GRE Tunnels and VPN Tunnels

 
GRE (Generic Routing Encapsulation) is most commonly used to run dynamic routing protocols across another network.

For example:

Branch Router -------- Internet -------- HQ Router
      |                                      |
    OSPF                                   OSPF

Normally, the internet won't carry routing protocol packets between your routers. A GRE tunnel creates a virtual point-to-point link:

Branch Router ===== GRE Tunnel ===== HQ Router

Now both routers behave as if they're connected by a dedicated cable, allowing protocols like OSPF or EIGRP to exchange routes.


Common uses of GRE

  • Running dynamic routing protocols across an IP network (its most common use).
  • Transporting multicast and broadcast traffic, which plain IP forwarding often doesn't support.
  • Connecting branch offices over an existing IP network.
  • Carrying different Layer 3 protocols inside IP.
  • Creating overlay networks between routers.

Example

Suppose a company has:

  • Headquarters in one city
  • Branch office in another
  • An internet connection between them

Without GRE:

HQ Router ---- Internet ---- Branch Router

The routers can exchange ordinary IP traffic, but running OSPF between them is problematic.

With GRE:

HQ Router == GRE Tunnel == Branch Router

Now OSPF works normally, and each router learns the other's networks automatically.




GRE: A transport tunnel

Think of GRE as a virtual pipe.


VPN: A secure tunnel

A VPN is more like a locked pipe.




Simple analogy

  • GRE = Putting a letter into a larger envelope so it can be delivered through a particular mail system. Anyone can still open the envelope if it's not sealed.
  • VPN = Putting the letter into a locked, tamper-resistant box before shipping it. The contents remain confidential during transit.
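
The unsealed-envelope point above, shown concretely as an added example (not part of the original post): the Python below builds the basic RFC 2784 GRE encapsulation for a constructed PC1-to-PC2 packet from the lab topology used later on this page, then parses it the way any on-path device could, without a key. The function names and the sample payload are assumptions made for the illustration.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE "Protocol Type" value for an inner IPv4 packet
DEMO_PROTO = 253          # IP protocol reserved for experimentation; stands in for app data

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0; enough for a parsing demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Basic GRE: 2 bytes of flags/version (all zero) + 2 bytes of protocol type."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre)) + gre

def observe(packet):
    """Return what can be read from a GRE packet on the wire, with no key material."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("inner protocol is not IPv4")
    # Skip optional 4-byte fields: checksum (C bit), key (K bit), sequence (S bit).
    off = ihl + 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    inner = packet[off:]
    inner_ihl = (inner[0] & 0x0F) * 4
    return {
        "outer": (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])),
        "inner": (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])),
        "inner_proto": inner[9],
        "payload": inner[inner_ihl:],
    }

# Constructed sample: PC1 -> PC2 data carried from R1 to R2 over the GRE tunnel.
PAYLOAD = b"user=alice&note=constructed-sample"
INNER = ipv4_header("192.168.1.10", "192.168.2.10", DEMO_PROTO, len(PAYLOAD)) + PAYLOAD
ON_THE_WIRE = gre_encapsulate(INNER, "10.0.12.1", "10.0.12.2")

if __name__ == "__main__":
    for field, value in observe(ON_THE_WIRE).items():
        print(f"{field}: {value}")
```

With GRE over IPsec, of the fields parsed here only the outer 10.0.12.x addresses would remain readable on the path; the GRE header and the inner packet travel inside the encrypted ESP payload.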





Why GRE and IPsec are often used together

A common deployment is GRE over IPsec because each technology provides something the other lacks:

  • GRE provides:
    • Multicast support
    • Broadcast support
    • Dynamic routing protocol support
    • Encapsulation of various Layer 3 protocols
  • IPsec provides:
    • Encryption
    • Authentication
    • Integrity protection

The packet flow looks like this:

Application
    ↓
Original IP Packet
    ↓
GRE Encapsulation
    ↓
IPsec Encryption
    ↓
Internet

The remote router decrypts the IPsec packet, removes the GRE header, and forwards the original packet.


GRE use case: running OSPF through a GRE tunnel.

Topology

PC1 ---- R1 -------- Internet -------- R2 ---- PC2
    G0/0    G0/1                  G0/1    G0/0

LAN1: 192.168.1.0/24
Internet: 10.0.12.0/24
LAN2: 192.168.2.0/24

GRE Tunnel:
R1 Tunnel0: 172.16.12.1/30
R2 Tunnel0: 172.16.12.2/30

The goal is:

  • R1 and R2 can already reach each other over the Internet.
  • Create a GRE tunnel.
  • Run OSPF over the tunnel.
  • PC1 and PC2 can then communicate.

Step 1: Configure the Internet interfaces

R1

conf t

interface g0/1
ip address 10.0.12.1 255.255.255.0
no shutdown

interface g0/0
ip address 192.168.1.1 255.255.255.0
no shutdown

ip route 10.0.12.0 255.255.255.0 g0/1

R2

conf t

interface g0/1
ip address 10.0.12.2 255.255.255.0
no shutdown

interface g0/0
ip address 192.168.2.1 255.255.255.0
no shutdown

ip route 10.0.12.0 255.255.255.0 g0/1

Verify:

R1# ping 10.0.12.2

It should succeed.


Step 2: Configure the GRE tunnel

R1

interface Tunnel0
ip address 172.16.12.1 255.255.255.252
tunnel source g0/1
tunnel destination 10.0.12.2

R2

interface Tunnel0
ip address 172.16.12.2 255.255.255.252
tunnel source g0/1
tunnel destination 10.0.12.1

Verify:

R1# ping 172.16.12.2

Step 3: Configure OSPF

R1

router ospf 1

network 192.168.1.0 0.0.0.255 area 0
network 172.16.12.0 0.0.0.3 area 0

R2

router ospf 1

network 192.168.2.0 0.0.0.255 area 0
network 172.16.12.0 0.0.0.3 area 0

After a few seconds:

R1# show ip ospf neighbor

You should see:

Neighbor ID     State     Address
2.2.2.2         FULL      172.16.12.2

Step 4: Verify routes

On R1:

show ip route

You should learn:

O 192.168.2.0/24

On R2:

O 192.168.1.0/24

Step 5: Test connectivity

Configure the PCs:

PC1

IP: 192.168.1.10
Mask: 255.255.255.0
Gateway: 192.168.1.1

PC2

IP: 192.168.2.10
Mask: 255.255.255.0
Gateway: 192.168.2.1

Now test:

PC1> ping 192.168.2.10

The ping should succeed.


Packet flow

PC1
 │
 ▼
R1
 │  OSPF learns remote LAN
 ▼
GRE Tunnel
(172.16.12.1 <----> 172.16.12.2)
 │
 ▼
R2
 │
 ▼
PC2

This is the classic enterprise use of GRE: routers form an OSPF adjacency over the GRE tunnel, exchange routes, and traffic between the LANs is carried through the tunnel.





GRE tunnels and VPN tunnels are related concepts, but they solve different problems.

Feature                    | Generic Routing Encapsulation (GRE)              | VPN Tunnel (e.g., IPsec, WireGuard, OpenVPN)
Purpose                    | Encapsulate traffic                              | Secure traffic
Encryption                 | ❌ None                                          | ✅ Yes
Authentication             | ❌ None                                          | ✅ Yes
Supports routing protocols | ✅ Yes                                           | Depends on the VPN technology
Multicast/Broadcast        | ✅ Yes                                           | Usually no (IPsec alone doesn't)
Typical use                | Connecting networks and carrying routing traffic | Secure communication over untrusted networks
