FortiGate
msanjaypadma
Staff
Article Id 366958
Description

This article describes how to configure a GRE tunnel with policy routing on a FortiGate.

 

Scope

FortiGate.

 

Solution

In the following scenario, traffic from LAN users (behind port2) destined for the single host 1.1.1.1/32 is separated from the rest and forwarded through a GRE tunnel. All other traffic follows the default route out of port1, which connects to the ISP for internet access. Keep in mind that GRE provides neither encryption nor authentication: the segregated traffic crosses the underlay in clear text inside the GRE encapsulation, so if confidentiality is required the tunnel must be protected with IPsec.

 

Refer to the steps below:

 

[Diagram: Gretunnel Policy Route.PNG (LAN on port2, ISP on port1, GRE tunnel GreTunnel1 over port1)]

 

Step 1: Configure the GRE tunnel.

For the tunnel configuration itself, see the Technical Tip: Configuring and verifying a GRE tunnel between two FortiGates (static routing). The relevant parts of the configuration used here are shown below.


FortiGate # show sys interface port1
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.5.26.3 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 1
    next
end

 

FortiGate # show sys gre-tunnel
config system gre-tunnel
    edit "GreTunnel1"
        set interface "port1"
        set remote-gw 10.5.26.6
        set local-gw 10.5.26.3
    next
end

 

In the current configuration there is only a single default route, pointing to the port1 interface (the underlay). Note also that port1, the ISP-facing interface, has http and telnet in its allowaccess list; these are cleartext management protocols and should not be enabled on an untrusted interface in production.

 

FortiGate # get router info routing-table details 0.0.0.0

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* 10.5.31.254, via port1 distance 0

 

No route is configured toward the GRE tunnel interface.

 

Step 2: Configure the policy route for the GRE tunnel.

CLI:

 

config router policy
    edit 1
        set input-device "port2"
        set src "0.0.0.0/0.0.0.0"
        set dst "1.1.1.1/255.255.255.255"
        set output-device "GreTunnel1"
    next
end

 

GUI:

[Screenshot: policyroute.PNG (the same policy route entered in the GUI)]

 

If the GUI returns an error such as 'Invalid IPv4 address' while creating the policy route, create the policy route from the CLI instead, where the gateway can be left at 0.0.0.0. Otherwise, assign an IP address to the GRE tunnel interface and use its remote IP as the policy-route gateway (see Scenario 3).

 

If the gateway is left at 0.0.0.0, a route (static or dynamic) pointing to the GRE tunnel interface must exist. Without such a route the policy route is not applied and the traffic follows the regular routing table, as the following scenarios show.

Examples:

 

Scenario 1: The policy-route gateway is 0.0.0.0 and there is no route toward the GRE tunnel.

Result:

Traffic is sent via port1; the policy route is not applied.

Configuration:


FortiGate # show router policy
config router policy
    edit 1
        set input-device "port2"
        set src "0.0.0.0/0.0.0.0"
        set dst "1.1.1.1/255.255.255.255"
        set output-device "GreTunnel1"
    next
end

Logs:


FortiGate # dia sniffer packet any "host 1.1.1.1 and icmp" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 1.1.1.1 and icmp]
2024-12-26 22:12:35.537329 port2 in 172.31.131.36 -> 1.1.1.1: icmp: echo request
2024-12-26 22:12:35.537341 port1 out 10.5.26.3 -> 1.1.1.1: icmp: echo request

 

Scenario 2: The policy-route gateway is 0.0.0.0 and a default route is added toward the GRE tunnel.

Result:

Traffic is sent via the GRE tunnel and the policy route is applied. Note that the added default route has the same distance as the existing one, so both appear as best in the routing table; traffic that does not match the policy route may then be ECMP-balanced between port1 and the tunnel. To keep port1 preferred while leaving the tunnel route active (the policy route needs an active route via its output device), give the tunnel route a higher priority rather than a higher distance, or use a more specific static route for 1.1.1.1/32 via GreTunnel1 instead of a second default route.

Configuration:

 

FortiGate (4) # show
config router static
    edit 4
        set device "GreTunnel1"
    next
end

 

FortiGate # show router policy
config router policy
    edit 1
        set input-device "port2"
        set src "0.0.0.0/0.0.0.0"
        set dst "1.1.1.1/255.255.255.255"
        set output-device "GreTunnel1"
    next
end

Logs:

 

FortiGate # get router info routing-table details 0.0.0.0

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* 10.5.31.254, via port1 distance 0
* directly connected, GreTunnel1 distance 0

 

FortiGate # dia sniffer packet any "host 1.1.1.1 and icmp" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 1.1.1.1 and icmp]
2024-12-26 22:08:05.694667 port2 in 172.31.131.36 -> 1.1.1.1: icmp: echo request
2024-12-26 22:08:05.695368 GreTunnel1 out 10.5.26.3 -> 1.1.1.1: icmp: echo request
2024-12-26 22:08:10.308041 port2 in 172.31.131.36 -> 1.1.1.1: icmp: echo request
2024-12-26 22:08:10.308053 GreTunnel1 out 10.5.26.3 -> 1.1.1.1: icmp: echo request

 

Alternatively:

Scenario 3: An IP address is assigned to the GRE tunnel interface and the policy-route gateway is set to the remote next-hop IP address; no additional route (neither static nor dynamic) toward the destination is configured.

Result:

Traffic is sent via the GRE tunnel and the policy route is applied.

Configuration:

 

FortiGate # show sys interface GreTunnel1
config system interface
    edit "GreTunnel1"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255  <-- Assigned /32 IP address on tunnel interface.
        set type tunnel
        set remote-ip 10.10.10.2 255.255.255.252    <-- Assigned /30 subnet as a remote next-hop IP address.
        set snmp-index 11
        set interface "port1"
    next
end

 

FortiGate # show router policy
config router policy
    edit 1
        set input-device "port2"
        set src "0.0.0.0/0.0.0.0"
        set dst "1.1.1.1/255.255.255.255"
        set gateway 10.10.10.2 <-- Configure the Gateway IP address.
        set output-device "GreTunnel1"
    next
end

 

[Screenshot: gateway ip address.PNG (policy route with the gateway set to 10.10.10.2)]


Logs: 


FortiGate # dia sniffer packet any "host 1.1.1.1 and icmp" 4 0 l

Using Original Sniffing Mode
interfaces=[any]
filters=[host 1.1.1.1 and icmp]
2024-12-26 23:12:04.649824 port2 in 172.31.131.36 -> 1.1.1.1: icmp: echo request
2024-12-26 23:12:04.649976 GreTunnel1 out 10.10.10.1 -> 1.1.1.1: icmp: echo request
2024-12-26 23:12:13.144266 port2 in 172.31.131.36 -> 1.1.1.1: icmp: echo request
2024-12-26 23:12:13.144282 GreTunnel1 out 10.10.10.1 -> 1.1.1.1: icmp: echo request
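The three scenarios above are all verified the same way: sniff traffic to the destination and check on which interface it leaves the FortiGate. The following script is an added example, not part of the original article, that automates that check. It parses the verbose-level-4 output of `diagnose sniffer packet any "<filter>" 4 0 l`, counts ingress and egress interfaces for a given destination, and reports whether the policy route (input-device port2, output-device GreTunnel1) actually took effect or whether traffic leaked to the underlay. The embedded captures are the Scenario 1 and Scenario 2 sniffer outputs from the article; the TCP line format with ports is an assumption about the sniffer output and is only exercised by the regex, not by the embedded captures.

```python
"""Verify from FortiGate sniffer output which interface traffic to a destination
actually egresses, e.g. whether a policy route steered it into a GRE tunnel or
it leaked to the underlay. Parses the verbose-level-4 line format of
`diagnose sniffer packet any "<filter>" 4 0 l` as shown in the article."""
import re
from collections import Counter

# One packet line at verbose level 4 (port suffix on src/dst assumed for TCP/UDP):
#   <date> <time> <iface> <in|out> <src>[.<sport>] -> <dst>[.<dport>]: <rest>
PACKET_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)


def parse_sniffer(text):
    """Return a list of packet dicts; header lines (interfaces=, filters=, ...) are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def interfaces_by_direction(packets, dst, direction):
    """Count the interfaces on which packets to `dst` were seen in `direction` ('in' or 'out')."""
    return dict(Counter(p["iface"] for p in packets
                        if p["dir"] == direction and p["dst"] == dst))


def policy_route_applied(text, dst, expected_in, expected_out):
    """Decide whether a policy route (input-device=expected_in, output-device=expected_out)
    took effect for traffic to `dst`.

    Returns (applied, ingress_counts, egress_counts). `applied` is True only when
    every captured egress packet for dst left via expected_out and the traffic
    entered on expected_in; any packet leaving via another interface (e.g. the
    underlay port1) means the policy route was bypassed.
    """
    packets = parse_sniffer(text)
    ingress = interfaces_by_direction(packets, dst, "in")
    egress = interfaces_by_direction(packets, dst, "out")
    applied = bool(egress) and set(egress) == {expected_out} and expected_in in ingress
    return applied, ingress, egress


# Sniffer output from Scenario 1 in the article (policy route bypassed, egress via port1).
SCENARIO1 = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[host 1.1.1.1 and icmp]
2024-12-26 22:12:35.537329 port2 in 172.31.131.36 -> 1.1.1.1: icmp: echo request
2024-12-26 22:12:35.537341 port1 out 10.5.26.3 -> 1.1.1.1: icmp: echo request
"""

# Sniffer output from Scenario 2 in the article (policy route applied, egress via GreTunnel1).
SCENARIO2 = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[host 1.1.1.1 and icmp]
2024-12-26 22:08:05.694667 port2 in 172.31.131.36 -> 1.1.1.1: icmp: echo request
2024-12-26 22:08:05.695368 GreTunnel1 out 10.5.26.3 -> 1.1.1.1: icmp: echo request
2024-12-26 22:08:10.308041 port2 in 172.31.131.36 -> 1.1.1.1: icmp: echo request
2024-12-26 22:08:10.308053 GreTunnel1 out 10.5.26.3 -> 1.1.1.1: icmp: echo request
"""


if __name__ == "__main__":
    for name, capture in (("Scenario 1", SCENARIO1), ("Scenario 2", SCENARIO2)):
        applied, ingress, egress = policy_route_applied(capture, "1.1.1.1", "port2", "GreTunnel1")
        print(f"{name}: policy route applied={applied} ingress={ingress} egress={egress}")
```

Paste the output of the sniffer command into `policy_route_applied` (or read it from a file) after each configuration change; if any egress is counted on port1, the policy route is being bypassed, which in this article means the gateway is 0.0.0.0 and no active route via GreTunnel1 exists.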