GRE tunnel configuration on the USG6000

The USG6000 GRE scenarios are as follows:
1. Static route-based GRE tunnel
The NGFW adopts the dynamic routing protocol. Intranet users can transmit data that is not supported by certain public network devices over the GRE tunnel.
2. OSPF-based GRE tunnel
The NGFW adopts the OSPF routing protocol. Intranet users can transmit data that is not supported by certain public network devices over the GRE tunnel.
For specific scenarios and configuration cases, click Configuring a Static Route-based GRE Tunnel.

Other related questions:
Types of interfaces on both ends of the GRE tunnel for the USG6000
Interfaces on both ends of the GRE tunnel are tunnel interfaces, used to encapsulate and decapsulate packets. The physical interface used to transmit encapsulated packets is known as the tunnel source interface, and the peer interface used to receive the packets is known as the tunnel destination interface.

IPv6 over IPv4 GRE tunnel configuration
To configure an IPv6 over IPv4 GRE tunnel, perform the following steps:
1. Run the system-view command to enter the system view.
2. Run the interface tunnel interface-number command to create a tunnel interface and enter the tunnel interface view.
3. Run the tunnel-protocol gre command to set the tunnel encapsulation type to GRE.
4. Run the source { ipv4-address | interface-type interface-number } command to specify the source address or source interface of the GRE tunnel.
   Note:
   - You can directly specify the IPv4 address of the interface used to connect to the IPv4 network as the source address, or specify this interface as the source interface.
   - You can specify a physical port or a logical interface such as the Loopback interface as the source interface of the tunnel.
5. Run the destination ipv4-address command to specify the destination address or domain name of the GRE tunnel. The destination address is the source address of the peer device. As shown in Figure 1, the destination address of FW_A is 1.1.2.1/24, while the destination address of FW_B is 1.1.1.1/24.
6. Run the ipv6 enable command to enable the IPv6 function on the tunnel interface.
7. Run the ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } command to configure the IPv6 address for the tunnel interface.
8. (Optional) Run the gre key key-number command to set the keyword in the GRE packet header. You can set the same key-number on both ends of the tunnel, or not set a key-number at all.

GRE over IPSec configuration on the USG6000
Configuration procedure:
1. Complete basic interface configuration, for example, configuring the IP address and adding the physical port to the related zone.
2. Enable the inter-zone security policy.
3. Configure the IPSec tunnel. Set the source and destination addresses of the sensitive traffic carried by the IPSec tunnel to the source and destination addresses of the GRE tunnel.
4. Configure the GRE tunnel. Set the source and destination addresses of the GRE tunnel to the source and destination addresses of the sensitive traffic carried by the IPSec tunnel.

Configuration example:
Topology: Network A-----(10.1.1.1) NGFW_A-----INTERNET-----NGFW_B (10.1.2.1)------Network B
Note:
a. Network A (10.1.1.0/24) and network B (10.1.2.0/24) can mutually access each other.
b. The public IP address of NGFW_A is 1.1.3.1, the public IP address of NGFW_B is 1.1.5.1, and the public route is accessible.
c. The GRE over IPSec tunnel established between NGFW_A and NGFW_B can satisfy the IPSec security requirements and also transmit broadcast or multicast packets based on GRE.

1. Complete basic interface configuration, for example, configuring the IP address and adding the interface to the related zone.

2. Configure IPSec.
//Configure IPSec sensitive traffic. The ACL matches the GRE tunnel endpoints (the public addresses), not the inner networks.//
[USG_A]acl 3000
[USG_A-acl-adv-3000]rule 5 permit ip source 1.1.3.1 0.0.0.0 destination 1.1.5.1 0.0.0.0
[USG_B]acl 3000
[USG_B-acl-adv-3000]rule 5 permit ip source 1.1.5.1 0.0.0.0 destination 1.1.3.1 0.0.0.0
//Configure the IKE proposal and IPSec proposal. Adopt the default parameters.//
[USG_A-1]ike proposal 1
[USG_A-1-ike-proposal-1]quit
[USG_A-1]ipsec proposal 1
[USG_A-1-ipsec-proposal-1]quit
[USG_B-1]ike proposal 1
[USG_B-1-ike-proposal-1]quit
[USG_B-1]ipsec proposal 1
[USG_B-1-ipsec-proposal-1]quit
//Configure the IKE peer. The pre-shared key must be identical on both ends; 123456 is the sample value used in this example.//
[USG_A-1]ike peer 1
[USG_A-1-ike-peer-1]pre-shared-key 123456
[USG_A-1-ike-peer-1]ike-proposal 1
[USG_A-1-ike-peer-1]remote-address 1.1.5.1
[USG_B-1]ike peer 1
[USG_B-1-ike-peer-1]pre-shared-key 123456
[USG_B-1-ike-peer-1]ike-proposal 1
[USG_B-1-ike-peer-1]remote-address 1.1.3.1
//Configure IPSec policies and apply them to the public interface.//
[USG_A-1]ipsec policy p1 1 isakmp
[USG_A-1-ipsec-policy-isakmp-1-1]security acl 3000
[USG_A-1-ipsec-policy-isakmp-1-1]ike-peer 1
[USG_A-1-ipsec-policy-isakmp-1-1]proposal 1
[USG_A-1-ipsec-policy-isakmp-1-1]local-address 1.1.3.1
[USG_A-1-ipsec-policy-isakmp-1-1]interface GigabitEthernet1/0/1
[USG_A-1-GigabitEthernet1/0/1]ipsec policy p1 auto-neg
[USG_B-1]ipsec policy p1 1 isakmp
[USG_B-1-ipsec-policy-isakmp-1-1]security acl 3000
[USG_B-1-ipsec-policy-isakmp-1-1]ike-peer 1
[USG_B-1-ipsec-policy-isakmp-1-1]proposal 1
[USG_B-1-ipsec-policy-isakmp-1-1]local-address 1.1.5.1
[USG_B-1-ipsec-policy-isakmp-1-1]interface GigabitEthernet1/0/1
[USG_B-1-GigabitEthernet1/0/1]ipsec policy p1 auto-neg

3. Configure the GRE tunnel.
[USG_A-1]interface Tunnel 0
[USG_A-1-Tunnel0]ip address 10.3.1.1 255.255.255.0
[USG_A-1-Tunnel0]tunnel-protocol gre
[USG_A-1-Tunnel0]source 1.1.3.1
[USG_A-1-Tunnel0]destination 1.1.5.1
[USG_B-1]interface Tunnel 0
[USG_B-1-Tunnel0]ip address 10.3.1.2 255.255.255.0
[USG_B-1-Tunnel0]tunnel-protocol gre
[USG_B-1-Tunnel0]source 1.1.5.1
[USG_B-1-Tunnel0]destination 1.1.3.1

4. Add the GRE tunnel to the security zone and configure a tunnel route.
[USG_A-1]firewall zone untrust
[USG_A-1-zone-untrust]add interface Tunnel 0
[USG_A-1]ip route-static 10.1.2.0 255.255.255.0 Tunnel0
[USG_B-1]firewall zone untrust
[USG_B-1-zone-untrust]add interface Tunnel 0
[USG_B-1]ip route-static 10.1.1.0 255.255.255.0 Tunnel0
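
The procedure requires the IPSec ACL and the GRE tunnel to name the same source and destination, mirrored between the two ends. The following check is an added example, not part of the original page or of any Huawei tool: it reads the relevant commands (prompts removed) and reports mismatches. The function names and the USG_B_BAD sample, which puts the inner addresses in the ACL, are constructed for illustration.

```python
# Sample configurations constructed from the example on this page (prompts removed).
TEMPLATE = """\
acl 3000
 rule 5 permit ip source {acl_src} 0.0.0.0 destination {acl_dst} 0.0.0.0
interface Tunnel 0
 tunnel-protocol gre
 source {src}
 destination {dst}
"""
USG_A = TEMPLATE.format(acl_src="1.1.3.1", acl_dst="1.1.5.1", src="1.1.3.1", dst="1.1.5.1")
USG_B = TEMPLATE.format(acl_src="1.1.5.1", acl_dst="1.1.3.1", src="1.1.5.1", dst="1.1.3.1")
# Constructed mistake: the ACL names the inner addresses instead of the GRE endpoints,
# so the GRE packets leaving the public interface would not match the IPSec policy.
USG_B_BAD = TEMPLATE.format(acl_src="10.1.2.1", acl_dst="10.1.1.1", src="1.1.5.1", dst="1.1.3.1")

def extract(cfg):
    """Collect the ACL flow and the GRE endpoints from one device's commands."""
    out, ctx = {}, None
    for line in cfg.splitlines():
        w = line.split()
        if not w:
            continue
        if not line[0].isspace():  # an unindented line opens a new view
            is_tunnel = w[0] == "interface" and "".join(w[1:]).lower().startswith("tunnel")
            ctx = "tunnel" if is_tunnel else w[0]
        elif ctx == "acl" and w[0] == "rule":
            out["acl"] = (w[w.index("source") + 1], w[w.index("destination") + 1])
        elif ctx == "tunnel" and w[0] in ("source", "destination"):
            out[w[0]] = w[1]
    return out

def audit(cfg_a, cfg_b):
    """Return a list of mismatches; an empty list means the two ends agree."""
    a, b = extract(cfg_a), extract(cfg_b)
    problems = []
    for name, dev, peer in (("A", a, b), ("B", b, a)):
        if dev["acl"] != (dev["source"], dev["destination"]):
            problems.append(f"{name}: IPSec ACL {dev['acl']} != GRE endpoints")
        if dev["destination"] != peer["source"]:
            problems.append(f"{name}: GRE destination is not the peer's GRE source")
    return problems

if __name__ == "__main__":
    print(audit(USG_A, USG_B))
    print(audit(USG_A, USG_B_BAD))
```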

Whether source address (interface) and destination address (interface) are mandatory when a GRE tunnel is configured on the USG6000
The source address (interface) and destination address (interface) are mandatory when a GRE tunnel is configured.

Meaning of GRE for the USG6000
The Generic Routing Encapsulation (GRE) protocol encapsulates data packets of certain network-layer protocols, so that the encapsulated packets can travel through another network-layer protocol. GRE is one of the tunneling technologies and is an L3 tunneling protocol. The GRE provides a transmission path for encapsulated packets by establishing a virtual point-to-point connection.
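
The encapsulation described here, and the key set by gre key in the IPv6 over IPv4 steps, can be seen at the byte level. The following is an added example, not code from the original page or from Huawei: it builds and parses a GRE header per RFC 2784/2890 around a constructed IPv6 header and models the same-key-or-no-key rule from step 8. The function names and the sample IPv6 addresses are assumptions.

```python
import ipaddress
import struct

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000  # checksum, key, sequence flag bits
ETHERTYPE_IPV6 = 0x86DD                        # protocol type for an IPv6 payload

def build_gre(proto, payload, key=None):
    """Prepend a GRE header; the 4-byte key field is added only when key is set."""
    header = struct.pack("!HH", GRE_K if key is not None else 0, proto)
    if key is not None:
        header += struct.pack("!I", key)
    return header + payload

def parse_gre(packet):
    """Return (protocol type, key or None, payload) from a GRE packet."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", packet)
    if flags & 0x0007:
        raise ValueError("GRE version is not 0")
    offset, key = 4, None
    if flags & GRE_C:
        offset += 4                            # checksum + reserved1
    if flags & GRE_K:
        if len(packet) < offset + 4:
            raise ValueError("truncated GRE key field")
        (key,) = struct.unpack_from("!I", packet, offset)
        offset += 4
    if flags & GRE_S:
        offset += 4                            # sequence number
    if len(packet) < offset:
        raise ValueError("truncated GRE header")
    return proto, key, packet[offset:]

def key_matches(packet, configured_key):
    """Model of step 8: accept only if both ends use the same key, or neither sets one."""
    return parse_gre(packet)[1] == configured_key

def sample_ipv6_header():
    """Constructed 40-byte IPv6 header (no payload) between two documentation addresses."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 0x60000000, 0, 59, 64) + src + dst

if __name__ == "__main__":
    pkt = build_gre(ETHERTYPE_IPV6, sample_ipv6_header(), key=12345)
    print(pkt[:8].hex(), parse_gre(pkt)[:2], key_matches(pkt, 54321))
```

The key is carried in cleartext and only compared for equality, so it distinguishes tunnels but gives no confidentiality; the GRE over IPSec configuration above supplies that.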
