GRE over IPsec (Cisco VPN)
This section describes how to configure a FortiGate VPN that is compatible with Cisco-style VPNs that use GRE in an IPsec tunnel.
The following topics are included in this section:
Configuration overview
Configuring the Cisco router
Keep-alive support for GRE
Cisco products that include VPN support often use Generic Routing Encapsulation (GRE) protocol tunnel over IPsec encryption. This chapter describes how to configure a FortiGate unit to work with this type of Cisco VPN.
Cisco VPNs can use either transport mode or tunnel mode IPsec. Before FortiOS 4.0 MR2, the FortiGate unit was compatible only with tunnel mode IPsec.
Example FortiGate to Cisco GRE-over-IPsec VPN
In this example, users on LAN1 are provided access to LAN2.
Configuration overview
The following section consists of configuring the FortiGate unit and configuring the Cisco router.
Configuring the FortiGate unit
There are several steps to the GRE-over-IPsec configuration:
- Enable overlapping subnets. This is needed because the IPsec and GRE tunnels will use the same addresses. l Configure a route-based IPsec VPN on the external interface.
- Configure a GRE tunnel on the virtual IPsec interface. Set its local gateway and remote gateway addresses to match the local and remote gateways of the IPsec tunnel.
- Configure security policies to allow traffic to pass in both directions between the GRE virtual interface and the IPsec virtual interface.
- Configure security policies to allow traffic to pass in both directions between the protected network interface and the GRE virtual interface.
- Configure a static route to direct traffic destined for the network behind the Cisco router into the GRE-over-IPsec tunnel.
Enabling overlapping subnets
By default, each FortiGate unit network interface must be on a separate network. The configuration described in this chapter assigns an IPsec tunnel end point and the external interface to the same network. Enable subnet overlap as follows:
config system settings set allow-subnet-overlap enable
end
Configuring the IPsec VPN
A route-based VPN is required. It must use encryption and authentication algorithms compatible with the Cisco equipment to which it connects. In this chapter, preshared key authentication is shown.
Configuring the IPsec VPN – web-based manager
- Define the Phase 1 configuration needed to establish a secure connection with the remote Cisco device. Enter these settings in particular:
Name | Enter a name to identify the VPN tunnel, tocisco for example. This is the name of the virtual IPsec interface. It appears in Phase 2 configurations, security policies and the VPN monitor. |
Remote Gateway | Select Static IP Address. |
IP Address | Enter the IP address of the Cisco device public interface. For example, 192.168.5.113. |
Configuration overview
Local Interface | Select the FortiGate unit’s public interface. For example, 172.20.120.141. |
Mode | Select Main (ID Protection). |
Authentication Method | Preshared Key |
Pre-shared Key | Enter the preshared key. It must match the preshared key on the Cisco device. |
Advanced | Select the Advanced button to see the following settings. |
Phase 1 Proposal | 3DES-MD5
At least one proposal must match the settings on the Cisco unit. |
For more information about these settings, see Phase 1 parameters on page 46.
- Define the Phase 2 parameters needed to create a VPN tunnel with the remote peer. For compatibility with the Cisco router, Quick Mode Selectors must be entered, which includes specifying protocol 47, the GRE protocol. Enter these settings in particular:
Phase 2 Proposal | 3DES-MD5
At least one proposal must match the settings on the Cisco unit. |
Quick Mode Selector | |
Source Address | Enter the GRE local tunnel end IP address.
For example 172.20.120.141. |
Source Port | 0 |
Destination Address | Enter the GRE remote tunnel end IP address.
For example 192.168.5.113. |
Destination Port | 0 |
Protocol | 47 |
For more information about these settings, see Phase 2 parameters on page 66.
- If the Cisco device is configured to use transport mode IPsec, you need to use transport mode on the FortiGate VPN. You can configure this only in the CLI. In your Phase 2 configuration, set encapsulation to transport-mode as follows:
config vpn phase2-interface edit to_cisco_p2 set encapsulation transport-mode
end
Configuring the IPsec VPN – CLI
config vpn ipsec phase1-interface edit tocisco
set interface port1 set proposal 3des-sha1 aes128-sha1 set remote-gw 192.168.5.113 set psksecret xxxxxxxxxxxxxxxx
end
config vpn ipsec phase2-interface edit tocisco_p2 set phase1name “tocisco” set proposal 3des-md5 set encapsulation tunnel-mode // if tunnel mode set encapsulation transport-mode // if transport mode
set protocol 47 set src-addr-type ip set dst-start-ip 192.168.5.113 set src-start-ip 172.20.120.141
end
Adding IPsec tunnel end addresses
The Cisco configuration requires an address for its end of the IPsec tunnel. The addresses are set to match the GRE gateway addresses. Use the CLI to set the addresses, like this:
config system interface edit tocisco set ip 172.20.120.141 255.255.255.255 set remote-ip 192.168.5.113
end
Configuring the GRE tunnel
The GRE tunnel runs between the virtual IPsec public interface on the FortiGate unit and the Cisco router. You must use the CLI to configure a GRE tunnel. In the example, you would enter:
config system gre-tunnel edit gre1 set interface tocisco set local-gw 172.20.120.141 set remote-gw 192.168.5.113
end
interface is the virtual IPsec interface, local-gw is the FortiGate unit public IP address, and remote-gw is the remote Cisco device public IP address
Adding GRE tunnel end addresses
You will also need to add tunnel end addresses. The Cisco router configuration requires an address for its end of the GRE tunnel. Using the CLI, enter tunnel end addresses that are not used elsewhere on the FortiGate unit, like this:
config system interface edit gre1 set ip 10.0.1.1 255.255.255.255 set remote-ip 10.0.1.2
end
Configuring security policies
Two sets of security policies are required:
Configuration overview
- Policies to allow traffic to pass in both directions between the GRE virtual interface and the IPsec virtual interface.
