
vpn between M series and Cisco (Gre over IPSEC)

‎08-30-2014 02:55 AM

Struggling to create a VPN between an M7i and a Cisco router. I need to create a GRE over IPsec VPN and run OSPF over it (next-hop style preferred). The VPN and GRE endpoints need to be the physical IP on the link, and the VPN and GRE endpoint should be the same (not different or loopback addresses).

Thanks

 

2 REPLIES

Re: vpn between M series and Cisco (Gre over IPSEC)

‎08-30-2014 05:24 PM

Maybe a good thing would be to show a configuration of what you have done so far, and any logs, errors, etc. Have you already configured the VPN and are just having issues with tunneling the OSPF packets over the gr tunnel? Without any details, it seems as if someone would have to make up a complete configuration and post it here. There are several available in the forums already. If the VPN is not configured then OSPF is secondary. If the VPN is configured and working, tunneling OSPF packets over gr over IPsec is quite easy, just 3 simple steps.


Re: vpn between M series and Cisco (Gre over IPSEC)

‎08-31-2014 08:14 AM

Here is an example config, but this is done with IPsec between physical IP addresses and GRE between loopback interfaces. This also claims that the config is different when IPsec and GRE both originate at the same physical IP address.

 

===================================================================================

To configure a GRE tunnel, which will be encapsulated within IPSec,
you configure an IPSec tunnel and then a GRE tunnel. The exact
details depend on whether you will be using the same IP address for
both the GRE and IPSec tunnel endpoints. It is slightly more
straightforward if you use different addresses, so I will use that as
an example.

In this case, we have two routers (aptly named juniper and cisco),
configured with the following addresses:

juniper
ISP interface: 172.17.37.4
lo0.0: 192.168.37.1

cisco
ISP interface: 172.17.38.4
loopback0: 192.168.38.1

We will use the ISP interfaces as the endpoints for the IPSec tunnel
and use the loopback interfaces as the endpoints for the GRE tunnel.

On the Juniper side, we'll start by configuring the IPSec tunnel, as follows:

[edit interfaces]
user@juniper# show sp-0/0/0
unit 0 {
    family inet;
}
unit 1 {
    family inet;
    service-domain outside;
}
unit 2 {
    family inet;
    service-domain inside;
}

[edit security]
user@juniper# show
service-set gre-vpn {
    next-hop-service {
        inside-service-interface sp-0/0/0.2;
        outside-service-interface sp-0/0/0.1;
    }
    ipsec-vpn-options {
        local-gateway 172.17.37.4;
    }
    ipsec-vpn-rules vpn-to-cisco;
}
ipsec-vpn {
    rule vpn-to-cisco {
        term gre-tunnel {
            from {
                source-address {
                    192.168.37.1/32;
                }
                destination-address {
                    192.168.38.1/32;
                }
            }
            then {
                remote-gateway 172.17.38.4;
                dynamic {
                    ike-policy main_mode_ike_policy;
                    ipsec-policy dynamic_ipsec_policy;
                }
            }
        }
        match-direction output;
    }
    ipsec {
        proposal cisco_compat {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
        }
        policy dynamic_ipsec_policy {
            perfect-forward-secrecy {
                keys group1;
            }
            proposals cisco_compat;
        }
    }
    ike {
        proposal cisco-compat {
            authentication-method pre-shared-keys;
            authentication-algorithm md5;
            dh-group group1;
            encryption-algorithm des-cbc;
        }
        policy main_mode_ike_policy {
            proposals cisco-compat;
            pre-shared-key ascii-text use-a-really-secure-key;
        }
    }
    establish-tunnels immediately;
}

 


[edit]
user@juniper# show interfaces gr-0/0/0
unit 0 {
    tunnel {
        source 192.168.37.1;
        destination 192.168.38.1;
    }
    family inet {
        address 192.168.25.129/30;
    }
}

[edit routing-options]
user@juniper# show static
route 192.168.38.1/32 next-hop sp-0/0/0.2;

[edit]
user@juniper# show protocols ospf
area 0.0.0.0 {
    interface gr-0/0/0.0;
}

 

CISCO ROUTER CONFIG




crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key test address 172.17.37.4
crypto isakmp keepalive 10 2 periodic
!
!
crypto ipsec transform-set esp_des_set esp-des esp-md5-hmac
!
!
crypto map gre-to-juniper 1 ipsec-isakmp
 set peer 172.17.37.4
 set transform-set esp_des_set
 set pfs group1
 match address 110

access-list 110 permit ip host 192.168.38.1 host 192.168.37.1

interface tunnel1
 ip address 192.168.25.130 255.255.255.252
 tunnel mode gre ip
 tunnel destination 192.168.37.1
 tunnel source 192.168.38.1

interface fa0/1
 crypto map gre-to-juniper

router ospf 1
 network 192.168.25.128 0.0.0.3 area 0
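
Added example, not part of the original posts: the example config above negotiates DES, MD5 and DH group 1, all of which RFC 8221 and RFC 8247 mark as MUST NOT for ESP and IKEv2, so a quick audit before reusing it is worthwhile. The Python check below flags those parameters in both the Junos and IOS spellings; the rule list, function name and sample text are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the crypto-relevant lines from the two configs above.
SAMPLE = """\
authentication-algorithm hmac-md5-96;
encryption-algorithm des-cbc;
keys group1;
authentication-algorithm md5;
dh-group group1;
encryption-algorithm des-cbc;
hash md5
crypto isakmp key test address 172.17.37.4
crypto ipsec transform-set esp_des_set esp-des esp-md5-hmac
set pfs group1
"""

# (pattern, finding). Each pattern covers the Junos and IOS form of one parameter.
# Word boundaries keep 3des-cbc and group14 from matching.
RULES = [
    (re.compile(r"\bdes-cbc\b|\besp-des\b"), "DES encryption"),
    (re.compile(r"\bhmac-md5-96\b|\besp-md5-hmac\b"
                r"|authentication-algorithm md5\b|^hash md5\b"), "MD5 integrity/PRF"),
    (re.compile(r"\b(?:dh-group|keys|set pfs) group1\b"), "DH group 1 (768-bit MODP)"),
]

def audit(config_text):
    """Return (line number, finding, line) for every deprecated parameter."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip().rstrip(";")
        for pattern, finding in RULES:
            if pattern.search(line):
                findings.append((lineno, finding, line))
    return findings

def summary(config_text):
    """Count findings per category."""
    return Counter(finding for _, finding, _ in audit(config_text))

if __name__ == "__main__":
    for lineno, finding, line in audit(SAMPLE):
        print(f"line {lineno}: {finding}: {line}")
```
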