Example: GRE tunnel over an IPSec tunnel

The Connect EZ 16/32 device can be configured as an advertised set of routes through an IPSec tunnel. This allows you to leverage the dynamic route advertisement of GRE tunnels through a secured IPSec tunnel.

The example configuration provides instructions for configuring the Connect EZ 16/32 device with a GRE tunnel through IPsec.

Connect EZ 16/32-1 configuration tasks

  1. Create an IPsec tunnel named ipsec_gre1 with:
    • A pre-shared key.
    • Remote endpoint set to the public IP address of the Connect EZ 16/32-2 device.
    • A policy with:
      • Local network set to the IP address and subnet of the local GRE tunnel, 172.30.0.1/32.
      • Remote network set to the IP address and subnet of the remote GRE tunnel, 172.30.0.2/32.
  2. Create an IPsec endpoint interface named ipsec_endpoint1:
    1. Zone set to Internal.
    2. Device set to Ethernet: Loopback.
    3. IPv4 Address set to the IP address of the local GRE tunnel, 172.30.0.1/32.
  3. Create a GRE tunnel named gre_tunnel1:
    1. Local endpoint set to the IPsec endpoint interface, Interface: ipsec_endpoint1.
    2. Remote endpoint set to the IP address of the GRE tunnel on Connect EZ 16/32-2, 172.30.0.2.
  4. Create an interface named gre_interface1 and add it to the GRE tunnel:
    1. Zone set to Internal.
    2. Device set to IP tunnel: gre_tunnel1.
    3. IPv4 Address set to a virtual IP address on the GRE tunnel, 172.31.0.1/30.

Connect EZ 16/32-2 configuration tasks

  1. Create an IPsec tunnel named ipsec_gre2 with:
    • The same pre-shared key as the ipsec_gre1 tunnel on Connect EZ 16/32-1.
    • Remote endpoint set to the public IP address of Connect EZ 16/32-1.
    • A policy with:
      • Local network set to the IP address and subnet of the local GRE tunnel, 172.30.0.2/32.
      • Remote network set to the IP address of the remote GRE tunnel, 172.30.0.1/32.
  2. Create an IPsec endpoint interface named ipsec_endpoint2:
    1. Zone set to Internal.
    2. Device set to Ethernet: Loopback.
    3. IPv4 Address set to the IP address of the local GRE tunnel, 172.30.0.2/32.
  3. Create a GRE tunnel named gre_tunnel2:
    1. Local endpoint set to the IPsec endpoint interface, Interface: ipsec_endpoint2.
    2. Remote endpoint set to the IP address of the GRE tunnel on Connect EZ 16/32-1, 172.30.0.1.
  4. Create an interface named gre_interface2 and add it to the GRE tunnel:
    1. Zone set to Internal.
    2. Device set to IP tunnel: gre_tunnel2.
    3. IPv4 Address set to a virtual IP address on the GRE tunnel, 172.31.0.2/30.

Configuration procedures

Configure the Connect EZ 16/32-1 device

  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
  2. Access the device configuration:

    1. Locate your device as described in Use Digi Remote Manager to view and manage your device.
    2. Click the Device ID.
    3. Click Settings.
    4. Click to expand Config.

    1. On the menu, click System. Under Configuration, click Device Configuration.

      The Configuration window is displayed.

  3. Click VPN > IPsec > Tunnels.
  4. For Add IPsec Tunnel, type ipsec_gre1 and click .

  5. Click to expand Authentication.
  6. For Pre-shared key, type testkey.

  7. Click to expand Remote endpoint.
  8. For Hostname, type public IP address of the Connect EZ 16/32-2 device.

  9. Click to expand Policies.
  10. For Add Policy, click to add a new policy.

  11. Click to expand Local network.
  12. For Type, select Custom network.
  13. For Address, type the IP address and subnet of the local GRE tunnel, 172.30.0.1/32.
  14. For Remote network, type the IP address and subnet of the remote GRE tunnel, 172.30.0.2/32.

  15. Click Apply to save the configuration and apply the change.
  1. Select the device in Remote Manager and click Actions > Open Console, or log into the Connect EZ 16/32 local command line as a user with full Admin access rights.

    Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.

