Site-to-site VPN with GRE over IPSec

Hello...

I'm fairly new to site-to-site VPN technology. I've done a few of them between two PIX firewalls with fairly good success.

I now have 2 new Cisco routers, a 2821 with IOS Firewall/VPN and a 2811 with IOS Firewall/VPN. I created a site-to-site VPN tunnel using IPSec between these and although the tunnel came up, a lot of things weren't working after that. I traced the problem to the fact that since I'm using EIGRP on the routers, I needed to establish a GRE over IPSec tunnel in order for the routing updates to still pass.

I now have a need to create a site-to-site VPN between that 2821 and another site that has a 2801 with basic IP IOS and a PIX 506. A basic diagram would look something like this:

(2821 router) --WAN-- (2801 router) - (PIX 506)

So that 2801 is between the WAN connection and the PIX.

From all of the research I've done, it doesn't appear that I can create a GRE over IPSec tunnel starting from the 2821 and ending at the PIX since the PIX doesn't support termination of GRE over IPSec tunnels.

However, I'm afraid that if I establish just a straight IPSec tunnel between the 2821 and the PIX 506, I will lose my EIGRP routing updates between these two sites like I did when I had the IPSec tunnel between the 2821 and the 2811.

I guess I was thinking I might need to build a GRE tunnel between the 2821 and 2801 and THEN establish an IPSec tunnel between the 2821 and the PIX 506 so that those EIGRP updates can still get through.

Hopefully all of this makes sense. Anyone have any thoughts on this? Is what I'm trying to do even possible given the equipment that I have?

Thanks for any suggestions/pointers/etc.

Daniel


The following link might be relevant to what you are trying to do

Cisco da Gama

Cisco da Gama...

Thanks for the link. That page certainly does provide some good information.

However, that page doesn't talk about establishing a GRE over IPSec tunnel when a PIX Firewall is involved.

Do you know if it's possible to terminate a GRE over IPSec tunnel on a PIX? From everything that I've read in the past few days, it doesn't seem to be possible but I'm just not sure.

Thanks... Daniel


Sorry, I don't have any experience with the PIX. Hopefully someone else on the group will know the answer ...

Cisco da Gama


Hello, Daniel! You wrote on Wed, 22 Feb 2006 14:46:19 -0600:

D> However, that page doesn't talk about establishing a GRE over IPSec tunnel when a PIX Firewall is involved.

D> Do you know if it's possible to terminate a GRE over IPSec tunnel on a PIX? From everything that I've read in the past few days, it doesn't seem to be possible but I'm just not sure.

I think you need to put one more router into your setup, behind the PIX. IPSec from the 2821 will go through the 2801 and be terminated on the PIX. GRE will go through the PIX and terminate on the router behind it.

With best regards, Andrey.


Definitely not on PIX 6.x, and I'm pretty sure I didn't see the facility appear in the 7.x documentation.

Walter Roberson

ACK. I searched for it a few days ago for our PIX 515E on 7.x without any luck :-(

Regards Markus


Thanks for the responses so far - I do appreciate it!

I was hoping not to have to add any more equipment to the mix, so if adding a second router behind the PIX would work, I might explore just adding more memory and whatever else is necessary to the 2801 and purchasing the IOS firewall code for it instead of getting a second router.

I guess what I really need to know is if I were to just establish an IPSec tunnel between the 2821 and the PIX 506, would my EIGRP routing updates still be passed between the 2821 and the 2801 without the presence of GRE?

I suppose I'll just try that first and see what happens.

Thanks again for all of the posts. Daniel


You MUST use GRE to pass EIGRP, since EIGRP uses multicast hellos and IPSec does not support multicast.

Merv
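As an added illustration (not posted by anyone in this thread), here is the router-to-router pattern the thread keeps coming back to: a GRE tunnel carried inside IPsec, with EIGRP running over the tunnel interface rather than over the bare WAN link. Only one side is shown (the 2821 end of a 2821-to-2811 tunnel like the one Daniel first built); the peer mirrors it with the addresses swapped. Every address, name and the pre-shared key are assumptions for illustration, and the syntax is IOS 12.4-era router CLI, not PIX configuration.

```cisco
! --- Added example, not from the thread. Addresses/names/PSK are assumed. ---
! IKE phase 1: authenticate the peer and protect the negotiation.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
! Assumed pre-shared key and assumed peer WAN address (the 2811).
crypto isakmp key ExamplePSK-ChangeMe address 203.0.113.2
!
! IKE phase 2: transport mode is enough, the GRE header already carries
! the two endpoint addresses, so tunnel mode would only add overhead.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Crypto ACL: protect GRE (IP protocol 47) between the two tunnel endpoints.
! Everything routed INTO Tunnel0, including EIGRP hellos to 224.0.0.10,
! leaves as unicast GRE and therefore matches this line. A LAN-to-LAN
! crypto ACL without GRE would never match the multicast hellos.
access-list 101 permit gre host 198.51.100.1 host 203.0.113.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address 101
!
! GRE tunnel; the /30 here is the EIGRP adjacency network.
! ip mtu / adjust-mss leave room for GRE (24 bytes) plus ESP overhead
! so encrypted packets are not fragmented on the WAN.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
!
! WAN interface (assumed name); the crypto map is applied here, so GRE
! packets leaving for 203.0.113.2 are encrypted on the way out.
interface GigabitEthernet0/0
 description WAN toward 2811 (assumed)
 ip address 198.51.100.1 255.255.255.252
 crypto map VPN
!
! LAN side (assumed).
interface GigabitEthernet0/1
 ip address 10.1.0.1 255.255.255.0
!
! EIGRP peers across Tunnel0 only; passive-interface stops hellos from
! being sent unencrypted on the raw WAN link.
router eigrp 100
 network 10.0.0.0
 no auto-summary
 passive-interface GigabitEthernet0/0
```

To check it, `show crypto isakmp sa` should show the peer in QM_IDLE, `show crypto ipsec sa` should show the encaps/decaps counters for `permit gre host 198.51.100.1 host 203.0.113.2` climbing, and `show ip eigrp neighbors` should list the far end on Tunnel0. Because the crypto ACL covers only GRE between these two endpoints, any LAN traffic that is routed around Tunnel0 would leave in the clear; with EIGRP learning the remote prefixes via the tunnel that should not happen, but it is worth confirming with `show ip route` that the remote networks point at Tunnel0.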
