Just another Cisco blog
GRE/IPSEC Tutorial
Aug 26th
In this article we will configure GRE/IPsec tunnels. These are used when you want to run routing protocols across a VPN connection. This article is useful for CCNP (ISCW) and CCSP studies.
First we will create our ISAKMP Policy, then create a key and associate it with a peer. Next we build our Transform Set, then the ACL matching the traffic to be encrypted, followed by the Crypto Map and finally the Tunnel interface configuration.
Here’s our ISAKMP Policy:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
We set the encryption to AES with a 256-bit key, use pre-shared authentication (keys) and Diffie-Hellman Group 5.
Next we create a key and associate it with a peer:
crypto isakmp key Sup3rS3cr3tK3y address 5.5.5.5
Now we build the Transform Set:
crypto ipsec transform-set secure_transform esp-aes esp-sha-hmac
Next we make our ACL:
ip access-list extended GRE_IPSEC_TRAFFIC
 permit gre host 4.4.4.4 host 5.5.5.5
This ACL matches GRE traffic from 4.4.4.4 (us, the source) to 5.5.5.5 (our peer, the destination).
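The four fragments above only work if the far end agrees with them: same ISAKMP policy parameters, same key bound to the opposite address, same transforms, and a mirror-image ACL. The Python check below is an added example, not part of the original post; the peer configuration is constructed from the article's values, and the function names are hypothetical.

```python
import re

# The four fragments from the article (local router, 4.4.4.4).
LOCAL = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key Sup3rS3cr3tK3y address 5.5.5.5
crypto ipsec transform-set secure_transform esp-aes esp-sha-hmac
ip access-list extended GRE_IPSEC_TRAFFIC
 permit gre host 4.4.4.4 host 5.5.5.5
"""
# Constructed peer side (5.5.5.5): same settings, addresses swapped.
PEER = (LOCAL.replace("address 5.5.5.5", "address 4.4.4.4")
        .replace("host 4.4.4.4 host 5.5.5.5", "host 5.5.5.5 host 4.4.4.4"))

def grab(pattern, cfg):
    """Regex groups of the first match, or None when the line is absent."""
    m = re.search(pattern, cfg, re.M)
    return m.groups() if m else None

def parse(cfg):
    """Extract policy, key, transform set, ACL (one of each; IOS defaults not modelled)."""
    pol = grab(r"^crypto isakmp policy \d+\n((?: .+\n?)+)", cfg)
    ts = grab(r"^crypto ipsec transform-set \S+ (.+)$", cfg)
    return {
        "policy": pol and dict(l.strip().partition(" ")[::2] for l in pol[0].splitlines()),
        "key": grab(r"^crypto isakmp key (\S+) address (\S+)", cfg),
        "transforms": ts and set(ts[0].split()),
        "acl": grab(r"^ip access-list extended \S+\n permit gre host (\S+) host (\S+)", cfg),
    }

def mismatches(local_cfg, peer_cfg):
    """Reasons the two ends would not agree; an empty list means consistent."""
    a, b = parse(local_cfg), parse(peer_cfg)
    if None in a.values() or None in b.values():
        return ["a required section is missing on one side"]
    problems = []
    if a["policy"] != b["policy"]:
        problems.append("ISAKMP policy parameters differ")
    if a["key"][0] != b["key"][0]:
        problems.append("pre-shared keys differ")
    if (a["key"][1], b["key"][1]) != (a["acl"][1], b["acl"][1]):
        problems.append("pre-shared key bound to the wrong peer address")
    if a["transforms"] != b["transforms"]:
        problems.append("transform sets differ")
    if a["acl"] != b["acl"][::-1]:
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Calling `mismatches(LOCAL, PEER)` returns an empty list; pasting the local ACL unchanged onto the peer is reported as a non-mirrored crypto ACL.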