How to Configure "GRE over IPSec Tunnel" on Cisco Routers (Site-to-Site) - Netizzan

How to Configure “GRE over IPSec Tunnel” on Cisco Routers (Site-to-Site)

GRE (Generic Routing Encapsulation) creates tunnels like IPSec; however, it does not encrypt the original packet, so it is not secure. Nevertheless, it has the advantage of being able to encapsulate a wide variety of Layer 3 protocols as well as broadcast and multicast messages.

To achieve the flexibility of GRE with the security of IPsec, “GRE over IPsec” can be used. In “GRE Over IPsec,”  the original packet will be encapsulated by a GRE header and a new IP header, and then the GRE packet will be encrypted and encapsulated within an IPsec VPN header and a new IP header before it is sent over the tunnel.

In this post, I will be showing you how to configure GRE over IPSec Tunnel on Cisco Routers.

Let’s get started

Network Topology

The network topology we will be making use of  in this post is shown below.

As you can see, it consists of two routers (R1 and R3) with separate connections to the internet (R2). In this demonstration, we will be configuring “GRE over an IPSec Tunnel” between the two routers (R1 and R3) so that the two routers can establish a WAN connection through the internet router.

network topology for GRE over IPsec

How to Configure GRE over an IPSec Tunnel on Cisco Router

Here are steps to Configure GRE over an IPSec Tunnel on Cisco Router using the network topology shown above.

Step 1: Configure Interfaces of the Routers

The first step is to assign an IP address to the interfaces of the routers. The configuration to do this is shown below.

Router 1

R1(config)#interface ethernet0/0
R1(config-if)#ip address 11.11.11.1 255.255.255.252
R1(config-if)#no shutdown 
R1(config-if)#exit

R1(config)#interface ethernet0/1
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown 
R1(config-if)#exit

Router 2

R2(config)#interface ethernet0/0
R2(config-if)#ip address 11.11.11.2 255.255.255.252
R2(config-if)#no shutdown 
R2(config-if)#exit

R2(config)#interface ethernet0/1
R2(config-if)#ip address 22.22.22.5 255.255.255.252
R2(config-if)#no shutdown 
R2(config-if)#exit

Router 3

R3(config)#interface ethernet0/0
R3(config-if)#ip address 22.22.22.6 255.255.255.252
R3(config-if)#no shutdown 
R3(config-if)#exit

R3(config)#interface ethernet0/1
R3(config-if)#ip address 192.168.21.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit 

Step 2: Configure Default route

Default route is the route a router will forward traffic to if the route to the destination of the packet does not appear in the routing table.

Router 1

R1(config)#ip route 0.0.0.0 0.0.0.0 11.11.11.2

 Router 2

R3(config)#ip route 0.0.0.0 0.0.0.0 22.22.22.5

Step 3: Create Cisco GRE Tunnel on the Routers

Router 1

R1(config)#interface tunnel 0
R1(config-if)#ip address 172.16.0.1 255.255.255.252 <-- Tunnel Address
R1(config-if)#ip mtu 1400 <-- Adjust the maximum transfer unit (MTU) to 1400 bytes
R1(config-if)#ip tcp adjust-mss 1360 <-- Adjust the maximum segment size (MSS) to 1360 bytes
R1(config-if)#tunnel source 11.11.11.1	<-- R1’s public IP address
R1(config-if)#tunnel destination 22.22.22.6 <-- R3’s public IP address
R1(config-if)#exit

*Dec 29 14:25:40.019: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

Router 2

R3(config)#interface tunnel 0
R3(config-if)#ip address 172.16.0.2 255.255.255.252 <-- Tunnel Address
R3(config-if)#ip mtu 1400 <-- Adjust the maximum transfer unit (MTU) to 1400 bytes
R3(config-if)#ip tcp adjust-mss 1360 <-- Adjust the maximum segment size (MSS) to 1360 bytes
R3(config-if)#tunnel source 22.22.22.6 <-- R3’s public IP address
R3(config-if)#tunnel destination 11.11.11.1 <-- R1’s public IP address
R3(config-if)#exit

*Dec 29 14:25:39.395: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

Step 4: Create Static route for the GRE Tunnel

Router 1

R1(config)#ip route 192.168.21.0 255.255.255.0 172.16.0.2

Router 2

R3(config)#ip route 192.168.12.0 255.255.255.0 172.16.0.1

Step 5: Configure IPSec Encryption For GRE Tunnel

Router 1

R1(config)#crypto isakmp policy 10 <--Configure ISAKMP (IKE) - (ISAKMP Phase 1) -->
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#hash sha256
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 5
R1(config-isakmp)#exit

R1(config)#crypto isakmp key cisco123 address 22.22.22.6 <-- Define a pre shared key for authentication with our peer (R3 router) -->

R1(config)#crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac <-- Create IPSec Transform (ISAKMP Phase 2 Policy) -->
R1(cfg-crypto-trans)#exit

