IPSec over GRE

Both IPSec and GRE are standard Virtual Private Networking (VPN) tunneling protocols for site-to-site data communication. They are included by default in many enterprise grade Router/Firewall/VPN products, and usually are inter-operable between different brands. All RansNet mbox appliances (CMG, HSG, HSA) support these two protocols as well.

IPSec includes a suit of security protocols that provide data security, authenticity and integrity (see earlier post). However, IPSec has some limitations, eg. IPSec used to have problems when tunnels pass through NAT device (although can work around with NAT-T), and most importantly IPSec tunnel does not support dynamic routing protocols (eg. OSPF/BGP). This makes large sites deployment difficult, because large scale deployment usually relies on dynamic routing to auto learn networks between sites and auto fail-over between redundant paths etc.

GRE is a very commonly used encapsulation protocol and it's very easy to implement. In addition, GRE tunnel supports dynamic routing protocols across the tunnel. However, GRE tunnel does not encrypt data across the WAN/Internet so it's not ideal for security.

"IPSec over GRE" combines the best of both worlds. So the idea is to build GRE tunnel between site-to-site, run dynamic routing protocols within GRE tunnel, so that we can auto learn routes and pass data between sites within GRE tunnels and fast fail-over between redundant tunnels/paths if any; then use IPSec to encrypt GRE tunnel, therefore all data transmitted within GRE tunnel is also encrypted.

There're two main drivers for using "IPSec over GRE":

  1. Encrypt multiple networks between sites. Usually if we use IPSec only, we have to specify all the networks in the encryption domains (local and remote LANs), which can easily prompt configuration errors. And there are also compatibility problems between different vendor products due to implementation differences. So building a single GRE tunnel and a simple IPSec tunnel to encrypt the GRE tunnel is very simple, then we just need to add routes (static or dynamic) to forward traffic across the GRE tunnel.
  2. Simplify deployment. In large scale deployment, with multiple remote sites, we will prefer to use dynamic routing protocols (eg. OSPF/BGP) to auto learn and advertise network routes among all sites. This makes configuration very simple and very easy to maintain. Many SD-WAN vendors use this combination as their underlying SD-WAN technologies, overlayed with some other advanced features.

There're a few things we need to take note when implementing "IPSec over GRE"

  1. Since we're talking about static tunnels here, both peers must have publicly reachable static IP addresses (SD-WAN implementation will be a separate discussion).
  2. GRE and IPSec tunnels add overheads (headers) to original packets, so we need to decrease the GRE tunnel mtu size to "shrink" a bit of the data payload size. The recommended GRE tunnel mtu size is 1400.
  3. Note L3 GRE tunnel requires IP address assignment, usually a private/unused network, and the peer tunnel IP addresses must be in the same network/subnet.
  4. If you're running OSPF between sites, then just follow OSPF configuration to advertise routes; if you're not, just add static routes to reach each other via the GRE tunnel (use peer GRE tunnel IP as next hope).
  5. If you have firewall SNAT rules, please make sure to have "exempt" rule to supersede the SNAT rules, so that the tunnel source/destination is not being mistakenly overwritten by firewall.
  6. Configure other firewall-access rules necessary to allow traffic to pass through each other.

CONFIGURATION EXAMPLE

!hostname remote!interface eth0 description "Connection to WAN" enable ip address 110.19.112.126/30!interface eth1 description "Connection to LAN" enable!interface eth2!interface eth3!interface tun0 tunnel local 110.19.112.126 remote 96.3.36.10 enable mtu 1400 ip address 11.11.11.2/30!interface vlan 1 20 description "local LAN" enable ip address 10.2.1.1/24!ip default-gateway 110.19.112.125ip route 10.1.1.0/24 nexthop 11.11.11.1!firewall-access 10 permit outbound eth0firewall-access 11 permit outbound tun0 src 10.2.1.0/24!firewall-snat 08 exempt outbound eth0 src 11.11.11.0/30 remark "bypass SNAT for tunnel traffic"firewall-snat 10 overload outbound eth0!ipsec ike-policy 10 authentication psk policy AES SHA 14 keylife 28800 version 2!ipsec esp-policy 10 policy AES SHA 14 keylife 3600!ipsec peer 96.3.36.10 local ip 110.19.112.126 local-net 11.11.11.2 remote-net 11.11.11.1 policy ike 10 esp 10 psk Letmein99!ipsec start