how to forward gre traffic over ipsec vpn tunnel
8/10/2019 How to Forward GRE Traffic Over IPSec VPN Tunnel
How To - Forward GRE Traffic over IPSec VPN Tunnel
Applicable Version: 10.00 onwards
Overview
Generic Routing Encapsulation (GRE) is a simple IP packet encapsulation protocol. GRE tunnels are
mainly used as a means to carry other routed protocols across a predominantly IP network. They
remove the need for any protocol other than IP for data transfer, thus reducing overhead on the
network administrator's part. Non-IP protocols such as IPX and AppleTalk are tunnelled through the
IP core via GRE.
Generally, GRE tunnels are used in the following scenarios:
- To carry Multicast traffic just like real network interface traffic.
- To carry non-routable protocol traffic like NetBIOS or non-IP traffic over IP network.
- To link two similar networks which are connected with different IP addressing.
Scenario
Create an IPSec tunnel between a Head Office network and a Branch Office network. The clients at
the Branch Office are to connect to the Head Office Media Server, so a GRE tunnel is created
over the IPSec connection to allow transfer of multicast traffic between the Head Office and Branch
Office. The network scenario is described in the diagram below.
Network Schema

| Parameter | Branch Office | Head Office |
|---|---|---|
| Cyberoam WAN IP Address | 202.134.168.208 | 202.134.168.202 |
| LAN IP | 172.50.50.2 | 172.16.16.10 |
| LAN Subnet | 172.50.50.0/24 | 172.16.16.0/24 |
| GRE Tunnel Virtual IP | 5.5.5.1 | 5.5.5.2 |

Media Server:
- Source IP: 172.16.16.2
- Multicast IP: 225.0.0.1
Configuration
To forward GRE traffic over IPSec VPN connection, follow the steps given below. The configuration is
to be done from the Web Admin Console using Administrator profile.
Step 1: Create IPSec VPN Tunnel
Create an IPSec VPN tunnel between the Head Office and Branch Office. To know how to create an
IPSec VPN connection, refer to the article How To - Establish Site-to-Site IPSec Connection using
Preshared Key.
Note:
In the IPSec configuration:
- Make sure that WAN IP of Head Office Cyberoam is included in the Trusted Local Subnet at the
Head Office side and Trusted Remote Subnet at the Branch Office side.
- Similarly, make sure that WAN IP of Branch Office Cyberoam is included in the Trusted Local
Subnet at the Branch Office side and Trusted Remote Subnet at the Head Office side.
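The note above can be checked mechanically. This added example is not Cyberoam code: it assumes the GRE outer header runs from one WAN IP to the other, so a GRE packet is carried inside the IPSec tunnel only when both WAN IPs fall within the policy's subnets. The `local`/`remote` dicts are a hypothetical representation of the Trusted Local Subnet and Trusted Remote Subnet fields, and the sample policies are constructed.

```python
import ipaddress

# Addresses from the Network Schema on this page.
HO_WAN, BO_WAN = "202.134.168.202", "202.134.168.208"

def covers(subnets, ip):
    """True if ip falls inside any subnet of the list (a bare IP counts as /32)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in subnets)

def nets(subnets):
    """Normalise a subnet list to a set of network objects for comparison."""
    return {ipaddress.ip_network(s, strict=False) for s in subnets}

def audit(ho, bo):
    """Return findings for a Head Office / Branch Office IPSec policy pair.

    ho and bo are hypothetical dicts: 'local' holds the Trusted Local Subnet
    list and 'remote' holds the Trusted Remote Subnet list.
    """
    findings = []
    # Assumption: the GRE outer header is WAN IP -> WAN IP on each side.
    for name, pol, src, dst in (("Head Office", ho, HO_WAN, BO_WAN),
                                ("Branch Office", bo, BO_WAN, HO_WAN)):
        if not covers(pol["local"], src):
            findings.append(f"{name}: own WAN IP {src} missing from Trusted Local Subnet")
        if not covers(pol["remote"], dst):
            findings.append(f"{name}: peer WAN IP {dst} missing from Trusted Remote Subnet")
    # Each side's local list is expected to equal the other side's remote list.
    if nets(ho["local"]) != nets(bo["remote"]):
        findings.append("Head Office local subnets differ from Branch Office remote subnets")
    if nets(bo["local"]) != nets(ho["remote"]):
        findings.append("Branch Office local subnets differ from Head Office remote subnets")
    return findings

# Constructed sample policies (not exported from a real appliance).
GOOD_HO = {"local": ["172.16.16.0/24", "202.134.168.202"],
           "remote": ["172.50.50.0/24", "202.134.168.208"]}
GOOD_BO = {"local": ["172.50.50.0/24", "202.134.168.208"],
           "remote": ["172.16.16.0/24", "202.134.168.202"]}
# LAN-only subnets: a plain site-to-site policy before the WAN IPs are added.
LAN_ONLY_HO = {"local": ["172.16.16.0/24"], "remote": ["172.50.50.0/24"]}
LAN_ONLY_BO = {"local": ["172.50.50.0/24"], "remote": ["172.16.16.0/24"]}

if __name__ == "__main__":
    for label, ho, bo in (("with WAN IPs", GOOD_HO, GOOD_BO),
                          ("LAN only", LAN_ONLY_HO, LAN_ONLY_BO)):
        print(label, "->", audit(ho, bo) or "OK")
```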
Step 2: Create GRE Tunnel
Create a GRE Tunnel between the Head Office and the Branch Office. To know how to create a GRE
tunnel, refer to the article How To - Configure a GRE Tunnel on Cyberoam.
Step 3: Enable Multicast Forwarding in Cyberoam
Enable Multicast Forwarding on Cyberoam by going to Network > Static Route > Multicast and
checking Enable Multicast Forwarding, as shown below.
Step 4: Add Static Multicast Routes
Add static multicast routes both at the Head Office and Branch Office.
Head Office
Go to Network > Static Route > Multicast and click Add to add a new multicast route using the
parameters given below.
Parameter Description

| Parameter | Value | Description |
|---|---|---|
| Source IP Address | 172.16.16.2 | Specify Source IP Address. |
| Source Interface | PortA 172.16.16.10 | Select Source Interface from the list. |
| Multicast Address | 225.0.0.1 | Specify range of Multicast IP Address |
| Destination Interface | gre_tunnel_ho 5.5.5.2 | Select Destination Interface from the list. You can select more than one destination interface. |
Branch Office
Go to Network > Static Route > Multicast and click Add to add a new multicast route using the
parameters given below.
Parameter Description

| Parameter | Value | Description |
|---|---|---|
| Source IP Address | 172.16.16.2 | Specify Source IP Address. |
| Source Interface | gre_tunnel_bo 5.5.5.1 | Select Source Interface from the list. |
| Multicast Address | 225.0.0.1 | Specify range of Multicast IP Address |
| Destination Interface | PortA-172.50.50.2 | Select Destination Interface from the list. You can select more than one destination interface. |
Note:
Make sure that Firewall Rules allowing traffic from LAN to VPN and vice versa are present. If they are
not present, create them manually. They are necessary for the VPN connections to function properly.
The above configuration forwards all GRE traffic to the IPSec VPN connection between Head Office and Branch Office.
Document Version: 2.0 07/05/2013