How to Configure a Site-to-Site GRE Tunnel for Cisco Routers

To configure a site-to-site GRE tunnel on Cisco routers (we mostly use the cisco1941/k9 and cisco1921/k9), follow these steps, beginning in global configuration mode.
 
The Steps:
1. interface type number
Example:
Router(config)# interface tunnel 1
Router(config-if)#
 
2. ip address ip-address mask
Example:
Router(config-if)# ip address 10.62.1.193 255.255.255.252
Router(config-if)#
 
3. tunnel source interface-type number
Example:
Router(config-if)# tunnel source fastethernet 0
Router(config-if)#
 
4. tunnel destination default-gateway-ip-address
Example:
Router(config-if)# tunnel destination 192.168.101.1
Router(config-if)#
 
5. crypto map map-name
Example:
Router(config-if)# crypto map static-map
Router(config-if)#
 
6. exit
Example:
Router(config-if)# exit
Router(config)#
 
7. ip access-list {standard | extended} access-list-name
Example:
Router(config)# ip access-list extended vpnstatic1
Router(config-acl)#
 
8. permit protocol source source-wildcard destination destination-wildcard
Example:
Router(config-acl)# permit gre host 192.168.100.1 host 192.168.101.1
Router(config-acl)#
 
9. exit
Example:
Router(config-acl)# exit
Router(config)#
 
 
Configuration Example
The following configuration example shows a portion of the configuration file for a site-to-site VPN
using a GRE tunnel as described in the preceding sections.
!
aaa new-model
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
aaa session-id common
!
username username1 password 0 password1
!
interface tunnel 1
ip address 10.62.1.193 255.255.255.252
tunnel source fastethernet 0
tunnel destination 192.168.101.1
!
ip route 20.20.20.0 255.255.255.0 tunnel 1
!
crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group rtr-remote
key secret-password
dns 10.50.10.1 10.60.10.1
domain company.com
pool dynpool
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec security-association lifetime seconds 86400
!
crypto dynamic-map dynmap 1
set transform-set vpn1
reverse-route
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
! Defines the key association and authentication for IPsec tunnel.
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
!
! Defines encryption and transform set for the IPsec tunnel.
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
! Associates all crypto values and peering address for the IPsec tunnel.
crypto map to_corporate 1 ipsec-isakmp
set peer 200.1.1.1
set transform-set set1
match address 105
!
!
! VLAN 1 is the internal home network.
interface vlan 1
ip address 10.1.1.1 255.255.255.0
ip nat inside
! Inspection examines outbound traffic.
ip inspect firewall in
crypto map static-map
no cdp enable
!
! FE4 is the outside or Internet-exposed interface
interface fastethernet 4
ip address 210.110.101.21 255.255.255.0
! acl 103 permits IPsec traffic from the corp. router as well as
! denies Internet-initiated traffic inbound.
ip access-group 103 in
ip nat outside
no cdp enable
! Applies the IPsec tunnel to the outside interface.
crypto map to_corporate
!
! Utilize NAT overload in order to make best use of the
! single address provided by the ISP.
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 210.110.101.1
no ip http server
!
!
! acl 102 associated addresses used for NAT.
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
! acl 103 defines traffic allowed from the peer for the IPsec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
! Allow ICMP for debugging but should be disabled because of security implications.
access-list 103 permit icmp any any
! Prevents Internet-initiated traffic inbound.
access-list 103 deny ip any any
! acl 105 matches addresses for the IPsec tunnel to or from the corporate network.
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
no cdp run
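
The configuration example above keeps the user password and the pre-shared key unencrypted in the configuration and negotiates 3DES, MD5 and DH group 2, which Cisco's current guidance lists as algorithms to avoid. The following Python check is an added example, not part of the original article or any Cisco tool; its rule names and the sample input (constructed from lines of the configuration above) are assumptions of this example.

```python
import re

# Constructed sample: lines taken from the configuration example on this page.
SAMPLE_CONFIG = """\
username username1 password 0 password1
crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto isakmp policy 1
hash md5
crypto isakmp key cisco123 address 200.1.1.1
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
access-list 103 permit icmp any any
"""

# Rule ids are this example's own names. Scope "ike" means the pattern is
# applied only to lines inside a "crypto isakmp policy" block.
RULES = [
    ("cleartext-user-password", "any", r"^username \S+ password 0 "),
    ("unencrypted-psk", "any", r"^crypto isakmp key (?!6 )\S+.* address "),
    ("weak-esp-transform", "any",
     r"^crypto ipsec transform-set \S+ .*\besp-(3des|des|md5-hmac)\b"),
    ("icmp-any-any", "any", r"^access-list \d+ permit icmp any any$"),
    ("weak-ike-encryption", "ike", r"^encryption (3des|des)\b"),
    ("weak-ike-hash", "ike", r"^hash md5\b"),
    ("weak-ike-dh-group", "ike", r"^group (1|2|5)$"),
]
IKE_SUBCOMMANDS = ("encryption", "hash", "authentication", "group", "lifetime")

def audit(config_text):
    """Return (line_number, rule_id, line) for each weak setting found."""
    findings, in_ike = [], False
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("!", 1)[0].strip()  # drop full-line and trailing "!" comments
        if line.startswith("crypto isakmp policy "):
            in_ike = True
            continue
        if in_ike and not line.startswith(IKE_SUBCOMMANDS):
            in_ike = False  # any other command ends the policy block
        for rule_id, scope, pattern in RULES:
            if (scope == "any" or in_ike) and re.search(pattern, line):
                findings.append((number, rule_id, line))
    return findings

if __name__ == "__main__":
    for number, rule_id, line in audit(SAMPLE_CONFIG):
        print(f"line {number}: {rule_id}: {line}")
```

Run it against a saved running configuration by passing the file's text to `audit()`; each finding names the line to review before the tunnel goes into production.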

cisco2900router in Cisco router