
GRE & VPN

beef410's version from 2018-04-03 15:39

General

Question: Answer
GRE: Generic Routing Encapsulation. Wraps one protocol's packets inside another (by default IP) so routing protocols and multicast can cross a WAN; GRE itself provides no encryption or authentication.
VPN: Provides data origin authentication, data integrity and replay protection (anti-replay sequence numbers stop a man-in-the-middle who captured a valid packet from re-sending it to be accepted again).
IPsec: By itself does not carry dynamic routing protocols such as EIGRP/OSPF (classic IPsec has no tunnel interface and cannot carry their multicast hellos). Adds data integrity, data origin authentication and confidentiality.
GRE + IPsec: Combined they give authenticated, encrypted encapsulation that can carry routing protocols. This is the secure tunnelling that makes up the backbone of a site-to-site VPN over a WAN.
ip address: The tunnel interface's own IP (the overlay address shared with the far end), not the physical WAN address.
local tunnel source: equals the remote router's tunnel destination
local tunnel destination: equals the remote router's tunnel source
Default: GRE defaults to running over IPv4 (tunnel mode gre ip); the outer header is IP protocol 47.

Config

Question: Answer
(config)# interface tunnel 1: Creates the logical GRE tunnel interface Tunnel1
(config-if)# ip address <ip> <mask>: Applied to the tunnel's logical interface (the overlay network, in the same subnet as the far end's tunnel address)
(config-if)# tunnel source <interface | ip>: The local physical interface, by name or by its IP
(config-if)# tunnel destination <ip>: Takes the remote router's physical IP, not an interface name. The local router must already have a route to that address in its routing table, learned outside the tunnel.
show interface tunnel <n>: Shows the tunnel state, what GRE is encapsulating ("Tunnel protocol/transport GRE/IP") and the configured source/destination
Ping: To test the tunnel, ping the remote tunnel IP, not the tunnel destination address: a reply from the destination only proves the underlay works, not that traffic went through the tunnel. show ip route shows which routes point out the Tunnel interface.
(config-if)# tunnel mode gre <proto>: Selects ip (default), ipv6 or multipoint
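The configuration steps above, carried through for both ends of a tunnel, as an added example that is not part of the original card set. The addresses (198.51.100.1, 203.0.113.1, 172.16.0.0/30, 10.1.1.0/24, 10.2.2.0/24), interface names and the pre-shared key are assumptions for the illustration; it also adds the IPsec profile from the GRE + IPsec card so OSPF runs over an encrypted tunnel.

```cisco
! ---- R1 (assumed WAN 198.51.100.1/30 on Gi0/0, LAN 10.1.1.0/24) ----
! Underlay: the route to the tunnel destination must NOT go through the tunnel
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
ip route 0.0.0.0 0.0.0.0 198.51.100.2
!
! IPsec protection for the GRE tunnel (REPLACE-ME is a placeholder key)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-ME address 203.0.113.1
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROF
 set transform-set GRE-TS
!
! The GRE tunnel: overlay address, source, destination, protection.
! MTU/MSS are lowered to leave room for the GRE and ESP headers.
interface Tunnel1
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROF
!
! Routing runs over the tunnel; the WAN /30 is deliberately NOT advertised
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.3 area 0
!
! ---- R2 (assumed WAN 203.0.113.1/30 on Gi0/0, LAN 10.2.2.0/24) ----
! Mirror image: R2's tunnel source is R1's tunnel destination and vice versa
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
ip route 0.0.0.0 0.0.0.0 203.0.113.2
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-ME address 198.51.100.1
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROF
 set transform-set GRE-TS
interface Tunnel1
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-PROF
router ospf 1
 network 10.2.2.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.3 area 0
!
! ---- Verification from R1 ----
! show interface tunnel 1             -> up/up, "Tunnel protocol/transport GRE/IP", source/dest
! ping 172.16.0.2 source 172.16.0.1   -> exercises the tunnel path, not just the underlay
! show ip route ospf                  -> 10.2.2.0/24 via 172.16.0.2, Tunnel1
! show crypto ipsec sa                -> #pkts encaps/decaps counters increasing
```

Transport mode is used because GRE already supplies the outer IP header; tunnel mode would add a third header for no benefit. A pre-shared key is shown for brevity; certificates or IKEv2 are the stronger choice in production.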

Troubleshoot

Question: Answer
IP: Source/destination of the two ends must be mirror images of each other
Routing table: Make sure the routes learned across the tunnel are in the routing table and point out the Tunnel interface
Tunnel is up/down: The local router has no route to the tunnel destination; line protocol stays down until one exists
Recursive routing: The tunnel can carry routing advertisements, so the local router may learn the route to its own tunnel destination (the remote physical IP) through the tunnel. That path is not legal, since the tunnel would have to be encapsulated inside itself. IOS logs %TUN-5-RECURDOWN and disables the tunnel, the learned route is withdrawn, the tunnel comes back up and the cycle repeats (flapping).
Flapping: To prevent recursive routing, keep the WAN (underlay) prefixes out of the routing protocol running over the tunnel, filter them with a distribute-list, adjust the metric so the physical path wins, or pin the tunnel destination with a static route.
up/up: Check both ends of the tunnel. GRE is stateless and has no keepalives by default, so one side showing up/up does not depend on the other side being configured or reachable; enable tunnel keepalives if the state should reflect the far end.
GRE: Uses IP protocol 47, not a TCP/UDP port. Watch for ACLs without a permit gre entry (and, when the tunnel is IPsec-protected, without ESP and UDP 500/4500).
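The ACL mistake, the keepalive and the recursive-routing fixes from the cards above, as an added example that is not part of the original deck. The addresses, interface names and OSPF process number are assumptions carried over for the illustration; the log message quoted in the comments is the one IOS emits for recursive routing.

```cisco
! WRONG - GRE is IP protocol 47, not TCP/UDP port 47. This line never matches a
! GRE packet, so the list's implicit deny drops the whole tunnel.
ip access-list extended WAN-IN
 permit tcp host 203.0.113.1 host 198.51.100.1 eq 47
!
! RIGHT - match the IP protocol with the gre keyword. When the tunnel is IPsec
! protected the wire carries ESP and ISAKMP/NAT-T instead, so permit those too.
no ip access-list extended WAN-IN
ip access-list extended WAN-IN
 permit gre host 203.0.113.1 host 198.51.100.1
 permit esp host 203.0.113.1 host 198.51.100.1
 permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.1 host 198.51.100.1 eq non500-isakmp
 permit icmp host 203.0.113.1 host 198.51.100.1 echo-reply
 deny ip any any log
interface GigabitEthernet0/0
 ip access-group WAN-IN in
!
! Make up/up mean something: GRE keepalives (plain GRE tunnel assumed) send a
! probe every 10 s and bring line protocol down after 3 unanswered probes.
interface Tunnel1
 keepalive 10 3
!
! Recursive routing: OSPF runs over the tunnel, so if the far end advertises its
! WAN /30, this router learns the route to 203.0.113.1 via Tunnel1. IOS logs
! "%TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing",
! the tunnel drops, the route is withdrawn, the tunnel returns: flapping.
!
! Fix 1: pin the tunnel destination to the physical next hop with a /32 static.
ip route 203.0.113.1 255.255.255.255 198.51.100.2
!
! Fix 2: filter the far end's underlay prefix out of routes learned via the tunnel.
ip prefix-list NO-UNDERLAY seq 5 deny 203.0.113.0/30
ip prefix-list NO-UNDERLAY seq 10 permit 0.0.0.0/0 le 32
router ospf 1
 distribute-list prefix NO-UNDERLAY in Tunnel1
!
! Verify
! show ip route 203.0.113.1   -> next hop 198.51.100.2 via Gi0/0, never Tunnel1
! show interface tunnel 1     -> up/up, and it stays up
```

Either fix alone stops the flap; the static /32 is the simplest, while the prefix-list also protects against other underlay prefixes leaking into the overlay later.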

DMVPN

Question: Answer
DMVPN: Dynamic Multipoint VPN
Why: One multipoint GRE (mGRE) tunnel interface on the hub serves every spoke, instead of a separate point-to-point tunnel interface per spoke, in a hub-and-spoke design. The VPN overlay also lets spokes build direct spoke-to-spoke tunnels on demand rather than hairpinning all traffic through the hub.
Needs: A stable dynamic routing protocol (or static routes), multipoint GRE, Next Hop Resolution Protocol (NHRP), and IPsec
NHRP: Keeps track of the mapping between each router's logical tunnel IP and its physical (NBMA) interface IP. Works client/server: the hub is the Next Hop Server (NHS); spokes are clients that register their mapping with it and query it to resolve other spokes' physical addresses.
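A DMVPN hub and one spoke wired together from the four ingredients listed above, as an added example and not part of the original deck. It shows phase 2 behaviour (direct spoke-to-spoke tunnels); addresses, interface names, the tunnel key, the NHRP network-id and authentication string, the EIGRP AS number and the pre-shared key are all assumptions for the illustration.

```cisco
! ---- Shared IPsec profile (identical on hub and every spoke) ----
! Wildcard peer address because spoke WAN IPs may be dynamic; REPLACE-ME is a
! placeholder and certificates are preferable to a shared wildcard PSK.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-ME address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! ---- HUB (assumed WAN 198.51.100.1 on Gi0/0, LAN 10.0.0.0/24) ----
! One mGRE interface for all spokes: no tunnel destination, spokes register via NHRP.
! "map multicast dynamic" replicates EIGRP multicast to every registered spoke.
! Split horizon off so spoke routes are re-advertised out the same interface;
! next-hop-self off so spokes see each other as next hop (phase 2 spoke-to-spoke).
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 10.0.0.0 0.0.0.255
!
! ---- SPOKE (assumed WAN on Gi0/0, possibly dynamic; LAN 10.1.1.0/24) ----
! Static NHRP map tells the spoke the hub's tunnel IP -> physical IP, and that
! the hub is its Next Hop Server. Routing-protocol multicast goes to the hub only.
! The spoke is also mGRE so it can terminate dynamic spoke-to-spoke tunnels.
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip nhrp map 172.16.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 10.1.1.0 0.0.0.255
!
! ---- Verification ----
! hub#   show ip nhrp        -> one dynamic entry per registered spoke (tunnel IP -> NBMA IP)
! hub#   show dmvpn          -> peer NBMA and tunnel addresses, state UP
! spoke# show ip nhrp        -> after traffic to another spoke, a resolved entry for it
! spoke# traceroute <other spoke LAN host> -> after the first packets, goes direct, not via the hub
```

The hub and spoke tunnel interfaces are almost identical; the difference is that only the spoke names an NHS and carries static maps, while the hub learns every mapping dynamically from spoke registrations.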