akileshc (Staff)
Article Id 191780
Description
This article explains how to configure and verify an IPsec over GRE tunnel between two FortiGates.

Scope
- As GRE has no encryption mechanism of its own, it relies on IPsec for encryption. Unlike GRE over IPsec, which encrypts everything encapsulated by GRE, IPsec over GRE encrypts only the payload, not the routing protocols running over the GRE tunnel.

- In IPsec over GRE, the GRE tunnel is established over the internet, neighborship is formed and routes are exchanged, all of this in clear text. Only the interesting traffic flowing between the two peers is encrypted.

- IPsec over GRE is used when securing the routing updates and routes is not a requirement and the main concern is encrypting the information/payload flowing between the peers.

- IPsec over GRE eliminates the additional overhead of encrypting the GRE header.
Solution
The following topology is used:

PC1(.1) - 192.168.10.1/32 -port3-[FGT-A]-port1----(10.5.21.54) =======
                                                                  |
                                                 (Internet)       |  IPsec over GRE tunnel
                                                                  |
PC2(.2) - 172.31.128.0/20 -port3-[FGT-B]-port1----(10.5.27.127) =======

- IPsec over GRE encrypts the payload and not the GRE-encapsulated packets.

- Interface for the IPsec tunnel: the IPsec tunnel should be formed using the loopback interface IP. When using loopbacks, make sure each peer has a route to the other's loopback. This can be achieved by running another routing protocol to advertise the loopbacks and then forming the IPsec tunnel using the loopback IP addresses.

- Encryption domain: the encryption domain is always specified between the source and destination subnets that are to be encrypted, not the GRE tunnel source/destination IPs, as is the case with GRE over IPsec. In the above example, we are specifying the encryption domain for all IP traffic between 1.1.1.1 and 2.2.2.2.

- The GRE tunnel itself will not be encrypted; only the traffic flowing through it will be.

- GRE is used only to exchange routes with the remote peer over the internet, by running an IGP over the GRE tunnel.

CLI configuration of FGT-A (the same configuration is needed on FGT-B with the corresponding IP changes):
config system gre-tunnel
    edit "gretunnel"
        set interface "port1"
        set remote-gw 10.5.27.127
        set local-gw 10.5.21.54
    next
end

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.5.21.54 255.255.240.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set snmp-index 1
    next
    edit "port3"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.255
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set snmp-index 3
    next
    edit "gretunnel"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.10.2 255.255.255.255
        set snmp-index 12
        set interface "port1"
    next
    edit "gre-loopback"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set allowaccess ping https
        set type loopback
        set snmp-index 13
    next
    edit "IPsec-over-GRE"
        set vdom "root"
        set type tunnel
        set snmp-index 14
        set interface "gre-loopback"
    next
end

config vpn ipsec phase1-interface
    edit "IPsec-over-GRE"
        set interface "gre-loopback"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: IPsec-over-GRE (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 2.2.2.2
        set psksecret ENC pduc/zfyvgjwMbmpd55iaXrzRLZ2AIdAyA9fEZX6ycBnEmMBac3/qCcQ5Q00Er0SoKBd/HIoycvM6FAGg0U5hE5WwLiJOrtcpeGIllFArn2TyBOwBOUvwYzXjxFjG4XDnAlq7+E9klI182TdaV4hLe94rTJimycJEVX32gySQ1k+/95gU8tU6GQnPpUKzXmu5i0wrA==
    next
end

config firewall address
    edit "IPsec-over-GRE_local_subnet_1"
        set uuid 00593076-4d54-51e9-7b90-977724a65a96
        set allow-routing enable
        set subnet 192.168.10.1 255.255.255.255
    next
    edit "IPsec-over-GRE_remote_subnet_1"
        set uuid 0097752a-4d54-51e9-7175-408603957372
        set allow-routing enable
        set subnet 172.31.128.0 255.255.240.0
    next
end

config router static
    edit 1
        set gateway 10.5.31.254
        set device "port1"
    next
    edit 2
        set dst 2.2.2.0 255.255.255.0
        set device "gretunnel"
    next
    edit 3
        set device "IPsec-over-GRE"
        set comment "VPN: IPsec-over-GRE (Created by VPN wizard)"
        set dstaddr "IPsec-over-GRE_remote"
    next
    edit 4
        set distance 254
        set comment "VPN: IPsec-over-GRE (Created by VPN wizard)"
        set blackhole enable
        set dstaddr "IPsec-over-GRE_remote"
    next
end

config firewall policy
    edit 1
        set name "gre-policy"
        set uuid 6cf1b338-4d50-51e9-6194-eac61476f8d1
        set srcintf "gretunnel"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
    next
    edit 2
        set name "loopback-gre"
        set uuid 8148bb4c-4d50-51e9-5c0f-fd7b1205baf9
        set srcintf "gre-loopback"
        set dstintf "gretunnel"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
    next
    edit 3
        set uuid 9e3b68f0-4d53-51e9-5506-94e05b3da3ce
        set srcintf "gretunnel"
        set dstintf "gre-loopback"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
        set comments "Reverse of loopback-gre"
    next
    edit 4
        set name "vpn_IPsec-over-GRE_local"
        set uuid 013ba046-4d54-51e9-0b30-c445edb0e4e5
        set srcintf "port3"
        set dstintf "IPsec-over-GRE"
        set srcaddr "IPsec-over-GRE_local"
        set dstaddr "IPsec-over-GRE_remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: IPsec-over-GRE (Created by VPN wizard)"
    next
    edit 5
        set name "vpn_IPsec-over-GRE_remote"
        set uuid 01607736-4d54-51e9-c7c3-8c1c83870f23
        set srcintf "IPsec-over-GRE"
        set dstintf "port3"
        set srcaddr "IPsec-over-GRE_remote"
        set dstaddr "IPsec-over-GRE_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: IPsec-over-GRE (Created by VPN wizard)"
    next
end

Verification:
# get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 10.5.31.254, port1
C       1.1.1.1/32 is directly connected, gre-loopback
S       2.2.2.0/24 [10/0] via 10.10.10.2, gretunnel
C       10.5.16.0/20 is directly connected, port1
C       10.10.10.1/32 is directly connected, gretunnel
C       10.10.10.2/32 is directly connected, gretunnel
S       172.31.128.0/20 [10/0] is directly connected, IPsec-over-GRE
C       192.168.10.1/32 is directly connected, port3

# di sys gre list
IPv4:

vd=0 devname=gretunnel devindex=3 ifindex=19
saddr=10.5.21.54 daddr=10.5.27.127 ref=0
key=0/0 flags=0/0

total tunnel = 1

# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=IPsec-over-GRE ver=1 serial=2 1.1.1.1:0->2.2.2.2:0
bound_if=0 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=0 refcnt=12 ilast=5 olast=1308 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=IPsec-over-GRE proto=0 sa=1 ref=2 serial=1
  src: 0:192.168.10.1/255.255.255.255:0
  dst: 0:172.31.128.0/255.255.240.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1406 expire=40397/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=42928/43200
  dec: spi=84c792ec esp=aes key=16 ee6cdfbc1759d11dfebf8d015a4350ee
       ah=sha1 key=20 60a4481b0ffc86ce334a4a0c7c1052ab0746d399
  enc: spi=235d175d esp=aes key=16 74440ead279201c29185129525dbd29f
       ah=sha1 key=20 87c871e5a57110485c74ace0626926748a591c82
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
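The design rules stated in the Scope and Solution notes (IPsec peers on the loopbacks, the peer loopback reachable through the GRE tunnel, and an encryption domain made of the end-host subnets rather than any tunnel endpoint) can be checked mechanically against the two diagnostic outputs above. The following Python script is an added example, not part of this article or of FortiOS; it uses the article's own addresses as constructed sample input, and its regular expressions assume the output layout shown above.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of FGT-A's "diagnose vpn tunnel list" and routing table.
TUNNEL_LIST = """\
name=IPsec-over-GRE ver=1 serial=2 1.1.1.1:0->2.2.2.2:0
  src: 0:192.168.10.1/255.255.255.255:0
  dst: 0:172.31.128.0/255.255.240.0:0
"""
ROUTING_TABLE = """\
S*      0.0.0.0/0 [10/0] via 10.5.31.254, port1
C       1.1.1.1/32 is directly connected, gre-loopback
S       2.2.2.0/24 [10/0] via 10.10.10.2, gretunnel
S       172.31.128.0/20 [10/0] is directly connected, IPsec-over-GRE
"""
GRE_GATEWAYS = ["10.5.21.54", "10.5.27.127"]  # port1 addresses carrying the GRE tunnel

def parse_tunnel(text):
    """Phase1 name and gateway pair, plus the (src, dst) selector networks of each phase2."""
    m = re.search(r"name=(\S+) .*?(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+", text)
    sels = re.findall(r"src: \d+:(\S+):\d+\n\s+dst: \d+:(\S+):\d+", text)
    nets = [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in sels]
    return {"name": m.group(1), "local": m.group(2), "remote": m.group(3), "selectors": nets}

def egress_device(routing_text, ip):
    """Longest-prefix match of ip in the routing table; returns the egress interface name."""
    hits = []
    for line in routing_text.splitlines():
        m = re.match(r"\S+\s+(\S+/\d+) .*?, (\S+)$", line)
        if m and ipaddress.ip_address(ip) in ipaddress.ip_network(m.group(1)):
            hits.append((ipaddress.ip_network(m.group(1)).prefixlen, m.group(2)))
    return max(hits)[1] if hits else None

def check_ipsec_over_gre(tunnel_text, routing_text, gre_gateways=GRE_GATEWAYS):
    """Apply the article's design rules; returns a list of findings, empty when compliant."""
    t = parse_tunnel(tunnel_text)
    findings = []
    # Rule 1: phase1 peers are the loopbacks, never the physical GRE gateway addresses.
    if t["local"] in gre_gateways or t["remote"] in gre_gateways:
        findings.append("phase1 is bound to a GRE gateway address instead of a loopback")
    # Rule 2: the peer loopback must be reachable through the GRE tunnel interface.
    if egress_device(routing_text, t["remote"]) != "gretunnel":
        findings.append(f"no route to peer loopback {t['remote']} via gretunnel")
    # Rule 3: selectors are the end-host subnets, not tunnel endpoints; remote subnet routes into IPsec.
    for src, dst in t["selectors"]:
        if any(ipaddress.ip_address(g) in src or ipaddress.ip_address(g) in dst for g in gre_gateways + [t["local"], t["remote"]]):
            findings.append(f"selector {src}->{dst} covers a tunnel endpoint address")
        if egress_device(routing_text, str(dst.network_address)) != t["name"]:
            findings.append(f"remote subnet {dst} does not route into {t['name']}")
    return findings
```

Swapping the selectors for the GRE gateway addresses (a GRE over IPsec style encryption domain) makes the check report findings, which is the misconfiguration the Scope notes warn about.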