GRE over IPSEC tunnel example-config between two routers



13.12 2019 | by massimiliano




Configuration steps for a GRE over IPSEC tunnel between two routers

 

1.  Create a tunnel interface (the tunnel IP addresses on the two routers must be in the same subnet) and then configure the tunnel source and the tunnel destination under the tunnel interface (the source is normally the router's own outside interface, the destination is the peer's outside IP address):

 

  interface Tunnel0
    ip address 192.168.16.1 255.255.255.0
    tunnel source < local outside interface >
    tunnel destination < remote outside interface IP >

 

 

2.   Configure the ISAKMP (IKE phase 1) policy. Any parameter not set explicitly takes the IOS default (DES encryption, SHA-1 hash, Diffie-Hellman group 1, 86400 s lifetime), which is weak by today's standards; in practice also set encryption, hash and group (for example AES-256 and group 14):

 

  crypto isakmp policy 1
    authentication pre-share

 

 

3.   Configure the pre-shared key (the same on both routers, bound to the peer's outside address with a host mask; cisco123 is only a placeholder, use a long random secret):

 

  crypto isakmp key cisco123 address < remote outside interface IP > 255.255.255.255

 

 

4.   Configure the transform set (IPsec phase 2 proposal). The example uses 3DES with MD5-HMAC; both are deprecated today, so despite the name "strong" prefer esp-aes with esp-sha-hmac (or SHA-256 where the IOS release supports it):

 

crypto ipsec transform-set strong esp-3des esp-md5-hmac

 

 

5.   Create an ACL that permits GRE traffic from the outside interface of the local router to the outside interface of the remote router. This is the crypto ACL: only the GRE packets between the two outside addresses are encrypted, so the inner private networks do not need to be listed here:

 

  access-list 100 permit gre host < local outside interface IP > host < remote outside interface IP >

 

 

6.  Configure the crypto map, associating the transform set and the ACL with it, and define the peer address under the crypto map:

 

  crypto map vpn 10 ipsec-isakmp
    set peer < remote outside interface IP >
    set transform-set strong
    match address 100

 

7.   Apply the crypto map to the physical (outside) interface (Cisco IOS Software Release 12.2(13)T or later); on earlier releases the crypto map must be applied to the tunnel interface as well as to the physical interface:

 

  interface fa0/0
    ip address < ip-address >
    half-duplex
    crypto map vpn

 

8.   Configure NAT bypass if necessary: when the router also does NAT/PAT for the LAN, traffic between the two private networks must be excluded from translation so that it crosses the tunnel with its private addresses. Note that IOS access lists take wildcard masks, not subnet masks, and that the interfaces involved also need ip nat inside / ip nat outside for the NAT statement to act:

 

  access-list 175 deny   ip < local private network > < wildcard mask > < remote private network > < wildcard mask >
  access-list 175 permit ip < local private network > < wildcard mask > any
  !
  route-map nonat permit 10
    match ip address 175
  exit
  !
  ip nat inside source route-map nonat interface < outside interface name > overload
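The eight steps above put together for both ends of the tunnel, as an added worked example that is not part of the original post. Every address, hostname, interface name and the shared-secret placeholder is assumed: the outside addresses 203.0.113.1/30 and 198.51.100.1/30 come from the RFC 5737 documentation ranges, the LANs are 10.1.1.0/24 and 10.2.2.0/24, and the tunnel keeps the 192.168.16.0/24 subnet used above. It also swaps in AES-256, SHA and DH group 14 in place of the defaults and the 3DES/MD5 transform set, so it assumes an IOS release that supports those, and it adds the MTU/MSS settings, the NAT interface roles and the static routes that the steps leave implicit.

```cisco
!=== R1 (assumed: outside 203.0.113.1/30 on Fa0/0, LAN 10.1.1.0/24 on Fa0/1) ===
hostname R1
!
! Phase 1: every parameter set explicitly instead of relying on the IOS defaults (DES, group 1)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <strong-shared-secret> address 198.51.100.1 255.255.255.255
!
! Phase 2: AES/SHA instead of the deprecated 3DES/MD5 pair
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL: only the GRE packets between the two outside addresses are encrypted
access-list 100 permit gre host 203.0.113.1 host 198.51.100.1
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set AES-SHA
 match address 100
!
! GRE tunnel; MTU/MSS lowered so GRE+ESP overhead does not force fragmentation
interface Tunnel0
 ip address 192.168.16.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.1
!
interface FastEthernet0/0
 description outside
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 crypto map VPN
!
interface FastEthernet0/1
 description LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! NAT exemption: LAN-to-remote-LAN traffic must reach the tunnel untranslated (wildcard masks)
access-list 175 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 175 permit ip 10.1.1.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address 175
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
!
! Remote LAN is reached through the tunnel (a routing protocol over Tunnel0 works as well)
ip route 10.2.2.0 255.255.255.0 Tunnel0
!
!=== R2 (assumed: outside 198.51.100.1/30 on Fa0/0, LAN 10.2.2.0/24 on Fa0/1): mirror of R1 ===
hostname R2
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <strong-shared-secret> address 203.0.113.1 255.255.255.255
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
access-list 100 permit gre host 198.51.100.1 host 203.0.113.1
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set AES-SHA
 match address 100
!
interface Tunnel0
 ip address 192.168.16.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.1
!
interface FastEthernet0/0
 description outside
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
 crypto map VPN
!
interface FastEthernet0/1
 description LAN
 ip address 10.2.2.1 255.255.255.0
 ip nat inside
!
access-list 175 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 175 permit ip 10.2.2.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address 175
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
!
ip route 10.1.1.0 255.255.255.0 Tunnel0
```

To check it, ping a host in the remote LAN from a host in the local LAN, then look at show crypto isakmp sa (the peer should be in state QM_IDLE), show crypto ipsec sa (the #pkts encaps/decaps counters for the 203.0.113.1 / 198.51.100.1 pair should increase with the pings) and show interface Tunnel0. Two things to keep in mind: the tunnel destination itself must stay reachable through the outside interface (never via a route that points back into Tunnel0, or the tunnel goes into recursive routing and flaps), and since the crypto ACL matches only GRE between the two outside addresses, any packet that is routed into Tunnel0 is protected regardless of its inner source or destination.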
