Configuring Point-to-Point GRE VPN Tunnels - Unprotected GRE & Protected GRE over IPSec Tunnels
Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that allows the encapsulation of a wide
variety of network layer protocols inside point-to-point links.
A GRE tunnel is used when packets need to be sent from one network to another over the Internet or an insecure network.
With GRE, a virtual tunnel is created between the two endpoints (Cisco routers) and packets are sent through the GRE
tunnel.
It is important to note that packets travelling inside a GRE tunnel are not encrypted: GRE does not encrypt the traffic, it
only encapsulates it with a GRE header. If data protection is required, IPSec must be configured to provide data
confidentiality; this is when a GRE tunnel is transformed into a secure VPN GRE tunnel.
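The point above can be checked by parsing a GRE packet the way any device on the path could. This is an added example, not code from the original article: it builds a plain GRE packet (basic RFC 2784 header) and reads back the inner addresses and payload without any key. The host addresses, the syslog payload and 192.0.2.1 as R1's public address are constructed for illustration.

```python
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload

def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header; checksum left at 0, which is enough for parsing."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Outer IPv4 + basic 4-byte GRE header (RFC 2784) + inner packet, unmodified."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # no checksum/key/sequence
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) of one IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    src, dst = (str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))
    return src, dst, pkt[9], pkt[ihl:total]

def observe_on_path(wire):
    """What a device between the tunnel endpoints recovers, with no key material."""
    t_src, t_dst, proto, gre = parse_ipv4(wire)
    if proto != GRE_PROTO or len(gre) < 4:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", gre[:4])
    # Optional checksum (C), key (K) and sequence (S) fields add 4 bytes each.
    skip = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("inner payload is not IPv4")
    src, dst, _, data = parse_ipv4(gre[skip:])
    return {"tunnel": (t_src, t_dst), "inner": (src, dst), "data": data}

# Constructed sample: a host on R1's LAN sends a UDP syslog line to R2's LAN.
# 192.0.2.1 stands in for R1's public address, which is an assumption.
MESSAGE = b"<13>user=admin login ok"
UDP = struct.pack("!HHHH", 40000, 514, 8 + len(MESSAGE), 0) + MESSAGE
INNER = ipv4_header("192.168.1.10", "192.168.2.10", 17, len(UDP)) + UDP
WIRE = gre_encapsulate(INNER, "192.0.2.1", "2.2.2.10")

if __name__ == "__main__":
    print(observe_on_path(WIRE))
```

The private LAN addresses and the payload come back in cleartext, and GRE adds only 24 bytes (outer IP header plus GRE header) in front of the original packet.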
The diagram below shows the encapsulation procedure of a simple, unprotected GRE packet as it traverses the router
and enters the tunnel interface:
While many might think a GRE IPSec tunnel between two routers is similar to a site-to-site IPSec VPN (crypto), it is not. A
major difference is that GRE tunnels allow multicast packets to traverse the tunnel whereas IPSec VPN does not support
multicast packets. In large networks where routing protocols such as OSPF and EIGRP are necessary, GRE tunnels are your
best bet. For this reason, plus the fact that GRE tunnels are much easier to configure, engineers prefer to use GRE rather
than IPSec VPN.
This article will explain how to create simple (unprotected) and secure (IPSec encrypted) GRE tunnels between endpoints.
We explain all the necessary steps to create and verify the GRE tunnel (unprotected and protected) and configure routing
between the two networks.
www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/868-cisco-router-gre-ipsec.html?tmpl=component&print=1&page=
9/23/13
R2's Tunnel interface is configured with the appropriate tunnel source and destination IP address. As with R1, the R2 router
will inform us that the Tunnel0 interface is up:
R2#
*May 4 21:32:54.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Routing Networks Through the GRE Tunnel
At this point, both tunnel endpoints are ready and can see each other. An ICMP echo from one end will confirm this:
R1# ping 172.16.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#
Again, this result means that the two tunnel endpoints can see each other. Workstations on either network will still not be
able to reach the other side unless a static route is placed on each endpoint:
R1(config)# ip route 192.168.2.0 255.255.255.0 172.16.0.2
On R1 we add a static route to the remote network 192.168.2.0/24 via 172.16.0.2, which is the other end of our GRE tunnel.
When R1 receives a packet for the 192.168.2.0 network, it now knows the next hop is 172.16.0.2 and therefore will send it
through the tunnel.
The same configuration must be repeated for R2:
R2(config)# ip route 192.168.1.0 255.255.255.0 172.16.0.1
Now both networks are able to freely communicate with each other over the GRE tunnel.
Next we are going to define a pre-shared key for authentication with R1's peer, 2.2.2.10:
R1(config)# crypto isakmp key firewallcx address 2.2.2.10
The peer's pre-shared key is set to firewallcx. This key will be used for all ISAKMP negotiations with peer 2.2.2.10 (R2).