FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rmetzger
Staff
Staff
Article Id 192841

Description


This article describes how to configure and troubleshoot a GRE tunnel between two FortiGates.

Additional information about GRE is available in the related articles at the end of this document or in the FortiGate CLI Reference or Administration guide at http://docs.forticare.com/

Scope


FortiGate or VDOM in NAT mode.

 
Support for GRE tunneling was added in FortiOS 3.0.


Diagram

 

The following topology is used:

PC1(.1) - 10.1.1.0/24-port2-[ FG1 ]-port1-(198.51.100.1) =====
                                                             I
                                            (Internet)       I GRE tunnel
                                                             I
PC2(.2) - 10.2.2.0/24-port2-[ FG2 ]-port1-(203.0.113.2) ====
==       
 
Expectations, Requirements
 

 

- Establish a GRE tunnel between both FortiGates to be able to reach each remote LAN 10.x.x.x.

 

- The GRE interface will remain unnumbered and remote subnets reachable with static routes.


Configuration

 

 

 

CLI configuration of FortiGate 1

# config system interface
   edit "port1"
        set ip 198.51.100.1 255.255.255.0
        set alias Internet
    next
   edit "port2"
        set ip 10.1.1.254 255.255.255.0
        set alias LAN
    next
end
 
# config system gre-tunnel
    edit "toFG2"
        set interface "port1"
        set local-gw 198.51.100.1
        set remote-gw 203.0.113.2
    next
end
 
# config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "toFG2"
            set srcaddr "all" 
            set dstaddr "all" 
        set action accept
        set schedule "always"
            set service "ALL" 
    next
    edit 0
        set srcintf "toFG2"
        set dstintf "port2"
            set srcaddr "all" 
            set dstaddr "all"  
        set action accept
        set schedule "always"
            set service "ALL"  
    next
end

# config router static
    edit 0
        set device "port1"
        set gateway 198.51.100.254
        set comment "default-route to Internet ISP"
    next
    edit 0
        set device "toFG2"
        set dst 10.2.2.0 255.255.255.0
    next
end

 

CLI configuration of FortiGate 2

 


# config system interface
   edit "port1"
        set ip 203.0.113.2 255.255.255.0
        set alias Internet
    next
   edit "port2"
        set ip 10.2.2.254 255.255.255.0
        set alias LAN
    next
end
 
# config system gre-tunnel
    edit "toFG1"
        set interface "port1"
        set local-gw 203.0.113.2
        set remote-gw 198.51.100.1
    next
end

# config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "toFG1"
            set srcaddr "all" 
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ALL" 
    next
    edit 0 
        set srcintf "toFG1"
        set dstintf "port2"
            set srcaddr "all" 
            set dstaddr "all" 
        set action accept
        set schedule "always"
            set service "ALL"   
    next
end

# config router static
    edit 0
        set device "port1"
        set gateway 203.0.113.254
        set comment "default-route to Internet ISP"
    next
    edit 0
        set device "toFG1"
        set dst 10.1.1.0 255.255.255.0
    next
end
 

 

Verification

Routing table of FortiGate 1:

 

# get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 198.51.100.254, port1
C       10.1.1.0/24 is directly connected, port2
S       10.2.2.0/24 [10/0] is directly connected, toFG2
C       198.51.100.0/24 is directly connected, port1

 

 

Routing table of FortiGate 2:

 

 

# get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 203.0.113.254, port1
C       10.2.2.0/24 is directly connected, port2
S       10.1.1.0/24 [10/0] is directly connected, toFG1
C       203.0.113.0/24 is directly connected, port1

 

 

Note: Both routing tables show that the remote subnets 10.x.x.x appear as pseudo-connected (a static route appearing as directly connected and pointing to a local interface instead of a next-hop).

 

Verify the GRE tunnels:

 
 

# diag sys gre list

vd=0 devname=toFG1 devindex=3 ifindex=22
saddr=203.0.113.2 daddr=198.51.100.1 ref=0
key=0/0 flags=0/0

total tunnel = 1

 

 
 
 
# diag netlink interface list | grep -A1 "toFG1"
if=toFG1 family=00 type=778 index=22 mtu=1476 link=0 master=0
ref=12 state=off start fw_flags=0 flags=up p2p run noarp multicast
 
 
 

 

# get system interface

[...]

