NCOS: GRE over IPSec Tunnel between Cradlepoint and Cisco

Products Supported: AER31x0, AER2100, AER16x0, MBR1400v2, MBR1200B, IBR11x0, IBR6x0, IBR350. Click here to identify your router.

NCOS: 6.0.x - for information on upgrading NCOS Versions, click here.


Quick Links

Summary

Cradlepoint Configuration

Cisco Configuration

Use Cases

Troubleshooting

Related Articles


Summary

This document outlines how to configure a GRE tunnel between a supported Cradlepoint router and a Cisco router, using IPSec in transport mode to protect the GRE traffic.


Cradlepoint Configuration

IPSec Configuration

  • Step 1: Log into the router's NCOS page. For help with logging in, please click here.
  • Step 2: Navigate to Networking > Tunnels > IPSec VPN.
  • Step 3: Click on Add to create a new IPSec Tunnel Policy.


  • Step 4: Give the tunnel a Name for easy identification.
  • Step 5: Change Mode to Transport.
  • Step 6: Set the Pre-Shared Key for the tunnel.
    • Make sure to remember this key, as it will be used on the Cisco as well.
  • Step 7: Change Initiation Mode to Always On.
  • Step 8: Click Next.


  • Step 9: The next screen is where you can bind the tunnel to a specific WAN if desired. In this scenario we won't be using WAN Binding for the tunnel.
  • Step 10: Click Next.


  • Step 11: Specify the Public IP of the Cisco as the Remote Gateway.


  • Step 12: Configure IKE Phase 1 Settings:

    • Set Key Lifetime to 86400
    • Set Encryption to only AES256
    • Set Hash to only SHA1
    • Set DH Groups to only Group 2
  • Step 13: Click Next.


  • Step 14: Configure IKE Phase 2 Settings:

    • Turn off Perfect Forward Secrecy
    • Set Encryption to only AES256
    • Set Hash to only SHA1
  • Step 15: Click Next.


  • Step 16: Configure Dead Peer Detection as desired. In this article we will be using the default settings pictured below.

[Image: Dead Peer Detection default settings]

  • Step 17: Click Finish and then OK. The new tunnel then appears in the IPSec tunnel list.

Note: Make sure you enable the VPN Service on your device.


GRE Configuration

We will now configure the GRE Tunnel on the Cradlepoint.

  • Step 1: Navigate to Networking > Tunnels > GRE.
  • Step 2: Click on Add to start building the tunnel configuration.
  • Step 3: Give your GRE Tunnel a Name.
  • Step 4: Set the Local Endpoint to 10.0.0.2 and the Remote Endpoint to 10.0.0.1 with a /30 for the Subnet Mask.
  • Step 5: Specify the Public IP of the Cisco for the Remote Gateway.

Note: If you are planning on using a routing protocol with this setup, make sure to check Multicast Enabled.

  • Step 6: Click Next.


  • Step 7: For Routes, add all of the networks located on the Cisco side of the tunnel.


  • Step 8: Set up the GRE Keep-Alive as desired. In this article we will be using the default settings pictured below.

[Image: GRE Keep-Alive default settings]

  • Step 9: Click Finish.

Cisco Configuration

  • Step 1: Configure the physical interface with a public IP address.

    Router# configure terminal
    Router(config)# interface fastethernet0/0
    Router(config-if)# ip address 166.184.210.33 255.255.255.0
    Router(config-if)# no shut
    
  • Step 2: Configure a default Route.

    Router(config)# ip route 0.0.0.0 0.0.0.0 166.184.210.1
    
  • Step 3: Ping 4.2.2.2 to verify connectivity to the internet (from any configuration mode, prefix the command with 'do'; it runs directly from enable mode).

  • Step 4: Configure an ISAKMP Policy (IKE Phase 1). The lifetime command is optional; 86400 seconds is the Cisco IOS default.

    Router# configure terminal
    Router(config)# crypto isakmp policy 1
    Router(config-isakmp)# authentication pre-share
    Router(config-isakmp)# encryption aes 256
    Router(config-isakmp)# hash sha
    Router(config-isakmp)# group 2
    Router(config-isakmp)# lifetime 86400
    
  • Step 5: Configure Pre-Shared Key

    Router(config)# crypto isakmp key 1234 address 166.241.162.152
    
  • Step 6: Configure IPSec transform set (IKE Phase 2)

    Router(config)# crypto ipsec transform-set THESET esp-aes 256 esp-sha-hmac
    
  • Step 7: Configure the crypto map. The match address number refers to the ACL created in Step 11.

    Router(config)# crypto map THEMAP 10 ipsec-isakmp
    Router(config-crypto-map)# set peer 166.241.162.152
    Router(config-crypto-map)# set transform-set THESET
    Router(config-crypto-map)# match address 101
    
  • Step 8: Apply the crypto map to the physical outside interface.

    Router(config)# interface fastethernet0/0
    Router(config-if)# crypto map THEMAP
    

GRE Configuration on Cisco

  • Step 9: Configure the GRE tunnel interface with a private /30 and specify the tunnel source and destination.

    Router(config)# interface tunnel 0
    Router(config-if)# ip address 10.0.0.1 255.255.255.252
    Router(config-if)# tunnel source 166.184.210.33
    Router(config-if)# tunnel destination 166.241.162.152
    
  • Step 10: Configure Routes to remote networks

    Router(config)# ip route 192.168.0.0 255.255.255.0 10.0.0.2
    
  • Step 11: Create ACLs to define traffic to encrypt (you need both public and tunnel IP entries)

    Router(config)# access-list 101 permit ip host 166.184.210.33 host 166.241.162.152
    Router(config)# access-list 101 permit ip host 10.0.0.1 host 10.0.0.2
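
The Cradlepoint IKE and GRE settings above and the Cisco commands in this section must agree parameter for parameter, or phase 1 or phase 2 never completes. The following script is an added example, not Cradlepoint or Cisco code: it restates the article's Cradlepoint settings as a dictionary, parses the article's Cisco commands laid out as they would appear in a saved config, and reports any mismatch between the two sides, any missing crypto ACL entry, and the parameters a security reviewer would want hardened. The addresses, names and the example key 1234 are the article's; the comparison logic and the finding texts are this example's own.

```python
"""Cross-check the two sides of the article's GRE-over-IPSec tunnel.

Added example, not Cradlepoint or Cisco code. CRADLEPOINT holds the values
from the NCOS steps; CISCO_CONFIG is the article's IOS commands as config text.
"""
import ipaddress
import re

CRADLEPOINT = {                                   # values from the article's NCOS steps
    "mode": "transport",
    "ike1": {"encryption": "aes256", "hash": "sha1", "dh_group": 2, "lifetime": 86400},
    "ike2": {"encryption": "aes256", "hash": "sha1", "pfs": False},
    "remote_gateway": "166.184.210.33",           # Cisco public IP
    "gre_local": "10.0.0.2", "gre_remote": "10.0.0.1", "gre_prefix": 30,
}

CISCO_CONFIG = """\
interface fastethernet0/0
 ip address 166.184.210.33 255.255.255.0
 crypto map THEMAP
crypto isakmp policy 1
 authentication pre-share
 encryption aes 256
 hash sha
 group 2
 lifetime 86400
crypto isakmp key 1234 address 166.241.162.152
crypto ipsec transform-set THESET esp-aes 256 esp-sha-hmac
crypto map THEMAP 10 ipsec-isakmp
 set peer 166.241.162.152
 set transform-set THESET
 match address 101
interface tunnel 0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 166.184.210.33
 tunnel destination 166.241.162.152
access-list 101 permit ip host 166.184.210.33 host 166.241.162.152
access-list 101 permit ip host 10.0.0.1 host 10.0.0.2
"""

IOS_HASH = {"sha": "sha1", "sha256": "sha256", "md5": "md5"}   # IOS keyword -> NCOS name


def parse_ios(text):
    """Extract the IKE, IPSec, GRE and crypto-ACL facts from IOS-style config text."""
    def grab(pattern, src=text, default=("?",)):
        m = re.search(pattern, src, re.M)
        return m.groups() if m else default

    block = re.search(r"^interface tunnel ?\d+\n((?:[ \t]+.*\n?)+)", text, re.M | re.I)
    tun = block.group(1) if block else ""                      # only the tunnel interface lines
    ts = grab(r"^crypto ipsec transform-set \S+ esp-aes (\d+) esp-(\w+)-hmac", default=("?", "?"))
    acl = grab(r"^\s*match address (\d+)")[0]
    ip, mask = grab(r"^\s*ip address (\S+) (\S+)", tun, ("0.0.0.0", "0.0.0.0"))
    return {
        "ike1": {
            "encryption": "aes" + grab(r"^\s*encryption aes (\d+)")[0],
            "hash": IOS_HASH.get(grab(r"^\s*hash (\w+)")[0], "?"),
            "dh_group": int(grab(r"^\s*group (\d+)", default=("1",))[0]),        # IOS default
            "lifetime": int(grab(r"^\s*lifetime (\d+)", default=("86400",))[0]),  # IOS default
        },
        "ike2": {
            "encryption": "aes" + ts[0],
            "hash": IOS_HASH.get(ts[1], "?"),
            "pfs": re.search(r"^\s*set pfs", text, re.M) is not None,
        },
        "transport": re.search(r"^\s*mode transport", text, re.M) is not None,
        "psk": grab(r"^crypto isakmp key (\S+) address", default=("",))[0],
        "peer": grab(r"^\s*set peer (\S+)")[0],
        "tunnel_ip": ipaddress.ip_interface(f"{ip}/{mask}"),
        "tunnel_source": grab(r"^\s*tunnel source (\S+)", tun)[0],
        "acl": set(re.findall(rf"^access-list {acl} permit ip host (\S+) host (\S+)", text, re.M)),
    }


def check_tunnel(cp, cisco):
    """Return findings: MISMATCH (sides disagree), ACL missing, or WEAK (works, but should be hardened)."""
    f = []
    for phase in ("ike1", "ike2"):
        for key, want in cp[phase].items():
            if cisco[phase][key] != want:
                f.append(f"MISMATCH {phase}.{key}: Cradlepoint={want} Cisco={cisco[phase][key]}")
    if cp["mode"] == "transport" and not cisco["transport"]:
        f.append("MISMATCH mode: Cradlepoint is Transport but the Cisco transform set has no "
                 "'mode transport' line (an IOS transform set defaults to tunnel mode)")
    cp_net = ipaddress.ip_network(f"{cp['gre_local']}/{cp['gre_prefix']}", strict=False)
    if str(cisco["tunnel_ip"].ip) != cp["gre_remote"] or cisco["tunnel_ip"].network != cp_net:
        f.append(f"MISMATCH gre: Cisco tunnel {cisco['tunnel_ip']} is not the Cradlepoint remote endpoint")
    if cisco["tunnel_source"] != cp["remote_gateway"]:
        f.append(f"MISMATCH gateway: Cisco tunnel source {cisco['tunnel_source']} != {cp['remote_gateway']}")
    # The crypto ACL must cover the GRE carrier (public pair) and the tunnel addresses (Step 11).
    needed = {(cisco["tunnel_source"], cisco["peer"]), (cp["gre_remote"], cp["gre_local"])}
    for src, dst in sorted(needed - cisco["acl"]):
        f.append(f"ACL missing: permit ip host {src} host {dst}")
    # Strength review of what both sides agreed on.
    if "sha1" in (cp["ike1"]["hash"], cp["ike2"]["hash"]):
        f.append("WEAK hash: SHA1; prefer SHA-256 where both peers support it")
    if cp["ike1"]["dh_group"] in (1, 2, 5):
        f.append(f"WEAK dh: group {cp['ike1']['dh_group']} (MODP of 1536 bits or less); prefer group 14+")
    if not cp["ike2"]["pfs"]:
        f.append("WEAK pfs: disabled, so phase 2 keys derive from the phase 1 exchange alone")
    if len(cisco["psk"]) < 20:
        f.append(f"WEAK psk: {len(cisco['psk'])} characters; use a long random pre-shared key")
    return f


if __name__ == "__main__":
    for line in check_tunnel(CRADLEPOINT, parse_ios(CISCO_CONFIG)) or ["OK: both sides agree"]:
        print(line)
```

Run against the article's own values, the check reports no IKE parameter mismatches, but it does flag that the transform set never sets mode transport while the Cradlepoint side does, and it lists the four choices (SHA1, DH group 2, no PFS, a four-character key) that work but should be hardened before the tunnel carries production traffic.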
    

Use Cases

[Image: use case diagram]


Troubleshooting

Cisco IPSec Show and Debug Commands

show crypto isakmp sa (phase 1 SA) - Shows the security associations built between peers for phase 1.

show crypto ipsec sa (phase 2 SA) - Shows the IPSec security associations built between peers for phase 2 (usually ESP).

show crypto engine connection active - Shows each phase 2 SA built and the amount of traffic sent.

debug crypto isakmp (phase 1)

debug crypto ipsec (phase 2)
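
The show commands above are most useful when you know what a healthy result looks like and what each stuck state means. The script below is an added example, not Cisco or Cradlepoint code: it parses constructed sample output (written to follow the IOS layout of show crypto isakmp sa and the packet counters of show crypto ipsec sa, using this article's addresses) and turns the IKEv1 state and the encaps/decaps counters into a diagnosis. The state descriptions are standard IKEv1 main-mode and quick-mode meanings; the sample output is constructed, so paste real output from your router in its place.

```python
"""Read 'show crypto isakmp sa' and 'show crypto ipsec sa' output into a diagnosis.

Added example, not Cisco or Cradlepoint code. The sample outputs are constructed
to follow the IOS layout for this article's peers; replace them with real output.
"""
import re

# Constructed sample: a healthy phase 1 SA toward the Cradlepoint.
ISAKMP_OK = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
166.241.162.152 166.184.210.33  QM_IDLE           1001 ACTIVE
"""

# Constructed sample: phase 1 never gets past the first main-mode exchange.
ISAKMP_STUCK = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
166.241.162.152 166.184.210.33  MM_NO_STATE          0 ACTIVE (deleted)
"""

# Constructed excerpt of 'show crypto ipsec sa': traffic leaves but nothing returns.
IPSEC_ONE_WAY = """\
   local  ident (addr/mask/prot/port): (166.184.210.33/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (166.241.162.152/255.255.255.255/0/0)
    #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# IKEv1 states as IOS reports them and what each usually means for this setup.
ISAKMP_STATES = {
    "QM_IDLE": "phase 1 complete and authenticated; quick mode can run",
    "MM_NO_STATE": "no usable reply from the peer: check peer address, UDP 500 reachability, ISAKMP policy",
    "MM_SA_SETUP": "phase 1 proposal accepted, key exchange pending",
    "MM_KEY_EXCH": "DH done but peer not authenticated: a pre-shared key mismatch stops here",
}

IP = r"(\d+\.\d+\.\d+\.\d+)"


def parse_isakmp_sa(text):
    """Return [(dst, src, state, status)] for each SA row of 'show crypto isakmp sa'."""
    rows = re.findall(rf"^{IP}\s+{IP}\s+(\w+)\s+\d+\s+(.*?)\s*$", text, re.M)
    return [tuple(r) for r in rows]


def diagnose_isakmp(text, peer):
    """Summarise phase 1 toward one peer address."""
    rows = [r for r in parse_isakmp_sa(text) if peer in (r[0], r[1])]
    if not rows:
        return f"no ISAKMP SA with {peer}: nothing negotiated yet (crypto map applied? traffic matching the ACL?)"
    _, _, state, status = rows[0]
    healthy = state == "QM_IDLE" and status == "ACTIVE"
    return f"{'OK' if healthy else 'PROBLEM'}: {state} ({ISAKMP_STATES.get(state, 'unrecognised state')}); status {status}"


def parse_ipsec_counters(text):
    """Return {'encaps': n, 'decaps': n} from 'show crypto ipsec sa' output (0 if absent)."""
    counts = {}
    for name in ("encaps", "decaps"):
        m = re.search(rf"#pkts {name}: (\d+)", text)
        counts[name] = int(m.group(1)) if m else 0
    return counts


def diagnose_ipsec(text):
    """Turn the phase 2 packet counters into a one-line diagnosis."""
    c = parse_ipsec_counters(text)
    if c["encaps"] and not c["decaps"]:
        return "PROBLEM: one-way traffic (encaps > 0, decaps = 0): the peer is not returning protected traffic; check its ACL/routes and that ESP is not blocked"
    if not c["encaps"] and not c["decaps"]:
        return "PROBLEM: no traffic matched the crypto ACL; check access-list 101 and the route to the remote network"
    return f"OK: {c['encaps']} packets encapsulated, {c['decaps']} decapsulated"


if __name__ == "__main__":
    print(diagnose_isakmp(ISAKMP_OK, "166.241.162.152"))
    print(diagnose_isakmp(ISAKMP_STUCK, "166.241.162.152"))
    print(diagnose_ipsec(IPSEC_ONE_WAY))
```

Read the two outputs together: phase 1 at QM_IDLE with phase 2 counters increasing in both directions is a working tunnel, while QM_IDLE with encaps climbing and decaps at zero points past IKE to the crypto ACL or routing on the far side.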


Related Articles/Links


Published Date: 07/14/2017
