GRE over IPsec tunnel setup
Difficulty level: advanced
Minimum firmware: 18.10.225.15
Goal
To set up a GRE tunnel through a secure IPsec tunnel.
Background
Digi ACL devices provide the option of setting up a GRE tunnel either as a standalone tunnel, or as an advertised set of routes through an IPsec tunnel. This allows users to leverage the dynamic route advertisement of GRE tunnels through a secured IPsec tunnel.
Setup
You will need to configure the ACL device to establish an inbound or outbound IPsec tunnel. For details on configuring the IPsec tunnel, see the following link.
Sample Configuration
The following configuration settings show a sample setup of a GRE tunnel paired with an IPsec tunnel, where the IPsec tunnel setup is named tunnel_name, with a local tunnel network of 172.30.0.1/32 and a remote network of 172.30.0.2/32.
- VPN > IPsec > Tunnels > tunnel name > Policies
Create or modify the IPsec tunnel to include a policy with specified remote and local network addresses.
Choosing 'Custom network' can be helpful here because you can see both IP addresses.
- Network > Interfaces > Add Interface
Add an IPsec loopback endpoint.
- VPN > IP Tunnels > Add IP tunnel
The remote endpoint is the IPsec tunnel virtual IP at the other end and the local endpoint is the IPsec loopback endpoint interface we configured earlier.
- Network > Interfaces > Add Interface
Add an interface to the IP tunnel device. In this step we are creating a virtual IP address on the GRE tunnel.
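A pre-deployment check of the addressing plan from the steps above, added here as an example and not part of Digi's documentation or firmware. It confirms that both GRE endpoints fall inside the IPsec policy networks, so the GRE packets are covered by the policy, and that the GRE virtual IP subnet does not swallow the remote endpoint. The function name, finding labels and the 10.255.0.1/30 GRE virtual IP are assumptions; the 172.30.0.x values are the page's sample.

```python
import ipaddress


def check_gre_over_ipsec(policy_local, policy_remote, gre_local, gre_remote, gre_inner):
    """Return a list of findings; an empty list means the plan is consistent."""
    local_sel = ipaddress.ip_network(policy_local)
    remote_sel = ipaddress.ip_network(policy_remote)
    src = ipaddress.ip_address(gre_local)
    dst = ipaddress.ip_address(gre_remote)
    inner = ipaddress.ip_interface(gre_inner)

    findings = []
    # The outer GRE header carries src -> dst. A policy-based IPsec tunnel only
    # protects packets matching its local/remote networks, so both GRE endpoints
    # must sit inside them or the GRE packets are not covered by the policy.
    if src not in local_sel:
        findings.append("gre-local-outside-policy")
    if dst not in remote_sel:
        findings.append("gre-remote-outside-policy")
    # If the GRE interface's connected subnet contains the remote endpoint, the
    # route to the endpoint points back into the tunnel (recursive routing).
    if dst in inner.network:
        findings.append("gre-remote-inside-inner-subnet")
    return findings


# Values from the sample configuration on this page.
PAGE_PLAN = dict(policy_local="172.30.0.1/32", policy_remote="172.30.0.2/32",
                 gre_local="172.30.0.1", gre_remote="172.30.0.2",
                 gre_inner="10.255.0.1/30")  # constructed: page gives no inner address

if __name__ == "__main__":
    print("page plan:", check_gre_over_ipsec(**PAGE_PLAN) or "consistent")
    # Constructed mistake: GRE sourced from a WAN address instead of the loopback.
    bad = dict(PAGE_PLAN, gre_local="192.0.2.10")
    print("wan-sourced:", check_gre_over_ipsec(**bad))
```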