Last Updated: [last-modified] (UTC)
Previously, we’ve talked about how GRE works, and how to configure it. But this only really covers the basics. In this article, we’ll look at GRE in-depth, covering:
- GRE with IPSec encryption
- Recursive routing, and how to avoid it
- Improving stability and uptime
Before starting, understand how GRE and IPSec work
[maxbutton id=”4″ text=”GRE Tunnels” url=”https://networkdirection.net/GRE+Tunnels”][maxbutton id=”4″ text=”IPSec” url=”https://networkdirection.net/IPSec+Basics”]
Encryption
GRE does not have any built-in encryption. This is a problem if we want to tunnel through a public network like the internet.
Fortunately, it’s rather easy to add IPSec encryption to the GRE tunnel. IPSec is configured intransport modewhich means that it only encrypts data, it doesn’t use any native IPSec tunnelling functions.
Please note that when we’re talking about IPSec, we talk about phase-1 and phase-2 tunnels. This is part of how IPSec works, not part of GRE.
It’s quite common for NAT to be used. This presents a problem for native IPSec, as IKE (the phase-1 tunnel) detects IP changes (which is what NAT is for) and drops packets, thinking that they’ve been altered. To solve this problem, a feature called NAT-Traversal (NAT-T) was added.
NAT-T is automatically enabled during the phase-1 exchanges if NAT devices are detected.NAT-T adds an additional header to each encrypted packet. Everything is encapsulated in an extra layer of UDP, to trick IKE into thinking that the packet has not been altered.
If you’re tunnelling through a firewall, you will need to open additional ports and protocols to allow the encrypted traffic through:
- IP Protocol 47 – GRE. This is needed if you’re encrypting or not
- IP Protocol 50 – ESP. This is for encryption
- IP Protocol 51 – AH. This is optional, as AH may or may not be used
- UDP/500 – ISAKMP. This allows the phase-1 tunnel to be built
- UDP/4500 – NAT-T. If used, this port needs to be enabled to allow NAT detection and handling
IPSec adds more headers. This means that the maximum payload size is smaller, so it can fit into the MTU size. The size of the headers varies depending on encryption type, whether NAT-T is used (another 8 bytes) and other factors.
You will addanywhere from 56 bytes to 74 bytes of overhead, depending on these factors. The simplest option is to set the MTU to 1400, and the MSS to 1360 for a regular ethernet interface. Of course, this can change if you have jumbo frames.
Configuration
If you’ve configured IPSec before, this should look very familiar.
We start by configuring the IKE policy. This includes the encryption algorithm, the hashing algorithm, and the Diffie-Hellman group.
We also need to configure the authentication method. In our example, we configure this aspre-share, which means we’ll use pre-shared keys.
Finally, we set the pre-shared key, and configure this device to allow connections from0.0.0.0(any device).
crypto isakmp policy 10 encr aes 256 hash sha256 authentication pre-share group 19crypto isakmp key SecretPassword12 address 0.0.0.0
Next, the transform-set. This is the IPSec part. The transform set specifies the encryption algorithm and hashing algorithm. We also set transport mode here.
With this, we create a profile and assign the transform-set to the profile.
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha384-hmac mode transportcrypto ipsec profile TUNNEL set transform-set TRANSFORM
And now, assign the profile to the tunnel interface. Not too hard is it?
interface Tunnel0 ip mtu 1400 ip tcp adjust-mss 1360 tunnel protection ipsec profile TUNNEL
Of course, you need to make sure you have the corresponding configuration on the remote device.
Crypto Maps
If you’ve used IPSec before, you may have used crypto-maps. If so, you’ve probably noticed that we’re not using them here. At least not in configuration…
We create profiles, but in the background, the router is dynamically creating crypto-maps for us.
Part of this is creating acrypto socket. This is the socket in software that is open and listening for traffic. This also brings the tunnel up, so we don’t have to manually generate ‘interesting traffic’, like we had to with manual crypto-maps.
