This documentation has been moved
Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links
Download this chapter
Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit LinksConfiguring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links
Download the complete book
Performance Routing Configuration Guide, Cisco IOS Release 15.1M&TPerformance Routing Configuration Guide, Cisco IOS Release 15.1M&T (PDF - 3 MB)
 Feedback

Table Of Contents

Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

Finding Feature Information

Contents

Prerequisites for Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

Restrictions for Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

Information About Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

VPN IPsec/GRE Tunnel Interface Optimization

Protection of Route Prefixes with IPsec over GRE Tunnels

Configuration of GRE Tunnel Interfaces As PfR-Managed Exit Links

How to Configure VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

Configuring PfR to Monitor and Control IPsec VPN Prefixes over GRE Tunnels

Restrictions

Configuration Examples for Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

Example: Configuring PfR to Monitor and Control GRE/IPsec VPN Prefixes

Where to Go Next

Additional References

Related Documents

Technical Assistance

Feature Information for Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links


Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

First Published: March 19, 2010
Last Updated: July 21, 2010

This module documents a Performance Routing (PfR) solution that describes how to configure IP security (IPsec)/Generic Routing Encapsulation (GRE) tunnel interfaces as PfR-managed exit links. The VPN IPsec/GRE Tunnel Optimization solution supports only network-based IPsec Virtual Private Networks (VPNs).

PfR provides automatic route optimization and load distribution for multiple connections between networks. PfR is an integrated Cisco IOS solution that allows you to monitor IP traffic flows and then define policies and rules based on prefix performance, link load distribution, link bandwidth monetary cost, and traffic type. PfR provides active and passive monitoring systems, dynamic failure detection, and automatic path correction. Deploying PfR enables intelligent load distribution and optimal route selection in an enterprise network.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links" section.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

Restrictions for Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

Information About Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

How to Configure VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

Configuration Examples for Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

Where to Go Next

Additional References

Feature Information for Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

Prerequisites for Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

Before implementing VPN IPsec/GRE tunnel interfaces as PfR-managed exit links you need to understand how PfR works and how to set up PfR network components. See the "Understanding Performance Routing," "Configuring Basic Performance Routing," and "Configuring Advanced Performance Routing," modules for more details. For a list of other PfR feature modules, see the "Related Documents" section.

Cisco Express Forwarding (CEF) must be enabled on all participating routers.

Routing protocol peering or static routing is configured in the PfR-managed network.

Standard Cisco PfR border router and master controller configurations are completed.

Restrictions for Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

Cisco IOS PfR supports the optimization of prefixes that are routed over IPsec/GRE tunnel interfaces. Only GRE and multipoint GRE VPN tunnels are supported.

Information About Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

VPN IPsec/GRE Tunnel Interface Optimization

Protection of Route Prefixes with IPsec over GRE Tunnels

VPN IPsec/GRE Tunnel Interface Optimization

Cisco IOS PfR supports the optimization of prefixes that are routed over IPsec/GRE tunnel interfaces. The VPN tunnel interface is configured as PfR external interfaces on the master controller. Figure 1 shows a PfR-managed network that is configured to optimize VPN traffic. Cisco IOS PfR is deployed at the central office and remote offices.

Figure 1 Cisco IOS PfR Network Optimized for VPN Routing

This enhancement allows you to configure two-way VPN optimization. A master controller and border router process are enabled on each side of the VPN. Each site maintains a separate master controller database. VPN routes can be dynamically learned through the tunnel interfaces or can be configured. Prefix and exit link policies are configured for VPN prefixes through a standard Cisco IOS PfR configuration.

Protection of Route Prefixes with IPsec over GRE Tunnels

The IPsec-to-GRE model allows a service provider to provide VPN services over the IP backbone. Both the central and remote VPN clients terminate according to the IPsec-to-IPsec model. Prefixes are encapsulated using GRE tunnels. The GRE packet is protected by IPsec. The encapsulated prefixes are forwarded from the central VPN site to a customer headend router that is the other endpoint for GRE. The IPsec-protected GRE packets provide secure connectivity across the IP backbone of the service provider network.