- Policies to allow traffic to pass in both directions between the protected network interface and the GRE virtual interface.
Configuring security policies – web-based manager
- Define an ACCEPT firewall security policy to permit communications between the protected network and the GRE tunnel:
Incoming Interface | Select the interface that connects to the private network behind this FortiGate unit. |
Source Address | All |
Outgoing Interface | Select the GRE tunnel virtual interface you configured. |
Destination Address | All |
Action | ACCEPT |
Enable NAT | Disable |
- To permit the remote client to initiate communication, you need to define a firewall address security policy for communication in that direction:
Incoming Interface | Select the GRE tunnel virtual interface you configured. |
Source Address | All |
Outgoing Interface | Select the interface that connects to the private network behind this FortiGate unit. |
Destination Address | All |
Action | ACCEPT |
Enable NAT | Disable |
- Define a pair of ACCEPT firewall address security policies to permit traffic to flow between the GRE virtual interface and the IPsec virtual interface:
Incoming Interface | Select the GRE virtual interface. See Configuring the GRE tunnel on page 190. |
Source Address | All |
Outgoing Interface | Select the virtual IPsec interface you created. See Configuring the IPsec VPN on page 188. |
Destination Address | All |
Action | ACCEPT |
Enable NAT | Disable |
Incoming Interface | Select the virtual IPsec interface you created. See Configuring the IPsec VPN on page 188. |
Source Address | All |
Outgoing Interface | Select the GRE virtual interface.See Configuring the GRE tunnel on page 190. |
Destination Address | All |
Action | ACCEPT |
Enable NAT | Disable |
Configuring security policies – CLI
config firewall policy edit 1 // LAN to GRE tunnel set srcintf port2 set dstintf gre1 set srcaddr all set dstaddr all set action accept set schedule always set service ANY
next edit 2 // GRE tunnel to LAN set srcintf gre1 set dstintf port2 set srcaddr all set dstaddr all set action accept set schedule always set service ANY
next edit 3 // GRE tunnel to IPsec interface
set srcintf “gre1” set dstintf “tocisco” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ANY”
next edit 4 // IPsec interface to GRE tunnel
set srcintf “tocisco” set dstintf “gre1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ANY” end
Configuring the Cisco router
Configuring routing
Traffic destined for the network behind the Cisco router must be routed to the GRE tunnel. To do this, create a static route
- Go to Network > Static Routes and select Create New.
- Enter the following information and select OK.
Destination IP/Mask | Enter the IP address and netmask for the network behind the Cisco router. For example 10.21.101.0 255.255.255.0. |
Device | Select the GRE virtual interface. |
Distance (Advanced) | Leave setting at default value. |
In the CLI, using the example values, you would enter
config router static edit 0 set device gre1
set dst 10.21.101.0 255.255.255.0
end
Changing GRE over GRE tunnel interface attributes
Administrators can change GRE over GRE tunnel attributes, such as assigning an IP address for a specific configuration application, even if the child interface is not an IPsec tunnel interface.
IPv6 support for GRE tunnels
Support is provided for GRE tunnel termination using IPv6 addresses on both ends of the tunnel (similar to IPv4 functionality).
Syntax
config system gre-tunnel edit <name> set ip-version 6 set remote-gw6 11:1:1::1 set local-gw6 11:1:1::2 …
next
end
Configuring the Cisco router
Using Cisco IOS, you would configure the Cisco router as follows, using the addresses from the example:
config ter crypto ipsec transform-set myset esp-3des esp-md5-hmac no mode exit
no ip access-list extended tunnel
Keep-alive support for GRE
ip access-list extended tunnel
permit gre host 192.168.5.113 host 172.20.120.141 exit interface Tunnel1 ip address 10.0.1.2 255.255.255.0 tunnel source 192.168.5.113 tunnel destination 172.20.120.141 ! ip route 10.11.101.0 255.255.255.0 Tunnel1 end clea crypto sa clea crypto isakmp
For transport mode, change no mode to mode transport.
This is only the portion of the Cisco router configuration that applies to the GRE-over-IPsec tunnel. For more information, refer to the Cisco documentation.
Keep-alive support for GRE
The FortiGate can send a GRE keep-alive response to a Cisco device to detect a GRE tunnel. If it fails, it will remove any routes over the GRE interface.
Syntax
config system gre-tunnel edit <id> set keepalive-interval <value: 0-32767> set keepalive-failtimes <value: 1-255>
next end
hi ,am doing so sites to sites ipsec vpn i have multiple cisco routers connecting to fortigate in our HQ when using ospf or bgp from my HQ i can ping only one site but from the remote sites i can ping the HQ i wanna know why is that