How To Configure Mikrotik Site To Site Gre Tunnel Alongside Ipsec
GRE adds an outer header mentioning the entry betoken of the tunnel (SourceIP) too the move out betoken of the tunnel (DestinationIP) but the inner parcel is kept unmodified.
GRE tunnel alone encapsulates IP packets but does non supply authentication too encryption. GRE tunnel alongside IPsec ensures IP parcel encapsulation equally good equally authentication too encryption. IPsec usage makes your packets secure but it industrial plant piece of cake because of having extra authentication too encryption process. So, my persuasion is that if information safety is your concern, utilization GRE tunnel alongside IPsec but if information safety is non thus headache, utilization alone MikroTik GRE tunnel because it industrial plant thus faster.
The goal of this article is to blueprint a GRE VPN tunnel alongside IPsec. So, inwards this article I volition present how to create a GRE tunnel alongside IPsec to constitute a secure site to site VPN tunnel betwixt 2 Routers.
To configure a site to site GRE VPN Tunnel (with IPsec) betwixt 2 MikroTik Routers, I am next a network diagram above.
In this network, Office1 Router is connected to mesh through ether1 interface having IP address 192.168.70.2/30. In your existent network this IP address volition live on replaced alongside world IP address provided yesteryear your ISP. Office1 Router’s ether2 interface is connected to local network having IP network 10.10.11.0/24. After GRE tunnel configuration, an GRE tunnel interface volition live on created inwards Office 1 Router whose IP address volition live on assigned 172.22.22.1/30.
Similarly, Office 2 Router is connected to mesh through ether1 interface having IP address 192.168.80.2/30. In your existent network this IP address volition likewise live on replaced alongside world IP address. Office 2 Router’s ether2 interface is connected to local network having IP network 10.10.12.0/24. After GRE tunnel configuration an GRE tunnel interface volition likewise live on created inwards Office 2 Router whose IP address volition live on assigned 172.22.22.2/30.
We volition configure a site to site GRE Tunnel betwixt these 2 MikroTik Routers thus that local network of these routers tin communicate alongside each other through this VPN tunnel across world network.
Core Devices too IP Information
To configure a site to site GRE VPN betwixt 2 Routers, I am using 2 MikroTik RouterOS v6.38.1. IP information that I am using for this network configuration are given below.
Office 1 Router WAN IP: 192.168.70.2/30, LAN IP Block 10.10.11.0/24 too Tunnel interface IP 172.22.22.1/30
Office 2 Router WAN IP: 192.168.80.2/30, LAN IP Block 10.10.12.0/24 too Tunnel interface IP 172.22.22.2/30
This IP information is only for my RND purpose. Change this information according to your network requirements.
Site to Site EoIP Tunnel Configuration alongside IPsec</2>
We volition straight off outset our site to site GRE VPN configuration according to the to a higher house network diagram. Complete GRE configuration tin live on divided into 4 parts.
MikroTik RouterOS basic configuration
GRE tunnel configuration alongside IPsec
Assigning IP address on tunnel interface
Static road configuration
Part 1: MikroTik RouterOS Basic Configuration
Basic RouterOS configuration includes assigning WAN IP, LAN IP, DNS IP too Route, NAT configuration. According to our network diagram, nosotros volition straight off consummate these topics inwards our 2 MikroTik RouterOS (Office 1 Router too Office 2 Router).
Office 1 Router Basic Configuration
The next steps volition take away you lot how to perform basic configuration inwards your Office 1 RouterOS.
Login to Office 1 RouterOS using winbox too larn to IP > Addresses. In Address List window, click on PLUS SIGN (+). In New Address window, position WAN IP address (192.168.70.2/30) inwards Address input acre too select WAN interface (ether1) from Interface dropdown carte too click on Apply too OK button. Click on PLUS SIGN over again too position LAN IP (10.10.11.1/24) inwards Address input acre too select LAN interface (ether2) from Interface dropdown carte too click on Apply too OK button.
Go to IP > DNS too position DNS servers IP (8.8.8.8 or 8.8.4.4) inwards Servers input acre too click on Apply too OK button.
Go to IP > Firewall too click on NAT tab too and then click on PLUS SIGN (+). Under General tab, select srcnat from Chain dropdown carte too click on Action tab too and then select masquerade from Action dropdown menu. Click on Apply too OK button.
Go to IP > Routes too click on PLUS SIGN (+). In New Route window, click on Gateway input acre too position WAN Gateway address (192.168.70.1) inwards Gateway input acre too click on Apply too OK button.
Basic RouterOS configuration has been completed inwards Office 1 Router. Now nosotros volition practice similar steps inwards Office 2
Office 2 Router Basic Configuration
The next steps volition take away you lot how to perform basic configuration inwards your Office 2 RouterOS.
Login to Office 2 RouterOS using winbox too larn to IP > Addresses. In Address List window, click on PLUS SIGN (+). In New Address window, position WAN IP address (192.168.80.2/30) inwards Address input acre too select WAN interface (ether1) from Interface dropdown carte too click on Apply too OK button. Click on PLUS SIGN over again too position LAN IP (10.10.12.1/24) inwards Address input acre too select LAN interface (ether2) from Interface dropdown carte too click on Apply too OK button.
Go to IP > DNS too position DNS servers IP (8.8.8.8 or 8.8.4.4) inwards Servers input acre too click on Apply too OK button.
Go to IP > Firewall too click on NAT tab too and then click on PLUS SIGN (+). Under General tab, select srcnat from Chain dropdown carte too click on Action tab too and then select masquerade from Action dropdown menu. Click on Apply too OK button.
Go to IP > Routes too click on PLUS SIGN (+). In New Route window, click on Gateway input acre too position WAN Gateway address (192.168.80.1) inwards Gateway input acre too click on Apply too OK button.
Basic RouterOS configuration has been completed inwards Office 2 Router. Now nosotros are going to outset EoIP tunnel configuration.
Part 2: GRE Tunnel Configuration alongside IPsec
After MikroTik Router basic configuration, nosotros volition straight off configure GRE tunnel alongside IPsec inwards both MikroTik RouterOS. In GRE tunnel configuration, nosotros volition specify local too remote IP address equally good equally shared surreptitious for IPsec.
GRE Tunnel Configuration inwards Office 1 Router
The next steps volition present how to configure GRE tunnel inwards your Office 1 Router.
Click on Interfaces carte exceptional from Winbox too click on GRE Tunnel tab too and then click on PLUS SIGN (+). New Interface window volition appear.
Put a meaningful GRE tunnel interface call (gre-tunnel-r1) inwards Name input field.
Put Office 1 Router’s WAN IP address (192.168.70.2) inwards Local Address input field.
Put Office 2 Router’s WAN IP address (192.168.80.2) inwards Remote Address input field.
Put IPsec shared surreptitious inwards IPsec Secret input acre if your router supports IPsec too you lot wishing to enable IPsec authentication too encryption. You should call upwardly that this IPsec Secret must live on same inwards both routers.
Also uncheck Allow Fast Path checkbox if it is checked too you lot desire to enable IPsec.
Click Apply too OK button.
You volition respect a novel GRE tunnel interface followed yesteryear your given call (gre-tunnel-r1) has been created inwards Interface List window.
GRE tunnel configuration inwards Office 1 Router has been completed. Now nosotros volition practice the similar steps inwards our Office 2 Router to create GRE tunnel interface.
GRE Tunnel Configuration inwards Office 2 Router
The next steps volition present how to configure GRE tunnel inwards your Office 2 Router.
Click on Interfaces carte exceptional from Winbox too click on GRE Tunnel tab too and then click on PLUS SIGN (+). New Interface window volition appear.
Put a meaningful GRE tunnel interface call (gre-tunnel-r2) inwards Name input field.
Put Office 2 Router’s WAN IP address (192.168.80.2) inwards Local Address input field.
Put Office 1 Routers WAN IP address (192.168.70.2) inwards Remote Address input field.
Put IPsec shared surreptitious inwards IPsec Secret input acre if your router supports IPsec too you lot wishing to enable IPsec authentication too encryption. You should call upwardly that this IPsec Secret must live on same inwards both routers.
Also uncheck Allow Fast Path checkbox if it is checked too you lot desire to enable IPsec.
Click Apply too OK button.
You volition respect a novel GRE tunnel interface followed yesteryear your given call (gre-tunnel-r2) has been created inwards Interface List window.
GRE tunnel configuration inwards Office 2 Router has been completed. Now nosotros volition assign IP address inwards our newly created GRE tunnel interface inwards our both RouterOS thus that both router tin communicate alongside each other through this VPN tunnel interface.
Part 3: Assigning IP Address inwards GRE Tunnel Interface
After GRE tunnel configuration, a novel GRE tunnel interface has been created inwards both routers. So, if nosotros assign same block IP inwards both interfaces, the both router volition live on able to communicate alongside each other through this EoIP tunnel. In this part, nosotros volition straight off assign IP address inwards our newly created tunnel interface.
Assigning IP Address on Office 1 Router’s GRE Tunnel Interface
The next steps volition present how to assign IP address on Office 1 Router’s tunnel interface
Go to IP > Address carte exceptional too click on PLUS SIGN (+).
Put a novel somebody IP Block IP (172.22.22.1/30) inwards Address input field.
Choose newly created tunnel interface (eoip-tunnel-r1) from Interface driblet downward menu.
Click Apply too OK button.
Assigning IP address on Office 1 Router’s tunnel interface has been completed. Similarly, nosotros volition straight off assign IP address on Office 2 Router’s tunnel interface.
Assigning IP Address on Office 2 Router’s GRE Tunnel Interface
The next steps volition present how to assign IP address inwards Office 2 Router’s tunnel interface.
Go to IP > Address carte exceptional too click on PLUS SIGN (+).
Put a novel somebody IP Block IP (172.22.22.2/30) inwards Address input field.
Choose newly created tunnel interface (eoip-tunnel-r2) from Interface driblet downward menu.
Click Apply too OK button.
Assigning IP address on Office 2 Router’s tunnel interface has been completed. In this phase both routers are straight off able to communicate alongside each other. But both routers’ LAN cannot communicate alongside each other without static routing configuration. So, inwards the side yesteryear side component subdivision nosotros volition configure static routing inwards our both Office Router.
Part 4: Static Route Configuration
We volition straight off configure static road inwards our both Office Router thus that each router’s LAN tin communicate alongside each other through GRE tunnel.
Static Route Configuration inwards Office 1 Router
The next steps volition present how to configure static road inwards Office 1 Router.
Go to IP > Routes too click on PLUS SIGN (+). New Route window volition appear.
In New Route window, position destination IP Block (10.10.12.0/24) inwards Dst. Address input field.
Put the Gateway address (172.22.22.2) inwards Gateway input field.
Click Apply too OK button.
Static road configuration inwards Office 1 Router has been completed. Now nosotros volition configure static road inwards Office 2 Router.
Static Route Configuration inwards Office 2 Router
The next steps volition present how to configure static road inwards Office 2 Router.
Go to IP > Routes too click on PLUS SIGN (+). New Route window volition appear.
In New Route window, position destination IP Block (10.10.11.0/24) inwards Dst. Address input field.
Put the Gateway address (172.22.22.1) inwards Gateway input field.
Click Apply too OK button.
Static road configuration inwards Office 2 Router has been completed. Now both router equally good equally its LAN tin communicate alongside each other through GRE tunnel across world network.
To banking corporation jibe your configuration, practice a ping asking from whatever router or whatever local network machine to other local network machine. If everything is OK, your ping asking volition live on success.
GRE VPN Tunnel Configuration alongside IPsec has been explained inwards this article. I promise you lot volition live on able to configure GRE tunnel alongside IPsec betwixt your 2 role routers. However, if you lot facial expression upwardly whatever confusion to configure GRE tunnel inwards your MikroTik Router, experience gratis to hash out inwards comment or contact me from Contact page. I volition endeavor my best to remain alongside you.
0 Response to "How To Configure Mikrotik Site To Site Gre Tunnel Alongside Ipsec"
Post a Comment