You can see the crypto maps that have been generated with:
show crypto map
Keep Alives
IPSec may optionally have keepalives (this is different toGRE keepalives, which we’ll talk about later).
The keepalive is used as part of Dead Peer Detection (DPD). This enables one IPSec peer to detect the failure of another. It is best practice to enable keepalives.
There are two modes that this can be configured in. The first is ‘periodic’. This will send keepalives at regular intervals. This example sends a keepalive message every 10 seconds.
crypto isakmp keepalive 10 periodic
The other option is to configure on-demand keepalives, which are the default option.
In this case, the number of seconds is the maximum time a router will waitwithout seeing traffic from its neighbour, before sending a keepalive.
These are preferred in situations like DMVPN, as less bandwidth is used.
crypto isakmp keepalive 10 on-demand
Recursive Routing
We need to be careful how we handle routing. Consider this topology:
The router on the right has the address10.20.20.20as its ‘real’ address. It also has several networks in the 10.20.0.0 /16 range.
The router on the left has a summary route for 10.20.0.0 /16, pointing toward the core. This means it is able to reach the other edge router to build a tunnel.
The tunnel is now built, and the network administrators decide to configure an IGP, such as EIGRP or OSPF. The routers peer over the tunnel, and then they then advertise 10.20.20.0 /24 into the IGP. This is where we run into problems.
The router on the left has now learned 10.20.20.0 /24 dynamically. This goes into the routing table, pushing traffic over the tunnel. This is considered a better path to 10.20.20.20, as it’s a longer match than the /16 it already has.
The left router thinks it can send GRE traffic over the tunnel rather than over the core, which causes the tunnel to collapse. The IGP relationship then drops, causing traffic to be redirected over the core, causing the tunnel to come up again.
The process repeats indefinitely, leaving us with a flapping tunnel.
What we have here is calledRecursive Routing. This is where traffic should route over the underlay, but tries to route over the tunnel instead.
There are two main reasons that can cause this:
- The tunnel has a better metric to the network that the ‘real’ IP lives on. This can easily happen with RIP, which uses hop count as the metric
- The tunnel has a longer prefix match to the network that the ‘real’ IP lives on.
There are a few tricks that can help with this. One possibility is to use a different routing protocol for the overlay and the underlay. Perhaps you can use a static route to reach the real IP and a dynamic routing protocol over the tunnel. This would fix the metric problem, but not the longest prefix match problem.
Another option is to use a /32 route to the ‘real’ interface. You can’t get longer than a /32 (with IPv4 anyway), so that goes a long way to solving problem 2.
Mix the two together, and you have a winner!
Tunnel Stability
There’s a few tricks to help stability on your tunnel. We’re going to get a little Cisco-oriented here, but these tricks will likely translate well to other vendors.
Interfaces
TIP #1Use loopback interfaces
Take a moment to remember howGRE is configured. It needs a source and destination in order to build the tunnel. That means that the tunnel is generally dependant on the underlying interface.
This is an area we can tune. For starters, what if you had more than one path from one router to the other? If we rely on physical interfaces as the source and destination of the tunnel, we may only be using one available path. Instead, we can configure loopback interfaces.
Loopbacks aren’t physical, and therefore, they don’t go down on their own. So if one physical path fails, another may be used. This also leverages ECMP.
TIP #2Use an interface as the tunnel source
A tunnel source needs to be configured. We have two options for this; Configure an IP as the source, or configure an interface by name.So, what’s the difference? If you use an interface as the source (rather than the IP), the tunnel is tied to the interface. If the interface goes down, so does the tunnel.
If you use an IP as the source this does not happen. So, if there’s a problem with the real interface, the tunnel stays up. This can mean that traffic will continue to flow into the tunnel, even if it should be down. Traffic is now being ‘blackholed’.
Keepalives
TIP #3Configure keepalives
GRE tunnels are stateless. This means that if a destination IP address is unavailable, the tunnel interface will stay up. This means that traffic will still enter the tunnel, but it will get blackholed.
If you’re using an IGP, theneventuallyit will notice that the peer is down (thanks to hold timers) and remove it, reroute traffic. But if you’re using static routes, you have a real outage on your hands. Not to mention that convergence is faster if you don’t have to wait for timers to expire.
You can do this with thekeepalivecommand. For example ‘keepalive 10 3‘. This sends a keepalive to the peer every 10 seconds. If 3 in a row are missed, the tunnel’s line protocol is brought down.
Part of the magic of GRE is that the other end does not need any special configuration to listen and respond to the keepalives. The keepalive is double-encapsulated, so the remote peer receives the keepalive, decapsulates it, and is ‘tricked’ into sending the response back to the original source.
However, I do still recommend configuring keepalives on both ends of the tunnel.
There is an important caveat when using GRE + Keepalives + IPSec encryption. Basically,keepalives do not work.
There are two workarounds to this. The first isto use IPSec as a crypto map, rather than applying it to the tunnel. This uses policy-based IPSec, which is outside the scope of this article.
The other workaround is to use another technology to determine if the tunnel is up. This includes timers in an IGP orIP SLA.
References
Incapsula –What is a GRE Tunnel
Juniper –GRE Tunnel Services
Cisco Learning Network –Anatomy of GRE Tunnels
Juniper –Understanding NAT-T
Cisco Live – BRKSEC-3052:Demystifying DMVPN
FAQs
GRE is a tunneling protocol which is used to transport multicast, broadcast and non-IP packets like IPX etc. IPSec is an encryption protocol. IPSec can only transport unicast packets not multicast & broadcast. Hence we wrap it GRE first and then into IPSec which is called as GRE over IPSec.
What is GRE in routing? ›
Generic Routing Encapsulation, or GRE, is a protocol for encapsulating data packets that use one routing protocol inside the packets of another protocol. "Encapsulating" means wrapping one data packet within another data packet, like putting a box inside another box.
What is the difference between VPN and GRE tunnel? ›
Multicast traffic forwarding – GRE tunnels can be used to forward multicast traffic, whereas a VPN cannot. Because of this, multicast traffic such as advertisem*nts sent by routing protocols can be easily transferred between remote sites when using a GRE tunnel.
What is the difference between L2TP and GRE tunnel? ›
L2TP and GRE are both tunneling technogies and the primary difference is that L2TP is a layer 2 protocol and GRE is a layer 3 protocol. Neither of these protocols encrypt traffic to provide protection for the data being tunneled.
What does GRE stand for in VPN? ›
Generic Routing Encapsulation (GRE) | Juniper Networks. Yes.
What is the difference between GRE and GRE over IPsec? ›
When to use GRE vs. IPsec. IT teams should use IPsec when they require secure IP tunneling. They should use GRE when they require tunneling without privacy and when they need to tunnel multiple protocols or multicast.
Why is GRE preferred over IPsec? ›
GRE and IPsec complement each other nicely in that IPsec offers confidentiality, integrity and authentication while GRE offers the ability to tunnel traffic that IPsec alone cannot. As such it is of no surprise that GRE over IPsec is a popular solution.
Is GRE in layer 3 VPN? ›
Junos OS allows you to configure a generic routing encapsulation (GRE) tunnel between the PE and CE routers for a Layer 3 VPN.
What are the 3 types of routing protocols? ›
7 types of routing protocols
- Routing information protocol (RIP) ...
- Interior gateway protocol (IGRP) ...
- Enhanced interior gateway routing protocol (EIGRP) ...
- Open shortest path first (OSPF) ...
- Exterior Gateway Protocol (EGP) ...
- Border gateway protocol (BGP) ...
- Immediate system-to-immediate system (IS-IS)
GRE was developed as a tunneling tool meant to carry any OSI Layer 3 protocol over an IP network. In essence, GRE creates a private point-to-point connection like that of a virtual private network (VPN).
