Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Configuring a secure GRE tunnel over IPsec

Written by
Updated at September 2, 2025

For secure communication between remote resources and data transmission over public communication channels, e.g., the internet, you can use secure connection technologies, such as the IPsec protocol. However, IPsec has significant limitations: it is only designed for IP packet transmission, does not support multicast delivery, and cannot be combined with other protocols within a single request.

To extend the capabilities of IPsec, you can configure GRE over it. GRE encapsulates network packets in IP packets, enabling you to transmit any traffic over IPsec.

In this example, you will create a secure GRE-over-IPsec tunnel between two Cisco CSR 1000v virtual routers hosted in different virtual networks and availability zones in Yandex Cloud.

You will configure IPsec in NAT-T (NAT Traversal mode, since Yandex Cloud employs NAT), while GRE does not support using ports. This mode enables the translation of router IP addresses over NAT when using a GRE-over-IPsec tunnel. This makes the tunnel configuration in our example suitable for both the Yandex Cloud infrastructure and remote resources placed behind the device that provides NAT.

To set up a secure tunnel between two virtual routers:

  1. Get your cloud ready.
  2. Create an SSH key pair.
  3. Create folders.
  4. Create two VMs with a Cisco Cloud Services Router.
  5. Configure IPSec protocols.
  6. Create tunnel interfaces.
  7. Configure routing.
  8. Test the tunnel.

If you no longer need the resources you created, delete them.

Getting started

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

Alert

When using a Cisco CSR 1000v image without a license, the router throughput is limited to 100 Kbps. To remove this limitation, install a license.

The infrastructure support costs include:

Create an SSH key pair

To connect to a VM over SSH, you need a key pair: the public key resides on the VM, and the private one is kept by the user. This method is more secure than connecting with login and password.

Note

SSH connections using a login and password are disabled by default on public Linux images that are provided by Yandex Cloud.

Cisco Cloud Services Router (CSR) 1000v only supports keys generated using the RSA algorithm.

To create a key pair:

  1. Open the terminal.

  2. Use the ssh-keygen command to create a new key:

    ssh-keygen -t rsa -b 2048

    After you run the command, you will be asked to specify the names of files where the keys will be saved and enter the password for the private key. The default name is id_rsa. Keys are created in the ~/.ssh directory.

    The public part of the key will be saved in the <key_name>.pub file.

  1. Run cmd.exe or powershell.exe.

  2. Use the ssh-keygen command to create a new key:

    ssh-keygen -t rsa -b 2048

    After you run the command, you will be asked to specify the names of files where the keys will be saved and enter the password for the private key. The default name is id_rsa. The keys are created in C:\Users\<username>\.ssh\ or C:\Users\<username>\ depending on the command-line interface.

    The public part of the key will be saved to a file named <key name>.pub.

Create keys using the PuTTY app:

  1. Download and install PuTTY.

  2. Add the folder with PuTTY to the PATH variable:

    1. Click Start and type Change system environment variables in the Windows search bar.
    2. Click Environment Variables... at the bottom right.
    3. In the window that opens, find the PATH parameter and click Edit.
    4. Add your folder path to the list.
    5. Click OK.

  3. Launch the PuTTYgen app.

  4. Select RSA for the type of pair to generate and set the length to 2048. Click Generate and move the cursor in the field above it until key creation is complete.

    ssh_generate_key

  5. In Key passphrase, enter a strong password. Enter it again in the field below.

  6. Click Save private key and save the private key. Do not share its key phrase with anyone.

  7. Save the key to a text file. To do this, copy the public key from the text field to a text file named id_rsa.pub. Please note that the key must be written as a single line (no returns or line breaks).

Warning

Save the private key in a secure location, as you will not be able to connect to the VM without it.

Create folders

To test tunneling between two different virtual networks, place Yandex Cloud resources in different folders. To create a new folder:

  1. In the management console, select a cloud and click Create folder at the top right.
  2. Enter the folder name: site-d.
  3. Add a folder description if required.
  4. Select Create a default network.
  5. Click Create.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

Create a folder:

yc resource-manager folder create \
--name site-d \
--description "Folder for site-d"

To create a folder, use the create REST API method for the Folder resource or the FolderService/Create gRPC API call.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. In the configuration file, define the parameters of the resources you want to create:

    resource "yandex_resourcemanager_folder" "folder1" {
   cloud_id    = "<cloud_ID>"
   name        = "site-d"
   description = "Folder for site-d"
}

    For more information about the yandex_resourcemanager_folder settings, see this Terraform article.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the folder where you created the configuration file.

    2. Check the configuration using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      If the configuration description is correct, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm the creation of the resources: in the terminal, type yes and press Enter.

    This will create the folder in the specified cloud. You can check the new folder and its settings using the management console or this CLI command:

    yc resource-manager cloud list

Repeat these steps to create a second folder named site-b.

Create two VMs with Cisco Cloud Services Router

Create your first VM with Cisco Cloud Services Router

  1. In the management console, select site-d.

  2. Click Create resource and select Virtual machine instance.

  3. Select Advanced setup.

  4. Under Boot disk image, in the Product search field, enter Cisco CSR and select a Cisco CSR public image.

  5. Under Location, select the ru-central1-d availability zone.

  6. Under Computing resources, navigate to the Custom tab and specify the platform, number of vCPUs, and amount of RAM:

    • Platform: Intel Ice Lake
    • vCPU: 2
    • Guaranteed vCPU performance: 100%
    • RAM: 4 GB

  7. Under Network settings:

    • In the Subnet field, select the network and subnet to connect your VM to.
    • Under Public IP address, keep Auto for the VM to get a random external IP address from the Yandex Cloud pool, or select a static address from the list if you had reserved one.

  8. Under Access, select SSH key and specify the VM access credentials:

    • In the Login field, enter the username. Do not use root or other names reserved for the OS purposes. To perform operations requiring root privileges, use the sudo command.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no SSH keys in your profile or you want to add a new key:

      1. Click Add key.

      2. Enter a name for the SSH key.

      3. Select one of the following:

        • Enter manually: Paste the contents of the public SSH key. You need to create an SSH key pair on your own.

        • Load from file: Upload the public part of the SSH key. You need to create an SSH key pair on your own.

        • Generate key: Automatically create an SSH key pair.

          When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the /home/<user_name>/.ssh directory. In Windows, unpack the archive to the C:\Users\<user_name>/.ssh directory. You do not need additionally enter the public key in the management console.

      4. Click Add.

      The system will add the SSH key to your organization user profile. If the organization has disabled the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

  9. Under General information, specify the VM name: cisco-router-d.

  10. Under Additional, enable Serial console access.

  11. Click Create VM.

It may take a few minutes to create your VM. When the VM status changes to RUNNING, you can use the serial console.

Set the host name for the router

  1. In the management console, select the folder containing your VM.

  2. Select Compute Cloud.

  3. In the VM list, select cisco-router-d.

  4. Go to the Serial console tab and click Connect.

  5. Wait for the operating system to fully start up.

  6. To switch to privileged mode, run this command in the serial console:

    enable

  7. Enter configuration mode and set the host name for the router:

    conf t
hostname cisco-router

    The router name at the beginning of the command line should change to cisco-router.

Create a user with administrator privileges

Create a user with administrator privileges and password authentication disabled:

In the serial console, run this command:

username test-user privilege 15

Prepare the key

If your public SSH key is longer than 72 characters, split it into chunks of 72 characters each:

  1. In your computer terminal, run this command:

    fold -bw 72 <public_key_file_path>

    This will output your public SSH key split into chunks of 72 characters each.

  2. Save the key hash:

    ssh-keygen -E md5 -lf <public_key_file_path>

Configure authentication using SSH keys

  1. In the serial console, enable VM access over SSH:

    conf t
aaa new-model
   ip ssh server algorithm authentication publickey 
   ip ssh pubkey-chain

  2. Create a user named test-user and provide your public SSH key in the chunks into which you split it at the previous step:

       username test-user
      key-string
         <public_key_row>
         ...
         <public_key_row>
         exit
      exit
   exit
exit

  3. Make sure the key has been added:

    show run | beg ip ssh

    Result:

    ip ssh pubkey-chain
  username test-user
   key-hash ssh-rsa <key_hash> <username_associated_with_this_key>
!
!
...

    Compare the SSH key hash on the router with the key hash on your computer.

  4. In the serial console, enter the password that enables privileged mode:

    cisco-router#configure terminal
cisco-router(config)#enable secret <password>

Check the SSH connection to the router

  1. Log in to the router via SSH by running this command in your computer terminal:

    ssh -i <private_key_file_path> test-user@<router_public_IP_address>

    If the configuration is correct, you will log in to the router as test-user. If these actions produce no connection, make sure the router configuration is correct in the serial console, i.e., check whether you ran the aaa new-model command, the key hashes are identical on your computer and the router, and password authorization is disabled for the test user. If still unable to locate the issue, repeat the previous steps.

  2. Switch to privileged mode. To do this, enter the enable command and your password. If the configuration is correct, you can proceed to configuring the router.

Set up and configure a second VM with a Cisco Cloud Services Router

  1. In the site-b folder, create a VM named cisco-router-b by following the above steps. Select ru-central1-b as its availability zone.
  2. Set up the VM in the same way as the cisco-router-d VM.

Configure the IPSec protocols

Warning

  • The settings are the same on both VMs, except as specifically mentioned.
  • You will configure the protocols in the terminal connected to the VM over SSH, in privileged mode.

