
GRE over IPSec

Notes:

- GRE carries a wide variety of network-layer protocols inside point-to-point links.

- GRE encapsulates packets but does not encrypt them. Using IPsec with GRE
encrypts the data.

- Unlike an L2L VPN, GRE allows multicast and broadcast packets to traverse
the tunnel.

- When routing protocols (EIGRP, OSPF) are necessary, GRE is your best bet.

- Protect the GRE tunnel with IPsec in transport mode to reduce the extensive
overhead.

UNSECURED GRE

Create the tunnel on R1

interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 1.1.1.10
 tunnel destination 2.2.2.10

Reduce the MTU to account for the extra overhead, so that unnecessary packet
fragmentation is kept to a minimum.

Create the tunnel on R2

interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 2.2.2.10
 tunnel destination 1.1.1.10

- For the local networks to be able to communicate with each other, configure a
static route on each endpoint.

R1(config)# ip route 192.168.2.0 255.255.255.0 172.16.0.2
R2(config)# ip route 192.168.1.0 255.255.255.0 172.16.0.1

SECURED GRE

R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400

R2(config)# crypto isakmp key C0mpn3t! address 1.1.1.10

R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(cfg-crypto-trans)# mode transport

R2(config)# crypto ipsec profile protect-gre
R2(ipsec-profile)# set security-association lifetime seconds 86400
R2(ipsec-profile)# set transform-set TS

R2(config)# interface Tunnel 0
R2(config-if)# tunnel protection ipsec profile protect-gre
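
An added example, not part of the original notes: a small Python audit that reads an IOS configuration and reports legacy IKE/IPsec algorithms as well as GRE tunnel interfaces that have no tunnel protection line. The function name audit, the rule list and the choice of what counts as legacy (DES/3DES, MD5, DH groups 1, 2 and 5) are assumptions of this example; the sample input is the R2 configuration above with the key replaced by a placeholder.

```python
import re
# Constructed input: the R2 commands from the SECURED GRE section with the
# prompts removed and the pre-shared key replaced by a placeholder.
R2_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key <psk-placeholder> address 1.1.1.10
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set TS
interface Tunnel0
 tunnel protection ipsec profile protect-gre
"""

# Assumption of this example: DES/3DES, MD5 and DH groups 1, 2 and 5 are the
# legacy choices to flag (Cisco's own guidance no longer recommends them).
RULES = [
    (r"^\s*encr(?:yption)?\s+(3des|des)\b", "IKE encryption"),
    (r"^\s*hash\s+(md5)\b", "IKE hash"),
    (r"^\s*group\s+(1|2|5)\b", "IKE DH group"),
    (r"^crypto ipsec transform-set\s.*\b(esp-3des|esp-des)\b", "ESP cipher"),
    (r"^crypto ipsec transform-set\s.*\b(esp-md5-hmac)\b", "ESP integrity"),
]

def audit(config):
    """Return (line_no, finding) pairs for legacy crypto and unprotected tunnels."""
    findings, tunnel = [], None  # tunnel = (line_no, name) still lacking protection
    for no, line in enumerate(config.splitlines() + ["!"], 1):  # "!" closes last stanza
        for pattern, label in RULES:
            m = re.search(pattern, line, re.IGNORECASE)
            if m:
                findings.append((no, f"{label} {m.group(1).lower()}"))
        if not line.startswith(" "):  # a top-level command ends the current stanza
            if tunnel:
                findings.append((tunnel[0], f"{tunnel[1]} is plain GRE (no IPsec profile)"))
            m = re.match(r"interface\s+(tunnel\s*\d+)", line, re.IGNORECASE)
            tunnel = (no, m.group(1).replace(" ", "")) if m else None
        elif tunnel and re.match(r"\s+tunnel protection ipsec profile\s+\S+", line, re.I):
            tunnel = None
    return findings

if __name__ == "__main__":
    print("\n".join(f"line {n}: {f}" for n, f in audit(R2_CONFIG)))
```

Run against the UNSECURED GRE interface stanza, the same function reports the tunnel as plain GRE; a policy using AES, SHA-256 and DH group 14 produces no findings.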
