Technical Tip: Configuring and verifying a GRE tunnel between two FortiGates (static routing)

rmetzger · ‎10-14-2009

Description

This article describes how to configure and troubleshoot a GRE tunnel between two FortiGates.

Additional information about GRE is available in the related articles at the end of this document or in the FortiGate CLI Reference or Administration guide at https://docs.fortinet.com

Scope

FortiGate or VDOM in NAT mode.

Support for GRE tunneling was added in FortiOS 3.0.

Diagram

The following topology is used:

   

Expectations, Requirements

- Establish a GRE tunnel between both FortiGates to be able to reach each remote LAN 10.x.x.x.

- The GRE interface will remain unnumbered and remote subnets reachable with static routes.

Configuration

CLI configuration of FortiGate 1

# config system interface

edit "port1"

set ip 198.51.100.1 255.255.255.0

set alias Internet

set ip 10.1.1.254 255.255.255.0

set alias LAN

# config system gre-tunnel
    edit "toFG2"
        set interface "port1"
        set local-gw 198.51.100.1
        set remote-gw 203.0.113.2
    next
end

# config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "toFG2"
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ALL"
    next
    edit 0
        set srcintf "toFG2"
        set dstintf "port2"
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ALL"
    next
end

# config router static
  edit 0
        set device "port1"
        set gateway 198.51.100.254

set comment "default-route to Internet ISP"
    next
edit 0
        set device "toFG2"
        set dst 10.2.2.0 255.255.255.0
    next
end

CLI configuration of FortiGate 2

# config system interface

edit "port1"

set ip 203.0.113.2 255.255.255.0

set alias Internet

set ip 10.2.2.254 255.255.255.0

set alias LAN

# config system gre-tunnel

edit "toFG1"

        set interface "port1"
        set local-gw 203.0.113.2
        set remote-gw 198.51.100.1
    next
end

# config firewall policy
edit 0
        set srcintf "port2"
        set dstintf "toFG1"
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ALL"
    next
edit 0
        set srcintf "toFG1"
        set dstintf "port2"
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ALL"
    next
end

# config router static

edit 0
set device "port1"
set gateway 203.0.113.254

set comment "default-route to Internet ISP"
next

edit 0
        set device "toFG1"
        set dst 10.1.1.0 255.255.255.0
    next
end

Verification

Routing table of FortiGate 1:

# get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*   0.0.0.0/0 [10/0] via 198.51.100.254, port1
C 10.1.1.0/24 is directly connected, port2
S 10.2.2.0/24 [10/0] is directly connected, toFG2
C 198.51.100.0/24 is directly connected, port1

Routing table of FortiGate 2:

# get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

S* 0.0.0.0/0 [10/0] via 203.0.113.254, port1
C 10.2.2.0/24 is directly connected, port2
S 10.1.1.0/24 [10/0] is directly connected, toFG1
C 203.0.113.0/24 is directly connected, port1

Note: Both routing tables show that the remote subnets 10.x.x.x appear as pseudo-connected (a static route appearing as directly connected and pointing to a local interface instead of a next-hop).

Verify the GRE tunnels:

# diag sys gre list

vd=0 devname=toFG1 devindex=3 ifindex=22
saddr=203.0.113.2 daddr=198.51.100.1 ref=0
key=0/0 flags=0/0

total tunnel = 1

# diag netlink interface list | grep -A1 "toFG1"

if=toFG1 family=00 type=778 index=22 mtu=1476 link=0 master=0

ref=12 state=off start fw_flags=0 flags=up p2p run noarp multicast

# get system interface

[...]

== [ toFG1 ]
name: toFG1 ip: 0.0.0.0 0.0.0.0 status: up netbios-forward: disable type: tunnel netflow-sampler: disable sflow-sampler: disable scan-botnet-connections: disable explicit-web-proxy: disable explicit-ftp-proxy: disable wccp: disable

Troubleshooting

While starting a ping from PC1 to PC2, take a sniffer trace on either FortiGate to see if the traffic reaches and is forwarded on all interfaces (see also the related article about using the sniffer on GRE interfaces).

# diagnose sniffer packet any "icmp" 4

interfaces=[any]
filters=[icmp]
2.901412 port2 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
2.901429 toFG2 out 10.1.1.1 -> 10.2.2.2: icmp: echo request
2.901954 toFG2 in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
2.901979 port2 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply

# diagnose sniffer packet any "icmp" 4

interfaces=[any]
filters=[icmp]
7.241465 toFG1 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
7.241529 port2 out 10.1.1.1 -> 10.2.2.2: icmp: echo request
7.241815 port2 in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
7.241836 toFG1 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply

Additional info on GRE offloading:

Use the # diagnose npu np6 npu-feature command to see the NP6 features that are enabled on the FortiGate and those that are not.

# diagnose npu np6 npu-feature

np_0 np_1

------------------- --------- ---------

Fastpath Enabled Enabled

HPE-type-shaping Disabled Disabled

Standalone No No

IPv4 firewall Yes Yes

IPv6 firewall Yes Yes

IPv4 IPSec Yes Yes

IPv6 IPSec Yes Yes

IPv4 tunnel Yes Yes

IPv6 tunnel Yes Yes

GRE tunnel No No

GRE passthrough Yes Yes

IPv4 Multicast Yes Yes

IPv6 Multicast Yes Yes

CAPWAP Yes Yes

RDP Offload Yes Yes

Some of these parameters are configurable, however, GRE is not one of them. (GRE tunnel cannot be enabled using a CLI command.)

GRE tunnel means, FortiGate offloading the GRE tunnel that is terminated on FortiGate.
GRE passthrough means, FortiGate offloading GRE traffic 'flowing' through FortiGate.

Sample GRE tunnel session output:

# diagnose sys session list

session info: proto=47 proto_state=00 duration=54 expire=5 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=704/11/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 12/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=31->10/10->31 gwy=10.5.50.36/0.0.0.0
hook=pre dir=org act=noop 10.5.51.89:0->10.5.50.36:0(0.0.0.0:0)
hook=post dir=reply act=noop 10.5.50.36:0->10.5.51.89:0(0.0.0.0:0)
misc=0 policy_id=8 auth_info=0 chk_client_info=0 vd=0
serial=005c9b23 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=00000000
no_ofld_reason: npu-flag-off
total session 1

Sample GRE passthrough session output:

session info: proto=47 proto_state=00 duration=103 expire=8 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=4488/51/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 43/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=23->10/10->23 gwy=10.5.50.36/0.0.0.0
hook=post dir=org act=snat 3.3.3.3:0->4.4.4.4:0(10.5.51.89:0)
hook=pre dir=reply act=dnat 4.4.4.4:0->10.5.51.89:0(3.3.3.3:0)
misc=0 policy_id=10 auth_info=0 chk_client_info=0 vd=0
serial=005d9f3b tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x000400
npu info: flag=0x81/0x00, offload=8/0, ips_offload=0/0, epid=131/0, ipid=144/0, vlan=0x0000/0x0000
vlifid=144/0, vtag_in=0x0000/0x0000 in_npu=1/0, out_npu=1/0, fwd_en=0/0, qid=2/0
no_ofld_reason:

Looking at the outputs, it can be seen that the second session is offloaded.

Related Articles:

Technical Note: Restricting the built-in Sniffer to a GRE interface

Technical Note: Configuring OSPF on a GRE tunnel between two FortiGates

Technical Note: Configuring and verifying a GRE over IPsec tunnel

Technical Note: Configuring and verifying a GRE over IPsec tunnel using 'encapsulation gre'