Create a Fortigate GRE Tunnel (CLI)

Posted by keith.wirch at August 18, 2017

Category: Fortigate, Quick Notes

There isn’t really a way to create a GRE tunnel in the Fortigate GUI, but you can through the CLI.  I find this process to be FortiOS version agnostic.  Take the image below as reference.

Here is the CLI for Site 1:

config system gre-tunnel
edit "GRE-to-Site2"
set interface "wan"
set remote-gw 2.2.2.2    # Remote Firewall WAN IP
set local-gw 1.1.1.1    # Local Firewall WAN IP
next
end

Once the GRE tunnel is configured, you need to set up the actual interface as shown.

config system interface
edit "GRE-to-Site2"
set vdom "root"
set ip 192.168.6.1 255.255.255.255    # Local GRE Tunnel IP
set allowaccess ping    # Might just need ping for troubleshooting.
set type tunnel
set remote-ip 192.168.6.2    # GRE Tunnel IP for the Remote side
set interface "wan"
next
end

I will not cover it in this guide, but you do need to create a route for 10.30.2.0/24 via the GRE tunnel.  Refer to the Fortigate documentation for creating a static route.  Do not forget to create a firewall policy to allow the traffic to traverse the tunnel.  Been there…  *shakes head*

Here is the CLI for Site 2:

The CLI here is very similar to Site 1, just flipped a little.

config system gre-tunnel
edit "GRE-to-Site1"
set interface "wan"
set remote-gw 1.1.1.1    # Remote Firewall WAN IP
set local-gw 2.2.2.2    # Local Firewall WAN IP
next
end

Now configure the actual interface, since the GRE tunnel config is in place.

config system interface
edit "GRE-to-Site1"
set vdom "root"
set ip 192.168.6.2 255.255.255.255    # Local GRE Tunnel IP
set allowaccess ping    # Ping can be helpful for troubleshooting
set type tunnel
set remote-ip 192.168.6.1    # Remote Firewall GRE Tunnel IP
set interface "wan"
next
end

Again, do not forget to create your routes and firewall policies to allow the traffic to flow.

NOTE:  I find GRE tunnels to be the PERFECT opportunity to use 169.254.0.0/16 addresses.  Use them on the actual tunnel IPs since they are not routable and are link-local according to RFC 5735.
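Because the two sides are the same stanzas with the addresses flipped, a small generator catches the typo you would otherwise make by hand (a remote-gw that does not match the other side's local-gw, or tunnel IPs that do not line up). The script below is an added example, not part of the original post: it emits the `config system gre-tunnel` and `config system interface` blocks exactly as above for both sites, adds the static route and firewall policy the post says not to forget, and then cross-checks the two outputs against each other. The `config router static` and `config firewall policy` stanzas, the LAN interface name `internal`, the policy names, and Site 1's LAN prefix 10.30.1.0/24 are assumptions; the WAN, tunnel and Site 2 LAN addresses are the post's own. Swap the tunnel IPs for 169.254.x.y addresses to follow the note above.

```python
"""Generate mirrored FortiOS GRE tunnel configs for two sites and cross-check them.

Added example, not from the original post. Static-route and firewall-policy
stanzas, the "internal" LAN interface name, policy names and the Site 1 LAN
prefix are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Site:
    name: str                 # far side names its tunnel GRE-to-<name>
    wan_ip: str               # firewall WAN IP (the GRE endpoint)
    tunnel_ip: str            # IP on the GRE tunnel interface
    lan: str                  # LAN prefix the far side must route to us
    lan_if: str = "internal"  # LAN interface name (assumed)


def site_config(local: Site, remote: Site, wan_if: str = "wan", vdom: str = "root") -> str:
    """Return FortiOS CLI text for one side of the tunnel, ready to paste."""
    tunnel = f"GRE-to-{remote.name}"
    net = ipaddress.ip_network(remote.lan)
    lines = [
        # 1. GRE endpoints: local-gw/remote-gw are the firewalls' WAN IPs.
        "config system gre-tunnel",
        f'    edit "{tunnel}"',
        f'        set interface "{wan_if}"',
        f"        set remote-gw {remote.wan_ip}",
        f"        set local-gw {local.wan_ip}",
        "    next",
        "end",
        # 2. Tunnel interface: /32 local IP plus the far side's tunnel IP.
        "config system interface",
        f'    edit "{tunnel}"',
        f'        set vdom "{vdom}"',
        f"        set ip {local.tunnel_ip} 255.255.255.255",
        "        set allowaccess ping",
        "        set type tunnel",
        f"        set remote-ip {remote.tunnel_ip}",
        f'        set interface "{wan_if}"',
        "    next",
        "end",
        # 3. Static route to the far LAN via the tunnel (assumed stanza).
        "config router static",
        "    edit 0",
        f"        set dst {net.network_address} {net.netmask}",
        f'        set device "{tunnel}"',
        "    next",
        "end",
        # 4. Policies in both directions (assumed stanza). "all"/"ALL" is the
        #    post's "allow the traffic" baseline; tighten with address objects.
        "config firewall policy",
        "    edit 0",
        f'        set name "{local.lan_if}-to-{tunnel}"',
        f'        set srcintf "{local.lan_if}"',
        f'        set dstintf "{tunnel}"',
        '        set srcaddr "all"',
        '        set dstaddr "all"',
        "        set action accept",
        '        set schedule "always"',
        '        set service "ALL"',
        "    next",
        "    edit 0",
        f'        set name "{tunnel}-to-{local.lan_if}"',
        f'        set srcintf "{tunnel}"',
        f'        set dstintf "{local.lan_if}"',
        '        set srcaddr "all"',
        '        set dstaddr "all"',
        "        set action accept",
        '        set schedule "always"',
        '        set service "ALL"',
        "    next",
        "end",
    ]
    return "\n".join(lines) + "\n"


def _setting(cfg: str, key: str) -> list:
    """All values of 'set <key> <first-token>' in a config text."""
    return re.findall(rf"^\s*set {re.escape(key)} (\S+)", cfg, re.M)


def check_pair(cfg_a: str, cfg_b: str) -> list:
    """Return a list of mismatches; empty means the two sides mirror each other."""
    problems = []
    for a_key, b_key in (("remote-gw", "local-gw"), ("remote-ip", "ip")):
        if _setting(cfg_a, a_key) != _setting(cfg_b, b_key):
            problems.append(f"A {a_key} != B {b_key}")
        if _setting(cfg_b, a_key) != _setting(cfg_a, b_key):
            problems.append(f"B {a_key} != A {b_key}")
    return problems


# Constructed sample sites using the post's addresses (Site 1 LAN is assumed).
SITE1 = Site("Site1", "1.1.1.1", "192.168.6.1", "10.30.1.0/24")
SITE2 = Site("Site2", "2.2.2.2", "192.168.6.2", "10.30.2.0/24")

if __name__ == "__main__":
    cfg1, cfg2 = site_config(SITE1, SITE2), site_config(SITE2, SITE1)
    print(cfg1, cfg2, sep="\n")
    print("mismatches:", check_pair(cfg1, cfg2) or "none")
```

Run it once per site pair and paste each output into the matching firewall; `check_pair` only reads the emitted text, so it can also be pointed at two `show system gre-tunnel` / `show system interface` dumps copied from live boxes to confirm they agree.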
