Question about GRE over IPSEC

Forum|Forum|7 years ago
August 30, 2018
1 reply
7481 views

Hi, Masters

I ran into a problem about GRE over IPSEC.

For Cisco, it's quite common for such situation:

router1 port1: 1.1.1.1/24 <----> router2 port1: 1.1.1.2/24

router1 tunnel0: 2.2.2.1/30 <---> router2 tunnel0: 2.2.2.2/30 (tunnel source and destination are port1 above)

After S2S vpn is created based on port1 connection, dynamic routing can be enabled on tunnel0 interface, for instance, OSPF neighbor can be created between 2.2.2.1 and 2.2.2.2.

However, for Fortigate, it doesn't seem to work like that.

I used the VPN wizard to create S2S VPN between 2 fortigates.

Then there will be "automatically" created ipsec tunnel interfaces on both sides. Based on documents I read, we can set ip addresses on these two tunnel interfaces right?

First problem is that we can only set "/32" for tunnel interface ip address...

After I set up /32 tunnel interfaces on both sides (router1: 2.2.2.1/32; router2: 2.2.2.2/32), I created one static route on both sides, for instance, on router1, there's:

destination 2.2.2.2/32, outgoing interface: ipsec tunnel interface (2.2.2.1)

There comes the 2nd problem (VPN already up):

From router1 CLI, I can't ping 2.2.2.2 from 2.2.2.1....

Could anyone please help answer the question? Or where did I do anything wrong? "Ping" option has been checked on both tunnel interfaces.

Thanks.

Ashik_Sheik

New Member

Hi,

Can you follow below link .

http://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-ipsecvpn-52/Protecting_OSPF_with_IPsec/OSPF_over_IPsec_Config.htm

Regds,

Ashik

Toshi_Esumi

SuperUser

As in ashik's link, you don't need GRE to set up OSPF or BGP peering over IPSec because FGT's default IPSec config is now interface-based (or route based in Cisco's term), which has end-point interface IP you can pear with or route toward. GRE is necessary when IPSec is policy-based. We don't use this much any more because GRE add quite significant overhead. Even with Cisco routers, you can use route-based (VTI based instead of cryptomap) IPsec to pass routing protocol over it without GRE tunnel.

ede_pfau

SuperUser

@OP:

1- why is a host address for a tunnel endpoint a problem? It's just for this tunnel end.

2- you don't need any static route to reach the remote tunnel end via it's IP address.

3- if ping doesn't work, it's probably because the source address used is not suitable for the tunnel (phase2 selectors). Use

exec ping-options source a.b.c.d

to change the source address used by the system.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded