1. Build the GRE tunnel and tell EIGRP to pass through the tunnel here
2. Encrypt the GRE tunnel with IPsec here
Sidenote: passing packets through the GRE+IPsec VPN tunnel increases the packet's size to greater than 1500. The solution provided here is:
- Let the encrypting routers "tell" the hosts on the LAN to lower their packet sizes by lowering the MTU size using the command "ip tcp adjust-mss 1400"
- Increase the MTU size of the GRE tunnel from 1496 to 1500 by issuing "ip mtu 1500"
- Add "keepalive" on the tunnel interface to see whether it is up or down. This is a good hint when troubleshooting VPN issues: it shows whether either end has gone down and taken the tunnel down with it.
!
! GRE tunnel
interface Tunnel0
 description GRE Tunnel to router R2
 ip address 192.168.200.1 255.255.255.0
 ip mtu 1500
 ip tcp adjust-mss 1400
 keepalive 10 3
 tunnel source 12.34.56.2
 tunnel destination 23.45.67.2
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
! pre-shared key "blindhog"
crypto isakmp key blindhog address 23.45.67.2
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 description VPN from R1 to R2
 set peer 23.45.67.2
 set transform-set aes-sha
 ! encrypt the traffic selected by access-list 101 (defined at the end);
 ! without a match address the crypto map entry is incomplete
 match address 101
!
interface Serial0/0
 description Internet Connection
 ip address 12.34.56.2 255.255.255.252
 serial restart-delay 0
 ! apply the IPsec encryption
 crypto map vpn
!
interface FastEthernet1/0
 description R1 LAN
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
! routes to dynamically announce to other routers
router eigrp 100
 network 192.168.1.0
 network 192.168.200.0
 network 192.168.201.0
 no auto-summary
!
! catch all other routes and send unencrypted to neighbor
ip route 0.0.0.0 0.0.0.0 12.34.56.1
!
!
! define the IPsec tunnel across the GRE endpoints R1 to R2
access-list 101 permit gre host 12.34.56.2 host 23.45.67.2
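
The pieces of this config only protect traffic if they agree with each other: the crypto map peer must be the tunnel destination, the crypto map must reference an ACL that permits GRE between the two tunnel endpoints, and the map must be applied to an interface. The following consistency check is an added example, not part of the original notes; the function name audit_gre_ipsec, the sample text and the key EXAMPLE-KEY are assumptions made for illustration, built from the addresses used above.

```python
import re

def audit_gre_ipsec(config):
    """Return findings for a GRE-over-IPsec IOS config; an empty list means consistent."""
    lines = [line.strip() for line in config.splitlines()]

    def first(pattern):
        # First capture group of the first line that fully matches pattern, else None.
        for line in lines:
            m = re.fullmatch(pattern, line)
            if m:
                return m.group(1)
        return None
    src = first(r"tunnel source (\S+)")
    dst = first(r"tunnel destination (\S+)")
    if not src or not dst:
        return ["tunnel source/destination not found"]
    findings = []
    peer = first(r"set peer (\S+)")
    if peer != dst:
        findings.append(f"crypto map peer {peer} != tunnel destination {dst}")
    if first(r"crypto isakmp key \S+ address (\S+)") != dst:
        findings.append(f"no ISAKMP pre-shared key for {dst}")
    acl = first(r"match address (\S+)")
    if acl is None:
        findings.append("crypto map entry has no 'match address'")
    elif f"access-list {acl} permit gre host {src} host {dst}" not in lines:
        findings.append(f"ACL {acl} does not permit gre {src} -> {dst}")
    # "crypto map NAME" with no sequence number is the interface-level apply.
    if first(r"crypto map (\S+)") is None:
        findings.append("crypto map not applied to an interface")
    return findings

# Constructed sample built from the addresses on this page; the key is a placeholder.
GOOD = """
interface Tunnel0
 tunnel source 12.34.56.2
 tunnel destination 23.45.67.2
crypto isakmp key EXAMPLE-KEY address 23.45.67.2
crypto map vpn 10 ipsec-isakmp
 set peer 23.45.67.2
 set transform-set aes-sha
 match address 101
interface Serial0/0
 crypto map vpn
access-list 101 permit gre host 12.34.56.2 host 23.45.67.2
"""
# Same config with the ACL reference dropped from the crypto map entry.
BROKEN = GOOD.replace(" match address 101\n", "")
```

Calling audit_gre_ipsec on GOOD returns an empty list; on BROKEN it reports the missing match address.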