Introduction to Generic Routing Encapsulation and basic configuration methods

Source: Internet
Author: User

As we all know, IPSec can be used to encapsulate a variety of packets, such as router-to-router, firewall-to-router, PC-to-router and PC-to-server traffic, to secure the packets exchanged between these devices. It has two encapsulation modes: tunnel mode and transport mode. Transport mode encapsulates only the payload of the packet, while tunnel mode also encapsulates the packet's original IP header.

In this article, let's take a look at one of the more common encapsulation methods used with IPSec tunnel mode: Generic Routing Encapsulation (hereinafter GRE).

GRE uses its own encapsulation header to wrap both the header and the payload of the original packet. Network designers typically use it to hide the original IP header of a packet by carrying that header as part of the GRE payload. By hiding this information, designers can carry traffic into another network through a "hidden tunnel" without changing the underlying architecture of either network.

The following are the basic configuration methods for GRE:


[Figure: network topology diagram (image attachment, 42.45 KB, uploaded 2010-7-7 12:59)]



Let's first look at the general information in this network topology diagram: the network contains three Cisco routers. R1 and R2, and R2 and R3, are connected by serial links. We will configure a GRE tunnel between R1 and R3.

On R1, serial interface s0/0/0 has the address 192.168.12.1/24 and connects to R2's serial interface at 192.168.12.2/24. R2's serial interface s0/0/1 has the address 192.168.23.2/24 and connects to R3's serial interface s0/0/1 at 192.168.23.3/24 (the address used as the tunnel destination in the configuration below). All interfaces in this part of the network are connected through Enhanced Interior Gateway Routing Protocol (hereinafter EIGRP) autonomous system 1. In addition, R1 and R3 each have a loopback interface, created specifically for this lab environment.

Before formally starting to configure the GRE tunnel, allow me to explain what this topology represents in a real deployment. In the figure, R2 can be seen as an intermediary connecting two remote sites (R1 and R3). Establishing a GRE tunnel between R1 and R3 creates a simple VPN between the two sites and lets them exchange routes with each other. This type of GRE-based VPN is not encrypted by default, but encryption can be added with a simple configuration.

We now start configuring the GRE tunnel between R1 and R3:

A GRE tunnel is a logical interface used to connect two endpoint devices. It is somewhat similar to the loopback interfaces mentioned earlier, which are virtual interfaces created in software. Because two devices are involved in this environment, the tunnel interface must be configured on both devices and the two ends connected to each other.

On Cisco IOS 12.0 or later, first enter configuration mode and create a tunnel interface; here the tunnel number is 0. Then specify the source interface of the tunnel and the IP address of the far end, and finally configure the IP address and subnet mask of the tunnel interface itself. The relevant commands are as follows:

R1(config)# interface tunnel0
R1(config-if)# tunnel source serial0/0/0
R1(config-if)# tunnel destination 192.168.23.3
R1(config-if)# ip address 172.16.13.1 255.255.255.0

R3(config)# interface tunnel0
R3(config-if)# tunnel source serial0/0/1
R3(config-if)# tunnel destination 192.168.12.1
R3(config-if)# ip address 172.16.13.3 255.255.255.0

After the configuration is complete, you can check connectivity between the tunnel endpoints with the ping command:

R1# ping 172.16.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/69/72 ms

R3# ping 172.16.13.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/68/72 ms

As mentioned earlier, once the GRE tunnel is up we still need to configure a dynamic routing protocol so that the remote sites can dynamically learn which IP networks are reachable through each other. Here we again use EIGRP, but we place the GRE tunnel in autonomous system 2. The relevant commands are as follows:

R1(config)# router eigrp 2
R1(config-router)# no auto-summary
R1(config-router)# network 172.16.0.0

R3(config)# router eigrp 2
R3(config-router)# no auto-summary
R3(config-router)# network 172.16.0.0

Once this is done, we can use the show ip eigrp neighbors 2 command to check whether the other side has been accepted as a neighbor by the routing protocol.

R1# show ip eigrp neighbors 2
IP-EIGRP neighbors for process 2
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.13.3             Tu0               10 00:01:14  100  5000  0  3

R3# show ip eigrp neighbors 2
IP-EIGRP neighbors for process 2
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.13.1             Tu0               13 00:02:47 1608  5000  0  2

Finally, we can view the routing tables of the three routers:

R1# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, Serial0/0/0
     172.16.0.0/24 is subnetted, 3 subnets
C       172.16.13.0 is directly connected, Tunnel0
C       172.16.1.0 is directly connected, Loopback0
D       172.16.3.0 [90/297372416] via 172.16.13.3, 00:04:23, Tunnel0
D    192.168.23.0/24 [90/2681856] via 192.168.12.2, 03:06:16, Serial0/0/0


R2# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, Serial0/0/0
C    192.168.23.0/24 is directly connected, Serial0/0/1


R3# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

D    192.168.12.0/24 [90/2681856] via 192.168.23.2, 03:06:54, Serial0/0/1
     172.16.0.0/24 is subnetted, 3 subnets
C       172.16.13.0 is directly connected, Tunnel0
D       172.16.1.0 [90/297372416] via 172.16.13.1, 00:05:12, Tunnel0
C       172.16.3.0 is directly connected, Loopback0
C    192.168.23.0/24 is directly connected, Serial0/0/1

You can see from the three routing tables that R1 and R3 have learned each other's routes through the tunnel (the loopback networks), whereas R2 is not involved in the tunnel and therefore shows no information about it.


After these configurations are complete, R2 does not need to know that there are private networks behind R1 and R3; it simply forwards IP packets based on their destination address. In this experiment, because the data carried in the GRE tunnel is wrapped in a new IP header, R2 forwards it based only on the outermost IP header. A routing protocol must therefore run across both ends of the GRE tunnel so that the remote sites can dynamically learn which IP networks are reachable through each other.
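The two viewpoints in this paragraph, what R2 sees and what R3 recovers, are made concrete by the following Python example. It is added here and is not part of the original article; it builds the outer IPv4 header and the basic 4-byte GRE header (protocol type 0x0800) around a constructed inner packet using the lab addresses above, then parses the result first as the transit router and then as the tunnel endpoint. The ICMP body is a constructed placeholder and no IPsec is applied, so the inner packet comes out in plaintext.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO = 47           # IP protocol number of GRE in the outer header
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 payload

def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header (0 if already valid)."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header without options, TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner: bytes, tun_src: str, tun_dst: str) -> bytes:
    """What R1 does on Tunnel0: outer IP (proto 47) + basic GRE header + inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # C/K/S flags clear, version 0
    outer = ipv4_header(tun_src, tun_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner

def transit_view(pkt: bytes) -> dict:
    """What R2 sees: it forwards on the outer destination and never looks inside."""
    return {"forward_to": str(IPv4Address(pkt[16:20])), "proto": pkt[9]}

def gre_decapsulate(pkt: bytes) -> dict:
    """What R3 does: strip outer IP + GRE; the inner packet is plaintext, not encrypted."""
    ihl = (pkt[0] & 0x0F) * 4
    flags, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if pkt[9] != GRE_PROTO or ptype != ETHERTYPE_IPV4 or flags & 0xB000:
        raise ValueError("not a basic IPv4-in-GRE packet")  # C/K/S bits extend the header
    inner = pkt[ihl + 4:]
    return {"inner_src": str(IPv4Address(inner[12:16])),
            "inner_dst": str(IPv4Address(inner[16:20])),
            "inner_payload": inner[20:]}

# Constructed sample: a packet from R1's loopback network to R3's loopback network,
# carried across the tunnel from R1 s0/0/0 (192.168.12.1) to R3 s0/0/1 (192.168.23.3).
INNER_BODY = b"constructed ICMP echo placeholder"
INNER = ipv4_header("172.16.1.1", "172.16.3.1", 1, len(INNER_BODY)) + INNER_BODY
TUNNELED = gre_encapsulate(INNER, "192.168.12.1", "192.168.23.3")

if __name__ == "__main__":
    print("R2 forwards on:", transit_view(TUNNELED))
    print("R3 recovers:", gre_decapsulate(TUNNELED))
```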