For more information about configuring IPsec over GRE tunnels, see the Dynamic Multipoint IPsec VPNs (Using Multipoint GRE/NHRP to Scale IPsec VPNs) document published at the following URL:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml

Configuration of GRE Tunnel Interfaces As PfR-Managed Exit Links

GRE tunnel interfaces on the border routers are configured as PfR external interfaces on the master controller. At least two external tunnel interfaces must be configured on separate physical interfaces in a PfR-managed network. These interfaces can be configured on a single border router or multiple border routers. Internal interfaces are configured normally using a physical interface that is on the border router and is reachable by the master controller.

How to Configure VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

Configuring PfR to Monitor and Control IPsec VPN Prefixes over GRE Tunnels

Configuring PfR to Monitor and Control IPsec VPN Prefixes over GRE Tunnels

Perform this task to configure the IPsec VPN configuration over GRE tunnels. Initially the IPsec VPN is configured on a border router, and the tunnel interface is configured as a PfR-managed external interface on the master controller. In this task an IKE policy is defined, a transform set is configured, a crypto profile and a crypto map are defined, and a GRE tunnel is configured.

The GRE tunnel and IPsec protection in this task are configured on the border router. The configuration steps in this task show how to configure a single tunnel. At least two tunnels must be configured on border routers in a PfR-managed network. The IPsec configuration must be applied at each tunnel endpoint (the central and remote site).

Restrictions

Cisco IOS PfR supports only IPsec/GRE VPNs. No other VPN types are supported.

SUMMARY STEPS

1. enable

2. configure terminal

3. crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}

4. crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]

5. mode [tunnel | transport]

6. exit

7. crypto map map-name seq-num [ipsec-isakmp]

8. set peer {host-name [dynamic] [default] | ip-address [default]}

9. set transform-set transform-set-name [transform-set-name2...transform-set-name6]

10. match address [access-list-id | name]

11. exit

12. crypto ipsec profile name

13. set transform-set transform-set-name [transform-set-name2...transform-set-name6]

14. exit

15. crypto map map-name local-address interface-id

16. crypto isakmp key encryption-level key-string {address peer-address [mask] | hostname name} [no-xauth]

17. crypto isakmp keepalive seconds [retries] [periodic | on-demand]

18. crypto isakmp policy priority

19. encryption {des | 3des | aes | aes 192 | aes 256}

20. authentication {rsa-sig | rsa-encr | pre-share}

21. exit

22. interface type number [name-tag]

23. ip address ip-address mask [secondary]

24. crypto map map-name [redundancy standby-name]

25. exit

26. interface type number [name-tag]

27. ip address ip-address mask [secondary]

28. keepalive [period [retries]]

29. bandwidth {kbps | inherit [kbps]}

30. tunnel mode gre ip

31. tunnel source {ip-address | interface-type interface-number}

32. tunnel destination {host-name | ip-address}

33. tunnel protection ipsec profile name [shared]

34. exit

35. ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [dhcp] [distance] [name] [permanent] [tag tag]

36. access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

37. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}

Example:

Router(config)# crypto ipsec security-association lifetime kilobytes 530000000

Sets global lifetime values used when negotiating IPsec security associations.

The example sets volume of traffic, in kilobytes, that can pass between IPsec peers for this security association.

Step 4 

crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]

Example:

Router(config)# crypto ipsec transform-set VPN_1 esp-des esp-3des esp-sha-hmac

Enters crypto transform configuration mode to create or modify a transform set—an acceptable combination of security protocols and algorithms.

The example specifies 56-bit Data Encryption Standard (DES), 168-bit DES, or Secure Hash Algorithm (SHA) for authentication.

Step 5 

mode [tunnel | transport]

Example:

Router(cfg-crypto-trans)# mode transport

Sets the mode for the transform set.

The example sets the mode to transport. The default mode is tunnel. Under tunnel mode, the entire packet is protected. Under transport mode, only the payload is protected. Encapsulation is performed by GRE.

Step 6 

exit

Example:

Router(cfg-crypto-trans)# exit

Exits crypto transform configuration mode and enters global configuration mode.

