VPN over GRE (not GRE over VPN)

Netvanta 3430 - Enhanced at all locations

Layout:

central location - we'll call it #1  172.16.1

remote location - #2 172.16.2

remote location - #3 172.16.3

I can set up a VPN link (using the GUI) between location #1 and #2

When setting up the VPN between locations #1 and #3 - the connection fails with various errors:

CRYPTO_IKE.NEGOTIATION IkePrepIsakmpKeyMat: IkeGetPreSharedKey failed

CRYPTO_IKE.NEGOTIATION IkeMMConstructIDMsg: IkePrepareIsakmpKeyMat failed

CRYPTO_IKE.NEGOTIATION IkeKEWaitProcess: IkeMMConstructIDMsg failed

CRYPTO_IKE.NEGOTIATION IkeProcessData : IkeKEWaitProcess failed

I have tried changing the various options - but to no avail...

I am hoping that I can establish a GRE tunnel to this site - ( I will test this onsite later this week)

So now the question is how can I establish a "VPN" from Site #1 to #3 - and have the traffic route correctly.

I have tested a GRE tunnel (from #1 to my house) and can get it established - with a separate IP address subnet on the GRE tunnel - and can ping the two sides of the tunnel, but I cannot route traffic across the GRE between the private LANs; I am assuming this is some sort of firewall issue - if this could work this would be fine (I understand the lack of security issue)...

But ideally having a secure connection would be best - so assuming that GRE can be established, can I create a VPN over the GRE and have it behave just like the already established VPN?

Or is there another way to solve this problem?

Paul

6 Replies
Contributor

Re: VPN over GRE (not GRE over VPN)

Did you put an access policy on your GRE interface permitting traffic through the firewall? Once the firewall is enabled on an AOS device, it applies across all interfaces. You need separate policies to make sure your traffic gets through the interfaces.

Are your routers all running the same version of firmware?

Can you attach a sample of your config?

New Contributor

Re: VPN over GRE (not GRE over VPN)

Thanks for the reply

Unfortunately I am GUI handicapped - so I do need help putting down the access policy for the GRE interface since this isn't easily implemented through the GUI.

Here is the config as requested (Homebase - central location):

! ADTRAN, Inc. OS version R10.6.0.E
! Boot ROM version 17.06.01.00
! Platform: NetVanta 3430, part number 1202820G1
!
!
hostname "Homebase"
enable password Password
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip routing
ipv6 unicast-routing
!
!
domain-name "Homebase.contoso.com"
domain-proxy
name-server 75.75.75.75 75.75.76.76
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
username "admin" password "Password"
!
banner motd #
                ****** Important Banner Message ******
Enable and Telnet passwords are configured to "password".
HTTP and HTTPS default username is "admin" and password is "password".
Please change them immediately.
The ethernet 0/1 interface is enabled with an address of 10.10.10.1
Telnet, HTTP, and HTTPS access are also enabled.
To remove this message, while in configuration mode type "no banner motd".
                ****** Important Banner Message ******
#
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
ip crypto
!
crypto ike policy 101
  initiate main
  respond anymode
  local-id address 1.2.3.177
  peer 2.3.4.106
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id address 2.3.4.106 preshared-key keyonetwothree ike-policy 101 crypto map VPN 20 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 20 ipsec-ike
  description Eastside
  match address VPN-20-vpn-selectors
  set peer 2.3.4.106
  set transform-set esp-3des-esp-md5-hmac
  reverse-route
  ike-policy 101
!
no ethernet cfm
!
interface eth 0/1
  description Inside
  ip address  172.16.1.254  255.255.255.0
  ip access-policy Private
  no shutdown
!
!
interface eth 0/2
  description Internet
  ip address  1.2.3.177  255.255.255.252
  ip mtu 1500
  ip access-policy Public
  crypto map VPN
  no rtp quality-monitoring
  no shutdown
!
interface tunnel 1 gre ip
  description HFTunnel
  ip address  172.16.0.1  255.255.255.252
  ip mtu 1400
  ip access-policy Private
  tunnel source 1.2.3.177
  tunnel destination 3.6.9.165
  tunnel key 12345678
  keepalive
  no shutdown
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log
!
ip access-list extended VPN-20-vpn-selectors
  permit ip 172.16.1.0 0.0.0.255  172.16.2.0 0.0.0.255
!
ip access-list extended web-acl-10
  remark RDP33891
  permit tcp any  host 172.16.1.254 eq 33891   log
!
ip access-list extended web-acl-11
  remark RDP33892
  permit tcp any  host 1.2.3.177 eq 33892   log
!
ip access-list extended web-acl-13
  remark PPTPVPN
  permit gre any  host 1.2.3.177     log
  permit tcp any  host 1.2.3.177 eq 1723   log
!
ip access-list extended web-acl-7
  remark RDP33894
  permit tcp any  host 1.2.3.177 eq 33894   log
!
ip access-list extended web-acl-8
  remark RDP33893
  permit tcp any  host 1.2.3.177 eq 33893   log
!
ip access-list extended wizard-remote-access
  remark do not hand edit this ACL
  permit icmp any  any  echo   log
  permit tcp any  any eq https   log
!
ip policy-class Private
  allow list VPN-20-vpn-selectors stateless
  allow list self self
  nat source list wizard-ics interface eth 0/2 overload
!
ip policy-class Public
  allow reverse list VPN-20-vpn-selectors stateless
  allow list wizard-remote-access self
  nat destination list web-acl-7 address 172.16.1.4 port 3389
  nat destination list web-acl-8 address 172.16.1.3 port 3389
  nat destination list web-acl-10 address 172.16.1.1 port 3389
  nat destination list web-acl-11 address 172.16.1.2 port 3389
  nat destination list web-acl-13 address 172.16.1.4
!
ip route 0.0.0.0 0.0.0.0 1.2.3.178
ip route 172.16.3.0 255.255.255.0 172.16.1.30
ip route 172.16.4.0 255.255.255.0 172.16.0.2
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
ip sip udp 5060
ip sip tcp 5060
!
line con 0
  login
  password Password
!
line telnet 0 4
  login
  password Password
  no shutdown
line ssh 0 4
  login local-userlist
  no shutdown
!
sntp server us.pool.ntp.org version 3
!
ntp source ethernet 0/2
!
end

Again what I need to do is get subnets 172.16.1.x connected/routing to 172.16.3.x (172.16.2.x works via the VPN put in place by the wizard).

Thanks,

Paul

Contributor

Re: VPN over GRE (not GRE over VPN)

Apologies for a slow response to your reply.

If I understand correctly... 

IPSec VPN is up - Site 1 to Site 2.

IPSec VPN will not work - Site 1 to Site 3

As an alternative, you wish to use a GRE tunnel - Site 1 to Site 3. 

Your GRE tunnel config looks correct and since you are anchoring to your WAN port, which is firewalled, you may need to allow GRE through the public access policy.  You have the ACL for that but I see that it is applied as a NAT destination in the public policy, which means you are forwarding any GRE packets to 172.16.1.4.  I believe you want it configured like this:

ip policy-class Public
  allow reverse list VPN-20-vpn-selectors stateless
  allow list wizard-remote-access self
  allow list web-acl-13 self
  nat destination list web-acl-7 address 172.16.1.4 port 3389
  nat destination list web-acl-8 address 172.16.1.3 port 3389
  nat destination list web-acl-10 address 172.16.1.1 port 3389
  nat destination list web-acl-11 address 172.16.1.2 port 3389

Also, once your GRE tunnel comes up, you will just need a route for the 3 network.  Right now I see that route is "ip route 172.16.3.0 255.255.255.0 172.16.1.30" but if the 3 network is on the other side of the GRE tunnel then the route should be "ip route 172.16.3.0 255.255.255.0 172.16.0.2".

If I am understanding your needs correctly, then I believe this change in your configuration should work.

New Contributor
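A way to check a NetVanta running config for the two issues the reply above points out, written here as an added example and not taken from the thread or from ADTRAN: it splits the config into blocks, finds any extended ACL that permits GRE to a host address, flags policy-class entries that apply such an ACL as a `nat destination` instead of an `allow ... self`, and compares the static route for the remote LAN against the far end of the /30 on the GRE tunnel interface. The embedded config is a trimmed excerpt of the Homebase config posted earlier in the thread; the assumption that 172.16.3.0/24 sits behind the tunnel (the reply's "if the 3 network is on the other side" condition) is passed in as a parameter rather than detected.

```python
import ipaddress
import re

# Trimmed excerpt of the Homebase config posted in this thread (only the
# sections the checks below look at; addresses are the thread's own).
SAMPLE_CONFIG = """\
interface eth 0/2
  description Internet
  ip address  1.2.3.177  255.255.255.252
  ip access-policy Public
!
interface tunnel 1 gre ip
  description HFTunnel
  ip address  172.16.0.1  255.255.255.252
  ip access-policy Private
  tunnel source 1.2.3.177
  tunnel destination 3.6.9.165
!
ip access-list extended web-acl-13
  remark PPTPVPN
  permit gre any  host 1.2.3.177     log
  permit tcp any  host 1.2.3.177 eq 1723   log
!
ip policy-class Public
  allow reverse list VPN-20-vpn-selectors stateless
  allow list wizard-remote-access self
  nat destination list web-acl-7 address 172.16.1.4 port 3389
  nat destination list web-acl-13 address 172.16.1.4
!
ip route 0.0.0.0 0.0.0.0 1.2.3.178
ip route 172.16.3.0 255.255.255.0 172.16.1.30
ip route 172.16.4.0 255.255.255.0 172.16.0.2
"""


def parse_blocks(text):
    """Split an AOS-style config into (header, [body lines]) blocks.
    A block starts at a non-indented line and ends at '!' or at the next
    non-indented line; top-level one-liners become blocks with empty bodies."""
    blocks, header, body = [], None, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            if header is not None:
                blocks.append((header, body))
            header, body = None, []
        elif line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = line, []
    if header is not None:
        blocks.append((header, body))
    return blocks


def gre_acls(blocks):
    """Names of extended ACLs that permit GRE to a specific host address."""
    names = set()
    for header, body in blocks:
        m = re.match(r"ip access-list extended (\S+)", header)
        if m and any(re.match(r"permit gre\b.*\bhost\s+\S+", l) for l in body):
            names.add(m.group(1))
    return names


def check_gre_policy(blocks):
    """One finding per policy-class line that NAT-forwards a GRE-permitting
    ACL to an inside host instead of allowing it to the router ('self').
    Returns (policy_class, offending_line, suggested_line) tuples."""
    acls, findings = gre_acls(blocks), []
    for header, body in blocks:
        m = re.match(r"ip policy-class (\S+)", header)
        if not m:
            continue
        for line in body:
            nm = re.match(r"nat destination list (\S+)", line)
            if nm and nm.group(1) in acls:
                findings.append((m.group(1), line, f"allow list {nm.group(1)} self"))
    return findings


def tunnel_peer(blocks):
    """Far-end address of the first GRE tunnel interface, assuming a /30:
    the other usable host in the tunnel's own subnet. None if no tunnel."""
    for header, body in blocks:
        if not header.startswith("interface tunnel"):
            continue
        for line in body:
            m = re.match(r"ip address\s+(\S+)\s+(\S+)", line)
            if m:
                iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
                return next(str(h) for h in iface.network.hosts() if h != iface.ip)
    return None


def check_route(blocks, remote_network):
    """Compare the static route for remote_network (assumed to sit behind the
    GRE tunnel, e.g. '172.16.3.0/24') with a route via the tunnel peer.
    Returns (current_line or None, suggested_line)."""
    net = ipaddress.ip_network(remote_network)
    suggested = f"ip route {net.network_address} {net.netmask} {tunnel_peer(blocks)}"
    for header, _ in blocks:
        m = re.match(r"ip route (\S+) (\S+) (\S+)", header)
        if m and ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}") == net:
            return header, suggested
    return None, suggested


def report(text, remote_network):
    """Human-readable list of config lines to change; empty when clean."""
    blocks, lines = parse_blocks(text), []
    for pc, bad, good in check_gre_policy(blocks):
        lines.append(f"policy-class {pc}: replace '{bad}' with '{good}'")
    current, suggested = check_route(blocks, remote_network)
    if current != suggested:
        lines.append(f"route: replace '{current}' with '{suggested}'")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_CONFIG, "172.16.3.0/24"):
        print(finding)
```

Run against the excerpt it reports two changes: the `nat destination list web-acl-13 address 172.16.1.4` line becomes `allow list web-acl-13 self`, and the 172.16.3.0/24 route moves from 172.16.1.30 to 172.16.0.2. The peer address is derived from the tunnel's own /30 rather than hard-coded, so the same check applies to any site whose GRE tunnel is numbered the same way.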

Re: VPN over GRE (not GRE over VPN)

Thanks for the reply - I will test this out and report back.

Paul

Contributor

Re: VPN over GRE (not GRE over VPN)

Hi Paul, have you had any success with your configuration?

Anonymous

Re: VPN over GRE (not GRE over VPN)


I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor
