воскресенье, 5 февраля 2017 г.

L2 over GRE over IPSec between HPE and CISCO








IOU2#sh run

! IOU2 - layer-2 switch on one side of the lab. It trunks VLANs 10 and 20 on
! Ethernet0/0 and offers one access port per VLAN.
version 15.1
!
hostname IOU2
!
! 802.1Q trunk restricted to the two VLANs that are extended across the pseudowires.
! NOTE(review): no "switchport nonegotiate" appears in this output - confirm whether
! trunk negotiation should stay enabled on this port.
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 duplex auto
!
! Access port in VLAN 10.
interface Ethernet0/1
 switchport access vlan 10
 switchport mode access
 duplex auto
!
! Access port in VLAN 20.
interface Ethernet0/2
 switchport access vlan 20
 switchport mode access
 duplex auto
!



IOU1#sh run

! IOU1 - Cisco end of the lab. VLAN subinterfaces are cross-connected as MPLS
! pseudowires to 9.9.9.5, MPLS runs over GRE Tunnel0 to 90.0.5.2, and a crypto map
! on Ethernet0/0 selects the traffic that IPsec protects.
! NOTE(review): the crypto parameters below are lab-grade (DES, MD5, DH group 2,
! short cleartext pre-shared key) and should not be copied into production as-is.
version 15.5
!
hostname IOU1
!
! IKE phase 1: pre-shared-key authentication and DH group 2 (1024-bit MODP, below
! current recommendations). No encryption or hash line is shown, so those values are
! presumably the platform defaults - confirm with "show crypto isakmp policy".
crypto isakmp policy 5
 authentication pre-share
 group 2
! NOTE(review): the pre-shared key is stored in cleartext and is a short lab value.
! A deployment needs a long random key; "key config-key password-encrypt" together
! with "password encryption aes" keeps it from appearing in the displayed config.
crypto isakmp key hpdemo address 90.0.5.2       
!
! Two transform sets are defined, but only MY-SET2 (single DES + HMAC-MD5) is
! referenced by the crypto map below; MY-SET (AES + HMAC-MD5) is unused.
! DES and MD5 are obsolete. The choice mirrors the HPE peer's transform-set "tran1"
! (des-cbc / md5), so moving to AES with a SHA-2 HMAC has to be done on both ends.
crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac 
 mode tunnel
crypto ipsec transform-set MY-SET2 esp-des esp-md5-hmac 
 mode tunnel
!
! Crypto map entry: peer 90.0.5.2, DES/MD5 transform set, traffic selected by the
! VPN-TRAFFIC access list defined at the end of this configuration.
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp 
 set peer 90.0.5.2
 set transform-set MY-SET2 
 match address VPN-TRAFFIC
!
! Loopback used as this router's pseudowire endpoint; the HPE xconnect-group peers
! with 9.9.9.4.
interface Loopback0
 ip address 9.9.9.4 255.255.255.255
!
! Tunnel between 90.0.5.1 and 90.0.5.2. No "tunnel mode" line is shown, so this is
! presumably the default GRE/IP mode - confirm with "show interface Tunnel0".
! "mpls ip" enables label switching on the tunnel so the pseudowires ride inside it.
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 mpls ip
 tunnel source 90.0.5.1
 tunnel destination 90.0.5.2
!
! Outside interface; the crypto map is applied here, so traffic leaving this
! interface that matches VPN-TRAFFIC is encrypted towards 90.0.5.2.
interface Ethernet0/0
 ip address 90.0.5.1 255.255.255.0
 crypto map IPSEC-SITE-TO-SITE-VPN
!
! VLAN 10 attachment circuit, cross-connected to 9.9.9.5 with VC ID 45
! (matches "pw-id 45" on the HPE side).
interface Ethernet0/1.10
 encapsulation dot1Q 10
 xconnect 9.9.9.5 45 encapsulation mpls
!         
! VLAN 20 attachment circuit, cross-connected to 9.9.9.5 with VC ID 46
! (matches "pw-id 46" on the HPE side).
interface Ethernet0/1.20
 encapsulation dot1Q 20
 xconnect 9.9.9.5 46 encapsulation mpls
!
! The peer loopback and the remote LAN are both reached through the far end of the
! tunnel (172.16.1.2).
ip route 9.9.9.5 255.255.255.255 172.16.1.2
ip route 192.168.20.0 255.255.255.0 172.16.1.2
!
! Crypto ACL: the first entry selects LAN-to-LAN traffic, the second selects every
! GRE packet regardless of endpoints.
! NOTE(review): "permit gre host 90.0.5.1 host 90.0.5.2" would restrict the selector
! to this one tunnel; the HPE ACL 3001 would need the mirrored rule at the same time.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit gre any any
!



