
Configure and Troubleshoot GRE over IPsec VPN with a NAT Device in Between

IPsec is a complex technology, and it gets more complicated when a NAT device sits in the path of a site-to-site GRE over IPsec VPN. In my production environment, a problem arose when I discovered that the site-to-site IPsec tunnel was not being created. It turned out that a firewall was performing NAT on the public IP addresses. To understand the IP addressing, I first drew a topology diagram. Here is the topology diagram with masked IPs.

With the diagram in hand, the objective was clear: establish a GRE over IPsec tunnel from STFV-VPN05 to HDR-B-R01. To get there I used a step-by-step approach.
1. Configuring or verifying IP addresses
HDR-B-R01
interface GigabitEthernet0/0
 ip address 10.254.29.3 255.255.255.248
STFV-VPN05
interface GigabitEthernet0/0
 ip address 1x3.97.1x3.88 255.255.255.0
2. Configuring or verifying routing
STFV-VPN05
ip route 91.1xx.7.42 255.255.255.255 1x3.97.1x3.65   ! reachability to the peer's public (NATed) address
ip route 10.254.29.3 255.255.255.255 1x3.97.1x3.65   ! the GRE destination (real address) must also route out the crypto-map interface
STFV-VPN05#ping 91.1xx.7.42
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 91.1xx.7.42, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/76/80 ms
HDR-B-R01
ip route 0.0.0.0 0.0.0.0 10.254.29.1   ! next hop on the 10.254.29.0/29 segment
3. Verifying IPsec Phase 1 and Phase 2 parameters
The ISAKMP policy and pre-shared key (Phase 1) and the transform set and proxy ACL (Phase 2) must agree on both ends. Because of the NAT device, STFV-VPN05 binds its pre-shared key and crypto-map peer to the public NATed address 91.1xx.7.42, while HDR-B-R01 binds them to the STFV-VPN05 address; the proxy ACLs, by contrast, match the real GRE endpoints. Note that neither policy has an encr line, so IOS defaults the ISAKMP encryption to DES; DES and MD5 are legacy algorithms shown here only as found in production, and AES with SHA-2 and DH group 14 or higher should be preferred where both ends support them.
STFV-VPN05
crypto isakmp policy 9
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXXX address 91.1xx.7.42
ip access-list extended Heidrun-Proxy-ACL
 permit gre host 1x3.97.1x3.88 host 10.254.29.3
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
 mode tunnel
crypto map MAP-TO-WORLD 10 ipsec-isakmp
 set peer 91.1xx.7.42
 set transform-set ESP-DES-MD5
 match address Heidrun-Proxy-ACL

HDR-B-R01
crypto isakmp policy 8
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXXX address 1x3.97.1x3.88
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
 mode tunnel
ip access-list extended STFV-Proxy-ACL
 permit gre host 10.254.29.3 host 1x3.97.1x3.88   ! must be the mirror image of the other end's proxy ACL
crypto map MAP-TO-FORUS 10 ipsec-isakmp
 set peer 1x3.97.1x3.88
 set transform-set ESP-DES-MD5
 match address STFV-Proxy-ACL

4. Verifying or configuring GRE tunnels
STFV-VPN05
interface Tunnel10
 ip address 192.168.250.210 255.255.255.252
 tunnel source 1x3.97.1x3.88
 tunnel destination 10.254.29.3   ! the real (pre-NAT) address of the far end, the same host the proxy ACL matches

HDR-B-R01
interface Tunnel0
 ip address 192.168.250.209 255.255.255.252
 tunnel source 10.254.29.3
 tunnel destination 1x3.97.1x3.88

5. Verifying or applying the crypto map to the physical interface

STFV-VPN05
interface GigabitEthernet0/0
 crypto map MAP-TO-WORLD
HDR-B-R01
interface GigabitEthernet0/0
 crypto map MAP-TO-FORUS

6. Verifying connectivity

HDR-B-R01#ping 192.168.250.210   ! Tunnel10 address on STFV-VPN05
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.250.210, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 150/164/180 ms
HDR-B-R01#show crypto isakmp sa   ! Phase 1: the SA must be in QM_IDLE
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1x3.97.1x3.88   10.254.29.3     QM_IDLE        10001   ACTIVE

IPv6 Crypto ISAKMP SA

HDR-B-R01#show crypto ipsec sa   ! Phase 2: the packet counters must show both encaps and decaps incrementing
interface: GigabitEthernet0/0
    Crypto map tag: MAP-TO-FORUS, local addr 10.254.29.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.254.29.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1x3.97.1x3.88/255.255.255.255/47/0)
   current_peer
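As an added example (not code from the original post), here is a Python script that applies the cross-end checks implied by the six steps above to both router configs at once: that each side's IKE peer and pre-shared key are bound to the far end's post-NAT address while the GRE tunnel destination and proxy ACL use its real address, that the two proxy ACLs are mirror images of each other, that the transform sets match, and that the crypto map is applied on the interface owning the tunnel source. The configs are constructed from the snippets above with RFC 5737 documentation addresses standing in for the masked public addresses (198.51.100.88 for STFV-VPN05, 192.0.2.42 for the NATed address of HDR-B-R01); the NAT mapping, the parser's field names and the function names are my own assumptions, the parser only understands the commands shown, and the ISAKMP policy itself is not checked.

```python
"""Cross-check both ends of a GRE-over-IPsec tunnel with a NAT device in the path.
Added example, not code from the original post; the configs below are CONSTRUCTED
from the article's snippets with RFC 5737 documentation addresses in place of the
masked ones (198.51.100.88 = STFV-VPN05, 192.0.2.42 = HDR-B-R01 after NAT)."""
STFV_CFG = """\
crypto isakmp key XXXX address 192.0.2.42
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
ip access-list extended Heidrun-Proxy-ACL
 permit gre host 198.51.100.88 host 10.254.29.3
crypto map MAP-TO-WORLD 10 ipsec-isakmp
 set peer 192.0.2.42
 set transform-set ESP-DES-MD5
 match address Heidrun-Proxy-ACL
interface Tunnel10
 tunnel source 198.51.100.88
 tunnel destination 10.254.29.3
interface GigabitEthernet0/0
 ip address 198.51.100.88 255.255.255.0
 crypto map MAP-TO-WORLD
"""
HDR_CFG = """\
crypto isakmp key XXXX address 198.51.100.88
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
ip access-list extended STFV-Proxy-ACL
 permit gre host 10.254.29.3 host 198.51.100.88
crypto map MAP-TO-FORUS 10 ipsec-isakmp
 set peer 198.51.100.88
 set transform-set ESP-DES-MD5
 match address STFV-Proxy-ACL
interface Tunnel0
 tunnel source 10.254.29.3
 tunnel destination 198.51.100.88
interface GigabitEthernet0/0
 ip address 10.254.29.3 255.255.255.248
 crypto map MAP-TO-FORUS
"""
NAT = {"10.254.29.3": "192.0.2.42"}  # assumed firewall translation: real -> public
# The natural mistake with NAT in the path: peering with the real address behind it.
STFV_CFG_WRONG_PEER = STFV_CFG.replace("192.0.2.42", "10.254.29.3")

def parse(cfg):
    """Pull the values the checks need out of an IOS config (limited parser)."""
    c = {"acls": {}, "transforms": {}, "ifaces": {}, "tunnel": {}}
    block = None                                     # current indented sub-mode
    for raw in filter(str.strip, cfg.splitlines()):  # skip blank lines
        w = raw.split()
        if not raw.startswith(" "):                  # global-mode command
            block = None
            if w[:3] == ["crypto", "isakmp", "key"]:  # crypto isakmp key K address A
                c["key_addr"] = w[5]
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                c["transforms"][w[3]] = tuple(w[4:])
            elif w[:2] == ["ip", "access-list"]:
                block, c["acls"][w[3]] = ("acl", w[3]), []
            elif w[:2] == ["crypto", "map"]:
                block, c["map"] = ("map", w[2]), w[2]
            elif w[0] == "interface":
                block, c["ifaces"][w[1]] = ("iface", w[1]), {}
            continue
        kind, name = block or (None, None)           # sub-mode command
        if kind == "acl" and w[0] == "permit":       # permit P host S host D
            c["acls"][name].append((w[1], w[3], w[5]))
        elif kind == "map":                          # set peer / set transform-set / match address
            c[{"peer": "peer", "transform-set": "map_transform", "address": "map_acl"}[w[1]]] = w[2]
        elif kind == "iface" and w[0] == "tunnel":   # tunnel source A / tunnel destination A
            c["tunnel"][{"source": "src", "destination": "dst"}[w[1]]] = w[2]
        elif kind == "iface":                        # ip address A M / crypto map NAME
            c["ifaces"][name]["ip" if w[0] == "ip" else "map"] = w[2]
    return c

def cross_check(a, b, nat):
    """Mismatches between the two ends ([] = consistent); nat maps real -> public address."""
    problems = []
    for me, far, tag in ((a, b, "A"), (b, a, "B")):
        src, dst = me["tunnel"]["src"], me["tunnel"]["dst"]
        acl = me["acls"][me["map_acl"]]
        # IKE peer and PSK binding use the far end's address AFTER NAT; the GRE
        # endpoints (tunnel destination, proxy ACL) use its real address.
        far_public = nat.get(far["tunnel"]["src"], far["tunnel"]["src"])
        if me["peer"] != far_public or me["key_addr"] != far_public:
            problems.append(f"{tag}: peer/key address must be the far end's public address {far_public}")
        if dst != far["tunnel"]["src"]:
            problems.append(f"{tag}: tunnel destination {dst} != far end's tunnel source")
        if ("gre", src, dst) not in acl:
            problems.append(f"{tag}: proxy ACL does not permit gre host {src} host {dst}")
        if set(acl) != {(p, d, s) for p, s, d in far["acls"][far["map_acl"]]}:
            problems.append(f"{tag}: proxy ACL is not the mirror image of the far end's")
        if me["transforms"][me["map_transform"]] != far["transforms"][far["map_transform"]]:
            problems.append(f"{tag}: transform set differs from the far end's")
        # The crypto map must sit on the interface that owns the tunnel source address.
        owner = next((i for i in me["ifaces"].values() if i.get("ip") == src), {})
        if owner.get("map") != me["map"]:
            problems.append(f"{tag}: crypto map {me['map']} not applied on the tunnel source interface")
    return problems

def check(stfv_cfg=STFV_CFG, hdr_cfg=HDR_CFG):
    """Run the cross-check on a pair of configs; [] means they are consistent."""
    return cross_check(parse(stfv_cfg), parse(hdr_cfg), NAT)
```

check() returns an empty list for the two constructed configs, while check(STFV_CFG_WRONG_PEER) reports exactly one problem on side A: the peer and key are bound to 10.254.29.3, the address behind the firewall, instead of the public 192.0.2.42 that the far end actually presents. That is the one relationship the NAT device changes; everything GRE-related (tunnel destination, proxy ACL) stays on the real addresses.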