Fortinet Document Library

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Cisco GRE-over-IPsec VPN

This is a sample configuration of a FortiGate VPN that is compatible with Cisco-style VPNs that use GRE in an IPsec tunnel. Cisco products with VPN support often use the GRE protocol tunnel over IPsec encryption. Cisco VPNs can use either transport mode or tunnel mode IPsec.

Topology

In this example, LAN1 users are provided with access to LAN2.

Configuring the FortiGate

There are five steps to configure GRE-over-IPsec with a FortiGate and Cisco router:

  1. Enable overlapping subnets.
  2. Configure a route-based IPsec VPN on the external interface.
  3. Configure a GRE tunnel on the virtual IPsec interface.
  4. Configure security policies.
  5. Configure the static route.
Enabling overlapping subnets

Overlapping subnets are required because the IPsec and GRE tunnels will use the same addresses. By default, each FortiGate network interface must be on a separate network. This configuration assigns an IPsec tunnel endpoint and the external interface to the same network.

To enable overlapping subnets:
config system settings
    set allow-subnet-overlap enable
    next
end
Configuring a route-based IPsec VPN

A route-based VPN that use encryption and authentication algorithms compatible with the Cisco router is required. Pre-shared key authentication is used in this configuration.

To configure route-based IPsec in the GUI:
  1. Go to VPN > IPsec Wizard and select the Custom template.
  2. Enter the tunnel name (tocisco) and click Next.
  3. Enter the following:

    Remote Gateway

    Static IP Address

    IP Address

    Cisco router public interface (192.168.5.113)

    Interface

    FortiGate public interface (172.20.120.141)

    Authentication Method

    Pre-shared Key

    Pre-shared Key

    Entry must match the pre-shared key on the Cisco router

    Mode

    Main (ID Protection)

    Phase 1 Proposal

    3DES-SHA1, AES128-SHA1 (at least one proposal must match the settings on the Cisco router)

    Local Address

    GRE local tunnel endpoint IP address (172.20.120.141)

    Remote Address

    GRE remote tunnel endpoint IP address (192.168.5.113)

    Phase 2 Proposal

    3DES-MD5 (at least one proposal must match the settings on the Cisco router)

    Local Port

    0

    Remote Port

    0

    Protocol

    47

  4. Click OK.
  5. If the Cisco router is configured to use transport mode IPsec, configure transport mode on the FortiGate:
    config vpn phase2-interface
        edit tocisco_p2
            set encapsulation transport-mode
        next
    end
To configure route-based IPsec in the CLI:
config vpn ipsec phase1-interface
    edit tocisco
        set interface port1
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 192.168.5.113
        set psksecret xxxxxxxxxxxxxxxx
    next
end
config vpn ipsec phase2-interface
    edit tocisco_p2
        set phase1name tocisco
        set proposal 3des-md5
        set encapsulation [tunnel-mode | transport-mode]
        set protocol 47
        set src-addr-type ip
        set dst-start-ip 192.168.5.113
        set src-start-ip 172.20.120.141
    next
end
To add the IPsec tunnel end addresses:
config system interface
    edit tocisco
        set ip 172.20.120.141 255.255.255.255
        set remote-ip 192.168.5.113
    next
end
Configuring the GRE tunnel

The local gateway and remote gateway addresses must match the local and remote gateways of the IPsec tunnel. The GRE tunnel runs between the virtual IPsec public interface on the FortiGate unit and the Cisco router.

To configure the GRE tunnel:
config system gre-tunnel
    edit gre1
        set interface tocisco
        set local-gw 172.20.120.141
        set remote-gw 192.168.5.113
        set keepalive-interval <integer>
        set keepalive-failtimes <integer>
    next
end

The Cisco router configuration requires an address for its end of the GRE tunnel, so you need to add the tunnel end addresses.

To add the tunnel end addresses:
config system interface
    edit gre1
        set ip 10.0.1.1 255.255.255.255
        set remote-ip 10.0.1.2
    next
end
Configuring the security policies

Two sets of security policies are required:

  • Policies to allow traffic to pass in both directions between the GRE virtual interface and the IPsec virtual interface.
  • Policies to allow traffic to pass in both directions between the protected network interface and the GRE virtual interface.
To configure security policies in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.
  2. Enter the following to allow traffic between the protected network and the GRE tunnel:

    Name

    LANtoGRE

    Incoming Interface

    Interface that connects to the private network behind the FortiGate (port2)

    Outgoing Interface

    GRE tunnel virtual interface (gre1)

    Source

    All

    Destination

    All

    Action

    ACCEPT

    NAT

    Disable

  3. Click OK.
  4. Create a new policy and enter the following to allow traffic between the GRE tunnel and the protected network:

