the top of the section on the right.

Step 5 Click the Create a secure GRE tunnel (GRE over IPsec) radio button.

Step 6 Click the Launch the selected task button to start the wizard that will guide you through the configuration steps.

Once you launch the task, the screen shown in Figure appears with a brief overview of GRE and the benefits when GRE is combined with IPsec. Click Next to move to the next configuration screen. The GRE Tunnel Information window appears. Continue with these steps to configure the GRE tunnel:

Step 1 Under Tunnel Source, select the GRE tunnel source IP address from a configured interface or manually specify the source IP address. This address must be a valid IP address configured on one of the interfaces on the router. Under Tunnel Destination, enter the tunnel destination IP address.

Step 2 In the IP address of the GRE tunnel section, define the inner IP address and subnet mask that are applied to the virtual point-to-point link.

Step 3 Note that the Enable path MTU discovery (PMTUD) option is enabled by default. This setting lets the router determine the maximum transmission unit (MTU) for the virtual interface, using the Internet Control Message Protocol (ICMP).

Note: ICMP unreachable messages must be permitted by all ACLs and firewalls in the path between the two tunnel endpoints in order for PMTUD to work.

Step 4 Click the Next button to proceed to the next task.
3.5 Configuring GRE Tunnels over IPsec

3.5.4 Backup GRE Tunnel Information

To provide resilience to the VPN, create a second GRE tunnel in case the primary tunnel fails. The steps are shown in Figure :

Step 1 Check Create a backup secure GRE tunnel for resilience.

Step 2 Define the IP address of the backup VPN peer in the available field.

Step 3 In the Tunnel IP address section, define the inner IP address and the subnet mask for the logical tunnel interface.

Step 4 Click the Next button to proceed to the next task.
3.5.5 Configuring VPN Authentication

After defining the GRE tunnel parameters, the SDM wizard proceeds to configure IPsec-specific parameters. This step ensures that both ends of the tunnel connect with the same secret key:

Step 1 Click the radio button for the desired authentication method:
- Pre-shared keys
- Digital certificates

Step 2 If you choose pre-shared keys to provide authentication, then specify a pre-shared secret. The secret should be long and random.
3.5.6 Configuring IKE Proposals

At this point, you can use a predefined IKE policy, or click the Add button, shown in Figure , and enter the required information to create a custom IKE policy. You can also modify the existing policies by selecting an individual policy and clicking the Edit button. When adding or editing an IKE policy, define the required parameters that appear in the Add IKE Policy window. Figure shows the window where you select the required parameters for adding a custom IKE policy:
- IKE proposal priority
- Encryption algorithm (most commonly 3DES or AES; you can also use Software Encryption Algorithm [SEAL] to improve crypto performance on routers that do not have hardware IPsec accelerators; DES is no longer advised because it can be broken in a relatively short time)
- HMAC (SHA-1 or MD5)
- Authentication method (pre-shared secrets or digital certificates)
- DH group (1, 2, or 5)
- IKE lifetime

When you finish adding or editing IKE proposals, click the Next button on the IKE proposals window to proceed to the next task.
3.5.7 Configuring the Transform Set

The window in Figure appears when you click Next on the IKE proposals screen. This is where you configure an IPsec transform set. When creating an IPsec transform set, you should use the same set of algorithms as you used with the configured IKE policy, following this procedure:

Step 1 There is a default IPsec transform set predefined by SDM that you can use. If you choose to use the default, skip Step 2. You can also create a new transform set.

Step 2 If you want to use a custom IPsec transform set, create the transform set by clicking the Add button and specifying these parameters:
- Transform set name
- Encryption algorithm
- HMAC
- Mode of operation
- Optional compression

Step 3 When you finish adding sets, click the Next button to proceed to the next task.
3.5.8 Routing Information

A GRE tunnel supports multicast across the addressed point-to-point link. Static routing is typically used for simple stub sites with a single GRE over IPsec tunnel. Complex topologies with sites that use backup tunnels or have multiple IP subnets require a routing protocol to dynamically distribute routing information, detect failures, and reroute to backup tunnels. The SDM wizard allows you to choose from three options:
- Static routing
- Dynamic routing using Enhanced Interior Gateway Routing Protocol (EIGRP)
- Dynamic routing using Open Shortest Path First (OSPF)

Option 1: Static Routing

If you choose to configure using static routing and then click Next, the screen in Figure appears. In the first drop-down menu, disable split tunneling by choosing the Tunnel all traffic option. This option results in a default route pointing into the tunnel. Unless more specific routes are in the routing table, all traffic will be sent through the tunnel. Alternatively, you can choose the Do split tunneling option from this drop-down menu and specify the IP address and subnet mask of the destination that is reachable through the tunnel. All other destinations are reachable by bypassing the tunnel.

Option 2: Dynamic Routing Using EIGRP

If you choose to configure dynamic routing using EIGRP and then click Next, the screen in Figure appears. There are two steps for configuring EIGRP across the tunnel:

Step 1 Select an existing or define a new EIGRP autonomous system (AS) number by clicking the appropriate button and entering the number.

Step 2 Define one or more local subnets (IP address and wildcard mask) on which EIGRP will run and thus advertise to EIGRP neighbors.

Option 3: Dynamic Routing Using OSPF

If you choose to configure dynamic routing using OSPF and then click Next, the screen in Figure appears. There are three steps used to configure OSPF across the tunnel:

Step 1 Select an existing or define a new OSPF process number by clicking the appropriate radio button and entering the number.

Step 2 Enter an OSPF area number for the tunnels.

Step 3 Enter the network IP address, subnet mask, and area number of one or more local subnets that you want to advertise to OSPF neighbors.

Once you have decided which option to use and entered the needed information, click Next to complete the configuration.
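As an added example (not output from SDM and not part of the original page), the following IOS configuration shows what the wizard choices above map to on the router: the IKE proposal fields, the transform set, the primary and backup GRE tunnels with PMTUD, EIGRP across both tunnels, and an outside ACL that still lets the ICMP unreachables PMTUD depends on reach the router. The names SDM_TS, GRE_PROT and OUTSIDE_IN, the 203.0.113.x peer addresses and the 10.1.x.x/192.168.10.0 inner subnets are constructed, and it uses an IPsec profile with tunnel protection rather than SDM's crypto-map style.

```cisco
! IKE phase 1 policy: priority, encryption, HMAC, authentication, DH group, lifetime
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
! one pre-shared secret per peer (placeholders: use a long random value)
crypto isakmp key <LONG-RANDOM-SECRET> address 203.0.113.2
crypto isakmp key <LONG-RANDOM-SECRET> address 203.0.113.3
! IPsec transform set: name, encryption, HMAC, mode (same family as the IKE policy)
crypto ipsec transform-set SDM_TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE_PROT
 set transform-set SDM_TS
! primary GRE tunnel: source on a router interface, destination the peer, PMTUD on
! "shared" is needed because both tunnels use the same source interface and profile
interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel path-mtu-discovery
 tunnel protection ipsec profile GRE_PROT shared
! backup tunnel to the backup peer; delay above the tunnel default (50000) so EIGRP prefers Tunnel0
interface Tunnel1
 ip address 10.1.2.1 255.255.255.252
 delay 100000
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.3
 tunnel path-mtu-discovery
 tunnel protection ipsec profile GRE_PROT shared
! dynamic routing: advertise the LAN over both tunnels; EIGRP reroutes when Tunnel0 fails
router eigrp 100
 network 10.1.1.0 0.0.0.3
 network 10.1.2.0 0.0.0.3
 network 192.168.10.0 0.0.0.255
 no auto-summary
! outside ACL: only IKE and ESP from the peers, plus the ICMP "fragmentation needed"
! unreachable (type 3, code 4) that PMTUD relies on; everything else is dropped and logged
ip access-list extended OUTSIDE_IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 permit udp host 203.0.113.3 host 203.0.113.1 eq isakmp
 permit esp host 203.0.113.3 host 203.0.113.1
 permit icmp any host 203.0.113.1 packet-too-big
 deny ip any any log
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE_IN in
```

Verify the result with show crypto isakmp sa, show crypto ipsec sa and show ip eigrp neighbors, and confirm that shutting down Tunnel0 moves the 192.168.10.0 route of the remote site onto Tunnel1.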
3.5.9 Completing the Configuration

When you are finished configuring, the wizard presents a summary of the configured parameters shown in Figures and . Click the Back button to correct any errors in the configuration. Click the Finish button to complete the configuration.
3.5.10 Testing, Monitoring and Troubleshooting GRE Tunnel Configuration

Test Tunnel Configuration and Operation

After creating the GRE over IPsec