SCSupport
Contributor

Passing GRE traffic

Hello.

Can someone advise exactly how Check Point stands with GRE support?

I understand they can't build or terminate GRE tunnels, but can they pass the traffic through?

There is a VPN between 2 Cisco routers that are trying to establish a tunnel; however, it isn't coming up. After discussions, I realised they are using GRE over IPSEC VPN.

I have now concluded that this is the reason why it's not coming up.

Any suggestions?

0 Kudos
13 Replies
Maarten_Sjouw
Champion

We have been doing this for a long time now; they are most probably using DM-VPN (the Cisco version of a Mesh VPN).
The problem will be when you hide NAT one of the routers behind the Firewall. Always try to set up static NAT and tell them to use NAT-T.
Allow IPSEC as a group + IKE_NAT_TRAVERSAL (port 4500).
Regards, Maarten
Maarten_Sjouw
Champion

Also tell them to add the following command on the Tunnel interfaces:
ip tcp adjust-mss 1300
This makes sure the tunnel will pass traffic without fragmentation.
Regards, Maarten
0 Kudos
SCSupport
Contributor

Hi, static NAT is set up on the firewall.

500 and 4500 are allowed through the firewall.

No drop logs.

All I see is router A sending UDP 500 to router B and vice versa.

Obviously the VPN is never getting past phase 1.

Are you saying GRE traffic should pass without an issue then?

I will ask them to add the commands to the Cisco routers below.

0 Kudos
Maarten_Sjouw
Champion

You need to allow the IPSEC group, not only IKE; IP-Sec uses protocol 50 as well.
The GRE tunnel is inside the IP-Sec tunnel, so the CP will never see that traffic.
Regards, Maarten
0 Kudos
SCSupport
Contributor

Hmm, interesting. So, I have the IPSEC Group in the rules.

They are not using DMVPN. So now this is slightly more confusing.

I wonder now if the VPN config is the same on both routers.
0 Kudos
Maarten_Sjouw
Champion

That will be the question for the router guys to answer; your part is done when you have added the IP-Sec group and the NAT Traversal ports. The rest is up to them. DM-VPN uses GRE over IP-Sec to allow the dynamic routing protocols to work, as you need an interface with the tunnel, which IP-Sec does not give you (similar to domain based VPN in CP).
Regards, Maarten
SCSupport
Contributor

Still seeing this issue. They are not using DM-VPN and MTU is set at 1400.

Since NAT is involved, I would have expected to see 4500, but I only see 500 packets.
0 Kudos
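A small triage helper for the symptom described in this thread (IKE on UDP 500 seen in both directions, but never UDP 4500, ESP or GRE). This is an added example, not code from the thread or from any Check Point tool; the log lines and their `proto=`/`dport=` format are constructed for the example and do not mirror a real Check Point log export.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread, not a real Check Point log
# format): each line names the IP protocol and, for UDP, the destination port.
STUCK_LOG = """\
accept src=203.0.113.10 dst=198.51.100.20 proto=udp dport=500
accept src=198.51.100.20 dst=203.0.113.10 proto=udp dport=500
accept src=203.0.113.10 dst=198.51.100.20 proto=udp dport=500
"""
HEALTHY_LOG = STUCK_LOG + """\
accept src=203.0.113.10 dst=198.51.100.20 proto=udp dport=4500
accept src=198.51.100.20 dst=203.0.113.10 proto=udp dport=4500
"""
LAN_GRE_LOG = "drop src=10.1.1.1 dst=10.2.2.2 proto=gre\n"

LINE_RE = re.compile(r"proto=(\w+)(?: dport=(\d+))?")

def flow_key(line):
    """Map a log line to 'udp/500', 'udp/4500', 'esp' or 'gre'; None if unparsable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto, port = m.group(1).lower(), m.group(2)
    return f"{proto}/{port}" if port else proto

def triage(log_text, nat_in_path=True):
    """Return (flow counts, list of finding codes) for a GRE-over-IPsec path."""
    seen = Counter(k for k in map(flow_key, log_text.splitlines()) if k)
    findings = []
    ike, natt, esp = seen["udp/500"], seen["udp/4500"], seen["esp"]
    if ike and not natt and nat_in_path:
        # Only IKE on 500 in both directions and never 4500: phase 1 is not
        # completing. UDP 4500 must be allowed and NAT-T enabled on the routers.
        findings.append("NO_NAT_T")
    if ike and not (natt or esp):
        # Neither ESP (protocol 50) nor NAT-T-encapsulated data ever appears, so
        # the IPsec tunnel carried nothing and the GRE inside it cannot come up.
        findings.append("NO_IPSEC_DATA")
    if seen["gre"]:
        # Bare GRE (protocol 47) reaching the firewall means IPsec does not wrap
        # it at this point; an explicit rule for service gre is then needed.
        findings.append("GRE_IN_CLEAR")
    if not findings and ike:
        findings.append("OK")
    return seen, findings
```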
Maarten_Sjouw
Champion

On the Ciscos they really need to tell the tunnel that it needs NAT-T, to my limited Cisco knowledge.
Next to that, lowering the MTU will also lower the MSS and should NOT be done. When you want to do anything, get the MSS adjust going; never mess with the MTU, it just works counterproductively.
The MSS value is the actual number of bytes a packet can transfer. When you use an IP-Sec tunnel with a header of 64 or more bytes, and on top of that another GRE tunnel header of 32 bytes, you have actually reduced the actual MSS by another 100 bytes.
Once the tunnel is up and running, test with tcpoptimiser, a freeware program, what the actual MTU is that they say can be used through the tunnel; reduce that by 40 (20 IP header + 20 TCP header) and use that as the MSS value.
A very good document on MTU, MSS and fragmentation is this:
http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.ht...
Regards, Maarten
0 Kudos
Maarten_Sjouw
Champion

One other thing I was thinking about: are you sure they are not accidentally trying to use IP-Sec over GRE?
GRE cannot be NATted.
Regards, Maarten
0 Kudos
John_Fleming
Advisor

FYI, IPsec on Cisco defaults to NAT-T enabled. This has been the default for a very long time.

show run all

will show hidden defaults.

0 Kudos
Jochen_Waelkens
Explorer

I had a similar issue with a GRE tunnel that was not coming up between 2 GRE routers that were communicating over an IPSec tunnel.

Creating a specific rule that allowed the GRE service (even though there was an "allow any over IPSec" rule below it) solved it.

0 Kudos
Karan0587
Explorer

Hi Jochen,

Hope you are doing well. I have a similar setup with the customer, where he has Mikrotik routers in the DC doing GRE over IPsec with Mikrotik on the remote sites.

Did you connect the Cisco router behind the Check Point on the LAN, or did you connect them directly? Could you share the rule and NAT config for the same as well?

0 Kudos
Jochen_Waelkens
Explorer

Hi Karan,

The routers were connected at both sides behind the LAN port of the CP FWs. Between both CPs, an IPSec tunnel was implemented. Then, within the IPSec tunnel, a GRE tunnel between the routers was built (without NAT etc.). In order to fix the GRE issue, an explicit rule with service "gre" accept was created.

KR, jochen

0 Kudos