Cisco GRE-over-IPsec VPN

This is a sample configuration of a FortiGate VPN that is compatible with Cisco-style VPNs that run GRE inside an IPsec tunnel. Cisco products with VPN support often carry a GRE tunnel over IPsec encryption. Cisco VPNs can use either transport mode or tunnel mode IPsec, so the FortiGate side must be configured to match whichever mode the router uses.


In this example, LAN1 users are provided with access to LAN2.

Configuring the FortiGate

There are five steps to configure GRE-over-IPsec with a FortiGate and Cisco router:

  1. Enable overlapping subnets.
  2. Configure a route-based IPsec VPN on the external interface.
  3. Configure a GRE tunnel on the virtual IPsec interface.
  4. Configure security policies.
  5. Configure the static route.
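
Steps 1 to 3 above as one worked FortiOS CLI configuration. This is an added example, not the page's own configuration: the interface name port1, the names to_cisco and gre1, the addresses (192.0.2.2 for the FortiGate external interface, 203.0.113.1 for the Cisco router, 10.10.10.x for the GRE endpoints) and the pre-shared key are placeholders, and the proposal, DH group and encapsulation mode are assumptions that must match the Cisco crypto settings.

```fortios
# Step 1: the IPsec interface below reuses the external address, so overlap is needed
config system settings
    set allow-subnet-overlap enable
end
# Step 2: route-based IPsec; phase 2 is narrowed to GRE (protocol 47) between the two gateways
config vpn ipsec phase1-interface
    edit "to_cisco"
        set interface "port1"
        set remote-gw 203.0.113.1
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE_WITH_STRONG_PSK"
    next
end
config vpn ipsec phase2-interface
    edit "to_cisco"
        set phase1name "to_cisco"
        set proposal aes256-sha256
        set encapsulation transport-mode
        set protocol 47
        set src-addr-type ip
        set src-start-ip 192.0.2.2
        set dst-addr-type ip
        set dst-start-ip 203.0.113.1
    next
end
# Same address as port1 on the IPsec interface: this is what step 1 permits
config system interface
    edit "to_cisco"
        set ip 192.0.2.2 255.255.255.255
        set remote-ip 203.0.113.1
    next
end
# Step 3: GRE tunnel bound to the IPsec interface, endpoints on the GRE overlay
config system gre-tunnel
    edit "gre1"
        set interface "to_cisco"
        set local-gw 192.0.2.2
        set remote-gw 203.0.113.1
    next
end
config system interface
    edit "gre1"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.2
    next
end
```

Use tunnel-mode in phase 2 if the Cisco router is configured that way; steps 4 and 5 are then an ordinary firewall policy from the LAN1 interface to gre1 and a static route for LAN2 with gre1 as the device.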

Enabling overlapping subnets

Overlapping subnets are required because the IPsec and GRE tunnels will use the same addresses. By default, each FortiGate network interface must be on a separate network. This configuration assigns an IPsec tunnel endpoint and the external interface to the same network.

To enable overlapping subnets:
config system settings
    set allow-subnet-overlap enable
end
Configuring a route-based IPsec VPN

A route-based VPN that uses encryption and authentication algorithms compatible with the Cisco router is required. Pre-sha