IPSEC VPN is a great technology for encrypting and securing communications between networks. Its one drawback is that IPSEC supports ONLY pure IP unicast traffic and nothing else. If you want to securely pass multicast or non-IP traffic between sites, IPSEC alone will not work. Fortunately, Cisco routers support GRE (Generic Routing Encapsulation), a tunneling protocol that can encapsulate a variety of network-layer packet types inside a point-to-point tunnel. GRE can therefore carry multicast traffic, routing protocol packets (OSPF, EIGRP etc.) and other non-IP traffic between two sites. The downside of GRE is that it is not as secure as IPSEC: on its own it provides neither encryption nor authentication of the tunneled packets. By running GRE over IPSEC we get the best of both technologies: security and support for many network protocols. Some applications of GRE over IPSEC are the following:
- Pass multicast traffic from a video server of one site to another site over the Internet.
- Pass routing protocol updates (multicast traffic) between sites working in an IPSEC VPN topology.
- Running Novell IPX between IPSEC VPN sites.
- Use load balancing with a routing protocol between IPSEC VPN sites.
Configuration example
Below we will describe a configuration example between two Cisco routers running GRE over IPSEC via the Internet.

From the diagram above, we have two private LAN networks, 192.168.1.0/24 and 192.168.2.0/24, and we want to send non-unicast or non-IP traffic between them (e.g. multicast video server traffic from Site-A to Site-B, or any other non-IP or non-unicast traffic). Each router has a static public IP address on its FE0/1 outside interface (100.100.100.1 and 200.200.200.1), and the IPSEC tunnel will be set up between these two addresses. The GRE tunnel will run between two private IP addresses (10.0.0.1 and 10.0.0.2) configured on the Tunnel0 interface of each router (with the interface Tunnel command). The scenario also involves NAT for general Internet access of the local networks.
SITE-A
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE-A
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
!
!-- This is the IPsec configuration.
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key testkey123 address 200.200.200.1
!
crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set ESPDES-TS
 match address 101
!
!-- This is one end of the GRE tunnel.
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
!-- Associate the tunnel with the physical outside interface.
 tunnel source FastEthernet0/1
 tunnel destination 200.200.200.1
!-- Attach the IPSEC crypto map to the GRE tunnel.
 crypto map myvpn
!
!-- This is the internal network.
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
!-- This is the external interface and the source of the GRE tunnel.
interface FastEthernet0/1
 ip address 100.100.100.1 255.255.255.0
 ip nat outside
 crypto map myvpn
!
!-- Define the NAT pool.
ip nat pool NATPOOL 100.100.100.2 100.100.100.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool NATPOOL overload
ip classless
ip route 0.0.0.0 0.0.0.0 100.100.100.254
!-- Force the traffic for the remote private network into the tunnel.
ip route 192.168.2.0 255.255.255.0 10.0.0.2
!-- Crypto ACL: the GRE traffic between the two outside addresses is what IPsec encrypts,
!-- so everything that enters the GRE tunnel is encrypted by IPsec.
access-list 101 permit gre host 100.100.100.1 host 200.200.200.1
!-- Use the access list in the route-map to select what gets NATed:
!-- traffic to the remote LAN is exempt, everything else to the Internet is translated.
access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 175
end
SITE-B
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE-B
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
!
!-- This is the IPsec configuration.
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key testkey123 address 100.100.100.1
!
crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 100.100.100.1
 set transform-set ESPDES-TS
 match address 101
!
!-- This is one end of the GRE tunnel.
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
!-- Associate the tunnel with the physical outside interface.
 tunnel source FastEthernet0/1
 tunnel destination 100.100.100.1
!-- Attach the IPSEC crypto map to the GRE tunnel.
 crypto map myvpn
!
!-- This is the internal network.
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
!-- This is the external interface and the source of the GRE tunnel.
interface FastEthernet0/1
 ip address 200.200.200.1 255.255.255.0
 ip nat outside
 crypto map myvpn
!
!-- Define the NAT pool.
ip nat pool NATPOOL 200.200.200.2 200.200.200.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool NATPOOL overload
ip classless
ip route 0.0.0.0 0.0.0.0 200.200.200.254
!-- Force the traffic for the remote private network into the tunnel.
ip route 192.168.1.0 255.255.255.0 10.0.0.1
!-- Crypto ACL: the GRE traffic between the two outside addresses is what IPsec encrypts,
!-- so everything that enters the GRE tunnel is encrypted by IPsec.
access-list 101 permit gre host 200.200.200.1 host 100.100.100.1
!-- Use the access list in the route-map to select what gets NATed:
!-- traffic to the remote LAN is exempt, everything else to the Internet is translated.
access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 175
end
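The two configurations above have to agree with each other in several places (IKE peer, key binding, tunnel endpoints, crypto ACL, routes and NAT exemption), and the most consequential slip is a crypto ACL that does not match the outer GRE header, because then the tunnel is built but leaves the router unencrypted. The following Python script is an added example, not code from the original post or from Cisco: it reads a trimmed copy of the SITE-A config (SITE-B is derived from it by swapping the public, tunnel and LAN addresses pairwise) with a deliberately minimal IOS parser and runs those consistency checks on both sides. The parser, the `parse`/`acl_permits`/`check_pair` names and the finding texts are my own simplifications; the first-match-wins evaluation with an implicit deny at the end is how IOS extended ACLs actually behave.

```python
import ipaddress

# SITE-A as on the page, trimmed to the lines the checks read; SITE-B is built
# below as its mirror image (public, tunnel and LAN addresses swapped pairwise).
SITE_A = """
crypto isakmp key testkey123 address 200.200.200.1
crypto map myvpn 10 ipsec-isakmp
 set peer 200.200.200.1
 match address 101
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 200.200.200.1
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1
 ip address 100.100.100.1 255.255.255.0
ip route 192.168.2.0 255.255.255.0 10.0.0.2
access-list 101 permit gre host 100.100.100.1 host 200.200.200.1
access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 175
"""
SITE_B = SITE_A
for _x, _y in [("100.100.100.1", "200.200.200.1"), ("10.0.0.1", "10.0.0.2"), ("192.168.1.", "192.168.2.")]:
    SITE_B = SITE_B.replace(_x, "\0").replace(_y, _x).replace("\0", _y)

def parse(cfg):
    """Pull the IKE, crypto-map, interface, route, ACL and NAT-route-map facts out of an IOS config."""
    site, iface = {"ifaces": {}, "acls": {}, "routes": {}}, None
    for raw in cfg.splitlines():
        w = raw.split()
        if not w:
            continue
        if not raw.startswith(" "):  # an unindented line ends the current interface block
            iface = None
        if w[0] == "interface":
            iface = site["ifaces"].setdefault(w[1], {})
        elif w[:3] == ["crypto", "isakmp", "key"]:
            site["psk"], site["psk_peer"] = w[3], w[5]
        elif w[0] in ("set", "match"):  # 'set peer', 'match address' (crypto map), 'match ip address' (route-map)
            site[" ".join(w[:-1])] = w[-1]
        elif w[:2] == ["ip", "address"] and iface is not None:
            iface["ip"] = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")
        elif w[0] == "tunnel":  # 'tunnel source' / 'tunnel destination'
            iface[w[1]] = w[2]
        elif w[:2] == ["ip", "route"]:
            site["routes"][ipaddress.IPv4Network(f"{w[2]}/{w[3]}")] = w[4]
        elif w[0] == "access-list":
            site["acls"].setdefault(w[1], []).append(w[2:])
    return site

def _addr(words):
    """Consume one ACL address spec: 'any' | 'host A' | 'NETWORK WILDCARD'."""
    if words[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), words[1:]
    if words[0] == "host":
        return ipaddress.IPv4Network(words[1]), words[2:]
    return ipaddress.IPv4Network((words[0], words[1])), words[2:]

def acl_permits(entries, proto, src, dst):
    """Top-down IOS extended ACL evaluation: first match wins, implicit deny at the end."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, p, *rest in entries:
        s, rest = _addr(rest)
        d, rest = _addr(rest)
        if p in ("ip", proto) and src in s and dst in d:
            return action == "permit"
    return False

def check_pair(cfg_a, cfg_b):
    """Findings for a GRE-over-IPsec router pair; an empty list means the two configs fit."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    for me, other, name in ((a, b, "SITE-A"), (b, a, "SITE-B")):
        tun, otun = me["ifaces"]["Tunnel0"], other["ifaces"]["Tunnel0"]
        outside = str(me["ifaces"][tun["source"]]["ip"].ip)
        peer_out = str(other["ifaces"][otun["source"]]["ip"].ip)
        lan_me = me["ifaces"]["FastEthernet0/0"]["ip"].network
        lan_other = other["ifaces"]["FastEthernet0/0"]["ip"].network
        if not me["set peer"] == me["psk_peer"] == tun["destination"] == peer_out:
            out.append(f"{name}: IKE peer, isakmp key address and tunnel destination disagree")
        if me["psk"] != other["psk"]:
            out.append(f"{name}: pre-shared key differs from the peer's")
        # Every tunnelled packet leaves with an outer unicast header outside -> peer outside, protocol 47 (GRE);
        # if the crypto ACL misses that, the whole tunnel goes out in cleartext.
        if not acl_permits(me["acls"][me["match address"]], "gre", outside, peer_out):
            out.append(f"{name}: crypto ACL {me['match address']} does not cover the GRE tunnel")
        if me["routes"].get(lan_other) != str(otun["ip"].ip):
            out.append(f"{name}: no static route for {lan_other} via the peer's tunnel address")
        # LAN-to-LAN flows must hit a deny in the NAT route-map ACL (the NAT exemption).
        if acl_permits(me["acls"][me["match ip address"]], "ip", lan_me[10], lan_other[10]):
            out.append(f"{name}: LAN-to-LAN traffic would be NATed instead of tunnelled")
    return out

if __name__ == "__main__":
    print(check_pair(SITE_A, SITE_B) or "configs are consistent")
```

Run as-is it reports the page's pair as consistent. The interesting runs are the broken variants: replace SITE-A's crypto ACL entry with a plain-IPsec style `permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255` and `check_pair` flags that the GRE tunnel is not covered, because the outer header of every tunnelled packet is 100.100.100.1 to 200.200.200.1, not LAN to LAN; delete the `deny` line of ACL 175 and it flags that LAN-to-LAN traffic would be translated before it reaches the tunnel.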
Hi,
Haven’t you forgotten to add the PIM details on the various interfaces so the multicast receivers at SITE B can send a “join” for the multicast stream available at SITE A?
I’d appreciate if you could reply with your comment.
Regards,
Mario
Hello Mario, thanks for your comment.
Yes, indeed you are correct. If you are using GRE over IPSEC with a multicast Server on one site and multicast clients on the other site, then you will need to add on both the Tunnel Interfaces and the Ethernet Interfaces facing the LAN (for both site routers) the following commands:
interface Tunnel0
 ip pim dense-mode
interface FastEthernet0/0
 ip pim dense-mode
Hope this clarified your question.
Is it possible to route VLAN traffic over IPSec using GRE?
E.g. LAN A vlan 5 can talk to LAN B vlan 5
Many thanks
Hello Sunny,
Thanks for your question. No, you cannot do that over IPSEC/GRE tunnels. For this to work you need some sort of Layer 2 VPN (such as an MPLS Layer 2 VPN like a Martini link). Service providers usually offer such Layer 2 connectivity over their MPLS infrastructure.
Thanks
Harris
Is there a way to run GRE over IPSec when using the Cisco VPN Client to connect to an ASA 5505?
We have a remote PC that can “see” a bank of IP Radios through the VPN, which is passing IP and UDP traffic, but your post suggests we may need the GRE setup you describe in order for everything to work.
I appreciate your taking time to post this information, and to field our question–it’s been a TON of effort to get as far as we are!
Rick
Hello Rick,
If the IP Radios send traffic as multicast, then you will need GRE over IPSEC. However, this functionality (GRE over IPSEC) is not supported on Cisco VPN clients. You could install a small Cisco router on the remote site in order to configure GRE over IPSEC. However, keep in mind also that the ASA does not support termination of GRE tunnels.
Thank you for your prompt and informative reply. I am working with customer service to purchase your book now!
Regarding my current project, however…can you recommend a “small Cisco router” for the remote site?
It sounds like another ASA 5505 will not work…is that correct?
The IP Radios “do” send traffic as multicast…and it is the RTP/RTCP traffic that is not currently being sent across the VPN.
This is our local Emergency Management Agency (EMA), so the “remote sites” are typically mobile units out in the field during a disaster…thus, we had hoped the Cisco VPN “client” would suffice.
I will look forward to digesting your book for this and future projects, and really appreciate your taking time to help!
Rick
Hello Rick,
A possible small Cisco router for supporting your scenario and which supports GRE over IPSEC is the 800 series (look at the 871 for example). As I mentioned before, another ASA 5505 will not work because it does not support GRE.
Have a nice day and thank you for purchasing my ebook.
Harris
Hey,
Just wanted to let you know that you do not need that NAT exemption for private-to-private networks because of a few things:
1. ip nat inside is NOT applied to the tunnel interface.
2. 192.168.2.0 will be routed through a locally connected (NON NAT OUTSIDE) interface, so the address swap and port mapping will never take place.
Just wanted to clarify what you had.
Is this still true with virtual tunnel interface (VTI)? Since IPSec can be exposed as logical interface (VTI), multicast routing updates can also be carried in ipsec tunnel. If that is the case do we still need GRE tunnel to carry routing updates (multicast packets)?
Thanks,
Nagaraj
To be honest I haven't tried the scenario you are describing. In my opinion, you will still need GRE even if you use VTI. The problem with multicast traffic and IPSEC is that IPSEC is a pure IP unicast technology and so it does not support multicast traffic; that is why we use GRE.
Is it possible to have the same subnet on both sites and do bridging (sending layer 2 frames between the two sites) over the VPN?
No, unfortunately this is not possible using GRE over IPSEC. You can look into L2TP for this scenario or even MPLS Layer2 VPN from a service provider.
Hi. You said that this is not possible on ASA5505. Any other workaround possible for ASA? I have such problem just right now and not a clue how to make it work.
Many thanks.
If you are trying to pass OSPF over the IPSEC tunnel, then you can do it without GRE. See the following link http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml
Otherwise you can get a small 800 series router that supports GRE.
I need to enable multicast traffic betwen 2 ASA’s. Will that do the trick?
Thanks.
If you don't have IPSEC between them but normal IP routing, then it will work. I assumed that you have IPSEC between the ASAs.
I do have IPSEC. I have site-to-site vpn between the ASA. No way to enable multicast?
You cannot pass multicast inside IPSec since IPSec supports only IP unicast traffic.
Which of the following is a method for handling non-IP traffic in VPN?
a) GRE
b) SSL
c) TLS
d) All of the above
Is this a quiz question ?
Well the answer is a) GRE
You are so kind
yep bro
love your help