
Configuring Point-to-Point GRE VPN Tunnels - Unprotected GRE & Protected GRE over IPSec Tunnels

GRE is a tunneling protocol developed by Cisco that allows the encapsulation of a wide variety
of network layer protocols inside point-to-point links.

The diagram below shows the encapsulation procedure: an unprotected GRE packet as it traverses
the router and enters the tunnel interface:

A major difference is that GRE tunnels allow multicast packets to traverse the tunnel whereas
IPSec VPN does not support multicast packets.

This article will explain how to create simple (unprotected) and secure (IPSec encrypted) GRE
tunnels between endpoints.

Creating a Cisco GRE Tunnel

First step is to create our tunnel interface on R1:

R1(config)# interface Tunnel0
R1(config-if)# ip address 172.16.0.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source 1.1.1.10
R1(config-if)# tunnel destination 2.2.2.10

Since GRE is an encapsulating protocol, we lower the IP MTU to 1400 bytes and the TCP maximum
segment size (MSS) to 1360 bytes. Most transport links have a 1500-byte MTU, and GRE adds its own
headers on top of every packet, so the tunnel MTU must be reduced to absorb that overhead. A
setting of 1400 is common practice and keeps unnecessary packet fragmentation to a minimum.
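To see where the 1400 and 1360 figures come from, the following added example (not code or configuration from the original article) works through the header stack of a packet after GRE encapsulation and after GRE over IPSec, using the standard IPv4, GRE and ESP header sizes and the ciphers of the transform set used later in the article (esp-3des esp-md5-hmac). It assumes a 1500-byte physical MTU; the esp-aes and esp-sha256-hmac entries are included only to show how the headroom changes with other transforms and are not part of the article's configuration.

```python
# Added example, not from the article: work out the on-the-wire size of a
# packet after GRE and GRE-over-IPsec encapsulation, to show why the tunnel
# uses "ip mtu 1400" and "ip tcp adjust-mss 1360". Header sizes are the
# standard ones for IPv4 and GRE without options, and for ESP with the
# ciphers of the article's transform set (esp-3des esp-md5-hmac).

IPV4_HDR = 20         # IPv4 header, no options
TCP_HDR = 20          # TCP header, no options
GRE_HDR = 4           # basic GRE header (no key, sequence or checksum fields)
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1), encrypted with the payload
TRANSPORT_MTU = 1500  # assumed MTU of the physical path between the tunnel endpoints

# (IV length, cipher block size) and ICV length per IOS transform keyword.
ESP_CIPHERS = {"esp-3des": (8, 8), "esp-aes": (16, 16)}
ESP_ICVS = {"esp-md5-hmac": 12, "esp-sha-hmac": 12, "esp-sha256-hmac": 16}


def gre_size(inner_len):
    """Wire size of an unprotected GRE packet carrying inner_len bytes."""
    return IPV4_HDR + GRE_HDR + inner_len


def gre_over_ipsec_size(inner_len, transform_set="esp-3des esp-md5-hmac", mode="transport"):
    """Wire size of the same GRE packet once ESP protection is applied."""
    cipher, auth = transform_set.split()
    iv, block = ESP_CIPHERS[cipher]
    icv = ESP_ICVS[auth]
    # Transport mode encrypts GRE header + inner packet behind the existing
    # outer IP header; tunnel mode also encrypts that outer IP header and
    # prepends a new one.
    plaintext = GRE_HDR + inner_len + (IPV4_HDR if mode == "tunnel" else 0)
    # ESP pads so that plaintext + trailer is a multiple of the cipher block size.
    padded = -(-(plaintext + ESP_TRAILER) // block) * block
    return IPV4_HDR + ESP_HDR + iv + padded + icv


def tcp_mss_for(ip_mtu):
    """Largest TCP payload that fits in one packet of the given IP MTU."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def fits(ip_mtu, transform_set="esp-3des esp-md5-hmac", mode="transport"):
    """True if a full-size tunnel packet crosses the physical link unfragmented."""
    return gre_over_ipsec_size(ip_mtu, transform_set, mode) <= TRANSPORT_MTU


if __name__ == "__main__":
    for mtu in (1500, 1400):
        print(f"ip mtu {mtu}: GRE {gre_size(mtu)} B, GRE over ESP {gre_over_ipsec_size(mtu)} B, "
              f"fits {TRANSPORT_MTU}: {fits(mtu)}, tcp mss {tcp_mss_for(mtu)}")
```

With the tunnel MTU left at 1500, a full-size packet grows to 1560 bytes under ESP transport mode and has to be fragmented; at 1400 it comes out at 1456 bytes, so it fits with room to spare even in tunnel mode (1480 bytes). The MSS of 1360 is simply 1400 minus the 20-byte IP and 20-byte TCP headers.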

As soon as we complete R1’s configuration, the router will confirm the creation of the tunnel and
inform about its status:

R1#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

Since the Tunnel 0 interface is a logical interface, it will remain up even if there is no GRE tunnel
configured or connected at the other end.

Next, we must create the Tunnel 0 interface on R2:

R2(config)# interface Tunnel0
R2(config-if)# ip address 172.16.0.2 255.255.255.0
R2(config-if)# ip mtu 1400
R2(config-if)# ip tcp adjust-mss 1360
R2(config-if)# tunnel source 2.2.2.10
R2(config-if)# tunnel destination 1.1.1.10

As with R1, router R2 will inform us that the Tunnel0 interface is up:

R2#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

Routing Networks Through the GRE Tunnel

Before routing any traffic through the tunnel, we confirm it works end-to-end by pinging R2's
tunnel address from R1:

R1# ping 172.16.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

Next, we add a static route on R1 that sends traffic for R2's LAN (192.168.2.0/24) to the far end
of the tunnel:

R1(config)# ip route 192.168.2.0 255.255.255.0 172.16.0.2

The same configuration must be repeated for R2:

R2(config)# ip route 192.168.1.0 255.255.255.0 172.16.0.1

Securing the GRE Tunnel with IPSec

Configuring IPSec Encryption for GRE Tunnel (GRE over IPSec)

IPSec encryption involves two steps on each router:

(1) Configure ISAKMP (ISAKMP Phase 1)
(2) Configure IPSec (ISAKMP Phase 2)

Configure ISAKMP (IKE) - (ISAKMP Phase 1)

IKE exists only to establish SAs for IPsec. Before it can do this, IKE must negotiate an SA (an
ISAKMP SA) relationship with the peer.

The first step is to configure an ISAKMP Phase 1 policy:

R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400

86400 – Session key lifetime, expressed either in kilobytes (re-key after that amount of traffic)
or in seconds. The value set here is the default. Note that 3DES, MD5 and Diffie-Hellman group 2
are legacy algorithms; where both peers support it, AES, SHA-256 and DH group 14 or higher
should be used instead.

Next, we define a pre-shared key for authentication with R1's peer, 2.2.2.10:

R1(config)# crypto isakmp key firewallcx address 2.2.2.10

The peer's pre-shared key is set to firewallcx. This key will be used for all ISAKMP negotiations
with peer 2.2.2.10 (R2).

Create IPSec Transform (ISAKMP Phase 2 policy)

Next, we create the transform set used to protect our data. We've named this TS:

R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# mode transport

Next, we create an IPSec profile that ties the previously defined ISAKMP and IPSec configuration
together. We've named our IPSec profile protect-gre:

R1(config)# crypto ipsec profile protect-gre
R1(ipsec-profile)# set security-association lifetime seconds 86400
R1(ipsec-profile)# set transform-set TS

We are ready to apply the IPSec encryption to the Tunnel interface:

R1(config)# interface Tunnel 0
R1(config-if)# tunnel protection ipsec profile protect-gre

Now it's time to apply the same configuration on R2:

R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400

R2(config)# crypto isakmp key firewallcx address 1.1.1.10

R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(cfg-crypto-trans)# mode transport

R2(config)# crypto ipsec profile protect-gre
R2(ipsec-profile)# set security-association lifetime seconds 86400
R2(ipsec-profile)# set transform-set TS

R2(config)# interface Tunnel 0
R2(config-if)# tunnel protection ipsec profile protect-gre
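The most common reason a GRE over IPSec tunnel never comes up is a mismatch between the two sides: a differing Phase 1 policy attribute, a pre-shared key that was typed differently on one router, or a transform set or mode that does not match. The following added example (not code from the article or from Cisco) parses the crypto commands from both routers' configurations, as they would appear in the running configuration, and reports anything the peers could not agree on. It also flags the legacy algorithms the article uses. The sample configurations are constructed from the commands above; the IOS behaviour it assumes is that Phase 1 policies are compared on encryption, hash, authentication and DH group (lifetime may differ), that a transform set defaults to tunnel mode, and that the default ISAKMP DH group is 1.

```python
import re

# Added example, not from the article: parse the ISAKMP Phase 1 policies,
# pre-shared keys and IPsec transform sets from two routers' configurations
# and check that the peers can actually agree on a proposal. The sample
# configurations below are constructed from the commands in the article.
R1_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key firewallcx address 2.2.2.10
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode transport
"""
# R2 mirrors R1 with the peer address swapped.
R2_CONFIG = R1_CONFIG.replace("address 2.2.2.10", "address 1.1.1.10")

# Algorithms and DH groups that Cisco's Next Generation Encryption guidance
# classes as legacy; they still interoperate but should give way to AES,
# SHA-2 and DH group 14 or higher where both peers support them.
LEGACY = {"des", "3des", "md5", "sha", "group 1", "group 2", "group 5",
          "esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}


def parse_crypto_config(config):
    """Return (policies by priority, PSK by peer address, transform sets by name)."""
    policies, keys, transforms, block = {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            block = policies.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"crypto isakmp key (\S+) address (\S+)", line)
        if m:
            keys[m.group(2)], block = m.group(1), None
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            # IOS transform sets default to tunnel mode unless "mode transport" follows.
            block = transforms.setdefault(m.group(1), {"algos": m.group(2).split(), "mode": "tunnel"})
            continue
        if raw.startswith(" ") and block is not None:
            key, _, value = line.partition(" ")  # e.g. "encr 3des", "mode transport"
            block[key] = value
        else:
            block = None                         # any other top-level command ends the block
    return policies, keys, transforms


def ike_phase1_matches(local, remote):
    """First (local, remote) policy pair with equal encryption, hash, authentication
    and DH group, or None. Lifetime need not match: IOS uses the shorter one."""
    attrs = ("encr", "hash", "authentication", "group")
    for lp, lpol in sorted(local.items()):
        for rp, rpol in sorted(remote.items()):
            if all(lpol.get(a) == rpol.get(a) for a in attrs):
                return lp, rp
    return None


def check_peers(local_cfg, local_ip, remote_cfg, remote_ip):
    """Problems that would stop the two peers from building the tunnel, plus a
    warning if any legacy algorithm is in use. An empty list means all is well."""
    lpol, lkeys, ltr = parse_crypto_config(local_cfg)
    rpol, rkeys, rtr = parse_crypto_config(remote_cfg)
    problems = []
    if ike_phase1_matches(lpol, rpol) is None:
        problems.append("no matching ISAKMP policy between peers")
    if lkeys.get(remote_ip) is None or lkeys.get(remote_ip) != rkeys.get(local_ip):
        problems.append("pre-shared keys missing or different on the two peers")
    lsets = {(tuple(t["algos"]), t["mode"]) for t in ltr.values()}
    rsets = {(tuple(t["algos"]), t["mode"]) for t in rtr.values()}
    if not lsets & rsets:
        problems.append("no common IPsec transform set and mode")
    used = set()
    for pol in list(lpol.values()) + list(rpol.values()):
        # "group 1" is the IOS default when the policy omits the group line.
        used.update({pol.get("encr"), pol.get("hash"), "group " + pol.get("group", "1")})
    for t in list(ltr.values()) + list(rtr.values()):
        used.update(t["algos"])
    legacy = sorted(used & LEGACY)
    if legacy:
        problems.append("legacy algorithms in use: " + ", ".join(legacy))
    return problems


if __name__ == "__main__":
    for p in check_peers(R1_CONFIG, "1.1.1.10", R2_CONFIG, "2.2.2.10") or ["peers agree"]:
        print(p)
```

Run against the article's two configurations the only finding is the legacy-algorithm warning; change the hash on one side, mistype the key, or drop the mode transport line on one router and the corresponding mismatch is reported before anyone has to read debug crypto isakmp output.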

Verifying the GRE over IPSec Tunnel

Finally, our tunnel has been encrypted with IPSec, providing us with the much-needed security
layer. To test and verify this, all that is required is to ping the other end, which forces the IPSec
VPN tunnel to come up and start encrypting and decrypting our data:

R1# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

Using the show crypto session command, we can quickly verify the encryption is in place and
doing its work:

R1# show crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 2.2.2.10 port 500
IKE SA: local 1.1.1.10/500 remote 2.2.2.10/500 Active
IPSEC FLOW: permit 47 host 1.1.1.10 host 2.2.2.10
Active SAs: 2, origin: crypto map

The IPSEC FLOW line shows that the protected traffic is GRE (IP protocol 47) between the two
tunnel endpoints, and the two active SAs are the inbound and outbound IPSec SAs for that flow.
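Checking this output by eye is fine for one tunnel; for a fleet of routers it is worth scripting, so that a tunnel silently falling back to clear-text GRE (no session, status not UP-ACTIVE, or SAs missing in one direction) is caught. The following added example (not code from the article or from Cisco) parses the show crypto session output above, using the text exactly as the article prints it as constructed sample input, and checks the properties that matter for a protected GRE tunnel. The field names and the check_gre_protected helper are this example's own.

```python
import re

# Constructed sample: the "show crypto session" output printed in the article.
SAMPLE_OUTPUT = """\
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 2.2.2.10 port 500
IKE SA: local 1.1.1.10/500 remote 2.2.2.10/500 Active
IPSEC FLOW: permit 47 host 1.1.1.10 host 2.2.2.10
Active SAs: 2, origin: crypto map
"""

GRE_PROTOCOL = 47  # IP protocol number that appears in the IPSEC FLOW line


def parse_crypto_session(text):
    """Parse "show crypto session" output into one dict per Interface: block."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            current = {"interface": line.split(":", 1)[1].strip(), "flows": []}
            sessions.append(current)
        elif current is None:
            continue  # banner lines before the first session
        elif line.startswith("Session status:"):
            current["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            m = re.match(r"Peer: (\S+) port (\d+)", line)
            current["peer"], current["peer_port"] = m.group(1), int(m.group(2))
        elif line.startswith("IKE SA:"):
            m = re.match(r"IKE SA: local (\S+)/(\d+) remote (\S+)/(\d+) (\w+)", line)
            current["ike"] = {"local": m.group(1), "remote": m.group(3), "state": m.group(5)}
        elif line.startswith("IPSEC FLOW:"):
            m = re.match(r"IPSEC FLOW: permit (\d+) host (\S+) host (\S+)", line)
            current["flows"].append({"proto": int(m.group(1)), "src": m.group(2),
                                     "dst": m.group(3), "active_sas": 0})
        elif line.startswith("Active SAs:") and current["flows"]:
            m = re.match(r"Active SAs: (\d+)", line)
            current["flows"][-1]["active_sas"] = int(m.group(1))
    return sessions


def check_gre_protected(sessions, interface, local, peer):
    """Return the problems found; an empty list means GRE on `interface` is
    being encrypted to `peer` with IPsec SAs in both directions."""
    s = next((x for x in sessions if x["interface"] == interface), None)
    if s is None:
        return [f"no crypto session on {interface}: GRE would be sent in the clear"]
    problems = []
    if s.get("status") != "UP-ACTIVE":
        problems.append(f"session status is {s.get('status')}, not UP-ACTIVE")
    if s.get("peer") != peer:
        problems.append(f"session peer is {s.get('peer')}, expected {peer}")
    if s.get("ike", {}).get("state") != "Active":
        problems.append("IKE SA is not Active")
    gre = [f for f in s["flows"]
           if f["proto"] == GRE_PROTOCOL and f["src"] == local and f["dst"] == peer]
    if not gre:
        problems.append("no IPsec flow for GRE (protocol 47) between the tunnel endpoints")
    elif gre[0]["active_sas"] < 2:
        problems.append("fewer than two active IPsec SAs (need one inbound and one outbound)")
    return problems


if __name__ == "__main__":
    found = parse_crypto_session(SAMPLE_OUTPUT)
    print(check_gre_protected(found, "Tunnel0", "1.1.1.10", "2.2.2.10") or "tunnel is protected")
```

Fed the output from R1 above, the check returns no problems; pointing it at an interface with no crypto session, or at an unexpected peer, produces a finding that a monitoring job can alert on.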
