Netflow over IPSEC using GRE tunnels

14/08/2012

While implementing NetFlow it became apparent that a router terminating an IPsec VPN tunnel could not deliver its NetFlow exports to the collector. The following gives a basic configuration for the remote endpoint that sends the flows and for a centralised router beyond the headend unit that passes the flows on to the collector. All traffic to the NetFlow collector (1.1.1.1 in this example) is carried over a GRE tunnel between the two routers. Two things are worth checking before relying on this: NetFlow v5 is plain UDP with no authentication or encryption, so the GRE traffic between the tunnel endpoints (172.16.32.1 and 172.16.33.1) must itself be carried inside the IPsec tunnel, i.e. match the crypto ACL, or the flow records leave the site in the clear; and the tunnel endpoints must be reachable without going through Tunnel1 itself, otherwise the tunnel flaps on recursive routing.


# # REMOTE ROUTER # #

!
interface Tunnel1
 description GRE-Tunnel for NETFLOW
 ip address 192.168.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 5 3
 tunnel source 172.16.32.1
 tunnel destination 172.16.33.1
!
! The collector must be routed via the far end of the GRE tunnel (the central
! router's Loopback1 address), not via the underlay next hop, so that the
! exports actually travel inside the tunnel.
ip route 1.1.1.1 255.255.255.255 Tunnel1 192.168.0.254
!
interface Vlan1
 ip flow ingress
 ip flow egress
!
ip flow-export source Tunnel1
ip flow-export version 5
ip flow-export destination 1.1.1.1 9996
!

# # CENTRAL ROUTER # #

!
interface Loopback1
 ip address 192.168.0.254 255.255.255.0
!
interface Tunnel1
 ip unnumbered Loopback1
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 5 3
 tunnel source 172.16.33.1
 tunnel destination 172.16.32.1
!
! Exports arrive here sourced from 192.168.0.1 and follow the normal routing
! table to the collector. Because Tunnel1 is unnumbered, 192.168.0.1 falls into
! the connected Loopback1 subnet; if anything on the central side needs to
! reach the remote router over the tunnel, add a host route for it:
! ip route 192.168.0.1 255.255.255.255 Tunnel1
!
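To verify the arrangement from the collector side, the following Python script is an added example (it is not from the original post and not Cisco code): it decodes NetFlow v5 datagrams and checks that each export is sourced from the Tunnel1 address (192.168.0.1) rather than from an underlay or LAN address, and that the flow_sequence counter in consecutive headers shows no gaps. The collector port 9996 and the exporter address are taken from the configuration above; the sample datagrams are constructed inline so the decoder runs offline, and the names of the functions and classes are the example's own.

```python
"""NetFlow v5 export checker: confirms exports come via Tunnel1 and spots gaps.

Added example, not part of the original post. Assumes the exporter sources its
packets from 192.168.0.1 (ip flow-export source Tunnel1) and that the collector
listens on UDP 9996 (ip flow-export destination 1.1.1.1 9996).
"""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

HEADER_FMT = "!HHIIIIBBH"                 # 24-byte NetFlow v5 header
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # 48-byte NetFlow v5 flow record
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)

EXPECTED_EXPORTER = "192.168.0.1"   # Tunnel1 address on the remote router
COLLECTOR_PORT = 9996


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int
    packets: int
    octets: int


def parse_netflow_v5(data: bytes) -> Tuple[Dict[str, int], List[FlowRecord]]:
    """Decode one NetFlow v5 datagram into a header dict and its flow records."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime": uptime,
              "unix_secs": unix_secs, "flow_sequence": flow_seq,
              "engine_id": engine_id, "sampling": sampling}
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        # f[0]=srcaddr f[1]=dstaddr f[5]=dPkts f[6]=dOctets f[9]=srcport
        # f[10]=dstport f[13]=prot
        records.append(FlowRecord(src=socket.inet_ntoa(f[0]), dst=socket.inet_ntoa(f[1]),
                                  src_port=f[9], dst_port=f[10], proto=f[13],
                                  packets=f[5], octets=f[6]))
    return header, records


class ExportChecker:
    """Checks the exporter source address and tracks flow_sequence for gaps."""

    def __init__(self, expected_exporter: str = EXPECTED_EXPORTER):
        self.expected_exporter = expected_exporter
        self.next_seq: Optional[int] = None

    def check(self, exporter_addr: str, data: bytes) -> Tuple[bool, str]:
        if exporter_addr != self.expected_exporter:
            # Export arrived from an underlay or LAN address: the route to the
            # collector is not pointing at the GRE tunnel.
            return False, f"export sourced from {exporter_addr}, not {self.expected_exporter}"
        header, records = parse_netflow_v5(data)
        seq = header["flow_sequence"]
        lost = 0
        if self.next_seq is not None and seq != self.next_seq:
            lost = (seq - self.next_seq) & 0xFFFFFFFF   # flows never seen by us
        self.next_seq = (seq + header["count"]) & 0xFFFFFFFF
        if lost:
            return False, f"{lost} flows missing before sequence {seq}"
        return True, f"{len(records)} flows from {exporter_addr}"


def build_sample_export(flow_seq: int, flows: Iterable[tuple]) -> bytes:
    """Construct a NetFlow v5 datagram for offline testing (constructed data)."""
    flows = list(flows)
    header = struct.pack(HEADER_FMT, 5, len(flows), 123456, 1344945600, 0, flow_seq, 0, 0, 0)
    body = b""
    for src, dst, sport, dport, proto, pkts, octets in flows:
        body += struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                            socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets, 1000, 2000,
                            sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    return header + body


# Constructed sample flows: one HTTPS session and one DNS lookup.
SAMPLE_FLOWS = [("10.1.1.10", "10.2.2.20", 51234, 443, 6, 12, 4800),
                ("10.1.1.11", "10.2.2.53", 40001, 53, 17, 1, 76)]


def listen(port: int = COLLECTOR_PORT) -> None:
    """Run on the collector host to watch live exports."""
    checker = ExportChecker()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (addr, _) = sock.recvfrom(65535)
        ok, msg = checker.check(addr, data)
        print("OK " if ok else "BAD", msg)


if __name__ == "__main__":
    listen()
```

Run it on the collector host while the remote router exports. An export reported as sourced from 172.16.32.1 or the Vlan1 address means the route to 1.1.1.1 is not going via Tunnel1; a gap report means exports were lost between the two, which is the first thing to look at when the IPsec tunnel or the GRE keepalive drops.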