GRE over IPsec Tunnel Configuration on Cisco Routers | Secure EIGRP over Internet
Step-by-step GRE over IPsec tunnel configuration on Cisco routers using EIGRP. Learn how to build a secure and encrypted tunnel across the internet with Netvorx Pro.
Raza Rehman
🔹 Overview
In modern enterprise networks, securing dynamic routing traffic across untrusted links—like the internet—is essential. One of the most common and reliable methods is GRE over IPsec, a combination that merges the flexibility of Generic Routing Encapsulation (GRE) with the strong security of IPsec encryption.
Below is the topology diagram representing our lab setup:
| Device | Tunnel IP | Public IP | LAN Subnet |
|---|---|---|---|
| R-ISB | 172.16.1.1/24 | 1.1.1.1 | 192.168.111.0/24 |
| R-KHI | 172.16.1.2/24 | 2.2.2.1 | 192.168.222.0/24 |
🔹 How GRE over IPsec Works
-
GRE (Generic Routing Encapsulation)
- Encapsulates routing traffic such as EIGRP, OSPF, or multicast into a unicast tunnel.
- Provides logical connectivity between routers even if the underlying network is public.
-
IPsec Encryption
- Protects the GRE traffic using encryption and authentication.
- Ensures confidentiality, integrity, and authentication across the public WAN or internet.
-
Combined Use
- GRE allows routing protocols and multiprotocol traffic.
- IPsec ensures that the GRE tunnel traffic is securely encrypted.
🔹 Configuration Steps
We’ll configure R-ISB and R-KHI routers with GRE tunnels protected by IPsec.
🖥️ R-ISB Configuration
interface Tunnel1
ip address 172.16.1.1 255.255.255.0
ip mtu 1400
tunnel source 1.1.1.1
tunnel destination 2.2.2.1
tunnel protection ipsec profile abc
router eigrp 1
network 172.16.0.0
network 192.168.111.0
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 2.2.2.1
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
crypto ipsec profile abc
set security-association lifetime seconds 86400
set transform-set TS
🖥️ R-KHI Configuration
interface Tunnel1
ip address 172.16.1.2 255.255.255.0
ip mtu 1400
tunnel source 2.2.2.1
tunnel destination 1.1.1.1
tunnel protection ipsec profile abc
router eigrp 1
network 172.16.0.0
network 192.168.222.0
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
crypto ipsec profile abc
set security-association lifetime seconds 86400
set transform-set TS
🔹 Verification Commands
After configuration, verify your tunnel using the following commands:
show interface tunnel 1
show crypto isakmp sa
show crypto ipsec sa
show ip route
ping 172.16.1.2 source 172.16.1.1
If everything is configured correctly, you should see EIGRP neighbor relationships established over the tunnel and encrypted traffic counters increasing.
🔹 Troubleshooting Tips
| Issue | Likely Cause | Fix |
|---|---|---|
| Tunnel is down | Incorrect source/destination IP | Verify tunnel endpoints |
| EIGRP not forming | IPsec tunnel not encrypting GRE | Check ISAKMP/IPsec SA status |
| No traffic | MTU mismatch | Adjust ip mtu 1400 and ip tcp adjust-mss 1360 |
🔹 Summary
By configuring GRE over IPsec, we achieve the best of both worlds:
- GRE provides routing protocol compatibility (EIGRP, OSPF, BGP).
- IPsec adds encryption, integrity, and secure communication.
This setup is ideal for branch connectivity over the internet, ensuring dynamic routing and end-to-end data protection.
🔹 Learn, Build & Secure Networks with Netvorx Pro
At Netvorx Pro Pvt Ltd, we design, secure, and manage enterprise networks — from MPLS and VPNs to Azure and FTTH systems.
💼 Connect with us:
