How to Configure Security Policies to Allow GRE
GRE is a Layer 3 VPN encapsulation technology. Figure 9-4 shows the packet encapsulation and forwarding process of a GRE tunnel. After a packet enters Firewall_A, Firewall_A sends it to the tunnel interface according to the routing table, where the packet is encapsulated with a GRE header and a new IP header. The source IP address in the new IP header is specified using the source { source-ip-address | interface-type interface-number } command; generally it is the IP address of the local physical interface connected to the public network or of a local loopback interface. The destination IP address in the new IP header is the source IP address specified on the peer end. After encapsulation is complete, Firewall_A searches the routing table again based on the new IP header and forwards the packet to Firewall_B. After receiving the packet, Firewall_B identifies it as a GRE packet, sends it to the tunnel interface for decapsulation, and forwards the original packet.
In this process, packets are transmitted across multiple security zones and are therefore checked against security policies twice on each firewall: once as the original packet and once as the GRE-encapsulated packet. Take Firewall_A as an example. As shown in Figure 9-5, an original packet enters the tunnel interface of Firewall_A from the intranet. The source and destination security zones of the original packet are Trust and DMZ, respectively. The packet encapsulated by GRE on the tunnel interface is then sent from Firewall_A to Firewall_B. The source and destination security zones of the GRE-encapsulated packet are Local (the zone representing the firewall itself) and Untrust (the security zone connected to the public network), respectively. When Firewall_B receives the packet, the source and destination security zones are Untrust and Local.
Table 9-4 describes the configuration for security policies.
| No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | Service | Action |
|---|---|---|---|---|---|---|---|
| Firewall_A, which initiates access | | | | | | | |
| 101 | Allow original packet to tunnel | Trust | DMZ | 10.1.1.0/24 | 10.1.2.0/24 | any | permit |
| 102 | Allow GRE packet to peer | Local | Untrust | 1.1.1.1/32 | 2.2.2.2/32 | gre (47) | permit |
| Firewall_B, which receives access requests from the peer end | | | | | | | |
| 201 | Allow GRE packet from peer | Untrust | Local | 1.1.1.1/32 | 2.2.2.2/32 | gre (47) | permit |
| 202 | Allow original packet from peer | DMZ | Trust | 10.1.1.0/24 | 10.1.2.0/24 | any | permit |
| Firewall_B, which initiates access | | | | | | | |
| 203 | Allow original packet to tunnel | Trust | DMZ | 10.1.2.0/24 | 10.1.1.0/24 | any | permit |
| 204 | Allow GRE packet to peer | Local | Untrust | 2.2.2.2/32 | 1.1.1.1/32 | gre (47) | permit |
| Firewall_A, which receives access requests from the peer end | | | | | | | |
| 103 | Allow GRE packet from peer | Untrust | Local | 2.2.2.2/32 | 1.1.1.1/32 | gre (47) | permit |
| 104 | Allow original packet from peer | DMZ | Trust | 10.1.2.0/24 | 10.1.1.0/24 | any | permit |
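The following is an added illustration, not part of the original document or of the firewall's own software: a small Python model of Firewall_A's four policies from Table 9-4 that walks a packet through both checks (original packet in Trust -> DMZ, then the GRE-encapsulated packet in Local -> Untrust, and the reverse on the inbound side) and returns which policy permitted each stage, or None for the implicit deny. The sample addresses and the inner protocol number 6 (TCP) are constructed for the example; zone names, addresses and the GRE protocol number 47 come from the table.

```python
import ipaddress
from dataclasses import dataclass

GRE_PROTO = 47  # IP protocol number for GRE, as in the "gre (47)" service


@dataclass(frozen=True)
class Policy:
    no: int
    src_zone: str
    dst_zone: str
    src_net: str
    dst_net: str
    service: str  # "any" or "gre"
    action: str   # "permit" or "deny"


# Firewall_A's policies, transcribed from Table 9-4
FIREWALL_A = [
    Policy(101, "Trust", "DMZ", "10.1.1.0/24", "10.1.2.0/24", "any", "permit"),
    Policy(102, "Local", "Untrust", "1.1.1.1/32", "2.2.2.2/32", "gre", "permit"),
    Policy(103, "Untrust", "Local", "2.2.2.2/32", "1.1.1.1/32", "gre", "permit"),
    Policy(104, "DMZ", "Trust", "10.1.2.0/24", "10.1.1.0/24", "any", "permit"),
]


def match(policies, src_zone, dst_zone, src_ip, dst_ip, proto):
    """Return the number of the first permitting policy, or None (implicit deny)."""
    for p in policies:
        if (p.src_zone, p.dst_zone) != (src_zone, dst_zone):
            continue
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(p.src_net):
            continue
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(p.dst_net):
            continue
        if p.service != "any" and not (p.service == "gre" and proto == GRE_PROTO):
            continue
        return p.no if p.action == "permit" else None
    return None


def check_outbound(policies, inner_src, inner_dst, tunnel_src, tunnel_dst, inner_proto=6):
    """Two checks an outbound packet passes: original (Trust->DMZ), then GRE (Local->Untrust)."""
    original = match(policies, "Trust", "DMZ", inner_src, inner_dst, inner_proto)
    encapsulated = match(policies, "Local", "Untrust", tunnel_src, tunnel_dst, GRE_PROTO)
    return original, encapsulated


def check_inbound(policies, tunnel_src, tunnel_dst, inner_src, inner_dst, inner_proto=6):
    """Two checks an inbound packet passes: GRE (Untrust->Local), then original (DMZ->Trust)."""
    encapsulated = match(policies, "Untrust", "Local", tunnel_src, tunnel_dst, GRE_PROTO)
    original = match(policies, "DMZ", "Trust", inner_src, inner_dst, inner_proto)
    return encapsulated, original
```

Running the checks shows why both policy pairs are needed: a host in 10.1.1.0/24 reaching 10.1.2.0/24 is permitted by 101 and then 102, while a non-GRE packet from Local to Untrust, or a GRE packet from an address other than the peer, hits the implicit deny.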