How to configure GRE over IPSec in Cisco IOS and Cisco IOS-XE devices

In this tutorial, I want to share the steps you need to take to configure GRE over IPSec in Cisco IOS devices. I am using the same network diagram as in the tutorial which explains how to configure the GRE tunnel between Cisco routers.

When you use plain GRE, the data sent between the routers is not encrypted, and its content is visible in a packet capture. To mitigate this, you can run GRE over IPSec: the GRE packets are encrypted by ESP, so the data can cross the Internet without exposing its content.


Gulian Technology

This is the network diagram that I use in this lab.

GRE over IPSec network diagram

Configure the IKEv1 phase 1

After configuring the GRE tunnel (for step-by-step instructions, check this link), you need to define a crypto isakmp policy.

Define a crypto isakmp policy

Inside the policy, you need to select the encryption algorithm, the authentication method, the hash algorithm and the Diffie-Hellman group. Also, you can change the default lifetime for the security association.

Router SiteA#

SiteA#conf term
Enter configuration commands, one per line. End with CNTL/Z.
SiteA(config)#crypto isakmp policy 1
SiteA(config-isakmp)#?
ISAKMP commands:
authentication Set authentication method for protection suite
default Set a command to its defaults
encryption Set encryption algorithm for protection suite
exit Exit from ISAKMP protection suite configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection suite
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults

SiteA(config-isakmp)#encryption ?
3des Three key triple DES
aes AES - Advanced Encryption Standard.
des DES - Data Encryption Standard (56 bit keys).

SiteA(config-isakmp)#encryption aes
SiteA(config-isakmp)#authentication ?
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature

SiteA(config-isakmp)#authentication pre-share

SiteA(config-isakmp)#group ?
1 Diffie-Hellman group 1 (768 bit)
14 Diffie-Hellman group 14 (2048 bit)
15 Diffie-Hellman group 15 (3072 bit)
16 Diffie-Hellman group 16 (4096 bit)
19 Diffie-Hellman group 19 (256 bit ecp)
2 Diffie-Hellman group 2 (1024 bit)
20 Diffie-Hellman group 20 (384 bit ecp)
21 Diffie-Hellman group 21 (521 bit ecp)
24 Diffie-Hellman group 24 (2048 bit, 256 bit subgroup)
5 Diffie-Hellman group 5 (1536 bit)

SiteA(config-isakmp)#group 14

SiteA(config-isakmp)#hash ?
md5 Message Digest 5
sha Secure Hash Standard
sha256 Secure Hash Standard 2 (256 bit)
sha384 Secure Hash Standard 2 (384 bit)
sha512 Secure Hash Standard 2 (512 bit)

SiteA(config-isakmp)#hash sha256
SiteA(config-isakmp)#lifetime ?
<60-86400> lifetime in seconds

SiteA(config-isakmp)#lifetime 86400
SiteA(config-isakmp)#

Add a similar configuration to your second router.

Router SiteB#

SiteB#conf term
Enter configuration commands, one per line. End with CNTL/Z.
SiteB(config)#crypto isa
SiteB(config)#crypto isakmp policy 1
SiteB(config-isakmp)#encryption aes
SiteB(config-isakmp)#authentication pre-share
SiteB(config-isakmp)#group 14
SiteB(config-isakmp)#hash sha256
SiteB(config-isakmp)#
Configure the isakmp policy

Define the pre-shared key and the remote peer address

Next, you need to specify the pre-shared key and the IP address of the remote peer.

Router SiteA#

SiteA(config)#
SiteA(config)#crypto isakmp key cisco address 152.10.20.2
SiteA(config)#

Router SiteB#

SiteB(config)#
SiteB(config)#crypto isakmp key cisco address 152.10.10.2
SiteB(config)#

Configure IKEv1 phase 2

Starting with this step, you will configure the details for IKEv1 phase 2.

Create the IPSec transform-set

You need to create the IPSec transform-set for both routers.

Router SiteA#

SiteA(config)#crypto ipsec transform-set ?
WORD Transform set tag

SiteA(config)#crypto ipsec transform-set VPNSET ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
ah-sha256-hmac AH-HMAC-SHA256 transform
ah-sha384-hmac AH-HMAC-SHA384 transform
ah-sha512-hmac AH-HMAC-SHA512 transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-gcm ESP transform using GCM cipher
esp-gmac ESP transform using GMAC cipher
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth

SiteA(config)#crypto ipsec transform-set VPNSET esp-aes ?
128 128 bit keys.
192 192 bit keys.
256 256 bit keys.
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
ah-sha256-hmac AH-HMAC-SHA256 transform
ah-sha384-hmac AH-HMAC-SHA384 transform
ah-sha512-hmac AH-HMAC-SHA512 transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth
<cr> <cr>

SiteA(config)#crypto ipsec transform-set VPNSET esp-aes esp-sha
SiteA(config)#crypto ipsec transform-set VPNSET esp-aes esp-sha-
SiteA(config)#crypto ipsec transform-set VPNSET esp-aes esp-sha-hmac
SiteA(cfg-crypto-trans)#mode ?
transport transport (payload encapsulation) mode
tunnel tunnel (datagram encapsulation) mode

SiteA(cfg-crypto-trans)#mode transport
SiteA(cfg-crypto-trans)#exit
SiteA(config)#

Router SiteB#

SiteB(config)#
SiteB(config)#crypto ipsec transform-set VPNSET esp-aes esp-sha-hmac
SiteB(cfg-crypto-trans)#mode transport
SiteB(cfg-crypto-trans)#exit
SiteB(config)#
Create the ipsec transform-set

Create the access-list to match the GRE traffic

You need to configure an access-list that matches the GRE traffic (IP protocol 47); the crypto map uses it to decide which packets to protect.

Router SiteA#

SiteA(config)#ip access-list extended GRE-OVER-IPSEC    
SiteA(config-ext-nacl)#permit gre any any
SiteA(config-ext-nacl)#exit
SiteA(config)#

Router SiteB#

SiteB(config)#
SiteB(config)#ip access-list extended GRE-OVER-IPSEC
SiteB(config-ext-nacl)#permit gre any any
SiteB(config-ext-nacl)#exit
SiteB(config)#
Create the access-list to match the GRE traffic

Create the crypto map

Next, you need to create the crypto map which will glue together all the other configuration options added in the previous steps.

Router SiteA#

SiteA(config)#crypto map ?
WORD Crypto map tag
ipv6 IPv6 crypto map

SiteA(config)#crypto map VPN ?
<1-65535> Sequence to insert into crypto map entry
client Specify client configuration settings
gdoi Configure crypto map gdoi features
isakmp Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address Interface to use for local address for this crypto map
redundancy High availability options for this map

SiteA(config)#crypto map VPN 1 ipsec-is
SiteA(config)#crypto map VPN 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
SiteA(config-crypto-map)#match address GRE-OVER-IPSEC
SiteA(config-crypto-map)#ste tra
SiteA(config-crypto-map)#set tran
SiteA(config-crypto-map)#set transform-set ?
WORD Proposal tag

SiteA(config-crypto-map)#set transform-set VPNSET
SiteA(config-crypto-map)#set peer 152.10.20.2
SiteA(config-crypto-map)#exit
SiteA(config)#

Router SiteB#

SiteB(config)#
SiteB(config)#crypto map VPN 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
SiteB(config-crypto-map)#match address GRE-OVER-IPSEC
SiteB(config-crypto-map)#set transform-set VPNSET
SiteB(config-crypto-map)#set peer 152.10.10.2
SiteB(config-crypto-map)#exit
SiteB(config)#
Create the crypto map

Apply the crypto map on the interface

The last step is to apply the crypto map on the interface facing the Internet. In my case, this is the interface gi0/0.

Router SiteA#

SiteA(config)#
SiteA(config)#int gi0/0
SiteA(config-if)#crypto map VPN
SiteA(config-if)#

Router SiteB#

SiteB(config)#
SiteB(config)#int gi0/0
SiteB(config-if)#crypto map VPN
SiteB(config-if)#
Apply the crypto map on the interface

Check the final configuration

After finishing the configuration, you need to check it to be sure that it is correct. For this, you need to use the following show commands.

Router SiteA#

SiteA#show crypto isakmp policy 

Global IKE policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard 2 (256 bit)
authentication method: Pre-Shared Key
Diffie-Hellman group: #14 (2048 bit)
lifetime: 86400 seconds, no volume limit
SiteA#
SiteA#show crypto isakmp key
Keyring Hostname/Address Preshared Key

default 152.10.20.2 cisco
SiteA#
SiteA#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
152.10.20.2 152.10.10.2 QM_IDLE 1030 ACTIVE

IPv6 Crypto ISAKMP SA

SiteA#

Router SiteB#

SiteB#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard 2 (256 bit)
authentication method: Pre-Shared Key
Diffie-Hellman group: #14 (2048 bit)
lifetime: 86400 seconds, no volume limit
SiteB#
SiteB#show crypto isakmp key
Keyring Hostname/Address Preshared Key

default 152.10.10.2 cisco
SiteB#
SiteB#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
152.10.20.2 152.10.10.2 QM_IDLE 1030 ACTIVE

IPv6 Crypto ISAKMP SA

SiteB#
show crypto isakmp sa

Router SiteA#

SiteA#show crypto ipsec security-association 
Security association lifetime: 4608000 kilobytes/3600 seconds

SiteA#show crypto ipsec tra
SiteA#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },

Transform set VPNSET: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },

SiteA#

Router SiteB#

SiteB#show crypto ipsec security-association 
Security association lifetime: 4608000 kilobytes/3600 seconds

SiteB#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },

Transform set VPNSET: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },

SiteB#
show crypto ipsec transform-set
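As an added example (not part of the original post), this Python script reads the text of show crypto isakmp policy shown above and flags the phase 1 choices that have become legacy (DES/3DES, MD5 or SHA-1, DH groups 1/2/5). The second sample policy is constructed for the demonstration, and the thresholds are the script's own assumptions, not Cisco defaults.

```python
"""Audit IKEv1 policies from 'show crypto isakmp policy' output: an added example (not
from the original post) that flags legacy choices using this script's own thresholds."""
import re

# Output captured from SiteA in this tutorial (the 'Global IKE policy' header omitted).
SITEA_POLICY = """\
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard 2 (256 bit)
Diffie-Hellman group: #14 (2048 bit)
lifetime: 86400 seconds, no volume limit
"""

# Constructed sample (not from the page) showing the kind of policy to flag.
LEGACY_POLICY = """\
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
"""

SUITE_RE = re.compile(r"Protection suite of priority (\d+)\n(.*?)(?=Protection suite|\Z)", re.S)
WEAK_DH_GROUPS = {1, 2, 5}  # 768/1024/1536-bit MODP; group 14 or the ECP groups are the floor here

def parse_policies(text):
    """Return one dict per protection suite with the fields the audit needs."""
    policies = []
    for prio, body in SUITE_RE.findall(text):
        fields = dict(re.findall(r"^\s*([\w\- ]+?):\s*(.+)$", body, re.M))
        policies.append({
            "priority": int(prio),
            "encryption": fields.get("encryption algorithm", ""),
            "hash": fields.get("hash algorithm", ""),
            "dh_group": int(re.search(r"#(\d+)", fields.get("Diffie-Hellman group", "#0")).group(1)),
            "lifetime": int(re.search(r"(\d+) seconds", fields.get("lifetime", "0 seconds")).group(1)),
        })
    return policies

def audit(text):
    findings = []  # one string per weak choice; empty means nothing was flagged
    for p in parse_policies(text):
        tag = f"priority {p['priority']}:"
        if "DES" in p["encryption"]:  # catches both DES and 'Three key triple DES'
            findings.append(f"{tag} legacy cipher {p['encryption'].split(' - ')[0]}")
        if "Secure Hash Standard 2" not in p["hash"]:  # MD5 or SHA-1
            findings.append(f"{tag} legacy hash {p['hash']}")
        if p["dh_group"] in WEAK_DH_GROUPS:
            findings.append(f"{tag} weak DH group {p['dh_group']}")
    return findings
```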

Check the connectivity between the end hosts

The final step is to check the connectivity between the end hosts. I will run a ping from ClientA to ClientB.

ClientA:

ClientA:~$ ping -c 4 192.168.20.10
PING 192.168.20.10 (192.168.20.10): 56 data bytes
64 bytes from 192.168.20.10: seq=1 ttl=42 time=37.772 ms
64 bytes from 192.168.20.10: seq=2 ttl=42 time=25.899 ms
64 bytes from 192.168.20.10: seq=3 ttl=42 time=26.552 ms

--- 192.168.20.10 ping statistics ---
4 packets transmitted, 3 packets received, 25% packet loss
round-trip min/avg/max = 25.899/30.074/37.772 ms
ClientA:~$

ClientB:

ClientB:~$ ping -c 2 192.168.10.10
PING 192.168.10.10 (192.168.10.10): 56 data bytes
64 bytes from 192.168.10.10: seq=0 ttl=42 time=26.124 ms
64 bytes from 192.168.10.10: seq=1 ttl=42 time=27.700 ms

--- 192.168.10.10 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 26.124/26.912/27.700 ms
ClientB:~$
Check the connectivity between the end hosts

Now you can check the IPSec SA (security association) and confirm that packets are being encrypted and decrypted, which shows that the GRE traffic is going through the IPSec tunnel. Note that the output below reports Tunnel in the "in use settings" although the transform-set was configured with mode transport: IOS negotiates transport mode only when the crypto ACL matches traffic between the peer addresses themselves, and permit gre any any is broader than that, so the peers fall back to tunnel mode.

Router SiteA#

SiteA#show crypto ipsec sa

interface: GigabitEthernet0/0
Crypto map tag: VPN, local addr 152.10.10.2

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
current_peer 152.10.20.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 152.10.10.2, remote crypto endpt.: 152.10.20.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xAA02B88D(2852305037)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xDCDBE833(3705399347)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9, flow_id: SW:9, sibling_flags 80004040, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4172617/3384)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xAA02B88D(2852305037)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 10, flow_id: SW:10, sibling_flags 80004040, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4172617/3384)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
SiteA#

Router SiteB#

SiteB#show crypto ipsec sa

interface: GigabitEthernet0/0
Crypto map tag: VPN, local addr 152.10.20.2

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
current_peer 152.10.10.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 152.10.20.2, remote crypto endpt.: 152.10.10.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xDCDBE833(3705399347)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xAA02B88D(2852305037)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9, flow_id: SW:9, sibling_flags 80000040, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4180276/3320)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xDCDBE833(3705399347)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 10, flow_id: SW:10, sibling_flags 80000040, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4180276/3320)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
SiteB#
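As an added example (not part of the original post), this Python check parses the show crypto ipsec sa text shown above and confirms that the GRE flow (protocol 47) is being encrypted and decrypted both ways with no errors and both ESP SAs ACTIVE; it also compares the negotiated mode with the configured one, which is why it reports the Tunnel-versus-transport difference visible in this output. The embedded sample is a trimmed copy of the SiteA output.

```python
"""Health-check an IPsec SA from 'show crypto ipsec sa' output: an added example (not
from the original post) that confirms the GRE flow is encrypted and decrypted both ways."""
import re

# Trimmed copy of the SiteA output shown above; only the lines this parser reads are kept.
SITEA_SA = """\
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#send errors 0, #recv errors 0
inbound esp sas:
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
Status: ACTIVE(ACTIVE)
outbound esp sas:
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
Status: ACTIVE(ACTIVE)
"""

def counters(text):
    """Map every '#pkts <name>: N' and '#send/#recv errors N' field to an int."""
    c = {k: int(v) for k, v in re.findall(r"#pkts ([\w. ]+?): (\d+)", text)}
    c.update({f"{k} errors": int(v) for k, v in re.findall(r"#(send|recv) errors (\d+)", text)})
    return c

def check_sa(text, expected_mode="Transport"):
    """Return a list of problems; empty means the SA is carrying GRE as intended."""
    problems, c = [], counters(text)
    if not re.search(r"local ident .*?/47/", text):
        problems.append("crypto ACL does not select GRE (IP protocol 47)")
    if c.get("encrypt", 0) == 0 or c.get("encrypt") != c.get("encaps"):
        problems.append("outbound packets are not all being encrypted")
    if c.get("decrypt", 0) == 0 or c.get("decrypt") != c.get("decaps"):
        problems.append("inbound packets are not all being decrypted")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        problems.append("SA reports send/recv errors")
    statuses = re.findall(r"Status: (\w+)", text)
    if len(statuses) < 2 or any(s != "ACTIVE" for s in statuses):
        problems.append(f"not both ESP SAs ACTIVE: {statuses}")
    # The transform-set was configured with 'mode transport'; report what was actually negotiated.
    modes = set(re.findall(r"in use settings =\{(\w+),", text))
    if modes != {expected_mode}:
        problems.append(f"negotiated mode {sorted(modes)} differs from configured {expected_mode}")
    return problems

if __name__ == "__main__":
    print(check_sa(SITEA_SA) or "SA healthy")
```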

You can also capture some packets and confirm in Wireshark that the payload is encrypted.

Collecting a packet capture

Here is the confirmation from Wireshark.

Packet capture confirmation

That’s it! You have learned how to configure GRE over IPSec on Cisco routers. If you found this blog post helpful, please like and subscribe for more Cisco networking tutorials. Thank you for reading it!
