GRE (Generic Routing Encapsulation) creates tunnels like IPSec; however, it does not encrypt the original packet, so it is not secure. Nevertheless, it has the advantage of being able to encapsulate a wide variety of Layer 3 protocols as well as broadcast and multicast messages.
To achieve the flexibility of GRE with the security of IPsec, “GRE over IPsec” can be used. In “GRE Over IPsec,” the original packet will be encapsulated by a GRE header and a new IP header, and then the GRE packet will be encrypted and encapsulated within an IPsec VPN header and a new IP header before it is sent over the tunnel.
In this post, I will show you how to configure a GRE over IPSec tunnel on Cisco routers.
Let’s get started
Network Topology
The network topology we will be making use of in this post is shown below.
As you can see, it consists of two routers (R1 and R3) with separate connections to the internet (R2). In this demonstration, we will be configuring “GRE over an IPSec Tunnel” between the two routers (R1 and R3) so that the two routers can establish a WAN connection through the internet router.
How to Configure GRE over an IPSec Tunnel on Cisco Router
Here are the steps to configure a GRE over IPSec tunnel on a Cisco router using the network topology shown above.
Step 1: Configure Interfaces of the Routers
The first step is to assign an IP address to the interfaces of the routers. The configuration to do this is shown below.
Router 1
R1(config)#interface ethernet0/0
R1(config-if)#ip address 11.11.11.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface ethernet0/1
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
Router 2
R2(config)#interface ethernet0/0
R2(config-if)#ip address 11.11.11.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface ethernet0/1
R2(config-if)#ip address 22.22.22.5 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
Router 3
R3(config)#interface ethernet0/0
R3(config-if)#ip address 22.22.22.6 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface ethernet0/1
R3(config-if)#ip address 192.168.21.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
Step 2: Configure Default route
A default route is the route a router uses to forward traffic when the destination of the packet does not appear in its routing table.
Router 1
R1(config)#ip route 0.0.0.0 0.0.0.0 11.11.11.2
Router 3
R3(config)#ip route 0.0.0.0 0.0.0.0 22.22.22.5
Step 3: Create Cisco GRE Tunnel on the Routers
Router 1
R1(config)#interface tunnel 0
R1(config-if)#ip address 172.16.0.1 255.255.255.252 <-- Tunnel Address
R1(config-if)#ip mtu 1400 <-- Adjust the maximum transmission unit (MTU) to 1400 bytes
R1(config-if)#ip tcp adjust-mss 1360 <-- Adjust the maximum segment size (MSS) to 1360 bytes
R1(config-if)#tunnel source 11.11.11.1 <-- R1’s public IP address
R1(config-if)#tunnel destination 22.22.22.6 <-- R3’s public IP address
R1(config-if)#exit
*Dec 29 14:25:40.019: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Router 3
R3(config)#interface tunnel 0
R3(config-if)#ip address 172.16.0.2 255.255.255.252 <-- Tunnel Address
R3(config-if)#ip mtu 1400 <-- Adjust the maximum transmission unit (MTU) to 1400 bytes
R3(config-if)#ip tcp adjust-mss 1360 <-- Adjust the maximum segment size (MSS) to 1360 bytes
R3(config-if)#tunnel source 22.22.22.6 <-- R3’s public IP address
R3(config-if)#tunnel destination 11.11.11.1 <-- R1’s public IP address
R3(config-if)#exit
*Dec 29 14:25:39.395: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Step 4: Create Static route for the GRE Tunnel
Router 1
R1(config)#ip route 192.168.21.0 255.255.255.0 172.16.0.2
Router 3
R3(config)#ip route 192.168.12.0 255.255.255.0 172.16.0.1
Step 5: Configure IPSec Encryption For GRE Tunnel
Router 1
R1(config)#crypto isakmp policy 10 <-- Configure ISAKMP (IKE) - (ISAKMP Phase 1) -->
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#hash sha256
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 5
R1(config-isakmp)#exit
R1(config)#crypto isakmp key cisco123 address 22.22.22.6 <-- Define a pre-shared key for authentication with our peer (R3 router) -->
R1(config)#crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac <-- Create IPSec Transform (ISAKMP Phase 2 Policy) -->
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile protect-gre <-- Create an IPSec profile to connect the previously defined ISAKMP and IPSec configuration together -->
R1(ipsec-profile)#set transform-set TS
R1(ipsec-profile)#exit
R1(config)#interface tunnel 0 <-- Apply the IPSec encryption to the Tunnel interface
R1(config-if)#tunnel protection ipsec profile protect-gre
R1(config-if)#exit
*Dec 29 15:03:02.076: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router 3
R3(config)#crypto isakmp policy 10 <-- Configure ISAKMP (IKE) - (ISAKMP Phase 1) -->
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#hash sha256
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 5
R3(config-isakmp)#exit
R3(config)#crypto isakmp key cisco123 address 11.11.11.1 <-- Define a pre-shared key for authentication with our peer (R1 router) -->
R3(config)#crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac <-- Create IPSec Transform (ISAKMP Phase 2 Policy) -->
R3(cfg-crypto-trans)#exit
R3(config)#crypto ipsec profile protect-gre <-- Create an IPSec profile to connect the previously defined ISAKMP and IPSec configuration together -->
R3(ipsec-profile)#set transform-set TS
R3(ipsec-profile)#exit
R3(config)#interface tunnel 0 <-- Apply the IPSec encryption to the Tunnel interface
R3(config-if)#tunnel protection ipsec profile protect-gre
R3(config-if)#exit
*Dec 29 15:10:36.802: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Here’s a brief explanation of each of the above commands:
crypto isakmp policy 10: This command is used to configure an ISAKMP policy on a device. In this case, it’s specifying Policy 10.