[HPE]dis cur
# HPE (Comware 7) end of the lab. Sub-interfaces of GigabitEthernet2/0 are bound to
# pseudowires towards 9.9.9.4, MPLS/LDP runs over GRE Tunnel0 to 90.0.5.1, and IPsec
# policy hq-policy1 is applied on GigabitEthernet1/0.
# NOTE(review): the crypto parameters below are lab-grade (des-cbc, md5, DH group 2)
# and should not be copied into production as-is.
#
 version 7.1.059, ESS 0321P01
#
 sysname HPE
#
 mpls lsr-id 9.9.9.5
#
mpls ldp
#
 l2vpn enable
#
# Loopback whose address is also the MPLS LSR ID; the Cisco xconnect commands
# target 9.9.9.5.
interface LoopBack0
 ip address 9.9.9.5 255.255.255.255
#
# Outside interface; the IPsec policy is applied here.
interface GigabitEthernet1/0
 port link-mode route
 ip address 90.0.5.2 255.255.255.0
 ipsec apply policy hq-policy1
#
interface GigabitEthernet2/0
 port link-mode route
#
# VLAN 10 attachment circuit (used by connection "svc" below).
interface GigabitEthernet2/0.10
 vlan-type dot1q vid 10
#
# VLAN 20 attachment circuit (used by connection "svc2" below).
interface GigabitEthernet2/0.20
 vlan-type dot1q vid 20
#
# GRE tunnel between 90.0.5.2 and 90.0.5.1 with MPLS and LDP enabled on it.
interface Tunnel0 mode gre
 ip address 172.16.1.2 255.255.255.252
 mpls enable
 mpls ldp enable
 source 90.0.5.2
 destination 90.0.5.1
#
# Pseudowires to the Cisco loopback 9.9.9.4; pw-id 45 and 46 match the VC IDs in the
# Cisco "xconnect" commands.
xconnect-group vpna
 connection svc
  ac interface GigabitEthernet2/0.10
  peer 9.9.9.4 pw-id 45
 connection svc2
  ac interface GigabitEthernet2/0.20
  peer 9.9.9.4 pw-id 46
#
# The peer loopback and the remote LAN are both reached through the far end of the
# tunnel (172.16.1.1).
 ip route-static 9.9.9.4 32 172.16.1.1
 ip route-static 192.168.10.0 24 172.16.1.1
#
# Traffic selector for IPsec: rule 0 mirrors the LAN-to-LAN entry on the Cisco side,
# rule 10 selects every GRE packet regardless of endpoints.
# NOTE(review): limiting rule 10 to source 90.0.5.2 / destination 90.0.5.1 would
# restrict it to this tunnel; the Cisco VPN-TRAFFIC list would need the mirror entry.
acl advanced 3001
 rule 0 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 10 permit gre
#
# ESP with single DES and HMAC-MD5 - both obsolete. This matches the Cisco
# transform set MY-SET2 (esp-des esp-md5-hmac), so any upgrade to AES with a SHA-2
# HMAC has to be made on both ends together.
ipsec transform-set tran1
 esp encryption-algorithm des-cbc 
 esp authentication-algorithm md5 
#
# IPsec policy entry binding the transform set, the selector ACL, the tunnel
# endpoints and the IKE profile.
ipsec policy hq-policy1 10 isakmp
 transform-set tran1 
 security acl 3001 
 local-address 90.0.5.2
 remote-address 90.0.5.1
 ike-profile profile1
#
# IKE profile: accepts only the peer identity 90.0.5.1 and uses proposal 1 with
# keychain1.
ike profile profile1
 keychain keychain1
 match remote identity address 90.0.5.1 255.255.255.255
 proposal 1 
#
# Only DH group 2 (1024-bit MODP, below current recommendations) is shown; the
# encryption and authentication algorithms are not displayed, so they are presumably
# the platform defaults - confirm with "display ike proposal".
ike proposal 1
 dh group2
#
# NOTE(review): the "cipher" string is the stored form of the pre-shared key. The
# device has to recover the key from it, so treat it as sensitive as the key itself
# and redact it before publishing a configuration.
ike keychain keychain1
 pre-shared-key address 90.0.5.1 255.255.255.255 key cipher $c$3$UomKZx6Zl2Ek7syk/NayiZUAiEY4vjkUUA==
#


IOU3#sh run

! IOU3 - layer-2 switch on the other side of the lab. It trunks VLANs 10 and 20 on
! Ethernet0/0 and offers one access port per VLAN. The access VLANs are assigned to
! the opposite ports compared with IOU2 (Ethernet0/1 = VLAN 20, Ethernet0/2 = VLAN 10).
version 15.1

hostname IOU3
!
! 802.1Q trunk restricted to the two VLANs that are extended across the pseudowires.
! NOTE(review): no "switchport nonegotiate" appears in this output - confirm whether
! trunk negotiation should stay enabled on this port.
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 duplex auto
!
! Access port in VLAN 20.
interface Ethernet0/1
 switchport access vlan 20
 switchport mode access
 duplex auto
!
! Access port in VLAN 10.
interface Ethernet0/2
 switchport access vlan 10
 switchport mode access
 duplex auto
!


