Security is a major concern when using the Internet. VPNs protect data by creating a private tunnel over a public network. Within this tunnel, encryption secures the data as it crosses the Internet, and authentication protects it from unauthorized access.
INTRODUCING VPNs
VPNs are used to create an end-to-end private network connection over third-party networks, such as the Internet or extranets. To implement VPNs, a VPN gateway is necessary - it could be a router, a firewall, or a specific device.
GRE - GENERIC ROUTING ENCAPSULATION
GRE is a basic, non-secure, site-to-site VPN tunneling protocol. It encapsulates a wide variety of protocol packet types inside IP tunnels.
GRE creates a virtual point-to-point link to routers at remote points over an IP internetwork.
GRE is described in RFC 2784.

Source: Huawei documentation
GRE was first developed to carry protocols between networks. Later, its role shifted towards providing routing-based protocol tunneling.
CHARACTERISTICS OF GRE
1. GRE is an IETF standard and is identified by IP protocol number 47.
2. GRE encapsulation uses a protocol type field in the GRE header to support the encapsulation of any OSI Layer 3 protocol.
3. GRE does not include any strong security mechanisms to protect its payload.
4. The GRE header, together with the tunneling IP header, creates at least 24 bytes of additional overhead for tunneled packets.
Cost saving;
Security;
Scalability;
Compatibility with broadband technology.
WHY GRE?
An IPsec VPN does not allow routes to be forwarded between diverse site-to-site networks, as only static routing is allowed. GRE, by contrast, provides a mechanism for encapsulating packets of one protocol inside packets of another protocol and enables routing between remote and disparate networks.
IPSec VPN SUPPORT FOR GRE
GRE has one limitation: it cannot secure packets as they are carried across a public network (the Internet).
To add encryption, IPSec is used together with GRE: the GRE tunnels are carried inside IPSec tunnels, which provide integrity and confidentiality.

Source: Huawei documentation
GRE CONFIGURATION
The steps for configuring GRE are as follows:
create the tunnel interface;
configure the GRE encapsulation type;
set the tunnel source address or source interface and set the tunnel destination address;
set the tunnel interface network address (for supporting routes).
SOME KEY CONSIDERATIONS
Tunnel routes must be available on both ends (the source and destination devices) so that packets encapsulated with GRE can be forwarded correctly.
Either static or dynamic routes can be used to pass traffic through tunnel interfaces.
An MTU of 1476 bytes is sufficient, as GRE adds 24 bytes of overhead.
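The 24-byte overhead, the 1476-byte MTU and the unprotected payload noted above can all be checked against the GRE header layout in RFC 2784. The following Python sketch is an added example, not taken from the Huawei documentation; the inner addresses, the payload bytes and all function names are constructed for illustration, and the optional key field follows RFC 2890.

```python
import socket
import struct

IPPROTO_GRE = 47         # outer IP protocol number that identifies GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left 0 (not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def gre_header(proto_type, key=None):
    """GRE header per RFC 2784; optional 32-bit key per RFC 2890."""
    if key is None:
        return struct.pack("!HH", 0x0000, proto_type)
    return struct.pack("!HHI", 0x2000, proto_type, key)

def parse_gre(packet):
    """Parse a GRE-in-IPv4 packet; return overhead and the inner payload."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer IP protocol is not 47 (GRE)")
    flags, proto_type = struct.unpack_from("!HH", packet, ihl)
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    # C (checksum), K (key) and S (sequence) each add one 4-byte field.
    present = [bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000)]
    gre_len = 4 + 4 * sum(present)
    key_off = ihl + 4 + 4 * present[0]
    key = struct.unpack_from("!I", packet, key_off)[0] if present[1] else None
    return {"proto_type": proto_type, "key": key,
            "overhead": ihl + gre_len, "payload": packet[ihl + gre_len:]}

def tunnel_mtu(link_mtu, checksum=False, key=False, sequence=False):
    """Largest inner packet that fits without fragmenting the outer one."""
    return link_mtu - 20 - 4 - 4 * (checksum + key + sequence)

def build_sample(key=None):
    """Constructed sample: inner IPv4 packet (protocol 253) carried in GRE."""
    data = b"constructed cleartext payload"
    inner = ipv4_header("10.10.1.10", "10.10.2.10", 253, len(data)) + data
    gre = gre_header(ETHERTYPE_IPV4, key)
    return ipv4_header("30.1.1.1", "30.1.1.2", IPPROTO_GRE,
                       len(gre) + len(inner)) + gre + inner

if __name__ == "__main__":
    info = parse_gre(build_sample())
    print(info["overhead"], tunnel_mtu(1500))   # 24 1476
    print(info["payload"][20:])                 # inner data is readable as-is
```

Enabling the GRE key, checksum or sequence option adds 4 bytes each, so a tunnel with a key configured needs an MTU of 1472 rather than 1476 on a 1500-byte link.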

Source: Huawei documentation
[RTA]display interface Tunnel 0/0/1
Tunnel0/0/1 current state : UP
Line protocol current state : UP
Last line protocol up time : 2019-03-21 05:37
Description:HUAWEI, AR Series, Tunnel0/0/1 Interface
Route Port, The Maximum Transmit Unit is 1476
Internet Address is 30.1.1.1/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 30.1.1.1 (GigabitEthernet0/0/1), destination 30.1.1.2
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled
……
VALIDATION OF GRE
An entry in the routing table verifies the tunnel establishment.
Routes for GRE can be static or dynamic.
[RTA]display ip routing-table
Route Flags: R - relay, D - download to fib
--------------------------------------------------------------
Routing Tables: Public Destinations : 13 Routes : 14
Destination/Mask Proto Pre Cost Flags NextHop Interface
……
10.10.2.0/24 Static 60 0 RD 30.1.1.2 Tunnel 0/0/1
GRE provides a cost-effective way to run dynamic routing between remote networks that commonly belong to a single administrative domain. An IPSec VPN is normally preferred where there is a need to provide a site-to-site private tunnel over which dynamic routing information may be transmitted, but it is not capable of forwarding routing information.



thanks for sharing
