Help: Tunnel Interface

Answered Question
Mar 13th, 2007

Hi, please help me understand what a Tunnel interface is, because I'm confused about the tunnel source and tunnel destination.

interface Tunnel0
 description Local GRE Tunnel Interface - Site A
 ip address 172.16.3.22 255.255.255.252
 ip tcp adjust-mss 1420
 load-interval 30
 keepalive 20 3
 tunnel source 202.13.157.3
 tunnel destination 14.160.7.164

What is the use of the tunnel source and destination? The Tunnel interface already has an IP address. From my understanding, the IP address of the local tunnel interface should be on the same subnet as the remote tunnel interface. Then what is the use of the tunnel source and destination? The tunnel source in this configuration is my FastEthernet IP address. I don't know what the tunnel destination is. Should this be the configuration on the other end?

interface Tunnel0
 description Local GRE Tunnel Interface - Site B
 ip address 172.16.3.21 255.255.255.252
 ip tcp adjust-mss 1420
 load-interval 30
 keepalive 20 3
 tunnel source 14.160.7.164
 tunnel destination 202.13.157.3

So on my end (Site A) I need to have a route to 14.160.7.164 in order to establish the GRE tunnel?

Another one: what is the difference between this configuration and configuring a site-to-site VPN?

Thank you very much.

Richard Burts Tue, 03/13/2007 - 07:55

John

There is a simple explanation of the source address and destination address configured on the tunnel interface. To understand it I would like to start with an understanding that the tunnel is going to encapsulate traffic that is sent over the tunnel. That is the tunnel will take an existing packet and put it as the payload of a new packet. In the new packet the source address of the packet is taken from the tunnel source and the destination address of the packet is taken from the tunnel destination.

So you are correct that the tunnel has its own IP address. And that the IP address of the tunnel on a router needs to be in the same subnet as the tunnel address of the remote router. And as I have explained each tunnel needs to configure a tunnel source to give the source address of the tunnel packet and needs to configure tunnel destination to give the destination address of the tunnel packet.

HTH

Rick

Danilo Dy Tue, 03/13/2007 - 08:06

An IP GRE tunnel is a logical point-to-point link between two hosts (Cisco routers - since it's Cisco proprietary). To be able to build the tunnel, it needs to ride on an existing routable IP network between two enabled interfaces (loopback or physical) of the two hosts.

RouterA's tunnel source IP address and RouterB's tunnel source IP address should be able to reach each other before creating a tunnel. Both routers use a local interface or IP address (hence the "tunnel source") and the other end's IP address (hence the "tunnel destination") to build the tunnel.

More on IP GRE

http://www.cisco.com/en/US/tech/tk827/tk369/tk287/tsd_technology_support_sub-protocol_home.html
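The reachability point Danilo makes above (and the original question about needing a route to 14.160.7.164) comes down to the router doing two lookups: one for the inner destination, which lands on Tunnel0, and a second one for the tunnel destination, which must resolve to a real interface. The following Python script is an added example written for this thread, not anything from the posts or from Cisco; it reuses the Site A addresses from the posted configs, while the 202.13.157.0/29 LAN mask, the ISP gateway 202.13.157.1 and the 10.2.2.0/24 network behind Site B are constructed assumptions. It also shows the two failure modes: no route to the tunnel destination, and the tunnel destination being learned through the tunnel itself (recursive routing, which IOS reacts to by temporarily disabling the tunnel).

```python
import ipaddress

# Site A values copied from the Tunnel0 configs in the thread
TUNNEL_SOURCE = "202.13.157.3"       # Site A public address (tunnel source)
TUNNEL_DESTINATION = "14.160.7.164"  # Site B public address (tunnel destination)
REMOTE_TUNNEL_IP = "172.16.3.21"     # Site B Tunnel0 address: the next hop the routing table sees

# Constructed Site A routing table: (prefix, next hop or None if connected, outgoing interface).
# The /29 on FastEthernet0/0, the ISP gateway 202.13.157.1 and the 10.2.2.0/24 LAN behind
# Site B are assumptions for this example; the thread only gives the tunnel endpoints.
SITE_A_ROUTES = [
    ("202.13.157.0/29", None, "FastEthernet0/0"),
    ("172.16.3.20/30", None, "Tunnel0"),
    ("10.2.2.0/24", REMOTE_TUNNEL_IP, "Tunnel0"),
    ("0.0.0.0/0", "202.13.157.1", "FastEthernet0/0"),
]


def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop, interface) or None."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def tunnel_destination_reachable(routes, tunnel_dest):
    """Precondition for the tunnel: the remote endpoint must be reachable over the
    underlying network, i.e. through something other than the tunnel itself."""
    r = lookup(routes, tunnel_dest)
    return r is not None and r[2] != "Tunnel0"


def forward(routes, dst, tunnel_dest=TUNNEL_DESTINATION):
    """Two-stage lookup a router performs for traffic routed into a GRE tunnel."""
    first = lookup(routes, dst)
    if first is None:
        return {"result": "no route", "lookups": []}
    net, next_hop, iface = first
    lookups = [(dst, str(net), next_hop, iface)]
    if iface != "Tunnel0":
        return {"result": "forwarded", "egress": iface, "lookups": lookups}
    # The packet is GRE-encapsulated: the outer destination is the tunnel destination,
    # so the router has to look that address up as well.
    second = lookup(routes, tunnel_dest)
    if second is None:
        return {"result": "tunnel down: no route to tunnel destination", "lookups": lookups}
    net2, next_hop2, iface2 = second
    lookups.append((tunnel_dest, str(net2), next_hop2, iface2))
    if iface2 == "Tunnel0":
        # The tunnel would have to carry its own outer packets: recursive routing.
        return {"result": "recursive routing", "lookups": lookups}
    return {"result": "forwarded", "egress": iface2, "lookups": lookups}


if __name__ == "__main__":
    print(forward(SITE_A_ROUTES, "10.2.2.20"))
    # Constructed misconfiguration: Site B's public range is learned over the tunnel.
    bad = SITE_A_ROUTES + [("14.160.0.0/16", REMOTE_TUNNEL_IP, "Tunnel0")]
    print(forward(bad, "10.2.2.20"))
    print(forward(SITE_A_ROUTES[:3], "10.2.2.20"))  # no default route: tunnel cannot come up
```

The first call shows the normal case: 10.2.2.20 matches the route via 172.16.3.21 on Tunnel0, then 14.160.7.164 matches the default route and the GRE packet leaves FastEthernet0/0. The other two calls show why the tunnel destination must be reachable outside the tunnel.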

Richard Burts Tue, 03/13/2007 - 08:36

Danilo

GRE was developed by Cisco but it is no longer a proprietary protocol. See RFC 1701 Generic Routing Encapsulation (GRE), RFC 1702 Generic Routing Encapsulation over IPv4 networks, and RFC 2784 Generic Routing Encapsulation (GRE), which show it moving beyond the status of a proprietary protocol.

HTH

Rick

Danilo Dy Tue, 03/13/2007 - 09:10

Yup, correct. I missed that one. Thanks for pointing that out :)

Richard Burts Tue, 03/13/2007 - 09:40

Danilo

It is a real advantage of the forum to have multiple people with different perspectives and we help each other out. I have had my share of responses where someone clarified aspects of what I had said, and the outcome was a better response. I enjoy seeing your postings on the forum and look forward to seeing more.

HTH

Rick

John Patrick Lopez Tue, 03/13/2007 - 10:47

Is the Tunnel interface secured? Because I saw our configuration and there's a crypto map between the tunnel source and destination interface. Is this really necessary?

ip access-list extended GRE-ACL
 permit gre host Site-A host Site-B
!
interface FastEthernet0/0
 ip address Site-A
 speed 100
 full-duplex
 crypto map Secondary
!
crypto ipsec transform-set GRE esp-3des esp-sha-hmac
 mode transport
!
crypto map Secondary 1 ipsec-isakmp
 set peer Site-B
 set transform-set GRE
 set pfs group2
 match address GRE-ACL

John Patrick Lopez Tue, 03/13/2007 - 10:50

What is the advantage of this Tunnel Interface?

This can also be done by just creating a site-to-site VPN tunnel, right? We created an eBGP connection between the Tunnel interfaces.

Richard Burts Tue, 03/13/2007 - 11:20

John

Based on the parts of the config that you have posted it becomes obvious that you have a GRE tunnel combined with IPSec. A GRE tunnel by itself is not secured. But a GRE tunnel with IPSec is secured.

In general the reason to use a GRE tunnel with IPSec rather than just a VPN tunnel would be to support multicast. A traditional VPN tunnel only supports unicast (Cisco has introduced a new feature in new releases of IOS that supports multicast over VPN without requiring GRE). There is not anything in your post that tells us whether there is multicast over the tunnel. OSPF and EIGRP between sites have traditionally needed GRE with IPSec, but BGP uses unicast, not multicast, and therefore would not necessarily need GRE.

Without knowing more about the environment and the details of the config I do not believe that we can know if everything that you are passing over the GRE tunnel would work over a plain VPN tunnel.

HTH

Rick

John Patrick Lopez Tue, 03/13/2007 - 13:12

So this is what you mean.

Creating a GRE tunnel between two routers is like creating a point-to-point link between them. But the data that passes through that Tunnel interface will not be encrypted, because GRE is not secured. In order to secure the data passing through the tunnel, I need to configure IPSec, which will also use the tunnel.

What will be the structure of the data in terms of source and destination IP? Will the data traverse the public Internet with the source and destination IPs being the ones configured with the tunnel source and tunnel destination commands? Because it is impossible to route the private IPs configured on the tunnel interface via the public Internet.

John Patrick Lopez Tue, 03/13/2007 - 13:27

Then, for example, if I want to configure EIGRP between the two sites, I could utilize the GRE tunnel to pass this kind of traffic since EIGRP uses multicast. But then, if I want to secure all the GRE traffic that goes out of my router, I need to configure IPSec for the tunnel source and tunnel destination IPs if the protocol being used is GRE.

And another one, since we are passing routes via GRE tunnel, the next hop of the router in the routing table is the remote router tunnel interface IP. But in reality, it will use the source tunnel and destination tunnel IP for packets. It is just that IPSec is the one responsible for encrypting the traffic.

Am I getting it? =)

Correct Answer
Richard Burts Tue, 03/13/2007 - 14:20

John

I believe that you are pretty much getting it. The tunnel is exactly like a point to point connection between the 2 routers (even though physically there might be many hops). Routing over a GRE tunnel is functionally just like routing over a point to point serial. The routing table sees the tunnel address on the other router as the next hop address. Going through the Internet the packet will have a source address which is the tunnel source (and should be a public address). The source and destination of the packet being transported may be private address space.

And yes, GRE does not do any encryption. So if you want to protect/encrypt traffic then you combine GRE with IPSec.

HTH

Rick
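To make Rick's encapsulation description and the posted crypto map concrete, here is an added example (written for this thread, not code from the posts or from Cisco) that builds the outer GRE packet the way the Tunnel interface does, takes it apart again, and then applies the "permit gre host Site-A host Site-B" match from the crypto map to it. The tunnel endpoints and Tunnel0 addresses are the ones in the thread; the inner LAN hosts 10.1.1.10 and 10.2.2.20, and the EIGRP-style hello payload, are constructed sample data. The GRE header follows RFC 2784 (the base 4-byte header with no checksum), which the thread itself cites.

```python
import struct
import ipaddress

# Endpoints copied from the Tunnel0 configs in the thread
SITE_A_TUNNEL_SOURCE = "202.13.157.3"   # Site A "tunnel source" (public)
SITE_B_TUNNEL_SOURCE = "14.160.7.164"   # Site B "tunnel source" (public)
SITE_A_TUNNEL_IP = "172.16.3.22"        # Site A Tunnel0 "ip address" (private)
SITE_B_TUNNEL_IP = "172.16.3.21"        # Site B Tunnel0 "ip address" (private)

IPPROTO_GRE = 47            # IP protocol number matched by "permit gre" in the ACL
IPPROTO_EIGRP = 88          # IP protocol number for EIGRP
ETHERTYPE_IPV4 = 0x0800     # GRE protocol type for an IPv4 payload (RFC 2784)
GRE_FLAG_CHECKSUM = 0x8000  # C bit: an extra checksum/reserved1 word follows


def ip_checksum(data: bytes) -> int:
    """Standard ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a valid checksum, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Return src, dst, protocol and payload of an IPv4 packet; reject a bad checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total_len]}


def gre_encapsulate(inner: bytes, tunnel_source: str, tunnel_destination: str) -> bytes:
    """What the Tunnel interface does on egress: the original packet becomes the payload
    of a new IP packet addressed from 'tunnel source' to 'tunnel destination'."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner   # C=0, Ver=0, payload type IPv4
    return ipv4_packet(tunnel_source, tunnel_destination, IPPROTO_GRE, gre)


def gre_decapsulate(pkt: bytes) -> tuple:
    """Reverse of gre_encapsulate: returns (outer header fields, inner packet)."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % ptype)
    hdr_len = 8 if flags & GRE_FLAG_CHECKSUM else 4
    return outer, outer["payload"][hdr_len:]


def matches_gre_acl(outer: dict, site_a: str, site_b: str) -> bool:
    """'permit gre host Site-A host Site-B': the crypto map selects the outer GRE packet
    between the two tunnel endpoints, never the inner (private) addresses."""
    return outer["proto"] == IPPROTO_GRE and outer["src"] == site_a and outer["dst"] == site_b


def demo() -> dict:
    # Constructed sample: a LAN host behind Site A (10.1.1.10) talking to a host behind
    # Site B (10.2.2.20); both addresses are hypothetical, the inner packet carries them.
    inner = ipv4_packet("10.1.1.10", "10.2.2.20", 6, b"hello from site A")
    on_the_wire = gre_encapsulate(inner, SITE_A_TUNNEL_SOURCE, SITE_B_TUNNEL_SOURCE)
    outer, recovered = gre_decapsulate(on_the_wire)
    # A multicast hello (224.0.0.10, EIGRP's group) sent from the Tunnel0 address rides the
    # same unicast GRE packet, which is why multicast routing protocols work over GRE.
    hello = ipv4_packet(SITE_A_TUNNEL_IP, "224.0.0.10", IPPROTO_EIGRP, b"\x02\x05")
    hello_outer, _ = gre_decapsulate(
        gre_encapsulate(hello, SITE_A_TUNNEL_SOURCE, SITE_B_TUNNEL_SOURCE))
    return {
        "outer_src": outer["src"], "outer_dst": outer["dst"], "outer_proto": outer["proto"],
        "inner_intact": recovered == inner,
        "inner_src": parse_ipv4(recovered)["src"],
        "crypto_map_matches": matches_gre_acl(outer, SITE_A_TUNNEL_SOURCE, SITE_B_TUNNEL_SOURCE),
        "plain_lan_packet_matches": matches_gre_acl(parse_ipv4(inner),
                                                    SITE_A_TUNNEL_SOURCE, SITE_B_TUNNEL_SOURCE),
        "multicast_hello_outer_dst": hello_outer["dst"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The output answers John's question directly: the packet on the Internet carries 202.13.157.3 to 14.160.7.164 with protocol 47, the private addresses only exist inside the GRE payload, and the crypto map's ACL matches that outer packet, so IPsec in transport mode protects everything the tunnel carries, multicast included.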

John Patrick Lopez Tue, 03/13/2007 - 15:23

Thank you very much Rick! You guys helped me a lot. Too bad the highest number is 5. It should be 10 for you guys. Thanks. =)

Richard Burts Tue, 03/13/2007 - 15:35

John

Thanks for using the rating system to mark that your issue is resolved (and thanks for the ratings). It makes the forum much more useful when people can read about a problem and know that they will find a solution that resolved the problem.

I encourage you to continue your participation in the forum.

HTH

Rick

Danilo Dy Thu, 04/05/2007 - 17:24

Hi Rick,

Thanks for welcoming me in this community. Also thanks for appreciating my little contributions.

I'm sorry, I have not replied earlier. I didn't see your post that day. Just saw it today when looking for GRE posts.

Thanks,

Danilo

Richard Burts Thu, 04/05/2007 - 19:52

Danilo

I do appreciate your contributions. And I am glad to see that you continue to be active in the forum. Your average rating this month is very impressive. Keep up the good work.

HTH

Rick
