Handbook

6.0.0
Configuration overview

This section covers configuring the FortiGate unit and then configuring the Cisco router.

Configuring the FortiGate unit

There are several steps to the GRE-over-IPsec configuration:

  • Enable overlapping subnets. This is needed because the IPsec and GRE tunnels will use the same addresses.
  • Configure a route-based IPsec VPN on the external interface.
  • Configure a GRE tunnel on the virtual IPsec interface. Set its local gateway and remote gateway addresses to match the local and remote gateways of the IPsec tunnel.
  • Configure security policies to allow traffic to pass in both directions between the GRE virtual interface and the IPsec virtual interface.
  • Configure security policies to allow traffic to pass in both directions between the protected network interface and the GRE virtual interface.
  • Configure a static route to direct traffic destined for the network behind the Cisco router into the GRE-over-IPsec tunnel.

Enabling overlapping subnets

By default, each FortiGate unit network interface must be on a separate network. The configuration described in this chapter assigns an IPsec tunnel endpoint and the external interface to the same network. Enable subnet overlap as follows:

config system settings
    set allow-subnet-overlap enable
end

Configuring the IPsec VPN

A route-based VPN is required. It must use encryption and authentication algorithms compatible with the Cisco equipment to which it connects. In this chapter, preshared key authentication is shown.

Configuring the IPsec VPN - GUI

  1. Define the Phase 1 configuration needed to establish a secure connection with the remote Cisco device. Enter these settings in particular:

     Name: Enter a name to identify the VPN tunnel, tocisco for example. This is the name of the virtual IPsec interface. It appears in Phase 2 configurations, security policies and the VPN monitor.
     Remote Gateway: Select Static IP Address.
     IP Address: Enter the IP address of the Cisco device public interface. For example, 192.168.5.113.
     Local Interface: Select the FortiGate unit’s public interface. For example, 172.20.120.141.
     Mode: Select Main (ID Protection).
     Authentication Method: Preshared Key
     Pre-shared Key: Enter the preshared key. It must match the preshared key on the Cisco device.
     Advanced: Select the Advanced button to see the following settings.
     Phase 1 Proposal: 3DES-MD5. At least one proposal must match the settings on the Cisco unit.

     For more information about these settings, see Phase 1 parameters.

  2. Define the Phase 2 parameters needed to create a VPN tunnel with the remote peer. For compatibility with the Cisco router, Quick Mode Selectors must be entered, which includes specifying protocol 47, the GRE protocol. Enter these settings in particular:

     Phase 2 Proposal: 3DES-MD5. At least one proposal must match the settings on the Cisco unit.
     Quick Mode Selector:
       Source Address: Enter the GRE local tunnel end IP address. For example 172.20.120.141.
       Source Port: 0
       Destination Address: Enter the GRE remote tunnel end IP address. For example 192.168.5.113.
       Destination Port: 0
       Protocol: 47

     For more information about these settings, see Phase 2 parameters.

  3. If the Cisco device is configured to use transport mode IPsec, you need to use transport mode on the FortiGate VPN. You can configure this only in the CLI. In your Phase 2 configuration, set encapsulation to transport-mode as follows:

     config vpn ipsec phase2-interface
         edit tocisco_p2
             set encapsulation transport-mode
         end

Configuring the IPsec VPN - CLI

config vpn ipsec phase1-interface
    edit tocisco
        set interface port1
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 192.168.5.113
        set psksecret xxxxxxxxxxxxxxxx
    end

config vpn ipsec phase2-interface
    edit tocisco_p2
        set phase1name "tocisco"
        set proposal 3des-md5
        set encapsulation tunnel-mode // if tunnel mode
        set encapsulation transport-mode // if transport mode
        set protocol 47
        set src-addr-type ip
        set src-start-ip 172.20.120.141
        set dst-addr-type ip
        set dst-start-ip 192.168.5.113
    end

Enter only one of the two encapsulation lines, matching the mode configured on the Cisco router. The selector lines restrict the tunnel to GRE (protocol 47) between the two gateway addresses; dst-addr-type ip is required so that dst-start-ip is accepted.

Adding IPsec tunnel end addresses

The Cisco configuration requires an address for its end of the IPsec tunnel. The addresses are set to match the GRE gateway addresses. Use the CLI to set the addresses, like this:

config system interface
    edit tocisco
        set ip 172.20.120.141 255.255.255.255
        set remote-ip 192.168.5.113
    end

Configuring the GRE tunnel

The GRE tunnel runs between the virtual IPsec public interface on the FortiGate unit and the Cisco router. You must use the CLI to configure a GRE tunnel. In the example, you would enter:

config system gre-tunnel
    edit gre1
        set interface tocisco
        set local-gw 172.20.120.141
        set remote-gw 192.168.5.113
    end

Here, interface is the virtual IPsec interface, local-gw is the FortiGate unit's public IP address, and remote-gw is the Cisco device's public IP address.

Adding GRE tunnel end addresses

You will also need to add tunnel end addresses. The Cisco router configuration requires an address for its end of the GRE tunnel. Using the CLI, enter tunnel end addresses that are not used elsewhere on the FortiGate unit, like this:

config system interface
    edit gre1
        set ip 10.0.1.1 255.255.255.255
        set remote-ip 10.0.1.2
    end

Configuring security policies

Two sets of security policies are required:

  • Policies to allow traffic to pass in both directions between the GRE virtual interface and the IPsec virtual interface.
  • Policies to allow traffic to pass in both directions between the protected network interface and the GRE virtual interface.

Configuring security policies - GUI

  1. Define an ACCEPT firewall security policy to permit communications between the protected network and the GRE tunnel:

     Incoming Interface: Select the interface that connects to the private network behind this FortiGate unit.
     Source Address: All
     Outgoing Interface: Select the GRE tunnel virtual interface you configured.
     Destination Address: All
     Action: ACCEPT
     Enable NAT: Disable

  2. To permit the remote client to initiate communication, you need to define a firewall security policy for communication in that direction:

     Incoming Interface: Select the GRE tunnel virtual interface you configured.
     Source Address: All
     Outgoing Interface: Select the interface that connects to the private network behind this FortiGate unit.
     Destination Address: All
     Action: ACCEPT
     Enable NAT: Disable

  3. Define a pair of ACCEPT firewall security policies to permit traffic to flow between the GRE virtual interface and the IPsec virtual interface:

     Incoming Interface: Select the GRE virtual interface. See Configuring the GRE tunnel.
     Source Address: All
     Outgoing Interface: Select the virtual IPsec interface you created. See Configuring the IPsec VPN.
     Destination Address: All
     Action: ACCEPT
     Enable NAT: Disable

     Incoming Interface: Select the virtual IPsec interface you created. See Configuring the IPsec VPN.
     Source Address: All
     Outgoing Interface: Select the GRE virtual interface. See Configuring the GRE tunnel.
     Destination Address: All
     Action: ACCEPT
     Enable NAT: Disable

Configuring security policies - CLI

config firewall policy
    edit 1 // LAN to GRE tunnel
        set srcintf "port2"
        set dstintf "gre1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2 // GRE tunnel to LAN
        set srcintf "gre1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3 // GRE tunnel to IPsec interface
        set srcintf "gre1"
        set dstintf "tocisco"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 4 // IPsec interface to GRE tunnel
        set srcintf "tocisco"
        set dstintf "gre1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    end

Configuring routing

Traffic destined for the network behind the Cisco router must be routed to the GRE tunnel. To do this, create a static route:

  1. Go to Network > Static Routes and select Create New.
  2. Enter the following information and select OK.

     Destination IP/Mask: Enter the IP address and netmask for the network behind the Cisco router. For example 10.21.101.0 255.255.255.0.
     Device: Select the GRE virtual interface.
     Distance (Advanced): Leave the setting at its default value.

In the CLI, using the example values, you would enter:

config router static
    edit 0
        set device gre1
        set dst 10.21.101.0 255.255.255.0
    end

Changing GRE over GRE tunnel interface attributes

Administrators can change the attributes of a GRE-over-GRE tunnel interface, such as assigning it an IP address needed for a specific configuration, even if the child interface is not an IPsec tunnel interface.

IPv6 support for GRE tunnels

Support is provided for GRE tunnel termination using IPv6 addresses on both ends of the tunnel (similar to IPv4 functionality).

Syntax

config system gre-tunnel
    edit <name>
        set ip-version 6
        set remote-gw6 11:1:1::1
        set local-gw6 11:1:1::2
        ...
    next
end

Configuring the Cisco router

Using Cisco IOS, you would configure the Cisco router as follows, using the addresses from the example:

configure terminal
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 no mode
 exit
no ip access-list extended tunnel
ip access-list extended tunnel
 permit gre host 192.168.5.113 host 172.20.120.141
 exit
interface Tunnel1
 ip address 10.0.1.2 255.255.255.0
 tunnel source 192.168.5.113
 tunnel destination 172.20.120.141
!
ip route 10.11.101.0 255.255.255.0 Tunnel1
end
clear crypto sa
clear crypto isakmp

For transport mode, replace no mode with mode transport in the transform set.

This is only the portion of the Cisco router configuration that applies to the GRE-over-IPsec tunnel. For more information, refer to the Cisco documentation.
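Most GRE-over-IPsec failures come from the two ends disagreeing on an address, a selector, or a missing policy direction. As an added example (not Fortinet's or Cisco's code), the script below parses condensed copies of this section's FortiGate CLI and Cisco IOS snippets and reports every value that must match but does not: the GRE and IPsec gateway addresses, the protocol-47 Phase 2 selector, the GRE tunnel-end address, the Cisco ACL, and the presence of a firewall policy in each direction between the GRE and IPsec interfaces. The sample text is constructed from the page's values with commands separated by ';' to keep it short; the function names are the example's own.

```python
import re

# Constructed sample, condensed from this page; ';' separates commands to keep it short.
FORTIGATE_CLI = """
config vpn ipsec phase2-interface; edit tocisco_p2; set protocol 47
set src-start-ip 172.20.120.141; set dst-start-ip 192.168.5.113; end
config system gre-tunnel; edit gre1; set interface tocisco
set local-gw 172.20.120.141; set remote-gw 192.168.5.113; end
config system interface; edit gre1; set remote-ip 10.0.1.2; end
config firewall policy; edit 3; set srcintf gre1; set dstintf tocisco; next
edit 4; set srcintf tocisco; set dstintf gre1; end
"""
CISCO_IOS = """
ip access-list extended tunnel
permit gre host 192.168.5.113 host 172.20.120.141
interface Tunnel1
ip address 10.0.1.2 255.255.255.0
tunnel source 192.168.5.113
tunnel destination 172.20.120.141
"""

def parse_fortios(text):
    """Map (table, entry name) -> {key: value} for every 'config ... / edit ...' block."""
    blocks, table, entry = {}, None, None
    for cmd in re.split(r"[;\n]", text):
        words = cmd.split("//")[0].replace('"', "").split()  # drop the page's // notes
        if not words:
            continue
        if words[0] == "config":
            table = " ".join(words[1:])
        elif words[0] == "edit":
            entry = blocks[(table, words[1])] = {}
        elif words[0] == "set":
            entry[words[1]] = " ".join(words[2:])
    return blocks

def check(fgt_text, ios_text):
    """Return a list of mismatch descriptions; an empty list means the two ends agree."""
    fgt = parse_fortios(fgt_text)
    ios = dict(re.findall(r"^(tunnel source|tunnel destination|ip address) (\S+)", ios_text, re.M))
    acl = re.search(r"permit gre host (\S+) host (\S+)", ios_text)
    gre = fgt[("system gre-tunnel", "gre1")]
    p2 = fgt[("vpn ipsec phase2-interface", "tocisco_p2")]
    ends = fgt[("system interface", "gre1")]
    pairs = [  # (description, FortiGate-side value, value it must equal)
        ("GRE local-gw vs Cisco tunnel destination", gre["local-gw"], ios["tunnel destination"]),
        ("GRE remote-gw vs Cisco tunnel source", gre["remote-gw"], ios["tunnel source"]),
        ("Phase 2 selector source vs GRE local-gw", p2["src-start-ip"], gre["local-gw"]),
        ("Phase 2 selector destination vs GRE remote-gw", p2["dst-start-ip"], gre["remote-gw"]),
        ("Phase 2 selector protocol must be GRE (47)", p2["protocol"], "47"),
        ("gre1 remote-ip vs Cisco Tunnel1 address", ends["remote-ip"], ios["ip address"]),
        ("Cisco ACL source vs tunnel source", acl.group(1), ios["tunnel source"]),
        ("Cisco ACL destination vs tunnel destination", acl.group(2), ios["tunnel destination"]),
    ]
    problems = [f"{what}: {a} != {b}" for what, a, b in pairs if a != b]
    # GRE traffic both enters and leaves the IPsec interface, so each direction needs a policy.
    flows = {(v.get("srcintf"), v.get("dstintf")) for (t, _), v in fgt.items() if t == "firewall policy"}
    for src, dst in [("gre1", "tocisco"), ("tocisco", "gre1")]:
        if (src, dst) not in flows:
            problems.append(f"missing firewall policy {src} -> {dst}")
    return problems

if __name__ == "__main__":
    print(check(FORTIGATE_CLI, CISCO_IOS) or "both ends agree")
```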

Keep-alive support for GRE

The FortiGate can send GRE keep-alives to a Cisco device to detect whether the GRE tunnel is up. If the keep-alive fails keepalive-failtimes times in a row, the FortiGate removes any routes over the GRE interface.

Syntax

config system gre-tunnel
    edit <id>
        set keepalive-interval <value: 0-32767>
        set keepalive-failtimes <value: 1-255>
    next
end
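The keep-alive mechanism above, as an added Python example that is not FortiOS or Cisco code. It builds the Cisco-style GRE keepalive (an outer GRE packet whose payload is a second IP+GRE packet with the addresses reversed and GRE protocol type 0), shows how the peer decapsulates and reflects it, and models keepalive-failtimes: after that many consecutive missed replies the routes over the GRE interface are withdrawn. The packet layout follows Cisco's documented keepalive; the monitor's restore-on-first-reply behaviour, the sample route string and all function names are assumptions.

```python
import struct
import ipaddress

GRE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload
GRE_KEEPALIVE = 0   # protocol type 0 with no payload marks the reflected keepalive

def ipv4_header(src, dst, payload_len, proto=47):
    """Minimal 20-byte IPv4 header for an IP protocol 47 (GRE) packet; checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def gre_header(proto):
    return struct.pack("!HH", 0, proto)  # no checksum/key/sequence flags, version 0

def build_keepalive(local, remote):
    """Outer packet local->remote carrying an inner remote->local GRE type-0 packet."""
    inner = ipv4_header(remote, local, 4) + gre_header(GRE_KEEPALIVE)
    return ipv4_header(local, remote, 4 + len(inner)) + gre_header(GRE_IPV4) + inner

def decapsulate(packet):
    """Peer side: strip the outer IP+GRE headers and return the inner packet, or None."""
    if packet[9] != 47 or struct.unpack("!HH", packet[20:24])[1] != GRE_IPV4:
        return None
    return packet[24:]  # the peer now routes this packet to its destination as usual

def is_keepalive_reply(packet, local, remote):
    """Sender side: the reflected inner packet arrives from the peer with GRE type 0."""
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return (packet[9] == 47 and (src, dst) == (remote, local)
            and struct.unpack("!HH", packet[20:24])[1] == GRE_KEEPALIVE)

def exchange(local, remote, peer_reachable=True):
    """One keepalive round trip; True only when the peer reflects the inner packet back."""
    if not peer_reachable:
        return False  # black-holed: nothing comes back before the next interval
    reflected = decapsulate(build_keepalive(local, remote))
    return reflected is not None and is_keepalive_reply(reflected, local, remote)

class KeepaliveMonitor:
    """Mirror of keepalive-failtimes: withdraw routes after that many consecutive misses."""
    def __init__(self, failtimes, routes):
        self.failtimes, self.routes = failtimes, list(routes)
        self.missed, self.up = 0, True

    def tick(self, reply_received):
        """Call once per keepalive-interval; returns the routes currently installed."""
        if reply_received:
            self.missed, self.up = 0, True  # assumption: routes return on the first reply
        else:
            self.missed += 1
            if self.missed >= self.failtimes:
                self.up = False
        return self.routes if self.up else []
```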
