Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  GRE

    Posted 10-12-2010 07:36

     

    Does SSG support GRE (not GRE over IPSEC)? I need only GRE.

    Can someone provide a configuration sample?

     



  • 2.  RE: GRE

    Posted 10-13-2010 00:14

    Hi,

    set interface "tunnel.1" zone "Untrust"

    set int tunnel.1 ip n.n.n.n/m

    set interface tunnel.1 tunnel encap gre

    set interface tunnel.1 tunnel local-if eth0/0 dst-ip x.x.x.x

    set interface tunnel.1 tunnel keep-alive interval 10 threshold 3

     

    eth0/0 would be your source interface (tunnel source).



  • 3.  RE: GRE

    Posted 10-13-2010 00:25

    Hi,

     

    Do you mean if SSG can be used as a PPTP Remote Access server like a Windows server? If so, the answer is "No".

     

    Kind regards,

    Edouard



  • 4.  RE: GRE

    Posted 10-13-2010 07:36

    No, I just want to configure a GRE tunnel between an SSG and a Cisco router.



  • 5.  RE: GRE

    Posted 10-13-2010 23:56

    Hi,

     

    Unfortunately this is also impossible. SSG can transport GRE packets from a zone to another zone and encapsulate/decapsulate packets going into/from the IPsec tunnel. But SSG cannot be a termination point for a "pure" GRE-tunnel.

     

    Kind regards,

    Edouard



  • 6.  RE: GRE

    Posted 10-15-2010 04:54

    Thanks Echidov. That is exactly what I was looking for, accepted solution.

    So, the above provided configuration will not work? Do you mean that the above tunnel.1 interface should be associated with an IPSEC VPN?



  • 7.  RE: GRE
    Best Answer

    Posted 10-15-2010 06:00

    Hi,

     

    I configured a GRE tunnel between a Juniper SSG and a Cisco 2801 and it works fine, like I told you in the last post. If you bind the tunnel to an IPSEC VPN on Juniper it won't work even if you have IPSEC VPN configured on Cisco.

     

    There are 2 ways to configure IPSEC VPNs between Cisco and Juniper:

     - normal IPSEC VPN on Juniper bound to tunnel.1 (in this case the tunnel doesn't have an IP, it is "ip unnumbered" and associated to the WAN interface, e.g. eth0/0) and proxy id to match the traffic you want AND crypto map on Cisco with access-list to match the traffic (will be opposite to the proxy id on Juniper);

     - in this second case you create a tunnel, give it an IP but you don't make it GRE; you now make on Juniper the exact IPSEC VPN as in the first case without proxy id AND on Cisco you have to configure an IPSEC VPN with tunnel protection (tunnel on Cisco has the same network as tunnel on Juniper);

     

    You cannot configure IPSEC VPN on Juniper with GRE tunnel bound to the VPN.



  • 8.  RE: GRE

    Posted 10-16-2010 03:07

    Hi Jordi, so you configured GRE (not GRE over IPSEC) using your above configuration?

    I'm now confused. Echidov said above that GRE cannot be configured on SSG without IPSEC. Does SSG support GRE (without IPSEC) or not? That is what I need to know.



  • 9.  RE: GRE

    Posted 10-16-2010 04:54

    I have not set this up, but I believe that  Jordy is correct and you can configure a GRE tunnel without IPSEC.  Check this section of the Concepts & Examples guides.  This example shows a GRE tunnel between the screenos and an upstream router interface.


    http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/index.html


     Volume 7 Routing - Chapter 7 Multicast Routing


    Configuring GRE on Tunnel Interfaces
    Security devices have platform-specific limitations on the number of outgoing interfaces through which they can transmit multicast packets. In large hub-and-spoke VPN environments where the security device is the hub, you can avoid this limitation by creating a GRE tunnel between the router upstream of the hub-site security device to security devices at the spokes.

    In Figure 24, Router-A is upstream of Device-A. Router-A has two GRE tunnels which terminate at Device-1 and Device-2. Device-A is connected to Device-1 and Device-2 through VPN tunnels. Before Router-A transmits multicast packets, it first encapsulates them in IPv4 unicast packets. Device-A receives these packets as unicast packets and sends them through to Device-1 and Device-2.

    In this example, you configure the tunnel interface on Device-1. You perform the following steps:

     

    1. Create the tunnel.1 interface and bind it to ethernet3 and to the Untrust zone on the trust-vr.
    2. Enable GRE encapsulation on tunnel.1.
    3. Specify the local and remote endpoints of the GRE tunnel.

    This example shows the GRE configuration for the security device only. (For information about VPNs, see Volume 5: Virtual Private Networks.)

    WebUI
    Network > Interfaces > New Tunnel IF: Enter the following, then click Apply:
    Tunnel Interface Name: tunnel.1
    Zone (VR): Untrust (trust-vr)
    Unnumbered: (select)
    Interface: ethernet3 (trust-vr)
    Network > Interfaces > Tunnel (tunnel.1): Enter the following, then click Apply:
    Encap: GRE (select)
    Local Interface: ethernet3
    Destination IP: 3.3.3.1


    CLI
    set interface tunnel.1 zone untrust
    set interface tunnel.1 ip unnumbered interface ethernet3
    set interface tunnel.1 tunnel encap gre
    set interface tunnel.1 tunnel local-if ethernet3 dst-ip 3.3.3.1
    save




  • 10.  RE: GRE

    Posted 10-18-2010 02:42

    Hi,

    Yes, SSG supports GRE tunnel without IPSEC.



  • 11.  RE: GRE

    Posted 12-19-2014 04:45

    Hi Guys,

     

    I have found this post as we are currently trying to configure the GRE tunnel over IPSEC.

     

    I have route based VPN set up between 2 devices which works fine, as soon as I add the GRE config to my tunnel interface I have this message in the log:

     

    "Received a notification message for DOI 1 14 NO-PROPOSAL-CHOSEN

     

    I have disassociated the tunnel interface from my VPN and the GRE seems to be working but it's not very secured.

     

    So just to confirm with you guys, there is no way to get this working, or has something changed since?

     

    We are running firmware 6.3.0r17

     

     

    Thanks,

    Dom
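
Added example (not part of the original posts and not Juniper code): a small Python audit that reads a ScreenOS configuration and lists the tunnel interfaces with GRE encapsulation, their endpoints, and whether a VPN is bound to the same interface, the situation described in the post above. The `set vpn ... bind interface` syntax and the sample addresses are assumptions not shown in the thread; the interface commands are the ones quoted in it.

```python
import shlex

# Constructed sample configuration. The interface commands follow the ones quoted
# in this thread; addresses are documentation ranges and the "set vpn ... bind
# interface" line is assumed ScreenOS syntax that the thread does not show.
SAMPLE_CONFIG = """
set interface "tunnel.1" zone "Untrust"
set int tunnel.1 ip 192.0.2.1/30
set interface tunnel.1 tunnel encap gre
set interface tunnel.1 tunnel local-if eth0/0 dst-ip 198.51.100.2
set interface tunnel.1 tunnel keep-alive interval 10 threshold 3
set interface "tunnel.2" zone "Untrust"
set interface tunnel.2 ip unnumbered interface ethernet0/0
set vpn "to-branch" bind interface tunnel.2
"""

def audit_gre(config_text):
    """Return {tunnel_if: details} for each tunnel interface with GRE encapsulation."""
    tunnels, vpn_bound = {}, set()
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw)          # handles the quoted names ScreenOS emits
        except ValueError:
            continue                        # unbalanced quote: skip the line
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1] == "vpn" and tok[3:5] == ["bind", "interface"] and len(tok) > 5:
            vpn_bound.add(tok[5])
        elif tok[1] in ("interface", "int") and tok[2].startswith("tunnel."):
            t = tunnels.setdefault(tok[2], {"gre": False, "local_if": None,
                                            "dst_ip": None, "keepalive": False})
            args = tok[3:]
            if args[:3] == ["tunnel", "encap", "gre"]:
                t["gre"] = True
            elif args[:2] == ["tunnel", "local-if"] and len(args) >= 5 and args[3] == "dst-ip":
                t["local_if"], t["dst_ip"] = args[2], args[4]
            elif args[:2] == ["tunnel", "keep-alive"]:
                t["keepalive"] = True
    # Only GRE interfaces are reported; vpn_bound tells the reviewer whether an
    # IPsec VPN is attached to that same tunnel interface.
    return {name: dict(t, vpn_bound=name in vpn_bound)
            for name, t in tunnels.items() if t["gre"]}

if __name__ == "__main__":
    for name, info in audit_gre(SAMPLE_CONFIG).items():
        print(name, info)
```

A `vpn_bound` value of False only means that no VPN is bound to that interface on this device; the GRE packets may still travel inside a VPN configured elsewhere, as in the Concepts & Examples setup quoted earlier in the thread.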



  • 12.  RE: GRE

    Posted 12-19-2014 18:59

    For the GRE over IPSEC see kb3256 for the configuration example.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB3256



  • 13.  RE: GRE

    Posted 10-19-2010 20:40

    Hi Jordy and everyone,

    I'm a new member, I have the configuration below:

     

    set interface ethernet0/0 ip 192.168.1.1/24

    set interface ethernet0/0 ip 10.0.0.1/24 secondary

    set interface "tunnel.1" zone "Untrust"

    set int tunnel.1 ip n.n.n.n/m

    set interface tunnel.1 tunnel encap gre

    set interface tunnel.1 tunnel local-if eth0/0 dst-ip x.x.x.x

    set interface tunnel.1 tunnel keep-alive interval 10 threshold 3

     

    eth0/0 would be your source interface (tunnel source).

     

    I want to create a "pure" GRE tunnel with a Cisco router.

    If my SSG has one Ethernet interface, how can I use the secondary IP on the Ethernet interface as the tunnel source?

     

    Thanks!

     

     

     



  • 14.  RE: GRE

    Posted 10-20-2010 00:34

    Hi,

    First, you can't add a secondary IP on an interface in the "Untrust" zone, as I see your eth0/0 would be. Second, I think if you specify on Cisco as "tunnel destination" your secondary IP on Juniper (only "Trust" and "DMZ" interface zones) the GRE will work (I haven't tested it).

    Hope it helps!