Configuring VPN IPsec GRE Tunnel Interfaces As OER-Managed Exit Links

Available Languages

Download Options

  • PDF     (218.5 KB)
    View with Adobe Reader on a variety of devices
Updated:March 11, 2011

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Configuring VPN IPsec GRE Tunnel Interfaces As OER-Managed Exit Links

Contents

Configuring VPN IPsec GRE Tunnel Interfaces As OER-Managed Exit Links

Last Updated: March 10, 2011

This module documents an Optimized Edge Routing (OER) solution that describes how to configure IP security (IPsec)/Generic Routing Encapsulation (GRE) tunnel interfaces as OER-managed exit links. The VPN IPsec/GRE Tunnel Optimization solution was introduced in Cisco IOS Release 12.3(11)T, and only network-based IPsec Virtual Private Networks (VPNs) are supported.

OER provides automatic route optimization and load distribution for multiple connections between networks. OER is an integrated Cisco IOS solution that allows you to monitor IP traffic flows and then define policies and rules based on prefix performance, link load distribution, link bandwidth monetary cost, and traffic type. OER provides active and passive monitoring systems, dynamic failure detection, and automatic path correction. Deploying OER enables intelligent load distribution and optimal route selection in an enterprise network.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring VPN IPsec GRE Tunnel Interfaces As OER-Managed Exit Links

  • Before implementing VPN IPsec/GRE tunnel interfaces as OER-managed exit links you need to understand how to configure a basic OER-managed network. See the Cisco IOS Optimized Edge Routing Overview and Setting Up OER Network components modules for more details. For a list of other OER configuration modules, see the Where to Go Next section and the Related Documents section.
  • Cisco Express Forwarding (CEF) must be enabled on all participating routers.
  • Routing protocol peering or static routing is configured in the OER-managed network.
  • Standard Cisco OER border router and master controller configurations are completed.

Restrictions for Configuring VPN IPsec GRE Tunnel Interfaces As OER-Managed Exit Links

Cisco IOS OER supports the optimization of prefixes that are routed over IPsec/GRE tunnel interfaces. Only GRE and multipoint GRE VPN tunnels are supported.

Information About Configuring VPN IPsec GRE Tunnel Interfaces As OER-Managed Exit Links

VPN IPsec GRE Tunnel Interface Optimization

Cisco IOS OER supports the optimization of prefixes that are routed over IPsec/GRE tunnel interfaces. The VPN tunnel interface is configured as OER external interfaces on the master controller. The figure below shows an OER-managed network that is configured to optimize VPN traffic. Cisco IOS OER is deployed at the central office and remote offices.

Figure 1. Cisco IOS OER Network Optimized for VPN Routing

This enhancement allows you to configure two-way VPN optimization. A master controller and border router process are enabled on each side of the VPN. Each site maintains a separate master controller database. VPN routes can be dynamically learned through the tunnel interfaces or can be configured. Prefix and exit link policies are configured for VPN prefixes through a standard Cisco IOS OER configuration.

Protection of Route Prefixes with IPsec over GRE Tunnels

The IPsec-to-GRE model allows a service provider to provide VPN services over the IP backbone. Both the central and remote VPN clients terminate according to the IPsec-to-IPsec model. Prefixes are encapsulated using GRE tunnels. The GRE packet is protected by IPsec. The encapsulated prefixes are forwarded from the central VPN site to a customer headend router that is the other endpoint for GRE. The IPsec-protected GRE packets provide secure connectivity across the IP backbone of the service provider network.

For more information about configuring IPsec over GRE tunnels, see the Dynamic Multipoint IPsec VPNs (Using Multipoint GRE/NHRP to Scale IPsec VPNs) document published at the following URL:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml

How to Configure VPN IPsec GRE Tunnel Interfaces As OER-Managed Exit Links

Configuring OER to Monitor and Control IPsec VPN Prefixes over GRE Tunnels

Perform this task to configure the IPsec VPN configuration over GRE tunnels. Initially the IPsec VPN is configured on a border router, and the tunnel interface is configured as an OER-managed external interface on the master controller. In this task an IKE policy is defined, a transform set is configured, a crypto profile and a crypto map are defined, and a GRE tunnel is configured.

