Networks Training

Passing non-IP Traffic over IPSEC VPN using GRE over IPSEC

Written By Harris Andrea

IPSEC VPN is a great technology for encrypting and securing communications between networks (it is also what VPN software clients use). The only drawback is that IPSEC supports ONLY pure IP unicast traffic and nothing else.

If you want to securely pass multicast or non-IP traffic between sites, then IPSEC alone will not work. Fortunately, Cisco routers support the GRE protocol (Generic Routing Encapsulation), a tunneling protocol that can encapsulate a variety of network layer packet types inside a GRE tunnel.

GRE can therefore encapsulate multicast traffic, routing protocol packets (OSPF, EIGRP, etc.) and other non-IP traffic inside a point-to-point tunnel.

The downside of GRE is that it is not as secure as IPSEC (GRE by itself does not encrypt anything). By running GRE over IPSEC we get the best of both technologies: security and support for many network protocols. Some applications of GRE over IPSEC are the following:

  • Pass multicast traffic from a video server of one site to another site over the Internet.
  • Pass routing protocol updates (multicast traffic) between sites working in an IPSEC VPN topology.
  • Running Novell IPX between IPSEC VPN sites.
  • Use load balancing with a routing protocol between IPSEC VPN sites.
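To make the encapsulation concrete, the following Python model (an added example, not code from the article) builds a multicast IPv4 packet and a non-IP (IPX) frame, wraps each in a GRE header with an outer unicast IPv4 header (IP protocol 47), and shows why only the wrapped form passes the "unicast IP only" constraint that classic IPsec imposes. The tunnel endpoints reuse the article's 100.100.100.1 and 200.200.200.1; the inner host 192.168.1.10, the group 239.1.1.1, the UDP bytes and the IPX bytes are constructed samples, and ipsec_can_carry is this example's own simplification of that constraint.

```python
"""Model of GRE encapsulation (RFC 2784 basic header) and of the IP-unicast-only
constraint of a classic IPsec tunnel.  Added example; nothing here touches a network."""
import ipaddress
import struct

GRE_PROTOCOL = 47         # IP protocol number carried in the outer IPv4 header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type values are EtherTypes
ETHERTYPE_IPX = 0x8137    # Novell IPX, the non-IP protocol the article mentions


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (zero for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Return a 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the fields the model needs from an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:]}


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, protocol_type: int, inner: bytes) -> bytes:
    """Prepend a basic GRE header (flags/version 0, then the protocol type) and an
    outer unicast IPv4 header with protocol 47: this is what a tunnel interface emits."""
    gre_header = struct.pack("!HH", 0x0000, protocol_type)
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTOCOL, gre_header + inner)


def gre_decapsulate(outer: bytes) -> tuple:
    """Strip the outer IPv4 and GRE headers; return (protocol_type, inner_bytes)."""
    fields = parse_ipv4(outer)
    if fields["proto"] != GRE_PROTOCOL:
        raise ValueError("not a GRE packet")
    flags_ver, protocol_type = struct.unpack("!HH", fields["payload"][:4])
    if flags_ver & 0x0007:            # version bits must be 0 for RFC 2784 GRE
        raise ValueError("unsupported GRE version")
    return protocol_type, fields["payload"][4:]


def ipsec_can_carry(pkt: bytes) -> bool:
    """Simplified rule from the article: a classic IPsec tunnel carries only
    well-formed IPv4 packets whose destination is unicast."""
    try:
        fields = parse_ipv4(pkt)
    except (IndexError, ipaddress.AddressValueError):
        return False                  # too short or not IPv4 at all (e.g. raw IPX)
    if (pkt[0] >> 4) != 4:
        return False
    return not ipaddress.IPv4Address(fields["dst"]).is_multicast


def demo() -> dict:
    """Constructed samples: a multicast video packet and an IPX frame, raw and GRE-wrapped."""
    video = build_ipv4("192.168.1.10", "239.1.1.1", 17,   # UDP 1234 -> 5000, fake payload
                       b"\x04\xd2\x13\x88\x00\x10\x00\x00video!!!")
    ipx = b"\xff\xff\x00\x1e\x00\x11" + b"\x00" * 24       # IPX header starts with 0xFFFF checksum
    tun_video = gre_encapsulate("100.100.100.1", "200.200.200.1", ETHERTYPE_IPV4, video)
    tun_ipx = gre_encapsulate("100.100.100.1", "200.200.200.1", ETHERTYPE_IPX, ipx)
    return {
        "raw_multicast_ok": ipsec_can_carry(video),      # False: multicast destination
        "raw_ipx_ok": ipsec_can_carry(ipx),              # False: not IP at all
        "gre_video_ok": ipsec_can_carry(tun_video),      # True: outer header is unicast IP
        "gre_ipx_ok": ipsec_can_carry(tun_ipx),          # True
        "video_roundtrip": gre_decapsulate(tun_video) == (ETHERTYPE_IPV4, video),
        "ipx_roundtrip": gre_decapsulate(tun_ipx) == (ETHERTYPE_IPX, ipx),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is that IPsec never sees the multicast or IPX packet: it only sees a unicast IP packet with protocol 47 between the two public addresses, which is exactly what the crypto access list in the configuration below matches.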

Configuration example

Below we describe a configuration example between two Cisco routers running GRE over IPSEC across the Internet.

[Diagram: Cisco GRE over IPSEC between two routers]

From the diagram above, we have two private LAN networks, 192.168.1.0/24 and 192.168.2.0/24, and we want to send non-IP traffic between them (e.g. multicast video server traffic from Site-A to Site-B, or any other non-IP or non-unicast traffic).

Each router has a static public IP address on its FE0/1 outside interface (100.100.100.1 and 200.200.200.1), over which we will set up the IPSEC tunnel.

The GRE tunnel will run between two private IP addresses (10.0.0.1 and 10.0.0.2) configured on each router with the interface Tunnel command. The scenario also involves NAT for general Internet access from the local networks.

SITE-A

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE-A
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
!
!-- This is the IPsec configuration.
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key testkey123 address 200.200.200.1
!
crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set ESPDES-TS
 match address 101
!
!-- This is one end of the GRE tunnel.
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 !-- Associate the tunnel with the physical outside interface.
 tunnel source FastEthernet0/1
 tunnel destination 200.200.200.1
 !-- Attach the IPSEC crypto map to the GRE tunnel.
 crypto map myvpn
!
!-- This is the internal network.
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
!-- This is the external interface and one end of the GRE tunnel.
!
interface FastEthernet0/1
 ip address 100.100.100.1 255.255.255.0
 ip nat outside
 crypto map myvpn
!
!-- Define the NAT pool.
!
ip nat pool NATPOOL 100.100.100.2 100.100.100.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool NATPOOL overload
ip classless
!
ip route 0.0.0.0 0.0.0.0 100.100.100.254
!
!-- Force the private network traffic into the tunnel.
!
ip route 192.168.2.0 255.255.255.0 10.0.0.2
!
!-- All traffic that enters the GRE tunnel is encrypted by IPsec.
!
access-list 101 permit gre host 100.100.100.1 host 200.200.200.1
!
!-- Use the access list in the route-map to select what to NAT.
!
access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 175
!
end

SITE-B

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE-B
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
!
!-- This is the IPsec configuration.
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key testkey123 address 100.100.100.1
!
crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 100.100.100.1
 set transform-set ESPDES-TS
 match address 101
!
!-- This is one end of the GRE tunnel.
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 !-- Associate the tunnel with the physical outside interface.
 tunnel source FastEthernet0/1
 tunnel destination 100.100.100.1
 !-- Attach the IPSEC crypto map to the GRE tunnel.
 crypto map myvpn
!
!-- This is the internal network.
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
!-- This is the external interface and one end of the GRE tunnel.
!
interface FastEthernet0/1
 ip address 200.200.200.1 255.255.255.0
 ip nat outside
 crypto map myvpn
!
!-- Define the NAT pool.
!
ip nat pool NATPOOL 200.200.200.2 200.200.200.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool NATPOOL overload
ip classless
!
ip route 0.0.0.0 0.0.0.0 200.200.200.254
!
!-- Force the private network traffic into the tunnel.
!
ip route 192.168.1.0 255.255.255.0 10.0.0.1
!
!-- All traffic that enters the GRE tunnel is encrypted by IPsec.
!
access-list 101 permit gre host 200.200.200.1 host 100.100.100.1
!
!-- Use the access list in the route-map to select what to NAT.
!
access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 175
!
end
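A practitioner reusing the two configurations above would want a quick sanity check before deploying them. The following Python audit script is an added example, not part of the article or of Cisco IOS: it parses a flat IOS config and reports legacy algorithms in the ISAKMP policy (filling in the IOS defaults of DES, SHA-1 and DH group 1 for attributes the policy omits, as the policy above does) and in the IPsec transform set, a tunnel source that names an interface the config never defines, a crypto map that is not applied on that physical interface, and a map peer or crypto ACL that does not match the tunnel endpoints. The embedded SITE_A text is an excerpt of the SITE-A configuration above; BROKEN is a constructed variant, the LEGACY set and the finding strings are this script's own choices.

```python
"""Audit helper for a GRE-over-IPsec IOS configuration (added example)."""
from typing import Dict, List

# IOS fills these in when an isakmp policy omits them: DES, SHA-1, DH group 1.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}
# Choices a current deployment should not rely on (DES/3DES, MD5, SHA-1, DH groups 1/2/5).
LEGACY = {"des", "3des", "md5", "sha", "esp-des", "esp-3des",
          "esp-md5-hmac", "esp-sha-hmac", "1", "2", "5"}

# Excerpt of the article's SITE-A configuration, the input for the audit.
SITE_A = """
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key testkey123 address 200.200.200.1
crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set ESPDES-TS
 match address 101
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 200.200.200.1
 crypto map myvpn
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1
 ip address 100.100.100.1 255.255.255.0
 crypto map myvpn
access-list 101 permit gre host 100.100.100.1 host 200.200.200.1
route-map nonat permit 10
 match ip address 175
"""
# Constructed variant: outside interface renamed to Vlan2 while the tunnel source
# still points at FastEthernet0/1, a mismatch that keeps the tunnel down.
BROKEN = SITE_A.replace("interface FastEthernet0/1", "interface Vlan2")


def parse_ios(text: str) -> Dict:
    """Collect isakmp policies, transform sets, crypto maps, interfaces and ACLs."""
    cfg = {"policy": {}, "transform": {}, "maps": {}, "interfaces": {}, "acl": {}}
    ctx = None  # (kind, name) of the block that owns the current sub-command
    for raw in text.splitlines():
        t = raw.strip().split()
        if not t or t[0].startswith("!"):
            continue
        if t[:3] == ["crypto", "isakmp", "policy"]:
            ctx = ("policy", t[3]); cfg["policy"][t[3]] = dict(ISAKMP_DEFAULTS)
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"][t[3]] = t[4:]
        elif t[:2] == ["crypto", "map"] and len(t) > 3:   # map definition, not "crypto map NAME" on an interface
            ctx = ("map", t[2]); cfg["maps"].setdefault(t[2], {})
        elif t[0] == "interface":
            ctx = ("iface", "".join(t[1:])); cfg["interfaces"][ctx[1]] = {}
        elif t[0] == "access-list":
            cfg["acl"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "route-map":
            ctx = None
        elif ctx and ctx[0] == "policy" and t[0] in ("encr", "encryption", "hash", "group", "authentication"):
            cfg["policy"][ctx[1]]["encr" if t[0] == "encryption" else t[0]] = t[1]
        elif ctx and ctx[0] == "map" and t[0] in ("set", "match"):
            cfg["maps"][ctx[1]][" ".join(t[:2])] = t[2:]
        elif ctx and ctx[0] == "iface" and (t[:2] in (["ip", "address"], ["crypto", "map"]) or t[0] == "tunnel"):
            cfg["interfaces"][ctx[1]][" ".join(t[:2])] = t[2:]
    return cfg


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    cfg, out = parse_ios(text), []
    for num, pol in cfg["policy"].items():
        out += [f"isakmp policy {num}: {a} {pol[a]} is a legacy choice"
                for a in ("encr", "hash", "group") if pol[a] in LEGACY]
    for name, algs in cfg["transform"].items():
        out += [f"transform-set {name}: {a} is a legacy choice" for a in algs if a in LEGACY]
    by_lower = {n.lower(): n for n in cfg["interfaces"]}   # IOS interface names are case-insensitive
    for name, tun in cfg["interfaces"].items():
        if "tunnel source" not in tun:
            continue
        src_if, dst = "".join(tun["tunnel source"]), tun.get("tunnel destination", [""])[0]
        phys = cfg["interfaces"].get(by_lower.get(src_if.lower(), ""))
        if phys is None:
            out.append(f"{name}: tunnel source {src_if} is not defined in this config")
            continue
        if "crypto map" not in phys:   # classic crypto maps must sit on the physical interface
            out.append(f"{name}: crypto map is not applied on tunnel source {src_if}")
            continue
        src_ip, cmap = phys.get("ip address", [""])[0], cfg["maps"].get(phys["crypto map"][0], {})
        if cmap.get("set peer") != [dst]:
            out.append(f"{name}: crypto map peer {cmap.get('set peer')} differs from tunnel destination {dst}")
        acl = cmap.get("match address", [""])[0]
        if ["permit", "gre", "host", src_ip, "host", dst] not in cfg["acl"].get(acl, []):
            out.append(f"{name}: crypto ACL {acl} does not permit gre host {src_ip} host {dst}")
    return out


if __name__ == "__main__":
    for label, text in (("SITE-A", SITE_A), ("BROKEN", BROKEN)):
        print(label, *audit(text), sep="\n  ")
```

Run against the SITE-A excerpt the script reports only the five algorithm findings (the defaulted DES/SHA-1/group 1 policy and the esp-des / esp-md5-hmac transform set); against the constructed variant it additionally flags the undefined tunnel source, which is the class of mistake that leaves "no vpn or gre tunnel up" while the public addresses still ping.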

Filed Under: Cisco General, General Networking


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Mario says

    March 27, 2009 at 5:31 am

    Hi,

    Haven’t you forgotten to add the PIM details on the various interfaces so the multicast receivers at SITE B can send a “join” for the multicast stream available at SITE A?

    I’d appreciate if you could reply with your comment.

    Regards,
    Mario

  2. BlogAdmin says

    March 27, 2009 at 12:41 pm

    Hello Mario, thanks for your comment.

    Yes, indeed you are correct. If you are using GRE over IPSEC with a multicast Server on one site and multicast clients on the other site, then you will need to add on both the Tunnel Interfaces and the Ethernet Interfaces facing the LAN (for both site routers) the following commands:

    interface Tunnel0
    ip pim dense-mode

    interface FastEthernet0/0
    ip pim dense-mode

    Hope this clarified your question.

  3. Sunny says

    April 29, 2009 at 9:30 am

    Is it possible to route VLAN traffic over IPSec using GRE?

    E.g. LAN A vlan 5 can talk to LAN B vlan 5

    Many thanks

  4. BlogAdmin says

    April 29, 2009 at 10:28 am

    Hello Sunny,

    Thanks for your question. No, you cannot do that over IPSEC/GRE tunnels. For this to work you need some sort of Layer 2 VPN (such as an MPLS Layer 2 VPN like a Martini link). Service providers usually offer such Layer 2 connectivity over their MPLS infrastructure.

    Thanks

    Harris

  5. Rick says

    July 24, 2009 at 10:41 pm

    Is there a way to run GRE over IPSec when using the Cisco VPN Client to connect to an ASA 5505?

    We have a remote PC that can “see” a bank of IP Radios through the VPN, which is passing IP and UDP traffic, but your post suggests we may need the GRE setup you describe in order for everything to work.

    I appreciate your taking time to post this information, and to field our question–it’s been a TON of effort to get as far as we are!

    Rick

  6. BlogAdmin says

    July 25, 2009 at 5:28 am

    Hello Rick,

    If the IP Radios send traffic as multicast, then you will need GRE over IPSEC. However, this functionality (GRE over IPSEC) is not supported on Cisco VPN clients. You could install a small cisco router on the remote site in order to configure GRE over IPSEC. However, keep in mind also that ASA does not support termination of GRE tunnels.

  7. Rick says

    July 28, 2009 at 4:05 pm

    Thank you for your prompt and informative reply. I am working with customer service to purchase your book now!

    Regarding my current project, however…can you recommend a “small Cisco router” for the remote site?

    It sounds like another ASA 5505 will not work…is that correct?

    The IP Radios “do” send traffic as multicast…and it is the RTP/RTCP traffic that is not currently being sent across the VPN.

    This is our local Emergency Management Agency (EMA), so the “remote sites” are typically mobile units out in the field during a disaster…thus, we had hoped the Cisco VPN “client” would suffice.

    I will look forward to digesting your book for this and future projects, and really appreciate your taking time to help!

    Rick

  8. BlogAdmin says

    July 30, 2009 at 1:08 am

    Hello Rick,

    A possible small Cisco router for supporting your scenario and which supports GRE over IPSEC is the 800 series (look at the 871 for example). As I mentioned before, another ASA 5505 will not work because it does not support GRE.

    Have a nice day and thank you for purchasing my ebook.

    Harris

  9. guest says

    August 8, 2009 at 5:59 pm

    Hey,

    Just wanted to let you know that you do not need that NAT exemption for private-to-private networks because of a few things:
    1. ip nat inside is NOT applied to the tunnel interface.
    2. 192.168.2.0 will be routed through a locally connected (NON NAT OUTSIDE) interface, so the address swap and port mapping will never take place.

    Just wanted to clarify what you had.

  10. Nagaraj says

    October 7, 2009 at 1:38 pm

    Is this still true with virtual tunnel interface (VTI)? Since IPSec can be exposed as logical interface (VTI), multicast routing updates can also be carried in ipsec tunnel. If that is the case do we still need GRE tunnel to carry routing updates (multicast packets)?

    Thanks,
    Nagaraj

  11. BlogAdmin says

    October 9, 2009 at 4:40 pm

    To be honest I haven’t tried the scenario you are describing. In my opinion, you will still need GRE even if you use VTI. The problem with multicast traffic and IPSEC is that IPSEC is a pure IP unicast technology and so it does not support multicast traffic; that is why we use GRE.

  12. Harris says

    January 19, 2010 at 8:47 am

    Is it possible to have the same subnet on both sites and do bridging (sending layer 2 frames between the two sites) over the VPN?

  13. BlogAdmin says

    January 19, 2010 at 9:04 am

    No, unfortunately this is not possible using GRE over IPSEC. You can look into L2TP for this scenario or even MPLS Layer2 VPN from a service provider.

  14. JKL says

    March 18, 2010 at 6:40 pm

    Hi. You said that this is not possible on the ASA 5505. Is any other workaround possible for the ASA? I have such a problem right now and not a clue how to make it work.
    Many thanks.

  15. BlogAdmin says

    March 19, 2010 at 1:43 am

    If you are trying to pass OSPF over the IPSEC tunnel, then you can do it without GRE. See the following link

    Otherwise you can get a small 800 series router that supports GRE.

  16. JKL says

    March 19, 2010 at 3:47 am

    I need to enable multicast traffic between 2 ASAs. Will that do the trick?

    Thanks.

  17. BlogAdmin says

    March 19, 2010 at 4:36 am

    If you don’t have IPSEC between them but normal IP routing then it will work. I assumed that you have IPSEC between the ASA.

  18. JKL says

    March 22, 2010 at 10:37 am

    I do have IPSEC. I have site-to-site vpn between the ASA. No way to enable multicast?

  19. BlogAdmin says

    March 23, 2010 at 12:39 pm

    You cannot pass multicast inside IPSEC since IPSEC supports only IP unicast traffic.

  20. dokafe says

    June 8, 2010 at 9:50 pm

    Which of the following is a method for handling non-IP traffic in VPN?
    a) GRE
    b) SSL
    c) TLS
    d) All of the above

  21. Blog Admin says

    June 9, 2010 at 4:08 pm

    Is this a quiz question ? :)

    Well the answer is a) GRE

  22. dokafe says

    June 19, 2010 at 2:12 am

    uuuuuuuuuuu are so kind

    yep bro

    love ur help

  23. Enzo says

    November 4, 2010 at 3:35 pm

    Hi;

    Is it possible to enable GRE with an ADSL connection? I need to work with a dynamic IP using PAT (Port Address Translation). I tried with port assignment, but it does not work.

  24. Blog Admin says

    November 4, 2010 at 7:05 pm

    GRE has problems with NAT (especially PAT). No it will not work.

  25. Hiraman says

    January 9, 2011 at 3:02 am

    I have set this up in my LAB without NAT.
    Both networks can reach each other over the tunnel.
    But my question is how we can verify whether encryption is happening or not.
    I used “sh crypto isakmp sa” and “sh crypto ipsec sa”.
    They didn’t show any output.

  26. Hiraman says

    January 9, 2011 at 3:20 am

    I enabled the ip cache flow command on the Internet router.
    I saw GRE packets passing through.
    My question is: are GRE packets visible to the ISP?

    Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
    --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
    GRE                  8      0.0         7   108      0.0       3.4      15.4
    Total:               8      0.0         7   108      0.0       3.4      15.4

    SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
    Se1           200.200.200.1   Se0           100.100.100.1   2F 0000 0000     5
    Se0           100.100.100.1   Se1           200.200.200.1   2F 0000 0000     5
    R3#

  27. Blog Admin says

    January 12, 2011 at 7:52 pm

    GRE packets are visible, but the traffic carried within the GRE tunnel is encrypted by IPsec.

  28. liaz says

    February 23, 2011 at 1:16 pm

    Hi, I applied the configuration as mentioned on 2 Cisco 877s in a lab.
    I am missing something because it doesn’t work.
    Actually, I used 3 Cisco 877s: 2 for site A and B and 1 acting as the Internet router.
    I can ping the external IPs but no VPN or GRE tunnel is up…
    Here are the configs:

    SITE A
    ——

    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SITE-A
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    !
    no aaa new-model
    ip subnet-zero
    !
    !-- This is the IPsec configuration.
    !
    crypto isakmp policy 10
     authentication pre-share
    !
    crypto isakmp key testkey123 address 200.200.200.1
    !
    crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
    !
    crypto map myvpn 10 ipsec-isakmp
     set peer 200.200.200.1
     set transform-set ESPDES-TS
     match address 101
    !
    !-- This is one end of the GRE tunnel.
    !
    interface Tunnel0
     ip address 10.0.0.1 255.255.255.0
     !-- Associate the tunnel with the physical outside interface.
     tunnel source FastEthernet0/1
     tunnel destination 200.200.200.1
     !-- Attach the IPSEC crypto map to the GRE tunnel.
     crypto map myvpn
    !
    !-- This is the internal network.
    !
    interface VLAN 1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
    !
    !-- This is the external interface and one end of the GRE tunnel.
    !
    interface VLAN 2
     ip address 100.100.100.1 255.255.255.0
     ip nat outside
     crypto map myvpn
    !
    !-- Define the NAT pool.
    !
    ip nat pool NATPOOL 100.100.100.2 100.100.100.20 netmask 255.255.255.0
    ip nat inside source route-map nonat pool NATPOOL overload
    ip classless
    !
    ip route 0.0.0.0 0.0.0.0 100.100.100.254
    !
    !-- Force the private network traffic into the tunnel.
    !
    ip route 192.168.2.0 255.255.255.0 10.0.0.2
    !
    !-- All traffic that enters the GRE tunnel is encrypted by IPsec.
    !
    access-list 101 permit gre host 100.100.100.1 host 200.200.200.1
    !
    !-- Use access list in route-map to address what to NAT.
    !
    access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 175 permit ip 192.168.1.0 0.0.0.255 any
    !
    route-map nonat permit 10
     match ip address 175
    !
    end

    Site B:
    ——-

    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SITE-B
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    !
    no aaa new-model
    ip subnet-zero
    !
    !-- This is the IPsec configuration.
    !
    crypto isakmp policy 10
     authentication pre-share
    !
    crypto isakmp key testkey123 address 100.100.100.1
    !
    crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
    !
    crypto map myvpn 10 ipsec-isakmp
     set peer 100.100.100.1
     set transform-set ESPDES-TS
     match address 101
    !
    !-- This is one end of the GRE tunnel.
    !
    interface Tunnel0
     ip address 10.0.0.2 255.255.255.0
     !-- Associate the tunnel with the physical outside interface.
     tunnel source FastEthernet0/1
     tunnel destination 100.100.100.1
     !-- Attach the IPSEC crypto map to the GRE tunnel.
     crypto map myvpn
    !
    !-- This is the internal network.
    !
    interface vlan 1
     ip address 192.168.2.1 255.255.255.0
     ip nat inside
    !
    !-- This is the external interface and one end of the GRE tunnel.
    !
    interface vlan 25
     ip address 200.200.200.1 255.255.255.0
     ip nat outside
     crypto map myvpn
    !
    !-- Define the NAT pool.
    !
    ip nat pool NATPOOL 200.200.200.2 200.200.200.20 netmask 255.255.255.0
    ip nat inside source route-map nonat pool NATPOOL overload
    ip classless
    !
    ip route 0.0.0.0 0.0.0.0 200.200.200.254
    !
    !-- Force the private network traffic into the tunnel.
    !
    ip route 192.168.1.0 255.255.255.0 10.0.0.1
    !
    !-- All traffic that enters the GRE tunnel is encrypted by IPsec.
    !
    access-list 101 permit gre host 200.200.200.1 host 100.100.100.1
    !
    !-- Use access list in route-map to address what to NAT.
    !
    access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 175 permit ip 192.168.2.0 0.0.0.255 any
    !
    route-map nonat permit 10
     match ip address 175
    !
    end

  29. Blog Admin says

    February 24, 2011 at 11:16 am

    liaz,

    Why is your WAN interface Vlan2? If it’s an 877 (ADSL over POTS), isn’t the WAN interface an ATM / ADSL port? Check this out, because I believe the problem is on the WAN port.

  30. José Dias says

    March 18, 2011 at 10:41 pm

    Hi Sunny,

    You may use L2TPv3 to emulate vlan 5 over an IPv4 cloud.

    Regards.

  31. Alex says

    June 5, 2011 at 11:04 pm

    Very helpful indeed. Thanks for posting. It really helped me to create GRE over IPSEC via the Internet using a Cisco 887 and 877. My issue is that even though the local networks (192.168.1.0 on one side and 192.168.2.0 on the other) are visible in both routing tables, the nodes (all in the same workgroup) are not visible. I used RIP and/or static routes. I can however ping every node from one network to the other.

  32. Blog Admin says

    June 6, 2011 at 4:42 am

    Alex,

    Individual IP addresses will NOT appear in the routing table. Only the whole subnet appears in the table. As long as you can reach individual IP addresses by pinging them from the other local network, this means you are ok.

  33. rah says

    November 23, 2014 at 10:59 am

    Hi, very good scenario!
    But one question:
    What should we do if we have a firewall between the VPN server (R1) and the Internet connection in site A, and likewise on the other site?
    That means, for example, that in this scenario f0/1 does not have a public IP address and has a private link to the firewall. Actually the firewall has 2 links: the first link to the inside network (the link between the firewall and the router) and another link with a public IP address to the ISP.

    Thanks

  34. Harris Andrea says

    November 23, 2014 at 5:50 pm

    Rah,
    I haven’t tested an exact scenario as you mention but I suggest two options:

    1) Configure a static NAT on the firewall so that its outside public IP will be translated to the private IP of f0/1 on the router. Then configure the exact steps on the routers as in the example above (i.e. configure both IPSEC and GRE on the routers).
    2) Configure IPSEC on the firewall and GRE on the routers (this needs some deeper thinking!!).

  35. Asir says

    April 2, 2019 at 5:37 am

    Hi,
    I have the following scenario; do you think it will work? I’m Site A.
    Site A and site B have different IP subnets.
    Between two sites, I have two firewalls.
    I want the IPsec tunnel between the two firewalls, and the GRE from Site A router to Site B router.
    I have L3 & L2 switches between Site A router and Site A firewall.
    Should I NAT the IP at Site A firewall?

  36. Harris Andrea says

    April 2, 2019 at 3:34 pm

    What do you mean exactly by NAT the IP? Static NAT or dynamic NAT? Which IP are you talking about?
