Professional Documents
Culture Documents
Configuring Point-to-Point GRE VPN Tunnels - Unprotected GRE & Protected GRE Over IPSec Tunnels 2
Configuring Point-to-Point GRE VPN Tunnels - Unprotected GRE & Protected GRE Over IPSec Tunnels 2
GRE is a tunneling protocol developed by Cisco that allows the encapsulation of a wide variety
of network layer protocols inside point-to-point links.
The diagram below shows the encapsulation procedure - unprotected GRE packet as it traversers
the router and enters the tunnel interface:
A major difference is that GRE tunnels allow multicast packets to traverse the tunnel whereas
IPSec VPN does not support multicast packets.
This article will explain how to create simple (unprotected) and secure (IPSec encrypted) GRE
tunnels between endpoints.
Creating a Cisco GRE Tunnel
Since GRE is an encapsulating protocol, we adjust the mtu to 1400 bytes and maximum segment
size (mss) to 1360 bytes. Because most transport MTUs are 1500 bytes and we have an added
overhead because of GRE, we must reduce the MTU to account for the extra overhead. A setting
of 1400 is a common practice and will ensure unnecessary packet fragmentation is kept to a
minimum.
As soon as we complete R1’s configuration, the router will confirm the creation of the tunnel and
inform about its status:
R1#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Since the Tunnel 0 interface is a logical interface it will remain up even if there is no GRE tunnel
configured or connected at the other end.
As with R1, R2 router will inform us that the Tunnel0 interface is up:
R2#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
IKE exists only to establish SAs for IPsec. Before it can do this, IKE must negotiate an SA (an
ISAKMP SA) relationship with the peer.
First step is to configure an ISAKMP Phase 1 policy:
86400 – Session key lifetime. Expressed in either kilobytes (after x-amount of traffic, change the
key) or seconds. Value set is the default value.
Next we are going to define a pre shared key for authentication with R1's peer, 2.2.2.10:
The peer’s pre shared key is set to firewallcx. This key will be used for allISAKMP negotiations
with peer 2.2.2.10 (R2).
create the transform set used to protect our data. We’ve named this TS:
we create an IPSec profile to connect the previously defined ISAKMP and IPSec configuration
together. We’ve named our IPSec profile protect-gre:
Finally, our tunnel has been encrypted with IPSec, providing us with the much needed security
layer. To test and verify this, all that is required is to ping the other end and force the VPN IPSec
tunnel to come up and start encrypting/decrypting our data:
Using the show crypto session command, we can quickly verify the encryption is in place and
doing its work: