GRE over IPsec
A GRE tunnel between two routers is often mistaken for a site-to-site IPsec VPN (crypto map), but the two are not the same thing. The major difference is that a GRE tunnel carries multicast, and therefore routing protocols such as OSPF and EIGRP, whereas a standalone IPsec VPN does not: a crypto map only protects the unicast traffic described by its access list. In larger networks where dynamic routing across the tunnel is necessary, GRE is the right choice, and it is also simpler to configure, which is why engineers prefer it over a bare IPsec VPN. The trade-off is that GRE on its own provides no confidentiality, integrity or peer authentication: anyone on the path can read or inject tunnel traffic, which is why a GRE tunnel is normally protected with IPsec.
This article explains how to create a simple (unprotected) and a secure (IPsec-encrypted) GRE tunnel between two endpoints. We cover all the steps needed to create and verify the tunnel in both forms and to configure routing between the two networks.
and we have an added overhead because of GRE, we must reduce the MTU to account for it. GRE adds 24 bytes to every packet (a 20-byte outer IPv4 header plus a 4-byte GRE header), and IPsec protection adds more on top of that, so an ip mtu of 1400 on the tunnel interface leaves room for both within a 1500-byte physical MTU and keeps fragmentation to a minimum. The accompanying ip tcp adjust-mss 1360 clamps the TCP MSS of sessions crossing the tunnel to 1400 minus the 40 bytes of IP and TCP headers, so TCP endpoints never generate a segment that has to be fragmented at the tunnel.
Finally, we define the tunnel source, which is R1's public IP address (1.1.1.10), and the tunnel destination, which is R2's public IP address (2.2.2.10).
As soon as R1's configuration is complete, the router confirms the creation of the tunnel and reports its status:
R1#
*May 4 21:30:22.971: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Since Tunnel0 is a logical interface, it comes up and stays up even if no GRE tunnel is configured or reachable at the other end: by default the line protocol of a GRE tunnel only reflects that the source interface is up and that a route to the tunnel destination exists. To make the interface track the peer, enable tunnel keepalives (keepalive 10 3 under the tunnel interface), which brings the line protocol down when the far end stops answering.
Next, we must create the Tunnel 0 interface on R2:
R2(config)# interface Tunnel0
R2(config-if)# ip address 172.16.0.2 255.255.255.0
R2(config-if)# ip mtu 1400
R2(config-if)# ip tcp adjust-mss 1360
R2(config-if)# tunnel source 2.2.2.10
R2(config-if)# tunnel destination 1.1.1.10
R2's tunnel interface is configured with the matching tunnel source and destination addresses. As with R1, R2 reports that the Tunnel0 interface is up:
R2#
*May 4 21:32:54.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
This message does not by itself prove that the two tunnel endpoints can reach each other, because a GRE tunnel interface stays up regardless. Verify the path explicitly from R1 with ping 172.16.0.2; a reply confirms that GRE packets flow in both directions. Even then, workstations on either network will not be able to reach the other side until a static route is placed on each endpoint:
R1(config)# ip route 192.168.2.0 255.255.255.0 172.16.0.2
On R1 we add a static route to the remote network 192.168.2.0/24 via 172.16.0.2, the other end of our GRE tunnel. When R1 receives a packet for the 192.168.2.0/24 network, it now knows the next hop is 172.16.0.2 and therefore sends it through the tunnel.
The same configuration must be repeated for R2:
R2(config)# ip route 192.168.1.0 255.255.255.0 172.16.0.1
Now both networks are able to communicate freely with each other over the GRE tunnel. In a larger deployment these static routes are replaced by running OSPF or EIGRP across the tunnel, which is the main reason for choosing GRE in the first place. Remember that at this stage everything crossing the tunnel is still in cleartext.
The IPsec transform set that protects the tunnel (the page preserves only its name and algorithms; the command form is reconstructed from them):
crypto ipsec transform-set TS esp-3des esp-md5-hmac
Note that 3DES and HMAC-MD5 are legacy algorithms; on current IOS releases use esp-aes 256 with esp-sha256-hmac instead.
Once IPsec protection is in place, show crypto session on R1 confirms that the GRE flow between the two public addresses is being encrypted:
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 2.2.2.10 port 500
IKE SA: local 1.1.1.10/500 remote 2.2.2.10/500 Active
IPSEC FLOW: permit 47 host 1.1.1.10 host 2.2.2.10
Active SAs: 2, origin: crypto map
A status of UP-ACTIVE with a live IKE SA and two active IPsec SAs (one inbound, one outbound) shows that both IKE phases completed. The flow "permit 47 host 1.1.1.10 host 2.2.2.10" is GRE (IP protocol 47) between the two tunnel endpoints, which is exactly and only what the crypto map should match; port 500 means plain IKE with no NAT traversal in use (NAT-T would show port 4500). If this session is missing or DOWN while Tunnel0 still reports up, GRE traffic is crossing the network in cleartext, so this command, not the tunnel line protocol, is the check that matters.
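The page's IPsec section survives only as the transform-set fragment and the show crypto session output above. The following is an added example, not the original article's configuration, showing the crypto-map method that output indicates ("origin: crypto map") on R1; R2 mirrors it with the addresses swapped. The pre-shared key value, policy and sequence numbers, the ACL and map names (GRE-TRAFFIC, GRE-MAP) and the outside interface name (GigabitEthernet0/0) are assumptions. The page's legacy transform set is kept only as a commented reference; the one configured here uses AES-256 and SHA-256.

```cisco
! R1 -- IKEv1 (ISAKMP) phase 1 policy. AES-256, SHA-256 and DH group 14 replace
! the 3DES/MD5/group 2 settings found in older guides.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
! Pre-shared key bound to R2's public address only (key value is an example).
crypto isakmp key Str0ngGRE-Key! address 2.2.2.10

! Phase 2 transform set. The page's original was:
!   crypto ipsec transform-set TS esp-3des esp-md5-hmac
! 3DES and HMAC-MD5 are deprecated; AES and SHA-2 are used instead. Transport mode
! is sufficient because GRE already supplies the outer IP header, saving 20 bytes
! per packet compared with tunnel mode.
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport

! Only GRE (IP protocol 47) between the two public addresses is protected. This ACL
! is what produces "IPSEC FLOW: permit 47 host 1.1.1.10 host 2.2.2.10".
ip access-list extended GRE-TRAFFIC
 permit gre host 1.1.1.10 host 2.2.2.10

! Crypto map tying peer, transform set and traffic selector together.
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 2.2.2.10
 set transform-set TS
 match address GRE-TRAFFIC

! The map goes on the physical (outside) interface that owns the tunnel source
! address, not on Tunnel0 itself.
interface GigabitEthernet0/0
 ip address 1.1.1.10 255.255.255.0
 crypto map GRE-MAP

! Keepalives make the tunnel line protocol track the peer instead of staying up
! unconditionally, so routing reacts when the far end disappears.
interface Tunnel0
 keepalive 10 3
```

After applying the mirror configuration on R2, ping 172.16.0.2 source 172.16.0.1 from R1 to trigger IKE negotiation, then confirm with show crypto isakmp sa (state QM_IDLE), show crypto session (UP-ACTIVE) and show crypto ipsec sa, where the #pkts encaps and #pkts decaps counters must increase with every ping. If the map is removed, attached to the wrong interface, or the ACL fails to match, IOS does not block the tunnel: GRE simply reverts to cleartext while Tunnel0 stays up, which is why the verification must be done on the crypto state rather than on the tunnel interface.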