GRE is a mechanism for encapsulating any network layer protocol over any other network layer protocol. GRE can be used in point-to-point mode to provide a VPN between two sites. Additionally, GRE can be used for Multipoint Virtual Private Networks (VPNs) using GRE in point-to-multipoint mode.
Is GRE UDP or TCP? ›
Delivery protocols
GRE packets that are encapsulated within IP directly, use IP protocol type 47 in the IPv4 header's Protocol field or the IPv6 header's Next Header field. For performance reasons, GRE can also be encapsulated in UDP packets.
What are the disadvantages of GRE tunnel? ›
Disadvantages of GRE
It does not provide a data encryption facility, and it needs to be integrated with other security protocols to provide network security.
What is the difference between GRE over ipsec and L2tp? ›
L2tp is primarily for vpn it is a combination of pptp and cisco's l2f or layer 2 forwarding. GRE is cisco's generic route epcapsulation basically creating an ip tunnel to carry "other" traffic accross an ip backbone. it must be terminated on the outside or closet points of the tunnel.
Which is better IKEv2 or IPSec or L2TP? ›
IKEv2 is not as common as L2TP/IPSec as it is supported on many fewer platforms (although this situation is changing fast). It is, however, considered at least as good as, if not superior to, L2TP/IPsec in terms of security, performance (speed), stability and the ability to establish (and re-establish) a connection.
What is an advantage offered by GRE tunnels? ›
The advantage of GRE over other tunneling protocols is that it can encapsulate broadcast, multicast traffic (multicast streaming or routing protocols) or other non-IP protocols. GRE packets can be protected by using Internet Protocol Security (IPSec) ensuring confidentiality and integrity of the tunneled traffic.
Should I use IKEv2 IPSec or L2TP? ›
Furthermore, IKEv2 speed is considerably better as the L2TP needs much more time to transfer information and security credentials through a VPN tunnel. IKEv2 is more stable and can't be as easily blocked by a NAT firewall as L2TP.
Is the GRE only on the computer? ›
The GRE General Test is a computer-delivered test.
How is GRE at home monitored? ›
All at home tests are monitored by a human proctor online through ProctorU®. At home testing is available around the clock, 7 days a week.
What is the bandwidth limitation of GRE tunnel? ›
Zscaler supports a maximum bandwidth of 1 Gbps for each GRE tunnel if its internal IP addresses aren't behind NAT. Zscaler uses the internal IP addresses to load balance GRE traffic over multiple servers. If the internal subnet is behind NAT, Zscaler can only support up to 250 Mbps of traffic for each tunnel.
Proponents of standardized testing have long argued that the GRE provides an objective measurement of students' academic capability and potential to succeed in their graduate programs.
Is the GRE still used? ›
The GRE, a test that typically has been part of the prospective student's application to graduate school, is falling out of favor as fewer universities make it a requirement. Two key data points illustrate the extent of this recent decline: 1.
Is the GRE really that important? ›
In fact, some studies have shown a correlation between GRE scores and program completion, grade point average, and other important measures of graduate student performance. So, if a graduate program requires GRE scores, you can bet it pays attention to them!
Why is the GRE so easy? ›
Compared to other graduate exams, such as the MCAT, LSAT or, GMAT, the GRE is often considered less difficult because the GRE requires less specialized knowledge, has an easier curve, and generally has less-challenging math questions compared to other graduate exams.
Are there two types of GRE? ›
There are two types of GRE – GRE General test and Subject test.
What are three requirements to ensure proper GRE or IP IP tunnel routing? ›
Exam JN0-349 topic 1 question 16 discussion
- A. Keepalives must be used on stateless tunneling protocols.
- Tunnel endpoints must have a route that directs traffic into the tunnel. ...
- C. ...
- Tunnel endpoints must have a valid route to the remote endpoint. ...
- All intermediary devices must have a route to the tunnel endpoints.
