GRE VPN Tunnel Configuration

Networking, Security
May 17, 2022
 

Since Generic Routing Encapsulation (GRE) VPN tunnels remain on Cisco exams like CCNA and CCNP ENCOR, let’s demonstrate a quick configuration of a GRE tunnel.

Why do we care about GRE?

We care about GRE because it can encapsulate a wide variety of network layer protocols and carry them over an IP network, for example between two locations across a public network like the Internet.

GRE can be used with or for:
* Multicast packets, such as OSPF, EIGRP, and streaming applications
* Connecting IPv6 networks over IPv4 networks

For purposes of this demonstration, we used the GNS3 emulation software running on a Linux VM.

The biggest problem with default GRE configuration (like the one below) is that it does not include security.

GRE Tunnel Configuration

! Configure PC1
ip 10.1.1.2/24 10.1.1.1
save
! Configure PC2
ip 10.1.2.2/24 10.1.2.1
save

! Configure Router R1
conf t
hostname R1
interface f0/0
ip address 10.1.1.1 255.255.255.0
no shut
interface s0/0
ip address 4.1.1.1 255.255.255.252
no shut
! Configure Router R2
conf t
hostname R2
interface s0/1
ip address 4.1.1.2 255.255.255.252
no shut
int s0/0
ip address 4.1.2.1 255.255.255.252
no shut
! Configure Router R3
conf t
hostname R3
interface s0/1
ip address 4.1.2.2 255.255.255.252
no shut
interface f0/0
ip address 10.1.2.1 255.255.255.0
no shut

Static Routing
We’ll use static routing for end-to-end connectivity.

! Configure Static Routing on R1 & R3
!R1
conf t
ip route 0.0.0.0 0.0.0.0 4.1.1.2
!R3
conf t
ip route 0.0.0.0 0.0.0.0 4.1.2.1

GRE Tunnel Interfaces
Now it’s time to configure the GRE tunnel.

! Configure GRE Tunnel on R1
conf t
int tun 0
ip address 10.1.3.1 255.255.255.252
tunnel mode gre ip
tunnel source s0/0
tunnel destination 4.1.2.2

! Configure GRE Tunnel on R3
conf t
int tun 0
ip address 10.1.3.2 255.255.255.252
tunnel mode gre ip
tunnel source s0/1
tunnel destination 4.1.1.1

Let’s check the Tunnel Interfaces on R1 and R3 to make sure they’re up.

Verify Tunnel Interfaces
R1#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES NVRAM  up                    up
Serial0/0                  4.1.1.1         YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Serial0/1                  unassigned      YES NVRAM  administratively down down
Serial0/2                  unassigned      YES NVRAM  administratively down down
Serial0/3                  unassigned      YES NVRAM  administratively down down
FastEthernet1/0            unassigned      YES NVRAM  administratively down down
FastEthernet2/0            unassigned      YES NVRAM  administratively down down
Tunnel0                    10.1.3.1        YES NVRAM  up                    up

R3#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.2.1        YES NVRAM  up                    up
Serial0/0                  unassigned      YES NVRAM  administratively down down
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Serial0/1                  4.1.2.2         YES NVRAM  up                    up
Serial0/2                  unassigned      YES NVRAM  administratively down down
Serial0/3                  unassigned      YES NVRAM  administratively down down
FastEthernet1/0            unassigned      YES NVRAM  administratively down down
FastEthernet2/0            unassigned      YES NVRAM  administratively down down
Tunnel0                    10.1.3.2        YES NVRAM  up                    up
R3#

Configure EIGRP Routing on Tunnel Interfaces R1 and R3
! R1
conf t
router eigrp 100
network 10.0.0.0
no auto-summary

! R3
conf t
router eigrp 100
network 10.0.0.0
no auto-summary

Verify Routing on R1 and R3
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 4.1.1.2 to network 0.0.0.0

4.0.0.0/30 is subnetted, 1 subnets
C 4.1.1.0 is directly connected, Serial0/0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.1.3.0/30 is directly connected, Tunnel0
D 10.1.2.0/24 [90/297270016] via 10.1.3.2, 00:21:00, Tunnel0
C 10.1.1.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 4.1.1.2
R1#

R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 4.1.2.1 to network 0.0.0.0

4.0.0.0/30 is subnetted, 1 subnets
C 4.1.2.0 is directly connected, Serial0/1
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.1.3.0/30 is directly connected, Tunnel0
C 10.1.2.0/24 is directly connected, FastEthernet0/0
D 10.1.1.0/24 [90/297270016] via 10.1.3.1, 00:21:28, Tunnel0
S* 0.0.0.0/0 [1/0] via 4.1.2.1
R3#

Verify GRE
Now that we have configured the GRE VPN tunnel, let’s run some verification commands on routers R1 and R3.

We’ll start by verifying the tunnel0 interface on R1.

R1#show interface tunnel0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.1.3.1/30
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 4.1.1.1 (Serial0/0), destination 4.1.2.2
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:03, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
302 packets input, 25344 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
302 packets output, 25364 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
R1#

Let’s check the tunnel interface on router R3 now.

R3#show interface tunnel0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.1.3.2/30
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 4.1.2.2 (Serial0/1), destination 4.1.1.1
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:03, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
316 packets input, 26540 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
318 packets output, 26688 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

We can verify that the GRE tunnel is working fine by running traceroute on R1 and R3.

R1#traceroute 10.1.2.1
Type escape sequence to abort.
Tracing the route to 10.1.2.1
1 10.1.3.2 8 msec 0 msec 0 msec

The only hop shown is 10.1.3.2, R3’s Tunnel0 address, so we can see that the packet is moving through the tunnel interface.

R3#traceroute 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.1.1.1
1 10.1.3.1 4 msec 4 msec 0 msec

Troubleshooting GRE
* The tunnel interface IP addresses on both sides must be in the same subnet
* The subnet masks on both sides of the tunnel must match
* Check that the interfaces used as tunnel source/destination are configured with the correct IP addresses
* Check that the tunnel interfaces are up
* Verify that static or dynamic routing is configured properly
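
The first three checks in this list can be automated against the two routers' configurations. The script below is an added example, not part of the original post; it assumes interface names are typed the same way in the `interface` and `tunnel source` lines (abbreviations are not expanded), and the function names are hypothetical.

```python
import ipaddress
import re

def parse_interfaces(config):
    """Map interface name (as typed, spaces removed) to its ip/source/destination."""
    interfaces, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"int(?:erface)?\s+(.+)", line):
            current = interfaces.setdefault(m.group(1).replace(" ", "").lower(), {})
        elif current is None:
            continue
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            current["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"tunnel (source|destination) (\S+)", line):
            current[m.group(1)] = m.group(2).lower()
    return interfaces

def check_tunnel(cfg_a, cfg_b, tunnel="tun0"):
    """Return the mismatches found between the two ends of one GRE tunnel."""
    a, b = parse_interfaces(cfg_a), parse_interfaces(cfg_b)
    problems = []
    if a[tunnel]["ip"].network.netmask != b[tunnel]["ip"].network.netmask:
        problems.append("tunnel subnet masks differ")
    elif a[tunnel]["ip"].network != b[tunnel]["ip"].network:
        problems.append("tunnel addresses are in different subnets")
    for side, local, peer in (("A", a, b), ("B", b, a)):
        source = local[tunnel]["source"]         # interface name, e.g. s0/0
        addr = local.get(source, {}).get("ip")
        expected = peer[tunnel]["destination"]
        if addr is None:
            problems.append(f"side {side}: tunnel source {source} has no IP address")
        elif str(addr.ip) != expected:
            problems.append(f"side {side}: source {addr.ip} != peer destination {expected}")
    return problems

# Constructed input: the R1 and R3 commands from this post, joined per router.
R1 = """interface s0/0
ip address 4.1.1.1 255.255.255.252
int tun 0
ip address 10.1.3.1 255.255.255.252
tunnel source s0/0
tunnel destination 4.1.2.2"""
R3 = """interface s0/1
ip address 4.1.2.2 255.255.255.252
int tun 0
ip address 10.1.3.2 255.255.255.252
tunnel source s0/1
tunnel destination 4.1.1.1"""
print(check_tunnel(R1, R3) or "tunnel endpoints are consistent")
```

An empty list means the two ends agree; interface state and routing still have to be checked on the routers themselves.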

Adding Security to GRE via IPSec
The biggest drawback of GRE is that GRE by itself does not provide security.

So we leverage IPSec to strengthen GRE.

In a following blog post, we’ll demonstrate GRE with IPSec.
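
To make the drawback concrete, the script below (an added example, not part of the original post) decodes a GRE-over-IPv4 packet the way any device on the path between R1 and R3 could. The sample packet is constructed from this lab's addresses with checksums left at zero, and its GRE flags match the "Key disabled, sequencing disabled" state in the `show interface tunnel0` output; the function names are hypothetical.

```python
import ipaddress
import struct

GRE_PROTO = 47  # IP protocol number for GRE

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header for the constructed sample (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 255, proto,
                       0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse_gre(packet):
    """Decode outer IPv4 + GRE (RFC 2784/2890) and expose the inner IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != GRE_PROTO:
        raise ValueError("not GRE over IPv4")
    flags, ethertype = struct.unpack("!HH", packet[ihl:ihl + 4])
    info = {"outer_src": str(ipaddress.IPv4Address(packet[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
            "checksum": bool(flags & 0x8000), "key": None,
            "sequencing": bool(flags & 0x1000)}
    offset = ihl + 4
    if info["checksum"]:
        offset += 4                       # checksum + reserved field
    if flags & 0x2000:                    # optional 32-bit key (an ID, not a secret)
        info["key"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if info["sequencing"]:
        offset += 4
    info["overhead"] = offset             # bytes added in front of the inner packet
    inner = packet[offset:]
    if ethertype == 0x0800 and len(inner) >= 20:
        inner_ihl = (inner[0] & 0x0F) * 4
        info["inner_src"] = str(ipaddress.IPv4Address(inner[12:16]))
        info["inner_dst"] = str(ipaddress.IPv4Address(inner[16:20]))
        info["inner_payload"] = inner[inner_ihl:]
    return info

# Constructed sample: PC1 -> PC2 ICMP echo as R1 would send it to R3.
ICMP = bytes([8, 0, 0, 0, 0, 1, 0, 1]) + b"PC1 to PC2"
INNER = ipv4_header("10.1.1.2", "10.1.2.2", 1, len(ICMP)) + ICMP
GRE = struct.pack("!HH", 0x0000, 0x0800)  # no checksum, key or sequence
SAMPLE = ipv4_header("4.1.1.1", "4.1.2.2", GRE_PROTO, len(GRE) + len(INNER)) + GRE + INNER

if __name__ == "__main__":
    for field, value in parse_gre(SAMPLE).items():
        print(f"{field}: {value}")
```

The private 10.1.x.x addresses and the payload are readable without any key, which is why the tunnel needs IPsec before it carries traffic over a public network.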

Posted at 9:34 pm
