Passing non-IP Traffic over IPSEC VPN using GRE over IPSEC

IPSEC VPN is a great technology for encrypting and securing communications between networks. Its one drawback is that IPSEC supports only IP unicast traffic and nothing else. If you want to securely pass multicast or non-IP traffic between sites, then IPSEC alone will not work. Fortunately, Cisco routers support GRE (Generic Routing Encapsulation), a tunneling protocol that can encapsulate a variety of network layer packet types inside a point-to-point tunnel. GRE can therefore carry multicast traffic, routing protocol packets (OSPF, EIGRP, etc.) and other non-IP traffic. The downside of GRE is that it is not as secure as IPSEC: on its own it provides no encryption or authentication. By running GRE over IPSEC we get the best of both technologies: security and support for many network protocols. Some applications of GRE over IPSEC are the following:
 

  • Pass multicast traffic from a video server of one site to another site over the Internet.
  • Pass routing protocol updates (multicast traffic) between sites working in an IPSEC VPN topology.
  • Running Novell IPX between IPSEC VPN sites.
  • Use load balancing with a routing protocol between IPSEC VPN sites.

Configuration example

Below we will describe a configuration example between two Cisco routers running GRE over IPSEC via the Internet.

[Diagram: Cisco GRE over IPSEC between two routers]

From the diagram above, we have two private LAN networks, 192.168.1.0/24 and 192.168.2.0/24, and we want to send non-IP or non-unicast traffic between them (e.g. multicast video server traffic from Site-A to Site-B, or any other non-IP, non-unicast traffic). Each router has a static public IP address on its FE0/1 outside interface (100.100.100.1 and 200.200.200.1), over which the IPSEC tunnel is established. The GRE tunnel runs between two private IP addresses (10.0.0.1 and 10.0.0.2) configured on each router under the interface Tunnel0 command. The scenario also includes NAT for general Internet access from the local networks.

SITE-A

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE-A
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
!
!-- This is the IPsec configuration.
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key testkey123 address 200.200.200.1
!
crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set ESPDES-TS
 match address 101
!
!-- This is one end of the GRE tunnel.
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 !-- Associate the tunnel with the physical outside interface.
 tunnel source FastEthernet0/1
 tunnel destination 200.200.200.1
 !-- Attach the IPSEC crypto map to the GRE tunnel.
 crypto map myvpn
!
!-- This is the internal network.
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
!-- This is the external interface and one end of the GRE tunnel.
!
interface FastEthernet0/1
 ip address 100.100.100.1 255.255.255.0
 ip nat outside
 crypto map myvpn
!
!-- Define the NAT pool.
!
ip nat pool NATPOOL 100.100.100.2 100.100.100.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool NATPOOL overload
ip classless
!
ip route 0.0.0.0 0.0.0.0 100.100.100.254
!
!-- Force the private network traffic into the tunnel.
!
ip route 192.168.2.0 255.255.255.0 10.0.0.2
!
!-- All traffic that enters the GRE tunnel is encrypted by IPsec.
!
access-list 101 permit gre host 100.100.100.1 host 200.200.200.1
!
!-- Use the access list in a route-map to select what to NAT.
!
access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 175
!
end

 

SITE-B

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE-B
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
!
!-- This is the IPsec configuration.
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key testkey123 address 100.100.100.1
!
crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 100.100.100.1
 set transform-set ESPDES-TS
 match address 101
!
!-- This is one end of the GRE tunnel.
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 !-- Associate the tunnel with the physical outside interface.
 tunnel source FastEthernet0/1
 tunnel destination 100.100.100.1
 !-- Attach the IPSEC crypto map to the GRE tunnel.
 crypto map myvpn
!
!-- This is the internal network.
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
!-- This is the external interface and one end of the GRE tunnel.
!
interface FastEthernet0/1
 ip address 200.200.200.1 255.255.255.0
 ip nat outside
 crypto map myvpn
!
!-- Define the NAT pool.
!
ip nat pool NATPOOL 200.200.200.2 200.200.200.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool NATPOOL overload
ip classless
!
ip route 0.0.0.0 0.0.0.0 200.200.200.254
!
!-- Force the private network traffic into the tunnel.
!
ip route 192.168.1.0 255.255.255.0 10.0.0.1
!
!-- All traffic that enters the GRE tunnel is encrypted by IPsec.
!
access-list 101 permit gre host 200.200.200.1 host 100.100.100.1
!
!-- Use the access list in a route-map to select what to NAT.
!
access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 175
!
end
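
A consistency check for the two configurations above, as an added example that is not part of the post: it takes the pairing-relevant lines of SITE-A and SITE-B (constructed sample input excerpted from the configs above), parses them and verifies the invariants both ends must satisfy: the ISAKMP key and the crypto map peer point at the other router's public address, the tunnel destination matches it, access-list 101 names this router's public address as source and the peer's as destination, the remote LAN route points at the peer's Tunnel0 address, and the NAT exemption covers the remote LAN. Field names such as tsrc and nonat are this script's own.

```python
import re
# Lines excerpted from the post's SITE-A and SITE-B configs (constructed sample input).
SITE_A = """\
crypto isakmp key testkey123 address 200.200.200.1
set peer 200.200.200.1
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 200.200.200.1
interface FastEthernet0/1
 ip address 100.100.100.1 255.255.255.0
ip route 192.168.2.0 255.255.255.0 10.0.0.2
access-list 101 permit gre host 100.100.100.1 host 200.200.200.1
access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"""

SITE_B = """\
crypto isakmp key testkey123 address 100.100.100.1
set peer 100.100.100.1
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 100.100.100.1
interface FastEthernet0/1
 ip address 200.200.200.1 255.255.255.0
ip route 192.168.1.0 255.255.255.0 10.0.0.1
access-list 101 permit gre host 200.200.200.1 host 100.100.100.1
access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"""

PATTERNS = {  # field -> regex capturing the values the two peers must agree on
    "key": r"crypto isakmp key (\S+) address (\S+)",
    "peer": r"set peer (\S+)",
    "tsrc": r"tunnel source (\S+)",
    "tdst": r"tunnel destination (\S+)",
    "route": r"ip route (?!0\.0\.0\.0)(\S+) (\S+) (\S+)",  # skip the default route
    "gre": r"access-list 101 permit gre host (\S+) host (\S+)",
    "nonat": r"access-list 175 deny ip (\S+) \S+ (\S+) \S+",
}

def parse(cfg):  # extract the fields the GRE-over-IPsec pairing depends on
    f, ctx = {"ip": {}}, None  # ctx = interface whose submode we are in
    for s in (line.strip() for line in cfg.splitlines()):
        if s.startswith("interface "):
            ctx = s.split()[1]
        elif s.startswith("ip address ") and ctx:
            f["ip"][ctx] = s.split()[2]  # interface name -> its address
        f.update({k: m.groups() for k, p in PATTERNS.items() if (m := re.match(p, s))})
    return f

def check_pair(a, b):  # return mismatches between the two peers; [] means consistent
    issues = []
    for me, peer in ((a, b), (b, a)):
        mine, theirs = me["ip"][me["tsrc"][0]], peer["ip"][peer["tsrc"][0]]  # public IPs
        expected = {  # what this side must say about its peer
            "peer": (theirs,), "tdst": (theirs,), "gre": (mine, theirs),
            "key": (peer["key"][0], theirs),  # same PSK, bound to the peer's address
            "route": (me["route"][0], me["route"][1], peer["ip"]["Tunnel0"]),
            "nonat": (me["nonat"][0], me["route"][0])}  # exempt LAN-to-LAN from NAT
        issues += [f"{mine}: {k} is {me[k]}, expected {v}" for k, v in expected.items() if me[k] != v]
    return issues
```

A transposed address on either side shows up as a one-line finding naming the router and the field. The checker does not judge the transform set; esp-des with esp-md5-hmac, as used in the example, are legacy algorithms, and a current deployment would use an AES/SHA transform set.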


32 Responses to 'Passing non-IP Traffic over IPSEC VPN using GRE over IPSEC'

  1. Mario - March 27th, 2009 at 5:31 am

    Hi,

    Haven’t you forgotten to add the PIM details on the various interfaces so the multicast receivers at SITE B can send a “join” for the multicast stream available at SITE A?

    I’d appreciate if you could reply with your comment.

    Regards,
    Mario

  2. BlogAdmin - March 27th, 2009 at 12:41 pm

    Hello Mario, thanks for your comment.

    Yes, indeed you are correct. If you are using GRE over IPSEC with a multicast Server on one site and multicast clients on the other site, then you will need to add on both the Tunnel Interfaces and the Ethernet Interfaces facing the LAN (for both site routers) the following commands:

    interface Tunnel0
     ip pim dense-mode

    interface FastEthernet0/0
     ip pim dense-mode

    Hope this clarified your question

  3. Sunny - April 29th, 2009 at 9:30 am

    Is it possible to route VLAN traffic over IPSec using GRE?

    E.g. LAN A vlan 5 can talk to LAN B vlan 5

    Many thanks

  4. BlogAdmin - April 29th, 2009 at 10:28 am

    Hello Sunny,

    Thanks for your question. No, you cannot do that over IPSEC/GRE tunnels. For this to work you need some sort of Layer 2 VPN (such as MPLS Layer 2 VPN like martini link). The Service Providers usually offer such a Layer 2 connectivity over their MPLS infrastructure.

    Thanks

    Harris

  5. Rick - July 24th, 2009 at 10:41 pm

    Is there a way to run GRE over IPSec when using the Cisco VPN Client to connect to an ASA 5505?

    We have a remote PC that can “see” a bank of IP Radios through the VPN, which is passing IP and UDP traffic, but your post suggests we may need the GRE setup you describe in order for everything to work.

    I appreciate your taking time to post this information, and to field our question–it’s been a TON of effort to get as far as we are!

    Rick

  6. BlogAdmin - July 25th, 2009 at 5:28 am

    Hello Rick,

    If the IP Radios send traffic as multicast, then you will need GRE over IPSEC. However, this functionality (GRE over IPSEC) is not supported on Cisco VPN clients. You could install a small Cisco router on the remote site in order to configure GRE over IPSEC. However, keep in mind also that ASA does not support termination of GRE tunnels.

  7. Rick - July 28th, 2009 at 4:05 pm

    Thank you for your prompt and informative reply. I am working with customer service to purchase your book now!

    Regarding my current project, however…can you recommend a “small Cisco router” for the remote site?

    It sounds like another ASA 5505 will not work…is that correct?

    The IP Radios “do” send traffic as multicast…and it is the RTP/RTCP traffic that is not currently being sent across the VPN.

    This is our local Emergency Management Agency (EMA), so the “remote sites” are typically mobile units out in the field during a disaster…thus, we had hoped the Cisco VPN “client” would suffice.

    I will look forward to digesting your book for this and future projects, and really appreciate your taking time to help!

    Rick

  8. BlogAdmin - July 30th, 2009 at 1:08 am

    Hello Rick,

    A possible small Cisco router for supporting your scenario and which supports GRE over IPSEC is the 800 series (look at the 871 for example). As I mentioned before, another ASA 5505 will not work because it does not support GRE.

    Have a nice day and thank you for purchasing my ebook.

    Harris

  9. guest - August 8th, 2009 at 5:59 pm

    Hey,

    Just wanted to let you know that you do not need that NAT exemption for private to private networks because of a few things:
    1. ip nat inside is NOT applied to the tunnel interface.
    2. 192.168.2.0 will be routed through a locally connected (non NAT outside) interface so the address swap and port mapping will never take place.

    Just wanted to clarify what you had.

  10. Nagaraj - October 7th, 2009 at 1:38 pm

    Is this still true with virtual tunnel interface (VTI)? Since IPSec can be exposed as logical interface (VTI), multicast routing updates can also be carried in ipsec tunnel. If that is the case do we still need GRE tunnel to carry routing updates (multicast packets)?

    Thanks,
    Nagaraj

  11. BlogAdmin - October 9th, 2009 at 4:40 pm

    To be honest I haven’t tried the scenario you are describing. In my opinion, you will still need GRE even if you use VTI. The problem with the multicast traffic and IPSEC is that IPSEC is a pure IP unicast technology and so it does not support multicast traffic, that is why we use GRE.

  12. Harris - January 19th, 2010 at 8:47 am

    Is it possible to have the same subnet on both sites and do bridging (sending layer 2 frames between the two sites) over the VPN?

  13. BlogAdmin - January 19th, 2010 at 9:04 am

    No, unfortunately this is not possible using GRE over IPSEC. You can look into L2TP for this scenario or even MPLS Layer2 VPN from a service provider.

  14. JKL - March 18th, 2010 at 6:40 pm

    Hi. You said that this is not possible on ASA5505. Any other workaround possible for ASA? I have such problem just right now and not a clue how to make it work.
    Many thanks.

  15. BlogAdmin - March 19th, 2010 at 1:43 am

    If you are trying to pass OSPF over the IPSEC tunnel, then you can do it without GRE. See the following link http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

    Otherwise you can get a small 800 series router that supports GRE.

  16. JKL - March 19th, 2010 at 3:47 am

    I need to enable multicast traffic between 2 ASAs. Will that do the trick?

    Thanks.

  17. BlogAdmin - March 19th, 2010 at 4:36 am

    If you don’t have IPSEC between them but normal IP routing then it will work. I assumed that you have IPSEC between the ASA.

  18. JKL - March 22nd, 2010 at 10:37 am

    I do have IPSEC. I have site-to-site vpn between the ASA. No way to enable multicast?

  19. BlogAdmin - March 23rd, 2010 at 12:39 pm

    You can not pass multicast inside IPSec since IPSec supports only IP unicast traffic.

  20. dokafe - June 8th, 2010 at 9:50 pm

    Which of the following is a method for handling non-IP traffic in VPN?
    a) GRE
    b) SSL
    c) TLS
    d) All of the above

  21. Blog Admin - June 9th, 2010 at 4:08 pm

    Is this a quiz question? :)

    Well the answer is a) GRE

  22. dokafe - June 19th, 2010 at 2:12 am

    uuuuuuuuuuu are so kind

    yep bro

    love ur help

  23. Enzo - November 4th, 2010 at 3:35 pm

    Hi;

    Is it possible to enable GRE with an ADSL connection? I need to work with a dynamic IP using PAT (Port Address Translation). I tried with port assignment, but it does not work.

  24. Blog Admin - November 4th, 2010 at 7:05 pm

    GRE has problems with NAT (especially PAT). No it will not work.

  25. Hiraman - January 9th, 2011 at 3:02 am

    I have set this up in my LAB without NAT.
    Both networks can reach each other over the tunnel.
    But my question is how can we verify whether encryption is happening or not.
    I used “sh crypto isakmp sa” and “sh crypto ipsec sa”.
    They didn’t show any output.

  26. Hiraman - January 9th, 2011 at 3:20 am

    I enabled the ip cache flow command on the Internet router.
    I saw GRE packets passing through.
    My question is: are GRE packets visible to the ISP?

    Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
    --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
    GRE                  8      0.0         7   108      0.0       3.4      15.4
    Total:               8      0.0         7   108      0.0       3.4      15.4

    SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
    Se1           200.200.200.1   Se0           100.100.100.1   2F 0000 0000     5
    Se0           100.100.100.1   Se1           200.200.200.1   2F 0000 0000     5
    R3#

  27. Blog Admin - January 12th, 2011 at 7:52 pm

    GRE packets are visible but the carried traffic within the GRE tunnel is encrypted by ipsec.
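
A check for the question raised in comments 25 and 26, as an added example that is not part of the post or its comments: it parses flow records in the layout of the show ip cache flow output quoted above (the Pr column is the IP protocol number in hex, ports are hex too) and, for flows between the two public tunnel endpoints of the post's example, distinguishes IKE on UDP/500, ESP (protocol 50, 0x32) and bare GRE (protocol 47, 0x2F). When the crypto map is engaged the GRE tunnel packets travel inside ESP, so ESP is what an on-path observer such as the ISP sees; GRE flows between the two peers indicate tunnel traffic that IPsec is not protecting. The sample records and the 192.0.2.77 address are constructed.

```python
import re

# Constructed flow records in the layout of the "show ip cache flow" output quoted
# above (SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts), as an Internet
# router between the two sites might record them. Pr and the ports are hex.
SAMPLE_FLOWS = """\
Se1 200.200.200.1 Se0 100.100.100.1 11 01F4 01F4 4
Se0 100.100.100.1 Se1 200.200.200.1 11 01F4 01F4 4
Se1 200.200.200.1 Se0 100.100.100.1 32 0000 0000 57
Se0 100.100.100.1 Se1 200.200.200.1 32 0000 0000 61
Se1 200.200.200.1 Se0 100.100.100.1 2F 0000 0000 5
Se0 192.0.2.77 Se1 200.200.200.1 2F 0000 0000 9"""

PEERS = {"100.100.100.1", "200.200.200.1"}  # the post's public tunnel endpoints
GRE, ESP, UDP, IKE_PORT = 0x2F, 0x32, 0x11, 0x01F4  # protocols 47, 50, 17; port 500
FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"  # SrcIf SrcIP DstIf DstIP
                     r"([0-9a-f]{2})\s+([0-9a-f]{4})\s+([0-9a-f]{4})\s+(\d+)$", re.I)

def parse_flows(text):
    """Yield (src, dst, proto, sport, dport, pkts) per flow line; header and prompt lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            _, src, _, dst, pr, sp, dp, pkts = m.groups()
            yield src, dst, int(pr, 16), int(sp, 16), int(dp, 16), int(pkts)

def classify(flow):
    """Label a flow between the two peers: 'ike', 'esp', 'cleartext-gre' or 'other'."""
    src, dst, proto, sport, dport, _ = flow
    if {src, dst} != PEERS:
        return "other"          # not the VPN pair, outside this check's scope
    if proto == UDP and IKE_PORT in (sport, dport):
        return "ike"            # ISAKMP negotiation, expected in the clear
    if proto == ESP:
        return "esp"            # the encrypted GRE tunnel traffic
    if proto == GRE:
        return "cleartext-gre"  # GRE between the peers with no ESP around it
    return "other"

def audit(text):
    """Count flows per class and return (counts, findings) for the VPN pair."""
    counts, findings = {}, []
    for flow in parse_flows(text):
        label = classify(flow)
        counts[label] = counts.get(label, 0) + 1
        if label == "cleartext-gre":
            findings.append(f"{flow[0]} -> {flow[1]}: {flow[5]} GRE packets not protected by ESP")
    if counts.get("cleartext-gre") and not counts.get("esp"):
        findings.append("no ESP between the peers at all: the crypto map is not engaging")
    return counts, findings
```

The regex is tied to this column layout, so confirm the column order before running it over a real export.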

  28. liaz - February 23rd, 2011 at 1:16 pm

    Hi, I applied the configuration as mentioned on 2 Cisco 877s in a lab.
    I am missing something because it doesn’t work.
    Actually, I used 3 Cisco 877s, 2 for sites A and B and 1 acting as the Internet router.
    I can ping the external IPs but no VPN or GRE tunnel is up…
    Here are the configs:

    SITE A
    ------

    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SITE-A
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    !
    no aaa new-model
    ip subnet-zero
    !
    !-- This is the IPsec configuration.
    !
    crypto isakmp policy 10
     authentication pre-share
    !
    crypto isakmp key testkey123 address 200.200.200.1
    !
    crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
    !
    crypto map myvpn 10 ipsec-isakmp
     set peer 200.200.200.1
     set transform-set ESPDES-TS
     match address 101
    !
    !-- This is one end of the GRE tunnel.
    !
    interface Tunnel0
     ip address 10.0.0.1 255.255.255.0
     !-- Associate the tunnel with the physical outside interface.
     tunnel source FastEthernet0/1
     tunnel destination 200.200.200.1
     !-- Attach the IPSEC crypto map to the GRE tunnel.
     crypto map myvpn
    !
    !-- This is the internal network.
    !
    interface VLAN 1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
    !
    !-- This is the external interface and one end of the GRE tunnel.
    !
    interface VLAN 2
     ip address 100.100.100.1 255.255.255.0
     ip nat outside
     crypto map myvpn
    !
    !-- Define the NAT pool.
    !
    ip nat pool NATPOOL 100.100.100.2 100.100.100.20 netmask 255.255.255.0
    ip nat inside source route-map nonat pool NATPOOL overload
    ip classless
    !
    ip route 0.0.0.0 0.0.0.0 100.100.100.254
    !
    !-- Force the private network traffic into the tunnel.
    !
    ip route 192.168.2.0 255.255.255.0 10.0.0.2
    !
    !-- All traffic that enters the GRE tunnel is encrypted by IPsec.
    !
    access-list 101 permit gre host 100.100.100.1 host 200.200.200.1
    !
    !-- Use access list in route-map to address what to NAT.
    !
    access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 175 permit ip 192.168.1.0 0.0.0.255 any
    !
    route-map nonat permit 10
     match ip address 175
    !
    end

    Site B:
    -------

    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SITE-B
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    !
    no aaa new-model
    ip subnet-zero
    !
    !-- This is the IPsec configuration.
    !
    crypto isakmp policy 10
     authentication pre-share
    !
    crypto isakmp key testkey123 address 100.100.100.1
    !
    crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
    !
    crypto map myvpn 10 ipsec-isakmp
     set peer 100.100.100.1
     set transform-set ESPDES-TS
     match address 101
    !
    !-- This is one end of the GRE tunnel.
    !
    interface Tunnel0
     ip address 10.0.0.2 255.255.255.0
     !-- Associate the tunnel with the physical outside interface.
     tunnel source FastEthernet0/1
     tunnel destination 100.100.100.1
     !-- Attach the IPSEC crypto map to the GRE tunnel.
     crypto map myvpn
    !
    !-- This is the internal network.
    !
    interface vlan 1
     ip address 192.168.2.1 255.255.255.0
     ip nat inside
    !
    !-- This is the external interface and one end of the GRE tunnel.
    !
    interface vlan 25
     ip address 200.200.200.1 255.255.255.0
     ip nat outside
     crypto map myvpn
    !
    !-- Define the NAT pool.
    !
    ip nat pool NATPOOL 200.200.200.2 200.200.200.20 netmask 255.255.255.0
    ip nat inside source route-map nonat pool NATPOOL overload
    ip classless
    !
    ip route 0.0.0.0 0.0.0.0 200.200.200.254
    !
    !-- Force the private network traffic into the tunnel.
    !
    ip route 192.168.1.0 255.255.255.0 10.0.0.1
    !
    !-- All traffic that enters the GRE tunnel is encrypted by IPsec.
    !
    access-list 101 permit gre host 200.200.200.1 host 100.100.100.1
    !
    !-- Use access list in route-map to address what to NAT.
    !
    access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 175 permit ip 192.168.2.0 0.0.0.255 any
    !
    route-map nonat permit 10
     match ip address 175
    !
    end

  29. Blog Admin - February 24th, 2011 at 11:16 am

    liaz,

    Why is your WAN interface Vlan2? If it's an 877 (ADSL over POTS), isn't the WAN interface an ATM / ADSL port? Check this out, because I believe the problem is on the WAN port.

  30. José Dias - March 18th, 2011 at 10:41 pm

    Hi Sunny,

    You may use L2TPv3 to emulate vlan 5 over an IPv4 cloud.

    Regards.

  31. Alex - June 5th, 2011 at 11:04 pm

    Very helpful indeed. Thanks for posting. It really helped me to create GRE over IPsec via the Internet using a Cisco 887 and 877. My issue is that even though the local networks (192.168.1.0 on one side and 192.168.2.0 on the other) are visible in both routing tables, nodes (all in the same workgroup) are not visible. I used RIP and/or a static route. I can however ping every node from one network to the other.

  32. Blog Admin - June 6th, 2011 at 4:42 am

    Alex,

    Individual IP addresses will NOT appear in the routing table. Only the whole subnet appears in the table. As long as you can reach individual IP addresses by pinging them from the other local network, this means you are ok.

