
How Can You Securely Set Up a GRE Tunnel with IPsec on Cisco Routers? (Step-by-Step Guide for Reliable VPNs)

What’s the Most Reliable Way to Configure GRE over IPsec? (Simple Steps for Secure Cisco VPNs)

I want to help you set up a GRE tunnel with IPsec on Cisco routers. This guide uses very simple words. I’ll walk you through each step, so you can connect two networks safely. If you follow along, you’ll have a strong, safe tunnel for your data.

What is GRE?

GRE stands for Generic Routing Encapsulation. GRE lets you put one type of data packet inside another. This helps send that packet across different networks. Think of it like putting a letter inside another envelope.

Why Use IPsec?

IPsec encrypts your data and checks that it was not changed on the way, so no one else can read or tamper with it. GRE by itself does not encrypt your data. When you use IPsec with GRE, your data stays safe while it travels.

What You Need

  • Two routers (R1 and R3)
  • Each router has its own public IP address
  • You want to connect two networks (for example, 192.168.1.0/24 and 192.168.2.0/24)
  • Access to the routers’ command line

Step 1: Set Up GRE Tunnel on Router R1

  1. Go to R1’s command line.
  2. Make a tunnel interface.
  3. Give the tunnel an IP address (use 10.0.0.1/30).
  4. Set the MTU to 1400. This avoids fragmentation, because the GRE and IPsec headers add extra bytes to every packet.
  5. Set the TCP MSS to 1360 (the 1400-byte tunnel MTU minus 40 bytes for the IP and TCP headers).
  6. Tell the tunnel where to start (source) and where to end (destination).
    R1# configure terminal
    R1(config)# interface Tunnel0
    R1(config-if)# ip address 10.0.0.1 255.255.255.252
    R1(config-if)# ip mtu 1400
    R1(config-if)# ip tcp adjust-mss 1360
    R1(config-if)# tunnel source 1.1.1.1
    R1(config-if)# tunnel destination 2.2.2.1
    R1(config-if)# exit
  7. Add a static route. This tells R1 to use the tunnel for the other network.
    R1(config)# ip route 192.168.2.0 255.255.255.0 Tunnel0
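To show where the 1400 and 1360 in steps 4 and 5 come from, here is an added Python example (not part of the original guide) that works out how many bytes GRE and ESP add to a packet and checks that the tunnel MTU and MSS leave room inside a 1500-byte link. It assumes the transform set used later in this guide, esp-aes esp-sha-hmac (AES-128-CBC with a 16-byte IV and a 12-byte SHA-1 tag), a GRE header with no optional fields, and ESP in its default tunnel mode; the function names are mine.

```python
# Added example (not from the original guide): encapsulation overhead of GRE over IPsec.
# Header sizes are the fixed values from the IPv4, GRE and ESP specifications.
# Assumed transform set: esp-aes esp-sha-hmac (AES-128-CBC, HMAC-SHA1-96).

IPV4_HEADER = 20        # IPv4 header without options
TCP_HEADER = 20         # TCP header without options (used for the MSS arithmetic)
GRE_HEADER = 4          # GRE header with no key / sequence / checksum fields
ESP_HEADER = 8          # SPI (4) + sequence number (4)
AES_BLOCK = 16          # AES-CBC IV length and padding alignment
ESP_TRAILER = 2         # pad length (1) + next header (1)
SHA1_96_ICV = 12        # truncated HMAC-SHA1 authentication tag


def esp_padding(plaintext_len):
    """ESP padding bytes so that payload + trailer is a multiple of the cipher block size."""
    return (-(plaintext_len + ESP_TRAILER)) % AES_BLOCK


def gre_ipsec_wire_size(inner_packet, esp_tunnel_mode=True):
    """Bytes on the wire for an inner IP packet after GRE and then ESP encapsulation.

    inner_packet:    size of the packet handed to Tunnel0 (at most its "ip mtu").
    esp_tunnel_mode: True for the transform set's default tunnel mode, which wraps the
                     whole GRE packet and adds a new outer IPv4 header; False for
                     "mode transport", which protects only the GRE part and keeps the
                     GRE delivery header as the outer header.
    """
    gre_packet = IPV4_HEADER + GRE_HEADER + inner_packet
    encrypted = gre_packet if esp_tunnel_mode else gre_packet - IPV4_HEADER
    esp_total = (ESP_HEADER + AES_BLOCK + encrypted + esp_padding(encrypted)
                 + ESP_TRAILER + SHA1_96_ICV)
    return IPV4_HEADER + esp_total


def check_tunnel_sizing(ip_mtu, adjust_mss, link_mtu=1500):
    """Report whether a tunnel MTU / MSS pair avoids fragmentation on the physical link."""
    worst_case = gre_ipsec_wire_size(ip_mtu, esp_tunnel_mode=True)
    expected_mss = ip_mtu - IPV4_HEADER - TCP_HEADER   # MSS excludes the IP and TCP headers
    return {
        "wire_size_at_tunnel_mtu": worst_case,
        "fits_in_link_mtu": worst_case <= link_mtu,
        "expected_mss": expected_mss,
        "mss_consistent": adjust_mss == expected_mss,
    }


if __name__ == "__main__":
    print("guide values  :", check_tunnel_sizing(1400, 1360))
    print("untuned values:", check_tunnel_sizing(1500, 1460))
```

With the guide's values a full-size packet becomes 1496 bytes on the wire and still fits in a 1500-byte link; with the tunnel left at an MTU of 1500 it would become 1592 bytes and have to be fragmented, which is the problem the two settings prevent.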

Step 2: Set Up GRE Tunnel on Router R3

  1. Repeat the same steps on R3, but swap the source and destination.
    R3# configure terminal
    R3(config)# interface Tunnel0
    R3(config-if)# ip address 10.0.0.2 255.255.255.252
    R3(config-if)# ip mtu 1400
    R3(config-if)# ip tcp adjust-mss 1360
    R3(config-if)# tunnel source 2.2.2.1
    R3(config-if)# tunnel destination 1.1.1.1
    R3(config-if)# exit
  2. Add a static route for R1’s network.
    R3(config)# ip route 192.168.1.0 255.255.255.0 Tunnel0

Step 3: Check the Tunnel

On R1, type:

show interface tunnel 0

Look for “Tunnel0 is up, line protocol is up.”

Try to ping the other side:

ping 192.168.2.10

If you get replies, the tunnel works.

Step 4: Secure the Tunnel with IPsec

Now, let’s lock the tunnel so no one can read your data.

On R1

  1. Make an ISAKMP policy (this is phase 1 of IPsec). The policy below uses group 2 (1024-bit Diffie-Hellman) and hash sha (SHA-1); on IOS versions that support them, group 14 and hash sha256 are stronger choices:
    R1(config)# crypto isakmp policy 10
    R1(config-isakmp)# authentication pre-share
    R1(config-isakmp)# encryption aes
    R1(config-isakmp)# group 2
    R1(config-isakmp)# hash sha
    R1(config-isakmp)# exit
  2. Set a shared key (use the other router’s IP):
    R1(config)# crypto isakmp key 0 Sh@reds3cret address 2.2.2.1
  3. Make a transform set (this is phase 2):
    R1(config)# crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
    R1(cfg-crypto-trans)# exit
  4. Make an IPsec profile:
    R1(config)# crypto ipsec profile PF-PNL
    R1(ipsec-profile)# set transform-set TFS-PNL
    R1(ipsec-profile)# exit
  5. Apply the profile to the tunnel. (Note: tunnel mode ipsec ipv4 turns Tunnel0 into an IPsec virtual tunnel interface instead of a GRE tunnel; to keep GRE encapsulation protected by IPsec, leave the interface in its default GRE mode and apply only the tunnel protection command.)
    R1(config)# interface Tunnel0
    R1(config-if)# tunnel mode ipsec ipv4
    R1(config-if)# tunnel protection ipsec profile PF-PNL
    R1(config-if)# exit

On R3

Repeat the same steps, but use R1’s IP for the key.

R3(config)# crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encryption aes
R3(config-isakmp)# group 2
R3(config-isakmp)# hash sha
R3(config-isakmp)# exit
R3(config)# crypto isakmp key 0 Sh@reds3cret address 1.1.1.1
R3(config)# crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
R3(cfg-crypto-trans)# exit
R3(config)# crypto ipsec profile PF-PNL
R3(ipsec-profile)# set transform-set TFS-PNL
R3(ipsec-profile)# exit
R3(config)# interface Tunnel0
R3(config-if)# tunnel mode ipsec ipv4
R3(config-if)# tunnel protection ipsec profile PF-PNL
R3(config-if)# exit
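Most failures in Steps 1, 2 and 4 come from the two routers not mirroring each other: a tunnel destination that is not the peer's tunnel source, a pre-shared key bound to the wrong address, or a profile that names a transform set that does not exist. As an added example (not part of the original guide or of Cisco IOS), here is a small Python checker that reads both routers' pasted CLI and cross-checks those relationships. The two sample configurations are constructed from this guide's values, with a third copy that carries a truncated destination address to show what the checker reports; the parsing rules and function names are mine and cover only the commands this guide uses.

```python
import ipaddress
import re

# Constructed sample input: the Tunnel0 and IPsec lines for both routers from this guide,
# pasted with their console prompts as they appear in a terminal session.
R1_CONFIG = """\
R1(config)# interface Tunnel0
R1(config-if)# ip address 10.0.0.1 255.255.255.252
R1(config-if)# tunnel source 1.1.1.1
R1(config-if)# tunnel destination 2.2.2.1
R1(config-if)# tunnel protection ipsec profile PF-PNL
R1(config-if)# exit
R1(config)# crypto isakmp key 0 Sh@reds3cret address 2.2.2.1
R1(config)# crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
R1(config)# crypto ipsec profile PF-PNL
R1(ipsec-profile)# set transform-set TFS-PNL
"""
R3_CONFIG = """\
R3(config)# interface Tunnel0
R3(config-if)# ip address 10.0.0.2 255.255.255.252
R3(config-if)# tunnel source 2.2.2.1
R3(config-if)# tunnel destination 1.1.1.1
R3(config-if)# tunnel protection ipsec profile PF-PNL
R3(config-if)# exit
R3(config)# crypto isakmp key 0 Sh@reds3cret address 1.1.1.1
R3(config)# crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
R3(config)# crypto ipsec profile PF-PNL
R3(ipsec-profile)# set transform-set TFS-PNL
"""
# The same R3 config with a truncated destination address, to show what the checker catches.
R3_CONFIG_TYPO = R3_CONFIG.replace("tunnel destination 1.1.1.1", "tunnel destination 1.1.1.")

PROMPT_RE = re.compile(r"^\S+\([^)]*\)#\s*")   # strips a prompt such as "R1(config-if)# "

def parse_router(text):
    """Pull Tunnel0, pre-shared key, transform-set and profile settings out of pasted CLI."""
    cfg = {"tunnel": {}, "keys": {}, "transform_sets": set(), "profiles": {}}
    context = None                                  # sub-mode entered by the last command
    for raw in text.splitlines():
        words = PROMPT_RE.sub("", raw).split()
        if not words:
            continue
        if words[0] == "exit":
            context = None
        elif words[:2] == ["interface", "Tunnel0"]:
            context = "tunnel"
        elif words[:3] == ["crypto", "ipsec", "profile"]:
            context = ("profile", words[3])
            cfg["profiles"].setdefault(words[3], None)
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"].add(words[3])
        elif words[:3] == ["crypto", "isakmp", "key"]:       # crypto isakmp key 0 <secret> address <peer>
            cfg["keys"][words[6]] = words[4]
        elif context == "tunnel" and words[0] in ("ip", "tunnel"):
            # e.g. "tunnel source 1.1.1.1" -> cfg["tunnel"]["tunnel source"] = "1.1.1.1"
            cfg["tunnel"][" ".join(words[:2])] = " ".join(words[2:])
        elif isinstance(context, tuple) and words[:2] == ["set", "transform-set"]:
            cfg["profiles"][context[1]] = words[2]
    return cfg

def valid_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def check_pair(local_text, remote_text):
    """Cross-check two routers' configs; returns a list of problems (empty means consistent)."""
    a, b = parse_router(local_text), parse_router(remote_text)
    problems = []
    for name, cfg, peer in (("local", a, b), ("remote", b, a)):
        t = cfg["tunnel"]
        for field in ("tunnel source", "tunnel destination"):
            if not valid_ipv4(t.get(field, "")):
                problems.append(f"{name}: {field} is not a valid IPv4 address: {t.get(field)!r}")
        # The two ends must mirror each other: my destination is the peer's source.
        if t.get("tunnel destination") != peer["tunnel"].get("tunnel source"):
            problems.append(f"{name}: tunnel destination does not match the peer's tunnel source")
        # The profile applied under "tunnel protection" must exist and name a real transform set.
        profile = t.get("tunnel protection", "").rpartition(" ")[2] or None
        if profile not in cfg["profiles"]:
            problems.append(f"{name}: Tunnel0 references undefined ipsec profile {profile!r}")
        elif cfg["profiles"][profile] not in cfg["transform_sets"]:
            problems.append(f"{name}: profile {profile} references an undefined transform-set")
        # The pre-shared key must be bound to the peer's tunnel source address.
        if peer["tunnel"].get("tunnel source") not in cfg["keys"]:
            problems.append(f"{name}: no pre-shared key configured for the peer's tunnel source")
    # Both tunnel addresses must be distinct hosts of one subnet (here a /30).
    try:
        ia, ib = (ipaddress.IPv4Interface(c["tunnel"]["ip address"].replace(" ", "/")) for c in (a, b))
        if ia.network != ib.network or ia.ip == ib.ip:
            problems.append("tunnel interface addresses are not two distinct hosts of one subnet")
    except (KeyError, ValueError):
        problems.append("tunnel interface address missing or malformed")
    if set(a["keys"].values()) != set(b["keys"].values()):
        problems.append("pre-shared keys differ between the two routers")
    return problems

if __name__ == "__main__":
    print("guide configs :", check_pair(R1_CONFIG, R3_CONFIG) or "consistent")
    print("truncated addr:", check_pair(R1_CONFIG, R3_CONFIG_TYPO))
```

Run against the guide's two configurations the checker returns an empty list; against the copy with the truncated destination it reports both that the address is not valid IPv4 and that R3's destination no longer matches R1's tunnel source, which is exactly the mismatch that leaves a tunnel showing "line protocol is down".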

Step 5: Make Sure Everything Works

Send a ping from one side to the other.

Check the IPsec status:

show crypto isakmp sa

You want to see “QM_IDLE.” This means phase 1 is working.

Next, check phase 2:

show crypto ipsec sa

You should see “Status: ACTIVE.”

Summary Checklist

  • Set up GRE tunnel on both routers.
  • Add static routes.
  • Test the tunnel with a ping.
  • Set up IPsec on both routers.
  • Apply the IPsec profile to the tunnel.
  • Test again with a ping.
  • Check the IPsec status.

Why This Matters

  • Your data is safe from prying eyes.
  • The tunnel is reliable and strong.
  • You can connect networks far away as if they are next to each other.

Tips

  • Always double-check IP addresses.
  • Use strong keys.
  • If something does not work, check each step again.
  • MTU and MSS settings help avoid dropped packets.

This setup gives you a secure, reliable tunnel. You can now connect two networks safely, and your data stays private. If you follow these steps, you’ll feel confident and successful.