About GRE Tunnels
GRE (Generic Routing Encapsulation) is a tunneling protocol that encapsulates packets of one protocol inside a transport protocol. A GRE-capable router or firewall wraps the payload packet in a GRE header and then wraps the result in a transport protocol such as IP, so the packet crosses the intermediate network addressed to the far tunnel endpoint rather than to its real destination. The process is illustrated in the following figure.
A GRE tunnel operates similarly to a VPN, but without encryption: it carries packets from one endpoint to another across a public network, yet provides no confidentiality, integrity protection, or peer authentication. Plaintext traffic inside the tunnel, such as HTTP, is as exposed as it would be on the ordinary Internet path.
Key Features of GRE Tunnels:
– GRE tunnels can use keepalive packets to verify the tunnel's status. The tunnel source builds a keepalive as two nested GRE packets: an inner packet addressed back to itself, wrapped in an outer packet addressed to the tunnel destination. The destination decapsulates the outer packet and, because the inner packet is addressed to the originator, simply routes it back. If no keepalive responses arrive within the configured window, the source marks the tunnel down.
– For further reading, refer to [RFC 2784: Generic Routing Encapsulation (GRE)](https://www.rfc-editor.org/rfc/rfc2784).
If your corporate firewall or router supports GRE and its egress interface has a static public IP address, Zscaler recommends configuring a GRE tunnel to forward HTTP and HTTPS traffic from your corporate network to the Zscaler service. The benefits include:
– Support for HTTP and HTTPS traffic
– Failover support if the primary ZEN (Zscaler Enforcement Node) becomes unavailable
– Minimal overhead
– No configuration needed on individual computers or laptops
– Prevents users on the corporate network from bypassing the service
– Provides internal IP address information to Zscaler for policy design and logging
For users who are frequently on the road or off the corporate network, PAC files can be configured to forward their traffic.
Deployment Scenarios
There are several common GRE tunnel deployment scenarios:
1. GRE Tunnels from the Internal Router to the ZENs:
– It’s recommended to configure two GRE tunnels from an internal router behind the firewall to the ZENs: a primary tunnel to a ZEN in one data center and a secondary tunnel to a ZEN in another data center. This setup provides visibility into the internal IP addresses, useful for Zscaler’s security policies and logging.
2. GRE Tunnels from the Corporate Firewall to the ZENs:
– If your corporate firewall supports GRE, you can configure two GRE tunnels from the firewall to the ZENs: one primary tunnel to a ZEN in one data center and a secondary tunnel to a ZEN in another data center. This setup, similar to the previous scenario, provides visibility into internal IP addresses for Zscaler policies and logging.
3. GRE Tunnels from the Border Router to the ZENs:
– If the first two scenarios are not feasible, a GRE tunnel can be configured from your border router to the ZENs. This is the least preferred option: traffic reaching the border router has typically already been NATed, so internal IP addresses are not visible to the service and per-network policies and logging lose that detail.
---
Configuring a GRE Tunnel
When configuring a GRE tunnel to the Zscaler service, keep the following in mind:
– High Availability: Configure two separate GRE tunnels to two different ZENs, located in separate data centers. Ensure that if the primary tunnel goes down, the router detects it and switches traffic to the secondary tunnel.
– Traffic Forwarding: Use the GRE tunnel to forward only HTTP and HTTPS traffic to the service, while sending all other traffic directly to the Internet. Policy-based routing (PBR) can be used to ensure that only HTTP and HTTPS traffic is sent through the GRE tunnel.
– NAT Considerations: If your firewall or router applies NAT before traffic enters the tunnel, the service sees only the translated address. Exempt tunnel-bound traffic from NAT so that the service sees internal IP addresses, enabling more detailed logging and reporting; NAT should still apply to traffic that goes directly to the Internet.
– Sub-Locations: Configure sub-locations to identify internal networks whose outbound traffic is encapsulated in the GRE tunnel. This enables the service to apply custom policies to the traffic of internal networks.
– Firewall ACLs: If a firewall sits between the tunnel endpoint and the Internet, or has an ACL blocking inbound connections, ensure that it permits IP protocol 47 (GRE) between the tunnel source address and the ZEN destination addresses in both directions. GRE is neither TCP nor UDP, so a rule that opens only ports will not pass it.
---
Configuration Tasks
To configure GRE tunnels from your corporate network to the Zscaler service, follow these steps:
Step 1: Provision GRE Tunnels
Contact Zscaler Customer Support and provide the following information so Zscaler can provision the GRE tunnels:
– Public IP address of the tunnel source
– The physical location of your router or firewall
Zscaler then assigns VIPs (virtual IP addresses) for use as the source and destination addresses inside the tunnel. These addresses come from a pool of private, non-Internet-routable address space that Zscaler manages so that no two customers use the same addresses.
Here’s an example of what Zscaler might provide:
– Tunnel Source IP: 192.0.2.2
– Internal Range: 172.18.58.120 – 172.18.58.127
– Primary Destination: 216.66.5.49
  – Internal Router IP: 172.18.58.121/30
  – Internal ZEN IP: 172.18.58.122/30
– Secondary Destination: 199.168.149.179
  – Internal Router IP: 172.18.58.125/30
  – Internal ZEN IP: 172.18.58.126/30
When Zscaler assigns the VIPs, the Zscaler service binds the source and destination addresses to the specified primary and secondary ZENs.
---
Step 2: Add a Gateway Location
Once your IP addresses have been provisioned, log in to the Zscaler service portal and define your organization’s gateway location:
1. Go to Administration > Resources > Locations.
2. Click Add.
3. Enter general information about the location:
– Name
– Country
– State/Province (if applicable)
– Time Zone
When specifying the location in a policy, the service applies the policy according to the location’s time zone.
4. Choose the IP addresses for the location from the list provided by Zscaler.
5. Optionally, enable other features as needed.
---
Step 3: Configure the Router/Firewall
Next, configure your router or firewall to allow the GRE tunnel. Refer to the specific documentation for your device for detailed instructions. Below are some configuration examples for Cisco and Juniper devices:
– Configuration Example: Cisco 881
– Configuration Example: Juniper SRX
---
### Configuration Example: Cisco 881
This example demonstrates how to configure a GRE tunnel between a Cisco 881 router and ZENs in the Zscaler service. The following IP addresses are used for the GRE tunnels:
– Tunnel Source IP: 192.0.2.2
– Internal Range: 172.18.58.120 – 172.18.58.127
– Primary Destination: 216.66.5.49
  – Internal Router IP: 172.18.58.121/30
  – Internal ZEN IP: 172.18.58.122/30
– Secondary Destination: 199.168.149.179
  – Internal Router IP: 172.18.58.125/30
  – Internal ZEN IP: 172.18.58.126/30
Sample Configuration:
```
! Primary tunnel to the ZEN at 216.66.5.49
interface Tunnel2700
 ! Router side of the /30 that Zscaler assigned for this tunnel
 ip address 172.18.58.121 255.255.255.252
 ! Reassemble fragments so NAT/firewall features see whole packets
 ip virtual-reassembly
 ! Clamp TCP MSS so GRE overhead does not force fragmentation of large segments
 ip tcp adjust-mss 1300
 ! WAN interface holding the static public address 192.0.2.2
 tunnel source FastEthernet4
 tunnel destination 216.66.5.49
end
```
```
! Secondary tunnel to the ZEN at 199.168.149.179 in the other data center
interface Tunnel2800
 ip address 172.18.58.125 255.255.255.252
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 tunnel source FastEthernet4
 tunnel destination 199.168.149.179
end
```
Policy-Based Routing (PBR) Example:
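The following PBR configuration is an added example written for this page; it is not Zscaler's or the original author's configuration. It assumes the LAN hangs off the router's Vlan1 interface with the constructed internal range 10.1.0.0/16, and uses IP SLA ICMP probes to the two ZENs' tunnel-side addresses (172.18.58.122 and 172.18.58.126) so that web traffic is steered to whichever tunnel is actually passing traffic. The route-map name zscaler-tunnel, the SLA and track object numbers, and the ACL name are assumptions chosen to line up with the troubleshooting commands at the end of this page.

```cisco
! Added example, not the page's original PBR configuration.
! Assumptions: LAN on Vlan1, internal range 10.1.0.0/16 (constructed),
! ZEN tunnel-side addresses taken from the example above.

! Probe each ZEN through its own tunnel, so a passing probe proves the
! tunnel carries traffic end to end, not merely that the address is routable.
ip sla 10
 icmp-echo 172.18.58.122 source-interface Tunnel2700
 frequency 10
 timeout 2000
 threshold 1000
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
 delay down 15 up 30

ip sla 20
 icmp-echo 172.18.58.126 source-interface Tunnel2800
 frequency 10
 timeout 2000
 threshold 1000
ip sla schedule 20 life forever start-time now
track 20 ip sla 20 reachability
 delay down 15 up 30

! Only HTTP and HTTPS from the internal range is steered into the tunnel.
! Everything else is routed normally, i.e. directly to the Internet.
ip access-list extended ZSCALER-WEB
 permit tcp 10.1.0.0 0.0.255.255 any eq 80
 permit tcp 10.1.0.0 0.0.255.255 any eq 443

! The primary next hop is the ZEN behind Tunnel2700; the secondary is used
! only while track 10 is down. If both tracks are down the packet falls
! through to normal routing and bypasses the service; add "set interface Null0"
! as a final line to fail closed instead.
route-map zscaler-tunnel permit 10
 match ip address ZSCALER-WEB
 set ip next-hop verify-availability 172.18.58.122 10 track 10
 set ip next-hop verify-availability 172.18.58.126 20 track 20

! Apply the policy on the LAN-facing (ingress) interface, not on the tunnels.
interface Vlan1
 ip policy route-map zscaler-tunnel
```

Choose the fail-open or fail-closed behaviour deliberately: falling through to direct routing keeps users online during an outage but silently removes the inspection and policy enforcement the tunnel was deployed for. `show track`, `show ip sla statistics` and `show route-map zscaler-tunnel` show, respectively, the current reachability decision, the probe results behind it, and how many packets the policy has actually steered.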
To monitor and troubleshoot the GRE tunnel, use the following Cisco IOS commands. The pings target each ZEN's tunnel-side address, so a reply proves the tunnel carries traffic end to end; the interface commands show line protocol state and packet counters:
```
ping 172.18.58.122
ping 172.18.58.126
show interface Tunnel2700
show interface Tunnel2800
```
---
### Configuration Example: Juniper SRX
This example illustrates how to configure a GRE tunnel between a Juniper SRX220 and ZENs in the Zscaler service. The device receives ingress traffic on port ge-0/0/4 and forwards outbound traffic through ge-0/0/0 in the Untrust zone.
Sample Configuration:
To ensure that the GRE tunnel is up and running, use the Juniper commands listed under Troubleshooting below.
Troubleshooting
To troubleshoot the GRE tunnel configuration, use the following commands on Cisco and Juniper devices:
– Cisco: `ping` the ZEN's tunnel-side address; `show ip sla statistics` for the probe results that drive failover; `show route-map zscaler-tunnel` for which sequence matched and how many packets were policy-routed
– Juniper: `ping` the ZEN's tunnel-side address; `show services rpm probe-results` for the probe results; `show services ip-monitoring status` for whether the failover route has been installed