This document deals with configuration of GRE tunnel over IPSEC.
What is GRE?
Generic Routing Encapsulation (GRE), is a simple IP packet encapsulation protocol. A GRE tunnel is used when IP packets need to be sent from one network to another, without being parsed or treated like IP packets by any intervening routers.
For example, in Mobile IP, a mobile node registers with a Home Agent. When the mobile node roams to a new network, it registers with a Foreign Agent there. Whenever IP packets addressed to the mobile node are received by the Home Agent, they can be relayed over a GRE tunnel to the Foreign Agent for delivery. It does not matter how the Home Agent and Foreign Agent communicate with each other -- hops in between just pass along the GRE packet. Only the GRE tunnel endpoints -- the two Agents -- actually route the encapsulated IP packet.
What is IPSEC?
The IP Security (IPsec) Encapsulating Security Payload (ESP), also encapsulates IP packets. However, it does so for a different reason: to secure the encapsulated payload using encryption. IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way.
For example, in a site-to-site VPN, a source host in network "A" transmits an IP packet. When that packet reaches the edge of network "A," it hits a VPN gateway. VPN gateway "A" encrypts the private IP packet and relays it over an ESP tunnel to a peer VPN gateway at the edge of network "B." VPN gateway "B" then decrypts the packet and delivers it to the destination host. Like GRE, it doesn't really matter how the two VPN gateways communicate with each other -- hops in between just pass along the ESP packet. But unlike GRE, someone at those hops could not possibly look at or change the encapsulated IP packet, even if they wanted to. That's because cryptographic algorithms have been applied to scramble the IP packet and detect any modification or replay.
In summary, use a GRE tunnel where IP tunneling without privacy is required -- it's simpler and thus faster. But use IPsec ESP where IP tunneling and data privacy are required -- it provides security features that are not even attempted by GRE.
Description with Configuration Example:
To configure Generic Routing Encapsulation (GRE) over an IPSec tunnel between two routers, perform these steps:
Create a tunnel interface (the IP address of tunnel interface on both routers must be in the same subnet), and configure a tunnel source and tunnel destination under tunnel interface configuration, as shown:
interface Tunnel0 ip address 192.168.16.1 255.255.255.0 tunnel source tunnel destination
Configure isakmp policies, as shown:
crypto isakmp policy 1 authentication pre-share
Configure pre share keys, as shown:
crypto isakmp key cisco123 address (Remote outside interface IP with 32 bit subnet mask)
Configure crypto map and bind transform set and crypto Access Control List (ACL) to crypto map. Define peer IP address under crypto map, as shown:
crypto map vpn 10 ipsec-isakmp set peer set transform-set strong match address 120
Bind crypto map to the physical (outside) interface if you are running Cisco IOS Software Release 12.2.15 or later. If not, then the crypto map must be applied to the tunnel interface as well as the physical interace, as shown:
interface Ethernet0/0 ip address half-duplex crypto map vpn
Configure Network Address Traslation (NAT) bypass if needed, as shown:
access-list 175 deny ip (local private network) (subnet mask) (remote private network) (subnet mask) access-list 175 permit ip (local private network) (subnet mask) any route-map nonat permit 10 match ip address 175 exit ip nat inside source route-map nonat interface (outside interface name) overload
Configure the remote router the same way. Once configured try passing traffic. If it does not, then add IP routes for the remote networks pointing to the tunnel interface IP address.
For additional information, refer to these documents:
Hi, I edited the default policy for ikev2 ( it is done for ipsec site to site vpn policy )The below is before editing crypto ikev2 policy 1encryption aes-256integrity shagroup 5prf shalifetime seconds 86400 and the below is afte...
Dear all, I've configured authentication Using Ldap server but Failed.After save the configuration and logout to test, I can't access to my FMC with both Local and External User :( Please help me procedure to rollback my FMC configuration from C...
Hi, Does someone know if ASA supports client certificate authentication + SAML with anyconnect ?As I understand the certificate is verified on the ASA, then I need a second factor auth with a SAML connection to a 2FA provider. note : I also have...
Hello. i was wondering why this setup im using doesnt work. I have an asa 5506-x with traffic policing on. I have a service policy rule to limit port tcp/8080 to 3MBit traffic. I have tried to set it up under global, inside and outside interfaces. There i...