Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that allows the encapsulation of a wide variety of network layer protocols inside point-to-point links. A GRE tunnel is used when packets need to be sent from one network to another over the Internet or an insecure network. With GRE, a virtual tunnel is created between the two endpoints (Cisco routers) and packets are sent through the GRE tunnel. It is important to note that packets travelling inside a GRE tunnel are not encrypted: GRE does not encrypt the traffic, it only encapsulates it with a GRE header. If data protection is required, IPSec must be configured to provide data confidentiality; this is when a GRE tunnel is transformed into a secure GRE VPN tunnel. The diagram below shows the encapsulation procedure of a simple, unprotected GRE packet as it traverses the router and enters the tunnel interface:
While many might think a GRE IPSec tunnel between two routers is similar to a site-to-site IPSec VPN (crypto), it is not. A major difference is that GRE tunnels allow multicast packets to traverse the tunnel, whereas an IPSec VPN does not support multicast packets. In large networks where routing protocols such as OSPF and EIGRP are necessary, GRE tunnels are your best bet. For this reason, plus the fact that GRE tunnels are much easier to configure, engineers prefer to use GRE rather than IPSec VPN. This article will explain how to create simple (unprotected) and secure (IPSec encrypted) GRE tunnels between endpoints. We explain all the necessary steps to create and verify the GRE tunnel (unprotected and protected) and configure routing between the two networks.
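To make the "GRE encapsulates but does not encrypt" point concrete, here is an added example (not from the original article or from Cisco) that builds a plain GRE packet in Python, the way a router would before the tunnel interface hands it to the outer network: an outer IPv4 header with protocol 47 plus a 4-byte GRE header wrapped around an untouched inner packet. The inner packet and its payload are constructed sample data; the decapsulation side goes a little beyond the page by also accounting for the optional GRE checksum, key and sequence fields.

```python
import socket
import struct

IP_PROTO_GRE = 47        # outer IPv4 protocol number for GRE (RFC 2784)
GRE_PROTO_IPV4 = 0x0800  # GRE protocol-type field value for an IPv4 payload

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IPv4 (proto 47) + basic GRE header + inner packet, unmodified."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)  # C/K/S flags clear, version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, IP_PROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner

def gre_decapsulate(packet: bytes) -> tuple:
    """Return (tunnel_src, tunnel_dst, inner_packet). Skips the optional
    checksum (C), key (K) and sequence (S) fields, 4 bytes each if present."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if ptype != GRE_PROTO_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % ptype)
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) \
                + 4 * bool(flags & 0x1000)
    return src, dst, packet[ihl + gre_len:]

# Constructed sample: an inner 10.1.1.1 -> 10.2.2.1 UDP packet with cleartext
# data, tunnelled between the article's endpoints 1.1.1.10 and 2.2.2.10.
INNER = ipv4_header("10.1.1.1", "10.2.2.1", 17, 12) + b"secret-data!"
OUTER = gre_encapsulate(INNER, "1.1.1.10", "2.2.2.10")

def tunnel_overhead() -> int:
    """Bytes plain GRE adds per packet: 20 (outer IPv4) + 4 (GRE) = 24."""
    return len(OUTER) - len(INNER)
```

Anyone who can read the outer packet on the insecure network finds the inner payload byte-for-byte in it, which is the reason the IPSec profile is applied to the tunnel interface later in the article.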
R2(config-if)# ip tcp adjust-mss 1360
R2(config-if)# tunnel source 2.2.2.10
R2(config-if)# tunnel destination 1.1.1.10

R2's Tunnel interface is configured with the appropriate tunnel source and destination IP addresses. As with R1, router R2 will inform us that the Tunnel0 interface is up:

R2#
*May 4 21:32:54.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
(1) Configure ISAKMP (ISAKMP Phase 1)
(2) Configure IPSec (ISAKMP Phase 2)
R1(cfg-crypto-trans)# mode transport

The above commands define the following:
- ESP-3DES - encryption method
- MD5 - hashing algorithm
- Set IPSec to transport mode

Finally, we create an IPSec profile to tie the previously defined ISAKMP and IPSec configuration together. We've named our IPSec profile protect-gre:

R1(config)# crypto ipsec profile protect-gre
R1(ipsec-profile)# set security-association lifetime seconds 86400
R1(ipsec-profile)# set transform-set TS

We are ready to apply the IPSec encryption to the Tunnel interface:
R1(config)# interface Tunnel 0
R1(config-if)# tunnel protection ipsec profile protect-gre

Now it's time to apply the same configuration on R2:

R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
R2(config)# crypto isakmp key firewallcx address 1.1.1.10

R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(cfg-crypto-trans)# mode transport
R2(config)# crypto ipsec profile protect-gre
R2(ipsec-profile)# set security-association lifetime seconds 86400
R2(ipsec-profile)# set transform-set TS
R2(config)# interface Tunnel 0
R2(config-if)# tunnel protection ipsec profile protect-gre