IPSec over GRE and IPSec VTI

When reviewing the topic of IPSec over GRE tunnels, I have observed that there are several ways to implement it. However, some posts are confusing people. For example, one post is titled "IPSec over GRE Tunnel", but the actual configuration is IPSec static VTI (Virtual Tunnel Interface), because the configuration under the tunnel interface has one line which indicates that the tunnel mode has been changed:

tunnel mode ipsec ipv4

So, in this post, I would like to clarify some misunderstandings.

GRE as IPSec interested traffic

This is the first, and probably the least-used, solution for IPSec over GRE. We set up a LAN-to-LAN IPSec tunnel between the physical interfaces of the two routers. Under the crypto map, we define the interesting traffic as the GRE packets exchanged between the tunnel endpoints:

access-list 105 permit gre <tunnel_source_ip> <tunnel_source_mask> <tunnel_des_ip> <tunnel_des_mask>

Once traffic (for example a ping) is sent between the two ends of the tunnel, the GRE packets match the ACL and the IPSec tunnel is set up. The following is the basic configuration of the two routers.

R1

!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
crypto isakmp key CISCO address 150.1.12.2
!
!
crypto ipsec transform-set R1_TO_R2 esp-aes 192 esp-sha-hmac
!
crypto ipsec profile TEST
set transform-set R1_TO_R2
!
!
crypto map CRYPTO_MAP 10 ipsec-isakmp
set peer 150.1.12.2
set transform-set R1_TO_R2
match address 105
!
interface Tunnel0
ip address 150.1.121.1 255.255.255.0
tunnel source 150.1.12.1
tunnel destination 150.1.12.2
!
interface Serial1/0
ip address 150.1.12.1 255.255.255.0
crypto map CRYPTO_MAP
!
access-list 105 permit gre 150.1.12.0 0.0.0.255 150.1.12.0 0.0.0.255
!

R2

!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
crypto isakmp key CISCO address 150.1.12.1
!
!
crypto ipsec transform-set R2_TO_R1 esp-aes 192 esp-sha-hmac
!
crypto ipsec profile TEST
set transform-set R2_TO_R1
!
!
crypto map CRYPTO_MAP 10 ipsec-isakmp
set peer 150.1.12.1
set transform-set R2_TO_R1
match address 105
!
interface Tunnel0
ip address 150.1.121.2 255.255.255.0
tunnel source 150.1.12.2
tunnel destination 150.1.12.1
!
interface Serial1/0
ip address 150.1.12.2 255.255.255.0
crypto map CRYPTO_MAP
!
access-list 105 permit gre 150.1.12.0 0.0.0.255 150.1.12.0 0.0.0.255
!

GRE Tunnel Protection

Since we use the tunnel protection command under the tunnel interface, we don't need to define a crypto map; instead, we define an IPSec profile and apply it to the tunnel interface. The following is the basic configuration. Please note that there is no "tunnel mode ipsec ipv4" command, which means the tunnel mode is still GRE.

R1

!
crypto ipsec transform-set R1_TO_R2 esp-aes 192 esp-sha-hmac
!
crypto ipsec profile TEST
set transform-set R1_TO_R2
!
interface Tunnel0
ip address 150.1.121.1 255.255.255.0
tunnel source 150.1.12.1
tunnel destination 150.1.12.2
tunnel protection ipsec profile TEST
!
interface Serial1/0
ip address 150.1.12.1 255.255.255.0
!

R2

!
crypto ipsec transform-set R2_TO_R1 esp-aes 192 esp-sha-hmac
!
crypto ipsec profile TEST
set transform-set R2_TO_R1
!
interface Tunnel0
ip address 150.1.121.2 255.255.255.0
tunnel source 150.1.12.2
tunnel destination 150.1.12.1
tunnel protection ipsec profile TEST
!
interface Serial1/0
ip address 150.1.12.2 255.255.255.0
!

Removing the 4-byte GRE header?

Cisco introduced IPSec VTI (Virtual Tunnel Interface) in IOS 12.3T. Its purpose is to provide a new tunnel mode that removes the 4-byte GRE header from the traffic. However, different tunnel modes suit different applications. Here are some considerations for IPSec VTI: the IPSec VTI is limited to IP unicast and multicast traffic only, as opposed to GRE tunnels, which have a wider application for IPSec implementation. Thus, for some non-IP traffic, we still need IPSec over GRE.

R1

!
crypto ipsec transform-set R1_TO_R2 esp-aes 192 esp-sha-hmac
!
crypto ipsec profile TEST
set transform-set R1_TO_R2
!
interface Tunnel0
ip address 150.1.121.1 255.255.255.0
tunnel source 150.1.12.1
tunnel destination 150.1.12.2
tunnel protection ipsec profile TEST
tunnel mode ipsec ipv4
!
interface Serial1/0
ip address 150.1.12.1 255.255.255.0
!

R2

!
crypto ipsec transform-set R2_TO_R1 esp-aes 192 esp-sha-hmac
!
crypto ipsec profile TEST
set transform-set R2_TO_R1
!
interface Tunnel0
ip address 150.1.121.2 255.255.255.0
tunnel source 150.1.12.2
tunnel destination 150.1.12.1
tunnel protection ipsec profile TEST
tunnel mode ipsec ipv4
!
interface Serial1/0
ip address 150.1.12.2 255.255.255.0
!
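To show where the byte counts in the discussion of this post come from, here is an added Python model (not code from the original post) of the headers each of the three designs puts on the wire. It assumes the esp-aes 192 esp-sha-hmac transform set from the configs (AES-CBC with a 16-byte IV and 16-byte padding alignment, 12-byte SHA-1 ICV), IPv4 headers without options, plain 4-byte GRE headers, and that static VTI always runs in tunnel mode; it also covers the "mode transport" variant of GRE/IPsec mentioned in the comments.

```python
# Constructed model (not from the original post) of per-packet overhead for
# GRE/IPsec (crypto map or tunnel protection) versus static VTI.
IP_HDR = 20        # IPv4 header without options
GRE_HDR = 4        # plain GRE header: the 4 bytes that "tunnel mode ipsec ipv4" removes
ESP_HDR = 8        # SPI + sequence number
AES_BLOCK = 16     # esp-aes (AES-CBC): 16-byte IV, payload padded to 16-byte blocks
ESP_TRAILER = 2    # pad length + next header
SHA_ICV = 12       # esp-sha-hmac: HMAC-SHA1-96 integrity check value


def esp_size(inner_len):
    """Bytes of ESP header, IV, padded inner data, trailer and ICV around inner_len bytes."""
    pad = (-(inner_len + ESP_TRAILER)) % AES_BLOCK  # align to the AES block size
    return ESP_HDR + AES_BLOCK + inner_len + pad + ESP_TRAILER + SHA_ICV


def header_stack(design, ipsec_mode="tunnel"):
    """Order of headers on the wire for one original IP packet."""
    if design == "vti":                       # assumption: sVTI is tunnel mode, no GRE
        return ["IP", "ESP", "IP", "payload"]
    if design != "gre":
        raise ValueError("design must be 'gre' or 'vti'")
    if ipsec_mode == "tunnel":                # crypto map / tunnel protection, default mode
        return ["IP", "ESP", "IP", "GRE", "IP", "payload"]
    return ["IP", "ESP", "GRE", "IP", "payload"]  # GRE/IPsec with 'mode transport'


def wire_size(original_len, design, ipsec_mode="tunnel"):
    """Bytes on the wire for an original IPv4 packet of original_len bytes."""
    if design == "vti":
        return IP_HDR + esp_size(original_len)          # original packet is the ESP payload
    if design != "gre":
        raise ValueError("design must be 'gre' or 'vti'")
    if ipsec_mode == "tunnel":
        # GRE delivery IP header + GRE header are encrypted, then a new outer IP is added
        return IP_HDR + esp_size(IP_HDR + GRE_HDR + original_len)
    # transport mode: ESP sits after the GRE delivery IP header, which is not duplicated
    return IP_HDR + esp_size(GRE_HDR + original_len)


def overhead(original_len, design, ipsec_mode="tunnel"):
    """Extra bytes added to the original packet by the chosen design."""
    return wire_size(original_len, design, ipsec_mode) - original_len


if __name__ == "__main__":
    for n in (100, 1400):
        for design, mode in (("gre", "tunnel"), ("gre", "transport"), ("vti", "tunnel")):
            print(n, design, mode, "|".join(header_stack(design, mode)),
                  "overhead:", overhead(n, design, mode))
```

Running it shows that ESP padding can absorb the 4-byte GRE difference: for a 100-byte packet, VTI and transport-mode GRE/IPsec end up the same size on the wire, while tunnel-mode GRE/IPsec costs 16 bytes more.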

10 Responses to “IPSec over GRE and IPSec VTI”

  1. Fantastic article! I have not found very many other clear explanations of the differences between static VTI and a regular GRE/IP tunnel with IPSEC protection, and that is exactly what I was looking for.

    Great job!

  2. That is one excellent article… thanks brother…
    In a nutshell, from a network configuration standpoint, to turn IPSec over GRE into IPSec VTI is to add the following to the tunnel interface.

    tunnel mode ipsec ipv4

    :)

  3. Thanks for this article… I have been wondering why sometimes I see tunnels without the “tunnel mode ipsec ipv4” command on there.

    Very helpful!!

  4. Thank you for this article makes things a lot easier :D Thanks!!!!

  5. For GRE/IPsec you can remove 16 bytes more with IPsec in transport mode:
    crypto ipsec transform-set R1_TO_R2 esp-aes 192 esp-sha-hmac
    mode transport

    This works for both forms of GRE encapsulation.

  6. Thanks buddy!

  7. Thanks!

  8. Great article. Helped me understand the basics of IPSec + GRE very quickly.

  9. Hi,

    Thanks for the article. It gives a clear overview of the various IPsec implementations.

    Why do you say IPsec over GRE? It should be the opposite, as GRE is encrypted and encapsulated within an IPsec header. That confused me a little, and I had to spend some time in my lab.

    When you talk about saving 4 bytes with VTIs, am I correct in saying that the resulting IP header will be (with transport mode):
    | IP | ESP | IP | ….

    instead of

    | IP | ESP | GRE | IP | …..

    as depicted in figure 5 here:
    http://stack.nil.com/ipcorner/IPsecVPN2/#chapter7

    Thanks

  10. Hi Marco,

    Thanks for your comments. I guess your question is about a term that is widely used but does not have a strict standard. We all accept that Protocol A over Protocol B means Protocol A encapsulates Protocol B. For example, PPPoE means protocol PPP encapsulates protocol Ethernet. IPSec over GRE means protocol IPSec encapsulates protocol GRE, as depicted in figure 5 you gave me. For your 2nd comment, I haven't had time to conduct a test. Intuitively, you are right: there is no 4-byte GRE header.