Setting up a GRE over IPsec tunnel between RUTOS devices
Introduction
This article provides a configuration example with details on how to configure a GRE over IPsec connection between two RUTOS devices.
The information in this page is updated in accordance with firmware version 00.07.14.2
Prerequisites
- Two Teltonika routers/gateways with RUTOS support.
- Both devices must have WAN access with a static public IP.
- At least one end device (PC, Laptop) to configure the routers.
Configuration scheme

GRE tunnel configuration
First we will establish a GRE tunnel between our devices.
Router 1 GRE configuration
- Login to the Router 1 device's WebUI, navigate to the Services → VPN → GRE page.
- Add a new GRE1 instance by entering custom New configuration name and clicking Add button.
- A configuration window should appear. Configure the GRE instance accordingly:
- Enabled - ON.
- Tunnel source - select the network interface with Public IP which is used to establish GRE tunnel.
- Remote endpoint IP address - Public IP address of remote (Router 2) device.
- MTU - 1476
- Outbound key - 12345 (must match other device's Inbound key)
- Inbound key - 54321 (must match other device's Outbound key)
- Keep alive - ON
- Local GRE interface IP address - 10.0.0.1
- Local GRE interface IP netmask - 255.255.255.248
Under the routing settings:
- Click on "Add" button
- Remote subnet IP address - 192.168.4.0
- Remote subnet netmask - 255.255.255.0
- Click on "Save & Apply"

Router 2 GRE configuration
Router 2 configuration as very similar except for IP addresses. Create a new GRE2 instance and configure accordingly:
- Enabled - ON.
- Tunnel source - select the network interface with Public IP which is used to establish GRE tunnel.
- Remote endpoint IP address - Public IP address of remote (Router 1) device.
- MTU - 1476
- Outbound key - 12345 (must match other device's Inbound key)
- Inbound key - 54321 (must match other device's Outbound key)
- Keep alive - ON
- Local GRE interface IP address - 10.0.0.2
- Local GRE interface IP netmask - 255.255.255.0
Under the routing settings:
- Click on "Add" button
- Remote subnet IP address - 192.168.2.0
- Remote subnet netmask - 255.255.255.0
- Click on "Save & Apply"

Testing GRE tunnel
Connect to either device's CLI and run command route. You should be able to see routes created for the GRE tunnel interface:
Remote LAN IP should be reachable:
IPsec configuration
Now we will setup an IPsec connection between our devices to encrypt all data going through the GRE tunnel. This configuration will work as a kill switch too as it will automatically disable GRE tunnel in case IPsec connection goes down.
Router 1 IPsec configuration
- Navigate to the Services → VPN → IPsec page and add a new IPSec1 instance.
- In the new window, configure accordingly:
- Enabled - ON.
- Remote endpoint - public IP address of remote (Router 2) device. Only one side needs to have this configured
- Authentication method - Pre-shared key
- Pre shared key - ipsectest (must match on both devices)
- Connection Settings → General Settings section:
- Type - Transport
- Bind to - GRE1 (GRE)
- Connection Settings → Advanced Settings section:
- Locally allowed protocols - gre
- Remotely allowed protocols - gre
- Proposal Settings can be configured personally, but must match on both devices.
Router 2 IPsec configuration
Router 2 configuration is identical to Router 1 configuration, except for:
2.2. Remote endpoint - you may leave empty or enter Router 1 WAN IP.
3.2. Bind to - GRE2 (GRE)
Testing GRE over IPsec
Connect to either device's CLI and use command swanctl -L, you should see IPsec tunnel via GRE interface is established.
Sometimes end devices might be unreachable even though GRE over IPsec connection is successfully established, to resolve this it might be needed to renew DHCP lease of end device or if it has multiple network adapters then increase metric priority of default gateway associated with RUT device.