Fortinet black logo

Cookbook

GRE over IPsec

Copy Link
Copy Doc ID fed12558-14f5-11e9-b86b-00505692583a:799752
Download PDF

GRE over IPsec

This is an example of GRE over an IPsec tunnel using a static route over GRE tunnel and tunnel-mode in the phase2-interface settings.

To configure GRE over an IPsec tunnel:
  1. Enable subnet overlapping at both HQ1 and HQ2.
    config system settings
        set allow-subnet-overlap enable
    end
  2. Configure the WAN interface and static route.
    1. HQ1.
      config system interface 
          edit "port1"
              set ip 172.16.200.1 255.255.255.0
          next
          edit "dmz"
              set ip 10.1.100.1 255.255.255.0
          next  
      end
      config router static
          edit 1
              set gateway 172.16.200.3
              set device "port1"
          next
      end
    2. HQ2.
      config system interface
          edit "port25"
              set ip 172.16.202.1 255.255.255.0 
          next
          edit "port9"
              set ip 172.16.101.1 255.255.255.0 
          next     
      end
      config router static
          edit 1
              set gateway 172.16.202.2
              set device "port25"
          next
      end
  3. Configure IPsec phase1-interface and phase2-interface.
    1. HQ1.
      config vpn ipsec phase1-interface
          edit "greipsec"
              set interface "port1"
              set peertype any
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 172.16.202.1
              set psksecret sample
              next
      end
      config vpn ipsec phase2-interface
          edit "greipsec"
              set phase1name "greipsec"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set protocol 47
          next
      end
    2. HQ2.
      config vpn ipsec phase1-interface
          edit "greipsec"
              set interface "port25"
              set peertype any
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 172.16.200.1
              set psksecret sample
              next
      end
      config vpn ipsec phase2-interface
          edit "greipsec"
              set phase1name "greipsec"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set protocol 47
          next
      end
  4. Configure IPsec tunnel interface IP address.
    1. HQ1.
      config system interface
          edit "greipsec"
              set ip 10.10.10.1 255.255.255.255
              set remote-ip 10.10.10.2 255.255.255.255
          next
      end
    2. HQ2.
      config system interface
          edit "greipsec"
              set ip 10.10.10.2 255.255.255.255
              set remote-ip 10.10.10.1 255.255.255.255
          next
      end
  5. Configure the GRE tunnel.
    1. HQ1.
      config system gre-tunnel
          edit "gre_to_HQ2"
              set interface "greipsec"
              set remote-gw 10.10.10.2
              set local-gw 10.10.10.1
          next
      end
    2. HQ2.
      config system gre-tunnel
          edit "gre_to_HQ1"
              set interface "greipsec"
              set remote-gw 10.10.10.1
              set local-gw 10.10.10.2
          next
      end
  6. Configure the firewall policy.
    1. HQ1.
      config firewall policy
          edit 1
              set srcintf "dmz"
              set dstintf "gre_to_HQ2"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set srcintf "gre_to_HQ2"
              set dstintf "dmz"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 3
              set srcintf "greipsec"
              set dstintf "greipsec"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end
    2. HQ2.
      config firewall policy
          edit 1
              set srcintf "port9"
              set dstintf "gre_to_HQ1"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set srcintf "gre_to_HQ1"
              set dstintf "port9"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 3
              set srcintf "greipsec"
              set dstintf "greipsec"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end
  7. Configure the static route.
    1. HQ1.
      config router static
          edit 2
              set dst 172.16.101.0 255.255.255.0
              set device "gre_to_HQ2"
          next
      end
    2. HQ2.
      config router static
          edit 2
              set dst 10.1.100.0 255.255.255.0
              set device "gre_to_HQ1"
          next
      end
To view the VPN tunnel list on HQ1:
diagnose vpn tunnel list
list all ipsec tunnel in vd 0
----
name=greipsec ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/16 options[0010]=create_dev 
proxyid_num=1 child_num=0 refcnt=12 ilast=19 olast=861 ad=/0
stat: rxp=347 txp=476 rxb=58296 txb=51408
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=8
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=greipsec proto=47 sa=1 ref=2 serial=2
  src: 47:0.0.0.0/0.0.0.0:0
  dst: 47:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=41689/0B replaywin=2048
       seqno=15c esn=0 replaywin_lastseq=0000015c itn=0
  life: type=01 bytes=0/0 timeout=42898/43200
  dec: spi=9897bd09 esp=aes key=16 5a60e67bf68379309715bd83931680bf
       ah=sha1 key=20 ff35a329056d0d506c0bfc17ef269978a4a57dd3
  enc: spi=e362f336 esp=aes key=16 5574acd8587c5751a88950e1bf8fbf57
       ah=sha1 key=20 d57ec76ac3c543ac89b2e4d0545518aa2d06669b
  dec:pkts/bytes=347/37476, enc:pkts/bytes=347/58296
To view the static routing table on HQ1:
get router info routing-table static
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 172.16.200.3, port1
S       172.16.101.0/24 [10/0] is directly connected, gre_to_HQ2

GRE over IPsec

This is an example of GRE over an IPsec tunnel using a static route over GRE tunnel and tunnel-mode in the phase2-interface settings.

To configure GRE over an IPsec tunnel:
  1. Enable subnet overlapping at both HQ1 and HQ2.
    config system settings
        set allow-subnet-overlap enable
    end
  2. Configure the WAN interface and static route.
    1. HQ1.
      config system interface 
          edit "port1"
              set ip 172.16.200.1 255.255.255.0
          next
          edit "dmz"
              set ip 10.1.100.1 255.255.255.0
          next  
      end
      config router static
          edit 1
              set gateway 172.16.200.3
              set device "port1"
          next
      end
    2. HQ2.
      config system interface
          edit "port25"
              set ip 172.16.202.1 255.255.255.0 
          next
          edit "port9"
              set ip 172.16.101.1 255.255.255.0 
          next     
      end
      config router static
          edit 1
              set gateway 172.16.202.2
              set device "port25"
          next
      end
  3. Configure IPsec phase1-interface and phase2-interface.
    1. HQ1.
      config vpn ipsec phase1-interface
          edit "greipsec"
              set interface "port1"
              set peertype any
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 172.16.202.1
              set psksecret sample
              next
      end
      config vpn ipsec phase2-interface
          edit "greipsec"
              set phase1name "greipsec"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set protocol 47
          next
      end
    2. HQ2.
      config vpn ipsec phase1-interface
          edit "greipsec"
              set interface "port25"
              set peertype any
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 172.16.200.1
              set psksecret sample
              next
      end
      config vpn ipsec phase2-interface
          edit "greipsec"
              set phase1name "greipsec"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set protocol 47
          next
      end
  4. Configure IPsec tunnel interface IP address.
    1. HQ1.
      config system interface
          edit "greipsec"
              set ip 10.10.10.1 255.255.255.255
              set remote-ip 10.10.10.2 255.255.255.255
          next
      end
    2. HQ2.
      config system interface
          edit "greipsec"
              set ip 10.10.10.2 255.255.255.255
              set remote-ip 10.10.10.1 255.255.255.255
          next
      end
  5. Configure the GRE tunnel.
    1. HQ1.
      config system gre-tunnel
          edit "gre_to_HQ2"
              set interface "greipsec"
              set remote-gw 10.10.10.2
              set local-gw 10.10.10.1
          next
      end
    2. HQ2.
      config system gre-tunnel
          edit "gre_to_HQ1"
              set interface "greipsec"
              set remote-gw 10.10.10.1
              set local-gw 10.10.10.2
          next
      end
  6. Configure the firewall policy.
    1. HQ1.
      config firewall policy
          edit 1
              set srcintf "dmz"
              set dstintf "gre_to_HQ2"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set srcintf "gre_to_HQ2"
              set dstintf "dmz"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 3
              set srcintf "greipsec"
              set dstintf "greipsec"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end
    2. HQ2.
      config firewall policy
          edit 1
              set srcintf "port9"
              set dstintf "gre_to_HQ1"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set srcintf "gre_to_HQ1"
              set dstintf "port9"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 3
              set srcintf "greipsec"
              set dstintf "greipsec"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end
  7. Configure the static route.
    1. HQ1.
      config router static
          edit 2
              set dst 172.16.101.0 255.255.255.0
              set device "gre_to_HQ2"
          next
      end
    2. HQ2.
      config router static
          edit 2
              set dst 10.1.100.0 255.255.255.0
              set device "gre_to_HQ1"
          next
      end
To view the VPN tunnel list on HQ1:
diagnose vpn tunnel list
list all ipsec tunnel in vd 0
----
name=greipsec ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/16 options[0010]=create_dev 
proxyid_num=1 child_num=0 refcnt=12 ilast=19 olast=861 ad=/0
stat: rxp=347 txp=476 rxb=58296 txb=51408
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=8
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=greipsec proto=47 sa=1 ref=2 serial=2
  src: 47:0.0.0.0/0.0.0.0:0
  dst: 47:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=41689/0B replaywin=2048
       seqno=15c esn=0 replaywin_lastseq=0000015c itn=0
  life: type=01 bytes=0/0 timeout=42898/43200
  dec: spi=9897bd09 esp=aes key=16 5a60e67bf68379309715bd83931680bf
       ah=sha1 key=20 ff35a329056d0d506c0bfc17ef269978a4a57dd3
  enc: spi=e362f336 esp=aes key=16 5574acd8587c5751a88950e1bf8fbf57
       ah=sha1 key=20 d57ec76ac3c543ac89b2e4d0545518aa2d06669b
  dec:pkts/bytes=347/37476, enc:pkts/bytes=347/58296
To view the static routing table on HQ1:
get router info routing-table static
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 172.16.200.3, port1
S       172.16.101.0/24 [10/0] is directly connected, gre_to_HQ2