination 14.36.88.6

    Cisco 3640 Router

    interface Tunnel0
     ip address 192.168.46.1 255.255.255.0
     tunnel source Ethernet0/0
     tunnel destination 14.36.88.6

    Each remote router uses its local interface that connects to the Internet as the tunnel source. The remote routers correspond to the tunnel destination IP addresses in the configuration on the Cisco 7206 router. The tunnel destination IP address for each remote router corresponds to the IP address of the interface of the Cisco 7206 router that connects to the Internet. The IP address of the tunnel interface corresponds to an IP address on the same subnet as the tunnel interface of the Cisco 7206 router.

  3. Ensure that each remote router can ping the IP address of the tunnel destination and the main router's corresponding tunnel interface. Also, ensure that each router is pingable from the central site router.

    Cisco 2610 Router

    vpn2610#ping 14.36.88.6
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 14.36.88.6, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
    vpn2610#ping 192.168.16.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.16.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
    vpn2610#

    Cisco 3620 Router

    vpn3620#ping 14.38.88.6
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 14.38.88.6, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
    vpn3620#ping 192.168.26.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.26.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms
    vpn3620#

    Cisco 3640 Router

    vpn3640#ping 14.36.88.6
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 14.36.88.6, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
    vpn3640#ping 192.168.46.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.46.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
    vpn3640#

    Note: If not all routers can ping the central (hub) router, troubleshoot each connection as needed using these guidelines.

    • Can the remote router ping the hub router from public IP to public IP?
    • Is there any device blocking GRE between the two routers? (Firewall, access-list on router)
    • What does a show interface command show for the tunnel interface?

Configure the Encryption for the GRE Tunnels

Complete these steps to configure the encryption for the GRE tunnels:

  1. If the GRE tunnels come up, proceed with encrypting. First, create access lists to define the traffic for encryption. The access lists permit traffic from the local IP address on each router to the IP address on the opposite end.
    7206:
    access-list 130 permit gre host 14.36.88.6 host 14.38.88.40
    access-list 140 permit gre host 14.36.88.6 host 14.38.88.20
    access-list 150 permit gre host 14.36.88.6 host 14.38.88.10
    
    2610:
    access-list 120 permit gre host 14.38.88.10 host 14.36.88.6
    
    3620:
    access-list 110 permit gre host 14.38.88.20 host 14.36.88.6
    
    3640:
    access-list 100 permit gre host 14.38.88.40 host 14.36.88.6
  2. Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel. Not all tunnels have to use the same policy, key, or transform set. In this example, all tunnels use the same policy, key, and transform set for simplicity.

    Cisco 7206 Router

    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key cisco123 address 0.0.0.0
    !
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
     mode transport

    Cisco 2610 Router

    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
     mode transport

    Cisco 3620 Router

    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
     mode transport

    Cisco 3640 Router

    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
     mode transport
  3. Configure the crypto map. The central site has a separate sequence number for each connection.

    Cisco 7206 Router

    crypto map vpn 10 ipsec-isakmp
     set peer 14.38.88.40
     set transform-set strong
     match address 130
    crypto map vpn 20 ipsec-isakmp
     set peer 14.38.88.20
     set transform-set strong
     match address 140
    crypto map vpn 30 ipsec-isakmp
     set peer 14.38.88.10
     set transform-set strong
     match address 150

    Cisco 2610 Router

    crypto map vpn 10 ipsec-isakmp
     set peer 14.36.88.6
     set transform-set strong
     match address 120

    Cisco 3620 Router

    crypto map vpn 10 ipsec-isakmp
     set peer 14.36.88.6
     set transform-set strong
     match address 110

    Cisco 3640 Router

    crypto map vpn 10 ipsec-isakmp
     set peer 14.36.88.6
     set transform-set strong
     match address 100
  4. Apply the crypto map. The map should be applied to the tunnel interface and the physical interface that the packets exit.

    Cisco 7206 Router

    interface Tunnel0
     crypto map vpn
    interface Tunnel1
     crypto map vpn
    interface Tunnel2
     crypto map vpn
    interface FastEthernet1/0
     crypto map vpn

    Cisco 2610 Router

    interface Tunnel0
     crypto map vpn
    interface Ethernet0/0
     crypto map vpn

    Cisco 3620 Router

    interface Tunnel0
     crypto map vpn
    interface Ethernet1/0
     crypto map vpn

    Cisco 3640 Router

    interface Tunnel0
     crypto map vpn
    interface Ethernet0/0
     crypto map vpn
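
The four steps above contain the settings that most often go wrong in a GRE-over-IPsec rollout: the ISAKMP key is bound to address 0.0.0.0, which makes it a wildcard key that any peer knowing it may use to negotiate IKE; the transform set is esp-3des esp-md5-hmac, algorithms Cisco's current crypto guidance classes as legacy or to be avoided; and each crypto map entry's set peer must agree with the destination host in its match address ACL, or the SA never forms. Below is an added Python configuration check (not Cisco tooling and not from the original document) that parses just that subset of IOS syntax and reports those three conditions. SAMPLE_7206 is a constructed excerpt modelled on the 7206 configuration on this page with two of its three spokes; SAMPLE_PEER_TYPO is the same text with one peer address deliberately altered so the consistency check fires.

```python
import re
from typing import Dict, List, Tuple

# Algorithms treated as legacy for this check; still common in older examples.
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}


def parse_ios_crypto(config_text: str):
    """Extract pre-shared keys, transform sets, crypto map entries and GRE crypto ACLs
    from an IOS configuration (only the subset of syntax used on this page)."""
    psks: List[Dict[str, str]] = []
    transform_sets: Dict[str, List[str]] = {}
    crypto_maps: Dict[Tuple[str, int], Dict[str, str]] = {}
    acls: Dict[str, List[Tuple[str, str]]] = {}
    current_map = None
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        indented = raw.startswith(" ")
        if not indented:
            current_map = None  # any top-level command leaves crypto map sub-mode
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)(?: (\S+))?$", stripped):
            psks.append({"key": m.group(1), "peer": m.group(2), "mask": m.group(3) or ""})
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", stripped):
            transform_sets[m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", stripped):
            current_map = (m.group(1), int(m.group(2)))
            crypto_maps[current_map] = {}
        elif m := re.match(r"access-list (\d+) permit gre host (\S+) host (\S+)$", stripped):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif indented and current_map is not None:
            if m := re.match(r"set peer (\S+)$", stripped):
                crypto_maps[current_map]["peer"] = m.group(1)
            elif m := re.match(r"set transform-set (\S+)$", stripped):
                crypto_maps[current_map]["transform_set"] = m.group(1)
            elif m := re.match(r"match address (\S+)$", stripped):
                crypto_maps[current_map]["acl"] = m.group(1)
    return psks, transform_sets, crypto_maps, acls


def audit(config_text: str) -> List[str]:
    """Return human-readable findings for the GRE-over-IPsec crypto configuration."""
    psks, tsets, cmaps, acls = parse_ios_crypto(config_text)
    findings = []
    for p in psks:
        if p["peer"] == "0.0.0.0":
            findings.append(f"wildcard pre-shared key '{p['key']}': any peer that knows the key can negotiate IKE")
    for name, transforms in tsets.items():
        legacy = sorted(set(transforms) & LEGACY_TRANSFORMS)
        if legacy:
            findings.append(f"transform-set {name} uses legacy algorithms: {', '.join(legacy)}")
    for (mapname, seq), entry in sorted(cmaps.items()):
        peer, acl_id = entry.get("peer"), entry.get("acl")
        acl = acls.get(acl_id, [])
        if not acl:
            findings.append(f"crypto map {mapname} {seq}: ACL {acl_id} has no 'permit gre host ... host ...' entry")
        elif peer not in {dst for _, dst in acl}:
            findings.append(f"crypto map {mapname} {seq}: set peer {peer} does not match ACL {acl_id} "
                            f"destination(s) {[dst for _, dst in acl]}")
        if entry.get("transform_set") not in tsets:
            findings.append(f"crypto map {mapname} {seq}: transform-set {entry.get('transform_set')} is not defined")
    return findings


# Constructed sample modelled on the Cisco 7206 configuration above (two of its three spokes).
SAMPLE_7206 = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 14.38.88.40
 set transform-set strong
 match address 130
crypto map vpn 20 ipsec-isakmp
 set peer 14.38.88.20
 set transform-set strong
 match address 140
!
interface Tunnel0
 crypto map vpn
!
access-list 130 permit gre host 14.36.88.6 host 14.38.88.40
access-list 140 permit gre host 14.36.88.6 host 14.38.88.20
"""

# Same text with one constructed typo in a peer address, to show the consistency check fire.
SAMPLE_PEER_TYPO = SAMPLE_7206.replace(" set peer 14.38.88.20", " set peer 14.38.88.21")

if __name__ == "__main__":
    for label, cfg in (("7206", SAMPLE_7206), ("7206 with peer typo", SAMPLE_PEER_TYPO)):
        print(f"== {label} ==")
        for finding in audit(cfg):
            print(" -", finding)
```

On the sample as written the check reports the wildcard key and the legacy transform set; on the altered copy it adds the peer/ACL mismatch for crypto map vpn 20. Feeding it a real running-config works the same way, since the parser ignores every line it does not recognise.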

Configure the Routing Protocol

To configure the routing protocol, configure all sites with the autonomous system number and instruct the routing protocol (EIGRP) to share routes. Only networks that are included in the network statements are shared with the other routers by the routing protocol. The autonomous system number must match in all routers that participate in the sharing of routes. In this example, networks that can be summarized into one network statement are used for simplicity.

Cisco 7206 Router

router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes

Cisco 2610 Router

router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes

Cisco 3620 Router

router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes

Cisco 3640 Router

router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes

Sample Configurations

This document uses these sample configurations:

Cisco 7206 Router
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sec-7206
!
aaa new-model
aaa authentication ppp default local
!
username cisco password 0 cisco
!
!
!
!
ip subnet-zero
ip cef
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 14.38.88.40
 set transform-set strong
 match address 130
crypto map vpn 20 ipsec-isakmp
 set peer 14.38.88.20
 set transform-set strong
 match address 140
crypto map vpn 30 ipsec-isakmp
 set peer 14.38.88.10
 set transform-set strong
 match address 150
!
!
!
!
!
!
interface Tunnel0
 ip address 192.168.16.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.10
 crypto map vpn
!
interface Tunnel1
 ip address 192.168.46.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.40
 crypto map vpn
!
interface Tunnel2
 ip address 192.168.26.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.20
 crypto map vpn
!
interface FastEthernet0/0
 no ip address
 no ip mroute-cache
 shutdown
 media-type MII
 half-duplex
!
interface FastEthernet1/0
 ip address 14.36.88.6 255.255.0.0
 no ip mroute-cache
 half-duplex
 crypto map vpn
!
interface Virtual-Template1
 ip unnumbered FastEthernet1/0
 peer default ip address pool test
 ppp authentication ms-chap
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip local pool test 10.0.7.1 10.0.7.254
ip default-gateway 14.36.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 14.36.1.1
no ip http server
!
access-list 130 permit gre host 14.36.88.6 host 14.38.88.40
access-list 140 permit gre host 14.36.88.6 host 14.38.88.20
access-list 150 permit gre host 14.36.88.6 host 14.38.88.10
radius-server host 172.18.124.197 auth-port 1645 acct-port 1646 key cisco123
radius-server retransmit 3
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end

sec-7206#

Cisco 2610 Router
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn2610
!
!
ip subnet-zero
ip cef
!
!
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 14.36.88.6
 set transform-set strong
 match address 120
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.16.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 14.36.88.6
 crypto map vpn
!
interface Ethernet0/0
 ip address 14.38.88.10 255.255.0.0
 half-duplex
 crypto map vpn
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Ethernet0/1
 ip address dhcp
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 no ip address
 shutdown
!
interface Serial1/3
 no ip address
 shutdown
!
interface Serial1/4
 no ip address
 shutdown
!
interface Serial1/5
 no ip address
 shutdown
!
interface Serial1/6
 no ip address
 shutdown
!
interface Serial1/7
 no ip address
 shutdown
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 14.38.1.1
ip http server
!
access-list 120 permit gre host 14.38.88.10 host 14.36.88.6
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
line vty 5 15
 login
!
end

vpn2610#

Cisco 3620 Router
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn3620
!
!
ip subnet-zero
ip cef
!
!
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 14.36.88.6
 set transform-set strong
 match address 110
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.20.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.26.1 255.255.255.0
 tunnel source Ethernet1/0
 tunnel destination 14.36.88.6
 crypto map vpn
!
interface Ethernet1/0
 ip address 14.38.88.20 255.255.0.0
 half-duplex
 crypto map vpn
!
interface TokenRing1/0
 no ip address
 shutdown
 ring-speed 16
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 14.38.1.1
ip http server
!
access-list 110 permit gre host 14.38.88.20 host 14.36.88.6
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
end

vpn3620#

Cisco 3640 Router
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn3640
!
!
ip subnet-zero
ip cef
!
!
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 14.36.88.6
 set transform-set strong
 match address 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.40.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.46.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 14.36.88.6
 crypto map vpn
!
interface Ethernet0/0
 ip address 14.38.88.40 255.255.0.0
 half-duplex
 crypto map vpn
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
interface Ethernet3/0
 no ip address
 shutdown
 half-duplex
!
interface TokenRing3/0
 no ip address
 shutdown
 ring-speed 16
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 14.38.1.1
ip http server
!
access-list 100 permit gre host 14.38.88.40 host 14.36.88.6
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end

vpn3640#

Verify

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

  • show ip route: Use this command to ensure that routes are learned through the routing protocol.

Cisco 7206 Router

sec-7206#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 14.36.1.1 to network 0.0.0.0
C    192.168.46.0/24 is directly connected, Tunnel1
D    192.168.10.0/24 [90/297372416] via 192.168.16.1, 05:53:23, Tunnel0
D    192.168.40.0/24 [90/297372416] via 192.168.46.1, 05:53:23, Tunnel1
C    192.168.26.0/24 is directly connected, Tunnel2
D    192.168.20.0/24 [90/297372416] via 192.168.26.1, 05:53:21, Tunnel2
C    192.168.16.0/24 is directly connected, Tunnel0
     14.0.0.0/16 is subnetted, 1 subnets
C       14.36.0.0 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 14.36.1.1
sec-7206#

Cisco 2610 Router

vpn2610#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 14.38.1.1 to network 0.0.0.0
D    192.168.46.0/24 [90/310044416] via 192.168.16.2, 05:53:55, Tunnel0
C    192.168.10.0/24 is directly connected, Loopback0
D    192.168.40.0/24 [90/310172416] via 192.168.16.2, 05:53:55, Tunnel0
D    192.168.26.0/24 [90/310044416] via 192.168.16.2, 05:53:55, Tunnel0
D    192.168.20.0/24 [90/310172416] via 192.168.16.2, 05:53:53, Tunnel0
C    192.168.16.0/24 is directly connected, Tunnel0
     14.0.0.0/16 is subnetted, 1 subnets
C       14.38.0.0 is directly connected, Ethernet0/0
S*   0.0.0.0/0 [1/0] via 14.38.1.1
vpn2610#

Cisco 3620 Router

vpn3620#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 14.38.1.1 to network 0.0.0.0
D    192.168.46.0/24 [90/310044416] via 192.168.26.2, 05:54:15, Tunnel0
D    192.168.10.0/24 [90/310172416] via 192.168.26.2, 05:54:15, Tunnel0
D    192.168.40.0/24 [90/310172416] via 192.168.26.2, 05:54:15, Tunnel0
C    192.168.26.0/24 is directly connected, Tunnel0
C    192.168.20.0/24 is directly connected, Loopback0
D    192.168.16.0/24 [90/310044416] via 192.168.26.2, 05:54:15, Tunnel0
     14.0.0.0/16 is subnetted, 1 subnets
C       14.38.0.0 is directly connected, Ethernet1/0
S*   0.0.0.0/0 [1/0] via 14.38.1.1
vpn3620#

Cisco 3640 Router

vpn3640#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 14.38.1.1 to network 0.0.0.0
C    192.168.46.0/24 is directly connected, Tunnel0
D    192.168.10.0/24 [90/310172416] via 192.168.46.2, 05:54:32, Tunnel0
C    192.168.40.0/24 is directly connected, Loopback0
D    192.168.26.0/24 [90/310044416] via 192.168.46.2, 05:54:32, Tunnel0
D    192.168.20.0/24 [90/310172416] via 192.168.46.2, 05:54:30, Tunnel0
D    192.168.16.0/24 [90/310044416] via 192.168.46.2, 05:54:32, Tunnel0
     14.0.0.0/16 is subnetted, 1 subnets
C       14.38.0.0 is directly connected, Ethernet0/0
S*   0.0.0.0/0 [1/0] via 14.38.1.1
vpn3640#