__TOC__

==Introduction==

This article provides a configuration example with details on how to configure a GRE over IPsec connection between two RUTOS devices.

<span style="color: red;">The information in this page is updated in accordance with the <i><b>R_00.07.01</b></i> firmware version.</span>

----

{{Template:Networking_rutos_manual_basic_advanced_webui_disclaimer
| series = RUTX
}}

==Prerequisites==

* Two Teltonika devices with RUTOS support.
* Both devices must have WAN access with a static public IP.
* At least one end device (PC, Laptop) to configure the routers.

==Configuration scheme==

[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_configuration_scheme_v1.jpg|border|class=tlt-border]]

==GRE tunnel configuration==

First we will establish a GRE tunnel between our devices.

===Router 1 GRE configuration===
----
# Log in to the <i>Router 1</i> device's WebUI and navigate to the '''Services → VPN → GRE''' page.
# Add a new <i>GRE1</i> instance by entering a custom <b>New configuration name</b> and clicking the <b>Add</b> button.

[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_device_gre_1_v1.jpg|border|class=tlt-border]]

<ol start="3">
<li>A configuration window should appear. Configure the GRE instance accordingly:</li>
<ol>
<li><b>Enabled</b> - ON.</li>
<li><b>Tunnel source</b> - select the network interface with the public IP that is used to establish the GRE tunnel.</li>
<li><b>Remote endpoint IP address</b> - public IP address of the remote (<i>Router 2</i>) device.</li>
<li><b>MTU</b> - 1476</li>
<li><b>Outbound key</b> - 12345 (must match other device's Inbound key)</li>
<li><b>Inbound key</b> - 12345 (must match other device's Outbound key)</li>
<li><b>Keep alive</b> - ON</li>
<li><b>Local GRE interface IP address</b> - 10.0.0.2</li>
<li><b>Local GRE interface IP netmask</b> - 255.255.255.0</li>
<li><b>Remote subnet IP address</b> - 192.168.2.0</li>
<li><b>Remote subnet netmask</b> - 255.255.255.0</li>
</ol>
</ol>

[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_device1_gre_2_v1.jpg|border|class=tlt-border]]

===Router 2 GRE configuration===
----
Router 2 configuration is very similar, except for the IP addresses. Create a new <i>GRE2</i> instance and configure it accordingly:
<ol>
<li><b>Enabled</b> - ON.</li>
<li><b>Tunnel source</b> - select the network interface with the public IP that is used to establish the GRE tunnel.</li>
<li><b>Remote endpoint IP address</b> - public IP address of the remote (<i>Router 1</i>) device.</li>
<li><b>MTU</b> - 1476</li>
<li><b>Outbound key</b> - 12345 (must match other device's Inbound key)</li>
<li><b>Inbound key</b> - 12345 (must match other device's Outbound key)</li>
<li><b>Keep alive</b> - ON</li>
<li><b>Local GRE interface IP address</b> - 10.0.0.1</li>
<li><b>Local GRE interface IP netmask</b> - 255.255.255.0</li>
<li><b>Remote subnet IP address</b> - 192.168.4.0</li>
<li><b>Remote subnet netmask</b> - 255.255.255.0</li>
</ol>

[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_device2_gre_2_v1.jpg|border|class=tlt-border]]

==Testing GRE tunnel==

Connect to either device's CLI and run the '''ifconfig''' command. The local GRE interface should be up:

[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_testing_gre_1_v1.jpg|border|class=tlt-border]]

The remote GRE tunnel IP and the remote LAN IP should be reachable:

[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_testing_gre_2_v1.jpg|border|class=tlt-border]][[File:Networking_rutos_configuration_example_gre_ipsec_rutos_testing_gre_3_v1.jpg|border|class=tlt-border]]

==IPsec configuration==

Now we will set up an IPsec connection between our devices to encrypt all data going through the GRE tunnel. This configuration also works as a kill switch, as it automatically disables the GRE tunnel if the IPsec connection goes down.

===Router 1 IPsec configuration===
----
<ol>
<li>Navigate to the '''Services → VPN → IPsec''' page and add a new <i>IPSEC1</i> instance.</li>
<li>In the new window, configure accordingly:</li>
<ol>
<li><b>Enabled</b> - ON.</li>
<li><b>Remote endpoint</b> - public IP address of the remote (<i>Router 2</i>) device. Only one side needs to have this configured.</li>
<li><b>Pre shared key</b> - ipsec123 (must match on both devices)</li>
</ol>
</ol>

[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_device1_ipsec_1_v1.jpg|border|class=tlt-border]]

<ol start="3">
<li><b>Connection Settings → General Settings</b> section:</li>
<ol>
<li><b>Type</b> - Transport</li>
<li><b>Bind to</b> - GRE1 (GRE)</li>
</ol>
</ol>

[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_device1_ipsec_2_v1.jpg|border|class=tlt-border]]

<ol start="4">
<li><b>Connection Settings → Advanced Settings</b> section:</li>
<ol>
<li><b>Locally allowed protocols</b> - gre</li>
<li><b>Remotely allowed protocols</b> - gre</li>
</ol>
</ol>

[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_device_ipsec_2_v1.jpg|border|class=tlt-border]]

<ol start="5">
<li><b>Proposal Settings</b> can be configured as desired, but must match on both devices.</li>
</ol>

===Router 2 IPsec configuration===
----
Router 2 configuration is identical to the Router 1 configuration, except for:

3.2. <b>Bind to</b> - GRE2 (GRE)
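
The matching rules stated in the GRE and IPsec sections above (each outbound key against the peer's inbound key, the remote subnet against the peer's LAN, identical pre-shared key and proposals, transport mode bound to the local GRE instance with gre-only allowed protocols) are easy to get wrong when the two WebUIs are filled in separately. The following Python script is an added example and is not RUTOS or Teltonika code: it models the WebUI fields as plain dataclasses and checks both routers' values against each other. The public IPs (203.0.113.1 and 198.51.100.1), the LAN ranges (inferred from the article's remote subnet fields) and the proposal string are constructed assumptions; the remaining values are the article's.

```python
"""Cross-check a GRE-over-IPsec router pair for the mismatches the article
warns about.  Added example, not RUTOS or Teltonika code: WebUI fields are
modelled as dataclasses; public IPs, LANs and the proposal are placeholders."""
from dataclasses import dataclass
from ipaddress import ip_interface, ip_network
from typing import List, Optional, Tuple


@dataclass
class GreInstance:
    name: str
    remote_endpoint: str   # "Remote endpoint IP address" field
    mtu: int
    outbound_key: int
    inbound_key: int
    keepalive: bool
    local_ip: str          # "Local GRE interface IP address"
    local_netmask: str
    remote_subnet: str     # "Remote subnet IP address"
    remote_netmask: str


@dataclass
class IpsecInstance:
    remote_endpoint: Optional[str]   # may be left empty on one side
    psk: str
    conn_type: str                   # "Transport" in this article
    bind_to: str                     # name of the GRE instance
    local_protocols: str
    remote_protocols: str
    proposal: str                    # free choice, but identical on both sides


@dataclass
class Router:
    name: str
    public_ip: str   # WAN address (constructed placeholders below)
    lan: str         # LAN network in CIDR form (inferred from the peer's remote subnet)
    gre: GreInstance
    ipsec: IpsecInstance


def check_pair(a: Router, b: Router) -> List[str]:
    """Return human-readable problems; an empty list means the pair is consistent."""
    problems: List[str] = []
    for x, y in ((a, b), (b, a)):
        g, s = x.gre, x.ipsec
        # GRE: endpoint and remote subnet must point at the peer, keys are crossed
        if g.remote_endpoint != y.public_ip:
            problems.append(f"{x.name}: GRE remote endpoint {g.remote_endpoint} "
                            f"is not {y.name}'s public IP {y.public_ip}")
        if g.outbound_key != y.gre.inbound_key:
            problems.append(f"{x.name}: outbound key {g.outbound_key} != "
                            f"{y.name} inbound key {y.gre.inbound_key}")
        if ip_network(f"{g.remote_subnet}/{g.remote_netmask}") != ip_network(y.lan):
            problems.append(f"{x.name}: remote subnet does not match {y.name}'s LAN {y.lan}")
        if not g.keepalive:
            problems.append(f"{x.name}: keep alive is off")
        # IPsec: bound to the local GRE instance, transport mode, gre-only selectors
        if s.bind_to != g.name:
            problems.append(f"{x.name}: IPsec bound to {s.bind_to}, GRE instance is {g.name}")
        if s.conn_type != "Transport":
            problems.append(f"{x.name}: IPsec type is {s.conn_type}, expected Transport")
        if (s.local_protocols, s.remote_protocols) != ("gre", "gre"):
            problems.append(f"{x.name}: locally/remotely allowed protocols must both be gre")
        if s.remote_endpoint and s.remote_endpoint != y.public_ip:
            problems.append(f"{x.name}: IPsec remote endpoint is not {y.name}'s public IP")
    # Requirements that are symmetric between the two devices
    la = ip_interface(f"{a.gre.local_ip}/{a.gre.local_netmask}")
    lb = ip_interface(f"{b.gre.local_ip}/{b.gre.local_netmask}")
    if la.network != lb.network or la.ip == lb.ip:
        problems.append("GRE interface addresses must be distinct hosts of one subnet")
    if a.gre.mtu != b.gre.mtu:
        problems.append("GRE MTU differs between routers")
    if a.ipsec.psk != b.ipsec.psk:
        problems.append("IPsec pre-shared keys differ")
    if a.ipsec.proposal != b.ipsec.proposal:
        problems.append("IPsec proposals differ")
    if not (a.ipsec.remote_endpoint or b.ipsec.remote_endpoint):
        problems.append("at least one side must set the IPsec remote endpoint")
    return problems


def article_pair() -> Tuple[Router, Router]:
    """Both routers as configured in the article (placeholders marked)."""
    r1_ip, r2_ip = "203.0.113.1", "198.51.100.1"   # constructed TEST-NET addresses
    proposal = "EXAMPLE-PROPOSAL"                    # placeholder; only has to match
    r1 = Router("Router 1", r1_ip, "192.168.4.0/24",
                GreInstance("GRE1", r2_ip, 1476, 12345, 12345, True,
                            "10.0.0.2", "255.255.255.0", "192.168.2.0", "255.255.255.0"),
                IpsecInstance(r2_ip, "ipsec123", "Transport", "GRE1", "gre", "gre", proposal))
    r2 = Router("Router 2", r2_ip, "192.168.2.0/24",
                GreInstance("GRE2", r1_ip, 1476, 12345, 12345, True,
                            "10.0.0.1", "255.255.255.0", "192.168.4.0", "255.255.255.0"),
                IpsecInstance(None, "ipsec123", "Transport", "GRE2", "gre", "gre", proposal))
    return r1, r2


if __name__ == "__main__":
    r1, r2 = article_pair()
    print("article pair:", check_pair(r1, r2) or "consistent")
    r2.gre.inbound_key = 54321   # a typical slip: keys entered but not crossed
    for p in check_pair(r1, r2):
        print("problem:", p)
```

Running the script reports the article's configuration as consistent and then, after deliberately changing Router 2's inbound key, flags that Router 1's outbound key no longer matches it, which is the kind of mismatch that leaves the GRE tunnel silently down.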

==Testing GRE over IPsec==

Connect to either device's CLI and run the '''ipsec status''' command. You should see that the IPsec tunnel via the GRE interface is established.

[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_testing_configuration_1_v1.jpg|border|class=tlt-border]]

To test the kill switch functionality, run the '''ipsec stop''' command and then run '''ifconfig'''. The GRE interface should no longer be available until the IPsec connection comes back up.

After the GRE over IPsec connection is established, you should be able to reach all hosts in the remote LAN network and vice versa.

Sometimes end devices might be unreachable even though the GRE over IPsec connection is successfully established. To resolve this, it might be necessary to '''renew the DHCP lease''' of the end device or, if it has multiple network adapters, to '''increase the metric priority''' of the default gateway associated with the RUT device.
