EdgeRouter - EoGRE Layer 2 Tunnel


Overview


Readers will learn how to create an Ethernet over GRE (EoGRE) tunnel on an EdgeRouter. This type of tunnel will allow the bridging of two separate Layer 2 domains.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information. Device used in this article:

Table of Contents


  1. Network Diagram
  2. Ethernet over GRE
  3. EoGRE over IPsec
  4. EoGRE over OpenVPN
  5. Related Articles

Network Diagram



The network topology is shown below and the following interfaces are in use on the EdgeRouters:

ER-R

  • eth0 (WAN) - 203.0.113.1
  • br0 - no address

ER-L

  • eth0 (WAN) - 192.0.2.1
  • br0 - no address

[Figure: network topology diagram (eogre.png)]


Ethernet over GRE



CLI: Access the command line interface (CLI) on ER-R. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Create the bridged (br0) interface.

set interfaces bridge br0

3. Assign an IP address to the br0 interface.

set interfaces bridge br0 address 192.168.1.1/24

4. Create the tunnel interface and define the local and remote tunnel endpoints.

set interfaces tunnel tun0 local-ip 203.0.113.1
set interfaces tunnel tun0 remote-ip 192.0.2.1

5. Define the tunnel encapsulation method.

set interfaces tunnel tun0 encapsulation gre-bridge

6. Add the tunnel interface (tun0) and the LAN interface (eth1) to the bridge.

set interfaces tunnel tun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0

7. Commit the changes and save the configuration.

commit ; save

 

CLI: Access the command line interface (CLI) on ER-L. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Create the bridged (br0) interface.

set interfaces bridge br0

3. Assign an IP address to the br0 interface.

set interfaces bridge br0 address 192.168.1.2/24

4. Create the tunnel interface and define the local and remote tunnel endpoints.

set interfaces tunnel tun0 local-ip 192.0.2.1
set interfaces tunnel tun0 remote-ip 203.0.113.1

5. Define the tunnel encapsulation method.

set interfaces tunnel tun0 encapsulation gre-bridge

6. Add the tunnel interface (tun0) and the LAN interface (eth1) to the bridge.

set interfaces tunnel tun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0

7. Commit the changes and save the configuration.

commit ; save

EoGRE over IPsec



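It is also possible to use EoGRE to tunnel the L2 traffic over an IPsec tunnel. In this setup the GRE tunnel endpoint IP addresses are reached through a Site-to-Site VPN rather than directly over the WAN. Please see the EdgeRouter - Policy-Based Site-to-Site IPsec VPN article (listed under Related Articles) for more information on how to configure a Policy-Based Site-to-Site IPsec VPN.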

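CLI: Access the command line interface (CLI) on ER-R. You can do this using the CLI button in the GUI or by using a program such as PuTTY. The commands below are for ER-R; ER-L needs the mirrored configuration with the local and remote addresses swapped.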

1. Enter configuration mode.

configure

2. Create the bridged (br0) interface.

set interfaces bridge br0

3. Assign an IP address to the br0 interface.

set interfaces bridge br0 address 192.168.1.1/24

4. Assign an address to the loopback interface. This address is used as the local tunnel endpoint; the peer's loopback address is the remote tunnel endpoint.

set interfaces loopback lo address 10.255.12.1/32

5. Create the tunnel interface and define the local and remote tunnel endpoints.

set interfaces tunnel tun0 local-ip 10.255.12.1
set interfaces tunnel tun0 remote-ip 10.255.12.2

6. Define the tunnel encapsulation method.

set interfaces tunnel tun0 encapsulation gre-bridge

7. Add the tunnel interface (tun0) and the LAN interface (eth1) to the bridge.

set interfaces tunnel tun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0

8. Create the IPsec VPN and define the local and remote subnets that correspond with the tunnel endpoints.

set vpn ipsec auto-firewall-nat-exclude enable

set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1

set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 10.255.12.1/32
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 10.255.12.2/32

9. Commit the changes and save the configuration.

commit ; save

EoGRE over OpenVPN



It is also possible to use EoGRE to tunnel the L2 traffic over an OpenVPN tunnel. Please see the EdgeRouter - OpenVPN Site-to-Site article (listed under Related Articles) for more information on how to configure an OpenVPN Site-to-Site VPN.

CLI: Access the command line interface (CLI) on ER-R. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Generate a shared secret for the OpenVPN tunnel.

generate vpn openvpn-key /config/auth/secret

2. Enter configuration mode.

configure

3. Create the bridged (br0) interface.

set interfaces bridge br0

4. Assign an IP address to the br0 interface.

set interfaces bridge br0 address 192.168.1.1/24

5. Link the shared secret to the OpenVPN tunnel interface.

set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret

6. Create the tunnel interface and define the local and remote tunnel endpoints.

set interfaces openvpn vtun0 local-host 203.0.113.1
set interfaces openvpn vtun0 remote-host 192.0.2.1

7. Define the tunnel mode.

set interfaces openvpn vtun0 mode site-to-site

8. Add the tunnel interface (vtun0) and the LAN interface (eth1) to the bridge.

set interfaces openvpn vtun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0

9. Commit the changes and save the configuration.

commit ; save

Related Articles



Intro to Networking - How to Establish a Connection Using SSH

EdgeRouter - OpenVPN Site-to-Site

EdgeRouter - Policy-Based Site-to-Site IPsec VPN

