EdgeRouter - EoGRE Layer 2 Tunnel


Overview


Readers will learn how to create an Ethernet over GRE (EoGRE) tunnel on an EdgeRouter. This type of tunnel will allow the bridging of two separate Layer 2 domains.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
 

Table of Contents


  1. Network Diagram
  2. Ethernet over GRE
  3. EoGRE over IPsec
  4. Related Articles

Network Diagram



The network topology is shown below:

[Figure: network topology diagram (topology.png)]

The EoGRE tunnel will be used to tunnel L2 traffic between the sites.


Ethernet over GRE



CLI: Access the command line interface on ER-L. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Create the bridged (br0) interface.

set interfaces bridge br0

3. Assign an IP address to the br0 interface.

set interfaces bridge br0 address 192.168.1.1/24

4. Create the tunnel interface and define the local and remote tunnel endpoints.

set interfaces tunnel tun0 local-ip 203.0.113.1
set interfaces tunnel tun0 remote-ip 192.0.2.1

5. Define the tunnel encapsulation method.

set interfaces tunnel tun0 encapsulation gre-bridge

6. Add the tunnel interface (tun0) and the LAN interface (eth1) to the bridge.

set interfaces tunnel tun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0

7. Commit the changes and save the configuration.

commit ; save

CLI: Access the command line interface on ER-R. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Create the bridged (br0) interface.

set interfaces bridge br0

3. Assign an IP address to the br0 interface.

set interfaces bridge br0 address 192.168.1.2/24

4. Create the tunnel interface and define the local and remote tunnel endpoints.

set interfaces tunnel tun0 local-ip 192.0.2.1
set interfaces tunnel tun0 remote-ip 203.0.113.1

5. Define the tunnel encapsulation method.

set interfaces tunnel tun0 encapsulation gre-bridge

6. Add the tunnel interface (tun0) and the LAN interface (eth1) to the bridge.

set interfaces tunnel tun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0

7. Commit the changes and save the configuration.

commit ; save

EoGRE over IPsec



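It is also possible to use EoGRE to tunnel the L2 traffic over an IPsec tunnel. GRE by itself provides no encryption or authentication, so this is the variant to use when the bridged traffic crosses an untrusted network. The tunnel endpoint IP addresses (loopback addresses on each router) are reached through a Site-to-Site VPN, so the GRE packets travel inside the IPsec tunnel. Please see the EdgeRouter - Policy-Based Site-to-Site IPsec VPN article (listed under Related Articles) for more information on how to configure a Policy-Based Site-to-Site IPsec VPN.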

CLI: Access the command line interface on ER-L. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Create the bridged (br0) interface.

set interfaces bridge br0

3. Assign an IP address to the br0 interface.

set interfaces bridge br0 address 192.168.1.1/24

4. Create a loopback interface that will be used for the local and remote tunnel endpoints.

set interfaces loopback lo address 10.255.12.1/32

5. Create the tunnel interface and define the local and remote tunnel endpoints.

set interfaces tunnel tun0 local-ip 10.255.12.1
set interfaces tunnel tun0 remote-ip 10.255.12.2

6. Define the tunnel encapsulation method.

set interfaces tunnel tun0 encapsulation gre-bridge

7. Add the tunnel interface (tun0) and the LAN interface (eth1) to the bridge.

set interfaces tunnel tun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0

8. Create the IPsec VPN and define the local and remote subnets that correspond with the tunnel endpoints.

set vpn ipsec auto-firewall-nat-exclude enable

set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1

set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 10.255.12.1/32
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 10.255.12.2/32

9. Commit the changes and save the configuration.

commit ; save

CLI: Access the command line interface on ER-R. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Create the bridged (br0) interface.

set interfaces bridge br0

3. Assign an IP address to the br0 interface.

set interfaces bridge br0 address 192.168.1.2/24

4. Create a loopback interface that will be used for the local and remote tunnel endpoints.

set interfaces loopback lo address 10.255.12.2/32

5. Create the tunnel interface and define the local and remote tunnel endpoints.

set interfaces tunnel tun0 local-ip 10.255.12.2
set interfaces tunnel tun0 remote-ip 10.255.12.1

6. Define the tunnel encapsulation method.

set interfaces tunnel tun0 encapsulation gre-bridge

7. Add the tunnel interface (tun0) and the LAN interface (eth1) to the bridge.

set interfaces tunnel tun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0

8. Create the IPsec VPN and define the local and remote subnets that correspond with the tunnel endpoints.

set vpn ipsec auto-firewall-nat-exclude enable

set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1

set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 203.0.113.1 description ipsec
set vpn ipsec site-to-site peer 203.0.113.1 ike-group FOO0
set vpn ipsec site-to-site peer 203.0.113.1 local-address 192.0.2.1
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix 10.255.12.2/32
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix 10.255.12.1/32

9. Commit the changes and save the configuration.

commit ; save
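
The following check is an added example, not part of the original article or of EdgeOS. It reads configuration lines in the "set" form used above (as printed by show configuration commands) and reports whether each gre-bridge tunnel's endpoints are covered by the local and remote prefixes of one IPsec tunnel. The function name and the result labels are assumptions, and the sample inputs are constructed from the ER-L steps in this article.

```python
import ipaddress
import re

# Constructed sample: ER-L lines from the EoGRE over IPsec section, as
# `show configuration commands` would list them.
OVER_IPSEC = """\
set interfaces tunnel tun0 local-ip 10.255.12.1
set interfaces tunnel tun0 remote-ip 10.255.12.2
set interfaces tunnel tun0 encapsulation gre-bridge
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 10.255.12.1/32
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 10.255.12.2/32
"""
# Constructed sample: ER-L lines from the plain Ethernet over GRE section.
PLAIN_GRE = """\
set interfaces tunnel tun0 local-ip 203.0.113.1
set interfaces tunnel tun0 remote-ip 192.0.2.1
set interfaces tunnel tun0 encapsulation gre-bridge
"""

TUNNEL = re.compile(r"set interfaces tunnel (\S+) (local-ip|remote-ip|encapsulation) (\S+)")
SELECTOR = re.compile(
    r"set vpn ipsec site-to-site peer (\S+) tunnel (\S+) (local|remote) prefix (\S+)")

def audit_eogre(config):
    """Map each gre-bridge tunnel to 'ipsec-selected', 'cleartext' or 'incomplete'."""
    tunnels, selectors = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := TUNNEL.match(line):
            tunnels.setdefault(m[1], {})[m[2]] = m[3]
        elif m := SELECTOR.match(line):
            net = ipaddress.ip_network(m[4], strict=False)
            selectors.setdefault((m[1], m[2]), {})[m[3]] = net
    report = {}
    for name, t in tunnels.items():
        if t.get("encapsulation") != "gre-bridge":
            continue  # only L2 (EoGRE) tunnels are of interest here
        if "local-ip" not in t or "remote-ip" not in t:
            report[name] = "incomplete"
            continue
        src = ipaddress.ip_address(t["local-ip"])
        dst = ipaddress.ip_address(t["remote-ip"])
        # Both endpoints must fall inside the SAME tunnel's local/remote prefixes;
        # otherwise the GRE packets match no IPsec policy and are not encrypted.
        hit = any("local" in s and "remote" in s and src in s["local"]
                  and dst in s["remote"] for s in selectors.values())
        report[name] = "ipsec-selected" if hit else "cleartext"
    return report
if __name__ == "__main__":
    print(audit_eogre(OVER_IPSEC), audit_eogre(PLAIN_GRE))
```

A result of ipsec-selected only means the configured policy covers the tunnel endpoints; whether the security association is actually established still has to be checked on the router, for example with show vpn ipsec sa.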

Related Articles



Intro to Networking - How to Establish a Connection Using SSH

EdgeRouter - OpenVPN Layer 2 Tunnel

EdgeRouter - Policy-Based Site-to-Site IPsec VPN

