GRE over IPSec VPN
A GRE over IPSec VPN is a legacy solution that uses a crypto map to encrypt GRE traffic between two peer routers. A GRE tunnel is needed to carry unicast and multicast traffic between the two peers, which makes it useful for establishing a routing adjacency between sites, something a crypto map VPN cannot achieve natively. GRE transmits traffic in clear text, which is why IPSec is used to ensure the GRE traffic is encrypted.
Since IOS-XE 16.6, static and dynamic crypto maps are End of Life, and Cisco recommends using a route-based VPN solution such as FlexVPN or DMVPN instead.
This post covers the basic configuration of a GRE over IPSec VPN tunnel on Cisco IOS-XE routers.
Configuration
Configure the IKEv2 proposal and reference the proposal in the IKEv2 policy.
crypto ikev2 proposal IKEV2-PROP
 encryption aes-gcm-128
 prf sha384
 group 19
!
crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROP
Configure the IPSec Transform Set
crypto ipsec transform-set TSET esp-aes esp-sha256-hmac
Configure the IKEv2 profile. The remote identity can be matched on the peer IP address, FQDN or email address, and authentication can be either pre-shared key or certificates.
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 2.2.2.1 255.255.255.255
 identity local address 1.1.1.1
 authentication remote pre-share key Cisco1234
 authentication local pre-share key Cisco1234
Configure an Access Control List that matches GRE traffic sourced from the local public IP address to the remote peer public IP address.
ip access-list extended VPN-ACL
 permit gre host 1.1.1.1 host 2.2.2.1
Configure the Crypto Map that defines the peer IP address and references the transform set, IKEv2 profile and crypto ACL.
crypto map CMAP 1 ipsec-isakmp
 set peer 2.2.2.1
 set transform-set TSET
 set ikev2-profile IKEV2-PROFILE
 match address VPN-ACL
Apply the crypto map to the physical interface.
interface GigabitEthernet0/1
 crypto map CMAP
Configure the tunnel interface: assign it a unique tunnel IP address and set the tunnel destination to the peer's public IP address. Defining a keepalive ensures traffic is sent automatically to bring up the GRE tunnel.
interface tunnel 1
 ip address 192.168.250.1 255.255.255.252
 tunnel source gigabitethernet0/1
 tunnel destination 2.2.2.1
 keepalive 10 3
Configure EIGRP to establish a routing adjacency to the tunnel interface network on the peer router.
router eigrp 1
 network 192.168.250.0
Repeat the configuration on the peer router, mirroring the crypto ACL, the IKEv2 local/remote identities and the tunnel destination.
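Mirroring the configuration by hand is where most GRE over IPSec tunnels go wrong: one swapped address in the crypto ACL, the crypto map peer, the IKEv2 identity or the tunnel destination and IKEv2 never reaches READY or the GRE traffic bypasses the crypto map. The following Python script is an added example, not code from the original post: it renders both peers' configurations from one parameter set using the names from the post (IKEV2-PROP, IKEV2-PROFILE, VPN-ACL, CMAP, Tunnel1) and cross-checks that the two sides actually mirror each other. The RTR-2 values and the PSK string are constructed placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Peer:
    hostname: str
    public_ip: str    # crypto endpoint, IKEv2 identity and GRE tunnel source
    outside_if: str   # interface that carries the crypto map
    tunnel_ip: str    # address on the /30 GRE tunnel network


def render_peer(local: Peer, remote: Peer, psk: str, eigrp_as: int = 1) -> List[str]:
    """Render the IOS-XE configuration for `local`, pointing at `remote`.

    Every address that must be mirrored between the two routers is derived
    from the Peer objects, so the same function produces both sides.
    """
    tunnel_net = ipaddress.ip_interface(f"{local.tunnel_ip}/30").network.network_address
    return [
        "crypto ikev2 proposal IKEV2-PROP",
        " encryption aes-gcm-128",
        " prf sha384",
        " group 19",
        "crypto ikev2 policy IKEV2-POLICY",
        " proposal IKEV2-PROP",
        "crypto ipsec transform-set TSET esp-aes esp-sha256-hmac",
        "crypto ikev2 profile IKEV2-PROFILE",
        f" match identity remote address {remote.public_ip} 255.255.255.255",
        f" identity local address {local.public_ip}",
        f" authentication remote pre-share key {psk}",
        f" authentication local pre-share key {psk}",
        "ip access-list extended VPN-ACL",
        f" permit gre host {local.public_ip} host {remote.public_ip}",
        "crypto map CMAP 1 ipsec-isakmp",
        f" set peer {remote.public_ip}",
        " set transform-set TSET",
        " set ikev2-profile IKEV2-PROFILE",
        " match address VPN-ACL",
        f"interface {local.outside_if}",
        " crypto map CMAP",
        "interface Tunnel1",
        f" ip address {local.tunnel_ip} 255.255.255.252",
        f" tunnel source {local.outside_if}",
        f" tunnel destination {remote.public_ip}",
        " keepalive 10 3",
        f"router eigrp {eigrp_as}",
        f" network {tunnel_net}",
    ]


def _field(cfg: List[str], pattern: str):
    """Return the capture group(s) of the first config line matching `pattern`."""
    for line in cfg:
        m = re.match(pattern, line.strip())
        if m:
            return m.groups() if len(m.groups()) > 1 else m.group(1)
    return None


def mirror_errors(cfg_a: List[str], cfg_b: List[str]) -> List[str]:
    """Cross-check two rendered configs; an empty list means they mirror correctly."""
    errors = []
    for mine, theirs, name in ((cfg_a, cfg_b, "A"), (cfg_b, cfg_a, "B")):
        me = _field(mine, r"identity local address (\S+)")
        other = _field(theirs, r"identity local address (\S+)")
        acl = _field(mine, r"permit gre host (\S+) host (\S+)")
        if acl != (me, other):
            errors.append(f"{name}: crypto ACL {acl} is not {me}->{other}")
        if _field(mine, r"set peer (\S+)") != other:
            errors.append(f"{name}: crypto map peer is not {other}")
        if _field(mine, r"tunnel destination (\S+)") != other:
            errors.append(f"{name}: tunnel destination is not {other}")
        if _field(mine, r"match identity remote address (\S+) ") != other:
            errors.append(f"{name}: IKEv2 profile does not match {other}")
    if _field(cfg_a, r"authentication local pre-share key (\S+)") != \
            _field(cfg_b, r"authentication remote pre-share key (\S+)"):
        errors.append("pre-shared keys differ")
    return errors


# Constructed peers: RTR-1 uses the post's addresses, RTR-2 is the assumed far side.
RTR1 = Peer("RTR-1", "1.1.1.1", "GigabitEthernet0/1", "192.168.250.1")
RTR2 = Peer("RTR-2", "2.2.2.1", "GigabitEthernet0/1", "192.168.250.2")

if __name__ == "__main__":
    psk = "PLACEHOLDER-PSK"  # placeholder, replace with a generated secret
    side_a = render_peer(RTR1, RTR2, psk)
    side_b = render_peer(RTR2, RTR1, psk)
    print("\n".join(side_b))
    print("mirror errors:", mirror_errors(side_a, side_b))
```

Running the script prints the RTR-2 side and reports no mirror errors; editing one address on either side (for example the crypto map peer) makes `mirror_errors` name the offending statement, which is the check worth running before pasting the configuration onto the second router.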
Testing
If configured correctly the tunnel should automatically establish.
Run the command show crypto ikev2 sa to confirm the IKEv2 SA has been established; the status should be READY.
RTR-1#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         1.1.1.1/500           2.2.2.1/500           none/none            READY
      Encr: AES-GCM, keysize: 128, PRF: SHA384, Hash: None, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/37 sec

 IPv6 Crypto IKEv2  SA
Run the command show crypto ipsec sa to confirm the IPSec SA has been established. From the output below we can confirm the local/remote ident is between the two VPN peer public IP addresses; the 47 refers to IP protocol 47, which is GRE.
RTR-1#show crypto ipsec sa

interface: GigabitEthernet0/1
    Crypto map tag: CMAP, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (2.2.2.1/255.255.255.255/47/0)
   current_peer 2.2.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
    #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0xE89A1A70(3902413424)
     PFS (Y/N): N, DH group: none
Running the command show interfaces tunnel 1 confirms whether the tunnel line protocol is up (or down) and that the tunnel protocol is GRE.
RTR-1#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.250.1/30
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 1.1.1.1 (GigabitEthernet0/1), destination 2.2.2.1
   Tunnel Subblocks:
      src-track:
         Tunnel1 source tracking subblock associated with GigabitEthernet0/1
          Set of tunnels with source GigabitEthernet0/1, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
Run show ip eigrp neighbors to confirm the EIGRP adjacency was established.
RTR-1#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   192.168.250.2           Tu1                      10 00:21:43   23  1470  0  4
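The three show commands above are the checks an operator runs by eye; turned into code they become a tunnel health check that can run from a monitoring job. The following Python script is an added example, not part of the original post: it parses the IKEv2 SA table, the IPSec SA identities and counters, and the EIGRP neighbor table, and reports anything that does not match the expected state (IKEv2 READY, an IPSec SA protecting protocol 47 between the two peer addresses with traffic in both directions, and an EIGRP neighbor over the tunnel). The sample outputs are the post's own RTR-1 outputs, trimmed and embedded so the script runs offline; the peer addresses passed to `tunnel_problems` are assumptions taken from the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample outputs from the post (RTR-1), embedded here so the checks run offline.
IKEV2_SA = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         1.1.1.1/500           2.2.2.1/500           none/none            READY
      Encr: AES-GCM, keysize: 128, PRF: SHA384, Hash: None, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/37 sec

 IPv6 Crypto IKEv2  SA
"""

IPSEC_SA = """\
interface: GigabitEthernet0/1
    Crypto map tag: CMAP, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (2.2.2.1/255.255.255.255/47/0)
   current_peer 2.2.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
    #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
    #send errors 0, #recv errors 0
"""

EIGRP_NEIGHBORS = """\
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   192.168.250.2           Tu1                      10 00:21:43   23  1470  0  4
"""

GRE_PROTOCOL = 47  # IP protocol number shown in the IPSec SA idents


def ikev2_status(output: str) -> Dict[Tuple[str, str], str]:
    """Map (local address, remote address) -> status for each IKEv2 SA row."""
    sas = {}
    row = re.compile(r"^\d+\s+(\S+)/\d+\s+(\S+)/\d+\s+\S+\s+(\S+)\s*$", re.M)
    for m in row.finditer(output):
        sas[(m.group(1), m.group(2))] = m.group(3)
    return sas


def ipsec_sa(output: str) -> Optional[dict]:
    """Extract ident addresses, protected protocol and encaps/decaps counters."""
    ident = r"ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/(\d+)/(\d+)\)"
    local = re.search(r"local\s+" + ident, output)
    remote = re.search(r"remote\s+" + ident, output)
    encaps = re.search(r"#pkts encaps: (\d+)", output)
    decaps = re.search(r"#pkts decaps: (\d+)", output)
    if not (local and remote and encaps and decaps):
        return None
    return {
        "local": local.group(1),
        "remote": remote.group(1),
        "proto": int(local.group(3)),
        "encaps": int(encaps.group(1)),
        "decaps": int(decaps.group(1)),
    }


def eigrp_neighbors(output: str) -> List[Tuple[str, str]]:
    """Return (neighbor address, interface) pairs from the neighbor table."""
    return re.findall(r"^\d+\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)", output, re.M)


def tunnel_problems(ikev2_out: str, ipsec_out: str, eigrp_out: str,
                    local_ip: str, peer_ip: str) -> List[str]:
    """Return a list of findings; an empty list means the tunnel looks healthy."""
    problems = []
    status = ikev2_status(ikev2_out).get((local_ip, peer_ip))
    if status != "READY":
        problems.append(f"IKEv2 SA to {peer_ip}: {status or 'missing'}")
    sa = ipsec_sa(ipsec_out)
    if sa is None:
        problems.append("no IPsec SA found")
    else:
        if (sa["local"], sa["remote"], sa["proto"]) != (local_ip, peer_ip, GRE_PROTOCOL):
            problems.append("IPsec SA does not protect GRE between the two peer addresses")
        if sa["encaps"] == 0 or sa["decaps"] == 0:
            problems.append("IPsec SA is idle in at least one direction")
    if not any(intf.startswith("Tu") for _, intf in eigrp_neighbors(eigrp_out)):
        problems.append("no EIGRP neighbor over a tunnel interface")
    return problems


if __name__ == "__main__":
    findings = tunnel_problems(IKEV2_SA, IPSEC_SA, EIGRP_NEIGHBORS, "1.1.1.1", "2.2.2.1")
    print("tunnel OK" if not findings else "\n".join(findings))
```

The idle-direction check is the one that catches the common half-working state: IKEv2 is READY and the SA exists, but decaps stays at zero because the far side's crypto ACL or crypto map peer is wrong, so nothing ever comes back encrypted.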