How to Configure GRE over an IPSec Tunnel on Routers?


To configure Generic Routing Encapsulation (GRE) over an IPSec tunnel between two routers, follow these steps:

Configure GRE over an IPSec Tunnel on Routers

1. Create a tunnel interface (the tunnel interface IP addresses on both routers must be in the same subnet), and configure the tunnel source and tunnel destination under the tunnel interface, as shown:

interface Tunnel0
ip address 192.168.16.1 255.255.255.0
tunnel source (local outside interface IP)
tunnel destination (Remote outside interface IP)

2. Configure an ISAKMP policy, as shown:

crypto isakmp policy 1
authentication pre-share

3. Configure the pre-shared key for the remote peer, as shown:

crypto isakmp key cisco123 address (Remote outside interface IP with 32-bit subnet mask)

4. Configure the transform set, as shown:

crypto ipsec transform-set strong esp-3des esp-md5-hmac

5. Create a crypto ACL that permits GRE traffic from the outside interface of the local router to the outside interface of the remote router, as shown:

access-list 120 permit gre host (local outside interface ip) host (Remote outside interface IP)

6. Configure a crypto map, bind the transform set and the crypto Access Control List (ACL) to it, and define the peer IP address under the crypto map, as shown:

crypto map vpn 10 ipsec-isakmp
set peer (Remote outside interface IP)
set transform-set strong
match address 120

7. Bind the crypto map to the physical (outside) interface if you are running Cisco IOS Software Release 12.2.15 or later. On earlier releases, the crypto map must be applied to the tunnel interface as well as the physical interface, as shown:

interface Ethernet0/0
ip address (local outside interface IP) (subnet mask)
half-duplex
crypto map vpn

8. Configure Network Address Translation (NAT) bypass if needed, so that traffic between the two private networks is not translated, as shown:

access-list 175 deny ip (local private network) (subnet mask) (remote private network) (subnet mask)
access-list 175 permit ip (local private network) (subnet mask) any
route-map nonat permit 10
match ip address 175
exit
ip nat inside source route-map nonat interface (outside interface name) overload

Configure the remote router the same way, with the local and remote values swapped. Once both sides are configured, try passing traffic. If it does not pass, add IP routes for the remote networks pointing to the tunnel interface IP address.
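The eight steps above are written for one router and then repeated, mirrored, on the other, which is where most copy-and-paste mistakes happen (peer and tunnel destination left pointing at the wrong side, the NAT-bypass ACL naming the wrong networks). The following script is an added example, not code from the original post or from Cisco: it renders the IOS CLI for both routers from a few site parameters and checks that the two outputs actually point at each other. All addresses, interface names and site names are constructed sample values. The transform set defaults to the page's `esp-3des esp-md5-hmac` so the output matches the steps; on IOS releases that support it, passing a current set such as `esp-aes 256 esp-sha256-hmac` (an assumption about what your platform offers) is what a new deployment would use.

```python
"""Render the paired GRE-over-IPsec router configs from the steps above.

Added example (not from the original post): given a few site parameters it
emits the Cisco IOS CLI for each router, making the local/remote swap that
"configure the remote router the same way" implies explicit.
All addresses below are constructed sample values.
"""
from dataclasses import dataclass
import ipaddress
import re


@dataclass(frozen=True)
class Site:
    name: str
    outside_if: str    # physical (outside) interface that carries the crypto map
    outside: str       # outside address with prefix, e.g. "203.0.113.1/30"
    tunnel_ip: str     # Tunnel0 address; both sides must share one /24
    private_net: str   # LAN behind this router, e.g. "10.1.1.0/24"


def build_config(local: Site, remote: Site, psk: str,
                 transform: str = "esp-3des esp-md5-hmac") -> str:
    """Return the IOS configuration for `local`, peering with `remote`."""
    l_out = ipaddress.ip_interface(local.outside)
    r_out = ipaddress.ip_interface(remote.outside)
    lnet = ipaddress.ip_network(local.private_net)
    rnet = ipaddress.ip_network(remote.private_net)
    # IOS access-lists take wildcard masks, the bitwise inverse of the netmask
    lwild, rwild = lnet.hostmask, rnet.hostmask
    lines = [
        # Step 1: tunnel endpoints are the routers' outside addresses
        "interface Tunnel0",
        f" ip address {local.tunnel_ip} 255.255.255.0",
        f" tunnel source {l_out.ip}",
        f" tunnel destination {r_out.ip}",
        # Steps 2-3: ISAKMP policy and a pre-shared key scoped to this one peer (/32)
        "crypto isakmp policy 1",
        " authentication pre-share",
        f"crypto isakmp key {psk} address {r_out.ip} 255.255.255.255",
        # Step 4: transform set (the page's 3DES/MD5 set by default)
        f"crypto ipsec transform-set strong {transform}",
        # Step 5: crypto ACL selects only the GRE flow between the outside addresses
        f"access-list 120 permit gre host {l_out.ip} host {r_out.ip}",
        # Step 6: crypto map ties peer, transform set and crypto ACL together
        "crypto map vpn 10 ipsec-isakmp",
        f" set peer {r_out.ip}",
        " set transform-set strong",
        " match address 120",
        # Step 7: crypto map on the physical outside interface
        f"interface {local.outside_if}",
        f" ip address {l_out.ip} {l_out.netmask}",
        " crypto map vpn",
        # Step 8: NAT bypass, site-to-site traffic must not be translated
        f"access-list 175 deny ip {lnet.network_address} {lwild} {rnet.network_address} {rwild}",
        f"access-list 175 permit ip {lnet.network_address} {lwild} any",
        "route-map nonat permit 10",
        " match ip address 175",
        f"ip nat inside source route-map nonat interface {local.outside_if} overload",
        # Closing note of the page: route the remote LAN at the far tunnel address
        f"ip route {rnet.network_address} {rnet.netmask} {remote.tunnel_ip}",
    ]
    return "\n".join(lines) + "\n"


def tunnels_share_subnet(a: Site, b: Site) -> bool:
    """Step 1 requirement: both Tunnel0 addresses lie in the same /24."""
    net_a = ipaddress.ip_interface(f"{a.tunnel_ip}/24").network
    net_b = ipaddress.ip_interface(f"{b.tunnel_ip}/24").network
    return net_a == net_b


def peers_consistent(cfg_local: str, cfg_remote: str) -> bool:
    """The peer the local router dials must be the remote router's tunnel source."""
    peer = re.search(r"^ set peer (\S+)$", cfg_local, re.M).group(1)
    source = re.search(r"^ tunnel source (\S+)$", cfg_remote, re.M).group(1)
    return peer == source


# Constructed sample sites (documentation address ranges)
HQ = Site("HQ", "Ethernet0/0", "203.0.113.1/30", "192.168.16.1", "10.1.1.0/24")
BRANCH = Site("Branch", "Ethernet0/0", "198.51.100.1/30", "192.168.16.2", "10.2.2.0/24")

if __name__ == "__main__":
    for local, remote in ((HQ, BRANCH), (BRANCH, HQ)):
        print(f"! --- {local.name} ---")
        print(build_config(local, remote, "cisco123"))
```

Run it and paste each block into the matching router; `peers_consistent` run in both directions is the check worth keeping, since a mismatched `set peer` or `tunnel destination` produces a tunnel that is up/up on one side yet never forms an SA.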
