
Table of Contents

IPSec to GRE Service Models
Configuring the IPSec to GRE Service Model
Configuring IPSec to GRE+IPSec Service Model
Configuring PE to PE Encryption Service Model

IPSec to GRE Service Models


This chapter describes how to configure the IPSec to GRE, IPSec to GRE+IPSec, and the PE to PE Encryption service models for the Cisco Network-Based IPSec VPN Release 1.5.

Configuring the IPSec to GRE Service Model

The IPSec to GRE model is useful when the service provider has an IP backbone without MPLS VPN support but still wants to provide VPN-like functionality. Remote sites and clients terminate on the aggregator as in the IPSec to IPSec model; their traffic is then encapsulated in GRE and forwarded to a customer headend router that is the other endpoint of the GRE tunnel.

GRE also lets you run a routing protocol on a per-VRF basis with the customer headend router. Packets arriving from remote clients and sites are decrypted, routed within the VRF to the GRE tunnel interface, and encapsulated with a GRE header. In the plain IPSec to GRE model that GRE traffic crosses the IP backbone in cleartext, so confidentiality on that leg rests on the backbone itself. The GRE tunnel toward the headend can also be protected by IPSec (the IPSec to GRE+IPSec model), in which case the GRE packet is encrypted to provide secure connectivity across the IP backbone.

Before You Begin

The procedures provided here are specific to configuring IPSec to GRE on a single router and are based on the following assumptions:

1. That the following setup and configuration tasks have already been completed:

IPSec to GRE Integration Configuration Checklist

This section deals with configuring the router to function as the IPSec aggregator.

Procedures for completing each task are described in the sections that follow. If you are viewing this document online, you can click on highlighted text to get details on the procedure.

Table 5-1   IPSec to GRE Configuration Checklist

Task 1: Configure Authentication and Authorization Lists for Clients to RADIUS

Task 2: Configure the VRFs

Task 3: Enable CEF Switching

Task 4: Configure the Keyring

Task 5: Configure ISAKMP Policy for Phase 1 Negotiations

Task 6: Configure DPD Keepalives

Task 7: Configure Client Group Definition for Local Authorization

Task 8: Configure ISAKMP Profile for VPN Sites

Task 9: Configure Dynamic VRF Association for VPN Sites

Task 10: Configure ISAKMP Profile for VPN Clients

Task 11: Configure Dynamic VRF Association for VPN Clients

Task 12: Configure XAUTH, Group Authorization, and Mode-Config

Task 13: Configure the Transform Set

Task 14: Configure Dynamic Crypto Map and Apply Transform Set

Task 15: Configure ISAKMP Client Profile Reference

Task 16: Configure Client RRI

Task 17: Configure Static Crypto Map for Sites

Task 18: Configure ISAKMP Site Profile Reference

Task 19: Configure Dynamic Crypto Map for Clients

Task 20: Configure GRE Tunnel to HQ

Task 21: Configure Internet-Facing Interface and Corresponding Crypto Maps

Task 22: Configure the IGP Used In Core

Task 23: Configure Pool to Distribute IP Addresses to VPN Clients

Task 24: Configure the Global Default Route

Task 25: Configure Static VPN Routes if not using IGP within the VPN

Task 26: Configure the Crypto Access List to Define Traffic to be Encrypted

IPSec to GRE Configuration Task List

Typical IPSec to GRE configuration tasks are shown below. See IPSec to GRE Configuration Sample.

Task 1: Configure Authentication and Authorization Lists for Clients to RADIUS

Command Purpose
Step 1 

aaa authentication login

Set authentication, authorization, and accounting (AAA) authentication at login.

Step 2 

aaa authorization

Set parameters that restrict user access to a network.

Task 2: Configure the VRFs

Command Purpose
Step 1 

ip vrf

Configure a VPN routing and forwarding (VRF) routing table.

Step 2 

rd route-distinguisher

Create routing and forwarding tables for a VRF.

Task 3: Enable CEF Switching

Command Purpose

 

ip cef

Enable CEF switching.

Task 4: Configure the Keyring

Command Purpose
Step 1 

crypto keyring keyring-name [vrf fvrf]

Configure a new keyring for the shared secret keys to be used during Internet Key Exchange (IKE) authentication.

Step 2 

pre-shared-key {address address [mask] | hostname hostname} key key

Configure the addressed preshared key to be used during IKE authentication.

Task 5: Configure ISAKMP Policy for Phase 1 Negotiations

Command Purpose
Step 1 

crypto isakmp policy priority

Configure an IKE policy.

Step 2 

encryption {des | 3des | aes | aes 192 | aes 256}

Specify the encryption algorithm within an IKE policy.

Step 3 

authentication {rsa-sig | rsa-encr | pre-share}

Specify the authentication method within an IKE policy.

Task 6: Configure DPD Keepalives

Command Purpose

 

crypto isakmp keepalive secs retries

Send dead peer detection (DPD) keepalives to the IKE peer so that SAs to a peer that has gone away are detected and torn down.

Task 7: Configure Client Group Definition for Local Authorization

Command Purpose
Step 1 

crypto isakmp client configuration group {group-name | default}

Specify which group's policy profile will be defined.

Step 2 

key name

Configure the IKE preshared key for group policy attribute definition.

Step 3 

pool name

Configure a local pool address.

Task 8: Configure ISAKMP Profile for VPN Sites

Command Purpose

 

crypto isakmp profile profile-name

Define an ISAKMP profile for a VPN.

Task 9: Configure Dynamic VRF Association for VPN Sites

Command Purpose
Step 1 

vrf vrf-name

Associate the ISAKMP profile with the VRF (the inside VRF) into which the peer's decrypted traffic is routed; IPSec SAs negotiated through this profile belong to that VRF.

Step 2 

keyring keyring-name

Associate a keyring with an ISAKMP profile.

Step 3 

match identity address address [mask] [fvrf]

Match an acceptable Phase 1 identity from a peer to a particular ISAKMP profile.

Task 10: Configure ISAKMP Profile for VPN Clients

Command Purpose

 

crypto isakmp profile profile-name

Define an ISAKMP profile for a VPN.


Note   For remote sites, each peer gets its own sequence number in the crypto map definition; the peer is matched on IP address or hostname, and the crypto access list defining the traffic to be encrypted is specified per peer. VPN clients are matched instead through the client ISAKMP profile (match identity group) referenced from the dynamic crypto map.

Task 11: Configure Dynamic VRF Association for VPN Clients

Command Purpose
Step 1 

vrf vrf-name

Associate the ISAKMP profile with the VRF (the inside VRF) into which the clients' decrypted traffic is routed. See vrf for information on using this command.

Step 2 

match identity group group-name

Match an acceptable Phase 1 identity from a peer to a Unity group.

Task 12: Configure XAUTH, Group Authorization, and Mode-Config

Command Purpose
Step 1 

client authentication list list-name

Configure IKE extended authentication (Xauth) on your router. The list-name must match the list-name defined during AAA configuration (Task 1).

Step 2 

isakmp authorization list list-name

Configure IKE group authorization: during aggressive mode the router queries the named AAA list for the group's tunnel attributes (for example, the address pool).

Step 3 

client configuration address [initiate | respond]

Configure IKE mode configuration (Mode-Config).

Task 13: Configure the Transform Set

Command Purpose

 

crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]

Define the transform set.

Task 14: Configure Dynamic Crypto Map and Apply Transform Set

Command Purpose
Step 1 

crypto dynamic-map dynamic-map-name dynamic-seq-num

Create a dynamic crypto map entry and enter the crypto map configuration command mode.

Step 2 

set transform-set transform-set-name

Specify which transform sets can be used with the crypto map entry.

Task 15: Configure ISAKMP Client Profile Reference

Command Purpose

 

set isakmp-profile profile-name

Set the ISAKMP profile name for client.

Task 16: Configure Client RRI

Command Purpose

 

reverse-route [remote-peer]

Create source proxy information for a crypto map entry through RRI.

Task 17: Configure Static Crypto Map for Sites

Command Purpose
Step 1 

crypto map map-name seq-num [ipsec-isakmp]

Create a crypto map entry that uses IKE to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.

Step 2 

set peer {hostname | ip-address}

Specify an IP Security peer in a crypto map entry.

Step 3 

set transform-set transform-set-name

Specify which transform sets can be used with the crypto map entry.

Task 18: Configure ISAKMP Site Profile Reference

Command Purpose
Step 1 

set isakmp-profile profile-name

Set the ISAKMP profile name reference.

Step 2 

match identity address address [mask] [fvrf]

Match an acceptable Phase 1 identity from a peer to a particular ISAKMP profile.

Task 19: Configure Dynamic Crypto Map for Clients

Command Purpose

 

crypto map map-name seq-num [ipsec-isakmp]

Create a crypto map entry that uses IKE to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.

Task 20: Configure GRE Tunnel to HQ

Command Purpose
Step 1 

interface type

Configure an interface type and enter interface configuration mode.

Step 2 

ip vrf forwarding vrf-name

Associate a VRF instance with an interface or subinterface.

Step 3 

ip address ip-address mask

Set an IP address for an interface.

Step 4 

tunnel source {ip-address | type number}

Set source address for a tunnel interface.

Step 5 

tunnel destination {hostname | ip-address}

Specify the destination for a tunnel interface.

Task 21: Configure Internet-Facing Interface and Corresponding Crypto Maps

Command Purpose
Step 1 

interface type

Enter interface configuration mode for the Internet-facing interface or subinterface.

Step 2 

ip address ip-address mask

Set an IP address for an interface.

Step 3 

encapsulation dot1q vlan-id [native]

Enable IEEE 802.1Q encapsulation of traffic on a specified subinterface in a virtual LAN (VLAN).

Step 4 

crypto map map-name

Apply a previously defined crypto map set to an interface.


Note   Each interface services one VPN as the IPSec tunnel endpoint for both the sites and clients.

Task 22: Configure the IGP Used In Core

Command Purpose
Step 1 

router ospf process-id

Configure an OSPF routing process.

Step 2 

log-adjacency-changes

Log a message whenever an OSPF neighbor adjacency goes up or down.

Step 3 

network ip-address wildcard-mask area area-id

Configure the interfaces on which OSPF runs and to define the area ID for those interfaces.

Task 23: Configure Pool to Distribute IP Addresses to VPN Clients

Command Purpose

 

ip local pool {default | pool-name low-ip-address [high-ip-address]}

Configure a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.

Task 24: Configure the Global Default Route

Command Purpose

 

ip route network-number network-mask {ip-address | interface-name} [distance] [name name]

Establish the static default route in the global routing table, pointing at the Internet-facing next hop.

Task 25: Configure Static VPN Routes if not using IGP within the VPN

Command Purpose

 

ip route vrf vrf-name prefix mask [next-hop-address] [interface {interface-number}] [global] [distance] [permanent] [tag tag]

Establish static routes for a VRF instance.

Task 26: Configure the Crypto Access List to Define Traffic to be Encrypted

Command Purpose

 

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard

Configure an extended IP access list. A crypto access list names both the source and the destination of the traffic to be encrypted, so it must be an extended list (numbered 100 to 199 or 2000 to 2699), as in the sample.

IPSec to GRE Configuration Sample

Figure 5-1 illustrates the following IPSec to GRE configuration.


Figure 5-1   
IPSec to GRE Configuration
pe1#sh run
Building configuration...
Current configuration : 3783 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname pe1
enable password cisco
!
username cisco password 0 cisco
aaa new-model

Step 1   Configure authentication and authorization lists for clients to RADIUS.

aaa authentication login localist local
aaa authorization network localist local
aaa session-id common
ip subnet-zero
no ip domain lookup

Step 2   Configure VRFs.

ip vrf vpn1
rd 100:1

Step 3   Enable CEF switching.

ip cef

Step 4   Configure keyring.

crypto keyring vpn1
pre-shared-key address 20.1.1.1 key cisco123

Step 5   Configure ISAKMP policy for Phase 1 negotiations.

crypto isakmp policy 1
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share

Step 6   Configure DPD keepalives.

crypto isakmp keepalive 30
crypto isakmp xauth timeout 30

Step 7   Configure client group for local authorization.

crypto isakmp client configuration group ezvpn
key cisco123
pool hw-pool

Step 8   Configure ISAKMP profile for VPN sites.

crypto isakmp profile vpn1

Step 9   Configure dynamic VRF association for sites.

vrf vpn1
keyring vpn1
match identity address 20.1.1.1 255.255.255.255

Step 10   Configure ISAKMP profile for VPN clients.

crypto isakmp profile vpn1-ez

Step 11   Configure dynamic VRF association for VPN clients.

vrf vpn1
match identity group ezvpn

Step 12   Configure XAUTH, group authorization, and mode-config.

client authentication list localist
isakmp authorization list localist
client configuration address respond

Step 13   Configure the transform set.

crypto ipsec transform-set tset1 esp-3des esp-sha-hmac

Step 14   Configure dynamic crypto map and apply transform set.

crypto dynamic-map dyna 1
set security-association idle-time 3600
set transform-set tset1

Step 15   Configure ISAKMP client profile reference.

set isakmp-profile vpn1-ez

Step 16   Configure client RRI.

reverse-route

Step 17   Configure static map for a site.

crypto map vpn 10 ipsec-isakmp
set peer 20.1.1.1
set transform-set tset1

Step 18   Configure ISAKMP site profile reference.

set isakmp-profile vpn1
match address 101

Step 19   Configure dynamic crypto map for clients.

crypto map vpn 1000 ipsec-isakmp dynamic dyna

Step 20   Configure GRE tunnel to HQ.

interface Tunnel1
ip vrf forwarding vpn1
ip address 11.1.1.1 255.255.255.0
tunnel source 125.1.10.2
tunnel destination 40.1.1.2
!
interface FastEthernet2/0
no ip address
duplex auto
speed auto

Step 21   Configure Internet-facing interface and corresponding crypto maps.

interface FastEthernet2/0.1
encapsulation dot1Q 10
ip address 30.1.1.2 255.255.255.0
crypto map vpn
!
interface FastEthernet2/1
no ip address
duplex auto
speed auto
!
interface FastEthernet2/1.1
encapsulation dot1Q 10
ip address 125.1.10.2 255.255.255.0

Step 22   Configure the IGP used in the core.

router ospf 1
log-adjacency-changes
network 125.1.10.0 0.0.0.255 area 0

Step 23   Configure the pool to distribute IP addresses to VPN clients.

ip local pool hw-pool 192.168.1.1 192.168.1.254
ip classless

Step 24   Configure global default route.

ip route 0.0.0.0 0.0.0.0 FastEthernet2/0.1 30.1.1.1

Step 25   Configure static VPN routes if not using an IGP within the VPN.

ip route vrf vpn1 101.1.1.0 255.255.255.0 30.1.1.1 global
ip route vrf vpn1 101.1.2.0 255.255.255.0 Tunnel1

Step 26   Configure the crypto access list to define the traffic to be encrypted.

access-list 101 permit ip 101.1.2.0 0.0.0.255 101.1.1.0 0.0.0.255



Configuring IPSec to GRE+IPSec Service Model

The IPSec to GRE+IPSec configuration differs from the IPSec to GRE configuration in one respect: the GRE tunnel to the customer headend is itself protected by IPSec (an IPSec profile applied with tunnel protection on the tunnel interface), so customer traffic that the aggregator has decrypted no longer crosses the IP backbone in cleartext. The GRE tunnel endpoint must therefore also be a configured IKE peer, with its own keyring entry and a matching ISAKMP profile identity.

Before You Begin

The procedures provided here are specific to configuring IPSec to GRE+IPSec and are based on the following assumptions:

IPSec to GRE+IPSec Integration Configuration Checklist

This section deals with configuring the router to function as both the IPSec aggregator and the PE router.

Procedures for completing each task are described in the sections that follow. If you are viewing this document online, you can click on highlighted text to get details on the procedure.

Table 5-2   IPSec to GRE +IPSec Configuration Checklist

Task 1: Configure Authentication and Authorization Lists for Clients to RADIUS

Task 2: Configure the VRFs

Task 3: Configure the Keyring

Task 4: Configure ISAKMP Policy for Phase 1 Negotiations

Task 5: Configure DPD Keepalives

Task 6: Configure Client Group Definition for Local Authorization

Task 7: Configure ISAKMP Profile for VPN Sites

Task 8: Configure Dynamic VRF Association for VPN Sites

Task 9: Configure ISAKMP Profile for VPN Clients

Task 10: Configure Dynamic VRF Association for VPN Clients

Task 11: Configure XAUTH, Group Authorization, and Mode-Config

Task 12: Configure the Transform Set

Task 13: Configure GRE Tunnel Encryption Profile

Task 14: Configure ISAKMP Site Profile Reference

Task 15: Configure Dynamic Crypto Map and Apply Transform Set

Task 16: Configure ISAKMP Client Profile Reference

Task 17: Configure Client RRI

Task 18: Configure Static Crypto Map for Sites

Task 19: Configure ISAKMP Site Profile Reference

Task 20: Configure Dynamic Crypto Map for Clients

Task 21: Configure GRE Tunnel to Customer Site

Task 22: Configure IPSec Profile to be Used

Task 23: Configure Internet-Facing Interface and Corresponding Crypto Maps

Task 24: Configure Interface Towards IP Backbone

Task 25: Configure IGP Used in the Core

Task 26: Configure Pool Used to Distribute IP Addresses to VPN Clients

Task 27: Configure Global Default Route

Task 28: Configure Static VPN Routes if not using IGP within the VPN

Task 29: Configure the Crypto Access List to Define Traffic to be Encrypted

IPSec to GRE+IPSec Configuration Tasks

Typical IPSec to GRE+IPSec configuration tasks are shown below. See IPSec to GRE+IPSec Configuration Sample.

Task 1: Configure Authentication and Authorization Lists for Clients to RADIUS

Command Purpose
Step 1 

aaa authentication login

Set authentication, authorization, and accounting (AAA) authentication at login.

Step 2 

aaa authorization

Set parameters that restrict user access to a network.

Step 3 

aaa session-id [common | unique]

Specify whether the same session ID will be used for each AAA accounting service type within a call or whether a different session ID will be assigned to each accounting service type.

Task 2: Configure the VRFs

Command Purpose
Step 1 

ip vrf

Configure a VRF routing table.

Step 2 

rd route-distinguisher

Create routing and forwarding tables for a VRF.

Task 3: Configure the Keyring

Command Purpose
Step 1 

crypto keyring keyring-name [vrf fvrf]

Configure a new keyring for the shared secret keys to be used during IKE authentication.

Step 2 

pre-shared-key {address address [mask] | hostname hostname} key key

Configure the addressed preshared key to be used during IKE authentication.

Task 4: Configure ISAKMP Policy for Phase 1 Negotiations

Command Purpose
Step 1 

crypto isakmp policy priority

Configure an IKE policy.

Step 2 

encryption {des | 3des | aes | aes 192 | aes 256}

Specify the encryption algorithm within an IKE policy.

Step 3 

authentication {rsa-sig | rsa-encr | pre-share}

Specify the authentication method within an IKE policy.


Task 5: Configure DPD Keepalives

Command Purpose

 

crypto isakmp keepalive secs retries

Send dead peer detection (DPD) keepalives to the IKE peer so that SAs to a peer that has gone away are detected and torn down.

Task 6: Configure Client Group Definition for Local Authorization

Command Purpose
Step 1 

crypto isakmp client configuration group {group-name | default}

Specify which group's policy profile will be defined.

Step 2 

key name

Configure the IKE preshared key for group policy attribute definition.

Step 3 

pool name

Configure a local pool address.

Task 7: Configure ISAKMP Profile for VPN Sites

Command Purpose

 

crypto isakmp profile profile-name

Define an ISAKMP profile for a VPN.

Task 8: Configure Dynamic VRF Association for VPN Sites

Command Purpose
Step 1 

vrf vrf-name

Associate the ISAKMP profile with the VRF (the inside VRF) into which the peer's decrypted traffic is routed; IPSec SAs negotiated through this profile belong to that VRF.

Step 2 

keyring keyring-name

Associate a keyring with an ISAKMP profile.

Step 3 

match identity address address [mask] [fvrf]

Match an acceptable Phase 1 identity from a peer to a particular ISAKMP profile.

Task 9: Configure ISAKMP Profile for VPN Clients

Command Purpose

 

crypto isakmp profile profile-name

Define an ISAKMP profile for a VPN.


Note   For remote sites, each peer gets its own sequence number in the crypto map definition; the peer is matched on IP address or hostname, and the crypto access list defining the traffic to be encrypted is specified per peer. VPN clients are matched instead through the client ISAKMP profile (match identity group) referenced from the dynamic crypto map.

Task 10: Configure Dynamic VRF Association for VPN Clients

Command Purpose
Step 1 

vrf vrf-name

Associate the ISAKMP profile with the VRF (the inside VRF) into which the clients' decrypted traffic is routed. See vrf for information on using this command.

Step 2 

match identity group group-name

Match an acceptable Phase 1 identity from a peer to a Unity group.

Task 11: Configure XAUTH, Group Authorization, and Mode-Config

Command Purpose
Step 1 

client authentication list list-name

Configure IKE extended authentication (Xauth) on your router. The list-name must match the list-name defined during AAA configuration (Task 1).

Step 2 

isakmp authorization list list-name

Configure IKE group authorization: during aggressive mode the router queries the named AAA list for the group's tunnel attributes (for example, the address pool).

Step 3 

client configuration address [initiate | respond]

Configure IKE mode configuration (Mode-Config).

Task 12: Configure the Transform Set

Command Purpose

 

crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]

Define the transform set.

Task 13: Configure GRE Tunnel Encryption Profile

Command Purpose
Step 1 

crypto ipsec profile

Configure IPSec profile.

Step 2 

set transform-set transform-set-name

Specify which transform sets can be used with the crypto map entry.

Task 14: Configure ISAKMP Site Profile Reference

Command Purpose

 

set isakmp-profile profile-name

Set the ISAKMP profile that IKE uses for the GRE tunnel peer protected by this IPSec profile.

Task 15: Configure Dynamic Crypto Map and Apply Transform Set

Command Purpose
Step 1 

crypto dynamic-map dynamic-map-name dynamic-seq-num

Create a dynamic crypto map entry and enter the crypto map configuration command mode.

Step 2 

set transform-set transform-set-name

Specify which transform sets can be used with the crypto map entry.

Task 16: Configure ISAKMP Client Profile Reference

Command Purpose

 

set isakmp-profile profile-name

Set the ISAKMP profile name for client.

Task 17: Configure Client RRI

Command Purpose

 

reverse-route [remote-peer]

Create source proxy information for a crypto map entry through RRI.

Task 18: Configure Static Crypto Map for Sites

Command Purpose
Step 1 

crypto map map-name seq-num [ipsec-isakmp]

Create a crypto map entry that uses IKE to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.

Step 2 

set peer {hostname | ip-address}

Specify an IP Security peer in a crypto map entry.

Step 3 

set transform-set transform-set-name

Specify which transform sets can be used with the crypto map entry.

Task 19: Configure ISAKMP Site Profile Reference

Command Purpose
Step 1 

set isakmp-profile profile-name

Set the ISAKMP profile name reference.

Step 2 

match identity address address [mask] [fvrf]

Match an acceptable Phase 1 identity from a peer to a particular ISAKMP profile.

Task 20: Configure Dynamic Crypto Map for Clients

Command Purpose

 

crypto map map-name seq-num [ipsec-isakmp]

Create a crypto map entry that uses IKE to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.

Task 21: Configure GRE Tunnel to Customer Site

Command Purpose
Step 1 

interface type

Configure an interface type and enter interface configuration mode.

Step 2 

ip vrf forwarding vrf-name

Associate a VRF instance with an interface or subinterface.

Step 3 

ip address ip-address mask

Set an IP address for an interface.

Step 4 

tunnel source {ip-address | type number}

Set source address for a tunnel interface.

Step 5 

tunnel destination {hostname | ip-address}

Specify the destination for a tunnel interface.

Task 22: Configure IPSec Profile to be Used

Command Purpose

 

tunnel protection ipsec profile name

Associate a tunnel interface with an IPSec profile.

Task 23: Configure Internet-Facing Interface and Corresponding Crypto Maps

Command Purpose
Step 1 

interface type

Enter interface configuration mode for the Internet-facing interface or subinterface.

Step 2 

ip address ip-address mask

Set an IP address for an interface.

Step 3 

encapsulation dot1q vlan-id [native]

Enable IEEE 802.1Q encapsulation of traffic on a specified subinterface in a virtual LAN (VLAN).

Step 4 

crypto map map-name

Apply a previously defined crypto map set to an interface.


Note   Each interface services one VPN as the IPSec tunnel endpoint for both the sites and clients.

Task 24: Configure Interface Towards IP Backbone

Command Purpose
Step 1 

interface type

Enter interface configuration mode for the backbone-facing interface or subinterface.

Step 2 

encapsulation dot1q vlan-id [native]

Enable IEEE 802.1Q encapsulation of traffic on a specified subinterface in a virtual LAN (VLAN).

Step 3 

ip address ip-address mask

Set an IP address for an interface.

Task 25: Configure IGP Used in the Core

Command Purpose
Step 1 

router ospf process-id

Configure an OSPF routing process.

Step 2 

log-adjacency-changes

Log a message whenever an OSPF neighbor adjacency goes up or down.

Step 3 

network ip-address wildcard-mask area area-id

Configure the interfaces on which OSPF runs and to define the area ID for those interfaces.

Task 26: Configure Pool Used to Distribute IP Addresses to VPN Clients

Command Purpose

 

ip local pool {default | pool-name low-ip-address [high-ip-address]}

Configure a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.

Task 27: Configure Global Default Route

Command Purpose

 

ip route network-number network-mask {ip-address | interface-name} [distance] [name name]

Establish the static default route in the global routing table, pointing at the Internet-facing next hop.

Task 28: Configure Static VPN Routes if not using IGP within the VPN

Command Purpose

 

ip route vrf vrf-name prefix mask [next-hop-address] [interface {interface-number}] [global] [distance] [permanent] [tag tag]

Establish static routes for a VPN routing and forwarding (VRF) instance.

Task 29: Configure the Crypto Access List to Define Traffic to be Encrypted

Command Purpose

 

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard

Configure an extended IP access list. A crypto access list names both the source and the destination of the traffic to be encrypted, so it must be an extended list (numbered 100 to 199 or 2000 to 2699), as in the sample.

IPSec to GRE+IPSec Configuration Sample

Figure 5-2 illustrates the following IPSec to GRE+IPSec configuration.


Figure 5-2   
IPSec to GRE+IPSec Configuration
pe1#sh run
Building configuration...
Current configuration : 4009 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname pe1
enable password cisco
!
username cisco password 0 cisco
aaa new-model

Step 1   Configure authentication and authorization lists for clients to RADIUS.

aaa authentication login localist local
aaa authorization network localist local
aaa session-id common
ip subnet-zero
no ip domain lookup

Step 2   Configure the VRFs.

ip vrf vpn1
rd 100:1

Step 3   Configure keyring.

crypto keyring vpn1
pre-shared-key address 20.1.1.1 key cisco123
pre-shared-key address 40.1.1.2 key cisco123

Step 4   Configure the ISAKMP policy for phase 1 negotiations.

crypto isakmp policy 1
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share

Step 5   Configure DPD keepalives.

crypto isakmp keepalive 30
crypto isakmp xauth timeout 30

Step 6   Configure client group for local authorization.

crypto isakmp client configuration group ezvpn
key cisco123
pool hw-pool

Step 7   Configure ISAKMP profile for VPN sites.

crypto isakmp profile vpn1

Step 8   Configure dynamic VRF association for sites.

vrf vpn1
keyring vpn1
match identity address 20.1.1.1 255.255.255.255
match identity address 40.1.1.2 255.255.255.255

Step 9   Configure ISAKMP profile for VPN clients.

crypto isakmp profile vpn1-ez

Step 10   Configure dynamic VRF association for VPN clients.

vrf vpn1
match identity group ezvpn

Step 11   Configure XAUTH, group authorization, and mode-config.

client authentication list localist
isakmp authorization list localist
client configuration address respond

Step 12   Configure transform set.

crypto ipsec transform-set tset1 esp-3des esp-sha-hmac

Step 13   Configure GRE tunnel encryption profile.

crypto ipsec profile pe_to_hq
set transform-set tset1

Step 14   Configure ISAKMP site profile reference.

set isakmp-profile vpn1

Step 15   Configure dynamic crypto map and apply transform set.

crypto dynamic-map dyna 1
set security-association idle-time 3600
set transform-set tset1

Step 16   Configure ISAKMP client profile reference.

set isakmp-profile vpn1-ez

Step 17   Configure client RRI.

reverse-route

Step 18   Configure static map for a site.

crypto map vpn 10 ipsec-isakmp
set peer 20.1.1.1
set transform-set tset1

Step 19   Configure ISAKMP site profile reference.

set isakmp-profile vpn1
match address 101

Step 20   Configure dynamic crypto map for clients.

crypto map vpn 1000 ipsec-isakmp dynamic dyna

Step 21   Configure encrypted GRE tunnel to customer site.

interface Tunnel1
ip vrf forwarding vpn1
ip address 11.1.1.1 255.255.255.0
tunnel source 125.1.10.2
tunnel destination 40.1.1.2

Step 22   Configure IPSec profile to be used.

tunnel protection ipsec profile pe_to_hq
!
interface FastEthernet2/0
no ip address
duplex auto
speed auto

Step 23   Configure internet-facing interface and corresponding crypto maps.

interface FastEthernet2/0.1
encapsulation dot1Q 10
ip address 30.1.1.2 255.255.255.0
crypto map vpn
!
interface FastEthernet2/1
no ip address
duplex auto
speed auto

Step 24   Configure interface towards IP backbone.

interface FastEthernet2/1.1
encapsulation dot1Q 10
ip address 125.1.10.2 255.255.255.0

Step 25   Configure IGP used in the core.

router ospf 1
log-adjacency-changes
network 99.1.1.1 0.0.0.0 area 0
network 125.1.10.0 0.0.0.255 area 0

Step 26   Configure the pool to distribute IP addresses to VPN clients.

ip local pool hw-pool 192.168.1.1 192.168.1.254
ip classless

Step 27   Configure global default route.

ip route 0.0.0.0 0.0.0.0 FastEthernet2/0.1 30.1.1.1

Step 28   Configure static VPN routes if not using an IGP within the VPN.

ip route vrf vpn1 101.1.1.0 255.255.255.0 30.1.1.1 global
ip route vrf vpn1 101.1.2.0 255.255.255.0 Tunnel1

Step 29   Configure the crypto access list.

access-list 101 permit ip 101.1.2.0 0.0.0.255 101.1.1.0 0.0.0.255
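
The two samples in this chapter (Figure 5-1 and Figure 5-2) differ only in the tunnel protection line, and most of the rest is cross-references (crypto map to ISAKMP profile, tunnel peer to keyring and profile identity, crypto map to access list) that IOS accepts silently even when the target is missing. The following Python script is an added example, not code from the original page or from Cisco: it parses a running-config of this shape and reports dangling references, a crypto access list that is not extended, GRE tunnels that lack IPSec protection (the IPSec to GRE model, where decrypted customer traffic crosses the backbone in cleartext), ISAKMP policies that fall back to the IOS defaults of DES and DH group 1 or use 3DES or group 2 as the samples do, and cleartext credentials. SAMPLE is a constructed, condensed copy of the Figure 5-2 values with the 40.1.1.2 keyring entry deliberately omitted and an unprotected Tunnel2 added; the finding codes, the WEAK_ENC list and the function names are this example's own choices.

```python
import re

# Constructed sample: condensed Figure 5-2 (IPSec to GRE+IPSec) values. The keyring
# entry for tunnel peer 40.1.1.2 is left out on purpose, and Tunnel2 (no tunnel
# protection, i.e. the Figure 5-1 IPSec to GRE model) is added, so both checks fire.
SAMPLE = """\
no service password-encryption
username cisco password 0 cisco
crypto keyring vpn1
 pre-shared-key address 20.1.1.1 key cisco123
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp profile vpn1
 keyring vpn1
 match identity address 20.1.1.1 255.255.255.255
 match identity address 40.1.1.2 255.255.255.255
crypto ipsec profile pe_to_hq
 set isakmp-profile vpn1
crypto map vpn 10 ipsec-isakmp
 set isakmp-profile vpn1
 match address 101
interface Tunnel1
 tunnel destination 40.1.1.2
 tunnel protection ipsec profile pe_to_hq
interface Tunnel2
 tunnel destination 40.1.1.3
access-list 101 permit ip 101.1.2.0 0.0.0.255 101.1.1.0 0.0.0.255
"""
WEAK_ENC = {"des", "3des"}  # example's own list of IKE ciphers to flag


def parse_blocks(text):
    """Split an IOS config into (header, body) blocks: an unindented line starts
    a block, indented lines belong to the last one; blanks and '!' are dropped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint(text):
    """Return 'CODE: detail' findings: REF (dangling reference), ACL (missing or
    non-extended crypto ACL), CLEARTEXT (GRE without IPSec), WEAK, CREDS."""
    blocks = parse_blocks(text)
    body = lambda pfx: [(h.split(), b) for h, b in blocks if h.startswith(pfx)]
    isakmp_prof = {h[3] for h, _ in body("crypto isakmp profile ")}
    acls = {h[1] for h, _ in body("access-list ")}
    psk_peers = {ln.split()[2] for _, b in body("crypto keyring ")
                 for ln in b if ln.startswith("pre-shared-key address ")}
    id_peers = {ln.split()[3] for _, b in body("crypto isakmp profile ")
                for ln in b if ln.startswith("match identity address ")}
    out = []
    # Crypto map, dynamic map and IPSec profile entries: profile and ACL references.
    for h, b in body("crypto map ") + body("crypto dynamic-map ") + body("crypto ipsec profile "):
        name = " ".join(h[1:])
        for w in (ln.split() for ln in b):
            if w[:2] == ["set", "isakmp-profile"] and w[2] not in isakmp_prof:
                out.append(f"REF: {name} references undefined ISAKMP profile {w[2]}")
            if w[:2] == ["match", "address"] and (w[2] not in acls or w[2].isdigit()
                    and not 100 <= int(w[2]) <= 199 and not 2000 <= int(w[2]) <= 2699):
                out.append(f"ACL: {name}: access-list {w[2]} is missing or not an extended ACL")
    # GRE tunnels: with tunnel protection the peer needs a PSK and a profile identity.
    for h, b in body("interface "):
        dest = prof = None
        for w in (ln.split() for ln in b):
            if w[:2] == ["tunnel", "destination"]:
                dest = w[2]
            if w[:4] == ["tunnel", "protection", "ipsec", "profile"]:
                prof = w[4]
        if dest and not prof:
            out.append(f"CLEARTEXT: {h[1]} to {dest} is plain GRE; decrypted VPN traffic crosses the backbone unencrypted")
        elif dest:
            if dest not in psk_peers:
                out.append(f"REF: no keyring pre-shared-key for tunnel peer {dest}")
            if dest not in id_peers:
                out.append(f"REF: no ISAKMP profile 'match identity address' for tunnel peer {dest}")
    # Legacy algorithms; IOS defaults to DES and DH group 1 when none is configured.
    for h, b in body("crypto isakmp policy "):
        enc = next((ln.split()[1] for ln in b if ln.split()[0] in ("encr", "encryption")), "des")
        grp = next((ln.split()[1] for ln in b if ln.startswith("group ")), "1")
        if enc in WEAK_ENC:
            out.append(f"WEAK: isakmp policy {h[3]} uses {enc}")
        if grp in ("1", "2"):
            out.append(f"WEAK: isakmp policy {h[3]} uses DH group {grp}")
    # Cleartext credentials in the running-config.
    for h, _ in blocks:
        if h == "no service password-encryption" or h.startswith("enable password ") \
                or re.match(r"username \S+ password 0 ", h):
            out.append(f"CREDS: cleartext credential: {h}")
    return out


FINDINGS = lint(SAMPLE)
```

Run it against saved show running-config output. On SAMPLE it reports the missing keyring entry for 40.1.1.2, the unprotected Tunnel2, the DES and group 2 defaults of policy 1, and the two cleartext secrets; adding the 40.1.1.2 pre-shared-key line from Figure 5-2 clears the REF finding. The WEAK findings reflect choices that were current for IOS 12.2 but should be replaced by AES and a larger DH group today, and the CLEARTEXT finding is exactly the distinction between the IPSec to GRE and IPSec to GRE+IPSec models.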



Configuring PE to PE Encryption Service Model

In this configuration, a mesh of GRE tunnels is configured between all the PE devices and each tunnel is protected by IPSec. Only a single GRE tunnel is necessary between any two PEs to carry all the VPNs, because the MPLS VPN label that identifies each VPN is carried inside the GRE tunnel across the network.

Before You Begin

The procedures provided here are specific to configuring PE to PE Encryption and are based on the following assumptions:

PE to PE Encryption Configuration Checklist

This section deals with configuring the router to function as both the IPSec aggregator and the PE router.

Procedures for completing each task are described in the sections that follow. If you are viewing this document online, you can click on highlighted text to get details on the procedure.

Table 5-3   PE to PE Encryption Configuration Checklist

Task 1: Configure Authentication and Authorization Lists for Clients to RADIUS

Task 2: Configure the VRFs

Task 3: Enable CEF Switching

Task 4: Configure the Keyring

Task 5: Configure ISAKMP Policy for Phase 1 Negotiations

Task 6: Configure DPD Keepalives

Task 7: Configure Client Group Definition for Local Authorization

Task 8: Configure ISAKMP Profile for VPN Sites

Task 9: Configure Dynamic VRF Association for VPN Sites

Task 10: Configure ISAKMP Profile for VPN Clients

Task 11: Configure Dynamic VRF Association for VPN Clients

Task 12: Configure XAUTH, Group Authorization, and Mode-Config

Task 13: Configure ISAKMP Profile for PE to PE Tunnel

Task 14: Configure the Transform Set

Task 15: Configure PE to PE GRE Tunnel Encryption Profile

Task 16: Configure ISAKMP Client Profile Reference

Task 17: Configure Client RRI

Task 18: Configure Static Crypto Map for Sites

Task 19: Configure ISAKMP Site Profile Reference

Task 20: Configure Dynamic Crypto Map for Clients

Task 21: Configure PE to PE GRE Tunnel

Task 22: Turn on Tag-Switching

Task 23: Configure IPSec Profile to be Used

Task 24: Configure Internet-Facing Interface and Corresponding Crypto Maps

Task 25: Configure Interface Towards IP Backbone

Task 26: Configure IGP Used in the Core

Task 27: Configure PE Peering for VPN Routes

Task 28: Configure Pool Used to Distribute IP Addresses to VPN Clients

Task 29: Configure Global Default Route

Task 30: Configure Static VPN Routes if not using IGP within the VPN

Task 31: Configure the Crypto Access List to Define Traffic to be Encrypted

Configuring PE to PE Encryption

Typical PE to PE encryption configuration tasks are shown below. See PE to PE Encryption Configuration Sample.

Task 1: Configure Authentication and Authorization Lists for Clients to RADIUS

Command Purpose
Step 1 

aaa authentication login

Set authentication, authorization, and accounting (AAA) authentication at login.

Step 2 

aaa authorization

Set parameters that restrict user access to a network.

Step 3 

aaa session-id [common | unique]

Specify whether the same session ID will be used for each AAA accounting service type within a call or whether a different session ID will be assigned to each accounting service type.

Task 2: Configure the VRFs

Command Purpose
Step 1 

ip vrf

Configure a VRF routing table.

Step 2 

rd route-distinguisher

Create routing and forwarding tables for a VRF.

Task 3: Enable CEF Switching

Command Purpose

ip cef

Enable CEF switching.

Task 4: Configure the Keyring

Command Purpose
Step 1 

crypto keyring keyring-name [vrf fvrf]

Configure a new keyring for the shared secret keys to be used during IKE authentication.

Step 2 

pre-shared-key {address address [mask] | hostname hostname} key key

Configure the addressed preshared key to be used during IKE authentication.

Task 5: Configure ISAKMP Policy for Phase 1 Negotiations

Command Purpose
Step 1 

crypto isakmp policy priority

Configure an IKE policy.

Step 2 

encryption {des | 3des | aes | aes 192 | aes 256}

Specify the encryption algorithm within an IKE policy.

Step 3 

authentication {rsa-sig | rsa-encr | pre-share}

Specify the authentication method within an IKE policy.

Task 6: Configure DPD Keepalives

Command Purpose

crypto isakmp keepalive secs retries

Allow the gateway to send dead peer detection (DPD) messages to the router.

Task 7: Configure Client Group Definition for Local Authorization

Command Purpose
Step 1 

crypto isakmp client configuration group {group-name | default}

Specify which group's policy profile will be defined.

Step 2 

key name

Configure the IKE preshared key for group policy attribute definition.

Step 3 

pool name

Configure a local pool address.

Task 8: Configure ISAKMP Profile for VPN Sites

Command Purpose

crypto isakmp profile profile-name

Define an ISAKMP profile for a VPN.

Task 9: Configure Dynamic VRF Association for VPN Sites

Command Purpose
Step 1 

vrf name

Associate the on-demand address pool with a VRF name.

Step 2 

keyring keyring-name

Associate a keyring with an ISAKMP profile.

Step 3 

match identity address address [mask] [fvrf]

Match an acceptable Phase 1 identity from a peer to a particular ISAKMP profile.

Task 10: Configure ISAKMP Profile for VPN Clients

Command Purpose

crypto isakmp profile profile-name

Define an ISAKMP profile for a VPN.


Note   You can configure the remote sites to match each peer using sequence numbers in the crypto map definition. You can match the peer on IP address or hostname. The IP address match list for traffic to be encrypted is also defined for each peer. In the case of VPN clients, the dynamic profile defined earlier is used to match the clients.

Task 11: Configure Dynamic VRF Association for VPN Clients

Command Purpose
Step 1 

vrf name

Associate the on-demand address pool with a VRF name. See vrf for information on using this command.

Step 2 

match identity group-name

Match an acceptable Phase 1 identity from a peer to a Unity group.

Task 12: Configure XAUTH, Group Authorization, and Mode-Config

Command Purpose
Step 1 

client authentication list list-name

Configure IKE extended authentication (Xauth) on your router. The list-name must match the list-name defined during AAA configuration.

Step 2 

isakmp authorization list list-name

Configure group authorization IKE querying of AAA for tunnel attributes in aggressive mode.

Step 3 

client configuration address [initiate | respond]

Configure IKE mode configuration (Mode-Config).

Task 13: Configure ISAKMP Profile for PE to PE Tunnel

Command Purpose

crypto isakmp profile profile-name

Define an ISAKMP profile for a VPN.

Task 14: Configure the Transform Set

Command Purpose

crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]

Define the transform set.

Task 15: Configure PE to PE GRE Tunnel Encryption Profile

Command Purpose
Step 1 

crypto ipsec profile

Configure IPSec profile.

Step 2 

set transform-set transform-set-name

Specify which transform sets can be used with the crypto map entry.

Task 16: Configure ISAKMP Client Profile Reference

Command Purpose

set isakmp-profile profile-name

Set the ISAKMP profile name for client.

Task 17: Configure Client RRI

Command Purpose

reverse-route [remote-peer]

Create source proxy information for a crypto map entry through RRI.

Task 18: Configure Static Crypto Map for Sites

Command Purpose
Step 1 

crypto map map-name seq-num [ipsec-isakmp]

Create a crypto map entry that uses IKE to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.

Step 2 

set peer {hostname | ip-address}

Specify an IP Security peer in a crypto map entry.

Step 3 

set transform-set transform-set-name

Specify which transform sets can be used with the crypto map entry.

Task 19: Configure ISAKMP Site Profile Reference

Command Purpose
Step 1 

set isakmp-profile profile-name

Set the ISAKMP profile name reference.

Step 2 

match identity address address [mask] [fvrf]

Match an acceptable Phase 1 identity from a peer to a particular isakmp profile.

Task 20: Configure Dynamic Crypto Map for Clients

Command Purpose

crypto map map-name seq-num [ipsec-isakmp]

Create a crypto map entry that uses IKE to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.

Task 21: Configure PE to PE GRE Tunnel

Command Purpose
Step 1 

interface type number

Configure an interface type and enter interface configuration mode.

Step 2 

ip address ip-address mask

Set an IP address for an interface.

Task 22: Turn on Tag-Switching

Command Purpose
Step 1 

tag-switching ip

Configure label switching of IPv4 packets on an interface.

Step 2 

tunnel source {ip-address | type number}

Set source address for a tunnel interface.

Step 3 

tunnel destination {hostname | ip-address}

Specify the destination for a tunnel interface.

Task 23: Configure IPSec Profile to be Used

Command Purpose

tunnel protection ipsec profile name

Associate a tunnel interface with an IPSec profile.

Task 24: Configure Internet-Facing Interface and Corresponding Crypto Maps

Command Purpose
Step 1 

interface type number

Configure an interface type (here the Internet-facing subinterface) and enter interface configuration mode.

Step 2 

ip address ip-address mask

Set an IP address for an interface.

Step 3 

encapsulation dot1q vlan-id [native]

Enable IEEE 802.1Q encapsulation of traffic on a specified subinterface in a virtual LAN (VLAN).

Step 4 

crypto map map-name

Apply a previously defined crypto map set to an interface.

Task 25: Configure Interface Towards IP Backbone

Command Purpose
Step 1 

interface type number

Configure an interface type (here the subinterface towards the IP backbone) and enter interface configuration mode.

Step 2 

encapsulation dot1q vlan-id [native]

Enable IEEE 802.1Q encapsulation of traffic on a specified subinterface in a virtual LAN (VLAN).

Step 3 

ip address ip-address mask

Set an IP address for an interface.

Step 4 

tag-switching ip

Configure label switching of IPv4 packets on an interface.

Task 26: Configure IGP Used in the Core

Command Purpose
Step 1 

router ospf process-id

Configure an OSPF routing process.

Step 2 

log-adjacency-changes

Log a syslog message whenever an OSPF neighbor adjacency goes up or down.

Step 3 

network ip-address wildcard-mask area area-id

Define the interfaces on which OSPF runs and the area ID for those interfaces.

Task 27: Configure PE Peering for VPN Routes

Command Purpose
Step 1 

address-family vpnv4

Configure address family configuration mode for configuring routing sessions, such as BGP, that use standard Virtual Private Network (VPN) Version 4 address prefixes.

Step 2 

neighbor ip-address activate

Enable the exchange of VPNv4 routes with the specified BGP neighbor (the neighbor and its remote AS are defined under router bgp, as in the configuration sample).

Task 28: Configure Pool Used to Distribute IP Addresses to VPN Clients

Command Purpose
Step 1 

ip local pool {default | pool-name low-ip-address [high-ip-address]}

Configure a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.

Task 29: Configure Global Default Route

Command Purpose

ip route network-number network-mask {ip-address | interface-name} [distance] [name name]

Establish static routes and define the next hop for large-scale dial-out.

Task 30: Configure Static VPN Routes if not using IGP within the VPN

Command Purpose

ip route vrf vrf-name prefix mask [next-hop-address] [interface {interface-number}] [global] [distance] [permanent] [tag tag]

Establish static routes for a VPN routing and forwarding (VRF) instance.

Task 31: Configure the Crypto Access List to Define Traffic to be Encrypted

Command Purpose

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log]

Configure an extended IP access list that defines the traffic to be encrypted (the configuration sample uses extended list 101, matching on both source and destination).

PE to PE Encryption Configuration Sample

Figure 5-3 illustrates the following PE to PE encryption configuration.

Figure 5-3   PE to PE Encryption Configuration
pe1#sh run
Building configuration...
Current configuration : 4459 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname pe1
enable password cisco
username cisco password 0 cisco
aaa new-model

Step 1   Configure authentication and authorization lists for clients to RADIUS.

aaa authentication login localist local
aaa authorization network localist local
aaa session-id common
ip subnet-zero

Step 2   Configure the VRFs.

ip vrf vpn1
rd 100:1
route-target export 100:1
route-target import 100:1

Step 3   Enable CEF switching.

ip cef
mpls label protocol ldp
mpls ldp logging neighbor-changes
tag-switching ip default-route
!
Keyring/VPN

Step 4   Configure the keyring.

crypto keyring vpn1
pre-shared-key address 20.1.1.1 key cisco123
pre-shared-key address 40.1.1.2 key cisco123
crypto keyring gre
pre-shared-key address 125.1.20.2 key cisco321
!

Step 5   Configure ISAKMP policy for Phase 1 negotiations.

crypto isakmp policy 1
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share

Step 6   Configure DPD keepalives.

crypto isakmp keepalive 30
crypto isakmp xauth timeout 30

Step 7   Configure client group for local authorization.

crypto isakmp client configuration group ezvpn
key cisco123
pool hw-pool

Step 8   Configure ISAKMP profile for VPN sites.

crypto isakmp profile vpn1

Step 9   Configure dynamic VRF association for sites.

vrf vpn1
keyring vpn1
match identity address 20.1.1.1 255.255.255.255
match identity address 40.1.1.2 255.255.255.255

Step 10   Configure ISAKMP profile for VPN clients.

crypto isakmp profile vpn1-ez

Step 11   Configure dynamic VRF association.

vrf vpn1
match identity group ezvpn

Step 12   Configure XAUTH, group authorization, and mode-config.

client authentication list localist
isakmp authorization list localist
client configuration address respond

Step 13   Configure ISAKMP profile for PE-PE tunnel.

crypto isakmp profile gre
keyring gre
match identity address 125.1.20.2 255.255.255.255

Step 14   Configure the transform set.

crypto ipsec transform-set tset1 esp-3des esp-sha-hmac
crypto ipsec transform-set tset2 esp-3des esp-sha-hmac
mode transport

Step 15   Configure IPSec profile for PE-PE GRE tunnel.

crypto ipsec profile gre1
set transform-set tset2
set isakmp-profile gre
!
crypto dynamic-map dyna 1
set security-association idle-time 3600
set transform-set tset1

Step 16   Configure ISAKMP client profile reference.

set isakmp-profile vpn1-ez

Step 17   Configure client RRI.

reverse-route

Step 18   Configure static map for a site.

crypto map vpn 10 ipsec-isakmp
set peer 20.1.1.1
set transform-set tset1

Step 19   Configure ISAKMP site profile reference.

set isakmp-profile vpn1
match address 101

Step 20   Configure dynamic crypto map for clients.

crypto map vpn 1000 ipsec-isakmp dynamic dyna
!
interface Loopback0
ip address 99.1.1.1 255.255.255.255

Step 21   Configure PE-PE GRE tunnel.

interface Tunnel1
ip address 11.1.1.1 255.255.255.252

Step 22   Turn on tag-switching.

tag-switching ip
tunnel source FastEthernet2/1.1
tunnel destination 125.1.20.2

Step 23   Configure IPSec profile reference.

tunnel protection ipsec profile gre1
!
interface FastEthernet2/0
no ip address
duplex auto
speed auto

Step 24   Configure Internet-facing interface and corresponding crypto maps.

interface FastEthernet2/0.1
encapsulation dot1Q 10
ip address 30.1.1.2 255.255.255.0
crypto map vpn
!
interface FastEthernet2/1
no ip address
duplex auto
speed auto

Step 25   Configure interface towards IP backbone.

interface FastEthernet2/1.1
encapsulation dot1Q 10
ip address 125.1.10.2 255.255.255.0
tag-switching ip

Step 26   Configure IGP used in the core.

router ospf 1
log-adjacency-changes
network 99.1.1.1 0.0.0.0 area 0
network 125.1.10.0 0.0.0.255 area 0
!
router bgp 100
no synchronization
bgp log-neighbor-changes
timers bgp 10 30
neighbor 11.1.1.2 remote-as 100
no auto-summary

Step 27   Configure PE peering for VPN routes.

address-family vpnv4
neighbor 11.1.1.2 activate
neighbor 11.1.1.2 send-community both
no auto-summary
exit-address-family
!
address-family ipv4 vrf vpn1
redistribute static
no auto-summary
no synchronization
exit-address-family

Step 28   Configure the pool to distribute IP addresses to VPN clients.

ip local pool hw-pool 192.168.1.1 192.168.1.254
ip classless

Step 29   Configure the global default route.

ip route 0.0.0.0 0.0.0.0 FastEthernet2/0.1 30.1.1.1

Step 30   Configure static VPN routes if not using IGP within the VPN.

ip route vrf vpn1 101.1.1.0 255.255.255.0 30.1.1.1 global

Step 31   Configure the crypto access list.

access-list 101 permit ip 101.1.2.0 0.0.0.255 101.1.1.0 0.0.0.255
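An added Python check (not Cisco's and not part of this guide) that walks the linkage the steps above build up, keyring to ISAKMP profile to crypto map or IPSec profile to tunnel, and reports references to undefined profiles as well as preshared-key peers that no ISAKMP profile matches. The configuration excerpt is constructed from the pe1 sample, with two deliberate defects so that the check has something to report.

```python
from textwrap import dedent

# Constructed excerpt of the pe1 crypto configuration from this page, with two deliberate
# defects: no profile matches peer 40.1.1.2 any more, and map entry 20 names an undefined profile.
SAMPLE_CONFIG = dedent("""\
    crypto keyring vpn1
     pre-shared-key address 20.1.1.1 key cisco123
     pre-shared-key address 40.1.1.2 key cisco123
    crypto keyring gre
     pre-shared-key address 125.1.20.2 key cisco321
    crypto isakmp profile vpn1
     match identity address 20.1.1.1 255.255.255.255
    crypto isakmp profile gre
     match identity address 125.1.20.2 255.255.255.255
    crypto ipsec profile gre1
     set isakmp-profile gre
    crypto map vpn 10 ipsec-isakmp
     set isakmp-profile vpn1
    crypto map vpn 20 ipsec-isakmp
     set isakmp-profile vpn2
    interface Tunnel1
     tunnel protection ipsec profile gre1
    """)

def parse_sections(config):
    """Group an IOS config into (header, [body lines]); indented lines belong to the last header."""
    sections = []
    for line in config.splitlines():
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif line.strip():
            sections.append((line.strip(), []))
    return sections

def check_crypto_references(config):
    """Report dangling profile references and keyring peers that no ISAKMP profile matches."""
    secs = parse_sections(config)
    keyrings = {h.split()[2]: b for h, b in secs if h.startswith("crypto keyring ")}
    isakmp = {h.split()[3]: b for h, b in secs if h.startswith("crypto isakmp profile ")}
    ipsec = {h.split()[3] for h, _ in secs if h.startswith("crypto ipsec profile ")}
    matched = {ln.split()[3] for b in isakmp.values() for ln in b
               if ln.startswith("match identity address ")}
    findings = []
    for name, body in keyrings.items():   # a PSK for a peer that no profile will ever select
        for peer in (ln.split()[2] for ln in body if ln.startswith("pre-shared-key address ")):
            if peer not in matched:
                findings.append(f"keyring {name}: peer {peer} matched by no ISAKMP profile")
    for header, body in secs:             # every reference must point at a defined profile
        for ln in body:
            if ln.startswith("set isakmp-profile ") and ln.split()[2] not in isakmp:
                findings.append(f"{header}: ISAKMP profile {ln.split()[2]} undefined")
            if ln.startswith("tunnel protection ipsec profile ") and ln.split()[4] not in ipsec:
                findings.append(f"{header}: IPSec profile {ln.split()[4]} undefined")
    return findings
```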




Posted: Tue May 20 05:30:43 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.