GRE Tunnel Between Fortigate and Juniper SRX Firewall

Topology: 


Fortigate Firewall:

GRE Tunnel Configuration:

++++++++++++++++++++++++++++++++++++

 config system gre-tunnel
    edit "GRE-FG-SRX-TUN"
        set interface "port1"
        set remote-gw 192.168.0.106
        set local-gw 192.168.0.108
    next
end

++++++++++++++++++++++++++++++++++++ 

Interface Configuration:

++++++++++++++++++++++++++++++++++++ 

FG-01 (GRE-FG-SRX-TUN) # show
config system interface
    edit "GRE-FG-SRX-TUN"
        set vdom "root"
        set ip 2.2.2.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 2.2.2.1 255.255.255.252
        set snmp-index 4
        set interface "port1"
    next
end

++++++++++++++++++++++++++++++++++++

Static Route:

++++++++++++++++++++++++++++++++ 

# Manually added route: the remote destination is reached through the tunnel interface; no gateway is needed on a point-to-point tunnel interface

FG-01 # config router static

FG-01 (static) # show
config router static
      edit 1
        set dst 33.33.33.33 255.255.255.255
        set device "GRE-FG-SRX-TUN"
    next
end


++++++++++++++++++++++++++++++++ 

# Security Policy (lab rules: service "ALL" with an "all" address on the tunnel side permits any traffic across the tunnel; narrow address and service objects to what is actually needed in production):

 config firewall policy
    edit 1
        set name "GRE_Allow"
        set uuid 436e5546-266c-51ec-00c3-776eb872b18d
        set srcintf "GRE-FG-SRX-TUN"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "14.140.40.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "GRE_outbound"
        set uuid 50189f40-266c-51ec-8250-c617f4b4e9d7
        set srcintf "port2"
        set dstintf "GRE-FG-SRX-TUN"
        set srcaddr "14.140.40.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

++++++++++++++++++++++++++++++++

# Connected route to the tunnel subnet, added automatically from the interface's remote-ip and mask

FG-01 # get router info routing-table details
Routing table for VRF=0
C       2.2.2.0/30 is directly connected, GRE-FG-SRX-TUN
C       2.2.2.2/32 is directly connected, GRE-FG-SRX-TUN

GRE Tunnel Statistics:
++++++++++++++++++++++++++++++++

FG-01 # diagnose sys gre list
IPv4:
vd=0 devname=GRE-FG-SRX-TUN devindex=3 ifindex=14
saddr=192.168.0.108 daddr=192.168.0.106 rpdb=0 ref=0
key=0/0 flags=0/0 dscp-copy=0 diffservcode=000000
  rpdb-ver: ffffffff rpdb-gwy: 0.0.0.0 rpdb-oif: 0

total tunnel = 1

++++++++++++++++++++++++++++++++ 
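The `key=0/0 flags=0/0` line above means the tunnel uses the plain four-byte GRE header (RFC 2784): no checksum, no key, no sequence number. Everything inside, the inner IPv4 header and the ICMP payload, travels in cleartext, and the only thing tying a packet to the peer is the outer source address. The following is an added example, not code from the page or from FortiOS/Junos: it builds the ping from this setup as it would appear on the wire (constructed bytes, addresses taken from the configs above) and decapsulates it with a receiver that pins the outer source to the expected peer. The pinning in `gre_decapsulate` is what any GRE endpoint or edge filter should enforce (accept IP protocol 47 only from the peer), not a claim about how either vendor implements it.

```python
import struct
from socket import inet_aton, inet_ntoa

GRE_IP_PROTO = 47          # IP protocol number carried in the outer IPv4 header
GRE_PTYPE_IPV4 = 0x0800    # GRE protocol-type field for an IPv4 payload
GRE_FLAG_CHECKSUM = 0x8000 # C bit (RFC 2784)
GRE_FLAG_KEY = 0x2000      # K bit (RFC 2890)
GRE_FLAG_SEQ = 0x1000      # S bit (RFC 2890)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def icmp_echo_request(payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return hdr[:2] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[4:]


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Wrap an IPv4 packet in a plain GRE header (flags 0, no key/checksum/sequence) and an outer IPv4 header."""
    gre = struct.pack("!HH", 0, GRE_PTYPE_IPV4)
    return ipv4_header(outer_src, outer_dst, GRE_IP_PROTO, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(packet: bytes, expected_peer: str) -> bytes:
    """Return the inner IPv4 packet. Plain GRE has no authentication, so the outer
    source address is pinned to the configured peer; anything else is rejected."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_IP_PROTO:
        raise ValueError(f"outer protocol {packet[9]} is not GRE")
    outer_src = inet_ntoa(packet[12:16])
    if outer_src != expected_peer:
        raise ValueError(f"GRE packet from {outer_src}, expected peer {expected_peer}")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if ptype != GRE_PTYPE_IPV4:
        raise ValueError(f"unexpected GRE protocol type 0x{ptype:04x}")
    gre_len = 4
    if flags & GRE_FLAG_CHECKSUM:
        gre_len += 4  # checksum + reserved1
    if flags & GRE_FLAG_KEY:
        gre_len += 4
    if flags & GRE_FLAG_SEQ:
        gre_len += 4
    return packet[ihl + gre_len:]


# Constructed sample: the page's ping from the FortiGate tunnel address 2.2.2.2 to the SRX 2.2.2.1,
# carried between the transport addresses 192.168.0.108 (FortiGate) and 192.168.0.106 (SRX).
FG_TRANSPORT, SRX_TRANSPORT = "192.168.0.108", "192.168.0.106"
FG_TUNNEL, SRX_TUNNEL = "2.2.2.2", "2.2.2.1"


def build_sample_ping():
    """Return (outer GRE packet as seen on port1, inner ICMP packet it carries)."""
    icmp = icmp_echo_request(b"fortigate-to-srx")
    inner = ipv4_header(FG_TUNNEL, SRX_TUNNEL, 1, len(icmp)) + icmp
    return gre_encapsulate(inner, FG_TRANSPORT, SRX_TRANSPORT), inner


if __name__ == "__main__":
    wire, inner = build_sample_ping()
    print(f"outer proto={wire[9]} total={len(wire)} gre={wire[20:24].hex()} inner={len(inner)} bytes")
    print("decapsulated ok:", gre_decapsulate(wire, FG_TRANSPORT) == inner)
    print("ICMP payload readable on the wire:", b"fortigate-to-srx" in wire)
```

The practical consequence: a firewall rule on the SRX's ge-0/0/0.0 and the FortiGate's port1 should accept protocol 47 only from the peer address, and anything that needs confidentiality or integrity over an untrusted transport should run GRE inside IPsec rather than bare.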

Ping Test:

Session:

SRX Firewall:

Interface Config : 

++++++++++++++++++++++++++++++++ 

set interfaces gr-0/0/0 unit 0 tunnel source 192.168.0.106
set interfaces gr-0/0/0 unit 0 tunnel destination 192.168.0.108
set interfaces gr-0/0/0 unit 0 family inet address 2.2.2.1/30

++++++++++++++++++++++++++++++++ 
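The two ends have to mirror each other: the FortiGate `local-gw`/`remote-gw` pair must equal the SRX `tunnel destination`/`tunnel source`, the FortiGate `remote-ip` must be the SRX `family inet address`, and the masks on both sides must describe the same tunnel subnet (SRX `/30` versus a FortiGate mask that yields `/24` is exactly the kind of slip that leaves the tunnel "up" but the connected routes disagreeing). The following is an added example, not part of the original post or either vendor's tooling: a small checker that parses the FortiOS `config` blocks and the Junos `set` lines above and reports any mismatch. The sample inputs are copied from this page, with the FortiGate `remote-ip` mask deliberately set to `255.255.255.0` so the subnet check fires; the corrected `/30` variant passes.

```python
import ipaddress

# Constructed sample inputs copied from this page. The FortiGate remote-ip mask is
# deliberately /24 so the subnet check below reports it.
FORTIGATE_CONF = """
config system gre-tunnel
    edit "GRE-FG-SRX-TUN"
        set interface "port1"
        set remote-gw 192.168.0.106
        set local-gw 192.168.0.108
    next
end
config system interface
    edit "GRE-FG-SRX-TUN"
        set vdom "root"
        set ip 2.2.2.2 255.255.255.255
        set type tunnel
        set remote-ip 2.2.2.1 255.255.255.0
        set interface "port1"
    next
end
"""
FORTIGATE_CONF_FIXED = FORTIGATE_CONF.replace(
    "remote-ip 2.2.2.1 255.255.255.0", "remote-ip 2.2.2.1 255.255.255.252")

SRX_CONF = """
set interfaces gr-0/0/0 unit 0 tunnel source 192.168.0.106
set interfaces gr-0/0/0 unit 0 tunnel destination 192.168.0.108
set interfaces gr-0/0/0 unit 0 family inet address 2.2.2.1/30
"""


def parse_fortigate(text):
    """Map (config section, edit name) -> {key: value} for every 'set' line."""
    blocks, section, name = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit "):
            name = line[len("edit "):].strip('"')
            blocks.setdefault((section, name), {})
        elif line == "next":
            name = None
        elif line == "end":
            section = None
        elif name is not None and line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            blocks[(section, name)][key] = value.replace('"', "")
    return blocks


def parse_junos_gre(text, unit="gr-0/0/0 unit 0"):
    """Pull tunnel source/destination and the inet address for one gr- unit from set-style config."""
    prefix = f"set interfaces {unit} "
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(prefix):
            continue
        rest = line[len(prefix):]
        for label, stem in (("source", "tunnel source "),
                            ("destination", "tunnel destination "),
                            ("address", "family inet address ")):
            if rest.startswith(stem):
                found[label] = rest.split()[-1]
    return found


def check_gre_pair(fg_text, srx_text, tunnel="GRE-FG-SRX-TUN"):
    """Return a list of mismatches between the two ends; an empty list means they agree."""
    fg = parse_fortigate(fg_text)
    gre = fg[("system gre-tunnel", tunnel)]
    iface = fg[("system interface", tunnel)]
    srx = parse_junos_gre(srx_text)
    problems = []
    # Outer (transport) endpoints must mirror each other.
    if gre["local-gw"] != srx["destination"]:
        problems.append(f"FG local-gw {gre['local-gw']} != SRX tunnel destination {srx['destination']}")
    if gre["remote-gw"] != srx["source"]:
        problems.append(f"FG remote-gw {gre['remote-gw']} != SRX tunnel source {srx['source']}")
    # Inner (tunnel) addressing: FG remote-ip is the SRX address, and both masks must give one subnet.
    fg_remote_ip, fg_mask = iface["remote-ip"].split()
    srx_if = ipaddress.ip_interface(srx["address"])
    if fg_remote_ip != str(srx_if.ip):
        problems.append(f"FG remote-ip {fg_remote_ip} != SRX address {srx_if.ip}")
    fg_net = ipaddress.ip_network(f"{fg_remote_ip}/{fg_mask}", strict=False)
    if fg_net != srx_if.network:
        problems.append(f"tunnel subnet mismatch: FG {fg_net} vs SRX {srx_if.network}")
    fg_ip = ipaddress.ip_address(iface["ip"].split()[0])
    if fg_ip not in srx_if.network:
        problems.append(f"FG tunnel ip {fg_ip} is outside SRX subnet {srx_if.network}")
    return problems


if __name__ == "__main__":
    for label, conf in (("as posted", FORTIGATE_CONF), ("with /30 mask", FORTIGATE_CONF_FIXED)):
        print(f"{label}: {check_gre_pair(conf, SRX_CONF) or 'OK'}")
```

Run it before bringing the tunnel up; the same checker can be pointed at `show full-configuration` output on the FortiGate and `show configuration | display set` on the SRX, since it only reads the `config`/`edit`/`set` and `set interfaces` lines.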

Assign GRE tunnel interface to respective Zone: 


++++++++++++++++++++++++++++++++

set security zones security-zone untrust interfaces gr-0/0/0.0

set security zones security-zone untrust interfaces ge-0/0/0.0

++++++++++++++++++++++++++++++++ 

Configure static route to remote network via GRE tunnel interface:

set routing-options static route 14.140.40.108/32 next-hop gr-0/0/0.0

Security policy to allow the traffic (untrust to untrust in my case):

++++++++++++++++++++++++++++++++ 

set security policies from-zone untrust to-zone untrust policy untrust_allow_ping match source-address any
set security policies from-zone untrust to-zone untrust policy untrust_allow_ping match destination-address any
set security policies from-zone untrust to-zone untrust policy untrust_allow_ping match application any
set security policies from-zone untrust to-zone untrust policy untrust_allow_ping then permit

++++++++++++++++++++++++++++++++

Allow inbound traffic to the SRX itself on the zone (so the SRX answers the ping to 2.2.2.1 on gr-0/0/0.0). `all` accepts every management service and routing protocol on every untrust interface, including ge-0/0/0.0; narrow it in production to what the tunnel actually needs, which for this test is ping:

set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all

Ping Test

Session Information:


YouTube video reference:  




