Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

GRE over IPSEC with one side having a dynamic IP address

kasper123
Occasional Advisor

GRE over IPSEC with one side having a dynamic IP address

Hi,

 

I'm looking for a way to configure GRE over IPSEC with one side of the tunnel being a ADSL line with a dynamic IP address.

 

I successfully configured GRE over IPSEC with both sides having static IP addresses but if one side has a dynamic IP not sure what to use for a tunnel source / destination for the dynamic IP. 

 

Regards.

3 REPLIES
Mike_ES
Valued Contributor

Re: GRE over IPSEC with one side having a dynamic IP address

Hi,

What I can advice you is to check attached TCG and try to combine GRE and IPsec P2MP setup.

I hadn't this case, but you can try. Probably, you will have to migrate to pure IPsec to achieve dyamic WAN IP address alocation. Also you didn't mention which platform you have (Comware 5 or 7)?

 

Two attached files are:

 

HP MSR Router GRE over IPSec TCG v1.3_Jan2014.pdf

 

IPsec P2MP setup with zero touch in hub.pdf

 

ZIP file: 1,6M

 

Br,

Michal

kasper123
Occasional Advisor

Re: GRE over IPSEC with one side having a dynamic IP address

Hi Michal,

 

Thank you for your answer. The routers are brand new MSR routers (MSR3024 and MSR2003) with the latest software releases.

 

I saw the documents you sent but in the configurations they use the ip addresses of the public interfaces as endpoints but the problem is that one side will have a dynamic IP address so I can't use that information in the configuration.

 

Regards.

Mike_ES
Valued Contributor

Re: GRE over IPSEC with one side having a dynamic IP address

The P2MP doc  include IPsec solution dynamic IP without GRE, but I think there is only one part in your configuration to change:

 

Hub:

Create a keychain named key 1 and specify the pre-shared key. In this scenario, we create an open keychain with 1 password to any address. There could be more than 1 keychain with multiple passwords defined to address spaces.

 

ike keychain key1
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple password

 

At Spoke side,  of course you need to provide static public IP for the HUB to setup the tunnel. I assume, on the Spoke/Remote site you have public IP but dynamically assigned by ISP (PPPoE).

 

Br,

Mike