How to configure a GRE over IPSec tunnel

Created On 09/02/22 13:48 PM - Last Modified 06/01/23 07:23 AM


Objective


  • Configure a GRE over IPSec tunnel where the GRE and IPSec source and destination are the same.
  • Configure a GRE over IPSec tunnel where the GRE and IPSec source and destination are different.


Environment


  • PAN-OS 9.0 and above.
  • Any Palo Alto NGFW device.
  • For this guide, a VM-100 and PAN-OS 9.1.12 were used.


Procedure


GRE over IPsec using the same source and destination for both

  1. Create an IKE gateway as you would for a standard IPSec tunnel.
    https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-an-ike-gateway#id47a6f121-466d-48fa-96f6-b122cd225c06

  2. Define an IPSec crypto profile with the cipher you want to use.
    https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/vpns/set-up-site-to-site-vpn/define-cryptographic-profiles/define-ipsec-crypto-profiles#idf7dc1080-0595-40ef-9849-f3d4887f1b8a

  3. Create a tunnel interface, taking the security zone into account and assigning an IP address if you need one:
    Network > Interfaces > Tunnel
    https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/vpns/site-to-site-vpn-concepts/tunnel-interface

  4. With the above in place, create an IPSec tunnel in the standard way, but enable "Add GRE encapsulation" under "Show Advanced Options".


GRE over IPsec using different source and destination

  1. Create an IKE gateway as you would for a standard IPSec tunnel.
  2. Define an IPSec crypto profile with the cipher you want to use.
  3. Create the tunnel interfaces, taking the security zone into account and assigning an IP address if you need one. This type of configuration requires two tunnel interfaces: one for GRE and one for IPSec.
  4. Create a GRE tunnel and assign one of the tunnel interfaces to it.
    https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/gre-tunnels/create-a-gre-tunnel

  5. Create an IPSec tunnel and assign the second tunnel interface to it.
  6. Take routing into account and set static or dynamic routing according to your needs.



Additional Information


When you create a GRE over IPSec tunnel using the same source and destination for both, you need only 1 tunnel interface and 1 IPSec tunnel with the option "Add GRE encapsulation" enabled. If you configure 1 tunnel interface and assign it to both a GRE tunnel and an IPSec tunnel, the commit will fail because one tunnel interface cannot be associated with two different encapsulations.

For GRE over IPSec with different sources and destinations, you first enable the IPSec tunnel to establish the VPN connection and then enable the GRE tunnel; from the GRE point of view, the underlay is transparent.
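
A pre-commit check for the two rules above, as an added example that is not Palo Alto Networks code. The `Tunnel` model, the `lint` function, the finding codes and the sample designs are hypothetical and constructed for illustration; this is not the PAN-OS configuration schema.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    """Simplified, hypothetical model of one tunnel object (not the PAN-OS schema)."""
    name: str
    kind: str                # "gre" or "ipsec"
    interface: str           # tunnel interface, e.g. "tunnel.1"
    local: str               # local endpoint address
    peer: str                # peer endpoint address
    gre_encap: bool = False  # IPSec only: "Add GRE encapsulation" enabled


def lint(tunnels):
    """Return (code, subject) findings for the rules in Additional Information."""
    findings = []
    by_interface = defaultdict(list)
    for t in tunnels:
        by_interface[t.interface].append(t)
    # Rule 1: one tunnel interface bound to both a GRE and an IPSec tunnel
    # means two encapsulations on one interface, so the commit fails.
    for iface, members in sorted(by_interface.items()):
        if {t.kind for t in members} >= {"gre", "ipsec"}:
            findings.append(("commit-fail-shared-interface", iface))
    # Rule 2 (advisory): identical endpoints call for a single IPSec tunnel
    # with "Add GRE encapsulation" rather than a separate GRE tunnel object.
    ipsec = [t for t in tunnels if t.kind == "ipsec"]
    for g in (t for t in tunnels if t.kind == "gre"):
        for i in ipsec:
            if (g.local, g.peer) == (i.local, i.peer) and not i.gre_encap:
                findings.append(("use-add-gre-encapsulation", f"{g.name}+{i.name}"))
    return findings


# Constructed sample designs using documentation and private address ranges.
A, B = "192.0.2.1", "198.51.100.1"
SHARED = [Tunnel("gre-1", "gre", "tunnel.1", A, B),
          Tunnel("ipsec-1", "ipsec", "tunnel.1", A, B)]
SAME_OK = [Tunnel("ipsec-1", "ipsec", "tunnel.1", A, B, gre_encap=True)]
DIFFERENT_OK = [Tunnel("ipsec-1", "ipsec", "tunnel.1", A, B),
                Tunnel("gre-1", "gre", "tunnel.2", "10.0.0.1", "10.0.0.2")]

if __name__ == "__main__":
    for label, design in (("shared", SHARED), ("same", SAME_OK), ("different", DIFFERENT_OK)):
        print(label, lint(design))
```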

