Contents

Introduction
Hub-to-spoke Topology
Routing Protocol
Fully Mesh Topology
IPSec over GRE Tunnel
Conclusion

Introduction

Generic Routing Encapsulation (GRE) builds a virtual point-to-point tunnel between two routers across an existing IP network; the tunnel source and destination are the routers' physical (or loopback) interface addresses, and the tunnel interface gets its own address. GRE only encapsulates: it provides no confidentiality, integrity or authentication, so on its own it does not protect information. That is why GRE is commonly combined with IPsec in a Virtual Private Network (VPN). In this article we first introduce the GRE tunnel configuration and then go through the IPsec configuration that adds authentication and encryption.

Hub-to-spoke Topology

In the following figure, we build GRE tunnels between Hong Kong, Taiwan and Beijing. It is assumed that R1's e1/0, R2's e1/0 and R3's e1/0 can already ping each other.

[Figure: gre-tunnel, hub-to-spoke topology]

First, build a tunnel between R1 and R2.

R1(config)#int tunnel 12
R1(config-if)#ip address 172.16.12.1 255.255.255.0
R1(config-if)#tunnel source ethernet 1/0
R1(config-if)#tunnel destination 10.0.24.2
R2(config)#int tunnel 12
R2(config-if)#ip address 172.16.12.2 255.255.255.0
R2(config-if)#tunnel source ethernet 1/0
R2(config-if)#tunnel destination 10.0.14.1

Next, build a tunnel between R1 and R3.

R1(config)#int tunnel 13
R1(config-if)#ip address 172.16.13.1 255.255.255.0
R1(config-if)#tunnel source ethernet 1/0
R1(config-if)#tunnel destination 10.0.34.3
R3(config)#int tunnel 13
R3(config-if)#ip address 172.16.13.3 255.255.255.0
R3(config-if)#tunnel source ethernet 1/0
R3(config-if)#tunnel destination 10.0.14.1
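What the tunnel commands above put on the wire, as an added example that is not part of the original article: a Python script that builds the GRE-in-IPv4 packet R1 sends towards R2 for a ping across Tunnel12 and parses it back. The outer header carries the physical addresses (tunnel source 10.0.14.1, tunnel destination 10.0.24.2), the 4-byte GRE header carries protocol type 0x0800, and the inner packet follows unchanged. The addresses are the article's; the ICMP payload and the helper names are constructed for this example. Plain GRE (RFC 2784, no key or sequence fields) is assumed, so the inner addresses and payload are readable to anyone on the path, which is what the IPsec section later addresses.

```python
"""Added example (not from the original article): build and parse the GRE-in-IPv4
packet that R1 sends towards R2 for a ping across Tunnel12, to show the framing
the 'tunnel source'/'tunnel destination' commands produce and that the inner
packet travels in clear text. Addresses are the article's; the ICMP payload and
helper names are constructed here."""
import struct

GRE_PROTO = 47           # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload
ICMP_PROTO = 1


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data; pads an odd length with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header without options; checksum filled in."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def icmp_echo(payload: bytes) -> bytes:
    """ICMP echo request (type 8, code 0) with checksum."""
    msg = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    return msg[:2] + struct.pack("!H", ones_complement_sum(msg)) + msg[4:]


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, inner: bytes) -> bytes:
    """Outer IPv4 (protocol 47) + 4-byte GRE header (no C/K/S bits) + inner packet."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # flags/version = 0, protocol = IPv4
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet: bytes) -> dict:
    """Strip the outer IPv4 and GRE headers; the inner packet is returned as-is."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    if ones_complement_sum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    gre_len = 4
    gre_len += 4 if flags & 0x8000 else 0   # C bit: checksum + reserved field
    gre_len += 4 if flags & 0x2000 else 0   # K bit: key field
    gre_len += 4 if flags & 0x1000 else 0   # S bit: sequence number field
    inner = packet[ihl + gre_len:]
    inner_ihl = (inner[0] & 0x0F) * 4
    dotted = lambda b: ".".join(str(x) for x in b)
    return {
        "outer_src": dotted(packet[12:16]), "outer_dst": dotted(packet[16:20]),
        "gre_protocol": ptype,
        "inner_src": dotted(inner[12:16]), "inner_dst": dotted(inner[16:20]),
        "inner_proto": inner[9],
        "inner_payload": inner[inner_ihl:],   # the ICMP message, readable in the clear
    }


def ping_over_tunnel12() -> dict:
    """R1 pings 172.16.12.2 from 172.16.12.1; the outer header uses the physical addresses."""
    icmp = icmp_echo(b"ping-from-R1")                      # constructed payload
    inner = ipv4_header("172.16.12.1", "172.16.12.2", ICMP_PROTO, len(icmp)) + icmp
    wire = gre_encapsulate("10.0.14.1", "10.0.24.2", inner)
    return gre_decapsulate(wire)
```

Running `ping_over_tunnel12()` returns the parsed fields; note that nothing in the decapsulation step checks who sent the packet, so without IPsec any host that can reach 10.0.24.2 can inject GRE packets that R2 will decapsulate and route into 172.16.12.0/24 and beyond.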

Verify that R1's tunnel interfaces can ping R2's and R3's tunnel interfaces.

R1#ping 172.16.12.2 source 172.16.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.12.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/22/32 ms
R1#
R1#ping 172.16.13.3 source 172.16.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.3, timeout is 2 seconds:
Packet sent with a source address of 172.16.12.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/19/24 ms

R2's tunnel interface can also ping R3's, but the path is R2 > R1 > R3 because this is a hub-to-spoke topology: R2 and R3 have no tunnel between them. (For this to work before a routing protocol is configured, R2 and R3 need a route to each other's tunnel subnet, e.g. a static route via R1.)

R2#ping 172.16.13.3 source 172.16.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.3, timeout is 2 seconds:
Packet sent with a source address of 172.16.12.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/64/104 ms
R2#
R2#traceroute 172.16.13.3 source 172.16.12.2

Type escape sequence to abort.
Tracing the route to 172.16.13.3

  1 172.16.12.1 8 msec 40 msec 36 msec
  2 172.16.13.3 60 msec 32 msec 72 msec

Routing Protocol

Then, use a routing protocol to advertise the LAN networks across the tunnels, e.g. EIGRP. The tunnel subnets are included so that the routers form adjacencies over the tunnels. The physical 10.0.x.0 networks are deliberately not advertised: if a router learned its tunnel destination through the tunnel itself, the tunnel would be routed through itself (recursive routing) and flap.

R1(config)#router eigrp 1
R1(config-router)#network 172.16.12.0 0.0.0.255
R1(config-router)#network 172.16.13.0 0.0.0.255
R1(config-router)#network 192.168.1.0
R1(config-router)#no auto-summary
R2(config)#router eigrp 1
R2(config-router)#network 172.16.12.0 0.0.0.255
R2(config-router)#network 192.168.2.0
R2(config-router)#no auto-summary
R3(config)#router eigrp 1
R3(config-router)#network 172.16.13.0 0.0.0.255
R3(config-router)#network 192.168.3.0
R3(config-router)#no auto-summary

We can see the routes in the route table.

R1#show ip route eigrp 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

D     192.168.2.0/24 [90/27008000] via 172.16.12.2, 00:12:30, Tunnel12
D     192.168.3.0/24 [90/27008000] via 172.16.13.3, 00:12:53, Tunnel13
R1#
R1#ping 192.168.2.2 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/24 ms
R1#
R1#ping 192.168.3.3 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/40 ms

Traffic from R2's 192.168.2.0/24 to R3's 192.168.3.0/24 of course goes through R1.

R2#show ip route eigrp 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D        172.16.13.0/24 [90/28160000] via 172.16.12.1, 00:15:07, Tunnel12
D     192.168.1.0/24 [90/27008000] via 172.16.12.1, 00:15:07, Tunnel12
D     192.168.3.0/24 [90/28288000] via 172.16.12.1, 00:15:07, Tunnel12
R2#
R2#traceroute 172.16.13.3 source 172.16.12.2

Type escape sequence to abort.
Tracing the route to 172.16.13.3

  1 172.16.12.1 12 msec 36 msec 40 msec
  2 172.16.13.3 64 msec 44 msec 48 msec

Fully Mesh Topology

Although a hub-to-spoke topology is easy to set up, the problem is that when a spoke site needs to communicate with another spoke, every packet must pass through the hub first, which wastes hub bandwidth and adds latency. To solve this, we can use a fully meshed topology. Using the previous network as an example, we add a tunnel between R2 and R3.

[Figure: gre-tunnel, fully meshed topology]

R2(config)#int tunnel 23
R2(config-if)#ip address 172.16.23.2 255.255.255.0
R2(config-if)#tunnel source ethernet 1/0
R2(config-if)#tunnel destination 10.0.34.3
R3(config)#int tunnel 23
R3(config-if)#ip address 172.16.23.3 255.255.255.0
R3(config-if)#tunnel source ethernet 1/0
R3(config-if)#tunnel destination 10.0.24.2

Of course, we also need to add the new tunnel network to the EIGRP configuration so that R2 and R3 form an EIGRP adjacency over Tunnel23.

R2(config)#router eigrp 1
R2(config-router)#network 172.16.23.0 0.0.0.255
R3(config)#router eigrp 1
R3(config-router)#network 172.16.23.0 0.0.0.255

After that, R2 can reach R3 directly.

R2#show ip route eigrp 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
D        172.16.13.0/24 [90/28160000] via 172.16.23.3, 00:00:44, Tunnel23
                        [90/28160000] via 172.16.12.1, 00:00:44, Tunnel12
D     192.168.1.0/24 [90/27008000] via 172.16.12.1, 00:00:44, Tunnel12
D     192.168.3.0/24 [90/27008000] via 172.16.23.3, 00:00:44, Tunnel23
R2#
R2#traceroute 192.168.3.3 source 192.168.2.2

Type escape sequence to abort.
Tracing the route to 192.168.3.3

  1 172.16.23.3 28 msec 40 msec 20 msec

IPSec over GRE Tunnel

In this section, we add IPsec to the tunnels. Strictly speaking the result is GRE over IPsec: the GRE header and the inner packet are what ESP encrypts and authenticates, so an observer on the transit network sees only ESP traffic between the physical addresses and can neither read the inner packets nor inject its own GRE packets into the tunnel.

First, configure the IKE Phase 1 (ISAKMP) policy on R1, R2 and R3. Any parameter that is not set explicitly takes the IOS default, which on many releases is DES encryption, SHA-1 and Diffie-Hellman group 1, so set the encryption algorithm and DH group explicitly; the hash defaults to SHA-1, and newer releases also accept hash sha256.

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#group 14
R1(config-isakmp)#authentication pre-share

Next, configure the Phase 2 parameters (the IPsec transform set) on R1, R2 and R3. 3DES is deprecated (64-bit block size) and should no longer be used; AES is used here. Transport mode is sufficient for a GRE tunnel because GRE already supplies the outer IP header, and it saves the additional 20-byte IP header that tunnel mode would add to every packet.

R1(config)#crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)#mode transport
R1(cfg-crypto-trans)#exit

Then set the pre-shared key on each router for each of its peers. Please be reminded that the address in each key statement is the peer's physical interface address, i.e. the tunnel destination, not its tunnel interface address: IKE runs between the physical addresses. The key must be identical at both ends of each pair; use a long random string rather than a short dictionary word, since it is stored in the configuration and protects every IKE exchange with that peer.

R1(config)#crypto isakmp key ccie address 10.0.24.2
R1(config)#crypto isakmp key ccie address 10.0.34.3
R2(config)#crypto isakmp key ccie address 10.0.14.1
R2(config)#crypto isakmp key ccie address 10.0.34.3
R3(config)#crypto isakmp key ccie address 10.0.14.1
R3(config)#crypto isakmp key ccie address 10.0.24.2

Then, define the IPSec profile at R1, R2 and R3.

R1(config)#crypto ipsec profile PF
R1(ipsec-profile)#set transform-set TS

Finally, apply the IPsec profile to every tunnel interface: Tunnel12 and Tunnel13 on R1, Tunnel12 and Tunnel23 on R2, Tunnel13 and Tunnel23 on R3. Tunnel protection is negotiated per tunnel, so a tunnel that is missed keeps forwarding traffic, but as plain GRE. Verify on each router with show crypto isakmp sa (the ISAKMP SA should be in state QM_IDLE for every peer) and show crypto ipsec sa (the encaps/decaps packet counters should increase while traffic crosses the tunnel).

R1(config)#interface tunnel 12
R1(config-if)#tunnel protection ipsec profile PF
R1(config)#interface tunnel 13
R1(config-if)#tunnel protection ipsec profile PF
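As an added example that is not part of the original article or of Cisco IOS, the following Python script generates the per-router tunnel, EIGRP and pre-shared-key lines for either the hub-to-spoke or the fully meshed topology from a single site table, and checks that every crypto isakmp key statement points at a peer's physical address and is mirrored on that peer. It covers the full-mesh section above as well as the key configuration: generating the statements from one table is how a practitioner avoids the mismatch that hand-typed per-peer addresses invite. The site addresses and the key string are the article's; the Site table layout, the helper names and the single-digit router numbering (Tunnel12, Tunnel13, Tunnel23) are this example's assumptions.

```python
"""Added example, not part of the original article or Cisco IOS: generate the
per-router GRE tunnel, EIGRP and IKEv1 pre-shared-key lines for a hub-to-spoke
or full-mesh topology from one site table, and check that every
'crypto isakmp key ... address' statement names a peer's physical address and
is mirrored on that peer. Site addresses are the article's; the Site table,
helper names and single-digit router numbering are this example's assumptions."""
import re
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Site:
    name: str   # router name, e.g. "R1"
    num: int    # single-digit router number; tunnels are named Tunnel<a><b> as in the article
    wan: str    # physical (tunnel source) address, e.g. "10.0.14.1"
    lan: str    # LAN prefix advertised into EIGRP, e.g. "192.168.1.0"


SITES = [
    Site("R1", 1, "10.0.14.1", "192.168.1.0"),
    Site("R2", 2, "10.0.24.2", "192.168.2.0"),
    Site("R3", 3, "10.0.34.3", "192.168.3.0"),
]


def tunnel_pairs(sites, topology, hub=None):
    """(a, b) site pairs with a.num < b.num that get a GRE tunnel."""
    if topology == "mesh":
        return list(combinations(sites, 2))            # n(n-1)/2 tunnels
    if topology == "hub":                               # n-1 tunnels, all terminating at the hub
        hub = hub or sites[0]
        return [tuple(sorted((hub, s), key=lambda x: x.num)) for s in sites if s is not hub]
    raise ValueError(topology)


def router_config(site, pairs, psk, profile="PF", eigrp_as=1):
    """IOS lines for one router. The tunnel destination and the IKE key address
    are always the peer's physical (WAN) address, never its tunnel address."""
    lines, peers = [], []
    for a, b in pairs:
        if site not in (a, b):
            continue
        peer = b if site is a else a
        peers.append(peer)
        tid = f"{a.num}{b.num}"                          # Tunnel12 / 172.16.12.0/24 etc.
        lines += [f"interface Tunnel{tid}",
                  f" ip address 172.16.{tid}.{site.num} 255.255.255.0",
                  f" tunnel source {site.wan}",
                  f" tunnel destination {peer.wan}",
                  f" tunnel protection ipsec profile {profile}"]
    lines += [f"crypto isakmp key {psk} address {p.wan}" for p in peers]
    lines += [f"router eigrp {eigrp_as}"]
    lines += [f" network 172.16.{a.num}{b.num}.0 0.0.0.255" for a, b in pairs if site in (a, b)]
    lines += [f" network {site.lan}", " no auto-summary"]
    return "\n".join(lines)


def all_configs(sites, topology, psk):
    """Router name -> configuration text for the whole topology."""
    pairs = tunnel_pairs(sites, topology)
    return {s.name: router_config(s, pairs, psk) for s in sites}


def key_addresses(config):
    """Peer addresses named in a router's 'crypto isakmp key ... address' lines."""
    return re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M)


def check_keys(key_addrs, sites):
    """key_addrs: router name -> list of key addresses. Returns the mismatches found:
    an address that is no site's physical address, or a key the peer does not mirror."""
    by_wan = {s.wan: s.name for s in sites}
    my_wan = {s.name: s.wan for s in sites}
    problems = []
    for rname, addrs in key_addrs.items():
        for addr in addrs:
            peer = by_wan.get(addr)
            if peer is None:
                problems.append(f"{rname}: {addr} is not the physical address of any site")
            elif my_wan[rname] not in key_addrs.get(peer, []):
                problems.append(f"{rname}: {peer} has no key for {my_wan[rname]}")
    return problems
```

`check_keys` can also be fed a hand-maintained table of the addresses typed on each router; any entry that names a tunnel address, or a physical address the peer does not key in return, shows up as a problem before IKE fails in the field.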

Conclusion

A fully meshed topology lets spoke sites communicate with each other directly, but it needs a large number of tunnels. The number of tunnels needed for n sites is n(n-1)/2; for example, 20 sites need 190 tunnels, each with its own tunnel interface, pre-shared key statement and IPsec SA pair at both ends. Configuring and maintaining that many tunnels by hand is a nightmare for network administration. So, if there are many spoke sites, multipoint GRE (mGRE) with NHRP, as used by DMVPN, is recommended instead of point-to-point GRE: one mGRE interface per router replaces the per-peer tunnel interfaces, and spoke-to-spoke tunnels are built on demand.