
Westermo RedFox Series User Manual

Page 780


Westermo OS Management Guide

Version 4.17.0-0

Fig. 34.1 shows a GRE tunnel example. The IP addresses in the outer IP header are the tunnel endpoints (a.b.c.d and e.f.g.h). The selection of IP addresses when defining GRE tunnel endpoints depends on the use case. Two common examples are described further in this section:

Generic use of GRE tunnels: GRE can be used as a generic IP-in-IP tunnel. E.g., if Alice and Bob are NAT gateways, a GRE tunnel can be used to tunnel traffic between the local subnets (subnet-A and subnet-B). The GRE tunnel endpoints (a.b.c.d and e.f.g.h) should be routable IP addresses, and would typically be the public addresses of Alice and Bob (i.e., Alice's and Bob's IP addresses on their respective interfaces towards the Internet).

Using GRE together with IPsec: GRE can be used together with IPsec to enable an IPsec VPN to carry dynamic routing protocols such as OSPF. This enables the creation of robust IPsec VPNs capable of automatic failover to a redundant path if one connection fails. As of WeOS v4.17.0, redundant VPN solutions can be achieved by running two VPN gateways (IPsec, GRE, and OSPF) at each site, as shown in fig. 34.2.

In this case the IP addresses used for GRE tunnel endpoints should not be publicly routable. Instead, the IP address a.b.c.d’ used by Alice1 would typically be an address within local subnet-A. To avoid problems when the local interface goes up/down, Alice1 could assign IP address a.b.c.d’ as a secondary address to her loopback interface.
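To make the outer/inner address split concrete, the following Python example (added here; it is not part of the Westermo manual and is not WeOS code) builds a GRE-encapsulated IPv4 packet, parses it back, and checks the GRE-with-IPsec guidance that tunnel endpoints sit inside the local subnets. The 10.0.x.x addresses and subnets are constructed stand-ins for a.b.c.d’, e.f.g.h’, subnet-A and subnet-B, and all function names are hypothetical.

```python
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number carried in the outer header for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 in this constructed sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Outer IP header (tunnel endpoints) + basic 4-byte GRE header + inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no optional fields, version 0
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def ip_addresses(pkt):
    """Return (src, dst, protocol, header_length) of an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    return ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]), pkt[9], ihl

def gre_decapsulate(pkt):
    """Return ((outer_src, outer_dst), (inner_src, inner_dst)) for a GRE/IPv4 packet."""
    o_src, o_dst, proto, ihl = ip_addresses(pkt)
    if proto != GRE_PROTO or len(pkt) < ihl + 4:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if flags & 0x0007 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE version or payload type")
    # Checksum (0x8000), key (0x2000) and sequence (0x1000) each add 4 bytes.
    skip = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    i_src, i_dst, _, _ = ip_addresses(pkt[ihl + skip:])
    return (o_src, o_dst), (i_src, i_dst)

def endpoints_outside_subnets(endpoints, subnet_a, subnet_b):
    """GRE-with-IPsec case: list endpoints that are inside neither local subnet."""
    nets = (ipaddress.ip_network(subnet_a), ipaddress.ip_network(subnet_b))
    return [str(ep) for ep in endpoints if not any(ep in net for net in nets)]

# Constructed sample: a host in subnet-A sends to a host in subnet-B via Alice1 -> Bob1.
SUBNET_A, SUBNET_B = "10.0.1.0/24", "10.0.2.0/24"
inner = ipv4_header("10.0.1.50", "10.0.2.60", 17, 0)      # header-only UDP stand-in
packet = gre_encapsulate(inner, "10.0.1.1", "10.0.2.1")   # stand-ins for a.b.c.d' and e.f.g.h'
outer, inner_addrs = gre_decapsulate(packet)
print("outer (tunnel endpoints):", *outer, "| inner (subnet hosts):", *inner_addrs)
print("endpoints outside local subnets:", endpoints_outside_subnets(outer, SUBNET_A, SUBNET_B))
```

An endpoint reported by `endpoints_outside_subnets` is one to review against the guidance above before the tunnel is deployed behind IPsec.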

[Figure: VPN gateways Alice1 and Alice2 (local subnet-A) and Bob1 and Bob2 (local subnet-B) connected across the Internet; tunnel endpoint IP addresses a.b.c.d’, a.b.c.d’’, e.f.g.h’ and e.f.g.h’’.]

Figure 34.2: Redundant VPN solutions can be achieved by running two VPN gateways (IPsec/GRE/OSPF) at each site.


© 2015 Westermo Teleindustri AB
