How to configure gre over ipsec?


L2 Linker

Hello 

 

For example, some implementations require multicast traffic to be encapsulated before IPSec encrypts it. If this is a requirement for your environment and the GRE tunnel and IPSec tunnel share the same IP address, Add GRE Encapsulation when you set up the IPSec tunnel.

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/gre-tunnels/gre-tunnel-overview...

How to configure gre over ipsec?


How to configure?

 

 

Accepted Solutions

L0 Member

Hi all! There is a working version of this GRE over IPSec.
According to the official manual from PaloAlto, there are 2 options for creating this bundle: the first, when the source and destination addresses are the same (as in my case), and the second, when the source and destination addresses are different.

Let's start setting up:
Side A:
PanOS 10.2
WAN: 10.10.2.50
LAN: 192.168.50.0/24
VTI IP: 10.200.200.1/30

Side B:
Mikrotik:
RouterOS 7.6
WAN: 10.10.2.60
LAN: 192.168.10.0/24
GRE IP: 10.200.200.2/30

--------------------------------

Let's start with PaloAlto:
Create a tunnel (for example 1), add it to the default router and register the ip address 10.200.200.1/30 on it. Next, we create IKE Crypto, IPsec Crypto with the settings that you need.
Create IKE Gateways (I use IKEv2 only mode), then specify Local IP Address 10.10.2.50/24 and Peer Address 10.10.2.60, specify PSK, specify Local Identification 10.10.2.50 and Peer Identification 10.10.2.60. Also do not forget to specify IKE Crypto Profile on the Advanced Options tab.

Next, we proceed to configuring IPsec Tunnels:
Select the previously created tunnel 1
Select the previously created IKE Gateway
Select Show Advanced Options and select Add GRE Encapsulation
Go to the Proxy IDs tab and add the IP addresses of our external interfaces:
Local 10.10.2.50 Remote 10.10.2.60

Don't forget to specify routes:
Virtual Router -> Static Routes:
add ->
Destination 192.168.10.0/24
Interface tunnel 1
Next Hop IP Address
10.200.200.2

Commit

----------------------------

Moving on to Mikrotik:
Interfaces -> GRE Tunnel
Creating a GRE tunnel
Specify Local Address 10.10.2.60
Specify Remote Address 10.10.2.50
OK
Next, add the IP address to the interface:
IP -> Addresses
add 10.200.200.2/30
ok
Moving on to creating IPsec:
IP -> IPSec

Creating a Profile
We specify the data we need

Creating Identities:
Specify the PSK
My ID Type Auto
Remote ID Type Auto

Creating Peers:
Specify Address: 10.10.2.50 (IP Address of party A)
Local Address: 10.10.2.60
Specify IKE profile
Exchange Mode IKE2

Creating a Proposal:
We specify the data we need

Creating Policies:
Specifying Peer
Select Tunnel
Src.Address 10.10.2.60
Dst.Address 10.10.2.50
Protocol 255(all)
On the Action tab, do not forget to specify the Proposal.
We specify the routes to the network we need (in my case it is 0.0.0.0/0 10.200.200.1 so that there is Internet access in the office via PaloAlto)
Within the current example 192.168.50.0/24 10.200.200.1
Profit.
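
A consistency check for the two-sided plan in the post above, added here as an example and not part of the original post or of either vendor's tooling. It confirms that each side's GRE outer addresses fall inside that side's IPsec selector (Proxy ID on PAN-OS, Policy on RouterOS), that the selectors mirror each other, and that tunnel addressing and routes line up; the dictionary layout and function names are assumptions, the addresses are the ones from the post.

```python
import ipaddress as ip

# Addresses copied from the accepted answer; the dict layout and key names
# are assumptions made for this example.
SIDE_A = {  # PAN-OS 10.2
    "wan": "10.10.2.50", "peer": "10.10.2.60",
    "tunnel_ip": "10.200.200.1/30",
    "selector": ("10.10.2.50", "10.10.2.60"),  # Proxy ID: local, remote
    "gre": ("10.10.2.50", "10.10.2.60"),       # GRE outer source, destination
    "lan": "192.168.50.0/24",
    "routes": {"192.168.10.0/24": "10.200.200.2"},
}
SIDE_B = {  # RouterOS 7.6
    "wan": "10.10.2.60", "peer": "10.10.2.50",
    "tunnel_ip": "10.200.200.2/30",
    "selector": ("10.10.2.60", "10.10.2.50"),  # Policy: Src.Address, Dst.Address
    "gre": ("10.10.2.60", "10.10.2.50"),       # GRE Local Address, Remote Address
    "lan": "192.168.10.0/24",
    "routes": {"192.168.50.0/24": "10.200.200.1"},
}

def nets(pair):
    """Parse a (local, remote) pair; a bare host address becomes a /32."""
    return tuple(ip.ip_network(p) for p in pair)

def check_pair(a, b):
    """Return findings for both sides; an empty list means they agree."""
    out = []
    for name, me, other in (("A", a, b), ("B", b, a)):
        local, remote = nets(me["selector"])
        src, dst = (ip.ip_address(x) for x in me["gre"])
        if src not in local or dst not in remote:
            out.append(f"{name}: GRE outer packet does not match the IPsec selector")
        if nets(me["selector"]) != nets(other["selector"])[::-1]:
            out.append(f"{name}: selectors are not a mirror of the peer's")
        if me["peer"] != other["wan"]:
            out.append(f"{name}: IKE peer address is not the other side's WAN")
        mine, theirs = ip.ip_interface(me["tunnel_ip"]), ip.ip_interface(other["tunnel_ip"])
        if mine.network != theirs.network or mine.ip == theirs.ip:
            out.append(f"{name}: tunnel addresses do not share one subnet")
        far_lan = ip.ip_network(other["lan"])
        hops = [h for d, h in me["routes"].items() if far_lan.subnet_of(ip.ip_network(d))]
        if not hops or any(ip.ip_address(h) != theirs.ip for h in hops):
            out.append(f"{name}: no route to the far LAN via the peer's tunnel IP")
    return out

if __name__ == "__main__":
    print(check_pair(SIDE_A, SIDE_B) or "both sides consistent")
```
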


7 REPLIES 7

L0 Member

Hello,

Pleased to see your issue as I think I have the same problem, I am also confused and in need of light on this same issue. Need help tellthebell.

L7 Applicator

In that same document but in the next section is a whole area on configuring GRE: 

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/gre-tunnels/create-a-gre-tunnel...

 

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Hello Jdelio

 

This is for configuring a GRE tunnel, but I need to configure GRE over IPsec.

L0 Member

Should the GRE interface be on the PA side or will it be sufficient on the other side, for example on the Mikrotik or Cisco side?

Has anyone configured GRE over IPSEC between PA and Mikrotik? Please share an example of a working configuration.

Did you find a solution?

Hi Vittih,

 

Kindly let us know the GRE encapsulation configuration part. We followed the steps and the GRE tunnel is showing up, and encapsulation is happening in the GRE tunnel, but it is not reaching the IPSec VPN and encryption is showing 0 in PaloAlto IPSEC. We followed all the steps, but still the IPSEC tunnel is up, the GRE tunnel is also up, but encapsulation is not happening. Any suggestion would be appreciated.
