To minimize the complexity of configuration we can use IPsec profiles and associate them with Virtual Tunnel Interfaces (VTIs). It's more like a route-based VPN in Juniper NetScreen. There are other reasons why you would want to consider using VTIs to implement GRE over IPsec, and they can be found here.
Jeremy Stretch has written a fantastic post on configuring GRE over IPsec using VTIs in the simplest way possible – http://packetlife.net/blog/2008/jul/14/ipsec-quick-and-dirty/ so I won't bother including all of that again.
Just adding some notes below for my reference:
Notes:
- By default the IPsec SA is created for the tunnel source and destination IP addresses with protocol 47 (GRE) as the proxy identity, so only the GRE traffic between the two endpoints is protected; GRE is what carries the multicast traffic (e.g. routing protocols) across the tunnel.
interface Tunnel12
ip address 192.168.12.1 255.255.255.0
tunnel source 10.1.101.1
tunnel destination 192.168.1.2
tunnel protection ipsec profile P2-PROFILE
end
R1#sh crypto ipsec sa
interface: Tunnel12
Crypto map tag: Tunnel12-head-0, local addr 10.1.101.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.101.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/47/0)
- If the command "tunnel mode ipsec ipv4" is used, an "IP any any" (protocol 0) SA is created instead, so everything routed into the tunnel is protected rather than just GRE.
interface Tunnel12
ip address 192.168.12.1 255.255.255.0
tunnel source 10.1.101.1
tunnel mode ipsec ipv4
tunnel destination 192.168.1.2
tunnel protection ipsec profile P2-PROFILE
end
R1#sh crypto ipsec sa
interface: Tunnel12
Crypto map tag: Tunnel12-head-0, local addr 10.1.101.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
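As an added example (my own check, not from the packetlife post or Cisco), a small Python script that derives the proxy identities a VTI should negotiate from its configuration and compares them against the `show crypto ipsec sa` output, classifying the SA as GRE-only (protocol 47, host-to-host) or any/any. The sample config and SA lines are constructed from the two notes above; a `tunnel source <interface>` is not resolved to an address and is reported as unknown.

```python
import re

# Constructed samples based on the two notes above: a GRE-mode VTI and a
# "tunnel mode ipsec ipv4" VTI, each with its matching "show crypto ipsec sa" lines.
GRE_CONFIG = """interface Tunnel12
 ip address 192.168.12.1 255.255.255.0
 tunnel source 10.1.101.1
 tunnel destination 192.168.1.2
 tunnel protection ipsec profile P2-PROFILE
"""
GRE_SA = """local ident (addr/mask/prot/port): (10.1.101.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/47/0)
"""
IPSEC_CONFIG = GRE_CONFIG.replace(" tunnel destination", " tunnel mode ipsec ipv4\n tunnel destination")
IPSEC_SA = """local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
"""
ANY = "0.0.0.0/0.0.0.0/0/0"

def expected_identities(config):
    """Derive the proxy identities a VTI should negotiate from its running config.
    Returns None when the tunnel source is an interface name rather than an IP."""
    src = re.search(r"^\s*tunnel source (\S+)", config, re.M).group(1)
    dst = re.search(r"^\s*tunnel destination (\S+)", config, re.M).group(1)
    if re.search(r"^\s*tunnel mode ipsec ipv4\s*$", config, re.M):
        return (ANY, ANY)                      # IP any/any SA, protocol 0
    if not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", src):
        return None                            # source given as an interface; cannot derive
    return (f"{src}/255.255.255.255/47/0", f"{dst}/255.255.255.255/47/0")   # host-to-host, GRE only

def observed_identities(show_output):
    """Pull the local/remote ident values out of 'show crypto ipsec sa' text."""
    pat = r"^\s*(local|remote) ident \(addr/mask/prot/port\): \((\S+)\)"
    found = dict(re.findall(pat, show_output, re.M))
    return (found.get("local"), found.get("remote"))

def sa_scope(ident):
    """Classify one identity: 'any', 'gre-only', 'other' or 'missing'."""
    if ident is None:
        return "missing"
    if ident == ANY:
        return "any"
    _addr, mask, prot, _port = ident.split("/")
    return "gre-only" if prot == "47" and mask == "255.255.255.255" else "other"

def check_vti(config, show_output):
    """Compare expected vs observed identities; a mismatch usually means the SA was
    negotiated under a different tunnel mode than the one in the running config."""
    exp, got = expected_identities(config), observed_identities(show_output)
    return {"expected": exp, "observed": got, "scope": sa_scope(got[0]),
            "match": exp is not None and exp == got}
```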