Configure GRE over IPSec secured private channel

I'll try to show you an easy and fast way to configure GRE over IPSec between CentOS and a Cisco 2821. This is not a final config, and it has no ACL/firewall rules. This post provides only configuration examples. For more information about GRE and IPSec basics, see the Point-to-Point GRE over IPsec Design Guide.



Provide a secure connection with branch offices.


Two distributed offices, each connected to a shared network. Across this network an encrypted GRE tunnel is set up using the IPSec stack.

The head office site

Connected to the shared network (internet) with a Cisco 2821 router (head-gw). The WAN interface is GigabitEthernet 0/0 (g0/0), IP address is . The tunnel interface is Tunnel0 (tun0), IP address is .

The branch office site

Connected to the shared network (internet) with a software router running CentOS 6.0 (branch-gw). The WAN connection is eth0, IP address is . The tunnel connection is tun0, IP address is . IPSec support is provided by the strongSwan software.

WAN Topology Scheme


Branch office

Configure interface and routing

sudo ifconfig eth0 up  
sudo route add -net default gw  

Update the system and install strongSwan

sudo yum -y update  
sudo rpm -Uhv*rpm  
sudo yum install strongswan  

Change system environment

cat << EOF >> /etc/sysctl.conf

# Controls IP packet forwarding
# enable IP forwarding
net.ipv4.ip_forward = 1

# disable ICMP redirects
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
EOF

# apply the new kernel settings
sysctl -p

StrongSwan Configuration

Change the ipsec.conf file to configure IPSec

cat << EOF > /etc/strongswan/ipsec.conf
config setup
    # loglevel configuration
    #charondebug="dmn 2, mgr 2, chd 2, net 2, ike 2, knl 3, cfg 0"

conn head
    # Try to connect on daemon start
    # Authentication by PSK (see ipsec.secrets)
    # Disable compression
    # Re-dial settings
    # ESP authentication settings (Phase 2)
    # UDP redirects
    # IKE authentication and keyring settings (Phase 1)
    # Internet Key Exchange (IKE) version
    # Default: charon - ikev2, pluto - ikev1
    # Connection type
    # Peers
    # Protocol type. May not work in numeric form; then you need to set 'gre'
    # Network announcement, %any — any networks.
EOF

cat << EOF >> /etc/strongswan/ipsec.secrets
: PSK 1234567890
EOF

Configure the logging settings for strongSwan. Here is a configuration example (not complete).

cat /etc/strongswan/strongswan.conf
charon {

    # number of worker threads in charon
    threads = 16

    # send strongswan vendor ID?
    # send_vendor_id = yes

    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = no
            # the default loglevel for all daemon subsystems (defaults to 1).
            default = 1
            # flush each line to disk
            flush_line = yes
        }
    }

    plugins {

        sql {
            # loglevel to log into sql database
            loglevel = -1

            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
    }

    # ...
}

pluto {

}

libstrongswan {

    #  set to no, the DH exponent size is optimized
    #  dh_exponent_ansi_x9_42 = no
}

iptables test config

Add some rules to iptables to allow the traffic

iptables -I INPUT 6 -i tun0 -s -j ACCEPT  
iptables -I INPUT 7 -i eth0 -s -j ACCEPT  

And if we need routing, don't forget to add

iptables -I FORWARD 2 -i tun0 -j ACCEPT  
iptables -I FORWARD 1 -o tun0 -j ACCEPT  

Note: at this stage we do not start the strongSwan daemon yet, so that we can test the plain GRE tunnel first.

Head office

Configure interface and routing

interface GigabitEthernet0/0  
 description WAN connection
 ip address 
 duplex auto 
 speed auto

interface Tunnel0  
 description GRE tunnel to Branch Office
 ip address
 tunnel source GigabitEthernet0/0 
 tunnel destination

! Default route
ip route  

Remember, we have not enabled IPSec on strongSwan (branch office) yet, so now we can test our tunnel connection (GRE only, without IPSec). Let's see the connection status on the Cisco router.

show interface Tunnel0
    Tunnel0 is up, line protocol is up 
          Hardware is Tunnel 
          Internet address is 
          MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec, reliability 255/255, txload 1/255, rxload 1/255 
         Encapsulation TUNNEL, loopback not set 
          Keepalive not set 
          Tunnel source (GigabitEthernet0/0), destination 
          Tunnel protocol/transport GRE/IP 
                Key disabled, sequencing disabled 
                Checksumming of packets disabled 
          Tunnel TTL 255
    Fast tunneling enabled 
          Tunnel transmit bandwidth 8000 (kbps) 
          Tunnel receive bandwidth 8000 (kbps) 
          Last input 00:02:37, output 00:02:37, output hang never 
         Last clearing of "show interface" counters never 
          Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2 
          Queueing strategy: fifo 
          Output queue: 0/0 (size/max) 
          5 minute input rate 0 bits/sec, 0 packets/sec 
          5 minute output rate 0 bits/sec, 0 packets/sec 
                 6237 packets input, 613782 bytes, 0 no buffer 
                 Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 
                 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 
                 7595 packets output, 872954 bytes, 0 underruns 
                 0 output errors, 0 collisions, 0 interface resets 
                 0 unknown protocol drops 
                 0 output buffer failures, 0 output buffers swapped out

As we can see, the connection is UP and GRE/IP encapsulation is used. Let's try to ping the tunnel endpoint of the branch office.


    Type escape sequence to abort. 
    Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds: 
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

IPSec configuration

In this example I use the crypto-map style, but it will work with an IPSec profile too.

! Create ACL. Encrypt only GRE traffic between the offices.
ip access-list extended MATCH-STATIC-MAP-100  
 permit gre host host

! Encryption policy
crypto isakmp policy 10  
 encr 3des 
 authentication pre-share 
 group 2

! PSK key for peer
crypto isakmp key 1234567890 address

! Create transform-set
crypto ipsec transform-set TS esp-3des esp-sha-hmac

! Create cryptomap
crypto map STATIC-MAP 100 ipsec-isakmp  
 set peer 
 set transform-set TS 
 match address MATCH-STATIC-MAP-100 

! Apply encryption on WAN interface
interface GigabitEthernet0/0  
 ip address
 duplex auto 
 speed auto 
 crypto map STATIC-MAP

Enable IPSec on Branch Office

Just start strongSwan

sudo strongswan start  

Now we can see the connection status

strongswan statusall  
       cisco:  IKEv1, dpddelay=30s 
       cisco:   local:  [] uses pre-shared key authentication 
       cisco:   remote: [] uses pre-shared key authentication 
       cisco:   child:  dynamic[gre] === dynamic[gre] TUNNEL, dpdaction=restart 
    Security Associations (1 up, 0 connecting): 
       cisco[4]: ESTABLISHED 45 minutes ago,[]...[] 
       cisco[4]: IKEv1 SPIs: d1670af393d1e08c_i* b286166b7bc3a2e6_r, pre-shared key reauthentication in 4 minutes 
       cisco[4]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 
       cisco{1}:  INSTALLED, TUNNEL, ESP SPIs: c9027cb6_i 02ae527f_o 
       cisco{1}:  3DES_CBC/HMAC_SHA1_96, 8272 bytes_i (119 pkts, 0s ago), 6408 bytes_o (89 pkts, 0s ago), rekeying in 23 hours 
       cisco{1}:[gre] ===[gre]

If you can see this, then everything works fine!
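As an added check that is not part of the original post, the following Python script parses `strongswan statusall` output like the one above and reports whether the IKE and CHILD SAs are up, whether the traffic selectors are restricted to GRE (so nothing else rides the SA unencrypted or unintended), and which negotiated algorithms are legacy. The embedded sample is the post's output with constructed RFC 5737 addresses in place of the peer addresses, which the post does not give.

```python
import re
# Algorithm name prefixes to report as legacy (3DES, MD5, small MODP groups).
LEGACY_PREFIXES = ("3DES", "DES_CBC", "MD5", "MODP_768", "MODP_1024")

# Constructed sample: the `strongswan statusall` output shown above, with the
# peer addresses (not given on the page) replaced by RFC 5737 addresses.
SAMPLE_STATUS = """\
       cisco:  IKEv1, dpddelay=30s
       cisco:   local:  [198.51.100.1] uses pre-shared key authentication
       cisco:   remote: [192.0.2.1] uses pre-shared key authentication
       cisco:   child:  dynamic[gre] === dynamic[gre] TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
       cisco[4]: ESTABLISHED 45 minutes ago, 198.51.100.1[198.51.100.1]...192.0.2.1[192.0.2.1]
       cisco[4]: IKEv1 SPIs: d1670af393d1e08c_i* b286166b7bc3a2e6_r, pre-shared key reauthentication in 4 minutes
       cisco[4]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
       cisco{1}:  INSTALLED, TUNNEL, ESP SPIs: c9027cb6_i 02ae527f_o
       cisco{1}:  3DES_CBC/HMAC_SHA1_96, 8272 bytes_i (119 pkts, 0s ago), 6408 bytes_o (89 pkts, 0s ago), rekeying in 23 hours
       cisco{1}:   198.51.100.1/32[gre] === 192.0.2.1/32[gre]
"""

def check_status(text, conn):
    """Summarise connection `conn` from `strongswan statusall` output:
    ike_up (IKE SA ESTABLISHED), child_up (CHILD SA INSTALLED in TUNNEL mode
    with both ESP SPIs), gre_only (both traffic selectors end in [gre])."""
    c = re.escape(conn)
    res = {"ike_up": False, "child_up": False, "gre_only": False,
           "ike_proposal": None, "esp_proposal": None, "legacy": []}
    for line in text.splitlines():
        line = line.strip()
        if re.match(rf"{c}\[\d+\]:\s+ESTABLISHED\b", line):
            res["ike_up"] = True
        m = re.match(rf"{c}\[\d+\]:\s+IKE proposal:\s+(\S+)", line)
        if m:
            res["ike_proposal"] = m.group(1)
        if re.match(rf"{c}\{{\d+\}}:\s+INSTALLED,\s+TUNNEL,\s+ESP SPIs:\s+"
                    r"[0-9a-f]+_i\s+[0-9a-f]+_o", line):
            res["child_up"] = True
        m = re.match(rf"{c}\{{\d+\}}:\s+(\S+),\s+\d+ bytes_i", line)
        if m:
            res["esp_proposal"] = m.group(1)
        m = re.match(rf"{c}\{{\d+\}}:\s+(\S+)\s+===\s+(\S+)$", line)
        if m:
            res["gre_only"] = all(ts.endswith("[gre]") for ts in m.groups())
    # Flag weak algorithms in either proposal so they show up in the report.
    for proposal in (res["ike_proposal"], res["esp_proposal"]):
        for alg in (proposal or "").split("/"):
            if alg.startswith(LEGACY_PREFIXES) and alg not in res["legacy"]:
                res["legacy"].append(alg)
    return res
```

Run it against `strongswan statusall | python3 check_status.py`-style captured text (the function takes the text and the conn name); a result with all three flags true and an empty `legacy` list is what a healthy, modern GRE-only SA looks like.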