GRE Tunnel Between Fortigate and Juniper SRX Firewall
Topology (the diagram is not reproduced here; the addresses below are the ones used in the configurations that follow):
FortiGate FG-01 port1 192.168.0.108 <-- GRE (IP protocol 47) --> SRX ge-0/0/0 192.168.0.106. Tunnel addresses: 2.2.2.2/30 on the FortiGate interface GRE-FG-SRX-TUN and 2.2.2.1/30 on the SRX interface gr-0/0/0.0.
Fortigate Firewall:
GRE Tunnel Configuration:
++++++++++++++++++++++++++++++++++++
config system gre-tunnel
    edit "GRE-FG-SRX-TUN"
        set interface "port1"
        set remote-gw 192.168.0.106
        set local-gw 192.168.0.108
    next
end
++++++++++++++++++++++++++++++++++++
Interface Configuration (the remote-ip mask must match the SRX /30; it decides which connected route the FortiGate installs for the tunnel subnet):
++++++++++++++++++++++++++++++++++++
FG-01 (GRE-FG-SRX-TUN) # show
config system interface
    edit "GRE-FG-SRX-TUN"
        set vdom "root"
        set ip 2.2.2.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 2.2.2.1 255.255.255.252
        set snmp-index 4
        set interface "port1"
    next
end
++++++++++++++++++++++++++++++++++++
Static Route:
++++++++++++++++++++++++++++++++
# Manually added route to the remote host 33.33.33.33 (on the SRX side) via the tunnel interface; the SRX mirrors this with its own /32 route towards gr-0/0/0.0
FG-01 # config router static
FG-01 (static) # show
config router static
    edit 1
        set dst 33.33.33.33 255.255.255.255
        set device "GRE-FG-SRX-TUN"
    next
end
++++++++++++++++++++++++++++++++
# Security Policy (lab settings: "14.140.40.0" is a firewall address object for the LAN behind port2; srcaddr "all" and service "ALL" should be narrowed to the real peer networks and services in production, since GRE itself carries the inner packets unencrypted and unauthenticated)
config firewall policy
    edit 1
        set name "GRE_Allow"
        set uuid 436e5546-266c-51ec-00c3-776eb872b18d
        set srcintf "GRE-FG-SRX-TUN"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "14.140.40.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "GRE_outbound"
        set uuid 50189f40-266c-51ec-8250-c617f4b4e9d7
        set srcintf "port2"
        set dstintf "GRE-FG-SRX-TUN"
        set srcaddr "14.140.40.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
++++++++++++++++++++++++++++++++
# Connected routes for the tunnel subnet and the local tunnel IP are installed automatically once the interface is up
FG-01 # get router info routing-table details
Routing table for VRF=0
C 2.2.2.0/30 is directly connected, GRE-FG-SRX-TUN (added by default from the remote-ip/mask)
C 2.2.2.2/32 is directly connected, GRE-FG-SRX-TUN
GRE Tunnel Statistics (saddr/daddr must match local-gw/remote-gw above; key=0/0 means no GRE key is set in either direction):
++++++++++++++++++++++++++++++++
FG-01 # diagnose sys gre list
IPv4:
vd=0 devname=GRE-FG-SRX-TUN devindex=3 ifindex=14
saddr=192.168.0.108 daddr=192.168.0.106 rpdb=0 ref=0
key=0/0 flags=0/0 dscp-copy=0 diffservcode=000000
rpdb-ver: ffffffff rpdb-gwy: 0.0.0.0 rpdb-oif: 0
total tunnel = 1
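What actually crosses the 192.168.0.108 <-> 192.168.0.106 link is an outer IPv4 packet with protocol 47, a GRE header, and the inner IPv4/ICMP packet in clear. The following is an added example, not code from the original post or from either vendor: it builds such a packet for the tunnel above (with and without the optional GRE key and checksum that the diag output reports as key=0/0) and parses it back. The packet bytes and the ICMP payload are constructed here, not captured from the lab.

```python
"""GRE encapsulation as seen on the 192.168.0.108 <-> 192.168.0.106 link (added example).

Builds outer IPv4 (proto 47) + GRE header + inner IPv4/ICMP echo and parses it back.
Stdlib only; all bytes are constructed here, not captured from the lab.
"""
import socket
import struct
from typing import Optional

GRE_PROTO = 47            # outer IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" for an IPv4 payload
GRE_FLAG_CSUM = 0x8000    # C bit: 2-byte checksum + 2-byte reserved1 present
GRE_FLAG_KEY = 0x2000     # K bit: 4-byte key present (RFC 2890)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum shared by IPv4, ICMP and GRE; returns 0 for valid data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_echo(ident: int, seq: int, data: bytes = b"fg-to-srx") -> bytes:
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", ones_complement_sum(msg)) + msg[4:]


def build_gre(inner: bytes, key: Optional[int] = None, checksum: bool = False) -> bytes:
    """4-byte base header, plus optional checksum/reserved1 and key words."""
    flags = (GRE_FLAG_CSUM if checksum else 0) | (GRE_FLAG_KEY if key is not None else 0)
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)       # checksum placeholder + reserved1
    if key is not None:
        hdr += struct.pack("!I", key)
    pkt = hdr + inner
    if checksum:                              # checksum covers GRE header + payload
        pkt = pkt[:4] + struct.pack("!H", ones_complement_sum(pkt)) + pkt[6:]
    return pkt


def encapsulate_ping(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
                     key: Optional[int] = None, checksum: bool = False) -> bytes:
    inner = build_ipv4(inner_src, inner_dst, 1, build_icmp_echo(0x1234, 1))
    return build_ipv4(outer_src, outer_dst, GRE_PROTO, build_gre(inner, key, checksum))


def parse_gre_packet(packet: bytes) -> dict:
    """Validate the outer header, walk the GRE flags, and expose the inner addresses."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer IP protocol %d is not GRE (47)" % packet[9])
    if ones_complement_sum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    gre = packet[ihl:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    off, key = 4, None
    if flags & GRE_FLAG_CSUM:
        if ones_complement_sum(gre) != 0:
            raise ValueError("bad GRE checksum")
        off += 4
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    inner = gre[off:]
    return {
        "outer_src": socket.inet_ntoa(packet[12:16]),
        "outer_dst": socket.inet_ntoa(packet[16:20]),
        "gre_header_len": off,
        "protocol_type": ptype,
        "key": key,
        "inner_src": socket.inet_ntoa(inner[12:16]),   # readable in clear: GRE has no encryption
        "inner_dst": socket.inet_ntoa(inner[16:20]),
        "inner_proto": inner[9],
    }


if __name__ == "__main__":
    pkt = encapsulate_ping("192.168.0.108", "192.168.0.106", "2.2.2.2", "2.2.2.1")
    for k, v in parse_gre_packet(pkt).items():
        print("%-15s %s" % (k, v))
```

Two practical consequences follow from the parse: any filter between the two firewalls must permit IP protocol 47 (there is no port to open), and because the inner addresses and payload are visible and the only optional integrity field is a plain checksum, a GRE tunnel on its own gives no confidentiality or authentication; wrap it in IPsec when the transit network is not trusted.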
++++++++++++++++++++++++++++++++
Ping Test:
Session:
SRX Firewall:
Interface Config:
++++++++++++++++++++++++++++++++
set interfaces gr-0/0/0 unit 0 tunnel source 192.168.0.106
set interfaces gr-0/0/0 unit 0 tunnel destination 192.168.0.108
set interfaces gr-0/0/0 unit 0 family inet address 2.2.2.1/30
++++++++++++++++++++++++++++++++
Assign GRE tunnel interface to respective Zone:
++++++++++++++++++++++++++++++++
set security zones security-zone untrust interfaces gr-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/0.0
++++++++++++++++++++++++++++++++
Configure static route to remote network via GRE tunnel interface:
set routing-options static route 14.140.40.108/32 next-hop gr-0/0/0.0
Security policy to allow the traffic (untrust to untrust in this lab, because both ge-0/0/0.0 and gr-0/0/0.0 sit in the untrust zone; an any/any intra-zone permit is fine for testing but should be narrowed to the tunnel networks and applications in production):
++++++++++++++++++++++++++++++++
set security policies from-zone untrust to-zone untrust policy untrust_allow_ping match source-address any
set security policies from-zone untrust to-zone untrust policy untrust_allow_ping match destination-address any
set security policies from-zone untrust to-zone untrust policy untrust_allow_ping match application any
set security policies from-zone untrust to-zone untrust policy untrust_allow_ping then permit
++++++++++++++++++++++++++++++++
Allow inbound traffic on the zone (the lab opens every system service and protocol on untrust; in production restrict this to what is needed, e.g. system-services ping for the tunnel test):
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
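The FortiGate and SRX halves above have to mirror each other: the FortiGate local-gw is the SRX tunnel destination, the FortiGate remote-gw is the SRX tunnel source, and the two tunnel IPs must share one subnet with the same mask on both sides. The script below is an added example, not code from the original post or from either vendor. It parses FortiOS show-style config and Junos set commands (only the flat "config/edit/set" and "set interfaces ... unit ..." forms used on this page) and reports mismatches. The embedded configs are constructed from the page; the FortiGate remote-ip deliberately carries a /24 mask so the checker has something to report, and the FortiGate would then install a connected route for 2.2.2.0/24 instead of 2.2.2.0/30.

```python
"""Cross-check both ends of a FortiGate <-> SRX GRE tunnel from their configs (added example).

Parses flat FortiOS 'config/edit/set' blocks and Junos 'set interfaces' lines, then checks
that endpoints mirror each other and the tunnel IPs share one subnet/mask. Inputs below are
constructed from the page; the /24 remote-ip mask is deliberate to show what gets flagged.
"""
import ipaddress
import re
from typing import Dict, List

FORTIGATE_CONFIG = """\
config system gre-tunnel
    edit "GRE-FG-SRX-TUN"
        set interface "port1"
        set remote-gw 192.168.0.106
        set local-gw 192.168.0.108
    next
end
config system interface
    edit "GRE-FG-SRX-TUN"
        set vdom "root"
        set ip 2.2.2.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 2.2.2.1 255.255.255.0
        set interface "port1"
    next
end
"""

SRX_CONFIG = """\
set interfaces gr-0/0/0 unit 0 tunnel source 192.168.0.106
set interfaces gr-0/0/0 unit 0 tunnel destination 192.168.0.108
set interfaces gr-0/0/0 unit 0 family inet address 2.2.2.1/30
"""

JUNOS_GRE_RE = re.compile(
    r"set interfaces (\S+) unit (\d+) (tunnel source|tunnel destination|family inet address) (\S+)")


def parse_fortios(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Return {section: {edit-name: {key: value}}} for flat config/edit/set blocks."""
    sections: Dict[str, Dict[str, Dict[str, str]]] = {}
    section = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            name = line[len("edit "):].strip('"')
            sections[section][name] = {}
        elif line.startswith("set ") and section is not None and name is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section][name][key] = value.replace('"', "")
        elif line == "next":
            name = None
        elif line == "end":
            section = None
    return sections


def parse_junos_gre(text: str) -> Dict[str, str]:
    """Pull tunnel source/destination and inet address out of Junos set commands."""
    gre: Dict[str, str] = {}
    for line in text.splitlines():
        m = JUNOS_GRE_RE.match(line.strip())
        if m:
            gre["ifname"] = "%s.%s" % (m.group(1), m.group(2))
            gre[m.group(3).split()[-1]] = m.group(4)   # keys: source, destination, address
    return gre


def check_gre_pair(fg_text: str, srx_text: str, tunnel_name: str = "GRE-FG-SRX-TUN") -> List[str]:
    """Return a list of human-readable mismatches; empty list means the two sides agree."""
    fg = parse_fortios(fg_text)
    tun = fg["system gre-tunnel"][tunnel_name]
    intf = fg["system interface"][tunnel_name]
    srx = parse_junos_gre(srx_text)
    problems: List[str] = []
    # Outer endpoints must mirror: FG local-gw == SRX destination, FG remote-gw == SRX source.
    if tun.get("local-gw") != srx.get("destination"):
        problems.append("endpoint mismatch: FortiGate local-gw %s vs SRX tunnel destination %s"
                        % (tun.get("local-gw"), srx.get("destination")))
    if tun.get("remote-gw") != srx.get("source"):
        problems.append("endpoint mismatch: FortiGate remote-gw %s vs SRX tunnel source %s"
                        % (tun.get("remote-gw"), srx.get("source")))
    if intf.get("type") != "tunnel":
        problems.append("FortiGate interface %s is not 'type tunnel'" % tunnel_name)
    # Inner tunnel addressing: same subnet, same mask, remote-ip pointing at the SRX address.
    fg_ip = ipaddress.ip_address(intf["ip"].split()[0])
    srx_if = ipaddress.ip_interface(srx["address"])
    if fg_ip not in srx_if.network:
        problems.append("FortiGate tunnel IP %s is outside SRX tunnel subnet %s" % (fg_ip, srx_if.network))
    r_ip, r_mask = intf["remote-ip"].split()
    fg_remote = ipaddress.ip_interface("%s/%s" % (r_ip, r_mask))
    if fg_remote.ip != srx_if.ip:
        problems.append("FortiGate remote-ip %s is not the SRX tunnel address %s" % (fg_remote.ip, srx_if.ip))
    if fg_remote.network.prefixlen != srx_if.network.prefixlen:
        problems.append("mask mismatch: FortiGate remote-ip /%d vs SRX /%d (FortiGate would install "
                        "a connected route for %s instead of %s)"
                        % (fg_remote.network.prefixlen, srx_if.network.prefixlen,
                           fg_remote.network, srx_if.network))
    return problems


if __name__ == "__main__":
    for p in check_gre_pair(FORTIGATE_CONFIG, SRX_CONFIG) or ["no mismatches"]:
        print(p)
```

Run against the page's two configs it reports only the remote-ip mask; after correcting that mask to 255.255.255.252 the check passes. Feeding it a real `show system interface` output would need the parser extended for nested `config` blocks, which the page's flat snippets do not contain.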
Ping Test:
Session Information: