Configure Generic Routing Encapsulation (GRE) Tunnels

Let us learn to configure GRE tunnels.
Prisma SD-WAN supports Generic Routing Encapsulation (GRE) tunnels from branch or data center sites to standard VPN endpoints to integrate with cloud security services. Due to the insecure nature of GRE, as a best practice we strongly recommend applying a Zone Based Firewall Policy to any traffic using GRE for transport over an insecure transport, such as the Internet. Additionally, you should also consider implementing Source Network Address Translation (NAT) for any traffic going through a GRE tunnel to obscure the Internal IP addressing scheme. Exposure of the internal addressing scheme along with unencrypted data over GRE can significantly increase attack vectors at a site.
  1. Log in to the Prisma SD-WAN web interface and navigate to
    Claimed Devices
    and select a device.
  2. From the ellipsis menu, select
    Configure the device
  3. Navigate to
    and click the
    add icon to create a new interface as
    Standard VPN
  4. On the
    Configure Interface: New Standard VPN
    screen, set up the
    Main Configuration
    for the new interface.
    1. For
      Admin Up
      , select
      GRE tunnels are stateless by design, the GRE tunnel is established when the standard VPN interface is created, and the parent interface is up.
      When Keep-Alive is disabled, the standard VPN interface immediately enters the Up state when:
      • The standard VPN interface is created.
      • The parent interface is up.
      • Admin Up
        is set to
      The standard VPN interface may later be moved to the down state due to the failure of a liveliness probe if one or more were configured on the standard VPN endpoint associated with this interface. We strongly recommend to have GRE keep-alives enabled and/or have a liveliness probe configured on the standard VPN endpoint such that a failure can be detected and avoid traffic being black-holed.
    2. (Optional)
      Enter a
      , and
    3. Select
      as the
      Standard VPN Type
      Interface Type
      must display as
      Standard VPN
    4. Select a
      Parent Interface
      to establish the GRE tunnel.
      For a branch ION device any of the following ports can be used as a parent interface:
      • Internet L3 Port
      • Private WAN L3 Port
      • Virtual Interface (private and public)
      • PPPoE interface
      • Bypass Pair - Internet and Private WAN ports
      • Sub-Interfaces - Internet and Private WAN ports
      For a data center ION device, any of the following ports can be used as a parent interface:
      • Any
        Connect to Internet
      • Any
        Connect to Peer Network
      The following interfaces which do not have an IP address cannot be used as a parent interface:
      • A Private L2 port of a bypass pair
      • A Loopback interface
    5. Toggle
    6. Enter an
      Inner Tunnel IP Address
      The address is the address of the innermost envelope's payload. When the standard VPN peer receives the IP packet from the tunnel interface, the outer IP header and GRE header are removed. The packet is then routed based on the Inner Tunnel IP Address.
    7. (Optional)
      Enter values for
      Keep Alive
      The default value for Keep-Alive Interval is 10 seconds, which implies that a Keep-Alive is sent every 10 seconds. The default value for Keep-Alive Retry Count is 3 which means that the device try sending a keep alive three times before declaring the interface to be down.
      • If you configure Keep-Alive on the ION device, the standard VPN peer device should be capable of replying to the Keep-Alive. If the ION device does not receive a response from the peer device within the configured Keep-Alive Retry Count, it will result in the interface being marked as down.
      • Some devices act as remote service endpoints and do not support Prisma SD-WAN GRE Keep-alives. In such cases, you may need to use service endpoint liveliness probes.
      • Prisma SD-WAN Data Center devices do not support service endpoint configuration. As a result liveliness probes cannot be configured and multiple remotes and remote selection cannot be used.
      • NAT performed between the local and remote endpoints of the GRE Tunnel may disrupt the use of GRE Keep-Alives.
      • if Checksum is configured on the ION device, the standard VPN peer device should also respond with a checksum in its GRE header. If the standard VPN peer device does not support Checksum, the packet drops as a Frame Error.
    8. Select a
      Standard VPN Endpoint
      from the
      The GRE tunnel can only be created if the standard VPN interface has an endpoint or Peer IP configured. The Peer IP must be available either through the endpoint or the Peer IP field.
      An endpoint must be configured when the ION device is being used at a branch site. This enables the endpoint to be used in path policies to direct traffic. Endpoints can, but are not required to, specify IP addresses or host names of the possible peer device(s).
      The Peer IP overrides any IP addresses provided by the endpoint. If the ION device is being used at a Data Center site, the Peer IP has to be provided.
    9. Click
      Create Standard VPN

Recommended For You