GRE and GRE over IPSec: Use Cases, Configuration, and Considerations

1. GRE Tunnels

Generic Routing Encapsulation (GRE) is a tunneling protocol that encapsulates a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol internetwork. GRE tunnels are often used to:

Connect disjoint networks across an IP infrastructure.
Transport multicast traffic or routing protocols that are not supported over native IPsec tunnels.
Establish VPNs where IPsec is not feasible or required.

However, GRE tunnels lack inherent security features, making them unsuitable for transmitting sensitive data without additional protection.

2. GRE over IPSec

Combining GRE with IPSec leverages the flexibility of GRE with the security of IPSec. This setup is beneficial when:

Transmitting multicast traffic securely over a VPN.
Running routing protocols across secure tunnels.
Encapsulating non-IP protocols for secure transmission.

In this configuration, GRE encapsulates the original packets, and IPSec provides encryption and authentication for the GRE packets.

3. MTU and TCP MSS Considerations

When implementing GRE or GRE over IPSec tunnels, it's crucial to adjust the Maximum Transmission Unit (MTU) and TCP Maximum Segment Size (MSS) to prevent packet fragmentation, which can degrade performance.

GRE adds an overhead of 24 bytes; IPSec adds additional overhead depending on the encryption and authentication algorithms used.
To accommodate this overhead, reduce the MTU on the tunnel interface accordingly.
Adjust the TCP MSS to ensure that packets do not exceed the reduced MTU, preventing fragmentation.

For example, if the default MTU is 1500 bytes, and GRE adds 24 bytes, set the MTU to 1476 bytes and adjust the TCP MSS to 1436 bytes (1476 - 40 bytes for IP and TCP headers).

4. Configuration on Palo Alto Firewalls

To configure GRE or GRE over IPSec tunnels on Palo Alto Networks firewalls:

Define the tunnel interface and assign it to a virtual router and zone.
Configure the GRE tunnel with the appropriate local and remote tunnel endpoints.
Set the MTU on the tunnel interface to accommodate the GRE and IPSec overhead.
Enable TCP MSS adjustment on the interface to prevent fragmentation.

For detailed configuration steps, refer to the official Palo Alto Networks documentation.

5. PCNSE Exam Considerations

For the Palo Alto Networks Certified Network Security Engineer (PCNSE) exam, understand the following:

Use cases and configurations for GRE and GRE over IPSec tunnels.
Implications of MTU and MSS settings on tunnel performance.
How to configure and troubleshoot GRE and IPSec tunnels on Palo Alto firewalls.

Ensure you're familiar with the concepts and configurations to address related exam questions effectively.