An IPSec virtual private network (VPN) is used to provide secure IP communication between two endpoints, but it can only encrypt and transmit unicast data; it cannot encrypt and transmit voice, video, dynamic routing protocol information and other multicast traffic. Generic Routing Encapsulation (GRE) provides a mechanism to encapsulate the packets of one protocol inside the packets of another protocol; it is a tunnel encapsulation technology. GRE can encapsulate multicast data and can be combined with IPSec to secure voice, video and other multicast services.
GRE can be used to encapsulate the packets of some network layer protocols, such as IPX, so that these encapsulated packets can be transmitted over another network layer protocol. GRE is a Layer 3 tunneling protocol for virtual private networks, that is, the tunnel is built between protocol layers.
GRE itself does not support encryption, so traffic transmitted through a GRE tunnel is not encrypted. Combining IPSec with GRE, we first establish a GRE tunnel to encapsulate the packet, and then establish an IPSec tunnel to encrypt it, which ensures the integrity and confidentiality of the transmitted packet.
When GRE encapsulates a packet, the packet before encapsulation is called the payload, and the protocol of that packet is called the passenger protocol. GRE then adds the GRE header and becomes the encapsulation protocol, also known as the delivery protocol. Finally, the protocol responsible for forwarding the encapsulated packet is called the transport protocol.
Keepalive Detection Mechanism of GRE
The keepalive detection function checks whether the tunnel link is alive, that is, whether the remote end of the tunnel is reachable. If it is not, the tunnel connection is closed promptly to avoid creating a data black hole. Once keepalive detection is enabled, the local end of the GRE tunnel periodically sends keepalive detection packets to the remote end. If the remote end is reachable, the local end receives its response packets; if the remote end is unreachable, no response packets arrive.
After keepalive detection is enabled, the GRE tunnel creates a counter and periodically sends keepalive detection packets. If the source receives a response before the counter reaches the preset value, the remote end is reachable; otherwise it is considered unreachable, and the tunnel connection at the source end is closed.
GRE Security Options
To improve the security of a GRE tunnel, GRE also allows the user to configure an identification key (the Key field) on the tunnel interface and to perform end-to-end verification of the packets encapsulated in the tunnel.
Key verification is verification of the tunnel interface. This mechanism prevents packets from other devices from being accepted by mistake. If the Key Present (K) bit in the GRE header is set to 1, both the sender and the receiver verify the tunnel identification key. Only when the identification keys configured at both ends of the tunnel are identical does the packet pass verification; otherwise it is discarded.
If the Checksum Present (C) bit in the GRE header is set to 1, the Checksum field is valid. The sender calculates the checksum over the GRE header and the payload and sends the packet containing the checksum to the remote end. The receiver calculates the checksum of the received packet and compares it with the checksum carried in the packet. If they match, the packet is processed further; otherwise it is discarded.
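The key and checksum checks described above, as an added example that is not part of the original article: a minimal GRE encapsulator and a receiver that discards packets whose Key field does not match the locally configured key or whose checksum (one's-complement sum over GRE header plus payload, per RFC 2784/2890) does not verify. Sample payloads and key values are constructed for illustration.

```python
import struct
from typing import Optional, Tuple

# Flag bits in the first 16-bit word of the GRE header (RFC 2784 / RFC 2890).
FLAG_CHECKSUM = 0x8000  # C bit: Checksum and Reserved1 fields are present
FLAG_KEY = 0x2000       # K bit: Key field is present
FLAG_SEQ = 0x1000       # S bit: Sequence Number field is present

def ones_complement_sum(data: bytes) -> int:
    """IP-style 16-bit one's-complement checksum over data (zero-padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_gre(payload: bytes, proto: int = 0x0800, key: Optional[int] = None,
              with_checksum: bool = False) -> bytes:
    """Sender side: prepend a GRE header, optionally carrying Key and Checksum."""
    flags = (FLAG_CHECKSUM if with_checksum else 0) | (FLAG_KEY if key is not None else 0)
    hdr = struct.pack("!HH", flags, proto)
    if with_checksum:
        hdr += struct.pack("!HH", 0, 0)      # Checksum is zero while it is computed
    if key is not None:
        hdr += struct.pack("!I", key)
    if with_checksum:
        csum = ones_complement_sum(hdr + payload)   # covers GRE header + payload
        hdr = hdr[:4] + struct.pack("!HH", csum, 0) + hdr[8:]
    return hdr + payload

def receive_gre(packet: bytes, expected_key: Optional[int]) -> Tuple[bool, str, bytes]:
    """Receiver side: returns (accepted, reason, payload); mismatches are discarded."""
    if len(packet) < 4:
        return False, "short header", b""
    flags, _proto = struct.unpack("!HH", packet[:4])
    offset = 4
    if flags & FLAG_CHECKSUM:
        # Checksum field is valid only when C=1; recompute with that field zeroed.
        recv_csum = struct.unpack("!H", packet[4:6])[0]
        if ones_complement_sum(packet[:4] + b"\x00\x00" + packet[6:]) != recv_csum:
            return False, "checksum mismatch", b""
        offset += 4
    if flags & FLAG_KEY:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
        if key != expected_key:
            return False, "key mismatch", b""
    elif expected_key is not None:
        return False, "key missing", b""     # local end requires a key, none carried
    if flags & FLAG_SEQ:
        offset += 4
    return True, "ok", packet[offset:]
```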