
Implementing Secure Converged Wide Area Networks (ISCW)

ISCW-Mod3_L5

2007 Cisco Systems, Inc. All rights reserved.

Configuring GRE Tunnels over IPsec

Module 3 Lesson 5


Module Introduction
Virtual private networks (VPNs) use advanced encryption techniques and tunneling to permit organisations to establish secure, end-to-end, private network connections over third-party networks such as the Internet.
Cisco offers a wide range of VPN products, including VPN-optimised routers, PIX security and Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These infrastructure devices are used to create VPN solutions that meet the security requirements of any organisation.
This module explains fundamental terms associated with VPNs, including the IP Security (IPsec) protocol and Internet Key Exchange (IKE). It then details how to configure various types of VPN, using the various methods currently available.


Objectives
At the completion of this fifth lesson, you will be able to:
Explain the requirement to use the GRE protocol
Describe GRE technology
Configure a GRE tunnel using SDM on IOS routers
Monitor and test the tunnel


Generic Routing Encapsulation (GRE)

GRE is an OSI Layer 3 tunneling protocol:
Encapsulates a wide variety of protocol packet types inside IP tunnels
Creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork
Uses IP for transport
Uses an additional header to support any other OSI Layer 3 protocol as payload (for example, IP, IPX, AppleTalk)


Generic Routing Encapsulation


IPsec only encapsulates IP traffic
This may be a problem for non-IP or multicast traffic that needs to be sent across a secure tunnel
GRE, a Cisco-developed protocol, allows traffic other than IP to be transported using a powerful but simple tunnel technique
GRE supports any OSI Layer 3 protocol as payload, for which it provides virtual point-to-point connectivity
GRE also allows the use of routing protocols across the tunnel
However, GRE offers only minimal security for the payload (basic plaintext authentication using the tunnel key), and so needs to be used with IPsec if security is required


Generic Routing Encapsulation


Some of the reasons for using GRE over IPsec:
To pass multicast and broadcast traffic across the tunnel securely
To pass non-IP traffic securely
To provide resiliency
To save memory and CPU cycles in the router, by reducing the number of security associations (SAs) that need to be set up


Basic GRE Header - GRE flags

GRE is stateless (no flow control mechanisms).
GRE offers no security (no confidentiality, data authentication, or integrity assurance).
GRE uses 24-byte overhead by default (20-byte IP header and 4-byte GRE header).


Basic GRE Header - GRE flags


The GRE flags are encoded in the first two octets. Bit 0 is the MSB, and bit 15 the LSB. Some of the GRE flags include the following:
Checksum Present (bit 0): If the Checksum Present bit is set to 1, the optional Checksum field is present in the GRE header
Key Present (bit 2): If the Key Present bit is set to 1, the optional Key field is present in the GRE header
Sequence Number Present (bit 3): If the Sequence Number Present bit is set to 1, the optional Sequence Number field is present in the GRE header
Version Number (bits 13-15): The Version Number indicates the GRE implementation version. A value of 0 is typically used for a basic GRE implementation. Point-to-Point Tunneling Protocol (PPTP) uses Version 1
Protocol Type: The Protocol Type field contains the protocol type of the payload packet. In general, the value is the Ethernet protocol type field for the packet; for IP, the hexadecimal value 0x800 is used. This field enables GRE to tunnel any Layer 3 protocol


Optional GRE Extensions

GRE can optionally contain any one or more of these fields:
Tunnel checksum
Tunnel key
Tunnel packet sequence number

GRE keepalives can be used to track tunnel path status.

Optional GRE Extensions


The GRE tunnel header can contain additional optional header information, depending on the flags in the first two bytes of the GRE header
The optional GRE header information can include the following:
Tunnel checksum: The tunnel checksum detects packet corruption. This option is not used often, because other layers in the protocol stack already carry checksums that typically ensure the accuracy of the GRE packets
Tunnel key: Can be used for two purposes:
The tunnel key can be used for basic plaintext authentication of packets, in which only the two GRE endpoints share a secret number that enables the tunnel to operate properly. However, anyone in the packet path can easily see the key and would be able to spoof tunnel packets
A more common use of the tunnel key is when two routers want to establish parallel tunnels sourced from the same IP address. The tunnel key is then used to distinguish between GRE packets belonging to different tunnels
Tunnel sequence number: This number is used to ensure that GRE packets are accepted only if they arrive in the correct order.

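The flag bits and optional fields described on the last two slides are easiest to see by decoding a packet. The following parser and builder are an added example, not part of the Cisco lesson: they implement the RFC 2784 base header (flags, version, protocol type, checksum) and the RFC 2890 Key and Sequence Number fields exactly as the slides lay them out. SAMPLE_PAYLOAD, the key value 42 and the sequence number 7 are constructed test data. Note that the parser recovers the tunnel key from the packet bytes alone, which is the slide's point about the key being plaintext rather than a security control.

```python
# Added example, not from the Cisco lesson: decode and verify a GRE header
# (RFC 2784 base header plus the RFC 2890 Key and Sequence Number extensions).
# SAMPLE_PAYLOAD and the key/sequence values used below are constructed test data.
import struct
from dataclasses import dataclass
from typing import Optional

FLAG_CHECKSUM = 0x8000   # bit 0 of the flags word (bit 0 is the MSB)
FLAG_KEY = 0x2000        # bit 2
FLAG_SEQUENCE = 0x1000   # bit 3
VERSION_MASK = 0x0007    # bits 13-15
ETHERTYPE_IPV4 = 0x0800  # Protocol Type for an IPv4 payload

SAMPLE_PAYLOAD = bytes(range(20))  # constructed stand-in for an inner packet


@dataclass
class GreHeader:
    checksum_present: bool
    key_present: bool
    sequence_present: bool
    version: int
    protocol_type: int
    checksum: Optional[int]
    key: Optional[int]
    sequence: Optional[int]
    header_len: int              # bytes consumed before the payload starts
    checksum_ok: Optional[bool]  # None when no checksum is carried


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (the GRE checksum algorithm)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_gre(packet: bytes) -> GreHeader:
    """Walk the flags and pull out whichever optional fields are flagged present."""
    flags, proto = struct.unpack_from("!HH", packet, 0)
    offset = 4
    checksum = key = seq = None
    if flags & FLAG_CHECKSUM:
        # Checksum (2 bytes) is followed by a 2-byte Reserved1 field.
        (checksum,) = struct.unpack_from("!H", packet, offset)
        offset += 4
    if flags & FLAG_KEY:
        (key,) = struct.unpack_from("!I", packet, offset)
        offset += 4
    if flags & FLAG_SEQUENCE:
        (seq,) = struct.unpack_from("!I", packet, offset)
        offset += 4
    checksum_ok = None
    if checksum is not None:
        # The checksum covers the whole GRE header and payload, with the
        # checksum field itself taken as zero.
        checksum_ok = internet_checksum(packet[:4] + b"\x00\x00" + packet[6:]) == checksum
    return GreHeader(
        checksum_present=bool(flags & FLAG_CHECKSUM),
        key_present=bool(flags & FLAG_KEY),
        sequence_present=bool(flags & FLAG_SEQUENCE),
        version=flags & VERSION_MASK,
        protocol_type=proto,
        checksum=checksum,
        key=key,
        sequence=seq,
        header_len=offset,
        checksum_ok=checksum_ok,
    )


def build_gre(payload: bytes, proto: int = ETHERTYPE_IPV4, key: Optional[int] = None,
              seq: Optional[int] = None, with_checksum: bool = False) -> bytes:
    """Encapsulate payload in GRE; only the flagged optional fields are emitted."""
    flags = 0
    optional = b""
    if key is not None:
        flags |= FLAG_KEY
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= FLAG_SEQUENCE
        optional += struct.pack("!I", seq)
    if not with_checksum:
        return struct.pack("!HH", flags, proto) + optional + payload
    flags |= FLAG_CHECKSUM
    body = struct.pack("!HHHH", flags, proto, 0, 0) + optional + payload
    return struct.pack("!HHHH", flags, proto, internet_checksum(body), 0) + optional + payload


if __name__ == "__main__":
    pkt = build_gre(SAMPLE_PAYLOAD, key=42, seq=7, with_checksum=True)
    hdr = parse_gre(pkt)
    # The key is readable by anyone holding the packet: it is not a secret.
    print(f"header {hdr.header_len} bytes, key={hdr.key}, seq={hdr.sequence}, checksum ok={hdr.checksum_ok}")
```

With all three flags set the header grows from 4 to 16 bytes, and the checksum check fails as soon as a single payload byte is altered, which is the corruption detection the slide describes; it says nothing about who altered it, which is why the lesson pairs GRE with IPsec.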

Secure GRE Tunnels


IPsec provides what GRE lacks:
Confidentiality through encryption using symmetric algorithms
Data source authentication using HMACs
Data integrity verification using HMACs

IPsec is not perfect at tunneling:
Older IOS versions do not support IP multicast over IPsec
IPsec was designed to tunnel IP only (no multiprotocol support)
Using crypto maps to implement IPsec does not allow the use of routing protocols across the tunnel
IPsec does not tunnel IP protocols; GRE does


GRE over IPsec

GRE over IPsec is typically used to do the following:
Create a logical hub-and-spoke topology of virtual point-to-point connections
Secure communication over an untrusted transport network (e.g. the Internet)

GRE over IPsec Encapsulation

GRE encapsulates an arbitrary payload.
IPsec encapsulates the resulting unicast IP packet (the GRE packet):
Tunnel mode (default): IPsec creates a new tunnel IP packet
Transport mode: IPsec reuses the IP header of the GRE packet (20 bytes less overhead than tunnel mode)

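The two encapsulation orders on the slide are easiest to compare by counting bytes. The calculator below is an added example, not from the Cisco lesson: it assumes ESP with AES-CBC (16-byte IV and cipher block) and HMAC-SHA1-96 (12-byte ICV), IPv4 headers without options and the basic 4-byte GRE header; the transform-set sizes are parameters so a 3DES set (8-byte IV and block) can be modelled by changing them. It reproduces the slide's 24-byte GRE overhead and 20-byte tunnel-versus-transport difference, and goes one step further by working out the largest inner packet that fits a 1500-byte link, which is what the PMTUD setting later in this lesson is protecting.

```python
# Added example, not from the Cisco lesson: byte accounting for GRE over IPsec.
# Assumes ESP with AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV),
# IPv4 headers without options and a basic 4-byte GRE header. The transform-set
# sizes are parameters so other sets can be modelled.
IP_HDR = 20       # IPv4 header
GRE_HDR = 4       # basic GRE header, no optional fields
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header


def esp_padding(plain_len: int, block: int = 16) -> int:
    """Padding so that payload + padding + trailer is a whole number of cipher blocks."""
    return (-(plain_len + ESP_TRAILER)) % block


def gre_over_ipsec_size(inner_len: int, mode: str, iv_len: int = 16,
                        block: int = 16, icv_len: int = 12) -> int:
    """On-the-wire size of an inner packet of inner_len bytes after GRE and ESP.

    tunnel:    IP | ESP | IV | [IP | GRE | inner | pad | trailer] | ICV
    transport: IP | ESP | IV | [GRE | inner | pad | trailer]      | ICV
    In tunnel mode the GRE delivery IP header is encrypted and a new outer
    IP header is added; in transport mode the GRE delivery header is reused.
    """
    gre_packet = GRE_HDR + inner_len
    if mode == "tunnel":
        plain = IP_HDR + gre_packet
    elif mode == "transport":
        plain = gre_packet
    else:
        raise ValueError(f"unknown IPsec mode: {mode}")
    encrypted = plain + esp_padding(plain, block) + ESP_TRAILER
    return IP_HDR + ESP_HDR + iv_len + encrypted + icv_len


def fixed_overhead(mode: str, iv_len: int = 16, icv_len: int = 12) -> int:
    """Header bytes added around the inner packet, before any ESP padding."""
    common = IP_HDR + ESP_HDR + iv_len + GRE_HDR + ESP_TRAILER + icv_len
    return common + IP_HDR if mode == "tunnel" else common


def max_inner_len(link_mtu: int, mode: str, **transform) -> int:
    """Largest inner packet that fits link_mtu without fragmentation.

    The wire size grows in block-sized jumps, so subtracting a fixed overhead
    from the MTU under-counts; walk down from the MTU instead.
    """
    n = link_mtu
    while n > 0 and gre_over_ipsec_size(n, mode, **transform) > link_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        print(f"{mode:9s} fixed overhead {fixed_overhead(mode)} B, "
              f"1400-byte inner -> {gre_over_ipsec_size(1400, mode)} B on the wire, "
              f"max inner on a 1500-byte link {max_inner_len(1500, mode)} B")
```

With these assumptions a 1400-byte inner packet leaves the router as 1496 bytes in tunnel mode and 1464 in transport mode, so a tunnel interface MTU of 1400 keeps both below a 1500-byte link MTU; the largest inner packets that still fit are 1414 and 1434 bytes respectively, again 20 bytes apart.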

Configuring GRE over IPsec Site-to-Site Tunnel Using SDM

To configure a GRE over IPsec tunnel using SDM, follow these steps (see next slide):
1. Use a web browser to connect to the HTTP server on the router. Click the Configure icon in the top navigation bar to enter the configuration page
2. Click the VPN icon in the vertical navigation bar to open the VPN page
3. Choose the Site to Site VPN wizard in the menu
4. Click the Create Site to Site VPN tab at the top of the section on the right
5. Click the Create a secure GRE tunnel (GRE over IPSec) radio button
6. Click the Launch the selected task button to start the wizard, which will guide you through the configuration steps

Configuring GRE over IPsec Site-to-Site Tunnel Using SDM

[Screenshot: the SDM Site to Site VPN page, with steps 1 to 6 of the previous slide marked]


GRE Tunnel (GRE over IPsec)


Configuring GRE Tunnel Information


Follow these steps for configuring the GRE tunnel (see next slide):
1. Under Tunnel Source, select the GRE tunnel source IP address from a configured interface or manually specify the source IP address. This address must be a valid IP address configured on one of the interfaces on the router. Under Tunnel Destination, enter the tunnel destination IP address
2. In the IP address of the GRE tunnel section, define the inner IP address and subnet mask that are applied to the virtual point-to-point link
3. Note that the Enable path MTU discovery (PMTUD) option is enabled by default. This setting lets the router determine the maximum transmission unit (MTU) for the virtual interface. This is accomplished by using ICMP
4. Click the Next button to proceed to the next task
NOTE: ICMP unreachable messages must be permitted by all ACLs and firewalls in the path between the two tunnel endpoints in order for PMTUD to work


Configuring GRE Tunnel Information

[Screenshot: the GRE Tunnel Information page, with steps 1 to 4 of the previous slide marked]


Configuring a Backup GRE Tunnel

To provide resilience to the VPN, create a second GRE tunnel in case the primary tunnel fails (the steps are shown on the next slide):
1. Check Create a backup secure GRE tunnel for resilience
2. Define the IP address of the backup VPN peer in the available field
3. In the Tunnel IP address section, define the inner IP address and the subnet mask for the logical tunnel interface
4. Click the Next button to proceed to the next task


Configuring a Backup GRE Tunnel

[Screenshot: the Backup GRE Tunnel page, with steps 1 to 4 of the previous slide marked]


Configuring VPN Authentication

After defining the GRE tunnel parameters, the SDM wizard proceeds to configure IPsec-specific parameters. This step ensures that both ends of the tunnel connect with the same secret key:
1. Click the radio button for the desired authentication method:
Pre-shared keys
Digital certificates
2. If you choose pre-shared keys to provide authentication, then specify a pre-shared secret. The secret should be long and random


Configuring VPN Authentication

[Screenshot: the VPN Authentication page, with the two radio buttons of step 1 (1A, 1B) and the pre-shared key field of step 2 marked]


IKE Proposals

You can now use a predefined IKE policy, or click the Add button and enter the required information to create a custom IKE policy. You can also modify the existing policies by selecting an individual policy and clicking the Edit button.
When adding or editing an IKE policy, define the required parameters that appear in the Add IKE Policy window:
1. IKE proposal priority
2. Encryption algorithm (most commonly 3DES or AES; Software Encryption Algorithm [SEAL] can also be used to improve crypto performance on routers that do not have hardware IPsec accelerators; DES is no longer advised)
3. HMAC (SHA-1 or MD5)
4. Authentication method (pre-shared key or digital certificates)
5. DH group (1, 2, or 5)
6. IKE lifetime
7. When you finish adding or editing IKE proposals, click the Next button on the IKE Proposals window to proceed to the next task


IKE Proposals


Creating a Custom IKE Policy

Define all IKE policy parameters:
Priority
Encryption algorithm: DES, 3DES, or AES
HMAC: SHA-1 or MD5
Authentication method: pre-shared secrets or digital certificates
Diffie-Hellman group: 1, 2, or 5
IKE lifetime

Configuring the Transform Set

When creating an IPsec transform set, use the same set of algorithms as were used in the configured IKE policy:
1. There is a default IPsec transform set predefined by SDM that can be used. If you choose the default, skip Step 2. A new transform set can also be created
2. To use a custom IPsec transform set, create it by clicking the Add button and specifying these parameters:
Transform set name
Encryption algorithm
HMAC
Mode of operation
Optional compression
3. When finished adding sets, click the Next button to proceed to the next task
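The wizard pages for authentication, the IKE policy and the transform set each carry a piece of advice from this lesson: DES is no longer advised, the pre-shared secret should be long and random, the transform set should use the same algorithms as the IKE policy, ICMP unreachables must be allowed for PMTUD, and a backup tunnel needs a routing protocol to fail over. The checker below is an added example, not part of the Cisco lesson or of SDM: it takes those wizard choices as a plain Python dict and reports which of the lesson's rules a plan breaks. WEAK_PLAN and HARDENED_PLAN are constructed, and the 20-character / three-character-class thresholds used to judge "long and random" are this example's assumption, not a figure from the lesson.

```python
# Added example, not from the Cisco lesson or from SDM: a pre-flight check over
# the choices the SDM wizard asks for, expressed as a plain dict. The rules are
# the lesson's own advice; the 20-character / three-class thresholds for
# "long and random" are this example's assumption. Both plans are constructed.
import string

WEAK_PLAN = {
    "ike_policy": {"encryption": "DES", "hmac": "MD5", "authentication": "pre-shared"},
    "transform_set": {"encryption": "3DES", "hmac": "SHA-1"},
    "psk": "tunnel01",                      # constructed weak secret
    "pmtud": True,
    "icmp_unreachable_permitted": False,    # nobody checked the path ACLs
    "backup_tunnel": True,
    "routing": "static",
}

HARDENED_PLAN = {
    "ike_policy": {"encryption": "AES-256", "hmac": "SHA-1", "authentication": "pre-shared"},
    "transform_set": {"encryption": "AES-256", "hmac": "SHA-1"},
    "psk": "Q7v!pR2m#Lz9wT4x@Hs8bN1cE6dF3gK0",  # constructed, 32 characters
    "pmtud": True,
    "icmp_unreachable_permitted": True,
    "backup_tunnel": True,
    "routing": "eigrp",
}


def check_psk(psk: str, min_len: int = 20, min_classes: int = 3) -> list:
    """Flag a pre-shared key that is short or drawn from too few character classes."""
    findings = []
    if len(psk) < min_len:
        findings.append(f"pre-shared key is {len(psk)} characters; expected at least {min_len}")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    used = sum(any(ch in cls for ch in psk) for cls in classes)
    if used < min_classes:
        findings.append(f"pre-shared key uses {used} character classes; expected at least {min_classes}")
    return findings


def check_plan(plan: dict) -> list:
    """Return a list of findings; an empty list means the plan follows the lesson's advice."""
    findings = []
    ike = plan["ike_policy"]
    ts = plan["transform_set"]
    if ike["encryption"].upper() == "DES":
        findings.append("IKE policy uses DES, which is no longer advised")
    if (ike["encryption"].upper(), ike["hmac"].upper()) != (ts["encryption"].upper(), ts["hmac"].upper()):
        findings.append("transform set algorithms differ from the IKE policy; use the same set")
    if ike["authentication"] == "pre-shared":
        findings.extend(check_psk(plan.get("psk", "")))
    if plan.get("pmtud", True) and not plan.get("icmp_unreachable_permitted", False):
        findings.append("PMTUD is enabled but ICMP unreachables are not confirmed permitted along the path")
    if plan.get("backup_tunnel") and plan.get("routing") == "static":
        findings.append("backup tunnel with static routing; a routing protocol is needed to detect failure and reroute")
    return findings


if __name__ == "__main__":
    for name, plan in (("weak", WEAK_PLAN), ("hardened", HARDENED_PLAN)):
        print(name, check_plan(plan) or ["no findings"])
```

Running it reports six findings for the weak plan and none for the hardened one; the same dict can be filled in from an existing router's configuration before the wizard is run a second time for the far end.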

Transform Set

[Screenshot: the Transform Set page, with steps 1 to 3 of the previous slide marked]


Configuring Routing Information

A GRE tunnel supports multicast across the addressed point-to-point link.

Static routing is typically used for simple stub sites with a single GRE over IPsec tunnel. Complex topologies with sites that use backup tunnels or have multiple IP subnets require a routing protocol to dynamically distribute routing information, detect failures, and reroute to backup tunnels.

The SDM wizard allows choosing from three options:
1. Static routing
2. Dynamic routing using Enhanced Interior Gateway Routing Protocol (EIGRP)
3. Dynamic routing using Open Shortest Path First (OSPF)


Configuring Routing Information


Static Routing
If choosing to configure static routing, select the static routing button and then click Next.
In the first drop-down menu, disable split tunneling by choosing the Tunnel all traffic option. This option results in a default route pointing into the tunnel. Unless more specific routes are in the routing table, all traffic will be sent through the tunnel.
Alternatively, choose the Do split tunneling option from this drop-down menu and specify the IP address and subnet mask of the destination that is reachable through the tunnel. All other destinations are reached by bypassing the tunnel.


Static Routing


Dynamic Routing Using EIGRP

If choosing to configure dynamic routing using EIGRP, select the EIGRP button on the routing choice screen.
There are two steps for configuring EIGRP across the tunnel:
1. Select an existing or define a new EIGRP autonomous system (AS) number by clicking the appropriate button and entering the number.
2. Define one or more local subnets (IP address and wildcard mask) on which EIGRP will run and which it will therefore advertise to EIGRP neighbors.


Dynamic Routing Using EIGRP

[Screenshot: the EIGRP routing page, with steps 1 and 2 of the previous slide marked]


Dynamic Routing Using OSPF

If choosing to configure dynamic routing using OSPF, click the OSPF button on the initial routing screen and then click Next.
There are three steps used to configure OSPF across the tunnel:
1. Select an existing or define a new OSPF process number by clicking the appropriate radio button and entering the number
2. Enter an OSPF area number for the tunnels
3. Enter the network IP address, subnet mask, and area number of one or more local subnets that you want to advertise to OSPF neighbors


Dynamic Routing Using OSPF

[Screenshot: the OSPF routing page, with steps 1 to 3 of the previous slide marked]


Review the Configuration


Review the Configuration (Cont.)


Testing, Monitoring and Troubleshooting GRE Tunnel Configuration

After creating the GRE over IPsec site-to-site tunnel, the tunnel status can be seen immediately. A test can be run to determine whether the tunnel configuration is correct, or to generate a mirror configuration. The information in the mirror configuration is required to set up the other end of the tunnel. The mirror configuration is useful if the router at the other end of the tunnel does not have SDM and the CLI is to be used to configure the tunnel.

To test the tunnel:
1. Click the Configure icon in the top navigation bar of the SDM home page to enter the configuration page
2. Click the VPN icon in the vertical navigation bar to open the VPN page
3. Choose the Site to Site VPN wizard from the list in the middle section
4. Click the Edit Site to Site VPN tab at the top of the section on the right side
5. Choose and highlight the tunnel that you want to test
6. Click the Test Tunnel button. The testing screen appears
7. Click the Start button and wait until the test is complete
8. For each failed task, the bottom part of the window shows the reason and recommended actions to resolve the issue

Test Tunnel Configuration and Operation

[Screenshot: the Edit Site to Site VPN page, with steps 1 to 6 of the previous slide marked]


Test Results

[Screenshot: the tunnel test window after clicking Start (step 7)]


Monitor Tunnel Operation

Use the Monitor page to view the status of the tunnel. To see all IPsec tunnels, their parameters, and status, follow this procedure:
1. Click the Monitor icon in the top navigation bar of the SDM home page.
2. Click the VPN Status icon in the vertical navigation bar.
3. Click the IPSec Tunnels tab.

Testing and Monitoring
Use the show commands to determine the status of IPsec VPN connections.

Troubleshooting
Connect a terminal to the Cisco IOS router to use debugging commands to troubleshoot VPN connectivity. Figure [5] shows the syntax and an example of how to use the debug crypto isakmp command.
The debug crypto isakmp EXEC command displays detailed information about the IKE Phase 1 and Phase 2 negotiation processes.


Monitor Tunnel Operation

[Screenshot: the SDM Monitor page, VPN Status, IPSec Tunnels tab, with steps 1 to 3 of the previous slide marked]


Testing and Monitoring GRE Tunnel Configuration

router# show crypto isakmp sa
To display all current IKE SAs, use the show crypto isakmp sa command in EXEC mode. QM_IDLE status indicates an active IKE SA.

router# show crypto ipsec sa
To display the settings used by current SAs, use the show crypto ipsec sa command in EXEC mode. Non-zero encryption and decryption statistics can indicate a working set of IPsec SAs.

router# show interfaces
Use the show interfaces command to display statistics for all interfaces that are configured on the router, including the tunnel interfaces.
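The two indicators this slide gives, QM_IDLE in show crypto isakmp sa and non-zero encrypt and decrypt counters in show crypto ipsec sa, can be checked mechanically when the output is collected from many routers. The script below is an added example, not from the Cisco lesson: SHOW_ISAKMP_SA and SHOW_IPSEC_SA are constructed samples laid out in IOS output format using documentation addresses (203.0.113.0/24), and the one-way variant shows why the slide asks for both counters rather than just the encrypt side.

```python
# Added example, not from the Cisco lesson: read tunnel health out of the two
# show commands the lesson names. SHOW_ISAKMP_SA and SHOW_IPSEC_SA are constructed
# samples in IOS output format, using documentation addresses (203.0.113.0/24).
import re

SHOW_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE
"""

SHOW_IPSEC_SA = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 203.0.113.1

   local  ident (addr/mask/prot/port): (203.0.113.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (203.0.113.2/255.255.255.255/47/0)
   current_peer 203.0.113.2 port 500
    #pkts encaps: 1254, #pkts encrypt: 1254, #pkts digest: 1254
    #pkts decaps: 1198, #pkts decrypt: 1198, #pkts verify: 1198
    #send errors 0, #recv errors 0
"""

# Same SA but nothing has come back from the peer: encrypt-only is not "working".
SHOW_IPSEC_SA_ONE_WAY = SHOW_IPSEC_SA.replace(
    "#pkts decaps: 1198, #pkts decrypt: 1198, #pkts verify: 1198",
    "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")

IKE_SA_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)")


def isakmp_sas(output: str) -> list:
    """(dst, src, state) for every SA row in 'show crypto isakmp sa' output."""
    return [m.groups() for m in map(IKE_SA_LINE.match, output.splitlines()) if m]


def ike_active(output: str, peer: str) -> bool:
    """QM_IDLE with the peer address in the row means Phase 1 is established."""
    return any(state == "QM_IDLE" and peer in (dst, src)
               for dst, src, state in isakmp_sas(output))


def ipsec_counters(output: str) -> dict:
    """Collect every '#pkts <name>: <n>' counter from 'show crypto ipsec sa'."""
    return {name: int(value) for name, value in re.findall(r"#pkts (\w+): (\d+)", output)}


def ipsec_passing_traffic(output: str) -> bool:
    """Non-zero encrypt AND decrypt counters indicate a working pair of IPsec SAs."""
    c = ipsec_counters(output)
    return c.get("encrypt", 0) > 0 and c.get("decrypt", 0) > 0


def tunnel_health(isakmp_output: str, ipsec_output: str, peer: str) -> str:
    """Summarise: 'up', 'ike-only' (Phase 1 but no two-way traffic) or 'down'."""
    if not ike_active(isakmp_output, peer):
        return "down"
    return "up" if ipsec_passing_traffic(ipsec_output) else "ike-only"


if __name__ == "__main__":
    print(tunnel_health(SHOW_ISAKMP_SA, SHOW_IPSEC_SA, "203.0.113.2"))          # up
    print(tunnel_health(SHOW_ISAKMP_SA, SHOW_IPSEC_SA_ONE_WAY, "203.0.113.2"))  # ike-only
```

An "ike-only" result is the case the slide's wording anticipates: IKE negotiated successfully but the IPsec SAs are carrying traffic in one direction only, which usually points at the far end's routing or at an ACL between the peers rather than at the crypto configuration.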

Troubleshooting GRE Tunnel Configuration

router# debug crypto isakmp
Debugs IKE communication

Advanced troubleshooting can be performed using the Cisco IOS CLI
Troubleshooting requires knowledge of Cisco IOS CLI commands
