Hi all,
I have to create GRE over IPsec on an NS5GT with ScreenOS 5.4; my customer's partner sent me a configuration example, but it is for Cisco.
Now I want to implement it on ns5gt:
On my router's trust interface I have IP 192.168.x.x, but in this VPN I have to use 10.146.45.0/24.
All parameters and my configuration are below:
I put IP 10.146.x.x on the tunnel.2 interface with a MIP:
set interface "tunnel.2" zone "VPN"
set interface tunnel.2 ip 10.146.45.1/24
set interface tunnel.2 tunnel encap gre
set interface tunnel.2 tunnel local-if loopback.1 dst-ip 10.146.254.1
set interface "tunnel.2" mip 10.146.45.1 host 192.168.248.1 netmask 255.255.255.248 vr "trust-vr"
IKE parameters
• 3DES for key encryption
• a hash algorithm of MD5 for data integrity
• Diffie-Hellman group 1
• An SA lifetime of 86,400 seconds with no volume limit
• aggressive mode turned off
set ike gateway "VPN-GW" address 5.5.5.5 Main outgoing-interface "untrust" preshare "xxx" proposal "pre-g1-3des-md5"
• ESP-3DES for encryption and data integrity
• a hash algorithm of ESP-MD5 for data integrity
• no compression method
• a lifetime of 3600 seconds with a volume limit of 4,608,000 kilobytes
set vpn "VPN2" gateway "VPN-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"
set vpn "VPN2" id 11 bind interface tunnel.2
set vpn "VPN2" proxy-id local-ip 10.146.45.0/24 remote-ip 10.132.19.0/24 "ANY"
I create route for this VPN:
set route 10.132.19.0/24 interface tunnel.2 preference 20
And now follows the difficult part for me, where I am stuck:
GRE Tunnel1 Address: 10.146.1.142
GRE Tunnel2 Address: 10.146.1.141
The RP IP: 10.132.19.14
Tunnel source IP: 10.146.0.45 - I put this IP address on the loopback interface and assigned it to the tunnel.2 interface
Tunnel destination IP: 10.146.254.1
Configure ip pim sparse-mode and multicast-routing in your configurations
ip route 10.135.70.0 255.255.255.0 (ip address of corporate internet router)
ip route 10.135.71.0 255.255.255.0 (ip address of corporate internet router)
access-list 100 permit ip 10.146.45.0 0.0.0.255 10.135.70.0 0.0.0.255
access-list 100 permit ip 10.146.45.0 0.0.0.255 10.135.71.0 0.0.0.255
Can you give me some advice or documentation where I can finish this config?
Now in events I can see:
Phase 2: No policy exists for the proxy ID received: local ID (<10.146.0.45>/<255.255.255.255>, <47>, <0>) remote ID (<10.146.254.1>/<255.255.255.255>, <47>, <0>).
Thanks!
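An added example (not from the original post or from ScreenOS itself) that parses the Phase 2 event line quoted above and checks the received proxy IDs against the `set vpn ... proxy-id` line from the configuration, reporting for each side whether the received network is identical to, inside, or outside the configured one, and whether the received protocol (47 = GRE) is covered by the configured service. It assumes ScreenOS logs the IDs from its own point of view (local = this firewall's side) and only knows the service names ANY and GRE.

```python
import ipaddress
import re

# Constructed sample input: the Phase 2 event line and the proxy-id line from the post.
EVENT_LINE = ("Phase 2: No policy exists for the proxy ID received: "
              "local ID (<10.146.0.45>/<255.255.255.255>, <47>, <0>) "
              "remote ID (<10.146.254.1>/<255.255.255.255>, <47>, <0>).")
CONFIG_LINE = 'set vpn "VPN2" proxy-id local-ip 10.146.45.0/24 remote-ip 10.132.19.0/24 "ANY"'

ID_RE = re.compile(r"(local|remote) ID \(<([\d.]+)>/<([\d.]+)>, <(\d+)>, <(\d+)>\)")
PROXY_RE = re.compile(r'proxy-id local-ip (\S+) remote-ip (\S+) "([^"]+)"')
# Assumed mapping of the proxy-id service keyword to an IP protocol number;
# only the two names needed here are covered (None = any protocol).
SERVICE_PROTO = {"ANY": None, "GRE": 47}


def parse_event(line):
    """Return {'local': (network, proto, port), 'remote': (...)} from a ScreenOS event line."""
    ids = {side: (ipaddress.ip_network(f"{ip}/{mask}"), int(proto), int(port))
           for side, ip, mask, proto, port in ID_RE.findall(line)}
    if set(ids) != {"local", "remote"}:
        raise ValueError("event line does not carry both proxy IDs")
    return ids


def parse_proxy_id(line):
    """Return (local_net, remote_net, service) from a 'set vpn ... proxy-id' line."""
    m = PROXY_RE.search(line)
    if not m:
        raise ValueError("not a proxy-id line")
    local, remote, service = m.groups()
    return ipaddress.ip_network(local), ipaddress.ip_network(remote), service.upper()


def classify(received, configured):
    """'exact' if identical, 'subset' if received lies inside configured, else 'outside'."""
    if received == configured:
        return "exact"
    return "subset" if received.subnet_of(configured) else "outside"


def check_proxy_id(event_line, config_line):
    """Compare the received proxy IDs with the configured ones; one verdict per field.
    Assumption: ScreenOS logs the IDs from its own point of view (local = this firewall)."""
    ids = parse_event(event_line)
    local_cfg, remote_cfg, service = parse_proxy_id(config_line)
    want_proto = SERVICE_PROTO.get(service)
    verdict = {"local": classify(ids["local"][0], local_cfg),
               "remote": classify(ids["remote"][0], remote_cfg)}
    verdict["protocol"] = "match" if want_proto in (None, ids["local"][1]) else "mismatch"
    return verdict


if __name__ == "__main__":
    for field, result in check_proxy_id(EVENT_LINE, CONFIG_LINE).items():
        print(f"{field}: {result}")
```

For the event line in the post the script reports both networks as outside the configured /24 ranges, which is what the "No policy exists" event is complaining about.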