How To Configure a GRE Tunnel Between IP Appliances on IPSO

10 May 2012

Elena Shuster
© 2012 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=10951
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).

Revision History
Date Description

5/10/2012 Initial version

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on How To Configure a GRE Tunnel Between IP Appliances on IPSO).
Contents

Important Information
How To Configure GRE Tunnel Between IP Appliances on IPSO
  Objective
    Supported OS, Products and Versions
  Before You Start
    Related Documentation
    Impact on the Environment
Configuring a GRE Tunnel Between IP Appliances
Verifying that the GRE Tunnel is Up

How To Configure GRE Tunnel Between IP Appliances on IPSO

Objective
This document explains how to configure a GRE tunnel on the IPSO 6.X platform.

Supported OS, Products and Versions


Supported Operating System: IPSO 4.X and 6.X
Supported Products: IP Appliances
Supported Version: GRE Tunnel configuration is not related to the Firewall version

Before You Start


Related Documentation
IPSO 6.2 Network Voyager Reference Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=10293)
IPSO 4.2 Network Voyager Reference Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=9844)
SecureKnowledge solution sk41126 Why is the default MTU of a GRE tunnel interface set to 65535
(http://supportcontent.checkpoint.com/solutions?id=sk41126)

Impact on the Environment


GRE is not a recommended method for secure communication over the internet.

Configuring a GRE Tunnel Between IP Appliances
The configuration described applies to the following network:

1. In the Network Voyager tree, select Configuration > Interface Configuration > Interfaces.
In the diagram: IP APPLIANCE 1
2. In the Physical column, click Tunnels.

The Tunnels page opens.

3. In the Create New Tunnel Interface section of the page, select GRE.

4. Click Apply.
Each time you select a tunnel encapsulation and click Apply, the new tunnel appears in the logical
interfaces table.
5. Click the logical interface name in the Logical column of the Logical interfaces table to go to the
Interface page for the specified tunnel. For example: tun0c0

6. Enter the IP address of the local end of the GRE tunnel as the Local address.
The local address cannot be one of the system's interface addresses and must be the remote address
configured for the GRE tunnel at the remote router.
7. Enter the IP address of the remote end of the GRE tunnel as the Remote address.
The remote address cannot be one of the system's interface addresses and must be the local address
configured for the GRE tunnel at the remote router.
8. Enter the IP address of the local interface the GRE tunnel is bound to, as the Local endpoint.
The local endpoint must be one of the system's interface addresses and must be the remote endpoint
configured for the GRE tunnel at the remote router.
9. Enter the IP address of the remote interface the GRE tunnel is bound to, as the Remote endpoint.
The remote endpoint must not be one of the system's interface addresses and must be the local
endpoint configured for the GRE tunnel at the remote router.

10. In the Bind Tunnel to Local Endpoint section, bind the tunnel to the outgoing interface:
Strict means that all packets that egress through the tunnel will exit through the outgoing interface
(local endpoint). If the local endpoint link fails, traffic does not egress through the tunnel. You might
use this setting to prevent possible routing loops.
Loose means that all packets that egress through the tunnel can be routed through any interface.
Use this setting to allow the system to use a different interface in case the local endpoint link fails.

11. Click Save to make your changes permanent.
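
The address rules in steps 6 through 9 must hold on each appliance and must mirror the peer's values. The following added example (not part of the Check Point document) checks both sides' values before they are entered in Network Voyager; the TunnelSide record, its field names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class TunnelSide:
    """Values one appliance holds for the tunnel (hypothetical record)."""
    name: str
    interface_addrs: tuple   # addresses already owned by this system
    local_addr: str          # step 6
    remote_addr: str         # step 7
    local_endpoint: str      # step 8
    remote_endpoint: str     # step 9

def _ip(value):
    return ipaddress.ip_address(value)

def check_side(side):
    """Check the per-system rules from steps 6-9; return a list of errors."""
    own = {_ip(a) for a in side.interface_addrs}
    rules = [("local_addr", False), ("remote_addr", False),
             ("local_endpoint", True), ("remote_endpoint", False)]
    errors = []
    for field, must_be_own in rules:
        if (_ip(getattr(side, field)) in own) != must_be_own:
            verb = "must" if must_be_own else "must not"
            errors.append(f"{side.name}: {field} {verb} be an interface address")
    return errors

def check_pair(a, b):
    """Check both sides, then that each value mirrors the peer's."""
    errors = check_side(a) + check_side(b)
    mirrors = [("local_addr", "remote_addr"), ("remote_addr", "local_addr"),
               ("local_endpoint", "remote_endpoint"),
               ("remote_endpoint", "local_endpoint")]
    for mine, theirs in mirrors:
        if _ip(getattr(a, mine)) != _ip(getattr(b, theirs)):
            errors.append(f"{a.name}.{mine} != {b.name}.{theirs}")
    return errors

# Constructed sample values (documentation address ranges).
SIDE_A = TunnelSide("appliance1", ("192.0.2.1", "172.16.1.1"),
                    "10.0.0.1", "10.0.0.2", "192.0.2.1", "198.51.100.1")
SIDE_B = TunnelSide("appliance2", ("198.51.100.1", "172.16.2.1"),
                    "10.0.0.2", "10.0.0.1", "198.51.100.1", "192.0.2.1")

if __name__ == "__main__":
    print(check_pair(SIDE_A, SIDE_B) or "tunnel definitions are consistent")
```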

Verifying that the GRE Tunnel is Up


To verify the GRE tunnel:
1. Run a ping that generates traffic routed through the newly configured tunnel.
2. When the ping is started, use the following tcpdump command to confirm that the tunnel is up. This
command listens on the interface configured for the GRE tunnel and filters out everything except
protocol 47, which is GRE:
# tcpdump -i eth-<interface name> proto 47
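
What the protocol 47 filter selects, and why GRE is not recommended for secure communication, can be seen by decapsulating one such packet. This is an added example, not part of the Check Point document: it builds a constructed GRE packet carrying a ping and splits it into the outer (endpoint) and inner (tunnel address) views. All addresses and the payload are made up for the sample.

```python
import socket
import struct

GRE = 47  # IP protocol number selected by the "proto 47" filter

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 in this sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_sample():
    """Constructed packet: an ICMP echo request carried through the tunnel."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping-through-tunnel"
    inner = ipv4_header("10.0.0.1", "10.0.0.2", 1, len(icmp)) + icmp
    gre = struct.pack("!HH", 0x0000, 0x0800)  # no options, payload is IPv4
    outer = ipv4_header("192.0.2.1", "198.51.100.1", GRE, len(gre) + len(inner))
    return outer + gre + inner

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) or raise ValueError."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or not ihl <= total <= len(pkt):
        raise ValueError("malformed or truncated IPv4 packet")
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:total])

def decapsulate_gre(pkt):
    """Split a GRE-in-IPv4 packet into its outer and inner views."""
    o_src, o_dst, proto, gre = parse_ipv4(pkt)
    if proto != GRE:
        raise ValueError("IP protocol %d is not GRE" % proto)
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, payload_type = struct.unpack("!HH", gre[:4])
    if flags & 0x0007 or payload_type != 0x0800:
        raise ValueError("only GRE version 0 carrying IPv4 is handled")
    # Checksum (C), key (K) and sequence (S) flags each add 4 header bytes.
    offset = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    i_src, i_dst, i_proto, data = parse_ipv4(gre[offset:])
    return {"outer": (o_src, o_dst), "inner": (i_src, i_dst),
            "inner_proto": i_proto, "data": data}

if __name__ == "__main__":
    print(decapsulate_gre(build_sample()))
```

The inner addresses and the ICMP payload come out readable with no key involved: GRE only encapsulates, it does not encrypt or authenticate.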
