Why do I need GRE?

Discussion in 'Cisco' started by CWShannon@gmail.com, Dec 28, 2005.

  1. Guest

    We have purchased two 2811 routers to use for a site to site VPN. Both
    routers have the VPN AIM. I have everything working in a lab now, but
    it was a struggle. I'm new to this, so I happily used SDM to configure
    everything. Initially I used an IPSEC VPN without GRE. Everything went
    smoothly and I tested the tunnel using SDM and it all checked out. Then
    when I tried to ping between clients across the tunnel, every other
    ping request timed out. This was repeatable and occurred regardless of
    which side of the tunnel the ping was initiated from. Everything else
    (file transfer, web browsing) was not working. I started over and used
    GRE over IPSEC this time and everything began working...sorta. Small
    data transfers (32 byte ping requests) would work but I couldn't
    transfer large files across the tunnel. I fixed this by changing the
    MTU on the tunnel interfaces and on the clients to 1476 bytes to allow
    for 24 bytes that would be added due to encapsulation (at least I think
    that's what's going on). Changing the MTU on every client is acceptable
    for the moment, but it might not be down the road. If GRE is causing me
    to change the MTU, it makes me wonder why exactly do I need it? The SDM
    wizard help says to use GRE to connect remote sites with different
    network topologies, but that's not what I'm doing. Also, if a non-GRE
    IPSEC vpn can't get the job done, why is it even included in the wizard?
     
    , Dec 28, 2005
    #1

  2. Hansang Bae Guest

    wrote:

    > We have purchased two 2811 routers to use for a site to site VPN. Both
    > routers have the VPN AIM. I have everything working in a lab now, but
    > it was a struggle. I'm new to this, so I happily used SDM to configure
    > everything. Initially I used an IPSEC VPN without GRE. Everything went
    > smoothly and I tested the tunnel using SDM and it all checked out. Then
    > when I tried to ping between clients across the tunnel, every other
    > ping request timed out. This was repeatable and occurred regardless of
    > which side of the tunnel the ping was initiated from. Everything else
    > (file transfer, web browsing) was not working. I started over and used
    > GRE over IPSEC this time and everything began working...sorta. Small
    > data transfers (32 byte ping requests) would work but I couldn't
    > transfer large files across the tunnel. I fixed this by changing the
    > MTU on the tunnel interfaces and on the clients to 1476 bytes to allow
    > for 24 bytes that would be added due to encapsulation (at least I
    > think that's what's going on). Changing the MTU on every client is
    > acceptable for the moment, but it might not be down the road. If GRE
    > is causing me to change the MTU, it makes me wonder why exactly do I
    > need it? The SDM wizard help says to use GRE to connect remote sites
    > with different network topologies, but that's not what I'm doing.
    > Also, if a non-GRE IPSEC vpn can't get the job done, why is it even
    > included in the wizard?
    The one book I can recommend for quick and dirty (with a little bit of
    in-depth coverage) is Enhanced IP Services by Donald Lee. It has a very
    clear explanation of how to set up IPSEC. What are you using: preshared
    keys, RSA-SIGs or RSA-ENCR?

    Also, do you have a serial (like T1/FR etc) connection between your
    sites?

    --

    hsb


    "Somehow I imagined this experience would be more rewarding" Calvin
    **************************ROT13 MY ADDRESS*************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Dec 29, 2005
    #2

  3. stl-eng Guest

    First, scrap the SDM.
    Second, GRE is preferable over static VPN tunnels in almost every
    situation.

    One thing you can do to avoid hardcoding the MTU on machines is to
    configure IP TCP-ADJUST-MSS 1450 on an Ethernet transit interface; that
    will clear a lot up for you, I think.

    GRE allows you to encapsulate non-IP traffic as well as provide
    multicast support and full tunneling support. There are some good
    configurations for GRE over IPsec on CCO; you just have to sort through
    a bit. Also, Cisco Press just came out with the Complete Cisco VPN
    Configuration Guide about 2 weeks ago, a pretty good read if you do a
    lot of VPN work. It's paperback and it's orange, but it's comprehensive.

    GRE configs are actually simpler. Here's a sample: x.x.x.x is your public
    address and y.y.y.y is the remote public address.

    ! transform set xyz and the ISAKMP policy are defined elsewhere
    ip access-list extended ipsec_peer
     permit gre host x.x.x.x host y.y.y.y

    crypto map vpn 10 ipsec-isakmp
     set transform-set xyz
     set peer y.y.y.y
     match address ipsec_peer

    interface Tunnel1
     ip address 1.1.1.1 255.255.255.252
     ! note: don't change the default MTU on the tunnel interface; on a
     ! 2800 series ISR the default already takes the overhead into account
     tunnel source x.x.x.x
     tunnel destination y.y.y.y

    interface public
     ip address x.x.x.x
     crypto map vpn

    Ta-da, you're done.

    Bob Watson
    Implementation Engineer II
     
    stl-eng, Dec 29, 2005
    #3
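As an added worked example (not part of the thread), here is the size arithmetic behind the 1476-byte tunnel MTU and the 1450-byte MSS suggestion: GRE alone costs 24 bytes, but ESP adds its own header, IV, padding and ICV on top, so a 1476-byte client packet still exceeds 1500 bytes on the wire. The cipher suite (AES-CBC with HMAC-SHA1-96), the choice of tunnel versus transport mode, and all function names are assumptions made for the example.

```python
# Assumed suite (not from the thread): AES-CBC (16-byte block and IV)
# with HMAC-SHA1-96 (12-byte ICV). Other suites change numbers, not method.
IP_HDR = 20      # IPv4 header without options
TCP_HDR = 20     # TCP header without options
GRE_HDR = 4      # GRE header without key or sequence fields
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad-length + next-header bytes

def gre_size(inner_pkt: int) -> int:
    """GRE adds a delivery IP header plus the GRE header: 24 bytes."""
    return inner_pkt + IP_HDR + GRE_HDR

def esp_size(pkt: int, mode: str = "tunnel", block: int = 16,
             iv: int = 16, icv: int = 12) -> int:
    """Wire size after ESP: tunnel mode wraps the whole packet behind a
    new outer IP header; transport mode keeps the original IP header."""
    if mode == "tunnel":
        payload = pkt
    elif mode == "transport":
        payload = pkt - IP_HDR
    else:
        raise ValueError(f"unknown ESP mode: {mode}")
    body = payload + ESP_TRAILER
    pad = (-body) % block  # CBC plaintext must be block-aligned
    return IP_HDR + ESP_HDR + iv + body + pad + icv

def wire_size(client_pkt: int, mode: str = "tunnel", **suite) -> int:
    """Link-layer payload for one client IP packet through GRE then ESP."""
    return esp_size(gre_size(client_pkt), mode, **suite)

def max_client_packet(link_mtu: int = 1500, mode: str = "tunnel",
                      **suite) -> int:
    """Largest client packet that crosses the link unfragmented. Steps down
    one byte at a time since ESP padding makes wire size a step function."""
    size = link_mtu
    while wire_size(size, mode, **suite) > link_mtu:
        size -= 1
    return size

def safe_mss(client_mtu: int) -> int:
    """TCP MSS that keeps a full segment within client_mtu."""
    return client_mtu - IP_HDR - TCP_HDR

if __name__ == "__main__":
    # 1476 leaves room for GRE alone (1500 bytes) but not for ESP on top.
    print("GRE only:", gre_size(1476), "GRE+ESP:", wire_size(1476))
    for mode in ("tunnel", "transport"):
        mtu = max_client_packet(mode=mode)
        print(f"{mode}: tunnel MTU {mtu}, TCP MSS {safe_mss(mtu)}")
```

With this suite only about 1414 bytes of client packet (MSS 1374) fit in tunnel mode, which is why clamping the MSS to 1450 alone may still leave the encrypted outer packet needing fragmentation.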
  4. Chris Guest

    Thanks for the book reference. I was using pre-shared keys, and as far
    as the connection between sites goes, it is just a 10/100 switch right
    now. I have everything configured in a lab. When we do the install,
    each of the sites will have a T1.
     
    Chris, Dec 29, 2005
    #4
  5. Chris Guest

    Thanks Bob,
    I don't have to actually have this up and running in the real world
    until February. My plan was to get it working with SDM, so that a
    couple of my coworkers could test their software real quick and then
    figure out how to do it using CLI. In the meantime I can try the MSS
    tip you gave when everyone goes to lunch today and see if that
    simplifies things.
     
    Chris, Dec 29, 2005
    #5
  6. Hansang Bae Guest

    Chris wrote:
    > Thanks for the book reference. I was using pre-shared keys and far as
    > the connection between sites, it is just a 10/100 switch right now. I
    > have everything configured in a lab. When we do the install, each of
    > the sites will have a T1.


    I'm thinking you have things well under control then? As to your
    question about GRE, there is one reason to use it. You can stuff OSPF
    or EIGRP down the GRE tunnel. So if IPSec dies, routing will die too.
    If you don't use GRE, then you can have a situation where production
    traffic will die, but routing will not. Now you just created a black
    hole that can be tricky to troubleshoot.

    EBGP is the exception since it uses TCP (and can be encrypted).

    --

    hsb

     
    Hansang Bae, Dec 31, 2005
    #6