    Name

    GREtoLAN

    Incoming Interface

    GRE tunnel virtual interface (gre1)

    Outgoing Interface

    Interface that connects to the private network behind the FortiGate (port2)

    Source

    All

    Destination

    All

    Action

    ACCEPT

    NAT

    Disable

  5. Click OK.
  6. Create a new policy and enter the following to allow traffic between the GRE virtual interface and the IPsec virtual interface:

    Name

    GREtoIPsec

    Incoming Interface

    GRE tunnel virtual interface (gre1)

    Outgoing Interface

    Virtual IPsec interface (tocisco)

    Source

    All

    Destination

    All

    Action

    ACCEPT

    NAT

    Disable

  7. Click OK.
  8. Create a new policy and enter the following to allow traffic between the IPsec virtual interface and the GRE virtual interface:

    Name

    IPsectoGRE

    Incoming Interface

    Virtual IPsec interface (tocisco)

    Outgoing Interface

    GRE tunnel virtual interface (gre1)

    Source

    All

    Destination

    All

    Action

    ACCEPT

    NAT

    Disable

  9. Click OK.
To configure security policies in the CLI:
config firewall policy
    edit 1
        set name LANtoGRE
        set srcintf port2
        set dstintf gre1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 2
        set name GREtoLAN
        set srcintf gre1
        set dstintf port2
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 3
        set name GREtoIPsec
        set srcintf gre1
        set dstintf tocisco
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 4
        set name IPsectoGRE
        set srcintf tocisco
        set dstintf gre1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end
Configuring routing

to direct traffic destined for the network behind the Cisco router into the GRE-over-IPsec tunnelTraffic destined for the network behind the Cisco router must be routed to the GRE tunnel. To do this, create a static route

To create the static route in the GUI:
  1. Go to Network > Static Routes and click Create New.
  2. Enter the following:

    Destination

    IP and netmask for the network behind the Cisco router (10.21.101.0 255.255.255.0)

    Interface

    GRE tunnel virtual interface (gre1)

    Administrative Distance

    Leave the default setting

  3. Click OK.
To create the static route in the CLI:
config router static
    edit 0
        set device gre1
        set dst 10.21.101.0 255.255.255.0
    next
end
Configuring the Cisco router

For more information, refer to Configuring and verifying a GRE over IPsec tunnel in the Fortinet Knowledge Base.

Cisco GRE-over-IPsec VPN

This is a sample configuration of a FortiGate VPN that is compatible with Cisco-style VPNs that use GRE in an IPsec tunnel. Cisco products with VPN support often use the GRE protocol tunnel over IPsec encryption. Cisco VPNs can use either transport mode or tunnel mode IPsec.

Topology

In this example, LAN1 users are provided with access to LAN2.

Configuring the FortiGate

There are five steps to configure GRE-over-IPsec with a FortiGate and Cisco router:

  1. Enable overlapping subnets.
  2. Configure a route-based IPsec VPN on the external interface.
  3. Configure a GRE tunnel on the virtual IPsec interface.
  4. Configure security policies.
  5. Configure the static route.
Enabling overlapping subnets

Overlapping subnets are required because the IPsec and GRE tunnels will use the same addresses. By default, each FortiGate network interface must be on a separate network. This configuration assigns an IPsec tunnel endpoint and the external interface to the same network.

To enable overlapping subnets:
config system settings
    set allow-subnet-overlap enable
    next
end
Configuring a route-based IPsec VPN

A route-based VPN that use encryption and authentication algorithms compatible with the Cisco router is required. Pre-shared key authentication is used in this configuration.

To configure route-based IPsec in the GUI:
  1. Go to VPN > IPsec Wizard and select the Custom template.
  2. Enter the tunnel name (tocisco) and click Next.
  3. Enter the following:

    Remote Gateway

    Static IP Address

    IP Address

    Cisco router public interface (192.168.5.113)

    Interface

    FortiGate public interface (172.20.120.141)

    Authentication Method

    Pre-shared Key

    Pre-shared Key

    Entry must match the pre-shared key on the Cisco router

    Mode

    Main (ID Protection)

    Phase 1 Proposal

    3DES-SHA1, AES128-SHA1 (at least one proposal must match the settings on the Cisco router)

    Local Address

    GRE local tunnel endpoint IP address (172.20.120.141)

    Remote Address

    GRE remote tunnel endpoint IP address (192.168.5.113)

    Phase 2 Proposal

    3DES-MD5 (at least one proposal must match the settings on the Cisco router)

