Encrypted GRE Tunnel with IPSEC

GRE tunnels allow to tunnel unicast, multicast and broadcast traffic between routers and are often used for routing protocols between different sites. The downside of GRE tunneling is that it is clear text and offers no form of protection. On Cisco IOS routers however we can use IPSEC to encrypt the entire GRE tunnel, this allows us to have a safe and secure site-to-site tunnel. In this lesson I will show you how to configure an encrypted GRE tunnel with IPSEC. This is the topology that we will use:

three cisco routers with tunnel

Above we have 3 routers. The HQ and Branch router each have a loopback interface that will represent their LAN connection. Both routers are connected to “the Internet” using the ISP router.

We will create a GRE tunnel between the HQ and Branch router and ensure that the /24 and /24 can reach each other while all traffic between the two networks is encrypted with IPSEC. Let’s start with the configuration of the interfaces:

HQ(config)#interface fastEthernet 0/0           
HQ(config-if)#ip address
HQ(config)#interface loopback0
HQ(config-if)#ip address
HQ(config)#ip route
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address
ISP(config)#interface fastEthernet 1/0
ISP(config-if)#ip address
Branch(config)#interface fastEthernet 0/0
Branch(config-if)#ip address
Branch(config)#interface loopback 0
Branch(config-if)#ip address
Branch(config)#ip route

I will use a simple static route on the HQ and Branch router so that they can reach each other. Now let’s create the GRE tunnel between the two routers:

HQ(config)#interface tunnel 1     
HQ(config-if)#tunnel source fastEthernet 0/0
HQ(config-if)#tunnel destination
HQ(config-if)#ip address
Branch(config)#interface tunnel 1
Branch(config-if)#tunnel source fastEthernet 0/0
Branch(config-if)#tunnel destination
Branch(config-if)#ip address

We will use the IP addresses on the FastEthernet interfaces of the HQ and Branch router as the destination for the tunnel. On the tunnel itself we’ll use network /24.

With the tunnel operational, let’s configure a routing protocol so that the HQ and Branch router can learn about each others network on the loopback interfaces:

HQ(config)#router ospf 1
HQ(config-router)#network area 0
HQ(config-router)#network area 0
Branch(config)#router ospf 1
Branch(config-router)#network area 0
Branch(config-router)#network area 0

So far so good, we have a GRE tunnel and the two routers will form an OSPF neighbor adjacency and exchange routing information:

HQ#show ip route ospf is variably subnetted, 2 subnets, 2 masks
O [110/11112] via, 00:00:38, Tunnel1
Branch#show ip route ospf is variably subnetted, 2 subnets, 2 masks
O [110/11112] via, 00:00:50, Tunnel1

So everything is working, but right now everything will be transfered in clear text. Time to get IPSEC up and running to encrypt our GRE tunnel! There are a couple of things that we have to configure to achieve this, let me show you what to do:

HQ(config)#crypto isakmp policy 10
HQ(config-isakmp)# encr aes 256
HQ(config-isakmp)# authentication pre-share
HQ(config-isakmp)# group 5
HQ(config-isakmp)# lifetime 3600
Branch(config)#crypto isakmp policy 10
Branch(config-isakmp)# encr aes 256
Branch(config-isakmp)# authentication pre-share
Branch(config-isakmp)# group 5
Branch(config-isakmp)# lifetime 3600

First of all we have to configure an ISAKMP policy. In the example above I specify that I want to use 256-bit AES encryption and that we want to use a pre-shared key. We use Diffie-Hellman Group 5 for the key exchange process. The lifetime for the ISAKMP security association is 3600 seconds. Don’t forget to configure the pre-shared key on both routers:

HQ(config)#crypto isakmp key PASS address
Branch(config)#crypto isakmp key PASS address

I will use ‘PASS” as the pre-shared key on both routers. The next step is to create an IPSEC transform-set:

HQ(config)#crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac
Branch(config)#crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac

Above you can see I created a transform-set called ‘TRANS’ that specifies we want to use ESP AES 256-bit and HMAC-SHA authentication.