encryption aes 256: This command is used within the ISAKMP configuration mode to specify the encryption algorithm for the ISAKMP policy. It’s setting AES with a key length of 256 bits.
hash sha256: This command is used within the ISAKMP configuration mode to specify the hash algorithm for the ISAKMP policy. It’s setting SHA-256 for hashing.
authentication pre-share: This command is used within the ISAKMP configuration mode to specify the authentication method for the ISAKMP policy. It’s setting pre-shared keys for authentication.
group 5: This command is used within the ISAKMP configuration mode to specify the Diffie-Hellman group for the ISAKMP policy. It’s setting Group 5.
crypto isakmp key cisco123 address 11.11.11.1: This command is used to configure a pre-shared key for ISAKMP peer authentication. In this case, the key “cisco123” is configured for the peer with the address 11.11.11.1.
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac: This command is used to configure an IPSec transform set, specifying the encryption and integrity algorithms to be used for IPSec. It’s setting ESP with AES encryption (256-bit key) and SHA-256 HMAC for integrity.
crypto ipsec profile protect-gre: This command is used to create an IPSec profile, which is a collection of IPSec policies. In this case, the profile is named “protect-gre”.
set transform-set TS: This command is used within the IPSec profile configuration mode to specify the transform set to be used for IPSec protection. It’s setting the transform set named “TS” for the “protect-gre” profile.
interface tunnel 0: This command is used to enter the configuration mode for a specific tunnel interface. In this case, it’s Tunnel 0.
tunnel protection ipsec profile protect-gre: This command is used within the tunnel interface configuration mode to specify IPSec protection for the tunnel. It’s applying the IPSec profile named “protect-gre” to the tunnel interface.
Step 6: Configure Host Devices
PC1
Disable IP routing (so the device behaves as a host), configure the IP address on Ethernet0/0, set the default gateway on PC1, and try to ping the gateway (192.168.12.1).
PC1(config)#no ip routing
PC1(config)#interface ethernet0/0
PC1(config-if)#ip address 192.168.12.2 255.255.255.0
PC1(config-if)#no shutdown
PC1(config-if)#exit
PC1(config)#ip default-gateway 192.168.12.1
PC2
Disable IP routing (so the device behaves as a host), configure the IP address on Ethernet0/0, set the default gateway on PC2, and try to ping the gateway (192.168.21.1).
PC2(config)#no ip routing
PC2(config)#interface ethernet0/0
PC2(config-if)#ip address 192.168.21.2 255.255.255.0
PC2(config-if)#no shutdown
PC2(config-if)#exit
PC2(config)#ip default-gateway 192.168.21.1
Step 7: Test Connectivity
You can test connectivity by pinging the remote router and host from PC1, and then doing the same from PC2.
PC1#ping 192.168.21.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.21.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/5 ms
PC1#ping 192.168.21.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.21.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
PC2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/5 ms
PC2#ping 192.168.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
Step 8: Verifying The GRE Over IPSec Tunnel
You can use the following show commands to verify that the GRE over IPSec tunnel has been established:
R1#show crypto isakmp sa
R1#show crypto ipsec sa
R1#show interfaces tunnel 0
R1#show crypto session
R3#show crypto isakmp sa
R3#show crypto ipsec sa
R3#show interfaces tunnel 0
R3#show crypto session
I am a passionate Networking Associate specializing in Telecommunications.
With a degree in Electronic engineering, I possess a strong understanding of electronic systems and the intricacies of telecommunications networks. I gained practical experience and valuable insights working for a prominent telecommunications company.
Additionally, I hold certifications in networking, which have solidified my expertise in network architecture, protocols, and optimization.
Through my writing skills, I aim to provide accurate and valuable knowledge in the networking field.