This article describes how to configure site-to-site IPsec over GRE with third-party vendors.
In this example, we will establish a GRE tunnel between a Versa FlexVNF with WAN IP address 120.0.0.1 and a peer with WAN IP address 125.0.0.1 for underlay communication. Then we will establish a route-based VPN between the Versa FlexVNF tvi (GRE endpoint) interface and the peer GRE interface (192.168.0.1 to 192.168.0.2).
In Versa, either the IPsec interface (tvi-0/1001) or the GRE endpoint (tvi-0/501) can be used as the local interface of the VPN profile. In this example we used the GRE endpoint IP, which is tvi-0/501.
Please note: This article describes only the configuration on the Versa FlexVNF using the Versa Director GUI.
The following diagram illustrates a simple setup of SD-WAN connectivity to non-SDWAN networks using IPSEC over GRE tunnel.
Versa WAN IP -- 120.0.0.1
Versa GRE endpoint IP -- 192.168.0.1
Versa IPSEC tunnel IP -- 172.16.0.1
Peer WAN IP -- 125.0.0.1
Peer GRE endpoint IP -- 192.168.0.2
Peer IPSEC loopback IP -- 172.16.0.2
Prerequisites
- Versa headend is deployed and configured.
- Underlay reachability from the SD-WAN device to the non-SD-WAN device.
Log in to Versa Director and navigate to the branch where you want to terminate the site-to-site IPsec tunnel.
GRE Configuration
- Go to Networking > Interfaces, select Tunnel in the right pane, and add a new TVI interface by clicking + in the right pane.
- Select Tunnel Type as "GRE Point to Point".
- Then configure the source (120.0.0.1) and destination (125.0.0.1) addresses of the GRE tunnel.
- Select the Routing Instance from which the Peer IP is reachable.
- Add a Sub-Interface and assign the tunnel interface IP address, which can be used to run a routing protocol via the GRE tunnel.
Interface configuration
- Create a TVI interface for the IPsec tunnel.
Note: Reduce the MTU to 1300 on the IPsec tvi interface.
- Add the tvi interfaces to the corresponding tenant under Others > Organization > Limits.
- These interfaces also need to be added to the LAN zone and the LAN routing instance.
IPsec Configuration
1. Navigate to Services > IPsec > VPN Profiles, then add the Site-to-Site VPN profile by clicking + in the right pane.
- Create the VPN profile > Add the Peer IP by clicking +.
- Select the Routing Instance and Local Interface from which the Peer IP is reachable.
- Select the Tunnel Routing Instance and Interface that will be used for tunnel establishment.
- Select the Route Based option, as we are establishing a route-based VPN.
- Navigate to the IKE tab and configure Local Auth and Peer Auth with the following parameters:
- Authentication Type: psk (as we are configuring it based on a pre-shared key)
- Shared Key: the key to be configured for Local and Peer Auth
- Identity Type: we have used IP address as the Identity Type
- Identity: provide the Local and Peer IP address (as we have selected IP address as the Identity Type)
- Navigate to the IPsec tab and configure parameters such as Transform, IPsec Rekey Time, Hello Interval, etc. as required.
Validation
You can view the configuration using the CLI:
admin@B4-H1-cli> show configuration | display set | match To-FG
set orgs org-services sub-org ipsec vpn-profile To-FG vpn-type site-to-site
set orgs org-services sub-org ipsec vpn-profile To-FG local-auth-info
set orgs org-services sub-org ipsec vpn-profile To-FG local-auth-info auth-type psk
set orgs org-services sub-org ipsec vpn-profile To-FG local-auth-info id-type ip
set orgs org-services sub-org ipsec vpn-profile To-FG local-auth-info key versa123
set orgs org-services sub-org ipsec vpn-profile To-FG local-auth-info id-string 192.168.0.1
set orgs org-services sub-org ipsec vpn-profile To-FG local
set orgs org-services sub-org ipsec vpn-profile To-FG local interface-name tvi-0/501.0
set orgs org-services sub-org ipsec vpn-profile To-FG routing-instance sub-org-LAN-VR
set orgs org-services sub-org ipsec vpn-profile To-FG tunnel-routing-instance sub-org-LAN-VR
set orgs org-services sub-org ipsec vpn-profile To-FG tunnel-initiate automatic
set orgs org-services sub-org ipsec vpn-profile To-FG ipsec fragmentation pre-fragmentation
set orgs org-services sub-org ipsec vpn-profile To-FG ipsec force-nat-t disable
set orgs org-services sub-org ipsec vpn-profile To-FG ipsec transform esp-aes128-sha1
set orgs org-services sub-org ipsec vpn-profile To-FG ipsec mode tunnel
set orgs org-services sub-org ipsec vpn-profile To-FG ipsec pfs-group mod5
set orgs org-services sub-org ipsec vpn-profile To-FG ipsec anti-replay enable
set orgs org-services sub-org ipsec vpn-profile To-FG ipsec life duration 28800
set orgs org-services sub-org ipsec vpn-profile To-FG ipsec hello-interval send-interval 10
set orgs org-services sub-org ipsec vpn-profile To-FG ike version v1
set orgs org-services sub-org ipsec vpn-profile To-FG ike mode main
set orgs org-services sub-org ipsec vpn-profile To-FG ike group mod2
set orgs org-services sub-org ipsec vpn-profile To-FG ike transform aes128-sha1
set orgs org-services sub-org ipsec vpn-profile To-FG ike lifetime 28800
set orgs org-services sub-org ipsec vpn-profile To-FG ike dpd-timeout 30
set orgs org-services sub-org ipsec vpn-profile To-FG peer-auth-info
set orgs org-services sub-org ipsec vpn-profile To-FG peer-auth-info auth-type psk
set orgs org-services sub-org ipsec vpn-profile To-FG peer-auth-info id-type ip
set orgs org-services sub-org ipsec vpn-profile To-FG peer-auth-info key versa123
set orgs org-services sub-org ipsec vpn-profile To-FG peer-auth-info id-string 192.168.0.2
set orgs org-services sub-org ipsec vpn-profile To-FG peer
set orgs org-services sub-org ipsec vpn-profile To-FG peer address [ 192.168.0.2 ]
set orgs org-services sub-org ipsec vpn-profile To-FG tunnel-interface tvi-0/1001.0
set orgs org-services sub-org ipsec vpn-profile To-FG hardware-accelerator any
GRE tunnel Config:
===============
admin@B4-H1-cli> show configuration | display set | match tvi-0/501
set interfaces tvi-0/501 description "GRE to FG"
set interfaces tvi-0/501 enable true
set interfaces tvi-0/501 mode ipsec
set interfaces tvi-0/501 type gre
set interfaces tvi-0/501 mtu 1400
set interfaces tvi-0/501 tunnel source 120.0.0.1
set interfaces tvi-0/501 tunnel destination 125.0.0.1
set interfaces tvi-0/501 tunnel routing-instance MPLS-Transport-VR
set interfaces tvi-0/501 unit 0 enable true
set interfaces tvi-0/501 unit 0 family
set interfaces tvi-0/501 unit 0 family inet
set interfaces tvi-0/501 unit 0 family inet address 192.168.0.1/30
set orgs org sub-org traffic-identification using [ ptvi2 ptvi3 tvi-0/100.0 tvi-0/1000.0 tvi-0/1001.0 tvi-0/1002.0 tvi-0/101.0 tvi-0/2.0 tvi-0/3.0 tvi-0/500.0 tvi-0/501.0 tvi-0/603.0 tvi-0/607.0 tvi-0/609.0 ]
set orgs org-services sub-org ipsec vpn-profile To-FG local interface-name tvi-0/501.0
set orgs org-services sub-org objects zones Intf-LAN1-Zone interface-list [ tvi-0/100.0 tvi-0/1000.0 tvi-0/1001.0 tvi-0/101.0 tvi-0/500.0 tvi-0/501.0 ]
set routing-instances sub-org-LAN-VR interfaces [ tvi-0/1000.0 tvi-0/1001.0 tvi-0/1002.0 tvi-0/501.0 tvi-0/603.0 tvi-0/607.0 tvi-0/609.0 ]
IPsec Tunnel Config:
================
admin@B4-H1-cli> show configuration | display set | match tvi-0/1001
set interfaces tvi-0/1001 description "Ipsec to FG"
set interfaces tvi-0/1001 enable true
set interfaces tvi-0/1001 mode ipsec
set interfaces tvi-0/1001 type ipsec
set interfaces tvi-0/1001 mtu 1300
set interfaces tvi-0/1001 unit 0 enable true
set interfaces tvi-0/1001 unit 0 family
set interfaces tvi-0/1001 unit 0 family inet
set interfaces tvi-0/1001 unit 0 family inet address 172.16.0.1/24
set orgs org sub-org traffic-identification using [ ptvi2 ptvi3 tvi-0/100.0 tvi-0/1000.0 tvi-0/1001.0 tvi-0/1002.0 tvi-0/101.0 tvi-0/2.0 tvi-0/3.0 tvi-0/500.0 tvi-0/501.0 tvi-0/603.0 tvi-0/607.0 tvi-0/609.0 ]
set orgs org-services sub-org ipsec vpn-profile To-FG tunnel-interface tvi-0/1001.0
set orgs org-services sub-org objects zones Intf-LAN1-Zone interface-list [ tvi-0/100.0 tvi-0/1000.0 tvi-0/1001.0 tvi-0/101.0 tvi-0/500.0 tvi-0/501.0 ]
set routing-instances sub-org-LAN-VR interfaces [ tvi-0/1000.0 tvi-0/1001.0 tvi-0/1002.0 tvi-0/501.0 tvi-0/603.0 tvi-0/607.0 tvi-0/609.0 ]
set routing-instances sub-org-LAN-VR routing-options static route 3.3.3.3/32 172.16.0.2 tvi-0/1001.0 preference 1
Note: You should add this static route to send traffic via the IPsec tunnel (remote network address, with the peer's IPsec tunnel IP as next hop and the IPsec tunnel interface as the outgoing interface).
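The three display-set blocks above (VPN profile, GRE tvi and IPsec tvi) have to agree with each other: the local IKE identity must be the GRE endpoint address, the peer identity must match the peer address, the IPsec tvi must carry the reduced MTU, and both tvi units must sit in the tunnel routing instance and in a zone. The following Python script is an added example, not Versa's own tooling or CLI: it parses `set` lines into a path-to-value map and checks exactly those relationships, then flags the legacy crypto choices visible in the profile (IKEv1, mod2/mod5 groups, SHA-1). The sample lines are constructed from the values shown in this article; the function names are this example's own.

```python
"""Consistency audit of a Versa 'show configuration | display set' dump for an
IPsec-over-GRE site-to-site VPN profile. Added example, not Versa tooling;
function names are this example's own. SAMPLE_CONFIG is constructed from the
values in the article (profile To-FG, GRE tvi-0/501, IPsec tvi-0/1001)."""

SAMPLE_CONFIG = """\
set orgs org-services sub-org ipsec vpn-profile To-FG local-auth-info id-string 192.168.0.1
set orgs org-services sub-org ipsec vpn-profile To-FG local interface-name tvi-0/501.0
set orgs org-services sub-org ipsec vpn-profile To-FG tunnel-routing-instance sub-org-LAN-VR
set orgs org-services sub-org ipsec vpn-profile To-FG ipsec transform esp-aes128-sha1
set orgs org-services sub-org ipsec vpn-profile To-FG ipsec pfs-group mod5
set orgs org-services sub-org ipsec vpn-profile To-FG ike version v1
set orgs org-services sub-org ipsec vpn-profile To-FG ike group mod2
set orgs org-services sub-org ipsec vpn-profile To-FG ike transform aes128-sha1
set orgs org-services sub-org ipsec vpn-profile To-FG peer-auth-info id-string 192.168.0.2
set orgs org-services sub-org ipsec vpn-profile To-FG peer address [ 192.168.0.2 ]
set orgs org-services sub-org ipsec vpn-profile To-FG tunnel-interface tvi-0/1001.0
set interfaces tvi-0/501 type gre
set interfaces tvi-0/501 mtu 1400
set interfaces tvi-0/501 unit 0 family inet address 192.168.0.1/30
set interfaces tvi-0/1001 type ipsec
set interfaces tvi-0/1001 mtu 1300
set interfaces tvi-0/1001 unit 0 family inet address 172.16.0.1/24
set orgs org-services sub-org objects zones Intf-LAN1-Zone interface-list [ tvi-0/1001.0 tvi-0/501.0 ]
set routing-instances sub-org-LAN-VR interfaces [ tvi-0/1001.0 tvi-0/501.0 ]
"""


def parse_set_lines(text):
    """Map each 'set <path> <value>' line to {path: value}.
    A bracketed list '[ a b ]' becomes a Python list; the path is every
    token before the value. Bare container lines (no value) are skipped."""
    cfg = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        body = tokens[1:]
        if "[" in body:
            i = body.index("[")
            cfg[" ".join(body[:i])] = [t for t in body[i + 1:] if t != "]"]
        else:
            cfg[" ".join(body[:-1])] = body[-1]
    return cfg


def audit_profile(cfg, profile, org="orgs org-services sub-org"):
    """Return (errors, warnings). Errors are inconsistencies that break the
    setup described in the article; warnings are crypto-hygiene notes."""
    p = f"{org} ipsec vpn-profile {profile}"
    errors, warnings = [], []
    gre_unit = cfg.get(f"{p} local interface-name")   # e.g. tvi-0/501.0
    ipsec_unit = cfg.get(f"{p} tunnel-interface")     # e.g. tvi-0/1001.0
    if not gre_unit or not ipsec_unit:
        return ["profile lacks local interface-name or tunnel-interface"], warnings
    gre_if, ipsec_if = gre_unit.rsplit(".", 1)[0], ipsec_unit.rsplit(".", 1)[0]

    # IKE identity (id-type ip) must be the GRE endpoint address.
    gre_addr = cfg.get(f"interfaces {gre_if} unit 0 family inet address", "").split("/")[0]
    if cfg.get(f"{p} local-auth-info id-string") != gre_addr:
        errors.append("local id-string does not match the GRE endpoint address")
    # Peer identity must be one of the configured peer addresses.
    if cfg.get(f"{p} peer-auth-info id-string") not in cfg.get(f"{p} peer address", []):
        errors.append("peer id-string is not in the peer address list")
    # Interface types, and the reduced IPsec MTU the article calls for.
    if cfg.get(f"interfaces {gre_if} type") != "gre":
        errors.append(f"{gre_if} is not a GRE interface")
    if cfg.get(f"interfaces {ipsec_if} type") != "ipsec":
        errors.append(f"{ipsec_if} is not an IPsec interface")
    mtu = cfg.get(f"interfaces {ipsec_if} mtu")
    if mtu is None or int(mtu) > 1300:
        errors.append(f"{ipsec_if} MTU missing or above 1300")
    # Both tvi units must be in the tunnel routing instance and in a zone.
    vr = cfg.get(f"{p} tunnel-routing-instance")
    vr_ifs = cfg.get(f"routing-instances {vr} interfaces", [])
    zone_ifs = [i for k, v in cfg.items() if k.endswith("interface-list") for i in v]
    for unit in (gre_unit, ipsec_unit):
        if unit not in vr_ifs:
            errors.append(f"{unit} missing from routing instance {vr}")
        if unit not in zone_ifs:
            errors.append(f"{unit} missing from every zone interface-list")
    # Crypto hygiene: these settings work, but are legacy choices.
    if cfg.get(f"{p} ike version") == "v1":
        warnings.append("IKEv1 in use")
    for key in ("ike group", "ipsec pfs-group"):
        if cfg.get(f"{p} {key}") in ("mod2", "mod5"):
            warnings.append(f"{key} {cfg[p + ' ' + key]} is below 2048 bits")
    for key in ("ike transform", "ipsec transform"):
        if "sha1" in cfg.get(f"{p} {key}", ""):
            warnings.append(f"{key} uses SHA-1 integrity")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = audit_profile(parse_set_lines(SAMPLE_CONFIG), "To-FG")
    print("errors:", errs)      # expected: []
    print("warnings:", warns)   # expected: five legacy-crypto notes
```

Feed it the real output of `show configuration | display set` (the article's three blocks concatenated) instead of SAMPLE_CONFIG; the parser ignores container lines such as `... local-auth-info` that carry no value. The error list is what to look at when IKE negotiates but the tunnel interface never comes up; the warning list is a reminder that the profile as shown runs IKEv1 with 1024/1536-bit groups and SHA-1, which is fine for interop testing but worth raising with the peer's administrator before production use.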
Verification on Versa FlexVNF CPE
admin@B4-H1-cli> show gre tunnel-stats
                 SOURCE     DEST       RX       RX   RX      RX      RX   TX       TX   TX      TX      TX
INTF NAME        ENDPT      ENDPT      PACKETS  PPS  BYTES   ERRORS  BPS  PACKETS  PPS  BYTES   ERRORS  BPS
----------------------------------------------------------------------------------------------------------
tvi-0/501.0      120.0.0.1  125.0.0.1  985      0    184000  0       0    1640     0    342383  0       0
You can see the RX and TX packet counts on the GRE tunnel.
Traffic flow between the FlexVNF loopback and the Fortinet loopback:
===============================================
admin@B4-H1-cli> ping 3.3.3.3 routing-instance sub-org-LAN-VR source 2.2.2.2
PING 3.3.3.3 (3.3.3.3) from 2.2.2.2 : 56(84) bytes of data.
64 bytes from 3.3.3.3: icmp_seq=1 ttl=255 time=2.78 ms
64 bytes from 3.3.3.3: icmp_seq=2 ttl=255 time=2.57 ms
64 bytes from 3.3.3.3: icmp_seq=3 ttl=255 time=2.25 ms
64 bytes from 3.3.3.3: icmp_seq=4 ttl=255 time=25.1 ms
64 bytes from 3.3.3.3: icmp_seq=5 ttl=255 time=22.0 ms
admin@B4-H1-cli> tcpdump vni-0/0 filter "'proto 47 -vv'"
Starting capture on vni-0/0
tcpdump: listening on vs_trc_vni_0_0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:39:15.445627 52:54:00:1c:d3:3f > 52:54:00:a1:08:4b, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 255, id 50241, offset 0, flags [none], proto GRE (47), length 176, bad cksum 0 (->1db)!)
120.0.0.1 > 125.0.0.1: GREv0, Flags [none], proto IPv4 (0x0800), length 156 ========> GRE tunnel
(tos 0x0, ttl 239, id 2048, offset 0, flags [none], proto ESP (50), length 152)
192.168.0.1 > 192.168.0.2: ESP(spi=0x991aec7a,seq=0x7), length 132 =======> Ipsec ESP packets
17:39:15.445637 52:54:00:a1:08:4b > 52:54:00:1c:d3:3f, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 63, id 54589, offset 0, flags [none], proto GRE (47), length 176)
125.0.0.1 > 120.0.0.1: GREv0, Flags [none], proto IPv4 (0x0800), length 156
(tos 0x0, ttl 63, id 20885, offset 0, flags [none], proto ESP (50), length 152)
192.168.0.2 > 192.168.0.1: ESP(spi=0x02001a91,seq=0x7), length 132
17:39:16.422960 52:54:00:1c:d3:3f > 52:54:00:a1:08:4b, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 255, id 1852, offset 0, flags [none], proto GRE (47), length 176, bad cksum 0 (->bee0)!)
120.0.0.1 > 125.0.0.1: GREv0, Flags [none], proto IPv4 (0x0800), length 156
(tos 0x0, ttl 239, id 2304, offset 0, flags [none], proto ESP (50), length 152)
192.168.0.1 > 192.168.0.2: ESP(spi=0x991aec7a,seq=0x8), length 132
17:39:16.422969 52:54:00:a1:08:4b > 52:54:00:1c:d3:3f, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 63, id 54590, offset 0, flags [none], proto GRE (47), length 176)
125.0.0.1 > 120.0.0.1: GREv0, Flags [none], proto IPv4 (0x0800), length 156
(tos 0x0, ttl 63, id 20887, offset 0, flags [none], proto ESP (50), length 152)
192.168.0.2 > 192.168.0.1: ESP(spi=0x02001a91,seq=0x8), length 132
17:39:17.417655 52:54:00:1c:d3:3f > 52:54:00:a1:08:4b, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 255, id 24783, offset 0, flags [none], proto GRE (47), length 176, bad cksum 0 (->654d)!)
120.0.0.1 > 125.0.0.1: GREv0, Flags [none], proto IPv4 (0x0800), length 156
(tos 0x0, ttl 239, id 2560, offset 0, flags [none], proto ESP (50), length 152)
192.168.0.1 > 192.168.0.2: ESP(spi=0x991aec7a,seq=0x9), length 132
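The capture shows the nesting the article builds: an outer IPv4/GRE packet (proto 47) of 176 bytes carries a 156-byte GRE payload, which is an inner IPv4/ESP packet (proto 50) of 152 bytes with a 132-byte ESP datagram, all for an 84-byte ICMP echo. The following Python is an added example, not from the article or Versa, that reproduces those lengths from first principles for the `esp-aes128-sha1` transform (AES-128-CBC with a 16-byte IV, HMAC-SHA1-96 with a 12-byte ICV, assumed here from the transform name) and uses the same arithmetic to show how much headroom the 1300-byte IPsec tvi MTU leaves on a 1500-byte WAN link. Header sizes are the standard IPv4/GRE/ESP values; the function names are this example's own.

```python
"""Encapsulation overhead for ESP (tunnel mode) carried inside GRE, as in the
capture above. Added example, not Versa code. Assumes esp-aes128-sha1:
AES-128-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV), IPv4
headers without options, GREv0 with no optional fields (as the capture shows)."""

IP_HDR = 20
GRE_HDR = 4          # GREv0, Flags [none]: no checksum, key or sequence fields
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
AES_BLOCK = 16       # CBC block size; also the IV size for AES-CBC
SHA1_96_ICV = 12


def esp_tunnel_len(inner_ip_len, block=AES_BLOCK, iv=AES_BLOCK, icv=SHA1_96_ICV):
    """Length of the ESP datagram wrapping one inner IP packet in tunnel mode.
    The encrypted region (payload + trailer) is padded to a whole block."""
    plaintext = inner_ip_len + ESP_TRAILER
    pad = (-plaintext) % block
    return ESP_HDR + iv + plaintext + pad + icv


def gre_over_ipsec_lengths(inner_ip_len):
    """Lengths tcpdump reports at each layer for one inner packet:
    (outer IP total, GRE payload, GRE-carried IP total, ESP length)."""
    esp = esp_tunnel_len(inner_ip_len)
    ip_esp = IP_HDR + esp      # 192.168.0.1 > 192.168.0.2, proto ESP (50)
    gre = GRE_HDR + ip_esp     # GREv0 ... length field in the capture
    outer = IP_HDR + gre       # 120.0.0.1 > 125.0.0.1, proto GRE (47)
    return outer, gre, ip_esp, esp


def max_inner_for_mtu(wan_mtu):
    """Largest inner IPv4 packet whose GRE+ESP encapsulation fits wan_mtu
    without fragmenting the outer packet. Padding makes the overhead vary
    with the payload size, so this walks down rather than subtracting a constant."""
    n = wan_mtu
    while gre_over_ipsec_lengths(n)[0] > wan_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    # An 84-byte ICMP echo (56 data + 8 ICMP + 20 IP), as in the ping above.
    print(gre_over_ipsec_lengths(84))      # (176, 156, 152, 132)
    print(max_inner_for_mtu(1500))         # 1406
    print(gre_over_ipsec_lengths(1300)[0]) # 1392: a full-size packet on the 1300 MTU tvi
```

With this transform the fixed overhead is 82 bytes plus 0 to 15 bytes of CBC padding, so a 1500-byte underlay can carry at most a 1406-byte inner packet. The article's choice of 1300 on the IPsec tvi keeps the outer packet at 1392 bytes, leaving room for the GRE tvi's own 1400-byte MTU and for any extra underlay encapsulation on the WAN, which is why the `ipsec fragmentation pre-fragmentation` setting in the profile should rarely have to act.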
Additional commands to verify:
admin@B4-H1-cli> show orgs org-services versa ipsec vpn-profile IPsec-LAN-to-LAN ike history
admin@B4-H1-cli> show orgs org-services versa ipsec vpn-profile IPsec-LAN-to-LAN ipsec history
admin@B4-H1-cli> show orgs org-services versa ipsec vpn-profile IPsec-LAN-to-LAN security-associations detail