The GRE tunnel and IPsec protection in this task are configured on the border router. The configuration steps in this task show how to configure a single tunnel. At least two tunnels must be configured on border routers in an OER-managed network. The IPsec configuration must be applied at each tunnel endpoint (the central and remote site).

Configuration of GRE Tunnel Interfaces As OER-Managed Exit Links

GRE tunnel interfaces on the border routers are configured as OER external interfaces on the master controller. At least two external tunnel interfaces must be configured on separate physical interfaces in an OER-managed network. These interfaces can be configured on a single border router or multiple border routers. Internal interfaces are configured normally using a physical interface that is on the border router and is reachable by the master controller.


Note

Cisco IOS OER supports only IPsec/GRE VPNs. No other VPN types are supported.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}

4.    crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]

5.    mode [tunnel | transport]

6.    exit

7.    crypto map map-name seq-num [ipsec-isakmp]

8.    set peer {host-name [dynamic] [default] | ip-address [default]}

9.    set transform-set transform-set-name [transform-set-name2...transform-set-name6]

10.    match address [access-list-id | name]

11.    exit

12.    crypto ipsec profile name

13.    set transform-set transform-set-name [transform-set-name2...transform-set-name6]

14.    exit

15.    crypto map map-name local-address interface-id

16.    crypto isakmp key encryption-level key-string {address peer-address [mask] | hostname name} [no-xauth]

17.    crypto isakmp keepalive seconds [retries] [periodic | on-demand]

18.    crypto isakmp policy priority

19.    encryption {des | 3des | aes | aes 192 | aes 256}

20.    authentication {rsa-sig | rsa-encr | pre-share}

21.    exit

22.    interface type number [name-tag]

23.    ip address ip-address mask [secondary]

24.    crypto map map-name [redundancy standby-name]

25.    exit

26.    interface type number [name-tag]

27.    ip address ip-address mask [secondary]

28.    keepalive [period [retries]]

29.    bandwidth {kbps | inherit [kbps]}

30.    tunnel mode gre ip

31.    tunnel source {ip-address | interface-type interface-number}

32.    tunnel destination {host-name | ip-address}

33.    tunnel protection ipsec profile name [shared]

34.    exit

35.    ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [dhcp] [distance] [name] [permanent] [tag tag]

36.    access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

37.    end


DETAILED STEPS
  Command or Action Purpose
Step 1 enable


Example: 
Router> enable
 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2 configure terminal


Example: 
Router# configure terminal
 

Enters global configuration mode.

 
Step 3 crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}


Example: 
Router(config)# crypto ipsec security-association lifetime kilobytes 530000000
 

Sets global lifetime values used when negotiating IPsec security associations.

  • The example sets volume of traffic, in kilobytes, that can pass between IPsec peers for this security association.
 
Step 4 crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]


Example: 
Router(config)# crypto ipsec transform-set VPN_1 esp-des esp-3des esp-sha-hmac
 

Enters crypto transform configuration mode to create or modify a transform set--an acceptable combination of security protocols and algorithms.

  • The example specifies 56-bit Data Encryption Standard (DES), 168-bit DES, or Secure Hash Algorithm (SHA) for authentication.
 
Step 5 mode [tunnel | transport]


Example: 
Router(cfg-crypto-trans)# mode transport
 

Sets the mode for the transform set.

  • The example sets the mode to transport. The default mode is tunnel. Under tunnel mode, the entire packet is protected. Under transport mode, only the payload is protected. Encapsulation is performed by GRE.
 
Step 6 exit


Example: 
Router(cfg-crypto-trans)# exit
 

Exits crypto transform configuration mode and enters global configuration mode.

 
Step 7 crypto map map-name seq-num [ipsec-isakmp]


Example: 
Router(config)# crypto map TUNNEL 10 ipsec-isakmp
 

Enters crypto map configuration mode to create or modify a crypto map.

  • The example creates a crypto map named TUNNEL and configures IKE to establish the security association.
 
Step 8 set peer {host-name [dynamic] [default] | ip-address [default]}


Example: 
Router(config-crypto-map)# set peer 10.4.9.81
 

Specifies the IPsec peer in the crypto map entry.

