Chapter 14: GRE Tunneling over IPsec

GRE over IPsec is primarily used to facilitate routing protocols within tunnels.

GRE is stateless.

GRE adds a new 20-byte IP header and its own 4-byte header, and up to 12 bytes of options:

• Bit 0: Checksum present - Adds an optional 4-byte checksum field
• Bit 2: Key present - Adds an optional 4-byte encryption key
• Bit 3: Sequence number present - Adds an optional 4-byte sequence number
• Bits 13-15: GRE version - 0 is basic GRE, 1 is used for PPTP
• Bits 16-31: Protocol field - Identifies layer 3 protocol being transported

GRE Tunnel Configuration

Basic configuration components:

• Tunnel source
• Tunnel destination
• Tunnel mode (GRE/IP is default)

Basic GRE/IP configuration:

Router(config)# interface tunnel0
Router(config-if)# ip address 192.168.0.1 255.255.255.252
Router(config-if)# tunnel source s0/0
Router(config-if)# tunnel destination 10.1.2.3
! GRE/IP is default
Router(config-if)# tunnel mode gre ip

GRE over IPsec configuration under the SDM involves the following steps:

1. Create the GRE tunnel
2. Create a backup GRE tunnel (optional)
3. Select the IPsec VPN authentication method
4. Select the IPsec VPN IKE proposals
5. Select the IPsec VPN transform sets
6. Select the routing method for the tunnel
7. Validate the configuration