WatchGuard Support Center

Knowledge Base - Article

 Configure EoGRE over IPSec in Wi-Fi Cloud

How do I configure EoGRE over IPSec for Wi-Fi Cloud APs?

Tunneling provides a mechanism to transport packets of a protocol within another protocol. Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms that uses IP as the transport protocol to encapsulate other different protocols. The tunnels behave as a virtual point-to-point link that has two endpoints identified by the tunnel source and tunnel destination addresses at each endpoint.

For more information on using EoGRE in Wi-Fi Cloud, see Configure an EoGRE tunnel from a WatchGuard Wi-Fi Cloud AP to a GRE endpoint.

When you use EoGRE over IPSec, GRE encapsulates the layer 2 traffic and IPSec encrypts the traffic encapsulated by GRE. IPSec provides encryption security for IP packets to encrypt sensitive data, perform authentication, and protect against replay and data confidentiality. Use IPSec with GRE to provide a secure and flexible VPN solution.

EoGRE over IPSec provides support for both IKEv1 and IKEv2 using Tunnel and Transport mode.

To use EoGRE over IPSec in Wi-Fi Cloud:

  1. Open Manage.
  2. Select Configuration > Device Configuration > Network Interfaces.
  3. Click Add Network Interface Profile.
  4. Type a Profile Name and select EoGRE over IPSec as the Tunnel Type.
  5. In the Ethernet over GRE section, type the Remove Endpoint IP address/Hostname, the GRE Primary Key, and the Local Endpoint VLAN.
User-added image
  1. In the IPSec section, type the Remote Endpoint IP address/Hostname, and select the tunnel Mode (Tunnel or Transport).
User-added image
  1. Specify the IPSec Phase-I and Phase-II parameters:
  • Specify the authentication method for the AP and remote endpoint (PSK is used for this example).
  • (Optional) Type an identifier for the AP and endpoint. If not specified, the IP address is used. Type a corresponding PSK key input identifier. This must match for the AP and remote endpoint.
  • We recommend you use the default settings for the other options, of customize the settings for your deployment.
  1. Click Save to save the Network Interface Profile.

You must now add the Network Interface profile you created to an SSID Profile:

  1. Select Configuration > Device Configuration > SSID Profiles.
  2. Expand the Network section.
  3. Set the VLAN ID to the value you used as the Local Endpoint VLAN in the Network Interface Profile.
  4. Enable the Remote Bridging option. We recommend you also set Inter AP Coordination to Manage Server if Remote Bridging is enabled.
  5. From the Network Interface Profile drop-down list, select the the Network Interface Profile you created.
  6. Save the SSID Profile.
User-added image