GRE Tunneling ; Site to Site VPN



GRE: Generic Routing Encapsulation protocol.
This is a tunneling protocol that encapsulates many different network layer protocols between two endpoints. Packets are sent through a virtual tunnel over a point-to-point link.
GRE tunnels do not encrypt traffic in any way; instead, traffic is simply encapsulated in an additional GRE header and IP header. This is therefore considered an insecure VPN tunneling method.
If a secure tunnel is required, IPSec or GRE over IPSec should be used to provide data confidentiality.

Next we will consider the configuration of plain GRE (insecure, but low overhead) and then look at GRE over IPSec VPN (secure) later.

Setup:


GRE Tunnel Configuration
Create the tunnel interface on the VPN router.
A GRE tunnel uses a virtual tunnel interface, configured with an IP address, where packets are encapsulated/decapsulated as they enter and exit the GRE tunnel.
The IP addresses of both routers' tunnel interfaces must be in the same subnet.
Hq(config)#interface Tunnel0
Hq(config-if)#ip address 172.16.1.1 255.255.255.0

It is common practice to also reduce the maximum transmission unit (MTU) to 1400 bytes to avoid fragmentation problems over the transport networks. Remember that GRE adds an additional 20-byte IP header as well as a 4-byte GRE header to each packet in the tunnel.
Because most devices have an MTU of 1500 bytes, reducing the GRE tunnel MTU accounts for the added overhead and helps prevent unnecessary packet fragmentation.

MTU and MSS considerations:
  • MSS - TCP Maximum Segment Size. Defines the maximum amount of data that a host is willing to accept in a single TCP/IP datagram. The sending host is required to limit the size of data in a single TCP segment to a value less than or equal to the MSS reported by the receiving host.
  • MTU - Maximum Transmission Unit. If an interface with an MTU of 1500 receives a packet of 4800 bytes, this packet has to be fragmented into 4 packets as below:
1st Packet = 1500 bytes
2nd Packet = 1500 bytes
3rd Packet = 1500 bytes
4th Packet = 300 bytes
Physical Interface MTU and MSS value calculation:
WAN Interface MTU = 1500 (default MTU size on most device interfaces)
WAN Interface MSS = MTU (1500) – IP (20) – TCP (20) = 1460 (40 bytes TCP+IP header)
GRE Tunnel MTU and MSS value calculation:
GRE = 24 bytes header
GRE MTU = MTU (1500) – IP (20) – GRE (24) = 1456
GRE MSS = GRE MTU (1456) – IP (20) – TCP (20) = 1416
Note that an incorrectly configured MTU results in higher fragmentation, leading to performance degradation.
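To make the overhead figures above concrete, here is a small added Python example (not from the original post) that builds the 20-byte outer IP header and 4-byte GRE header the tunnel interface prepends, strips them again on the receiving side, and checks whether an inner packet of a given size crosses a 1500-byte WAN link without fragmentation. The tunnel endpoint addresses are the ones used in the configuration below; the inner packet, its LAN addresses and its payload are constructed for the example, and the payload remains readable in the encapsulated packet, which is the reason GRE alone offers no confidentiality.

```python
import socket
import struct
IP_PROTO_GRE = 47        # protocol number in the outer IPv4 header
GRE_PROTO_IPV4 = 0x0800  # protocol type in the GRE header: IPv4 passenger packet
OUTER_IP_HDR = 20        # IPv4 header without options
GRE_HDR = 4              # basic GRE header: flags/version and protocol type

def gre_overhead():
    return OUTER_IP_HDR + GRE_HDR  # bytes GRE adds to every tunneled packet

def fits_link(inner_len, link_mtu=1500):
    # True if an inner packet of inner_len bytes crosses the WAN link unfragmented
    return inner_len + gre_overhead() <= link_mtu

def _checksum(data):
    # Ones'-complement checksum used by the IPv4 header
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, payload_len, proto, ttl=64):
    # Minimal 20-byte IPv4 header with a valid checksum
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, OUTER_IP_HDR + payload_len, 0, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    # What the tunnel interface does on egress: prepend GRE, then the outer IP header
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)  # no C/K/S flags, version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_HDR + len(inner), IP_PROTO_GRE)
    return outer + gre + inner

def gre_decapsulate(packet):
    # Ingress: strip outer IP + GRE, rejecting anything this minimal parser can't handle
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + GRE_HDR])
    if flags & 0xB000:  # C, K or S bit set: optional GRE fields not handled here
        raise ValueError("optional GRE fields present")
    if proto != GRE_PROTO_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % proto)
    return packet[ihl + GRE_HDR:]

# Constructed sample: a branch-LAN packet carrying a cleartext payload (proto 17 = UDP)
INNER = ipv4_header("10.10.10.5", "192.168.1.7", 16, 17) + b"cleartext record"
TUNNELED = gre_encapsulate(INNER, "197.203.40.2", "41.72.112.3")
```

A 1400-byte inner packet becomes 1424 bytes on the wire and fits a 1500-byte link, while a 1500-byte inner packet would not; that is the whole reason for the ip mtu 1400 setting in the tunnel configuration.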



Tunnel Setup:
Hq(config)#interface tunnel0
Hq(config-if)#ip address 172.16.1.1 255.255.255.0
Hq(config-if)#ip mtu 1400
Define the tunnel source and destination under each tunnel interface.
The router uses its local interface that connects to the internet as its tunnel source. The tunnel destination corresponds to the remote router’s publicly routable IP address.

Hq(config)#interface tunnel0
Hq(config-if)#ip address 172.16.1.1 255.255.255.0
Hq(config-if)#ip mtu 1400
Hq(config-if)#tunnel source giga0
Hq(config-if)#tunnel destination 41.72.112.3

Note that the tunnel source and destination can both be IP addresses. For example, "tunnel source 197.203.40.2" could have been used instead of "tunnel source giga0".
Testing Connectivity
The configuration above is from the perspective of the Hq router. The same configuration template needs to be applied to the office2 router for the tunnel to begin passing traffic (with the source and destination IPs swapped, of course).
Now that both endpoint routers have been configured, the remote tunnel address should be reachable via ping.

Hq#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Add Routes to Remote Networks
This confirms that we can pass traffic inside the GRE tunnel, but hosts on the branch LAN networks will not be able to send packets to each other until routes are added. We can use a simple static route for this purpose.

Hq(config)# ip route 192.168.1.0 255.255.255.0 172.16.1.2 

Office2(config)# ip route 10.10.10.0 255.255.255.0 172.16.1.1

Now when the Hq router receives a packet destined for the office2 LAN (10.10.10.0/24), it knows its next hop is the remote tunnel endpoint, so it forwards the packet through the GRE tunnel.
That's it for the GRE tunnel configuration.

End.
