This document describes the configuration of a GRE tunnel over IPsec.
What is GRE?
Generic Routing Encapsulation (GRE) is a simple IP packet encapsulation protocol. A GRE tunnel is used when IP packets need to be sent from one network to another without being parsed or treated as IP packets by any intervening routers.
For example, in Mobile IP, a mobile node registers with a Home Agent. When the mobile node roams to a new network, it registers with a Foreign Agent there. Whenever IP packets addressed to the mobile node are received by the Home Agent, they can be relayed over a GRE tunnel to the Foreign Agent for delivery. It does not matter how the Home Agent and Foreign Agent communicate with each other -- hops in between just pass along the GRE packet. Only the GRE tunnel endpoints -- the two Agents -- actually route the encapsulated IP packet.
What is IPSEC?
The IP Security (IPsec) Encapsulating Security Payload (ESP) also encapsulates IP packets. However, it does so for a different reason: to secure the encapsulated payload using encryption. IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way.
For example, in a site-to-site VPN, a source host in network "A" transmits an IP packet. When that packet reaches the edge of network "A," it hits a VPN gateway. VPN gateway "A" encrypts the private IP packet and relays it over an ESP tunnel to a peer VPN gateway at the edge of network "B." VPN gateway "B" then decrypts the packet and delivers it to the destination host. Like GRE, it doesn't really matter how the two VPN gateways communicate with each other -- hops in between just pass along the ESP packet. But unlike GRE, someone at those hops cannot read the encapsulated IP packet or modify it without detection. That's because cryptographic algorithms have been applied to encrypt the IP packet and to detect any modification or replay.
In summary, use a GRE tunnel where IP tunneling is required but privacy is not -- it's simpler and thus faster. Use IPsec ESP where both IP tunneling and data privacy are required -- it provides security features that GRE does not even attempt.
Description with Configuration Example:
To configure Generic Routing Encapsulation (GRE) over an IPSec tunnel between two routers, perform these steps:
Create a tunnel interface (the IP addresses of the tunnel interfaces on both routers must be in the same subnet), and configure a tunnel source and tunnel destination under the tunnel interface configuration, as shown:
interface Tunnel0
 ip address 192.168.16.1 255.255.255.0
 tunnel source (local outside interface IP)
 tunnel destination (remote outside interface IP)
Configure ISAKMP policies, as shown:
crypto isakmp policy 1
 authentication pre-share
Configure pre-shared keys, as shown:
crypto isakmp key cisco123 address (remote outside interface IP) 255.255.255.255
Configure the crypto map and bind the transform set and the crypto Access Control List (ACL) to it. Define the peer IP address under the crypto map, as shown. The transform set (strong) and the crypto ACL (120, which for GRE over IPsec permits GRE between the two tunnel endpoints) must be defined before they are referenced here:
crypto map vpn 10 ipsec-isakmp
 set peer (remote outside interface IP)
 set transform-set strong
 match address 120
Bind the crypto map to the physical (outside) interface if you are running Cisco IOS Software Release 12.2.15 or later. If not, the crypto map must be applied to the tunnel interface as well as the physical interface, as shown:
interface Ethernet0/0
 ip address (outside interface IP) (subnet mask)
 half-duplex
 crypto map vpn
Configure Network Address Translation (NAT) bypass if needed, so that traffic destined for the remote private network is not translated before it enters the tunnel. Note that access-list entries take wildcard masks, not subnet masks:
access-list 175 deny ip (local private network) (wildcard mask) (remote private network) (wildcard mask)
access-list 175 permit ip (local private network) (wildcard mask) any
route-map nonat permit 10
 match ip address 175
 exit
ip nat inside source route-map nonat interface (outside interface name) overload
Configure the remote router the same way. Once both sides are configured, try passing traffic. If traffic does not pass, add IP routes for the remote networks pointing to the tunnel interface IP address of the remote router.
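The steps above assembled into one router's complete configuration, as an added example that is not part of the original document. All addresses are constructed sample values (RFC 5737 documentation ranges for the outside interfaces, RFC 1918 ranges for the private networks); it assumes the transform set "strong" and crypto ACL 120 referenced above are defined as shown here, with the ACL matching GRE between the two tunnel endpoints, and the peer router is the mirror image with the local and remote addresses swapped.

```cisco
! Router A (constructed sample values): outside 203.0.113.1, LAN 10.1.1.0/24
! Peer router B: outside 198.51.100.1, LAN 10.2.2.0/24, Tunnel0 192.168.16.2
!
! Phase 1: ISAKMP policy and pre-shared key for the peer's outside address
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key cisco123 address 198.51.100.1 255.255.255.255
!
! Phase 2: transform set; transport mode is enough because GRE already
! supplies the outer tunnel header between the same two endpoints
crypto ipsec transform-set strong esp-aes 256 esp-sha256-hmac
 mode transport
!
! Crypto ACL: the interesting traffic is the GRE tunnel itself (IP protocol 47)
access-list 120 permit gre host 203.0.113.1 host 198.51.100.1
!
crypto map vpn 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set strong
 match address 120
!
interface Tunnel0
 ip address 192.168.16.1 255.255.255.0
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
!
! Outside interface: crypto map applied here (IOS 12.2.15 or later)
interface Ethernet0/0
 ip address 203.0.113.1 255.255.255.0
 half-duplex
 ip nat outside
 crypto map vpn
!
interface Ethernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! NAT bypass: do not translate LAN-to-remote-LAN traffic that rides the tunnel
access-list 175 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 175 permit ip 10.1.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 175
ip nat inside source route-map nonat interface Ethernet0/0 overload
!
! Route the remote private network through the tunnel; default route to the ISP
ip route 10.2.2.0 255.255.255.0 192.168.16.2
ip route 0.0.0.0 0.0.0.0 203.0.113.254
```

On router B, swap the two outside addresses, the two private networks and the Tunnel0 address; the ISAKMP policy, transform set and key stay identical on both sides.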
For additional information, refer to these documents: