IPSEC/GRE VPN Tunnel and OSPF Configuration

Configuring an IPsec GRE (Generic Routing Encapsulation) VPN tunnel with OSPF (Open Shortest Path First) involves several steps. In this example, we’ll configure a basic IPsec GRE VPN tunnel between two routers and enable OSPF routing over the tunnel. For this example, we’ll assume Router A and Router B are the two endpoints of the VPN tunnel.

Assumptions:

  • The routers are directly connected to the public internet.
  • IPsec is used to secure the GRE tunnel.
  • OSPF is used for dynamic routing over the tunnel.

Router A Configuration:

  1. Configure GRE Tunnel Interface:
    RouterA(config)# interface Tunnel0
    RouterA(config-if)# ip address 192.168.1.1 255.255.255.0
    RouterA(config-if)# tunnel source <public-interface>
    RouterA(config-if)# tunnel destination <RouterB-public-IP>
  2. Configure OSPF:
    RouterA(config)# router ospf 1
    RouterA(config-router)# network 192.168.1.0 0.0.0.255 area 0
  3. Configure IPsec:
    RouterA(config)# crypto isakmp policy 10
    RouterA(config-isakmp)# encryption aes
    RouterA(config-isakmp)# hash sha
    RouterA(config-isakmp)# group 5
    RouterA(config-isakmp)# authentication pre-share
    RouterA(config-isakmp)# exit
    RouterA(config)# crypto isakmp key <shared-secret> address <RouterB-public-IP>

    RouterA(config)# crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
    RouterA(cfg-crypto-trans)# mode tunnel
    RouterA(cfg-crypto-trans)# exit

    RouterA(config)# crypto map MY_CRYPTO_MAP 10 ipsec-isakmp
    RouterA(config-crypto-map)# set peer <RouterB-public-IP>
    RouterA(config-crypto-map)# set transform-set MY_TRANSFORM_SET
    RouterA(config-crypto-map)# match address 100
    RouterA(config-crypto-map)# exit

    The crypto map only takes effect once it is applied to the interface the GRE tunnel is sourced from (the public interface). Without this step the tunnel still comes up, but the GRE traffic leaves the router in cleartext:

    RouterA(config)# interface <public-interface>
    RouterA(config-if)# crypto map MY_CRYPTO_MAP

    The ACL (access list) referenced by the crypto map selects the traffic to encrypt. It is evaluated against the outer GRE packet, so it must match Router A's public address as the source and Router B's public address as the destination, not the 192.168.1.x tunnel addresses:

    RouterA(config)# access-list 100 permit gre host <RouterA-public-IP> host <RouterB-public-IP>

    Note that hash sha (SHA-1) and group 5 (1536-bit Diffie-Hellman) are legacy choices; on platforms that support them, hash sha256 and group 14 or higher are preferable.

Router B Configuration:

  1. Configure GRE Tunnel Interface:
    RouterB(config)# interface Tunnel0
    RouterB(config-if)# ip address 192.168.1.2 255.255.255.0
    RouterB(config-if)# tunnel source <public-interface>
    RouterB(config-if)# tunnel destination <RouterA-public-IP>
  2. Configure OSPF:
    RouterB(config)# router ospf 1
    RouterB(config-router)# network 192.168.1.0 0.0.0.255 area 0
  3. Configure IPsec:
    RouterB(config)# crypto isakmp policy 10
    RouterB(config-isakmp)# encryption aes
    RouterB(config-isakmp)# hash sha
    RouterB(config-isakmp)# group 5
    RouterB(config-isakmp)# authentication pre-share
    RouterB(config-isakmp)# exit
    RouterB(config)# crypto isakmp key <shared-secret> address <RouterA-public-IP>

    RouterB(config)# crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
    RouterB(cfg-crypto-trans)# mode tunnel
    RouterB(cfg-crypto-trans)# exit

    RouterB(config)# crypto map MY_CRYPTO_MAP 10 ipsec-isakmp
    RouterB(config-crypto-map)# set peer <RouterA-public-IP>
    RouterB(config-crypto-map)# set transform-set MY_TRANSFORM_SET
    RouterB(config-crypto-map)# match address 100
    RouterB(config-crypto-map)# exit

    As on Router A, apply the crypto map to the public interface the tunnel is sourced from:

    RouterB(config)# interface <public-interface>
    RouterB(config-if)# crypto map MY_CRYPTO_MAP

    The ACL (access list) referenced by the crypto map is the mirror image of Router A's: it matches GRE from Router B's public address to Router A's public address:

    RouterB(config)# access-list 100 permit gre host <RouterB-public-IP> host <RouterA-public-IP>

Verification:

  1. Verify GRE Tunnel (Tunnel0 should be up, line protocol up on both sides):
    RouterA# show interface Tunnel0
    RouterB# show interface Tunnel0
  2. Verify OSPF Neighbors (each router should list the other in FULL state):
    RouterA# show ip ospf neighbor
    RouterB# show ip ospf neighbor
  3. Verify IPsec Status (an active ISAKMP SA, and #pkts encaps/decaps counters that increase as OSPF hellos cross the tunnel; if the counters stay at zero, the crypto ACL is not matching the GRE traffic):
    RouterA# show crypto isakmp sa
    RouterA# show crypto ipsec sa
    RouterB# show crypto isakmp sa
    RouterB# show crypto ipsec sa

Remember to replace placeholders like <public-interface>, <RouterA-public-IP>, <RouterB-public-IP>, and <shared-secret> with your actual interface names, IP addresses and shared secret. Additionally, adapt the configurations to match the specific requirements of your network. Always refer to the documentation for your specific router model and software version for accurate and detailed information.
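As an added check that is not part of the original article, the following Python script (a hypothetical helper, not a Cisco tool) parses IOS-style running-config text and verifies the three things that most often leave a "working" GRE tunnel unencrypted: the crypto map is applied to the tunnel's source interface, its peer equals the tunnel destination, and the crypto ACL matches the outer GRE packet between the two public addresses. The sample configuration, interface names and documentation-range addresses are constructed for the example.

```python
# Constructed sample running-config (not from the page): Router A with the crypto map
# applied to its public interface, but the crypto ACL still written against the tunnel IP.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map MY_CRYPTO_MAP
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
crypto map MY_CRYPTO_MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 match address 100
access-list 100 permit gre host 192.168.1.1 host 198.51.100.2
"""

def parse_sections(config):
    """Group each indented line under its unindented header line (IOS style)."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def first(lines, prefix, idx=-1):
    """Token idx of the first line starting with prefix, or None if absent."""
    return next((l.split()[idx] for l in lines if l.startswith(prefix)), None)

def check_gre_ipsec(config, tunnel="Tunnel0"):
    """Return findings explaining why IPsec would not cover the GRE tunnel."""
    s = parse_sections(config)
    tun = s.get(f"interface {tunnel}", [])
    src_if, dst = first(tun, "tunnel source"), first(tun, "tunnel destination")
    pub = s.get(f"interface {src_if}", [])
    src_ip, cmap = first(pub, "ip address", 2), first(pub, "crypto map", 2)
    if cmap is None:  # crypto map never applied: GRE would leave in cleartext
        return [f"no crypto map applied on tunnel source {src_if}"]
    entry = next((v for k, v in s.items() if k.startswith(f"crypto map {cmap} ")), [])
    findings = []
    if first(entry, "set peer") != dst:
        findings.append(f"crypto map peer does not match tunnel destination {dst}")
    wanted = f"access-list {first(entry, 'match address')} permit gre host {src_ip} host {dst}"
    if wanted not in s:  # the crypto ACL is evaluated against the outer GRE header
        findings.append(f"crypto ACL does not select GRE {src_ip} -> {dst}; expected '{wanted}'")
    return findings
```

Run `check_gre_ipsec(SAMPLE_CONFIG)` to see the ACL finding; changing the sample's ACL source to the public address 203.0.113.1 clears it.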
