Overview

Generic Routing Encapsulation (GRE) is a simple IP packet encapsulation protocol. GRE tunnels are mainly used to carry other routed protocols across a predominantly IP network. They remove the need for any protocol other than IP for data transfer, which reduces overhead for network administrators. Non-IP protocols such as IPX and AppleTalk are tunnelled through the IP core via GRE.

Generally, GRE tunnels are used in the following scenarios:
- To carry multicast traffic just like real network interface traffic.
- To carry non-routable protocol traffic such as NetBIOS, or non-IP traffic, over an IP network.
- To link two similar networks that are connected with different IP addressing.

Scenario

Create an IPSec tunnel between a Head Office network and a Branch Office network. The clients at the Branch Office are to connect to the Head Office Media Server, so a GRE tunnel is created over the IPSec connection to allow transfer of multicast traffic between the Head Office and the Branch Office. The network scenario is described in the diagram below.

How To Forward GRE Traffic over IPSec VPN Tunnel

Network Schema

| | Branch Office | Head Office |
|---|---|---|
| Cyberoam WAN IP Address | 202.134.168.208 | 202.134.168.202 |
| LAN IP | 172.50.50.2 | 172.16.16.10 |
| LAN Subnet | 172.50.50.0/24 | 172.16.16.0/24 |
| GRE Tunnel Virtual IP | 5.5.5.1 | 5.5.5.2 |

Media Server: Source IP 172.16.16.2, Multicast IP 225.0.0.1

Configuration

To forward GRE traffic over an IPSec VPN connection, follow the steps given below. The configuration is to be done from the Web Admin Console using an Administrator profile.

Step 1: Create IPSec VPN Tunnel

Create an IPSec VPN tunnel between the Head Office and the Branch Office. For instructions on creating an IPSec VPN connection, refer to the article How To - Establish Site-to-Site IPSec Connection using Preshared Key.

Note:
In the IPSec configuration:
- Make sure that the WAN IP of the Head Office Cyberoam is included in the Trusted Local Subnet at the Head Office side and in the Trusted Remote Subnet at the Branch Office side.
- Similarly, make sure that the WAN IP of the Branch Office Cyberoam is included in the Trusted Local Subnet at the Branch Office side and in the Trusted Remote Subnet at the Head Office side.
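
The Step 1 note can be checked before the tunnel goes live. The following Python example is added here and is not from the original article or from Cyberoam; it assumes the GRE tunnel endpoints are the two WAN IPs, and its function names, dictionary layout, subnet lists and /32 masks are constructed for illustration.

```python
import ipaddress

def covers(subnets, addr):
    """True if addr falls inside any of the listed subnets."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(s) for s in subnets)

def nets(subnets):
    return {ipaddress.ip_network(s) for s in subnets}

def check_site(name, site, peer):
    """Return a list of problems with one site's IPSec subnet lists."""
    problems = []
    # Assumption: the GRE outer header runs WAN IP to WAN IP, so both
    # addresses must match the IPSec policy for GRE to be protected by it.
    if not covers(site["trusted_local"], site["wan_ip"]):
        problems.append(f"{name}: own WAN IP {site['wan_ip']} missing from Trusted Local Subnet")
    if not covers(site["trusted_remote"], peer["wan_ip"]):
        problems.append(f"{name}: peer WAN IP {peer['wan_ip']} missing from Trusted Remote Subnet")
    # The two ends must mirror each other: my local list is the peer's remote list.
    if nets(site["trusted_local"]) != nets(peer["trusted_remote"]):
        problems.append(f"{name}: Trusted Local Subnet differs from peer's Trusted Remote Subnet")
    return problems

def check_tunnel(ho, bo):
    return check_site("Head Office", ho, bo) + check_site("Branch Office", bo, ho)

# Constructed sample data: addresses come from the Network Schema,
# the subnet lists and /32 masks are illustrative.
HO = {"wan_ip": "202.134.168.202",
      "trusted_local": ["172.16.16.0/24", "202.134.168.202/32"],
      "trusted_remote": ["172.50.50.0/24", "202.134.168.208/32"]}
BO = {"wan_ip": "202.134.168.208",
      "trusted_local": ["172.50.50.0/24", "202.134.168.208/32"],
      "trusted_remote": ["172.16.16.0/24", "202.134.168.202/32"]}
# Branch Office with its own WAN IP left out of Trusted Local Subnet.
BO_MISSING_WAN = dict(BO, trusted_local=["172.50.50.0/24"])

if __name__ == "__main__":
    for label, bo in (("correct", BO), ("WAN IP omitted", BO_MISSING_WAN)):
        print(label, "->", check_tunnel(HO, bo) or "OK")
```

A WAN IP missing from either list means the GRE packets between the two Cyberoam appliances do not match the IPSec policy, so the multicast stream they carry is not protected by the tunnel.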

Step 2: Create GRE Tunnel

Create a GRE tunnel between the Head Office and the Branch Office. For instructions on creating a GRE tunnel, refer to the article How To Configure a GRE Tunnel on Cyberoam.

Step 3: Enable Multicast Forwarding in Cyberoam

Enable Multicast Forwarding on Cyberoam by going to Network > Static Route > Multicast and checking Enable Multicast Forwarding as shown below.

Step 4: Add Static Multicast Routes

Add static multicast routes at both the Head Office and the Branch Office.

Head Office

Go to Network > Static Route > Multicast and click Add to add a new multicast route using the parameters given below.

Parameter Description

| Parameter | Value | Description |
|---|---|---|
| Source IP Address | 172.16.16.2 | Specify Source IP Address. |
| Source Interface | PortA 172.16.16.10 | Select Source Interface from the list. |
| Multicast Address | 225.0.0.1 | Specify range of Multicast IP Address. |
| Destination Interface | gre_tunnel_ho 5.5.5.2 | Select Destination Interface from the list. You can select more than one destination interface. |

Branch Office

Go to Network > Static Route > Multicast and click Add to add a new multicast route using the parameters given below.

Parameter Description

| Parameter | Value | Description |
|---|---|---|
| Source IP Address | 172.16.16.2 | Specify Source IP Address. |
| Source Interface | gre_tunnel_bo 5.5.5.1 | Select Source Interface from the list. |
| Multicast Address | 225.0.0.1 | Specify range of Multicast IP Address. |
| Destination Interface | PortA-172.50.50.2 | Select Destination Interface from the list. You can select more than one destination interface. |

Note:
Make sure that Firewall Rules allowing traffic from LAN to VPN and vice versa are present. If they are not present, create them manually. They are necessary for the VPN connections to function properly.

The above configuration forwards all GRE traffic to the IPSec VPN connection between the Head Office and the Branch Office.