  2. At the command line, type config to enter configuration mode:

    > config
(config)>

  3. Add an IPsec tunnel named ipsec_gre1:
    (config)> add vpn ipsec tunnel ipsec_gre1
(config vpn ipsec tunnel ipsec_gre1)>
  4. Set the pre-shared key to testkey:
    (config vpn ipsec tunnel ipsec_gre1)> auth secret testkey
(config vpn ipsec tunnel ipsec_gre1)>
  5. Set the remote endpoint to public IP address of the Connect EZ 16/32-2 device:
    (config vpn ipsec tunnel ipsec_gre1)> remote hostname 192.168.101.1
(config vpn ipsec tunnel ipsec_gre1)>
  6. Add a policy:
    (config vpn ipsec tunnel ipsec_gre1)> add policy end
(config vpn ipsec tunnel ipsec_gre1 policy 0)>
  7. Set the local network policy type to custom:
    (config vpn ipsec tunnel ipsec_gre1 policy 0)> local type custom
(config vpn ipsec tunnel ipsec_gre1 policy 0)>
  8. Set the local network address to the IP address and subnet of the local GRE tunnel, 172.30.0.1/32:
    (config vpn ipsec tunnel ipsec_gre1 policy 0)> local custom 172.30.0.1/32
(config vpn ipsec tunnel ipsec_gre1 policy 0)>
  9. Set the remote network address to the IP address and subnet of the remote GRE tunnel, 172.30.0.2/32:
    (config vpn ipsec tunnel ipsec_gre1 policy 0)> remote network 172.30.0.2/32
(config vpn ipsec tunnel ipsec_gre1 policy 0)>
  10. Save the configuration and apply the change.
    (config ipsec tunnel ipsec_gre1 policy 0)> save
Configuration saved.
>
  1. Click Network > Interface.
  2. For Add Interface, type ipsec_endpoint1 and click .

  3. For Zone, select Internal.
  4. For Device, select Ethernet: loopback.

  5. Click to expand IPv4.
  6. For Address, type the IP address of the local GRE tunnel, 172.30.0.1/32.

  7. Click Apply to save the configuration and apply the change.
  1. At the command line, type config to enter configuration mode:

    > config
(config)>

  2. Add an interface named ipsec_endpoint1:
    (config)> add network interface ipsec_endpoint1
(config network interface ipsec_endpoint1)>
  3. Set the zone to internal:
    (config network interface ipsec_endpoint1)> zone internal
(config network interface ipsec_endpoint1)>
  4. Set the device to /network/device/loopback:
    (config network interface ipsec_endpoint1)> device /network/device/loopback
(config network interface ipsec_endpoint1)>
  5. Set the IPv4 address to the IP address of the local GRE tunnel, 172.30.0.1/32:
    (config network interface ipsec_endpoint1)> ipv4 address 172.30.0.1/32
(config network interface ipsec_endpoint1)>
  6. Save the configuration and apply the change.
    (config vpn ipsec tunnel ipsec_endpoint1 policy 0)> save
Configuration saved.
>
  1. Click VPN > IP Tunnels.
  2. For Add IP Tunnel, type gre_tunnel1 and click .

  3. For Local endpoint, select the IPsec endpoint interface created in Task two (Interface: ipsec_endpoint1).
  4. For Remote endpoint, type the IP address of the GRE tunnel on Connect EZ 16/32-2, 172.30.0.2.

  5. Click Apply to save the configuration and apply the change.
  1. At the command line, type config to enter configuration mode:

    > config
(config)>

  2. Add a GRE tunnel named gre_tunnel1:
    (config)> add vpn iptunnel gre_tunnel1
(config vpn iptunnel gre_tunnel1)>
  3. Set the local endpoint to the IPsec endpoint interface created in Task two (/network/interface/ipsec_endpoint1):
    (config vpn iptunnel gre_tunnel1)> local /network/interface/ipsec_endpoint1
(config vpn iptunnel gre_tunnel1)>
  4. Set the remote endpoint to the IP address of the GRE tunnel on Connect EZ 16/32-2, 172.30.0.2:
    (config vpn iptunnel gre_tunnel1)> remote 172.30.0.2
(config vpn iptunnel gre_tunnel1)>
  5. Save the configuration and apply the change.
    (config vpn iptunnel gre_tunnel1)> save
Configuration saved.
>
  1. Click Network > Interfaces.
  2. For Add Interface, type gre_interface1 and click .

  3. For Zone, select Internal.
  4. For Device, select the GRE tunnel created in Task three (IP tunnel: gre_tunnel1).

  5. Click to expand IPv4.
  6. For Address, type 172.31.0.1/30 for a virtual IP address on the GRE tunnel.

  7. Click Apply to save the configuration and apply the change.
  1. At the command line, type config to enter configuration mode:

    > config
(config)>

  2. Add an interface named gre_interface1:
    (config)> add network interface gre_interface1
(config network interface gre_interface1)>
  3. Set the zone to internal:
    (config network interface gre_interface1)> zone internal
(config network interface gre_interface1)>
  4. Set the device to the GRE tunnel created in Task three (/vpn/iptunnel/gre_tunnel1):
    (config network interface gre_interface1)> device /vpn/iptunnel/gre_tunnel1
(config network interface gre_interface1)>
  5. Set 172.31.0.1/30 as the virtual IP address on the GRE tunnel:
    (config network interface gre_interface1)> ipv4 address 172.31.0.1/30
(config network interface gre_interface1)>
  6. Save the configuration and apply the change.
    (config network interface gre_interface1)> save
Configuration saved.
>
  7. Type exit to exit the Admin CLI.

    Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.

Configure the Connect EZ 16/32-2 device

  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
  2. Access the device configuration:

    1. Locate your device as described in Use Digi Remote Manager to view and manage your device.
    2. Click the Device ID.
    3. Click Settings.
    4. Click to expand Config.

    1. On the menu, click System. Under Configuration, click Device Configuration.

      The Configuration window is displayed.

  3. Click VPN > IPsec > Tunnels.
  4. For Add IPsec Tunnel, type ipsec_gre2 and click .

  5. Click to expand Authentication.
  6. For Pre-shared key, type the same pre-shared key that was configured for the Connect EZ 16/32-1 (testkey).

  7. Click to expand Remote endpoint.
  8. For Hostname, type public IP address of the Connect EZ 16/32-1 device.

  9. Click to expand Policies.
  10. For Add Policy, click to add a new policy.

  11. Click to expand Local network.
  12. For Type, select Custom network.
  13. For Address, type the IP address and subnet of the local GRE tunnel, 172.30.0.2/32.
  14. For Remote network, type the IP address and subnet of the remote GRE tunnel, 172.30.0.1/32.

  15. Click Apply to save the configuration and apply the change.
  1. Select the device in Remote Manager and click Actions > Open Console, or log into the Connect EZ 16/32 local command line as a user with full Admin access rights.

    Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.

  2. At the command line, type config to enter configuration mode:

    > config
(config)>

  3. Add an IPsec tunnel named ipsec_gre2:
    (config)> add vpn ipsec tunnel ipsec_gre2
(config vpn ipsec tunnel ipsec_gre2)>
  4. Set the pre-shared key to the same pre-shared key that was configured for the Connect EZ 16/32-1 (testkey):
    (config vpn ipsec tunnel ipsec_gre2)> auth secret testkey
(config vpn ipsec tunnel ipsec_gre2)>
  5. Set the remote endpoint to public IP address of the Connect EZ 16/32-1 device:
    (config vpn ipsec tunnel ipsec_gre2)> remote hostname 192.168.100.1
(config vpn ipsec tunnel ipsec_gre2)>
  6. Add a policy:
    (config vpn ipsec tunnel ipsec_gre2)> add policy end
(config vpn ipsec tunnel ipsec_gre2 policy 0)>
  7. Set the local network policy type to custom:
    (config vpn ipsec tunnel ipsec_gre2 policy 0)> local type custom
(config vpn ipsec tunnel ipsec_gre2 policy 0)>
  8. Set the local network address to the IP address and subnet of the local GRE tunnel, 172.30.0.2/32:
    (config vpn ipsec tunnel ipsec_gre2 policy 0)> local custom 172.30.0.2/32
(config vpn ipsec tunnel ipsec_gre2 policy 0)>
  9. Set the remote network address to the IP address and subnet of the remote GRE tunnel, 172.30.0.1/32:
    (config vpn ipsec tunnel ipsec_gre2 policy 0)> remote network 172.30.0.1/32
(config vpn ipsec tunnel ipsec_gre2 policy 0)>
  10. Save the configuration and apply the change.
    (config vpn ipsec tunnel ipsec_gre2 policy 0)> save
Configuration saved.
>
  1. Click Network > Interfaces.
  2. For Add Interface, type ipsec_endpoint2 and click .

