
Cisco: GRE

Topology

IP

Project name: ccna-vpn-gre-0001-gre

  • R1
enable
configure terminal
!
hostname R1
! Lab convenience: do not attempt DNS resolution on mistyped commands
no ip domain-lookup
line console 0
! exec-timeout 0 0 disables the console idle timeout; lab only
exec-timeout 0 0
logging synchronous
exit
!
! LAN side toward PC-1 (10.100.0.100)
interface GigabitEthernet 0/0
ip address 10.100.0.1 255.255.255.0
no shutdown
exit
! WAN side toward R3; this static address is replaced by the PPPoE client / Dialer 1 setup later on this page
interface GigabitEthernet 0/1
ip address 100.0.0.1 255.255.0.0
no shutdown
exit
!
end
write
  • R2
enable
configure terminal
!
hostname R2
! Lab convenience: do not attempt DNS resolution on mistyped commands
no ip domain-lookup
line console 0
! exec-timeout 0 0 disables the console idle timeout; lab only
exec-timeout 0 0
logging synchronous
exit
!
! LAN side toward PC-2 (10.200.0.200)
interface GigabitEthernet 0/0
ip address 10.200.0.2 255.255.255.0
no shutdown
exit
! WAN side toward R4; this static address is replaced by the PPPoE client / Dialer 1 setup later on this page
interface GigabitEthernet 0/1
ip address 200.0.0.2 255.255.0.0
no shutdown
exit
!
end
write
  • R3
enable
configure terminal
!
hostname R3
! Lab convenience: do not attempt DNS resolution on mistyped commands
no ip domain-lookup
line console 0
! exec-timeout 0 0 disables the console idle timeout; lab only
exec-timeout 0 0
logging synchronous
exit
!
! Link to R4 (34.0.0.0/24); carries the BGP peering configured below
interface GigabitEthernet 0/0
ip address 34.0.0.3 255.255.255.0
no shutdown
exit
! Access port toward R1: intentionally no IP address, it becomes the PPPoE server port later on this page
interface GigabitEthernet 0/1
no shutdown
exit
!
end
write
  • R4
enable
configure terminal
!
hostname R4
! Lab convenience: do not attempt DNS resolution on mistyped commands
no ip domain-lookup
line console 0
! exec-timeout 0 0 disables the console idle timeout; lab only
exec-timeout 0 0
logging synchronous
exit
!
! Link to R3 (34.0.0.0/24); carries the BGP peering configured below
interface GigabitEthernet 0/0
ip address 34.0.0.4 255.255.255.0
no shutdown
exit
! Access port toward R2: intentionally no IP address, it becomes the PPPoE server port later on this page
interface GigabitEthernet 0/1
no shutdown
exit
!
end
write
  • PC-1
ip 10.100.0.100 255.255.255.0 10.100.0.1
save
  • PC-2
ip 10.200.0.200 255.255.255.0 10.200.0.2
save

Configure Basic Routing Protocols (BGP, Static Routing)

  • R3
configure terminal
!
! R3 is AS 3 and peers eBGP with R4 (34.0.0.4), which it expects in AS 4;
! R4's own "router bgp" AS number must match this remote-as or the session will not form
router bgp 3
neighbor 34.0.0.4 remote-as 4
! Advertise the /32 handed to R1 by the PPPoE pool (100.0.0.1) toward R4;
! the /32 must be present in R3's routing table for BGP to originate it
network 100.0.0.1 mask 255.255.255.255
exit
!
end
  • R4
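configure terminal
!
! R4 is AS 4: R3 is configured with "neighbor 34.0.0.4 remote-as 4", so an
! AS number of 3 here would make the eBGP session fail with an AS mismatch
router bgp 4
neighbor 34.0.0.3 remote-as 3
! Advertise the /32 handed to R2 by the PPPoE pool (200.0.0.2) toward R3;
! the /32 must be present in R4's routing table for BGP to originate it
network 200.0.0.2 mask 255.255.255.255
exit
!
end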

Configure PPPoE Server and Client

  • R1
configure terminal
!
! Physical WAN port becomes a pure PPPoE client port; the IP address lives on Dialer 1
interface GigabitEthernet 0/1
no ip address
pppoe enable
pppoe-client dial-pool-number 10
exit
!
! Clamp TCP MSS for LAN hosts (1356 here; lowered to 1332 in the GRE sections below)
interface GigabitEthernet 0/0
ip tcp adjust-mss 1356
exit
!
! Loopback carries the fixed WAN address; Dialer 1 borrows it via ip unnumbered
interface Loopback 1
ip address 100.0.0.1 255.255.255.0
exit
!
interface Dialer 1
ip unnumbered Loopback 1
ip mtu 1454
encapsulation ppp
dialer pool 10
dialer-group 20
ppp authentication chap callin
! CHAP credentials presented to the PPPoE server (R3); they must match R3's username line.
! The password is stored in cleartext in the running config, so copies of this config are sensitive
ppp chap hostname ccie@example.com
ppp chap password cc13
no shutdown
exit
!
! Remote WAN block and the R3-R4 link are reached through the PPPoE session
ip route 200.0.0.0 255.255.0.0 Dialer 1
ip route 34.0.0.0 255.255.255.0 Dialer 1
!
! Interesting traffic for dialer-group 20: any IP
dialer-list 20 protocol ip permit
!
end
  • R2
configure terminal
!
! Physical WAN port becomes a pure PPPoE client port; the IP address lives on Dialer 1
interface GigabitEthernet 0/1
no ip address
pppoe enable
pppoe-client dial-pool-number 10
exit
!
! Clamp TCP MSS for LAN hosts (1356 here; lowered to 1332 in the GRE sections below)
interface GigabitEthernet 0/0
ip tcp adjust-mss 1356
exit
!
! Loopback carries the fixed WAN address; Dialer 1 borrows it via ip unnumbered
interface Loopback 1
ip address 200.0.0.2 255.255.255.0
exit
!
interface Dialer 1
ip unnumbered Loopback 1
ip mtu 1454
encapsulation ppp
dialer pool 10
dialer-group 20
ppp authentication chap callin
! CHAP credentials presented to the PPPoE server (R4); they must match R4's username line.
! The password is stored in cleartext in the running config, so copies of this config are sensitive
ppp chap hostname ccie@example.com
ppp chap password cc13
no shutdown
exit
!
! Remote WAN block and the R3-R4 link are reached through the PPPoE session
ip route 100.0.0.0 255.255.0.0 Dialer 1
ip route 34.0.0.0 255.255.255.0 Dialer 1
!
! Interesting traffic for dialer-group 20: any IP
dialer-list 20 protocol ip permit
!
end
  • R3
configure terminal
!
! CHAP account for the PPPoE client (R1). CHAP needs the reversible password on the
! server side, so this cannot be a "secret"; treat this config as sensitive
username ccie@example.com password cc13
!
! Single-address pool: the client is always handed 100.0.0.1
ip local pool POOL1 100.0.0.1
!
interface Loopback1
ip address 100.1.3.3 255.255.255.0
exit
!
! Template for the per-session virtual interface: MTU 1454, address borrowed from Loopback1,
! peer address from POOL1, peer must pass CHAP
interface Virtual-Template1
mtu 1454
ip unnumbered Loopback1
peer default ip address pool POOL1
ppp authentication chap
exit
!
bba-group pppoe PPPOE-GROUP1
virtual-template 1
exit
!
! Access port toward R1: no IP address, PPPoE sessions only
interface GigabitEthernet 0/1
no ip address
pppoe enable group PPPOE-GROUP1
no shut
exit
!
end
  • R4
configure terminal
!
! CHAP account for the PPPoE client (R2). CHAP needs the reversible password on the
! server side, so this cannot be a "secret"; treat this config as sensitive
username ccie@example.com password cc13
!
! Single-address pool: the client is always handed 200.0.0.2
ip local pool POOL1 200.0.0.2
!
interface Loopback1
ip address 200.2.4.4 255.255.255.0
exit
!
! Template for the per-session virtual interface: MTU 1454, address borrowed from Loopback1,
! peer address from POOL1, peer must pass CHAP
interface Virtual-Template1
mtu 1454
ip unnumbered Loopback1
peer default ip address pool POOL1
ppp authentication chap
exit
!
bba-group pppoe PPPOE-GROUP1
virtual-template 1
exit
!
! Access port toward R2: no IP address, PPPoE sessions only
interface GigabitEthernet 0/1
no ip address
pppoe enable group PPPOE-GROUP1
no shut
exit
!
end

Static Routing

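configure terminal
!
! R1: GRE tunnel toward R2 with a static route for the remote LAN
!
interface GigabitEthernet 0/0
 ! TCP MSS clamp for LAN hosts; derivation of the candidates (bytes):
 ! MSS 1500 - 24 = 1476 (Ethernet + GRE)
 ! MSS 1500 - 8 = 1492 (PPPoE)
 ! MSS 1454 - 40 = 1414 (NTT NGN + PPPoE)
 ! MSS 1454 - 40 - 24 = 1390 (NTT NGN + PPPoE + GRE)
 ! MSS 1356 - 24 = 1332 (NTT NGN + PPPoE + IPsec(3des, md5-hmac) + GRE)
 ! The keyword is hyphenated ("adjust-mss"), as accepted in the verification transcript
 ip tcp adjust-mss 1332
exit
!
! Plain GRE: no confidentiality or integrity. The 1332 figure above already
! reserves room for IPsec, which is not configured on this page.
interface Tunnel 0
 ip address 192.168.0.1 255.255.255.252
 tunnel source 100.0.0.1
 tunnel destination 200.0.0.2
 ! GRE keepalive (10 s period, 5 retries) so the line protocol tracks peer reachability
 keepalive 10 5
exit
!
! Remote LAN (PC-2) is reachable only through the tunnel
ip route 10.200.0.0 255.255.255.0 Tunnel 0
! NOTE(review): the verification section adds an egress ACL on R2's Dialer 1 so LAN
! traffic never leaves unencapsulated; no equivalent guard for R1's Dialer 1 is shown on this page
!
end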
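configure terminal
!
! R2: GRE tunnel toward R1 with a static route for the remote LAN
!
interface GigabitEthernet 0/0
 ! MSS 1356 - 24 = 1332 (NTT NGN + PPPoE + IPsec(3des, md5-hmac) + GRE)
 ! The keyword is hyphenated ("adjust-mss"), as accepted in the verification transcript
 ip tcp adjust-mss 1332
exit
!
! Plain GRE: no confidentiality or integrity. The 1332 figure above already
! reserves room for IPsec, which is not configured on this page.
interface Tunnel 0
 ip address 192.168.0.2 255.255.255.252
 tunnel source 200.0.0.2
 tunnel destination 100.0.0.1
 ! GRE keepalive (10 s period, 5 retries) so the line protocol tracks peer reachability
 keepalive 10 5
exit
!
! Remote LAN (PC-1) is reachable only through the tunnel. If this route is missing,
! LAN traffic would follow the Dialer 1 default path unencapsulated; the verification
! section applies ACL A-security-out outbound on Dialer 1 to drop exactly that case.
ip route 10.100.0.0 255.255.255.0 Tunnel 0
!
end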

Dynamic Routing

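configure terminal
!
! R1: GRE tunnel toward R2 with OSPF across the tunnel
!
interface GigabitEthernet 0/0
 ! MSS 1356 - 24 = 1332 (NTT NGN + PPPoE + IPsec(3des, md5-hmac) + GRE)
 ! The keyword is hyphenated ("adjust-mss"), as accepted in the verification transcript
 ip tcp adjust-mss 1332
exit
!
! Plain GRE: no confidentiality or integrity. The 1332 figure above already
! reserves room for IPsec, which is not configured on this page.
! NOTE(review): no GRE keepalive here, unlike the static section; a dead peer is
! detected by the OSPF dead timer instead.
interface Tunnel 0
 ip address 192.168.0.1 255.255.255.252
 tunnel source 100.0.0.1
 tunnel destination 200.0.0.2
exit
!
! Wildcard 0.0.0.0 enables OSPF on exactly the LAN address and the tunnel address
router ospf 1
 network 10.100.0.1 0.0.0.0 area 0
 network 192.168.0.1 0.0.0.0 area 0
exit
!
end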
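configure terminal
!
! R2: GRE tunnel toward R1 with OSPF across the tunnel
!
interface GigabitEthernet 0/0
 ! MSS 1356 - 24 = 1332 (NTT NGN + PPPoE + IPsec(3des, md5-hmac) + GRE)
 ! The keyword is hyphenated ("adjust-mss"), as accepted in the verification transcript
 ip tcp adjust-mss 1332
exit
!
! Plain GRE: no confidentiality or integrity. The 1332 figure above already
! reserves room for IPsec, which is not configured on this page.
! NOTE(review): no GRE keepalive here, unlike the static section; a dead peer is
! detected by the OSPF dead timer instead.
interface Tunnel 0
 ip address 192.168.0.2 255.255.255.252
 tunnel source 200.0.0.2
 tunnel destination 100.0.0.1
exit
!
! Wildcard 0.0.0.0 enables OSPF on exactly the LAN address and the tunnel address
router ospf 1
 network 10.200.0.2 0.0.0.0 area 0
 network 192.168.0.2 0.0.0.0 area 0
exit
!
end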

Verification

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int Tunn
R1(config)#int Tunnel 0
R1(config-if)#ip add
R1(config-if)#ip address 
*Apr 11 20:53:56.068: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#ip address 192.168.0.1 255.255.255.252
R1(config-if)#tu
R1(config-if)#tunnel sou
R1(config-if)#tunnel source 100.0.0.1
R1(config-if)#tun
R1(config-if)#tunnel des
R1(config-if)#tunnel destination 200.0.0.2
R1(config-if)#k
*Apr 11 20:54:27.480: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config-if)#ke
R1(config-if)#keepalive 10 5
R1(config-if)#exit
R1(config)#ip route 10.200.0.0 255.255.255.0 tu
R1(config)#ip route 10.200.0.0 255.255.255.0 tunnel 0
R1(config)#
*Apr 11 20:55:25.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config)#int gig0/0
R1(config-if)#ip tc
R1(config-if)#ip tcp ad
R1(config-if)#ip tcp adjust-mss 1332
R1(config-if)#
*Apr 11 20:57:05.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config-if)#exit
R1(config)#do ping 10.200.0.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.0.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/7/8 ms
R1(config)#do ping 10.200.0.200 source 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.0.200, timeout is 2 seconds:
Packet sent with a source address of 100.0.0.1 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 6/256/1005 ms
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int gig0/0
R2(config-if)#ip tc
R2(config-if)#ip tcp ad
R2(config-if)#ip tcp adjust-mss 1332
R2(config-if)#int tunn0
R2(config-if)#
*Apr 11 20:56:18.973: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R2(config-if)#ip add
R2(config-if)#ip address 192.168.0.2 255.255.255.252
R2(config-if)#tu
R2(config-if)#tunnel so
R2(config-if)#tunnel source 200.0.0.2
R2(config-if)#tu
R2(config-if)#tunnel des
R2(config-if)#tunnel destination 100.0.0.1
R2(config-if)#
*Apr 11 20:56:49.333: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config-if)#ke
R2(config-if)#keepalive 10 5
R2(config-if)#exit
R2(config)#ip router 10.100.0.0 255.255.255.0 tun
R2(config)#ip router 10.100.0.0 255.255.255.0 tunn
R2(config)#ip route 10.100.0.0 255.255.255.0 tunn 
R2(config)#ip route 10.100.0.0 255.255.255.0 tunnel 0

Works correctly.

Issue: return packets are not GRE-encapsulated; they must be dropped.

Configure an ACL on the R2 side.

R2(config)#ip acce
R2(config)#ip access-list ex
R2(config)#ip access-list extended A-security-out
R2(config-ext-nacl)#den
R2(config-ext-nacl)#deny ip 10.200.0.0 0.0.0.255 an
R2(config-ext-nacl)#deny ip 10.200.0.0 0.0.0.255 any 
R2(config-ext-nacl)#permi
R2(config-ext-nacl)#permit an
R2(config-ext-nacl)#permit any any
                            ^
% Invalid input detected at '^' marker.

R2(config-ext-nacl)#permit ip an  
R2(config-ext-nacl)#permit ip any an
R2(config-ext-nacl)#permit ip any any 
R2(config-ext-nacl)#int dia1
R2(config-if)#ip access
R2(config-if)#ip access-group A-security-out out
R2(config-if)#noip access-group A-security-out out
                ^
% Invalid input detected at '^' marker.

R2(config-if)#no ip access-group A-security-out out
R2(config-if)#ip access-group A-security-out out   

R1(config-ext-nacl)#do ping 10.200.0.200 source 100.0.0.1             
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.0.200, timeout is 2 seconds:
Packet sent with a source address of 100.0.0.1 
.....
Success rate is 0 percent (0/5)
R1(config-ext-nacl)#

Works as intended: with the ACL applied, the replies that would leave R2's Dialer 1 unencapsulated are now dropped (0/5).

Dynamic routing verification

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int gig0/0
R1(config-if)#ip ad
R1(config-if)#ip tc
R1(config-if)#ip tcp ad
R1(config-if)#ip tcp adjust-mss 1332
R1(config-if)#int tunnel 0
R1(config-if)#
*Apr 11 22:51:00.006: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#ip add
R1(config-if)#ip address 192.168.0.1 255.255.255.252
R1(config-if)#tunne
R1(config-if)#tunnel so
R1(config-if)#tunnel source dia
R1(config-if)#tunnel source dialer 1
R1(config-if)#tunn
R1(config-if)#tunnel des
R1(config-if)#tunnel destination 200
R1(config-if)#tunnel destination 200.0.0.1
R1(config-if)#
*Apr 11 22:51:56.139: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config-if)#do ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1(config-if)#tunnel source loo           
R1(config-if)#tunnel source loopback 1
R1(config-if)#do ping 192.168.0.2     
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1(config-if)#do ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1(config-if)#kee                
R1(config-if)#keepalive 10 5
R1(config-if)#do ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1(config-if)#do ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
R1(config-if)#tunnel source loopback  
*Apr 11 22:56:09.028: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#do sh ip int tun0      
Tunnel0 is up, line protocol is down
  Internet address is 192.168.0.1/30
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1430 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  IP multicast fast switching is enabled
          
R1(config-if)#tunn
R1(config-if)#tunnel so
R1(config-if)#tunnel source 100.0.0.1
R1(config-if)#tu
R1(config-if)#tunnel so
R1(config-if)#tunnel source dia
R1(config-if)#tunnel source dialer 1
R1(config-if)#tu
R1(config-if)#tunnel des
R1(config-if)#tunnel destination 200.0.0.2
R1(config-if)#
*Apr 11 22:57:49.034: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config-if)#do ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/8/11 ms
R1(config-if)#router ospf 1
R1(config-router)#network 10.100.0.1 0.0.0.0 are
R1(config-router)#network 10.100.0.1 0.0.0.0 area 0
R1(config-router)#ne
R1(config-router)#netwo
R1(config-router)#network 192.168.0.1 0.0.0.0 area 0
R1(config-router)#
*Apr 11 23:03:46.160: %OSPF-5-ADJCHG: Process 1, Nbr 200.0.0.2 on Tunnel0 from LOADING to FULL, Loading Done
R1(config-router)#do sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
200.0.0.2         0   FULL/  -        00:00:38    192.168.0.2     Tunnel0
R1(config-router)#do sh ip ro ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O        10.200.0.0/24 [110/1001] via 192.168.0.2, 00:00:13, Tunnel0
R1(config-router)#ping 10.200.0.204
                   ^
% Invalid input detected at '^' marker.

R1(config-router)#do ping 10.200.0.204
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.0.204, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/18 ms
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int gig0/0
R2(config-if)#ip tc
R2(config-if)#ip tcp ad
R2(config-if)#ip tcp adjust-mss 1332
R2(config-if)#int tun0 
R2(config-if)#
*Apr 11 22:51:16.347: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R2(config-if)#tunn
R2(config-if)#tunnel sou
R2(config-if)#tunnel source dia
R2(config-if)#tunnel source dialer 1
R2(config-if)#ip add
R2(config-if)#ip address 192.168.0.2 255.255.255.252 
R2(config-if)#tu
R2(config-if)#tunnel des
R2(config-if)#tunnel destination 100.0.0.1
R2(config-if)#
*Apr 11 22:53:04.664: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config-if)#tunnel source loo                     
R2(config-if)#tunnel source loopback 1
R2(config-if)#kee
R2(config-if)#keepalive 10 5
R2(config-if)#
*Apr 11 22:56:15.362: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R2(config-if)#do sh ip int tun0
Tunnel0 is up, line protocol is down
  Internet address is 192.168.0.2/30
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1430 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  IP multicast fast switching is enabled
          
R2(config-if)#tunn
R2(config-if)#tunnel so
R2(config-if)#tunnel source 200.0.0.2
R2(config-if)#tunnel source dia         
R2(config-if)#tunnel source dialer 1
R2(config-if)#tun
R2(config-if)#tunnel 
*Apr 11 22:57:55.370: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config-if)#tunnel des
R2(config-if)#tunnel destination 100.0.0.1
R2(config-if)#router ospf 1
R2(config-router)#netwo
R2(config-router)#network 10.200.0.2 0.0.0.0 area 0
R2(config-router)#netwo
R2(config-router)#network 192.168.0.2 0.0.0.0 area 0
R2(config-router)#
*Apr 11 23:03:47.152: %OSPF-5-ADJCHG: Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
PC-1> ping 10.200.0.204
84 bytes from 10.200.0.204 icmp_seq=1 ttl=62 time=6.818 ms
84 bytes from 10.200.0.204 icmp_seq=2 ttl=62 time=6.569 ms
84 bytes from 10.200.0.204 icmp_seq=3 ttl=62 time=5.863 ms
84 bytes from 10.200.0.204 icmp_seq=4 ttl=62 time=4.850 ms
84 bytes from 10.200.0.204 icmp_seq=5 ttl=62 time=5.164 ms

PC-1> 

TCP SYN packet MSS negotiation

PC-3 - PC-4

# PC-3 (Linux): address on R1's LAN, default route via R1
ifconfig eth0 10.100.0.103 netmask 255.255.255.0 broadcast 10.100.0.255
route add default gw 10.100.0.1 eth0
# PC-4 (Linux): address on R2's LAN, default route via R2
ifconfig eth0 10.200.0.204 netmask 255.255.255.0 broadcast 10.200.0.255
route add default gw 10.200.0.2 eth0
# PC-4: serve a one-line page with PHP's built-in server, bound to all interfaces on port 80 (lab only)
echo "hello, PC-4">index.html
php -S 0.0.0.0:80
# PC-3: fetch the page across the tunnel; the TCP SYN of this request carries the clamped MSS (see section heading)
curl http://10.200.0.204/index.html

References
