Skip to main content
Your first session is free. Claim mine
PacketMentor logo
Open menu
Home
Training
Cisco Mentorship
CCNACCNP
Short Courses
Python for Network EngineersAI for Network OperationsDevNet Associate PrepInterview Sprint
Custom Training
Corporate Training
All training →
CCNA Library (74)
Browse all CCNA topics →
Network (13)
OSI Model & TCP/IPIPv4 AddressingTCP vs UDPSubnettingIPv6 BasicsARP — Address Resolution ProtocolICMP — Internet Control Message ProtocolTCP 3-Way HandshakeCabling & Media StandardsMTU & FragmentationWAN Connection TypesHierarchical Network DesignNetwork Virtualization & Containers
Device Operations (5)
Cisco IOS Device ManagementPower over Ethernet (PoE)Cisco IOS File SystemPassword Recovery & Configuration RegisterNetwork Troubleshooting Methodology
Network Access (12)
MAC Address TableVLANsTrunks & 802.1Q TaggingSpanning Tree Protocol (STP)EtherChannel (Link Aggregation)Switching OperationCDP & LLDP — Neighbor DiscoveryBPDU Guard & Root GuardCatalyst Boot ProcessVTP — VLAN Trunking ProtocolRapid STP & MSTPPrivate VLANs (PVLAN)
Wireless (6)
Wireless LAN BasicsWLAN Architectures — Autonomous, Centralized (WLC), Cloud, EmbeddedWi-Fi Security — WEP, WPA, WPA2, WPA3Wi-Fi 6, 6E, and 7 FeaturesWireless RF FundamentalsAccess Point Operating Modes
IP Connectivity (10)
Inter-VLAN RoutingStatic RoutingDefault RoutingRouting Decision ProcessFHRP — HSRP, VRRP & GLBPLayer-3 Switch & SVI RoutingOSPF Single-AreaRoute SummarizationIPv6 SLAAC & DHCPv6IPv6 Transition Mechanisms
IP Services (11)
HSRP vs VRRP vs GLBP — FHRP ComparedDHCP — Dynamic Host Configuration ProtocolNAT & PATDNS — Domain Name SystemNTP — Network Time ProtocolSyslogQoS BasicsSNMP — Simple Network Management ProtocolIGMP & IGMP SnoopingNTP Authentication & SecurityDHCP Relay & IP Helper
Security (10)
Access Control Lists (ACLs)Port SecurityDHCP SnoopingAAA · RADIUS & TACACS+802.1X — Port-Based Network Access ControlVPN Basics — IPsec & SSLDynamic ARP Inspection (DAI)IP Source Guard (IPSG)Encryption FundamentalsCybersecurity Threats & Mitigation
Automation (7)
REST APIs for Network EngineersAnsible for Network EngineersJSON, YAML & XML for Network EngineersNETCONF & YANGPython for Network EngineersSDN & Controller-Based NetworkingAI & ML in Network Operations
CCNP Library (15)
Browse all CCNP topics → SPAN, RSPAN & ERSPAN — Port MirroringGRE TunnelsEIGRPOSPF Multi-AreaIPv6 Routing — Static & OSPFv3BGP BasicsTCP Connection StatesCisco AnyConnect / Remote Access VPNCisco ISE BasicsNetFlow & Flow-Based MonitoringgRPC & gNMI — Streaming TelemetrySD-WAN ConceptsMPLS BasicsCisco DNA Center / Catalyst CenterVRF Basics — Virtual Routing and Forwarding
LabsPricing
Contact 📞 +1 (860) 556-3010 Book a Call
← All topics
IP Connectivity Intermediate

GRE Tunnels

How to make two distant routers feel directly connected by wrapping IP inside IP. Covers tunnel interface config, MTU caveats, why GRE itself isn't encrypted, and the standard 'GRE over IPsec' combination.

TL;DR
  • GRE wraps an IP packet inside another IP packet — making a virtual point-to-point link between two routers over any IP path.
  • GRE itself doesn't encrypt. For privacy, run GRE over IPsec — GRE for tunnel functionality + multicast support, IPsec for encryption.
  • Carries any L3 (IPv4, IPv6, multicast) — so OSPF/EIGRP can run inside the tunnel between sites.

Mental model

You have two routers separated by the public internet. You want them to feel like they’re directly connected with a private link — so you can run OSPF between them, route between private subnets, send multicast, etc.