Now we can create a crypto map that tells the router what traffic to encrypt and what transform-set to use:

HQ(config)#crypto map MYMAP 10 ipsec-isakmp 
HQ(config-crypto-map)# set peer
HQ(config-crypto-map)# set transform-set TRANS 
HQ(config-crypto-map)# match address 100
Branch(config)#crypto map MYMAP 10 ipsec-isakmp 
Branch(config-crypto-map)# set peer
Branch(config-crypto-map)# set transform-set TRANS 
Branch(config-crypto-map)# match address 100

Above we have a crypto-map called ‘MYMAP’ that specifies the transform-set ‘TRANS’ and what traffic it should encrypt. I used access-list 100 for this but I still have to create it:

HQ(config)#access-list 100 permit gre any any
Branch(config)#access-list 100 permit gre any any

We will use a permit statement that only matches GRE traffic. Now the final step is to activate crypto map by applying it to the FastEthernet interfaces:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 739 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

542 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: , , , ,

Forum Replies

  1. Hi Mithun,

    These are not the same. Take a look at this picture from my IPsec lesson:


    When we use IPsec tunnel mode, we encapsulate the original IP packet and put an AH or ESP header and new IP header in front of it. IPsec only supports unicast packets.

    GRE also encapsulates IP packets and it supports multicast traffic. It adds a GRE header in front of the original IP packet and then a new IP header. You can see this in this capture file:

    GRE Encapsulated ICMP Captur

    ... Continue reading in our forum

  2. Hello Mohammad.

    What exactly is meant by each of the two phrases depends on the context. Encrypted GRE Tunnel with IPSec refers to the encryption of the information sent over a GRE tunnel using the functionalities of IPSec. GRE over IPSec is not that specific and it depends on what the person speaking really means.

    IPSec used in combination with GRE can function in two ways, either in tunnel mode, or transport mode.

    Tunnel mode, which is the default, which is also what Rene has configured in the lesson, the whole GRE packet is encapsulated and encrypted withi

    ... Continue reading in our forum

  3. Hi Hussein,

    The only thing you have to change is the transform set:

    R1(config)#crypto ipsec transform-set MY_TRANSFORM_SET ?
      ah-md5-hmac      AH-HMAC-MD5 transform
      ah-sha-hmac      AH-HMAC-SHA transform
      ah-sha256-hmac   AH-HMAC-SHA256 transform
      ah-sha384-hmac   AH-HMAC-SHA384 transform
      ah-sha512-hmac   AH-HMAC-SHA512 transform
      comp-lzs         IP Compression using the LZS compression algorithm
      esp-3des         ESP transform using 3DES(EDE) cipher (168 bits)
      esp-aes          ESP transform using AES cipher
      esp-des          ESP transform using DE
    ... Continue reading in our forum

  4. Hello Brian

    When you use the ip route command, what you are telling the router is “in order to get to this network, use this next hop IP.” Now the contents of the command is a network address and a subnet mask. So, if you enter the command

    ip route

    then what you are saying is that if you get a packet with a destination IP address in the range to, send it to

    If you change the subnet mask, what you’re doing is essentially modifying the range within which the destination address mu

    ... Continue reading in our forum

  5. Hello Vadim

    About your first question, it’s important to understand what each entity is and does. GRE is a tunneling protocol. It encapsulates packets and allows them to run over another network. So you can run your internal private IP addresses between two sites that connect to each other over the Internet. A GRE tunnel is not encrypted or secured in any way.

    IPSec is a secure network protocol suite that authenticates and encrypts packets. It is a method of encryption and authentication and does not include any tunneling mechanisms. It cannot and will no

    ... Continue reading in our forum

82 more replies! Ask a question or join the discussion by visiting our Community Forum