How to Configure GRE Over IPSEC

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member
No ratings

This article is based on a discussion, How to Configure GRE over IPSEC?, posted by @ZhouYu. Read on to see the solution!




Some implementations require multicast traffic to be encapsulated before IPSec encrypts it. If this is a requirement for your environment and the GRE tunnel and IPSec tunnel share the same IP address, add GRE Encapsulation when you set up the IPSec tunnel.


PAN-OS TechDocs:


How do you configure GRE over IPSEC?







How to configure?


@v.vittih's Accepted Solution:


Hi all! There is a working version of this GRE over IPSec.

According to the official manual from Palo Alto Networks, there are 2 options for creating this bundle. In the first case, when the source and destination addresses are the same (as in my case) and the source and destination addresses are different.

Let's start setting up:
Side A:
PanOS 10.2

Side B:
RouterOS 7.6


Let's start with PaloAlto:
Create a tunnel (for example 1), add it to the default router and register the ip address on it. Next, we create IKE Crypto, IPsec Crypto with the settings that you need.
Create IKE Gateways (I use IKEv2 only mode), then specify Local IP Address and Peer Address, specify PSK, specify Local Identification and Peer Identification also do not forget to specify IKE Crypto Profile on the Advanced Options tab:

Next, we proceed to configuring IPsec Tunnels:
Select the previously created tunnel 1
Select the previously created IKE Gateway
Select Show Advanced Options and select Add GRE Encapsulation
Go to the Proxy IDs tab and add the IP addresses of our external interfaces:
Local Remote

Don't forget to specify routes:
Virtual Router -> Static Routes:
add ->
Interface tunnel 1
Next Hop IP Address



Moving on to Mikrotik:
Interfaces -> GRE Tunnel
Creating a GRE tunnel
Specify Local Address
Specify Remote Address
Next, add the IP address to the interface:
IP -> Addresses
Moving on to creating IPsec:
IP-> IPSec

Creating a Profile
We specify the data we need

Creating Identites:
Specify the PSK
My ID Type Auto
Remote ID Type Auto

Creating Peers:
Specify Address: (IP Address of party A)
Local Address:
Specify IKE profile
Exchange Mode IKE2

Creating a Proposal:
We specify the data we need

Creating Policies:
Specifying Peer
Select Tunnel
Protocol 255(all)
On the Action tab, do not forget to specify the Proposal.
We specify the routes to the network we need (in my case it is so that there is Internet access in the office via PaloAlto)
Within the current example

Rate this article:
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎11-16-2022 10:00 AM
Updated by: