Tunneling provides a mechanism to transport packets of one protocol within another protocol. The protocol that is carried is called as the passenger protocol, and the protocol that is used for carrying the passenger protocol is called as the transport protocol. Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms which uses IP as the transport protocol and can be used for carrying many different passenger protocols. The tunnels behave as virtual point-to-point links that have two endpoints identified by the tunnel source and tunnel destination addresses at each endpoint. IPv6 traffic can be carried over IPv4 GRE tunnels using the standard GRE tunneling technique. The tunnels are not tied to a specific passenger or transport protocol, but in this case, carry IPv6 as the passenger protocol with the GRE as the carrier protocol and IPv4 or IPv6 as the transport protocol. The primary use of GRE tunnels is for stable connections that require regular secure communication between two edge routers or between an edge router and an end system. The edge routers and the end systems must be dual-stack implementations.
When running GRE tunnel over IPSec, a packet is first encapsulated in a GRE packet and then GRE is encrypted by IPSec
A drawback of IPSec is it does not support multicast traffic. But most popular routing protocols nowadays rely on multicast (like OSPF, EIGRP, RIP except BGP) to send their routing updates. A popular solution to this is using GRE tunnels. GRE tunnels do support transporting IP multicast and broadcast packets to the other end of the GRE tunnel. Non-IP traffic (such as IPX, AppleTalk) can be wrapped inside GRE encapsulation and then this packet is subjected to IPSec encapsulation so all traffic can be routed
Advantages of GRE tunnels include the following:
While GRE provides a stateless, private connection, it is not considered a secure protocol because it does not use encryption like the IP Security (IPSec) Encapsulating Security Payload (ESP), defined by RFC 2406
Configuring GRE Tunnel: Configuring a GRE tunnel involves creating a tunnel interface, which is a logical interface. Then you must configure the tunnel endpoints for the tunnel interface. Refer below fig
As seen, the GRE tunnel configuration at the minimum involves configuring the IP addresses at the Branch, HQ, and the ISP. Then, configuring the tunnel interfaces at the HQ and the Branch.
Configuration on HQ router:
HQ(config-if)#ip address 192.168.10.1 255.255.255.0
HQ(config-if)#ip address 172.16.10.1 255.255.255.0
HQ(config)#ip route 192.168.20.3 255.255.255.255 192.168.10.2
HQ(config)#interface tunnel 9
HQ(config-if)#tunnel source fastEthernet 0/0
HQ(config-if)#tunnel destination 192.168.20.3
HQ(config-if)#ip address 192.168.30.1 255.255.255.0
Configuration on Branch office router:
Branch(config)#interface fastEthernet 0/0
Branch(config-if)#ip address 192.168.20.3 255.255.255.0
Branch(config)#interface loopback 0
Branch(config-if)#ip address 172.16.20.3 255.255.255.0
Branch(config)#ip route 192.168.10.1 255.255.255.255 192.168.20.2
Branch(config)#interface tunnel 9
Branch(config-if)#tunnel source fastEthernet 0/0
Branch(config-if)#tunnel destination 192.168.10.1
Branch(config-if)#ip address 192.168.30.3 255.255.255.0
Configuration on ISP router:
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 192.168.10.2 255.255.255.0
ISP(config)#interface fastEthernet 1/0
ISP(config-if)#ip address 192.168.20.2 255.255.255.0
Four steps to configure GRE tunnel over IPsec are:
1. Create a physical or loopback interface to use as the tunnel endpoint. Using a loopback rather than a physical interface adds stability to the configuration.
2. Create the GRE tunnel interfaces.
3. Add the tunnel subnet to the routing process so that it exchanges routing updates across that interface.
4. Add GRE traffic to the crypto access list, so that IPsec encrypts the GRE tunnel traffic.
An example of configuring GRE Tunnel is shown below:
ip address 192.168.16.2 255.255.255.0
tunnel source FastEthernet1/0
tunnel destination 22.214.171.124
tunnel mode gre ip
Note: The last command is enabled by default so we can ignore it in the configuration)