Comments on: Passing non-IP Traffic over IPSEC VPN using GRE over IPSEC http://www.networkstraining.com/passing-non-ip-traffic-over-ipsec-vpn-using-gre-over-ipsec/ IP Networks Training and Tutorials Tue, 07 Feb 2012 15:03:08 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Blog Admin http://www.networkstraining.com/passing-non-ip-traffic-over-ipsec-vpn-using-gre-over-ipsec/comment-page-1/#comment-2189 Blog Admin Mon, 06 Jun 2011 04:42:16 +0000 http://www.networkstraining.com/?p=255#comment-2189 Alex, Individual IP addresses will NOT appear in the routing table. Only the whole subnet appears in the table. As long as you can reach individual IP addresses by pinging them from the other local network, this means you are ok. Alex,

Individual IP addresses will NOT appear in the routing table. Only the whole subnet appears in the table. As long as you can reach individual IP addresses by pinging them from the other local network, this means you are ok.

]]> By: Alex http://www.networkstraining.com/passing-non-ip-traffic-over-ipsec-vpn-using-gre-over-ipsec/comment-page-1/#comment-2188 Alex Sun, 05 Jun 2011 23:04:45 +0000 http://www.networkstraining.com/?p=255#comment-2188 very helpful indeed. Thanx for posting. It really helped me to create gre over ipsec via internet using a cisco 887 and 877. My issue is that even though local networks (192.168.1.0 on one side and 192.168.2.0 on the other) are visible on both routing tables, nodes (all in the same workgroup) are not visible. used RIP and/or static route. I can however ping every node from one network to the other. very helpful indeed. Thanx for posting. It really helped me to create gre over ipsec via internet using a cisco 887 and 877. My issue is that even though local networks (192.168.1.0 on one side and 192.168.2.0 on the other) are visible on both routing tables, nodes (all in the same workgroup) are not visible. used RIP and/or static route. I can however ping every node from one network to the other.

]]> By: José Dias http://www.networkstraining.com/passing-non-ip-traffic-over-ipsec-vpn-using-gre-over-ipsec/comment-page-1/#comment-1952 José Dias Fri, 18 Mar 2011 22:41:10 +0000 http://www.networkstraining.com/?p=255#comment-1952 Hi Sunny, You may use L2TPv3 do emulate vlan5 over a IPv4 cloud. Regards. Hi Sunny,

You may use L2TPv3 do emulate vlan5 over a IPv4 cloud.

Regards.

]]> By: Blog Admin http://www.networkstraining.com/passing-non-ip-traffic-over-ipsec-vpn-using-gre-over-ipsec/comment-page-1/#comment-1814 Blog Admin Thu, 24 Feb 2011 11:16:25 +0000 http://www.networkstraining.com/?p=255#comment-1814 liaz, Why your WAN interface is Vlan2? If its a 877 (ADSL over POTS), the WAN interface isn't an ATM / ADSL port? Check out this because the problem is on the WAN port I believe. liaz,

Why your WAN interface is Vlan2? If its a 877 (ADSL over POTS), the WAN interface isn’t an ATM / ADSL port? Check out this because the problem is on the WAN port I believe.

]]> By: liaz http://www.networkstraining.com/passing-non-ip-traffic-over-ipsec-vpn-using-gre-over-ipsec/comment-page-1/#comment-1809 liaz Wed, 23 Feb 2011 13:16:58 +0000 http://www.networkstraining.com/?p=255#comment-1809 Hi, i applied the configuration as mentioned on 2 cisco 877 in a lab. I am missing something because it doesn't work. Actually, i used 3 cisco's 877, 2 for site a and B and 1 acts as internet router. i can ping the external ip's but no vpn or gre tunnel is up... here are the configs: SITE A ------ service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname SITE-A ! boot-start-marker boot-end-marker ! enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ! no aaa new-model ip subnet-zero ! !— This is the IPsec configuration. ! crypto isakmp policy 10 authentication pre-share crypto isakmp key testkey123 address 200.200.200.1 ! crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac ! crypto map myvpn 10 ipsec-isakmp ! set peer 200.200.200.1 set transform-set ESPDES-TS match address 101 ! !— This is one end of the GRE tunnel. ! interface Tunnel0 ip address 10.0.0.1 255.255.255.0 !— Associate the tunnel with the physical outside interface. tunnel source FastEthernet0/1 tunnel destination 200.200.200.1 !— Attach the IPSEC crypto map to the GRE tunnel. crypto map myvpn !— This is the internal network. interface VLAN 1 ip address 192.168.1.1 255.255.255.0 ip nat inside !— This is the external interface and one end of the GRE tunnel. interface VLAN 2 ip address 100.100.100.1 255.255.255.0 ip nat outside crypto map myvpn !— Define the NAT pool. ip nat pool NATPOOL 100.100.100.2 100.100.100.20 netmask 255.255.255.0 ip nat inside source route-map nonat pool NATPOOL overload ip classless ip route 0.0.0.0 0.0.0.0 100.100.100.254 !— Force the private network traffic into the tunnel. ip route 192.168.2.0 255.255.255.0 10.0.0.2 !— All traffic that enters the GRE tunnel is encrypted by IPsec. access-list 101 permit gre host 100.100.100.1 host 200.200.200.1 !— Use access list in route-map to address what to NAT. access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 access-list 175 permit ip 192.168.1.0 0.0.0.255 any route-map nonat permit 10 match ip address 175 end Site B: ------- service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname SITE-B ! boot-start-marker boot-end-marker ! enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ! no aaa new-model ip subnet-zero ! !— This is the IPsec configuration. ! crypto isakmp policy 10 authentication pre-share crypto isakmp key testkey123 address 100.100.100.1 ! crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac ! crypto map myvpn 10 ipsec-isakmp ! set peer 100.100.100.1 set transform-set ESPDES-TS match address 101 ! !— This is one end of the GRE tunnel. ! interface Tunnel0 ip address 10.0.0.2 255.255.255.0 !— Associate the tunnel with the physical outside interface. tunnel source FastEthernet0/1 tunnel destination 100.100.100.1 !— Attach the IPSEC crypto map to the GRE tunnel. crypto map myvpn !— This is the internal network. interface vlan 1 ip address 192.168.2.1 255.255.255.0 ip nat inside !— This is the external interface and one end of the GRE tunnel. interface vlan 25 ip address 200.200.200.1 255.255.255.0 ip nat outside crypto map myvpn !— Define the NAT pool. ip nat pool NATPOOL 200.200.200.2 200.200.200.20 netmask 255.255.255.0 ip nat inside source route-map nonat pool NATPOOL overload ip classless ip route 0.0.0.0 0.0.0.0 200.200.200.254 !— Force the private network traffic into the tunnel. ip route 192.168.1.0 255.255.255.0 10.0.0.1 !— All traffic that enters the GRE tunnel is encrypted by IPsec. access-list 101 permit gre host 200.200.200.1 host 100.100.100.1 !— Use access list in route-map to address what to NAT. access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 access-list 175 permit ip 192.168.2.0 0.0.0.255 any route-map nonat permit 10 match ip address 175 end Hi, i applied the configuration as mentioned on 2 cisco 877 in a lab.
I am missing something because it doesn’t work.
Actually, i used 3 cisco’s 877, 2 for site a and B and 1 acts as internet router.
i can ping the external ip’s but no vpn or gre tunnel is up…
here are the configs:

SITE A
——

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE-A
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
!
!— This is the IPsec configuration.
!
crypto isakmp policy 10
authentication pre-share

crypto isakmp key testkey123 address 200.200.200.1
!
crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
!
set peer 200.200.200.1
set transform-set ESPDES-TS
match address 101
!
!— This is one end of the GRE tunnel.
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.0

!— Associate the tunnel with the physical outside interface.
tunnel source FastEthernet0/1
tunnel destination 200.200.200.1

!— Attach the IPSEC crypto map to the GRE tunnel.
crypto map myvpn

!— This is the internal network.

interface VLAN 1
ip address 192.168.1.1 255.255.255.0
ip nat inside

!— This is the external interface and one end of the GRE tunnel.

interface VLAN 2
ip address 100.100.100.1 255.255.255.0
ip nat outside
crypto map myvpn

!— Define the NAT pool.

ip nat pool NATPOOL 100.100.100.2 100.100.100.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool NATPOOL overload
ip classless

ip route 0.0.0.0 0.0.0.0 100.100.100.254

!— Force the private network traffic into the tunnel.

ip route 192.168.2.0 255.255.255.0 10.0.0.2

!— All traffic that enters the GRE tunnel is encrypted by IPsec.
access-list 101 permit gre host 100.100.100.1 host 200.200.200.1

!— Use access list in route-map to address what to NAT.

access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 permit ip 192.168.1.0 0.0.0.255 any

route-map nonat permit 10
match ip address 175

end

Site B:
——-

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE-B
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
!
!— This is the IPsec configuration.
!
crypto isakmp policy 10
authentication pre-share

crypto isakmp key testkey123 address 100.100.100.1
!
crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
!
set peer 100.100.100.1
set transform-set ESPDES-TS
match address 101
!
!— This is one end of the GRE tunnel.
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.0

