Many companies have multiple remote offices which need secure network connectivity with the headquarters or between them. This can be achieved by using a site-to-site VPN setup which allows offices in multiple fixed locations to establish secure connections and share resources with each other over a public network such as the Internet. Cisco ASA supports the IPsec protocol for configuring an site-to-site VPN tunnel. IPsec works by authenticating and encrypting each IP packet of a communication session and uses the Internet Key Exchange (IKE) protocol to negotiate and establish a secure VPN tunnel. The original IKE version 1 is defined in RFC 2409 and the IKE version 2 (IKEv2) is defined in RFC 5996. Cisco introduced support for IKEv2 beginning with ASA version 8.4 but in this article we will focus only on the legacy IKEv1 implementation.
Generic routing encapsulation (GRE) is a tunneling protocol which was initially developed by Cisco, and later it has been adopted as an industry standard in RFC 2784. GRE allows the encapsulation of a wide variety of network layer protocols inside virtual point-to-point links. This means that the original packet is encapsulated inside a GRE header and a new IP header containing the source and the destination of the tunnel endpoints. The GRE protocol does not provide any security for the data being transported so if encryption is needed GRE must be used in conjunction with IPsec protocol. Some of the reasons for using GRE are the need to transport multicast traffic, or to provide workarounds for networks with limited hops. In this article we will demonstrate how two networks which do not have reachability can be connected through an GRE tunnel.