GRE tunnel with IPSec protection
© 2018 NETSHe Lab Ltd
Go to „Network→Interfaces» menu, scroll till „Add interface» box, fill gre tunnel name (.e.g. „tungre0“. First part „tungre“ is mandatory) and press „New“ button.
Tunnel interface page will be open.
Please specify zone for tunnel („Lan“ for most cases), outgoing interface, remote side address (DNS name is not allowed here), type of tunnel, local tunnel addresss and netmask and key for GRE tunnel as shown above.
Press „Save“ button and then return to the same page and switch to the tab „Routes through interface“.
Press „Plus“ icon and specify route to remote network which shall reachable through this tunnel.
Configuration of GRE tunnel is completed.
Please configure GRE tunnel at remote device accordingly (local netmask must be the same; local address must be different but from the same network; remote address must point to configured device; route must point to reliable network).
IPSec configuration stage is similar to another IPSec setups except local network value.
Go to „Network→Interfaces» menu, scroll till „Add interface» box, fill ipsec tunnel name (.e.g. „tunipsec0“. First part „tunipsec“ is mandatory) and press „New“ button.
You will be redirected to ipsec tunnel configuration page.
Specify outgoing interface for IPSec tunnel (must be the same as for configured GRE tunnel), specify remote side address (must be the same as for configured GRE tunnel), fill „gre“ as „local network to route through tunnel“, do not fill „remote network…“, specify another IPSec related values.
Press „Save“ button and reboot device.
Repeat the same configuration steps on remote side.
Troubleshooting in this case can be divided to two parts:
Troubleshooting of GRE tunnel contains verification for correct local addresses and netmask, zone, firewall rules for zone, outgoing interface, remote side address, routing rules and similar tunnel key.
With correct settings, packets from local network which routes through GRE tunnel, must reach existing adress on remote side (ping with correct local and destination addresses must be going through).
Please follow our IPSec troubleshooting guide with remarks below for IPSec troubleshooting.
Correctly configured GRE tunnels will pass traffic according to routes without IPSec tunnel too.
Thus, we recommend to setup GRE tunnel for first time, reboot device and debug packet exchange.
When you have got traffic exchange, you may shift to configure IPSec protection.
IPSec tunnel will be established „on denamd“. States „INSTALLED“ and „ESTABLISHED“ will be reached only when traffic is going through tunnel.