26-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 26 GRE and DM VPNs
GRE and Dynamic GRE VPNs
Understanding GRE Configuration for Dynamically Addressed Spokes, page 26-5
Advantages of IPsec Tunneling with GRE
The main advantages of IPsec tunneling with GRE are the following:
• GRE uses a routing protocol by which every IPsec peer knows the status of every other peer at all
  times.
• GRE provides higher resiliency than IKE keepalive.
• Spoke-to-spoke connectivity is supported when you use GRE.
• GRE supports multicast and broadcast transmissions.
Note: GRE does not support the use of dynamic cryptographic tunnels.
How Does Security Manager Implement GRE?
Security Manager implements an additional Interior Gateway Protocol (IGP) solution for GRE. An IGP
refers to a group of devices that receive routing updates from one another by means of a routing
protocol: EIGRP, OSPF, or RIP. Each “routing group” is identified by a logical number. For general
routing purposes, the interfaces on the routers in your networks belong to an IGP. Security Manager
adds an additional IGP that is dedicated to IPsec and GRE-secured communication. This additional IGP
is the secured IGP. The existing IGP (the unsecured IGP) is used for routing traffic that does not
require encryption.
For a GRE tunnel to be established, Security Manager configures a virtual interface on each device.
These virtual interfaces are the endpoints of the GRE tunnel. Each virtual interface is unique. The GRE
tunnel interface has an IP address (inside tunnel IP address) which is taken from an interface that
Security Manager creates. The GRE tunnel points to the source and destination IP addresses of either the
physical or loopback interfaces on each device. The GRE virtual interfaces belong to the secured IGP,
as do the inside interfaces. Routing updates within the secured IGP are GRE encapsulated and IPsec is
applied. A flow whose destination is a secured interface (according to the routing updates of the secured
IGP) is directed through the GRE interface where it is GRE encapsulated and then evaluated against the
crypto ACL. If it matches the crypto ACL, it is routed through the GRE and VPN tunnels.
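The following hub-side Cisco IOS configuration is an added illustration of the arrangement described above; it is not output from Security Manager or text from the original guide. All interface names, IP addresses (documentation ranges), process numbers, object names, and the key placeholder are assumptions.

```cisco
! Constructed hub-side example; addresses, names, numbers and the key are assumptions.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key PSK-PLACEHOLDER address 198.51.100.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
!
! Crypto ACL: matches only GRE packets between the two tunnel endpoints.
ip access-list extended GRE-CRYPTO
 permit gre host 192.0.2.1 host 198.51.100.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set GRE-TS
 match address GRE-CRYPTO
!
! Virtual interface: the local endpoint of the GRE tunnel (inside tunnel IP address).
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.2
!
interface GigabitEthernet0/0
 description outside
 ip address 192.0.2.1 255.255.255.0
 crypto map GRE-MAP
!
interface GigabitEthernet0/1
 description inside
 ip address 10.1.0.1 255.255.255.0
!
! Secured IGP: only the tunnel and inside networks, so its updates travel inside GRE and IPsec.
router eigrp 200
 network 10.255.0.0 0.0.0.3
 network 10.1.0.0 0.0.0.255
 no auto-summary
!
! Unsecured IGP: carries the outside network; keeping the tunnel endpoints out of the
! secured IGP also avoids learning the tunnel destination through the tunnel itself.
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
```

To check the result, show ip eigrp neighbors should list the peer on Tunnel0 and the packet counters in show crypto ipsec sa should increase with it. A neighbor that forms while those counters stay flat indicates the GRE packets are not matching the crypto ACL and are leaving unencrypted.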
Prerequisites for Successful Configuration of GRE
Consider the following prerequisites before using GRE in your network:
• You must identify the inside interfaces on your devices—the physical interfaces on the device that
  connect the device with its internal subnets and networks.
• You must select a routing protocol (known as an IGP) or a static route whenever you enable GRE.
  Security Manager supports the EIGRP, OSPF, and RIPv2 dynamic routing protocols, and GRE static
  routes.
  – EIGRP—Enhanced Interior Gateway Routing Protocol enables the exchange of routing
    information within an autonomous system and addresses some of the more difficult issues
    associated with routing in large, heterogeneous networks. Compared to other protocols, EIGRP
    provides superior convergence properties and operating efficiency, and combines the
    advantages of several different protocols. For more information, see EIGRP Routing on Cisco
    IOS Routers, page 64-8.