GRE is mainly used to send multicast traffic over an unsecured network. IPSec cannot carry multicast traffic, hence we need to use both IPSec and GRE. This is also known as IPSec over GRE.
Here is the diagram for your understanding, which I recently accomplished for my customer:
(I have changed the IP addresses to random ones.)
We need to send the multicast traffic over the IPSec through GRE.
ON HO:
1. Log in to the CLI using Telnet/SSH.
2. Select Option 4.
3. Create the GRE tunnel between HO and BO:
console> cyberoam gre tunnel add name GRE_TUN0 local-gw portB remote-gw 81.23.XX.XX local-ip 1.1.1.1 remote-ip 1.1.1.2
GRE_TUN0 is just the name given to the GRE tunnel; you can give it any name you want.
portB: if you have multiple ISP links, choose the physical interface that should carry the GRE traffic, which is the one on which IPSec is created.
Since GRE is a point-to-point connection, you need interfaces (logical/virtual) at each end within the same subnet, so we have 1.1.1.1 and 1.1.1.2.
ON BO:
console> cyberoam gre tunnel add name GRE_TUN0 local-gw portB remote-gw 91.23.XX.XX local-ip 1.1.1.2 remote-ip 1.1.1.1
on HO:
console> cyberoam gre route add net 192.168.1.25/255.255.255.255 tunnelname GRE_TUN0
on BO:
console> cyberoam gre route add net 192.168.0.100/255.255.255.255 tunnelname GRE_TUN0
On the HO GUI:
Then, in the GUI, you need to enable multicast:
Network-->static routes-->Multicast; fill in the information:
Source Network: 192.168.1.25
Source Interface: GRE_TUN0
Multicast address: 239.225.225.225
Destination Interface: choose the interface on which the 192.168.0.100 is connected (here LAN/DMZ)
:-) it should work fine
Some appliances, like Cisco and Juniper, can work with a shared interface IP address. I am not sure how to do it with Cyberoam. Need to contact Cyberoam support.
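A consistency check for the two `gre tunnel add` lines above, as an added example that is not part of the original post or of any Cyberoam tooling: it parses the HO and BO commands, verifies that the tunnel IPs mirror each other and sit in one point-to-point subnet, and confirms the multicast group is a multicast address. The gateway addresses are constructed stand-ins for the masked ones, and the /30 prefix and the function names are assumptions.

```python
import ipaddress
import shlex

# Constructed sample input: the page masks the public gateways (81.23.XX.XX,
# 91.23.XX.XX), so documentation-range addresses stand in for them here.
HO_CMD = ("cyberoam gre tunnel add name GRE_TUN0 local-gw portB "
          "remote-gw 203.0.113.10 local-ip 1.1.1.1 remote-ip 1.1.1.2")
BO_CMD = ("cyberoam gre tunnel add name GRE_TUN0 local-gw portB "
          "remote-gw 198.51.100.20 local-ip 1.1.1.2 remote-ip 1.1.1.1")

def parse_tunnel(cmd):
    """Turn a 'cyberoam gre tunnel add ...' line into a dict of its key/value pairs."""
    words = shlex.split(cmd)
    if words[:4] != ["cyberoam", "gre", "tunnel", "add"]:
        raise ValueError("not a 'gre tunnel add' command: " + cmd)
    args = words[4:]
    if len(args) % 2:
        raise ValueError("option without a value in: " + cmd)
    return dict(zip(args[0::2], args[1::2]))

def check_pair(ho_cmd, bo_cmd, prefix=30):
    """Return a list of problems; an empty list means the two ends mirror each other.
    prefix=30 is an assumption: the CLI line carries no mask for the tunnel IPs."""
    ho, bo = parse_tunnel(ho_cmd), parse_tunnel(bo_cmd)
    problems = []
    for side, cfg in (("HO", ho), ("BO", bo)):
        missing = {"name", "local-gw", "remote-gw", "local-ip", "remote-ip"} - cfg.keys()
        if missing:
            problems.append(f"{side}: missing {sorted(missing)}")
    if problems:
        return problems
    if ho["local-ip"] != bo["remote-ip"] or ho["remote-ip"] != bo["local-ip"]:
        problems.append("tunnel IPs are not mirrored between HO and BO")
    net = ipaddress.ip_interface(f"{ho['local-ip']}/{prefix}").network
    for side, cfg in (("HO", ho), ("BO", bo)):
        for key in ("local-ip", "remote-ip"):
            if ipaddress.ip_address(cfg[key]) not in set(net.hosts()):
                problems.append(f"{side} {key} {cfg[key]} is not a host in {net}")
    if ho["remote-gw"] == bo["remote-gw"]:
        problems.append("both ends point at the same remote-gw")
    return problems

def is_multicast_group(addr):
    """True if addr is an IPv4 multicast group address (224.0.0.0/4)."""
    return ipaddress.ip_address(addr).is_multicast

if __name__ == "__main__":
    print(check_pair(HO_CMD, BO_CMD) or "tunnel definitions are consistent")
    print("239.225.225.225 multicast:", is_multicast_group("239.225.225.225"))
```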