GRE tunnels allow us to tunnel unicast, multicast and broadcast traffic between routers and are often used to run routing protocols between different sites. The downside of GRE is that it offers no protection at all: everything is sent in clear text and the receiver has no way to verify where a packet really came from. On Cisco IOS routers, however, we can use IPsec to encrypt the entire GRE tunnel. This gives us a secure site-to-site tunnel that can still carry the multicast traffic that routing protocols need. In this lesson I will show you how to configure an encrypted GRE tunnel with IPsec. This is the topology that we will use:
Above we have 3 routers. The HQ and Branch router each have a loopback interface that will represent their LAN connection. Both routers are connected to “the Internet” using the ISP router.
We will create a GRE tunnel between the HQ and Branch router and ensure that the 172.16.1.0 /24 and 172.16.3.0 /24 networks can reach each other while all traffic between the two networks is encrypted with IPsec. Let’s start with the configuration of the interfaces:
HQ(config)#interface fastEthernet 0/0
HQ(config-if)#ip address 192.168.12.1 255.255.255.0
HQ(config-if)#exit
HQ(config)#interface loopback0
HQ(config-if)#ip address 172.16.1.1 255.255.255.0
HQ(config-if)#exit
HQ(config)#ip route 192.168.23.3 255.255.255.255 192.168.12.2
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 192.168.12.2 255.255.255.0
ISP(config-if)#exit
ISP(config)#interface fastEthernet 1/0
ISP(config-if)#ip address 192.168.23.2 255.255.255.0
Branch(config)#interface fastEthernet 0/0
Branch(config-if)#ip address 192.168.23.3 255.255.255.0
Branch(config-if)#exit
Branch(config)#interface loopback 0
Branch(config-if)#ip address 172.16.3.3 255.255.255.0
Branch(config-if)#exit
Branch(config)#ip route 192.168.12.1 255.255.255.255 192.168.23.2
I will use a simple static route on the HQ and Branch router so that they can reach each other’s public address through the ISP router; a /32 route to the remote tunnel endpoint is all that is needed. Now let’s create the GRE tunnel between the two routers:
HQ(config)#interface tunnel 1
HQ(config-if)#tunnel source fastEthernet 0/0
HQ(config-if)#tunnel destination 192.168.23.3
HQ(config-if)#ip address 192.168.13.1 255.255.255.0
Branch(config)#interface tunnel 1
Branch(config-if)#tunnel source fastEthernet 0/0
Branch(config-if)#tunnel destination 192.168.12.1
Branch(config-if)#ip address 192.168.13.3 255.255.255.0
We use the IP address on the FastEthernet interface of each router as the tunnel source and the other router’s FastEthernet address as the tunnel destination. On the tunnel itself we’ll use network 192.168.13.0 /24.
With the tunnel operational, let’s configure a routing protocol so that the HQ and Branch routers can learn about each other’s networks on the loopback interfaces:
HQ(config)#router ospf 1
HQ(config-router)#network 192.168.13.0 0.0.0.255 area 0
HQ(config-router)#network 172.16.1.0 0.0.0.255 area 0
Branch(config)#router ospf 1
Branch(config-router)#network 192.168.13.0 0.0.0.255 area 0
Branch(config-router)#network 172.16.3.0 0.0.0.255 area 0
So far so good: we have a GRE tunnel and the two routers form an OSPF neighbor adjacency over it and exchange routing information. Note that the loopbacks show up as /32 host routes below, not as /24 networks: OSPF advertises a loopback interface as a host route regardless of its mask unless you change the interface network type to point-to-point.
HQ#show ip route ospf
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
O 172.16.3.3/32 [110/11112] via 192.168.13.3, 00:00:38, Tunnel1
Branch#show ip route ospf
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
O 172.16.1.1/32 [110/11112] via 192.168.13.1, 00:00:50, Tunnel1
So everything is working, but right now everything, OSPF hellos included, is transferred in clear text across the ISP router. Time to get IPsec up and running to encrypt our GRE tunnel! There are a couple of things that we have to configure to achieve this, let me show you what to do:
HQ(config)#crypto isakmp policy 10
HQ(config-isakmp)# encr aes 256
HQ(config-isakmp)# authentication pre-share
HQ(config-isakmp)# group 5
HQ(config-isakmp)# lifetime 3600
Branch(config)#crypto isakmp policy 10
Branch(config-isakmp)# encr aes 256
Branch(config-isakmp)# authentication pre-share
Branch(config-isakmp)# group 5
Branch(config-isakmp)# lifetime 3600
First of all we have to configure an ISAKMP (IKE phase 1) policy. In the example above I specify that I want to use 256-bit AES encryption and that we want to use a pre-shared key. We use Diffie-Hellman group 5 for the key exchange process, and the lifetime for the ISAKMP security association is 3600 seconds. Two things are implicit here: the policy has no hash command, so IOS uses its default of SHA-1, and the policy number (10) only sets the priority in which policies are offered to the peer; both routers need a policy with matching parameters. Keep in mind that DH group 5 and SHA-1 are considered weak today; on IOS versions that support it, prefer hash sha256 and group 14 or higher. Don’t forget to configure the pre-shared key on both routers:
HQ(config)#crypto isakmp key PASS address 192.168.23.3
Branch(config)#crypto isakmp key PASS address 192.168.12.1
I will use ‘PASS’ as the pre-shared key on both routers. The key is bound to the peer’s public address, so HQ refers to 192.168.23.3 and Branch to 192.168.12.1. A key like this is only acceptable in a lab; a pre-shared key VPN is only as strong as the secret itself, so use a long, random key in production. The next step is to create an IPsec transform-set:
HQ(config)#crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac
Branch(config)#crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac
Above you can see I created a transform-set called ‘TRANS’ that specifies ESP with 256-bit AES for encryption and HMAC-SHA-1 for integrity. Because no mode command is given, the transform-set uses the default tunnel mode, which wraps the whole GRE packet in a new IP header. Since GRE already adds its own outer IP header, many GRE over IPsec designs add mode transport instead, which saves 20 bytes per packet; either mode works for this lesson as long as both routers agree.
Now we can create a crypto map that tells the router what traffic to encrypt and what transform-set to use:
HQ(config)#crypto map MYMAP 10 ipsec-isakmp
HQ(config-crypto-map)# set peer 192.168.23.3
HQ(config-crypto-map)# set transform-set TRANS
HQ(config-crypto-map)# match address 100
Branch(config)#crypto map MYMAP 10 ipsec-isakmp
Branch(config-crypto-map)# set peer 192.168.12.1
Branch(config-crypto-map)# set transform-set TRANS
Branch(config-crypto-map)# match address 100
Above we have a crypto map called ‘MYMAP’ with sequence number 10 that uses ISAKMP to negotiate the security associations, points at the peer’s public address, and specifies the transform-set ‘TRANS’ and what traffic it should encrypt. I used access-list 100 for the latter but I still have to create it:
HQ(config)#access-list 100 permit gre any any
Branch(config)#access-list 100 permit gre any any
We will use a permit statement that matches only GRE traffic (IP protocol 47), so the tunnel packets are encrypted while other traffic leaving the interface is not. A crypto ACL works in both directions: the router encrypts matching traffic outbound and drops matching traffic that arrives inbound without IPsec protection. Since each router has only one peer, any any is fine in this lab, but in production match on the tunnel source and destination addresses. Now the final step is to activate the crypto map by applying it to the FastEthernet interfaces:
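Here is how the procedure is completed and verified, as an added worked example of my own and not output from the lesson: the crypto map is applied to the Internet-facing interface of each router, interesting traffic is generated, and the ISAKMP and IPsec security associations are checked. The hardened policy, transform-set and crypto ACL at the end are an alternative I add here rather than what the lesson configures; the placeholder key and the MTU/MSS values are assumptions based on common GRE over IPsec practice. Branch gets the mirror image of every HQ line (peer 192.168.12.1, ACL hosts swapped).

```cisco
! Activate the crypto map on the Internet-facing interface of both routers.
! IOS allows one crypto map set per interface; it matches outbound traffic
! against access-list 100 (GRE) and negotiates IPsec with the peer.
HQ(config)#interface fastEthernet 0/0
HQ(config-if)#crypto map MYMAP
HQ(config-if)#exit

Branch(config)#interface fastEthernet 0/0
Branch(config-if)#crypto map MYMAP
Branch(config-if)#exit

! Generate interesting traffic so that IKE phase 1 and phase 2 are negotiated.
HQ#ping 172.16.3.3 source 172.16.1.1

! Phase 1 check: the ISAKMP SA with 192.168.23.3 should be in state QM_IDLE.
HQ#show crypto isakmp sa
! Phase 2 check: the IPsec SA whose local/remote ident lists protocol 47 (GRE).
! The "#pkts encaps" / "#pkts decaps" counters must increase with every ping
! and every OSPF hello; if they stay at 0, GRE is leaving in clear text.
HQ#show crypto ipsec sa
HQ#show crypto session

! Optional hardening (my assumptions, not part of the lesson). The lesson's
! policy relies on the IOS default hash (SHA-1) and DH group 5, both of which
! are deprecated. On IOS versions that support it the same design works with
! SHA-256 and DH group 14. The key below is a placeholder: use a long,
! random secret.
HQ(config)#crypto isakmp policy 10
HQ(config-isakmp)# encr aes 256
HQ(config-isakmp)# hash sha256
HQ(config-isakmp)# authentication pre-share
HQ(config-isakmp)# group 14
HQ(config-isakmp)# lifetime 3600
HQ(config-isakmp)# exit
HQ(config)#crypto isakmp key <long-random-secret> address 192.168.23.3

! Transport mode: GRE already supplies the outer IP header, so tunnel mode
! would only add a second, identical IP header (20 bytes) to every packet.
HQ(config)#crypto ipsec transform-set TRANS esp-aes 256 esp-sha256-hmac
HQ(cfg-crypto-trans)# mode transport
HQ(cfg-crypto-trans)# exit

! Restrict the crypto ACL to the two tunnel endpoints instead of any/any.
HQ(config)#no access-list 100
HQ(config)#access-list 100 permit gre host 192.168.12.1 host 192.168.23.3

! GRE (24 bytes) plus ESP overhead no longer fits in a 1500-byte frame;
! lower the tunnel MTU and clamp the TCP MSS so packets are not fragmented
! after encryption.
HQ(config)#interface tunnel 1
HQ(config-if)# ip mtu 1400
HQ(config-if)# ip tcp adjust-mss 1360
```

After changing the ISAKMP policy or transform-set on one router, apply the same change on the other before testing, otherwise phase 1 or phase 2 negotiation fails and show crypto isakmp sa shows no QM_IDLE entry; clear crypto isakmp and clear crypto sa force a fresh negotiation.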
Hi Mithun,
These are not the same. Take a look at this picture from my IPsec lesson:
https://networklessons.com/wp-content/uploads/2015/08/ipsec-ah-transport-tunnel-mode-headers.png
When we use IPsec tunnel mode, we encapsulate the original IP packet and put an AH or ESP header and new IP header in front of it. IPsec only supports unicast packets.
GRE also encapsulates IP packets and it supports multicast traffic. It adds a GRE header in front of the original IP packet and then a new IP header. You can see this in this capture file:
GRE Encapsulated ICMP Captur
... Continue reading in our forum
Hello Mohammad.
What exactly is meant by each of the two phrases depends on the context. Encrypted GRE Tunnel with IPSec refers to the encryption of the information sent over a GRE tunnel using the functionalities of IPSec. GRE over IPSec is not that specific and it depends on what the person speaking really means.
IPSec used in combination with GRE can function in two ways, either in tunnel mode, or transport mode.
In tunnel mode, which is the default and is also what Rene has configured in the lesson, the whole GRE packet is encapsulated and encrypted withi
... Continue reading in our forum
Hi Hussein,
The only thing you have to change is the transform set:
... Continue reading in our forum
Hello Brian
When you use the ip route command, what you are telling the router is “in order to get to this network, use this next hop IP.” Now the contents of the command is a network address and a subnet mask. So, if you enter the command ip route 192.168.23.0 255.255.255.0 192.168.12.2
then what you are saying is that if you get a packet with a destination IP address in the range 192.168.23.1 to 192.168.23.254, send it to 192.168.12.2.
If you change the subnet mask, what you’re doing is essentially modifying the range within which the destination address mu
... Continue reading in our forum
Hello Vadim
About your first question, it’s important to understand what each entity is and does. GRE is a tunneling protocol. It encapsulates packets and allows them to run over another network. So you can run your internal private IP addresses between two sites that connect to each other over the Internet. A GRE tunnel is not encrypted or secured in any way.
IPSec is a secure network protocol suite that authenticates and encrypts packets. It is a method of encryption and authentication and does not include any tunneling mechanisms. It cannot and will no
... Continue reading in our forum