In this article we will configure GRE/IPSEC tunnels. These are used in cases where there is a desire to run routing protocols across a VPN connection. This article is useful for CCNP (ISCW) and CCSP studies.

First we will create our ISAKMP Policy, then we will create a key and associate it with a peer, next we build our Transform Set, then the ACL matching the traffic to be encrypted, followed by the Crypto Map (which we apply to the outside interface) and finally the Tunnel interface configuration.

Here’s our ISAKMP Policy:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5

We set the encryption to AES with a 256-bit key, use pre-shared key authentication and Diffie-Hellman Group 5 for the phase 1 key exchange.

Next we create a pre-shared key and associate it with the peer's address (the same key must be configured on the peer):

crypto isakmp key Sup3rS3cr3tK3y address

Now we build the Transform Set:

crypto ipsec transform-set secure_transform esp-aes esp-sha-hmac

Next we make our ACL:

ip access-list extended GRE_IPSEC_TRAFFIC
 permit gre host host

This matches only GRE traffic from us (the source host) to our peer (the destination host), so only the tunnel is encrypted, not every packet leaving the interface. The peer's ACL must be the mirror image, with the hosts swapped.

Now we do the Crypto Map, which pulls all these things together:

crypto map MASTER_CRYPTO_MAP 10 ipsec-isakmp
 set peer
 set transform-set secure_transform
 match address GRE_IPSEC_TRAFFIC

This sets the peer, picks a Transform Set and specifies the traffic to be encrypted. A new entry will be needed for each additional peer (MASTER_CRYPTO_MAP 20, 30, etc.), each with its own ACL.

We also need to apply the Crypto Map to the outside interface, the same one the tunnel will use as its source:

interface FastEthernet0/0
 crypto map MASTER_CRYPTO_MAP

Finally we configure the Tunnel interface:

interface Tunnel100
 ip address
 ip mtu 1400
 tunnel source FastEthernet0/0
 tunnel destination

We specified a Tunnel IP address, set the MTU to 1400 so that the GRE and IPsec headers fit within a 1500-byte outer packet without fragmentation, then configured the Tunnel source (our outside interface) and destination (the peer's outside address).
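As an added example (not part of the original post), here is the whole configuration assembled for both ends of the tunnel, so the mirror-image pieces can be seen side by side: the ACL, set peer and tunnel destination swap source and destination on the second router. The public addresses 192.0.2.1 and 203.0.113.1, the 10.0.0.0/30 tunnel subnet and the pre-shared key are constructed placeholders.

```cisco
! ===== Router A (outside address 192.0.2.1, constructed placeholder) =====
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
! the key must be identical on both routers; the address is Router B
crypto isakmp key Sup3rS3cr3tK3y address 203.0.113.1
crypto ipsec transform-set secure_transform esp-aes esp-sha-hmac
! only GRE between the two outside addresses is encrypted; we are the source
ip access-list extended GRE_IPSEC_TRAFFIC
 permit gre host 192.0.2.1 host 203.0.113.1
crypto map MASTER_CRYPTO_MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set secure_transform
 match address GRE_IPSEC_TRAFFIC
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map MASTER_CRYPTO_MAP
interface Tunnel100
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.1

! ===== Router B (outside address 203.0.113.1, constructed placeholder) =====
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key Sup3rS3cr3tK3y address 192.0.2.1
crypto ipsec transform-set secure_transform esp-aes esp-sha-hmac
! mirror image of Router A's ACL: now we are the source, A is the destination
ip access-list extended GRE_IPSEC_TRAFFIC
 permit gre host 203.0.113.1 host 192.0.2.1
crypto map MASTER_CRYPTO_MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set secure_transform
 match address GRE_IPSEC_TRAFFIC
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map MASTER_CRYPTO_MAP
interface Tunnel100
 ip address 10.0.0.2 255.255.255.252
 ip mtu 1400
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.1

! Verification on either router: the SAs appear once GRE traffic
! (for example a ping to the far tunnel address) triggers negotiation.
! show crypto isakmp sa
! show crypto ipsec sa
```

The two ACLs must be exact mirrors of each other; if one side permits a broader or different host pair, phase 1 will still come up but the phase 2 proxy identities will not match and no IPsec SA is built, which is the most common reason a tunnel like this passes keepalives in the clear or not at all.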

That should do it. It can look overwhelming at first, but it isn’t so bad once you do it a few times. I will probably make a new post at some point which will tie this in with some routing protocols.


Colby Glass has been in IT since 2002. He is currently a Systems Engineer (presales) with a Cisco Gold partner and holds the CCNP R/S, CCNP DC, CCDP, CCIP, JNCIA-ER.