© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Secured Connectivity Configuring GRE Tunnels

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Generic Routing Encapsulation RFCs 1701, 1702, 2784 Uses IP protocol 47 when encapsulated within IP Allows passing of routing information between connected networks

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Default GRE Characteristics Tunneling of arbitrary OSI Layer 3 payload is primary goal of GRE Stateless (no flow control mechanisms) No security (no confidentiality, data authentication, or integrity assurance) 24-B overhead by default (20-B IP header and 4-B GRE header) IPGREIPTCPData Protocol Type Flags Identifies the type of payload: Ethertype 0x800 is used for IPv4. Identifies the presence of optional header fields

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Deployment Scenario Corporate Headquarters Remote Office Workplace Resources Remote Users Internet GRE Tunnel

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Configuring a GRE Tunnel Create and identify the tunnel interface. Configure the tunnel interface source address. Configure the tunnel interface destination address. Bring up tunnel interface (administratively). Configure routes.

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Configure a Tunnel R1(config)#interface tunnel 0 R1(config-if)#ip address R1(config-if)#tunnel source R1(config-if)#tunnel destination R1(config-if)#no shutdown R1(config-if)#exit R1(config)#ip route tunnel Site 1Site R1 R6 Internet B A

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Verifying GRE Tunnels R1# show ip interface brief R1# show interfaces tunnel Site 1Site R1 R6 Internet B A

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v GRE/IPsec GRE encapsulates arbitrary payload. IPsec encapsulates unicast IP packet (GRE) –Tunnel mode (default): IPsec creates a new tunnel IP packet. –Transport mode: IPsec reuses the IP header of the GRE (20 B less overhead). IPESPIPTCPData Tunnel Mode Example IPGRE ESPIPTCPData Transport Mode Example IPGRE Encrypted Payload ESP

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v GRE with Encryption Example R1(config)#interface tunnel 0 R1(config-if)#ip address R1(config-if)#tunnel source R1(config-if)#tunnel destination R1(config-if)#crypto map SNRS-MAP R1(config-if)#no shutdown R1(config-if)#exit R1(config)#ip access-list 101 permit gre host host R1(config)#ip route tunnel Site 1Site R1 R6 Internet GRE/IPsec Tunnel B A

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Summary GRE was developed to encapsulate a wide variety of protocol packet types inside IP tunnels. GRE can be used in conjunction with IPsec to pass routing updates between sites on an IPsec VPN. Several simple steps are required to configure a GRE tunnel. Use the show interfaces command to verify tunnel configuration. You can configure encryption so that all traffic through the GRE tunnel is encrypted.

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v