  3. For Zone, select Internal.
  4. For Device, select Ethernet: loopback.

  5. Click to expand IPv4.
  6. For Address, type the IP address of the local GRE tunnel, 172.30.0.2/32.

  7. Click Apply to save the configuration and apply the change.
  1. At the command line, type config to enter configuration mode:

    > config
(config)>

  2. Add an interface named ipsec_endpoint2:
    (config)> add network interface ipsec_endpoint2
(config network interface ipsec_endpoint2)>
  3. Set the zone to internal:
    (config network interface ipsec_endpoint2)> zone internal
(config network interface ipsec_endpoint2)>
  4. Set the device to /network/device/loopback:
    (config network interface ipsec_endpoint2)> device /network/device/loopback
(config network interface ipsec_endpoint2)>
  5. Set the IPv4 address to the IP address of the local GRE tunnel, 172.30.0.2/32:
    (config network interface ipsec_endpoint2)> ipv4 address 172.30.0.2/32
(config network interface ipsec_endpoint2)>
  6. Save the configuration and apply the change.
    (config vpn ipsec tunnel ipsec_endpoint2)> save
Configuration saved.
>
  1. Click VPN > IP Tunnels.
  2. For Add IP Tunnel, type gre_tunnel2 and click .

  3. For Local endpoint, select the IPsec endpoint interface created in Task two (Interface: ipsec_endpoint2).
  4. For Remote endpoint, type the IP address of the GRE tunnel on Connect EZ 16/32-1, 172.30.0.1.

  5. Click Apply to save the configuration and apply the change.
  1. At the command line, type config to enter configuration mode:

    > config
(config)>

  2. Add a GRE tunnel named gre_tunnel2:
    (config)> add vpn iptunnel gre_tunnel2
(config vpn iptunnel gre_tunnel2)>
  3. Set the local endpoint to the IPsec endpoint interface created in Task two (/network/interface/ipsec_endpoint2):
    (config vpn iptunnel gre_tunnel2)> local /network/interface/ipsec_endpoint2
(config vpn iptunnel gre_tunnel2)>
  4. Set the remote endpoint to the IP address of the GRE tunnel on Connect EZ 16/32-1, 172.30.0.1:
    (config vpn iptunnel gre_tunnel2)> remote 172.30.0.1
(config vpn iptunnel gre_tunnel2)>
  5. Save the configuration and apply the change.
    (config vpn iptunnel gre_tunnel2)> save
Configuration saved.
>
  1. Click Network > Interfaces.
  2. For Add Interface, type gre_interface2 and click .

  3. For Zone, select Internal.
  4. For Device, select the GRE tunnel created in Task three (IP tunnel: gre_tunnel2).

  5. Click to expand IPv4.
  6. For Address, type 172.31.0.2/30 for a virtual IP address on the GRE tunnel.

  7. Click Apply to save the configuration and apply the change.
  1. At the command line, type config to enter configuration mode:

    > config
(config)>

  2. Add an interface named gre_interface2:
    (config)> add network interface gre_interface2
(config network interface gre_interface2)>
  3. Set the zone to internal:
    (config network interface gre_interface2)> zone internal
(config network interface gre_interface2)>
  4. Set the device to the GRE tunnel created in Task three (/vpn/iptunnel/gre_tunnel2):
    (config network interface gre_interface2)> device /vpn/iptunnel/gre_tunnel2
(config network interface gre_interface2)>
  5. Set 172.31.0.2/30 as the virtual IP address on the GRE tunnel:
    (config network interface gre_interface2)> ipv4 address 172.31.0.2/30
(config network interface gre_interface2)>
  6. Save the configuration and apply the change.
    (config network interface gre_interface2)> save
Configuration saved.
>
  7. Type exit to exit the Admin CLI.

    Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.