Let's consider the scenario when our company has two sites. They are equally big and some users require accessing other network devices directly by using its local IPs, or maybe you even have to replicate domain controllers over this tunnel. Let's say you want to access OWA and not too often check some shared files. The reason why I said not too often is because this will create some serious traffic over internet, if file is big.
Cisco GRE-Based VPN is the best choice for use, because it supports routing, QoS, Multicast and also non-IP protocols. You can configure it using SDM or CLI. The main downside is that this configuration is not multivendor. So both routers has to be Cisco routers with IOS that support VPN.
Refer here for differences between VPNs:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure0900aecd80582078.pdf
Network Diagram
Please check the diagram before you start to read further.
Components Used
- 2 Cisco routers 3745 running Cisco IOS (C3745-ADVIPSERVICESK9-M), Version 12.4(9)T1
- 2 Windows XP
- 1 Windows Server 2003 Enterprise
Configuration
This process has 3 steps:
- Configure the Generic Routing Encapsulation (GRE) Tunnels
- Configure Encryption for the GRE Tunnels
- Configure the Routing Protocol
Configure the GRE Tunnels
R1:
interface Tunnel0
ip address 172.31.0.1 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.2
R2:
interface Tunnel0
ip address 172.31.0.2 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.1
Check if you can ping by interface IP and by Tunnel IPs.
R2#ping 172.31.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
R2#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/16/48 ms
R1#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#ping 172.31.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Configure the Encryption for the GRE Tunnels
First create a access list to define which traffic to encypt:
R1:
access-list 100 permit gre host 172.16.0.1 host 172.16.0.2
R2:
access-list 100 permit gre host 172.16.0.2 host 172.16.0.1
Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.
R1 & R2:
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
Configure the crypto map
R1:
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.2
set transform-set strong
match address 100
R2:
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.1
set transform-set strong
match address 100
Apply on BOTH:
R1 & R2:
interface FastEthernet0/1
crypto map vpn
interface Tunnel0
crypto map vpn
Enable EIGRP
R1:
router eigrp 60
network 172.31.0.0
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes
R2:
router eigrp 60
network 10.0.0.0
network 172.31.0.0
auto-summary
no eigrp log-neighbor-changes
Full config
R1:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$JZ2K$15BvDKP555bzNmcnoxc2D.
!
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
!
username cisc0 privilege 15 password 0 cisc0
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.2
set transform-set strong
match address 100
!
!
!
!
!
interface Tunnel0
ip address 172.31.0.1 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.2
crypto map vpn
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.1 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
router eigrp 60
network 172.31.0.0
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes
!
!
!
access-list 100 permit gre host 172.16.0.1 host 172.16.0.2
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
alias exec s show ip inter brief
alias exec sr show run
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password v
transport input telnet ssh
!
!
!
!
end
R2:
Building configuration...
Current configuration : 1412 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$aIoH$XR1H76kiRYuPGtAV07ST3.
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.1
set transform-set strong
match address 100
!
!
!
!
!
interface Tunnel0
ip address 172.31.0.2 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.1
crypto map vpn
!
interface FastEthernet0/0
ip address 10.0.0.2 255.0.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.2 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
router eigrp 60
network 10.0.0.0
network 172.31.0.0
auto-summary
no eigrp log-neighbor-changes
!
!
!
ip http server
no ip http secure-server
ip nat inside source list 10 interface FastEthernet0/1 overload
!
access-list 100 permit gre host 172.16.0.2 host 172.16.0.1
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
alias exec s show ip inter brief
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
This post is based on:
GRE over IPSec with EIGRP to Route Through a Hub and Multiple Remote Sites Configuration
Other Examples:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml
No comments:
Post a Comment