    Local Port

    0

    Remote Port

    0

    Protocol

    47

  4. Click OK.
  5. If the Cisco router is configured to use transport mode IPsec, configure transport mode on the FortiGate:
    config vpn phase2-interface
        edit tocisco_p2
            set encapsulation transport-mode
        next
    end
To configure route-based IPsec in the CLI:
config vpn ipsec phase1-interface
    edit tocisco
        set interface port1
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 192.168.5.113
        set psksecret xxxxxxxxxxxxxxxx
    next
end
config vpn ipsec phase2-interface
    edit tocisco_p2
        set phase1name tocisco
        set proposal 3des-md5
        set encapsulation [tunnel-mode | transport-mode]
        set protocol 47
        set src-addr-type ip
        set dst-start-ip 192.168.5.113
        set src-start-ip 172.20.120.141
    next
end
To add the IPsec tunnel end addresses:
config system interface
    edit tocisco
        set ip 172.20.120.141 255.255.255.255
        set remote-ip 192.168.5.113
    next
end
Configuring the GRE tunnel

The local gateway and remote gateway addresses must match the local and remote gateways of the IPsec tunnel. The GRE tunnel runs between the virtual IPsec public interface on the FortiGate unit and the Cisco router.

To configure the GRE tunnel:
config system gre-tunnel
    edit gre1
        set interface tocisco
        set local-gw 172.20.120.141
        set remote-gw 192.168.5.113
        set keepalive-interval <integer>
        set keepalive-failtimes <integer>
    next
end

The Cisco router configuration requires an address for its end of the GRE tunnel, so you need to add the tunnel end addresses.

To add the tunnel end addresses:
config system interface
    edit gre1
        set ip 10.0.1.1 255.255.255.255
        set remote-ip 10.0.1.2
    next
end
Configuring the security policies

Two sets of security policies are required:

  • Policies to allow traffic to pass in both directions between the GRE virtual interface and the IPsec virtual interface.
  • Policies to allow traffic to pass in both directions between the protected network interface and the GRE virtual interface.
To configure security policies in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.
  2. Enter the following to allow traffic between the protected network and the GRE tunnel:

    Name

    LANtoGRE

    Incoming Interface

    Interface that connects to the private network behind the FortiGate (port2)

    Outgoing Interface

    GRE tunnel virtual interface (gre1)

    Source

    All

    Destination

    All

    Action

    ACCEPT

    NAT

    Disable

  3. Click OK.
  4. Create a new policy and enter the following to allow traffic between the GRE tunnel and the protected network:

    Name

    GREtoLAN

    Incoming Interface

    GRE tunnel virtual interface (gre1)

    Outgoing Interface

    Interface that connects to the private network behind the FortiGate (port2)

    Source

    All

    Destination

    All

    Action

    ACCEPT

    NAT

    Disable

  5. Click OK.
  6. Create a new policy and enter the following to allow traffic between the GRE virtual interface and the IPsec virtual interface:

    Name

    GREtoIPsec

    Incoming Interface

    GRE tunnel virtual interface (gre1)

    Outgoing Interface

    Virtual IPsec interface (tocisco)

    Source

    All

    Destination

    All

    Action

    ACCEPT

    NAT

    Disable

  7. Click OK.
  8. Create a new policy and enter the following to allow traffic between the IPsec virtual interface and the GRE virtual interface:

    Name

    IPsectoGRE

    Incoming Interface

    Virtual IPsec interface (tocisco)

    Outgoing Interface

    GRE tunnel virtual interface (gre1)

    Source

    All

    Destination

    All

    Action

    ACCEPT

    NAT

    Disable

  9. Click OK.
To configure security policies in the CLI:
config firewall policy
    edit 1
        set name LANtoGRE
        set srcintf port2
        set dstintf gre1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 2
        set name GREtoLAN
        set srcintf gre1
        set dstintf port2
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 3
        set name GREtoIPsec
        set srcintf gre1
        set dstintf tocisco
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 4
        set name IPsectoGRE
        set srcintf tocisco
        set dstintf gre1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end
Configuring routing

to direct traffic destined for the network behind the Cisco router into the GRE-over-IPsec tunnelTraffic destined for the network behind the Cisco router must be routed to the GRE tunnel. To do this, create a static route

To create the static route in the GUI:
  1. Go to Network > Static Routes and click Create New.
  2. Enter the following:

    Destination

    IP and netmask for the network behind the Cisco router (10.21.101.0 255.255.255.0)

    Interface

    GRE tunnel virtual interface (gre1)

    Administrative Distance

    Leave the default setting

  3. Click OK.
To create the static route in the CLI:
config router static
    edit 0
        set device gre1
        set dst 10.21.101.0 255.255.255.0
    next
end
Configuring the Cisco router

For more information, refer to Configuring and verifying a GRE over IPsec tunnel in the Fortinet Knowledge Base.