Creating the IPsec tunnel

On each firewall that is part of the GRETAP tunnel, in Configuration > VPN > IPsec VPN > Encryption policy – Tunnels tab:

  1. Click on Add.
  2. Select Site-to-site tunnel.
  3. For the Local network field: select the physical interface that hosts the GRE tunnel (Firewall_out in the example).
  4. For the Remote network field: select an object bearing the public IP address of the remote firewall (Remote_FW in the example).
  5. For the Peer selection field: create (or select if it already exists) a peer with a remote gateway that will be an object bearing the public IP address of remote firewall.
  6. Click on Finish.
For more details on creating peers that use pre-shared key or certificate-based authentication, refer to IPsec VPN - Authentication by pre-shared key and IPsec VPN - Authentication by certificate.

The version of the IKE protocol for this peer must be the same as:
  • The version used on the remote firewall,
  • The version on peers used in the other rules of the IPsec policy in question.
  1. To prevent IPsec tunnels from being set up for protocols other than GRE, and to prevent the encryption of traffic such as ICMP (pings), we recommend that you specify the GRE protocol in the Protocol column.
    If this column does not appear, scroll over the title of any column and expand the right-click menu by clicking on the arrow. Click on Column then select the Protocols checkbox.

Protocol column for Site-to-site tunnels

The IPsec VPN policy will then look like this:

Sample IPSec VPN policy

Since the firewall started sending GRE network packets, filter rules therefore do not need to be created for this protocol.