Set Up a Secure GRE Tunnel over IPSEC on a Router
Introduction
This document explains how to configure a secure GRE Tunnel (GRE over
IPSEC) on your router.
Generic routing encapsulation (GRE) is a tunneling protocol developed
by Cisco that can encapsulate a wide variety of protocol packet types inside IP
tunnels, to create a virtual point-to-point link to Cisco routers at remote
points over an IP internetwork. Normal IP Security (IPSec) configurations are
unable to transfer routing protocols, such as Enhanced Interior Gateway Routing
Protocol (EIGRP) and Open Shortest Path First (OSPF), or non-IP traffic, such
as Internetwork Packet Exchange (IPX) and AppleTalk. This document illustrates
how to route between different networks that use a routing protocol and non-IP
traffic with IPSec. This example uses generic routing encapsulation (GRE) in
order to accomplish routing between the different networks.
Note: This document uses examples from SDM version 2.3.4. Other versions of SDM display different output.
Requirements
To perform the steps described in this document, you need to have these
items:
Configure GRE Tunnel (GRE over IPSEC) on a Router
Follow these steps to set up a GRE Tunnel (GRE over IPSEC) on your router:
1. Open a web browser and type http://router-IP-address in the Address field. Use the IP address that you entered in field L6A of the LAN Addressing Worksheet. Press Enter to launch SDM. For more information about how to launch SDM, refer to Configure your Router with Security Device Manager.
2. Click Configure.
3. Click VPN.
4. On the VPN screen, click Site-to-Site VPN.
5. On the Create Site to Site VPN screen, choose the Create a Secure GRE tunnel (GRE over IPSEC) radio button and click the Launch the Selected task button.
6. On the Create a Secure GRE tunnel (GRE over IPSEC) screen, click Next.
7. On the GRE Tunnel Information window, enter these values:
   - For Tunnel Source, select the interface name or the IP address of the interface that the tunnel uses. The interface is the Internet interface that you entered in field B37 of the Router Worksheet. The IP address of the interface must be reachable from the other end of the tunnel; therefore it must be a public, routable IP address. The IP address is the one that you entered in field B46 of the Internet Worksheet.
   - For Tunnel Destination, enter the Peer IP Address of the Tunnel Destination.
   - For IP address of the GRE tunnel, enter the IP address and the subnet mask of the tunnel. The IP addresses at both ends of the tunnel must be in the same subnet.
   Note: The tunnel is given a separate IP address so that it can be a private address, if necessary.
8. Click Next.
9. On the Backup GRE Tunnel Information screen, click Next.
10. On the VPN Authentication Information screen, for Authentication, choose Pre-shared Keys. In the pre-shared key field, enter the VPN group password that you entered in field R22 of the Security Appliance Worksheet, and reenter it for confirmation.
11. On the IKE Proposals screen, click Next to accept the SDM default IKE proposal settings.
12. On the Transform Set screen, click Next to accept the SDM default Transform Set settings.
13. On the Select Routing Protocol screen, enter these values:
   - If you use EIGRP as the routing protocol in your network, check the EIGRP box to use the Enhanced Interior Gateway Routing Protocol to route traffic. Click Next and specify the EIGRP AS number and the networks that participate in the GRE-over-IPSec VPN in the Routing Information window. For more details on how to configure EIGRP, refer to Configure Enhanced Interior Gateway Routing Protocol (EIGRP) with Security Device Manager. Proceed to step 14.
   - If you use OSPF as the routing protocol in your network, check the OSPF box to use the Open Shortest Path First protocol to route traffic. Click Next to specify the OSPF Process ID and Area ID along with the networks that participate in the GRE-over-IPSec VPN in the Routing Information window. For more details on how to configure OSPF, refer to Configure Open Shortest Path First (OSPF) with Security Device Manager. Proceed to step 14.
   - If you use RIP as the routing protocol in your network, check the RIP box to use the Routing Information Protocol to route traffic. Click Next to specify which networks participate in the GRE-over-IPSec VPN in the Routing Information window. For more details on how to configure RIP, refer to Configure Routing Internet Protocol (RIP) with Security Device Manager. Proceed to step 14.
   - If you use Static Routing in your network, check the Static Routing box and click Next.
   Note: Configuring routing enables you to specify the networks that participate in the GRE-over-IPSec VPN, and changes that you make in the Routing window affect the routing of VPN traffic. For further assistance contact the SMB Technical Assistance Center (SMB TAC).
14. On the Static Routing Information screen, choose the default option Do split tunneling and enter the IP address of the network at the other end of the tunnel. You must ensure that the IP address entered in this field is reachable before you configure this option. If it is not reachable, no tunnel is established.
   Note: Split tunneling allows traffic that is destined for the network specified in the IP Address and Network Mask fields to be encrypted and routed through the tunnel interface. All other traffic is not encrypted. When this option is selected, SDM creates a static route to the network with the IP address and network mask.
15. On the Summary of the Configuration screen, click Finish.
16. On the Commands Delivery Status window, click OK.
17. Click the Save icon to save the new configuration.
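The wizard above delivers IOS CLI commands to the router. The following is an added example, not the page's own or SDM's generated output, showing a minimal GRE-over-IPsec configuration for one end using tunnel protection with an IPsec profile (the wizard's generated commands may differ). All addresses are constructed (local WAN 203.0.113.1, peer 203.0.113.2, tunnel subnet 10.10.10.0/30, local LAN 192.168.1.0/24), EIGRP AS 100 is assumed, and the AES/group 14 settings assume an IOS release that supports them in place of the wizard defaults accepted in steps 11 and 12.

```cisco
! Added example (not SDM output): minimal GRE-over-IPsec using tunnel protection.
! Constructed values: local WAN 203.0.113.1, peer 203.0.113.2,
! tunnel subnet 10.10.10.0/30, local LAN 192.168.1.0/24, EIGRP AS 100 (assumed).
!
! Phase 1 (IKE) policy: assumes an IOS release that supports AES and DH group 14.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
! Pre-shared key from step 10, bound to the peer's public address only.
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.2
!
! Phase 2: transport mode is sufficient because GRE already adds the outer IP header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-PROFILE
 set transform-set GRE-TS
!
! Internet interface from step 7 (worksheet field B37); must be publicly reachable.
interface GigabitEthernet0/0
 description Internet interface
 ip address 203.0.113.1 255.255.255.248
!
! Tunnel source/destination from step 7; the tunnel itself uses a private /30.
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROFILE
!
! Routing over the tunnel (step 13, EIGRP option): advertise the tunnel subnet
! and the LAN so the peer learns routes through the encrypted path.
router eigrp 100
 network 10.10.10.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
 no auto-summary
!
! Verification after step 17:
!   show crypto isakmp sa      - IKE SA with 203.0.113.2 should be in state QM_IDLE
!   show crypto ipsec sa       - pkts encaps/decaps counters should increase
!   show ip eigrp neighbors    - the peer should appear via Tunnel0
```

The peer router needs the mirror-image configuration (swapped addresses, tunnel IP 10.10.10.2). With tunnel protection there is no crypto ACL to maintain: everything routed into Tunnel0 is encrypted, which is what the split-tunneling static route from step 14 steers there.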
Next Step
You have completed this procedure.
To make further changes to the router, refer to the Router Support Page.
To configure other devices in your network, refer to the Configuration Overview Page.
Troubleshoot the Procedure
This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.
Related Information