[SOLVED] GRE/IPsec example help

I’m trying to reproduce GRE over IPsec example in GNS3, following GRE Over IPsec for Secure Tunneling - Knowledgebase / Interfaces - VyOS (following Configuration Using Just GRE/IPsec). Using exactly the same configuration, show vpn ipsec sa indicates the tunnel up and running. However, I cannot ping 10.2.2.1 from central-office-net.

Probably missing something obvious… Any hints?

Kind regards
Milos

Can you share your configuration?

Router 1:

interfaces {
    ethernet eth0 {
        address 10.1.1.1/24
        hw-id 0c:df:e9:cc:00:00
    }
    ethernet eth1 {
        address 203.0.113.2/24
        hw-id 0c:df:e9:cc:00:01
    }
    ethernet eth2 {
        hw-id 0c:df:e9:cc:00:02
    }
    loopback lo {
    }
    tunnel tun0 {
        address 10.1.1.5/32
        encapsulation gre
        multicast enable
        remote 192.51.100.2
        source-address 203.0.113.2
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 203.0.113.1 {
            }
        }
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name central-office-rtr
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    ntp {
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}
vpn {
    ipsec {
        esp-group central-rtr-esp {
            compression disable
            lifetime 1800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group central-rtr-ike {
            close-action none
            ikev2-reauth no
            key-exchange ikev1
            lifetime 3600
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha256
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        site-to-site {
            peer 192.51.100.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                default-esp-group central-rtr-esp
                ike-group central-rtr-ike
                ikev2-reauth inherit
                local-address 203.0.113.2
                tunnel 0 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group central-rtr-esp
                    local {
                        prefix 10.1.1.0/24
                    }
                    protocol gre
                    remote {
                        prefix 10.2.2.0/24
                    }
                }
            }
        }
    }
}

Router 2:

interfaces {
    ethernet eth0 {
        address 10.2.2.1/24
        hw-id 0c:d0:6a:2e:00:00
    }
    ethernet eth1 {
        address 192.51.100.2/24
        hw-id 0c:d0:6a:2e:00:01
    }
    ethernet eth2 {
        hw-id 0c:d0:6a:2e:00:02
    }
    loopback lo {
    }
    tunnel tun0 {
        address 10.2.2.5/32
        encapsulation gre
        multicast enable
        remote 203.0.113.2
        source-address 192.51.100.2
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.51.100.1 {
            }
        }
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name remote-office-rtr
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    ntp {
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}
vpn {
    ipsec {
        esp-group remote-rtr-esp {
            compression disable
            lifetime 1800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group remote-rtr-ike {
            close-action none
            ikev2-reauth no
            key-exchange ikev1
            lifetime 3600
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha256
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        site-to-site {
            peer 203.0.113.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                default-esp-group remote-rtr-esp
                ike-group remote-rtr-ike
                ikev2-reauth inherit
                local-address 192.51.100.2
                tunnel 0 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group remote-rtr-esp
                    local {
                        prefix 10.2.2.0/24
                    }
                    protocol gre
                    remote {
                        prefix 10.1.1.0/24
                    }
                }
            }
        }
    }
}

Your GRE interfaces have local /32 addresses. And you don’t have any route pointing over the vpn tunnel.
So no packet will ever be routed over vpn
Add interface route onto gre tunnel, or adjust gre tun0 addresses to be in the same /30 subnet.
Moreover, ipsec remote/local tunnel addresses should be local and remote gre tunnel addresses.
remote 203.0.113.2
source-address 192.51.100.2

Many thanks! Subnet /30 on tun0 and static routes corresponding subnets on the other side solved the problem. I am just wondering the purpose of /32 interfaces in GRE Over IPsec for Secure Tunneling - Knowledgebase / Interfaces - VyOS

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.