Justin, You could try the following:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address j.j.j.j
!
!
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer j.j.j.j
 set transform-set 3dessha
 set pfs group1
 match address remote
!
ip access-list extended remote
 permit gre host y.y.y.y host z.z.z.z
!
interface tunnel0
 ip address x.x.x.x
 tunnel source y.y.y.y
 tunnel destination z.z.z.z
!
interface WAN
 ip address y.y.y.y
 crypto map vpn
!
router eigrp 1
 network x.x.x.x
 network LAN

Where j.j.j.j is the ASA address and z.z.z.z is your router behind it.

-Luan

----------------------------------------------------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
----------------------------------------------------------------------------

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin Shore
Sent: Friday, September 19, 2008 5:04 PM
To: 'Cisco-nsp'
Subject: [c-nsp] GRE over IPSec

I'm trying to figure out if a router can push a GRE tunnel over top of an IPSec tunnel that's originated on the same router, through an ASA terminating the other end of the IPSec tunnel and to another IOS router behind the ASA. I've seen this done with an ASA at both sites in front of the local router but I've never seen it done with the router originating the IPsec tunnel. Is this possible? Any tips on how to accomplish this? I'm thinking that the tunnel destination should be IOS router at the remote site which should also match the ACL for traffic to a given destination (the remote end of the tunnel). I'm not sure what the order of operations would be though so I'm not sure if the GRE tunnel would end up in the IPSec tunnel.

I want to deploy 800-series wifi routers at remote sites (COs, large cabinets, etc) and have them VPN back to our HQ's ASAs and a second backup site. I'd like to run a routing protocol out to them to give them 2 paths into our network over the 2 tunnels, preferably OSPF in this case. My thought was a simple pair of GRE tunnels through the IPSec tunnels. I could always place an IOS router at the HQ and use it to terminate IPSec-encrypted GRE tunnels. That would add more cost though. I already have one at the backup site though. Suggestions?

Thanks
 Justin
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
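
Added example, not part of the original thread or either poster's code: a small Python check for the failure mode the question worries about, where the crypto ACL does not match the GRE packets between the tunnel source and destination and the tunnel (with its routing protocol) leaves the WAN interface unencrypted. The function names and sample addresses are assumptions, and it assumes the tunnel source is given as an IP address, as in the config above.

```python
import re

# Constructed sample; documentation addresses stand in for j.j.j.j, y.y.y.y, z.z.z.z.
SAMPLE = """\
crypto map vpn 10 ipsec-isakmp
 set peer 203.0.113.1
 match address remote
ip access-list extended remote
 permit gre host 192.0.2.10 host 198.51.100.20
interface tunnel0
 tunnel source 192.0.2.10
 tunnel destination 198.51.100.20
!
interface FastEthernet4
 ip address 192.0.2.10 255.255.255.0
 crypto map vpn
"""

def sections(config):
    """Map each top-level command to its indented sub-commands."""
    out, head = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line.startswith(" "):
            head = line.strip()
            out[head] = []
        elif head is not None:
            out[head].append(line.strip())
    return out

def check_gre_over_ipsec(config):
    """Return problems that would let GRE leave the WAN interface in clear."""
    sec, problems = sections(config), []
    maps = [(m.group(1), body) for head, body in sec.items()
            if (m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", head))]
    tunnels = [(h, b) for h, b in sec.items() if h.lower().startswith("interface tunnel")]
    for head, body in tunnels:
        opts = dict(l.rsplit(" ", 1) for l in body if l.startswith("tunnel "))
        src, dst = opts.get("tunnel source"), opts.get("tunnel destination")
        want = f"permit gre host {src} host {dst}"
        # Crypto maps whose ACL selects exactly GRE between the tunnel endpoints.
        ok = [n for n, mb in maps for l in mb if l.startswith("match address ")
              and want in sec.get("ip access-list extended " + l.split()[-1], [])]
        # Interfaces that own the tunnel source address (the WAN side).
        owners = [b for b in sec.values() if any(x.startswith(f"ip address {src} ") for x in b)]
        if not ok:
            problems.append(f"{head}: no crypto ACL entry '{want}'")
        elif not any(f"crypto map {n}" in b for n in ok for b in owners):
            problems.append(f"{head}: crypto map not on interface owning {src}")
    return problems
```

An empty list means every GRE tunnel in the config is selected by a crypto map applied where the tunnel is sourced; it does not validate the ISAKMP or transform-set settings.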
