GRE over IPsec (Cisco VPN)

GRE over IPsec (Cisco VPN)

This section describes how to configure a FortiGate VPN that is compatible with Cisco-style VPNs that use GRE in an IPsec tunnel.

The following topics are included in this section:

Configuration overview

Configuring the Cisco router

Keep-alive support for GRE

Cisco products that include VPN support often use Generic Routing Encapsulation (GRE) protocol tunnel over IPsec encryption. This chapter describes how to configure a FortiGate unit to work with this type of Cisco VPN.

Cisco VPNs can use either transport mode or tunnel mode IPsec. Before FortiOS 4.0 MR2, the FortiGate unit was compatible only with tunnel mode IPsec.

Example FortiGate to Cisco GRE-over-IPsec VPN

In this example, users on LAN1 are provided access to LAN2.

Configuration overview

The following section consists of configuring the FortiGate unit and configuring the Cisco router.

Configuring the FortiGate unit

There are several steps to the GRE-over-IPsec configuration:

  • Enable overlapping subnets. This is needed because the IPsec and GRE tunnels will use the same addresses. l Configure a route-based IPsec VPN on the external interface.
  • Configure a GRE tunnel on the virtual IPsec interface. Set its local gateway and remote gateway addresses to match the local and remote gateways of the IPsec tunnel.
  • Configure security policies to allow traffic to pass in both directions between the GRE virtual interface and the IPsec virtual interface.
  • Configure security policies to allow traffic to pass in both directions between the protected network interface and the GRE virtual interface.
  • Configure a static route to direct traffic destined for the network behind the Cisco router into the GRE-over-IPsec tunnel.

Enabling overlapping subnets

By default, each FortiGate unit network interface must be on a separate network. The configuration described in this chapter assigns an IPsec tunnel end point and the external interface to the same network. Enable subnet overlap as follows:

config system settings set allow-subnet-overlap enable

end

Configuring the IPsec VPN

A route-based VPN is required. It must use encryption and authentication algorithms compatible with the Cisco equipment to which it connects. In this chapter, preshared key authentication is shown.

Configuring the IPsec VPN – web-based manager
  1. Define the Phase 1 configuration needed to establish a secure connection with the remote Cisco device. Enter these settings in particular:
Name Enter a name to identify the VPN tunnel, tocisco for example. This is the name of the virtual IPsec interface. It appears in Phase 2 configurations, security policies and the VPN monitor.
Remote Gateway Select Static IP Address.
IP Address Enter the IP address of the Cisco device public interface. For example, 192.168.5.113.

Configuration overview

Local Interface Select the FortiGate unit’s public interface. For example, 172.20.120.141.
Mode Select Main (ID Protection).
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key. It must match the preshared key on the Cisco device.
Advanced Select the Advanced button to see the following settings.
Phase 1 Proposal 3DES-MD5

At least one proposal must match the settings on the Cisco unit.

For more information about these settings, see Phase 1 parameters on page 46.

  1. Define the Phase 2 parameters needed to create a VPN tunnel with the remote peer. For compatibility with the Cisco router, Quick Mode Selectors must be entered, which includes specifying protocol 47, the GRE protocol. Enter these settings in particular:
Phase 2 Proposal 3DES-MD5

At least one proposal must match the settings on the Cisco unit.

Quick Mode Selector  
Source Address Enter the GRE local tunnel end IP address.

For example 172.20.120.141.

Source Port 0
Destination Address Enter the GRE remote tunnel end IP address.

For example 192.168.5.113.

Destination Port 0
Protocol 47

For more information about these settings, see Phase 2 parameters on page 66.

  1. If the Cisco device is configured to use transport mode IPsec, you need to use transport mode on the FortiGate VPN. You can configure this only in the CLI. In your Phase 2 configuration, set encapsulation to transport-mode as follows:

config vpn phase2-interface edit to_cisco_p2 set encapsulation transport-mode

end

Configuring the IPsec VPN – CLI

config vpn ipsec phase1-interface edit tocisco

set interface port1 set proposal 3des-sha1 aes128-sha1 set remote-gw 192.168.5.113 set psksecret xxxxxxxxxxxxxxxx

end

config vpn ipsec phase2-interface edit tocisco_p2 set phase1name “tocisco” set proposal 3des-md5 set encapsulation tunnel-mode // if tunnel mode set encapsulation transport-mode // if transport mode

set protocol 47 set src-addr-type ip set dst-start-ip 192.168.5.113 set src-start-ip 172.20.120.141

end

Adding IPsec tunnel end addresses

The Cisco configuration requires an address for its end of the IPsec tunnel. The addresses are set to match the GRE gateway addresses. Use the CLI to set the addresses, like this:

config system interface edit tocisco set ip 172.20.120.141 255.255.255.255 set remote-ip 192.168.5.113

end

Configuring the GRE tunnel

The GRE tunnel runs between the virtual IPsec public interface on the FortiGate unit and the Cisco router. You must use the CLI to configure a GRE tunnel. In the example, you would enter:

config system gre-tunnel edit gre1 set interface tocisco set local-gw 172.20.120.141 set remote-gw 192.168.5.113

end

interface is the virtual IPsec interface, local-gw is the FortiGate unit public IP address, and remote-gw is the remote Cisco device public IP address

Adding GRE tunnel end addresses

You will also need to add tunnel end addresses. The Cisco router configuration requires an address for its end of the GRE tunnel. Using the CLI, enter tunnel end addresses that are not used elsewhere on the FortiGate unit, like this:

config system interface edit gre1 set ip 10.0.1.1 255.255.255.255 set remote-ip 10.0.1.2

end

Configuring security policies

Two sets of security policies are required:

Configuration overview

  • Policies to allow traffic to pass in both directions between the GRE virtual interface and the IPsec virtual interface.
  • Policies to allow traffic to pass in both directions between the protected network interface and the GRE virtual interface.
Configuring security policies – web-based manager
  1. Define an ACCEPT firewall security policy to permit communications between the protected network and the GRE tunnel:
Incoming Interface Select the interface that connects to the private network behind this FortiGate unit.
Source Address All
Outgoing Interface Select the GRE tunnel virtual interface you configured.
Destination Address All
Action ACCEPT
Enable NAT Disable
  1. To permit the remote client to initiate communication, you need to define a firewall address security policy for communication in that direction:
Incoming Interface Select the GRE tunnel virtual interface you configured.
Source Address All
Outgoing Interface Select the interface that connects to the private network behind this FortiGate unit.
Destination Address All
Action ACCEPT
Enable NAT Disable
  1. Define a pair of ACCEPT firewall address security policies to permit traffic to flow between the GRE virtual interface and the IPsec virtual interface:
Incoming Interface Select the GRE virtual interface. See Configuring the GRE tunnel on page 190.
Source Address All
Outgoing Interface Select the virtual IPsec interface you created. See Configuring the IPsec VPN on page 188.
Destination Address All
Action ACCEPT
Enable NAT Disable
Incoming Interface Select the virtual IPsec interface you created. See Configuring the IPsec VPN on page 188.
Source Address All
Outgoing Interface Select the GRE virtual interface.See Configuring the GRE tunnel on page 190.
Destination Address All
Action ACCEPT
Enable NAT Disable
Configuring security policies – CLI

config firewall policy edit 1 // LAN to GRE tunnel set srcintf port2 set dstintf gre1 set srcaddr all set dstaddr all set action accept set schedule always set service ANY

next edit 2 // GRE tunnel to LAN set srcintf gre1 set dstintf port2 set srcaddr all set dstaddr all set action accept set schedule always set service ANY

next edit 3 // GRE tunnel to IPsec interface

set srcintf “gre1” set dstintf “tocisco” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ANY”

next edit 4 // IPsec interface to GRE tunnel

set srcintf “tocisco” set dstintf “gre1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ANY” end

Configuring the Cisco router

Configuring routing

Traffic destined for the network behind the Cisco router must be routed to the GRE tunnel. To do this, create a static route

  1. Go to Network > Static Routes and select Create New.
  2. Enter the following information and select OK.
Destination IP/Mask Enter the IP address and netmask for the network behind the Cisco router. For example 10.21.101.0 255.255.255.0.
Device Select the GRE virtual interface.
Distance (Advanced) Leave setting at default value.

In the CLI, using the example values, you would enter

config router static edit 0 set device gre1

set dst 10.21.101.0 255.255.255.0

end

Changing GRE over GRE tunnel interface attributes

Administrators can change GRE over GRE tunnel attributes, such as assigning an IP address for a specific configuration application, even if the child interface is not an IPsec tunnel interface.

IPv6 support for GRE tunnels

Support is provided for GRE tunnel termination using IPv6 addresses on both ends of the tunnel (similar to IPv4 functionality).

Syntax

config system gre-tunnel edit <name> set ip-version 6 set remote-gw6 11:1:1::1 set local-gw6 11:1:1::2 …

next

end

Configuring the Cisco router

Using Cisco IOS, you would configure the Cisco router as follows, using the addresses from the example:

config ter crypto ipsec transform-set myset esp-3des esp-md5-hmac no mode exit

no ip access-list extended tunnel

 

Keep-alive support for GRE

ip access-list extended tunnel

permit gre host 192.168.5.113 host 172.20.120.141 exit interface Tunnel1 ip address 10.0.1.2 255.255.255.0 tunnel source 192.168.5.113 tunnel destination 172.20.120.141 ! ip route 10.11.101.0 255.255.255.0 Tunnel1 end clea crypto sa clea crypto isakmp

For transport mode, change no mode to mode transport.

This is only the portion of the Cisco router configuration that applies to the GRE-over-IPsec tunnel. For more information, refer to the Cisco documentation.

Keep-alive support for GRE

The FortiGate can send a GRE keep-alive response to a Cisco device to detect a GRE tunnel. If it fails, it will remove any routes over the GRE interface.

Syntax

config system gre-tunnel edit <id> set keepalive-interval <value: 0-32767> set keepalive-failtimes <value: 1-255>

next end

This entry was posted in Administration Guides, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “GRE over IPsec (Cisco VPN)

  1. djelouah mohamed

    hi ,am doing so sites to sites ipsec vpn i have multiple cisco routers connecting to fortigate in our HQ when using ospf or bgp from my HQ i can ping only one site but from the remote sites i can ping the HQ i wanna know why is that

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.