NCOS: Setup a GRE Tunnel between two capable Cradlepoint routers

Products Supported: AER31x0, AER21x0, MBR1400, IBR11x0, IBR6x0, IBR350. Click here to identify your router.

NCOS Version: 6.0 and later - for information on upgrading NCOS, click here.


Quick Links

Summary

Router One Configuration

Router Two Configuration

Use Cases

Troubleshooting

Related Articles


Summary

This document provides directions for setting up a basic GRE-terminated tunnel between capable Cradlepoint Series 3 routers where both connections have static IP addresses.

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol internetwork.


Configuration

Configuration Difficulty: Expert

Router ONE Configuration

  • Step 1: Log into the NCOS Setup Page. For help with logging in please click here.
  • Step 2: Click on the NETWORKING tab, select the Tunnels menu, and then select GRE.
  • Step 3: Click Add to create a new tunnel.

  • Step 4: Configure the general tunnel settings and click Next.
    • Give the tunnel a unique name that does not contain spaces.
    • Enter a Local Endpoint and Remote Endpoint with a Subnet Mask.
    • Enter the WAN IP address of Router TWO as the Remote Gateway.
    • Ensure Tunnel Enabled is checked.
    • (Optional) Refer to Manual: Internet → GRE Tunnels for a summary of other available options to determine whether they might need to be used in your setup. In this setup Multicast has been enabled.

  • Step 5: Click Add Route to add the LAN address of Router TWO. Click Save and then Next.

  • Step 6: Place a check next to Enabled within the Keep Alive configuration to allow the router to actively monitor the status of this GRE tunnel.

  • Step 7: Click Finish to save the tunnel settings, then click OK to accept the notification dialog.

  • Step 8: Click the SECURITY tab, select Zone Firewall, and choose Zone Definition. Click Add under Zones.

  • Step 9: Name the zone in the Name field.

  • Step 10: Click Add and set the interface fields to "GRE", "Name", "is", and in the final field select the name of the GRE tunnel configured previously.

  • Step 11: Click Update at the top of the list and then Save at the bottom of the window.

  • Step 12: From the left-hand menu go to Zone Firewall > Zone Forwarding and click Add.

  • Step 13: For the Source Zone select "Primary LAN Zone", for Destination Zone select the previously configured GRE zone, and for the Filter Policy select "Default Allow All".

  • Step 14: Don't forget to place a check in the enabled box.

  • Step 15: Select Update underneath the configured forwarding and Add again.

  • Step 16: For the Source Zone select the previously configured GRE zone, for Destination Zone select "Primary LAN Zone", and for the Filter Policy select "Default Allow All".

  • Step 17: Select Update underneath the configured forwarding.

  • Step 18: Repeat steps 13 - 16 for each additional zone that needs to go through the GRE tunnel.

Router TWO Configuration

  • Step 1: Log into the NCOS Setup Page. For help with logging in please click here.
  • Step 2: Click on the NETWORKING tab, select the Tunnels menu, and then select GRE.
  • Step 3: Click Add to create a new tunnel.

  • Step 4: Configure the general tunnel settings and click Next.
    • Give the tunnel a unique name that does not contain spaces.
    • Enter a Local Endpoint and Remote Endpoint with a Subnet Mask.
    • Enter the WAN IP address of Router ONE as the Remote Gateway.
    • Ensure Tunnel Enabled is checked.
    • (Optional) Refer to Manual: Internet → GRE Tunnels for a summary of other available options to determine whether they might need to be used in your setup. In this setup Multicast has been enabled.

  • Step 5: Click Add Route to add the LAN address of Router ONE. Click Save and then Next.

  • Step 6: Place a check next to Enabled within the Keep Alive configuration to allow the router to actively monitor the status of this GRE tunnel.

  • Step 7: Click Finish to save the tunnel settings, then click OK to accept the notification dialog.

  • Step 8: Click the SECURITY tab, select Zone Firewall, and choose Zone Definition. Click Add under Zones.
  • Step 9: Name the zone in the Name field.

  • Step 10: Click Add and set the interface fields to "GRE", "Name", "is", and in the final field select the name of the GRE tunnel configured previously.

  • Step 11: Click Update at the top of the list and then Save at the bottom of the window.

  • Step 12: From the left-hand menu go to Zone Firewall > Zone Forwarding and click Add.

  • Step 13: For the Source Zone select "Primary LAN Zone", for Destination Zone select the previously configured GRE zone, and for the Filter Policy select "Default Allow All".

  • Step 14: Don't forget to place a check in the enabled box.

  • Step 15: Select Update underneath the configured forwarding and Add again.

  • Step 16: For the Source Zone select the previously configured GRE zone, for Destination Zone select "Primary LAN Zone", and for the Filter Policy select "Default Allow All".

  • Step 17: Select Update underneath the configured forwarding.

  • Step 18: Repeat steps 13 - 16 for each additional zone that needs to go through the GRE tunnel.
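
The two procedures above must mirror each other, and a mismatch in one field is the usual reason a tunnel fails to pass traffic. The following check is an added example, not Cradlepoint code: the dictionary field names are hypothetical (they are not an NCOS API) and the addresses are constructed sample values.

```python
import ipaddress

def check_gre_pair(one, two):
    """Return a list of mismatches between two routers' GRE tunnel settings."""
    problems = []
    for a, b in ((one, two), (two, one)):
        me, peer = a["name"], b["name"]
        # Step 4: Remote Gateway must be the peer's WAN IP address.
        if a["remote_gateway"] != b["wan_ip"]:
            problems.append(f"{me}: Remote Gateway is not the WAN IP of {peer}")
        # Step 4: tunnel endpoints are swapped on the peer and share one subnet.
        if a["remote_endpoint"] != b["local_endpoint"]:
            problems.append(f"{me}: Remote Endpoint differs from Local Endpoint of {peer}")
        tunnel = ipaddress.ip_network(f'{a["local_endpoint"]}/{a["subnet_mask"]}', strict=False)
        if ipaddress.ip_address(a["remote_endpoint"]) not in tunnel:
            problems.append(f"{me}: Remote Endpoint is outside tunnel subnet {tunnel}")
        # Step 5: a route must cover the peer's LAN and must not capture the local LAN.
        routes = [ipaddress.ip_network(r) for r in a["routes"]]
        if not any(ipaddress.ip_network(b["lan"]).subnet_of(r) for r in routes):
            problems.append(f"{me}: no route covers the LAN of {peer}")
        if any(r.overlaps(ipaddress.ip_network(a["lan"])) for r in routes):
            problems.append(f"{me}: a tunnel route overlaps the local LAN")
        # Steps 13-17: forwarding is needed in both directions between LAN and GRE zone.
        for pair in (("Primary LAN Zone", a["gre_zone"]), (a["gre_zone"], "Primary LAN Zone")):
            if pair not in a["forwardings"]:
                problems.append(f"{me}: missing zone forwarding {pair[0]} -> {pair[1]}")
    return problems

# Constructed sample values (documentation address ranges), not from the article.
ROUTER_ONE = {
    "name": "Router ONE", "wan_ip": "192.0.2.10", "lan": "192.168.0.0/24",
    "local_endpoint": "10.255.0.1", "remote_endpoint": "10.255.0.2",
    "subnet_mask": "255.255.255.252", "remote_gateway": "198.51.100.20",
    "routes": ["192.168.10.0/24"], "gre_zone": "GRE_Zone",
    "forwardings": [("Primary LAN Zone", "GRE_Zone"), ("GRE_Zone", "Primary LAN Zone")],
}
ROUTER_TWO = {
    "name": "Router TWO", "wan_ip": "198.51.100.20", "lan": "192.168.10.0/24",
    "local_endpoint": "10.255.0.2", "remote_endpoint": "10.255.0.1",
    "subnet_mask": "255.255.255.252", "remote_gateway": "192.0.2.10",
    "routes": ["192.168.0.0/24"], "gre_zone": "GRE_Zone",
    "forwardings": [("Primary LAN Zone", "GRE_Zone"), ("GRE_Zone", "Primary LAN Zone")],
}

if __name__ == "__main__":
    print(check_gre_pair(ROUTER_ONE, ROUTER_TWO) or "configurations mirror each other")
```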

Use Cases

Network Topology

Encrypting the tunnel

Setting up GRE over IPsec to add encryption to the tunnel.
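
GRE on its own only adds an outer IP header (protocol 47) and a short GRE header, so the inner packet crosses the WAN unencrypted. The following added example (not from the original article; all addresses and the payload are constructed) builds a basic RFC 2784 GRE packet and shows what can be read from it without any key.

```python
import socket
import struct

GRE_PROTO = 47  # IP protocol number assigned to GRE

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at zero for this demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def gre_encapsulate(inner, wan_src, wan_dst):
    """Wrap an inner IPv4 packet in a basic GRE header plus an outer IP header."""
    gre = struct.pack("!HH", 0x0000, 0x0800)  # no flags, version 0, payload is IPv4
    return ipv4_header(wan_src, wan_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def inspect_gre(packet):
    """Return what an on-path observer can read from a GRE packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if ptype != 0x0800:
        raise ValueError("inner protocol is not IPv4")
    # Optional checksum (C), key (K) and sequence (S) fields add 4 bytes each.
    off = ihl + 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    inner = packet[off:]
    inner_ihl = (inner[0] & 0x0F) * 4
    return {
        "outer": (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])),
        "inner": (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])),
        "payload": inner[inner_ihl:],
    }

# Constructed sample: a LAN client behind one router sends to a client behind the other.
DATA = b"constructed cleartext payload"
INNER = ipv4_header("192.168.0.50", "192.168.10.60", 253, len(DATA)) + DATA  # 253 = testing
SAMPLE = gre_encapsulate(INNER, "192.0.2.10", "198.51.100.20")

if __name__ == "__main__":
    print(inspect_gre(SAMPLE))
```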


Troubleshooting

Tunnel doesn't provide connectivity to networks routed behind the Cradlepoint

If the tunnel is built and you can ping the gateway of the tunnel on either side, but not the opposite router's LAN or routed network, you may need to set up a route for the remote network (as in step 5 above) even if it isn't a directly connected network.

Some networks work over GRE but others do not

If only some networks on the Cradlepoint work over the tunnel, you may not have the necessary firewall rules in place to allow the additional networks to access the GRE tunnel. Refer to the Zone Firewall configuration for help setting up firewall rules.

Troubleshooting

Ping the tunnel IP addresses and the LAN gateways of each Cradlepoint for basic connectivity across the tunnel.

Ping a client of the remote network that is across the Tunnel to determine full connectivity.

From a client on the local network, do a traceroute to a client on the remote network. For a basic network: the output should show the default gateway of the first Cradlepoint, the LAN gateway of the remote Cradlepoint, and finally the client itself.


Related Articles/Links


Published Date: 07/13/2017
