Setting up a GRE over IPsec tunnel between RUTOS devices

From Teltonika Networks Wiki

Introduction

This article provides a configuration example with details on how to configure a GRE over IPsec connection between two RUTOS devices.

The information in this page is updated in accordance with the R_00.07.01 firmware version.


If you're having trouble finding this page or some of the parameters described here on your device's WebUI, you should turn on "Advanced WebUI" mode. You can do that by clicking the "Basic" button under "Mode", which is located at the top-right corner of the WebUI.


Prerequisites

  • Two Teltonika routers/gateways with RUTOS support.
  • Both devices must have WAN access with a static public IP.
  • At least one end device (PC, Laptop) to configure the routers.

Configuration scheme

[Image: GRE over IPsec configuration scheme]

GRE tunnel configuration

First, we will establish a GRE tunnel between our devices.

Router 1 GRE configuration


  1. Log in to the Router 1 device's WebUI and navigate to the Services → VPN → GRE page.
  2. Add a new GRE1 instance by entering a custom name in the New configuration name field and clicking the Add button.
  3. A configuration window should appear. Configure the GRE instance accordingly:
    1. Enabled - ON.
    2. Tunnel source - select the network interface with the public IP that is used to establish the GRE tunnel.
    3. Remote endpoint IP address - public IP address of the remote (Router 2) device.
    4. MTU - 1476
    5. Outbound key - 12345 (must match other device's Inbound key)
    6. Inbound key - 12345 (must match other device's Outbound key)
    7. Keep alive - ON
    8. Local GRE interface IP address - 10.0.0.1
    9. Local GRE interface IP netmask - 255.255.255.0
    10. Remote subnet IP address - 192.168.4.0
    11. Remote subnet netmask - 255.255.255.0


Router 2 GRE configuration


Router 2 configuration is very similar except for the IP addresses. Create a new GRE2 instance and configure it accordingly:

  1. Enabled - ON.
  2. Tunnel source - select the network interface with the public IP that is used to establish the GRE tunnel.
  3. Remote endpoint IP address - public IP address of the remote (Router 1) device.
  4. MTU - 1476
  5. Outbound key - 12345 (must match other device's Inbound key)
  6. Inbound key - 12345 (must match other device's Outbound key)
  7. Keep alive - ON
  8. Local GRE interface IP address - 10.0.0.2
  9. Local GRE interface IP netmask - 255.255.255.0
  10. Remote subnet IP address - 192.168.2.0
  11. Remote subnet netmask - 255.255.255.0


Testing GRE tunnel

Connect to either device's CLI and run the ifconfig command. The local GRE interface should be up.

The remote GRE tunnel IP and the remote LAN IP should be reachable.

IPsec configuration

Now we will set up an IPsec connection between our devices to encrypt all data going through the GRE tunnel. This configuration also works as a kill switch: it automatically disables the GRE tunnel if the IPsec connection goes down.

Router 1 IPsec configuration


  1. Navigate to the Services → VPN → IPsec page and add a new IPSEC1 instance.
  2. In the new window, configure accordingly:
    1. Enabled - ON.
    2. Remote endpoint - public IP address of the remote (Router 2) device. Only one side needs to have this configured.
    3. Pre shared key - ipsec123 (must match on both devices)

  3. Connection Settings → General Settings section:
    1. Type - Transport
    2. Bind to - GRE1 (GRE)

  4. Connection Settings → Advanced Settings section:
    1. Locally allowed protocols - gre
    2. Remotely allowed protocols - gre

  5. Proposal Settings can be configured to your preference, but must match on both devices.

Router 2 IPsec configuration


Router 2 configuration is identical to Router 1 configuration, except for:

2.2. Remote endpoint - you may leave empty or enter Router 1 WAN IP.

3.2. Bind to - GRE2 (GRE)

Testing GRE over IPsec

Connect to either device's CLI and run the ipsec status command. You should see that the IPsec tunnel via the GRE interface is established.

To test the kill switch functionality, run the ipsec stop command and then run ifconfig. The GRE interface should no longer be available until the IPsec connection comes back up.

After the GRE over IPsec connection is established, you should be able to reach all hosts in the remote LAN network, and vice versa.
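The two CLI checks from this section can be combined into one script that classifies the tunnel state from the text of ipsec status and ifconfig. This is an added example, not part of the original article or of RUTOS itself. The sample outputs are constructed in the format that strongSwan's ipsec status and BusyBox ifconfig print, and the connection name, the interface name gre4-GRE1 and the documentation-range addresses are assumptions.

```shell
#!/bin/sh
# Added example. Sample outputs are constructed; the connection name, the GRE
# interface name (gre4-GRE1) and the documentation-range addresses are assumptions.

# sa_ok STATUS: IKE SA established and child SA installed in transport mode
# with GRE-only selectors on both sides (printed as [gre] or [47]).
sa_ok() {
    printf '%s\n' "$1" | grep -q 'ESTABLISHED' || return 1
    printf '%s\n' "$1" | grep -q 'INSTALLED, TRANSPORT' || return 1
    printf '%s\n' "$1" | grep -Eq '\[(gre|47)\] === [^ ]+\[(gre|47)\]'
}

# gre_up IFCONFIG IFNAME: the named interface stanza exists and has the UP flag.
gre_up() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^[^ \t]/ { cur = $1 }
        cur == ifc && /(^|[ \t])UP([ \t]|$)/ { found = 1 }
        END { exit !found }'
}

# tunnel_state STATUS IFCONFIG IFNAME prints one of:
#   protected      SA up and GRE up (normal operation)
#   blocked        no SA and no GRE (kill switch held)
#   cleartext-gre  GRE up without a matching SA (kill switch failed)
#   sa-only        SA up but GRE interface missing
tunnel_state() {
    if sa_ok "$1"; then
        if gre_up "$2" "$3"; then echo protected; else echo sa-only; fi
    else
        if gre_up "$2" "$3"; then echo cleartext-gre; else echo blocked; fi
    fi
}

STATUS_UP='Security Associations (1 up, 0 connecting):
  IPSEC1[1]: ESTABLISHED 5 minutes ago, 198.51.100.1[198.51.100.1]...203.0.113.2[203.0.113.2]
  IPSEC1{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c0ffee01_i c0ffee02_o
  IPSEC1{1}:   198.51.100.1/32[gre] === 203.0.113.2/32[gre]'
STATUS_DOWN='Security Associations (0 up, 0 connecting):
  none'
IF_LAN='br-lan    Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
IF_GRE='gre4-GRE1 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00
          inet addr:10.0.0.1  P-t-P:10.0.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1'

# Normal operation, then the state after ipsec stop: prints protected, blocked.
tunnel_state "$STATUS_UP" "$IF_GRE
$IF_LAN" gre4-GRE1
tunnel_state "$STATUS_DOWN" "$IF_LAN" gre4-GRE1
```

On a router, pass the live output instead of the samples, for example tunnel_state "$(ipsec status)" "$(ifconfig)" followed by the GRE interface name that ifconfig shows. A result of cleartext-gre means the GRE interface stayed up without a transport-mode, GRE-only SA.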

Sometimes end devices might be unreachable even though the GRE over IPsec connection is successfully established. To resolve this, you may need to renew the DHCP lease of the end device or, if it has multiple network adapters, increase the metric priority of the default gateway associated with the RUT device.