Setup for GRE over IPSec fails
Hello,
I'm setting up VPN connection between our remote office LANs through GRE over IPsec.
First I tried to set it up following the steps in the user's guide in the link below.
https://static.tp-link.com/upload/manual/2023/202310/20231009/1910013510_ER605(UN)_UG.pdf
It says "To complete the GRE VPN configuration, make sure you have configured the IPsec VPN.", so I configured IPsec first, then tried GRE VPN configuration accordingly.
Once I tried to enable GRE configuration just after I entered the parameters, I got error, "For an IPsec policy with the same IP address at both ends, the parameters in Phase-1 should be kept the same" and it couldn't be enabled.
Most of GRE parameters including pre-shared key is set up in correspondence with the ones in IPsec configuration.
But for Phase-1 parameters, as in the error message, I couldn't see the parameters set up in this GRE configuration since there's no area to show them, so I'm not sure about what is expected to be set up to "keep the same" as IPsec configuration
Does anyone face the same issueand have any solution?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
In order to understand what needs to be set in the Phase-1 parameters to keep both IPsec and GRE settings the same, I tried to find out what is implicitly set in the GRE configuration.
First, I removed the IPsec configuration and successfully set up the GRE over IPsec configuration since there was no IPsec configuration to conflict with the GRE configuration.
Then I moved to the IPsec setup page and found a policy named "x_gre_1," which must be the policy implicitly created by the system.
However, I still couldn't see the Phase-1 parameters created by the GRE configuration. So, I checked it through the CLI command: :
show all ikev1 policy
and the result is as follows.
To keep the Phase-1 parameters the same in both IPsec and GRE over IPsec settings, I assume I need to set up the Phase-1 parameters in the IPsec setup as per the above output.
Here's the problem:
When I try to set up IPsec with the same encryption algorithm as above, I cannot find "aes." Instead, I find "aes128," "aes192," and "aes256."
It seems technically impossible to set both the IPsec and GRE configurations with the same Phase-1 parameters as required by the error message.
I would appreciate any hints or solutions you can provide.
- Copy Link
- Report Inappropriate Content
If we set up Phase-1 parameters with any of aes algorithms in IPsec setup, the result of "show all ikev1 policy" command will show the type of algorithm along with number of bits.
So I believe we don't have option to choose "aes", instead of "aes128", "aes192" or "aes256".
- Copy Link
- Report Inappropriate Content
I encountered the same issue as yours. I wanted to create GRE over IPSEC but failed due to the IPSEC policy being 'hard-coded'. Maybe TP-Link can change this behaviour to allow GRE over IPSEC in the future firmware release.
We would like to propose an enhancement or change in GRE VPN behaviour to use 'encrypted' mode, which would allow us to manually modify the IPSEC policy.
Thanks.
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
bambinotenchie wrote
I encountered the same issue as yours. I wanted to create GRE over IPSEC but failed due to the IPSEC policy being 'hard-coded'. Maybe TP-Link can change this behaviour to allow GRE over IPSEC in the future firmware release.
We would like to propose an enhancement or change in GRE VPN behaviour to use 'encrypted' mode, which would allow us to manually modify the IPSEC policy.
Thanks.
Are you pairing this up with a different vendor's GRE?
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
@Clive_A
Yes. In our case, it's Cisco.
- Copy Link
- Report Inappropriate Content
Hi @Toshi11
Thanks for posting in our business forum.
Then this is gonna be a request.
This will be moved to the request page.
- Copy Link
- Report Inappropriate Content
Linking ER605 with Fortigate or Cisco through GRE over IPSec may be new use case, but the error "For an IPsec policy with the same IP address at both ends, the parameters in Phase-1 should be kept the same" when setting up IPSec and GRE with encryption at the sametime does not seem specific to this use case.
This error appears regardless of the type of the router on the opposite side, and it seems there's no option to keep both the Phase-1 setting on IPSec page and the one GRE page synchronized.
I appreciate if you could clarify the background as to why this happens.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Information
Helpful: 1
Views: 551
Replies: 9