The following basic Multiprotocol Label Switching (MPLS) configuration example uses a generic routing encapsulation (GRE) tunnel to span a non-MPLS network. This example is similar to the configuration shown in the first figure above.
Is GRE a layer 4 protocol? ›
GRE is a layer 3 protocol.
Is GRE a layer 2 protocol? ›
Layer-2 GRE. GRE is an IP encapsulation protocol that is used to transport packets over a network. tunnels allow you to have the same VLAN.
What is the most efficient routing protocol? ›
BGP and OSPF are two of the most common routing protocols. While BGP excels with dynamic routing for large networks, OSPF offers more efficient path choice and convergence speed.
Dynamic Routing Protocols
- OSPF (Open Shortest Path First) It is a very famous dynamic routing protocol that is being used in today's world. ...
- EIGRP (Enhanced Interior Gateway Routing Protocol) It is considered a proprietary protocol for Cisco. ...
- RIP (Routing Information Protocol) ...
- BGP (Border Gateway Protocol)
Professionals consider BGP the most challenging routing protocol to perfect due to its configuration complexity.
Does L2TP use GRE? ›
PPTP uses TCP and GRE as transport protocol. L2TP uses TCP or UDP (when paired with IPSec) as the transport protocol.
What is GRE vs IPSec Palo Alto? ›
GRE is used when IP packets need to be sent from one network to another, without being parsed or treated like IP packets by any intervening routers. IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way.
What is Ethernet over GRE? ›
The Ethernet over GRE Tunnels feature allows customers to leverage existing low–end residential gateways to provide mobility services to mobile nodes using Proxy Mobile IPv6 (PMIPv6), General Packet Radio Service (GPRS) Tunneling Protocol (GTP), and Intelligent Service Gateway (ISG).
What uses GRE protocol? ›
Generic Routing Encapsulation or GRE protocol is developed by Cisco and it provides a virtual point-to-point private connection and encapsulates and forwards packets over an IP-based network. GRE is used in many instances, such as transporting IPv6 traffic over an IPv4-only network.
Is GRE a Layer 3 protocol? ›
By default, GRE. GRE is an IP encapsulation protocol that is used to transport packets over a network. tunnels are in IPv4 Layer-3 mode.
What is the difference between IP in IP and GRE? ›
Basically it's that IPIP can handle only IPv4 unicast, no multicast traffic and only one tunnel for unique tunnel endpoints pair. GRE is more generic, with up to 64k tunnels between two unique endpoints plus multicast traffic which is important when tunneling routing protocols.
What port is used by GRE? ›
Point-to-Point Tunneling Protocol (PPTP) uses TCP port 1723 and IP protocol 47 Generic Routing Encapsulation (GRE). PPTP provides a low-cost, private connection to a corporate network through the Internet. PPTP works well for people who work from home or travel and need to access their corporate networks.
What is the difference between GRE and WireGuard? ›
WireGuard puts the encryption directly into the tunnel device; unlike with GRE it's not possible to have either an unencrypted tunnel or IKE IPSec but no operating tunnel. Apart from how the tunnel is created and secured, the rest of my setup is the same, which is a large part of what made it so easy to switch over.
GRE over IPSec means that GRE is inside the packet and IPSec is outside the packet. Traffic needs to be encapsulated in the GRE tunnel and then encrypted in the IPSec tunnel. IPSec does not support the encryption of multicast and broadcast packets.
Is GRE Cisco proprietary? ›
GRE is a proprietary protocol developed by Cisco. It is not an open standard like IPsec. GRE is not supported by all routers.
Is L2TP outdated? ›
L2TP or Layer 2 Tunneling Protocol is a VPN protocol that's been around since 2000 and is still very much available.
What is VxLAN vs GRE? ›
Backers and Transport Protocol
NVGRE is mainly supported by Microsoft while VXLAN is mainly driven by Cisco. Different from VXLAN which makes use of a standard transport protocol (TCP/UDP), NVGRE protocol is GRE (generic routing encapsulation).
