Passing GRE traffic

Hello.

Can someone advise exactly how Check Point stands with GRE support?

I understand they can't build or terminate GRE tunnels, but can they pass the traffic through?

There is a VPN between 2 Cisco routers that are trying to establish a tunnel; however, it isn't coming up. After discussions, I realised they are using GRE over IPsec VPN.

I have now concluded that this is the reason why it's not coming up.

Any suggestions?

9 Replies

Re: Passing GRE traffic

We have been doing this for a long time now; they are most probably using DM-VPN (the Cisco version of a mesh VPN).
The problem will be when you hide NAT one of the routers behind the firewall. Always try to set up static NAT and tell them to use NAT-T.
Allow IPSEC as a group + IKE_NAT_TRAVERSAL (port 4500).
Regards, Maarten

Re: Passing GRE traffic

Also tell them to add the following command on the Tunnel interfaces:
ip tcp adjust-mss 1300
To make sure the tunnel will pass traffic without fragmentation.
Regards, Maarten

Re: Passing GRE traffic

Hi, static NAT is set up on the firewall.

500 and 4500 are allowed through the firewall.

No drop logs.

All I see is router A sending UDP 500 to router B and vice versa.

Obviously the VPN is never getting past phase 1.

Are you saying GRE traffic should pass without an issue, then?

I will ask them to add the commands to the Cisco routers below.


Re: Passing GRE traffic

You need to allow the IPsec group, not only IKE; IPsec uses protocol 50 as well.
The GRE tunnel is inside the IPsec tunnel, so the CP will never see that traffic.
Regards, Maarten

Re: Passing GRE traffic

Hmm... Interesting. So, I have the IPsec group in the rules.

They are not using DMVPN. So now this is slightly more confusing.

I wonder now if the VPN config is the same on both routers.

Re: Passing GRE traffic

That will be the question for the router guys to answer; your part is done once you have added the IPsec group and the NAT Traversal ports. The rest is up to them. DM-VPN uses GRE over IPsec to allow the dynamic routing protocols to work, as you need an interface with the tunnel, which IPsec does not give you (similar to domain-based VPN in CP).
Regards, Maarten

Re: Passing GRE traffic

Still seeing this issue. They are not using DM-VPN and the MTU is set at 1400.

Since NAT is involved, I would have expected to see 4500, but I see only 500 packets.

Re: Passing GRE traffic

On the Ciscos, they really need to tell the tunnel that it needs NAT-T, to my limited Cisco knowledge.
Next to that, lowering the MTU will also lower the MSS and should NOT be done; when you want to do anything, get the MSS adjust going and never mess with the MTU, it just works counterproductively.
The MSS value is the actual number of bytes a packet can transfer; when you use an IPsec tunnel with a header of 64 or more bytes and on top of that another GRE tunnel header of 32 bytes, you have actually reduced the actual MSS by another 100 bytes.
Once the tunnel is up and running, test with tcpoptimiser, a freeware program, what the actual MTU is that they say can be used through the tunnel; reduce that by 40 (20 IP header + 20 TCP header) and use that as the MSS value.
A very good document on MTU, MSS and fragmentation is this:
http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.ht...
Regards, Maarten

Re: Passing GRE traffic

One other thing I was thinking about, are you sure they are not accidentally trying to use IP-Sec over GRE?
GRE cannot be NATted.
Regards, Maarten
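The thread's diagnostic ("only UDP 500 both ways, never past phase 1", "no 4500 although NAT is involved", "GRE cannot be NATted") boils down to checking which stage a capture on the firewall's outside interface reaches. The following is an added example written for this page, not code from the original posts, from Check Point or from Cisco. It classifies tcpdump-style lines into IKE on UDP 500, IKE moved to UDP 4500 (NAT-T), ESP flowing (raw IP protocol 50 or UDP-encapsulated on 4500) or GRE appearing in the clear, and returns a verdict saying whether the remaining work is on the firewall or on the routers. The sample captures, the router addresses 203.0.113.10 / 198.51.100.20 and the function names are all constructed for the example.

```python
"""Triage a capture of a site-to-site IPsec tunnel passing through a firewall.

Added example for the thread above, not code from the posts or from any vendor.
It maps tcpdump-style lines to the stage the tunnel reaches and says whether
the firewall admin or the router admins own the next step.
"""
import re
from collections import Counter
from typing import Optional, Tuple

# Constructed sample captures (not from the thread). Router A, 203.0.113.10,
# sits behind the firewall with a static NAT; router B, 198.51.100.20, is the peer.
CAPTURE_IKE_STUCK = """\
12:00:01.000001 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
12:00:01.000120 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident
12:00:11.000001 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
12:00:11.000120 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident
"""

CAPTURE_NAT_T_UP = """\
12:00:01.000001 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
12:00:01.000120 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident
12:00:01.010000 IP 203.0.113.10.4500 > 198.51.100.20.4500: NONESP-encap: isakmp: phase 1 I ident
12:00:01.020000 IP 198.51.100.20.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick
12:00:02.000000 IP 203.0.113.10.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
"""

CAPTURE_GRE_IN_CLEAR = """\
12:00:01.000001 IP 203.0.113.10 > 198.51.100.20: GREv0, length 88: IP 10.0.0.1 > 10.0.0.2: ICMP echo request
12:00:01.000500 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
"""

# tcpdump -n line: "<ts> IP <src>[.<port>] > <dst>[.<port>]: <rest>"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def classify(line: str) -> Optional[str]:
    """Map one capture line to the tunnel stage it evidences (None if unparsable)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sport, dport, rest = m["sport"], m["dport"], m["rest"]
    if "GRE" in rest:
        return "gre_clear"          # IP protocol 47 outside any IPsec SA
    if rest.startswith("ESP("):
        return "esp_raw"            # IP protocol 50, no UDP encapsulation
    if "4500" in (sport, dport):    # NAT-T: IKE and UDP-encapsulated ESP share 4500
        return "esp_udp" if "ESP(" in rest else "ike_4500"
    if "500" in (sport, dport):
        return "ike_500"            # plain IKE, pre-NAT-T
    return "other"


VERDICTS = {
    "gre_in_clear": "GRE (IP protocol 47) is visible outside IPsec: the routers send the "
                    "tunnel unencrypted (IPsec over GRE, or no crypto on the tunnel). GRE "
                    "cannot be NATted, so this cannot work through the NAT; fix the routers.",
    "ipsec_up": "ESP is flowing, so IKE phase 1 and 2 completed. GRE rides inside ESP and "
                "the firewall never sees it; remaining issues are MSS (ip tcp adjust-mss "
                "on the tunnel interfaces) or routing.",
    "phase2_failing": "IKE moved to UDP 4500 (NAT-T negotiated) but no ESP follows: phase 2 "
                      "fails. The firewall's part is done; check proposals/proxy IDs on the routers.",
    "natt_not_negotiated": "IKE stays on UDP 500 behind a NAT and never moves to 4500: NAT-T "
                           "was not negotiated. Check NAT-T is enabled on both routers and that "
                           "phase 1 proposals and PSK match.",
    "phase1_failing": "Only IKE on UDP 500 and no ESP: phase 1 never completes. Check "
                      "proposals/PSK on the routers.",
    "no_vpn_traffic": "No IKE, ESP or GRE seen: check the capture point, routing, and that "
                      "UDP 500/4500 and IP protocol 50 are permitted.",
}


def triage(capture: str, nat_in_path: bool = True) -> Tuple[str, str]:
    """Return (verdict_code, explanation) for a whole capture."""
    counts = Counter(filter(None, map(classify, capture.splitlines())))
    if counts["gre_clear"]:
        code = "gre_in_clear"
    elif counts["esp_udp"] or counts["esp_raw"]:
        code = "ipsec_up"
    elif counts["ike_4500"]:
        code = "phase2_failing"
    elif counts["ike_500"]:
        code = "natt_not_negotiated" if nat_in_path else "phase1_failing"
    else:
        code = "no_vpn_traffic"
    return code, VERDICTS[code]


if __name__ == "__main__":
    for name, cap in [("IKE stuck", CAPTURE_IKE_STUCK), ("NAT-T up", CAPTURE_NAT_T_UP),
                      ("GRE in clear", CAPTURE_GRE_IN_CLEAR)]:
        code, why = triage(cap)
        print(f"{name}: {code}\n  {why}")
```

Feed it the output of a real `tcpdump -n -i <outside> host <peer>` taken on the gateway; the stage the capture stalls at is what decides whether the next question goes to the firewall rule base (UDP 500, UDP 4500, IP protocol 50 permitted and a static NAT in place) or to the router owners (NAT-T, proposals, MSS).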