I like to work with GRE most of all because it is the easiest way to connect two firewalls or routers when there is no need for encryption. Keep in mind that GRE itself offers no confidentiality, no integrity protection and no peer authentication: anyone on the path can read, replay or inject tunnel traffic. It belongs on a link you already trust (a leased line, an MPLS circuit) or wrapped inside IPsec.
So let's create a tunnel on a Forti firewall.
· First, the tunnel itself must be created from the CLI:
config system gre-tunnel
edit "GRE-Test"
set interface "wan1"
set local-gw [WAN IP]
set remote-gw [Peers' IP]
next
end
The rest can be done via the GUI; I will post both the GUI and the CLI versions.
Configuring via the GUI looks like this:
· Configure the tunnel interface
· Add the firewall policies for the tunnel
To continue via the CLI, use the following (the 1.1.1.x tunnel addresses are only placeholders; use a small range from your own private address space):
config system interface
edit "GRE-Test"
set vdom "root"
set ip 1.1.1.1 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 1.1.1.2
set interface "wan1"
next
end
config firewall policy
edit 3
set srcintf "GRE-Test"
set dstintf "internal"
set srcaddr "all"
set dstaddr "all"
set action accept
set logtraffic-app disable
set schedule "always"
set service "ANY"
next
edit 4
set srcintf "internal"
set dstintf "GRE-Test"
set srcaddr "all"
set dstaddr "all"
set action accept
set logtraffic-app disable
set schedule "always"
set service "ANY"
next
end
That's it. I suggest adding a dynamic routing protocol so each end learns the networks behind the other; I prefer OSPF for this configuration, done from Router > Dynamic > OSPF,
with settings like these:
Now we have full connectivity between the two sites without using encryption. Two things to check before calling it done: the local-gw and remote-gw addresses must be able to reach each other with IP protocol 47 (GRE) permitted by every device in between, and the all/all/ANY policies above should be narrowed to the real source and destination subnets once the tunnel is proven to work.
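The CLI steps above have to be mirrored by hand on the second FortiGate, with every local/remote pair swapped, which is where most "tunnel will not come up" cases start. The script below is an added example, not code from this post or from Fortinet: it holds one side's parameters, derives the peer's side, runs a few sanity checks, and renders both configurations with address objects instead of all/all policies and with static routes for the peer's prefixes. All names (GRE-Test, wan1, internal) and addresses are placeholders; the policy and route syntax follows FortiOS 5.x/6.x spellings ("ALL", "set logtraffic"), which differ from the older "ANY"/"logtraffic-app" used in the post.

```python
"""Render mirrored FortiOS CLI for both ends of a GRE tunnel.

Added example; not code from the post. Interface names, the tunnel name and
every address are placeholders. Syntax follows FortiOS 5.x/6.x.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class GreSide:
    name: str          # tunnel interface name (config system gre-tunnel)
    wan_if: str        # physical interface the outer GRE/IP packets use
    local_gw: str      # this box's WAN address    -> set local-gw
    remote_gw: str     # the peer's WAN address    -> set remote-gw
    tunnel_ip: str     # this box's tunnel address, configured as a /32
    tunnel_peer: str   # the peer's tunnel address -> set remote-ip
    lan_if: str        # inside interface named in the two policies
    local_nets: list = field(default_factory=list)   # prefixes behind this box
    remote_nets: list = field(default_factory=list)  # prefixes behind the peer


def problems(s: GreSide) -> list:
    """Catch the usual copy/paste mistakes before anything is rendered."""
    out = []
    for a in (s.local_gw, s.remote_gw, s.tunnel_ip, s.tunnel_peer):
        try:
            ipaddress.ip_address(a)
        except ValueError:
            out.append(f"bad address {a!r}")
    for p in s.local_nets + s.remote_nets:
        try:
            ipaddress.ip_network(p)
        except ValueError:
            out.append(f"bad prefix {p!r}")
    if s.local_gw == s.remote_gw:
        out.append("local-gw and remote-gw must differ")
    if s.tunnel_ip == s.tunnel_peer:
        out.append("tunnel ip and remote-ip must differ")
    return out


def peer_of(s: GreSide) -> GreSide:
    """The same tunnel seen from the other end: every local/remote pair swaps."""
    return GreSide(s.name, s.wan_if, s.remote_gw, s.local_gw,
                   s.tunnel_peer, s.tunnel_ip, s.lan_if,
                   list(s.remote_nets), list(s.local_nets))


def _q(x):
    return f'"{x}"'

def _subnet(prefix):
    n = ipaddress.ip_network(prefix)
    return f"{n.network_address} {n.netmask}"

def _addrs(objs):
    return " ".join(_q(o) for o in objs) if objs else _q("all")


def render(s: GreSide) -> str:
    errs = problems(s)
    if errs:
        raise ValueError("; ".join(errs))
    lines = ["config system gre-tunnel", f"edit {_q(s.name)}",
             f"set interface {_q(s.wan_if)}", f"set local-gw {s.local_gw}",
             f"set remote-gw {s.remote_gw}", "next", "end",
             "config system interface", f"edit {_q(s.name)}", 'set vdom "root"',
             f"set ip {s.tunnel_ip} 255.255.255.255", "set allowaccess ping",
             "set type tunnel", f"set remote-ip {s.tunnel_peer}",
             f"set interface {_q(s.wan_if)}", "next", "end"]
    # Address objects so the policies name real subnets rather than all/all.
    local_objs = [f"{s.name}-local{i}" for i in range(len(s.local_nets))]
    remote_objs = [f"{s.name}-remote{i}" for i in range(len(s.remote_nets))]
    lines.append("config firewall address")
    for obj, p in zip(local_objs + remote_objs, s.local_nets + s.remote_nets):
        lines += [f"edit {_q(obj)}", f"set subnet {_subnet(p)}", "next"]
    lines.append("end")
    # One policy per direction; "edit 0" lets FortiOS assign the next free ID.
    lines.append("config firewall policy")
    for sif, dif, src, dst in ((s.name, s.lan_if, remote_objs, local_objs),
                               (s.lan_if, s.name, local_objs, remote_objs)):
        lines += ["edit 0", f"set srcintf {_q(sif)}", f"set dstintf {_q(dif)}",
                  f"set srcaddr {_addrs(src)}", f"set dstaddr {_addrs(dst)}",
                  "set action accept", 'set schedule "always"',
                  'set service "ALL"', "set logtraffic all", "next"]
    lines.append("end")
    # Static routes for the peer's prefixes, pointed at the remote tunnel IP
    # (as the post's author advises) and pinned to the tunnel interface.
    lines.append("config router static")
    for p in s.remote_nets:
        lines += ["edit 0", f"set dst {_subnet(p)}", f"set gateway {s.tunnel_peer}",
                  f"set device {_q(s.name)}", "next"]
    lines.append("end")
    return "\n".join(lines)


# Constructed sample site (RFC 5737 addresses); the peer is derived, not retyped.
SITE_A = GreSide("GRE-Test", "wan1", "203.0.113.1", "198.51.100.1",
                 "10.255.255.1", "10.255.255.2", "internal",
                 ["192.168.1.0/24"], ["192.168.2.0/24"])

if __name__ == "__main__":
    print(render(SITE_A), "\n", render(peer_of(SITE_A)), sep="")
```

Run it and paste each half into the matching box. Because the peer side is generated rather than typed, a mismatch between `local-gw` on one end and `remote-gw` on the other cannot happen, which is the first thing to rule out when a GRE tunnel stays silent.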
Hope this post was helpful. If it was, please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR
Hi, I know you wrote this a long time ago, but some days ago I tried your config, and I am pretty sure I got the config right. Is there any method to check whether the GRE tunnel is up or not, or some kind of debug?
I am connecting to a Cisco ASA.
We use a leased line (direct) to our end client.
Fortigate 200B -> PORT14 (192.168.0.2/30)
Static Route 192.168.0.4/30 -> 192.168.0.1
GRE LOCAL 192.168.0.2
GRE REMOTE 192.168.0.6
GRE TUNNEL
LOCAL 10.1.0.10/32
REMOTE 10.1.0.9
I created the policies the same as yours. My end client requires me to connect to a device with IP 172.16.0.X behind the tunnel.
I created a static route
172.16.0.x/24 -> GRE TUNNEL (is this correct?)
We do not use dynamic routing, and it is not possible per the connection rules. The policy to allow the traffic through the tunnel is NAT (because they only allow traffic from our tunnel IP 10.1.0.10).
I really need help to get this done, but I have no idea how to debug GRE on the Fortigate :( or whether I am doing something wrong :(
Hi Marco,
In case you used the configuration I posted, the tunnel should be up and traffic should flow through. To make sure, I would start a sniffer on the remote side to verify. You can also start a capture on the Fortigate by using '# diagnose sniffer'.
A small detail regarding the route you made: is it pointing to the GRE interface itself or to the remote IP of the tunnel? I would use the remote IP just to be sure.
In case you still need help, please post your configuration (preferably from both the Fortigate and the ASA); you may send it via mail for more security.
Hi,
I have 2 ISPs connected to a Fortigate firewall at the client location, and the core level is a Juniper router. Failover is not happening through the GRE tunnel since there is no keepalive option in Fortigate. Is there any option to make failover work through a GRE tunnel in Fortigate?
Ok, here we go, this is my config (FORTIGATE)
Here is the interface (physical) config:
edit 10
set device "port14"
set dst 10.49.1.0 255.255.255.252
set gateway 10.49.1.137
next
This is the static route created to communicate with the remote peer:
config router static
edit 10
set device "port14"
set dst 10.49.1.0 255.255.255.252
set gateway 10.49.1.137
next
end
I can ping the remote peer and they can ping me back.
Here is the GRE-TUNNEL config:
config system gre-tunnel
edit "GRETUNNEL"
set interface "port14"
set local-gw 10.49.1.138
set remote-gw 10.49.1.2
next
end
Here is the GRE tunnel interface config:
config system interface
edit "GRETUNNEL"
set vdom "root"
set ip 10.55.0.138 255.255.255.255
set allowaccess ping
set log enable
set type tunnel
set tcp-mss 1496
set remote-ip 10.55.0.137
set mtu 1496
set interface "port14"
next
end
About the static route, I agree with you; I believe I need to create a route similar to:
172.16.0.0/16 gw 10.55.0.137 (is that ok?)
I do not have access to the Cisco router because it belongs to one of our providers; I can only see that my device shows the interface with a status (it does not show an up or down arrow in the GUI).
I believe it is only one small thing to get this done, because it is so simple, but debugging is killing me; I will try your advice.
Greetings
Marco
Finally I got it. I did the debug: I never got traffic from the REMOTE-PEER. I called the network admin of the REMOTE-PEER, and he removed the "keep-alive", and immediately I got GRE traffic and the tunnel went up. The main issue now is with the "policies and the static route", but I believe now I am more "in" than "out". I sent the config by email, but now the issue is a different one; I will try to figure it out, but any help will be appreciated.
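The thread above ends with two practical points: the author's advice to capture GRE (IP protocol 47) on both sides with a sniffer, and Marco's finding that the tunnel only came up once the Cisco side stopped sending GRE keepalives. The decoder below is an added example written for this page, not code from the post, from any commenter, or from Fortinet or Cisco: it parses IPv4/GRE packets (RFC 2784/2890 header, checksum verified) and recognises the Cisco keepalive shape, an IPv4 packet addressed back to the sender carrying a GRE header with protocol type 0 inside the tunnel. All packets are constructed inline with RFC 5737 addresses; nothing is captured.

```python
"""Decode GRE-in-IPv4 packets and recognise Cisco-style GRE keepalives.

Added example, not from the post or the comment thread. Every packet here is
constructed in code (RFC 5737 addresses), not captured from a real tunnel.
"""
import ipaddress
import struct

GRE_PROTO = 47        # IP protocol number carried in the outer IPv4 header
ETH_IPV4 = 0x0800     # GRE protocol type for an IPv4 payload
GRE_C, GRE_R, GRE_K, GRE_S = 0x80, 0x40, 0x20, 0x10   # GRE flag bits


def ip_checksum(hdr: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071); 0 means 'valid'."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def build_gre(proto: int, payload: bytes, key=None) -> bytes:
    """GRE header (RFC 2784/2890): flags, version 0, protocol type, optional key."""
    hdr = struct.pack("!BBH", GRE_K if key is not None else 0, 0, proto)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.ip_address(pkt[12:16])),
            "dst": str(ipaddress.ip_address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:]}


def parse_gre(data: bytes) -> dict:
    flags, ver, proto = data[0], data[1] & 0x07, struct.unpack("!H", data[2:4])[0]
    if ver != 0:
        raise ValueError("only GRE version 0 is handled")
    pos, key, seq = 4, None, None
    if flags & (GRE_C | GRE_R):          # checksum/offset word present
        pos += 4
    if flags & GRE_K:
        key, pos = struct.unpack("!I", data[pos:pos + 4])[0], pos + 4
    if flags & GRE_S:
        seq, pos = struct.unpack("!I", data[pos:pos + 4])[0], pos + 4
    return {"proto": proto, "key": key, "seq": seq, "payload": data[pos:]}


def classify(pkt: bytes) -> dict:
    """Say what kind of GRE packet this is and which addresses are involved."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != GRE_PROTO:
        return {"kind": "not-gre", "proto": outer["proto"]}
    gre = parse_gre(outer["payload"])
    info = {"kind": "gre-other", "outer": (outer["src"], outer["dst"]),
            "gre_proto": gre["proto"], "key": gre["key"]}
    if gre["proto"] != ETH_IPV4:
        return info
    inner = parse_ipv4(gre["payload"])
    info["inner"] = (inner["src"], inner["dst"])
    # Cisco keepalive: the inner IPv4 packet is addressed back to the sender
    # and carries a GRE header with protocol type 0. The peer is expected to
    # decapsulate it and route it straight back; a peer that drops it makes
    # the Cisco side declare the tunnel line protocol down.
    if (inner["proto"] == GRE_PROTO
            and (inner["src"], inner["dst"]) == (outer["dst"], outer["src"])
            and parse_gre(inner["payload"])["proto"] == 0):
        info["kind"] = "cisco-keepalive"
    else:
        info["kind"] = "gre-ipv4"
    return info


# Constructed samples: a tunnelled ICMP echo and a keepalive probe from the peer.
TUNNELLED_ICMP = build_ipv4("203.0.113.1", "198.51.100.1", GRE_PROTO, build_gre(
    ETH_IPV4, build_ipv4("192.168.1.10", "192.168.2.20", 1, b"\x08\x00" + b"\x00" * 6)))
KEEPALIVE = build_ipv4("198.51.100.1", "203.0.113.1", GRE_PROTO, build_gre(
    ETH_IPV4, build_ipv4("203.0.113.1", "198.51.100.1", GRE_PROTO, build_gre(0, b""))))

if __name__ == "__main__":
    for name, pkt in (("icmp", TUNNELLED_ICMP), ("keepalive", KEEPALIVE)):
        print(name, classify(pkt))
```

In practice you would feed `classify` the raw bytes of each protocol-47 packet from a capture taken on the WAN interface (on FortiOS the built-in sniffer is invoked as `diagnose sniffer packet <interface> 'proto 47' <verbosity>`; the exact verbosity levels are a detail to check against your firmware's help text). Seeing only `cisco-keepalive` packets arriving and nothing going back is exactly the symptom Marco hit: the probes are being dropped rather than routed back, so the Cisco side never sees its own keepalive return.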
Hello Marco,
I have my configuration almost the same as yours, between a FG 60D (FortiOS 5.4) and a Cisco L3 4500. The tunnel on the Cisco router is configured only with the source and destination... and on the FG I have almost the same as your configuration except the "mtu", "tcp-mss" and "log", but the tunnel doesn't come up.
Regards,
AM
I am looking at GRE because I need a setup to stretch one network subnet over two offices. Do you think this would be possible?
Hi, is it possible to set a different IP segment for the local/remote gw?
config system gre-tunnel
edit "GRETUNNEL"
set interface "port14"
set local-gw 172.16.1.1 <-- 172 segment
set remote-gw 10.39.52.1 <-- 10 segment
next
end
Hi Muhammad,
It is possible, but you need to make sure they can reach each other and that GRE is allowed between them on every gateway along the way :)
Please help me with how to delete a GRE tunnel from the Fortigate 800C in CLI mode.