Setup for GRE over IPSec fails
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Hello,
I'm setting up VPN connection between our remote office LANs through GRE over IPsec.
First I tried to set it up following the steps in the user's guide in the link below.
https://static.tp-link.com/upload/manual/2023/202310/20231009/1910013510_ER605(UN)_UG.pdf
It says "To complete the GRE VPN configuration, make sure you have configured the IPsec VPN.", so I configured IPsec first, then tried GRE VPN configuration accordingly.
Once I tried to enable GRE configuration just after I entered the parameters, I got error, "For an IPsec policy with the same IP address at both ends, the parameters in Phase-1 should be kept the same" and it couldn't be enabled.
Most of GRE parameters including pre-shared key is set up in correspondence with the ones in IPsec configuration.
But for Phase-1 parameters, as in the error message, I couldn't see the parameters set up in this GRE configuration since there's no area to show them, so I'm not sure about what is expected to be set up to "keep the same" as IPsec configuration
Does anyone face the same issueand have any solution?
In order to understand what needs to be set in the Phase-1 parameters to keep both IPsec and GRE settings the same, I tried to find out what is implicitly set in the GRE configuration.
First, I removed the IPsec configuration and successfully set up the GRE over IPsec configuration since there was no IPsec configuration to conflict with the GRE configuration.
Then I moved to the IPsec setup page and found a policy named "x_gre_1," which must be the policy implicitly created by the system.
However, I still couldn't see the Phase-1 parameters created by the GRE configuration. So, I checked it through the CLI command: :
show all ikev1 policy
and the result is as follows.
To keep the Phase-1 parameters the same in both IPsec and GRE over IPsec settings, I assume I need to set up the Phase-1 parameters in the IPsec setup as per the above output.
Here's the problem:
When I try to set up IPsec with the same encryption algorithm as above, I cannot find "aes." Instead, I find "aes128," "aes192," and "aes256."
It seems technically impossible to set both the IPsec and GRE configurations with the same Phase-1 parameters as required by the error message.
I would appreciate any hints or solutions you can provide.
If we set up Phase-1 parameters with any of aes algorithms in IPsec setup, the result of "show all ikev1 policy" command will show the type of algorithm along with number of bits.
So I believe we don't have option to choose "aes", instead of "aes128", "aes192" or "aes256".