 
Step 9 set transform-set transform-set-name [transform-set-name2...transform-set-name6]


Example: 
Router(config-crypto-map)# set transform-set VPN_1
 

Specifies which transform sets can be used with the crypto map entry.

  • Specifies the transform set VPN_1, which was configured in Step 4.
 
Step 10 match address [access-list-id | name]


Example: 
Router(config-crypto-map)# match address 100
 

Specifies an extended access list to define IPsec peers for the crypto map entry.

  • The access list is defined in Step 36.
 
Step 11 exit


Example: 
Router(config-crypto-map)# exit
 

Exits crypto map configuration mode and enters global configuration mode.

 
Step 12 crypto ipsec profile name


Example: 
Router(config)# crypto ipsec profile OER
 

Defines the IPsec parameters that are to be used for IPsec encryption between two IPsec routers and enters IPsec profile configuration mode.

  • The example creates a profile named OER.
 
Step 13 set transform-set transform-set-name [transform-set-name2...transform-set-name6]


Example: 
Router(ipsec-profile)# set transform-set VPN_1
 

Specifies which transform sets can be used with the crypto map entry.

  • Specifies the transform set VPN_1, which was configured in Step 4.
 
Step 14 exit


Example: 
Router(ipsec-profile)# exit
 

Exits IPsec profile configuration mode and enters global configuration mode.

 
Step 15 crypto map map-name local-address interface-id


Example: 
Router(config)# crypto map TUNNEL local-address FastEthernet 0/0
 

Attaches a defined crypto map to the specified interface.

  • The example attaches the crypto map named TUNNEL to interface FastEthernet 0/0.
 
Step 16 crypto isakmp key encryption-level key-string {address peer-address [mask] | hostname name} [no-xauth]


Example: 
Router(config)# crypto isakmp key 0 CISCO address 10.4.9.81 no-xauth
 

Creates the preshared authentication key.

  • The example configures encryption level 0 and configures the router to not prompt the IPsec peer for extended authentication. However, any encryption level or authentication level can be specified.
 
Step 17 crypto isakmp keepalive seconds [retries] [periodic | on-demand]


Example: 
Router(config)# crypto isakmp keepalive 10
 

Allows the gateway to send dead peer detection (DPD) messages to the peer.

 
Step 18 crypto isakmp policy priority


Example: 
Router(config)# crypto isakmp policy 1
 

Defines an Internet Key Exchange (IKE) policy and enters ISAKMP policy configuration mode.

 
Step 19 encryption {des | 3des | aes | aes 192 | aes 256}


Example: 
Router(config-isakmp)# encryption 3des
 

Specifies the encryption algorithm within the IKE policy.

  • The example specifies 168-bit DES encryption.
 
Step 20 authentication {rsa-sig | rsa-encr | pre-share}


Example: 
Router(config-isakmp)# authentication pre-share
 

Specifies the authentication method within the IKE policy.

  • The example specifies that a preshared key will be used.
 
Step 21 exit


Example: 
Router(config-isakmp)# exit
 

Exits ISAKMP policy configuration mode and enters global configuration mode.

 
Step 22 interface type number [name-tag]


Example: 
Router(config)# interface FastEthernet0/0
 

Configures an interface type and enters interface configuration mode.

  • The physical interface is defined in this step.
 
Step 23 ip address ip-address mask [secondary]


Example: 
Router(config-if)# ip address 10.4.9.14 255.255.255.0
 

Sets a primary or secondary IP address for an interface.

 
Step 24 crypto map map-name [redundancy standby-name]


Example: 
Router(config-if)# crypto map TUNNEL
 

Applies the crypto map set to the interface.

  • The example specifies the crypto map named TUNNEL, which was defined in Step 7.
 
Step 25 exit


Example: 
Router(config-if)# exit
 

Exits interface configuration mode and enters global configuration mode.

 
Step 26 interface type number [name-tag]


Example: 
Router(config)# interface Tunnel0
 

Configures an interface type and enters interface configuration mode.

  • The tunnel interface is defined in this step.
 
Step 27 ip address ip-address mask [secondary]


Example: 
Router(config-if) ip address 10.100.2.1 255.255.0.0
 

Sets a primary or secondary IP address for an interface.

