5. HSA VPN tunnel
Generic Routing Encapsulation (GRE) is a tunnelling protocol that can encapsulate a wide variety of network-layer protocols inside virtual point-to-point links over an Internet Protocol network. It can also be used to build Virtual Private Networks (VPNs) between sites. Note, however, that unlike an IPsec tunnel, a GRE tunnel only encapsulates data; it does not encrypt it. GRE is therefore typically used in conjunction with an IPsec tunnel. Because an IPsec tunnel doesn't support multicast traffic (and therefore doesn't support routing protocols), we usually encapsulate with GRE first and then encrypt the GRE traffic with IPsec, an arrangement usually called "GRE over IPsec".
Both CMG and HSA support GRE tunnels. This section focuses only on configuring a GRE tunnel on the HSA using the Web GUI. Please refer to the earlier section for CMG GRE tunnel configuration.
When configuring a GRE tunnel, please take note:
- A GRE tunnel does not encrypt data. It only "tunnels" data along a specific path. If this is good enough, then it's a good choice because it consumes little processing power; otherwise use an IPsec tunnel or "GRE over IPsec".
- Both peers must have a static WAN IP address, and they must be able to reach each other (test by pinging between the WAN IP addresses).
- If there's a firewall in between, the firewall must permit the GRE protocol (IP/47).
- Both ends can be HSA, or one end (e.g. the hub) can be any other device supporting the GRE protocol (e.g. a Cisco router or CMG).
The guide below shows how to configure a GRE tunnel on the HSA. If both ends are HSA, follow the same steps on both boxes. If the hub end is a CMG, follow the CMG CLI guide; for other vendors' products, follow their user guide.
1. On the HSA, configure the GRE tunnel: select the GRE protocol and specify the remote endpoint IP address.
2. Now create a static interface and map it to the GRE tunnel. Note that the "Custom interface name" has to match the earlier GRE tunnel name.
3. Add a static route for the remote-end network via the GRE tunnel interface.
4. Configure the firewall to allow GRE packets through the WAN interface.
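
The notes above say that GRE only encapsulates data and travels as IP protocol 47. The following added example (not from the original guide or the vendor) builds a constructed GRE-in-IPv4 packet and shows that the inner payload is recovered from a capture by header parsing alone, with no key involved; all addresses and the payload are made-up sample values.

```python
import struct

GRE_PROTO = 47          # IP protocol number the firewall must permit (IP/47)
ETHERTYPE_IPV4 = 0x0800

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet; checksum left at 0 (constructed sample, never sent)."""
    to_bytes = lambda ip: bytes(map(int, ip.split(".")))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, to_bytes(src), to_bytes(dst))
    return hdr + payload

def gre_encap(inner):
    """RFC 2784 base header: no flags, version 0, protocol type IPv4."""
    return struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner

def parse_ipv4(pkt):
    """Return (protocol number, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    return pkt[9], pkt[ihl:total]

def gre_decap(gre):
    """Return (protocol type, inner packet), skipping optional GRE fields."""
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    off = 4
    for bit in (0x8000, 0x2000, 0x1000):   # checksum, key, sequence number
        if flags & bit:
            off += 4
    return ptype, gre[off:]

def observe(wire):
    """What an on-path capture yields from one tunnel packet (None if not GRE/IPv4)."""
    proto, body = parse_ipv4(wire)
    if proto != GRE_PROTO:
        return None
    ptype, inner = gre_decap(body)
    if ptype != ETHERTYPE_IPV4:
        return None
    return parse_ipv4(inner)[1]

# Constructed sample: LAN-to-LAN packet (protocol 253 = experimental, so the
# payload follows the IP header directly) tunnelled between two WAN addresses.
SECRET = b"user=admin&pass=example"
INNER = ipv4("192.168.1.10", "192.168.2.20", 253, SECRET)
WIRE = ipv4("198.51.100.1", "203.0.113.1", GRE_PROTO, gre_encap(INNER))

if __name__ == "__main__":
    print("outer protocol:", parse_ipv4(WIRE)[0])
    print("recovered payload:", observe(WIRE))
```

Wrapping the same GRE packet in IPsec ("GRE over IPsec") is what removes the readable inner packet from the wire.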