26-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 26 GRE and DM VPNs
GRE and Dynamic GRE VPNs
Note: When configuring an IPsec/GRE, GRE Dynamic IP, or DMVPN routing policy, Security Manager adds
a routing protocol to all the devices in the secured IGP, on deployment. If you want to maintain this
secured IGP, you must create a router platform policy (on each member device) using the same routing
protocol and autonomous system (or process ID) number as defined in the GRE Modes policy.
Related Topics
Understanding GRE, page 26-2
Understanding GRE Configuration for Dynamically Addressed Spokes, page 26-5
Understanding DMVPN, page 26-10
Understanding IPsec Technologies and Policies, page 24-5
GRE and Dynamic GRE VPNs
You can use Generic Routing Encapsulation (GRE) to create VPNs using Cisco IOS security routers and
Catalyst 6500/7600 devices in hub-and-spoke, point-to-point, and full mesh VPN topologies.
This section contains the following topics:
Understanding GRE, page 26-2
Configuring IPsec GRE VPNs, page 26-5
Configuring GRE Modes for GRE or GRE Dynamic IP VPNs, page 26-6

Understanding GRE

Generic Routing Encapsulation (GRE) is a tunneling protocol that encapsulates a variety of protocol
packet types inside IP tunnels, creating a virtual point-to-point connection to devices at remote points
over an IP network. With this technology, GRE encapsulates the entire original packet with a standard
IP header and GRE header before the IPsec process. Then, IPsec views the GRE packet as an
unremarkable IP packet and performs encryption and authentication services, as dictated by the IKE
negotiated parameters. Because GRE can carry multicast and broadcast traffic, it is possible to configure
a routing protocol for virtual GRE tunnels. The routing protocol detects loss of connectivity and reroutes
packets to the backup GRE tunnel, thus providing high resiliency.
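The encapsulation order described above, as an added example that is not part of the Cisco guide or of Security Manager: a multicast routing-protocol packet is wrapped in a GRE header and an outer IP header, so the packet handed to IPsec is ordinary unicast IP protocol 47 between the tunnel endpoints. All addresses and the payload are constructed sample values, and the helper names are assumptions of this example.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number assigned to GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum, used here for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap the entire inner packet in a basic GRE header and an outer IP header."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)  # no optional fields, version 0
    return ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre + inner)

def parse(packet: bytes) -> dict:
    """Outermost IPv4 fields: the only ones IPsec sees before encrypting."""
    ihl = (packet[0] & 0x0F) * 4
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9], "payload": packet[ihl:]}

def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the outer IP and GRE headers and return the original packet."""
    outer = parse(packet)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags_ver, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags_ver != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return outer["payload"][4:]

# Constructed sample: an OSPF hello (IP protocol 89) to multicast 224.0.0.5 on the tunnel.
INNER = ipv4("10.0.0.2", "224.0.0.5", 89, b"constructed-ospf-hello")
OUTER = gre_encapsulate(INNER, "192.0.2.10", "198.51.100.1")

if __name__ == "__main__":
    print(parse(INNER))
    print(parse(OUTER))
```

The outer packet is 24 bytes longer than the inner one (20-byte IP header plus 4-byte GRE header), which is the overhead added before any IPsec headers.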
For VPN resilience, a spoke must be configured with two GRE tunnels, one to the primary hub and the
other to the backup hub. Both GRE tunnels are secured with IPsec: each one has its own IKE security
association (SA) and a pair of IPsec SAs. An associated routing protocol automates the failover
mechanism, transferring to the backup tunnel if virtual link loss is detected.
Note: GRE can be configured on Cisco IOS security routers and Catalyst 6500/7600 devices in hub-and-spoke,
point-to-point, and full mesh VPN topologies.
This section contains the following topics:
Advantages of IPsec Tunneling with GRE, page 26-3
How Does Security Manager Implement GRE?, page 26-3
Prerequisites for Successful Configuration of GRE, page 26-3