Passing non-IP Traffic over IPSEC VPN using GRE over IPSEC

Comments

1. Mario says

   March 27, 2009 at 5:31 am

   Hi,

   Haven’t you forgotten to add the PIM details on the various interfaces so the multicast receivers at SITE B can send a “join” for the multicast stream available at SITE A?

   I’d appreciate if you could reply with your comment.

   Regards,
   Mario

2. BlogAdmin says

   March 27, 2009 at 12:41 pm

   Hello Mario, thanks for your comment.

   Yes, indeed you are correct. If you are using GRE over IPSEC with a multicast Server on one site and multicast clients on the other site, then you will need to add on both the Tunnel Interfaces and the Ethernet Interfaces facing the LAN (for both site routers) the following commands:

   interface Tunnel0
   ip pim dense-mode
   

   interface FastEthernet0/0
   ip pim dense-mode
   

   Hope this clarified your question

3. Sunny says

   April 29, 2009 at 9:30 am

   Is it possible to route VLAN traffic over IPSec using GRE?

   E.g. LAN A vlan 5 can talk to LAN B vlan 5

   Many thanks

4. BlogAdmin says

   April 29, 2009 at 10:28 am

   Hello Sunny,

   Thanks for your question. No, you can not do that over IPSEC/GRE tunnels. For this to work you need some sort of Layer 2 VPN (such as MPLS Layer 2 VPN like martini link). The Service Providers usually offer such a Layer 2 connectivity over their MPLS infrastructure.

   Thanks

   Harris

5. Rick says

   July 24, 2009 at 10:41 pm

   Is there a way to run GRE over IPSec when using the Cisco VPN Client to connect to an ASA 5505?

   We have a remote PC that can “see” a bank of IP Radios through the VPN, which is passing IP and UDP traffic, but your post suggests we may need the GRE setup you describe in order for everything to work.

   I appreciate your taking time to post this information, and to field our question–it’s been a TON of effort to get as far as we are!

   Rick

6. BlogAdmin says

   July 25, 2009 at 5:28 am

   Hello Rick,

   If the IP Radios send traffic as multicast, then you will need GRE over IPSEC. However, this functionality (GRE over IPSEC) is not supported on Cisco VPN clients. You could install a small cisco router on the remote site in order to configure GRE over IPSEC. However, keep in mind also that ASA does not support termination of GRE tunnels.

7. Rick says

   July 28, 2009 at 4:05 pm

   Thank you for your prompt and informative reply. I am working with customer service to purchase your book now!

   Regarding my current project, however…can you recommend a “small Cisco router” for the remote site?

   It sounds like another ASA 5505 will not work…is that correct?

   The IP Radios “do” send traffic as multicast…and it is the RTP/RTCP traffic that is not currently being sent across the VPN.

   This is our local Emergency Management Agency (EMA), so the “remote sites” are typically mobile units out in the field during a disaster…thus, we had hoped the Cisco VPN “client” would suffice.

   I will look forward to digesting your book for this and future projects, and really appreciate your taking time to help!

   Rick

8. BlogAdmin says

   July 30, 2009 at 1:08 am

   Hello Rick,

   A possible small Cisco router for supporting your scenario and which supports GRE over IPSEC is the 800 series (look at the 871 for example). As I mentioned before, another ASA 5505 will not work because it does not support GRE.

   Have a nice day and thank you for purchasing my ebook.

   Harris

9. guest says

   August 8, 2009 at 5:59 pm

   Hey,

   Just wanted to let you know that you do not need that NAT exemption for private to private networks because of a few things:
   1. ip nat inside is NOT applied to the tunnel interface.
   2. 192.168.2.0 will be routes through a locally connected(NON NAT OUTSIDE) interface so the adress swap and port mapping will never take place.

   Just wanted to clarify what you had.

10. Nagaraj says

    October 7, 2009 at 1:38 pm

    Is this still true with virtual tunnel interface (VTI)? Since IPSec can be exposed as logical interface (VTI), multicast routing updates can also be carried in ipsec tunnel. If that is the case do we still need GRE tunnel to carry routing updates (multicast packets)?

    Thanks,
    Nagaraj

11. BlogAdmin says

    October 9, 2009 at 4:40 pm

    To be honest I haven’t tried the scenario your are describing. In my opinion, you will still need GRE even if you use VTI. The problem with the multicast traffic and IPSEC is that IPSEC is a pure IP unicast technology and so it does not support multicast traffic, that is why we use GRE.

12. Harris says

    January 19, 2010 at 8:47 am

    Is it possible to have the same subnet on both sites and do bridging (sending layer 2 frames between the two sites) over the VPN?

13. BlogAdmin says

    January 19, 2010 at 9:04 am

    No, unfortunately this is not possible using GRE over IPSEC. You can look into L2TP for this scenario or even MPLS Layer2 VPN from a service provider.

