Setting up a GRE over IPsec tunnel between RUTOS and MikroTik device

From Teltonika Networks Wiki
Revision as of 16:48, 13 December 2021 by Gytispieze


Introduction

This article provides a configuration example with details on how to configure a GRE over IPsec connection between MikroTik and RUTOS devices.

The information in this page is updated in accordance with the R_00.07.01 firmware version.


If you're having trouble finding this page or some of the parameters described here on your device's WebUI, you should turn on "Advanced WebUI" mode. You can do that by clicking the "Advanced" button, located at the top of the WebUI.


Prerequisites

  • Teltonika router/gateway with RUTOS support.
  • MikroTik device.
  • Both devices must have WAN access with a static public IP.
  • At least one end device (PC, Laptop) to configure the routers.

Configuration scheme

[Figure: configuration scheme]

RUTOS device configuration

  1. Log in to the router's WebUI and navigate to the Services → VPN → GRE page.
  2. Add a new GRE instance by entering a custom New configuration name and clicking the Add button.


  3. A configuration window should appear. Configure the GRE instance accordingly:
    1. Enabled - ON
    2. Tunnel source - select the network interface with the public IP that is used to establish the GRE tunnel
    3. Remote endpoint IP address - public IP address of the MikroTik device
    4. MTU - 1476
    5. Keep alive - ON
    6. Local GRE interface IP address - 10.0.0.1
    7. Local GRE interface IP netmask - 255.255.255.0
    8. Remote subnet IP address - 192.168.88.0
    9. Remote subnet netmask - 255.255.255.0


  4. Navigate to Services → VPN → IPsec and create a new instance.
  5. A configuration window should appear. Configure the IPsec instance accordingly:
    1. Enabled - ON
    2. Remote endpoint - 192.168.1.138
    3. Pre shared key - ipsec123 (example value; in a real deployment use a long, randomly generated key)
    4. Type - Transport
    5. Bind to - GRE1 (GRE)


  6. In the same configuration window, navigate to Connection Settings → Advanced Settings:
    1. Locally allowed protocol - gre
    2. Remotely allowed protocol - gre


  7. The Proposal Settings must match the values configured on the MikroTik device.

[Screenshot: RUTOS IPsec proposal settings]

MikroTik configuration

  1. First, create a GRE tunnel with a PSK; this automatically generates an IPsec instance as well. To create the GRE interface, open WebFig on your MikroTik device, navigate to Interfaces → GRE Tunnel and click the Add New button.
  2. Configure the instance accordingly:
    1. Name - gre-tunnel1
    2. MTU - 1476
    3. Local Address - public IP of the MikroTik device
    4. Remote address - public IP of the RUTOS device
    5. IPsec secret - ipsec123 (the same value as the Pre shared key on the RUTOS device)


  3. Navigate to WebFig → IP → IPsec and configure Proposals and Profiles to match the proposal settings configured on the RUTOS device.

[Screenshots: MikroTik IPsec Proposals and Profiles]

  4. Navigate to WebFig → IP → Addresses and add an IP address to the GRE interface by clicking Add New:
    1. Address - 10.0.0.2/24
    2. Network - 10.0.0.0
    3. Interface - gre-tunnel1


  5. Finally, navigate to WebFig → IP → Routes and add a static route via the GRE interface by clicking Add New:

[Screenshot: MikroTik static route via the GRE interface]

Testing configuration

Connect to the RUTOS CLI and run the command ipsec status; you should see that the IPsec tunnel via the GRE interface is established.

[Screenshot: ipsec status output on the RUTOS CLI]

You should be able to reach the remote device's GRE tunnel IP and LAN IP, and vice versa. RUTOS CLI:

[Screenshots: ping tests from the RUTOS CLI]

MikroTik terminal:

[Screenshot: ping test from the MikroTik terminal]
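
GRE itself provides no encryption, so a successful ping across the tunnel does not show that IPsec is protecting it; the ipsec status check is what confirms that. The shell function below is an added example, not part of the original article: it reads ipsec status text and checks for an established IKE SA, a transport-mode child SA, and gre-only traffic selectors, matching the Type and allowed-protocol settings above. It assumes strongSwan-style status output; the connection name gre1, the addresses and the SPIs in the samples are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes strongSwan-style
# `ipsec status` text. On the router: ipsec status | check_gre_ipsec

check_gre_ipsec() {
    sa_text=$(cat)   # whole `ipsec status` output from stdin
    rc=0

    # 1. The IKE SA with the peer must be up.
    printf '%s\n' "$sa_text" | grep -q 'ESTABLISHED' \
        || { echo "FAIL: no ESTABLISHED IKE SA"; rc=1; }

    # 2. The child SA must be installed in transport mode (Type - Transport).
    printf '%s\n' "$sa_text" | grep 'INSTALLED' | grep -q 'TRANSPORT' \
        || { echo "FAIL: no INSTALLED child SA in TRANSPORT mode"; rc=1; }

    # 3. Both traffic selectors must be restricted to protocol gre
    #    (Locally/Remotely allowed protocol - gre).
    printf '%s\n' "$sa_text" | grep -Eq '\[gre\] === .*\[gre\]' \
        || { echo "FAIL: traffic selectors are not [gre] on both sides"; rc=1; }

    if [ "$rc" -eq 0 ]; then
        echo "OK: GRE is carried inside an IPsec transport-mode SA"
    fi
    return "$rc"
}

# Constructed sample outputs (documentation addresses, made-up SPIs and the
# hypothetical connection name "gre1").
SAMPLE_OK='Security Associations (1 up, 0 connecting):
        gre1[1]: ESTABLISHED 2 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
        gre1{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c0ffee01_i c0ffee02_o
        gre1{1}:   203.0.113.10/32[gre] === 198.51.100.20/32[gre]'
SAMPLE_DOWN='Security Associations (0 up, 0 connecting):
  none'

printf '%s\n' "$SAMPLE_OK" | check_gre_ipsec              # prints the OK line
printf '%s\n' "$SAMPLE_DOWN" | check_gre_ipsec || true    # prints three FAIL lines
```

A non-zero exit status means at least one check failed, so the function can gate a monitoring or provisioning script.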