Cisco GRE over IPSec and Straight IPSec on same Interface

TestMonkey
I have a number of remote offices configured with GRE over IPSec and it works perfectly. However, today when setting up an IPSec-only tunnel, it wouldn't work. Looking into it, it would seem that the new IPSec tunnel seems to go over my GRE tunnels.

How can I configure an IPSec-only tunnel on an interface that has GRE over IPSec tunnels?
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
If you use a GRE tunnel it is GRE over IPSEC; if you defined it on your outside interface it is IPSEC.

Author

Commented:
Thanks for the help.

No, what I'm saying is I have more than one GRE over IPSec tunnel; they are fine. However, whenever I go to build an IPSec-only tunnel (no GRE), Cisco Configuration Professional complains about the other end not being GRE, but I didn't ask for the tunnel to be GRE in the first place. So each time I go to build an IPSec tunnel it throws an error about this being a GRE tunnel and, if not, to remove the ACL association from the interface. Problem is, it's all under the same interface.

Author

Commented:
OK, so in Cisco Configuration Professional, if I remove all Site to Site VPN profiles and I delete the Tunnel0 and Tunnel1 interfaces, the IPSec-only VPN then works as expected. However, having both, the IPSec-only tunnel tries to associate itself with the two GRE Tunnel0/1 interfaces.

How can I avoid this?

Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
A better way is to use the CLI.

Author

Commented:
Yeah, every time I do that I break it and need to reload the router.

What commands state DO NOT USE THE GRE TUNNELS, THIS IS JUST IPSEC TO IPSEC ONLY? lol

CCP is good but annoying.
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
OK... use it....

Author

Commented:
That's the problem though: when I build the tunnel using CCP, it complains that if this is not GREoIPSEC I should remove it from the associated interface, but the IPSEC policy can only be applied to one interface at a time according to this.

Confusing :(
Istvan Kalmar, Head of IT Security Division
Top Expert 2010
Commented:
Please show the config.

Author

Commented:
This is what CCP is adding to the configuration (the config is below this). Every time I add this tunnel, CCP complains that the tunnel isn't GRE capable and that if it's GREoIPSEC I should remove SDM_CMAP_1 from the interface, yet if I remove that from the interface it removes all VPN tunnels. The second part I notice is that it creates tunnels to each remote site as well; they are labelled GRE tunnels.

access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 2.2.2.2 0.0.0.15 3.3.3.3 0.0.0.15
no access-list 102
access-list 102 remark CCP_ACL Category=2
access-list 102 deny gre host 9.9.9.9 host 6.6.6.6
access-list 102 deny gre host 9.9.9.9 host 7.7.7.7
access-list 102 remark IPSec Rule
access-list 102 deny ip 2.2.2.2 0.0.0.15 3.3.3.3 0.0.0.15
access-list 102 permit ip 2.2.2.0 0.0.0.255 any
crypto ipsec transform-set TestingIPSecOnly esp-md5-hmac esp-3des
 mode tunnel
 exit
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel to111.111.111.111
 set transform-set TestingIPSecOnly
 set peer 111.111.111.111
 match address 103
 exit
crypto isakmp policy 3
 authentication pre-share
 encr 3des
 hash md5
 group 1
 lifetime 86400
 exit
crypto isakmp key **** address 111.111.111.111

version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret
enable password
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 group radius local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 local
aaa authorization exec default local
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3311578924
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3311578924
 revocation-check none
 rsakeypair TP-self-signed-3311578924
!
crypto pki certificate chain TP-self-signed-3311578924
 certificate self-signed 01
  quit
dot11 syslog
ip source-route
!
ip cef
!
no ip domain lookup
ip domain name DOMAIN
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
license
!
redundancy
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
crypto isakmp key password address 111.111.111.111
crypto isakmp key password address 222.222.222.222
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to111.111.111.111
 set peer 111.111.111.111
 set transform-set toremote1
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to222.222.222.222
 set peer 222.222.222.222
 set transform-set toremote2
 match address 101
!
interface Tunnel0
 ip address 999.999.999.999 255.255.255.255
 ip mtu 1420
 tunnel source GigabitEthernet0/0
 tunnel destination 111.111.111.111
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface Tunnel1
 ip address 888.888.888.888 255.255.255.255
 ip mtu 1420
 tunnel source GigabitEthernet0/0
 tunnel destination 222.222.222.222
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/0
 description Outside Interface
 ip address 333.333.333.333 255.255.255.255
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
 description Inside Interface
 ip address 444.444.444.444 255.255.255.255
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
 switchport access vlan 2
!
interface FastEthernet1/2
 shutdown
!
interface FastEthernet1/3
 shutdown
!
interface FastEthernet1/4
 shutdown
!
interface FastEthernet1/5
 shutdown
!
interface FastEthernet1/6
 shutdown
!
interface FastEthernet1/7
 shutdown
!
interface FastEthernet1/8
 shutdown
!
interface FastEthernet1/9
 shutdown
!
interface FastEthernet1/10
 shutdown
!
interface FastEthernet1/11
 shutdown
!
interface FastEthernet1/12
 shutdown
!
interface FastEthernet1/13
 shutdown
!
interface FastEthernet1/14
 shutdown
!
interface FastEthernet1/15
 shutdown
!
interface GigabitEthernet1/0
 shutdown
!
interface Vlan1
 description Old DMZ
 ip address 555.555.555.555 255.255.255.255
!
interface Vlan2
 description New DMZ
 ip address 666.666.666.666 255.255.255.255
!
router eigrp 1
 network 111111111
 network 111111111
 network 111111111
 network 111111111
 network 111111111
!
ip local pool pool1 111111111 111111111
ip local pool pool2 111111111 111111111
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 permanent
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 1.1.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit gre host 111.111.111.111 host 111.111.111.111
access-list 101 remark CCP_ACL Category=4
access-list 101 permit gre host 111.111.111.111 host 111.111.111.111
access-list 102 remark CCP_ACL Category=2
access-list 102 deny   gre host 111.111.111.111 host 111.111.111.111
access-list 102 deny   gre host 111.111.111.111 host 111.111.111.111
access-list 102 permit ip 1.1.1.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
radius-server host 1.1.1.1 auth-port 1645 acct-port 1646
!
control-plane
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
line con 0
 exec-timeout 5 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 5 0
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn gateway gateway_1
 ip address 1.1.1.1 port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-3311578924
 inservice
!
webvpn gateway gateway_2
 ip address 2.2.2.2 port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-3311578924
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.3.2016-k9.pkg sequence 1
!
webvpn context full tunnel
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "fulltunnelVPN"
   svc keep-client-installed
   svc split include 1.1.1.1 1.1.1.1
   svc dns-server primary 111.111.111.111
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_3
 gateway gateway_2
 inservice
!
end
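
An added example, not code from the thread or from Cisco: a small Python audit run over a constructed excerpt modelled on the posted config (same placeholder addresses). It reports which SDM_CMAP_1 entry is selected by a GRE ACL and which by a plain IP ACL, and flags the crypto map being bound on Tunnel0 as well as on the tunnel's source interface, the double binding the expert asks about in the thread; the function names parse and audit are this example's own.

```python
from collections import defaultdict
# Constructed excerpt modelled on the posted config (same placeholder addresses): GRE
# entry seq 1, CCP's IPsec-only entry seq 3, one map bound on Tunnel0 and on Gi0/0.
SAMPLE_CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 111.111.111.111
 match address 100
crypto map SDM_CMAP_1 3 ipsec-isakmp
 set peer 111.111.111.111
 match address 103
interface Tunnel0
 tunnel source GigabitEthernet0/0
 crypto map SDM_CMAP_1
interface GigabitEthernet0/0
 crypto map SDM_CMAP_1
access-list 100 permit gre host 333.333.333.333 host 111.111.111.111
access-list 103 permit ip 2.2.2.2 0.0.0.15 3.3.3.3 0.0.0.15
"""
SUBCMDS = {"set peer": "peer", "match address": "acl",
           "crypto map": "map", "tunnel source": "source"}

def parse(config):
    """Collect crypto map entries, per-interface bindings and ACL protocols."""
    entries, ifaces, acls, cur = {}, defaultdict(dict), defaultdict(set), None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["crypto", "map"] and len(w) > 3:       # global map entry
            cur = entries.setdefault((w[2], int(w[3])), {})
        elif w[0] == "interface":
            cur = ifaces[w[1]]
        elif w[0] == "access-list" and w[2] in ("permit", "deny"):
            acls[w[1]].add(w[3])                               # gre, ip, ...
        elif line.startswith(" ") and cur is not None:         # sub-command
            key = SUBCMDS.get(" ".join(w[:2]))
            if key:
                cur[key] = w[2]
    return entries, dict(ifaces), dict(acls)

def audit(config):
    """List what each map entry protects; flag a map bound on a tunnel and its source."""
    entries, ifaces, acls = parse(config)
    out = []
    for (name, seq), e in sorted(entries.items()):
        kind = "GRE over IPsec" if "gre" in acls.get(e.get("acl"), ()) else "plain IPsec"
        out.append(f"{name} seq {seq}: {kind} to {e.get('peer')} via ACL {e.get('acl')}")
    for ifname, i in ifaces.items():
        if i.get("map") and i.get("source") and ifaces.get(i["source"], {}).get("map") == i["map"]:
            out.append(f"{i['map']} is bound on {ifname} and on its source {i['source']}")
    return out
```

Feed audit() the text of a show running-config; it only reads the crypto map, interface and access-list lines it understands and ignores the rest.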

Author

Commented:
Thoughts?
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Why did you configure IPsec on both the tunnel and the outside leg?

Author

Commented:
That's the point, I didn't; it seems like CCP is doing it on its own.

Author

Commented:
Do you mean why I created a GRE tunnel between remote offices over IPSec?

Author

Commented:
I think you wanted the GRE questions under this question.
