How to Configure XSR IPsec Over GRE VPN Between Central Site and Two Remote Sites

Objective
Configure a central site router and two remote site routers to support a VPN tunnel between the central site router and each of the remote site routers.
Environment
  • XSR at central site
  • XSR at each of two remote sites
  • Static IP addresses on all WAN ports
  • Firmware version 7.6 with VPN or higher

 
Procedure
Step 1:
For all routers:
Configure the master encryption key – if already done, skip this step and go on to Step 2:
 
XSR(config)#crypto key master generate
 
  New key is 4703 3d35 5475 121b
             24a8 bf03 32ab 6647
             292f b41b cd69 d53f
 
 
XSR(config)#<186>Nov 17 16:20:19 XSR PLATF: Master Key is replaced and existing secure files are removed.
XSR(config)#
 
Step 2:
For the central site router, configure two single-line ACLs, each listing the local (central site) WAN host first and the remote site WAN host second:
 
XSR(config)#access-list 111 permit gre  host 172.18.10.2 host 172.20.10.2
XSR(config)#access-list 112 permit gre  host 172.18.10.2 host 172.30.10.2  
 
Step 3:
Configure the ISAKMP Proposal (same proposal can be used for both VPN tunnels):
 
XSR(config)#crypto isakmp proposal AuthProp
XSR(config-isakmp)#authentication pre-share
 
XSR(config-isakmp)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config-isakmp-peer)#proposal AuthProp
 
 
Step 4:
Configure the Phase 2 transform set (the same transform set can be used for both VPN tunnels). The example uses 3DES with SHA-1 HMAC, which is a legacy choice; prefer an AES-based transform set if both XSRs support one:
 
XSR(config-isakmp-peer)#crypto ipsec transform-set phase2 esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#no set security-association lifetime kilobytes
 
Step 5:
Configure the Crypto Maps for each of the two VPN tunnels:
 
XSR(cfg-crypto-tran)#crypto map client 112
XSR(config-crypto-m)#set transform-set phase2
XSR(config-crypto-m)#match address 112
XSR(config-crypto-m)#set peer 172.30.10.2
XSR(config-crypto-m)#set security-association level per-host
 
XSR(config-crypto-m)#crypto map client 111 
XSR(config-crypto-m)#set transform-set phase2
XSR(config-crypto-m)#match address 111
XSR(config-crypto-m)#set peer 172.20.10.2
XSR(config-crypto-m)#set security-association level per-host
 
Step 6:
If not already done, configure the local interfaces. Be certain to add the crypto map name to the WAN interface:
 
XSR(config-crypto-m)#interface FastEthernet1
XSR(config-if<F1>)#ip address 172.16.10.1 255.255.255.0
XSR(config-if<F1>)#no shutdown
 
XSR(config-if<F1>)#interface FastEthernet2
XSR(config-if<F2>)#crypto map client
XSR(config-if<F2>)#ip address 172.18.10.2 255.255.255.0
XSR(config-if<F2>)#ip nat source assigned overload
XSR(config-if<F2>)#no shutdown
 
Step 7:
Configure the VPN interfaces for each of the two VPN tunnels:
 
XSR(config-if<F2>)#interface Vpn1 point-to-point
XSR(config-int-vpn)#tunnel "Remote1"
XSR(config-tms-tunnel)#set protocol gre
XSR(config-tms-tunnel)#set active
XSR(config-tms-tunnel)#set peer 172.20.10.2
XSR(config-tms-tunnel)#ip address 192.168.168.1 255.255.255.252
XSR(config-int-vpn)#
 
XSR(config-int-vpn)#interface Vpn2 point-to-point
XSR(config-int-vpn)#tunnel "Remote2"
XSR(config-tms-tunnel)#set protocol gre
XSR(config-tms-tunnel)#set active
XSR(config-tms-tunnel)#set peer 172.30.10.2
XSR(config-tms-tunnel)#ip address 192.168.168.5 255.255.255.252
XSR(config-int-vpn)#
 
Step 8:
Configure static routes for the default gateway and to each of the remote LAN subnets. Each remote LAN is reached through its own tunnel, so the next hop is the far end of that tunnel's /30 (Remote Site 1's Vpn1 address for 172.21.10.0, Remote Site 2's Vpn1 address for 172.22.10.0):
 
XSR(config-int-vpn)#ip route 0.0.0.0 0.0.0.0 172.18.10.1
XSR(config)#ip route 172.21.10.0 255.255.255.0 192.168.168.2
XSR(config)#ip route 172.22.10.0 255.255.255.0 192.168.168.6
 
 
Step 9:
Configure the AAA user for each of the remote sites. The user name is the remote peer's WAN address and the password is the IKE pre-shared key, which must be the same at both ends of each tunnel:
 
XSR(config)#aaa user 172.20.10.2
XSR(aaa-user)#password S3cr3t
 
XSR(aaa-user)#aaa user 172.30.10.2
XSR(aaa-user)#password S3cr3t
 
XSR(aaa-user)#exit
XSR(config)#exit
XSR#
 
 
To configure each of the remote site routers, follow the same 9-step process as above, changing only the variables:
 
Remote Site 1:

Step 1:
Configure the master encryption key – if already done, skip this step and go on to Step 2:
 
XSR(config)#crypto key master generate
 
 New key is c548 09af 1f31 f708
             c2c1 f5d1 224a ad89
             7704 021f a668 4c57
 
XSR(config)#<186>Nov 17 16:20:19 XSR PLATF: Master Key is replaced and existing secure files are removed.
XSR(config)#
 
 
Step 2:
Configure one single-line ACL to identify the endpoints of the VPN tunnel; the local host is listed first, the central site host second:
 
XSR(config)#access-list 111 permit gre host 172.20.10.2 host 172.18.10.2
 
 
Step 3:
Configure the ISAKMP Proposal:
 
XSR(config)#crypto isakmp proposal AuthProp
XSR(config-isakmp)#authentication pre-share
 
XSR(config-isakmp)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config-isakmp-peer)#proposal AuthProp
 
 
Step 4:
Configure the Phase 2 Transform set:
 
XSR(config-isakmp-peer)#crypto ipsec transform-set phase2 esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#no set security-association lifetime kilobytes
 
 
Step 5:
Configure the Crypto Map for the VPN tunnel:
 
XSR(cfg-crypto-tran)#crypto map client 111
XSR(config-crypto-m)#set transform-set phase2
XSR(config-crypto-m)#match address 111
XSR(config-crypto-m)#set peer 172.18.10.2
XSR(config-crypto-m)#set security-association level per-host
 
 
Step 6:
If not already done, configure the local interfaces. Be certain to add the crypto map name to the WAN interface:
 
XSR(config-crypto-m)#interface FastEthernet1
XSR(config-if<F1>)#ip address 172.21.10.1 255.255.255.0
XSR(config-if<F1>)#no shutdown
XSR(config-if<F1>)#
XSR(config-if<F1>)#interface FastEthernet2
XSR(config-if<F2>)#crypto map client
XSR(config-if<F2>)#ip address 172.20.10.2 255.255.255.0
XSR(config-if<F2>)#ip nat source assigned overload
XSR(config-if<F2>)#no shutdown
 
 
Step 7:
Configure the VPN interface for the tunnel to the central site:
 
XSR(config-if<F2>)#interface Vpn1 point-to-point
XSR(config-int-vpn)#tunnel "To_Central"
XSR(config-tms-tunnel)#set protocol gre
XSR(config-tms-tunnel)#set active
XSR(config-tms-tunnel)#set peer 172.18.10.2
XSR(config-tms-tunnel)#ip address 192.168.168.2 255.255.255.252
XSR(config-int-vpn)#
 
 
Step 8:
Configure static routes for Default Gateway and to the central site LAN Subnet:
 
XSR(config-int-vpn)#ip route 0.0.0.0 0.0.0.0 172.20.10.1
XSR(config)#ip route 172.16.10.0 255.255.255.0 192.168.168.1
 
 
Step 9:
Configure the AAA User for the central site:
 
XSR(config)#aaa user 172.18.10.2
XSR(aaa-user)#password S3cr3t
 
XSR(aaa-user)#exit
XSR(config)#exit
XSR#
 

Remote Site 2:
Step 1:
Configure the master encryption key – if already done, skip this step and go on to Step 2:
 
XSR(config)#crypto key master generate
 
  New key is 4bb2 7593 2cb5 e65f
             bdf3 a645 9e31 4add
             096b 2889 4e6d 3c7b
 
XSR(config)#<186>Nov 17 16:20:19 XSR PLATF: Master Key is replaced and existing secure files are removed.
XSR(config)#
 
Step 2:
Configure one single-line ACL to identify the endpoints of the VPN tunnel; the local host is listed first, the central site host second:
 
XSR(config)#access-list 111 permit gre host 172.30.10.2 host 172.18.10.2
 
Step 3:
Configure the ISAKMP Proposal:
 
XSR(config)#crypto isakmp proposal AuthProp
XSR(config-isakmp)#authentication pre-share
 
XSR(config-isakmp)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config-isakmp-peer)#proposal AuthProp
 
 
Step 4:
Configure the Phase 2 Transform set:
 
XSR(config-isakmp-peer)#crypto ipsec transform-set phase2 esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#no set security-association lifetime kilobytes
 
Step 5:
Configure the Crypto Map for the VPN tunnel:
 
XSR(cfg-crypto-tran)#crypto map client 111
XSR(config-crypto-m)#set transform-set phase2
XSR(config-crypto-m)#match address 111
XSR(config-crypto-m)#set peer 172.18.10.2
XSR(config-crypto-m)#set security-association level per-host
 

Step 6:
If not already done, configure the local interfaces. Be certain to add the crypto map name to the WAN interface:
 
XSR(config-crypto-m)#interface FastEthernet1
XSR(config-if<F1>)#ip address 172.22.10.1 255.255.255.0
XSR(config-if<F1>)#no shutdown
XSR(config-if<F1>)#
XSR(config-if<F1>)#interface FastEthernet2
XSR(config-if<F2>)#crypto map client
XSR(config-if<F2>)#ip address 172.30.10.2 255.255.255.0
XSR(config-if<F2>)#ip nat source assigned overload
XSR(config-if<F2>)#no shutdown
 

Step 7:
Configure the VPN interface for the tunnel to the central site:
 
XSR(config-if<F2>)#interface Vpn1 point-to-point
XSR(config-int-vpn)#tunnel "To_Central"
XSR(config-tms-tunnel)#set protocol gre
XSR(config-tms-tunnel)#set active
XSR(config-tms-tunnel)#set peer 172.18.10.2
XSR(config-tms-tunnel)#ip address 192.168.168.6 255.255.255.252
XSR(config-int-vpn)#
 
 
Step 8:
Configure the static routes for Default Gateway and to the central site LAN Subnet:
 
XSR(config-int-vpn)#ip route 0.0.0.0 0.0.0.0 172.30.10.1
XSR(config)#ip route 172.16.10.0 255.255.255.0 192.168.168.5
 
 
Step 9:
Configure the AAA User for the central site:
 
XSR(config)#aaa user 172.18.10.2
XSR(aaa-user)#password S3cr3t
 
XSR(aaa-user)#exit
XSR(config)#exit
XSR#
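 
The ACL ordering rule from Step 2 (local host first, peer second, mirrored on the other end) and the crypto map peer from Step 5 are the two things most often got wrong when the tunnels fail to negotiate. The script below is an added consistency check, not part of the article or of the XSR firmware; it is meant to run on a workstation against saved configs. It parses each router's GRE access-lists and crypto maps and reports a map whose set peer is not the ACL's second host, or a peer whose ACL does not list the two hosts in the mirrored order. The sample configs are constructed from the article's addresses, with REMOTE2_BAD deliberately listing the hosts in the wrong order.

```python
import re
# Constructed samples condensed from the article's Step 2 and Step 5 lines;
# REMOTE2_BAD deliberately lists the two GRE hosts in the wrong order.
CENTRAL = """access-list 111 permit gre host 172.18.10.2 host 172.20.10.2
access-list 112 permit gre host 172.18.10.2 host 172.30.10.2
crypto map client 112
 match address 112
 set peer 172.30.10.2
crypto map client 111
 match address 111
 set peer 172.20.10.2
"""
REMOTE1 = """access-list 111 permit gre host 172.20.10.2 host 172.18.10.2
"""
REMOTE2_BAD = """access-list 111 permit gre host 172.18.10.2 host 172.30.10.2
crypto map client 111
 match address 111
 set peer 172.18.10.2
"""
ACL_RE = re.compile(r"access-list (\d+) permit gre\s+host (\S+)\s+host (\S+)")

def parse(cfg):  # -> ({acl: (local, remote)}, {map seq: {'match address': n, 'set peer': ip}})
    acls, maps, cur = {}, {}, None
    for line in (ln.strip() for ln in cfg.splitlines()):
        m = ACL_RE.match(line)
        if m:
            acls[m[1]] = (m[2], m[3])
        elif line.startswith("crypto map "):
            cur = line.split()[-1]
            maps[cur] = {}
        elif cur and line.startswith(("match address ", "set peer ")):
            key, val = line.rsplit(" ", 1)
            maps[cur][key] = val
    return acls, maps

def check(name, cfg, peer_cfgs):
    """Findings for one router; peer_cfgs maps each peer's WAN address to its config."""
    acls, maps = parse(cfg)
    findings = []
    for seq, m in maps.items():
        local, remote = acls.get(m.get("match address"), (None, None))
        if remote is None:
            findings.append(f"{name}: map {seq} has no matching GRE access-list")
            continue
        if m.get("set peer") != remote:  # the map's peer must be the ACL's second host
            findings.append(f"{name}: map {seq} peer {m.get('set peer')} is not {remote}")
        mirrored = parse(peer_cfgs.get(remote, ""))[0].values()
        if (remote, local) not in mirrored:  # the peer must list itself first, us second
            findings.append(f"{name}: peer {remote} has no mirrored GRE ACL for {local}")
    return findings
```

Run check() once per router, passing the other routers' configs keyed by WAN address; an empty list means that router's selectors and peers agree with its neighbours.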
Additional notes
  • This hub-and-spoke (star) topology can be extended to a full mesh, allowing each remote site to contact the other directly, by adding a second VPN interface to each remote site and then adding the appropriate static routes.
  • The static routes can be eliminated by using RIP, RIPv2, or OSPF. Treat each of the VPN subnets as a separate IP-addressable segment and configure the dynamic routing accordingly.
  • For troubleshooting, add logging buffered debug to the configuration on each router that fails to connect, then review show logging history to find the VPN negotiation failures.
