Home

Forums

Stories

Knowledge Base

Business Community > Requests & Suggestions > Setup for GRE over IPSec fails

< Requests & Suggestions

Votes

Setup for GRE over IPSec fails

Votes

Setup for GRE over IPSec fails

Toshi11

2024-06-06 07:06:47 - last edited 2024-06-25 01:28:29

Posts: 5

Helpful: 1

Solutions: 0

Stories: 0

Registered: 2024-06-06

Setup for GRE over IPSec fails

2024-06-06 07:06:47 - last edited 2024-06-25 01:28:29

Hello,

I'm setting up VPN connection between our remote office LANs through GRE over IPsec.

First I tried to set it up following the steps in the user's guide in the link below.

https://static.tp-link.com/upload/manual/2023/202310/20231009/1910013510_ER605(UN)_UG.pdf

It says "To complete the GRE VPN configuration, make sure you have configured the IPsec VPN.", so I configured IPsec first, then tried GRE VPN configuration accordingly.

Once I tried to enable GRE configuration just after I entered the parameters, I got error, "For an IPsec policy with the same IP address at both ends, the parameters in Phase-1 should be kept the same" and it couldn't be enabled.

Most of GRE parameters including pre-shared key is set up in correspondence with the ones in IPsec configuration.
But for Phase-1 parameters, as in the error message, I couldn't see the parameters set up in this GRE configuration since there's no area to show them, so I'm not sure about what is expected to be set up to "keep the same" as IPsec configuration

Does anyone face the same issueand have any solution?

9 Reply

Toshi11

LV1

2024-06-06 07:29:12 - last edited 2024-06-25 01:28:29

Posts: 5

Helpful: 1

Solutions: 0

Stories: 0

Registered: 2024-06-06

Re:Setup for GRE over IPSec fails

2024-06-06 07:29:12 - last edited 2024-06-25 01:28:29

@Toshi11

In order to understand what needs to be set in the Phase-1 parameters to keep both IPsec and GRE settings the same, I tried to find out what is implicitly set in the GRE configuration.

First, I removed the IPsec configuration and successfully set up the GRE over IPsec configuration since there was no IPsec configuration to conflict with the GRE configuration.

Then I moved to the IPsec setup page and found a policy named "x_gre_1," which must be the policy implicitly created by the system.

However, I still couldn't see the Phase-1 parameters created by the GRE configuration. So, I checked it through the CLI command: :

show all ikev1 policy

and the result is as follows.

To keep the Phase-1 parameters the same in both IPsec and GRE over IPsec settings, I assume I need to set up the Phase-1 parameters in the IPsec setup as per the above output.

Here's the problem:

When I try to set up IPsec with the same encryption algorithm as above, I cannot find "aes." Instead, I find "aes128," "aes192," and "aes256."

It seems technically impossible to set both the IPsec and GRE configurations with the same Phase-1 parameters as required by the error message.

I would appreciate any hints or solutions you can provide.

Toshi11

LV1

2024-06-06 07:34:47 - last edited 2024-06-25 01:28:29

Posts: 5

Helpful: 1

Solutions: 0

Stories: 0

Registered: 2024-06-06

Re:Setup for GRE over IPSec fails

2024-06-06 07:34:47 - last edited 2024-06-25 01:28:29

@Toshi11

If we set up Phase-1 parameters with any of aes algorithms in IPsec setup, the result of "show all ikev1 policy" command will show the type of algorithm along with number of bits.

So I believe we don't have option to choose "aes", instead of "aes128", "aes192" or "aes256".

bambinotenchie

LV2

2024-06-24 08:33:52 - last edited 2024-06-25 01:28:29

Posts: 63

Helpful: 18

Solutions: 0

Stories: 0

Registered: 2018-03-30

Re:Setup for GRE over IPSec fails

2024-06-24 08:33:52 - last edited 2024-06-25 01:28:29

@Toshi11

I encountered the same issue as yours. I wanted to create GRE over IPSEC but failed due to the IPSEC policy being 'hard-coded'. Maybe TP-Link can change this behaviour to allow GRE over IPSEC in the future firmware release.

