What are GRE Tunnels?

Beverly McRae

Generic Routing Encapsulation (GRE) tunnels can be used to create a connection between two private networks. Most CradlePoint routers are enabled for both GRE and VPN tunnels. GRE tunnels are simpler to configure and more flexible for different kinds of packet exchanges, but VPN tunnels are much more secure.


In order to set up a tunnel you must configure the following:

  • Local Network and Remote Network addresses for the “Glue Network,” the network that is created by the administrator that serves as the “glue” between the networks of the tunnel. Each address must be a different IP address from the same private network, and these addresses together form the endpoints of the tunnel.
  • Remote Gateway, the public facing WAN IP address that the local gateway is going to connect to.
  • Routes that allow you to configure what network traffic from local host(s) will be allowed through the tunnel.
  • Optionally, you might also want to enable the tunnel Keep Alive feature to monitor the status of a tunnel and more accurately determine if the tunnel is alive or not.

Optionally, you might also want to enable the tunnel Keep Alive feature to monitor the status of a tunnel and more accurately determine if the tunnel is alive or not.

Click Add to configure a new GRE tunnel; click Edit to make changes to an existing tunnel.

Add/Edit Tunnel – General


Tunnel Name: Give the tunnel a name that uniquely identifies it.

Tunnel Key: Enables an ID key for a GRE tunnel, which can be used as an identifier for mGRE (Multipoint GRE).

Local Network: This is the local side of the “Glue Network,” a network created by the administrator to form the tunnel. The user creates the IP address inputted here. It must be different from the IP addresses of the networks it is gluing together. Choose any private IP address from the following three ranges that doesn’t match either network:

  • –
  • –
  • –

Remote Network: This is the remote side of the “Glue Network.” Again, the user must create an IP address that is distinct from the IP addresses of the networks that are being glued together. The Remote Network and Local Network values will be flipped when inputted for the other side of the tunnel configuration.

Subnet Mask: This is the subnet mask for the Glue Network. The Local and Remote Network addresses must fit with this mask. is a logical choice for most users.

Remote Gateway: This is the public facing, WAN-side IP address of the network that the local gateway is going to connect to.

TTL: Set the Time to Live (TTL), or hop limit, for the GRE tunnel.

MTU: Set the maximum transmission unit (MTU) for the GRE tunnel.

WAN Binding: WAN Binding is an optional parameter used to configure the GRE tunnel to ONLY operate when the specified WAN device(s) are available and connected. An example use case is when there is a router with both a primary and failover WAN device and the tunnel should only be used when the system has failed over to the backup connection.

Make a selection for “When,” “Condition,” and “Value” to create a WAN Binding. The condition will be in the form of these examples:

PortisUSB Port 1
Typeis notWiMAX
  • When:
    • Port – Select by the physical port on the router that you are plugging the modem into (e.g., “USB Port 2”).
    • Manufacturer – Select by the modem manufacturer (e.g., “CradlePoint Inc.”).
    • Model – Set your rule according to the specific model of modem.
    • Type – Select by type of Internet source (Ethernet, LTE, Modem, Wireless as WAN, WiMAX).
    • Serial Number – Select a 3G or LTE modem by the serial number.
    • MAC Address – Select a WiMAX modem by MAC Address.
    • Unique ID – Select by ID. This is generated by the router and displayed when the device is connected to the router.
  • Condition: Select “is,” “is not,” “starts with,” “contains,” or “ends with” to create your condition’s statement.
  • Value: If the correct values are available, select from the dropdown list. You may need to manually input the value.

Invert WAN Binding: Advanced option that inverts the meaning of WAN Binding to only establish this tunnel when the specified WAN Binding device(s) are NOT connected.

Tunnel Enabled: Select to activate the tunnel.

Add/Edit Tunnel – Routes

Adding routes allows you to configure what types of network traffic from the local host or hosts will be allowed through the tunnel.


Click Add Route to configure a new route. You will need to input the following information, defined by the remote network:

  • Network Address – This is the network address that is the destination of the route. This should be set to the network address at the remote side of the tunnel.
  • Netmask – This is the corresponding subnet mask of the network being defined (Default:

You can set the tunnel to connect to a range of IP addresses or to a single IP address. For example, you could input and255.255.255.0 to connect your tunnel to all the addresses of the remote network in the 192.168.0.x range. Alternatively, you could select a single address by inputting that address along with a Netmask of

Add/Edit Tunnel – Keep Alive

GRE keep-alive packets can be enabled to be sent through the tunnel in order to monitor the status of the tunnel and more accurately determine if the tunnel is alive or not.

GRE keep-alive packets may be sent from both sides of a tunnel, or from just one side.


Enabled: Select to enable GRE Keep Alive to continually send keep-alive packets to the remote peer.

Rate: Choose the length of time in seconds for each check (Default: 10 seconds. Range: 2 – 3600 seconds).

Retry: Select the number of attempts before the GRE tunnel is considered down or up (Default: 3. Range: 1 – 255).

Failover Tunnel and Failback Tunnel: Use these settings to create two tunnels – one as the primary tunnel and one as the backup tunnel. To configure tunnel failover/failback, complete the following steps:

  1. Create two tunnels: one for primary and one for backup. Make sure both tunnels have Keep Alive enabled.
  2. Choose one to be the primary tunnel. Open the editor for this tunnel and make sure Tunnel Enabled is selected. Then go to the Keep Alive page. Under Failover, Tunnel select the other tunnel you have created.
  3. Open the editor for the failover tunnel. Make sure Tunnel Enabled is not selected. On the Keep Alive page, set the Failback Tunnel to your primary tunnel.
Share Article: