Showing posts with label ccie. Show all posts

Monday, July 20, 2009

GRE over IPSec with EIGRP to Route Through Two Remote Sites Configuration Example

Introduction

Consider a company with two sites of roughly equal size. Some users need to reach devices at the other site directly by their local IP addresses, and you may even have to replicate domain controllers over the link. Typical uses are reaching OWA and, less often, opening shared files. Less often, because a large file pulled across this tunnel generates serious traffic over the Internet.
A GRE-based VPN is a good fit here because, unlike plain IPsec, the GRE tunnel carries routing protocols, QoS, multicast and even non-IP protocols. You can configure it with SDM or from the CLI. The main downside of the configuration shown here is that it is Cisco-specific, so both routers have to be Cisco routers running an IOS image with VPN (crypto) support.

Refer here for differences between VPNs:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure0900aecd80582078.pdf

Network Diagram

Please check the diagram before you start to read further.


Components Used

- 2 Cisco routers 3745 running Cisco IOS (C3745-ADVIPSERVICESK9-M), Version 12.4(9)T1
- 2 Windows XP
- 1 Windows Server 2003 Enterprise


Configuration

This process has 3 steps:
- Configure the Generic Routing Encapsulation (GRE) Tunnels
- Configure Encryption for the GRE Tunnels
- Configure the Routing Protocol

Configure the GRE Tunnels

R1:
interface Tunnel0
ip address 172.31.0.1 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.2

R2:
interface Tunnel0
ip address 172.31.0.2 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.1

Check that each router can ping the peer's physical interface address and then the peer's tunnel address (from R1 that means 172.16.0.2 and 172.31.0.2; the R1 output below targets R1's own addresses, which only proves that its interfaces are up).

R2#ping 172.31.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
R2#ping 172.16.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/16/48 ms

R1#ping 172.16.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#ping 172.31.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Configure the Encryption for the GRE Tunnels

First create an access list that defines the traffic to encrypt. Only the GRE packets between the two physical (tunnel source) addresses need to match, because every LAN-to-LAN packet is already inside GRE by the time the crypto map sees it:

R1:

access-list 100 permit gre host 172.16.0.1 host 172.16.0.2

R2:

access-list 100 permit gre host 172.16.0.2 host 172.16.0.1

Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel. Two lab shortcuts to reconsider before production: the key below is bound to address 0.0.0.0 0.0.0.0, so any peer that knows it can negotiate (bind it to the peer instead, for example crypto isakmp key cisco123 address 172.16.0.2 on R1), and policy 1 only sets the authentication method, so encryption, hash and Diffie-Hellman group fall back to the IOS defaults (DES, SHA-1 and group 1 on this release). The 3DES/MD5 transform set is likewise a lab choice rather than a recommendation.

R1 & R2:

crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport

Configure the crypto map

R1:

crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.2
set transform-set strong
match address 100

R2:
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.1
set transform-set strong
match address 100


Apply the crypto map. This example applies it to both the physical interface and the tunnel interface, following the Cisco example this post is based on; Cisco's documentation notes that from IOS 12.2(13)T onward the map is only required on the physical (tunnel source) interface, and on newer releases tunnel protection with an IPsec profile on the tunnel interface is the cleaner alternative.

R1 & R2:
interface FastEthernet0/1
crypto map vpn

interface Tunnel0
crypto map vpn


Enable EIGRP

Advertise the tunnel network and each site's LAN. Two more lab shortcuts to reconsider in production: auto-summary summarizes at classful boundaries, which works here only because each site is a single classful network, and no eigrp log-neighbor-changes suppresses the adjacency-change messages you will want to see when the tunnel flaps. The adjacency over the tunnel is also unauthenticated as configured.

R1:

router eigrp 60
network 172.31.0.0
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes

R2:
router eigrp 60
network 10.0.0.0
network 172.31.0.0
auto-summary
no eigrp log-neighbor-changes

Full config

R1:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$JZ2K$15BvDKP555bzNmcnoxc2D.
!
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
!
username cisc0 privilege 15 password 0 cisc0
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.2
set transform-set strong
match address 100
!
!
!
!
!
interface Tunnel0
ip address 172.31.0.1 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.2
crypto map vpn
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.1 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
router eigrp 60
network 172.31.0.0
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes
!
!
!
access-list 100 permit gre host 172.16.0.1 host 172.16.0.2
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
alias exec s show ip inter brief
alias exec sr show run
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password v
transport input telnet ssh
!
!
!
!
end


R2:
Building configuration...

Current configuration : 1412 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$aIoH$XR1H76kiRYuPGtAV07ST3.
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.1
set transform-set strong
match address 100
!
!
!
!
!
interface Tunnel0
ip address 172.31.0.2 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.1
crypto map vpn
!
interface FastEthernet0/0
ip address 10.0.0.2 255.0.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.2 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
router eigrp 60
network 10.0.0.0
network 172.31.0.0
auto-summary
no eigrp log-neighbor-changes
!
!
!
ip http server
no ip http secure-server
ip nat inside source list 10 interface FastEthernet0/1 overload
!
access-list 100 permit gre host 172.16.0.2 host 172.16.0.1
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
alias exec s show ip inter brief
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
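Several settings in the lab configuration above are fine for a lab but not for production: the pre-shared key bound to 0.0.0.0, the ISAKMP policy left at its defaults, the 3DES/MD5 transform set, the unauthenticated EIGRP adjacency over the tunnel, telnet on the vty lines and a username with a reversible password. They are easy to miss in a full running-config. The Python script below is an added example, not code from this post or from Cisco: it audits a saved running-config for exactly those settings and checks a hypothetical hardened fragment beside the lab one. The sample configs are constructed from the R1 config above with IOS indentation restored; the 12.4 ISAKMP defaults it assumes (DES, SHA-1, group 1) and the keywords in the hardened fragment (aes 256, group 14, the EIGRP MD5 key chain) are assumptions to confirm against your IOS release.

```python
"""Heuristic audit of a saved Cisco IOS running-config for the weak crypto and management settings visible in the lab configuration above (added example)."""
import re

WEAK_IKE_ENC, WEAK_IKE_HASH, WEAK_DH = {"des", "3des"}, {"md5"}, {"1", "2", "5"}
WEAK_ESP = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}
# Assumed IOS 12.4 defaults applied when an ISAKMP policy omits the line.
IKE_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}


def sections(config):
    """Yield (header, [sub-commands]); IOS indents block members by one space, a column-0 line opens a new block, '!' is skipped."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def audit_ios_crypto(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, runs_eigrp, open_tunnels = [], False, []
    for header, body in sections(config):
        words = header.split()
        if header.startswith("crypto isakmp key"):
            # crypto isakmp key <key> address <peer> [mask]: 0.0.0.0 means any peer
            m = re.search(r"\baddress (\S+)(?: (\S+))?$", header)
            if m and "0.0.0.0" in m.groups():
                findings.append("crypto isakmp key: bound to 0.0.0.0, any peer holding the key can negotiate")
        elif header.startswith("crypto isakmp policy"):
            chosen, explicit = dict(IKE_DEFAULTS), set()
            for line in body:
                key, *rest = line.split()
                if key in chosen and rest:
                    chosen[key] = rest[0]
                    explicit.add(key)
            for key, weak in (("encryption", WEAK_IKE_ENC), ("hash", WEAK_IKE_HASH), ("group", WEAK_DH)):
                if chosen[key] in weak:
                    why = "" if key in explicit else " (IOS default, not set explicitly)"
                    findings.append(f"{header}: {key} {chosen[key]} is weak{why}")
        elif header.startswith("crypto ipsec transform-set"):
            weak = [w for w in words[4:] if w in WEAK_ESP]
            if weak:
                findings.append(f"{header}: weak transforms {' '.join(weak)}")
        elif header.startswith("interface Tunnel"):
            if not any(l.startswith("ip authentication mode eigrp") for l in body):
                open_tunnels.append(words[1])
        elif header.startswith("router eigrp"):
            runs_eigrp = True
        elif header.startswith("username") and " password " in header:
            findings.append(f"username {words[1]}: reversible 'password' instead of 'secret'")
        elif header.startswith("line vty"):
            for line in body:
                if line.startswith("transport input") and "telnet" in line.split():
                    findings.append(f"{header}: '{line}' allows cleartext management")
    if runs_eigrp:
        findings += [f"interface {t}: EIGRP adjacency over the tunnel is not authenticated" for t in open_tunnels]
    return findings


# Constructed from the R1 config above: indentation restored, unrelated lines dropped.
LAB_R1 = """\
username cisc0 privilege 15 password 0 cisc0
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
interface Tunnel0
 tunnel destination 172.16.0.2
router eigrp 60
line vty 0 4
 transport input telnet ssh
"""
# Hypothetical hardened equivalent; confirm each keyword exists on your IOS release.
HARDENED_R1 = """\
username admin privilege 15 secret 5 $1$REDACTED
key chain EIGRP-KEYS
 key 1
  key-string EXAMPLE-ROUTING-KEY
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 172.16.0.2 255.255.255.255
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
interface Tunnel0
 ip authentication mode eigrp 60 md5
 ip authentication key-chain eigrp 60 EIGRP-KEYS
 tunnel destination 172.16.0.2
router eigrp 60
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    print(*audit_ios_crypto(LAB_R1), sep="\n")
```

Run against LAB_R1 it reports seven findings (the wildcard key, DES and group 1 inherited from the policy defaults, both transforms, the telnet vty, the reversible username password and the unauthenticated Tunnel0 adjacency) and nothing for HARDENED_R1. It is a text heuristic, not a parser of the full IOS grammar: paste it over a real backup as a first pass, not as a substitute for reading the config.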

This post is based on:
GRE over IPSec with EIGRP to Route Through a Hub and Multiple Remote Sites Configuration

Other Examples:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

Thursday, July 9, 2009

cisco show running-configuration filter

Tired of scrolling through the whole running-configuration just to read one line at the very end? Cisco IOS has a built-in output filter that lets you specify more precisely which part of the running configuration you want. Mastering these filters not only makes you look like you know what you are doing, it also saves a lot of time and frustration wading through irrelevant output.

The three most widely used filters on the running config are begin, exclude and include. To see them, type show running-configuration (sh run, since we are trying to save time here) followed by the vertical bar (|) and then a question mark:

R1#sh run | ?
append Append redirected output to URL (URLs supporting append operation only)
begin Begin with the line that matches
exclude Exclude lines that match
include Include lines that match
redirect Redirect output to URL
section Filter a section of output
tee Copy output to URL

The begin filter skips output until the first line that matches the expression you give, then prints everything from that line on. The expression is a regular expression, so knowing how lines are laid out in the configuration (and anchoring with ^ when you mean the start of a line) helps when choosing what to type.

As an example, here is the running-configuration of a router I am currently working on


R1#sh run
Building configuration...

Current configuration : 1238 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
!
username R2 password 0 lanwan
!
!
!
interface Serial0/0
no ip address
encapsulation frame-relay
serial restart-delay 0
no dce-terminal-timing-enable
no frame-relay inverse-arp
frame-relay lmi-type ansi
!
interface Serial0/0.2 point-to-point
ip address 10.0.12.1 255.255.255.0
no cdp enable
frame-relay interface-dlci 102
!
interface Serial0/1
ip address 10.1.12.1 255.255.255.0
encapsulation ppp
serial restart-delay 0
no dce-terminal-timing-enable
ppp authentication chap
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface FastEthernet1/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
ip http server
!
ip route 192.168.2.0 255.255.255.0 Serial0/0.2
!
!
no cdp run
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end

If we only wanted information on the configured static routes, begin lets us jump to the exact line:

R1#sh run | begin ip route
ip route 192.168.2.0 255.255.255.0 Serial0/0.2
!
!
no cdp run
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end

and the display begins with the first line containing "ip route".

The include filter shows only the lines that match "ip route":

R1#sh run | include ip route
ip route 192.168.2.0 255.255.255.0 Serial0/0.2

This is much more succinct output and gives a neater, easier-to-read display.

The exclude filter drops every line that matches the expression. For example, to remove all the lines containing the word "line":

R1#sh run | exclude line
Building configuration...

Current configuration : 1238 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
!
username R2 password 0 lanwan
!
!
!
interface Serial0/0
no ip address
encapsulation frame-relay
serial restart-delay 0
no dce-terminal-timing-enable
no frame-relay inverse-arp
frame-relay lmi-type ansi
!
interface Serial0/0.2 point-to-point
ip address 10.0.12.1 255.255.255.0
no cdp enable
frame-relay interface-dlci 102
!
interface Serial0/1
ip address 10.1.12.1 255.255.255.0
encapsulation ppp
serial restart-delay 0
no dce-terminal-timing-enable
ppp authentication chap
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface FastEthernet1/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
ip http server
!
ip route 192.168.2.0 255.255.255.0 Serial0/0.2
!
!
no cdp run
!
control-plane
!
!
exec-timeout 0 0
logging synchronous
!
!
end

Personally, I prefer the begin and include commands as they are more effective. Furthermore, the output of the exclude command leaves some information hanging, which may be a bit confusing.
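The same filters are just as useful on configuration backups that are no longer on the box. As an added example (not from the original post), here is a small Python emulation of begin, include, exclude and the section filter from the ? list above, run over a copy of the R1 configuration with IOS's one-space indentation restored. Like IOS, it treats the argument as a regular expression; the section filter here returns every block (a column-0 line plus the indented lines under it) that contains a match, which approximates what IOS prints for section.

```python
"""Emulate IOS 'show ... | begin|include|exclude|section <regex>' on a saved config (added example)."""
import re

# Constructed from the R1 config above, with IOS's one-space indentation restored.
SAMPLE_RUN = """\
version 12.4
hostname R1
!
username R2 password 0 lanwan
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.2 point-to-point
 ip address 10.0.12.1 255.255.255.0
 frame-relay interface-dlci 102
!
interface Serial0/1
 ip address 10.1.12.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
!
interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.0
!
ip http server
!
ip route 192.168.2.0 255.255.255.0 Serial0/0.2
!
line con 0
 exec-timeout 0 0
line vty 0 4
!
end
"""


def ios_filter(text, mode, pattern):
    """Return the lines that 'show ... | <mode> <pattern>' would print.

    pattern is a regular expression, as on IOS, so '^interface|^ ip address'
    selects two kinds of line and '^' anchors to the start of a line.
    """
    rx = re.compile(pattern)
    lines = text.splitlines()
    if mode == "begin":        # everything from the first matching line onwards
        for i, line in enumerate(lines):
            if rx.search(line):
                return lines[i:]
        return []
    if mode == "include":      # only the matching lines
        return [l for l in lines if rx.search(l)]
    if mode == "exclude":      # everything except the matching lines
        return [l for l in lines if not rx.search(l)]
    if mode == "section":      # whole blocks (column-0 line plus indented lines) containing a match
        out, block = [], []
        for line in lines + [""]:          # empty sentinel flushes the last block
            if line.startswith(" "):
                block.append(line)
                continue
            if any(rx.search(l) for l in block):
                out.extend(block)
            block = [line]
        return out
    raise ValueError(f"unknown filter {mode!r}")


if __name__ == "__main__":
    print("\n".join(ios_filter(SAMPLE_RUN, "section", "Serial0/1")))
```

Note the difference between include "ip address" (which also catches the "no ip address" line) and include "^ ip address": anchoring is the usual fix when a plain word matches more than you meant, and section "ppp authentication" brings back the whole Serial0/1 block rather than the one line, which is what you want when auditing which interfaces carry a given setting.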

Thursday, May 14, 2009

Etherchannel in a Nutshell: Understanding and Configuring the Cisco Technology

Ever feel like the link between two of your switches isn't as fast as it could be? And shouldn't there be a way to keep that connection up when one of the cables goes bad? Fortunately, there is a way to kill two birds with one stone: EtherChannel, an easily configured technology used primarily on Cisco switches.

EtherChannel groups multiple physical Ethernet links into one logical link. This gives both increased bandwidth and fault tolerance between your routers, switches, servers, hosts, etc. Each EtherChannel consists of between two and eight Fast Ethernet, Gigabit Ethernet or 10 Gigabit Ethernet links, all of the same speed and duplex. If one member link fails, traffic continues over the remaining members and the logical link stays up.

For example, say you have two Cisco switches, each with four Gigabit Ethernet ports. You already have connectivity over one Gigabit port on each switch, but users complain that moving large files to each other takes too long. The other three Gigabit ports on each switch are just collecting dust. Cabling those three links and bundling all four into one EtherChannel gives you a 4 Gbps logical link with built-in backup paths in case any member fails. One caveat: EtherChannel load-balances by hashing addresses onto member links, so a single flow (one user's file copy) still travels over one 1 Gbps member. The aggregate capacity is 4 Gbps; the speed of any single transfer is not.

For additional information on the subject, please refer to the following links:


Cisco EtherChannel Technology

Configuring EtherChannel