IPsec over a GRE tunnel

  • Published: 3 Nov 2024

Comments • 109

  • @GA-tl4iy 4 years ago +1

    Dear Doug, thank you so much for a great video, you mentioned and configured everything we need to know for GRE, IPSEC, ISAKMP and much more. I really appreciate your time and your video. You should be here in Toronto / Canada for a great Networking Instructor we don't have. I paid a lot of money to go to the Networking College, but never ever got what I expected (just wasting money and time to be certified in Toronto). THANKS AGAIN AND GOD BLESS, Mike

  • @carlosgaray2513 3 years ago

    I am new to networking... super tech. Thank you much for putting this video together

  • @michaelwood2292 2 years ago

    Thanks Doug for the videos.... very clear and accurate. Easy to understand.

  • @simposymon 10 years ago +5

    best tut on the subject period. Thank-You

  • @netking23 12 years ago

    Excellent video!! Easily one of the best tutorials out there. Please make more of these. They are priceless to many of us.

  • @alreid12345 10 years ago

    Thank you so so much for your great video and explanation it really really helped me understand and get a project done.
    You are a superb teacher and I love your method of teaching and explaining as you go along on screen.
    THANK YOU!

  • @pascaldufour9275 4 years ago

    Have I learnt something new? Absolutely !!!!
    Thnx

  • @ranjeetbadhe 12 years ago

    Doug, You have simplified the subject. Excellent tutorial.

  • @justamusta 12 years ago

    Excellent video, clear and concise and great audio too. Many thanks to you!

  • @MuhammadKhan-yl7mt 11 years ago

    Hats off to you Doug. Thanks for a well explained demo.

  • @mikeko5232 9 years ago

    Perfect and excellent, some new stuff. We are very grateful to you for spending time on it.
    I like the way you talk and explain. If you put some more light on Diffie, transform sets, isakmp, it will be great.

  • @snasheet 11 years ago

    Super demonstration. Thanks for your time and effort to put this together.

  • @Maxsat25 11 years ago

    Thank YOU very much! It's a truly useful demonstration!

  • @Dineshnk89 9 years ago

    Gr8 work Doug...Nice tutorial.. Very helpful...

  • @Raycanfly1996 8 years ago +3

    There is a mistake in this config: the access list used for the IPsec tunnel should be local to remote, not remote to local.
    I confirmed this with GNS3; Phase 2 won't finish unless you put the local network first and remote second. Otherwise, great video.

    • @ctkdh 8 years ago

      @Raymond A: Can you please be more specific and give an example for this case?

    • @Raycanfly1996 8 years ago +3

      Sure, the correct ACL is as follows:
      R3: permit gre host 172.168.3.2 host 172.168.2.1
      (Local network first, then remote)
      R1: permit gre host 172.168.2.1 host 172.168.3.2

  • @danerdavis 11 years ago

    Great tutorial. I will start using gre-ipsec instead of just an ipsec vpn to make dual-wan redundancy easier.

  • @bluerfoot 7 years ago

    based on this one tutorial I sure wish you were still doing cisco vids, great job.

  • @jakecle67 10 years ago

    Awesome video, and very detailed. You the MAN!!!!

  • @alrobi87 9 years ago

    crystal clear - great job Doug!

  • @ishmaelk100 8 years ago +2

    Explicit Tutorial... Thanks Doug!

  • @coverby_htetpaing7961 5 years ago

    Thanks for your sharing. Really Thanks !

  • @msalimolime4528 12 years ago

    I think what you missed is that both routers R1 and R2 have default routes pointing to internet and OSPF is used between R1 and R2 over the GRE tunnel emulating Intranet edge routers. On GNS3 all you need is to have "ip route 0.0.0.0 0.0.0.0 fa0/0" configured on R1 and R2 with fa0/0 interfaces on R1 and R2 connected to R3 acting as the ISP.

  • @barackuse 10 years ago

    Great lab, thanks for using a "clear" mic. The issue I'm running into is that I don't see my OSPF routes. I see the neighbors come up, but when I do a sho ip route, there are NO OSPF routes. Also, shouldn't you be able to ping your loopback interfaces from the remote router, being that they are now routed through the tunnel via OSPF?

  • @julianmenezes.r7809 9 months ago

    Wonderful Video, Good Explanation, Can you please explain the ISP Part, How do you configure the Internet in this Protocol Diagram?😇

  • @binman20 12 years ago

    Excellent work, this will help a lot. Many thanks

  • @RohitVerma-wh1ki 9 years ago

    Very useful video. thank you

  • @elmerjohnbc 13 years ago

    I'll keep following your other post.

  • @Bryan-it6nu 3 years ago

    super helpful. thanks!!

  • @ITsupportian 7 years ago +1

    Good video - I have a question though, How do you configure when you have an ASA firewall behind the router?

  • @mohammadhossain5074 12 years ago

    Wow, Excellent..... . Thanks a lot for making this video.

  • @GregAspenson 10 years ago

    Great video, just what I needed

  • @elmerjohnbc 13 years ago

    Nice tutorial, very basic...good job.

  • @ctkdh 8 years ago

    excellent tutorial, many thanks

  • @SaSemairesearch 8 years ago

    Excellent tutorial

  • @tasosptl 11 years ago

    Well done mate, excellent video and thanks for sharing.

  • @soumyasomanath 13 years ago

    very informative...Thanks for such a good video...

  • @mohamedkhan6089 9 years ago

    Excellent Video

  • @keift8899 11 years ago

    Awesome video and tutorial

  • @2007Russdog 12 years ago

    You don't apply the crypto map to the tunnel. You apply it to the outbound physical interface's IP address. I have done it on Packet Tracer and you don't have to worry about the crypto-trans mode. Just use the authentication pre-share and encryption and it works just fine.

  • @tamask 9 years ago +2

    Why do you have to apply the crypto map to both the physical and the tunnel interface? I labbed it, and it seems it also works if I apply the crypto map only to the physical interface. On the other hand, if I apply it only to the tunnel interface, traffic still goes through, but nothing gets encrypted. As long as it's applied to the physical interface, it makes no difference whether I apply it to the tunnel interface too or not... What am I missing?

    • @rayvaladez5445 6 years ago

      In releases before Cisco IOS Release 12.2(13)T, crypto maps had to be applied to both physical and logical interfaces. In later IOS versions, crypto maps need to be applied only to the physical interface; reference: Cisco Point-to-Point GRE over IPsec Design Guide.

    • @nasirsahak 6 years ago

      Hi, I know you asked this question 2 years ago :),
      I am just playing with IPsec/GRE.
      The answer to your question is the ACL; that is why, when you apply it only to the tunnel interfaces and test, it doesn't match anything, so nothing is encrypted.
      Just tweak it a bit and add an extra ACL line to the current ACL for exactly what you need to match to be encrypted.
      Example: you only want your 192.168.1.0 network to be encrypted when it's talking to the 10.1.1.0 network, so just add it to the existing ACL:
      R1
      ip access-list extended IPSEC-TRAFFIC
      permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
      R2
      ip access-list extended IPSEC-TRAFFIC
      permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
      Now remove the crypto map from your physical interfaces and just apply it to the tunnels;
      you should see traffic encrypted when packets go from the 192 network to the 10 network and vice versa.
      Regards!
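
The crypto ACL rule raised in two replies above (@Raycanfly1996: local first, remote second; @nasirsahak: the R1 and R2 entries are each other's reverse) can be checked mechanically. The following is an added example, not code from the video or from any commenter; the function names and finding labels are hypothetical, and it assumes IOS extended ACL entries without port qualifiers.

```python
import ipaddress

def parse_endpoint(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # The wildcard is the inverted netmask; a non-contiguous one raises ValueError.
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_entry(line):
    """Parse 'permit|deny PROTO SRC DST' (port qualifiers unsupported) into a tuple."""
    tokens = line.split()
    src, rest = parse_endpoint(tokens[2:])
    dst, _ = parse_endpoint(rest)
    return tokens[0], tokens[1], src, dst

def audit_crypto_acl(local_side, local_acl, peer_acl):
    """Check one router's crypto ACL; return a list of (finding, entry) tuples."""
    local_net = ipaddress.ip_network(local_side, strict=False)
    peer_entries = {parse_entry(line) for line in peer_acl}
    findings = []
    for line in local_acl:
        action, proto, src, dst = parse_entry(line)
        # The source must be on this router's side (local first, remote second).
        if not src.overlaps(local_net):
            findings.append(("source-not-local", line))
        # The peer must carry the same entry with source and destination swapped.
        if (action, proto, dst, src) not in peer_entries:
            findings.append(("no-mirror-on-peer", line))
    return findings

# Entries as posted in the thread; the router-to-address mapping follows the comments.
R3_GRE = ["permit gre host 172.168.3.2 host 172.168.2.1"]
R1_GRE = ["permit gre host 172.168.2.1 host 172.168.3.2"]
R1_LAN = ["permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255"]
R2_LAN = ["permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255"]

if __name__ == "__main__":
    print(audit_crypto_acl("172.168.3.2", R3_GRE, R1_GRE))     # clean pair
    print(audit_crypto_acl("172.168.3.2", R1_GRE, R1_GRE))     # R3 written remote-first
    print(audit_crypto_acl("192.168.1.0/24", R1_LAN, R2_LAN))  # inner-LAN pair
```

The second call models the remote-to-local ordering the first reply describes: the entry is flagged both for its non-local source and for having no mirror on the peer.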

  • @pervinraja2696 10 years ago

    Good video..thumbs up!!!

  • @chrisgast 4 years ago

    I've been having a little trouble creating a GRE tunnel, much less setting up IPSec. I've got the subnets set up and I have OSPF enabled with the networks added on the appropriate routers, but I can't get past the "ISP". I can successfully ping from each router to the "ISP", but I can't ping each of the routers to each other. I have the appropriate "public" IPs for the destinations. I'm trying to figure out what I'm forgetting/missing. Any tips?

  • @WaclawWozniak 13 years ago

    Very helpful , thanks a lot !!!

  • @ruellerz 11 years ago

    Thanks! Works great on my lab.

  • @lmd6204 9 years ago +1

    Great tutorial. I would have liked to know what some of the terms were, like the Diffie, transform sets, isakmp, etc. I guess that would be another video to explain what these different types of crypto are.

  • @AaliMr007 8 years ago

    Hi, I am a beginner in VPN. My question is: before creating the GRE tunnel, should both routers be connected via an IPsec VPN?
    Or do you create the GRE tunnel along with the VPN?

  • @ivanabibe160 8 years ago

    Great video, thanks

  • @bronzedpete 11 years ago

    You only need 4 routes on the three routers for it to work:
    R1:
    R1#sh ip route static
    45.0.0.0/24 is subnetted, 1 subnets
    S 45.12.153.0 [1/0] via 162.27.193.2
    WAN:
    C 45.12.153.0 is directly connected, FastEthernet0/1
    162.27.0.0/30 is subnetted, 1 subnets
    C 162.27.193.0 is directly connected, FastEthernet0/0
    R2:
    R2#sh ip route static
    162.27.0.0/24 is subnetted, 1 subnets
    S 162.27.193.0 [1/0] via 45.12.153.2

  • @amb1s1 10 years ago

    When you create crypto isakmp policy 1, when is that policy used? I ask because I don't see that you match it on the crypto map.

  • @GeetTendulkar 11 years ago

    Thank You.. great explanation.

  • @yasyas2255 3 years ago

    Hello, I am from the future! (2020 in particular)
    Made a similar lab; it didn't work until:
    - I had to remove the crypto map from the tunnels and leave it only on the FastEthernets;
    - I had to permit ip in the ACL instead of gre.
    What gives?

  • @Ave0ne 11 years ago +1

    Great video Doug! I do have a question though and excuse me if this has been asked before.. How do you simulate the ISP in Dynamips/GNS3? I'd like to give this lab a go.
    Again, great tutorial!

  • @hassandoghan9866 3 years ago

    Really, you are a good explainer.

  • @cookmeister2020 12 years ago

    Great video, really helpful! thanks!

  • @jumapope5943 9 years ago

    Great Video!!

  • @leonardfreid1348 10 years ago

    Do the OSPF process ID # 's have to be identical to become neighbors or to function? I thought the process ID was locally significant to the router database. Great video! Loved it.

    • @amb1s1 10 years ago +1

      Process ID does not matter on OSPF.

    • @irfannaseef 10 years ago

      Process ID may not be the same. Neighbours should be in the same area and same network, with identical timers.

  • @minhtruong6935 11 years ago

    Love it..great job

  • @samuelquirk9915 8 years ago

    Thanks for the video

  • @michaelmonarca6720 2 months ago

    the best!!!

  • @ezekwise4610 11 years ago

    Thanks for the video. Can you please make a video on site to site vpn over adsl? One site is the corporate network using ASA5500 router and the remote site has cisco router sitting behind the adsl modem and has static public IP.

  • @shr1362 2 years ago

    This is not IPsec over GRE. This is GRE over IPsec. In the IPsec over GRE case, all packets are first encrypted and then passed through the GRE tunnel. Since IPsec cannot encapsulate multicast and broadcast packets, this leads to routing protocol problems. By means of GRE over IPsec, multicast and broadcast can be encapsulated using GRE and then encrypted using IPsec.

  • @deepapannu8111 10 years ago

    Good lab, although it doesn't tell what has to match on both sides and what is only locally significant.

  • @cptechno 8 years ago +1

    Not a network professional, but I have one question: Are both routers the same or from the same company? Could you have done the same if the routers were from different brands?

    • @Raycanfly1996 8 years ago

      Yes, IPsec is universal. Cisco to Juniper, Cisco to Fortigate, etc. No issues.

    • @NETWizzJbirk 8 years ago

      Yes as Raymond said, but you have to match ALL of the Crypto parameters, agreed upon keys, etc.

  • @dvijendravarma2270 9 years ago

    thank you sir. helpful

  • @chellacool86 12 years ago

    Thanks a lot for this video!! It really helped me a lot! :)

  • @gaad45 6 years ago

    superb :) thanks

  • @veganath 13 years ago

    Thx great tutorial, really appreciated!!

  • @tubeyouser77 12 years ago +1

    Great vid, thanks.
    Has anyone tried this in packet tracer? when I create my trans-set it doesn't go into (cfg-crypto-trans) mode for me, also, I can't apply my crypto map to the tunnel interface.

  • @hassandoghan9866 3 years ago

    Do you have to apply the map to the serial interface?

  • @stvnkelemen 11 years ago

    You have to apply static routes on the 3rd router:
    (I'm using serial interfaces instead of FA)
    R3(config)#ip route 192.168.1.0 255.255.255.0 serial 0/0
    R3(config)#ip route 162.27.193.130 255.255.255.255 serial 0/0
    R3(config)#ip route 45.12.153.202 255.255.255.255 serial 0/1
    R3(config)#ip route 10.1.1.0 255.255.255.0 serial 0/1

  • @willowklan 9 years ago

    Don't you need to use a "permit ip any any" after the ACL you configured on the GRE? Otherwise the only traffic that will be allowed to flow through these physical interfaces would be GRE traffic, and only to a specific destination on the other side... You DO need to use those interfaces for regular internet traffic too, don't you?

    • @willowklan 9 years ago

      +Keith Buckley thanks a lot bro. Got it now.

  • @gcampania 9 years ago

    Thank you so much!!

  • @AlexeyTsapaev 8 years ago

    Why do we have to apply the crypto map twice?

  • @TheZ0909 13 years ago

    a real good work

  • @akojib 12 years ago

    This is a great tutorial thanks doing it. Would you have the configs for the internet router? I would like to duplicate this setup in my GNS3. Thanks!

  • @javiercespedes4799 9 years ago

    Great Tutorial!
    BTW, is it not a GRE over IPSEC tunnel?

    • @romanhoax9014 9 years ago +1

      Javier Cespedes You probably already know the answer, but yes, it's a GRE tunnel over an IPsec tunnel. IPsec doesn't handle multicast or broadcast traffic.
      One of the benefits of GRE over IPsec, as opposed to just using an IPsec tunnel by itself, is that we can encapsulate a wider range of traffic into a GRE tunnel and then send it securely within an IPsec tunnel.
      Hope this was useful

    • @willowklan 9 years ago

      +Roman Hoax sorry mate, but you are wrong. It is IPSEC over GRE. The GRE tunnel comes first and then the IPsec tunnel comes "on top" of it to allow the security. The only reason we don't use only IPsec is because it can't forward broadcast. So we build a GRE tunnel that encapsulates the broadcast with a unicast and THEN put on it an IPsec tunnel to secure that unicast traffic.

    • @romanhoax9014 9 years ago

      willow klan
      Semantics. my explanation is the exact same as yours. My wording is such that the GRE tunnel is sent over IPsec. Hence GRE over IPsec. I already explained the GRE tunnel comes first, it is then sent over IPsec.
      Semantics.

  • @ragupathyg 9 years ago +1

    Guys.. Help me to understand it is IPsec over a GRE Tunnel or GRE over IPsec tunnel ??

    • @victormelothemaster 9 years ago +2

      +Ragu G It's GRE over IPSec Tunnel. For more information visit ccnp300-101.blogspot.com

  • @reddypraveen8230 9 years ago +4

    OSPF process ID is only locally significant; only the area, hello, dead need to match.

    • @kencheng2929 7 years ago

      reddypraveen the network too, unless you're using ip6

  • @deepaks1400 6 years ago

    Where is that 4.2.2.2 (ping) network?

  • @ricardovelazquez144 12 years ago

    There are not enough characters to really complain about this video!

  • @ahmedelkhalkhali4534 3 years ago

    What you configured is called GRE over IPSEC and not IPSEC over GRE!

  • @celald 11 years ago

    Hi Ezek,
    I have the same challenge. Did you find a solution?
    We have been fighting for 2 weeks to solve it :((
    Regards,
    Celal

  • @m0rphe0-8 5 years ago +2

    This is NOT IPSEC over GRE, it is GRE over IPSEC!!!! False video

  • @sss-pj4jh 4 years ago

    Hi. This is not IPsec over GRE, this is GRE over IPsec

  • @dennis.teevee 8 months ago

    2024 👍💯

  • @satishpuri4599 11 years ago

    Can anybody help me find out where he has configured the IP address 4.2.2.2?

    • @mindspring05 11 years ago

      4.2.2.2 is a public DNS server on the internet; he tested internet connectivity by pinging it. It's not configured on the router. It would use the default route on the router.

    • @satishpuri4599 11 years ago

      Thank u so much YOGESH for guiding me..

  • @AjeyShetty 13 years ago

    too good

  • @seruwagiashie4145 11 years ago

    need a cert big up cisco

  • @imnoob1505 9 years ago

    can you help me bro? Doug Suida

  • @ricardovelazquez144 12 years ago

    This guy will mess you up if you try his technique within a lab / home environment (GNS3 or lab equipment). What he DOES NOT EXPLAIN, and you can WASTE hours trying to figure it out, is that in a lab / home environment (GNS3 / home equipment) not connected to an "Internet" connection, there has to be stable routing between the two networks before you create the tunnel and set up the OSPF (process 123). I spent hours with a flapping tunnel trying to figure out why!

  • @ViVo-hv2zq 11 years ago

    Very useful. Thanks a lot!!