Setup for GRE over IPSec fails

 
2024-06-06 07:06:47 - last edited 2 weeks ago

Hello,

I'm setting up a VPN connection between our remote office LANs through GRE over IPsec.

First I tried to set it up following the steps in the user's guide in the link below.

https://static.tp-link.com/upload/manual/2023/202310/20231009/1910013510_ER605(UN)_UG.pdf

It says "To complete the GRE VPN configuration, make sure you have configured the IPsec VPN.", so I configured IPsec first, then tried the GRE VPN configuration accordingly.

When I tried to enable the GRE configuration just after I entered the parameters, I got the error "For an IPsec policy with the same IP address at both ends, the parameters in Phase-1 should be kept the same" and it couldn't be enabled.

Most of the GRE parameters, including the pre-shared key, are set up in correspondence with the ones in the IPsec configuration.
But for the Phase-1 parameters mentioned in the error message, I couldn't see the parameters set up in this GRE configuration since there's no area to show them, so I'm not sure what is expected to be set up to "keep the same" as the IPsec configuration.

Has anyone faced the same issue and found a solution?

 

#1
Re:Setup for GRE over IPSec fails
2024-06-06 07:29:12 - last edited 2 weeks ago

  @Toshi11 

In order to understand what needs to be set in the Phase-1 parameters to keep both IPsec and GRE settings the same, I tried to find out what is implicitly set in the GRE configuration.

First, I removed the IPsec configuration and successfully set up the GRE over IPsec configuration since there was no IPsec configuration to conflict with the GRE configuration.

Then I moved to the IPsec setup page and found a policy named "x_gre_1," which must be the policy implicitly created by the system.

However, I still couldn't see the Phase-1 parameters created by the GRE configuration. So, I checked it through the CLI command:

show all ikev1 policy

and the result is as follows.

To keep the Phase-1 parameters the same in both IPsec and GRE over IPsec settings, I assume I need to set up the Phase-1 parameters in the IPsec setup as per the above output.

Here's the problem:

When I try to set up IPsec with the same encryption algorithm as above, I cannot find "aes." Instead, I find "aes128," "aes192," and "aes256."

It seems technically impossible to set both the IPsec and GRE configurations with the same Phase-1 parameters as required by the error message.

I would appreciate any hints or solutions you can provide.

 

#2
Re:Setup for GRE over IPSec fails
2024-06-06 07:34:47 - last edited 2 weeks ago

@Toshi11

If we set up the Phase-1 parameters with any of the aes algorithms in the IPsec setup, the result of the "show all ikev1 policy" command will show the type of algorithm along with the number of bits.

So I believe we don't have the option to choose "aes" instead of "aes128", "aes192" or "aes256".

 

#3
Re:Setup for GRE over IPSec fails
2 weeks ago - last edited 2 weeks ago

@Toshi11

I encountered the same issue as yours. I wanted to create GRE over IPSEC but failed due to the IPSEC policy being 'hard-coded'. Maybe TP-Link can change this behaviour to allow GRE over IPSEC in the future firmware release.

@Clive_A

We would like to propose an enhancement or change in GRE VPN behaviour to use 'encrypted' mode, which would allow us to manually modify the IPSEC policy.

Thanks.

Alex Kota Kinabalu, Sabah Malaysia
#4
Re:Setup for GRE over IPSec fails
2 weeks ago - last edited 2 weeks ago

Hi @bambinotenchie 

Thanks for posting in our business forum.

bambinotenchie wrote

@Toshi11

I encountered the same issue as yours. I wanted to create GRE over IPSEC but failed due to the IPSEC policy being 'hard-coded'. Maybe TP-Link can change this behaviour to allow GRE over IPSEC in the future firmware release.

@Clive_A

We would like to propose an enhancement or change in GRE VPN behaviour to use 'encrypted' mode, which would allow us to manually modify the IPSEC policy.

Thanks.

Are you pairing this up with a different vendor's GRE?

Best Regards!
#5
Re:Setup for GRE over IPSec fails
2 weeks ago - last edited 2 weeks ago
Yes. With Fortigate to be exact.
Alex Kota Kinabalu, Sabah Malaysia
#6
Re:Setup for GRE over IPSec fails
2 weeks ago - last edited 2 weeks ago

  @Clive_A 
Yes. In our case, it's Cisco.

#7
Re:Setup for GRE over IPSec fails
2 weeks ago - last edited 2 weeks ago

Hi @Toshi11 

Thanks for posting in our business forum.
Then this is gonna be a request.

This will be moved to the request page.

Best Regards!
#8
Re:Setup for GRE over IPSec fails
2 weeks ago

@Clive_A

Linking ER605 with Fortigate or Cisco through GRE over IPSec may be a new use case, but the error "For an IPsec policy with the same IP address at both ends, the parameters in Phase-1 should be kept the same" when setting up IPSec and GRE with encryption at the same time does not seem specific to this use case.

This error appears regardless of the type of the router on the opposite side, and it seems there's no option to keep both the Phase-1 setting on the IPSec page and the one on the GRE page synchronized.

I would appreciate it if you could clarify the background as to why this happens.

#9
RE:Setup for GRE over IPSec fails
2 weeks ago
I recommend this feature should be available. At the moment, configuring GRE with encryption (IPSEC) is limited. The encryption part (IPSEC) is 'hard-coded' to a specific encryption type. In the future firmware release, this 'hard-coded' or fixed encryption type should be changed to configurable.
Alex Kota Kinabalu, Sabah Malaysia
#10