GRE-tunneling between two IOS-routers.

The last few days I've been playing with GRE-tunnels (just to prepare myself for testing DMVPN). I did a simple GRE-tunnel between two routers (split apart with a firewall simulating the internet) and made EIGRP flow through the tunnel. It's really cool and simple. Just create a Tunnel-interface and assign source and destination:

interface Tunnel0
ip address
tunnel source FastEthernet0.11
tunnel destination

and the same on the other router:

interface Tunnel0
ip address
tunnel source FastEthernet0.30
tunnel destination

The and ip:s are the physical interface IPs of the respective routers. The tunnel-interfaces share a common subnet,

After doing that I just added the interface to the EIGRP process:

router eigrp 11

Since the GRE-tunnel handles multicast, the EIGRP-enabled routers become neighbours and exchange routes.

The next step is to encrypt the traffic. Sending this tunnel-traffic in clear text is not a really good idea, is it? What needs to be done is to create an IPsec profile and an ISAKMP policy on each router.

crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile IPSECPROF
set transform-set TSET
set pfs group2
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address

After doing that the only remaining step is to apply the ipsec profile to the tunnel interface, and voila, all traffic thru that interface will be encrypted:

interface Tunnel0
ip address
tunnel source FastEthernet0.11
tunnel destination
tunnel protection ipsec profile IPSECPROF

One thing to remember. Never use gre keepalives when ipsec-encrypting your GRE-traffic. This got me stuck in troubleshooting for a while before a kind guy on a mailing-list told me so and referred to this article.
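An added example, not part of the original post: a small Python check that reads an IOS-style configuration and flags the two problems described above, a Tunnel interface without `tunnel protection` and a GRE keepalive combined with IPsec protection, plus a reference to an IPsec profile that is never defined. The sample configuration, the profile name MISSINGPROF and the function names are constructed for illustration.

```python
# Constructed sample (not the post's config); Tunnel1 and Tunnel2 are misconfigured.
SAMPLE_CONFIG = """\
crypto ipsec profile IPSECPROF
 set transform-set TSET
interface Tunnel0
 tunnel source FastEthernet0.11
 tunnel protection ipsec profile IPSECPROF
interface Tunnel1
 tunnel source FastEthernet0.11
interface Tunnel2
 keepalive 10 3
 tunnel protection ipsec profile MISSINGPROF
"""

def parse_blocks(config):
    """Map each top-level IOS command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue  # skip blank lines and "!" separators
        if not line[0].isspace():
            current = line.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_tunnels(config):
    """Return sorted (interface, finding) pairs for Tunnel interfaces."""
    blocks = parse_blocks(config)
    profiles = {k.split()[-1] for k in blocks if k.startswith("crypto ipsec profile ")}
    findings = []
    for header, cmds in blocks.items():
        if not header.startswith("interface Tunnel"):
            continue
        name = header.split()[1]
        prot = [c.split()[-1] for c in cmds
                if c.startswith("tunnel protection ipsec profile ")]
        if not prot:
            findings.append((name, "no tunnel protection: traffic leaves in clear text"))
        elif prot[0] not in profiles:
            findings.append((name, "ipsec profile %s is not defined" % prot[0]))
        if prot and any(c.split()[0] == "keepalive" for c in cmds):
            findings.append((name, "keepalive configured together with tunnel protection"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit_tunnels(SAMPLE_CONFIG):
        print(name, "-", finding)
```

Run it against a saved copy of the running configuration by passing the file's text to `audit_tunnels`.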

Here and here are the complete configs for ipsec-protected GRE-tunnels in my home lab environment.
