Chris Jones writes:
 > .... Fortigates and Netscreens both use GRE interfaces as
 > "tunnel interfaces" when creating route-based VPN tunnels.

FortiGates do not use GRE interfaces when creating route-based VPN tunnels.
The route-based VPN on a FortiGate creates packets that are identical
to IPsec tunnel mode, i.e. IP|ESP|IP.  As far as I'm aware, Netscreens do
the same.  Are you sure you don't have any Ciscos in your network?
They use GRE for IPsec unless you've got a fairly recent version of
IOS that supports the virtual interface approach.


 > Right now I have a hub-and-spoke VPN network using static routes to route
 > traffic across the VPN. Each spoke endpoint has a static destination route
 > of 10.1.0.0/16 which is sent over a GRE interface. The only exception to the
 > hub-and-spoke VPN is my OpenBSD firewall, for which I have to create VPN tunnels
 > to every spoke network I need access to (quite painful). On my OpenBSD box
 > I would like to be able to use a single static destination route of
 > 10.1.0.0/16 to send this traffic over a GRE interface to get to the rest of
 > the VPN network.

Since the FortiGate doesn't use GRE for IPsec (unless you configured
it for some reason), there is no need to use GRE on OpenBSD.  Just
define a normal tunnel-based IPsec connection (as if the other end was
another OpenBSD box).  If you really want an interface so that you can
route over it, then you'd have better luck with a gif interface.  In
that case, if you can get the tunnel to come up, you could run
RIP/OSPF/iBGP on the OpenBSD gif interface and on the FortiGate IPsec
interface and not use static routing at all.
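The "normal tunnel-based IPsec connection" suggested above, written out as an OpenBSD ipsec.conf(5) fragment. This is an added example, not part of the original mail: the addresses (192.0.2.10 for the OpenBSD firewall's public side, 192.168.50.0/24 for its LAN, 203.0.113.1 for the FortiGate hub) and the cipher choices are assumptions, and the PSK is a placeholder.

```conf
# /etc/ipsec.conf  (added example; addresses constructed, PSK is a placeholder)
#
# One tunnel-mode IPsec flow from the OpenBSD LAN to the whole VPN address
# space behind the FortiGate hub.  The packets on the wire are IP|ESP|IP,
# which is what the FortiGate's route-based tunnel produces, so no GRE (or
# gif) layer is needed on either side.
#
# Because this is policy-based IPsec, the kernel's SPD lookup catches any
# packet from 192.168.50.0/24 to 10.1.0.0/16 on output; the default route
# is enough and no separate static route for 10.1.0.0/16 is required.
ike esp tunnel from 192.168.50.0/24 to 10.1.0.0/16 \
    local 192.0.2.10 peer 203.0.113.1 \
    main  auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
    psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

The phase 1/phase 2 proposals (hmac-sha2-256, aes-256, modp2048) have to match what is configured on the FortiGate's phase1 and phase2 interface objects, and the hub's phase 2 selectors have to cover 192.168.50.0/24 to 10.1.0.0/16 or the quick-mode negotiation will fail. To load it, run isakmpd with the `-K` flag (so it takes policy from ipsecctl rather than keynote), then `ipsecctl -f /etc/ipsec.conf`; `ipsecctl -sa` shows the negotiated SAs and flows once the tunnel is up.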
