[SOLVED] GRE/IPsec example help

I’m trying to reproduce the GRE over IPsec example in GNS3, following GRE Over IPsec for Secure Tunneling : VyOS Support Portal (the “Configuration Using Just GRE/IPsec” section). Using exactly the same configuration, `show vpn ipsec sa` reports the tunnel as up and running. However, I cannot ping 10.2.2.1 from central-office-net.

Probably missing something obvious… Any hints?

Kind regards
Milos

Can you share your configuration?

Router 1:

interfaces {
    ethernet eth0 {
        address 10.1.1.1/24
        hw-id 0c:df:e9:cc:00:00
    }
    ethernet eth1 {
        address 203.0.113.2/24
        hw-id 0c:df:e9:cc:00:01
    }
    ethernet eth2 {
        hw-id 0c:df:e9:cc:00:02
    }
    loopback lo {
    }
    tunnel tun0 {
        address 10.1.1.5/32
        encapsulation gre
        multicast enable
        remote 192.51.100.2
        source-address 203.0.113.2
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 203.0.113.1 {
            }
        }
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name central-office-rtr
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    ntp {
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}
vpn {
    ipsec {
        esp-group central-rtr-esp {
            compression disable
            lifetime 1800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group central-rtr-ike {
            close-action none
            ikev2-reauth no
            key-exchange ikev1
            lifetime 3600
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha256
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        site-to-site {
            peer 192.51.100.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                default-esp-group central-rtr-esp
                ike-group central-rtr-ike
                ikev2-reauth inherit
                local-address 203.0.113.2
                tunnel 0 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group central-rtr-esp
                    local {
                        prefix 10.1.1.0/24
                    }
                    protocol gre
                    remote {
                        prefix 10.2.2.0/24
                    }
                }
            }
        }
    }
}

Router 2:

interfaces {
    ethernet eth0 {
        address 10.2.2.1/24
        hw-id 0c:d0:6a:2e:00:00
    }
    ethernet eth1 {
        address 192.51.100.2/24
        hw-id 0c:d0:6a:2e:00:01
    }
    ethernet eth2 {
        hw-id 0c:d0:6a:2e:00:02
    }
    loopback lo {
    }
    tunnel tun0 {
        address 10.2.2.5/32
        encapsulation gre
        multicast enable
        remote 203.0.113.2
        source-address 192.51.100.2
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.51.100.1 {
            }
        }
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name remote-office-rtr
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    ntp {
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}
vpn {
    ipsec {
        esp-group remote-rtr-esp {
            compression disable
            lifetime 1800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group remote-rtr-ike {
            close-action none
            ikev2-reauth no
            key-exchange ikev1
            lifetime 3600
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha256
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        site-to-site {
            peer 203.0.113.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                default-esp-group remote-rtr-esp
                ike-group remote-rtr-ike
                ikev2-reauth inherit
                local-address 192.51.100.2
                tunnel 0 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group remote-rtr-esp
                    local {
                        prefix 10.2.2.0/24
                    }
                    protocol gre
                    remote {
                        prefix 10.1.1.0/24
                    }
                }
            }
        }
    }
}

Your GRE interfaces have local /32 addresses, and you don’t have any route pointing over the VPN tunnel,
so no packet will ever be routed over it.
Add an interface route onto the GRE tunnel, or adjust the gre tun0 addresses so that both ends are in the same /30 subnet.
Moreover, the IPsec tunnel’s local/remote addresses should be the GRE tunnel’s local (source-address) and remote endpoint addresses, i.e. on Router 2:
remote 203.0.113.2
source-address 192.51.100.2

Many thanks! A /30 subnet on tun0, plus static routes to the corresponding subnets on the other side, solved the problem. I am just wondering what the purpose of the /32 interfaces is in GRE Over IPsec for Secure Tunneling : VyOS Support Portal
