Date created: Sunday, January 22, 2017 10:29:55 AM. Last modified: Saturday, August 17, 2019 7:41:17 AM

GRE over IPSEC over DSL

In this example config, tunnels are set up between the CPE and LNS that use IPsec as the transport, so that each VRF tunnelled between CPE and LNS is protected, for example where a third-party DSL tail circuit provider carries the traffic. The tunnels are VTIs (virtual tunnel interfaces) running IPsec in tunnel mode; despite the title it is not actually GRE over IPsec, which would need a GRE tunnel with transport-mode IPsec and a crypto map:

! A standard CPE ADSL and PPP config:
interface ATM0/0/0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1


interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 no ip route-cache
 load-interval 30
 dialer pool 1
 dialer-group 1
 ntp disable
 keepalive 2
 ppp authentication chap callin
 ppp chap hostname test@test.net
 ppp chap password 0 test
 no cdp enable
!
! The ADSL profile is as follows:
ip:ip-unnumbered=Loopback10
ip:route=10.255.255.255 255.255.255.255
ip:vrf-id=OFF-NET-ADSL
!
! The CPE IPSEC (VTI) config is as follows:

crypto keyring ADSL-KEY
  ! 55.55.55.55 is the LNS Loopback10 address: the LNS end of the
  ! tunnels is sourced from it and the CPE's PPP session is
  ! terminated on it:
  pre-shared-key address 55.55.55.55 key safewordhere
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp profile ADSL-ISAKMP
   keyring ADSL-KEY
   match identity address 55.55.55.55 255.255.255.255
   local-address Loopback0
!
crypto ipsec transform-set ADSL-SET esp-3des esp-md5-hmac
 mode tunnel
!
no crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec profile ADSL-ROUTERS
 set transform-set ADSL-SET


! Repeat this part for each VRF with a new Tunnel interface and a
! new Loopback on the CPE as the tunnel source. The same loopback can
! be re-used on the LNS because each CPE has a different loopback:

ip vrf TEST
 rd 65000:1234
 route-target export 65000:1234
 route-target import 65000:1234
!
interface Loopback0
 ip address 10.255.255.255 255.255.255.255
!
interface Tunnel0
 ip vrf forwarding TEST
 ip address 1.1.1.2 255.255.255.252
 ip mtu 1446
 ip tcp adjust-mss 1350
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel destination 55.55.55.55
 tunnel protection ipsec profile ADSL-ROUTERS
!
! The LNS config is the same as the CPE except that it accepts a
! range of peer addresses (10.0.0.0/8, the CPE loopback range) as the
! remote end of the IPSEC tunnels:
interface Loopback10
 ip vrf forwarding OFF-NET-ADSL
 ip address 55.55.55.55 255.255.255.255
!
crypto keyring ADSL-KEY vrf OFF-NET-ADSL
  pre-shared-key address 10.0.0.0 255.0.0.0 key safewordhere
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp profile ADSL-ISAKMP
   vrf OFF-NET-ADSL
   keyring ADSL-KEY
   match identity address 10.0.0.0 255.0.0.0 OFF-NET-ADSL
   local-address Loopback10
!
crypto ipsec transform-set ADSL-SET esp-3des esp-md5-hmac
!
no crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec profile ADSL-ROUTERS
 set transform-set ADSL-SET
!
interface Tunnel9999
 description Test Tunnel
 ip vrf forwarding TEST
 ip address 1.1.1.1 255.255.255.252
 ip mtu 1446
 ip tcp adjust-mss 1350
 tunnel source Loopback10
 tunnel mode ipsec ipv4
 tunnel destination 10.255.255.255
 tunnel vrf OFF-NET-ADSL
 ! Note, this is "shared" on the LNS due to the hub and spoke topology
 ! (a trailing "! ..." on the command line itself is not a comment in IOS):
 tunnel protection ipsec profile ADSL-ROUTERS shared
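
The script below is an added example and is not part of the original notes. It cross-checks the CPE and LNS halves of the VTI config for the things that must agree before the tunnel can come up: each side's tunnel destination is the other side's source loopback, each side's keyring covers the peer with the same pre-shared key, the transform sets match, and the LNS profile carries the "shared" keyword. It also flags the esp-3des / esp-md5-hmac transform set, which the config above uses, as legacy algorithms that current guidance has retired. The embedded configs are constructed, trimmed copies of the CPE and LNS configs on this page (same placeholder addresses and key); the parser assumes running-config style input, with sub-commands indented under their parent line, and reads only the first Tunnel interface, keyring and transform set on each side.

```python
import ipaddress

# Constructed sample configs, trimmed to the lines the checks read; they mirror the
# CPE and LNS configs on this page (the addresses and key are the page's placeholders).
CPE_CONFIG = """\
crypto keyring ADSL-KEY
  pre-shared-key address 55.55.55.55 key safewordhere
crypto ipsec transform-set ADSL-SET esp-3des esp-md5-hmac
interface Loopback0
 ip address 10.255.255.255 255.255.255.255
interface Tunnel0
 tunnel source Loopback0
 tunnel destination 55.55.55.55
 tunnel protection ipsec profile ADSL-ROUTERS
"""
LNS_CONFIG = """\
interface Loopback10
 ip address 55.55.55.55 255.255.255.255
crypto keyring ADSL-KEY vrf OFF-NET-ADSL
  pre-shared-key address 10.0.0.0 255.0.0.0 key safewordhere
crypto ipsec transform-set ADSL-SET esp-3des esp-md5-hmac
interface Tunnel9999
 tunnel source Loopback10
 tunnel destination 10.255.255.255
 tunnel protection ipsec profile ADSL-ROUTERS shared
"""
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}  # retired by current guidance

def parse_blocks(config):
    """{header: [sub-lines]}; a '!' or blank line closes the open block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks

def first_block(blocks, prefix):
    """(header, sub-lines) of the first block whose header starts with prefix."""
    return next(((h, lines) for h, lines in blocks.items() if h.startswith(prefix)), (None, []))

def interface_ip(blocks, name):
    """The address configured on 'interface <name>', or None if absent."""
    for w in (line.split() for line in first_block(blocks, f"interface {name}")[1]):
        if w[:2] == ["ip", "address"]:
            return ipaddress.ip_address(w[2])

def tunnel_info(blocks):
    """The settings of the first Tunnel interface that the cross-check needs."""
    t = {"shared": False}
    for w in (line.split() for line in first_block(blocks, "interface Tunnel")[1]):
        if w[:2] == ["tunnel", "source"]:
            t["source"] = interface_ip(blocks, w[2])  # resolve the source loopback
        elif w[:2] == ["tunnel", "destination"]:
            t["destination"] = ipaddress.ip_address(w[2])
        elif w[:3] == ["tunnel", "protection", "ipsec"]:
            t["shared"] = w[-1] == "shared"
    return t

def keyring_peers(blocks):
    """[(peer network, key)] from the first crypto keyring block."""
    peers = []
    for w in (line.split() for line in first_block(blocks, "crypto keyring")[1]):
        if w[:2] == ["pre-shared-key", "address"]:
            mask = w[3] if w[3] != "key" else "255.255.255.255"  # no mask: a single host
            peers.append((ipaddress.ip_network(f"{w[2]}/{mask}"), w[-1]))
    return peers

def check_pair(cpe_config, lns_config):
    """Cross-check both halves; returns a list of findings (empty = consistent)."""
    cpe, lns = parse_blocks(cpe_config), parse_blocks(lns_config)
    ct, lt = tunnel_info(cpe), tunnel_info(lns)
    out, keys = [], {}
    for side, me, peer, blocks in (("CPE", ct, lt, cpe), ("LNS", lt, ct, lns)):
        if me["destination"] != peer["source"]:
            out.append(f"{side}: tunnel destination {me['destination']} is not the peer's source {peer['source']}")
        # The keyring entry that covers the peer address is the key IKE will use.
        match = [k for net, k in keyring_peers(blocks) if peer["source"] in net]
        if not match:
            out.append(f"{side}: no pre-shared key covers peer {peer['source']}")
        keys[side] = match[0] if match else None
    if keys["CPE"] != keys["LNS"]:
        out.append("pre-shared keys differ between CPE and LNS")
    algs = {s: tuple(first_block(b, "crypto ipsec transform-set")[0].split()[4:])
            for s, b in (("CPE", cpe), ("LNS", lns))}
    if algs["CPE"] != algs["LNS"]:
        out.append(f"transform sets differ: {algs['CPE']} vs {algs['LNS']}")
    for alg in sorted(LEGACY.intersection(algs["CPE"])):
        out.append(f"transform set uses legacy algorithm {alg}")
    if not lt["shared"]:
        out.append("LNS: 'tunnel protection' lacks the shared keyword needed for hub and spoke")
    return out
```

Run against the page's own values, check_pair reports only the two legacy-algorithm findings; editing either side (a wrong tunnel destination, a keyring that no longer covers the CPE loopback range, a different key, or dropping "shared" on the LNS) produces the corresponding finding, which is the same mismatch that would otherwise only show up as a failed ISAKMP or IPsec negotiation.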