GRE (Generic Routing Encapsulation) is the trick. Each router has a virtual Tunnel0 interface that, when you put a packet in, wraps it in another IP header and shoots it across the internet to the other router. That router unwraps and forwards normally.

Inner packet:  [ IP: 10.1.0.5 → 10.2.0.10 ][ TCP / payload ]
After GRE:     [ IP: pubA → pubB ][ GRE hdr ][ IP: 10.1.0.5 → 10.2.0.10 ][ TCP / payload ]
                       ^^ added by GRE encapsulation

The outer IP uses the routers’ public addresses. The inner IP is whatever the original packet was — private addresses, IPv6, whatever. The internet’s routers see only the outer addressing.

Two things GRE is good at, one thing it’s not

Capability
Carries any Layer-3 protocol — IPv4, IPv6, multicast, AppleTalk, IPX
Multicast / OSPF / EIGRP can run inside (they need a directly-connected link feel)
No encryption — contents are visible to anyone on the path

That last point is why you almost always pair GRE with IPsec:

  • GRE-over-IPsec = GRE first, then IPsec wraps the GRE
  • IPsec gives encryption, GRE gives multicast support and protocol flexibility

Pure IPsec can encrypt unicast IP, but doesn’t natively carry multicast / OSPF — which is why GRE + IPsec is the standard combo for site-to-site VPNs that need internal routing protocols.

Configuration — minimal GRE tunnel

! R-A (one side of the tunnel)
R-A(config)# interface Tunnel0
R-A(config-if)# ip address 10.99.99.1 255.255.255.252      ! tunnel IPs (private)
R-A(config-if)# tunnel source 198.51.100.1                  ! my public IP
R-A(config-if)# tunnel destination 203.0.113.50             ! their public IP
R-A(config-if)# tunnel mode gre ip                          ! default — explicit for clarity

! R-B (other side — mirror)
R-B(config)# interface Tunnel0
R-B(config-if)# ip address 10.99.99.2 255.255.255.252
R-B(config-if)# tunnel source 203.0.113.50
R-B(config-if)# tunnel destination 198.51.100.1
R-B(config-if)# tunnel mode gre ip

Now 10.99.99.1 and 10.99.99.2 can ping each other through the tunnel — and the tunnel rides whatever internet path connects 198.51.100.1 and 203.0.113.50.

Add routes to use the tunnel

A static route pointing the remote private network through the tunnel:

R-A(config)# ip route 10.2.0.0 255.255.255.0 10.99.99.2
R-B(config)# ip route 10.1.0.0 255.255.255.0 10.99.99.1

Or run OSPF over the tunnel:

R-A(config)# router ospf 1
R-A(config-router)# network 10.99.99.0 0.0.0.3 area 0
R-A(config-router)# network 10.1.0.0 0.0.0.255 area 0

OSPF forms a neighborship across the tunnel as if R-A and R-B were directly connected. Pure IPsec can’t do that — GRE makes it possible.

MTU — the gotcha everyone hits

GRE adds 24 bytes of overhead (20-byte outer IP + 4-byte GRE header). The inner packet’s effective MTU drops:

Default MTU: 1500
- GRE overhead: -24
- IPsec overhead (if used): -52 (typical)
= Effective MTU inside tunnel: ~1424

If the inner packet is 1500 bytes with Don’t-Fragment set, the router must fragment it after encapsulation, and many networks block fragmented IPsec. Users see “everything works except large transfers” — classic MTU symptom.

Fix:

R-A(config-if)# ip mtu 1400
R-A(config-if)# ip tcp adjust-mss 1360                ! shrink TCP MSS for hosts

ip tcp adjust-mss is especially useful — the router rewrites TCP MSS in passing SYNs so endpoints negotiate a small-enough segment size. No user reconfiguration needed.

Verification

R-A# show interfaces Tunnel0
R-A# show ip route                          ! routes via tunnel
R-A# ping 10.99.99.2                        ! is the tunnel up?
R-A# show ip protocols                      ! OSPF running over tunnel

show interfaces Tunnel0 confirms the tunnel state — up/up means good. up/down usually means the tunnel destination is unreachable (verify with a ping to the destination’s public IP).

