BILLYSOFTACADEMY

How To Create A Site To Site GRE Tunnel VPN Using Mikrotik Routers Or A Mikrotik And A Cisco Router.

The Generic Routing Encapsulation protocol (GRE) is a routing protocol developed by Cisco Systems that works on port 47. It is primarily used to create point-to-point links between two network end points, thereby allowing two peers to share data that they would not be able to share over a public network such as the internet. GRE works by encapsulating data packets inside GRE data packets, i.e. wrapping one data packet inside another data packet, just like putting a box inside another box. Mikrotik supports the GRE protocol and can create multiple GRE links to other Mikrotik routers as well as third-party routers such as those from CISCO. Read this tutorial to learn how to create a simple site-to-site GRE tunnel VPN between two Mikrotik routers or between a Mikrotik router and a CISCO router.

REQUIREMENTS

The following items are required to complete this tutorial successfully. Make sure they are available before you start:
1) A desktop or laptop running Windows 7, 8 or 10
2) The Winbox app or terminal emulation software such as Solar-PuTTY
3) A Mikrotik router such as the Mikrotik RB951PGS or the Mikrotik RB3011UiAS
4) A public IP address configured on the WAN interface of the router.

OVERVIEW

1) Download the Winbox application or a terminal emulation software and connect to the router.
2) Go to INTERFACES, open the GRE TUNNEL tab and create a new GRE tunnel interface. Set the WAN IP address of the source and destination router.
3) Go to IP > ADDRESSES and set an IP address for the GRE tunnel interface, then go to IP > ROUTES and add a route to the remote LAN network.
4) Configure the second router's GRE interface as well as the IP address for the GRE interface and the route.

Network Diagram.

The network diagram on the right depicts how the GRE tunnel VPN is configured. The GRE tunnel VPN is between two office routers that are located in different geographical locations. In the diagram the OFFICE A router connects to the internet using the ETHER1 interface and has the public IP address 197.211.100.10/30. The LAN interface is ETHER2 and has the IP address 192.168.4.254/24. The GRE interface has the IP address 172.16.1.1/30.

Both OFFICE A and OFFICE B have public IP addresses, which makes it possible for traffic to be routed between the two end points. If OFFICE A needs to access a web server on http port 443 or a remote desktop on port 3389, the network packets are encapsulated with GRE header information and transmitted to the intended destination through the GRE tunnel. When the packets arrive at the destination router, the GRE headers are removed and the packets are delivered to the destination LAN device / application.

The OFFICE B router connects to the internet using the ETHER1 interface and has the public IP address 197.211.200.22/30. The LAN interface is ETHER2 and has the IP address 192.168.7.254/24. The GRE interface has the IP address 172.16.1.2/30.
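The encapsulation described above can be reproduced offline with the addresses from the diagram. The following Python code is an added example, not part of the original tutorial: it wraps a packet in a basic GRE header and an outer IPv4 header carrying IP protocol number 47, strips them again as the receiving router does, and shows that the inner payload is readable in transit when GRE is used on its own, which is what the optional IPSEC SECRET in Step 2 addresses. The ping payload is constructed sample data, and the inner source address 172.16.1.1 assumes the router sources the Step 5 ping from its tunnel address.

```python
import ipaddress
import struct

GRE_PROTO = 47  # IP protocol number that carries GRE (RFC 2784)

def checksum(data):
    """Internet checksum (RFC 1071) over an even-length byte string."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src, dst, proto, payload):
    """Prepend a 20-byte IPv4 header (no options) to payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Wrap an IPv4 packet in a basic 4-byte GRE header plus an outer IPv4 header."""
    gre = struct.pack("!HH", 0x0000, 0x0800)  # no flags, version 0, protocol type = IPv4
    return ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre + inner)

def gre_decapsulate(outer):
    """Return the inner packet, as the receiving router does."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    flags_version, proto_type = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags_version != 0 or proto_type != 0x0800:
        raise ValueError("only a basic GRE header carrying IPv4 is handled here")
    return outer[ihl + 4:]

def addresses(packet):
    """Source and destination of an IPv4 header, as strings."""
    return (str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20])))

# Constructed sample: the Step 5 ping from OFFICE A's tunnel address to OFFICE B's LAN address.
ICMP_DATA = b"constructed-ping"
icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + ICMP_DATA  # echo request, checksum still zero
icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
INNER = ipv4("172.16.1.1", "192.168.7.254", 1, icmp)
OUTER = gre_encapsulate(INNER, "197.211.100.10", "197.211.200.22")

if __name__ == "__main__":
    print("outer:", addresses(OUTER), "protocol", OUTER[9])
    print("inner:", addresses(gre_decapsulate(OUTER)))
    print("payload visible in transit:", ICMP_DATA in OUTER)
```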

Step 1: Go To The Mikrotik Website And Download Winbox.

1) Go to www.mikrotik.com and click on the SOFTWARE link. There are two download options, Winbox (64bit) and Winbox (32bit). If your computer is running a 32bit version of Windows click on the Winbox (32bit) option, and if your computer is running a 64bit version of Windows choose the Winbox (64bit) option.

Step 2: Connect To The Office A Router And Configure The GRE Tunnel Interface.

2) Once the Winbox download is complete, open Winbox, type in the IP address, username and password for your Mikrotik router and click on CONNECT.

If you do not know what the IP address of the router is, click on the NEIGHBOURS tab and Winbox will automatically scan your network for all available Mikrotik routers and list them here.

3) Click on the INTERFACES option and click on the GRE TUNNEL tab. Click on the blue “+” button to add a new GRE TUNNEL INTERFACE.

4) Type in any name to identify the GRE INTERFACE in the NAME text input box, then type in the WAN IP address of the OFFICE A ROUTER in the LOCAL ADDRESS input box. Type in the WAN IP address of the OFFICE B ROUTER in the REMOTE ADDRESS input box and, if you would like IPSEC encryption on the GRE TUNNEL, type in an IPSEC password in the IPSEC SECRET password field.

Click on APPLY then click on OK.

5) Set an IP address for the newly created GRE tunnel such that the GRE INTERFACE on OFFICE A ROUTER is on the same subnet as that of the GRE INTERFACE on the OFFICE B ROUTER.

Click on IP > ADDRESSES and click on the blue “+” button. 

On the ADDRESS field type 172.16.1.1/30, set the NETWORK to 172.16.1.0 and select the GRE TUNNEL INTERFACE on the INTERFACE dropdown.

Click on APPLY then click on OK.

6) Next, create an IP route that will forward all network packets destined for the OFFICE B network. Click on IP > ROUTES and click on the blue “+” button to add a new route.

Set the DST. ADDRESS to 192.168.7.0/24 and select the GRE INTERFACE on the GATEWAY drop down menu.

Click on APPLY then click on OK.

Step 3: Connect To The Office B Router And Configure The GRE Interface.

7) Connect to the OFFICE B Mikrotik router, open INTERFACES and click on the GRE TUNNEL tab. Click on the blue “+” button.

Type in a descriptive name to identify the interface on the NAME text input box. Enter the WAN address of the OFFICE B router on the LOCAL ADDRESS input field and also the WAN address of the OFFICE A router on the REMOTE ADDRESS input field.

You can also type in an IPSEC password on the IPSEC SECRET input field then click on APPLY and OK.

8) Next, set an IP address on the GRE INTERFACE by clicking on IP > ADDRESSES. Click on the blue “+” button then type in the IP address 172.16.1.2/30 on the ADDRESS field. On the NETWORK field enter the IP address 172.16.1.0 and select the GRE TUNNEL interface on the INTERFACE drop down menu.

Click on APPLY then click on OK.

9) Add a route that will instruct the Mikrotik router to route all network packets destined for the OFFICE A network to the GRE interface. To do this click on IP > ROUTES and click on the blue “+” button. Type in the IP address 192.168.4.0/24 on the DST. ADDRESS input box and select the GRE TUNNEL INTERFACE on the GATEWAY drop down menu.

Click on APPLY then click on OK.

Step 4: Configuring the GRE tunnel If Using A Mikrotik And A Cisco Router.

10) If you have a Mikrotik router at OFFICE A and a CISCO router at OFFICE B, it is still possible to create a VPN connection between the two devices.

Connect to the MIKROTIK router and create a GRE INTERFACE and an IP ROUTE in the same way that was outlined in STEP 2 above.

Connect to the CISCO router using an SSH client such as PuTTY and type in the following commands:

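! Enter global configuration mode first
configure terminal
! GRE tunnel interface on the OFFICE B (CISCO) side
interface tunnel1
 ip address 172.16.1.2 255.255.255.252
 tunnel source 197.211.200.22
 tunnel destination 197.211.100.10
 no shutdown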

Create an IP ROUTE on the CISCO router that will route network packets whose destination is the OFFICE A network to the tunnel interface:

ip route 192.168.4.0 255.255.255.0 tunnel1

Step 5: Test The VPN Connection

11) The next step is to test the VPN connection and see if you can reach devices on the OFFICE A network from the OFFICE B network and vice versa. This can be done by pinging the router LAN addresses.

On the OFFICE A router click on the TERMINAL option and type:

ping 192.168.7.254

You should see response messages as shown in the image on the right.