Cisco Support Community

How to configure a GRE tunnel




Tunneling provides a mechanism to transport packets of one protocol within another protocol. The protocol that is carried is called the passenger protocol, and the protocol that carries it is called the transport protocol. Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms; it uses IP as the transport protocol and can carry many different passenger protocols. The tunnels behave as virtual point-to-point links with two endpoints, identified by the tunnel source and tunnel destination addresses at each endpoint.


The diagram below shows the encapsulation process of a GRE packet as it traverses the router and enters the tunnel interface:



Configuring GRE Tunnel:


Configuring a GRE tunnel involves creating a tunnel interface, which is a logical interface. Then you must configure the tunnel endpoints for the tunnel interface.


To configure the tunnel source and destination, issue the tunnel source {ip-address | interface-type} and tunnel destination {host-name | ip-address} commands under the interface configuration mode for the tunnel.


The example below shows how to create a simple GRE tunnel between two endpoints, and the steps needed to create and verify the GRE tunnel between the two networks. R1's and R2's internal subnets ( and are communicating with each other using a GRE tunnel over the Internet. Both tunnel interfaces are part of the network.




The first step is to create the tunnel interface on R1 and R2:



R1(config)# interface Tunnel1
R1(config-if)# ip address
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source
R1(config-if)# tunnel destination

R2(config)# interface Tunnel1
R2(config-if)# ip address
R2(config-if)# ip mtu 1400
R2(config-if)# ip tcp adjust-mss 1360
R2(config-if)# tunnel source
R2(config-if)# tunnel destination


Since GRE is an encapsulating protocol, we adjust the maximum transmission unit (MTU) to 1400 bytes and the maximum segment size (MSS) to 1360 bytes. Because most transport MTUs are 1500 bytes and GRE adds overhead, we must reduce the MTU to account for it. A setting of 1400 is common practice and keeps unnecessary packet fragmentation to a minimum.
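
The overhead behind those numbers, as an added example (not from the original article): the sketch builds a GRE packet per RFC 2784, unwraps it, and derives the 24-byte overhead, the 1476-byte ceiling on a 1500-byte path and the 1360-byte MSS, and it shows that the passenger bytes travel unmodified inside the outer packet. Addresses and payload are constructed; the inner packet carries raw data with no TCP header, and header checksums are left at zero.

```python
import struct

GRE_PROTO = 47           # IP protocol number of GRE (outer header "protocol" field)
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type announcing an IPv4 passenger packet

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 to keep the sketch short."""
    addr = lambda a: bytes(int(octet) for octet in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, addr(src), addr(dst))

def gre_encapsulate(passenger, tunnel_src, tunnel_dst, key=None):
    """Transport IP header + GRE header (optional RFC 2890 key) + passenger."""
    gre = struct.pack("!HH", 0x2000 if key is not None else 0, ETHERTYPE_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(passenger))
    return outer + gre + passenger

def gre_decapsulate(packet):
    """Return (passenger protocol type, passenger bytes, bytes of tunnel overhead)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer IP protocol is not 47 (GRE)")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    # Checksum (C), key (K) and sequence (S) flags each add one 4-byte field.
    optional = 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    overhead = ihl + 4 + optional
    return ptype, packet[overhead:], overhead

def mss_for(ip_mtu):
    """Largest TCP segment that fits ip_mtu with 20-byte IPv4 and TCP headers."""
    return ip_mtu - 40

if __name__ == "__main__":
    # Constructed sample: a host behind R1 sends data to a host behind R2.
    data = b"user=alice&pin=1234"
    inner = ipv4_header("192.168.1.10", "192.168.2.10", 6, len(data)) + data
    pkt = gre_encapsulate(inner, "203.0.113.1", "198.51.100.1")
    ptype, passenger, overhead = gre_decapsulate(pkt)
    print(hex(ptype), overhead, 1500 - overhead, mss_for(1400))
    print("payload readable on the wire:", data in pkt)
```

An `ip mtu` of 1400 sits below the 1476-byte ceiling, which leaves room for further encapsulation such as IPsec on top of GRE.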


After the tunnel is configured, the two tunnel endpoints can see each other. You can verify this with an ICMP echo from one end.

R1# ping

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:


Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms


Workstations on either network will still not be able to reach the other side unless routing is configured on each router. Here we will configure a static route on both routers.


R1(config)# ip route

R2(config)# ip route


Now both networks ( and are able to communicate freely with each other over the GRE tunnel.


Generic Routing Encapsulation (GRE)

Here is a sample config for GRE.

Consider the following topology

Router1 [S0]( ------ Internet -------([S0]Router2---
   |_( Tunnel____________________(|


interface Tunnel0
ip address
tunnel source
tunnel destination


interface Tunnel0
ip address
tunnel source
tunnel destination

And just apply the necessary routes for those tunnels:

for example

ip route Tunnel0

About keepalives, here is the information:

Router1(config)#interface Tunnel1
Router1(config-if)#keepalive

By default, this keepalive command sends a packet through the tunnel to check its status
once every 10 seconds. If there is no response to three successive polls, the router
declares the tunnel interface to be down. So, this will change the tunnel's status about
30 seconds after a failure.

You can adjust both the time interval and the number of retries. For example, to send a
keepalive packet every five seconds, but to keep the default three retry limit, you could
use the following command:

Router1(config)#interface Tunnel1
Router1(config-if)#keepalive 5

If you want to change the number of retries, you can specify the new value after the time
interval. The following example will send a keepalive packet every three seconds, and will
declare the tunnel down if it doesn't hear a response back to two successive keepalive

Router1(config)#interface Tunnel1
Router1(config-if)#keepalive 3 2
New Member

good explanation thanks


Dear Sachin,

Thanks for your feedback


Ashish Shirkar

(Community Manager-Network Infrastructure)

New Member


Good overview. Do you need to configure static routes or is dynamic routing (OSPF) sufficient for the tunnel to operate?


Hello Carlos,

Yes, you can also use dynamic routing. Only the endpoints should be reachable, i.e. your source and destination IP. The combination of dynamic routing and tunnels can be dangerous. You need to be careful when using a dynamic routing protocol with a GRE tunnel to avoid the recursive routing error message, which brings down the tunnel. This happens because the routers need to have a good path through the network to carry the tunnel to its destination. Make sure that the routers never get confused and think that the best path to the tunnel destination is through the tunnel. You can refer to this document for the same:

GRE - Recursive loops


Ashish Shirkar

Community Manager-NI
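
An added example, not part of the reply above: a longest-prefix-match check that flags the recursive-routing condition, where the best route to the tunnel destination exits through the tunnel itself. The routing tables, addresses and interface names are constructed, and the lookup ignores administrative distance and metrics.

```python
import ipaddress

def best_route(routes, dest):
    """Longest-prefix match over (prefix, exit_interface) pairs; None if no route."""
    addr = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(prefix), exit_if) for prefix, exit_if in routes
            if addr in ipaddress.ip_network(prefix)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def check_tunnel(routes, tunnel_if, tunnel_dest):
    """Classify how the router would reach the tunnel destination."""
    hit = best_route(routes, tunnel_dest)
    if hit is None:
        return "unreachable"          # no path to the far endpoint at all
    if hit[1] == tunnel_if:
        return "recursive"            # best path to the endpoint is the tunnel itself
    return "ok"

# Constructed routing tables (documentation addresses, hypothetical interface names).
STATIC_ONLY = [
    ("0.0.0.0/0", "Serial0"),         # default route towards the ISP
    ("192.168.2.0/24", "Tunnel1"),    # remote LAN reached through the tunnel
]
# Same router after a routing protocol running over the tunnel advertises the
# peer's WAN subnet: the /24 is more specific than the default route and wins.
AFTER_DYNAMIC = STATIC_ONLY + [("198.51.100.0/24", "Tunnel1")]

if __name__ == "__main__":
    for name, table in (("static only", STATIC_ONLY), ("after dynamic", AFTER_DYNAMIC)):
        print(name, "->", check_tunnel(table, "Tunnel1", "198.51.100.1"))
```

Adding a host route for the tunnel destination via the physical interface, for example `("198.51.100.1/32", "Serial0")`, returns the result to "ok" because it is more specific than the learned /24.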

New Member

nice thanks for the config

New Member

nice one, simple and clear and easy to understand.

New Member

Thanks for this, but I want to ask: in your example, the Internet IP addresses used, would one have to get them off an ISP or can one just pick any?

tunnel source
tunnel destination

New Member

For use on the Internet, you need addresses that are assigned by an ISP or the registry appropriate to your country (ARIN, RIPE, etc.).

New Member

I have an issue with a new GRE tunnel:

I can ping the tunnel source and destination addresses and the tunnel seems to be up, but I can't ping the endpoints...

I checked all configs and compared them to another working tunnel, maybe someone has an idea? :-)

New Member

check your routes

New Member

as long as both of them have the route of the addresses used in the tunnel source and destination.

New Member

Hi Tom,

If the tunnel is up and you are able to ping the tunnel source & destination IPs then there is definitely an issue with the routing which is configured for the endpoints; you should check if the routes are configured correctly.

thanks, Veneet

New Member


Thank you all for the possible answers. But it was another solution. Because of the tunnel vrf command I had left out. This would have worked if the used Loopback was part of the General/Generic/Unnamed vrf.

DCAT1S4-Edge#sh vrf

  Name                             Default RD          Protocols   Interfaces

  CustomerX                        6:6                 ipv4        Lo1541

  CustomerX-Q1541                  1541:1541           ipv4        Tu154128              


interface Tunnel154128

description CustomerX-V1541-Registration

ip vrf forwarding CustomerX-Q1541

ip address

ip mtu 1400

ip tcp adjust-mss 1360

tunnel source Loopback1541

tunnel destination

-> tunnel vrf CustomerX <-


Best regards, Tom

New Member

Thank you so much for the information and the explanation. It was so simple and straightforward.

New Member
Thanks, very helpful.
New Member

Can you do this on an ehwic card?

I'm trying to simulate it in Cisco Packet Tracer Student 6.1 before rolling it into production.  Have a simulation of two 2811's with the same config as production on.

Issue when I go to specify the tunnel source it says Invalid input detected at '^' marker.  So running tunnel source ? shows it's looking for an interface name, not an ip address.

Well I have an HWIC card in the simulation and on Fa0/2/2 I have a cable going to another router where I am trying to gre tunnel over.  Issue is, if I specify Fa0/2/2 it says %ERROR: Source interface does not exist.  But clearly I can go into that interface and clearly I can ping the router connected to that interface!!!!

Cisco Employee

Really helpful info.

Thanks for posting.


New Member

You should use Loopback for source and destination interface for a better stability

New Member

Thanks helpful :)

New Member

Please note this example GRE tunnel is not encrypted.

You don't want to set this up over a Public Internet without additional encryption such as IPSEC.



New Member

Hi, thanks for posting :)

But,

I really want to know what I need as a prerequisite or special configuration in the case of a GRE tunnel between two public IP addresses (two different WANs)


Configuration : 

R1 :

wan : @IP1 ..........@tunnel : dest : @IP2

R2 :

wan : @IP2...............@tunnel @IP1


it does not ping between points of tunnel  !!!!!!


Is what I need something from the provider?



New Member


I've tried to configure a GRE tunnel on our site 1 and 2 but both sites have no connection.

All tunnel interface status is UP/UP

From ISP router 2 IP can ping the int tunnel IP but ISP router 1 can't ping its own tunnel address.

Is it fine to run with s0/0 interface?

Router 2 - 2800 and router 1 - 2600

Do I need to set up OSPF to ping r1-r2? Or just static configuration?

Please see the attached photo for the configuration.

New Member


Check your IP addresses of the tunnels. They are the same. ( )

New Member
New Member

Check the settings of your routing protocol; you should broadcast the tunnel interface and not the public interface on your routing protocol.

New Member

I would look at your static/default route on both. That might be a reach but I have those statements on the configs that I am using.

I would also look at your ACL's, if any.

New Member

This is blogspam and links to copyrighted material. This post should be removed.

New Member

GRE can encapsulate other protocols. But how can you prove it? Can you please use routers as small as 3 to show me that?

New Member

If you visit I am sure you will get useful information

New Member

good explanation

New Member

Great guide. If you're using Linux, there's also a Guide for Setting up a GRE Tunnel on a Cisco Router using Ubuntu AWS Client.

New Member

Is GRE supported on N5548? I am investigating the possibility of setting up GRE between Cisco 4948-10GE and Nexus N5548. If this is not possible, can you suggest any alternative options?

New Member

I have an issue that endpoints are able to reach each other only when I enter routes as:

R1: ip route int tunnel1

R2: ip route int tunnel1

Does anyone have an idea why it doesn't work when I enter the route by next hop address?

P.S. Also I saw this type of route on working enterprise routers that had been configured not by me

P.P.S all the test routers have only initial config of GRE by this article

Sorry for bad English