9/23/13

Configuring Point-to-Point GRE VPN Tunnels - Unprotected GRE & Protected GRE over IPSec Tunnels
Written by Administrator
Friday, 04 May 2012 21:10

Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that allows the encapsulation of a wide
variety of network layer protocols inside point-to-point links.
A GRE tunnel is used when packets need to be sent from one network to another over the Internet or an insecure network.
With GRE, a virtual tunnel is created between the two endpoints (Cisco routers) and packets are sent through the GRE
tunnel.
It is important to note that packets travelling inside a GRE tunnel are not encrypted: GRE does not encrypt the payload, it
only encapsulates it with a GRE header. If data protection is required, IPSec must be configured to provide data
confidentiality; this is when a GRE tunnel is transformed into a secure VPN GRE tunnel.
The diagram below shows the encapsulation procedure of a simple, unprotected GRE packet as it traverses the router
and enters the tunnel interface:

While many might think a GRE IPSec tunnel between two routers is similar to a site-to-site IPSec VPN (crypto), it is not. A
major difference is that GRE tunnels allow multicast packets to traverse the tunnel, whereas IPSec VPN does not support
multicast packets. In large networks where routing protocols such as OSPF or EIGRP are necessary, GRE tunnels are your
best bet. For this reason, plus the fact that GRE tunnels are much easier to configure, engineers prefer to use GRE rather
than IPSec VPN.
This article will explain how to create simple (unprotected) and secure (IPSec encrypted) GRE tunnels between endpoints.
We explain all the necessary steps to create and verify the GRE tunnel (unprotected and protected) and configure routing
between the two networks.

Creating a Cisco GRE Tunnel


A GRE tunnel uses a tunnel interface, a logical interface configured on the router with an IP address, where packets are
encapsulated and decapsulated as they enter or exit the GRE tunnel.
The first step is to create our tunnel interface on R1:
R1(config)# interface Tunnel0
R1(config-if)# ip address 172.16.0.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source 1.1.1.10
R1(config-if)# tunnel destination 2.2.2.10
All Tunnel interfaces of participating routers must always be configured with an IP address that is not used anywhere else
in the network. Each Tunnel interface is assigned an IP address within the same network as the other Tunnel interfaces.
In our example, both Tunnel interfaces are part of the 172.16.0.0/24 network.
Since GRE is an encapsulating protocol, we adjust the maximum transmission unit (MTU) to 1400 bytes and the maximum
segment size (MSS) to 1360 bytes. Because most transport MTUs are 1500 bytes and GRE adds its own overhead, we
must reduce the MTU to account for the extra headers. A setting of 1400 is common practice and will ensure
unnecessary packet fragmentation is kept to a minimum.
Closing, we define the tunnel source, which is R1's public IP address, and the tunnel destination, R2's public IP address.
As soon as we complete R1's configuration, the router will confirm the creation of the tunnel and inform us about its status:
R1#
*May 4 21:30:22.971: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Since the Tunnel0 interface is a logical interface, it will remain up even if there is no GRE tunnel configured or connected at
the other end.
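As an added worked example (not from the original article), here is the arithmetic behind the MTU and MSS values above, extended to account for the ESP overhead that the GRE over IPSec configuration later in the article adds (esp-3des, esp-md5-hmac, transport or tunnel mode). The header sizes are the standard IPv4, GRE and ESP values; the AES/SHA entry is included only for comparison.

```python
IP_HDR = 20       # IPv4 header without options
GRE_HDR = 4       # bare GRE header (no key, sequence number or checksum)
ESP_HDR = 8       # ESP SPI (4) + sequence number (4)
ESP_TRAILER = 2   # ESP pad-length (1) + next-header (1)
TCP_HDR = 20      # TCP header without options

# IV length, cipher block size and ICV length for the transforms in the article
# (esp-3des, esp-md5-hmac); AES/SHA is included only for comparison.
CIPHERS = {"3des": (8, 8), "aes": (16, 16)}     # (iv_len, block_size)
AUTHS = {"md5-hmac": 12, "sha-hmac": 12}        # truncated 96-bit HMAC ICV

def plain_gre_max_inner(link_mtu):
    """Largest inner IP packet an unprotected GRE tunnel carries unfragmented."""
    return link_mtu - IP_HDR - GRE_HDR

def ipsec_gre_max_inner(link_mtu, cipher="3des", auth="md5-hmac", mode="transport"):
    """Largest inner IP packet for GRE protected by ESP, without fragmentation.

    transport mode: IP | ESP | IV | [GRE | inner | pad | trailer] | ICV
    tunnel mode:    IP | ESP | IV | [IP | GRE | inner | pad | trailer] | ICV
    The bracketed part is encrypted and must be a whole number of cipher blocks.
    """
    iv_len, block = CIPHERS[cipher]
    icv = AUTHS[auth]
    outer = IP_HDR + ESP_HDR + iv_len + icv
    fixed_inside = GRE_HDR + ESP_TRAILER + (IP_HDR if mode == "tunnel" else 0)
    enc_budget = (link_mtu - outer) // block * block   # round down to whole blocks
    return enc_budget - fixed_inside

def tcp_mss_for(ip_mtu):
    """MSS that keeps a full-size TCP segment (IP + TCP headers) within ip_mtu."""
    return ip_mtu - IP_HDR - TCP_HDR

def tunnel_mtu_is_safe(ip_mtu, link_mtu=1500, **transform):
    """True if ip_mtu stays under both the plain-GRE and the ESP-protected limit."""
    return ip_mtu <= min(plain_gre_max_inner(link_mtu),
                         ipsec_gre_max_inner(link_mtu, **transform))

if __name__ == "__main__":
    print("plain GRE max inner :", plain_gre_max_inner(1500))                 # 1476
    print("3DES/MD5 transport  :", ipsec_gre_max_inner(1500))                 # 1442
    print("3DES/MD5 tunnel     :", ipsec_gre_max_inner(1500, mode="tunnel"))  # 1422
    print("MSS for ip mtu 1400 :", tcp_mss_for(1400))                         # 1360
    print("1400 is safe        :", tunnel_mtu_is_safe(1400))                  # True
```

The article's 1400/1360 pair sits below every limit computed here, which is why it avoids fragmentation both before and after IPSec protection is applied.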
Next, we must create the Tunnel 0 interface on R2:
R2(config)# interface Tunnel0
R2(config-if)# ip address 172.16.0.2 255.255.255.0
R2(config-if)# ip mtu 1400
R2(config-if)# ip tcp adjust-mss 1360
R2(config-if)# tunnel source 2.2.2.10
R2(config-if)# tunnel destination 1.1.1.10
R2's Tunnel interface is configured with the appropriate tunnel source and destination IP address. As with R1, router R2
will inform us that the Tunnel0 interface is up:
R2#
*May 4 21:32:54.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Routing Networks Through the GRE Tunnel
At this point, both tunnel endpoints are ready and can see each other. An ICMP echo from one end will confirm this:
R1# ping 172.16.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#
Again, this result means that the two tunnel endpoints can see each other. Workstations on either network will still not be
able to reach the other side unless a static route is placed on each endpoint:
R1(config)# ip route 192.168.2.0 255.255.255.0 172.16.0.2
On R1 we add a static route to the remote network 192.168.2.0/24 via 172.16.0.2 which is the other end of our GRE Tunnel.
When R1 receives a packet for 192.168.2.0 network, it now knows the next hop is 172.16.0.2 and therefore will send it
through the tunnel.
The same configuration must be repeated for R2:
R2(config)# ip route 192.168.1.0 255.255.255.0 172.16.0.1
Now both networks are able to communicate freely with each other over the GRE tunnel.

Securing the GRE Tunnel with IPSec


As mentioned earlier, GRE is an encapsulation protocol and does not perform any encryption. Creating a point-to-point
GRE tunnel without any encryption is extremely risky as sensitive data can easily be extracted from the tunnel and viewed
by others.
For this purpose, we use IPSec to add an encryption layer and secure the GRE tunnel. This provides us with the necessary
military-grade encryption and peace of mind. Our example below covers GRE IPSec Tunnel mode.
GRE IPSec modes are covered extensively in our article GRE over IPSec - Selecting and Configuring GRE IPSec Tunnel or
Transport Mode.

Configuring IPSec Encryption for GRE Tunnel (GRE over IPSec)


IPSec encryption involves two steps for each router. These steps are:
(1) Configure ISAKMP (ISAKMP Phase 1)
(2) Configure IPSec (ISAKMP Phase 2)

Configure ISAKMP (IKE) - (ISAKMP Phase 1)


IKE exists only to establish SAs (Security Associations) for IPsec. Before it can do this, IKE must negotiate an SA (an
ISAKMP SA) relationship with the peer.
To begin, we'll start working on R1.


The first step is to configure an ISAKMP Phase 1 policy:
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
The above commands define the following (in listed order):
- 3DES - The encryption method to be used for Phase 1
- MD5 - The hashing algorithm
- Pre-share - Use a pre-shared key as the authentication method
- Group 2 - Diffie-Hellman group to be used
- 86400 - Session key lifetime. Expressed in either kilobytes (after x-amount of traffic, change the key) or seconds. The
value set is the default value.

Next we are going to define a pre-shared key for authentication with R1's peer, 2.2.2.10:
R1(config)# crypto isakmp key firewallcx address 2.2.2.10
The peer's pre-shared key is set to firewallcx. This key will be used for all ISAKMP negotiations with peer 2.2.2.10 (R2).

Create IPSec Transform (ISAKMP Phase 2 policy)


Now we need to create the transform set used to protect our data. We've named this TS:
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# mode transport
The above commands define the following:
- ESP-3DES - Encryption method
- MD5 - Hashing algorithm
- Set IPSec to transport mode
Finally, we create an IPSec profile to tie the previously defined ISAKMP and IPSec configuration together. We've
named our IPSec profile protect-gre:
R1(config)# crypto ipsec profile protect-gre
R1(ipsec-profile)# set security-association lifetime seconds 86400
R1(ipsec-profile)# set transform-set TS
We are ready to apply the IPSec encryption to the Tunnel interface:
R1(config)# interface Tunnel 0
R1(config-if)# tunnel protection ipsec profile protect-gre
Now it's time to apply the same configuration on R2:
R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
R2(config)# crypto isakmp key firewallcx address 1.1.1.10


R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(cfg-crypto-trans)# mode transport
R2(config)# crypto ipsec profile protect-gre
R2(ipsec-profile)# set security-association lifetime seconds 86400
R2(ipsec-profile)# set transform-set TS
R2(config)# interface Tunnel 0
R2(config-if)# tunnel protection ipsec profile protect-gre

Verifying the GRE over IPSec Tunnel


Finally, our tunnel has been encrypted with IPSec, providing us with the much needed security layer. To test and verify this,
all that is required is to ping the other end and force the VPN IPSec tunnel to come up and start encrypting/decrypting our
data:
R1# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Using the show crypto session command, we can quickly verify the encryption is in place and doing its work:
R1# show crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 2.2.2.10 port 500
IKE SA: local 1.1.1.10/500 remote 2.2.2.10/500 Active
IPSEC FLOW: permit 47 host 1.1.1.10 host 2.2.2.10
Active SAs: 2, origin: crypto map
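Added example, not part of the original article: a small Python check that parses show crypto session output and confirms that the GRE flow (IP protocol 47) between the two tunnel endpoints actually has active IPsec SAs, rather than trusting the session status line alone. Both samples are constructed: the first reproduces the article's own output from R1 above, the second is a hypothetical session that has not finished negotiating.

```python
import re
# Constructed sample 1: the article's "show crypto session" output on R1.
HEALTHY = """Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 2.2.2.10 port 500
  IKE SA: local 1.1.1.10/500 remote 2.2.2.10/500 Active
  IPSEC FLOW: permit 47 host 1.1.1.10 host 2.2.2.10
        Active SAs: 2, origin: crypto map
"""
# Constructed sample 2 (hypothetical): a peer that is still negotiating, so no
# SAs protect the GRE flow yet even though the flow itself is listed.
NEGOTIATING = """Crypto session current status
Interface: Tunnel0
Session status: DOWN-NEGOTIATING
Peer: 2.2.2.10 port 500
  IKE SA: local 1.1.1.10/500 remote 2.2.2.10/500 Inactive
  IPSEC FLOW: permit 47 host 1.1.1.10 host 2.2.2.10
        Active SAs: 0, origin: crypto map
"""
def parse_crypto_session(text):
    """Turn 'show crypto session' text into a list of per-interface dicts."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(), "ike": [], "flows": []}
            sessions.append(cur)
        elif cur is None:
            continue                      # header lines before the first interface
        elif line.startswith("Session status:"):
            cur["status"] = line.split(":", 1)[1].strip()
        elif (m := re.match(r"IKE SA: local (\S+)/\d+ remote (\S+)/\d+ (\w+)", line)):
            cur["ike"].append({"local": m[1], "remote": m[2], "state": m[3]})
        elif (m := re.match(r"IPSEC FLOW: permit (\d+) host (\S+) host (\S+)", line)):
            cur["flows"].append({"proto": int(m[1]), "src": m[2], "dst": m[3], "sas": 0})
        elif (m := re.match(r"Active SAs: (\d+)", line)) and cur["flows"]:
            cur["flows"][-1]["sas"] = int(m[1])   # SA count belongs to the last flow
    return sessions
def gre_is_protected(text, interface, local, remote):
    """True only when the IKE SA is Active and GRE (protocol 47) between the two
    tunnel endpoints has SAs in both directions (at least 2)."""
    for s in parse_crypto_session(text):
        if s["interface"] != interface or s.get("status") != "UP-ACTIVE":
            continue
        ike_ok = any(i["local"] == local and i["remote"] == remote and i["state"] == "Active" for i in s["ike"])
        flow_ok = any(f["proto"] == 47 and f["src"] == local and f["dst"] == remote and f["sas"] >= 2 for f in s["flows"])
        if ike_ok and flow_ok:
            return True
    return False
```

Run against the output of both routers after a ping; a False result on a tunnel that still passes traffic means the GRE packets are leaving in the clear.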

28 comments


Alan Cameron, Managing Director at Cameron IT Solutions
Great guide to GRE tunnels, although I am having trouble securing the GRE tunnel (set up a lab environment). Once I set up
IPsec as above I can no longer ping the other side of the tunnel. Tried putting in access-lists to allow the GRE tunnel etc.
but to no avail.
Any ideas would be great.
Reply

1 Like 22 June at 17:17


Chris Partsenidis
Top commenter
Founder, Editor-in-Chief at Firewall.cx
Thanks for the feedback Alan. Normally you shouldn't have these kinds of problems. GRE tunnels are pretty
straightforward and usually work 'first go'. Unlike Crypto IPsec tunnels, they do not require 'no-nat' access lists. I'd
advise you to check your configuration again and pay attention to your routing; perhaps you missed something there.
Good luck and feel free to 'Like' us and share the site with others!
Reply

1 Like 22 June at 22:50

Dan Anderson Kansas City, Missouri


Good grief this page saved me a lot of time thanks.
Reply

2 Like 22 May at 10:33


Chris Partsenidis
Top commenter
Founder, Editor-in-Chief at Firewall.cx
Glad to hear it helped you Dan - Feel
free to share it! Thanks,
Reply Like 22 May at 11:48

Andy Mba Stockholm, Sweden


Well explained, easy to understand.
Reply

2 Like 18 December 2012 at 04:12

Umer Muhammad
Wow, Great...
this really helped me in field work.
Reply

1 Like 4 November 2012 at 01:28

Mihai Parasca, Universitatea Tehnică Cluj-Napoca


Amazingly clear!
Thank you!
Reply

1 Like 27 October 2012 at 20:18


Chris Partsenidis
Top commenter
Founder, Editor-in-Chief at Firewall.cx
Thanks Mihai for your feedback! Please don't forget to 'like' our articles and site :)
Reply

1 Like 28 October 2012 at 03:24

Aamir Sadiq, Aalim Muhammed Salegh College of Engineering
Helpful indeed, many thanks.
Reply

3 Like 19 August 2012 at 06:22


Mudassar Jaleel, Works at Verizon Wireless
Hey brother, getting in the tunnel :)
Reply

1 Like 19 August 2012 at 06:25

Ahmed Said
Top commenter
You saved my ass.
Reply

2 Like 6 September 2012 at 01:24

Karthick Sivarajan, Works at Tata Consultancy Services
Very useful and well organised description!
Reply

2 Like 28 August 2012 at 12:24

Rahul Singh
Excellent
Reply

3 Like 8 May 2012 at 04:03

Thiasma Thithi, Institut supérieur de technologies Siantou
Smart configuration.... (^_^)
Reply

1 Like 30 May at 10:13


Foster Lavrov, In front of my yard
Man. Stop wearing us out with the heavy stuff. Mboutman
Reply Like 30 May at 10:35


Last Updated on Sunday, 13 May 2012 21:42
