FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rmetzger
Staff
Staff
Purpose
This article describes how to configure and troubleshoot a GRE tunnel between two FortiGates.

Additional information about GRE is available in the related articles at the end of this document or in the FortiGate CLI Reference or Administration guide at http://docs.forticare.com/

Scope
FortiGate or VDOM in NAT mode.

Support for GRE tunneling was added in FortiOS 3.0

Diagram
The following topology is used:

PC1(.1) - 10.1.1.0/24-port2-[ FG1 ]-port1-(198.51.100.1) =====
                                                             I
                                            (Internet)       I GRE tunnel
                                                             I
PC2(.2) - 10.2.2.0/24-port2-[ FG2 ]-port1-(203.0.113.2) ====
==       

Expectations, Requirements
  • Establish a GRE tunnel between both FortiGates to be able to reach each remote LAN 10.x.x.x
  • The GRE interface will remain unnumbered and remote subnets reachable with static routes.

Configuration
CLI configuration of FortiGate 1

config system interface
   edit "port1"
        set ip 198.51.100.1 255.255.255.0
        set alias Internet
    next
   edit "port2"
        set ip 10.1.1.254 255.255.255.0
        set alias LAN
    next
end

config system gre-tunnel
   
edit "toFG2"
        set interface "port1"
        set local-gw 198.51.100.1
        set remote-gw 203.0.113.2
    next
end

config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "toFG2"
            set srcaddr "all" 
            set dstaddr "all" 
        set action accept
        set schedule "always"
            set service "ALL" 
    next
    edit 0
        set srcintf "toFG2"
        set dstintf "port2"
            set srcaddr "all" 
            set dstaddr "all"  
        set action accept
        set schedule "always"
            set service "ALL"  
    next
end

config router static
    edit 0
        set device "port1"
        set gateway 198.51.100.254
        set comment "default-route to Internet ISP"
    next
    edit 0
        set device "toFG2"
        set dst 10.2.2.0 255.255.255.0
    next
end

CLI configuration of FortiGate 2

config system interface
   edit "port1"
        set ip 203.0.113.2 255.255.255.0
        set alias Internet
    next
   edit "port2"
        set ip 10.2.2.254 255.255.255.0
        set alias LAN
    next
end

config system gre-tunnel
    edit "toFG1"
        set interface "port1"
        set local-gw 203.0.113.2
        set remote-gw 198.51.100.1
    next
end

config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "toFG1"
            set srcaddr "all" 
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ALL" 
    next
    edit 0 
        set srcintf "toFG1"
        set dstintf "port2"
            set srcaddr "all" 
            set dstaddr "all" 
        set action accept
        set schedule "always"
            set service "ALL"   
    next
end

config router static
    edit 0
        set device "port1"
        set gateway 203.0.113.254
        set comment "default-route to Internet ISP"
    next
    edit 0
        set device "toFG1"
        set dst 10.1.1.0 255.255.255.0
    next
end


Verification
Routing table of FortiGate 1:

FG1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 198.51.100.254, port1
C
       10.1.1.0/24 is directly connected, port2
S
       10.2.2.0/24 [10/0] is directly connected, toFG2
C
       198.51.100.0/24 is directly connected, port1



Routing table of FortiGate 2:

FG2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*
      0.0.0.0/0 [10/0] via 203.0.113.254, port1
C       10.2.2.0/24 is directly connected, port2
S       10.1.1.0/24 [10/0] is directly connected, toFG1
C
       203.0.113.0/24 is directly connected, port1


Note : Both routing tables show that the remote subnets 10.x.x.x appear as pseudo-connected (a static route appearing as directly connected and pointing to a local interface instead of a next-hop).


Verify the GRE tunnels:

FG2 # diag system gre list
vd=0 devname=toFG1 devindex=3 ifindex=22
saddr=203.0.113.2 daddr=198.51.100.1 ref=0
key=0/0 flags=0/0

total tunnel = 1


FG2 # diag netlink interface list | grep -A1 "toFG1"
if=toFG1 family=00 type=778 index=22 mtu=1476 link=0 master=0
ref=12 state=off start fw_flags=0 flags=up p2p run noarp multicast


FG2 # get system interface
[...]

== [ toFG1 ]
name: toFG1 
ip: 0.0.0.0 0.0.0.0   status: up    netbios-forward: disable    type: tunnel   netflow-sampler: disable    sflow-sampler: disable    scan-botnet-connections: disable    explicit-web-proxy: disable    explicit-ftp-proxy: disable    wccp: disable



Troubleshooting
While starting a ping from PC1 to PC2, take a sniffer trace on either FortiGate to see if the traffic reaches and is forwarded on all interfaces (see also the related article about using the sniffer on GRE interfaces)

FG1 # diagnose sniffer packet any "icmp" 4
interfaces=[any]
filters=[icmp]
2.901412 port2 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
2.901429 toFG2 out 
10.1.1.1 -> 10.2.2.2: icmp: echo request
2.901954 toFG2 in 
10.2.2.2 -> 10.1.1.1: icmp: echo reply
2.901979 port2 out 
10.2.2.2 -> 10.1.1.1: icmp: echo reply


FG2 # diagnose sniffer packet any "icmp" 4
interfaces=[any]
filters=[icmp]
7.241465 toFG1 in 
10.1.1.1 -> 10.2.2.2: icmp: echo request
7.241529 port2 out 
10.1.1.1 -> 10.2.2.2: icmp: echo request
7.241815 port2 in 
10.2.2.2 -> 10.1.1.1: icmp: echo reply
7.241836 toFG1 out 
10.2.2.2 -> 10.1.1.1: icmp: echo reply

Related Articles

Technical Note: Restricting the built-in Sniffer to a GRE interface

Technical Note : Configuring OSPF on a GRE tunnel between two FortiGates

Technical Note: Configuring and verifying a GRE over IPsec tunnel

Technical Note: Configuring and verifying a GRE over IPsec tunnel using 'encapsulation gre'

Contributors