This article will show:
config vpn ipsec phase1-interface
    edit "vpnGREoverIPSEC"
        set interface "port2"
        set proposal 3des-sha1 aes128-sha1
        set dhgrp 5
        set remote-gw 192.168.152.252
        set psksecret fortinet
    next
end

# Restrict IPsec encryption domain to protocol GRE (47)
config vpn ipsec phase2-interface
    edit "vpnGREoverIPSEC-P2"
        set encapsulation transport-mode
        set phase1name "vpnGREoverIPSEC"
        set proposal 3des-sha1 aes128-sha1
        set dhgrp 5
        set protocol 47
    next
end
config system gre-tunnel
    edit "gre1"
        set interface "vpnGREoverIPSEC"
        set local-gw 192.168.152.128
        set remote-gw 192.168.152.252
    next
end

config router static
    edit 2
        set dst 192.168.152.252 255.255.255.255
        set device "vpnGREoverIPSEC"
        set comment "Reach GRE endpoint via IPsec tunnel"
    next
end
config firewall ippool
    edit "local-nat-pool"
        set endip 10.100.1.100
        set startip 10.100.1.1
    next
end

config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "gre1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "local-nat-pool"
    next
    edit 2
        set srcintf "gre1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set srcintf "vpnGREoverIPSEC"
        set dstintf "vpnGREoverIPSEC"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "No traffic flowing through this policy. Just an 'activator' for IPsec"
    next
end
# Loopback address is used for BGP peering
config system interface
    edit "Loopback1"
        set vdom "root"
        set ip 100.0.1.1 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end

# BGP peering address is reachable via the GRE tunnel
config router static
    edit 3
        set device "gre1"
        set dst 100.0.1.2 255.255.255.255
        set comment "Reach BGP peer via GRE tunnel"
    next
end

# Firewall policies
config firewall policy
    edit 6
        set srcintf "gre1"
        set dstintf "Loopback1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Allow inbound BGP. No need for an outbound policy."
    next
end
# Create access-list to restrict route announcement to the NAT network
config router access-list
    edit "bgpSentToCisco"
        config rule
            edit 1
                set prefix 10.100.1.0 255.255.255.0
                set exact-match enable
            next
        end
    next
end

config router bgp
    set as 65001
    config neighbor
        edit "100.0.1.2"
            set ebgp-enforce-multihop enable
            set remove-private-as enable
            set distribute-list-out "bgpSentToCisco"
            set remote-as 65002
            set update-source "Loopback1"
        next
    end
    # Announce NAT network
    config network
        edit 1
            set prefix 10.100.1.0 255.255.255.0
        next
    end
    set router-id 100.0.1.1
end
config router static
    edit 4
        set blackhole enable
        set dst 10.100.1.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "gre1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "local-nat-pool"
    next
end

config firewall ippool
    edit "local-nat-pool"
        set endip 10.100.1.100
        set startip 10.100.1.1
    next
end
version 12.4
hostname R1
mode transport
interface Tunnel1
interface Loopback1
interface FastEthernet0/1
router bgp 65002
ip route 10.200.1.0 255.255.255.0 Null0
access-list 20 permit 10.200.1.0 0.0.0.255
Fortigate-VM64 # get router info bgp summary
BGP router identifier 100.0.1.1, local AS number 65001
BGP table version is 2
2 BGP AS-PATH entries
0 BGP community entries

Neighbor   V  AS     MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
100.0.1.2  4  65002  6       4       1      0   0    00:01:14 1

Total number of neighbors 1
Fortigate-VM64 # get router info bgp neighbors 100.0.1.2 advertised-routes
BGP table version is 2, local router ID is 100.0.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.100.1.0/24    100.0.1.1                     100  32768 i

Total number of prefixes 1
Fortigate-VM64 # get router info bgp neighbors 100.0.1.2 routes
BGP table version is 2, local router ID is 100.0.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.200.1.0/24    100.0.1.2                0           0 65002 i

Total number of prefixes 1
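The three BGP outputs above are what an operator checks by hand; the following added example (not part of the original note or of any Fortinet tool) parses the same output format to confirm the peer is Established with the expected remote AS and that only the NAT pool network is being advertised, which is the intent of the "bgpSentToCisco" distribute-list. The sample output strings are constructed to mirror the page's output, not captured from a device.

```python
import ipaddress

# Constructed sample output modelled on the page's FortiOS
# "get router info bgp summary" and "... advertised-routes" output.
SUMMARY = """\
BGP router identifier 100.0.1.1, local AS number 65001
BGP table version is 2
Neighbor   V  AS     MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
100.0.1.2  4  65002  6       4       1      0   0    00:01:14 1
Total number of neighbors 1
"""
ADVERTISED = """\
BGP table version is 2, local router ID is 100.0.1.1
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.100.1.0/24    100.0.1.1                     100  32768 i
Total number of prefixes 1
"""

def parse_summary(text):
    """Map neighbor IP -> {'as', 'uptime', 'state'} from the summary table.
    The last column holds the received-prefix count once the session is
    Established, and a state name (Idle, Active, ...) otherwise."""
    peers = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 10:
            continue
        try:
            ip = ipaddress.ip_address(f[0])
        except ValueError:
            continue  # header or summary line, not a neighbor row
        peers[str(ip)] = {'as': int(f[2]), 'uptime': f[8], 'state': f[9]}
    return peers

def established(peers, ip, remote_as):
    """True only if the expected peer is up with the expected remote AS."""
    p = peers.get(ip)
    return p is not None and p['as'] == remote_as and p['state'].isdigit()

def advertised_prefixes(text):
    """Best-path ('*>') networks the FortiGate is sending to the peer."""
    nets = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 2 and f[0] == '*>':
            nets.append(ipaddress.ip_network(f[1]))
    return nets

def leaked(prefixes, allowed):
    """Announced prefixes outside the allowed list (here the NAT pool)."""
    allowed = [ipaddress.ip_network(a) for a in allowed]
    return [str(p) for p in prefixes if p not in allowed]
```

A non-empty result from leaked() means the access-list or distribute-list-out is not doing its job and internal prefixes are reaching the peer.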
Fortigate-VM64 # diagnose sniffer packet any 'proto 1' 4 0 a
interfaces=[any]
filters=[proto 1]
2012-09-27 21:50:26.802786 port1 in 192.168.171.215 -> 10.200.1.1: icmp: echo request
2012-09-27 21:50:26.802905 gre1 out 10.100.1.12 -> 10.200.1.1: icmp: echo request
2012-09-27 21:50:26.874895 gre1 in 10.200.1.1 -> 10.100.1.12: icmp: echo reply
2012-09-27 21:50:26.874969 port1 out 10.200.1.1 -> 192.168.171.215: icmp: echo reply
Fortigate-VM64 # diagnose sniffer packet any 'proto 47' 4 0 a
interfaces=[any]
filters=[proto 47]
2012-09-27 21:48:02.140059 vpnGREoverIPSEC in 192.168.152.252 -> 192.168.152.128: ip-proto-47 44
2012-09-27 21:48:07.626742 vpnGREoverIPSEC out 192.168.152.128 -> 192.168.152.252: ip-proto-47 64
2012-09-27 21:48:07.670258 vpnGREoverIPSEC in 192.168.152.252 -> 192.168.152.128: ip-proto-47 64
2012-09-27 21:48:08.628379 vpnGREoverIPSEC out 192.168.152.128 -> 192.168.152.252: ip-proto-47 64