  1. Configure the global parameters for IKEv2:

    conf t
crypto logging ikev2
crypto ikev2 nat keepalive 900
crypto ikev2 dpd 10 2 periodic

  2. Configure an IKEv2 proposal:

    crypto ikev2 proposal MY_IKEV2_PROPOSAL
   encryption aes-cbc-256
   integrity sha256
   group 2
   exit

  3. Configure an IKEv2 policy:

    crypto ikev2 policy MY_IKEV2_POLICY
   proposal MY_IKEV2_PROPOSAL
   exit

  4. Set a secret key:

    crypto ikev2 keyring MY_IKEV2_KEYRING
   peer SiteB
   address cisco-router-b
   pre-shared-key <secret_key>
   exit

    crypto ikev2 keyring MY_IKEV2_KEYRING
   peer SiteA
   address cisco-router-d
   pre-shared-key <secret_key>
   exit

    Where:

    • <secret_key>: Encryption key that is at least 16 characters long, e.g., MySecretKey12345. Use the same key on both VMs.

  5. Create an IKEv2 profile:

    crypto ikev2 profile MY_IKEV2_PROFILE
   match address local interface GigabitEthernet1
   match identity remote address cisco-router-b
   authentication remote pre-share
   authentication local pre-share
   keyring local MY_IKEV2_KEYRING
   lifetime 28800
   dpd 20 2 periodic
   exit

    crypto ikev2 profile MY_IKEV2_PROFILE
   match address local interface GigabitEthernet1
   match identity remote address cisco-router-d
   authentication remote pre-share
   authentication local pre-share
   keyring local MY_IKEV2_KEYRING
   lifetime 28800
   dpd 20 2 periodic
   exit

    Note

    For testing purposes, you can use the 0.0.0.0 template rather than IP addresses to provide access to any IP.
    You can also set up separate profiles for different peers.

  6. Add the IKEv2 profile to the IPsec profile:

    crypto ipsec transform-set ESP_AES128_SHA256 esp-aes esp-sha-hmac
   mode tunnel
   exit
crypto ipsec profile MY_IPSEC_PROFILE
   set transform-set ESP_AES128_SHA256
   set ikev2-profile MY_IKEV2_PROFILE
   exit
exit

Create tunnel interfaces

Warning

  • The settings are the same on both VMs, except as specifically mentioned.
  • You will configure the protocols in the terminal connected to the VM over SSH, in privileged mode.

  1. Configure the GRE tunnel:

    conf t
int tu192
   ip address 192.168.0.1 255.255.255.0
   no ip redirects
   no ip proxy-arp
   ip mtu 1400
   ip tcp adjust-mss 1360
   tunnel source GigabitEthernet1
   tunnel destination cisco-router-b
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile MY_IPSEC_PROFILE

    conf t
int tu192
   ip address 192.168.0.2 255.255.255.0
   no ip redirects
   no ip proxy-arp
   ip mtu 1400
   ip tcp adjust-mss 1360
   tunnel source GigabitEthernet1
   tunnel destination cisco-router-d
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile MY_IPSEC_PROFILE

  2. Check whether the tunnel is there:

    show crypto ikev2 sa remote cisco-router-b

    show crypto ikev2 sa remote cisco-router-d

    Result:

    Tunnel-id Local                 Remote                fvrf/ivrf            Status
4         10.128.0.32/4500      51.250.***.***/4500   none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28800/23528 sec

    You can also view tunnel logs by running these commands:

    debug crypto ikev2
conf t
do sh log

Configure routing

Warning

  • The settings are the same on both VMs, except as specifically mentioned.
  • You will configure the protocols in the terminal connected to the VM over SSH, in privileged mode.

  1. To make sure the requests get responses, configure a Loopback interface:

    conf t
int lo10
   ip address 10.1.1.1 255.255.255.255
   exit

    conf t
int lo10
   ip address 10.1.1.2 255.255.255.255
   exit

  2. To enable dynamic routing, configure the Border Gateway Protocol (BGP):

    router bgp 65001
   bgp log-neighbor-changes
   neighbor 192.168.0.2 remote-as 65002
   address-family ipv4
      network 10.1.1.1 mask 255.255.255.255
      neighbor 192.168.0.2 activate
      exit
   exit
exit

    router bgp 65002
   bgp log-neighbor-changes
   neighbor 192.168.0.1 remote-as 65001
   address-family ipv4
      network 10.1.1.2 mask 255.255.255.255
      neighbor 192.168.0.1 activate
      exit
   exit
exit

Test the GRE tunnel

Make sure this resulted in sending and returning the packets. To do this, run this command on the cisco-router-d VM:

ping 10.1.1.2 source lo10

Result:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/11 ms

For GRE tunnel performance diagnostics, you can also run these commands:

show ip int brief
show ip bgp summary
show ip bgp
show ip route bgp

How to delete the resources you created

To stop paying for the resources you created:

  • Delete the VM.
  • Delete the static public IP if you reserved one.
Previous
Cloud infrastructure segmentation with the Check Point next-generation firewall
Next
Creating a bastion host