== [ toFG1 ]
name: toFG1 ip: 0.0.0.0 0.0.0.0   status: up    netbios-forward: disable    type: tunnel   netflow-sampler: disable    sflow-sampler: disable    scan-botnet-connections: disable    explicit-web-proxy: disable    explicit-ftp-proxy: disable    wccp: disable

 

 

 

Troubleshooting

 

While starting a ping from PC1 to PC2, take a sniffer trace on either FortiGate to see if the traffic reaches and is forwarded on all interfaces (see also the related article about using the sniffer on GRE interfaces).

 

# diagnose sniffer packet any "icmp" 4

interfaces=[any]
filters=[icmp]
2.901412 port2 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
2.901429 toFG2 out 10.1.1.1 -> 10.2.2.2: icmp: echo request
2.901954 toFG2 in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
2.901979 port2 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply

 



# diagnose sniffer packet any "icmp" 4

interfaces=[any]
filters=[icmp]
7.241465 toFG1 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
7.241529 port2 out 10.1.1.1 -> 10.2.2.2: icmp: echo request
7.241815 port2 in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
7.241836 toFG1 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply

 

Additional info on GRE offloading  :

 

Use the # diagnose npu np6 npu-feature command to see the NP6 features that are enabled on the FortiGate and those that are not.

 

# diagnose npu np6 npu-feature

                    np_0      np_1     

------------------- --------- ---------

Fastpath            Enabled   Enabled  

HPE-type-shaping    Disabled  Disabled 

Standalone          No        No       

IPv4 firewall       Yes       Yes      

IPv6 firewall       Yes       Yes      

IPv4 IPSec          Yes       Yes      

IPv6 IPSec          Yes       Yes      

IPv4 tunnel         Yes       Yes      

IPv6 tunnel         Yes       Yes      

GRE tunnel          No        No       

GRE passthrough     Yes       Yes      

IPv4 Multicast      Yes       Yes      

IPv6 Multicast      Yes       Yes      

CAPWAP              Yes       Yes      

RDP Offload         Yes       Yes  

 

Some of these parameters are configurable, however, GRE is not one of them. (GRE tunnel cannot be enabled using a CLI command.)

 

GRE tunnel means, FortiGate offloading the GRE tunnel that is terminated on FortiGate.

GRE passthrough means, FortiGate offloading GRE traffic 'flowing' through FortiGate. 

 

Sample GRE tunnel session output :

 

# diagnose sys session list


session info: proto=47 proto_state=00 duration=54 expire=5 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=704/11/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 12/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=31->10/10->31 gwy=10.5.50.36/0.0.0.0
hook=pre dir=org act=noop 10.5.51.89:0->10.5.50.36:0(0.0.0.0:0)
hook=post dir=reply act=noop 10.5.50.36:0->10.5.51.89:0(0.0.0.0:0)
misc=0 policy_id=8 auth_info=0 chk_client_info=0 vd=0
serial=005c9b23 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=00000000
no_ofld_reason: npu-flag-off
total session 1

 

Sample GRE passthrough session output :

 

session info: proto=47 proto_state=00 duration=103 expire=8 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=4488/51/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 43/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=23->10/10->23 gwy=10.5.50.36/0.0.0.0
hook=post dir=org act=snat 3.3.3.3:0->4.4.4.4:0(10.5.51.89:0)
hook=pre dir=reply act=dnat 4.4.4.4:0->10.5.51.89:0(3.3.3.3:0)
misc=0 policy_id=10 auth_info=0 chk_client_info=0 vd=0
serial=005d9f3b tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x000400
npu info: flag=0x81/0x00, offload=8/0, ips_offload=0/0, epid=131/0, ipid=144/0, vlan=0x0000/0x0000
vlifid=144/0, vtag_in=0x0000/0x0000 in_npu=1/0, out_npu=1/0, fwd_en=0/0, qid=2/0
no_ofld_reason:

 

Looking at the outputs, it can be seen that the second session is offloaded.

 

Related Articles:

Technical Note: Restricting the built-in Sniffer to a GRE interface

Technical Note : Configuring OSPF on a GRE tunnel between two FortiGates

Technical Note: Configuring and verifying a GRE over IPsec tunnel

Technical Note: Configuring and verifying a GRE over IPsec tunnel using 'encapsulation gre'