I may have been mistaken. I just pulled this information from this document which Gregory Lebovitz from Netscreen co-authored back in 2003. On page 46 he talks about using GRE to create virtual routing interfaces, AKA tunnel interfaces. I have configured route-based VPNs between a Netscreen and FortiGate which interop just fine, which leads me to believe that they are using the same approach to tunnel interfaces.
I have yet to get this to work between an OpenBSD box and a FortiGate/Netscreen. I will look into the gif option to see if this will work.

-Chris

On 4/7/07, Stephen J. Bevan <[EMAIL PROTECTED]> wrote:
>
> Chris Jones writes:
> > .... Fortigates and Netscreens both use GRE interfaces as
> > "tunnel interfaces" when creating route-based VPN tunnels.
>
> FortiGates do not use GRE interface when creating route-based VPN tunnels.
> The route-based VPN on a FortiGate creates packets that are identical
> to IPsec tunnel mode i.e. IP|ESP|IP. As far as I'm aware, Netscreen do
> the same. Are you sure you don't have any Ciscos in your network?
> They use GRE for IPsec unless you've got a fairly recent version of
> IOS that supports the virtual interface approach.
>
> > Right now I have a hub-and-spoke VPN network using static routes to route
> > traffic across the VPN. Each spoke endpoint has a static destination route
> > of 10.1.0.0/16 which is sent over GRE interface. The only exception to the
> > hub-and-spoke VPN is my OpenBSD firewall which I have to create VPN tunnels
> > to every spoke network I need access to (quite painful). On my OpenBSD box
> > I would like to be able to use a single static destination route of
> > 10.1.0.0/16 to send this traffic over a GRE interface to get to the rest of
> > the VPN network.
>
> Since the FortiGate doesn't use GRE for IPsec (unless you configured
> it for some reason) then there is no need to use GRE on OpenBSD. Just
> define a normal tunnel based IPsec connection (as if the other end was
> another OpenBSD box). If you really want an interface so that you can
> route over it, then you'd have better luck with a gif interface. In
> that case if you can get the tunnel to come up you could run
> RIP/OSPF/iBGP on the OpenBSD gif interface and on the FortiGate IPsec
> interface and not use static routing at all.