
Secured Connectivity

Configuring GRE Tunnels

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—4-1


Generic Routing Encapsulation

• Generic Routing Encapsulation
• RFCs 1701, 1702, 2784
• Uses IP protocol 47 when encapsulated within IP
• Allows passing of routing information between connected networks



Default GRE Characteristics

Packet layout: IP | GRE | IP | TCP | Data

GRE header fields:
• Flags: identifies the presence of optional header fields
• Protocol Type: identifies the type of payload; Ethertype 0x800 is used for IPv4

• Tunneling of arbitrary OSI Layer 3 payload is the primary goal of GRE
• Stateless (no flow control mechanisms)
• No security (no confidentiality, data authentication, or integrity assurance)
• 24-B overhead by default (20-B IP header and 4-B GRE header)

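The header layout and overhead figures above, as an added example (not part of the original course material): a Python parser for GRE-in-IPv4 that reports the encapsulation overhead and shows that the inner addresses are readable on the wire when GRE is used without IPsec. The packets are constructed samples using the addresses from the slide topology; the key and sequence flag bits follow RFC 2890, which the slides do not cite.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO = 47                                    # IP protocol number for GRE
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000   # checksum, key, sequence present

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0; constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_gre_in_ip(packet):
    """Parse outer IPv4 + GRE; report overhead and the cleartext inner addresses."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if len(packet) < 20 or packet[9] != GRE_PROTO:
        raise ValueError("not an IPv4 packet carrying GRE (protocol 47)")
    if len(packet) < ihl + 4:
        raise ValueError("truncated GRE header")
    flags, proto_type = struct.unpack_from("!HH", packet, ihl)
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    # Each optional field announced by a flag bit adds 4 bytes to the 4-byte base header.
    gre_len = 4 + 4 * sum(bool(flags & f) for f in (FLAG_C, FLAG_K, FLAG_S))
    inner = packet[ihl + gre_len:]
    result = {
        "outer_src": str(IPv4Address(packet[12:16])),
        "outer_dst": str(IPv4Address(packet[16:20])),
        "protocol_type": proto_type, "gre_header_len": gre_len,
        "overhead": ihl + gre_len,
    }
    if proto_type == 0x0800 and len(inner) >= 20:   # inner IPv4 is not encrypted by GRE
        result["inner_src"] = str(IPv4Address(inner[12:16]))
        result["inner_dst"] = str(IPv4Address(inner[16:20]))
    return result

# Constructed sample packets: host A to host B, tunnelled from R1 to R6.
INNER = ipv4_header("10.0.1.12", "10.0.6.12", 6, 0)

def sample(flags, options=b""):
    gre = struct.pack("!HH", flags, 0x0800) + options
    outer = ipv4_header("172.30.1.2", "172.30.6.2", GRE_PROTO, len(gre) + len(INNER))
    return outer + gre + INNER

DEFAULT_PKT = sample(0x0000)                         # default 4-byte GRE header
KEYED_PKT = sample(FLAG_K, struct.pack("!I", 42))    # key field present (constructed key)

if __name__ == "__main__":
    for pkt in (DEFAULT_PKT, KEYED_PKT):
        print(parse_gre_in_ip(pkt))
```

With the key field present the GRE header grows to 8 bytes, so the overhead rises from the default 24 bytes to 28.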


Deployment Scenario

[Figure: Corporate headquarters (workplace resources) connected to a remote office (remote users) by a GRE tunnel across the Internet]

Configuring a GRE Tunnel

• Create and identify the tunnel interface.
• Configure the tunnel interface source address.
• Configure the tunnel interface destination address.
• Bring up tunnel interface (administratively).
• Configure routes.



Configure a Tunnel

[Figure: Site 1 (10.0.1.0, host A 10.0.1.12) connects through R1 (172.30.1.2) across the Internet to R6 (172.30.6.2) and Site 2 (10.0.6.0, host B 10.0.6.12)]

R1(config)#interface tunnel 0
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#tunnel source Fa0/1
R1(config-if)#tunnel destination 172.30.6.2
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 10.0.6.0 255.255.255.0 tunnel 0



Configure a Tunnel

[Figure: Site 1 (10.0.1.0, host A 10.0.1.12) connects through R1 (172.30.1.2) across the Internet to R6 (172.30.6.2) and Site 2 (10.0.6.0, host B 10.0.6.12)]

R1(config)#interface tunnel 0
R1(config-if)#ip address 3.3.3.1 255.255.255.0
R1(config-if)#tunnel source Fa0/1
R1(config-if)#tunnel destination 172.30.6.2
R1(config-if)#exit
R1(config)#router eigrp 1
R1(config-router)#network 3.3.3.0 0.0.0.255
R1(config-router)#network 10.0.1.0 0.0.0.255

Verifying GRE Tunnels

[Figure: Site 1 (10.0.1.0, host A 10.0.1.12) connects through R1 (172.30.1.2) across the Internet to R6 (172.30.6.2) and Site 2 (10.0.6.0, host B 10.0.6.12)]

R1# show ip interface brief
R1# show interfaces tunnel 0



GRE/IPsec

Tunnel mode example: IP | ESP | IP | GRE | IP | TCP | Data | ESP (encrypted payload)

Transport mode example: IP | ESP | GRE | IP | TCP | Data | ESP (encrypted payload)

• GRE encapsulates arbitrary payload.
• IPsec encapsulates unicast IP packet (GRE)
– Tunnel mode (default): IPsec creates a new tunnel IP packet.
– Transport mode: IPsec reuses the IP header of the GRE packet (20 B less overhead).



GRE with Encryption Example

[Figure: Site 1 (10.0.1.0, host A 10.0.1.12) connects through R1 (172.30.1.2) over a GRE/IPsec tunnel across the Internet to R6 (172.30.6.2) and Site 2 (10.0.6.0, host B 10.0.6.12)]

R1(config)#interface tunnel 0
R1(config-if)#ip address 3.3.3.1 255.255.255.0
R1(config-if)#tunnel source Fa0/1
R1(config-if)#tunnel destination 172.30.6.2
R1(config-if)#exit
R1(config)#interface Fa0/1
R1(config-if)#crypto map SNRS-MAP
R1(config-if)#exit
R1(config)#access-list 101 permit gre host 172.30.1.2 host 172.30.6.2
R1(config)#router eigrp 1
R1(config-router)#network 3.3.3.0 0.0.0.255
R1(config-router)#network 10.0.1.0 0.0.0.255



Summary

• GRE was developed to encapsulate a wide variety of protocol packet types inside IP tunnels.
• GRE can be used in conjunction with IPsec to pass routing updates between sites on an IPsec VPN.
• Several simple steps are required to configure a GRE tunnel.
• Use the show interfaces command to verify tunnel configuration.
• You can configure encryption so that all traffic through the GRE tunnel is encrypted.
