GRE through a firewall

Jul 24th, 2007


I'm trying to set up a GRE tunnel through a firewall but hitting some difficulties.

I'm using loopback addresses at both ends and then an IP address per interface.

I have routing between the two loopbacks, and a trace from either to the other is hitting the firewall.

I haven't put in any routes for the 2 physical addresses as they are both on the same 30-bit network and should see each other if the loopbacks can.

Is this right?

If not, what else do I need to do, and how can I check it out?

I'm a bit curious as to how the two physical addresses are supposed to see each other.

Thanks to anyone taking the time to reply.

Paolo Bevilacqua Tue, 07/24/2007 - 14:54


Can you do a little diagram of your network with addresses and a config snippet?

Also important: have you configured the firewall to let GRE pass?

Richard Burts Tue, 07/24/2007 - 14:59


I am slightly confused about your situation. You describe the traffic from one interface to the other as going through a firewall, and then you seem to describe them as being on the same /30 subnet. How can they be in the same subnet and be going through a firewall?

You will probably need some access rule in the firewall. You could either just permit traffic from 1 IP to the other, or you could permit GRE which is IP protocol 47.

Perhaps you can clarify your topology and environment so that we can help give you better answers.



mulhollandm Tue, 07/24/2007 - 15:46

Thought I had already responded to this but can't see it, so here goes again!

I've attached a diagram with IPs suitably amended.

I have 2 firewall rules from loopback to loopback for IP 47, and I can ping from one to the other through the firewall.

Thanks for your help.

Richard Burts Wed, 07/25/2007 - 18:31


I have looked at the diagram that you posted and it clarifies parts of what we need to know but leaves some questions. I see that the diagram shows the loopback addresses as /32 host addresses, and this can be just fine. But the drawing shows the tunnel destination as the remote loopback with a /30 mask. I still do not understand that inconsistency. If the local router believes that the tunnel destination is in a subnet that is connected on the loopback interface, then the packets for the GRE tunnel will never be transmitted outside of the router.

Perhaps you can clarify the addressing issue? It would also help if you could post the output of show ip route from both of the routers.

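As an added example that is not part of this thread, the configuration below puts the points raised so far together: /32 loopbacks as tunnel source and destination, a route to the remote loopback via the physical path rather than a connected subnet, and a firewall rule that passes only GRE (IP protocol 47) between the two loopbacks. All addresses are constructed placeholders from the RFC 5737 documentation ranges, and the firewall rule is written in IOS extended ACL syntax.

```text
! Added example (not from the thread). Addresses are constructed placeholders.
!
! --- Router A ---
interface Loopback0
 ! /32 host address, as on the diagram
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0
 ! /30 toward the firewall
 ip address 203.0.113.1 255.255.255.252
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Loopback0
 ! Remote /32 loopback. It must NOT fall inside a subnet that is connected
 ! on a local interface, or the GRE packets never leave this router.
 tunnel destination 198.51.100.1
 ! Keepalives make a tunnel that the firewall is silently dropping show
 ! as down/down instead of up/up with no traffic passing.
 keepalive 10 3
!
! Route to the remote loopback via the physical next hop (the firewall).
ip route 198.51.100.1 255.255.255.255 203.0.113.2
!
! --- Router B (mirror image, on its own /30 behind the firewall) ---
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
interface GigabitEthernet0/0
 ip address 203.0.113.5 255.255.255.252
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.1
 keepalive 10 3
ip route 192.0.2.1 255.255.255.255 203.0.113.6
!
! --- Firewall (IOS extended ACL syntax) ---
! Permit only GRE (IP protocol 47) between the two loopbacks, both directions,
! rather than opening all IP between the two hosts.
ip access-list extended GRE-TUNNEL
 permit gre host 192.0.2.1 host 198.51.100.1
 permit gre host 198.51.100.1 host 192.0.2.1
!
! Checks on either router: the route to the remote loopback should resolve to
! the physical next hop, and the tunnel should be up/up with keepalives passing.
! show ip route 198.51.100.1
! show interfaces Tunnel0
```

If the firewall also inspects or translates traffic, the GRE packets carry the loopback addresses as outer source and destination, so the rule and any NAT exemption must match those addresses and not the /30 interface addresses.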


mulhollandm Thu, 07/26/2007 - 07:37


Many thanks for your reply.

I got the tunnel up by removing it and re-configuring it.

I also made some route changes, so again thanks for your help - I think my diagram may be slightly out.

I'm now looking for the relevant command to troubleshoot traffic on the tunnel!

Thanks again.

Richard Burts Thu, 07/26/2007 - 07:52


I am glad that you now have the tunnel working. Sometimes removing and re-configuring is a good approach to resolve issues where something is not working. It sometimes helps you to rethink what you are trying to accomplish.