GRE over IPsec — the standard combo

In production you almost always want encryption. Two ways to combine:

Tunnel-mode IPsec (encrypts the GRE-wrapped packet):

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14

crypto isakmp key supersecret address 203.0.113.50

crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac

crypto ipsec profile MYPROFILE
 set transform-set TS-AES

interface Tunnel0
 ip address 10.99.99.1 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.50
 tunnel protection ipsec profile MYPROFILE       ! the magic line

tunnel protection ipsec is the modern way — encrypts the tunnel without separate crypto-map ACL drudgery.

Common mistakes

  1. Forgetting MTU adjustment. Tunnel works for ping but breaks for HTTPS, file transfers, video. Always set ip mtu and ip tcp adjust-mss on the tunnel interface.

  2. Recursive routing loops. Tunnel source/destination are public IPs. If the router’s routing table sends those public IPs through the tunnel itself, you’ve created a loop. Symptom: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing. Fix: ensure tunnel endpoints are reachable via the underlying internet path, not via the tunnel.

  3. Identical tunnel interfaces on both sides (e.g. both /32). Use a small /30 or /31 — both ends need IPs in the same subnet.

  4. Trying to run multicast over IPsec without GRE. IPsec doesn’t natively carry multicast. Wrap in GRE first.

  5. Skipping tunnel mode gre ip. Default on Cisco IOS, but explicit is clearer. Other modes exist (ipv6, ipsec ipv4, gre multipoint) and the wrong one fails silently.

  6. Trusting GRE alone for sensitive data. GRE is plain text on the wire. Anyone capturing on the path can read everything. Always layer with IPsec for production.

Lab to try tonight

  1. Two routers in CML or any IPsec-capable simulator with “public” links between them and private LANs behind.
  2. Configure GRE Tunnel0 on both sides (without IPsec first).
  3. Confirm tunnel comes up: show interfaces Tunnel0up/up. Ping between tunnel IPs.
  4. Configure static routes through the tunnel. Verify end-to-end ping from LAN-A to LAN-B.
  5. Run OSPF area 0 across the tunnel. Confirm OSPF neighbor adjacency forms over Tunnel0.
  6. Now layer in IPsec with tunnel protection ipsec profile. Wireshark the public link and confirm ESP packets only (no inner addressing visible).
  7. Set ip mtu 1400 and test large-file transfer behavior.

Cheat strip

ConceptPlain English
GREWraps IP inside IP — creates virtual point-to-point links
Tunnel source / destinationThe routers’ public IPs
Tunnel interfaceVirtual L3 interface, gets its own IP
No encryptionGRE is plain text. Use IPsec for privacy.
GRE over IPsecThe standard combo for site VPNs with internal routing
MTU caveatSet ip mtu 1400 and ip tcp adjust-mss 1360
Recursive routingAvoid sending tunnel destination through the tunnel itself
OSPF worksRouting protocols run inside the tunnel as if directly connected
tunnel protection ipsecModern way to add IPsec encryption to a GRE tunnel
← Previous topic

SPAN, RSPAN & ERSPAN — Port Mirroring

How to copy traffic from one switch port to another for analysis. Covers local SPAN, RSPAN across switches via VLAN, ERSPAN over GRE for remote sites, and when each one is the right call.
Next topic →

VTP — VLAN Trunking Protocol

Cisco's protocol for sharing VLAN config across switches in the same VTP domain. Powerful, dangerous, and the reason every CCNA engineer learns the value of `vtp mode transparent`.
Master this on a real network

Want this drilled into reflex?

1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNP® exam blueprint. Free first session. No card on file until you decide.

Claim my free session →

Related topics

IP Connectivity

OSPF Single-Area

Definitive CCNA-level OSPF guide — link-state mental model, seven neighbor states, LSA types, DR/BDR election, cost tuning, authentication, route summarization, common debug patterns, and 8 worked scenarios.

 IP Connectivity

Static Routing

Definitive CCNA-level static routing guide — next-hop vs exit-interface vs fully-specified, default routes, floating statics, summary routes, recursive lookup, IPv6 statics, AD reference, 8 worked scenarios, and the static-routing debug workflow.

 Security Fundamentals

VPN Basics — IPsec & SSL

How two separated networks (or one user and a network) can talk privately over the public internet. Covers site-to-site IPsec, remote-access SSL/TLS VPNs, IKE phases, and what 'tunnel' actually means.

One topic per email, every fortnight

VLANs, OSPF, ACLs, subnetting, automation — written like this. Unsubscribe in one click.

We respect your inbox. One email per week, max. Unsubscribe any time.

Start typing — or browse popular topics below.

↑↓ navigate open Searches topics · labs · programs · pages