14. JKL says

    March 18, 2010 at 6:40 pm

    Hi. You said that this is not possible on ASA5505. Any other workaround possible for ASA? I have such problem just right now and not a clue how to make it work.
    Many thanks.

15. BlogAdmin says

    March 19, 2010 at 1:43 am

    If you are trying to pass OSPF over the IPSEC tunnel, then you can do it without GRE. See the following link

    Otherwise you can get a small 800 series router that supports GRE

16. JKL says

    March 19, 2010 at 3:47 am

    I need to enable multicast traffic betwen 2 ASA’s. Will that do the trick?

    Thanks.

17. BlogAdmin says

    March 19, 2010 at 4:36 am

    If you don’t have IPSEC between them but normal IP routing then it will work. I assumed that you have IPSEC between the ASA.

18. JKL says

    March 22, 2010 at 10:37 am

    I do have IPSEC. I have site-to-site vpn between the ASA. No way to enable multicast?

19. BlogAdmin says

    March 23, 2010 at 12:39 pm

    You can not pass multicast inside IPSec since IPSEc supports only IP unicast traffic

20. dokafe says

    June 8, 2010 at 9:50 pm

    Which of the following is a method for handling non-IP traffic in VPN?
    a) GRE
    b) SSL
    c) TLS
    d) All of the above

21. Blog Admin says

    June 9, 2010 at 4:08 pm

    Is this a quiz question ? :)

    Well the answer is a) GRE

22. dokafe says

    June 19, 2010 at 2:12 am

    uuuuuuuuuuu are so kind

    yep bro

    love ur help

23. Enzo says

    November 4, 2010 at 3:35 pm

    Hi;

    Is possible enable GRE with adsl connection, i need work with dynamic IP using PAT (Port address translation), I try with port asignation, but no work

24. Blog Admin says

    November 4, 2010 at 7:05 pm

    GRE has problems with NAT (especially PAT). No it will not work.

25. Hiraman says

    January 9, 2011 at 3:02 am

    I have set this up on my LAB without NAT.
    Both network can reach each other other the tunnel.
    But my question is how can we verify whether encryption is happening or not.
    I used “sh crypto iskamp sa” and “sh crypto ipsec sa”
    They didn’t show any output.

26. Hiraman says

    January 9, 2011 at 3:20 am

    I enabled ip cache flow command on the Internet router.
    I saw GRE packets passing through.
    My question is that are GRE packets visible to ISP.

    Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
    ——– Flows /Sec /Flow /Pkt /Sec /Flow /Flow
    GRE 8 0.0 7 108 0.0 3.4 15.4
    Total: 8 0.0 7 108 0.0 3.4 15.4

    SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

    SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
    Se1 200.200.200.1 Se0 100.100.100.1 2F 0000 0000 5
    Se0 100.100.100.1 Se1 200.200.200.1 2F 0000 0000 5
    R3#

27. Blog Admin says

    January 12, 2011 at 7:52 pm

    GRE packets are visible but the carried traffic within the GRE tunnel is encrypted by ipsec.

28. liaz says

    February 23, 2011 at 1:16 pm

    Hi, i applied the configuration as mentioned on 2 cisco 877 in a lab.
    I am missing something because it doesn’t work.
    Actually, i used 3 cisco’s 877, 2 for site a and B and 1 acts as internet router.
    i can ping the external ip’s but no vpn or gre tunnel is up…
    here are the configs:

    SITE A
    ——

    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SITE-A
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    !
    no aaa new-model
    ip subnet-zero
    !
    !— This is the IPsec configuration.
    !
    crypto isakmp policy 10
    authentication pre-share

    crypto isakmp key testkey123 address 200.200.200.1
    !
    crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
    !
    crypto map myvpn 10 ipsec-isakmp
    !
    set peer 200.200.200.1
    set transform-set ESPDES-TS
    match address 101
    !
    !— This is one end of the GRE tunnel.
    !
    interface Tunnel0
    ip address 10.0.0.1 255.255.255.0

    !— Associate the tunnel with the physical outside interface.
    tunnel source FastEthernet0/1
    tunnel destination 200.200.200.1

    !— Attach the IPSEC crypto map to the GRE tunnel.
    crypto map myvpn

    !— This is the internal network.

    interface VLAN 1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside

    !— This is the external interface and one end of the GRE tunnel.

    interface VLAN 2
    ip address 100.100.100.1 255.255.255.0
    ip nat outside
    crypto map myvpn

    !— Define the NAT pool.

    ip nat pool NATPOOL 100.100.100.2 100.100.100.20 netmask 255.255.255.0
    ip nat inside source route-map nonat pool NATPOOL overload
    ip classless

    ip route 0.0.0.0 0.0.0.0 100.100.100.254

    !— Force the private network traffic into the tunnel.

