2.1 GRE/GRE over IPSec/SVTI class practicals

Do the basic configuration

R1:

interface FastEthernet0/0

ip address 1.1.1.1 255.255.255.0

no shut

interface Loopback0

ip address 10.1.1.1 255.255.255.255

ip route 2.2.2.0 255.255.255.0 1.1.1.3

R3:

interface FastEthernet0/0

ip address 1.1.1.3 255.255.255.0

interface FastEthernet0/1

ip address 2.2.2.3 255.255.255.0

R2:

interface FastEthernet0/0

ip address 2.2.2.2 255.255.255.0

interface Loopback0

ip address 10.2.2.2 255.255.255.255

ip route 1.1.1.0 255.255.255.0 2.2.2.3

Generic Routing Encapsulation

R1:

interface Tunnel0

ip address 172.16.1.1 255.255.255.0

tunnel source 1.1.1.1

tunnel destination 2.2.2.2

tunnel mode gre ip

end

R1#sh interfaces tunnel 0

Tunnel0 is up, line protocol is up

Hardware is Tunnel

Internet address is 172.16.1.1/24

MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation TUNNEL, loopback not set

Keepalive not set

Tunnel source 1.1.1.1, destination 2.2.2.2

Tunnel protocol/transport GRE/IP

R2:

interface Tunnel1

ip address 172.16.1.2 255.255.255.0

tunnel source 2.2.2.2

tunnel destination 1.1.1.1

tunnel mode gre ip

R2#sh interfaces tunnel 1

Tunnel1 is up, line protocol is up

Hardware is Tunnel

Internet address is 172.16.1.2/24

MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation TUNNEL, loopback not set

Keepalive not set

Tunnel source 2.2.2.2, destination 1.1.1.1

Tunnel protocol/transport GRE/IP

Form EIGRP neighborship between R1 and R2 and advertise the loopbacks in EIGRP.

R1:

router eigrp 12

network 10.1.1.1 0.0.0.0

network 172.16.1.0 0.0.0.255

no auto-summary

R2:

router eigrp 12

network 10.2.2.2 0.0.0.0

network 172.16.1.0 0.0.0.255

no auto-summary

%DUAL-5-NBRCHANGE: IP-EIGRP(0) 12: Neighbor 172.16.1.1 (Tunnel1) is up: new adjacency

GRE over IPSEC

R1:

crypto isakmp policy 5

authentication pre-share

crypto isakmp key cisco address 2.2.2.2

crypto ipsec transform-set TSET ah-md5-hmac

crypto ipsec profile PROF1

set transform-set TSET

interface Tunnel0

tunnel protection ipsec profile PROF1

end

R2:

crypto isakmp policy 10

authentication pre-share

crypto isakmp key cisco address 1.1.1.1

crypto ipsec transform-set TSET ah-md5-hmac

crypto ipsec profile IPSECPROF

set transform-set TSET

interface Tunnel1

tunnel protection ipsec profile IPSECPROF

end

We can notice here that two IP headers are same. If we change the propagation mode from tunnel to transport, it'll eliminate one IP Header by which we can save 20 bytes.

R1:

crypto ipsec transform-set TSET ah-md5-hmac

mode transport

R2:

crypto ipsec transform-set TSET ah-md5-hmac

mode transport

Static Virtual Tunnel Interface (SVTI)

R1:

interface tunnel 0

tunnel mode ipsec ipv4

crypto ipsec transform-set TSET ah-md5-hmac

mode tunnel

R1#show interfaces tunnel 0

Tunnel0 is up, line protocol is up

Hardware is Tunnel

Internet address is 172.16.1.1/24

MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation TUNNEL, loopback not set

Keepalive not set

Tunnel source 1.1.1.1, destination 2.2.2.2

Tunnel protocol/transport IPSEC/IP

R2:

interface tunnel 1

tunnel mode ipsec ipv4

crypto ipsec transform-set TSET ah-md5-hmac

mode tunnel

R2#show interfaces tunnel 0

Tunnel0 is up, line protocol is up

Hardware is Tunnel

Internet address is 172.16.1.2/24

MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation TUNNEL, loopback not set

Keepalive not set

Tunnel source 2.2.2.2, destination 1.1.1.1

Tunnel protocol/transport IPSEC/IP