VPN technology: GRE

VPN technology: GRE
GRE is a lightweight tunnel protocol developed by Cisco. It can encapsulate various network layer protocols into an IP package and create a virtual point-to-point link through a tunnel, connect the two routers for data transmission. GRE itself is not encrypted, but IPSEC can be used to protect data in GRE, that is, GRE Over IPSEC. Our commonly used DMVPN is also a type of GRE. Encapsulation: Packet Capture: GRE experiment topology: Experiment Introduction: R1 and R3 simulate a company's routers in two different places, R2 simulate a carrier's router. R1 is located in Beijing and R3 is located in Shanghai. To allow Shanghai employees to access servers in Beijing, create a GRE tunnel between R1 and R3 and enable dynamic routing protocol, connect the networks behind the R1 and R3 routers. Basic Network Configuration: R1 (config) # int f0/0R1 (config-if) # ip add 12.1.1.1255.20.255.0r1 (config-if) # no shutR1 (config-if) # int lo 0R1 (config-if) # ip add 1.1.1.1255.20.255.0r1 (config) # ip route 0.0.0.0 0.0.012.1.1.2 R2 (config) # int f0/0R2 (config-if) # ip add 12.1.1.22.16255.255.0r2 (config-if) # no shutR2 (config-if) # int f1/0R2 (config-if) # ip add 23.1.1.22.16255.255.0r2 (config-if) # no shut R3 (config) # int f1/0R3 (config-if) # ip Add 23.1.1.32.16255.255.0r3 (config-if) # no shutR3 (config-if) # int lo 0R3 (config-if) # ip add 3.3.3.32.16255.255.0r3 (config) # ip route 0.0.0.0.0 0.0.3.1.021.2 GRE Configuration: r1: R1 (config) # int tunnel 0R1 (config-if) # ip add 172.16.1.1255.20.255.0r1 (config-if) # tunnel source f0/0R1 (config-if) # tunnel destination23.1.1.3 R3: r3 (config) # int tunnel 0R3 (config-if) # ip add 172.16.1.22.16255.255.0r3 (config-if) # tunnel source F1/0R3 (config-if) # tunnel destination12.1.1.1 test: R1 # ping 172.16.1.2Type escape sequence to abort. sending 5, 100-byte ICMP Echos to172.16.1.2, timeout is 2 seconds :!!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 56/84/104 MS Dynamic Routing Protocol: R1: R1 (config) # router ospf 110R1 (config-router) # net 1.1.1.0 0.0.255a 0R1 (config-router) # net 172.16.1.00.0.0.255 a 0 R3: R3 (config) # router ospf 110R3 (config-router) # net 3.3.3.0 0.0.0.255a 0R3 (config-router) # net 172.16.1.00.0.0.255 a 0 test: View OSPF neighbors: R1 # show ip ospf neighborNeighbor ID Pri State Dead Time Address Interface3.3. 3.3 0 FULL/-00:00:38 172.16.1.2 Tunnel0Ping test: R1 # ping 3.3.3.3 source 1.1.1.1Type escape sequence to abort. sending 5, 100-byte ICMP Echos to3.3.3.3, timeout is 2 seconds: Packet sent with a source address of1.1.1.1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 44/79/100 MS can see that R1 and the network behind R3 has been connected, need to note, at this time, the data is not encrypted. As long as the data is captured in the middle, the content can be seen, which is not safe. You can use GRE Over IPSEC to encapsulate GRE data in the ipsec vpn. In this way, the data is encrypted. You can also use the GRE interface to enable the dynamic routing protocol and add an ACL for route control, which is much more flexible than the pure L2L ipsec vpn.