New Member
Posts: 7
Registered: 06-22-2018
Solutions: 1

GRE Bridge over IPSEC site to site VPN with 2 Edgerouter 5 POEs

Hi

 

I was hoping I could get some help setting up an IPSEC encrypted GRE bridge between two Edgerouter 5 POE units at different locations. I've tried many configurations and examples I've seen online and haven't had much success. I can establish an IPSEC VPN no problem, but I want the devices on both networks to be able to see one another on the same subnet for media sharing, DLNA etc., and I would rather use IPSEC than OpenVPN for speed reasons.

My setup is basically:

 

    Laptop (on ETH1) -- ER5POE(1) [ETH0] -- MODEM (86.*.*.*) -- INTERNET -- MODEM (82.*.*.*) -- [ETH0] ER5POE(2) -- Laptop (on ETH1)

 

 

The cable modems give the ER5POE an external IP. This is just to get it up and running then I plan to add a unifi to each one for wireless devices.

I have tried the example setups from : https://help.ubnt.com/hc/en-us/articles/204961754-EdgeRouter-EoGRE-Layer-2-Tunnel

I've also searched all the Google hits from other people who have run into similar problems and had no luck. Once configured as a GRE bridge, with eth0 and tun0 added to br0, eth1 is basically doing nothing anymore with anything plugged into it. Does anyone who has experience with these setups think they could point me in the right direction? Any advice would be much appreciated; let me know if you need any more information.

 

Thanks

 

Mark



All Replies
New Member
Posts: 7
Registered: 06-22-2018
Solutions: 1

Re: GRE Bridge over IPSEC site to site VPN with 2 Edgerouter 5 POEs

Hi,

Just to add the configuration files, if it's any help. Someone must have set this scenario up before, or something similar. I have tried with a 192.168.1.* address assigned to each bridge (br0), but when I plug a device into eth1 it never gets an IP address through DHCP, and Windows assigns it a 169.*.*.* one so there's no connectivity. I'd be grateful for any suggestions.

 

Mark

Veteran Member
Posts: 7,221
Registered: 03-24-2016
Kudos: 1859
Solutions: 821

Re: GRE Bridge over IPSEC site to site VPN with 2 Edgerouter 5 POEs

First of all, try setting hosts to static IPs, and see if ping across tunnel works.

 

A working DHCP setup requires an IP address on the bridge interface. After setting the IP address, restart the DHCP service. Also try switching between isc dhcpd and the DHCP server inside dnsmasq.

New Member
Posts: 7
Registered: 06-22-2018
Solutions: 1

Re: GRE Bridge over IPSEC site to site VPN with 2 Edgerouter 5 POEs

Hi 16again,

 

Thanks for your help, and apologies, I've been away for work this week so haven't been able to do much until today. Adding 192.168.1.1 to the site 1 br0 and 192.168.1.2 to the site 2 br0 and restarting DHCP at each end worked straight away, and ETH1 now dishes out addresses (don't know why countless reboots never fixed it). I can now ping from each Edgerouter to the other one, and even clients at site 2 get IP addresses from the DHCP server in site 1. However, I still can't actually access anything else. Other than pinging the Edgerouters, I can't access anything on the other side. Is there something else I should be looking at, firewall rules or anything?

 

Thanks

 

Mark

Veteran Member
Posts: 7,221
Registered: 03-24-2016
Kudos: 1859
Solutions: 821

Re: GRE Bridge over IPSEC site to site VPN with 2 Edgerouter 5 POEs

Seems like ARP requests don't make it over the bridge.

 

Using tcpdump on eth, br0, gre-tunnel... you can see how far they get.
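An added example, not part of 16again's reply or anything else in this thread, of doing that "how far do they get" check mechanically: it reads tcpdump ARP lines (as produced by something like `sudo tcpdump -ni br0 arp`, run in turn on eth1, br0 and tun0 at both sites) and lists the target addresses that were asked for but never answered in that capture. The sample capture and its addresses are constructed for the example, not taken from the thread.

```sh
#!/bin/sh
# Added example, not from the thread: pair ARP requests with replies in a
# tcpdump capture so you can see which hosts are asked for on eth1/br0/tun0
# but never answered (the symptom 16again describes). Works on output from
#   sudo tcpdump -ni br0 arp      (repeat on eth1 and tun0, both sites)
# The sample capture below is constructed; the addresses are not from the thread.

SAMPLE_CAPTURE='12:00:01.000001 ARP, Request who-has 192.168.1.2 tell 192.168.1.1, length 28
12:00:01.000450 ARP, Reply 192.168.1.2 is-at 02:00:00:00:00:02, length 28
12:00:02.000001 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
12:00:03.000001 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28'

# arp_unanswered: read tcpdump ARP lines on stdin and print one line per
# target IP that was requested but never answered, as "<ip> requests=<count>".
arp_unanswered() {
    awk '
        # tcpdump prints "ARP, Request who-has <target> tell <sender>, length N"
        /ARP, Request who-has/ {
            for (i = 1; i <= NF; i++)
                if ($i == "who-has") asked[$(i + 1)]++
        }
        # and "ARP, Reply <target> is-at <mac>, length N"
        /ARP, Reply/ {
            for (i = 1; i <= NF; i++)
                if ($i == "Reply") answered[$(i + 1)]++
        }
        END {
            for (ip in asked)
                if (!(ip in answered))
                    printf "%s requests=%d\n", ip, asked[ip]
        }
    ' | sort
}

# Stand-alone run against the constructed capture: 192.168.1.2 was answered,
# 192.168.1.20 was asked for twice and never answered.
printf '%s\n' "$SAMPLE_CAPTURE" | arp_unanswered
```

Read the three captures side by side: a request that shows up on eth1 but not on br0 or tun0 is being dropped by the bridge itself, one that reaches tun0 at site 1 but never appears on tun0 at site 2 is being lost inside the tunnel, and one that arrives on the far tun0 and is still unanswered points at the far host or its firewall.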

New Member
Posts: 7
Registered: 06-22-2018
Solutions: 1

Re: GRE Bridge over IPSEC site to site VPN with 2 Edgerouter 5 POEs

Hi,

 

Looks like there's no GRE traffic at all.

 

I tried sudo tcpdump -i br0 proto GRE


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type EN10MB (Ethernet), capture size 262144 bytes

 

and there was no output when I ping from either end or try anything else like SSH or the management interface.

 

It's hard to troubleshoot this. Ubiquiti's example setup guide seems simple enough, and I've basically copied it with just my IP addresses changed, but it just doesn't seem to work in the real world. There aren't many other threads about GRE bridges on here either, other than a few who also gave up. I would like to persevere though, so if you or anyone else has any other ideas, or someone who has actually managed to set this up has any tips, I'd appreciate it.

 

Thanks

 

Mark

 

 

Veteran Member
Posts: 7,221
Registered: 03-24-2016
Kudos: 1859
Solutions: 821

Re: GRE Bridge over IPSEC site to site VPN with 2 Edgerouter 5 POEs

On br0, eth1 and tun0, only LAN traffic should be present.

 

The GRE traffic lives on the WAN interface, but is IPSEC encrypted.

 

Your WAN interface sees incoming IPSEC traffic twice:

- IPSEC encrypted (ESP or udp4500)

- Decrypted. That's where you can see GRE packets (but only incoming)

So tcpdump on WAN should show some GRE.

 

Outgoing traffic is only seen once, encrypted.  (For die-hards, you could save tcpdump output to file, and use phase 2 decryption key to decode ipsec traffic in wireshark. Use "show vpn ipsec state" to see those keys)

 

 

New Member
Posts: 7
Registered: 06-22-2018
Solutions: 1

Re: GRE Bridge over IPSEC site to site VPN with 2 Edgerouter 5 POEs

Hi,

 

OK, when I run on site 2: sudo tcpdump -i eth0 proto gre

and at the same time on site 1 I tried: ping 192.168.1.2 followed by ssh 192.168.1.2

I do get GRE traffic across, but it seems that other than ping replies, which do work, nothing else seems to happen. Some traffic seems to get across, but the SSH session never connects and says no route to host. HTTP requests generate more of the ARP requests of who has 192.168.1.2.

I've attached the outputs below.

 

Thanks

 

Mark

Veteran Member
Posts: 7,221
Registered: 03-24-2016
Kudos: 1859
Solutions: 821

Re: GRE Bridge over IPSEC site to site VPN with 2 Edgerouter 5 POEs

Focus your tcpdump on lan port, br0 and tun0

New Member
Posts: 7
Registered: 06-22-2018
Solutions: 1

Re: GRE Bridge over IPSEC site to site VPN with 2 Edgerouter 5 POEs

Hi,

 

I don't see any GRE traffic on either side's br0 or tun0, only on eth0 on both sides. When left idle they seem to be responding to one another, as can be seen in the attachment. What I have noticed is that I can access the other router using the lo loopback address (10.255.12.x), so I can get to the other side, albeit not through the GRE tunnel.

New Member
Posts: 7
Registered: 06-22-2018
Solutions: 1

Re: GRE Bridge over IPSEC site to site VPN with 2 Edgerouter 5 POEs

All sorted finally! Although I had read practically all of the other threads on GRE bridges with Edgerouters, and a lot of them suffered from the same issue, it turned out that the MTU was too high so packets were being dropped. So using the MSS clamping wizard sorted it out straight away. Thanks to you 16again for helping me get the DHCP working and the bridge up. It's now doing exactly what I need.

 

Mark
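To make the "MTU too high" explanation concrete, here is an added example that is not from the thread, the Ubiquiti article or EdgeOS itself. It adds up the headers a bridged TCP segment carries once it is wrapped in GRE and then in ESP tunnel mode, and returns the largest TCP payload (the MSS to clamp) that still fits a 1500-byte WAN MTU. It goes beyond the single case in the thread by taking the cipher parameters as arguments and optionally accounting for UDP-encapsulated ESP (the udp4500 case 16again mentions); those cipher choices, and the `interface-type all` line in the EdgeOS commands, are assumptions, since the thread does not say which IPsec proposal or wizard options were used.

```sh
#!/bin/sh
# Added example, not from the thread: work out the largest TCP segment that
# survives EoGRE inside ESP tunnel mode without exceeding the WAN MTU, i.e. the
# value an MSS clamp should use. Header sizes are IPv4/GRE/ESP constants; the
# cipher parameters passed to each call are assumptions about the IPsec
# proposal, which the thread does not state.

# gre_esp_mss WAN_MTU IV_LEN BLOCK_SIZE ICV_LEN [NAT_T]
#   IV_LEN/BLOCK_SIZE/ICV_LEN depend on the ESP transform, e.g.
#   AES-CBC: IV 16, block 16; HMAC-SHA1-96: ICV 12; AES-GCM-128: IV 8, block 4, ICV 16
#   NAT_T=1 adds the 8-byte UDP header of UDP-encapsulated ESP (port 4500).
gre_esp_mss() {
    wan_mtu=$1; iv_len=$2; block=$3; icv_len=$4; natt=${5:-0}
    # Outside the encrypted part: outer IPv4 (20) + SPI (4) + sequence (4) + IV + ICV
    fixed=$((20 + 4 + 4 + iv_len + icv_len + natt * 8))
    # The encrypted part must be a whole number of cipher blocks
    enc_max=$((wan_mtu - fixed))
    enc_max=$((enc_max - enc_max % block))
    # Two trailer bytes (pad length, next header) live inside the encrypted part
    plain_max=$((enc_max - 2))
    # The plaintext is the whole GRE packet: delivery IPv4 (20) + GRE (4, no key
    # or checksum assumed) + bridged Ethernet header (14) + inner IPv4 (20) + TCP (20)
    headers=$((20 + 4 + 14 + 20 + 20))
    echo $((plain_max - headers))
}

# Interface MTU that achieves the same thing for every protocol, not only TCP:
# the inner IPv4 packet = TCP payload + IPv4 (20) + TCP (20).
gre_esp_inner_mtu() {
    echo $(( $(gre_esp_mss "$@") + 40 ))
}

# EdgeOS CLI lines equivalent to what the MSS clamping wizard configures.
# Assumption: interface-type "all"; the wizard's exact choice is not in the thread.
edgeos_mss_clamp() {
    printf 'set firewall options mss-clamp interface-type all\n'
    printf 'set firewall options mss-clamp mss %d\n' "$1"
}

# Stand-alone run: AES-128-CBC + HMAC-SHA1-96 on a 1500-byte WAN, no NAT-T.
# A LAN host's default MSS of 1460 is 100 bytes over this budget, which is
# why full-size segments (SSH key exchange, HTTP) failed while pings got through.
mss=$(gre_esp_mss 1500 16 16 12)
echo "MSS to clamp: $mss (or set inner MTU $(gre_esp_inner_mtu 1500 16 16 12))"
edgeos_mss_clamp "$mss"
```

MSS clamping only rescues TCP; anything that sends large UDP datagrams across the bridge still needs the smaller interface MTU that `gre_esp_inner_mtu` prints, set on the bridge or on the hosts. If the bridged frames carry a VLAN tag, add 4 bytes to the `headers` total.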
