Showing results for 
Search instead for 
Did you mean: 

How to configure GRE over an IPSec tunnel on routers ?



This document deals with configuration of GRE tunnel over IPSEC.

What is GRE?

Generic Routing Encapsulation (GRE), is a simple IP packet encapsulation protocol. A GRE tunnel is used when IP packets need to be sent from one network to another, without being parsed or treated like IP packets by any intervening routers.

For example, in Mobile IP, a mobile node registers with a Home Agent. When the mobile node roams to a new network, it registers with a Foreign Agent there. Whenever IP packets addressed to the mobile node are received by the Home Agent, they can be relayed over a GRE tunnel to the Foreign Agent for delivery. It does not matter how the Home Agent and Foreign Agent communicate with each other -- hops in between just pass along the GRE packet. Only the GRE tunnel endpoints -- the two Agents -- actually route the encapsulated IP packet.

What is IPSEC?

The IP Security (IPsec) Encapsulating Security Payload (ESP), also encapsulates IP packets. However, it does so for a different reason: to secure the encapsulated payload using encryption. IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way.

For example, in a site-to-site VPN, a source host in network "A" transmits an IP packet. When that packet reaches the edge of network "A," it hits a VPN gateway. VPN gateway "A" encrypts the private IP packet and relays it over an ESP tunnel to a peer VPN gateway at the edge of network "B." VPN gateway "B" then decrypts the packet and delivers it to the destination host. Like GRE, it doesn't really matter how the two VPN gateways communicate with each other -- hops in between just pass along the ESP packet. But unlike GRE, someone at those hops could not possibly look at or change the encapsulated IP packet, even if they wanted to. That's because cryptographic algorithms have been applied to scramble the IP packet and detect any modification or replay.

In summary, use a GRE tunnel where IP tunneling without privacy is required -- it's simpler and thus faster. But use IPsec ESP where IP tunneling and data privacy are required -- it provides security features that are not even attempted by GRE.

Description with Configuration Example:

To configure Generic Routing Encapsulation (GRE) over an IPSec tunnel between two routers, perform these steps:

  1. Create a tunnel interface (the IP address of tunnel interface on both routers must be in the same subnet), and configure a tunnel source and tunnel destination under tunnel interface configuration, as shown:

    interface Tunnel0
    ip address
    tunnel source
    tunnel destination

  2. Configure isakmp policies, as shown:

    crypto isakmp policy 1
    authentication pre-share

  3. Configure pre share keys, as shown:

    crypto isakmp key cisco123 address (Remote outside interface IP with 32 bit subnet mask)

  4. Configure transform set, as shown:

    crypto ipsec transform-set strong esp-3des esp-md5-hmac

  5. Creat crypto ACI that permits GRE traffic from the outside interface of the local router to the outside interface of the remote router, as shown:

    access-list 120 permit gre host (local outside interface ip) host (Remote outside interface IP)

  6. Configure crypto map and bind transform set and crypto Access Control List (ACL) to crypto map. Define peer IP address under crypto map, as shown:

    crypto map vpn 10 ipsec-isakmp 
    set peer
    set transform-set strong
    match address 120

  7. Bind crypto map to the physical (outside) interface if you are running Cisco IOS  Software Release 12.2.15 or later. If not, then the crypto map must be applied to the tunnel interface as well as the physical interace, as shown:

    interface Ethernet0/0
    ip address
    crypto map vpn

  8. Configure Network Address Traslation (NAT) bypass if needed, as shown:

    access-list 175 deny  ip (local private network) (subnet mask) (remote private network) (subnet mask)
    access-list 175 permit ip (local private network) (subnet mask) any
    route-map nonat permit 10
    match ip address 175
    ip nat inside source route-map nonat interface (outside interface name) overload

Configure the remote router the same way. Once configured try passing traffic. If it does not, then add IP routes for the remote networks pointing to the tunnel interface IP address.

For additional information, refer to these documents:

Recognize Your Peers
Content for Community-Ad