In this tutorial, I want to share the steps that you need to take to configure a GRE tunnel between two Cisco routers.
GRE – stands for Generic Routing Encapsulation protocol. It is a tunnelling protocol developed by Cisco. It can encapsulate a wide variety of network layer protocols inside a virtual point-to-point tunnel.
This is the network diagram that I will use in my lab.
Table of Contents
Configure IP addresses on all the routers
In the first step, you need to configure the IP addresses on all the routers and ensure that there is connectivity between them.
On router SiteA, I will use the CIDR 192.168.10.0/24 for the LAN interface and the CIDR 152.10.10.0/24 for the WAN interface.
SiteA#show ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 152.10.10.2 YES manual up up
GigabitEthernet0/1 192.168.10.1 YES manual up up
GigabitEthernet0/2 unassigned YES unset administratively down down
GigabitEthernet0/3 unassigned YES unset administratively down down
SiteA#On router SiteB, I will use the CIDR 192.168.20.0/24 for the LAN interface and the CIDR 152.10.20.0/24 for the WAN interface.
SiteB#show ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 152.10.20.2 YES manual up up
GigabitEthernet0/1 192.168.20.1 YES manual up up
GigabitEthernet0/2 unassigned YES unset administratively down down
GigabitEthernet0/3 unassigned YES unset administratively down down
SiteB#
On router ISP, I will configure the following IP addresses.
ISP#show ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 152.10.10.1 YES manual up up
GigabitEthernet0/1 152.10.20.1 YES manual up up
GigabitEthernet0/2 unassigned YES unset administratively down down
GigabitEthernet0/3 unassigned YES unset administratively down down
ISP#Check the connectivity between the routers
To have connectivity between the routers, I will use static routing. If you prefer to configure a dynamic routing protocol, you can do it.
Router SiteA
SiteA#conf term
Enter configuration commands, one per line. End with CNTL/Z.
SiteA(config)#ip route 0.0.0.0 0.0.0.0 152.10.10.1
SiteA(config)#
SiteA(config)#
SiteA(config)#Router SiteB
SiteB#conf term
Enter configuration commands, one per line. End with CNTL/Z.
SiteB(config)#ip route 0.0.0.0 0.0.0.0 152.10.20.1
SiteB(config)#
SiteB(config)#
SiteB(config)#
Check the connectivity between the router SiteA and the router SiteB.
SiteA#
*Jan 2 20:36:39.803: %SYS-5-CONFIG_I: Configured from console by console
SiteA#ping 152.10.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 152.10.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 11/16/22 ms
SiteA#Check the connectivity between the router SiteA and the router SiteB.
SiteB#ping 152.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 152.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 11/13/18 ms
SiteB#
Configure the GRE tunnel on the router SiteA
The next step is to configure the tunnel interface on the router SiteA.
You need to add an IP address for the tunnel interface. You need to specify the tunnel source and the tunnel destination. There should be reachability between the tunnel source and the tunnel destination.
SiteA#conf term
Enter configuration commands, one per line. End with CNTL/Z.
SiteA(config)#interface Tunnel1
SiteA(config-if)# ip address 172.16.1.1 255.255.255.0
SiteA(config-if)# tunnel source 152.10.10.2
SiteA(config-if)# tunnel destination 152.10.20.2
SiteA(config-if)#
*Jan 2 20:41:34.974: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
*Jan 2 20:41:35.874: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
SiteA(config-if)#tunnel mode gre
% Incomplete command.
SiteA(config-if)#tunnel mode gre ?
ip over IP
ipv6 over IPv6
multipoint over IPv4 (multipoint)
SiteA(config-if)#tunnel mode gre ip
SiteA(config-if)#Configure the tunnel interface on the router SiteB
Next, you need to configure the tunnel interface on the router SiteB. There is no need to configure the command tunnel mode gre ip, because this is the default mode when no other mode is configured.
SiteB#conf term
Enter configuration commands, one per line. End with CNTL/Z.
SiteB(config)#interface Tunnel1
SiteB(config-if)# ip address 172.16.1.2 255.255.255.0
SiteB(config-if)# tunnel source 152.10.20.2
SiteB(config-if)# tunnel destination 152.10.10.2
SiteB(config-if)#
*Jan 2 20:44:03.704: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
*Jan 2 20:44:04.360: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
SiteB(config-if)#
Check the status of the tunnel interfaces
After you have configured the tunnel interfaces on both routers, you need to check and ensure that they are in an up status.
Router SiteA
SiteA#show ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 152.10.10.2 YES manual up up
GigabitEthernet0/1 192.168.10.1 YES manual up up
GigabitEthernet0/2 unassigned YES unset administratively down down
GigabitEthernet0/3 unassigned YES unset administratively down down
Tunnel1 172.16.1.1 YES manual up up
SiteA#Router SiteB
SiteB#show ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 152.10.20.2 YES manual up up
GigabitEthernet0/1 192.168.20.1 YES manual up up
GigabitEthernet0/2 unassigned YES unset administratively down down
GigabitEthernet0/3 unassigned YES unset administratively down down
Tunnel1 172.16.1.2 YES manual up up
SiteB#
Check the connectivity between the tunnel interfaces
Next check the connectivity between the tunnel interfaces.
Router SiteA
SiteA#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/25 ms
SiteA#Router SiteB
SiteB#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/17/22 ms
SiteB# Configure a static route to have connectivity between the LANs
In order to have connectivity between the LANs, you will need to configure a static route on both routers which will have as the next hop the tunnel interface. This way the LAN traffic will be encapsulated using the GRE and the traffic will be passed through the virtual point-to-point tunnel.
Router SiteA
SiteA#conf term
Enter configuration commands, one per line. End with CNTL/Z.
SiteA(config)#ip route 192.168.20.0 255.255.255.0 172.16.1.2
SiteA(config)#Routing table for the router SiteA
SiteA#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 152.10.10.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 152.10.10.1
152.10.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 152.10.10.0/24 is directly connected, GigabitEthernet0/0
L 152.10.10.2/32 is directly connected, GigabitEthernet0/0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Tunnel1
L 172.16.1.1/32 is directly connected, Tunnel1
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/1
L 192.168.10.1/32 is directly connected, GigabitEthernet0/1
S 192.168.20.0/24 [1/0] via 172.16.1.2
SiteA#Router SiteB
SiteB#conf term
Enter configuration commands, one per line. End with CNTL/Z.
SiteB(config)#ip route 192.168.10.0 255.255.255.0 172.16.1.1
SiteB(config)#Routing table for the router SiteB
SiteB#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 152.10.20.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 152.10.20.1
152.10.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 152.10.20.0/24 is directly connected, GigabitEthernet0/0
L 152.10.20.2/32 is directly connected, GigabitEthernet0/0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Tunnel1
L 172.16.1.2/32 is directly connected, Tunnel1
S 192.168.10.0/24 [1/0] via 172.16.1.1
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, GigabitEthernet0/1
L 192.168.20.1/32 is directly connected, GigabitEthernet0/1
SiteB#
Check the connectivity between the end hosts
The last step is to check the connectivity between the end host. I use two VMs running Linux Alpine.
ClientA has the IP address 192.168.10.10.
ClientA:~$ ip add show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:15:73:74 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.10/24 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe15:7374/64 scope link
valid_lft forever preferred_lft forever
ClientA:~$ ClientB has the IP address 192.168.20.10.
ClientB:~$ ip add show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:05:61:f5 brd ff:ff:ff:ff:ff:ff
inet 192.168.20.10/24 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe05:61f5/64 scope link
valid_lft forever preferred_lft forever
ClientB:~$ 
Ping between ClientA and ClientB.
ClientA:~$ ping -c 4 192.168.20.10
PING 192.168.20.10 (192.168.20.10): 56 data bytes
64 bytes from 192.168.20.10: seq=0 ttl=42 time=10.397 ms
64 bytes from 192.168.20.10: seq=1 ttl=42 time=12.135 ms
64 bytes from 192.168.20.10: seq=2 ttl=42 time=13.319 ms
64 bytes from 192.168.20.10: seq=3 ttl=42 time=12.018 ms
--- 192.168.20.10 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 10.397/11.967/13.319 ms
ClientA:~$ 
Collect a packet capture to confirm that the traffic is encapsulated using the GRE protocol
You can collect a packet capture to confirm that the traffic is encapsulated using the GRE protocol.
Another method to confirm that the traffic is encapsulated and forwarded to the GRE tunnel is to use the traceroute command.
ClientA:~$ traceroute 192.168.20.10
traceroute to 192.168.20.10 (192.168.20.10), 30 hops max, 46 byte packets
1 192.168.10.1 (192.168.10.1) 6.586 ms 11.167 ms 8.723 ms
2 172.16.1.2 (172.16.1.2) 13.799 ms 12.983 ms 14.275 ms
3 192.168.20.10 (192.168.20.10) 12.581 ms 15.568 ms 15.785 ms
ClientA:~$ 
That’s it! You have learned how to configure GRE on Cisco routers. If you found this blog post helpful, please like and subscribe for more Cisco networking tutorials. Thank you for reading it!
[…] In this tutorial, I want to share the steps you need to take to configure GRE over IPSec in Cisco IOS devices. I am using the same network diagram as in the tutorial which explains how to configure the GRE tunnel between Cisco routers. […]