9,567
edits
Changes
Setting up a GRE over IPsec tunnel between RUTOS and MikroTik device (view source)
Revision as of 17:45, 13 December 2021
, 17:45, 13 December 2021Created page with "__TOC__ ==Introduction== This article provides a configuration example with details on how to configure a GRE over IPsec connection between MikroTik and RUTOS devices. <spa..."
__TOC__
==Introduction==
This article provides a configuration example with details on how to configure a GRE over IPsec connection between MikroTik and RUTOS devices.
<span style="color: red;">The information in this page is updated in accordance with the <i><b>R_00.07.01</b></i> firmware version.</span>
----
{{Template:Networking_rutos_manual_basic_advanced_webui_disclaimer
| series = RUTX
}}
==Prerequisites==
* Teltonika device with RUTOS support.
* MikroTik device.
* Both devices must have WAN access with a static public IP.
* At least one end device (PC, Laptop) to configure the routers.
==Configuration scheme==
[[File:Networking_rutos_configuration_example_gre_ipsec_mikrotik_configuration_scheme_v1.jpg|border|class=tlt-border]]
==RUTOS device configuration==
# Login to the router's WebUI, navigate to the '''Services → VPN → GRE''' page.
# Add a new GRE instance by entering custom <b>New configuration name</b> and clicking <b>Add</b> button.
[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_device_gre_1_v1.jpg|border|class=tlt-border]]
<ol start="3">
<li>A configuration window should appear. Configure the GRE instance accordingly:</li>
<ol>
<li><b>Enabled</b> - ON.</li>
<li><b>Tunnel source</b> - select the network interface with Public IP which is used to establish GRE tunnel.</li>
<li><b>Remote endpoint IP address</b> - Public IP address of MikroTik device.</li>
<li><b>MTU</b> - 1476</li>
<li><b>Keep alive</b> - ON</li>
<li><b>Local GRE interface IP address</b> - 10.0.0.1</li>
<li><b>Local GRE interface IP netmask</b> - 255.255.255.0</li>
<li><b>Remote subnet IP address</b> - 192.168.88.0</li>
<li><b>Remote subnet netmask</b> - 255.255.255.0</li>
</ol>
</ol>
[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_device_gre_2_v1.jpg|border|class=tlt-border]]
<ol start="4">
<li>Navigate to '''Services → VPN → IPsec''' and create a new instance.</li>
<li>A configuration window should appear. Configure the IPsec instance accordingly:</li>
<ol>
<li><b>Enabled</b> - ON</li>
<li><b>Remote endpoint</b> - 192.168.1.138</li>
<li><b>Pre shared key</b> - ipsec123</li>
<li><b>Type</b> - Transport.</li>
<li><b>Bind to</b> - GRE1 (GRE).</li>
</ol>
</ol>
[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_device_ipsec_1_v1.jpg|border|class=tlt-border]]
<ol start="6">
<li>In the same configuration window, navigate to '''Connection Settings → Advanced Settings''':</li>
<ol>
<li><b>Locally allowed protocol</b> - gre</li>
<li><b>Remotely allowed protocol</b> - gre</li>
</ol>
</ol>
[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_device_ipsec_2_v1.jpg|border|class=tlt-border]]
<ol start="7">
<li><b>Proposal Settings</b> must match values configured on MikroTik device.</li>
</ol>
[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_device_ipsec_3_v1.jpg|border|class=tlt-border]]
==MikroTik configuration==
<ol>
<li>First we'll create GRE tunnel with PSK which will automatically generate IPsec instance as well. To create GRE interface access WebFig of your MikroTik device and navigate to '''Interfaces → GRE Tunnel''' and click on Add New button.</li>
<li>Configure the instance accordingly:</li>
<ol>
<li><b>Name</b> - gre-tunnel1</li>
<li><b>MTU</b> - 1476</li>
<li><b>Local Address</b> - Public IP of MikroTik device</li>
<li><b>Remote address</b> - Public IP of RUTOS device</li>
<li><b>IPsec secret</b> - ipsec123</li>
</ol>
</ol>
[[File:Networking_rutos_configuration_example_gre_ipsec_mikrotik_device_gre_1_v1.jpg|border|class=tlt-border]]
<ol start="3">
<li>Navigate to '''WebFig → IP → IPsec''' and configure '''Proposals''' and '''Profiles''' to match proposal settings configured on RUTOS device.</li>
</ol>
[[File:Networking_rutos_configuration_example_gre_ipsec_mikrotik_device_ipsec_2_v1.jpg|border|class=tlt-border]]
[[File:Networking_rutos_configuration_example_gre_ipsec_mikrotik_device_ipsec_1_v1.jpg|border|class=tlt-border]]
<ol start="4">
<li>Navigate to '''WebFig → IP → Addresses''' and add an IP address to GRE interface by clicking '''Add New''':</li>
<ol>
<li><b>Address</b> - 10.0.0.2/24</li>
<li><b>Network</b> - 10.0.0.0</li>
<li><b>Interface</b> - gre-tunnel1</li>
</ol>
</ol>
[[File:Networking_rutos_configuration_example_gre_ipsec_mikrotik_device_gre_2_v1.jpg|border|class=tlt-border]]
<ol start="5">
<li>Finally, navigate to '''WebFig → IP → Routes''' and add a static route via GRE interface by clicking '''Add New''':</li>
</ol>
[[File:Networking_rutos_configuration_example_gre_ipsec_mikrotik_device_gre_3_v1.jpg|border|class=tlt-border]]
==Testing configuration==
Connect to RUTOS CLI and use command '''ipsec status''', you should see IPsec tunnel via GRE interface being established.
[[File:Networking_rutos_configuration_example_gre_ipsec_testing_configuration_1_v1.jpg|border|class=tlt-border]]
You should be able to reach the remote device's GRE tunnel IP and LAN IP and vice-versa. RUTOS CLI:
[[File:Networking_rutos_configuration_example_gre_ipsec_testing_configuration_2_v1.jpg|border|class=tlt-border]][[File:Networking_rutos_configuration_example_gre_ipsec_testing_configuration_3_v1.jpg|border|class=tlt-border]]
MikroTik terminal:
[[File:Networking_rutos_configuration_example_gre_ipsec_testing_configuration_4_v1.jpg|border|class=tlt-border]]
==Introduction==
This article provides a configuration example with details on how to configure a GRE over IPsec connection between MikroTik and RUTOS devices.
<span style="color: red;">The information in this page is updated in accordance with the <i><b>R_00.07.01</b></i> firmware version.</span>
----
{{Template:Networking_rutos_manual_basic_advanced_webui_disclaimer
| series = RUTX
}}
==Prerequisites==
* Teltonika device with RUTOS support.
* MikroTik device.
* Both devices must have WAN access with a static public IP.
* At least one end device (PC, Laptop) to configure the routers.
==Configuration scheme==
[[File:Networking_rutos_configuration_example_gre_ipsec_mikrotik_configuration_scheme_v1.jpg|border|class=tlt-border]]
==RUTOS device configuration==
# Login to the router's WebUI, navigate to the '''Services → VPN → GRE''' page.
# Add a new GRE instance by entering custom <b>New configuration name</b> and clicking <b>Add</b> button.
[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_device_gre_1_v1.jpg|border|class=tlt-border]]
<ol start="3">
<li>A configuration window should appear. Configure the GRE instance accordingly:</li>
<ol>
<li><b>Enabled</b> - ON.</li>
<li><b>Tunnel source</b> - select the network interface with Public IP which is used to establish GRE tunnel.</li>
<li><b>Remote endpoint IP address</b> - Public IP address of MikroTik device.</li>
<li><b>MTU</b> - 1476</li>
<li><b>Keep alive</b> - ON</li>
<li><b>Local GRE interface IP address</b> - 10.0.0.1</li>
<li><b>Local GRE interface IP netmask</b> - 255.255.255.0</li>
<li><b>Remote subnet IP address</b> - 192.168.88.0</li>
<li><b>Remote subnet netmask</b> - 255.255.255.0</li>
</ol>
</ol>
[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_device_gre_2_v1.jpg|border|class=tlt-border]]
<ol start="4">
<li>Navigate to '''Services → VPN → IPsec''' and create a new instance.</li>
<li>A configuration window should appear. Configure the IPsec instance accordingly:</li>
<ol>
<li><b>Enabled</b> - ON</li>
<li><b>Remote endpoint</b> - 192.168.1.138</li>
<li><b>Pre shared key</b> - ipsec123</li>
<li><b>Type</b> - Transport.</li>
<li><b>Bind to</b> - GRE1 (GRE).</li>
</ol>
</ol>
[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_device_ipsec_1_v1.jpg|border|class=tlt-border]]
<ol start="6">
<li>In the same configuration window, navigate to '''Connection Settings → Advanced Settings''':</li>
<ol>
<li><b>Locally allowed protocol</b> - gre</li>
<li><b>Remotely allowed protocol</b> - gre</li>
</ol>
</ol>
[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_device_ipsec_2_v1.jpg|border|class=tlt-border]]
<ol start="7">
<li><b>Proposal Settings</b> must match values configured on MikroTik device.</li>
</ol>
[[File:Networking_rutos_configuration_example_gre_ipsec_rutos_device_ipsec_3_v1.jpg|border|class=tlt-border]]
==MikroTik configuration==
<ol>
<li>First we'll create GRE tunnel with PSK which will automatically generate IPsec instance as well. To create GRE interface access WebFig of your MikroTik device and navigate to '''Interfaces → GRE Tunnel''' and click on Add New button.</li>
<li>Configure the instance accordingly:</li>
<ol>
<li><b>Name</b> - gre-tunnel1</li>
<li><b>MTU</b> - 1476</li>
<li><b>Local Address</b> - Public IP of MikroTik device</li>
<li><b>Remote address</b> - Public IP of RUTOS device</li>
<li><b>IPsec secret</b> - ipsec123</li>
</ol>
</ol>
[[File:Networking_rutos_configuration_example_gre_ipsec_mikrotik_device_gre_1_v1.jpg|border|class=tlt-border]]
<ol start="3">
<li>Navigate to '''WebFig → IP → IPsec''' and configure '''Proposals''' and '''Profiles''' to match proposal settings configured on RUTOS device.</li>
</ol>
[[File:Networking_rutos_configuration_example_gre_ipsec_mikrotik_device_ipsec_2_v1.jpg|border|class=tlt-border]]
[[File:Networking_rutos_configuration_example_gre_ipsec_mikrotik_device_ipsec_1_v1.jpg|border|class=tlt-border]]
<ol start="4">
<li>Navigate to '''WebFig → IP → Addresses''' and add an IP address to GRE interface by clicking '''Add New''':</li>
<ol>
<li><b>Address</b> - 10.0.0.2/24</li>
<li><b>Network</b> - 10.0.0.0</li>
<li><b>Interface</b> - gre-tunnel1</li>
</ol>
</ol>
[[File:Networking_rutos_configuration_example_gre_ipsec_mikrotik_device_gre_2_v1.jpg|border|class=tlt-border]]
<ol start="5">
<li>Finally, navigate to '''WebFig → IP → Routes''' and add a static route via GRE interface by clicking '''Add New''':</li>
</ol>
[[File:Networking_rutos_configuration_example_gre_ipsec_mikrotik_device_gre_3_v1.jpg|border|class=tlt-border]]
==Testing configuration==
Connect to RUTOS CLI and use command '''ipsec status''', you should see IPsec tunnel via GRE interface being established.
[[File:Networking_rutos_configuration_example_gre_ipsec_testing_configuration_1_v1.jpg|border|class=tlt-border]]
You should be able to reach the remote device's GRE tunnel IP and LAN IP and vice-versa. RUTOS CLI:
[[File:Networking_rutos_configuration_example_gre_ipsec_testing_configuration_2_v1.jpg|border|class=tlt-border]][[File:Networking_rutos_configuration_example_gre_ipsec_testing_configuration_3_v1.jpg|border|class=tlt-border]]
MikroTik terminal:
[[File:Networking_rutos_configuration_example_gre_ipsec_testing_configuration_4_v1.jpg|border|class=tlt-border]]
