IPSec over GRE

Both IPSec and GRE are standard Virtual Private Networking (VPN) tunneling protocols for site-to-site data communication. They are included by default in many enterprise-grade router/firewall/VPN products and are usually interoperable between different brands. All RansNet mbox appliances (CMG, HSG, HSA) support these two protocols as well.

IPSec is a suite of security protocols that provide data confidentiality, authenticity and integrity (see earlier post). However, IPSec has some limitations: it has had problems when tunnels pass through a NAT device (although this can be worked around with NAT-T), and, most importantly, an IPSec tunnel does not support dynamic routing protocols (e.g. OSPF/BGP). This makes large multi-site deployments difficult, because they usually rely on dynamic routing to automatically learn the networks behind each site, fail over between redundant paths, and so on.

GRE is a very commonly used encapsulation protocol and is very easy to implement. In addition, a GRE tunnel carries dynamic routing protocols across the tunnel. However, GRE does not encrypt the data it carries across the WAN/Internet, so on its own it provides no confidentiality.

"IPSec over GRE" combines the best of both worlds. The idea is to build a GRE tunnel between the sites and run dynamic routing protocols inside it, so that routes are learned automatically, data passes between sites within the GRE tunnel, and traffic fails over quickly between redundant tunnels/paths where they exist; IPSec is then used to encrypt the GRE tunnel, so all data transmitted within the GRE tunnel is also encrypted.

There are two main drivers for using "IPSec over GRE":

There are a few things to take note of when implementing "IPSec over GRE":

CONFIGURATION EXAMPLE

!
hostname remote
!
interface eth0
 description "Connection to WAN"
 enable
 ip address 110.19.112.126/30
!
interface eth1
 description "Connection to LAN"
 enable
!
interface eth2
!
interface eth3
!
interface tun0
 tunnel local 110.19.112.126 remote 96.3.36.10
 enable
 mtu 1400
 ip address 11.11.11.2/30
!
interface vlan 1 20
 description "local LAN"
 enable
 ip address 10.2.1.1/24
!
ip default-gateway 110.19.112.125
ip route 10.1.1.0/24 nexthop 11.11.11.1
!
firewall-access 10 permit outbound eth0
firewall-access 11 permit outbound tun0 src 10.2.1.0/24
!
firewall-snat 08 exempt outbound eth0 src 11.11.11.0/30 remark "bypass SNAT for tunnel traffic"
firewall-snat 10 overload outbound eth0
!
ipsec ike-policy 10 authentication psk policy AES SHA 14 keylife 28800 version 2
!
ipsec esp-policy 10 policy AES SHA 14 keylife 3600
!
ipsec peer 96.3.36.10 local ip 110.19.112.126 local-net 11.11.11.2 remote-net 11.11.11.1 policy ike 10 esp 10 psk Letmein99
!
ipsec start
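As an added illustration (not part of the original post and not RansNet mbox code), the Python below does two things the configuration above relies on but does not show: it encapsulates an IPv4 packet in a minimal RFC 2784 GRE header and parses it back, and it works out how large a GRE packet becomes once ESP protects it, which is what the "mtu 1400" on tun0 is budgeting for against a typical 1500-byte WAN MTU. The ESP parameters (AES-CBC with a 16-byte IV, HMAC-SHA1-96 with a 12-byte ICV, chosen to match the "AES SHA" policy in the example), the 1500-byte WAN MTU, and the tunnel-mode versus transport-mode distinction are assumptions for the calculation, not values taken from the mbox documentation.

```python
import math
import struct

# Header sizes (bytes) used in the overhead calculation.
IPV4_HEADER_LEN = 20
GRE_HEADER_LEN = 4        # RFC 2784 base header: flags/version (2) + protocol type (2)
ESP_HEADER_LEN = 8        # SPI (4) + sequence number (4)
ESP_TRAILER_LEN = 2       # pad length (1) + next header (1)
UDP_HEADER_LEN = 8        # added by NAT-T UDP encapsulation (RFC 3948)
GRE_PROTO_IPV4 = 0x0800   # EtherType of the encapsulated payload

# GRE flag bits in the first 16-bit word.
GRE_FLAG_CHECKSUM = 0x8000   # C: checksum + reserved1 present (RFC 2784)
GRE_FLAG_KEY = 0x2000        # K: key present (RFC 2890)
GRE_FLAG_SEQUENCE = 0x1000   # S: sequence number present (RFC 2890)
GRE_VERSION_MASK = 0x0007


def gre_encapsulate(inner_packet: bytes, protocol_type: int = GRE_PROTO_IPV4) -> bytes:
    """Prepend a minimal GRE header (no checksum, key or sequence) to an inner packet."""
    return struct.pack("!HH", 0x0000, protocol_type) + inner_packet


def gre_decapsulate(gre_packet: bytes) -> tuple:
    """Parse a GRE header and return (protocol_type, payload).

    Optional fields are skipped according to the flag bits; a checksum, if
    present, is not validated here. Truncated or non-version-0 headers are
    rejected so a receiver never reads past the end of the buffer.
    """
    if len(gre_packet) < GRE_HEADER_LEN:
        raise ValueError("truncated GRE header")
    flags_version, protocol_type = struct.unpack("!HH", gre_packet[:GRE_HEADER_LEN])
    if flags_version & GRE_VERSION_MASK != 0:
        raise ValueError("unsupported GRE version")
    header_len = GRE_HEADER_LEN
    for flag in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQUENCE):
        if flags_version & flag:
            header_len += 4
    if len(gre_packet) < header_len:
        raise ValueError("truncated GRE optional fields")
    return protocol_type, gre_packet[header_len:]


def esp_size(protected_len, iv_len=16, block_len=16, icv_len=12, nat_t=False):
    """Bytes of ESP (header, IV, padded payload, trailer, ICV) for a protected payload.

    Defaults assume AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV).
    """
    padded = math.ceil((protected_len + ESP_TRAILER_LEN) / block_len) * block_len
    size = ESP_HEADER_LEN + iv_len + padded + icv_len
    if nat_t:
        size += UDP_HEADER_LEN
    return size


def gre_over_ipsec_wire_size(inner_len, tunnel_mode=True, nat_t=False):
    """On-the-wire size of an inner IP packet after GRE encapsulation and ESP protection."""
    gre_len = inner_len + GRE_HEADER_LEN
    if tunnel_mode:
        # ESP protects the whole GRE/IP packet, then a new outer IP header is added.
        return IPV4_HEADER_LEN + esp_size(gre_len + IPV4_HEADER_LEN, nat_t=nat_t)
    # Transport mode: ESP protects only the GRE payload; the delivery IP header is kept.
    return IPV4_HEADER_LEN + esp_size(gre_len, nat_t=nat_t)


def max_inner_mtu(wan_mtu=1500, tunnel_mode=True, nat_t=False):
    """Largest inner packet that still fits in wan_mtu without fragmentation."""
    for inner_len in range(wan_mtu, 0, -1):
        if gre_over_ipsec_wire_size(inner_len, tunnel_mode, nat_t) <= wan_mtu:
            return inner_len
    return 0


if __name__ == "__main__":
    # Constructed sample: a 40-byte dummy IPv4 packet stands in for LAN traffic.
    inner = bytes(40)
    proto, payload = gre_decapsulate(gre_encapsulate(inner))
    assert proto == GRE_PROTO_IPV4 and payload == inner

    for mode, nat_t in ((True, False), (False, False), (True, True)):
        label = ("tunnel" if mode else "transport") + (" + NAT-T" if nat_t else "")
        print(f"{label:18s} 1400-byte inner -> {gre_over_ipsec_wire_size(1400, mode, nat_t)} bytes "
              f"on the wire; largest inner for 1500 WAN MTU = {max_inner_mtu(1500, mode, nat_t)}")
```

With these assumptions a 1400-byte packet leaving tun0 becomes 1496 bytes on the wire in tunnel mode (1464 in transport mode), so the configured MTU keeps the encrypted GRE packet under 1500 bytes and avoids fragmentation of ESP packets, which many paths handle badly. The same calculation shows the NAT-T caveat mentioned earlier: the extra 8-byte UDP header pushes the tunnel-mode packet to 1504 bytes, and the largest inner packet that still fits is 1398 bytes, so a tunnel that traverses NAT needs a slightly lower MTU than 1400.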