GRE over IPsec (Cisco VPN)

To configure security policies – CLI

config firewall policy
    edit 1 // LAN to GRE tunnel
        set srcintf "port2"
        set dstintf "gre1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2 // GRE tunnel to LAN
        set srcintf "gre1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 3 // GRE tunnel to IPsec interface
        set srcintf "gre1"
        set dstintf "tocisco"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 4 // IPsec interface to GRE tunnel
        set srcintf "tocisco"
        set dstintf "gre1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

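The four policies above form a fixed pattern (LAN to GRE tunnel and back, GRE tunnel to IPsec interface and back), so it is worth checking a FortiGate's policy table against it before blaming the Cisco side. The following is an added Python example, not part of the handbook or of FortiOS: it parses a "config firewall policy" block, reports which required interface pairs have no accepting policy, and flags the LAN-facing policies that still use all/all/ANY (the two tunnel-to-IPsec policies must stay open because they carry the GRE encapsulation itself). The sample configuration is constructed here to mirror the page's policies, and the interface names port2, gre1 and tocisco are taken from the page.

```python
import re

# Constructed sample mirroring the four policies on this page (built here
# so the check runs offline; not the page's own text).
def _policy(pid, src, dst):
    return (f'    edit {pid}\n        set srcintf "{src}"\n        set dstintf "{dst}"\n'
            '        set srcaddr "all"\n        set dstaddr "all"\n        set action accept\n'
            '        set schedule "always"\n        set service "ANY"\n    next\n')

SAMPLE_CONFIG = ("config firewall policy\n"
                 + _policy(1, "port2", "gre1") + _policy(2, "gre1", "port2")
                 + _policy(3, "gre1", "tocisco") + _policy(4, "tocisco", "gre1")
                 + "end\n")

# Interface pairs the design needs: LAN <-> GRE tunnel, GRE tunnel <-> IPsec interface.
REQUIRED_PAIRS = {("port2", "gre1"), ("gre1", "port2"),
                  ("gre1", "tocisco"), ("tocisco", "gre1")}

def parse_policies(text):
    """Parse a 'config firewall policy' block into {policy_id: {key: value}}."""
    policies, current, cur_id = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"edit (\d+)$", line)
        if m:
            cur_id, current = int(m.group(1)), {}
        elif line == "next" and current is not None:
            policies[cur_id], current = current, None
        elif current is not None:
            m = re.match(r"set (\S+) (.+)$", line)
            if m:
                current[m.group(1)] = m.group(2).strip().strip('"')
    return policies

def check_gre_over_ipsec(policies, lan_intf="port2"):
    """Return (missing_pairs, wide_open_lan_policy_ids)."""
    accepting = {(p.get("srcintf"), p.get("dstintf"))
                 for p in policies.values() if p.get("action") == "accept"}
    missing = REQUIRED_PAIRS - accepting
    # Policies between gre1 and tocisco must stay all/all: they carry the GRE
    # packets themselves. LAN-facing policies can be narrowed to the real
    # subnets on both ends of the tunnel, so report them when still wide open.
    wide_open = sorted(pid for pid, p in policies.items()
                       if lan_intf in (p.get("srcintf"), p.get("dstintf"))
                       and p.get("srcaddr") == "all" and p.get("dstaddr") == "all"
                       and p.get("service") == "ANY")
    return missing, wide_open
```

Running it on the page's own policy set reports no missing pairs and flags policies 1 and 2 as candidates for tightening.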
Configuring routing

Traffic destined for the network behind the Cisco router must be routed to the GRE tunnel. To do this, create a static route:

1. Go to Network > Static Routes and select Create New.

2. Enter the following information and select OK.

 

Destination IP/Mask: Enter the IP address and netmask for the network behind the Cisco router. For example, 10.21.101.0 255.255.255.0.

Device: Select the GRE virtual interface.

Distance (Advanced): Leave the setting at its default value.

In the CLI, using the example values, you would enter:

config router static
    edit 0
        set device "gre1"
        set dst 10.21.101.0 255.255.255.0
    next
end

Configuring the Cisco router

Using Cisco IOS, you would configure the Cisco router as follows, using the addresses from the example:

configure terminal

crypto ipsec transform-set myset esp-3des esp-md5-hmac
 no mode
 exit

no ip access-list extended tunnel
ip access-list extended tunnel
 permit gre host 192.168.5.113 host 172.20.120.141
 exit

interface Tunnel1
 ip address 10.0.1.2 255.255.255.0
 tunnel source 192.168.5.113
 tunnel destination 172.20.120.141
!
ip route 10.11.101.0 255.255.255.0 Tunnel1
end

clear crypto sa
clear crypto isakmp

For transport mode, change "no mode" to "mode transport". Note that the access list only permits GRE between the two tunnel endpoints (192.168.5.113 and 172.20.120.141), so the traffic selected for IPsec protection is exactly the GRE-encapsulated traffic; the FortiGate policies between gre1 and tocisco must match the same pair of endpoints.

This is only the portion of the Cisco router configuration that applies to the GRE-over-IPsec tunnel. For more information, refer to the Cisco documentation.

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