R1(config)#crypto ipsec profile protect-gre <--Create an IPSec profile to connect the previously defined ISAKMP and IPSec configuration together -->
R1(ipsec-profile)#set transform-set TS
R1(ipsec-profile)#exit

R1(config)#interface tunnel 0 <-- Apply the IPSec encryption to the Tunnel interface
R1(config-if)#tunnel protection ipsec profile protect-gre
R1(config-if)#exit

*Dec 29 15:03:02.076: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

 Router 3

R3(config)#crypto isakmp policy 10 <-- Configure ISAKMP (IKE) - (ISAKMP Phase 1) -->
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#hash sha256
R3(config-isakmp)#authentication pre-share 
R3(config-isakmp)#group 5
R3(config-isakmp)#exit

R3(config)#crypto isakmp key cisco123 address 11.11.11.1 <-- Define a pre shared key for authentication with our peer (R1 router) -->

R3(config)#crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac <-- Create IPSec Transform (ISAKMP Phase 2 Policy) -->
R3(cfg-crypto-trans)#exit

R3(config)#crypto ipsec profile protect-gre <-- Create an IPSec profile to connect the previously defined ISAKMP and IPSec configuration together -->
R3(ipsec-profile)#set transform-set TS
R3(ipsec-profile)#exit

R3(config)#interface tunnel 0 <-- Apply the IPSec encryption to the Tunnel interface
R3(config-if)#tunnel protection ipsec profile protect-gre
R3(config-if)#exit

*Dec 29 15:10:36.802: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Here’s a brief explanation of each of the above commands:

  1. crypto isakmp policy 10: This command is used to configure an ISAKMP policy on a device. In this case, it’s specifying Policy 10.
  2. encryption aes 256: This command is used within the ISAKMP configuration mode to specify the encryption algorithm for the ISAKMP policy. It’s setting AES with a key length of 256 bits.
  3. hash sha256: This command is used within the ISAKMP configuration mode to specify the hash algorithm for the ISAKMP policy. It’s setting SHA-256 for hashing.
  4. authentication pre-share: This command is used within the ISAKMP configuration mode to specify the authentication method for the ISAKMP policy. It’s setting pre-shared keys for authentication.
  5. group 5: This command is used within the ISAKMP configuration mode to specify the Diffie-Hellman group for the ISAKMP policy. It’s setting Group 5.
  6. crypto isakmp key cisco123 address 11.11.11.1: This command is used to configure a pre-shared key for ISAKMP peer authentication. In this case, the key “cisco123” is configured for the peer with the address 11.11.11.1.
  7. crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac: This command is used to configure an IPSec transform set, specifying the encryption and integrity algorithms to be used for IPSec. It’s setting ESP with AES encryption (256-bit key) and SHA-256 HMAC for integrity.
  8. crypto ipsec profile protect-gre: This command is used to create an IPSec profile, which is a collection of IPSec policies. In this case, the profile is named “protect-gre”.
  9. set transform-set TS: This command is used within the IPSec profile configuration mode to specify the transform set to be used for IPSec protection. It’s setting the transform set named “TS” for the “protect-gre” profile.
  10. interface tunnel 0: This command is used to enter the configuration mode for a specific tunnel interface. In this case, it’s Tunnel 0.
  11. tunnel protection ipsec profile protect-gre: This command is used within the tunnel interface configuration mode to specify IPSec protection for the tunnel. It’s applying the IPSec profile named “protect-gre” to the tunnel interface.

 Step 6: Configure Host Devices

PC1

Disable the routing table, configure the IP address on Ethernet0/0, set the IP gateway on PC1, and try to ping the gateway (192.168.12.1).

PC1(config)#no ip routing

PC1(config)#interface ethernet0/0
PC1(config-if)#ip address 192.168.12.2 255.255.255.0
PC1(config-if)#no shutdown 
PC1(config-if)#exit

PC1(config)#ip default-gateway 192.168.12.1

PC2

Disable the routing table, configure the IP address on Ethernet0/0, set the IP gateway on PC2, and try to ping the gateway (192.168.21.1).

PC2(config)#no ip routing

PC2(config)#interface ethernet0/0
PC2(config-if)#ip address 192.168.21.2 255.255.255.0
PC2(config-if)#no shutdown 
PC2(config-if)#exit

PC(config)#ip default-gateway 192.168.21.1

Step 7: Test Connectivity

You can test connectivity by pinging from PC1 to PC2.

PC1#ping 192.168.21.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.21.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/5 ms
PC1#ping 192.168.21.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.21.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms


PC2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/5 ms
PC2#ping 192.168.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

Step 8: Verifying The GRE Over IPSec Tunnel

You can use the following show commands to verify that GRE over IPSec has been created;

R1#show crypto isakmp sa
R1#show crypto ipsec sa
R1#show interfaces tunnel 0
R1#show crypto session

R3#show crypto isakmp sa
R3#show crypto ipsec sa
R3#show interfaces tunnel 0
R3#show crypto session

Related Posts;

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top