 
Step 28 keepalive [period [retries]]


Example: 
Router(config-if) keepalive 30 5
 

Enables keepalive packets and specifies the number of times that the Cisco IOS software tries to send keepalive packets without a response before bringing down the interface or before bringing the tunnel protocol down for a specific interface.

 
Step 29 bandwidth {kbps | inherit [kbps]}


Example: 
Router(config-if)# bandwidth 500


Example: 
 

Example: 
Router(config-if)# bandwidth inherit 
  		 
           
 Sets and communicates the current bandwidth value for an interface to higher-level protocols. 
  		 
         
 
         
 
          Step 30 
            tunnel mode   gre ip  
 

Example: 
Router(config-if)# tunnel mode gre ip
  		 
           
 Sets the encapsulation mode for the tunnel interface. 
  
             
           
 
             
             
 
              Note    
               Only partial syntax is shown here. For more details, see the Cisco IOS Interface and Hardware Component Command Reference, 12.4T.  
             
 
             
           
  		 
         
 
         
 
          Step 31 
            tunnel source {ip-address | interface-type interface-number} 
 

Example: 
Router(config-if)# tunnel source 10.4.9.14
  		 
           
 Sets the source address for a tunnel interface. 
  
             
           
     
            
  •  
               The source interface in the example was defined in Step 22. The interface name or IP address can be specified. 
    •  
           
  		 
         
 
         
 
          Step 32 
            tunnel destination {host-name | ip-address} 
 

Example: 
Router(config-if)# tunnel destination 10.4.9.81
  		 
           
 Specifies the destination for a tunnel interface. 
  
             
           
     
            
  •  
               The IP address of the physical interface where the remote tunnel end point is attached is configured in this step. 
    •  
           
  		 
         
 
         
 
          Step 33 
            tunnel protection   ipsec profile       name     [shared] 
 

Example: 
Router(config-if)# tunnel protection ipsec profile OER
  		 
           
 Associates the tunnel interface with the IPsec profile. 
  
             
           
     
            
  •  
               The IPsec profile named OER that is configured in the example was defined in Step 19. 
    •  
           
  		 
         
 
         
 
          Step 34 
            exit  
 

Example: 
Router(config-if)# exit 
  		 
           
 Exits interface configuration mode and enters global configuration mode. 
  		 
         
 
         
 
          Step 35 
            ip route   prefix mask  {ip-address | interface-type interface-number [ip-address]} [dhcp] [distance] [name] [permanent] [tag tag] 
 

Example: 
Router(config)# ip route 10.2.2.2 255.255.255.255 Tunnel0 
  		 
           
 Establishes a static route. 
  
             
           
     
            
  •  
               A default route is configured for the tunnel destination host or network. 
    •  
           
  		 
         
 
         
 
          Step 36 
            access-list   access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments] 
 

Example: 
Router(config)# access-list 100 permit gre host 10.4.9.14 host 10.4.9.81
  		 
           
 Creates or configures an extended IP access list. 
  
             
           
     
            
  •  
               An extended access list is defined to permit only the GRE hosts. 
    •  
            
  •  
               The access list in this example is referenced in the match address statement in Step 10. 
    •  
           
  		 
         
 
         
 
          Step 37 
            end  
 

Example: 
Router(config)# end
  		 
           
 Exits global configuration mode and enters privileged EXEC mode. 
  		 
         
 
         
       
 
      
 
      
 
       
 
       
 
      
 
     
 
    
 
   
 
   
 
     
      
    
Configuration Examples for Configuring VPN IPsec GRE Tunnel Interfaces As OER-Managed Exit Links
 
     
     
    
 
      
       
     
Configuring OER to Monitor and Control GRE IPsec VPN Prefixes Example
 
     
 
      
 
        
         
       
 The figure below shows a central VPN site and two remote VPN sites. VPN peering is established through the service provider clouds. An OER-managed network is configured at each site where Cisco IOS OER configuration is applied independently. Each site has a separate master controller and border router process, and each site maintains a separate master controller database. 
 
       
 
         
          
        Figure 2. VPN Sites Controlled by OER-Managed Networks 
        
 
        
 
         
          
         
       
 
       
 Two GRE tunnels are configured between each remote site and the central site. VPN prefixes are encapsulated in GRE tunnels, which in turn are protected by IPsec encryption. The examples in this section show the configuration for the central VPN site, VPN A, and VPN B. 
 
