on 11-16-2022 10:00 AM - edited on 11-15-2024 02:23 PM by emgarcia
This article is based on a discussion, How to Configure GRE over IPSEC?, posted by @ZhouYu. Read on to see the solution!
Hello
Some implementations require multicast traffic to be encapsulated before IPSec encrypts it. If this is a requirement for your environment and the GRE tunnel and IPSec tunnel share the same IP address, add GRE Encapsulation when you set up the IPSec tunnel.
PAN-OS TechDocs: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/gre-tunnels/gre-tunnel-overview...
How do you configure GRE over IPSEC?
How to configure?
Hi all! There is a working version of this GRE over IPSec.
According to the official manual from Palo Alto Networks, there are 2 options for creating this bundle: the first is when the source and destination addresses are the same (as in my case), and the second is when the source and destination addresses are different.
Let's start setting up:
Side A:
PanOS 10.2
WAN: 10.10.2.50
LAN: 192.168.50.0/24
VTI IP: 10.200.200.1/30
Side B:
Mikrotik:
RouterOS 7.6
WAN: 10.10.2.60
LAN: 192.168.10.0/24
GRE IP: 10.200.200.2/30
--------------------------------
Let's start with PaloAlto:
Create a tunnel (for example 1), add it to the default router and register the IP address 10.200.200.1/30 on it. Next, we create IKE Crypto, IPsec Crypto with the settings that you need.
Create IKE Gateways (I use IKEv2 only mode), then specify Local IP Address 10.10.2.50/24 and Peer Address 10.10.2.60, specify PSK, specify Local Identification 10.10.2.50 and Peer Identification 10.10.2.60. Also do not forget to specify IKE Crypto Profile on the Advanced Options tab.
Next, we proceed to configuring IPsec Tunnels:
Select the previously created tunnel 1
Select the previously created IKE Gateway
Select Show Advanced Options and select Add GRE Encapsulation
Go to the Proxy IDs tab and add the IP addresses of our external interfaces:
Local 10.10.2.50 Remote 10.10.2.60
Don't forget to specify routes:
Virtual Router -> Static Routes:
add ->
Destination 192.168.10.0/24
Interface tunnel 1
Next Hop IP Address 10.200.200.2
Commit
----------------------------
Moving on to Mikrotik:
Interfaces -> GRE Tunnel
Creating a GRE tunnel
Specify Local Address 10.10.2.60
Specify Remote Address 10.10.2.50
OK
Next, add the IP address to the interface:
IP -> Addresses
add 10.200.200.2/30
ok
Moving on to creating IPsec:
IP -> IPSec
Creating a Profile
We specify the data we need
Creating Identities:
Specify the PSK
My ID Type Auto
Remote ID Type Auto
Creating Peers:
Specify Address: 10.10.2.50 (IP Address of party A)
Local Address: 10.10.2.60
Specify IKE profile
Exchange Mode IKE2
Creating a Proposal:
We specify the data we need
Creating Policies:
Specifying Peer
Select Tunnel
Src.Address 10.10.2.60
Dst.Address 10.10.2.50
Protocol 255(all)
On the Action tab, do not forget to specify the Proposal.
We specify the routes to the network we need (in my case it is 0.0.0.0/0 10.200.200.1 so that there is Internet access in the office via PaloAlto)
Within the current example 192.168.50.0/24 10.200.200.1
Profit.
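An added example, not part of the original post and not PAN-OS or RouterOS code: a small Python check that the addressing in the walkthrough above mirrors correctly on both sides (IKE peer, Proxy ID / policy addresses, tunnel /30, static routes, including the 0.0.0.0/0 variant). The dictionary layout, key names and function names are assumptions of this example.

```python
import ipaddress as ipa

# Addressing from the post. The dict layout and key names are assumptions
# of this example, not a PAN-OS or RouterOS export format.
SIDE_A = {  # Palo Alto
    "wan": "10.10.2.50", "peer": "10.10.2.60", "tunnel_ip": "10.200.200.1/30",
    "lan": "192.168.50.0/24", "selector": ("10.10.2.50", "10.10.2.60"),
    "routes": {"192.168.10.0/24": "10.200.200.2"},
}
SIDE_B = {  # MikroTik
    "wan": "10.10.2.60", "peer": "10.10.2.50", "tunnel_ip": "10.200.200.2/30",
    "lan": "192.168.10.0/24", "selector": ("10.10.2.60", "10.10.2.50"),
    "routes": {"192.168.50.0/24": "10.200.200.1"},
}

def check_side(name, me, other):
    """Return the mismatches found on one side, given the other side's plan."""
    issues = []
    if me["peer"] != other["wan"]:
        issues.append(f"{name}: IKE peer {me['peer']} != remote WAN {other['wan']}")
    # With GRE encapsulation, IPsec protects the GRE packets between the two
    # WAN addresses, so the Proxy ID / policy is (own WAN, remote WAN), not the LANs.
    if tuple(me["selector"]) != (me["wan"], other["wan"]):
        issues.append(f"{name}: selector {me['selector']} is not (own WAN, remote WAN)")
    mine, theirs = ipa.ip_interface(me["tunnel_ip"]), ipa.ip_interface(other["tunnel_ip"])
    if mine.network != theirs.network or mine.ip == theirs.ip:
        issues.append(f"{name}: tunnel IPs {mine} / {theirs} do not form one point-to-point subnet")
    remote_lan, covered = ipa.ip_network(other["lan"]), False
    for dst, hop in me["routes"].items():
        if not remote_lan.subnet_of(ipa.ip_network(dst)):
            continue  # route is for some other destination
        covered = True
        if ipa.ip_address(hop) != theirs.ip:
            issues.append(f"{name}: route {dst} via {hop}, expected {theirs.ip}")
    if not covered:
        issues.append(f"{name}: no route covers remote LAN {remote_lan}")
    return issues

def check_pair(a, b):
    """Check both directions; an empty list means the plans mirror each other."""
    return check_side("A", a, b) + check_side("B", b, a)

if __name__ == "__main__":
    print(check_pair(SIDE_A, SIDE_B) or "addressing is consistent")
```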
Hi @JayGolf
This is an old configuration and this is not working now. When we assign one tunnel interface for both GRE and IPsec, it shows that the configuration is invalid.
So can you share the configuration example again?
Thanks
Al Amin