
Configuring GRE VPN Tunnel

Introduction

Cisco's Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a variety of network layer protocols inside a point-to-point link between two endpoints. GRE lets you build an overlay network on top of an existing underlay network, which adds flexibility and supports a range of use cases.

However, GRE only encapsulates; it does not encrypt. A GRE tunnel without encryption is a security risk: anyone who can capture traffic on the underlay can read the data carried inside the tunnel.

In this lab, we are going to configure a GRE VPN tunnel over an existing IPv4 underlay network between the HQ site and the Branch site. We will not cover encryption inside the tunnel in this lab; GRE over IPsec site-to-site VPN is covered in a separate lab.

Topology

N.B.
In the topology above, I have already configured IP addressing and interfaces. I have not configured any dynamic routing yet.

We will first configure the GRE tunnel.

Configure GRE Tunnels between HQ and Branch Routers.

In this step, we are going to configure an IPv4-based GRE tunnel between the HQ and Branch routers.

IPv4-based GRE Tunnel configuration

On the HQ router, we will configure an IPv4 tunnel using 10.10.10.0/30, with a tunnel source of interface GigabitEthernet0/0 and a tunnel destination of 10.2.2.1, as below.

HQ-RTR(config)#interface tunnel 0
HQ-RTR(config-if)#description GRE-VPN-TUNNEL
*Jan 18 11:49:51.056: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
HQ-RTR(config-if)#ip address 10.10.10.1 255.255.255.252
HQ-RTR(config-if)#bandwidth 10000000
HQ-RTR(config-if)#tunnel source gigabitEthernet 0/0
HQ-RTR(config-if)#tunnel destination 10.2.2.1
*Jan 18 11:50:29.210: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
HQ-RTR(config-if)#exit
HQ-RTR(config)#

On the Branch router, we will configure the other end of the 10.10.10.0/30 tunnel, with a tunnel source of interface GigabitEthernet0/0 and a tunnel destination of 10.1.1.1, as below.

Branch(config)#interface tunnel 0
Branch(config-if)#description GRE-VPN-TUNNEL
*Jan 18 11:51:41.982: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Branch(config-if)#ip address 10.10.10.2 255.255.255.252
Branch(config-if)#bandwidth 10000000
Branch(config-if)#tunnel source gigabitEthernet 0/0
Branch(config-if)#tunnel destination 10.1.1.1
*Jan 18 11:52:06.144: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch(config-if)#exit
Branch(config)#

Verify the Tunnel interface configuration on both routers.

On the HQ router

HQ-RTR#show interfaces tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Description: GRE-VPN-TUNNEL
  Internet address is 10.10.10.1/30
  MTU 17916 bytes, BW 10000000 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 10.1.1.1 (GigabitEthernet0/0), destination 10.2.2.1
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with GigabitEthernet0/0
          Set of tunnels with source GigabitEthernet0/0, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
 --More--

On the Branch router

Branch#show interfaces tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Description: GRE-VPN-TUNNEL
  Internet address is 10.10.10.2/30
  MTU 17916 bytes, BW 10000000 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 10.2.2.1 (GigabitEthernet0/0), destination 10.1.1.1
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with GigabitEthernet0/0
          Set of tunnels with source GigabitEthernet0/0, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
 --More--

A ping across the tunnel, from the HQ tunnel address to the Branch tunnel address, should succeed:

HQ-RTR#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/7/8 ms
HQ-RTR#
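
The show output above reports the GRE header options in use (key, sequencing and checksumming all disabled) and a transport MTU of 1476 bytes, and the introduction notes that GRE gives no confidentiality. The following Python is an added example, not part of the original lab: it builds and parses GRE-in-IPv4 packets in the plain RFC 2784/2890 format and derives the transport MTU from the header sizes. The host addresses 172.16.1.10 and 172.16.3.10, the protocol number 253 and the payload are constructed sample values; the tunnel endpoints are the lab's 10.1.1.1 and 10.2.2.1.

```python
# Added example (not from the original lab): GRE-in-IPv4 encode/decode per
# RFC 2784/2890 plus tunnel transport MTU arithmetic. Addresses other than
# the lab's tunnel endpoints, and the payload, are constructed sample values.
import ipaddress
import struct

IP_PROTO_GRE = 47          # GRE rides directly on IP, protocol number 47
GRE_PROTO_IPV4 = 0x0800    # GRE protocol type for an IPv4 passenger packet
FLAG_CHECKSUM = 0x8000     # C bit
FLAG_KEY = 0x2000          # K bit
FLAG_SEQ = 0x1000          # S bit


def gre_header_len(checksum=False, key=False, seq=False):
    """Base GRE header is 4 bytes; each enabled option adds 4 bytes."""
    return 4 + 4 * int(checksum) + 4 * int(key) + 4 * int(seq)


def tunnel_transport_mtu(link_mtu=1500, **options):
    """Passenger size that fits in one underlay packet: link MTU minus the
    20-byte outer IPv4 header minus the GRE header (1476 with no options)."""
    return link_mtu - 20 - gre_header_len(**options)


def ip_checksum(data):
    """Standard one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(outer_src, outer_dst, inner_packet, key=None, seq=None):
    """Wrap inner_packet the way a GRE tunnel interface does. With key and
    seq both None the header is the plain 4-byte form the lab's show output
    reports (key, sequencing and checksum all disabled)."""
    flags, options = 0, b""
    if key is not None:
        flags |= FLAG_KEY
        options += struct.pack("!I", key)
    if seq is not None:
        flags |= FLAG_SEQ
        options += struct.pack("!I", seq)
    gre = struct.pack("!HH", flags, GRE_PROTO_IPV4) + options
    return build_ipv4(outer_src, outer_dst, IP_PROTO_GRE, gre + inner_packet)


def gre_decapsulate(packet):
    """Parse outer IPv4 + GRE and return the passenger packet and metadata.
    No secret is needed: anyone holding the bytes on the underlay can do
    this, which is why GRE alone offers no confidentiality."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer packet is not GRE (IP protocol 47)")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    off = ihl + 4
    info = {"outer_src": str(ipaddress.IPv4Address(packet[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
            "proto": proto, "key": None, "seq": None}
    if flags & FLAG_CHECKSUM:
        off += 4                      # checksum + reserved1 field
    if flags & FLAG_KEY:
        info["key"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & FLAG_SEQ:
        info["seq"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    inner = packet[off:]
    info["inner_src"] = str(ipaddress.IPv4Address(inner[12:16]))
    info["inner_dst"] = str(ipaddress.IPv4Address(inner[16:20]))
    info["inner_payload"] = inner[(inner[0] & 0x0F) * 4:]
    return info


def demo():
    """Constructed sample: an HQ LAN host sends to a Branch LAN host across
    the lab's tunnel endpoints 10.1.1.1 -> 10.2.2.1, and an observer on the
    underlay decapsulates the packet."""
    payload = b"CONSTRUCTED SAMPLE APPLICATION DATA"
    inner = build_ipv4("172.16.1.10", "172.16.3.10", 253, payload)  # 253 = experimental proto
    wire = gre_encapsulate("10.1.1.1", "10.2.2.1", inner)
    return gre_decapsulate(wire)


if __name__ == "__main__":
    seen = demo()
    print("underlay observer recovers:", seen["inner_src"], "->",
          seen["inner_dst"], seen["inner_payload"])
    print("transport MTU, no options:", tunnel_transport_mtu())
    print("transport MTU with key+seq:", tunnel_transport_mtu(key=True, seq=True))
```

The MTU figure matches the router: 1500 minus 20 (outer IPv4) minus 4 (GRE) gives the 1476 bytes in the show output, and enabling a tunnel key drops it to 1472. The decapsulation path is what makes the introduction's warning concrete: the inner addresses and payload come out of a packet capture with no key material at all, so confidentiality has to come from IPsec on top of GRE.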

Configure OSPFv2 for reachability between the two sites.

In this step, we will configure OSPFv2 to provide connectivity between the HQ and Branch sites. We will advertise the two LAN networks (172.16.1.0/24 and 172.16.3.0/24) and the tunnel network in our OSPFv2 configuration.

Configure OSPFv2

On the HQ router, configure OSPFv2 as below:

HQ-RTR(config)#router ospf 1
HQ-RTR(config-router)#router-id 1.1.1.1
HQ-RTR(config-router)#network 10.10.10.0 0.0.0.3 area 0
HQ-RTR(config-router)#network 172.16.1.0 0.0.0.255 area 0
HQ-RTR(config-router)#exit
HQ-RTR(config)#

On the Branch router, configure OSPFv2 as below:

Branch(config)#router ospf 1
Branch(config-router)#router-id 2.2.2.2
Branch(config-router)#network 10.10.10.0 0.0.0.3 area 0
*Jan 18 13:28:49.287: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Tunnel0 from LOADING to FULL, Loading Done
Branch(config-router)#network 172.16.3.0 0.0.0.255 area 0
Branch(config-router)#exit
Branch(config)#
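
The network statements above use wildcard masks to decide which interfaces run OSPF, and the exact masks matter: the lab enables OSPF only on the tunnel and the LAN, not on the underlay-facing GigabitEthernet0/0, so no OSPF hellos or LSAs leave the site towards the underlay. The Python below is an added example, not part of the original lab, that models that selection. The HQ LAN interface name GigabitEthernet0/1 is an assumption (the lab does not name it), and the rule that the most specific matching statement decides the area is a simplified model of IOS behaviour.

```python
# Added example (not from the original lab): models how an IOS
# "network <address> <wildcard> area <n>" statement selects interfaces for
# OSPF, to check that only the tunnel and LAN run OSPF and the underlay
# interface does not. The LAN interface name below is an assumption.
import ipaddress


def _as_int(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_matches(ip, network, wildcard):
    """A 0 bit in the wildcard means 'must match'; a 1 bit means 'don't
    care'. The interface matches when all must-match bits agree."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(ip) & care) == (_as_int(network) & care)


def ospf_enabled_interfaces(interfaces, network_statements):
    """interfaces: {name: primary IPv4 address}; network_statements: list of
    (network, wildcard, area). Returns {name: area} for every interface that
    some statement covers. Simplifying assumption: the most specific
    statement (fewest don't-care bits) decides the area."""
    ordered = sorted(network_statements,
                     key=lambda s: bin(_as_int(s[1])).count("1"))
    enabled = {}
    for name, ip in interfaces.items():
        for network, wildcard, area in ordered:
            if wildcard_matches(ip, network, wildcard):
                enabled[name] = area
                break
    return enabled


def underlay_exposed(interfaces, statements, wan_names=("GigabitEthernet0/0",)):
    """True if an underlay/WAN interface would send OSPF hellos."""
    enabled = ospf_enabled_interfaces(interfaces, statements)
    return any(name in enabled for name in wan_names)


# Constructed model of the HQ router from the lab topology.
HQ_INTERFACES = {
    "GigabitEthernet0/0": "10.1.1.1",     # underlay/WAN side, tunnel source
    "Tunnel0": "10.10.10.1",              # GRE overlay
    "GigabitEthernet0/1": "172.16.1.1",   # HQ LAN (interface name assumed)
}

# The lab's two statements versus an over-broad catch-all that would also
# enable OSPF on the underlay interface.
LAB_STATEMENTS = [("10.10.10.0", "0.0.0.3", 0), ("172.16.1.0", "0.0.0.255", 0)]
CATCH_ALL = [("0.0.0.0", "255.255.255.255", 0)]


if __name__ == "__main__":
    print("lab statements enable:", ospf_enabled_interfaces(HQ_INTERFACES, LAB_STATEMENTS))
    print("lab statements expose underlay:", underlay_exposed(HQ_INTERFACES, LAB_STATEMENTS))
    print("catch-all expose underlay:", underlay_exposed(HQ_INTERFACES, CATCH_ALL))
```

Running the check with the lab's statements returns only Tunnel0 and the LAN interface; the catch-all variant also pulls in GigabitEthernet0/0, which would advertise the internal prefixes and accept neighbours on the underlay. If a LAN interface has no OSPF neighbours, IOS's passive-interface option keeps it advertised without sending hellos on it.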

The adjacency with HQ was already established during the configuration above, as the following log message shows:

*Jan 18 13:28:49.287: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Tunnel0 from LOADING to FULL, Loading Done

Verify your OSPFv2 configuration.

HQ-RTR#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -        00:00:39    10.10.10.2      Tunnel0
HQ-RTR#
HQ-RTR#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.1.1.2 to network 0.0.0.0

      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
O        172.16.3.0/24 [110/2] via 10.10.10.2, 00:14:06, Tunnel0
HQ-RTR#

Verify GRE VPN Tunnel over IPv4 network.

We can verify the GRE VPN tunnel by pinging and tracing the route from the HQ-PC to the Branch-PC. In the traceroute to the Branch-PC, you can see that the traffic passes through the Tunnel0 interface (10.10.10.2).

The HQ-PC can now ping the Branch-PC through the Tunnel0 interface.

bl4ckwidow

Co-Founder of Labing Overload. I am a Web Developer/Network Engineer turned CyberSecurity Engineer. FOSS enthusiast. Cisco Technologies enthusiast. Network Penetration Tester.
