Configuring Generic Routing Encapsulation (GRE) tunnels on Cisco IOS
Overview
Generic routing encapsulation (GRE) is a tunneling protocol which was initially developed by Cisco, and later it has been adopted as an industry standard in RFC 2784. GRE allows the encapsulation of a wide variety of network layer protocols inside virtual point-to-point links. This means that the original packet is encapsulated inside a GRE header and a new IP header containing the source and the destination of the tunnel endpoints. The GRE protocol does not provide any security for the data being transported so if encryption is needed GRE must be used in conjunction with IPsec protocol. Some of the reasons for using GRE are the need to transport multicast traffic, or to provide workarounds for networks with limited hops. In this article we will demonstrate how two networks which do not have reachability can be connected through an GRE tunnel.
GRE tunnelling concepts
GRE tunnelling configuration involves the creation of tunnel interfaces. Tunnel interfaces are logical interfaces which are configured in the same manner as physical or loopback interfaces. Since the tunnel interfaces are behaving as point-to-point interfaces the IP addresses configured on both sides must be in the same subnet. When setting up the GRE tunnel each side must specify a source and a destination. The IP address of the source on side A of the tunnel must match the IP address of the destination on side B of the tunnel and vice versa.
IP reachability between the tunnel endpoints is critical otherwise the GRE tunnel will not come up. The GRE tunnel interface comes up as soon as it is configured and it stays up as long as there is a valid tunnel source address or interface which is up. When a packet is sent through the GRE tunnel it gets encapsulated with a GRE header and an outer IP header and these headers are removed when the packet exits the GRE tunnel. GRE tunnels are designed to be completely stateless. This means that if one side of the tunnel goes down the other side might remain up because it cannot detect if the remote tunnel endpoint is unreachable. In this situation packets that go through the GRE tunnel will be dropped. Fortunately there is a solution for this issue by enabling keepalives on both sides of the tunnel. We’ll discuss this in more detail in the troubleshooting section.
Initial IP configuration and routing
First let’s proceed and configure the IP addressing and routing. Below is the topology I will use to demonstrate how GRE tunnels work. In order to simplify the routing I have used OSPF as the routing protocol and configured all the routers to be in the same area 0. Hosts PC1 and PC2 will be used to test reachability through the GRE tunnel.
The IP addressing scheme is configured as displayed in the topology above. We will assign an router ID (RID) following a simple scheme (i’ll use 1.1.1.1 for R1, 2.2.2.2 for R2 and so on) and then enable OSPF on all interfaces in area 0. Below is the OSPF configuration snippet for all four routers.
R1(config)# router ospf 1 R1(config-router)# router-id 1.1.1.1 R1(config-router)# network 10.10.12.0 0.0.0.255 area 0
R1(config)# router ospf 1 R2(config-router)# router-id 2.2.2.2 R2(config-router)# network 10.10.12.0 0.0.0.255 area 0 R2(config-router)# network 10.10.23.0 0.0.0.255 area 0
R1(config)# router ospf 1 R3(config-router)# router-id 3.3.3.3 R3(config-router)# network 10.10.23.0 0.0.0.255 area 0 R3(config-router)# network 10.10.34.0 0.0.0.255 area 0
R1(config)# router ospf 1 R4(config-router)# router-id 4.4.4.4 R4(config-router)# network 10.10.34.0 0.0.0.255 area 0
After this OSPF neighborship should come up and you should have reachability between interface Gi0/1 of router R1 and Gi0/0 of router R4. Let’s test this by running a traceroute from R1 to R4.
R1# traceroute 10.10.34.4 Tracing the route to 10.10.34.4 VRF info: (vrf in name/id, vrf out name/id) 1 10.10.12.2 1 msec 1 msec 0 msec 2 10.10.23.3 3 msec 2 msec 1 msec 3 10.10.34.4 3 msec 2 msec 1 msec
As you can see router R1 can reach router R4. The goal of this configuration is that host PC1 can reach host PC2 and viceversa via the GRE tunnel.
Creating a GRE tunnel
First we need to create two tunnel interfaces one (Tunnel1) on router R1 and the other (Tunnel2) on router R4. The tunnel will be established between these two routers. The tunnel interfaces on both routers must always be configured with an IP address that needs to be from the same subnet. In my topology, both tunnel interfaces will use IPs from 172.30.1.0/30 network. Let’s create and configure the Tunnel1 interface on router R1.
R1(config)# interface Tunnel1 R1(config-if)# ip address 172.30.1.1 255.255.255.252 R1(config-if)# ip mtu 1400 R1(config-if)# ip tcp adjust-mss 1360 R1(config-if)# tunnel source 10.10.12.1 R1(config-if)# tunnel destination 10.10.34.4 R1(config-if)# exit
After we complete the tunnel configuration, the router will confirm the creation of the tunnel by displaying a message on the console similar to the one below.
*Jun 1 13:56:54.588: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
Since GRE is encapsulating protocol this adds some extra overhead to the original packet and can cause fragmentation. In this case we can adjust the maximum transmission unit (MTU) value to 1400 bytes and maximum segment size (MSS) to 1360 bytes. TCP MSS defines the maximum amount of data that a host is willing to accept in a single TCP/IP datagram and it’s usually 40 bytes less than the MTU of the interface. Using a value of 1400 is a common practice and will ensure unnecessary packet fragmentation is kept to a minimum. A similar configuration needs to be applied for interface Tunnel2 on router R4 with the exception that the tunnel source and destination are reversed.