@Clive_A

We would like to propose an enhancement or change in GRE VPN behaviour to use 'encrypted' mode, which would allow us to manually modify the IPSEC policy.

Thanks.

Alex Kota Kinabalu, Sabah Malaysia

Clive_A

2024-06-24 08:59:50 - last edited 2024-06-25 01:28:29

Posts: 5655

Helpful: 2713

Solutions: 1273

Stories: 0

Registered: 2023-06-09

Re:Setup for GRE over IPSec fails

2024-06-24 08:59:50 - last edited 2024-06-25 01:28:29

Hi @bambinotenchie

Thanks for posting in our business forum.

bambinotenchie wrote

@Toshi11

I encountered the same issue as yours. I wanted to create GRE over IPSEC but failed due to the IPSEC policy being 'hard-coded'. Maybe TP-Link can change this behaviour to allow GRE over IPSEC in the future firmware release.

@Clive_A

We would like to propose an enhancement or change in GRE VPN behaviour to use 'encrypted' mode, which would allow us to manually modify the IPSEC policy.

Thanks.

Are you pairing this up with a different vendor's GRE?

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update! ☛Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.

bambinotenchie

LV2

2024-06-24 09:01:20 - last edited 2024-06-25 01:28:29

Posts: 63

Helpful: 18

Solutions: 0

Stories: 0

Registered: 2018-03-30

Re:Setup for GRE over IPSec fails

2024-06-24 09:01:20 - last edited 2024-06-25 01:28:29

Yes. With Fortigate to be exact.

Alex Kota Kinabalu, Sabah Malaysia

Toshi11

LV1

2024-06-24 09:02:33 - last edited 2024-06-25 01:28:29

Posts: 5

Helpful: 1

Solutions: 0

Stories: 0

Registered: 2024-06-06

Re:Setup for GRE over IPSec fails

2024-06-24 09:02:33 - last edited 2024-06-25 01:28:29

@Clive_A
Yes. In our case, it's Cisco.

Clive_A

2024-06-25 01:28:20 - last edited 2024-06-25 01:28:29

Posts: 5655

Helpful: 2713

Solutions: 1273

Stories: 0

Registered: 2023-06-09

Re:Setup for GRE over IPSec fails

2024-06-25 01:28:20 - last edited 2024-06-25 01:28:29

Hi @Toshi11

Thanks for posting in our business forum.
Then this is gonna be a request.

This will be moved to the request page.

Toshi11

LV1

2024-06-25 03:21:56

Posts: 5

Helpful: 1

Solutions: 0

Stories: 0

Registered: 2024-06-06

Re:Setup for GRE over IPSec fails

2024-06-25 03:21:56

@Clive_A

Linking ER605 with Fortigate or Cisco through GRE over IPSec may be new use case, but the error "For an IPsec policy with the same IP address at both ends, the parameters in Phase-1 should be kept the same" when setting up IPSec and GRE with encryption at the sametime does not seem specific to this use case.

This error appears regardless of the type of the router on the opposite side, and it seems there's no option to keep both the Phase-1 setting on IPSec page and the one GRE page synchronized.

I appreciate if you could clarify the background as to why this happens.

bambinotenchie

LV2

2024-06-25 08:00:16

Posts: 63

Helpful: 18

Solutions: 0

Stories: 0

Registered: 2018-03-30

RE:Setup for GRE over IPSec fails

2024-06-25 08:00:16

I recommend this feature should be available. At the moment, configuring GRE with encryption (IPSEC) is limited. The encryption part (IPSEC) is 'hard-coded' to a specific encryption type. In the future firmware release, this 'hard-coded' or fixed encryption type should be changed to configurable.

Alex Kota Kinabalu, Sabah Malaysia

#10

Setup for GRE over IPSec fails

Setup for GRE over IPSec fails

Information

Voters 1

Tags