Cisco Labs – Network Security (4) – GRE VPN tunnel using pre-shared keys on Router


During my university studies I wrote a diploma thesis in the field of redundant and reliable networking. Its purpose was to create lab examples for students, so they can test basic settings for VPN, IPS and other features. These tasks were created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and has been tested on physical Cisco routers as well.

Each task in the series has its own post with a brief description of the task and its schema. The complete task can be downloaded from My Onedrive.

NS2 – Module 4, 4.4.8a IOS task definition


  • A site-to-site GRE VPN tunnel using pre-shared keys will be initialized on the routers.
  • Router3 will only pass traffic between the site routers; it simulates the Internet.
  • Only traffic from LAN 1 and LAN 2 will be encrypted.
  • Use the OSPF routing protocol.
  • Clear and reinitialize the VPN tunnel.
  • Do not forget to erase the configuration before startup and to check that the IOS version supports the required features.

Required time

3 hours

Theoretical background

A short theoretical background for solving this task will be given here.





ifconfig INT7 netmask
route add default gw dev INT7


ifconfig INT8 netmask
route add default gw dev INT8


1) interface settings + OSPF

R18@ostrava(config)#hostname Router1
Router1(config)#interface INT1
Router1(conf-if)#duplex half
Router1(conf-if)#ip address
Router1(conf-if)#no shutdown

Router1(config)#interface INT2
Router1(conf-if)#duplex half
Router1(conf-if)#ip address
Router1(conf-if)#no shutdown

Router1(config)#router ospf 1
Router1(config-router)#network area 0

Router1(config)#interface tunnel 0            ;set up the virtual tunnel interface
Router1(conf-if)#ip address                   ;virtual tunnel IP address
Router1(conf-if)#tunnel source                ;tunnel source interface IP address
Router1(conf-if)#tunnel destination           ;tunnel destination interface IP address
Router1(conf-if)#tunnel mode gre ip           ;set tunnel mode to GRE over IP
R19@ostrava(config)#hostname Router2
Router2(config)#interface INT3
Router2(conf-if)#ip address
Router2(conf-if)#duplex half
Router2(conf-if)#no shutdown

Router2(config)#interface INT4
Router2(conf-if)#ip address
Router2(conf-if)#duplex half
Router2(conf-if)#no shutdown

Router2(config)#router ospf 1
Router2(config-router)#network area 0

Router2(config)#interface tunnel 0
Router2(conf-if)#ip address
Router2(conf-if)#tunnel source 
Router2(conf-if)#tunnel destination
Router2(conf-if)#tunnel mode gre ip
R4@ostrava(config)#hostname Router3
Router3(config)#interface INT5
Router3(conf-if)#ip address
Router3(conf-if)#no shutdown

Router3(config)#interface INT6
Router3(conf-if)#ip address
Router3(conf-if)#no shutdown

Router3(config)#router ospf 1
Router3(config-router)#network area 0
Router3(config-router)#network area 0

2a) VPN tunnel settings phase 1 IKE/ISAKMP

The policy must be the same on both ends of the tunnel (the priority number may differ).

Router1(config)#crypto isakmp policy 10       ;set up the encryption policy
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#hash sha
Router1(config-isakmp)#group 2
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#lifetime 1000          ;set the timeout for the first phase (tunnel initialisation)
Router2(config)#crypto isakmp policy 10
Router2(config-isakmp)#encryption 3des
Router2(config-isakmp)#hash sha
Router2(config-isakmp)#group 2
Router2(config-isakmp)#authentication pre-share
Router2(config-isakmp)#lifetime 1000

2b) VPN tunnel settings phase 2 IPSEC

Router1(config)#access-list 101 permit gre host host                                      ;permit traffic to be encapsulated via GRE
Router1(config)#crypto isakmp key PRESHAREDKEY address                                    ;define the pre-shared key for the GRE tunnel peer
Router1(config)#crypto ipsec transform-set TRSETGRERouter1 esp-des esp-md5-hmac           ;define the transform set for the GRE tunnel
Router1(cfg-crypto-trans)#crypto map CRYPTOMAPRouter1 10 ipsec-isakmp
Router1(config-crypto-map)#match address 101                                              ;this crypto map entry applies to the traffic matched by the access list
Router1(config-crypto-map)#set peer                                                       ;the opposite side of the virtual tunnel
Router1(config-crypto-map)#set transform-set TRSETGRERouter1
Router1(config)#ip route tunnel 0                                                         ;specify the traffic to be passed through the GRE tunnel
Router1(config)#interface INT2                                                            ;apply the crypto map to this interface
Router1(conf-if)#crypto map CRYPTOMAPRouter1

Apply the analogous settings to the other side of the tunnel.

Router2(config)#access-list 101 permit gre host host 
Router2(config)#crypto isakmp key PRESHAREDKEY address
Router2(config)#crypto ipsec transform-set TRSETGRERouter2 esp-des esp-md5-hmac
Router2(cfg-crypto-trans)#crypto map CRYPTOMAPRouter2 10 ipsec-isakmp
Router2(config-crypto-map)#match address 101
Router2(config-crypto-map)#set peer
Router2(config-crypto-map)#set transform-set TRSETGRERouter2
Router2(config)#ip route tunnel 0
Router2(config)#interface INT3
Router2(conf-if)#crypto map CRYPTOMAPRouter2
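Sections 2a and 2b require the ISAKMP policy and the IPsec transform set to agree on both ends. The following added example (my own check, not part of the lab or of Cisco IOS) parses the relevant lines of both running configurations and reports the phase 1 attributes that differ and whether a common phase 2 transform set exists; the two configurations are constructed samples with a deliberate DH group mismatch.

```python
import re

# Constructed sample configurations (placeholder values, not the lab's real settings):
# Router2 deliberately uses a different DH group so that the check reports it.
ROUTER1_CFG = """
crypto isakmp policy 10
 encryption 3des
 hash sha
 group 2
 authentication pre-share
crypto ipsec transform-set TRSETGRERouter1 esp-des esp-md5-hmac
"""
ROUTER2_CFG = """
crypto isakmp policy 20
 encryption 3des
 hash sha
 group 5
 authentication pre-share
crypto ipsec transform-set TRSETGRERouter2 esp-des esp-md5-hmac
"""
# Phase 1 attributes that must agree; the priority differs freely and lifetime negotiates to the shorter.
PARAMS = ("encryption", "hash", "group", "authentication")

def isakmp_policies(cfg):
    """Return {priority: {attribute: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level command ends the policy block
    return policies

def transform_sets(cfg):
    """Transforms of every 'crypto ipsec transform-set', ignoring the local set name."""
    return {tuple(m.group(1).split())
            for m in re.finditer(r"crypto ipsec transform-set \S+ (.+)", cfg)}

def phase1_mismatches(cfg_a, cfg_b):
    """Attributes that differ for the closest policy pair; an empty set means IKE can agree."""
    best = None
    for pa in isakmp_policies(cfg_a).values():
        for pb in isakmp_policies(cfg_b).values():
            diff = {k for k in PARAMS if pa.get(k) != pb.get(k)}
            if best is None or len(diff) < len(best):
                best = diff
    return best if best is not None else set(PARAMS)

def phase2_match(cfg_a, cfg_b):
    return bool(transform_sets(cfg_a) & transform_sets(cfg_b))
```

Run it against the output of `show running-config` from both routers before debugging on the wire; a non-empty result from `phase1_mismatches` is the usual reason phase 1 never completes.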

3) Access list on Router3 to permit only the needed traffic

Router3(config)#access-list 101 permit ospf any any
Router3(config)#access-list 101 permit esp host host
Router3(config)#access-list 101 permit udp host host eq isakmp
Router3(config)#interface INT5
Router3(conf-if)#ip access-group 101 in
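Added example (not part of the original lab): a small evaluator for Router3's ACL 101 on constructed placeholder addresses. It shows that only ESP, ISAKMP (UDP 500) and OSPF cross the simulated Internet router, while the GRE packets and the LAN traffic they carry travel inside ESP and are dropped by the implicit deny if they ever appear in the clear.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses for the two tunnel endpoints (not the lab's real ones).
ROUTER1_WAN, ROUTER2_WAN = "192.0.2.1", "198.51.100.1"

@dataclass(frozen=True)
class Packet:
    proto: str                  # "esp", "udp", "ospf", "gre", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None

# Router3's inbound ACL 101 from section 3 as (proto, src, dst, dport) entries;
# "any" matches every address, None matches every port, 500 is 'eq isakmp'.
ACL_101 = [
    ("ospf", "any", "any", None),
    ("esp", ROUTER1_WAN, ROUTER2_WAN, None),
    ("udp", ROUTER1_WAN, ROUTER2_WAN, 500),
]

def _addr_ok(rule_addr: str, addr: str) -> bool:
    return rule_addr == "any" or rule_addr == addr

def permitted(pkt: Packet, acl=ACL_101) -> bool:
    """First matching entry wins; with no match the implicit 'deny any' drops the packet."""
    for proto, src, dst, dport in acl:
        if (pkt.proto == proto and _addr_ok(src, pkt.src) and _addr_ok(dst, pkt.dst)
                and (dport is None or dport == pkt.dport)):
            return True
    return False
```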

Function test

F1) Turn on debugging

On Router1, to see whether the tunnel has been initialized properly:

Router1#debug crypto isakmp
Router1#debug crypto ipsec

F2) Initialize the tunnel


Picture shows result of commands from F1 and F2 sections.




F3) Delete the tunnel

Router1#clear crypto isakmp                   ;clear the tunnel initialisation state
Router1#clear crypto sa                       ;clear the existing security associations
Router1#clear crypto session                  ;delete all existing tunnels and sessions

Picture shows result of commands from F1 and F2 sections.



F4) Reinitialize the tunnel from the other side

Use ping . Take a look at the DST and SRC addresses; they depend on which router initiated the tunnel.

If the SPI is mismatched, please refer to exercise 4.4.7, where this command is referenced further: crypto isakmp invalid-spi-recovery .

Optional tasks

  • Define more transform sets so that one can be selected that fits the other side of the tunnel.
  • Define different encryption and hashing algorithms – see point 2a.
  • Add one more router to the topology and create another tunnel to it.

Two or more tunnels to different locations and peers:

This is accomplished by adding:

  • A new policy section with the definition of the needed settings.
  • A new access list.
  • A new or existing transform set, which must be added to the new crypto map.
