Create a GRE Tunnel

End-of-Life (EoL)

Create a Generic Routing Encapsulation (GRE) tunnel to connect two endpoints in a point-to-point, logical link. GRE only encapsulates traffic; it does not encrypt or authenticate it, so treat the tunnel as a routing construct and rely on the Security Zone you assign to the tunnel interface, together with your security policy, to control what is allowed to cross it.
  1. Create a tunnel interface.
    1. Select Network > Interfaces > Tunnel.
    2. Add a tunnel and enter the tunnel Interface Name followed by a period and a number (range is 1 to 9,999). For example, tunnel.1.
    3. On the Config tab, assign the tunnel interface to a Virtual Router.
    4. Assign the tunnel interface to a Virtual System if the firewall supports multiple virtual systems.
    5. Assign the tunnel interface to a Security Zone.
    6. Assign an IP address to the tunnel interface. (You must assign an IP address if you want to route to this tunnel or monitor the tunnel endpoint.) Select IPv4 or IPv6, or configure both.
       This address and the corresponding address of the tunnel interface on the peer should be on the same subnet because it is a point-to-point, logical link.
       • (IPv4 only) On the IPv4 tab, Add an IPv4 address, select an address object, or click New Address, specify the Type of address, and enter it. For example, enter 192.168.2.1/25.
       • (IPv6 only) On the IPv6 tab, Enable IPv6 on the interface.
         1. For Interface ID, select EUI-64 (default 64-bit Extended Unique Identifier).
         2. Add a new Address, select an IPv6 address object, or click New Address and specify an address Name.
         3. Select the Type of address, enter the IPv6 address or FQDN, and click OK to save the new address.
         4. Select Enable address on interface and click OK.
    7. Click OK.
  2. Create a GRE tunnel to force packets to traverse a specific point-to-point path.
    1. Select Network > GRE Tunnels and Add a tunnel by Name.
    2. Select the Interface to use as the local GRE tunnel endpoint (source interface), which can be an Ethernet interface or subinterface, an Aggregate Ethernet (AE) interface, a loopback interface, or a VLAN interface.
    3. Set the Local Address to IP and select the IP address of the interface you just selected.
    4. Enter the Peer Address, which is the IP address of the opposite endpoint of the GRE tunnel.
    5. Select the Tunnel Interface that you created in Step 1. (This identifies the tunnel when it is the egress Interface for routing.)
    6. Enter the TTL for the outer IP header of the GRE-encapsulated packet (range is 1 to 255; default is 64).
    7. Select Copy ToS Header to copy the Type of Service (ToS) field from the inner IP header to the outer IP header of the encapsulated packets, preserving the original ToS information. Select this option if your network uses QoS and depends on the ToS bits to enforce QoS policies.
  3. (Best Practice) Enable the Keep Alive function for the GRE tunnel.
     If Keep Alive is enabled, by default it takes three unreturned keepalive packets (Retries) at 10-second intervals for the GRE tunnel to go down, and five successful Hold Timer intervals at 10-second intervals for the GRE tunnel to come back up.
    1. Select Keep Alive to enable the keepalive function for the GRE tunnel (default is disabled).
    2. (Optional) Set the Interval (sec) between keepalive packets that the local end of the GRE tunnel sends to the tunnel peer. This interval, multiplied by the Hold Timer, is also the length of time the firewall must see successful keepalive packets before the GRE tunnel comes back up (range is 1 to 50; default is 10). Too small an interval sends many keepalive packets that may be unnecessary in your environment and cost extra bandwidth and processing; too large an interval can delay failover because error conditions are not identified immediately.
    3. (Optional) Enter the Retry setting, which is the number of intervals that keepalive packets are not returned before the firewall considers the tunnel peer down (range is 1 to 255; default is 3). When the tunnel is down, the firewall removes routes associated with the tunnel from the forwarding table. A retry count greater than 1 avoids acting on a tunnel that is not really down because a single keepalive was lost.
    4. (Optional) Set the Hold Timer, which is the number of Intervals during which keepalive packets must be successful before the firewall re-establishes communication with the tunnel peer (range is 1 to 64; default is 5).
  4. Click OK.
  5. Configure a routing protocol or static route to route traffic to the destination by way of the GRE tunnel. For example, Configure a Static Route to the network of the destination server and specify the egress Interface to be the local tunnel endpoint (tunnel.1). Configure the Next Hop to be the IP address of the tunnel interface at the opposite end. For example, 192.168.2.3.
  6. Commit your changes.
  7. Configure the opposite end of the tunnel with its own public (tunnel source) IP address, its local and peer IP addresses (which correspond to the peer and local IP addresses, respectively, of the GRE tunnel on the firewall), and its routing protocol or static route.
  8. Verify that the firewall can communicate with the tunnel peer over the GRE tunnel. From the CLI, ping the peer's tunnel interface address, sourced from the local tunnel interface address:
     > ping source 192.168.2.1 host 192.168.2.3
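The TTL and Copy ToS Header settings in Step 2 and the Keep Alive counters in Step 3 describe behaviour that is easier to see on the wire and on a timeline than in the GUI. The following is an added example, not PAN-OS code and not part of the original page: it builds a GRE-encapsulated IPv4 packet the way the firewall's settings shape it (outer TTL, outer ToS copied from the inner header or not), decapsulates it again to show that the inner packet travels in cleartext, and models the Retry/Hold Timer logic that takes the tunnel down and brings it back up. The addresses, the sample inner packet, and the function and class names (gre_encapsulate, gre_decapsulate, GreKeepalive) are constructed for illustration.

```python
"""Added example (not PAN-OS code): GRE encapsulation per the page's TTL / Copy ToS
settings, and a model of the Keep Alive Interval / Retry / Hold Timer counters.
All addresses, names and sample data below are constructed for illustration."""
import socket
import struct
from dataclasses import dataclass, field

GRE_PROTO = 47            # IP protocol number carried in the outer header (RFC 2784)
ETHERTYPE_IPV4 = 0x0800   # GRE Protocol Type for an inner IPv4 packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header; returns 0 when the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, tos: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # fill checksum field
    return hdr + payload


def gre_encapsulate(inner: bytes, local: str, peer: str, ttl: int = 64, copy_tos: bool = False) -> bytes:
    """Outer IPv4 (Local Address -> Peer Address) + 4-byte GRE header + inner packet.
    ttl      is the page's TTL setting; it lands in the outer header (default 64).
    copy_tos is the page's Copy ToS Header option: outer ToS := inner ToS, otherwise 0."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S flags, GRE version 0
    outer_tos = inner[1] if copy_tos else 0           # byte 1 of the inner header is its ToS
    return build_ipv4(local, peer, GRE_PROTO, gre_hdr + inner, ttl=ttl, tos=outer_tos)


def gre_decapsulate(outer: bytes) -> tuple:
    """Parse outer IPv4 + basic GRE header and return (outer fields, inner packet).
    Anyone on the path can do this: GRE adds no confidentiality or authentication."""
    ver_ihl, tos, total_len, _, _, ttl, proto = struct.unpack("!BBHHHBB", outer[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    flags, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags & 0xB000:        # C, K or S bit set: optional fields follow, not handled here
        raise ValueError("GRE checksum/key/sequence fields not supported")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("inner protocol is not IPv4")
    fields = {"src": socket.inet_ntoa(outer[12:16]), "dst": socket.inet_ntoa(outer[16:20]),
              "ttl": ttl, "tos": tos}
    return fields, outer[ihl + 4:total_len]


@dataclass
class GreKeepalive:
    """Model of the page's Keep Alive semantics. Each tick() is one Interval:
    `retry` consecutive unanswered intervals take the tunnel down (routes withdrawn);
    `hold_timer` consecutive answered intervals bring it back up."""
    interval: int = 10
    retry: int = 3
    hold_timer: int = 5
    up: bool = True
    misses: int = 0
    successes: int = 0
    events: list = field(default_factory=list)

    def tick(self, reply_received: bool) -> bool:
        """Process one keepalive interval; return whether the tunnel is up afterwards."""
        if reply_received:
            self.misses = 0
            if not self.up:
                self.successes += 1
                if self.successes >= self.hold_timer:
                    self.up, self.successes = True, 0
                    self.events.append("up")
        else:
            self.successes = 0          # a miss restarts the Hold Timer count
            if self.up:
                self.misses += 1
                if self.misses >= self.retry:
                    self.up, self.misses = False, 0
                    self.events.append("down")   # firewall withdraws the tunnel's routes here
        return self.up

    def seconds_to_failover(self) -> int:
        return self.retry * self.interval

    def seconds_to_recover(self) -> int:
        return self.hold_timer * self.interval
```

With the defaults, GreKeepalive().seconds_to_failover() is 30 and seconds_to_recover() is 50, the "three retries" and "five hold intervals" at 10 seconds that the step describes; shortening the Interval trades keepalive traffic for faster failover, exactly the tradeoff in Step 3.2. The decapsulation path makes the caveat concrete: the inner packet is recovered byte for byte from the outer one with no key, which is why the Security Zone on tunnel.1 and the policy applied to it, not the tunnel itself, are the control.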