!— Associate the tunnel with the physical outside interface.
tunnel source FastEthernet0/1
tunnel destination 100.100.100.1

!— Attach the IPSEC crypto map to the GRE tunnel.
crypto map myvpn

!— This is the internal network.

interface vlan 1
ip address 192.168.2.1 255.255.255.0
ip nat inside

!— This is the external interface and one end of the GRE tunnel.

interface vlan 25
ip address 200.200.200.1 255.255.255.0
ip nat outside
crypto map myvpn

!— Define the NAT pool.

ip nat pool NATPOOL 200.200.200.2 200.200.200.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool NATPOOL overload
ip classless

ip route 0.0.0.0 0.0.0.0 200.200.200.254

!— Force the private network traffic into the tunnel.

ip route 192.168.1.0 255.255.255.0 10.0.0.1

!— All traffic that enters the GRE tunnel is encrypted by IPsec.
access-list 101 permit gre host 200.200.200.1 host 100.100.100.1

!— Use access list in route-map to address what to NAT.

access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 any

route-map nonat permit 10
match ip address 175

end

]]> By: Blog Admin http://www.networkstraining.com/passing-non-ip-traffic-over-ipsec-vpn-using-gre-over-ipsec/comment-page-1/#comment-1647 Blog Admin Wed, 12 Jan 2011 19:52:01 +0000 http://www.networkstraining.com/?p=255#comment-1647 GRE packets are visible but the carried traffic within the GRE tunnel is encrypted by ipsec. GRE packets are visible but the carried traffic within the GRE tunnel is encrypted by ipsec.

]]> By: Hiraman http://www.networkstraining.com/passing-non-ip-traffic-over-ipsec-vpn-using-gre-over-ipsec/comment-page-1/#comment-1633 Hiraman Sun, 09 Jan 2011 03:20:30 +0000 http://www.networkstraining.com/?p=255#comment-1633 I enabled ip cache flow command on the Internet router. I saw GRE packets passing through. My question is that are GRE packets visible to ISP. Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec) -------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow GRE 8 0.0 7 108 0.0 3.4 15.4 Total: 8 0.0 7 108 0.0 3.4 15.4 SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts Se1 200.200.200.1 Se0 100.100.100.1 2F 0000 0000 5 Se0 100.100.100.1 Se1 200.200.200.1 2F 0000 0000 5 R3# I enabled ip cache flow command on the Internet router.
I saw GRE packets passing through.
My question is that are GRE packets visible to ISP.

Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
——– Flows /Sec /Flow /Pkt /Sec /Flow /Flow
GRE 8 0.0 7 108 0.0 3.4 15.4
Total: 8 0.0 7 108 0.0 3.4 15.4

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Se1 200.200.200.1 Se0 100.100.100.1 2F 0000 0000 5
Se0 100.100.100.1 Se1 200.200.200.1 2F 0000 0000 5
R3#

]]> By: Hiraman http://www.networkstraining.com/passing-non-ip-traffic-over-ipsec-vpn-using-gre-over-ipsec/comment-page-1/#comment-1632 Hiraman Sun, 09 Jan 2011 03:02:54 +0000 http://www.networkstraining.com/?p=255#comment-1632 I have set this up on my LAB without NAT. Both network can reach each other other the tunnel. But my question is how can we verify whether encryption is happening or not. I used "sh crypto iskamp sa" and "sh crypto ipsec sa" They didn't show any output. I have set this up on my LAB without NAT.
Both network can reach each other other the tunnel.
But my question is how can we verify whether encryption is happening or not.
I used “sh crypto iskamp sa” and “sh crypto ipsec sa”
They didn’t show any output.

]]> By: Blog Admin http://www.networkstraining.com/passing-non-ip-traffic-over-ipsec-vpn-using-gre-over-ipsec/comment-page-1/#comment-810 Blog Admin Thu, 04 Nov 2010 19:05:19 +0000 http://www.networkstraining.com/?p=255#comment-810 GRE has problems with NAT (especially PAT). No it will not work. GRE has problems with NAT (especially PAT). No it will not work.

]]> By: Enzo http://www.networkstraining.com/passing-non-ip-traffic-over-ipsec-vpn-using-gre-over-ipsec/comment-page-1/#comment-809 Enzo Thu, 04 Nov 2010 15:35:30 +0000 http://www.networkstraining.com/?p=255#comment-809 Hi; Is possible enable GRE with adsl connection, i need work with dynamic IP using PAT (Port address translation), I try with port asignation, but no work Hi;

Is possible enable GRE with adsl connection, i need work with dynamic IP using PAT (Port address translation), I try with port asignation, but no work

]]>