EdgeRouter - EoGRE Layer 2 Tunnel
Overview
Readers will learn how to create an Ethernet over GRE tunnel on an EdgeRouter. This type of tunnel allows the bridging of two separate L2 domains.
Network Diagram
The EoGRE tunnel carries L2 traffic between the sites and allows the two 192.168.1.0/24 domains to communicate.
Setting up Ethernet over GRE
Follow the steps below to configure an EoGRE tunnel using bridged and tunnel interfaces:
On the first EdgeRouter (WAN address 203.0.113.1):
1. Enter configuration mode.
configure
2. Create the bridged (br0) interface.
set interfaces bridge br0
3. Assign an IP address to the br0 interface.
set interfaces bridge br0 address 192.168.1.1/24
4. Create the tunnel interface and define the local and remote tunnel endpoints.
set interfaces tunnel tun0 local-ip 203.0.113.1
set interfaces tunnel tun0 remote-ip 192.0.2.1
5. Define the tunnel encapsulation method.
set interfaces tunnel tun0 encapsulation gre-bridge
6. Add the tunnel interface (tun0) and the LAN interface (eth1) to the bridge.
set interfaces tunnel tun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0
7. Commit the changes and save the configuration.
commit ; save
On the second EdgeRouter (WAN address 192.0.2.1):
1. Enter configuration mode.
configure
2. Create the bridged (br0) interface.
set interfaces bridge br0
3. Assign an IP address to the br0 interface.
set interfaces bridge br0 address 192.168.1.2/24
4. Create the tunnel interface and define the local and remote tunnel endpoints.
set interfaces tunnel tun0 local-ip 192.0.2.1
set interfaces tunnel tun0 remote-ip 203.0.113.1
5. Define the tunnel encapsulation method.
set interfaces tunnel tun0 encapsulation gre-bridge
6. Add the tunnel interface (tun0) and the LAN interface (eth1) to the bridge.
set interfaces tunnel tun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0
7. Commit the changes and save the configuration.
commit ; save
Configuring EoGRE over IPsec
EoGRE by itself does not encrypt the bridged traffic, so it is also possible to encrypt the EoGRE traffic using IPsec. Instead of setting up the EoGRE tunnel between the two WAN IP addresses, the tunnel endpoints are loopback addresses that are reachable only through a Site-to-Site VPN. See our Policy-Based Site-to-Site IPsec VPN article for more information on this type of VPN.
Follow the steps below to configure an EoGRE tunnel over IPsec using bridged and tunnel interfaces:
On the first EdgeRouter (WAN address 203.0.113.1):
1. Enter configuration mode.
configure
2. Create the bridged (br0) interface.
set interfaces bridge br0
3. Assign an IP address to the br0 interface.
set interfaces bridge br0 address 192.168.1.1/24
4. Create a loopback interface that will be used for the local and remote tunnel endpoints.
set interfaces loopback lo address 10.255.12.1/32
5. Create the tunnel interface and define the local and remote tunnel endpoints.
set interfaces tunnel tun0 local-ip 10.255.12.1
set interfaces tunnel tun0 remote-ip 10.255.12.2
6. Define the tunnel encapsulation method.
set interfaces tunnel tun0 encapsulation gre-bridge
7. Add the tunnel interface (tun0) and the LAN interface (eth1) to the bridge.
set interfaces tunnel tun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0
8. Create the IPsec VPN and define the local and remote subnets that correspond with the tunnel endpoints.
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 10.255.12.1/32
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 10.255.12.2/32
9. Commit the changes and save the configuration.
commit ; save
On the second EdgeRouter (WAN address 192.0.2.1):
1. Enter configuration mode.
configure
2. Create the bridged (br0) interface.
set interfaces bridge br0
3. Assign an IP address to the br0 interface.
set interfaces bridge br0 address 192.168.1.2/24
4. Create a loopback interface that will be used for the local and remote tunnel endpoints.
set interfaces loopback lo address 10.255.12.2/32
5. Create the tunnel interface and define the local and remote tunnel endpoints.
set interfaces tunnel tun0 local-ip 10.255.12.2
set interfaces tunnel tun0 remote-ip 10.255.12.1
6. Define the tunnel encapsulation method.
set interfaces tunnel tun0 encapsulation gre-bridge
7. Add the tunnel interface (tun0) and the LAN interface (eth1) to the bridge.
set interfaces tunnel tun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0
8. Create the IPsec VPN and define the local and remote subnets that correspond with the tunnel endpoints.
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 203.0.113.1 description ipsec
set vpn ipsec site-to-site peer 203.0.113.1 ike-group FOO0
set vpn ipsec site-to-site peer 203.0.113.1 local-address 192.0.2.1
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix 10.255.12.2/32
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix 10.255.12.1/32
9. Commit the changes and save the configuration.
commit ; save
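As an added example (not part of the original article), the Python check below parses the tunnel and IPsec lines from both routers' configurations above and confirms that the GRE endpoints are mirrored and fall inside the IPsec local and remote prefixes, so the bridged traffic is matched by the VPN policy instead of leaving as plain GRE. The function names and the SITE_A/SITE_B samples are constructed for illustration.

```python
import ipaddress
# Constructed sample input: tunnel and IPsec lines copied from the two procedures above.
SITE_A = """\
set interfaces tunnel tun0 local-ip 10.255.12.1
set interfaces tunnel tun0 remote-ip 10.255.12.2
set interfaces tunnel tun0 encapsulation gre-bridge
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 10.255.12.1/32
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 10.255.12.2/32
"""
SITE_B = """\
set interfaces tunnel tun0 local-ip 10.255.12.2
set interfaces tunnel tun0 remote-ip 10.255.12.1
set interfaces tunnel tun0 encapsulation gre-bridge
set vpn ipsec site-to-site peer 203.0.113.1 local-address 192.0.2.1
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix 10.255.12.2/32
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix 10.255.12.1/32
"""

def parse(text):
    """Collect tun0 settings and the IPsec peer, local-address and tunnel prefixes."""
    cfg = {}
    for line in text.splitlines():
        w = line.split()
        if w[:4] == ["set", "interfaces", "tunnel", "tun0"] and len(w) == 6:
            cfg[w[4]] = w[5]                      # local-ip, remote-ip, encapsulation
        elif w[:5] == ["set", "vpn", "ipsec", "site-to-site", "peer"] and len(w) > 7:
            cfg["peer"] = w[5]
            if w[6] == "local-address":
                cfg["local-address"] = w[7]
            elif len(w) == 11 and w[8] in ("local", "remote") and w[9] == "prefix":
                cfg[w[8] + "-prefix"] = w[10]
    return cfg

def check_pair(a, b):
    """Return a list of problems; an empty list means both sides agree."""
    problems = []
    for name, me, other in (("A", a, b), ("B", b, a)):
        if me.get("encapsulation") != "gre-bridge":
            problems.append(f"{name}: tun0 encapsulation is not gre-bridge")
        if me.get("local-ip") != other.get("remote-ip"):
            problems.append(f"{name}: local-ip is not the other side's remote-ip")
        if me.get("peer") != other.get("local-address"):
            problems.append(f"{name}: IPsec peer is not the other side's local-address")
        for end in ("local", "remote"):           # GRE endpoint must match the selector
            ip, pfx = me.get(end + "-ip"), me.get(end + "-prefix")
            if not ip or not pfx or ipaddress.ip_address(ip) not in ipaddress.ip_network(pfx):
                problems.append(f"{name}: {end}-ip {ip} is outside IPsec {end} prefix {pfx}")
    return problems
```

Feed `parse()` the output of `show configuration commands` from each router and pass both results to `check_pair()`; an empty list means the tunnel endpoints are mirrored and covered by the IPsec prefixes.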
Related Articles
Intro to Networking - How to Establish a Connection Using SSH