GRE over IPsec
This is an example of GRE over an IPsec tunnel, using a static route over the GRE tunnel and tunnel mode in the phase2-interface settings.
To configure GRE over an IPsec tunnel:
- Enable subnet overlapping at both HQ1 and HQ2.
    config system settings
        set allow-subnet-overlap enable
    end
- Configure the WAN interface and static route.
- HQ1.
    config system interface
        edit "port1"
            set ip 172.16.200.1 255.255.255.0
        next
        edit "dmz"
            set ip 10.1.100.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 172.16.200.3
            set device "port1"
        next
    end
- HQ2.
    config system interface
        edit "port25"
            set ip 172.16.202.1 255.255.255.0
        next
        edit "port9"
            set ip 172.16.101.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 172.16.202.2
            set device "port25"
        next
    end
- Configure IPsec phase1-interface and phase2-interface.
- HQ1.
    config vpn ipsec phase1-interface
        edit "greipsec"
            set interface "port1"
            set peertype any
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 172.16.202.1
            set psksecret sample
        next
    end
    config vpn ipsec phase2-interface
        edit "greipsec"
            set phase1name "greipsec"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set protocol 47
        next
    end
- HQ2.
    config vpn ipsec phase1-interface
        edit "greipsec"
            set interface "port25"
            set peertype any
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 172.16.200.1
            set psksecret sample
        next
    end
    config vpn ipsec phase2-interface
        edit "greipsec"
            set phase1name "greipsec"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set protocol 47
        next
    end
- Configure IPsec tunnel interface IP address.
- HQ1.
    config system interface
        edit "greipsec"
            set ip 10.10.10.1 255.255.255.255
            set remote-ip 10.10.10.2 255.255.255.255
        next
    end
- HQ2.
    config system interface
        edit "greipsec"
            set ip 10.10.10.2 255.255.255.255
            set remote-ip 10.10.10.1 255.255.255.255
        next
    end
- Configure the GRE tunnel.
- HQ1.
    config system gre-tunnel
        edit "gre_to_HQ2"
            set interface "greipsec"
            set remote-gw 10.10.10.2
            set local-gw 10.10.10.1
        next
    end
- HQ2.
    config system gre-tunnel
        edit "gre_to_HQ1"
            set interface "greipsec"
            set remote-gw 10.10.10.1
            set local-gw 10.10.10.2
        next
    end
- Configure the firewall policy.
- HQ1.
    config firewall policy
        edit 1
            set srcintf "dmz"
            set dstintf "gre_to_HQ2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 2
            set srcintf "gre_to_HQ2"
            set dstintf "dmz"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 3
            set srcintf "greipsec"
            set dstintf "greipsec"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
- HQ2.
    config firewall policy
        edit 1
            set srcintf "port9"
            set dstintf "gre_to_HQ1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 2
            set srcintf "gre_to_HQ1"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 3
            set srcintf "greipsec"
            set dstintf "greipsec"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
- Configure the static route.
- HQ1.
    config router static
        edit 2
            set dst 172.16.101.0 255.255.255.0
            set device "gre_to_HQ2"
        next
    end
- HQ2.
    config router static
        edit 2
            set dst 10.1.100.0 255.255.255.0
            set device "gre_to_HQ1"
        next
    end
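Every address in this procedure is entered twice, once per site and mirrored, and a transposed value is the usual reason the IPsec tunnel comes up while GRE traffic never flows. The following Python script is an added example, not Fortinet code and not part of the original page. It parses FortiOS CLI text (the HQ1 and HQ2 configuration above, trimmed to the attributes the checks use; proposals, PSK and firewall policies are left out) and verifies that the two sides mirror each other: each phase1 remote-gw is the peer's WAN address, each phase2 is bound to its phase1 and restricted to protocol 47, the tunnel interface ip/remote-ip pair is swapped on the peer, the GRE tunnel's local-gw/remote-gw are the IPsec tunnel addresses, and the static route over the GRE tunnel targets a subnet the peer actually has. The function names, and the assumption that no configuration value equals a CLI keyword, are mine.

```python
"""Consistency check for a mirrored GRE-over-IPsec pair of FortiOS configs.
Added example, not Fortinet code; input is the page's HQ1/HQ2 CLI, trimmed."""
import ipaddress
import shlex

KEYWORDS = {"config", "edit", "set", "next", "end"}

# Page values, flattened one table per line (the parser accepts either form).
# Proposals, PSK and firewall policies are omitted: the checks do not use them.
HQ1_CFG = """
config system interface edit "port1" set ip 172.16.200.1 255.255.255.0 next edit "dmz" set ip 10.1.100.1 255.255.255.0 next edit "greipsec" set ip 10.10.10.1 255.255.255.255 set remote-ip 10.10.10.2 255.255.255.255 next end
config vpn ipsec phase1-interface edit "greipsec" set interface "port1" set remote-gw 172.16.202.1 next end
config vpn ipsec phase2-interface edit "greipsec" set phase1name "greipsec" set protocol 47 next end
config system gre-tunnel edit "gre_to_HQ2" set interface "greipsec" set remote-gw 10.10.10.2 set local-gw 10.10.10.1 next end
config router static edit 2 set dst 172.16.101.0 255.255.255.0 set device "gre_to_HQ2" next end
"""
HQ2_CFG = """
config system interface edit "port25" set ip 172.16.202.1 255.255.255.0 next edit "port9" set ip 172.16.101.1 255.255.255.0 next edit "greipsec" set ip 10.10.10.2 255.255.255.255 set remote-ip 10.10.10.1 255.255.255.255 next end
config vpn ipsec phase1-interface edit "greipsec" set interface "port25" set remote-gw 172.16.200.1 next end
config vpn ipsec phase2-interface edit "greipsec" set phase1name "greipsec" set protocol 47 next end
config system gre-tunnel edit "gre_to_HQ1" set interface "greipsec" set remote-gw 10.10.10.1 set local-gw 10.10.10.2 next end
config router static edit 2 set dst 10.1.100.0 255.255.255.0 set device "gre_to_HQ1" next end
"""


def parse_fortios(text):
    """Parse FortiOS CLI into {table: {entry: {attribute: [values]}}}.
    Works on indented or flattened text; assumes no value equals a keyword."""
    toks = shlex.split(text)
    tables, table, entry, i = {}, None, None, 0
    while i < len(toks):
        cmd, i = toks[i], i + 1
        args = []
        while i < len(toks) and toks[i] not in KEYWORDS:  # arguments up to the next keyword
            args.append(toks[i])
            i += 1
        if cmd == "config":
            table = " ".join(args)
            tables.setdefault(table, {})
        elif cmd == "edit":
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif cmd == "set":
            tables[table][entry][args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = None
    return tables


def net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def check_side(a, b, a_name, b_name):
    """Findings for side a, checked against its peer b (both parsed configs)."""
    out = []
    ifaces, peer_ifaces = a["system interface"], b["system interface"]
    for p1name, p1 in a["vpn ipsec phase1-interface"].items():
        # remote-gw must be the address of the interface the peer's phase1 binds to
        peer_wan_if = b["vpn ipsec phase1-interface"][p1name]["interface"][0]
        peer_wan = peer_ifaces[peer_wan_if]["ip"][0]
        if p1["remote-gw"][0] != peer_wan:
            out.append(f"{a_name}: phase1 {p1name} remote-gw {p1['remote-gw'][0]} is not {b_name} WAN {peer_wan}")
        # phase2 must bind to this phase1 and restrict the selector to GRE (IP protocol 47)
        p2 = [e for e in a["vpn ipsec phase2-interface"].values() if e["phase1name"][0] == p1name]
        if not p2 or p2[0].get("protocol", ["0"])[0] != "47":
            out.append(f"{a_name}: phase2 for {p1name} is not restricted to protocol 47")
        # the /32 tunnel addresses must be the peer's, swapped
        tun, peer_tun = ifaces[p1name], peer_ifaces[p1name]
        if tun["ip"][0] != peer_tun["remote-ip"][0] or tun["remote-ip"][0] != peer_tun["ip"][0]:
            out.append(f"{a_name}: tunnel interface {p1name} ip/remote-ip not mirrored on {b_name}")
    peer_nets = [net(*e["ip"]) for e in peer_ifaces.values() if "ip" in e]
    for gname, gre in a["system gre-tunnel"].items():
        # GRE rides on the IPsec interface and uses its tunnel addresses as endpoints
        tun = ifaces.get(gre["interface"][0], {})
        if gre["local-gw"] != tun.get("ip", [])[:1] or gre["remote-gw"] != tun.get("remote-ip", [])[:1]:
            out.append(f"{a_name}: gre-tunnel {gname} endpoints do not match interface {gre['interface'][0]}")
        # the static route over the GRE tunnel must target a subnet the peer really has
        for rid, r in a["router static"].items():
            if r.get("device") == [gname] and net(*r["dst"]) not in peer_nets:
                out.append(f"{a_name}: route {rid} dst {net(*r['dst'])} is not a {b_name} subnet")
    return out


def check_gre_over_ipsec(cfg_a, cfg_b, name_a="HQ1", name_b="HQ2"):
    """Parse both sides and return all findings; an empty list means consistent."""
    a, b = parse_fortios(cfg_a), parse_fortios(cfg_b)
    return check_side(a, b, name_a, name_b) + check_side(b, a, name_b, name_a)


if __name__ == "__main__":
    for line in check_gre_over_ipsec(HQ1_CFG, HQ2_CFG) or ["HQ1 and HQ2 mirror each other"]:
        print(line)
```

Run it against a `show` dump of each unit after the change window; a single finding names the side and the table to look at, which is faster than comparing two CLI listings by eye.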
To view the VPN tunnel list on HQ1:
    diagnose vpn tunnel list
    list all ipsec tunnel in vd 0
    ----
    name=greipsec ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
    bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/16 options[0010]=create_dev
    proxyid_num=1 child_num=0 refcnt=12 ilast=19 olast=861 ad=/0
    stat: rxp=347 txp=476 rxb=58296 txb=51408
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=8
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=greipsec proto=47 sa=1 ref=2 serial=2
      src: 47:0.0.0.0/0.0.0.0:0
      dst: 47:0.0.0.0/0.0.0.0:0
      SA: ref=3 options=10226 type=00 soft=0 mtu=1438 expire=41689/0B replaywin=2048 seqno=15c esn=0 replaywin_lastseq=0000015c itn=0
      life: type=01 bytes=0/0 timeout=42898/43200
      dec: spi=9897bd09 esp=aes key=16 5a60e67bf68379309715bd83931680bf ah=sha1 key=20 ff35a329056d0d506c0bfc17ef269978a4a57dd3
      enc: spi=e362f336 esp=aes key=16 5574acd8587c5751a88950e1bf8fbf57 ah=sha1 key=20 d57ec76ac3c543ac89b2e4d0545518aa2d06669b
      dec:pkts/bytes=347/37476, enc:pkts/bytes=347/58296
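The dump above carries the state worth checking after the configuration (the proto=47 selector, sa=1, the interface mtu, the replay window, the DPD mode, packet counters in both directions), but it also prints the live ESP and AH keys in clear, so it should be redacted before it is pasted into a ticket or sent to a vendor. The Python script below is an added example, not Fortinet code and not part of the original page. It parses the HQ1 output shown above (embedded as a constant), extracts those fields, derives the usable inner MTU under the assumption that GRE key and sequence options are off (as in the configuration above), flags the conditions that would explain a tunnel that is up but passes no GRE traffic, and masks the key material. The function names and field patterns are mine, written against the layout of this output.

```python
"""Parse and sanity-check `diagnose vpn tunnel list` output for a GRE-over-IPsec tunnel.
Added example, not Fortinet code; the sample is the page's HQ1 output."""
import re

DIAG = """\
list all ipsec tunnel in vd 0
----
name=greipsec ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/16 options[0010]=create_dev
proxyid_num=1 child_num=0 refcnt=12 ilast=19 olast=861 ad=/0
stat: rxp=347 txp=476 rxb=58296 txb=51408
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=8
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=greipsec proto=47 sa=1 ref=2 serial=2
  src: 47:0.0.0.0/0.0.0.0:0
  dst: 47:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=10226 type=00 soft=0 mtu=1438 expire=41689/0B replaywin=2048 seqno=15c esn=0 replaywin_lastseq=0000015c itn=0
  life: type=01 bytes=0/0 timeout=42898/43200
  dec: spi=9897bd09 esp=aes key=16 5a60e67bf68379309715bd83931680bf ah=sha1 key=20 ff35a329056d0d506c0bfc17ef269978a4a57dd3
  enc: spi=e362f336 esp=aes key=16 5574acd8587c5751a88950e1bf8fbf57 ah=sha1 key=20 d57ec76ac3c543ac89b2e4d0545518aa2d06669b
  dec:pkts/bytes=347/37476, enc:pkts/bytes=347/58296
"""

# Each field gets its own pattern because names such as mode= and serial=
# occur several times per tunnel with different meanings.
FIELDS = {
    "proto": r"\bproto=(\d+)",
    "sa": r"\bsa=(\d+)",
    "mtu": r"\bmtu=(\d+)",
    "replaywin": r"\breplaywin=(\d+)",
    "dpd": r"\bdpd: mode=(\S+)",
    "natt": r"\bnatt: mode=(\S+)",
    "esp": r"\benc: spi=\S+ esp=(\S+)",
    "rxp": r"\brxp=(\d+)",
    "txp": r"\btxp=(\d+)",
}


def parse_tunnel_list(text):
    """Return one dict per tunnel block (blocks are separated by a dashed line)."""
    tunnels = []
    for block in re.split(r"^-{4,}\s*$", text, flags=re.M)[1:]:
        head = re.search(r"name=(\S+).*?(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+", block)
        if not head:
            continue
        t = {"name": head.group(1), "local": head.group(2), "remote": head.group(3)}
        for field, pattern in FIELDS.items():
            m = re.search(pattern, block)
            t[field] = m.group(1) if m else None
        tunnels.append(t)
    return tunnels


def inner_mtu(t):
    """Largest IP packet that fits through the GRE tunnel: the IPsec interface
    MTU minus the GRE delivery header (20-byte IPv4 + 4-byte GRE, no options).
    Assumption: GRE key/sequence options are off, as in the page's configuration."""
    return int(t["mtu"]) - 24


def check_gre_tunnel(t, expected_peer):
    """Findings a practitioner wants before declaring the tunnel healthy."""
    findings = []
    if t["remote"] != expected_peer:
        findings.append(f"{t['name']}: peer is {t['remote']}, expected {expected_peer}")
    if t["sa"] in (None, "0"):
        findings.append(f"{t['name']}: no active phase2 SA")
    if t["proto"] != "47":
        findings.append(f"{t['name']}: selector proto={t['proto']}, expected 47 (GRE only)")
    if t["replaywin"] in (None, "0"):
        findings.append(f"{t['name']}: anti-replay window is off")
    if t["dpd"] not in ("on-demand", "on-idle"):
        findings.append(f"{t['name']}: dpd mode={t['dpd']} (neither on-demand nor on-idle)")
    if t["rxp"] == "0" or t["txp"] == "0":
        findings.append(f"{t['name']}: no traffic in one direction (rxp={t['rxp']} txp={t['txp']})")
    return findings


def redact_keys(text):
    """Blank the raw ESP/AH key material the dump prints in clear, so the
    output can be attached to a ticket or shared with a vendor."""
    return re.sub(r"(\bkey=\d+) [0-9a-fA-F]+", r"\1 <redacted>", text)


if __name__ == "__main__":
    for tun in parse_tunnel_list(DIAG):
        print(tun["name"], "inner MTU", inner_mtu(tun), check_gre_tunnel(tun, "172.16.202.1") or "OK")
    print(redact_keys(DIAG))
```

The inner MTU figure is the one to give to hosts behind the tunnel, or to use when clearing the DF bit or clamping TCP MSS on the GRE interface, since fragmentation inside GRE over IPsec is a common cause of "ping works, large transfers stall".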
To view the static routing table on HQ1:
    get router info routing-table static
    Routing table for VRF=0
    S*      0.0.0.0/0 [10/0] via 172.16.200.3, port1
    S       172.16.101.0/24 [10/0] is directly connected, gre_to_HQ2