Fortigate GRE tunnel


I like working with GRE most of all because it is the easiest way to connect two firewalls or routers when strong encryption is not needed.
So let's create a tunnel on a Forti firewall.
· First, use the CLI to create the tunnel itself:
config system gre-tunnel
    edit "GRE-Test"
        set interface "wan1"
        set local-gw [WAN IP]
        set remote-gw [Peers' IP]
    next
end

The rest can be done via the GUI; I will post both the GUI and the CLI versions.

Configuring via the GUI looks like this:
· Configure the interface

· And add rules for the tunnel

To continue via the CLI use:
config system interface
    edit "GRE-Test"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 1.1.1.2
        set interface "wan1"
    next
end

config firewall policy
    edit 3
        set srcintf "GRE-Test"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set logtraffic-app disable
        set schedule "always"
        set service "ANY"
    next
    edit 4
        set srcintf "internal"
        set dstintf "GRE-Test"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set logtraffic-app disable
        set schedule "always"
        set service "ANY"
    next
end
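The three CLI blocks above are the whole procedure. As an added example (mine, not the post's configuration or a Fortinet tool), the script below parses FortiOS CLI text of that shape and runs the checks a reviewer would apply before committing it: that the `system gre-tunnel` and `system interface` entries share a name and physical port, and that the policies touching the tunnel are not wide open (all/all/ANY) with logging switched off. The embedded config is the post's own, except that the `[WAN IP]` and `[Peers' IP]` placeholders are replaced with constructed documentation addresses (203.0.113.10 and 198.51.100.20); `logtraffic` and `logtraffic-app` are both checked because FortiOS has used both keys.

```python
import shlex

# FortiOS CLI excerpt as shown in the post, embedded so the check runs offline.
# [WAN IP] / [Peers' IP] are replaced with constructed documentation addresses.
SAMPLE_CONFIG = """
config system gre-tunnel
    edit "GRE-Test"
        set interface "wan1"
        set local-gw 203.0.113.10
        set remote-gw 198.51.100.20
    next
end
config system interface
    edit "GRE-Test"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 1.1.1.2
        set interface "wan1"
    next
end
config firewall policy
    edit 3
        set srcintf "GRE-Test"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set logtraffic-app disable
        set schedule "always"
        set service "ANY"
    next
    edit 4
        set srcintf "internal"
        set dstintf "GRE-Test"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set logtraffic-app disable
        set schedule "always"
        set service "ANY"
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Parse flat FortiOS CLI (config / edit / set / next / end) into
    {table: {entry: {key: [values]}}}. Sub-tables nested inside an entry
    are not modelled; the post's excerpt has none."""
    tables: dict = {}
    open_tables: list = []      # stack of 'config ...' paths currently open
    current = None              # (table, entry) while inside edit ... next
    for raw in text.splitlines():
        tokens = shlex.split(raw)   # handles quoted names such as "GRE-Test"
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            path = " ".join(args)
            open_tables.append(path)
            tables.setdefault(path, {})
        elif keyword == "edit":
            current = (open_tables[-1], args[0])
            tables[current[0]].setdefault(current[1], {})
        elif keyword == "set" and current:
            tables[current[0]][current[1]][args[0]] = args[1:]
        elif keyword == "next":
            current = None
        elif keyword == "end":
            open_tables.pop()
    return tables


def lint_tunnel(tables: dict, tunnel: str) -> list:
    """Return (object, message) pairs a reviewer would raise about the tunnel."""
    findings = []
    gre = tables.get("system gre-tunnel", {}).get(tunnel)
    iface = tables.get("system interface", {}).get(tunnel)
    if gre is None or iface is None:
        findings.append((tunnel, "gre-tunnel and system interface entries must share this name"))
    elif gre.get("interface") != iface.get("interface"):
        findings.append((tunnel, "gre-tunnel and interface bind to different physical ports"))
    for pid, pol in tables.get("firewall policy", {}).items():
        if tunnel not in pol.get("srcintf", []) + pol.get("dstintf", []):
            continue
        if pol.get("action") != ["accept"]:
            continue
        if pol.get("srcaddr") == ["all"] and pol.get("dstaddr") == ["all"]:
            findings.append((pid, "srcaddr and dstaddr are both 'all'; restrict to the two site subnets"))
        if pol.get("service") in (["ANY"], ["ALL"]):
            findings.append((pid, "service is ANY; list the protocols the sites actually exchange"))
        for key in ("logtraffic", "logtraffic-app"):
            if pol.get(key) == ["disable"]:
                findings.append((pid, f"{key} is disabled; keep tunnel traffic logged"))
    return findings


if __name__ == "__main__":
    for obj, msg in lint_tunnel(parse_fortios(SAMPLE_CONFIG), "GRE-Test"):
        print(f"{obj}: {msg}")
```

Run against the post's config it reports three findings for each of policies 3 and 4; the tunnel entries themselves pass. Replace `"all"`/`"ANY"` with the two site subnets and the services actually needed, and the findings disappear.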



That's it. I suggest adding a dynamic routing protocol to learn the networks on each end; I prefer OSPF for this configuration, done from Router > Dynamic > OSPF, using settings like these:


Now we have full connectivity between 2 sites without using encryption.
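The closing point is that this tunnel carries traffic without encryption. The following added example (mine, not from the post) builds a GRE-in-IPv4 packet of the kind the tunnel above emits between constructed stand-ins for `[WAN IP]` and `[Peers' IP]` (203.0.113.10 and 198.51.100.20), parses the GRE header per RFC 2784/2890, and shows two things a defender should take from that statement: the inner packet and its application data are readable by anyone on the path, and a capture on wan1 can be checked so that GRE (IP protocol 47) appears only between the two configured gateways. The host addresses and the UDP payload are constructed sample data.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO = 47            # IP protocol number for GRE (what a WAN capture filter matches)
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an encapsulated IPv4 packet

# Constructed stand-ins for the post's [WAN IP] and [Peers' IP] placeholders.
LOCAL_GW, REMOTE_GW = "203.0.113.10", "198.51.100.20"


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet without options, used only to construct the sample."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(buf: bytes) -> dict:
    ihl = (buf[0] & 0x0F) * 4
    return {"proto": buf[9], "src": str(IPv4Address(buf[12:16])),
            "dst": str(IPv4Address(buf[16:20])), "payload": buf[ihl:]}


def parse_gre(buf: bytes) -> dict:
    """RFC 2784 header (C bit, version, protocol type) plus the RFC 2890
    key and sequence-number fields when their flag bits are set."""
    flags_ver, proto_type = struct.unpack("!HH", buf[:4])
    hdr = {"version": flags_ver & 0x0007, "protocol_type": proto_type,
           "key": None, "seq": None}
    off = 4
    if flags_ver & 0x8000:            # C: checksum + reserved1
        off += 4
    if flags_ver & 0x2000:            # K: 32-bit key
        hdr["key"] = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if flags_ver & 0x1000:            # S: sequence number
        hdr["seq"] = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    hdr["payload"] = buf[off:]
    return hdr


def inspect_gre(packet: bytes, local_gw: str, remote_gw: str) -> dict:
    """Decode one outer packet from a WAN capture: confirm it is GRE between the
    two configured gateways, then expose what the tunnel carries in the clear."""
    outer = parse_ipv4(packet)
    result = {"outer": (outer["src"], outer["dst"]),
              "is_gre": outer["proto"] == GRE_PROTO,
              "peers_ok": {outer["src"], outer["dst"]} == {local_gw, remote_gw},
              "inner": None, "cleartext": None}
    if not result["is_gre"]:
        return result
    gre = parse_gre(outer["payload"])
    if gre["protocol_type"] == ETHERTYPE_IPV4:
        inner = parse_ipv4(gre["payload"])
        result["inner"] = (inner["src"], inner["dst"], inner["proto"])
        if inner["proto"] == 17:     # UDP: skip the 8-byte header to reach the data
            result["cleartext"] = inner["payload"][8:].decode("ascii", "replace")
    return result


def sample_packet(src_gw: str = LOCAL_GW, dst_gw: str = REMOTE_GW) -> bytes:
    """Constructed GRE-in-IPv4 packet: site A host 10.0.1.5 sending a UDP
    datagram to site B host 10.0.2.7 through the tunnel."""
    data = b"hello from site A"
    udp = struct.pack("!HHHH", 40000, 514, 8 + len(data), 0) + data   # UDP checksum left 0
    inner = build_ipv4("10.0.1.5", "10.0.2.7", 17, udp)
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4) + inner        # bare header, no key/seq
    return build_ipv4(src_gw, dst_gw, GRE_PROTO, gre)


if __name__ == "__main__":
    print(inspect_gre(sample_packet(), LOCAL_GW, REMOTE_GW))
    print(inspect_gre(sample_packet(src_gw="192.0.2.99"), LOCAL_GW, REMOTE_GW))
```

The first call returns the inner 10.0.1.5 -> 10.0.2.7 datagram with `hello from site A` fully legible, which is exactly what a tap between the two WAN addresses would see; the second, with a source outside the configured pair, is still valid GRE but fails `peers_ok`, the condition worth alerting on. If confidentiality matters, run the GRE tunnel inside an IPsec tunnel or use IPsec directly.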

I hope this post was helpful. If it was, please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

13 comments:

  1. Hi, I know you wrote this a long time ago. Some days ago I tried your config, and I am pretty sure I got the right config. Is there any method to check whether the GRE tunnel is up or not, or some kind of debug?

    I am connecting to a Cisco ASA.

    We use a leased line (direct) to our end client.

    Fortigate 200B -> PORT14 (192.168.0.2/30)
    Static Route 192.168.0.4/30 -> 192.168.0.1
    GRE LOCAL 192.168.0.2
    GRE REMOTE 192.168.0.6

    GRE TUNNEL
    LOCAL 10.1.0.10/32
    REMOTE 10.1.0.9

    I created the policy the same as yours. My end requests me to connect to a device with IP 172.16.0.X behind the tunnel.

    I created a static route:

    172.16.0.x/24 -> GRE TUNNEL (is this correct?)

    We do not use dynamic routing, and it is not possible per the connection rule. The policy to allow the traffic through the tunnel is NAT (because they only allow traffic from our tunnel IP 10.1.0.10).

    I really need help to get this done, but I have no idea how to debug GRE in Fortigate :( or whether I am doing something wrong :(

    Replies
    1. Hi Marco,

      In case you used the configuration I have posted, the tunnel should be up and traffic should flow through. To make sure, I would start a sniffer on the remote side to verify. You can also start a capture on the Fortigate by using '# diagnose sniffer'.

      A small detail regarding the route you made: is it pointing to the GRE interface itself or to the remote IP of the tunnel? I would use the remote IP just to be sure.

      In case you still need help, please post your configuration (preferably from both the Fortigate and the ASA); you may send it via mail for more security.

    2. Hi,

      I have 2 ISPs connected to a Fortigate firewall at the client location, and at the core level is a Juniper router. Failover is not happening through the GRE tunnel since there is no keepalive option in Fortigate. Is there any option to make failover work through a GRE tunnel in Fortigate?

  2. Ok, here we go, this is my config (FORTIGATE)

    Here is the interface (physical) config:

    edit 10
    set device "port14"
    set dst 10.49.1.0 255.255.255.252
    set gateway 10.49.1.137
    next

    This is the static route created to communicate with the remote peer:

    config router static
        edit 10
            set device "port14"
            set dst 10.49.1.0 255.255.255.252
            set gateway 10.49.1.137
        next
    end

    I can ping the remote peer and they can ping me back.

    Here is the GRE-TUNNEL config

    config system gre-tunnel
    edit "GRETUNNEL"
    set interface "port14"
    set local-gw 10.49.1.138
    set remote-gw 10.49.1.2
    next
    end

    Here is the GRE tunnel interface config:

    config system interface
        edit "GRETUNNEL"
            set vdom "root"
            set ip 10.55.0.138 255.255.255.255
            set allowaccess ping
            set log enable
            set type tunnel
            set tcp-mss 1496
            set remote-ip 10.55.0.137
            set mtu 1496
            set interface "port14"
        next
    end

    About the static route, I agree with you; I believe I need to create the route similar to:

    172.16.0.0/16 gw 10.55.0.137 (is it ok?)

    I don't have access to the Cisco router because it's from one of our providers. I can only see that my device shows the interface with status (it does not show an up or down arrow in the GUI).

    I believe it's only one small thing to get this done, because it's so simple, but debugging is killing me. I will try your advice.

    Greeting

    Marco

  3. Finally I got it. I did the debug, and I never got traffic from the REMOTE-PEER. I called the network admin of the REMOTE-PEER, and he removed the "keep-alive" and immediately I got GRE traffic and the tunnel came up. The main issue now is with "policies and the static route", but I believe now I am more "in" rather than "out". I sent the config per email, but now the issue is a different one; I will try to figure it out, but any help will be appreciated.

    Replies
    1. Hello Marco,

      My configuration is almost the same as yours, between a FG 60D (FortiOS 5.4) and a Cisco L3 4500. The tunnel on the Cisco router is only with the source and destination... and on the FG I have almost the same as your configuration except the "mtu", "tcp-mss" and "log", but the tunnel doesn't come up.

      Regards,
      AM

  4. I am looking at GRE because I need a setup to stretch one network subnet over 2 offices. Do you think this would be possible?

  5. Hi, is it possible to set a different IP segment for the local/remote gw?

    config system gre-tunnel
    edit "GRETUNNEL"
    set interface "port14"
    set local-gw 172.16.1.1 <-- 172 segment
    set remote-gw 10.39.52.1 <-- 10 segment
    next
    end

    Replies
    1. Hi Muhammad,
      It is possible, but you need to make sure they can reach each other and GRE is allowed between them on any gateway along the way :)
