How to Configure GRE Over IPSEC

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member
No ratings

This article is based on a discussion, How to Configure GRE over IPSEC?, posted by @ZhouYu. Read on to see the solution!

 

Hello 

 

Some implementations require multicast traffic to be encapsulated before IPSec encrypts it. If this is a requirement for your environment and the GRE tunnel and IPSec tunnel share the same IP address, add GRE Encapsulation when you set up the IPSec tunnel.

 

PAN-OS TechDocs: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/gre-tunnels/gre-tunnel-overview...

 

How do you configure GRE over IPSEC?

 

ZhouYu_0-1628158713548.png

 

ZhouYu_1-1628158764675.png

ZhouYu_2-1628158809447.png

 

How to configure?

 

@v.vittih's Accepted Solution:

 

Hi all! There is a working version of this GRE over IPSec.


According to the official manual from Palo Alto Networks, there are 2 options for creating this bundle. In the first case, when the source and destination addresses are the same (as in my case) and the source and destination addresses are different.

Let's start setting up:
Side A:
PanOS 10.2
WAN: 10.10.2.50
LAN: 192.168.50.0/24
VTI IP: 10.200.200.1/30

Side B:
Mikrotik:
RouterOS 7.6
WAN: 10.10.2.60
LAN: 192.168.10.0/24
GRE IP: 10.200.200.2/30

--------------------------------

Let's start with PaloAlto:
Create a tunnel (for example 1), add it to the default router and register the ip address 10.200.200.1/30 on it. Next, we create IKE Crypto, IPsec Crypto with the settings that you need.
Create IKE Gateways (I use IKEv2 only mode), then specify Local IP Address 10.10.2.50/24 and Peer Address 10.10.2.60, specify PSK, specify Local Identification 10.10.2.50 and Peer Identification 10.10.2.60. also do not forget to specify IKE Crypto Profile on the Advanced Options tab:

Next, we proceed to configuring IPsec Tunnels:
Select the previously created tunnel 1
Select the previously created IKE Gateway
Select Show Advanced Options and select Add GRE Encapsulation
Go to the Proxy IDs tab and add the IP addresses of our external interfaces:
Local 10.10.2.50 Remote 10.10.2.60

Don't forget to specify routes:
Virtual Router -> Static Routes:
add ->
Destination 192.168.10.0/24
Interface tunnel 1
Next Hop IP Address
10.200.200.2

Commit

----------------------------

Moving on to Mikrotik:
Interfaces -> GRE Tunnel
Creating a GRE tunnel
Specify Local Address 10.10.2.60
Specify Remote Address 10.10.2.50
OK
Next, add the IP address to the interface:
IP -> Addresses
add 10.200.200.2/30
ok
Moving on to creating IPsec:
IP-> IPSec

Creating a Profile
We specify the data we need

Creating Identites:
Specify the PSK
My ID Type Auto
Remote ID Type Auto

Creating Peers:
Specify Address: 10.10.2.50 (IP Address of party A)
Local Address: 10.10.2.60
Specify IKE profile
Exchange Mode IKE2

Creating a Proposal:
We specify the data we need

Creating Policies:
Specifying Peer
Select Tunnel
Src.Address 10.10.2.60
Dst.Address 10.10.2.50
Protocol 255(all)
On the Action tab, do not forget to specify the Proposal.
We specify the routes to the network we need (in my case it is 0.0.0.0/0 10.200.200.1 so that there is Internet access in the office via PaloAlto)
Within the current example 192.168.50.0/24 10.200.200.1
Profit.

Rate this article:
Comments
L1 Bithead

Hi @JayGolf

This is old configuration and this is not working now. When we assign one tunnel interface for both GRE and ipsec then it shows that configuration is invalid.

 

So can you share the configuration example again?

 

Thanks

Al Amin

  • 2974 Views
  • 1 comments
  • 1 Likes
Register or Sign-in
Labels
Article Dashboard
Version history
Last Updated:
‎11-15-2024 02:23 PM
Updated by: