GRE tunnel configuration in SRX

I will configure GRE (Generic Routing Encapsulation) between two Juniper SRX firewal devices. If you want to learn more about the protocol see RFC2784. I will just demonstrate how two networks can be connected to each other via a tunnel. I will also show how SRX security policy should be configured in order to pass the traffic through. Here is my topology;

srx-gre-tunnel-topology

1) Configure GRE interfaces on both sides

root@jgw27# show interfaces gr-0/0/0
unit 0 {
    tunnel {
        source 192.168.193.12;
        destination 192.168.200.1;
    }
    family inet {
        address 10.10.10.2/24;
    }
}
root@srx100-1# show interfaces gr-0/0/0
unit 0 {
    tunnel {
        source 192.168.200.1;
        destination 192.168.193.12;
    }
    family inet {
        address 10.10.10.1/24;
    }
}

Interface configuration is pretty obvious if you have a look at my topology.
source address is the real interface address facing towards the remote device.
destination address is the real interface address accepting the packets.

Documentation says that gre interface IP address e.g 10.10.10.1 isn’t mandatory i.e unnumbered GRE is possible but what I have seen is that if you leave it unassigned, routes that you forward to this interface as next-hop won’t be installed into the routing table.

Note: According to feedback from blog reader kroozo, setting “family inet” is sufficient for route to be installed.

2) Add routes towards the gre tunnel interfaces

root@jgw27# set routing-options static route 192.168.2.0/24 next-hop gr-0/0/0.0
root@srx100-1#set routing-options static route 192.168.192.0/24 next-hop gr-0/0/0.0

3) Assign the gre interface to a zone, set the policy and address book entries

set security policies from-zone trust to-zone gretunnel policy allow-gre-traf match source-address net_192.168.192.0
set security policies from-zone trust to-zone gretunnel policy allow-gre-traf match destination-address net_192.168.2
set security policies from-zone trust to-zone gretunnel policy allow-gre-traf match application any
set security policies from-zone trust to-zone gretunnel policy allow-gre-traf then permit
set security policies from-zone gretunnel to-zone trust policy allow-gre-traf-in match source-address net_192.168.2
set security policies from-zone gretunnel to-zone trust policy allow-gre-traf-in match destination-address net_192.168.192.0
set security policies from-zone gretunnel to-zone trust policy allow-gre-traf-in match application any
set security policies from-zone gretunnel to-zone trust policy allow-gre-traf-in then permit
set security zones security-zone gretunnel address-book address net_192.168.2 192.168.2.0/24
set security zones security-zone gretunnel interfaces gr-0/0/0.0

Basically on this step in jgw27 host, I am allowing traffic coming from 192.168.192.0 network destined to 192.168.2.0/24 network and forwarded through trust zone to gretunnel zone and the reverse traffic of course.


set security policies from-zone srx100-wan to-zone mytunnel policy gr-run-test match source-address wan_local
set security policies from-zone srx100-wan to-zone mytunnel policy gr-run-test match destination-address net192.168.192
set security policies from-zone srx100-wan to-zone mytunnel policy gr-run-test match application any
set security policies from-zone srx100-wan to-zone mytunnel policy gr-run-test then permit
set security policies from-zone mytunnel to-zone srx100-wan policy allow-gre-traf match source-address any
set security policies from-zone mytunnel to-zone srx100-wan policy allow-gre-traf match destination-address any
set security policies from-zone mytunnel to-zone srx100-wan policy allow-gre-traf match application any
set security policies from-zone mytunnel to-zone srx100-wan policy allow-gre-traf then permit
set security zones security-zone mytunnel address-book address net192.168.192 192.168.192.0/24
set security zones security-zone mytunnel interfaces gr-0/0/0.0

4) Check GRE interface

root@jgw27> show interfaces gr-0/0/0.0  
  Logical interface gr-0/0/0.0 (Index 73) (SNMP ifIndex 518)
    Flags: Point-To-Point SNMP-Traps 0x4000 IP-Header 192.168.200.1:192.168.193.12:47:df:64:0000000000000000 Encapsulation: GRE-NULL
    Gre keepalives configured: Off, Gre keepalives adjacency state: down
    Input packets : 73
    Output packets: 33
    Security: Zone: gretunnel
    Protocol inet, MTU: 1476
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.10.10/24, Local: 10.10.10.2, Broadcast: 10.10.10.255

The thing is that UP status of a gre tunnel interface doesn’t tell you much here. Because even if the other side is down, you will still see the status UP. Check the MTU it is 1476. It is because of the extra 20 bytes tunnel IP header and 4 bytes GRE header.

5) ICMP TEST

Now I sent one ICMP echo (ping) from pc2

root@pc2:~# ping -c 1 192.168.192.10
PING 192.168.192.10 (192.168.192.10) 56(84) bytes of data.
64 bytes from 192.168.192.10: icmp_req=1 ttl=62 time=2.60 ms

--- 192.168.192.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.600/2.600/2.600/0.000 ms

and captured it as below;

gre-header

You can see that original packet coming from 192.168.2.10 is now sourced from 192.168.200.1 in the outside header.

6) Traceroute test

Now I am showing a traceroute from pc1 to pc2

root@pc1:~# traceroute -n 192.168.2.10
traceroute to 192.168.2.10 (192.168.2.10), 30 hops max, 60 byte packets
 1  192.168.192.4  0.172 ms  0.174 ms  0.121 ms
 2  10.10.10.1  1.940 ms  1.878 ms  1.980 ms
 3  192.168.2.10  7.182 ms  7.320 ms  8.684 ms

As you can see, traceroute only shows 3 hosts due to tunnel setup although path involves more.

I hope not to have made any mistake so far. Let me know if you find any…

Tags:

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


10 thoughts on “GRE tunnel configuration in SRX”

  1. hi,
    with this configuration, monitoring will not be corrupted by the tunnel interface is not configured keepalive parameters.
    What is the solution to overcome
    thks

  2. “Documentation says that gre interface IP address e.g 10.10.10.1 isn’t mandatory but what I have seen is that if you leave it unassigned, routes that you forward to this interface as next-hop won’t be installed into the routing table.”

    I’ve been just playing with this — it does not have to have an address, but family inet must be present:
    gr-0/0/0 {
    unit 0 {
    tunnel {
    source 1.1.1.1;
    destination 2.2.2.2;
    }
    family inet;
    }
    }

    1. Thanks for the feedback Kroozo. I have updated the post with your feedback. It is good to learn!

  3. How could you modify this example, if you wanted to send all port 80 traffic across the gre tunnel?

    1. Well, if its just firewalling you need, then it’s just a fix on the security polices, get rid of the from gretunnel to trust, and change the other to something like

      set security policies from-zone trust to-zone gretunnel policy allow-gre-traf match source-address any
      set security policies from-zone trust to-zone gretunnel policy allow-gre-traf match destination-address any
      set security policies from-zone trust to-zone gretunnel policy allow-gre-traf match application junos-http
      set security policies from-zone trust to-zone gretunnel policy allow-gre-traf then permit

      You might also want to route whatever else in the tunnel.


      However, if you meant that http has to go into the tunnel, but not http for the same destinations needs to go elswhere, then look for filter based forwarding

You have a feedback?

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading