====== gre_ipsec ======

{{gre_ipsec.odt|Original file}}

**GRE tunnel with IPSec protection in NETSHe**

**HOW TO**

© 2018 NETSHe Lab Ltd

====== Setup GRE tunnel at device ======

Go to the "Network→Interfaces" menu, scroll to the "Add interface" box, enter a GRE tunnel name (e.g. "tungre0"; the first part, "tungre", is mandatory) and press the "New" button.

{{настройка_gre_туннеля_с_ipsec_защитой_Image_0.png?642}}

The tunnel interface page will open.

{{настройка_gre_туннеля_с_ipsec_защитой_Image_1.png?642}}

Specify the zone for the tunnel ("Lan" in most cases), the outgoing interface, the remote side address (a DNS name is not allowed here), the type of tunnel, the local tunnel address and netmask, and the key for the GRE tunnel, as shown above.

Press the "Save" button, then return to the same page and switch to the "Routes through interface" tab.

{{настройка_gre_туннеля_с_ipsec_защитой_Image_2.png?642}}

Press the "Plus" icon and specify the route to the remote network that shall be reachable through this tunnel.

{{настройка_gre_туннеля_с_ipsec_защитой_Image_3.png?642}}

{{настройка_gre_туннеля_с_ipsec_защитой_Image_4.png?642}}

Configuration of the GRE tunnel is complete. Configure the GRE tunnel on the remote device accordingly (the local netmask must be the same; the local address must be different but from the same network; the remote address must point to the configured device; the route must point to reliable network).

====== IPSec protection for GRE tunnel ======

The IPSec configuration stage is similar to other IPSec setups, except for the local network value.

Go to the "Network→Interfaces" menu, scroll to the "Add interface" box, enter an IPSec tunnel name (e.g. "tunipsec0"; the first part, "tunipsec", is mandatory) and press the "New" button. You will be redirected to the IPSec tunnel configuration page.
Specify the outgoing interface for the IPSec tunnel (must be the same as for the configured GRE tunnel), specify the remote side address (must be the same as for the configured GRE tunnel), enter "gre" as "local network to route through tunnel", do not fill in "remote network...", and specify the other IPSec-related values.

{{настройка_gre_туннеля_с_ipsec_защитой_Image_5.png?642}}

Press the "Save" button and reboot the device. Repeat the same configuration steps on the remote side.

====== Troubleshooting ======

Troubleshooting in this case can be divided into two parts:

  * troubleshooting of the tunnel and
  * troubleshooting of IPSec.

Troubleshooting of the GRE tunnel consists of verifying the local addresses and netmask, the zone, the firewall rules for the zone, the outgoing interface, the remote side address, the routing rules and the matching tunnel key. With correct settings, packets from the local network that are routed through the GRE tunnel must reach an existing address on the remote side (a ping with correct local and destination addresses must go through).

For IPSec troubleshooting, follow our IPSec troubleshooting guide, taking into account the remarks below.

===== Troubleshooting remarks =====

Correctly configured GRE tunnels will pass traffic according to their routes without an IPSec tunnel too. We therefore recommend setting up the GRE tunnel first, rebooting the device and debugging the packet exchange. Once traffic is being exchanged, you can move on to configuring IPSec protection.

The IPSec tunnel will be established "on demand". The states "INSTALLED" and "ESTABLISHED" will be reached only when traffic is going through the tunnel.
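
Because a correctly configured GRE tunnel passes traffic without IPSec too, a successful ping through the tunnel does not show that the traffic is protected. The script below is an added example, not part of the original how-to or NETSHe's own tooling: it classifies the text output of a tcpdump capture taken on the outgoing interface and reports whether the local device sends GRE in cleartext or inside ESP. Assumptions: shell access to a Linux device with tcpdump (where inbound packets reappear in cleartext after decryption, so only the outbound direction is judged); the addresses, SPIs, sample lines and function names are constructed.

```shell
#!/bin/sh
# Added example (not NETSHe tooling). Feed it text output of a capture such as:
#   tcpdump -n -i <outgoing-if> 'host <remote> and (proto 47 or proto 50)'
# NAT-T (ESP inside UDP/4500) is not handled here.

# count_tunnel_packets LOCAL REMOTE: reads tcpdump -n lines on stdin and
# prints "gre_clear=<n> esp=<m>" for packets sent from LOCAL to REMOTE.
# Inbound lines are skipped: on Linux the decrypted copy of an inbound ESP
# packet is captured again as plain GRE and would be a false alarm.
count_tunnel_packets() {
    awk -v l="$1" -v r="$2" '
        {
            dst = $5; sub(/:$/, "", dst)
            if ($3 != l || dst != r) next
            if ($6 ~ /^GREv[01]/) gre++        # GRE header visible: not encrypted
            else if ($6 ~ /^ESP\(/) esp++      # payload hidden inside ESP
        }
        END { printf "gre_clear=%d esp=%d\n", gre, esp }'
}

# tunnel_verdict LOCAL REMOTE: any outbound cleartext GRE is a failure,
# even if ESP packets are also present.
tunnel_verdict() {
    counts=$(count_tunnel_packets "$1" "$2")
    gre=${counts#gre_clear=}; gre=${gre%% *}
    esp=${counts##*esp=}
    if [ "$gre" -gt 0 ]; then echo "CLEARTEXT_GRE"
    elif [ "$esp" -gt 0 ]; then echo "PROTECTED"
    else echo "NO_TUNNEL_TRAFFIC"
    fi
}

# Constructed sample captures (documentation addresses, made-up SPIs).
sample_gre_only() {
    cat <<'EOF'
12:00:01.000001 IP 198.51.100.1 > 203.0.113.2: GREv0, key=0x1, length 92: IP 10.10.0.1 > 10.10.0.2: ICMP echo request, id 7, seq 1, length 64
12:00:01.000950 IP 203.0.113.2 > 198.51.100.1: GREv0, key=0x1, length 92: IP 10.10.0.2 > 10.10.0.1: ICMP echo reply, id 7, seq 1, length 64
EOF
}
sample_with_ipsec() {
    cat <<'EOF'
12:05:01.000001 IP 198.51.100.1 > 203.0.113.2: ESP(spi=0xc1a2b3c4,seq=0x1), length 148
12:05:01.000950 IP 203.0.113.2 > 198.51.100.1: ESP(spi=0xc5d6e7f8,seq=0x1), length 148
12:05:01.000951 IP 203.0.113.2 > 198.51.100.1: GREv0, key=0x1, length 92: IP 10.10.0.2 > 10.10.0.1: ICMP echo reply, id 7, seq 1, length 64
EOF
}

sample_gre_only   | tunnel_verdict 198.51.100.1 203.0.113.2
sample_with_ipsec | tunnel_verdict 198.51.100.1 203.0.113.2
```

Run the check on each side with that side's own address as LOCAL, and generate traffic through the tunnel while capturing, since the IPSec tunnel is established on demand.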