    ip route 192.168.2.0 255.255.255.0 10.0.0.2

    !— All traffic that enters the GRE tunnel is encrypted by IPsec.
    access-list 101 permit gre host 100.100.100.1 host 200.200.200.1

    !— Use access list in route-map to address what to NAT.

    access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 175 permit ip 192.168.1.0 0.0.0.255 any

    route-map nonat permit 10
    match ip address 175

    end

    Site B:
    ——-

    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SITE-B
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    !
    no aaa new-model
    ip subnet-zero
    !
    !— This is the IPsec configuration.
    !
    crypto isakmp policy 10
    authentication pre-share

    crypto isakmp key testkey123 address 100.100.100.1
    !
    crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
    !
    crypto map myvpn 10 ipsec-isakmp
    !
    set peer 100.100.100.1
    set transform-set ESPDES-TS
    match address 101
    !
    !— This is one end of the GRE tunnel.
    !
    interface Tunnel0
    ip address 10.0.0.2 255.255.255.0

    !— Associate the tunnel with the physical outside interface.
    tunnel source FastEthernet0/1
    tunnel destination 100.100.100.1

    !— Attach the IPSEC crypto map to the GRE tunnel.
    crypto map myvpn

    !— This is the internal network.

    interface vlan 1
    ip address 192.168.2.1 255.255.255.0
    ip nat inside

    !— This is the external interface and one end of the GRE tunnel.

    interface vlan 25
    ip address 200.200.200.1 255.255.255.0
    ip nat outside
    crypto map myvpn

    !— Define the NAT pool.

    ip nat pool NATPOOL 200.200.200.2 200.200.200.20 netmask 255.255.255.0
    ip nat inside source route-map nonat pool NATPOOL overload
    ip classless

    ip route 0.0.0.0 0.0.0.0 200.200.200.254

    !— Force the private network traffic into the tunnel.

    ip route 192.168.1.0 255.255.255.0 10.0.0.1

    !— All traffic that enters the GRE tunnel is encrypted by IPsec.
    access-list 101 permit gre host 200.200.200.1 host 100.100.100.1

    !— Use access list in route-map to address what to NAT.

    access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 175 permit ip 192.168.2.0 0.0.0.255 any

    route-map nonat permit 10
    match ip address 175

    end

29. Blog Admin says

    February 24, 2011 at 11:16 am

    liaz,

    Why your WAN interface is Vlan2? If its a 877 (ADSL over POTS), the WAN interface isn’t an ATM / ADSL port? Check out this because the problem is on the WAN port I believe.

30. José Dias says

    March 18, 2011 at 10:41 pm

    Hi Sunny,

    You may use L2TPv3 do emulate vlan5 over a IPv4 cloud.

    Regards.

31. Alex says

    June 5, 2011 at 11:04 pm

    very helpful indeed. Thanx for posting. It really helped me to create gre over ipsec via internet using a cisco 887 and 877. My issue is that even though local networks (192.168.1.0 on one side and 192.168.2.0 on the other) are visible on both routing tables, nodes (all in the same workgroup) are not visible. used RIP and/or static route. I can however ping every node from one network to the other.

32. Blog Admin says

    June 6, 2011 at 4:42 am

    Alex,

    Individual IP addresses will NOT appear in the routing table. Only the whole subnet appears in the table. As long as you can reach individual IP addresses by pinging them from the other local network, this means you are ok.

33. rah says

    November 23, 2014 at 10:59 am

    hi, very good scenario !
    but one question:
    what should we do if we have one firewall between vpn servers(R1) and internet connection in site A and on other site?
    it means for example in this scenari f0/1 has not a public ip address and has a private link to firewall. actually firewall has 2 link. first link to inside network (link between firewall and router) and another link with public ip address to ISP.

    Thanksss

34. Harris Andrea says

    November 23, 2014 at 5:50 pm

    Rah,
    I haven’t tested an exact scenario as you mention but I suggest two options:

    1) Configure a static NAT on the firewall so that its outside public IP will be translated to the private IP of f0/1 on router. Then configure the exact steps on the routers as the example above(i.e configure both IPSEC and GRE on the routers).
    2) Configure IPSEC on the firewall and GRE on the routers (this needs some deeper thinking!!).

35. Asir says

    April 2, 2019 at 5:37 am

    Hi,
    I have following scenario, do think it will work? I’m Site A.
    Site A and site B having different IP subnets
    Between two sites, I have two firewalls.
    I want the IPsec tunnel between the two firewalls, and the GRE from Site A router to Site B router.
    I have L3 & L2 switches between Site A router and Site A firewall.
    Should I NAT the IP at Site A firewall?

36. Harris Andrea says

    April 2, 2019 at 3:34 pm

    what do you mean exactly by NAT the IP? Static NAT or dynamic NAT? Which IP are you talking about?