GRE Interfaces

Important - Scalable Platforms (Maestro and Chassis) do not support this feature (Known Limitation PMTR-60868).

This section shows you how to configure a GRE Interface in the Gaia PortalClosed Web interface for the Check Point Gaia operating system. and the Gaia ClishClosed The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..

Generic Routing Encapsulation (GRE) is an IP encapsulation protocol, which is used to transport IP packets over a network.

GRE allows routing of IP packets between private IPv4 networks, which are separated over public IPv4 Internet.

Notes:

For additional information, see sk169794.

Configuring GRE Interfaces in Gaia Portal

Step

Instructions

1

In the navigation tree, click Network Management > Network Interfaces.

2

Click Add > GRE.

3

On the IPv4 tab, enter the local IPv4 address and subnet mask for the GRE interface.

4

On the GRE Tunnel tab:

  1. In the GRE Interface ID field, enter or select the GRE Tunnel ID between 1 and 1024.

  2. In the Peer Address field, enter the IPv4 address for the GRE interface on the remote GRE peer.

  3. In the Local Address field, enter the IPv4 address of the applicable local physical interface.

  4. In the Remote Address field, enter the IPv4 address of the applicable physical interface on the remote GRE peer.

  5. In the TTL field, enter or select the Time-to-Live for the GRE packets between 0 and 255.

    Note - This value must be the same on the GRE peers.

5

Click OK.

Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. "GW1" and Security Gateway "GW2" create a GRE Tunnel over a network.

[GW1] (physical interface eth1) (GRE Tunnel configuration) <==>

<==> (network) <==>

<==> (GRE Tunnel configuration) (physical interface eth2 [GW2]

The GRE interface configuration on these GRE peers:

Setting

Security Gateway "GW1"

Security Gateway "GW2"

Local physical interface

eth1 with IPv4 10.10.10.11 / 24

eth2 with IPv4 172.30.40.22 / 24

(GRE) IPv4 Address

192.168.10.11 / 24

192.168.10.22 / 24

GRE Interface ID

33

33

Peer Address

192.168.10.22

192.168.10.11

Remote Address

172.30.40.22

10.10.10.11

Important - It is not supported to edit the settings of an existing GRE interface.

You must delete the existing GRE interface and create a new GRE interface.

Step

Instructions

1

In the navigation tree, click Network Management > Network Interfaces.

2

Select a GRE interface and click Delete.

3

Click OK to confirm.

Configuring GRE interfaces in Gaia Clish

Syntax

add gre id <GRE Tunnel ID> local <IPv4 address of local physical interface> remote <IPv4 address of physical interface on remote peer> ttl <TTL> ip <IPv4 address of local GRE interface> mask <IPv4 subnet mask of local GRE interface> peer <IPv4 address of GRE interface on remote peer>

show configuration gre

show gre id <GRE Tunnel ID>

Important - It is not supported to edit the settings of an existing GRE interface.

You must delete the existing GRE interface and create a new GRE interface.

delete gre id <GRE Tunnel ID>

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

Parameter

Description

id <GRE Tunnel ID>

Specifies the GRE Tunnel ID between 1 and 1024.

remote <IPv4 address of physical interface on remote peer>

Specifies the IPv4 address of the applicable physical interface on the remote GRE peer.

ttl <TTL>

Specifies the Time-to-Live for the GRE packets between 1 and 255.

Note - This value must be the same on the GRE peers.

ip <IPv4 address of local GRE interface>

Specifies the local IPv4 address for the GRE interface.

mask <IPv4 subnet mask of local GRE interface>

Specifies the local IPv4 subnet mask for the GRE interface.

peer <IPv4 address of GRE interface on remote peer>

Specifies the IPv4 address for the GRE interface on the remote GRE peer.

Security Gateway "GW1" and Security Gateway "GW2" create a GRE Tunnel over a network.

[GW1] (physical interface eth1) (GRE Tunnel configuration) <==>

<==> (network) <==>

<==> (GRE Tunnel configuration) (physical interface eth2 [GW2]

The GRE interface configuration on these GRE peers:

Setting

Security Gateway "GW1"

Security Gateway "GW2"

Local physical interface

eth1 with IPv4 10.10.10.11 / 24

eth2 with IPv4 172.30.40.22 / 24

(GRE) IPv4 Address

192.168.10.11 / 24

192.168.10.22 / 24

GRE Interface ID

33

33

Peer Address

192.168.10.22

192.168.10.11

Remote Address

172.30.40.22

10.10.10.11

The GRE interface configuration on the Security Gateway "GW1":

gaia1> add gre id 33 remote 172.30.40.22 ttl <1-255> ip 192.168.10.11 mask 255.255.255.0 peer 192.168.10.22

The GRE interface configuration on the Security Gateway "GW2":

gaia2> add gre id 33 remote 10.10.10.11 ttl <1-255> ip 192.168.10.22 mask 255.255.255.0 peer 192.168.10.11

Configuring GRE Interfaces on Cluster Members

For more information, see the R81.20 ClusterXL Administration Guide.

In ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you have these options:

  1. Configure a GRE interface on all the Cluster Members.

    You must configure the same GRE Interface ID and Remote Address on each Cluster MemberClosed Security Gateway that is part of a cluster..

  2. Connect with SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

  3. From the left navigation panel, click Gateways & Servers.

  4. Double-click the cluster object.

  5. From the left tree, click Network Management.

  6. From the toolbar, click Get Interfaces > Get Interfaces With Topology and confirm.

    Make sure you see the new GRE interface from each Cluster Member.

  7. Select the new GRE interface and click Edit.

  8. From the left tree, click the General page.

  9. In the General section, in the Network Type field, select Cluster.

  10. In the IPv4 field, configure the applicable cluster Virtual IP address.

  11. In the Member IPs section, make sure the IPv4 address and its Net Mask are correct on each Cluster Member.

  12. Click OK.

  13. Publish the SmartConsole session.

  14. Install the Access Control Policy on this cluster object.

  1. Configure a GRE interface on a specific Cluster Member.

  2. Connect with SmartConsole to the Management Server.

  3. From the left navigation panel, click Gateways & Servers.

  4. Double-click the cluster object.

  5. From the left tree, click Network Management.

  6. From the toolbar, click Get Interfaces > Get Interfaces With Topology and confirm.

    Make sure you see the new GRE interface from the specific Cluster Member, on which you configured it.

  7. Select the new GRE interface and click Edit.

  8. From the left tree, click the General page.

  9. In the General section, in the Network Type field, select Private.

  10. Click OK.

  11. Publish the SmartConsole session.

  12. Install the Access Control Policy on this cluster object.