EdgeRouter - EoGRE Layer 2 Tunnel

Overview

Readers will learn how to create an Ethernet over GRE tunnel on an EdgeRouter. This type of tunnel allows the bridging of two separate L2 domains.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
Device used in this article:

Table of Contents

  1. Network Diagram
  2. Setting up Ethernet over GRE
  3. Configuring EoGRE over IPsec
  4. Related Articles

Network Diagram

[Image: topology.png]

The EoGRE tunnel carries L2 traffic between the sites, which allows the two 192.168.1.0/24 domains to communicate.

Setting up Ethernet over GRE

Follow the steps below to configure an EoGRE tunnel using bridged and tunnel interfaces:

CLI: Access the Command Line Interface on ER-L. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Create the bridged (br0) interface.

set interfaces bridge br0

3. Assign an IP address to the br0 interface.

set interfaces bridge br0 address 192.168.1.1/24

4. Create the tunnel interface and define the local and remote tunnel endpoints.

set interfaces tunnel tun0 local-ip 203.0.113.1
set interfaces tunnel tun0 remote-ip 192.0.2.1

5. Define the tunnel encapsulation method.

set interfaces tunnel tun0 encapsulation gre-bridge

6. Add the tunnel interface (tun0) and the LAN interface (eth1) to the bridge.

set interfaces tunnel tun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0

7. Commit the changes and save the configuration.

commit ; save

CLI: Access the Command Line Interface on ER-R.

1. Enter configuration mode.

configure

2. Create the bridged (br0) interface.

set interfaces bridge br0

3. Assign an IP address to the br0 interface.

set interfaces bridge br0 address 192.168.1.2/24

4. Create the tunnel interface and define the local and remote tunnel endpoints.

set interfaces tunnel tun0 local-ip 192.0.2.1
set interfaces tunnel tun0 remote-ip 203.0.113.1

5. Define the tunnel encapsulation method.

set interfaces tunnel tun0 encapsulation gre-bridge

6. Add the tunnel interface (tun0) and the LAN interface (eth1) to the bridge.

set interfaces tunnel tun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0

7. Commit the changes and save the configuration.

commit ; save

Configuring EoGRE over IPsec

The tunnel configured above sends the bridged frames in plain GRE between the two WAN IP addresses. It is also possible to encrypt the EoGRE traffic using IPsec. Instead of setting up the EoGRE tunnel between the two WAN IP addresses, the tunnel endpoints are loopback addresses that reach each other through a Site-to-Site VPN. See our Policy-Based Site-to-Site IPsec VPN article for more information on this type of VPN.

Follow the steps below to configure an EoGRE tunnel over IPsec using bridged and tunnel interfaces:

CLI: Access the Command Line Interface on ER-L. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Create the bridged (br0) interface.

set interfaces bridge br0

3. Assign an IP address to the br0 interface.

set interfaces bridge br0 address 192.168.1.1/24

4. Create a loopback interface that will be used for the local and remote tunnel endpoints.

set interfaces loopback lo address 10.255.12.1/32

5. Create the tunnel interface and define the local and remote tunnel endpoints.

set interfaces tunnel tun0 local-ip 10.255.12.1
set interfaces tunnel tun0 remote-ip 10.255.12.2

6. Define the tunnel encapsulation method.

set interfaces tunnel tun0 encapsulation gre-bridge

7. Add the tunnel interface (tun0) and the LAN interface (eth1) to the bridge.

set interfaces tunnel tun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0

8. Create the IPsec VPN and define the local and remote subnets that correspond with the tunnel endpoints.

set vpn ipsec auto-firewall-nat-exclude enable

set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1

set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 10.255.12.1/32
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 10.255.12.2/32

9. Commit the changes and save the configuration.

commit ; save

CLI: Access the Command Line Interface on ER-R.

1. Enter configuration mode.

configure

2. Create the bridged (br0) interface.

set interfaces bridge br0

3. Assign an IP address to the br0 interface.

set interfaces bridge br0 address 192.168.1.2/24

4. Create a loopback interface that will be used for the local and remote tunnel endpoints.

set interfaces loopback lo address 10.255.12.2/32

5. Create the tunnel interface and define the local and remote tunnel endpoints.

set interfaces tunnel tun0 local-ip 10.255.12.2
set interfaces tunnel tun0 remote-ip 10.255.12.1

6. Define the tunnel encapsulation method.

set interfaces tunnel tun0 encapsulation gre-bridge

7. Add the tunnel interface (tun0) and the LAN interface (eth1) to the bridge.

set interfaces tunnel tun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0

8. Create the IPsec VPN and define the local and remote subnets that correspond with the tunnel endpoints.

set vpn ipsec auto-firewall-nat-exclude enable

set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1

set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 203.0.113.1 description ipsec
set vpn ipsec site-to-site peer 203.0.113.1 ike-group FOO0
set vpn ipsec site-to-site peer 203.0.113.1 local-address 192.0.2.1
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix 10.255.12.2/32
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix 10.255.12.1/32

9. Commit the changes and save the configuration.

commit ; save
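
The encryption in this section depends on step 8: the GRE endpoints from step 5 must fall inside the IPsec local and remote prefixes, otherwise the policy-based VPN never selects the GRE packets. The check below is an added example, not part of the original article or of EdgeOS. Its function names are hypothetical, it parses only the two command forms shown on this page, and it inspects configuration text rather than live tunnel state.

```python
import ipaddress
import re

# Constructed input: ER-L commands copied from the IPsec section of this page.
ER_L_IPSEC = """
set interfaces tunnel tun0 local-ip 10.255.12.1
set interfaces tunnel tun0 remote-ip 10.255.12.2
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 10.255.12.1/32
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 10.255.12.2/32
"""
# Constructed input: ER-L commands from the plain EoGRE section (no IPsec).
ER_L_PLAIN = """
set interfaces tunnel tun0 local-ip 203.0.113.1
set interfaces tunnel tun0 remote-ip 192.0.2.1
"""

GRE_RE = re.compile(r"set interfaces tunnel (\S+) (local|remote)-ip (\S+)$")
SEL_RE = re.compile(
    r"set vpn ipsec site-to-site peer (\S+) tunnel (\S+) (local|remote) prefix (\S+)$")

def parse(config):
    """Return ({tunnel: {side: ip}}, {(peer, tunnel): {side: network}})."""
    gre, selectors = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := GRE_RE.match(line):
            gre.setdefault(m[1], {})[m[2]] = ipaddress.ip_address(m[3])
        elif m := SEL_RE.match(line):
            key = (m[1], m[2])
            selectors.setdefault(key, {})[m[3]] = ipaddress.ip_network(m[4])
    return gre, selectors

def covered(endpoints, selector):
    """True when both GRE endpoints fall inside one local/remote selector pair."""
    if not all(s in endpoints and s in selector for s in ("local", "remote")):
        return False
    return (endpoints["local"] in selector["local"]
            and endpoints["remote"] in selector["remote"])

def unprotected_tunnels(config):
    """Names of GRE tunnels whose endpoints no IPsec selector pair covers."""
    gre, selectors = parse(config)
    return sorted(name for name, ep in gre.items()
                  if not any(covered(ep, sel) for sel in selectors.values()))

if __name__ == "__main__":
    print("IPsec section:", unprotected_tunnels(ER_L_IPSEC) or "all GRE endpoints covered")
    print("plain section:", unprotected_tunnels(ER_L_PLAIN))
```

Running the same check on the ER-R commands should give the same result with the local and remote values swapped.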

Related Articles

Intro to Networking - How to Establish a Connection Using SSH

EdgeRouter - OpenVPN Layer 2 Tunnel

EdgeRouter - Policy-Based Site-to-Site IPsec VPN
