This link would probably help ;)

http://www.isi.edu/div7/presentation_files/dynamic_routing.pdf

On 4/8/07, Chris Jones <[EMAIL PROTECTED]> wrote:
>
> I may have been mistaken. I just pulled this information from this
> document which Gregory Lebovitz from Netscreen co-authored back in 2003. On
> page 46 he talks about using GRE to create a virtual routing interface, AKA
> tunnel interface. I have configured route-based VPNs between a Netscreen and
> FortiGate which interop just fine, which leads me to believe that they are
> using the same approach to tunnel interfaces.
>
> I have yet to get this to work between an OpenBSD box and a
> FortiGate/Netscreen. I will look into the gif option to see if this will
> work.
>
> -Chris
>
> On 4/7/07, Stephen J. Bevan <[EMAIL PROTECTED]> wrote:
> >
> > Chris Jones writes:
> > > .... Fortigates and Netscreens both use GRE interfaces as
> > > "tunnel interfaces" when creating route-based VPN tunnels.
> >
> > FortiGates do not use GRE interface when creating route-based VPN
> > tunnels.
> > The route-based VPN on a FortiGate creates packets that are identical
> > to IPsec tunnel mode i.e. IP|ESP|IP.  As far as I'm aware, Netscreen do
> > the same.  Are you sure you don't have any Ciscos in your network?
> > They use GRE for IPsec unless you've got a fairly recent version of
> > IOS that supports the virtual interface approach.
> >
> >
> > > Right now I have a hub-and-spoke VPN network using static routes to route
> > > traffic across the VPN. Each spoke endpoint has a static destination route
> > > of 10.1.0.0/16 which is sent over GRE interface. The only exception to the
> > > hub-and-spoke VPN is my OpenBSD firewall which I have to create VPN tunnels
> > > to every spoke network I need access to (quite painful). On my OpenBSD box
> > > I would like to be able to use a single static destination route of
> > > 10.1.0.0/16 to send this traffic over a GRE interface to get to the rest of
> > > the VPN network.
> >
> > Since the FortiGate doesn't use GRE for IPsec (unless you configured
> > it for some reason) then there is no need to use GRE on OpenBSD.  Just
> > define a normal tunnel based IPsec connection (as if the other end was
> > another OpenBSD box).  If you really want an interface so that you can
> > route over it, then you'd have better luck with a gif interface.  In
> > that case if you can get the tunnel to come up you could run
> > RIP/OSPF/iBGP on the OpenBSD gif interface and on the FortiGate IPsec
> > interface and not use static routing at all.
