Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01
Chapter 7
Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation
Step 2
  Command or Action: crypto map map-name
  Example:
    Router(config-if)# crypto map static-map
    Router(config-if)#
  Purpose: Applies the crypto map to the interface. See the Cisco IOS Security Command Reference for more detail about this command.

Step 3
  Command or Action: exit
  Example:
    Router(config-if)# exit
    Router(config)#
  Purpose: Enters global configuration mode.

Configure a GRE Tunnel

Perform these steps to configure a GRE tunnel, beginning in global configuration mode:
Step 1
  Command or Action: interface type number
  Example:
    Router(config)# interface tunnel 1
    Router(config-if)#
  Purpose: Creates a tunnel interface and enters interface configuration mode.

Step 2
  Command or Action: ip address subnet mask
  Example:
    Router(config-if)# ip address 10.62.1.193 255.255.255.255
    Router(config-if)#
  Purpose: Assigns an address to the tunnel.

Step 3
  Command or Action: tunnel source interface-type number
  Example:
    Router(config-if)# tunnel source fastethernet 0
    Router(config-if)#
  Purpose: Specifies the source endpoint of the router for the GRE tunnel.

Step 4
  Command or Action: tunnel destination default-gateway-ip-address
  Example:
    Router(config-if)# tunnel destination 192.168.101.1
    Router(config-if)#
  Purpose: Specifies the destination endpoint of the router for the GRE tunnel.
Step 5
  Command or Action: crypto map map-name
  Example:
    Router(config-if)# crypto map static-map
    Router(config-if)#
  Purpose: Assigns a crypto map to the tunnel.
  Note: Dynamic routing or static routes to the tunnel interface must be configured to establish connectivity between the sites. See the Cisco IOS Security Configuration Guide for details.

Step 6
  Command or Action: exit
  Example:
    Router(config-if)# exit
    Router(config)#
  Purpose: Exits interface configuration mode, and returns to global configuration mode.

Step 7
  Command or Action: ip access-list {standard | extended} access-list-name
  Example:
    Router(config)# ip access-list extended vpnstatic1
    Router(config-acl)#
  Purpose: Enters ACL configuration mode for the named ACL that is used by the crypto map.

Step 8
  Command or Action: permit protocol source source-wildcard destination destination-wildcard
  Example:
    Router(config-acl)# permit gre host 192.168.100.1 host 192.168.101.1
    Router(config-acl)#
  Purpose: Specifies that only GRE traffic is permitted on the outbound interface.

Step 9
  Command or Action: exit
  Example:
    Router(config-acl)# exit
    Router(config)#
  Purpose: Returns to global configuration mode.

Configuration Example

The following configuration example shows a portion of the configuration file for a VPN using a GRE tunnel scenario described in the preceding sections.

!
aaa new-model
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
aaa session-id common
!
username cisco password 0 cisco
!
interface tunnel 1
 ip address 10.62.1.193 255.255.255.252
 tunnel source fastethernet 0
 tunnel destination 192.168.101.1
ip route 20.20.20.0 255.255.255.0 tunnel 1
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group rtr-remote
 key secret-password
 dns 10.50.10.1 10.60.10.1
 domain company.com
 pool dynpool
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec security-association lifetime seconds 86400
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
! Defines the key association and authentication for IPSec tunnel.
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
!
! Defines encryption and transform set for the IPSec tunnel.
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
! Associates all crypto values and peering address for the IPSec tunnel.
crypto map to_corporate 1 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set set1
 match address 105
!
!
! VLAN 1 is the internal interface
interface vlan 1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip inspect firewall in ! Inspection examines outbound traffic.
 crypto map static-map
 no cdp enable
!
! FE4 is the outside or Internet-exposed interface
interface fastethernet 4
 ip address 210.110.101.21 255.255.255.0
 ! acl 103 permits IPSec traffic from the corp. router as well as
 ! denies Internet-initiated traffic inbound.
 ip access-group 103 in
 ip nat outside
 no cdp enable
 crypto map to_corporate ! Applies the IPSec tunnel to the outside interface.
!
! Utilize NAT overload in order to make best use of the
! single address provided by the ISP.
ip nat inside source list 102 interface fastethernet 4 overload
ip classless
ip route 0.0.0.0 0.0.0.0 210.110.101.1
no ip http server
!
!
! acl 102 associated addresses used for NAT.
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
! acl 103 defines traffic allowed from the peer for the IPSec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
! Allows ICMP for debugging; this should be disabled because of security implications.
access-list 103 permit icmp any any
access-list 103 deny ip any any ! Prevents Internet-initiated traffic inbound.
! acl 105 matches addresses for the IPSec tunnel to or from the corporate network.
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
no cdp run
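
The configuration example above contains settings a security review would flag: a type 0 password, 3DES and MD5 in the IKE policies and transform sets, Diffie-Hellman group 2, cleartext pre-shared keys, and the ICMP permit that the example's own comment says to disable. The following Python check is an added example, not part of the Cisco guide; the rule list and the audit function are assumptions of this example, and the sample text is constructed from lines of the configuration above.

```python
import re

# Added example rules: (required parent block or None, command pattern, finding).
RULES = [
    (None, r"username \S+ password 0 ", "local password stored in cleartext (type 0)"),
    (None, r"crypto isakmp key \S+ address ", "IKE pre-shared key stored in cleartext"),
    ("crypto isakmp policy", r"encryption (des|3des)$", "IKE policy encrypts with DES/3DES"),
    ("crypto isakmp policy", r"hash md5$", "IKE policy hashes with MD5"),
    ("crypto isakmp policy", r"group [12]$", "IKE policy uses DH group 1 or 2"),
    (None, r"crypto ipsec transform-set \S+ .*esp-(des|3des)\b", "transform set encrypts with DES/3DES"),
    (None, r"crypto ipsec transform-set \S+ .*esp-md5-hmac\b", "transform set authenticates with HMAC-MD5"),
    (None, r"access-list \d+ permit icmp any any$", "ACL admits ICMP from any source"),
]

# Constructed sample: lines taken from the configuration example above.
SAMPLE = """\
username cisco password 0 cisco
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp policy 1
 hash md5
crypto isakmp key cisco123 address 200.1.1.1
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
! Allow ICMP for debugging but should be disabled because of security implications.
access-list 103 permit icmp any any
"""

def audit(config_text):
    """Return (line_number, parent_block, finding) for every rule that matches."""
    findings, parent = [], ""
    for n, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split(" !", 1)[0].rstrip()   # drop a trailing inline comment
        if not line.strip() or line.lstrip().startswith("!"):
            continue                            # blank line or comment line
        indented = line[0].isspace()
        if not indented:
            parent = line                       # new top-level command
        for scope, pattern, message in RULES:
            if scope and not (indented and parent.startswith(scope)):
                continue                        # sub-command outside its block
            if re.match(pattern, line.strip()):
                findings.append((n, parent, message))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The scoped rules depend on sub-commands being indented under their parent command, as they are in a saved running configuration.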