CREATING A CISCO GRE TUNNEL:
R1(config)# interface Tunnel0
R1(config-if)# ip address 10.12.12.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source 15.1.1.1
R1(config-if)# tunnel destination 25.2.2.2
ROUTING NETWORKS THROUGH THE GRE TUNNEL:
R1(config)# router eigrp 1
R1(config-router)# no auto-summary
R1(config-router)# network 10.0.0.0 0.255.255.255
R1(config-router)# end
SECURING THE GRE TUNNEL WITH IPSEC:
(GRE traffic is neither protected nor encrypted, so we use IPSec.)
CONFIGURE ISAKMP (IKE) – (ISAKMP PHASE 1):
R1(config)# crypto isakmp policy 7
R1(config-isakmp)# encr aes 256
R1(config-isakmp)# hash sha256
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 5
R1(config-isakmp)# lifetime 5000
Create PSK:
R1(config)# crypto isakmp key cisco123 address 0.0.0.0
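A check for the IKE settings above, as an added example that is not part of the original page: it scans ISAKMP configuration lines and flags a pre-shared key bound to the wildcard address 0.0.0.0 (valid for any peer) and DH groups 1, 2 and 5. The name `audit_ike`, the finding codes and the HARDENED sample (group 14, key pinned to this page's tunnel destination 25.2.2.2) are assumptions for illustration.

```python
import re

WEAK_DH_GROUPS = {"1", "2", "5"}   # MODP groups of 1536 bits or less
WEAK_VALUES = {"encr": {"des", "3des"}, "encryption": {"des", "3des"}, "hash": {"md5"}}
PROMPT = re.compile(r"^\S+\([\w-]+\)#\s*")   # e.g. 'R1(config-isakmp)# '

# Constructed sample: the IKE lines from this page, pasted with their prompts.
SAMPLE = """\
R1(config)# crypto isakmp policy 7
R1(config-isakmp)# encr aes 256
R1(config-isakmp)# hash sha256
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 5
R1(config-isakmp)# lifetime 5000
R1(config)# crypto isakmp key cisco123 address 0.0.0.0
"""

# Constructed sample (assumption): same policy with DH group 14 and the key
# pinned to the tunnel destination used on this page.
HARDENED = """\
crypto isakmp policy 7
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-KEY address 25.2.2.2
"""

def audit_ike(config_text):
    """Return (line_number, code, message) findings; key values are never echoed."""
    findings, policy = [], None
    for n, raw in enumerate(config_text.splitlines(), start=1):
        line = PROMPT.sub("", raw.strip())
        if line.startswith("crypto "):
            # A new top-level crypto command ends any policy block we were in.
            m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
            policy = m.group(1) if m else None
            key = re.match(r"crypto isakmp key (?:[06] )?\S+ address (\S+)", line)
            if key and key.group(1) == "0.0.0.0":
                findings.append((n, "wildcard-psk", "pre-shared key is valid for any peer address"))
            continue
        words = line.split()
        if policy is None or len(words) < 2:
            continue
        if words[0] == "group" and words[1] in WEAK_DH_GROUPS:
            findings.append((n, "weak-dh-group", f"policy {policy} uses DH group {words[1]}"))
        elif words[1] in WEAK_VALUES.get(words[0], ()):
            findings.append((n, "weak-algorithm", f"policy {policy} uses {words[0]} {words[1]}"))
    return findings
```

The same function accepts `show running-config` output, where the policy sub-commands appear indented without prompts.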
CREATE IPSEC TRANSFORM (ISAKMP PHASE 2 POLICY):
R1(config)# crypto ipsec transform-set TS esp-aes 128 esp-sha384-hmac
R1(cfg-crypto-trans)# mode tunnel
(The old way was to use a crypto map with an ACL for interesting traffic, but the new way is to use VTIs (Virtual Tunnel Interfaces). The default mode for the tunnel is GRE, but we will change it to IPSec and apply the IPSec profile we created.)
Create IPSec Profile:
R1(config)# crypto ipsec profile protect-gre
R1(ipsec-profile)# set security-association lifetime seconds 86400
R1(ipsec-profile)# set transform-set TS
Apply it to the tunnel:
R1(config)# interface Tunnel 0
R1(config-if)# tunnel protection ipsec profile protect-gre
Verification Commands:
show run int tun 0
show ip route
show ip eigrp interfaces
show crypto isakmp policy
show crypto isakmp key
show crypto engine connections active
show crypto isakmp sa
show crypto ipsec sa
show crypto session