Setting up a GRE over IPsec tunnel between RUTOS devices

Main Page > General Information > Configuration Examples > VPN > Setting up a GRE over IPsec tunnel between RUTOS devices

Introduction

This article provides a configuration example with details on how to configure a GRE over IPsec connection between two RUTOS devices.

The information in this page is updated in accordance with firmware version 00.07.14.2

Prerequisites

Two Teltonika routers/gateways with RUTOS support.
Both devices must have WAN access with a static public IP.
At least one end device (PC, Laptop) to configure the routers.

Configuration scheme

GRE tunnel configuration

First we will establish a GRE tunnel between our devices.

Router 1 GRE configuration

Login to the Router 1 device's WebUI, navigate to the Services → VPN → GRE page.
Add a new GRE1 instance by entering custom New configuration name and clicking Add button.

A configuration window should appear. Configure the GRE instance accordingly:

Enabled - ON.
Tunnel source - select the network interface with Public IP which is used to establish GRE tunnel.
Remote endpoint IP address - Public IP address of remote (Router 2) device.
MTU - 1476
Outbound key - 12345 (must match other device's Inbound key)
Inbound key - 54321 (must match other device's Outbound key)
Keep alive - ON
Local GRE interface IP address - 10.0.0.1
Local GRE interface IP netmask - 255.255.255.248

Under the routing settings:

Click on "Add" button
Remote subnet IP address - 192.168.4.0
Remote subnet netmask - 255.255.255.0
Click on "Save & Apply"

Router 2 GRE configuration

Router 2 configuration as very similar except for IP addresses. Create a new GRE2 instance and configure accordingly:

Enabled - ON.
Tunnel source - select the network interface with Public IP which is used to establish GRE tunnel.
Remote endpoint IP address - Public IP address of remote (Router 1) device.
MTU - 1476
Outbound key - 12345 (must match other device's Inbound key)
Inbound key - 54321 (must match other device's Outbound key)
Keep alive - ON
Local GRE interface IP address - 10.0.0.2
Local GRE interface IP netmask - 255.255.255.0

Under the routing settings:

Click on "Add" button
Remote subnet IP address - 192.168.2.0
Remote subnet netmask - 255.255.255.0
Click on "Save & Apply"

Testing GRE tunnel

Connect to either device's CLI and run command route. You should be able to see routes created for the GRE tunnel interface:

Remote LAN IP should be reachable:

IPsec configuration

Now we will setup an IPsec connection between our devices to encrypt all data going through the GRE tunnel. This configuration will work as a kill switch too as it will automatically disable GRE tunnel in case IPsec connection goes down.

Router 1 IPsec configuration

Navigate to the Services → VPN → IPsec page and add a new IPSec1 instance.
In the new window, configure accordingly:

Enabled - ON.
Remote endpoint - public IP address of remote (Router 2) device. Only one side needs to have this configured
Authentication method - Pre-shared key
Pre shared key - ipsectest (must match on both devices)

Connection Settings → General Settings section:

Type - Transport
Bind to - GRE1 (GRE)

Connection Settings → Advanced Settings section:

Locally allowed protocols - gre
Remotely allowed protocols - gre

Proposal Settings can be configured personally, but must match on both devices.

Router 2 IPsec configuration

Router 2 configuration is identical to Router 1 configuration, except for:

2.2. Remote endpoint - you may leave empty or enter Router 1 WAN IP.

3.2. Bind to - GRE2 (GRE)

Testing GRE over IPsec

Connect to either device's CLI and use command swanctl -L, you should see IPsec tunnel via GRE interface is established.

Sometimes end devices might be unreachable even though GRE over IPsec connection is successfully established, to resolve this it might be needed to renew DHCP lease of end device or if it has multiple network adapters then increase metric priority of default gateway associated with RUT device.