Purpose
This article describes how to configure and troubleshoot a GRE tunnel between two FortiGates.
Additional information about GRE is available in the related articles at the end of this document or in the FortiGate CLI Reference or Administration Guide at http://docs.forticare.com/
Scope
FortiGate or VDOM in NAT mode.
Support for GRE tunneling was added in FortiOS 3.0.
Diagram
The following topology is used:
PC1(.1) - 10.1.1.0/24 - port2 - [ FG1 ] - port1 - (198.51.100.1) =====
                                                                      |
                                                         (Internet)   |  GRE tunnel
                                                                      |
PC2(.2) - 10.2.2.0/24 - port2 - [ FG2 ] - port1 - (203.0.113.2) ======
Expectations, Requirements
- Establish a GRE tunnel between both FortiGates so that each remote LAN (10.x.x.x) is reachable.
- The GRE interfaces remain unnumbered (no IP address); the remote subnets are reached through static routes pointing at the tunnel interface.
Configuration
CLI configuration of FortiGate 1

config system interface
    edit "port1"
        set ip 198.51.100.1 255.255.255.0
        set alias Internet
    next
    edit "port2"
        set ip 10.1.1.254 255.255.255.0
        set alias LAN
    next
end

config system gre-tunnel
    edit "toFG2"
        set interface "port1"
        set local-gw 198.51.100.1
        set remote-gw 203.0.113.2
    next
end

config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "toFG2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "toFG2"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 0
        set device "port1"
        set gateway 198.51.100.254
        set comment "default-route to Internet ISP"
    next
    edit 0
        set device "toFG2"
        set dst 10.2.2.0 255.255.255.0
    next
end
CLI configuration of FortiGate 2

config system interface
    edit "port1"
        set ip 203.0.113.2 255.255.255.0
        set alias Internet
    next
    edit "port2"
        set ip 10.2.2.254 255.255.255.0
        set alias LAN
    next
end

config system gre-tunnel
    edit "toFG1"
        set interface "port1"
        set local-gw 203.0.113.2
        set remote-gw 198.51.100.1
    next
end

config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "toFG1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "toFG1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 0
        set device "port1"
        set gateway 203.0.113.254
        set comment "default-route to Internet ISP"
    next
    edit 0
        set device "toFG1"
        set dst 10.1.1.0 255.255.255.0
    next
end
Verification
Routing table of FortiGate 1:

FG1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 198.51.100.254, port1
C       10.1.1.0/24 is directly connected, port2
S       10.2.2.0/24 [10/0] is directly connected, toFG2
C       198.51.100.0/24 is directly connected, port1
Routing table of FortiGate 2:

FG2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 203.0.113.254, port1
C       10.2.2.0/24 is directly connected, port2
S       10.1.1.0/24 [10/0] is directly connected, toFG1
C       203.0.113.0/24 is directly connected, port1
Note: Both routing tables show the remote 10.x.x.x subnets as pseudo-connected, that is, a static route that appears as directly connected and points to a local interface (the GRE tunnel) instead of a next-hop gateway.
Verify the GRE tunnels:

FG2 # diag system gre list
vd=0 devname=toFG1 devindex=3 ifindex=22 saddr=203.0.113.2 daddr=198.51.100.1 ref=0 key=0/0 flags=0/0
total tunnel = 1

FG2 # diag netlink interface list | grep -A1 "toFG1"
if=toFG1 family=00 type=778 index=22 mtu=1476 link=0 master=0 ref=12 state=off start fw_flags=0
flags=up p2p run noarp multicast

FG2 # get system interface
[...]
== [ toFG1 ]
name: toFG1   ip: 0.0.0.0 0.0.0.0   status: up   netbios-forward: disable   type: tunnel   netflow-sampler: disable   sflow-sampler: disable   scan-botnet-connections: disable   explicit-web-proxy: disable   explicit-ftp-proxy: disable   wccp: disable
Troubleshooting
While a ping is running from PC1 to PC2, take a sniffer trace on either FortiGate to check that the traffic arrives on, and is forwarded out of, all expected interfaces (see also the related article about using the sniffer on a GRE interface).
FG1 # diagnose sniffer packet any "icmp" 4
interfaces=[any]
filters=[icmp]
2.901412 port2 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
2.901429 toFG2 out 10.1.1.1 -> 10.2.2.2: icmp: echo request
2.901954 toFG2 in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
2.901979 port2 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply

FG2 # diagnose sniffer packet any "icmp" 4
interfaces=[any]
filters=[icmp]
7.241465 toFG1 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
7.241529 port2 out 10.1.1.1 -> 10.2.2.2: icmp: echo request
7.241815 port2 in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
7.241836 toFG1 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply
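As an added example (not part of the original article or of FortiOS), the following Python script parses a verbosity-4 sniffer trace like the two above and reports the first expected hop that is missing, so a failing ping can be localized to the LAN-side policy, the route into the tunnel, the remote side, or the return policy. The sample trace, interface names and the four-hop model are taken from the outputs above; the hint texts are the author's own troubleshooting heuristics.

```python
import re

# Constructed sample: the verbosity-4 sniffer output of FG1 shown above,
# one packet per line: timestamp, interface, direction, src -> dst, protocol.
FG1_TRACE = """\
2.901412 port2 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
2.901429 toFG2 out 10.1.1.1 -> 10.2.2.2: icmp: echo request
2.901954 toFG2 in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
2.901979 port2 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)$"
)

# Where to look when a hop is missing, keyed by (direction, kind) of the gap.
# These hints are heuristics written for this example, not FortiOS output.
HINTS = {
    ("in", "request"): "echo request never reached the FortiGate on that interface",
    ("out", "request"): "no route or no firewall policy towards the egress interface",
    ("in", "reply"): "reply never came back: check the peer FortiGate and the underlay",
    ("out", "reply"): "reply not forwarded: check the return firewall policy",
}

def parse_trace(text):
    """Return the ICMP echo hops as (interface, direction, kind) tuples."""
    hops = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hops.append((m["iface"], m["dir"], m["kind"]))
    return hops

def check_gre_path(text, lan_if, tunnel_if, ping_from_lan=True):
    """Check that a ping crosses all four expected hops on this FortiGate.

    ping_from_lan=True models FG1 (request enters on the LAN port and leaves
    via the GRE interface); False models FG2, where the hops are mirrored.
    Returns ("OK", None) or ("FAIL", (missing_hop, hint)).
    """
    first, second = (lan_if, tunnel_if) if ping_from_lan else (tunnel_if, lan_if)
    expected = [
        (first, "in", "request"), (second, "out", "request"),
        (second, "in", "reply"), (first, "out", "reply"),
    ]
    seen = set(parse_trace(text))
    for hop in expected:
        if hop not in seen:
            return ("FAIL", (hop, HINTS[(hop[1], hop[2])]))
    return ("OK", None)
```

Feed the FG2 trace with ping_from_lan=False and lan_if="port2", tunnel_if="toFG1" to check the remote side the same way.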
Related Articles
Technical Note: Restricting the built-in Sniffer to a GRE interface
Technical Note: Configuring OSPF on a GRE tunnel between two FortiGates
Technical Note: Configuring and verifying a GRE over IPsec tunnel
Technical Note: Configuring and verifying a GRE over IPsec tunnel using 'encapsulation gre'