Create a GRE Tunnel
Create a Generic Routing Encapsulation (GRE) tunnel to connect two endpoints in a point-to-point, logical link.
- Create a tunnel interface.
- Adda tunnel and enter the tunnelInterface Namefollowed by a period and a number (range is 1 to 9,999). For example,tunnel.1.
- On theConfigtab, assign the tunnel interface to aVirtual Router.
- Assign the tunnel interface to aVirtual Systemif the firewall supports multiple virtual systems.
- Assign the tunnel interface to aSecurity Zone.
- Assign an IP address to the tunnel interface. (You must assign an IP address if you want to route to this tunnel or monitor the tunnel endpoint.) SelectIPv4orIPv6or configure both.This address and the corresponding address of the tunnel interface of the peer should be on the same subnet because it is a point-to-point, logical link.
- (IPv4 only) On theIPv4tab,Addan IPv4 address, select an address object, or clickNew Addressand specify theTypeof address and enter it. For example, enter192.168.2.1/25.
- (IPv6 only) On theIPv6tab,Enable IPv6 on the interface.
- ForInterface ID, selectEUI-64 (default 64-bit Extended Unique Identifier).
- Adda newAddress, select an IPv6 address object, or clickNew Addressand specify an addressName.Enable address on interfaceand clickOK.
- SelectTypeof address and enter the IPv6 address or FQDN and clickOKto save the new address.
- SelectEnable address on interfaceand clickOK.
- Create a GRE tunnel to force packets to traverse a specific point-to-point path.
- SelectandNetworkGRE TunnelsAdda tunnel byName.
- Select theInterfaceto use as the local GRE tunnel endpoint (source interface), which is an Ethernet interface or subinterface, an Aggregate Ethernet (AE) interface, a loopback interface, or a VLAN interface.
- Select theLocal Addressto beIPand select the IP address of the interface you just selected.
- Enter thePeer Address, which is the IP address of the opposite endpoint of the GRE tunnel.
- Select theTunnel Interfacethat you created in Step 1. (This identifies the tunnel when it is the egressInterfacefor routing.)
- Enter theTTLfor the IP packet encapsulated in the GRE packet (range is 1 to 255; default is 64).
- SelectCopy ToS Headerto copy the Type of Service (ToS) field from the inner IP header to the outer IP header of the encapsulated packets to preserve the original ToS information. Select this option if your network uses QoS and depends on the ToS bits for enforcing QoS policies.
- (Best Practice) Enable the Keep Alive function for the GRE tunnel.If Keep Alive is enabled, by default it takes three unreturned keepalive packets (Retries) at 10-second intervals for the GRE tunnel to go down and it takes five Hold Timer intervals at 10-second intervals for the GRE tunnel to come back up.
- SelectKeep Aliveto enable the keepalive function for the GRE tunnel (default is disabled).
- (Optional) Set theInterval (sec)(in seconds) between keepalive packets that the local end of the GRE tunnel sends to the tunnel peer. This is also the interval that, when multiplied by theHold Timer, is the length of time that the firewall must see successful keepalive packets before the GRE tunnel comes back up (range is 1 to 50; default is 10). Setting an interval too small will cause many keepalive packets that might be unnecessary in your environment and will require extra bandwidth and processing. Setting an interval too large can delay failover because error conditions might not be identified immediately.
- (Optional) Enter theRetrysetting, which is the number of intervals that keepalive packets are not returned before the firewall considers the tunnel peer down (range is 1 to 255; default is 3). When the tunnel is down, the firewall removes routes associated with the tunnel from the forwarding table. Configuring a retry setting helps avoid taking measures on a tunnel that is not really down.
- (Optional) Set theHold Timer, which is the number ofIntervalsthat keepalive packets are successful, after which the firewall re-establishes communication with the tunnel peer (range is 1 to 64; default is 5).
- Configure a routing protocol or static route to route traffic to the destination by way of the GRE tunnel. For example, Configure a Static Route to the network of the destination server and specify the egressInterfaceto be the local tunnel endpoint (tunnel.1). Configure the Next Hop to be the IP address of the tunnel at the opposite end. For example, 192.168.2.3.
- Commityour changes.
- Configure the opposite end of the tunnel with its public IP address, its local and peer IP addresses (that correspond to the peer and local IP addresses, respectively, of the GRE tunnel on the firewall), and its routing protocol or static route.
- Verify that the firewall can communicate with the tunnel peer over the GRE tunnel.
- >ping source 192.168.2.1 host 192.168.2.3
Recommended For You
Recommended videos not found.