GRE tunnel configuration in SRX

I will configure GRE (Generic Routing Encapsulation) between two Juniper SRX firewall devices. If you want to learn more about the protocol, see RFC 2784. I will just demonstrate how two networks can be connected to each other via a tunnel, and I will also show how the SRX security policy should be configured so that the traffic passes through. Here is my topology:

[Figure: srx-gre-tunnel-topology]

1) Configure GRE interfaces on both sides

Interface configuration is pretty obvious if you have a look at my topology:
source address is the real interface address facing towards the remote device;
destination address is the real interface address on the remote device that accepts the tunnel packets.

Documentation says that the gre interface IP address, e.g. 10.10.10.1, isn’t mandatory, i.e. an unnumbered GRE interface is possible, but what I have seen is that if you leave it unassigned, routes that you point at this interface as next-hop won’t be installed into the routing table.

Note: According to feedback from blog reader kroozo, setting “family inet” on the unit is sufficient for the route to be installed.

2) Add routes towards the gre tunnel interfaces

3) Assign the gre interface to a zone, set the policy and address book entries

Basically, in this step on the jgw27 host I am allowing traffic coming from the 192.168.192.0 network and destined to the 192.168.2.0/24 network to be forwarded from the trust zone to the gretunnel zone, and the reverse traffic of course.

4) Check GRE interface

The thing is that the UP status of a gre tunnel interface doesn’t tell you much here, because even if the other side is down you will still see the status UP. Check the MTU: it is 1476, because of the extra 20-byte tunnel IP header and 4-byte GRE header.
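As an added example (not from the original post, whose own configuration screenshots are not reproduced here), this is the set-command form of steps 1 to 4 for both firewalls, using the addresses the post mentions. Assumed: the peer firewall is called jgw-peer, jgw27’s outside address is 203.0.113.1, the 192.168.192.0 network is a /24, the tunnel addresses are 10.10.10.1/30 and 10.10.10.2/30, the policy and address names are my own, and the GRE keepalive syntax under protocols oam is from Junos OAM and should be checked against your release; lines starting with # are commentary, not configuration.

```junos
# jgw27 (trust side: 192.168.192.0/24; outside address 203.0.113.1 is assumed)
# step 1: tunnel endpoints are the real outside addresses, tunnel address is needed for routes
set interfaces gr-0/0/0 unit 0 tunnel source 203.0.113.1
set interfaces gr-0/0/0 unit 0 tunnel destination 192.168.200.1
set interfaces gr-0/0/0 unit 0 family inet address 10.10.10.1/30
# step 2: route the remote LAN into the tunnel
set routing-options static route 192.168.2.0/24 next-hop gr-0/0/0.0
# step 3: zone, address book entries and the two policies (trust -> gretunnel and the reverse)
set security zones security-zone gretunnel interfaces gr-0/0/0.0
set security zones security-zone trust address-book address lan-jgw27 192.168.192.0/24
set security zones security-zone gretunnel address-book address lan-peer 192.168.2.0/24
set security policies from-zone trust to-zone gretunnel policy trust-to-gre match source-address lan-jgw27
set security policies from-zone trust to-zone gretunnel policy trust-to-gre match destination-address lan-peer
set security policies from-zone trust to-zone gretunnel policy trust-to-gre match application any
set security policies from-zone trust to-zone gretunnel policy trust-to-gre then permit
set security policies from-zone gretunnel to-zone trust policy gre-to-trust match source-address lan-peer
set security policies from-zone gretunnel to-zone trust policy gre-to-trust match destination-address lan-jgw27
set security policies from-zone gretunnel to-zone trust policy gre-to-trust match application any
set security policies from-zone gretunnel to-zone trust policy gre-to-trust then permit
# optional: GRE keepalives so the interface goes down when the peer stops answering (syntax assumed)
set protocols oam gre-tunnel interface gr-0/0/0.0 keepalive-time 10
set protocols oam gre-tunnel interface gr-0/0/0.0 hold-time 30

# jgw-peer (name assumed; trust side: 192.168.2.0/24; outside address 192.168.200.1 from the capture)
set interfaces gr-0/0/0 unit 0 tunnel source 192.168.200.1
set interfaces gr-0/0/0 unit 0 tunnel destination 203.0.113.1
set interfaces gr-0/0/0 unit 0 family inet address 10.10.10.2/30
set routing-options static route 192.168.192.0/24 next-hop gr-0/0/0.0
set security zones security-zone gretunnel interfaces gr-0/0/0.0
set security zones security-zone trust address-book address lan-peer 192.168.2.0/24
set security zones security-zone gretunnel address-book address lan-jgw27 192.168.192.0/24
set security policies from-zone trust to-zone gretunnel policy trust-to-gre match source-address lan-peer
set security policies from-zone trust to-zone gretunnel policy trust-to-gre match destination-address lan-jgw27
set security policies from-zone trust to-zone gretunnel policy trust-to-gre match application any
set security policies from-zone trust to-zone gretunnel policy trust-to-gre then permit
set security policies from-zone gretunnel to-zone trust policy gre-to-trust match source-address lan-jgw27
set security policies from-zone gretunnel to-zone trust policy gre-to-trust match destination-address lan-peer
set security policies from-zone gretunnel to-zone trust policy gre-to-trust match application any
set security policies from-zone gretunnel to-zone trust policy gre-to-trust then permit

# step 4 checks (run from configuration mode on either box): interface state, MTU 1476, route via gr-0/0/0.0, sessions
run show interfaces gr-0/0/0 terse
run show interfaces gr-0/0/0 extensive | match MTU
run show route 192.168.2.0/24
run show security flow session
```

Without the optional keepalive lines the interface stays UP regardless of the peer, so the route and session checks are the only signal that the tunnel actually carries traffic.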

5) ICMP TEST

Now I sent one ICMP echo (ping) from pc2

and captured it as below:

[Figure: gre-header capture]

You can see that the original packet coming from 192.168.2.10 is now sourced from 192.168.200.1 in the outer header.

6) Traceroute test

Now I am showing a traceroute from pc1 to pc2:

As you can see, traceroute only shows 3 hosts because of the tunnel, although the path involves more.

I hope not to have made any mistake so far. Let me know if you find any…

10 thoughts on “GRE tunnel configuration in SRX”

  1. ndphu

    Hi,
    with this configuration, monitoring will not be corrupted by the tunnel interface is not configured keepalive parameters.
    What is the solution to overcome this?
    Thanks

  2. kroozo

    “Documentation says that gre interface IP address e.g 10.10.10.1 isn’t mandatory but what I have seen is that if you leave it unassigned, routes that you forward to this interface as next-hop won’t be installed into the routing table.”

    I’ve been just playing with this — it does not have to have an address, but family inet must be present:
    gr-0/0/0 {
        unit 0 {
            tunnel {
                source 1.1.1.1;
                destination 2.2.2.2;
            }
            family inet;
        }
    }

    1. rtoodtoo Post author

      Thanks for the feedback Kroozo. I have updated the post with your feedback. It is good to learn!

  3. Ryan

    How could you modify this example, if you wanted to send all port 80 traffic across the gre tunnel?

    1. kroozo

      Well, if it’s just firewalling you need, then it’s just a fix on the security policies: get rid of the one from gretunnel to trust, and change the other to something like

      set security policies from-zone trust to-zone gretunnel policy allow-gre-traf match source-address any
      set security policies from-zone trust to-zone gretunnel policy allow-gre-traf match destination-address any
      set security policies from-zone trust to-zone gretunnel policy allow-gre-traf match application junos-http
      set security policies from-zone trust to-zone gretunnel policy allow-gre-traf then permit

      You might also want to route whatever else in the tunnel.


      However, if you meant that http has to go into the tunnel, but non-http for the same destinations needs to go elsewhere, then look for filter-based forwarding.