What encryption does GRE use? ›
As mentioned earlier, GRE is an encapsulation protocol and does not perform any encryption. Creating a point-to-point GRE tunnel without any encryption is extremely risky as sensitive data can easily be extracted from the tunnel and viewed by others.
Why is L2TP over IPSec not recommended? ›
A pure L2TP VPN is unsafe to use. It means that a VPN reroutes traffic but does not encrypt it. Therefore, users' internet activities are still susceptible to interception and tracking.
What is the strongest VPN encryption? ›
PureVPN – always-on audit VPN
PureVPN is among the best VPNs for security due to its always on-audit policy, privacy-friendly jurisdiction in British Virgin Islands, and functional security features. Security: As most top-tier VPNs, PureVPN encrypts your traffic with an industry-standard AES-256 encryption.
Which is the fastest VPN best protocol? ›
WireGuard is considered the fastest among all the VPN protocols. If you wish to stream and download P2P files faster on the network, make sure to use WireGuard after signing in to PureVPN. Besides WireGuard, L2TP and IKEv2 are also considered fast, while OpenVPN and SSTP are slower than other VPN protocols.
What is the GRE used for? ›
The GRE General Test helps admissions committees get a more complete picture of applicant strengths by providing information about applicants' reasoning, critical thinking and analytical writing skills.
What is the difference between GRE over IPsec and L2tp? ›
L2tp is primarily for vpn it is a combination of pptp and cisco's l2f or layer 2 forwarding. GRE is cisco's generic route epcapsulation basically creating an ip tunnel to carry "other" traffic accross an ip backbone. it must be terminated on the outside or closet points of the tunnel.
Is GRE Required for Canada? If you are wondering is GRE required for Canada,then the answer is YES!. Though it is not compulsory, institutions do look at your GRE scores for admission to graduate programs. It is also an acceptable alternative for GMAT scores at many universities.
What are the benefits of GRE in Canada? ›
The Canadian government provides scholarships for international students with good GRE scores to fund their studies. Several universities offer admissions in doctorate and MS programs, for which the government provides scholarships for GRE-based eligible applicants.
What are the advantages and disadvantages of the GRE? ›
The GRE test is just like any other standardized test with its own advantages and disadvantages. In the table above, these pros and cons are presented. Its advantages focus on its use and function, while its disadvantages are the fees, test bias, and prep costs.
Is GRE an IP protocol? ›
Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks. GRE is defined by RFC 2784. GRE was developed as a tunneling tool meant to carry any OSI Layer 3 protocol over an IP network.
Is a GRE tunnel secure? ›
GRE is not by design a secure protocol because it does not encrypt the payloads. The GRE Tunnels are for creating locations to route the traffic directly to Zscaler. If security is of concern, then IPSEC would be of benefit to add encryption.
Why is GRE not required for Canada? ›
MS in Canada Without GRE Scores
Even though GRE is compulsory in many of the top Canadian universities, you can still get admission to a good MS course without your GRE score. Instead, other factors like academic profile, personal statement, and language proficiency are considered a criterion for admission.
What is the GRE controversy? ›
Critics have raised serious concerns about the ways that the GRE exam requirement may restrict access to graduate study, distort the admissions process, and, according to some studies, particularly disadvantage low income applicants, women, and people of color.
How much does the GRE really matter? ›
Many graduate schools in the United States and Canada, as well as most universities around the world, use the GRE to determine an applicant's eligibility for the program. To gain admission to their programs, most universities place a premium on a high GRE score.
Can I use GRE in Canada? ›
Yes, GRE is required for Canada. However, it is not mandatory. Many universities look at the GRE scores for admission into graduate programs.
Is GRE acceptable in Canada? ›
If you are wondering is GRE required for Canada,then the answer is YES!. Though it is not compulsory, institutions do look at your GRE scores for admission to graduate programs. It is also an acceptable alternative for GMAT scores at many universities.
GRE scores are reportable for 5 years following your test date.
