Why do I need GRE?

We have purchased two 2811 routers to use for a site-to-site VPN. Both routers have the VPN AIM. I have everything working in a lab now, but it was a struggle. I'm new to this, so I happily used SDM to configure everything. Initially I used an IPsec VPN without GRE. Everything went smoothly and I tested the tunnel using SDM and it all checked out. Then when I tried to ping between clients across the tunnel, every other ping request timed out. This was repeatable and occurred regardless of which side of the tunnel the ping was initiated from. Everything else (file transfer, web browsing) was not working. I started over and used GRE over IPsec this time and everything began working... sorta. Small data transfers (32-byte ping requests) would work, but I couldn't transfer large files across the tunnel. I fixed this by changing the MTU on the tunnel interfaces and on the clients to 1476 bytes to allow for the 24 bytes that would be added due to encapsulation (at least I think that's what's going on). Changing the MTU on every client is acceptable for the moment, but it might not be down the road. If GRE is causing me to change the MTU, it makes me wonder why exactly I need it? The SDM wizard help says to use GRE to connect remote sites with different network topologies, but that's not what I'm doing. Also, if a non-GRE IPsec VPN can't get the job done, why is it even included in the wizard?

CWShannon

The one book I can recommend for quick and dirty (with a little bit of in-depth coverage) is Enhanced IP Services by Donald Lee. It has a very clear explanation of how to set up IPsec. What are you using: preshared keys, RSA-SIG, or RSA-ENCR?

Also, do you have a serial (like T1/FR etc) connection between your sites?

Hansang Bae

First, scrap the SDM. Second, GRE is preferable over static VPN tunnels in almost every situation.

One thing you can do to prevent hardcoding the MTU on machines is to configure `ip tcp adjust-mss 1450` on an Ethernet transit interface; that will clear a lot up for you, I think.

GRE allows you to encapsulate non-IP traffic as well as provide multicast support and full tunneling support. There are some good configurations on configuring GRE over IPsec on CCO; you just have to sort through a bit. Also, Cisco Press just came out with The Complete Cisco VPN Configuration Guide about 2 weeks ago; pretty good read if you do a lot of VPN work. It's paperback and it's orange, but it's comprehensive.

GRE configs are actually simpler. Here's a sample; x is your public address, y is the remote public address:

    ip access-list extended ipsec_peer
     permit gre host x.x.x.x host y.y.y.y
    !
    crypto map vpn 10 ipsec-isakmp
     set transform-set xyz
     set peer y.y.y.y
     match address ipsec_peer
    !
    interface Tunnel1
     ip address 1.1.1.1 255.255.255.252
     ! note: don't change the default MTU on the tunnel interface; as you have a
     ! 2800 series ISR, its default already takes the overhead into account
     tunnel source x.x.x.x
     tunnel destination y.y.y.y
    !
    interface public
     ip address x.x.x.x <mask>
     crypto map vpn

Ta da, you're done.

Bob Watson, Implementation Engineer II

stl-eng
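As an added example (not from any poster in this thread), a short Python calculation of the on-the-wire size of a full-MSS TCP segment after GRE and then ESP encapsulation, so the MTU and MSS numbers discussed above can be checked rather than guessed. It assumes a 1500-byte path MTU, IPv4 headers without options, a plain 4-byte GRE header, and ESP field sizes per RFC 4303 for the transform sets listed (AES-CBC with HMAC-SHA1-96 in tunnel mode by default).

```python
# Added example (not from the thread): size a full-MSS TCP segment after GRE
# and then ESP encapsulation, to check MTU/MSS choices instead of guessing.
# Assumptions: IPv4 headers without options, a plain 4-byte GRE header,
# and ESP field sizes per RFC 4303 for the transform sets listed below.
import math

IP_HDR = 20        # IPv4 header
TCP_HDR = 20       # TCP header
GRE_HDR = 4        # GRE header without key/sequence fields
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header

# transform set -> (IV length, cipher block size, ICV length), all in bytes
TRANSFORMS = {
    "esp-aes esp-sha-hmac": (16, 16, 12),
    "esp-3des esp-sha-hmac": (8, 8, 12),
    "esp-3des esp-md5-hmac": (8, 8, 12),
}


def gre_packet_size(mss):
    """GRE packet carrying one full-MSS segment: outer IP + GRE + inner IP/TCP/data."""
    return IP_HDR + GRE_HDR + IP_HDR + TCP_HDR + mss


def esp_packet_size(mss, transform="esp-aes esp-sha-hmac", tunnel_mode=True):
    """On-the-wire size once ESP protects the GRE packet."""
    iv, block, icv = TRANSFORMS[transform]
    gre = gre_packet_size(mss)
    # Tunnel mode encrypts the whole GRE packet behind a new outer IP header;
    # transport mode reuses the GRE packet's IP header and encrypts the rest.
    plaintext = gre if tunnel_mode else gre - IP_HDR
    padded = math.ceil((plaintext + ESP_TRAILER) / block) * block  # ESP padding
    return IP_HDR + ESP_HDR + iv + padded + icv


def max_mss(path_mtu=1500, transform="esp-aes esp-sha-hmac", tunnel_mode=True):
    """Largest MSS whose encrypted GRE packet still fits in path_mtu."""
    mss = path_mtu - IP_HDR - TCP_HDR
    while esp_packet_size(mss, transform, tunnel_mode) > path_mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    for mss in (1460, 1436, 1450):   # TCP default, 1476-byte client MTU, clamp suggested above
        print(f"MSS {mss}: GRE {gre_packet_size(mss)} bytes, "
              f"GRE over ESP {esp_packet_size(mss)} bytes")
    for name in TRANSFORMS:
        print(f"{name}: max MSS {max_mss(transform=name)} (tunnel mode), "
              f"{max_mss(transform=name, tunnel_mode=False)} (transport mode)")
```

Run stand-alone it prints the sizes for the MSS values mentioned in the thread and the largest MSS that still fits for each transform set; anything above the path MTU will be fragmented after encryption and reassembled by the peer.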

Thanks for the book reference. I was using pre-shared keys, and as far as the connection between sites, it is just a 10/100 switch right now. I have everything configured in a lab. When we do the install, each of the sites will have a T1.

Chris

Thanks Bob, I don't have to actually have this up and running in the real world until February. My plan was to get it working with SDM, so that a couple of my coworkers could test their software real quick, and then figure out how to do it using the CLI. In the meantime I can try the MSS tip you gave when everyone goes to lunch today and see if that simplifies things.

Chris

I'm thinking you have things well under control then? As to your question about GRE, there is one reason to use it. You can stuff OSPF or EIGRP down the GRE tunnel. So if IPSec dies, routing will die too. If you don't use GRE, then you can have a situation where production traffic will die, but routing will not. Now you just created a black hole that can be tricky to troubleshoot.

EBGP is the exception since it uses TCP (and can be encrypted).

Hansang Bae
