GRE tunnel configuration in SRX
I will configure GRE (Generic Routing Encapsulation) between two Juniper SRX firewal devices. If you want to learn more about the protocol see RFC2784. I will just demonstrate how two networks can be connected to each other via a tunnel. I will also show how SRX security policy should be configured in order to pass the traffic through. Here is my topology;
1) Configure GRE interfaces on both sides
root@jgw27# show interfaces gr-0/0/0
unit 0 {
tunnel {
source 192.168.193.12;
destination 192.168.200.1;
}
family inet {
address 10.10.10.2/24;
}
}
root@srx100-1# show interfaces gr-0/0/0
unit 0 {
tunnel {
source 192.168.200.1;
destination 192.168.193.12;
}
family inet {
address 10.10.10.1/24;
}
}
Interface configuration is pretty obvious if you have a look at my topology.
source address is the real interface address facing towards the remote device.
destination address is the real interface address accepting the packets.
Documentation says that gre interface IP address e.g 10.10.10.1 isn’t mandatory i.e unnumbered GRE is possible but what I have seen is that if you leave it unassigned, routes that you forward to this interface as next-hop won’t be installed into the routing table.
Note: According to feedback from blog reader kroozo, setting “family inet” is sufficient for route to be installed.
2) Add routes towards the gre tunnel interfaces
root@jgw27# set routing-options static route 192.168.2.0/24 next-hop gr-0/0/0.0
root@srx100-1#set routing-options static route 192.168.192.0/24 next-hop gr-0/0/0.0
3) Assign the gre interface to a zone, set the policy and address book entries
set security policies from-zone trust to-zone gretunnel policy allow-gre-traf match source-address net_192.168.192.0 set security policies from-zone trust to-zone gretunnel policy allow-gre-traf match destination-address net_192.168.2 set security policies from-zone trust to-zone gretunnel policy allow-gre-traf match application any set security policies from-zone trust to-zone gretunnel policy allow-gre-traf then permit set security policies from-zone gretunnel to-zone trust policy allow-gre-traf-in match source-address net_192.168.2 set security policies from-zone gretunnel to-zone trust policy allow-gre-traf-in match destination-address net_192.168.192.0 set security policies from-zone gretunnel to-zone trust policy allow-gre-traf-in match application any set security policies from-zone gretunnel to-zone trust policy allow-gre-traf-in then permit set security zones security-zone gretunnel address-book address net_192.168.2 192.168.2.0/24 set security zones security-zone gretunnel interfaces gr-0/0/0.0
Basically on this step in jgw27 host, I am allowing traffic coming from 192.168.192.0 network destined to 192.168.2.0/24 network and forwarded through trust zone to gretunnel zone and the reverse traffic of course.
set security policies from-zone srx100-wan to-zone mytunnel policy gr-run-test match source-address wan_local set security policies from-zone srx100-wan to-zone mytunnel policy gr-run-test match destination-address net192.168.192 set security policies from-zone srx100-wan to-zone mytunnel policy gr-run-test match application any set security policies from-zone srx100-wan to-zone mytunnel policy gr-run-test then permit set security policies from-zone mytunnel to-zone srx100-wan policy allow-gre-traf match source-address any set security policies from-zone mytunnel to-zone srx100-wan policy allow-gre-traf match destination-address any set security policies from-zone mytunnel to-zone srx100-wan policy allow-gre-traf match application any set security policies from-zone mytunnel to-zone srx100-wan policy allow-gre-traf then permit set security zones security-zone mytunnel address-book address net192.168.192 192.168.192.0/24 set security zones security-zone mytunnel interfaces gr-0/0/0.0
4) Check GRE interface
root@jgw27> show interfaces gr-0/0/0.0
Logical interface gr-0/0/0.0 (Index 73) (SNMP ifIndex 518)
Flags: Point-To-Point SNMP-Traps 0x4000 IP-Header 192.168.200.1:192.168.193.12:47:df:64:0000000000000000 Encapsulation: GRE-NULL
Gre keepalives configured: Off, Gre keepalives adjacency state: down
Input packets : 73
Output packets: 33
Security: Zone: gretunnel
Protocol inet, MTU: 1476
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Preferred Is-Primary
Destination: 10.10.10/24, Local: 10.10.10.2, Broadcast: 10.10.10.255
The thing is that UP status of a gre tunnel interface doesn’t tell you much here. Because even if the other side is down, you will still see the status UP. Check the MTU it is 1476. It is because of the extra 20 bytes tunnel IP header and 4 bytes GRE header.
5) ICMP TEST
Now I sent one ICMP echo (ping) from pc2
root@pc2:~# ping -c 1 192.168.192.10 PING 192.168.192.10 (192.168.192.10) 56(84) bytes of data. 64 bytes from 192.168.192.10: icmp_req=1 ttl=62 time=2.60 ms --- 192.168.192.10 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 2.600/2.600/2.600/0.000 ms
and captured it as below;
You can see that original packet coming from 192.168.2.10 is now sourced from 192.168.200.1 in the outside header.
6) Traceroute test
Now I am showing a traceroute from pc1 to pc2
root@pc1:~# traceroute -n 192.168.2.10 traceroute to 192.168.2.10 (192.168.2.10), 30 hops max, 60 byte packets 1 192.168.192.4 0.172 ms 0.174 ms 0.121 ms 2 10.10.10.1 1.940 ms 1.878 ms 1.980 ms 3 192.168.2.10 7.182 ms 7.320 ms 8.684 ms
As you can see, traceroute only shows 3 hosts due to tunnel setup although path involves more.
I hope not to have made any mistake so far. Let me know if you find any…
very very helpful, thank you so much. hope to see more useful works from you.
Sure, I will do my best Burak:)
thanks for taking the time to do this.
Very helpful
You’re welcome Dean. Glad to hear you liked it.
hi,
with this configuration, monitoring will not be corrupted by the tunnel interface is not configured keepalive parameters.
What is the solution to overcome
thks
Hi, According to http://kb.juniper.net/KB24370 keepalive isn’t supported on SRX.
“Documentation says that gre interface IP address e.g 10.10.10.1 isn’t mandatory but what I have seen is that if you leave it unassigned, routes that you forward to this interface as next-hop won’t be installed into the routing table.”
I’ve been just playing with this — it does not have to have an address, but family inet must be present:
gr-0/0/0 {
unit 0 {
tunnel {
source 1.1.1.1;
destination 2.2.2.2;
}
family inet;
}
}
Thanks for the feedback Kroozo. I have updated the post with your feedback. It is good to learn!
How could you modify this example, if you wanted to send all port 80 traffic across the gre tunnel?
Well, if its just firewalling you need, then it’s just a fix on the security polices, get rid of the from gretunnel to trust, and change the other to something like
set security policies from-zone trust to-zone gretunnel policy allow-gre-traf match source-address any
set security policies from-zone trust to-zone gretunnel policy allow-gre-traf match destination-address any
set security policies from-zone trust to-zone gretunnel policy allow-gre-traf match application junos-http
set security policies from-zone trust to-zone gretunnel policy allow-gre-traf then permit
You might also want to route whatever else in the tunnel.
—
However, if you meant that http has to go into the tunnel, but not http for the same destinations needs to go elswhere, then look for filter based forwarding