Step 7 

crypto map map-name seq-num [ipsec-isakmp]

Example:

Router(config)# crypto map TUNNEL 10 ipsec-isakmp

Enters crypto map configuration mode to create or modify a crypto map.

The example creates a crypto map named TUNNEL and configures IKE to establish the security association.

Step 8  

set peer {host-name [dynamic] [default] | 
ip-address [default]}
Example:

Router(config-crypto-map)# set peer 10.4.9.81

Specifies the IPsec peer in the crypto map entry.

Step 9 

set transform-set transform-set-name [transform-set-name2...transform-set-name6]

Example:

Router(config-crypto-map)# set transform-set VPN_1

Specifies which transform sets can be used with the crypto map entry.

Specifies the transform set VPN_1, which was configured in Step 4.

Step 10 

match address [access-list-id | name]

Example:

Router(config-crypto-map)# match address 100

Specifies an extended access list to define IPsec peers for the crypto map entry.

The access list is defined in Step 36.

Step 11 

exit

Example:

Router(config-crypto-map)# exit

Exits crypto map configuration mode and enters global configuration mode.

Step 12 

crypto ipsec profile name

Example:

Router(config)# crypto ipsec profile PFR

Defines the IPsec parameters that are to be used for IPsec encryption between two IPsec routers and enters IPsec profile configuration mode.

The example creates a profile named PFR.

Step 13 

set transform-set transform-set-name [transform-set-name2...transform-set-name6]

Example:

Router(ipsec-profile)# set transform-set VPN_1

Specifies which transform sets can be used with the crypto map entry.

Specifies the transform set VPN_1, which was configured in Step 4.

Step 14 

exit

Example:

Router(ipsec-profile)# exit

Exits IPsec profile configuration mode and enters global configuration mode.

Step 15 

crypto map map-name local-address interface-id

Example:

Router(config)# crypto map TUNNEL local-address FastEthernet 0/0

Attaches a defined crypto map to the specified interface.

The example attaches the crypto map named TUNNEL to interface FastEthernet 0/0.

Step 16 

crypto isakmp key encryption-level key-string {address peer-address [mask] | hostname name} [no-xauth]

Example:

Router(config)# crypto isakmp key 0 CISCO address 10.4.9.81 no-xauth

Creates the preshared authentication key.

The example configures encryption level 0 and configures the router to not prompt the IPsec peer for extended authentication. However, any encryption level or authentication level can be specified.

Step 17 

crypto isakmp keepalive seconds [retries] [periodic | on-demand]

Example:

Router(config)# crypto isakmp keepalive 10

Allows the gateway to send dead peer detection (DPD) messages to the peer.

Step 18 

crypto isakmp policy priority

Example:

Router(config)# crypto isakmp policy 1

Defines an Internet Key Exchange (IKE) policy and enters ISAKMP policy configuration mode.

Step 19 

encryption {des | 3des | aes | aes 192 | aes 256}

Example:

Router(config-isakmp)# encryption 3des

Specifies the encryption algorithm within the IKE policy.

The example specifies 168-bit DES encryption.

Step 20 

authentication {rsa-sig | rsa-encr | pre-share}

Example:

Router(config-isakmp)# authentication pre-share

Specifies the authentication method within the IKE policy.

The example specifies that a preshared key will be used.

Step 21 

exit

Example:

Router(config-isakmp)# exit

Exits ISAKMP policy configuration mode and enters global configuration mode.

Step 22 

interface type number [name-tag]

Example:

Router(config)# interface FastEthernet0/0

Configures an interface type and enters interface configuration mode.

The physical interface is defined in this step.

Step 23 

ip address ip-address mask [secondary]

Example:

Router(config-if)# ip address 10.4.9.14 255.255.255.0

Sets a primary or secondary IP address for an interface.

Step 24 

crypto map map-name [redundancy standby-name]

Example:

Router(config-if)# crypto map TUNNEL

Applies the crypto map set to the interface.

The example specifies the crypto map named TUNNEL, which was defined in Step 7.

Step 25 

exit

Example:

Router(config-if)# exit

Exits interface configuration mode and enters global configuration mode.

Step 26 

interface type number [name-tag]

Example:

Router(config)# interface Tunnel0

Configures an interface type and enters interface configuration mode.

The tunnel interface is defined in this step.

Step 27 

ip address ip-address mask [secondary]

Example:

Router(config-if) ip address 10.100.2.1 255.255.0.0

Sets a primary or secondary IP address for an interface.

Step 28 

keepalive [period [retries]]

Example:

Router(config-if) keepalive 30 5

Enables keepalive packets and specifies the number of times that the Cisco IOS software tries to send keepalive packets without a response before bringing down the interface or before bringing the tunnel protocol down for a specific interface.

Step 29 

bandwidth {kbps | inherit [kbps]}

Example:

Router(config-if)# bandwidth 500


Router(config-if)# bandwidth inherit

Sets and communicates the current bandwidth value for an interface to higher-level protocols.

Step 30 

tunnel mode gre ip

Example:

Router(config-if)# tunnel mode gre ip

Sets the encapsulation mode for the tunnel interface.

Note Only partial syntax is shown here. For more details, see the Cisco IOS Interface and Hardware Component Command Reference.

Step 31 

tunnel source {ip-address | interface-type interface-number}

Example:

Router(config-if)# tunnel source 10.4.9.14

Sets the source address for a tunnel interface.

The source interface in the example was defined in Step 22. The interface name or IP address can be specified.

Step 32 

tunnel destination {host-name | ip-address}

Example:

Router(config-if)# tunnel destination 10.4.9.81

Specifies the destination for a tunnel interface.

The IP address of the physical interface where the remote tunnel end point is attached is configured in this step.

Step 33 

tunnel protection ipsec profile name [shared]

Example:

Router(config-if)# tunnel protection ipsec profile PFR

Associates the tunnel interface with the IPsec profile.

The IPsec profile named PFR that is configured in the example was defined in Step 19.

Step 34 

exit

Example:

Router(config-if)# exit

Exits interface configuration mode and enters global configuration mode.

Step 35 

ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [dhcp] [distance] [name] [permanent] [tag tag]

Example:

Router(config)# ip route 10.2.2.2 255.255.255.255 Tunnel0

Establishes a static route.

A default route is configured for the tunnel destination host or network.

Step 36 

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

Example:

Router(config)# access-list 100 permit gre host 10.4.9.14 host 10.4.9.81

Creates or configures an extended IP access list.

An extended access list is defined to permit only the GRE hosts.

The access list in this example is referenced in the match address statement in Step 10.

Step 37 

end

Example:

Router(config)# end

Exits global configuration mode and enters privileged EXEC mode.

Configuration Examples for Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

Example: Configuring PfR to Monitor and Control GRE/IPsec VPN Prefixes

Example: Configuring PfR to Monitor and Control GRE/IPsec VPN Prefixes

Figure 2 shows a central VPN site and two remote VPN sites. VPN peering is established through the service provider clouds. a PfR-managed network is configured at each site where Cisco IOS PfR configuration is applied independently. Each site has a separate master controller and border router process, and each site maintains a separate master controller database.

Figure 2 VPN Sites Controlled by PfR-Managed Networks

Two GRE tunnels are configured between each remote site and the central site. VPN prefixes are encapsulated in GRE tunnels, which in turn are protected by IPsec encryption. The examples in this section show the configuration for the central VPN site, VPN A, and VPN B.

Central VPN Configuration: PfR Master Controller

The central VPN site peers with VPN A and VPN B. A separate policy is defined for each site using a PfR map. For VPN A prefixes, a delay policy of 80 ms is configured and out-of-policy prefixes are moved to the first in-policy exit. For VPN B prefixes, a delay policy of 40 ms and a relative loss policy are configured, and out-of-policy prefixes are moved to the best available exit. 

key chain PFR

 key 1

  key-string CISCO

!

pfr master

 logging

 border 10.4.9.6 key-chain PFR

  interface Ethernet 0/0 external

  interface Ethernet 0/1 internal

!

 border 10.4.9.7 key-chain PFR

  interface Ethernet 0/0 external

  interface Ethernet 0/1 internal

!

 mode route control 

 mode monitor both 

 exit

!

ip prefix VPN A permit 10.4.9.25

pfr-map VPNA 

 match ip address prefix-list VPNB

 set delay 800 

 set mode select-exit good

 exit

!

ip prefix VPNB permit 10.4.9.254 

pfr-map VPNB 

 match ip address prefix-list VPNC

 set delay 400 

 set loss relative 100 

 set resolve loss priority 1 variance 10 

 set mode select-exit best

 end

Central VPN Configuration: BR1

The following example, starting in global configuration mode, shows the central VPN configuration for BR1: 

key chain PFR

 key 1

  key-string CISCO

!

pfr border 

 local serial 0/1

 master 10.4.9.4 key-chain PFR

!

ip route 10.70.1.0 255.255.255.0 

!

route-map REDISTRIBUTE_STATIC

 match tag 5000

 set metric -10

 exit

!

router eigrp 1 

 network 10.70.0.0 0.0.0.255

 redistribute static route-map REDISTRIBUTE_STATIC

 exit

!

crypto ipsec security-association lifetime kilobytes 530000000

crypto ipsec security-association lifetime second 14400

crypto ipsec transform-set VPN_1 esp-3des esp-sha-hmac 

 mode transport

 exit

!

crypto map TUNNEL 10 ipsec-isakmp

 set peer 10.4.9.81

 set transform-set VPN_1 

 match address 100 

!

crypto ipsec profile PFR

 set transform-set VPN_1

 exit 

crypto map TUNNEL local-address Ethernet 0/0

!

crypto isakmp key 0 CISCO address 10.4.9.81 no-xauth

crypto isakmp keepalive 10

crypto isakmp policy 1

 encryption 3des

 authentication pre-share

 exit

!

interface Ethernet0/0

 ip address 10.4.9.14 255.255.255.0

 crypto map TUNNEL 

 exit

!

interface Tunnel0

 ip address 10.100.2.1 255.255.0.0

 keepalive 30 5 

 bandwidth 500

 bandwidth inherit

 tunnel mode gre ip

 tunnel source 10.4.9.14

 tunnel destination 10.4.9.81

 tunnel protection ipsec profile PFR

 exit

Central VPN Configuration: BR2

The following example, starting in global configuration mode, shows the central VPN configuration of BR2: 

key chain PFR

 key 1

  key-string CISCO

!

pfr border 

 local Ethernet 0/1

 master 10.4.9.4 key-chain PFR

!

ip route 10.70.1.0 255.255.255.0

!

route-map REDISTRIBUTE_STATIC

 match tag 5000

 set metric -10

 exit

!

router eigrp 1 

 network 10.70.0.0 0.0.0.255

 redistribute static route-map REDISTRIBUTE_STATIC

!

crypto ipsec security-association lifetime kilobytes 530000000

crypto ipsec security-association lifetime second 14400

crypto ipsec transform-set VPN_1 esp-3des esp-sha-hmac 

 mode transport

 exit

!

crypto map TUNNEL 10 ipsec-isakmp

 set peer 10.4.9.82

 set transform-set VPN_1 

 match address 100 

!

crypto ipsec profile PFR

 set transform-set VPN_1

 exit 

crypto map TUNNEL local-address Ethernet 0/0

!

crypto isakmp key 0 CISCO address 10.4.9.82 no-xauth

crypto isakmp keepalive 10

crypto isakmp policy 1

 encryption 3des

 authentication pre-share

 exit

!

interface Ethernet0/0

 ip address 10.4.9.15 255.255.255.0

 crypto map TUNNEL 

 exit

!

