Cisco Tunnel GRE


GRE tunnels let you route traffic through the tunnel, forming a virtual tunnel with two virtual tunnel interfaces, one at each end. To build the tunnel, besides defining the usual IPsec parameters, which are:

IKE Phase 1: isakmp policy

Authentication with a pre-shared key

IKE Phase 2: transform set, crypto map and the ACL that defines the interesting traffic.

On the tunnel interface I define its IP address and the two tunnel endpoints, that is, the name of the physical interface the traffic leaves through (tunnel source) and the IP address of the remote interface it arrives at (tunnel destination).


Example configuration of POD1 with GRE:

!
hostname Router1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
!
resource policy
!
memory-size iomem 15
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.1.1 10.0.1.12
!
ip dhcp pool POD1_INSIDE
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.2
!
!
no ip ips deny-action ips-interface
no ip domain lookup
!
no ftp-server write-enable
!
!
!
username sdm privilege 15 password 0 sdm
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address 172.30.2.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to172.30.2.2
 set peer 172.30.2.2
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 ip mtu 1420
 tunnel source FastEthernet0/1
 tunnel destination 172.30.2.2
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface FastEthernet0/0
 description inside
 ip address 10.0.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description outside
 ip address 172.30.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
router eigrp 1
 network 10.0.0.0
 network 172.16.1.0 0.0.0.255
 network 172.30.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
!
ip http server
ip http authentication local
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit gre host 172.30.1.2 host 172.30.2.2
access-list 100 remark LAN to LAN
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
!
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login local
 transport input telnet ssh
!
!
end