      
 
      
 
        
         
       
Central VPN Configuration: OER Master Controller
 
       
 The central VPN site peers with VPN A and VPN B. A separate policy is defined for each site using an OER map. For VPN A prefixes, a delay policy of 80 ms is configured and out-of-policy prefixes are moved to the first in-policy exit. For VPN B prefixes, a delay policy of 40 ms and a relative loss policy are configured, and out-of-policy prefixes are moved to the best available exit. 
 
       
key chain OER 
 key 1
  key-string CISCO
!
oer master
 logging
 border 10.4.9.6 key-chain OER
  interface Ethernet 0/0 external
  interface Ethernet 0/1 internal
!
 border 10.4.9.7 key-chain OER
  interface Ethernet 0/0 external
  interface Ethernet 0/1 internal
!
 mode route control 
 mode monitor both 
 exit
!
ip prefix VPN A permit 10.4.9.25
oer-map VPNA 
 match ip address prefix-list VPNB
 set delay 800 
 set mode select-exit good
 exit
!
ip prefix VPNB permit 10.4.9.254 
oer-map VPNB 
 match ip address prefix-list VPNC
 set delay 400 
 set loss relative 100 
 set resolve loss priority 1 variance 10 
 set mode select-exit best
 end
 
      
 
      
 
        
         
       
Central VPN Configuration: BR1 
 
       
 The following example, starting in global configuration mode, shows the central VPN configuration for BR1: 
 
       
key chain OER
 key 1
  key-string CISCO
!
oer border 
 local serial 0/1
 master 10.4.9.4 key-chain OER
!
ip route 10.70.1.0 255.255.255.0 
!
route-map REDISTRIBUTE_STATIC
 match tag 5000
 set metric -10
 exit
!
router eigrp 1 
 network 10.70.0.0 0.0.0.255
 redistribute static route-map REDISTRIBUTE_STATIC
 exit
!
crypto ipsec security-association lifetime kilobytes 530000000
crypto ipsec security-association lifetime second 14400
crypto ipsec transform-set VPN_1 esp-3des esp-sha-hmac 
 mode transport
 exit
!
crypto map TUNNEL 10 ipsec-isakmp
 set peer 10.4.9.81
 set transform-set VPN_1 
 match address 100 
!
crypto ipsec profile OER
 set transform-set VPN_1
 exit 
crypto map TUNNEL local-address Ethernet 0/0
!
crypto isakmp key 0 CISCO address 10.4.9.81 no-xauth
crypto isakmp keepalive 10
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 exit
!
interface Ethernet0/0
 ip address 10.4.9.14 255.255.255.0
 crypto map TUNNEL 
 exit
!
interface Tunnel0
 ip address 10.100.2.1 255.255.0.0
 keepalive 30 5 
 bandwidth 500
 bandwidth inherit
 tunnel mode gre ip
 tunnel source 10.4.9.14
 tunnel destination 10.4.9.81
 tunnel protection ipsec profile OER
 exit
 
      
 
      
 
        
         
       
Central VPN Configuration: BR2 
 
       
 The following example, starting in global configuration mode, shows the central VPN configuration of BR2: 
 
       
key chain OER
 key 1
  key-string CISCO
!
oer border 
 local Ethernet 0/1
 master 10.4.9.4 key-chain OER
!
ip route 10.70.1.0 255.255.255.0
!
route-map REDISTRIBUTE_STATIC
 match tag 5000
 set metric -10
 exit
!
router eigrp 1 
 network 10.70.0.0 0.0.0.255
 redistribute static route-map REDISTRIBUTE_STATIC
!
crypto ipsec security-association lifetime kilobytes 530000000
crypto ipsec security-association lifetime second 14400
crypto ipsec transform-set VPN_1 esp-3des esp-sha-hmac 
 mode transport
 exit
!
crypto map TUNNEL 10 ipsec-isakmp
 set peer 10.4.9.82
 set transform-set VPN_1 
 match address 100 
!
crypto ipsec profile OER
 set transform-set VPN_1
 exit 
crypto map TUNNEL local-address Ethernet 0/0
!
crypto isakmp key 0 CISCO address 10.4.9.82 no-xauth
crypto isakmp keepalive 10
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 exit
!
interface Ethernet0/0
 ip address 10.4.9.15 255.255.255.0
 crypto map TUNNEL 
 exit
!
interface Tunnel0
 ip address 10.100.2.2 255.255.0.0
 keepalive 30 5 
 bandwidth 500
 bandwidth inherit
 tunnel mode gre ip
 tunnel source 10.4.9.15
 tunnel destination 10.4.9.82
 tunnel protection ipsec profile OER
 end 
 
      
 
      
 
        
         
       
Central VPN Configuration: Internal Peers 
 
       
 The following example shows an EIGRP routing process created to establish peering with the border routers and internal peers: 
 
       
router eigrp 1 
 network 10.50.1.0 0.0.0.255 
 redistribute static route-map REDISTRIBUTE_STATIC 
 end
 
      
 
      
 
        
         
       
VPN A Configuration: MC/BR 
 
       
 The following configuration example, starting in global configuration mode, shows the configuration of VPN A. VPN A is a remote site that is configured for a small office home office (SOHO) client. A single router is deployed. This router peers with service provider B and service provider E. No Interior Gateway Protocol (IGP) is deployed at this network; only a static route is configured to the remote tunnel endpoint at the central site. A delay policy, a loss policy, and optimal exit link selection are configured so that traffic is always routed through the ISP with the lowest delay time and lowest packet loss. A resolve policy is configured to configure loss to have the highest priority. Neither the physical interface configuration nor the router IGP peering configurations are shown in this example. 
 
       
key chain BR1
 key 1
  key-string CISCO
!
 
        
         
       
 
         
         
 
          
Note		 
          
 
           
 The local border router process is enabled. Because the border router and master controller process is enabled on the same router, a loopback interface (192.168.0.1) is configured as the local interface. 
           
 
         
 
         
       
 
       
oer border
 local Loopback0 
 master 192.168.0.1 key-chain BR1
!
oer master
 learn
 delay
 mode route control 
 delay threshold 100
 loss relative 200
 periodic 300 
 mode select-exit good 
resolve loss priority 1 variance 20
resolve delay priority 2 variance 10
!
 border 192.168.0.1 key-chain BR1
  interface Serial0/0 internal
  interface Tunnel0 external
  interface Tunnel0 external
  exit
!
crypto ipsec security-association lifetime kilobytes 530000000
crypto ipsec security-association lifetime second 14400
crypto ipsec transform-set VPN_1 esp-3des esp-sha-hmac 
 mode transport
 exit
!
crypto map TUNNEL 10 ipsec-isakmp
 set peer 10.4.9.81
 set transform-set VPN_1 
 match address 100 
!
crypto ipsec profile OER
 set transform-set VPN_1
 exit 
crypto map TUNNEL local-address Ethernet 0/0
!
crypto isakmp key 0 CISCO address 10.4.9.81 no-xauth
crypto isakmp keepalive 10
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 exit
!
interface Ethernet0/0
 ip address 10.4.9.14 255.255.255.0
 crypto map TUNNEL 
 exit
!
interface Tunnel0
 ip address 10.100.2.1 255.255.0.0
 keepalive 30 5 
 bandwidth 500
 bandwidth inherit
 tunnel mode gre ip
 tunnel source 10.4.9.14
 tunnel destination 10.4.9.81
 tunnel protection ipsec profile OER
 exit
!
 
        
         
       
 
         
         
 
          
Note		 
          
 
           
 A single tunnel configuration is show in this example. Two tunnels are required to configure VPN optimization. 
           
