
Connection between Two Private Networks Using GRE over IPSec VPN

This example shows how to create a GRE over IPSec VPN to protect the communication between the private network of the headquarters and the private network of the branch.

The topology is shown below. Device A acts as the gateway of the headquarters and device B acts as the gateway of the branch. To protect the communication between the two private networks, use GRE over IPSec VPN.

* Because this is a lab environment, 10.89.16.0/22 is used to represent the public network segment.
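What the tunnel interface actually carries, as an added illustration that is not part of the Hillstone cookbook: a LAN packet routed into tunnel1 is first wrapped in a GRE header, then in an outer IP header between the two gateway addresses the page uses (10.89.17.226 and 10.89.18.131), and only that outer packet is handed to the IPSec tunnel, where tunnel-mode ESP encrypts all of it. The host addresses 192.168.1.10 and 192.168.2.20 and the "ping" payload are constructed; the ESP stage is not modelled because the page contains no key material.

```python
# Added illustration of the packet layering behind GRE over IPsec; this is
# not code from the Hillstone cookbook. Gateway addresses are the page's
# (10.89.17.226 and 10.89.18.131); the LAN host addresses 192.168.1.10 and
# 192.168.2.20 and the "ping" payload are constructed for the example.
import struct
import ipaddress

IPPROTO_GRE = 47            # outer IPv4 protocol number for GRE
GRE_PROTO_IPV4 = 0x0800     # GRE protocol type for an IPv4 payload (RFC 2784)
GRE_FLAG_CHECKSUM = 0x8000  # C bit: a checksum field follows the 4-byte header

HQ_GW, BRANCH_GW = "10.89.17.226", "10.89.18.131"       # from the page
HQ_HOST, BRANCH_HOST = "192.168.1.10", "192.168.2.20"   # constructed


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by IPv4 and GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Validate the header checksum and return addresses, protocol and payload."""
    ihl = (pkt[0] & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total_len]}


def gre_encap(inner: bytes) -> bytes:
    """RFC 2784 GRE header with the C bit set: flags/version, protocol type,
    then a 16-bit checksum over GRE header plus payload and 16 reserved bits."""
    hdr = struct.pack("!HHHH", GRE_FLAG_CHECKSUM, GRE_PROTO_IPV4, 0, 0)
    csum = inet_checksum(hdr + inner)
    return hdr[:4] + struct.pack("!HH", csum, 0) + inner


def gre_decap(data: bytes) -> bytes:
    """Strip the GRE header, verifying the checksum when the C bit is set."""
    flags, proto = struct.unpack("!HH", data[:4])
    if proto != GRE_PROTO_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % proto)
    hdr_len = 4
    if flags & GRE_FLAG_CHECKSUM:
        if inet_checksum(data) != 0:
            raise ValueError("bad GRE checksum")
        hdr_len = 8
    return data[hdr_len:]


def encapsulate_hq_to_branch(payload: bytes, inner_proto: int = 1) -> bytes:
    """What device A hands to the IPsec tunnel for a LAN packet routed via
    tunnel1: inner IPv4 (LAN to LAN) -> GRE -> outer IPv4 (gateway to gateway,
    protocol 47). Tunnel-mode ESP would then wrap this whole packet and hide
    every byte of it; that stage is not modelled (no key material on the page)."""
    inner = build_ipv4(HQ_HOST, BRANCH_HOST, inner_proto, payload)
    return build_ipv4(HQ_GW, BRANCH_GW, IPPROTO_GRE, gre_encap(inner))


def describe_layers(pkt: bytes) -> list:
    """Peel outer IPv4, GRE and inner IPv4 and describe each layer."""
    outer = parse_ipv4(pkt)
    layers = ["IPv4 %s -> %s proto %d" % (outer["src"], outer["dst"], outer["proto"])]
    if outer["proto"] != IPPROTO_GRE:
        return layers
    inner = parse_ipv4(gre_decap(outer["payload"]))
    layers.append("GRE")
    layers.append("IPv4 %s -> %s proto %d" % (inner["src"], inner["dst"], inner["proto"]))
    return layers


def is_intact(pkt: bytes) -> bool:
    """True when both IPv4 header checksums and the GRE checksum verify."""
    try:
        describe_layers(pkt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for layer in describe_layers(encapsulate_hq_to_branch(b"ping")):
        print(layer)
```

Once ESP is applied, the inner addresses and the GRE header are not visible on the public segment, which is the reason for running GRE over IPSec rather than plain GRE; a GRE tunnel whose next-tunnel binding is missing would put exactly the bytes shown here on the wire in the clear.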

The configuration process consists of the following parts:

  • Configure basic settings
  • Configure IPSec VPN
  • Configure GRE VPN
  • Configure route and policies

Configuring Basic Settings

Step 1: Configuring interfaces for device A

Configuring the interface connected to the intranet

Select Network > Interface, and double-click ethernet0/0.

  • Binding Zone: Layer 3 Zone
  • Zone: trust
  • Type: Static IP
  • IP Address: 192.168.1.1
  • Netmask: 255.255.255.0
  • Keep the default of other parameters

Configuring the interface connected to the Internet

Select Network > Interface, and double-click ethernet0/1.

  • Binding Zone: Layer 3 Zone
  • Zone: untrust
  • Type: Static IP
  • IP Address: 10.89.17.226
  • Netmask: 255.255.252.0
  • Keep the default of other parameters

Configuring the tunnel interface

Select Network > Interface > New > Tunnel Interface.

  • Interface name: tunnel1
  • Binding Zone: Layer 3 Zone
  • Zone: trust
  • IP Address: 172.2.2.1
  • Netmask: 255.255.255.0
  • Keep the default of other parameters

Step 2: Configuring interfaces for device B

Configuring the interface connected to the intranet

Select Network > Interface, and double-click ethernet0/4.

  • Binding Zone: Layer 3 Zone
  • Zone: trust
  • Type: Static IP
  • IP Address: 192.168.2.1
  • Netmask: 255.255.255.0
  • Keep the default of other parameters

Configuring the interface connected to the Internet

Select Network > Interface, and double-click ethernet0/1.

  • Binding Zone: Layer 3 Zone
  • Zone: untrust
  • Type: Static IP
  • IP Address: 10.89.18.131
  • Netmask: 255.255.252.0
  • Keep the default of other parameters

Configuring the tunnel interface

Select Network > Interface > New > Tunnel Interface.

  • Interface name: tunnel1
  • Binding Zone: Layer 3 Zone
  • Zone: trust
  • IP Address: 172.2.2.2
  • Netmask: 255.255.255.0
  • Keep the default of other parameters

Configuring IPSec VPN

Step 1: Configuring IPSec VPN for device A

Create a P1 proposal and a P2 proposal.

Click Network > VPN > IPSec VPN. In the P1 Proposal tab, click New.

  • Proposal Name: p1forgre
  • Authentication: Pre-share
  • Hash: SHA
  • Encryption: 3DES
  • DH Group: Group2
  • Lifetime: 86400

In the P2 Proposal tab, click New.

  • Proposal Name: p2forgre
  • Protocol: ESP
  • HASH: SHA
  • Encryption: 3DES
  • Compression: None
  • PFS Group: No PFS
  • Lifetime: 28800

Configure a VPN peer.

Click Network > VPN > IPSec VPN. In the VPN Peer List tab, click New.

In the Basic tab, configure the following settings:

  • Name: center2branch1_ipsec
  • Interface: ethernet0/1
  • Mode: Main
  • Type: Static IP
  • Peer IP: 10.89.18.131
  • Proposal1: p1forgre
  • Pre-shared Key: hillstone
  • Keep the default of other parameters

Configure IKE VPN.

Click Network > VPN > IPSec VPN. In the IKE VPN List tab, click New.

In the Basic tab, configure the following settings:

  • Peer
    • Peer Name: center2branch1_ipsec
  • Tunnel
    • Name: center2branch1_ipsec_tunnel
    • Mode: tunnel
    • P2 proposal: p2forgre
  • Keep the default of other parameters

Step 2: Configuring IPSec VPN for device B

Create a P1 proposal and a P2 proposal.

Click Network > VPN > IPSec VPN. In the P1 Proposal tab, click New.

  • Proposal Name: p1forgre
  • Authentication: Pre-share
  • Hash: SHA
  • Encryption: 3DES
  • DH Group: Group2
  • Lifetime: 86400

In the P2 Proposal tab, click New.

  • Proposal Name: p2forgre
  • Protocol: ESP
  • HASH: SHA
  • Encryption: 3DES
  • Compression: None
  • PFS Group: No PFS
  • Lifetime: 28800

Configure a VPN peer.

Click Network > VPN > IPSec VPN. In the VPN Peer List tab, click New.

In the Basic tab, configure the following settings:

  • Name: tocenter_ipsec
  • Interface: ethernet0/1
  • Mode: Main
  • Type: Static IP
  • Peer IP: 10.89.17.226
  • Proposal1: p1forgre
  • Pre-shared Key: hillstone
  • Keep the default of other parameters

Configure IKE VPN.

Click Network > VPN > IPSec VPN. In the IKE VPN List tab, click New.

In the Basic tab, configure the following settings:

  • Peer
    • Peer Name: tocenter_ipsec
  • Tunnel
    • Name: tocenter_ipsec_tunnel
    • Mode: tunnel
    • P2 proposal: p2forgre
  • Keep the default of other parameters

Configuring GRE VPN

GRE VPN cannot be configured in the WebUI. Use the CLI to complete the following GRE VPN configurations.

Step 1: Configuring GRE VPN for device A

Create a GRE tunnel.

  1. In the global configuration mode, create a GRE tunnel:
    tunnel gre center2branch1
  2. Specify the source IP address of the tunnel:
    source 10.89.17.226
  3. Specify the destination IP address of the tunnel:
    destination 10.89.18.131
  4. Specify the egress interface of the tunnel:
    interface ethernet0/1
  5. Specify the IPSec VPN tunnel:
    next-tunnel ipsec center2branch1_ipsec_tunnel

Bind the GRE tunnel to the tunnel interface.

  1. Enter the interface configuration mode of tunnel1:
    int tunnel1
  2. Bind the GRE tunnel:
    tunnel gre center2branch1

Step 2: Configuring GRE VPN for device B

Create a GRE tunnel.

  1. In the global configuration mode, create a GRE tunnel:
    tunnel gre branch1
  2. Specify the source IP address of the tunnel:
    source 10.89.18.131
  3. Specify the destination IP address of the tunnel:
    destination 10.89.17.226
  4. Specify the egress interface of the tunnel:
    interface ethernet0/1
  5. Specify the IPSec VPN tunnel:
    next-tunnel ipsec tocenter_ipsec_tunnel

Bind the GRE tunnel to the tunnel interface.

  1. Enter the interface configuration mode of tunnel1:
    int tunnel1
  2. Bind the GRE tunnel:
    tunnel gre branch1
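The IPSec VPN and GRE VPN settings above must mirror each other exactly across the two devices, and the names typed in the CLI must match the objects created in the WebUI; a peer IP that is not the other gateway's address, a P2 proposal name that does not exist, or a next-tunnel that does not name an IKE VPN tunnel on the same device leaves the tunnel down with little to show for it. The following added example (not a Hillstone tool) transcribes both devices' settings from this page into dictionaries and cross-checks them: peer IPs against the other gateway's WAN address, P1/P2 proposal and next-tunnel references against the objects defined on the same device, pre-shared keys and proposal parameters across the two sides, and the tunnel interface subnet. It also flags the 3DES, SHA and DH group 2 choices as legacy algorithms. The variant() helper is an assumption for what-if checks and has no counterpart on the devices.

```python
# Added cross-check of the two gateways' IPsec and GRE settings as given on
# this page. It is not a Hillstone tool: the WebUI fields and CLI values are
# transcribed into dictionaries and the two sides are compared for the
# mismatches that leave the tunnel down (wrong peer address, dangling
# proposal or next-tunnel names, differing keys or algorithms).
import copy
import ipaddress

DEVICE_A = {
    "name": "A",
    "wan_ip": "10.89.17.226",
    "tunnel_if": "172.2.2.1/24",
    "p1": {"p1forgre": {"auth": "pre-share", "hash": "sha", "enc": "3des",
                        "dh": "group2", "lifetime": 86400}},
    "p2": {"p2forgre": {"proto": "esp", "hash": "sha", "enc": "3des",
                        "pfs": "none", "lifetime": 28800}},
    "peer": {"name": "center2branch1_ipsec", "interface": "ethernet0/1",
             "peer_ip": "10.89.18.131", "p1": "p1forgre", "psk": "hillstone"},
    "ike_tunnel": {"name": "center2branch1_ipsec_tunnel",
                   "peer": "center2branch1_ipsec", "p2": "p2forgre"},
    "gre": {"name": "center2branch1", "source": "10.89.17.226",
            "destination": "10.89.18.131", "interface": "ethernet0/1",
            "next_tunnel": "center2branch1_ipsec_tunnel"},
}

DEVICE_B = {
    "name": "B",
    "wan_ip": "10.89.18.131",
    "tunnel_if": "172.2.2.2/24",
    "p1": copy.deepcopy(DEVICE_A["p1"]),   # same proposal parameters on both sides
    "p2": copy.deepcopy(DEVICE_A["p2"]),
    "peer": {"name": "tocenter_ipsec", "interface": "ethernet0/1",
             "peer_ip": "10.89.17.226", "p1": "p1forgre", "psk": "hillstone"},
    "ike_tunnel": {"name": "tocenter_ipsec_tunnel",
                   "peer": "tocenter_ipsec", "p2": "p2forgre"},
    "gre": {"name": "branch1", "source": "10.89.18.131",
            "destination": "10.89.17.226", "interface": "ethernet0/1",
            "next_tunnel": "tocenter_ipsec_tunnel"},
}

# Algorithm choices the page uses that current guidance treats as legacy.
LEGACY = {"3des": "3DES", "sha": "SHA-1", "group2": "DH group 2 (1024-bit MODP)"}


def check_device(dev: dict, other: dict) -> tuple:
    """Per-device checks: every reference resolves on this device and the
    endpoints mirror the other side. Returns (errors, warnings)."""
    n, errors, warnings = dev["name"], [], []
    peer, ike, gre = dev["peer"], dev["ike_tunnel"], dev["gre"]
    if peer["peer_ip"] != other["wan_ip"]:
        errors.append(f"{n}: peer IP {peer['peer_ip']} is not {other['name']}'s WAN address")
    if peer["p1"] not in dev["p1"]:
        errors.append(f"{n}: P1 proposal {peer['p1']} does not exist")
    if ike["p2"] not in dev["p2"]:
        errors.append(f"{n}: P2 proposal {ike['p2']} does not exist")
    if ike["peer"] != peer["name"]:
        errors.append(f"{n}: IKE VPN references unknown peer {ike['peer']}")
    if gre["source"] != dev["wan_ip"] or gre["destination"] != other["wan_ip"]:
        errors.append(f"{n}: GRE source/destination do not mirror the gateway addresses")
    if gre["interface"] != peer["interface"]:
        errors.append(f"{n}: GRE egress interface differs from the IKE peer interface")
    if gre["next_tunnel"] != ike["name"]:
        errors.append(f"{n}: next-tunnel {gre['next_tunnel']} is not an IKE VPN tunnel on this device")
    for pname, params in list(dev["p1"].items()) + list(dev["p2"].items()):
        for value in params.values():
            if value in LEGACY:
                warnings.append(f"{n}: proposal {pname} uses legacy {LEGACY[value]}")
    return errors, warnings


def check_pair(a: dict, b: dict) -> tuple:
    """Both per-device checks plus the properties that must agree across sides."""
    errors, warnings = [], []
    for dev, other in ((a, b), (b, a)):
        e, w = check_device(dev, other)
        errors += e
        warnings += w
    if a["peer"]["psk"] != b["peer"]["psk"]:
        errors.append("pre-shared keys differ")
    pa, pb = a["p1"].get(a["peer"]["p1"]), b["p1"].get(b["peer"]["p1"])
    if pa and pb and pa != pb:
        errors.append("P1 proposal parameters differ between A and B")
    pa, pb = a["p2"].get(a["ike_tunnel"]["p2"]), b["p2"].get(b["ike_tunnel"]["p2"])
    if pa and pb and pa != pb:
        errors.append("P2 proposal parameters differ between A and B")
    if ipaddress.ip_interface(a["tunnel_if"]).network != ipaddress.ip_interface(b["tunnel_if"]).network:
        errors.append("tunnel interfaces are not in one subnet")
    return errors, warnings


def variant(dev: dict, section: str, key: str, value) -> dict:
    """Copy of a device config with one field changed, for what-if checks."""
    changed = copy.deepcopy(dev)
    changed[section][key] = value
    return changed


if __name__ == "__main__":
    errors, warnings = check_pair(DEVICE_A, DEVICE_B)
    print("errors:", errors)
    for w in warnings:
        print("warning:", w)
```

With the values as configured above the checker reports no errors, only the legacy-algorithm warnings; changing a single name on one side (for example the P2 proposal referenced by the IKE VPN, or the next-tunnel of the GRE tunnel) produces an error that names the dangling reference and the device it is on, which is the information the WebUI and CLI do not give you when the tunnel simply fails to come up.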


Configuring Route and Policies

Step 1: Configuring route and policies for device A

Configure routes.

Select Network > Routing > Destination Route. Click New.

  • Destination: 192.168.2.0
  • Subnet Mask: 255.255.255.0
  • Next Hop: Interface
  • Interface: tunnel1
  • Keep the default of other parameters

Configure a security policy that allows traffic to flow from the Trust zone, where the tunnel interface is located, to the Trust zone, where the internal server is located.

Select Policy > Security Policy. Click New.

  • Name: trust_to_trust
  • Source
    • Zone: trust
    • Address: Any
  • Destination
    • Zone: trust
    • Address: Any
  • Other
    • Service/Service Group: Any
  • Action: Permit

Step 2: Configuring route and policies for device B

Configure routes.

Select Network > Routing > Destination Route. Click New.

  • Destination: 192.168.1.0
  • Subnet Mask: 255.255.255.0
  • Next Hop: Interface
  • Interface: tunnel1
  • Keep the default of other parameters

Configure a security policy that allows traffic to flow from the Trust zone, where the tunnel interface is located, to the Trust zone, where the internal server is located.

Select Policy > Security Policy > New.

  • Name: trust_to_trust
  • Source
    • Zone: trust
    • Address: Any
  • Destination
    • Zone: trust
    • Address: Any
  • Other
    • Service/Service Group: Any
  • Action: Permit
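How the destination route and the trust_to_trust policy combine on device A, as an added model that is not StoneOS code: the route selects tunnel1 as the egress interface, and because tunnel1 is bound to the trust zone, LAN-to-LAN traffic is evaluated against the trust-to-trust policy. The example uses only the interfaces, route and policy this page configures on device A; the host addresses 192.168.1.10 and 192.168.2.20 are constructed, and the with_zone() helper is an assumption used to show what happens if the tunnel interface is bound to a different zone.

```python
# Added model of device A's forwarding decision for LAN traffic, not StoneOS
# code: a longest-prefix route lookup followed by a zone-pair policy match,
# using only the interfaces, route and policy this page configures on
# device A. The host addresses 192.168.1.10 and 192.168.2.20 are constructed.
import ipaddress

INTERFACES = {
    "ethernet0/0": {"zone": "trust", "ip": "192.168.1.1/24"},
    "ethernet0/1": {"zone": "untrust", "ip": "10.89.17.226/22"},
    "tunnel1": {"zone": "trust", "ip": "172.2.2.1/24"},
}
# Static destination route from the page: branch LAN via the tunnel interface.
ROUTES = [("192.168.2.0/24", "tunnel1")]
POLICIES = [
    {"name": "trust_to_trust", "src_zone": "trust", "dst_zone": "trust",
     "src": "any", "dst": "any", "service": "any", "action": "permit"},
]


def lookup_route(dst_ip: str, interfaces=INTERFACES, routes=ROUTES):
    """Longest-prefix match over connected networks and static routes;
    returns the egress interface name or None when nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = []
    for name, itf in interfaces.items():
        net = ipaddress.ip_interface(itf["ip"]).network
        if dst in net:
            candidates.append((net.prefixlen, name))
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net:
            candidates.append((net.prefixlen, egress))
    return max(candidates)[1] if candidates else None


def address_matches(rule: str, ip) -> bool:
    """Policy address field: 'any' or a network in CIDR notation."""
    return rule == "any" or ip in ipaddress.ip_network(rule)


def forwarding_decision(src_ip: str, dst_ip: str, ingress_if: str,
                        interfaces=INTERFACES, routes=ROUTES, policies=POLICIES) -> tuple:
    """Zone-based policy: the source zone is the ingress interface's zone and
    the destination zone is the zone of the interface the route lookup
    selects. Returns (action, reason)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    egress = lookup_route(dst_ip, interfaces, routes)
    if egress is None:
        return ("drop", "no route to %s" % dst)
    src_zone = interfaces[ingress_if]["zone"]
    dst_zone = interfaces[egress]["zone"]
    for p in policies:  # first match wins, as in an ordered policy list
        if (p["src_zone"] == src_zone and p["dst_zone"] == dst_zone
                and address_matches(p["src"], src) and address_matches(p["dst"], dst)):
            return (p["action"], "%s (%s->%s) via %s" % (p["name"], src_zone, dst_zone, egress))
    return ("drop", "no policy for %s->%s, egress %s" % (src_zone, dst_zone, egress))


def with_zone(interfaces: dict, name: str, zone: str) -> dict:
    """Copy of the interface table with one interface moved to another zone."""
    changed = {k: dict(v) for k, v in interfaces.items()}
    changed[name]["zone"] = zone
    return changed


if __name__ == "__main__":
    print(forwarding_decision("192.168.1.10", "192.168.2.20", "ethernet0/0"))
    print(forwarding_decision("192.168.2.20", "192.168.1.10", "tunnel1"))
    print(forwarding_decision("192.168.1.10", "192.168.2.20", "ethernet0/0",
                              interfaces=with_zone(INTERFACES, "tunnel1", "untrust")))
```

Two points the model makes visible: LAN-to-branch traffic never needs a trust-to-untrust policy, because the GRE and ESP packets that leave ethernet0/1 are generated by the device itself after the policy decision on the inner packet; and moving tunnel1 into any zone other than trust makes the same traffic fall through to the default drop until a matching policy exists. The Any/Any trust_to_trust rule is the page's choice for the lab; in production the source and destination addresses would normally be narrowed to the two LAN subnets.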

Step 3: Verifying the connection between two private networks

After completing the above steps, hosts in the headquarters network (192.168.1.0/24) and the branch network (192.168.2.0/24) can reach each other through the tunnel.