GRE over IPSec tunnel setup

Difficulty level: advanced

Minimum firmware: 18.10.225.15

Goal

To set up a GRE tunnel through a secure IPSec tunnel.

Background

Digi ACL devices provide the option of setting up a GRE tunnel either as a standalone tunnel, or as an advertised set of routes through an IPSec tunnel. This allows users to leverage the dynamic route advertisement of GRE tunnels through a secured IPSec tunnel.

Setup

You will need to configure the ACL device to establish an inbound or outbound IPSec tunnel.  For details on configuring the IPSec tunnel, see the following link.

VPN Access with IPSec tunnels

Sample Configuration

The following configuration settings show a sample setup of a GRE tunnel paired with an IPSec tunnel, where the IPSec tunnel setup is named tunnel_name with a local tunnel network of 172.30.0.1/32 and a remote network of 172.30.0.2/32.

  1. VPN > IPsec > Tunnels > tunnel name > Policies
    Create or modify the IPsec tunnel to include a policy with specified remote and local network addresses.
    Choosing 'Custom network' can be helpful here because you can see both IP addresses.
  2. Network > Interfaces > Add Interface
    Add an IPsec loopback endpoint.
  3. VPN > IP Tunnels > Add IP tunnel
    The remote endpoint is the IPsec tunnel virtual IP at the other end and the local endpoint is the IPsec loopback endpoint interface we configured earlier.
  4. Network > Interfaces > Add Interface
    Add an interface to the IP tunnel device. In this step we are creating a virtual IP address on the GRE tunnel.
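
A pre-deployment check of the addressing plan from the steps above, as an added example (not Digi code or device configuration). GRE itself does not encrypt, so the check confirms that both GRE endpoints fall inside the IPsec policy networks and that neither endpoint sits inside the GRE interface's own subnet. The function name, the result codes and the GRE virtual address 10.255.0.1/30 are assumptions made for illustration; the policy networks are the page's sample values.

```python
import ipaddress


def check_gre_over_ipsec(policy_local, policy_remote,
                         gre_local, gre_remote, gre_inner):
    """Return a list of problem codes; an empty list means the plan is consistent."""
    sel_local = ipaddress.ip_network(policy_local, strict=False)
    sel_remote = ipaddress.ip_network(policy_remote, strict=False)
    ep_local = ipaddress.ip_address(gre_local)
    ep_remote = ipaddress.ip_address(gre_remote)
    inner = ipaddress.ip_interface(gre_inner)
    problems = []

    # GRE is unencrypted: the outer header (local/remote endpoint) must match
    # the IPsec policy networks, or the GRE packets are not covered by it.
    if ep_local not in sel_local:
        problems.append("gre-local-outside-policy")
    if ep_remote not in sel_remote:
        problems.append("gre-remote-outside-policy")

    # If an endpoint lies inside the GRE interface's subnet, the route to the
    # remote endpoint points into the tunnel itself (recursive routing).
    if ep_local in inner.network or ep_remote in inner.network:
        problems.append("endpoint-inside-gre-subnet")
    return problems


# Policy networks are the page's sample values; the GRE virtual IP
# 10.255.0.1/30 is constructed for this example.
SAMPLE = dict(policy_local="172.30.0.1/32", policy_remote="172.30.0.2/32",
              gre_local="172.30.0.1", gre_remote="172.30.0.2",
              gre_inner="10.255.0.1/30")

if __name__ == "__main__":
    print(check_gre_over_ipsec(**SAMPLE) or "plan is consistent")
```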