PC1(.1) - 192.168.10.1/32 - port3 - [FGT-A] - port1 - (10.5.21.54) =======
                                                                         |
                                                           (Internet)    |  IPsec over GRE tunnel
                                                                         |
PC2(.2) - 172.31.128.0/20 - port3 - [FGT-B] - port1 - (10.5.27.127) =======
- IPsec over GRE encrypts the payload and not the GRE-encapsulated packets.
- Interface for the IPsec tunnel: the IPsec tunnel should be formed using the loopback interface IP. When using loopbacks, make sure each peer has a route to the other peer's loopback. This can be achieved by running another routing protocol to advertise the loopbacks and then forming the IPsec tunnel using the loopback IP addresses.
- Encryption domain: the encryption domain is always specified between the source and destination subnets that are to be encrypted, not the GRE tunnel source/destination IPs as is the case with GRE over IPsec. In the above example, the IPsec tunnel is formed between the loopbacks 1.1.1.1 and 2.2.2.2, and the encryption domain covers the IP traffic between 192.168.10.1/32 and 172.31.128.0/20 (the phase 2 selectors shown in the verification output below).
- The GRE tunnel itself is not encrypted; only the traffic flowing through it that matches the encryption domain is encrypted.
- GRE is used only to exchange routes with the remote peer over the Internet, using an IGP running over the GRE tunnel.
CLI configuration of FGT-A (the same configuration is needed on FGT-B with the corresponding IP changes):
config system gre-tunnel
edit "gretunnel"
set interface "port1"
set remote-gw 10.5.27.127
set local-gw 10.5.21.54
next
end
config system interface
edit "port1"
set vdom "root"
set ip 10.5.21.54 255.255.240.0
set allowaccess ping https ssh http telnet fgfm
set type physical
set snmp-index 1
next
edit "port3"
set vdom "root"
set ip 192.168.10.1 255.255.255.255
set allowaccess ping https ssh http telnet fgfm
set type physical
set snmp-index 3
next
edit "gretunnel"
set vdom "root"
set ip 10.10.10.1 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.10.10.2 255.255.255.255
set snmp-index 12
set interface "port1"
next
edit "gre-loopback"
set vdom "root"
set ip 1.1.1.1 255.255.255.255
set allowaccess ping https
set type loopback
set snmp-index 13
next
edit "IPsec-over-GRE"
set vdom "root"
set type tunnel
set snmp-index 14
set interface "gre-loopback"
next
end
config vpn ipsec phase1-interface
edit "IPsec-over-GRE"
set interface "gre-loopback"
set peertype any
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: IPsec-over-GRE (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw 2.2.2.2
set psksecret ENC pduc/zfyvgjwMbmpd55iaXrzRLZ2AIdAyA9fEZX6ycBnEmMBac3/qCcQ5Q00Er0SoKBd/HIoycvM6FAGg0U5hE5WwLiJOrtcpeGIllFArn2TyBOwBOUvwYzXjxFjG4XDnAlq7+E9klI182TdaV4hLe94rTJimycJEVX32gySQ1k+/95gU8tU6GQnPpUKzXmu5i0wrA==
next
end
config firewall address
edit "IPsec-over-GRE_local_subnet_1"
set uuid 00593076-4d54-51e9-7b90-977724a65a96
set allow-routing enable
set subnet 192.168.10.1 255.255.255.255
next
edit "IPsec-over-GRE_remote_subnet_1"
set uuid 0097752a-4d54-51e9-7175-408603957372
set allow-routing enable
set subnet 172.31.128.0 255.255.240.0
next
end
config router static
edit 1
set gateway 10.5.31.254
set device "port1"
next
edit 2
set dst 2.2.2.0 255.255.255.0
set device "gretunnel"
next
edit 3
set device "IPsec-over-GRE"
set comment "VPN: IPsec-over-GRE (Created by VPN wizard)"
set dstaddr "IPsec-over-GRE_remote"
next
edit 4
set distance 254
set comment "VPN: IPsec-over-GRE (Created by VPN wizard)"
set blackhole enable
set dstaddr "IPsec-over-GRE_remote"
next
end
config firewall policy
edit 1
set name "gre-policy"
set uuid 6cf1b338-4d50-51e9-6194-eac61476f8d1
set srcintf "gretunnel"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
next
edit 2
set name "loopback-gre"
set uuid 8148bb4c-4d50-51e9-5c0f-fd7b1205baf9
set srcintf "gre-loopback"
set dstintf "gretunnel"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
next
edit 3
set uuid 9e3b68f0-4d53-51e9-5506-94e05b3da3ce
set srcintf "gretunnel"
set dstintf "gre-loopback"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
set comments "Reverse of loopback-gre"
next
edit 4
set name "vpn_IPsec-over-GRE_local"
set uuid 013ba046-4d54-51e9-0b30-c445edb0e4e5
set srcintf "port3"
set dstintf "IPsec-over-GRE"
set srcaddr "IPsec-over-GRE_local"
set dstaddr "IPsec-over-GRE_remote"
set action accept
set schedule "always"
set service "ALL"
set comments "VPN: IPsec-over-GRE (Created by VPN wizard)"
next
edit 5
set name "vpn_IPsec-over-GRE_remote"
set uuid 01607736-4d54-51e9-c7c3-8c1c83870f23
set srcintf "IPsec-over-GRE"
set dstintf "port3"
set srcaddr "IPsec-over-GRE_remote"
set dstaddr "IPsec-over-GRE_local"
set action accept
set schedule "always"
set service "ALL"
set comments "VPN: IPsec-over-GRE (Created by VPN wizard)"
next
end
Verification:
# get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 10.5.31.254, port1
C 1.1.1.1/32 is directly connected, gre-loopback
S 2.2.2.0/24 [10/0] via 10.10.10.2, gretunnel
C 10.5.16.0/20 is directly connected, port1
C 10.10.10.1/32 is directly connected, gretunnel
C 10.10.10.2/32 is directly connected, gretunnel
S 172.31.128.0/20 [10/0] is directly connected, IPsec-over-GRE
C 192.168.10.1/32 is directly connected, port3
# di sys gre list
IPv4:
vd=0 devname=gretunnel devindex=3 ifindex=19
saddr=10.5.21.54 daddr=10.5.27.127 ref=0
key=0/0 flags=0/0
total tunnel = 1
# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=IPsec-over-GRE ver=1 serial=2 1.1.1.1:0->2.2.2.2:0
bound_if=0 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=0 refcnt=12 ilast=5 olast=1308 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=IPsec-over-GRE proto=0 sa=1 ref=2 serial=1
src: 0:192.168.10.1/255.255.255.255:0
dst: 0:172.31.128.0/255.255.240.0:0
SA: ref=3 options=10226 type=00 soft=0 mtu=1406 expire=40397/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
life: type=01 bytes=0/0 timeout=42928/43200
dec: spi=84c792ec esp=aes key=16 ee6cdfbc1759d11dfebf8d015a4350ee
ah=sha1 key=20 60a4481b0ffc86ce334a4a0c7c1052ab0746d399
enc: spi=235d175d esp=aes key=16 74440ead279201c29185129525dbd29f
ah=sha1 key=20 87c871e5a57110485c74ace0626926748a591c82
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
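The design notes at the top of this article (IPsec formed between the loopbacks, a route to the remote loopback via the GRE tunnel, and an encryption domain made of the LAN subnets rather than the GRE endpoints) can be checked mechanically against the verification output above. The following Python script is an added example, not Fortinet code or part of the original article: it parses the routing table and the relevant lines of "diagnose vpn tunnel list" (reproduced from the output above as sample input), applies those checks, and also shows which packets fall inside the encryption domain. The function names (parse_routes, egress_interface, parse_tunnel, is_encrypted, check_design) are this example's own.

```python
import ipaddress
import re

# Sample output reproduced from the verification section of this article
# (FGT-A's routing table and the relevant lines of "diagnose vpn tunnel list").
ROUTING_TABLE = """\
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
S* 0.0.0.0/0 [10/0] via 10.5.31.254, port1
C 1.1.1.1/32 is directly connected, gre-loopback
S 2.2.2.0/24 [10/0] via 10.10.10.2, gretunnel
C 10.5.16.0/20 is directly connected, port1
C 10.10.10.1/32 is directly connected, gretunnel
C 10.10.10.2/32 is directly connected, gretunnel
S 172.31.128.0/20 [10/0] is directly connected, IPsec-over-GRE
C 192.168.10.1/32 is directly connected, port3
"""

TUNNEL_LIST = """\
name=IPsec-over-GRE ver=1 serial=2 1.1.1.1:0->2.2.2.2:0
bound_if=0 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid=IPsec-over-GRE proto=0 sa=1 ref=2 serial=1
src: 0:192.168.10.1/255.255.255.255:0
dst: 0:172.31.128.0/255.255.240.0:0
"""


def parse_routes(text):
    """Return (network, next_hop or None, interface) for every route line.

    Header lines are skipped because their second token is not a prefix.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or "," not in line:
            continue
        try:
            net = ipaddress.ip_network(parts[1], strict=False)
        except ValueError:
            continue  # "Codes: K - kernel, ..." and similar header lines
        head, iface = line.rsplit(",", 1)
        via = re.search(r"via (\S+)", head)
        routes.append((net, via.group(1) if via else None, iface.strip()))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the interface FGT-A would forward dst out of."""
    dst = ipaddress.ip_address(str(dst))
    best = None
    for net, next_hop, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best[2] if best else None


def parse_tunnel(text):
    """Extract the IKE gateways and the phase 2 selectors (encryption domain)."""
    gw = re.search(r"name=(\S+).*?([\d.]+):\d+->([\d.]+):\d+", text)
    srcs = re.findall(r"src: \d+:([\d.]+)/([\d.]+):\d+", text)
    dsts = re.findall(r"dst: \d+:([\d.]+)/([\d.]+):\d+", text)
    selectors = [
        (ipaddress.ip_network(f"{s[0]}/{s[1]}"), ipaddress.ip_network(f"{d[0]}/{d[1]}"))
        for s, d in zip(srcs, dsts)
    ]
    return {"name": gw.group(1), "local_gw": gw.group(2),
            "remote_gw": gw.group(3), "selectors": selectors}


def is_encrypted(tunnel, src, dst):
    """True if a src->dst packet falls inside the encryption domain."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in tunnel["selectors"])


def check_design(routes, tunnel, local_loopback, remote_loopback,
                 gre_if, ipsec_if, local_lan, remote_lan):
    """Apply the article's design notes; returns a list of problems (empty = OK)."""
    problems = []
    # 1. IPsec must be formed between the loopbacks, not the WAN/GRE addresses.
    if (tunnel["local_gw"], tunnel["remote_gw"]) != (local_loopback, remote_loopback):
        problems.append("IPsec is not formed between the loopback addresses")
    # 2. The remote loopback must be reachable through the GRE tunnel.
    if egress_interface(routes, remote_loopback) != gre_if:
        problems.append(f"remote loopback {remote_loopback} is not routed via {gre_if}")
    # 3. The encryption domain is the LAN subnets, not the GRE endpoints.
    expected = [(ipaddress.ip_network(local_lan), ipaddress.ip_network(remote_lan))]
    if tunnel["selectors"] != expected:
        problems.append("phase 2 selectors are not the local/remote LAN subnets")
    # 4. The remote LAN must be routed into the IPsec interface.
    remote_host = ipaddress.ip_network(remote_lan).network_address
    if egress_interface(routes, remote_host) != ipsec_if:
        problems.append(f"remote LAN {remote_lan} is not routed via {ipsec_if}")
    return problems


if __name__ == "__main__":
    routes = parse_routes(ROUTING_TABLE)
    tunnel = parse_tunnel(TUNNEL_LIST)
    print(check_design(routes, tunnel, "1.1.1.1", "2.2.2.2", "gretunnel",
                       "IPsec-over-GRE", "192.168.10.1/32", "172.31.128.0/20"))
    print(is_encrypted(tunnel, "192.168.10.1", "172.31.130.5"))  # PC1 -> PC2 LAN
    print(is_encrypted(tunnel, "10.10.10.1", "10.10.10.2"))      # GRE tunnel IPs
```

Running the script against the output above reports no problems, confirms that PC1-to-PC2 traffic is inside the encryption domain, and shows that traffic between the GRE tunnel addresses 10.10.10.1 and 10.10.10.2 (for example IGP route exchange) is not, which is exactly the point made in the design notes: only the LAN-to-LAN payload is encrypted, the GRE tunnel itself is not.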