Description
This article describes how to configure and troubleshoot a GRE tunnel between two FortiGates.
Scope
FortiGate
Solution
Topology.
Steps.
- Configure GRE-Tunnel.
- Configure GRE-Interface.
- Configure BGP.
- Configure bidirectional policies.
Configure GRE-Tunnel.
config system gre-tunnel
    edit "GRE2"
        set interface "wan1"
        set local-gw 10.5.19.129
        set remote-gw 10.5.25.13
    next
end
Configure GRE-Interface.
config system interface
    edit "GRE2"
        set ip 1.1.10.1 255.255.255.255
        set type tunnel
        set remote-ip 1.1.10.2
        set interface "wan1"
    next
end
Configure BGP.
Chetu-FGT (bgp) # show
config router bgp
    set as 100
    set router-id 1.1.10.1
    set network-import-check disable
    config neighbor
        edit "1.1.10.2"
            set remote-as 101
        next
    end
end
Configure respective policies.
- Create a reverse policy as well (shown below).
Chetu-FGT (policy) # show
config firewall policy
    edit 3
        set srcintf "GRE2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments " (Copy of GREpolicy) (Reverse of GREpolicy)"
    next
end
Verification.
Chetu-FGT # get system interface | grep "name: GRE2"
name: GRE2 ip: 1.1.10.1 255.255.255.255 status: up netbios-forward: disable type: tunnel netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy:
Chetu-FGT # get router info bgp summary
VRF 0 BGP router identifier 1.1.10.1, local AS number 101
BGP table version is 1
2 BGP AS-PATH entries
0 BGP community entries
Neighbor   V   AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
1.1.10.2   4  100      130      319       0    0     0  00:03:06             1
Total number of neighbors 1
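The two verification commands above can be checked automatically when troubleshooting. The following is an added example, not Fortinet's code: it parses saved output of both commands and reports a tunnel that is not up or a BGP neighbor whose last column shows a state name instead of a prefix count. The sample output is constructed from the output shown above, and the second neighbor row (1.1.10.6) is hypothetical.

```python
import re

# Constructed sample output, modelled on the two commands in the Verification section.
IFACE_OUTPUT = "name: GRE2 ip: 1.1.10.1 255.255.255.255 status: up netbios-forward: disable type: tunnel"
BGP_OUTPUT = """\
VRF 0 BGP router identifier 1.1.10.1, local AS number 101
BGP table version is 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
1.1.10.2 4 100 130 319 0 0 0 00:03:06 1
1.1.10.6 4 100 0 12 0 0 0 never Active
Total number of neighbors 2
"""

def tunnel_status(output, name):
    """Return the 'status:' value for the named interface, or None if it is absent."""
    for line in output.splitlines():
        m = re.search(r"name:\s*(\S+).*?\bstatus:\s*(\S+)", line)
        if m and m.group(1) == name:
            return m.group(2)
    return None

def bgp_neighbors(output):
    """Parse neighbor rows; a numeric last column means Established with that many prefixes."""
    rows = []
    for line in output.splitlines():
        f = line.split()
        # Neighbor rows have 10 columns and start with an IPv4 address.
        if len(f) == 10 and re.fullmatch(r"\d+(\.\d+){3}", f[0]):
            up = f[9].isdigit()
            rows.append({"neighbor": f[0], "remote_as": int(f[2]), "up_down": f[8],
                         "established": up,
                         "prefixes": int(f[9]) if up else 0,
                         "state": "Established" if up else f[9]})
    return rows

def findings(iface_out, bgp_out, tunnel):
    """Return a list of problems worth investigating; an empty list means both checks pass."""
    out = []
    if tunnel_status(iface_out, tunnel) != "up":
        out.append(f"{tunnel}: interface not up")
    for n in bgp_neighbors(bgp_out):
        if not n["established"]:
            out.append(f"{n['neighbor']}: BGP session in state {n['state']}")
        elif n["prefixes"] == 0:
            out.append(f"{n['neighbor']}: established but no prefixes received")
    return out

if __name__ == "__main__":
    for item in findings(IFACE_OUTPUT, BGP_OUTPUT, "GRE2"):
        print(item)
```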