How to protect traffic on GRE Tunnels with IPsec
Posted on 15 May 2019 by Beaming SupportGRE tunnels are a great way of getting connectivity between two remote sites
We’ve previously shown you how to configure generic routing encapsulation tunnels on a Cisco router. Unfortunately one of the biggest problems with GRE tunnels is that if any sensitive traffic were to pass over them it would not be encrypted.
We can mitigate this problem by running GRE/IPsec tunnels instead of just GRE. The main advantage of this is that the GRE tunnel will not come up unless IPsec is happy with the proposal. Please see the below configuration between 2 sites.
Here’s how to protect traffic on GRE tunnels with IPsec
| R1 config:
interface FastEthernet0/0 Description WAN ip address 1.1.1.1 255.255.255.252 duplex auto speed auto
interface FastEthernet0/1 Description LAN ip address 192.168.1.1 255.255.255.0 duplex auto speed auto
interface tunnel 100 ip address 169.254.1.1 255.255.255.252 tunnel source FastEthernet0/0 tunnel destination 2.2.2.2 tunnel protection ipsec profile IPSEC-GRE
ip route 192.168.2.1 255.255.255.0 169.254.1.2
crypto isakmp policy 10 authentication pre-share crypto isakmp key V3ryS3cuR3KeY* address 2.2.2.2 ! ! crypto ipsec transform-set IPSEC-TS esp-aes 256 esp-sha-hmac mode transport ! crypto ipsec profile IPSEC-GRE set transform-set IPSEC-TS |
R2 config:
interface FastEthernet0/0 Description WAN ip address 2.2.2.2 255.255.255.252 duplex auto speed auto
interface FastEthernet0/1 Description LAN ip address 192.168.2.1 255.255.255.0 duplex auto speed auto
interface tunnel 100 ip address 169.254.1.2 255.255.255.252 tunnel source FastEthernet0/0 tunnel destination 1.1.1.1 tunnel protection ipsec profile IPSEC-GRE
ip route 192.168.1.1 255.255.255.0 169.254.1.1
crypto isakmp policy 10 authentication pre-share crypto isakmp key V3ryS3cuR3KeY* address 1.1.1.1 ! ! crypto ipsec transform-set IPSEC-TS esp-aes 256 esp-sha-hmac mode transport ! crypto ipsec profile IPSEC-GRE set transform-set IPSEC-TS |
To verify the tunnel status run the command “show int tun 100”. If the tunnel is in the below state then the tunnel has formed correctly:
“Tunnel100 is up, line protocol is up”
You have successfully protected your GRE tunnels with IPsec.
However if the tunnel is in the below state then you may need to look back over IPsec configuration:
“Tunnel100 is up, line protocol is down”
We're networking experts
Beaming is an Internet Service Provider specialising in business connectivity, so we know our stuff when it comes to networking.
Want more of this?
We’ll appear in your inbox once a month to help you stay productive and safe online, whether you’re an IT novice or a tech expert.