GRE over IPsec configuration and verification (2024)

This post explains how to configure and verify a GRE over IPsec WAN architecture. First, we walk through configuring a GRE tunnel between two routers that serve as entry points to two sites owned by two companies. Then we walk through configuring an IPsec tunnel, which is done in two phases: first creating an IKE Phase 1 policy, and second creating an IKE Phase 2 (IPsec) tunnel.

  • GRE over IPsec - introduction
  • IPsec (Internet Protocol Security)
  • GRE over IPsec tunnel
  • Setting up an IPsec tunnel
  • Configuring GRE over IPsec tunnels
  • Configuring a GRE tunnel
  • Configuring IPsec
  • Creating an IKE Phase 1 policy
  • Creating an IKE Phase 2 tunnel / IPsec tunnel
  • Verification commands


GRE over IPsec - introduction

Private WAN services such as leased lines and MPLS provide security because each customer’s traffic is separated by using dedicated physical connections, as in leased lines, or by MPLS tags that separate the traffic.

However, when using the Internet to connect sites together, there is no built-in security by default. VPNs (Virtual Private Networks) can be used to provide secure communications over the Internet. GRE over IPsec is a method to set up site-to-site VPNs.

GRE (Generic Routing Encapsulation) is a tunneling protocol that can encapsulate various types of network traffic, including unicast, multicast, and broadcast. However, GRE does not provide security: it offers no encryption, authentication, or integrity protection for the encapsulated data.

GRE can be used for secure data transmission when used in conjunction with IPsec.

GRE over IPsec combines the functionalities of two separate networking protocols commonly used in WAN architectures, GRE (a tunneling protocol) and IPsec (a security protocol).


IPsec (Internet Protocol Security)

IPsec (IP Security) is a suite of protocols focused on providing secure communications at the IP layer by protecting data in transit through authentication, encryption, and integrity protection.

IPsec provides confidentiality (encryption), integrity (hashing), authentication (PSKs or digital signatures/digital certs), anti-replay, and key management.

IPsec can be used to create secure virtual tunnels to transmit data. IPsec uses three protocols: Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE). IKE is a key management protocol used to negotiate security associations (SAs).

In the diagram below, office A and office B are both connected to the Internet. A site-to-site VPN created between them allows the devices at each office to communicate securely with each other.

When creating a site-to-site VPN using IPsec, a VPN tunnel is created between the two devices by encapsulating the original IP packet with an IPsec VPN header and a new IP header. The router takes the original packet, encrypts it, adds an IPsec VPN header and a new IP header, and then forwards it over the Internet.

[Diagram: site-to-site IPsec VPN between office A and office B over the Internet]

However, IPsec does not support multicast and broadcast. IPsec can only encapsulate unicast IP packets. This means that routing protocols such as OSPF cannot be used over the tunnels, because routing protocols rely on multicast traffic. GRE over IPsec allows us to securely transmit nearly any kind of network traffic (that GRE can encapsulate).

GRE over IPsec tunnel

So we combine GRE with IPsec. First we encapsulate our data inside GRE packets, then encrypt the entire encapsulated packet using IPsec.

GRE encapsulation step:

  • The original packet will be encapsulated by a GRE header and a new IP header.

The GRE packet itself is a unicast IP packet. Once we encapsulate packets into GRE, we now have a series of unicast IP packets.

IPsec encapsulation step:

  • Then the GRE packet is encrypted and encapsulated within an IPsec VPN header and a new IP header.

Now we can send the GRE packet down an IPsec tunnel.

[Diagram: GRE over IPsec encapsulation, original packet inside GRE inside IPsec]

Setting up an IPsec tunnel

IKE performs its job using the ISAKMP (Internet Security Association and Key Management Protocol) framework, in two phases:

1. Establish IKE Phase 1 tunnel aka ISAKMP tunnel.

2. Establish IKE Phase 2 tunnel aka IPsec tunnel.

Within the protection of the IKE Phase 1 tunnel, two peer routers negotiate the parameters for the IPsec tunnel.

Phase 1 of the IKE negotiation process is used to establish an ISAKMP policy by exchanging 5 parameters (5 SAs to configure between two nodes) referred to as HAGLE - Hash, Authentication, Diffie-Hellman Group, Lifetime, Encryption.

These parameters define the cryptographic algorithms and security settings used to secure the IPsec tunnel. Here's a breakdown of HAGLE and what it represents:

H: Hashing Algorithm (Hash Method): This defines the algorithm used to create message digests (hashed values) for data integrity verification. Common options include SHA-1, SHA-256, or MD5.

A: Authentication Method: This specifies how the communicating devices prove their identities to each other. Two main options exist:

  • Pre-shared Keys (PSK): Both sides share a secret key beforehand. They use this key to generate a hash value and compare it with a calculated value from the received message. A match confirms authenticity.
  • Digital Signatures/Certificates: Digital signatures use a private key to cryptographically sign messages, while certificates verify the sender's identity using a trusted third-party.

G: Diffie-Hellman Group: This defines the cryptographic group used for the Diffie-Hellman key exchange protocol. This protocol allows peering devices to securely generate a shared secret key without exchanging the actual key itself over the network.

L: Lifetime: This parameter specifies the duration for which the negotiated ISAKMP policy, including the generated keys, will remain valid. This helps ensure keys are refreshed periodically to maintain security.

E: Encryption Algorithm: This defines the algorithm used to encrypt the data packets within the IPsec tunnel. Common options include AES (Advanced Encryption Standard) with different key lengths (e.g., AES-128, AES-256).

These parameters need to be configured on the two peering devices at both ends of the tunnel.

By exchanging and agreeing on these HAGLE parameters during Phase 1, the IKE protocol establishes a secure foundation, an ISAKMP policy, for the IPsec tunnel.

In main mode, the identity of the peers in Phase 1 is protected using encryption; in aggressive mode the identity of the peers is not protected.

The result of Phase 1 of the IKE negotiation process is a secure tunnel used for Phase 2.

IKE Phase 2 is used to negotiate IPsec security parameters (encapsulation protocols and algorithms).

Peers negotiate:

  • Encapsulation protocol (AH, ESP)
  • Encryption algorithm
  • Hashing algorithm
  • Mode (transport or tunnel)

Once these parameters are negotiated, we will have a common IPsec transform set between the two nodes (routers).

During Phase 1, the main goal is to establish a secure tunnel for communication. This secure tunnel is then used in Phase 2 to negotiate the specifics of encrypting and authenticating the actual data that will be transferred. In essence, Phase 1 negotiates how to secure the communication channel for Phase 2 to define how to secure the data itself.

Configuring GRE over IPsec tunnels

First we will configure a GRE tunnel. Then we will configure IPsec. When we set up IPsec we can decide what traffic is deserving of using the IPsec tunnel. In our case, we want all of our GRE traffic to be encrypted and secure.

This is our demo topology.

[Diagram: demo topology with R1 and R4 at the two sites and R2 and R3 in the service provider network]

Our companies have two sites. One site is using R1 and the other site is using R4. Between R1 and R4 traffic goes through a service provider. R2 and R3 are routers owned by the service provider.

We want to create a secure tunnel between R1 and R4 to use to transmit unicast, multicast, and broadcast network traffic, i.e., we want to create a site-to-site VPN using GRE over IPsec.

Configuring a GRE tunnel

We will configure a GRE tunnel between R1 and R4. We will set up a GRE tunnel using virtual interfaces. From the perspective of R1 and R4, the packet travels one hop from R1 to R4.

We will create virtual tunnel interfaces. We will give an IP address to each virtual interface at each end of the tunnel using IP addresses in the same subnet. The interface tunnel numbers do not have to match on R1 and R4.

Let’s start on R1.

R1(config)#int tunnel 1

R1(config-if)#ip add 192.168.0.1 255.255.255.252

Next, specify the tunnel source and the tunnel destination. (Alternatively, you can use the routers' loopback interfaces.)

R1(config-if)#tunnel source g0/1

R1(config-if)#tunnel destination 198.51.100.2

Now R4.

R4(config)#int tunnel 1

R4(config-if)#ip add 192.168.0.2 255.255.255.252

R4(config-if)#tunnel source g0/1

R4(config-if)#tunnel destination 192.0.2.1

Let’s check the configurations on R4. Let’s verify with show ip interface brief. The tunnel (Tunnel 1) interface is in the up/up state.

Notice the OSPF adjacency change. An OSPF neighborship was formed between R1 and R4. Let’s do a show ip ospf neighbor command.

[Screenshot: show ip ospf neighbor output on R4]

R4 has formed an OSPF neighborship with 1.1.1.1 (R1). R4 is a neighbor of R3, which R4 is directly connected to, and also of R1.

Can R4 ping R1 at 192.168.0.1? Let’s do a traceroute. Traceroute shows one hop (the tunnel) from R4 to R1.

[Screenshot: traceroute from R4 to 192.168.0.1 showing a single hop]

The underlay (service provider infrastructure) is transparent to R1 and R4, and to any end hosts using the virtual interfaces of the GRE tunnel between R1 and R4 as their next hop router.


Configuring IPsec

Now let’s configure IPsec. First we will set up an IKE Phase 1 tunnel / ISAKMP tunnel. Then we will set up an IKE Phase 2 tunnel or IPsec tunnel.

Creating an IKE Phase 1 policy

Let’s start on R1.

R1(config)#crypto ?


R1(config)#crypto isakmp policy ?

The number is the priority of the protection suite. It serves as a reference number to identify a specific ISAKMP policy. Routers evaluate ISAKMP policies in order, starting from the lowest number, and the first policy that matches the peer's proposal is chosen. So the numbers you assign (10, 20, 30, etc.) control the order of evaluation, but the number itself says nothing about the strength of the policy.

In essence, you can choose any number for the policy as long as it's unique within your ISAKMP configuration. What matters is the parameters you define within that policy (encryption, hashing algorithm, etc.), not the number itself.

For our demo, we will give a priority of 10. If that doesn't work we can go to policy 20, as an example, and see if the other side will support that.

R1(config)#crypto isakmp policy 10

Let's configure the encryption.

R1(config-isakmp)#encryption ?

We have different encryption options. The flagship (least vulnerable) is AES. We will select AES.


R1(config-isakmp)#encryption aes ?

Here we select the AES key length. We will use the default.

Next let's configure the authentication. We can use a digital certificate or a pre-shared key. We will use a pre-shared key (the same key must be configured on both routers).

R1(config-isakmp)#authentication pre-share

Next, let's configure the Diffie-Hellman group used for the key exchange.

R1(config-isakmp)#group ?

We will choose Diffie-Hellman Group 2. Generally, higher group numbers correspond to larger key sizes and stronger protection.

We need to set up the pre-shared key. Here is the command.

R1(config)#crypto isakmp key kevinskey address 0.0.0.0 0.0.0.0

  • crypto: keyword for the cryptographic configuration commands.
  • isakmp: the ISAKMP configuration keyword.
  • key: keyword to define a new pre-shared key.
  • kevinskey: the pre-shared key used in our example.
  • address: keyword introducing the IP address of the peer this key is shared with.
  • 0.0.0.0 (address) and 0.0.0.0 (mask): together these match any peer IP address, so the key applies to every peer.

This configuration accepts any peer that presents a matching key. In the real world we should be very specific about the peer address. But sometimes you might want to leave it open, if multiple routers could connect to you.

We have specified the parameters for IKE phase 1.

Creating an IKE Phase 2 tunnel / IPsec tunnel

Next, we create a transform set for IKE Phase 2.

The transform set is again a collection of encryption and hashing algorithms, and we have to find a matching transform set on the other side, kind of like the isakmp policy.

Here's how we do that.

The command is crypto ipsec transform-set, followed by a name for the transform set, KWTRAIN in this case.

R1(config)#crypto ipsec transform-set KWTRAIN ?

We are given some encapsulation options.


esp stands for Encapsulating Security Payload; ah stands for Authentication Header. We will select esp-aes. ESP provides encryption as well as integrity protection, whereas AH provides only authentication and integrity, so ESP offers better security.

R1(config)#crypto ipsec transform-set KWTRAIN esp-aes ?


Now we select a hashing algorithm. We have several options. We select esp-sha-hmac.

R1(config)#crypto ipsec transform-set KWTRAIN esp-aes esp-sha-hmac

SHA is stronger than MD5. HMAC (Hash-based Message Authentication Code) protects messages against tampering by a man-in-the-middle by providing data integrity and sender authentication using a shared secret key.

IPsec operates in two modes: 1) transport mode, which keeps the packet's original IP header and encrypts and encapsulates only the payload, and 2) tunnel mode, in which the entire original packet is encapsulated behind a new IP header. We are selecting transport mode for this demo.

Next, let's specify what traffic is qualified to go over the IPsec tunnel, i.e., what we consider to be interesting traffic. We will use an access list.

The command is ip access-list extended, followed by a name for the named access control list, GRE-IN-IPSEC.

R1(config)#ip access-list extended GRE-IN-IPSEC

We are permitting GRE traffic from anywhere to anywhere. All the traffic going over that tunnel is going to be interesting traffic.

[Screenshot: the GRE-IN-IPSEC access list permitting GRE from any source to any destination]

The next step is to create a crypto map, which is the connective tissue that bonds everything we've been configuring together. It ties together the interesting traffic and the transform set, and points to the IP address of our peer.

Here is the command to create a crypto map. crypto map, followed by a crypto map name, VPN in our example, then a sequence number (the sequence number helps prioritize crypto maps if multiple maps are configured), and the keyword ipsec-isakmp.

R1(config)#crypto map VPN 10 ipsec-isakmp

[Screenshot: router warning that the crypto map remains disabled until a peer and a valid access list are configured]

Notice it says the crypto map will remain disabled until we point to a peer and specify what traffic is interesting.

Let's oblige.

R1(config-crypto-map)#match address GRE-IN-IPSEC

Then,

R1(config-crypto-map)#set transform-set KWTRAIN

Next,

R1(config-crypto-map)#set peer 198.51.100.2

The command “set peer 198.51.100.2” defines the peer device with which the IPsec tunnel will be established.

set peer: this instructs the router to configure a peer for the crypto map.

198.51.100.2: this is the IP address of the remote device (peer) that will participate in the IPsec tunnel.


The final thing we do is apply this configuration to the interface we use to send our GRE packets, which on R1 is gigabit 0/1. We have created a crypto map that ties everything together; now we apply the crypto map to traffic exiting gigabit 0/1.

We go into interface configuration mode for gigabit 0/1 and then apply the command crypto map, followed by the VPN name.

R1(config)#int g0/1

R1(config-if)#crypto map VPN

This concludes half the configuration, the configuration on R1. Now we do the same configuration on R4, starting from "Creating an IKE Phase 1 policy".

This is a matching configuration; the only difference is that we point to R1's IP address.
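As an added example (not from the original post), here is the R4 side of the procedure above consolidated in order, with the pre-shared key bound to R1's address 192.0.2.1 and the access list narrowed to the two tunnel endpoints instead of the 0.0.0.0 0.0.0.0 wildcard and "any any", as the text recommends for real deployments. The stronger alternatives mentioned in comments (aes 256, sha256, group 14) assume an IOS release that supports them.

```cisco
! --- R4: GRE tunnel (as configured earlier) ---
interface Tunnel1
 ip address 192.168.0.2 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 192.0.2.1
!
! --- IKE Phase 1 (ISAKMP) policy, mirroring R1 ---
! "encryption aes" uses the default 128-bit key; "encryption aes 256" is stronger.
! "hash sha" is the IOS default (SHA-1); "hash sha256" where supported.
! "group 2" matches the demo; "group 14" (2048-bit) is the stronger choice.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Pre-shared key bound to the specific peer (R1) instead of 0.0.0.0 0.0.0.0
crypto isakmp key kevinskey address 192.0.2.1 255.255.255.255
!
! --- IKE Phase 2: transform set in transport mode (the GRE packet is already unicast IP) ---
crypto ipsec transform-set KWTRAIN esp-aes esp-sha-hmac
 mode transport
!
! Interesting traffic: only GRE (IP protocol 47) between the two tunnel endpoints.
! The demo uses "permit gre any any"; host/host is the tighter form.
ip access-list extended GRE-IN-IPSEC
 permit gre host 198.51.100.2 host 192.0.2.1
!
! Crypto map ties the access list, transform set and peer together
crypto map VPN 10 ipsec-isakmp
 match address GRE-IN-IPSEC
 set transform-set KWTRAIN
 set peer 192.0.2.1
!
! Apply the crypto map to the interface carrying the GRE packets
interface GigabitEthernet0/1
 crypto map VPN
!
! Verification, as in the text:
! show ip interface brief   -> Tunnel1 is up/up
! show crypto isakmp sa     -> Phase 1 SA in state QM_IDLE, status ACTIVE
! show crypto ipsec sa      -> #pkts encaps / #pkts decaps counters increase with traffic
! show ip ospf neighbor     -> R1 (1.1.1.1) is FULL over Tunnel1
```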

Verification commands

Let's send some traffic over the IPsec tunnel to check site-to-site connectivity.

Let's ping the loopback interface on R1, 1.1.1.1. We find that traffic gets through.

[Screenshot: ping to 1.1.1.1 succeeds]

To check the state of the IKE Phase 1 tunnel, we can do show crypto isakmp sa (sa stands for security association). The status is active.

To check the state of the IKE Phase 2 tunnel, instead of show crypto isakmp, it's show crypto ipsec sa.

[Screenshot: show crypto ipsec sa output with packet counters]

We can see packet counts. The output reports how many packets have been encapsulated and how many have been decapsulated.

This confirms that traffic really is flowing over our IPsec tunnel, and the only traffic we considered interesting for the IPsec tunnel was our GRE traffic.

Finally, let's do a show ip ospf neighbor command.

[Screenshot: show ip ospf neighbor output]

That all means traffic we are sending from R1 to R4 is going over that GRE tunnel.