 
         
 
         
       
 
      
 
      
 
        
         
       
VPN B Configuration: OER Master Controller
 
       
 The following example, starting in global configuration mode, shows the master controller configuration in VPN B. Load distribution and route control mode are enabled. Out-of-policy prefixes are configured to be moved to the first in-policy exit. 
 
       
key chain OER 
 key 1
  key-string CISCO
!
oer master
 logging
 border 10.4.9.6 key-chain OER
  interface Ethernet 0/0 external
  interface Ethernet 0/1 internal
!
 border 10.4.9.7 key-chain OER
  interface Ethernet 0/0 external
  interface Ethernet 0/1 internal
!
mode route control 
mode select-exit good 
max-range utilization 
!
 learn
  delay
  end 
 
      
 
      
 
        
         
       
VPN B Configuration: BR1
 
       
 The following example, starting in global configuration mode, shows the VPN B configuration for BR1: 
 
       
key chain OER
 key 1
  key-string CISCO
!
oer border 
 local Ethernet 0/1
 master 10.4.9.4 key-chain OER
!
route-map REDISTRIBUTE_STATIC
 match tag 5000
 set metric -10
 exit
!
router rip
 network 10.60.1.0 
 redistribute static route-map REDISTRIBUTE_STATIC
 end
!
crypto ipsec security-association lifetime kilobytes 530000000
crypto ipsec security-association lifetime second 14400
crypto ipsec transform-set VPN_1 esp-3des esp-sha-hmac 
 mode transport
 exit
!
crypto map TUNNEL 10 ipsec-isakmp
 set peer 10.4.9.82
 set transform-set VPN_1 
 match address 100 
!
crypto ipsec profile OER
 set transform-set VPN_1
 exit 
crypto map TUNNEL local-address Ethernet 0/0
!
crypto isakmp key 0 CISCO address 10.4.9.82 no-xauth
crypto isakmp keepalive 10
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 exit
!
interface Ethernet0/0
 ip address 10.4.9.15 255.255.255.0
 crypto map TUNNEL 
 exit
!
interface Tunnel0
 ip address 10.100.2.2 255.255.0.0
 keepalive 30 5 
 bandwidth 500
 bandwidth inherit
 tunnel mode gre ip
 tunnel source 10.4.9.15
 tunnel destination 10.4.9.82
 tunnel protection ipsec profile OER
 end
 
      
 
      
 
        
         
       
VPN B Configuration: BR2 
 
       
 The following example, starting in global configuration mode, shows the VPN B configuration for BR2: 
 
       
key chain OER
 key 1
  key-string CISCO
!
oer border 
 local Ethernet 0/1
 master 10.4.9.4 key-chain OER
 exit 
!
route-map REDISTRIBUTE_STATIC
 match tag 5000
 set metric -10
 exit
!
router rip
 network 10.60.1.0 
 redistribute static route-map REDISTRIBUTE_STATIC
 exit
!
crypto ipsec security-association lifetime kilobytes 530000000
crypto ipsec security-association lifetime second 14400
crypto ipsec transform-set VPN_1 esp-3des esp-sha-hmac 
 mode transport
 exit
!
crypto map TUNNEL 10 ipsec-isakmp
 set peer 10.4.9.82
 set transform-set VPN_1 
 match address 100 
!
crypto ipsec profile OER
 set transform-set VPN_1
 exit 
crypto map TUNNEL local-address Ethernet 0/0
!
crypto isakmp key 0 CISCO address 10.4.9.82 no-xauth
crypto isakmp keepalive 10
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 exit
!
interface Ethernet0/0
 ip address 10.4.9.15 255.255.255.0
 crypto map TUNNEL 
 exit
!
interface Tunnel0
 ip address 10.100.2.2 255.255.0.0
 keepalive 30 5 
 bandwidth 500
 bandwidth inherit
 tunnel mode gre ip
 tunnel source 10.4.9.15
 tunnel destination 10.4.9.82
 tunnel protection ipsec profile OER
 end 
 
      
 
      
 
        
         
       
VPN B Configuration: Internal Peers 
 
       
 The following example shows a Routing Information Protocol (RIP) routing process created to establish peering with the border routers and internal peers: 
 
       
router rip 
 network 10.60.1.0 
 end

 
      
 
     
 
     
 
      
 
      
 
     
 
    
 
   
 
   
 
     
      
    
Where to Go Next
 
    
 
     
 This document describes a specific implementation of OER and presumes that you are familiar with the OER technology. If you want to review more information about OER, proceed to the Cisco IOS Optimized Edge Routing Overview module, followed by the Setting Up OER Network Components module. To learn more about the other OER phases, read through the other modules in the following list: 
 
      
       
     
     
      
  •  
         Using OER to Profile the Traffic Classes 
    •  
      
  •  
         Measuring the Traffic Class Performance and Link Utilization Using OER 
    •  
      
  •  
         Configuring and Applying OER Policies 
    •  
      
  •  
         Using OER to Control Traffic Classes and Verify the Route Control Changes 
    •  
     
 
     
 After you understand the various OER phases you may want to review other OER Solutions modules that are listed under the Related Documents section. 
 
    
 
    
 
     
 
     
 
    
 
   
 
   
 
     
      
    
Additional References
 
    
 
     
 
       
        
      
 The following sections provide references related to configuring VPN IPsec/GRE tunnel interfaces as OER-managed exit links. 
 
     
 
     
 
       
        
      
Related Documents
 
      
 
        
         
       
 
         
         
 
           
 Related Topic 
 		 
           
 Document Title 
 		 
         
 
         
         
         
 
           
 Cisco OER technology overview 
 		 
           
 Cisco IOS Optimized Edge Routing Overview module 
 		 
         
 
         
 
           
 Concepts and configuration tasks required to set up OER network components. 
 		 
           
 Setting Up OER Network Components module 
 		 
         
 
         
 
           
 OER solution module: voice traffic optimization using OER active probes. 
 		 
           
 OER Voice Traffic Optimization Using Active Probes module 
 		 
         
 
         
 
           
 Cisco OER commands: complete command syntax, command mode, command history, defaults, usage guidelines and examples 
 		 
           
 Cisco IOS Optimized Edge Routing Command Reference 
 		 
         
 
         
 
           
 IP Routing Protocol commands 
 		 
           
 Cisco IOS IP Routing Protocols Command Reference 
 		 
         
 
         
 
           
 Key Chain Authentication: information about authentication key configuration and management in Cisco IOS software 
 		 
           
 Managing Authentication Keys section of the Configuring IP Routing Protocol-Independent Features chapter in the Cisco IOS IP Routing Protocols Configuration Guide 
 		 
         
 
         
       
 
      
 
     
 
     
 
       
        
      
Technical Assistance
 
      
 
        
         
       
 
         
         
 
           
 Description 
 		 
           
 Link 
 		 
         
 
         
         
         
 
           
 The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. 
 
 To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. 
 
 Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. 
 		 
           
 http://www.cisco.com/techsupport  
 		 
         
 
         
       
 
      
 
     
 
    
 
    
 
     
 
     
 
    
 
   
 
   
 
     
      
    
Feature Information for Configuring VPN IPsec GRE Tunnel Interfaces As OER-Managed Exit Links
 
    
 
     
 
       
        
      
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. 
 
      
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required. 
 
     
 
     
 
       
        
      
 
        
         
       
 
         
         Table 1 Feature Information for VPN IPsec/GRE Tunnel Interface Optimization 
         
         
         
 
           
 Feature Name 
 		 
           
 Releases 
 		 
           
 Feature Information 
 		 
         
 
         
         
         
 
           
 VPN IPsec/GRE Tunnel Optimization 
 		 
           
 12.3(11)T 
 		 
           
 Introduces the ability to configure IPsec/GRE tunnel interfaces as OER-managed exit links. 
 		 
         
 
         
       
 
      
 
     
 
    
 
    
 
     
 
     
 
    
 
   
 
   
 
     
      
    
 
 
    
 
     
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) 
 
     
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. 
 
    
 
    
 
     
 
     
 
     
 
     
 
     
 
     
 
     
 
     
 
     
 
     
 
     
 
     
 
     
 
     
 
     
 
     
 
     
 
     
 
     
 
     
 
    
 
   
 
  
 
  
 
  
 
  
 
  
Copyright © 2010, Cisco Systems, Inc. All rights reserved.
  
 


    
    


















     

     
    
    








	




    


    

        














 




























    

    

        

    

    
    
     
			
            

























    
    
    
    









            

                

















  
  

  
    
    
    
    
  






            

        
            
            




















  
Was this Document Helpful?

  
    
    
  
  
    
      
      FeedbackFeedback
    
  







            

                

















  
    
  



            


            

                
















    
Contact Cisco

    







            


            
            































    
   
    





            

                























      

    
    	
This Document Applies to These Products