FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
scheehan_FTNT
Article Id 196591

Description

This article illustrates the configuration of a GRE over IPsec tunnel between two FortiGate units, with the IPsec tunnel terminated on a Loopback interface.

To deploy this configuration on the FortiGate unit, it is mandatory to use different IP address spaces for the GRE tunnel and the IPsec tunnel. Furthermore, the Loopback interface IP needs an egress point to reach the peer device (a static route).

In this particular setup, IPsec encapsulation needs to be configured in Tunnel Mode (Transport Mode is not supported), and allow-subnet-overlap needs to be enabled under system settings.
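The following CLI is an added example (not the article's own configuration) that puts the four requirements above into one FortiGate config for the client-side unit, using the addresses that appear in the routing tables and tunnel output below. Assumptions not in the article: the pre-shared key is a placeholder, the wan1 next hop is 192.168.16.130, the client LAN sits on port3, aes256-sha256 proposals are substituted for the 3des/sha1 seen in the debug output, phase 1 is bound to wan1 with local-gw set to the loopback address (newer FortiOS releases can also bind phase 1 directly to the loopback), and remote-ip is written with a netmask as in FortiOS 6.2 and later.

```text
# Added example, not the article's configuration. Client-side FortiGate:
# loopback 192.168.16.128, peer loopback 192.168.16.137, client LAN on port3.

# Requirement 4: GRE and IPsec interfaces carry /32 addresses on the same box
config system settings
    set allow-subnet-overlap enable
end

# Loopback that terminates IPsec
config system interface
    edit "lo1"
        set vdom "root"
        set type loopback
        set ip 192.168.16.128 255.255.255.255
        set allowaccess ping
    next
end

# Requirement 2: egress for the peer loopback (next hop 192.168.16.130 is assumed);
# matches "S 192.168.16.137/32 [10/0] via ..., wan1" in the routing table below
config router static
    edit 1
        set dst 192.168.16.137 255.255.255.255
        set gateway 192.168.16.130
        set device "wan1"
    next
end

# Phase 1 sourced from the loopback address; PSK is a placeholder
config vpn ipsec phase1-interface
    edit "ipsec_ph1"
        set interface "wan1"
        set local-gw 192.168.16.128
        set remote-gw 192.168.16.137
        set proposal aes256-sha256
        set psksecret <PSK_PLACEHOLDER>
    next
end

# Requirement 3: tunnel mode; selectors are any/any for protocol 47 (GRE) only,
# which is what "proto=47" and "src/dst: 47:0.0.0.0/0.0.0.0:0" show below
config vpn ipsec phase2-interface
    edit "ipsec_ph2"
        set phase1name "ipsec_ph1"
        set proposal aes256-sha256
        set encapsulation tunnel-mode
        set protocol 47
        set auto-negotiate enable
    next
end

# Requirement 1: IPsec tunnel interface in the 172.x space ...
config system interface
    edit "ipsec_ph1"
        set ip 172.128.0.1 255.255.255.255
        set remote-ip 172.137.0.1 255.255.255.255
    next
end

# ... GRE endpoints are those IPsec interface addresses, so GRE rides inside ESP,
# and the GRE interface itself lives in the separate 81.x space
config system gre-tunnel
    edit "gre_tunnel"
        set interface "ipsec_ph1"
        set local-gw 172.128.0.1
        set remote-gw 172.137.0.1
    next
end
config system interface
    edit "gre_tunnel"
        set ip 81.128.0.1 255.255.255.255
        set remote-ip 81.137.0.1 255.255.255.255
    next
end

# Server LAN via GRE; matches "S 10.137.0.0/23 [10/0] via 81.137.0.1, gre_tunnel"
config router static
    edit 2
        set dst 10.137.0.0 255.255.254.0
        set gateway 81.137.0.1
        set device "gre_tunnel"
    next
end

# Policies between the client LAN and the GRE interface, both directions
config firewall policy
    edit 1
        set name "lan-to-gre"
        set srcintf "port3"
        set dstintf "gre_tunnel"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "gre-to-lan"
        set srcintf "gre_tunnel"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The server-side unit mirrors this with the addresses swapped (loopback 192.168.16.137, IPsec interface 172.137.0.1/remote 172.128.0.1, GRE interface 81.137.0.1/remote 81.128.0.1, LAN on dmz, and a static route for 10.128.0.0/23 via 81.128.0.1 on gre_tunnel). After both sides are in place, `diagnose sniffer packet any 'icmp' 4`, `get router info routing-table all` and `diagnose vpn tunnel list` produce the kind of output shown in the Solution section: a ping should enter on the LAN port, leave on gre_tunnel, and the phase 2 counters (enc/dec pkts) should increase, confirming the GRE frames are actually being carried inside ESP rather than leaving wan1 in the clear.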


Scope
Network Diagram (image: GRE_O_IPsec_v4.jpg)


Solution
Trace route results:-



PING from client side:-
9.059806 port3 in 10.128.0.150 -> 10.137.0.158: icmp: echo request
9.059820 gre_tunnel out 10.128.0.150 -> 10.137.0.158: icmp: echo request
9.061283 gre_tunnel in 10.137.0.158 -> 10.128.0.150: icmp: echo reply
9.061553 port3 out 10.137.0.158 -> 10.128.0.150: icmp: echo reply

6.468882 gre_tunnel in 10.128.0.150 -> 10.137.0.158: icmp: echo request
6.469199 dmz out 10.128.0.150 -> 10.137.0.158: icmp: echo request
6.469564 dmz in 10.137.0.158 -> 10.128.0.150: icmp: echo reply
6.469707 gre_tunnel out 10.137.0.158 -> 10.128.0.150: icmp: echo reply

Routing table:-
C       10.128.0.0/23 is directly connected, port3
S       10.137.0.0/23 [10/0] via 81.137.0.1, gre_tunnel
C       81.128.0.1/32 is directly connected, gre_tunnel
C       81.137.0.1/32 is directly connected, gre_tunnel
C       172.128.0.1/32 is directly connected, ipsec_ph1
C       172.137.0.1/32 is directly connected, ipsec_ph1
C       192.168.16.0/24 is directly connected, wan1
C       192.168.16.128/32 is directly connected, lo1
S       192.168.16.137/32 [10/0] via 192.168.16.130, wan1

IPsec tunnel info:-
name=ipsec_ph1 ver=1 serial=1 192.168.16.128:0->192.168.16.137:0 lgwy=static tun=intf mode=auto bound_if=0
proxyid_num=1 child_num=0 refcnt=11 ilast=11576 olast=5
stat: rxp=22956 txp=14428 rxb=16279320 txb=2480008
dpd: mode=off on=0 idle=5000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ipsec_ph2 proto=47 sa=1 ref=2 auto_negotiate=1 serial=2
  src: 47:0.0.0.0/0.0.0.0:0
  dst: 47:0.0.0.0/0.0.0.0:0
  SA: ref=6 options=0000002d type=00 soft=0 mtu=1436 expire=31645 replaywin=0 seqno=385d
  life: type=01 bytes=0/0 timeout=43149/43200
  dec: spi=b1624968 esp=3des key=24 d62bae210f7376e3bac04446acc8a9f931e861ff1d730fa6
       ah=sha1 key=20 4e70a4b0202baa45f8cf214cb01286757b85759f
  enc: spi=edb15dc7 esp=3des key=24 701c98ff3186ed547b00fe2e24b870c3a377cb6ac2559960
       ah=sha1 key=20 ccc18daba93f1031a7540a8b440788bc3abc65c5
  dec:pkts/bytes=22956/15063764, enc:pkts/bytes=14428/3257016
  npu_flag=00 npu_rgwy=192.168.16.137 npu_lgwy=192.168.16.128 npu_selid=1


PING from server side:-
2.567025 dmz in 10.137.0.158 -> 10.128.0.150: icmp: echo request
2.567233 gre_tunnel out 10.137.0.158 -> 10.128.0.150: icmp: echo request
2.568621 gre_tunnel in 10.128.0.150 -> 10.137.0.158: icmp: echo reply
2.568859 dmz out 10.128.0.150 -> 10.137.0.158: icmp: echo reply

5.652083 gre_tunnel in 10.137.0.158 -> 10.128.0.150: icmp: echo request
5.652362 port3 out 10.137.0.158 -> 10.128.0.150: icmp: echo request
5.652819 port3 in 10.128.0.150 -> 10.137.0.158: icmp: echo reply
5.652827 gre_tunnel out 10.128.0.150 -> 10.137.0.158: icmp: echo reply

Routing table:-
S       10.128.0.0/23 [10/0] via 81.128.0.1, gre_tunnel
C       10.137.0.0/23 is directly connected, dmz
C       81.128.0.1/32 is directly connected, gre_tunnel
C       81.137.0.1/32 is directly connected, gre_tunnel
C       172.128.0.1/32 is directly connected, ipsec_ph1
C       172.137.0.1/32 is directly connected, ipsec_ph1
C       192.168.16.0/24 is directly connected, wan1
S       192.168.16.128/32 [10/0] via 192.168.16.112, wan1
C       192.168.16.137/32 is directly connected, lo1

IPsec tunnel info:-
name=ipsec_ph1 ver=1 serial=1 192.168.16.137:0->192.168.16.128:0 lgwy=static tun=intf mode=auto bound_if=0
proxyid_num=1 child_num=0 refcnt=11 ilast=11645 olast=3
stat: rxp=14524 txp=23116 rxb=3279160 txb=15174980
dpd: mode=off on=0 idle=5000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ipsec_ph2 proto=47 sa=1 ref=2 serial=1 auto-negotiate
  src: 47:0.0.0.0/0.0.0.0:0
  dst: 47:0.0.0.0/0.0.0.0:0
  SA: ref=6 options=0000002d type=00 soft=0 mtu=1446 expire=31604/0B replaywin=0 seqno=5a4d
  life: type=01 bytes=0/0 timeout=43177/43200
  dec: spi=edb15dc7 esp=3des key=24 701c98ff3186ed547b00fe2e24b870c3a377cb6ac2559960
       ah=sha1 key=20 ccc18daba93f1031a7540a8b440788bc3abc65c5
  enc: spi=b1624968 esp=3des key=24 d62bae210f7376e3bac04446acc8a9f931e861ff1d730fa6
       ah=sha1 key=20 4e70a4b0202baa45f8cf214cb01286757b85759f
  dec:pkts/bytes=14524/2496984, enc:pkts/bytes=23116/16399000
  npu_flag=00 npu_rgwy=192.168.16.128 npu_lgwy=192.168.16.137 npu_selid=0
