GRE Tunnel Primer in Cisco IOS

Generic Routing Encapsulation (GRE) is a tunneling technique in IP networking where a received IP packet is re-encapsulated in a second IP header (IP-in-IP) and sent across the network. It is like a Layer 3 VPN, but on its own it is not a secure VPN.

You can encrypt GRE with an encryption protocol such as IPsec to form a secure VPN. If you configure Microsoft VPN tunnels, by default IOS uses PPTP, the Point-to-Point Tunneling Protocol, which uses GRE. Originally developed by Cisco, GRE is now a standard, defined in RFC 1701, RFC 1702, and RFC 2784.

Here’s an example of a simple configuration:

Router 1:

! LAN side
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0
! Transport link that carries the tunnel
interface Serial0
 ip address 192.168.100.1 255.255.255.240
! GRE tunnel toward Router 2
interface Tunnel0
 ip address 10.0.1.1 255.255.255.0
 tunnel source Serial0
 tunnel destination 192.168.100.2

Router 2:

! LAN side
interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.0
! Transport link that carries the tunnel
interface Serial0
 ip address 192.168.100.2 255.255.255.240
! GRE tunnel toward Router 1
interface Tunnel0
 ip address 10.0.1.2 255.255.255.0
 tunnel source Serial0
 tunnel destination 192.168.100.1

In this example, each of the two routers has a virtual interface: the tunnel interface. This interface is its own network, just like a point-to-point T1 circuit would be. The traffic going over the tunnel network is tunneled through the serial network in my example. Notice that the tunnels are unidirectional, and we had to create a tunnel in each direction.

To each of the routers involved, it appears that it has two paths to the remote side: the serial interface and the tunnel interface (running through the tunnel).

As you can see in the output below, the tunnel interface on Router 1 is an interface like any other:

Cell_pe1# show ip interface brief

Interface    IP-Address      OK?  Method  Status  Protocol
Ethernet0    10.0.0.1        YES  manual  up      down
Serial0      192.168.100.2   YES  manual  up      up
Tunnel0      10.0.1.1        YES  manual  up      up

You can now use these tunnels for multiple purposes. One of the primary uses is connecting two similar networks that are separated by a different network with different IP addressing.

Because GRE takes one packet and encapsulates it in another packet, you might run into a situation where the packet you’re sending is larger than your interface allows. The solution to this issue is to configure ip tcp adjust-mss 1436 on the tunnel interface.

While GRE doesn’t provide encryption by itself, you can enable a key on each side of the tunnel using the tunnel key command. This is like a simple clear-text password with no encryption.
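The following Python sketch is an added example, not part of the original article. It builds a GRE packet between the tunnel addresses used above and then reads it back the way any device on the path could, showing that the tunnel key and the inner packet travel in clear text and where the 1436-byte MSS comes from. The key value 1234, the payload, and the 1500-byte link MTU are assumptions made for the illustration.

```python
import socket
import struct

GRE_PROTO = 47  # IP protocol number for GRE

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 for this demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def gre_encapsulate(inner, src, dst, key=None):
    """Wrap an inner IPv4 packet in GRE plus an outer IPv4 header."""
    flags = 0x2000 if key is not None else 0   # K bit set when a key is present
    gre = struct.pack("!HH", flags, 0x0800)    # protocol type 0x0800 = IPv4
    if key is not None:
        gre += struct.pack("!I", key)          # key field (RFC 2890)
    return ipv4_header(src, dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_inspect(packet):
    """What an on-path observer can read from a GRE packet without any secret."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    off = ihl + 4 + (4 if flags & 0x8000 else 0)   # C bit: checksum + reserved
    key = None
    if flags & 0x2000:                             # K bit: 32-bit key, unencrypted
        key = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    off += 4 if flags & 0x1000 else 0              # S bit: sequence number
    inner = packet[off:]
    return {"key": key, "overhead": off, "proto": proto,
            "inner_src": socket.inet_ntoa(inner[12:16]),
            "inner_dst": socket.inet_ntoa(inner[16:20]), "inner_payload": inner[20:]}

def tcp_mss(link_mtu, overhead):
    """Link MTU minus tunnel overhead minus 40 bytes of inner IP + TCP headers."""
    return link_mtu - overhead - 40

# Constructed sample traffic (assumed payload and key, not captured data).
PAYLOAD = b"cleartext data"
INNER = ipv4_header("10.0.1.1", "10.0.1.2", 6, len(PAYLOAD)) + PAYLOAD
PLAIN = gre_encapsulate(INNER, "192.168.100.1", "192.168.100.2")
KEYED = gre_encapsulate(INNER, "192.168.100.1", "192.168.100.2", key=1234)

if __name__ == "__main__":
    for pkt in (PLAIN, KEYED):
        info = gre_inspect(pkt)
        print(info, "-> MSS", tcp_mss(1500, info["overhead"]))
```

Without a key the overhead is 24 bytes, which gives the MSS of 1436 used above; the key field adds 4 more bytes of header, and the inner addresses and payload stay readable either way until IPsec is applied.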

Because GRE tunnels are stateless, it’s possible for one side of the tunnel to go down while the other side remains up. The solution to this problem is to enable keepalive packets on each side of the tunnel. By doing this, each side of the tunnel periodically sends a keepalive to the other side. If one side doesn’t receive a keepalive in the specified time, the tunnels go down on each side.

We hope this helps you get started with GRE!