interface Tunnel0

 ip address 10.100.2.2 255.255.0.0

 keepalive 30 5 

 bandwidth 500

 bandwidth inherit

 tunnel mode gre ip

 tunnel source 10.4.9.15

 tunnel destination 10.4.9.82

 tunnel protection ipsec profile PFR

 end

Central VPN Configuration: Internal Peers

The following example shows an EIGRP routing process created to establish peering with the border routers and internal peers: 

router eigrp 1 

 network 10.50.1.0 0.0.0.255 

 redistribute static route-map REDISTRIBUTE_STATIC 

 end

VPN A Configuration: MC/BR

The following configuration example, starting in global configuration mode, shows the configuration of VPN A. VPN A is a remote site that is configured for a small office home office (SOHO) client. A single router is deployed. This router peers with service provider B and service provider E. No Interior Gateway Protocol (IGP) is deployed at this network; only a static route is configured to the remote tunnel endpoint at the central site. A delay policy, a loss policy, and optimal exit link selection are configured so that traffic is always routed through the ISP with the lowest delay time and lowest packet loss. A resolve policy is configured to configure loss to have the highest priority. Neither the physical interface configuration nor the router IGP peering configurations are shown in this example. 

key chain BR1

 key 1

  key-string CISCO

!

Note The local border router process is enabled. Because the border router and master controller process is enabled on the same router, a loopback interface (192.168.0.1) is configured as the local interface. 

pfr border

 local Loopback0 

 master 192.168.0.1 key-chain BR1

!

pfr master

 learn

 delay

 mode route control 

 delay threshold 100

 loss relative 200

 periodic 300 

 mode select-exit good 

resolve loss priority 1 variance 20

resolve delay priority 2 variance 10

!

 border 192.168.0.1 key-chain BR1

  interface Serial0/0 internal

  interface Tunnel0 external

  interface Tunnel0 external

  exit

!

crypto ipsec security-association lifetime kilobytes 530000000

crypto ipsec security-association lifetime second 14400

crypto ipsec transform-set VPN_1 esp-3des esp-sha-hmac 

 mode transport

 exit

!

crypto map TUNNEL 10 ipsec-isakmp

 set peer 10.4.9.81

 set transform-set VPN_1 

 match address 100 

!

crypto ipsec profile PFR

 set transform-set VPN_1

 exit 

crypto map TUNNEL local-address Ethernet 0/0

!

crypto isakmp key 0 CISCO address 10.4.9.81 no-xauth

crypto isakmp keepalive 10

crypto isakmp policy 1

 encryption 3des

 authentication pre-share

 exit

!


interface Ethernet0/0

 ip address 10.4.9.14 255.255.255.0

 crypto map TUNNEL 

 exit

!

interface Tunnel0

 ip address 10.100.2.1 255.255.0.0

 keepalive 30 5 

 bandwidth 500

 bandwidth inherit

 tunnel mode gre ip

 tunnel source 10.4.9.14

 tunnel destination 10.4.9.81

 tunnel protection ipsec profile PFR

 exit

!

Note A single tunnel configuration is show in this example. Two tunnels are required to configure VPN optimization.

VPN B Configuration: PfR Master Controller

The following example, starting in global configuration mode, shows the master controller configuration in VPN B. Load distribution and route control mode are enabled. Out-of-policy prefixes are configured to be moved to the first in-policy exit. 

key chain PFR 

 key 1

  key-string CISCO

!

pfr master

 logging

 border 10.4.9.6 key-chain PFR

  interface Ethernet 0/0 external

  interface Ethernet 0/1 internal

!

 border 10.4.9.7 key-chain PFR

  interface Ethernet 0/0 external

  interface Ethernet 0/1 internal

!

mode route control 

mode select-exit good 

max-range utilization 

!

 learn

  delay

  end

VPN B Configuration: BR1

The following example, starting in global configuration mode, shows the VPN B configuration for BR1: 

key chain PFR

 key 1

  key-string CISCO

!

pfr border 

 local Ethernet 0/1

 master 10.4.9.4 key-chain PFR

!

route-map REDISTRIBUTE_STATIC

 match tag 5000

 set metric -10

 exit

!

router rip

 network 10.60.1.0 

 redistribute static route-map REDISTRIBUTE_STATIC

 end

!

crypto ipsec security-association lifetime kilobytes 530000000

crypto ipsec security-association lifetime second 14400

crypto ipsec transform-set VPN_1 esp-3des esp-sha-hmac 

 mode transport

 exit

!

crypto map TUNNEL 10 ipsec-isakmp

 set peer 10.4.9.82

 set transform-set VPN_1 

 match address 100 

!

crypto ipsec profile PFR

 set transform-set VPN_1

 exit 

crypto map TUNNEL local-address Ethernet 0/0

!

crypto isakmp key 0 CISCO address 10.4.9.82 no-xauth

crypto isakmp keepalive 10

crypto isakmp policy 1

 encryption 3des

 authentication pre-share

 exit

!

interface Ethernet0/0

 ip address 10.4.9.15 255.255.255.0

 crypto map TUNNEL 

 exit

!

interface Tunnel0

 ip address 10.100.2.2 255.255.0.0

 keepalive 30 5 

 bandwidth 500

 bandwidth inherit

 tunnel mode gre ip

 tunnel source 10.4.9.15

 tunnel destination 10.4.9.82

 tunnel protection ipsec profile PFR

 end

VPN B Configuration: BR2

The following example, starting in global configuration mode, shows the VPN B configuration for BR2: 

key chain PFR

 key 1

  key-string CISCO

!

pfr border 

 local Ethernet 0/1

 master 10.4.9.4 key-chain PFR

 exit 

!

route-map REDISTRIBUTE_STATIC

 match tag 5000

 set metric -10

 exit

!

router rip

 network 10.60.1.0 

 redistribute static route-map REDISTRIBUTE_STATIC

 exit

!

crypto ipsec security-association lifetime kilobytes 530000000

crypto ipsec security-association lifetime second 14400

crypto ipsec transform-set VPN_1 esp-3des esp-sha-hmac 

 mode transport

 exit

!

crypto map TUNNEL 10 ipsec-isakmp

 set peer 10.4.9.82

 set transform-set VPN_1 

 match address 100 

!

crypto ipsec profile PFR

 set transform-set VPN_1

 exit 

crypto map TUNNEL local-address Ethernet 0/0

!

crypto isakmp key 0 CISCO address 10.4.9.82 no-xauth

crypto isakmp keepalive 10

crypto isakmp policy 1

 encryption 3des

 authentication pre-share

 exit

!

interface Ethernet0/0

 ip address 10.4.9.15 255.255.255.0

 crypto map TUNNEL 

 exit

!

interface Tunnel0

 ip address 10.100.2.2 255.255.0.0

 keepalive 30 5 

 bandwidth 500

 bandwidth inherit

 tunnel mode gre ip

 tunnel source 10.4.9.15

 tunnel destination 10.4.9.82

 tunnel protection ipsec profile PFR

 end

VPN B Configuration: Internal Peers

The following example shows a Routing Information Protocol (RIP) routing process created to establish peering with the border routers and internal peers: 

router rip 

 network 10.60.1.0 

 end

Where to Go Next

This module covers configuring VPN IPsec/GRE tunnel interfaces as PfR-managed exit links and presumes that you are familiar with the PfR technology. If you want to review more information about PfR, see the documents that are listed under "Related Documents" section.

Additional References

Related Documents

Related Topic
Document Title

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

Cisco PfR commands: complete command syntax, command mode, command history, defaults, usage guidelines and examples

Cisco IOS Performance Routing Command Reference

Basic PfR configuration

"Configuring Basic Performance Routing" module

Advanced PfR configuration

"Configuring Advanced Performance Routing" module

Concepts required to understand the Performance Routing operational phases

"Understanding Performance Routing" module

Location of PfR features

"Cisco IOS Performance Routing Features Roadmap" module

Key Chain Authentication: information about authentication key configuration and management in Cisco IOS software

"Managing Authentication Keys" section of the "Configuring IP Routing Protocol-Independent Features" chapter in the Cisco IOS IP Routing: Protocol-Independent Configuration Guide


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html


Feature Information for Configuring VPN IPsec/GRE Tunnel Interfaces As PfR-Managed Exit Links

Table 1 lists the release history for this feature.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1 Feature Information for VPN IPsec/GRE Tunnel Interface Optimization

Feature Name
Releases
Feature Information

VPN IPsec/GRE Tunnel Optimization

12.3(11)T

Introduced the ability to configure IPsec/GRE tunnel interfaces as PfR-managed exit links.


Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2010 Cisco Systems, Inc. All rights reserved.