Description:
LCOS as of version 9.10 provides a number of "Ethernet over GRE" tunnels (EoGRE) to transmit Ethernet packets via GRE. Since these Ethernet packets move on OSI layer 2, the EoGRE tunnel only functions as a bridge. This can be used to implement L2VPN (VPN as a simple level-2 bridge) or a transparent Ethernet bridge over WAN.
This configuration example shows you how to use an Ethernet-over-GRE tunnel to connect local area networks that use the same IP address range via an IPSec-secured VPN connection (IKEv1).


Requirements:
  • LCOS as of version 9.10 (download latest version)
  • LANtools as of version 9.10 (download latest version)
  • You can only implement this scenario with LANCOM routers that are equipped with the LAN bridge function:
    • This includes all of the LANCOM WLAN routers (e.g. 1781EW(+), 1781(V)AW, 1780EW-4G)
    • For LANCOM routers without WLAN, which are operated with an LCOS up to version 10.00 (e.g. 1781A(-4G), 1781VA(-4G), 1781EF+), the LAN bridge is only available if the devices are equipped with an activated WLC Basic option for routers.
    • As of LCOS version 10.12, the LAN bridge is enabled for all devices that support this firmware.


Scenario:
  • A company wishes to interconnect the local networks at its headquarters and at a branch office, which both use the same IP address range, by means of a site-to-site VPN connection.
  • The local network at the headquarters and the local network at the branch office both use the IP address range 192.168.1.0/24.
  • Both sites have a LANCOM router as their gateway and an Internet connection. The public IP address of the headquarters is 80.80.80.80, and that of the branch office is 81.81.81.81.
  • The VPN connection is established from the branch office to the headquarters. All stations in the local network are masked behind VPN extranet addresses. The headquarters uses the extranet IP address 193.1.1.1 and the branch office uses the address 193.1.1.2. The extranet addresses can be chosen freely. For local IP addresses, make sure that they do not fall within the blocked routes specified in the IP routing table.
  • The two local networks are connected to one another via an EoGRE tunnel (or layer-2 tunnel).

Please note that in this scenario, broadcasts are also transmitted through the EoGRE tunnel.
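
The following added example (not LANCOM code) shows what the bridge puts on the tunnel: a LAN broadcast frame is carried unchanged inside a GRE packet addressed from one extranet address to the other. It assumes a basic 4-byte GRE header without optional fields; the MAC address, TTL and ARP request are constructed sample values.

```python
import ipaddress
import struct

GRE_PROTO_TEB = 0x6558      # GRE protocol type: Transparent Ethernet Bridging
IP_PROTO_GRE = 47           # IP protocol number of GRE
BROADCAST_MAC = b"\xff" * 6

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the ten 16-bit words of a 20-byte header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def eogre_encapsulate(frame: bytes, src: str, dst: str) -> bytes:
    """Outer IPv4 header + 4-byte GRE header + the unchanged Ethernet frame."""
    gre = struct.pack("!HH", 0, GRE_PROTO_TEB)  # no checksum/key/sequence, version 0
    def header(csum):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(frame),
                           0, 0, 64, IP_PROTO_GRE, csum,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    return header(ipv4_checksum(header(0))) + gre + frame

def eogre_decapsulate(packet: bytes) -> dict:
    """Parse what the receiving bridge sees; rejects anything but plain EoGRE."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags != 0 or proto != GRE_PROTO_TEB:
        raise ValueError("not a basic GRE header carrying an Ethernet frame")
    frame = packet[ihl + 4:]
    return {"outer_src": str(ipaddress.IPv4Address(packet[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
            "is_broadcast": frame[:6] == BROADCAST_MAC,
            "overhead": ihl + 4, "frame": frame}

# Constructed sample: ARP request from 192.168.1.10 (headquarters LAN) for 192.168.1.20
SRC_MAC = bytes.fromhex("020000000001")
ARP = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, SRC_MAC,
                  ipaddress.IPv4Address("192.168.1.10").packed, bytes(6),
                  ipaddress.IPv4Address("192.168.1.20").packed)
FRAME = BROADCAST_MAC + SRC_MAC + struct.pack("!H", 0x0806) + ARP

if __name__ == "__main__":
    info = eogre_decapsulate(eogre_encapsulate(FRAME, "193.1.1.1", "193.1.1.2"))
    print(info["outer_src"], "->", info["outer_dst"], info["is_broadcast"], info["overhead"])
```

Every broadcast on either LAN produces one such packet, and the GRE layer adds no encryption of its own; in this scenario confidentiality comes only from the IPSec connection that carries it.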



Procedure:
1) Configuring the VPN connection between the branch office and headquarters:
1.1) At each end of the connection, set up the VPN connection (IKEv1) with the LANconfig Setup Wizard.
1.2) The VPN connection works with extranet addresses and these are specified using the Setup Wizard at each end of the connection:
  • The router at the headquarters can be assigned any local IP address. In this example we use the address 193.1.1.1.
  • The router at the branch office can be assigned any local IP address. In this example we use the address 193.1.1.2.
1.3) Exit the Setup Wizard at each end with the Finish button. After writing the configuration back to the devices, the VPN connection is established between the branch and the headquarters.


2) Configuring the EoGRE connection at the headquarters:
2.1) Open the configuration for the router at the headquarters and switch to the menu item Communication → Remote sites → GRE tunnel → EoGRE tunnel.
2.2) Select a GRE tunnel. For this example we are using GRE-TUNNEL-1.
2.3) Enable the GRE tunnel and enter the extranet IP address of the router at the branch office into the IP address field. In this example, this is the IP address 193.1.1.2.
2.4) Navigate to the menu IP router → Routing → IPv4 routing table.
2.5) Make sure that a routing entry exists with the extranet address of the branch office (193.1.1.2) and netmask 255.255.255.255 as the destination, and with the VPN connection to the branch office set as the remote site.
2.6) Write the configuration back to the router.

The GRE tunnel needs to be located in the same bridge group as the local network. In this example, this is BRG-1. This is also the default setting. You can check or modify this in the menu Interfaces → LAN → Port table.

Make sure that the LAN bridge settings are left at their default values.



3) Configuring the EoGRE connection at the branch office:

3.1) Open the configuration for the router at the branch office and switch to the menu item Communication → Remote sites → GRE tunnel → EoGRE tunnel.
3.2) Select a GRE tunnel. For this example we are using GRE-TUNNEL-1.
3.3) Enable the GRE tunnel and enter the extranet IP address of the router at the headquarters into the IP address field. In this example, this is the IP address 193.1.1.1.
3.4) Navigate to the menu IP router → Routing → IPv4 routing table.
3.5) Make sure that a routing entry exists with the extranet address of the headquarters (193.1.1.1) and netmask 255.255.255.255 as the destination, and with the VPN connection to the headquarters set as the remote site.
3.6) Write the configuration back to the router.

The GRE tunnel needs to be located in the same bridge group as the local network. In this example, this is BRG-1. This is also the default setting. You can check or modify this in the menu Interfaces → LAN → Port table.

Make sure that the LAN bridge settings are left at their default values.
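
Steps 2.5 and 3.5 matter because GRE itself is unencrypted: if the host route to the peer's extranet address is missing, the tunnel traffic follows whatever less specific route matches. The following added example (not LANCOM code or an LCOS export format) checks a hand-written model of both routing tables; the remote-site names BRANCH, HEADQUARTERS and INTERNET and the dictionary layout are assumptions.

```python
import ipaddress

def _net(route):
    # Destination plus netmask as entered in the routing table,
    # e.g. 193.1.1.2 / 255.255.255.255
    return ipaddress.ip_network(f"{route['dest']}/{route['mask']}")

def best_route(routes, address):
    """Longest-prefix match: the most specific route that covers address."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in _net(r)]
    return max(matches, key=lambda r: _net(r).prefixlen, default=None)

def check_site(name, site):
    """Findings for one router; an empty list means the route check passes."""
    peer, vpn = site["gre_peer"], site["vpn_remote_site"]
    route = best_route(site["routes"], peer)
    if route is None:
        return [f"{name}: no route to GRE peer {peer}"]
    if route["remote_site"] != vpn:
        return [f"{name}: GRE peer {peer} leaves via {route['remote_site']}, not VPN {vpn}"]
    if route["mask"] != "255.255.255.255":
        return [f"{name}: route to {peer} is not a host route"]
    return []

def check_pair(hq, branch):
    """Check both routers and that each tunnel points at the other's extranet address."""
    findings = check_site("headquarters", hq) + check_site("branch", branch)
    if hq["gre_peer"] != branch["extranet_ip"] or branch["gre_peer"] != hq["extranet_ip"]:
        findings.append("GRE peer addresses do not mirror the extranet addresses")
    return findings

# Constructed model of the two configurations from this example
DEFAULT = {"dest": "0.0.0.0", "mask": "0.0.0.0", "remote_site": "INTERNET"}
HQ = {"extranet_ip": "193.1.1.1", "gre_peer": "193.1.1.2", "vpn_remote_site": "BRANCH",
      "routes": [{"dest": "193.1.1.2", "mask": "255.255.255.255",
                  "remote_site": "BRANCH"}, DEFAULT]}
BRANCH = {"extranet_ip": "193.1.1.2", "gre_peer": "193.1.1.1",
          "vpn_remote_site": "HEADQUARTERS",
          "routes": [{"dest": "193.1.1.1", "mask": "255.255.255.255",
                      "remote_site": "HEADQUARTERS"}, DEFAULT]}
# Same branch router with the host route from step 3.5 missing
BRANCH_NO_HOST_ROUTE = dict(BRANCH, routes=[DEFAULT])

if __name__ == "__main__":
    print(check_pair(HQ, BRANCH))
    print(check_pair(HQ, BRANCH_NO_HOST_ROUTE))
```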