R4(config)# interface Tunnel2 R4(config-if)# ip address 172.30.1.2 255.255.255.252 R4(config-if)# ip mtu 1400 R4(config-if)# ip tcp adjust-mss 1360 R4(config-if)# tunnel source 10.10.34.4 R4(config-if)# tunnel destination 10.10.12.1 R4(config-if)# exit
GRE tunnels doesn’t provide encryption, but we can provide a key on each side of the tunnel by using the tunnel key command.
R1(config)# interface Tunnel1 R1(config-if)# tunnel key 100
R1(config)# interface Tunnel2 R4(config-if)# tunnel key 100
This can be thinked as a simple clear-text password authentication mechanism with no encryption. Tunnel ID keys are locally configured and can be used as a form of weak security to prevent improper configuration or injection of packets from a foreign source. They need to match on both sides. It’s not recommended to rely on this key for security purposes, instead you can use IPsec to protect GRE tunnel traffic.
At this point, both tunnel endpoints and should be able to communicate between them. Let’s test this by running a ping from router R1 using Tunnel1 as source to the IP address of the Tunnel2 interface on router R4.
R1# ping 172.30.1.2 source Tunnel1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.30.1.2, timeout is 2 seconds: Packet sent with a source address of 172.30.1.1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms
As we can see the test is successful. Although the GRE tunnel is up hosts PC1 and PC2 are still not able to communicate yet. We need to setup a static route on both endpoints. On router R1 we need to add a static route to the remote network 192.168.20.0/24 via Tunnel1 interface which connects the remote end of our GRE Tunnel. Therefore, when R1 receives a packet destined for 192.168.20.0 network, it knows that the exit interface is Tunnel1 and it will route the packet through the GRE tunnel.
R1(config)# ip route 192.168.20.0 255.255.255.0 Tunnel1
The same configuration must be repeated for R2:
R4(config)# ip route 192.168.10.0 255.255.255.0 Tunnel2
Now both hosts PC1 and PC2 should have full reachability over the GRE tunnel.
GRE tunnel verification and troubleshooting
We can check the operational status of the tunnel interface using the show interfaces Tunnel command. Let’s check the status of Tunnel1 interface on router R1.
R1(config)# show interfaces Tunnel1 Tunnel1 is up, line protocol is up Hardware is Tunnel Internet address is 172.30.1.1/30 MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel linestate evaluation up Tunnel source 10.10.12.1, destination 10.10.34.4 Tunnel protocol/transport GRE/IP Key disabled, sequencing disabled Checksumming of packets disabled Tunnel TTL 255, Fast tunneling enabled Tunnel transport MTU 1476 bytes Tunnel transmit bandwidth 8000 (kbps) Tunnel receive bandwidth 8000 (kbps) Last input 00:44:31, output 00:44:31, output hang never Last clearing of "show interface" counters 04:49:44 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/0 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 892 packets input, 44212 bytes, 0 no buffer Received 0 broadcasts (0 IP multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 28 packets output, 3256 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 unknown protocol drops 0 output buffer failures, 0 output buffers swapped out
The output of this command displays a lot of useful information for troubleshooting and debugging. I have highlighted in red the most important lines from the output. We can see that the Tunnel1 interface is up and the transport protocol is GRE. Also we can see the source and destination endpoints and the fact that traffic is being passed in both directions. Let’s run some tests to verify reachability between hosts PC1 and PC2. First let’s ping PC2 from PC1.
PC1> ping 192.168.20.100 Pinging 192.168.20.100 with 32 bytes of data: Reply from 192.168.20.100: bytes=32 time=4ms TTL=126 Reply from 192.168.20.100: bytes=32 time=3ms TTL=126
Now let’s run a traceroute from PC1 to PC2
PC1> tracert 192.168.20.100 Tracing route to 192.168.20.100 over a maximum of 30 hops 1 <1ms <1ms <1ms 192.168.10.1 2 2ms 2ms 2ms 172.30.1.2 3 2ms 2ms 2ms 192.168.20.100
From the traceroute output we can see that the path goes through the GRE tunnel. Since GRE tunnels are stateless, by default they cannot detect the operational status of the remote tunnel interface. So if one interface can go down while the other side remains up. We can resolve this by enabling keepalive packets on each side of the tunnel. By doing this, each side of the tunnel periodically sends a keepalive to the other side. If one side doesn’t receive a keepalive in the specified time, the tunnels go down on each side. Let’s configure both interfaces to send keepalives at every 30 seconds.
R1(config)# interface Tunnel1 R4(config-if)# keepalive 10 3
R4(config)# interface Tunnel2 R4(config-if)# keepalive 10 3
We configured both tunnel interfaces to send 3 keepalives at interval of 10 seconds. In this case if 3 keepalives are missed after 30 seconds the interfaces status should go down. From the output of the show interface Tunnel command we should see that keepalives have been set.
R1(config)# show interfaces Tunnel1 | include Keepalive
Keepalive set (10 sec), retries 3
Let’s simulate a failure by shutting down interface Gi0/1 on router R3. After 30 seconds both tunnel interfaces will go down and the following message will be displayed on the router console.
*Jun 1 19:26:14.358: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
If we check the operational status the interfaces it will display that the line protocol is down.
R1#show interface tunnel 1 | include Tunnel1 Tunnel1 is up, line protocol is down
Some things to keep in mind when troubleshooting GRE tunnels:
- make sure the source and destination tunnels are setup correctly
- if using tunnel keys check that they match on both sides
- check the routing tables for missing routes
- check for any access lists blocking GRE traffic
Summary
In this article we discussed basic concepts and configuration of GRE tunnels. GRE is used as the core protocol for DMVPN which allows you to build scalable networks where a single tunnel interface can be used to reach numerous remote sites. In situations where encryption is needed GRE can be used in conjunction with IPsec to protect the traffic for security reasons.