Description:

In certain scenarios, two locations connected via VPN use networks with the same IP address range, so that communication takes place on layer 2 (MAC address) instead of layer 3 (routing). With a normal VPN connection the sites must have different IP address ranges, so linking these networks makes routing essential. With help of an EoGRE tunnel (Ethernet-over-GRE), two sites can be interconnected by a GRE tunnel (Generic Routing Encapsulation) and packets are transmitted on layer 2. This means that the same IP address range can be used at both sites.

Since a GRE tunnel operates unencrypted, LANCOM Systems recommends that the data traffic should be encrypted, for example by operating an IKEv2 connection within the EoGRE tunnel.

This article describes how two routers that use the same IP address range are set up to operate an EoGRE tunnel and an IKEv2 connection.

Please note that broadcast and multicast packets are sent over an EoGRE tunnel. This can increase the load on the network!



Requirements:


Scenario:

  • A company wishes to interconnect the local networks at their headquarters and at a branch office, both of which use the same IP address range, via a VPN connection.
  • The local network at the headquarters and the local network at the branch office both use the IP address range 192.168.1.0/24.
  • Both sites have a LANCOM router as their gateway and an Internet connection. The public IP address of the Headquarters is 80.80.80.80, and the branch office is 81.81.81.81.
  • The VPN connection is established from the branch office to the headquarters. All stations in the local networks are concealed behind masking IPs. At the headquarters the masking IP address is 193.1.1.1 and the branch office uses the address 193.1.1.2.
  • The two local networks are interconnected via an EoGRE tunnel (or layer-2 tunnel).



Procedure:

1) Setting up the IKEv2 connection on the two routers:

Use the setup wizard to set up the VPN connections on the two routers. This is described in the following Knowledge Base article:

Configuring an IKEv2 VPN connection between two LANCOM routers using the Setup Wizard (IPv4)



2) Configuring EoGRE tunnel on the router at the headquarters:

2.1) Using LANconfig, connect to the router at the headquarters, switch to the menu Interfaces → LAN → Ethernet ports and check which logical LAN interface is assigned to the Ethernet port used for the local network (in this example, the local network is connected with the port ETH 1; the physical port ETH 1 has the logical interface LAN-1 assigned to it).

2.2) Navigate to the menu Interfaces → LAN → LAN bridge.

2.3) Make sure that the option Connect by using a bridge (default) is selected. Then go to the Port table menu.

2.4) Make sure that the used logical LAN interface (see step 2.1) and the GRE tunnel (see step 2.6) are both set with the same bridge group (in this example BRG-1).

In the case of a WLAN router, the used WLAN interface also has to be in the same bridge group (assuming that the WLAN is operated in the network).

2.5) Switch to the menu Communication → Remote sites → GRE tunnel.

2.6) Click EoGRE tunnel and select a previously unused GRE tunnel (in this example GRE-Tunnel-1).

2.7) Activate the GRE tunnel and set the IP address to an address from a previously unused IP address range. This is the address where the end point of the GRE tunnel at the branch office should be reached (in this example 193.1.1.2).

 

2.8) Navigate to the menu Communication → Protocols → IP parameters.

2.9) Add a new entry, set the Remote site to the VPN connection set up in step 1 (in this example OFFICE) and set the Masquerading IP address to an IP address that is used to mask the local network via the EoGRE tunnel to the branch office (in this example 193.1.1.1).

Unlike IKEv1, IKEv2 does not use an extranet address, so masking with IKEv2 has to be implemented in the IP parameters.

2.10) Switch to the menu IPv4 → General → IP networks.

2.11) For the local network, make sure that the Interface assignment is set to the relevant bridge group (in this example BRG-1).

2.12) Navigate to the menu IP router → Routing → IPv4 routing table.

2.13) Choose the routing entry that was created for the VPN connection to the branch office and click Edit.

2.14) Change the following parameters:

  • IP address: Enter the IP address of the GRE tunnel end point for the branch office set in step 2.7 (in this example 193,1.1.2).
  • Netmask: Enter 255.255.255.255. This stands for a single IP address.

2.15) This concludes the configuration of the EoGRE tunnel for the router at the headquarters, so write the configuration back to the device.



3) Configuring EoGRE tunnel on the router at the branch office:

3.1) Using LANconfig, connect to the router at the branch office, switch to the menu Interfaces → LAN → Ethernet ports and check which logical LAN interface is assigned to the Ethernet port used for the local network (in this example, the local network is connected with the port ETH 1; the physical port ETH 1 has the logical interface LAN-1 assigned to it).

3.2) Navigate to the menu Interfaces → LAN → LAN bridge.

3.3) Make sure that the option Connect by using a bridge (default) is selected. Then go to the Port table menu.

3.4) Make sure that the logical LAN interface (see step 3.1) and the GRE tunnel (see step 3.6) are both set with the same bridge group (in this example BRG-1).

In the case of a WLAN router, the used WLAN interface also has to be in the same bridge group (assuming that the WLAN is operated in the network).

3.5) Switch to the menu Communication → Remote sites → GRE tunnel.

3.6) Click EoGRE tunnel and select a previously unused GRE tunnel (in this example GRE-Tunnel-1).

3.7) Activate the GRE tunnel and set the IP address to an address from the same IP address range assigned to the router in the headquarter in step 2.7. This is the address where the end point of the GRE tunnel at the headquarters should be reached (in this example 193.1.1.1).

3.8) Navigate to the menu Communication → Protocols → IP parameters.

3.9) Add a new entry, set the Remote site to the VPN connection set up in step 1 (in this example HEADQUARTERS) and set the Masquerading IP address to an IP address that is used to mask the local network via the EoGRE tunnel to the headquarters (in this example 193.1.1.2).

Unlike IKEv1, IKEv2 does not use an extranet address, so masking with IKEv2 has to be implemented in the IP parameters.

3.10) Switch to the menu IPv4 → General → IP networks.

3.11) For the local network, make sure that the Interface assignment is set to the relevant bridge group (in this example BRG-1).

3.12) Navigate to the menu IP router → Routing → IPv4 routing table.

3.13) Choose the routing entry that was created for the VPN connection to the headquarters and click Edit.

3.14) Change the following parameters:

  • IP address: Enter the IP address of the GRE tunnel end point for the branch office set in step 3.7 (in this example 193.1.1.1).
  • Netmask: Enter 255.255.255.255. This stands for a single IP address.

3.15) This concludes the configuration of the EoGRE tunnel for the router at the branch office, so write the configuration back to the device.