Configure Generic Routing Encapsulation (GRE) Tunnels
Let us learn to configure GRE tunnels.
Prisma SD-WAN supports Generic Routing Encapsulation
(GRE) tunnels from branch or data center sites to standard VPN endpoints
to integrate with cloud security services. Due to the insecure nature
of GRE, as a best practice we strongly recommend applying a Zone
Based Firewall Policy to any traffic using GRE for transport over
an insecure transport, such as the Internet. Additionally, you should
also consider implementing Source Network Address Translation (NAT)
for any traffic going through a GRE tunnel to obscure the Internal
IP addressing scheme. Exposure of the internal addressing scheme
along with unencrypted data over GRE can significantly increase
attack vectors at a site.
- Log in to the Prisma SD-WAN web interface and navigate toand select a device.MapClaimed Devices
- From the ellipsis menu, selectConfigure the device.
- Navigate toInterfacesand click the+add icon to create a new interface asStandard VPN.
- On theConfigure Interface: New Standard VPNscreen, set up theMain Configurationfor the new interface.
- ForAdmin Up, selectYes.GRE tunnels are stateless by design, the GRE tunnel is established when the standard VPN interface is created, and the parent interface is up.When Keep-Alive is disabled, the standard VPN interface immediately enters the Up state when:
- The standard VPN interface is created.
- The parent interface is up.
- Admin Upis set toYes.
The standard VPN interface may later be moved to the down state due to the failure of a liveliness probe if one or more were configured on the standard VPN endpoint associated with this interface. We strongly recommend to have GRE keep-alives enabled and/or have a liveliness probe configured on the standard VPN endpoint such that a failure can be detected and avoid traffic being black-holed. - (Optional)Enter aName,Description, andTags.
- SelectGREas theStandard VPN Type.TheInterface Typemust display asStandard VPN.
- Select aParent Interfaceto establish the GRE tunnel.For a branch ION device any of the following ports can be used as a parent interface:
- Internet L3 Port
- Private WAN L3 Port
- Virtual Interface (private and public)
- PPPoE interface
- Bypass Pair - Internet and Private WAN ports
- Sub-Interfaces - Internet and Private WAN ports
For a data center ION device, any of the following ports can be used as a parent interface:- AnyConnect to Internetport
- AnyConnect to Peer Networkport
The following interfaces which do not have an IP address cannot be used as a parent interface:- A Private L2 port of a bypass pair
- A Loopback interface
- ToggleScopetoLocalorGlobal.
- Enter anInner Tunnel IP AddressorMask.The address is the address of the innermost envelope's payload. When the standard VPN peer receives the IP packet from the tunnel interface, the outer IP header and GRE header are removed. The packet is then routed based on the Inner Tunnel IP Address.
- (Optional)Enter values forChecksumandKeep Alive.The default value for Keep-Alive Interval is 10 seconds, which implies that a Keep-Alive is sent every 10 seconds. The default value for Keep-Alive Retry Count is 3 which means that the device try sending a keep alive three times before declaring the interface to be down.
- If you configure Keep-Alive on the ION device, the standard VPN peer device should be capable of replying to the Keep-Alive. If the ION device does not receive a response from the peer device within the configured Keep-Alive Retry Count, it will result in the interface being marked as down.
- Some devices act as remote service endpoints and do not support Prisma SD-WAN GRE Keep-alives. In such cases, you may need to use service endpoint liveliness probes.
- Prisma SD-WAN Data Center devices do not support service endpoint configuration. As a result liveliness probes cannot be configured and multiple remotes and remote selection cannot be used.
- NAT performed between the local and remote endpoints of the GRE Tunnel may disrupt the use of GRE Keep-Alives.
- if Checksum is configured on the ION device, the standard VPN peer device should also respond with a checksum in its GRE header. If the standard VPN peer device does not support Checksum, the packet drops as a Frame Error.
- Select aStandard VPN Endpointfrom theEndpointfield.The GRE tunnel can only be created if the standard VPN interface has an endpoint or Peer IP configured. The Peer IP must be available either through the endpoint or the Peer IP field.An endpoint must be configured when the ION device is being used at a branch site. This enables the endpoint to be used in path policies to direct traffic. Endpoints can, but are not required to, specify IP addresses or host names of the possible peer device(s).The Peer IP overrides any IP addresses provided by the endpoint. If the ION device is being used at a Data Center site, the Peer IP has to be provided.
- ClickCreate Standard VPN.
Recommended For You
Recommended Videos
Recommended videos not found.