GRE Configuration and Interoperability Guide


GRE Guide, Rev. C Copyright © 2014 Zscaler - 2 -

Copyright

This document is protected by the United States copyright laws, and is proprietary to Zscaler Inc. Copying, reproducing, integrating, translating, modifying, enhancing, recording by any information storage or retrieval system or any other use of this document, in whole or in part, by anyone other than the authorized employees, customers, users or partners (licensees) of Zscaler, Inc. without the prior written permission from Zscaler, Inc. is prohibited.

Copyright © 2014 Zscaler

Trademark Statements

Zscaler and NanoLog are trademarks or registered trademarks of Zscaler, Inc. All other trademarked names used herein are the properties of their respective owners, and are used for identification purposes only.

GRE Configuration and Interoperability Guide, Rev. C


Contents

GRE Configuration and Interoperability Guide
  About GRE Tunnels
    Deployment Scenarios
  Configuring a GRE Tunnel
    Configuration Tasks
    Step 1: Provision GRE Tunnels
    Step 2: Add a Gateway Location
    Step 3: Configure the Router/Firewall
  Configuration Example: Cisco 881
    Configure the Cisco 881 Router
    Troubleshooting the Cisco 881 Router Configuration
  Configuration Example: Juniper SRX
    Configure the Juniper SRX220 Router
    Troubleshooting
  Complete Sample Configurations
    Complete Sample Configuration for the Cisco 881
    Sample Configuration for the Juniper SRX220


GRE Configuration and Interoperability Guide

A GRE (Generic Routing Encapsulation) tunnel is ideal for forwarding HTTP and HTTPS traffic from your corporate network to the Zscaler service. Use this guide to learn how to configure GRE tunnels to forward traffic to the Zscaler service.

Learn about: GRE Tunnels

Additionally, to learn about other supported traffic forwarding mechanisms, see Forwarding Traffic to the Zscaler Service.


About GRE Tunnels

GRE (Generic Routing Encapsulation) is a tunneling protocol for encapsulating packets inside a transport protocol. A GRE-capable router or firewall encapsulates a payload packet inside a GRE packet, which it then encapsulates in a transport protocol, such as IP, as shown in the following figure.

A GRE tunnel functions like a VPN but without the encryption; it transports packets from one endpoint through the public network to another endpoint.

GRE tunnels typically use keepalive packets to determine whether a tunnel is up. The GRE tunnel source builds a keepalive response packet that is already addressed back to itself, encapsulates it inside a keepalive request packet, and sends the request to the tunnel destination. When the tunnel destination receives the request packet, it simply decapsulates it and forwards the inner response packet back to the originating peer; receiving that response is what tells the source that the tunnel is up. For more information about GRE, refer to RFC 2784, Generic Routing Encapsulation (GRE).
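As an added illustration (not code from the guide), the following Python builds RFC 2784 GRE-in-IPv4 packets and plays both ends of the keepalive exchange described above; the inner keepalive protocol type 0x0000 is an assumption that follows Cisco's convention, and the addresses are the guide's example values.

```python
import socket
import struct

IPPROTO_GRE = 47              # the IP protocol number a firewall ACL must permit for GRE
GRE_PROTO_IPV4 = 0x0800       # GRE protocol type for an IPv4 payload (RFC 2784 reuses EtherTypes)
GRE_PROTO_KEEPALIVE = 0x0000  # assumption: inner keepalive carries protocol type 0, as Cisco routers send


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over a header; a valid header checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(src: str, dst: str, inner: bytes, proto: int = GRE_PROTO_IPV4) -> bytes:
    """Outer IPv4 (protocol 47) + 4-byte GRE header (no C/K/S bits, version 0) + payload."""
    gre = struct.pack("!HH", 0x0000, proto)
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(packet: bytes):
    """Strip one layer and return (outer_src, outer_dst, gre_protocol_type, payload).

    Rejects a non-GRE transport and any GRE version other than 0 (the only one RFC 2784 defines)."""
    if len(packet) < 24:
        raise ValueError("truncated packet")
    ver_ihl, _, total_len, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != IPPROTO_GRE:
        raise ValueError("not GRE over IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    gre = packet[ihl:total_len]
    flags, gre_proto = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = 4 + (4 if flags & 0x8000 else 0)   # C bit set: checksum + reserved1 follow the header
    return socket.inet_ntoa(s), socket.inet_ntoa(d), gre_proto, gre[offset:]


def build_keepalive_request(my_ip: str, peer_ip: str) -> bytes:
    """Tunnel source side: a GRE packet whose payload is a reply already addressed back to us."""
    response = gre_encapsulate(peer_ip, my_ip, b"", GRE_PROTO_KEEPALIVE)
    return gre_encapsulate(my_ip, peer_ip, response)


def peer_forward(packet: bytes) -> bytes:
    """Tunnel destination side: decapsulate once and forward whatever was inside, unchanged."""
    _, _, proto, payload = gre_decapsulate(packet)
    if proto != GRE_PROTO_IPV4:
        raise ValueError("unexpected inner protocol")
    return payload


def is_keepalive_response(packet: bytes, my_ip: str, peer_ip: str) -> bool:
    """Tunnel source side: the returned packet proves the peer decapsulated and routed back to us."""
    s, d, proto, payload = gre_decapsulate(packet)
    return (s, d, proto, payload) == (peer_ip, my_ip, GRE_PROTO_KEEPALIVE, b"")


def tunnel_round_trip(my_ip: str, peer_ip: str) -> bool:
    """One keepalive exchange with both tunnel ends simulated in-process."""
    request = build_keepalive_request(my_ip, peer_ip)
    return is_keepalive_response(peer_forward(request), my_ip, peer_ip)


if __name__ == "__main__":
    # Gateway 192.0.2.2 and primary ZEN 216.66.5.49 are the guide's example addresses.
    print("tunnel up:", tunnel_round_trip("192.0.2.2", "216.66.5.49"))
```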

If your corporate firewall or router supports GRE and its egress port has a static IP address, Zscaler recommends that you configure a GRE tunnel to forward HTTP and HTTPS traffic from your corporate network to the Zscaler service. It provides the following benefits:

- Supports both HTTP and HTTPS traffic.
- Supports failover in case the primary ZEN becomes unavailable.
- Requires minimal overhead.
- Requires no configuration on computers or laptops.
- Users on your corporate network cannot bypass the service.
- Tunneling can provide internal IP address information to Zscaler for use in policy design and logging.

You can also configure PAC files to forward the traffic of users who go on the road and off the corporate network. See Using PAC Files.

Learn about: Deployment Scenarios


Deployment Scenarios

The following are common GRE tunnel deployments:

GRE tunnels from the internal router to the ZENs.

Zscaler recommends that you configure two GRE tunnels from an internal router behind the firewall to the ZENs: a primary tunnel from the router to a ZEN in one data center, and a secondary tunnel from the router to a ZEN in another data center. This type of deployment provides visibility into the internal IP addresses, which can be used for the Zscaler security policies and logging.

In this deployment, the GRE tunnel source IP address is a public IP address that is configured on the loopback interface of the router. On the firewall, you'll need to define a rule that allows GRE traffic from the router. Additionally, if your organization has redundant routers and/or ISPs, as shown in the diagram below, you can configure the routers so that failover to a redundant ISP is automatic.

GRE tunnels from the corporate firewall to the ZENs.

If your corporate firewall supports GRE, your organization can also configure two GRE tunnels from the firewall to the ZENs: a primary tunnel from the firewall to a ZEN in one data center, and a secondary tunnel from the firewall to a ZEN in another data center. On the firewall, you define one rule to send HTTP and HTTPS traffic through the GRE tunnel to the ZENs. Like the first deployment scenario, this type of deployment provides visibility into the internal IP addresses, which can be used for the Zscaler security policies and logging. The firewall applies NAT to all the other traffic, which it sends directly to the Internet.

GRE tunnels from the border router to the ZENs.

If the first two deployments are not feasible, you can configure a GRE tunnel from your border router to the ZENs. This is the least preferred method because the internal IP addresses are not visible. In this type of deployment, you will need to configure the border router to send HTTP and HTTPS traffic to the ZEN and all other traffic to the Internet.

Learn about: Configuring a GRE Tunnel


Configuring a GRE Tunnel

Note the following guidelines when configuring a GRE tunnel to the Zscaler service:

- Zscaler recommends configuring two separate GRE tunnels to two ZENs that are each located in a different data center for high availability. If the primary GRE tunnel or an intermediate connection goes down, all traffic is then rerouted through the backup GRE tunnel to the secondary ZEN.

- Ensure that if the primary tunnel goes down, the router detects it and changes the routing table or routing instance so that the secondary tunnel is used for traffic forwarding, and vice versa.

- Use the GRE tunnel to forward only HTTP and HTTPS traffic to the service. Send all other traffic directly to the Internet.

- If supported, use policy-based routing (PBR) to ensure that only HTTP and HTTPS traffic is sent through the GRE tunnel. PBR is a mechanism that enables a router or firewall to determine where to forward packets based on configured policies. A policy typically includes match criteria and the action that the router or firewall takes on matching traffic. Match criteria can include the source and destination IP addresses and ports, and the protocol, such as HTTP or HTTPS. The action specifies the next hop of the packets. When a packet arrives at a router or firewall with PBR enabled, the device determines whether the packet matches a configured policy and then routes it accordingly, so packets can take different paths based on the match criteria.

- If supported, enable GRE keepalives on the primary and secondary tunnels. When you configure a GRE tunnel to the service, enable GRE keepalives so that traffic can switch from the primary to the secondary tunnel in the event of a failure. Additionally, ensure that the keepalive settings are neither too aggressive nor too slow in detecting when the tunnel is down. If your router or firewall does not support GRE keepalives, you can configure ICMP probes instead. For Cisco routers, you can use IP SLAs to monitor the tunnels. You can set a threshold so that traffic switches from the primary to the secondary tunnel when the threshold is exceeded. For Juniper routers, you can use RPM (real-time performance monitoring) to monitor the tunnels.

- Network Address Translation (NAT). Most firewalls and routers apply the policy-based route that redirects traffic to the tunnel before they apply NAT to the traffic, so the internal client IP addresses of traffic routed through the tunnel are preserved. If your firewall or router performs NAT before it sends traffic through the tunnel, consider disabling NAT for that traffic so that the Zscaler service can see the internal IP addresses. This enables the service to use the internal IP addresses for logging and reporting. Additionally, you can configure sub-locations to identify internal networks whose outbound traffic is encapsulated in the GRE tunnel. When using sub-locations, the service can retrieve the IP addresses of the internal networks and apply custom policies to their traffic. For more information about sub-locations, refer to the Web and Mobile Security Administrator's Guide.

- If your firewall has an ACL blocking inbound connections, configure a rule to allow GRE traffic (IP protocol 47).


Configuration Tasks

To configure GRE tunnels from your corporate network to the Zscaler service:

1. Contact your Zscaler representative or Customer Support to have a GRE tunnel provisioned for your account. You will need the public IP address of your local gateway. See Step 1: Provision GRE Tunnels.

2. Log in to the service portal and add your gateway location. See Step 2: Add a Gateway Location.

3. Configure your router or firewall to allow the GRE tunnel. Refer to the documentation of your router or firewall for configuration instructions. For configuration examples, see Step 3: Configure the Router/Firewall.

Learn about: Step 1: Provision GRE Tunnels


Step 1: Provision GRE Tunnels

Contact Zscaler Customer Support and provide the following information so Zscaler can provision the GRE tunnels:

- Public IP address of the tunnel source
- The physical location of your router or firewall

Zscaler then assigns VIPs (virtual IP addresses) for use as the source and destination addresses inside the tunnel. Zscaler assigns these addresses from a pool of non-routable address space that Zscaler manages to ensure that no two customers attempt to use the same IP addresses. The following is an example of what Zscaler sends to an organization that wants to configure GRE tunnels:

    Tunnel Source IP: 192.0.2.2
    Internal Range: 172.18.58.120 - 172.18.58.127
    Primary Destination: 216.66.5.49
    Internal Router IP: 172.18.58.121/30
    Internal ZEN IP: 172.18.58.122/30
    Secondary Destination: 199.168.149.79
    Internal Router IP: 172.18.58.125/30
    Internal ZEN IP: 172.18.58.126/30

The fields are as follows:

- Tunnel Source IP: the IP address of the tunnel source. This is provided by the customer.
- Internal Range: the IP address range that Zscaler assigned to the organization.
- Primary Destination: the IP address of the ZEN that is the primary tunnel destination. Zscaler has ZENs worldwide and selects the most appropriate ZENs as destinations for your tunnels.
- Internal Router IP (first occurrence): the VIP of the tunnel source for the primary tunnel.
- Internal ZEN IP (first occurrence): the VIP of the tunnel destination for the primary tunnel.
- Secondary Destination: the IP address of the ZEN that is the secondary tunnel destination, selected by Zscaler in the same way.
- Internal Router IP (second occurrence): the VIP of the tunnel source for the secondary tunnel.
- Internal ZEN IP (second occurrence): the VIP of the tunnel destination for the secondary tunnel.

When Zscaler assigns the VIPs, the Zscaler service binds the source and destination addresses to the specified primary and secondary ZENs. The ZENs listen specifically for traffic from the source VIP that is addressed to its destination VIP. When your GRE tunnel sends traffic to the Zscaler service, the ZEN associates the virtual source and destination addresses with your organization.

Learn about: Step 2: Add a Gateway Location


Step 2: Add a Gateway Location

After your IP addresses have been provisioned on the Zscaler service, log in to the service and define your organization's gateway location as follows:

1. Go to Administration > Resources > Locations.

2. Click Add.

3. Enter general information about the location:
   - Type in its Name.
   - Choose the Country.
   - Enter a State/Province, if applicable.
   - Choose the Time Zone of the location. When you specify the location in a policy, the service applies the policy according to the location's time zone. For example, if a Cloud App Control policy blocks posting to Facebook between 8 a.m. and 5 p.m., and the rule is applied to locations in Spain and California, users at each location will be blocked during their respective daytime hours.

4. Choose the IP addresses for the location. The Public IP Addresses list displays the IP addresses that you sent to Zscaler when it provisioned your organization. Choose IP addresses for the location. Optionally, enable the other features on this page. For more information about these features, refer to the Web and Mobile Security Administrator's Guide.

5. Click Save and Activate.

Learn about: Step 3: Configure the Router/Firewall


Step 3: Configure the Router/Firewall

Configure your router or firewall to allow the GRE tunnel. Refer to the documentation of your router or firewall for configuration instructions. The following configuration examples are provided:

- Configuration Example: Cisco 881
- Configuration Example: Juniper SRX

Configuration Example: Cisco 881

This example illustrates how to configure a GRE tunnel between a Cisco 881 and ZENs in the Zscaler service. As shown in the figure, two GRE tunnels are configured between the gateway WAN port, fa4, which has a static public IP address, 192.0.2.2, and two ZENs in two different data centers (216.66.5.49 and 199.168.149.179).

Zscaler has assigned the following IP addresses for the GRE tunnels:

    Tunnel Source IP: 192.0.2.2
    Internal Range: 172.18.58.120 - 172.18.58.127
    Primary Destination: 216.66.5.49
    Internal Router IP: 172.18.58.121/30
    Internal ZEN IP: 172.18.58.122/30
    Secondary Destination: 199.168.149.179
    Internal Router IP: 172.18.58.125/30
    Internal ZEN IP: 172.18.58.126/30

The router receives ingress traffic on ports fa0, fa1, fa2 and fa3. It forwards HTTP and HTTPS traffic to the WAN gateway port, fa4, which uses the GRE tunnel interfaces Tunnel2700 and Tunnel2800 to send that traffic through the GRE tunnels to the Zscaler service. The router performs NAT on the other traffic, which it sends directly to the Internet.


The following steps describe how to configure a GRE tunnel from the Cisco 881 router to the ZENs as depicted in the illustration:

1. Add a gateway location to the Zscaler service.

2. Configure the router.

Configure the Cisco 881 Router

This section provides the steps and commands that were used to configure a tunnel from a Cisco 881 router running IOS version 15.1 to ZENs in different data centers. Refer to the Cisco documentation for information about the commands.

The sample configuration shows how to configure the following on two tunnel interfaces (Tunnel2700 and Tunnel2800) on the gateway WAN port FastEthernet4 (fa4). Note that the tunnel names are arbitrary and you can use different tunnel names in your configuration.

- Tunnel2700 with an IP address of 172.18.58.121 and a destination address of 216.66.5.49.
- Tunnel2800 with an IP address of 172.18.58.125 and a destination address of 199.168.149.179.
- Set the maximum segment size (MSS) to an appropriate value, depending on your network. In this example, the MSS value is set to 1300 so that TCP segments still fit in the path MTU after the GRE and outer IP headers are added.
- NAT is not configured on the tunnel interfaces, so the Zscaler service can log internal IP addresses and you can configure sub-locations.

Sample Configuration

    interface Tunnel2700
     ip address 172.18.58.121 255.255.255.252
     ip virtual-reassembly
     ip tcp adjust-mss 1300
     tunnel source FastEthernet4
     tunnel destination 216.66.5.49
    end

    interface Tunnel2800
     ip address 172.18.58.125 255.255.255.252
     ip virtual-reassembly
     ip tcp adjust-mss 1300
     tunnel source FastEthernet4
     tunnel destination 199.168.149.179
    end

In Cisco IOS routers, policy-based routing is implemented using route maps. The following sample configuration creates an access list that matches the outbound HTTP and HTTPS traffic and defines the route map that sends that traffic over Tunnel2700 first, then Tunnel2800 (with several interfaces in a set clause, the first one whose line protocol is up is used):

Sample Configuration

    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq 443
    route-map zscaler-tunnel permit 10
     match ip address 101
     set interface Tunnel2700 Tunnel2800

Note that you can exclude traffic from specific sources from being redirected to the GRE tunnel. The following example excludes traffic from a host (192.168.1.1) from being redirected to the tunnel. Because an access list is evaluated top-down and the first matching entry wins, the deny entry for the host must precede the permit entries:

Sample Configuration

    access-list 101 deny ip host 192.168.1.1 any
    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq 443
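As an added example (not from the guide), the following Python parses access-list lines in the IOS syntax shown above, applies first-match semantics, and reproduces the route-map decision, including the fall-through to the second tunnel and to normal NAT routing when both tunnels are down. It also generalizes to wildcard-mask entries such as the NAT access list later in the configuration; the packet model and the tunnel-state dictionary are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "telnet": 23}   # IOS port keywords that appear in the guide's ACLs


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


def _parse_addr(tok, i):
    """Consume one IOS address spec (any | host A | A wildcard) starting at tok[i]."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tok[i + 1]))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)   # wildcard bits are inverted mask bits
    return ipaddress.ip_network(f"{tok[i]}/{netmask}", strict=False), i + 2


def parse_acl_line(line):
    """'access-list N permit|deny proto src dst [eq port]' -> (permit, proto, src_net, dst_net, dport)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    permit = tok[2] == "permit"
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return permit, tok[3], src, dst, dport


def acl_permits(entries, pkt):
    """IOS semantics: entries are tried in order, the first match decides, implicit deny at the end."""
    for permit, proto, src, dst, dport in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src is not None and ipaddress.ip_address(pkt.src) not in src:
            continue
        if dst is not None and ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return permit
    return False


def policy_route(pkt, acl_entries, tunnel_up, set_interfaces=("Tunnel2700", "Tunnel2800")):
    """route-map zscaler-tunnel: a matching packet goes to the first listed tunnel that is up;
    if no tunnel is up, or the packet does not match, it falls back to the normal (NAT) route."""
    if acl_permits(acl_entries, pkt):
        for ifname in set_interfaces:
            if tunnel_up.get(ifname, False):
                return ifname
    return "NAT-default"


# The guide's access-list 101 with the source-host exclusion.
ACL_101_LINES = [
    "access-list 101 deny ip host 192.168.1.1 any",
    "access-list 101 permit tcp any any eq www",
    "access-list 101 permit tcp any any eq 443",
]
ACL_101 = [parse_acl_line(line) for line in ACL_101_LINES]

if __name__ == "__main__":
    # Constructed packets from the VLAN 2 subnet (10.65.199.128/25) to a documentation-range web server.
    both_up = {"Tunnel2700": True, "Tunnel2800": True}
    primary_down = {"Tunnel2700": False, "Tunnel2800": True}
    web = Packet("tcp", "10.65.199.140", "198.51.100.5", 443)
    dns = Packet("udp", "10.65.199.140", "198.51.100.53", 53)
    excluded = Packet("tcp", "192.168.1.1", "198.51.100.5", 80)
    for pkt, state in [(web, both_up), (web, primary_down), (dns, both_up), (excluded, both_up)]:
        print(pkt, "->", policy_route(pkt, ACL_101, state))
```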

In this example, we assume that the ingress traffic is received by the router on ports fa0 to fa3 in VLAN 2. The IP addresses on these ports are assigned by DHCP, and their HTTP and HTTPS traffic is forwarded to the GRE tunnels 2700 and 2800. NAT is performed on the remaining traffic.

Sample Configuration

    interface FastEthernet0
     switchport access vlan 2
    !
    interface FastEthernet1
     switchport access vlan 2
    !
    interface FastEthernet2
     switchport access vlan 2

    !
    interface FastEthernet3
     switchport access vlan 2
    !
    interface FastEthernet4
     description $ES_WAN$
     ip address dhcp client-id FastEthernet4 hostname 10.35.3.41
     ip access-group 80 in
     ip access-group 80 out
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    !
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
     no ip address
     ip access-group 100 in
     ip access-group 100 out
     ip tcp adjust-mss 1452
    !
    interface Vlan2
     ip address 10.65.199.129 255.255.255.128
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1452
     ip policy route-map zscaler-tunnel
    !
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source list NAT interface FastEthernet4 overload

    ip route 0.0.0.0 0.0.0.0 10.96.13.254
    !
    ip access-list extended NAT
     permit ip 10.65.199.0 0.0.0.255 any
     deny ip any any
    !
    logging esm config
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 23 permit 30.30.30.0 0.0.0.7
    access-list 23 permit 10.65.199.0 0.0.0.255
    access-list 80 permit any
    access-list 100 permit ip any any
    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq 443
    access-list 120 permit ip any any
    access-list 180 permit ip 10.0.0.0 0.255.255.255 any
    no cdp run
    route-map zscaler-tunnel permit 10
     match ip address 101
     set interface Tunnel2700 Tunnel2800
    !

Enable IP SLAs to monitor the tunnels. You can set a threshold for HTTP page load times so that traffic switches from the primary to the secondary tunnel when the threshold is exceeded. Zscaler recommends that you use the ZEN IP address as the monitored address, to ensure that the address is reachable and routable through the tunnel. For example, you can specify the Cloud Performance Monitor Test page of the ZEN at which the GRE tunnel terminates (zen_ip-address/test), as shown in the sample configuration.

Sample Configuration

    ip sla 1
     http raw http://172.17.160.174
     timeout 300
     threshold 300
     http-raw-request
      GET http://216.66.5.49/test/ HTTP/1.0\r\n
      User-Agent: Cisco IP SLA\r\n
      end\r\n
      \r\n

      \r\n
      \r\n
     exit
    ip sla reaction-configuration 1 react rtt threshold-value 300 1 threshold-type consecutive 3
    ip sla schedule 1 life forever start-time now
    ip sla 2
     http raw http://172.17.160.174
     timeout 300
     threshold 300
     http-raw-request
      GET http://199.168.149.179/test/ HTTP/1.0\r\n
      User-Agent: Cisco IP SLA\r\n
      end\r\n
      \r\n
      \r\n
      \r\n
     exit
    ip sla reaction-configuration 2 react rtt threshold-value 300 1 threshold-type consecutive 3
    ip sla schedule 2 life forever start-time now
    access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
    access-list 100 deny ip any any
    !

Troubleshooting the Cisco 881 Router Configuration

Following are some sample commands that you can use to monitor and troubleshoot the GRE tunnel.

Ping the Zscaler internal tunnel IP address to validate that the tunnel is up and routing is correct:

    ping 172.18.58.122
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.58.122, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

    ping 172.18.58.126
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.58.126, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Ensure that the tunnel interface and line protocol are up using the show interfaces tunnel command, as shown below:

    show int tun 2800
    Tunnel2800 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 172.18.58.125/30
      MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive set (5 sec), retries 3
      Tunnel source 192.0.2.2 (FastEthernet4), destination 199.168.149.179
       Tunnel Subblocks:
          src-track:
             Tunnel2800 source tracking subblock associated with FastEthernet4
              Set of tunnels with source FastEthernet4, 19 members (includes iterators), on interface <OK>
      Tunnel protocol/transport GRE/IP
        Key disabled, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled
      Tunnel transport MTU 1476 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input never, output 00:00:02, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         5450 packets input, 3690507 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         588861 packets output, 29175729 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out

View the track status:

    VPN-test#show track
    Track 400
      IP SLA 400 reachability
      Reachability is Down
        3 changes, last change 00:16:23
      Latest operation return code: Timeout
    Track 500
      IP SLA 500 reachability
      Reachability is Up
        2 changes, last change 01:01:27
      Latest operation return code: OK
      Latest RTT (millisecs) 1

View the SLA statistics:

    VPN-test#show ip sla statistics
    IPSLAs Latest Operation Statistics

    IPSLA operation id: 2
    Number of successes: Unknown
    Number of failures: Unknown
    Operation time to live: 0

    IPSLA operation id: 400
    Latest RTT: NoConnection/Busy/Timeout
    Latest operation start time: *02:29:07.511 UTC Sat May 19 2012
    Latest operation return code: Timeout
    Number of successes: 0
    Number of failures: 2
    Operation time to live: Forever

    IPSLA operation id: 500
    Latest RTT: 1 milliseconds
    Latest operation start time: *02:29:10.719 UTC Sat May 19 2012
    Latest operation return code: OK
    Number of successes: 2
    Number of failures: 0
    Operation time to live: Forever

Ensure that the router applies the route map to the appropriate traffic:

    show route-map zscaler-tunnel
    route-map zscaler-tunnel, permit, sequence 10
      Match clauses:
        ip address (access-lists): 101
      Set clauses:
        interface Tunnel700 Tunnel1500
      Policy routing matches: 76258 packets, 17131024 bytes
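As an added example (not from the guide), the following Python turns the checks above into an automated health check: it parses constructed excerpts in the format of the guide's show interfaces tunnel and show track output, flags a tunnel whose line protocol is down, whose keepalive is missing, whose destination differs from the provisioned ZEN, or whose MSS does not fit the tunnel transport MTU, and reports which tunnel the tracks currently select. The 40-byte inner IP+TCP header allowance and the track-to-tunnel mapping are assumptions.

```python
import re

# Constructed excerpts in the format of the guide's "show int tun" and "show track" output.
SHOW_INT_TUNNEL = """\
Tunnel2800 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 172.18.58.125/30
  Keepalive set (5 sec), retries 3
  Tunnel source 192.0.2.2 (FastEthernet4), destination 199.168.149.179
  Tunnel protocol/transport GRE/IP
  Tunnel transport MTU 1476 bytes
"""

SHOW_TRACK = """\
Track 400
  IP SLA 400 reachability
  Reachability is Down
  3 changes, last change 00:16:23
  Latest operation return code: Timeout
Track 500
  IP SLA 500 reachability
  Reachability is Up
  2 changes, last change 01:01:27
  Latest operation return code: OK
  Latest RTT (millisecs) 1
"""


def parse_show_tunnel(text):
    """Pull the fields the guide tells you to check out of 'show interfaces tunnel N' output."""
    info = {"keepalive": None, "transport_mtu": None, "destination": None}
    m = re.search(r"^(\S+) is (\w+), line protocol is (\w+)", text, re.M)
    if not m:
        raise ValueError("no interface status line")
    info["name"], info["admin"], info["protocol"] = m.groups()
    m = re.search(r"Keepalive set \((\d+) sec\), retries (\d+)", text)
    if m:
        info["keepalive"] = (int(m.group(1)), int(m.group(2)))
    m = re.search(r"Tunnel source (\S+) \((\S+)\), destination (\S+)", text)
    if m:
        info["source"], info["source_if"], info["destination"] = m.groups()
    m = re.search(r"Tunnel transport MTU (\d+) bytes", text)
    if m:
        info["transport_mtu"] = int(m.group(1))
    return info


def parse_show_track(text):
    """Map track number -> reachability, latest return code and RTT from 'show track' output."""
    tracks, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Track (\d+)", line)
        if m:
            cur = int(m.group(1))
            tracks[cur] = {}
            continue
        if cur is None:
            continue
        for key, pat in (("reachability", r"Reachability is (\w+)"),
                         ("return_code", r"Latest operation return code: (\w+)"),
                         ("rtt_ms", r"Latest RTT \(millisecs\) (\d+)")):
            m = re.search(pat, line)
            if m:
                tracks[cur][key] = int(m.group(1)) if key == "rtt_ms" else m.group(1)
    return tracks


def tunnel_findings(tun, expected_destination, configured_mss=1300):
    """Return a list of problems; an empty list means the tunnel passes the guide's checks."""
    problems = []
    if tun["admin"] != "up" or tun["protocol"] != "up":
        problems.append(f"{tun['name']}: interface {tun['admin']}, line protocol {tun['protocol']}")
    if tun["keepalive"] is None:
        problems.append(f"{tun['name']}: no GRE keepalive configured, failover will not trigger")
    if tun["destination"] != expected_destination:
        problems.append(f"{tun['name']}: destination {tun['destination']} != {expected_destination}")
    # Assumption: inner IPv4 + TCP headers without options take 40 bytes, so the MSS must leave
    # room for them inside the tunnel transport MTU or segments get fragmented in the tunnel.
    if tun["transport_mtu"] and configured_mss > tun["transport_mtu"] - 40:
        problems.append(f"{tun['name']}: MSS {configured_mss} exceeds {tun['transport_mtu'] - 40}")
    return problems


def failover_state(tracks, primary, secondary):
    """Which tunnel carries traffic, given the track numbers bound to each tunnel's IP SLA probe."""
    if tracks.get(primary, {}).get("reachability") == "Up":
        return "primary"
    if tracks.get(secondary, {}).get("reachability") == "Up":
        return "secondary"
    return "none"


if __name__ == "__main__":
    tun = parse_show_tunnel(SHOW_INT_TUNNEL)
    print(tunnel_findings(tun, "199.168.149.179") or "Tunnel2800 healthy")
    print("active tunnel:", failover_state(parse_show_track(SHOW_TRACK), primary=400, secondary=500))
```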


Configuration Example: Juniper SRX

This example illustrates how to configure a GRE tunnel between a Juniper SRX220 running Junos OS version 11.4 and ZENs in the Zscaler service. As shown in the figure, primary and secondary GRE tunnels are configured from the gateway port of the Juniper SRX to two ZENs in the Zscaler service. The public IP address of the gateway port, ge-0/0/0, on the router is 192.0.2.2.

Zscaler has assigned the following IP addresses for the GRE tunnels:

    Tunnel Source IP: 192.0.2.2
    Internal Range: 172.18.58.120 - 172.18.58.127
    Primary Destination: 216.66.5.49
    Internal Router IP: 172.18.58.121/30
    Internal ZEN IP: 172.18.58.122/30
    Secondary Destination: 199.168.149.179
    Internal Router IP: 172.18.58.125/30
    Internal ZEN IP: 172.18.58.126/30

The router receives ingress traffic on port ge-0/0/4. It forwards outbound traffic to ge-0/0/0 in the Untrust zone, which is the tunnel source for the two GRE units, gr-0/0/0.0 and gr-0/0/0.1, that send HTTP and HTTPS traffic through the GRE tunnels to the Zscaler service. It performs NAT on the non-Web traffic that it sends directly to the Internet.

To configure the Juniper SRX220:

1. Add a gateway location to the Zscaler service.

2. Configure the Juniper SRX220.


Configure the Juniper SRX220 Router

This section provides the sample configuration for configuring GRE tunnel interfaces on a Juniper SRX220 router running Junos OS 11.4. Refer to the Juniper documentation for information about the commands.

Note that the Juniper SRX220 does not support GRE keepalives, so ICMP probes (Junos RPM) are used to monitor the tunnels instead.

Configure the following two GRE units on gr-0/0/0. Both use the public address of ge-0/0/0 (192.0.2.2) as the tunnel source:

gr-0/0/0 unit 0
  Secondary tunnel interface. Its IP address is 172.18.58.125/30, and its tunnel destination is 199.168.149.179.

gr-0/0/0 unit 1
  Primary tunnel interface. Its IP address is 172.18.58.121/30, and its tunnel destination is 216.66.5.49.

Note that the sample sets family inet mtu 1500 on both GRE units, which is the same as the MTU of the underlying ge-0/0/0. GRE encapsulation adds a 20-byte outer IPv4 header and a 4-byte GRE header, so full-size inner packets will be fragmented on the way out unless the inner MTU is lowered (to 1476 or less) or the TCP MSS is clamped; the Cisco 881 configuration later in this guide uses ip tcp adjust-mss 1300 on its tunnel interfaces for this reason.

Sample Configuration

root# run show configuration interfaces
..
..
ge-0/0/0 {
    unit 0 {
        family inet {
            dhcp;
        }
    }
}
gr-0/0/0 {
    unit 0 {
        description backup-tunnel;
        tunnel {
            source 192.0.2.2;
            destination 199.168.149.179;
        }
        family inet {
            mtu 1500;
            address 172.18.58.125/30;
        }
    }
    unit 1 {
        description primary-tunnel;
        tunnel {
            source 192.0.2.2;
            destination 216.66.5.49;
        }
        family inet {
            mtu 1500;
            address 172.18.58.121/30;
        }
    }
}

Create a forwarding routing instance for the GRE tunnels. The firewall filter configured later redirects HTTP and HTTPS traffic into this instance, and RPM probes that specify a routing-instance instead of a source-address use it as well. Ensure that the static route through the secondary tunnel, gr-0/0/0.0, has a higher preference value (200 here) than the route through the primary tunnel, gr-0/0/0.1, which keeps the Junos default static preference of 5. In Junos the lower preference wins, so the primary tunnel carries the traffic while both routes are present and the secondary route is used only when the primary route is withdrawn.

Sample Configuration

root# run show configuration routing-instances
traffic_tunnel {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 {
                qualified-next-hop gr-0/0/0.0 {
                    preference 200;
                }
                qualified-next-hop gr-0/0/0.1;
            }
        }
    }
}

Use a rib-group so that the interface routes in inet.0 are also installed in the routing table of the GRE tunnel routing instance, traffic_tunnel.inet.0. Without them the instance cannot resolve the directly connected tunnel and LAN prefixes.

Sample Commands

root# run show configuration routing-options
interface-routes {
    rib-group inet global-rib;
}
rib-groups {
    global-rib {
        import-rib [ inet.0 traffic_tunnel.inet.0 ];
    }
}

At this point, the GRE tunnels have been created and the routes inserted. Create two ICMP-based RPM probes to monitor the GRE endpoints on the Zscaler service (172.18.58.122 and 172.18.58.126). Each probe is sourced from the router's own address on that tunnel, so the ZEN's replies come back through the tunnel being monitored. With probe-count 5 and thresholds of successive-loss 5 and total-loss 5, a test is marked failed only when all five probes in it are lost.

Sample Commands

root# run show configuration services rpm
probe icmp_gre {
    test icmp {
        probe-type icmp-ping;
        target address 172.18.58.122;
        probe-count 5;
        probe-interval 5;
        test-interval 10;
        source-address 172.18.58.121;
        thresholds {
            successive-loss 5;
            total-loss 5;
        }
    }
}
probe icmp_gre_backup {
    test icmp_backup {
        probe-type icmp-ping;
        target address 172.18.58.126;
        probe-count 5;
        probe-interval 5;
        test-interval 10;
        source-address 172.18.58.125;
        thresholds {
            successive-loss 5;
            total-loss 5;
        }
    }
}


Enable IP monitoring for the probes. If the probe to the primary ZEN endpoint 172.18.58.122 fails, policy failover installs a preferred default route in the traffic_tunnel instance whose next hop is 172.18.58.126, the ZEN address on the secondary tunnel (gr-0/0/0.0), so that traffic moves from the primary to the secondary tunnel. Policy failover_backup does the reverse when the secondary tunnel's probe fails. When a probe recovers, its preferred route is withdrawn and the static routes of the instance take effect again.

Sample Commands

root# run show configuration services ip-monitoring
policy failover {
    match {
        rpm-probe icmp_gre;
    }
    then {
        preferred-route {
            routing-instances traffic_tunnel {
                route 0.0.0.0/0 {
                    next-hop 172.18.58.126;
                }
            }
        }
    }
}
policy failover_backup {
    match {
        rpm-probe icmp_gre_backup;
    }
    then {
        preferred-route {
            routing-instances traffic_tunnel {
                route 0.0.0.0/0 {
                    next-hop 172.18.58.122;
                }
            }
        }
    }
}
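The probes and the ip-monitoring policies only work as a pair if their addresses line up: each probe must be sourced from the router side of one tunnel /30 and aimed at the ZEN side of the same /30, and each policy must install a next hop that lies on the other tunnel. The following Python script is an added example, not part of this guide or of Juniper's software. It models the GRE units, probes and policies from this page as data and checks those relationships; the dataclass and function names are its own, and the misconfigured variant it builds is constructed to show what a wrong next hop looks like.

```python
"""Consistency check for the two-tunnel GRE failover design (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface


@dataclass(frozen=True)
class GreUnit:
    name: str                  # Junos logical interface, e.g. "gr-0/0/0.1"
    address: IPv4Interface     # router-side inner address with its /30 prefix
    destination: IPv4Address   # public ZEN address, the outer tunnel endpoint

    @property
    def zen_address(self) -> IPv4Address:
        # The other usable host of the /30 is the ZEN's inner address.
        hosts = list(self.address.network.hosts())
        return hosts[1] if hosts[0] == self.address.ip else hosts[0]


@dataclass(frozen=True)
class IcmpProbe:
    name: str
    source: IPv4Address        # rpm ... source-address
    target: IPv4Address        # rpm ... target address


@dataclass(frozen=True)
class FailoverPolicy:
    name: str
    probe: str                 # ip-monitoring ... match rpm-probe
    next_hop: IPv4Address      # ... then preferred-route ... next-hop


def check_design(units, probes, policies):
    """Return a list of problems found; an empty list means the design is consistent."""
    problems = []
    by_router_ip = {u.address.ip: u for u in units}
    zen_addresses = {u.zen_address for u in units}
    by_probe = {p.name: p for p in probes}

    if len({u.destination for u in units}) != len(units):
        problems.append("two tunnels terminate on the same ZEN; failover would go nowhere")

    for p in probes:
        unit = by_router_ip.get(p.source)
        if unit is None:
            problems.append(f"{p.name}: source {p.source} is not a router-side tunnel address")
        elif p.target != unit.zen_address:
            problems.append(f"{p.name}: target {p.target} is not the ZEN side of {unit.name}")

    for pol in policies:
        probe = by_probe.get(pol.probe)
        if probe is None:
            problems.append(f"{pol.name}: references unknown probe {pol.probe}")
            continue
        watched = by_router_ip.get(probe.source)
        if watched is not None and pol.next_hop == watched.zen_address:
            problems.append(f"{pol.name}: next-hop {pol.next_hop} is on the tunnel being monitored ({watched.name})")
        elif pol.next_hop not in zen_addresses:
            problems.append(f"{pol.name}: next-hop {pol.next_hop} is not any tunnel's ZEN address")
    return problems


def build_page_design():
    """The addresses, probes and policies exactly as configured on this page."""
    units = [
        GreUnit("gr-0/0/0.1", IPv4Interface("172.18.58.121/30"), IPv4Address("216.66.5.49")),
        GreUnit("gr-0/0/0.0", IPv4Interface("172.18.58.125/30"), IPv4Address("199.168.149.179")),
    ]
    probes = [
        IcmpProbe("icmp_gre", IPv4Address("172.18.58.121"), IPv4Address("172.18.58.122")),
        IcmpProbe("icmp_gre_backup", IPv4Address("172.18.58.125"), IPv4Address("172.18.58.126")),
    ]
    policies = [
        FailoverPolicy("failover", "icmp_gre", IPv4Address("172.18.58.126")),
        FailoverPolicy("failover_backup", "icmp_gre_backup", IPv4Address("172.18.58.122")),
    ]
    return units, probes, policies


def page_design_problems():
    return check_design(*build_page_design())


def misconfigured_design_problems():
    """Constructed variant (not from the page): the primary policy's next hop is
    typed as the primary ZEN itself, so a primary failure would re-install a
    route towards the dead tunnel and failover would be a no-op."""
    units, probes, policies = build_page_design()
    policies[0] = FailoverPolicy("failover", "icmp_gre", IPv4Address("172.18.58.122"))
    return check_design(units, probes, policies)


if __name__ == "__main__":
    print("page design:", page_design_problems() or "consistent")
    print("misconfigured:", misconfigured_design_problems())
```

Run it before committing a change to either tunnel's addressing; the check is deliberately independent of the Junos syntax so it can be fed from a parsed `show configuration | display set` just as easily as from the literals above.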

Use policy-options to define the prefix lists, and a firewall filter that sends HTTP and HTTPS traffic from the internal network (192.168.0.0/16) into the traffic_tunnel routing instance while all other traffic is accepted and forwarded using the default routing table, inet.0. Filter terms are evaluated in order and the first match wins, so the zscalernoredirect term, which exempts destinations in 13.13.13.0/24 from redirection, must be placed before the redirect term.

Sample Commands

root# run show configuration policy-options
prefix-list zscalernoredirect {
    13.13.13.0/24;
}
prefix-list zscalerredirect {
    192.168.0.0/16;
}

[edit]
root# run show configuration firewall
filter zscalerredirect {
    term zscalernoredirect {
        from {
            destination-prefix-list {
                zscalernoredirect;
            }
        }
        then accept;
    }
    term zscalerredirect {
        from {
            source-prefix-list {
                zscalerredirect;
            }
            destination-port [ http https ];
        }
        then {
            routing-instance traffic_tunnel;
        }
    }
    term allow-everything-else {
        from {
            destination-port 0-65535;
        }
        then accept;
    }
}
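Because the filter's terms are evaluated top to bottom and the first match wins, a bypass prefix list added later in the term order silently stops working. The following Python model is an added example, not part of this guide or of Junos. It walks the three terms of zscalerredirect over a few constructed packets and shows what changes when the bypass term is placed after the redirect term. It models only the matches used on this page (prefix lists and destination ports), treats allow-everything-else as a catch-all, and uses constructed addresses (TEST-NET-2 for the Internet side).

```python
"""First-match model of the zscalerredirect firewall filter (added example)."""
from ipaddress import ip_address, ip_network

ZSCALER_NOREDIRECT = [ip_network("13.13.13.0/24")]   # prefix-list zscalernoredirect
ZSCALER_REDIRECT = [ip_network("192.168.0.0/16")]    # prefix-list zscalerredirect
WEB_PORTS = {80, 443}                                # destination-port [ http https ]

TUNNEL = "routing-instance traffic_tunnel"
ACCEPT = "accept"                                    # forwarded using inet.0


def in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


# Each term: (name, match predicate over (src, dst, dport), action), in the
# order the page configures them.
TERMS = [
    ("zscalernoredirect", lambda s, d, p: in_any(d, ZSCALER_NOREDIRECT), ACCEPT),
    ("zscalerredirect", lambda s, d, p: in_any(s, ZSCALER_REDIRECT) and p in WEB_PORTS, TUNNEL),
    ("allow-everything-else", lambda s, d, p: True, ACCEPT),   # modeled as a catch-all
]

# The same terms with the bypass term mistakenly placed after the redirect term.
SWAPPED_TERMS = [TERMS[1], TERMS[0], TERMS[2]]


def evaluate(src, dst, dport, terms=TERMS):
    """Return (term name, action) for the first matching term.

    A Junos filter discards anything no term accepts, so (None, "discard") is
    returned if the terms are exhausted; the catch-all term prevents that,
    which is the purpose of allow-everything-else on the page."""
    s, d = ip_address(src), ip_address(dst)
    for name, match, action in terms:
        if match(s, d, dport):
            return name, action
    return None, "discard"


# Constructed sample packets: (source, destination, destination port).
SAMPLES = [
    ("192.168.1.50", "198.51.100.7", 443),   # LAN host browsing the Internet
    ("192.168.1.50", "13.13.13.10", 443),    # LAN host to an exempted destination
    ("192.168.1.50", "198.51.100.7", 22),    # LAN host, non-web traffic
    ("10.0.0.5", "198.51.100.7", 80),        # web traffic from outside the redirect range
]


def classify(terms=TERMS):
    """Map each sample packet to the term and action that handle it."""
    return {pkt: evaluate(*pkt, terms=terms) for pkt in SAMPLES}


if __name__ == "__main__":
    for order, terms in (("as configured", TERMS), ("bypass term after redirect", SWAPPED_TERMS)):
        print(order)
        for pkt, (term, action) in classify(terms).items():
            print(f"  {pkt[0]:>14} -> {pkt[1]:<14}:{pkt[2]:<5} {term:<22} {action}")
```

With the terms in the page's order the exempted destination is accepted into inet.0; with the bypass term moved after the redirect term the same packet is sent into the tunnel, which is the failure mode to test for whenever the filter is edited.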

Apply the filter as an input filter on the interface that receives the ingress traffic to be sent through the GRE tunnel. Note that the filter can be applied only under family inet; it cannot be applied to an interface configured for family ethernet-switching.


Sample Configuration

ge-0/0/4 {
    unit 0 {
        family inet {
            filter {
                input zscalerredirect;
            }
            address 192.168.1.101/24;
        }
    }
}

Ensure that the security zones are created and that their security policies allow the specified traffic from the Trust to the Untrust zone and vice versa. Both GRE units must belong to a zone (untrust in this sample); the SRX does not forward transit traffic over an interface that is not in a zone. Note that this sample opens host-inbound-traffic system-services all on both zones, including the Internet-facing ge-0/0/0.0; restrict that to the services actually needed before reusing the configuration in production.

Sample Configuration

root# run show configuration security zones
security-zone trust {
    address-book {
        address local-net 192.168.0.0/16;
    }
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        vlan.0;
        ge-0/0/4.0;
    }
}
security-zone untrust {
    screen untrust-screen;
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    tftp;
                    all;
                }
            }
        }
        gr-0/0/0.0;
        gr-0/0/0.1;
    }
}

Configure security policies that allow the specified traffic from the Trust to the Untrust zone and vice versa. The SRX is stateful, so return traffic for sessions opened from the trust zone is admitted by the session table without an untrust-to-trust policy; the any/any untrust-to-trust permit in this sample also admits unsolicited inbound connections and should be removed or restricted to what is actually required before the configuration is used in production.

Sample Configuration

Here are the security policies:

root# run show configuration security policies
from-zone untrust to-zone trust {
    policy untrust-to-trust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone trust to-zone untrust {
    policy any-permit {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

Troubleshooting

This section provides some sample commands that you can use to monitor and troubleshoot the GRE

tunnel.

Ensure that you can ping the GRE endpoints on the Zscaler service, using the router's address on each tunnel as the source so that the ZEN's replies return through that tunnel:

root# run ping 172.18.58.126 source 172.18.58.125
PING 172.18.58.126 (172.18.58.126): 56 data bytes
64 bytes from 172.18.58.126: icmp_seq=0 ttl=64 time=8.029 ms
64 bytes from 172.18.58.126: icmp_seq=1 ttl=64 time=2.107 ms
^C
--- 172.18.58.126 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.107/5.068/8.029/2.961 ms

[edit]
root# run ping 172.18.58.122 source 172.18.58.121
PING 172.18.58.122 (172.18.58.122): 56 data bytes
64 bytes from 172.18.58.122: icmp_seq=0 ttl=64 time=2.337 ms
64 bytes from 172.18.58.122: icmp_seq=1 ttl=64 time=2.257 ms
64 bytes from 172.18.58.122: icmp_seq=2 ttl=64 time=2.423 ms
^C
--- 172.18.58.122 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.257/2.339/2.423/0.068 ms

Ensure that ip-monitoring is working. With both probes passing, both route actions show NOT-APPLIED, meaning the static routes of the traffic_tunnel instance are in effect; a route action showing APPLIED means that probe has failed and traffic has been moved to the other tunnel.

root# run show services ip-monitoring status

Policy - failover (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    icmp_gre               icmp            172.18.58.122    PASS
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    traffic_tunnel    0.0.0.0/0         172.18.58.126    NOT-APPLIED

Policy - failover_backup (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    icmp_gre_backup        icmp_backup     172.18.58.126    PASS
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    traffic_tunnel    0.0.0.0/0         172.18.58.122    NOT-APPLIED

[edit]
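Reading the ip-monitoring status by eye works for one box; across a fleet it is worth parsing. The following Python script is an added example, not part of this guide or of Junos. It parses the output shown above (embedded below as copied from this page) together with a constructed sample of the failed state, and raises an alert when a probe is not PASS or when a preferred route is APPLIED, which means traffic has already been moved off the monitored tunnel. The field names in the parsed records are this example's own.

```python
"""Parser and alert check for 'show services ip-monitoring status' (added example)."""
import re

POLICY_RE = re.compile(r"^Policy - (\S+) \(Status: (\w+)\)")
PROBE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(PASS|FAIL)$")
ROUTE_RE = re.compile(r"^(\S+)\s+(\S+/\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(APPLIED|NOT-APPLIED)$")

# Output copied from this page: both probes pass, no failover route applied.
HEALTHY_SAMPLE = """\
Policy - failover (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    icmp_gre               icmp            172.18.58.122    PASS
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    traffic_tunnel    0.0.0.0/0         172.18.58.126    NOT-APPLIED

Policy - failover_backup (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    icmp_gre_backup        icmp_backup     172.18.58.126    PASS
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    traffic_tunnel    0.0.0.0/0         172.18.58.122    NOT-APPLIED
"""

# Constructed sample (not from the page): the primary probe has failed and
# ip-monitoring has installed the preferred route towards the secondary ZEN.
FAILED_SAMPLE = """\
Policy - failover (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    icmp_gre               icmp            172.18.58.122    FAIL
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    traffic_tunnel    0.0.0.0/0         172.18.58.126    APPLIED

Policy - failover_backup (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    icmp_gre_backup        icmp_backup     172.18.58.126    PASS
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    traffic_tunnel    0.0.0.0/0         172.18.58.122    NOT-APPLIED
"""


def parse_ip_monitoring(text):
    """Return one dict per policy with its status, probe rows and route-action rows."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            current = {"policy": m.group(1), "status": m.group(2), "probes": [], "routes": []}
            policies.append(current)
            continue
        if current is None:
            continue          # text before the first policy block
        m = PROBE_RE.match(line)
        if m:
            current["probes"].append({"probe": m.group(1), "test": m.group(2),
                                      "address": m.group(3), "status": m.group(4)})
            continue
        m = ROUTE_RE.match(line)
        if m:
            current["routes"].append({"instance": m.group(1), "route": m.group(2),
                                      "next_hop": m.group(3), "state": m.group(4)})
    return policies


def alerts(policies):
    """Conditions worth paging on: a failing probe, or a failover route in effect."""
    out = []
    for p in policies:
        for pr in p["probes"]:
            if pr["status"] != "PASS":
                out.append(f"{p['policy']}: probe {pr['probe']} to {pr['address']} is {pr['status']}")
        for r in p["routes"]:
            if r["state"] == "APPLIED":
                out.append(f"{p['policy']}: preferred route {r['route']} via {r['next_hop']} is APPLIED in {r['instance']}")
    return out


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY_SAMPLE), ("failed", FAILED_SAMPLE)):
        print(label, alerts(parse_ip_monitoring(sample)) or "no alerts")
```

The APPLIED check matters as much as the probe check: a tunnel can recover and flap, and the route-action state is what tells you where the traffic is actually going right now.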

Check the routing table and the Zscaler GRE routing instance. In the following commands,

traffic_tunnel.inet.0 is used for GRE traffic routing. It is pointing to gr-0/0/0.1 as the primary route and

to gr-0/0/0.0 as the secondary route.

root# run show route

inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Access-internal/12] 05:34:30
                    > to 10.96.13.254 via ge-0/0/0.0
10.32.32.0/24      *[Static/5] 05:34:30
                    > to 10.96.13.254 via ge-0/0/0.0
10.96.13.0/24      *[Direct/0] 05:34:30
                    > via ge-0/0/0.0
192.0.2.2/32       *[Local/0] 05:34:30
                      Local via ge-0/0/0.0
98.139.183.0/24    *[Static/5] 02:23:05
                    > via gr-0/0/0.1
172.18.58.144/30   *[Direct/0] 01:28:06
                    > via gr-0/0/0.1
172.18.58.121/32   *[Local/0] 01:28:06
                      Local via gr-0/0/0.1
172.18.58.148/30   *[Direct/0] 01:28:06
                    > via gr-0/0/0.0
172.18.58.125/32   *[Local/0] 01:28:06
                      Local via gr-0/0/0.0
192.168.1.1/32     *[Local/0] 05:34:51
                      Reject
192.168.1.101/32   *[Local/0] 01:58:54
                      Reject

traffic_tunnel.inet.0: 9 destinations, 10 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 02:23:05
                    > via gr-0/0/0.1
                    [Static/200] 05:34:41
                    > via gr-0/0/0.0
10.96.13.0/24      *[Direct/0] 05:34:30
                    > via ge-0/0/0.0
192.0.2.2/32       *[Local/0] 05:34:30
                      Local via ge-0/0/0.0
172.18.58.144/30   *[Direct/0] 01:28:06
                    > via gr-0/0/0.1
172.18.58.121/32   *[Local/0] 01:28:06
                      Local via gr-0/0/0.1
172.18.58.148/30   *[Direct/0] 01:28:06
                    > via gr-0/0/0.0
172.18.58.125/32   *[Local/0] 01:28:06
                      Local via gr-0/0/0.0
192.168.1.1/32     *[Local/0] 02:09:21
                      Reject
192.168.1.101/32   *[Local/0] 01:09:26
                      Reject

Check the probe status:

root# run show services rpm probe-results
    Owner: icmp_gre, Test: icmp
    Target address: 172.18.58.122, Source address: 172.18.58.121,
    Probe type: icmp-ping, Test size: 5 probes
    Probe results:
      Response received, Thu May 16 10:35:10 2013, No hardware timestamps
      Rtt: 7440 usec
    Results over current test:
      Probes sent: 3, Probes received: 3, Loss percentage: 0
      Measurement: Round trip time
        Samples: 3, Minimum: 2041 usec, Maximum: 7440 usec, Average: 3874 usec,
        Peak to peak: 5399 usec, Stddev: 2522 usec, Sum: 11622 usec
    Results over last test:
      Probes sent: 5, Probes received: 5, Loss percentage: 0
      Test completed on Thu May 16 10:34:50 2013
      Measurement: Round trip time
        Samples: 5, Minimum: 2102 usec, Maximum: 55952 usec,
        Average: 13946 usec, Peak to peak: 53850 usec, Stddev: 21101 usec,
        Sum: 69732 usec
    Results over all tests:
      Probes sent: 768, Probes received: 768, Loss percentage: 0
      Measurement: Round trip time
        Samples: 768, Minimum: 1888 usec, Maximum: 236457 usec,
        Average: 10119 usec, Peak to peak: 234569 usec, Stddev: 29646 usec,
        Sum: 7771578 usec

    Owner: icmp_gre_backup, Test: icmp_backup
    Target address: 172.18.58.126, Source address: 172.18.58.125,
    Probe type: icmp-ping, Test size: 5 probes
    Probe results:
      Response received, Thu May 16 10:35:10 2013, No hardware timestamps
      Rtt: 2353 usec
    Results over current test:
      Probes sent: 4, Probes received: 4, Loss percentage: 0
      Measurement: Round trip time
        Samples: 4, Minimum: 2080 usec, Maximum: 8282 usec, Average: 3703 usec,
        Peak to peak: 6202 usec, Stddev: 2646 usec, Sum: 14813 usec
    Results over last test:
      Probes sent: 5, Probes received: 5, Loss percentage: 0
      Test completed on Thu May 16 10:34:45 2013
      Measurement: Round trip time
        Samples: 5, Minimum: 1900 usec, Maximum: 2504 usec, Average: 2110 usec,
        Peak to peak: 604 usec, Stddev: 211 usec, Sum: 10550 usec
    Results over all tests:
      Probes sent: 754, Probes received: 754, Loss percentage: 0
      Measurement: Round trip time
        Samples: 754, Minimum: 1836 usec, Maximum: 270644 usec,
        Average: 6825 usec, Peak to peak: 268808 usec, Stddev: 21516 usec,
        Sum: 5146145 usec

[edit]


Complete Sample Configurations

Click the following to view the complete configurations:

Cisco 881 Router

Juniper SRX Router

Complete Sample Configuration for the Cisco 881

Following is the complete set of commands that were used to configure the Cisco 881 router. This is a lab configuration and is not hardened: it runs without aaa new-model, leaves ip source-route and the plain-HTTP management server (ip http server) enabled alongside the secure server, and stores its local user passwords as type 5 (MD5-based) secrets. Review and tighten these settings before reusing the configuration; only the Tunnel interfaces, ip sla and track objects, access-list 101 and the zscaler-tunnel route-map are specific to the Zscaler integration.

show run

Building configuration...

Current configuration : 16136 bytes

!

! Last configuration change at 14:48:00 UTC Tue Jul 16 2013 by admin

!

version 15.1

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname VPN-test

!

boot-start-marker

boot-end-marker

!

!

logging buffered 8096

no logging console

!

no aaa new-model

memory-size iomem 10

crypto pki token default removal timeout 0

!

crypto pki trustpoint tti

revocation-check crl

!


crypto pki trustpoint TP-self-signed-2721864363

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2721864363

revocation-check none

!

!

crypto pki certificate chain tti

crypto pki certificate chain TP-self-signed-2721864363

certificate self-signed 01

3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 32373231 38363433 3633301E 170D3133 30363132 31383239

32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37323138

36343336 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100B562 8F07F3C9 27A51798 A200FB7B 8831144D 079464DF E5CE2E69 7031F3A7

DFBF74A0 BB20E910 057F95DC 5384059C 2FDAB310 AFA9CA61 B745CA98 C987A664

E0FF66C0 11D0C069 F8BDE9C5 25291420 68A5316E 1B2153B7 2541C1EB 526F227B

B8E2F74B FAE66C82 B7F8347C 108DE12B 6824C1B2 7FF930A3 4A8650C8 0C5A99D2

277B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

551D2304 18301680 1423C3EE 7927E46A FA1516B0 CDA87259 032CF389 7E301D06

03551D0E 04160414 23C3EE79 27E46AFA 1516B0CD A8725903 2CF3897E 300D0609

2A864886 F70D0101 04050003 818100AA F193C465 B04E1028 7B4F96FF B598D81B

CB8069D9 122E1974 7641B540 708068FB 869DCD34 4B9334DF C0AC2CDD D4C7C37D

F673374D C2454733 9364D0DB 631A73D6 A11005FB 475734F5 7130B6F2 9044D650

0278F955 78E27E0A 17839985 2207DAFA 188CA745 F772ACA7 2E6294D2 27426102

D79960C9 666D9DBC B942908C 87E9FF

quit

ip source-route

!

!

!

ip dhcp excluded-address 10.65.199.129

!

ip dhcp pool ccp-pool

import all

network 10.65.199.128 255.255.255.128


default-router 10.65.199.129

dns-server 10.32.112.10

lease 0 2

!

!

ip cef

ip domain name yourdomain.com

ip name-server 10.10.104.23

no ipv6 cef

!

!

parameter-map type inspect test

parameter-map type consent test

!

license udi pid CISCO881-K9 sn FCZ1510C25F

!

!

username root privilege 15 secret 5 $1$tNw1$LDdmzCh/UNWcL.odwKkyD1

username admin privilege 15 secret 5 $1$lXn2$gxtDItkOXiDydXTA0Netu.

username adminr privilege 15 secret 5 $1$ZnCs$B/0DfujHTS6.Kr/uIIYbq.

!

!

!

!

!

track 400 ip sla 400 reachability

!

track 500 ip sla 500 reachability

!

!

!

!

!

!

!

interface Tunnel2700


ip address 172.18.58.121 255.255.255.252

ip virtual-reassembly

ip tcp adjust-mss 1300

tunnel source FastEthernet4

tunnel destination 216.66.5.49

!

interface Tunnel2800

ip address 172.18.58.125 255.255.255.252

ip virtual-reassembly

ip tcp adjust-mss 1300

tunnel source FastEthernet4

tunnel destination 199.168.149.179

!

interface FastEthernet0

switchport access vlan 2

!

interface FastEthernet1

switchport access vlan 2

!

interface FastEthernet2

switchport access vlan 2

!

interface FastEthernet3

switchport access vlan 2

!

interface FastEthernet4

description $ES_WAN$

ip address dhcp client-id FastEthernet4 hostname 10.35.3.41

ip access-group 80 in

ip access-group 80 out

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface Vlan1


description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

no ip address

ip access-group 100 in

ip access-group 100 out

ip tcp adjust-mss 1452

!

interface Vlan2

ip address 10.65.199.129 255.255.255.128

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

ip policy route-map zscaler-tunnel

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list NAT interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 10.96.13.254

!

ip access-list extended NAT

permit ip 10.65.199.0 0.0.0.255 any

deny ip any any

!

ip sla 1

http raw http://172.17.160.170:9480

timeout 300

threshold 300

http-raw-request

GET http://66.151.103.42/test/ HTTP/1.0\r\n

User-Agent: Cisco IP SLA\r\n

end\r\n

\r\n


\r\n

\r\n

exit

ip sla reaction-configuration 1 react rtt threshold-value 300 1 threshold-type consecutive 3

ip sla schedule 1 life forever start-time now

ip sla 2

http raw http://172.17.160.174

timeout 300

threshold 300

http-raw-request

GET http://66.151.103.42/test/ HTTP/1.0\r\n

User-Agent: Cisco IP SLA\r\n

end\r\n

\r\n

\r\n

\r\n

exit

ip sla reaction-configuration 2 react rtt threshold-value 300 1 threshold-type consecutive 3

ip sla schedule 2 life forever start-time now

logging esm config

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 23 permit 30.30.30.0 0.0.0.7

access-list 23 permit 10.65.199.0 0.0.0.255

access-list 80 permit any

access-list 100 permit ip any any

access-list 101 permit tcp any any eq www

access-list 101 permit tcp any any eq 443

access-list 120 permit ip any any

access-list 180 permit ip 10.0.0.0 0.255.255.255 any

no cdp run

route-map zscaler-tunnel permit 10

match ip address 101

set interface Tunnel2700 Tunnel2800


Sample Configuration for the Juniper SRX220

Following is the complete set of commands that were used to configure the Juniper SRX220. This is a lab configuration and is not hardened: it enables telnet, xnm-clear-text, SSH root login and plain-HTTP web management on the Internet-facing ge-0/0/0.0, allows host-inbound-traffic system-services all on the untrust zone, and uses IKE aggressive mode with pre-shared keys for the IPsec VPNs on st0, which are unrelated to the GRE tunnels. Strip or tighten these before reusing any of it; the GRE-specific parts are the gr-0/0/0 units, the traffic_tunnel routing instance, the global-rib rib-group, the zscalerredirect filter on ge-0/0/4.0, and the rpm and ip-monitoring services.

root# run show configuration

## Last commit: 2013-05-16 09:19:34 UTC by root

version 11.4R3.7;

system {

root-authentication {

encrypted-password "$1$kR7I/O3B$ZezY.j09/sk6IWYJWcEVm."; ## SECRET-DATA

}

name-server {

10.35.3.41;

10.35.3.42;

}

services {

ssh {

root-login allow;

}

telnet;

xnm-clear-text;

web-management {

http {

interface [ vlan.0 ge-0/0/1.0 ge-0/0/0.0 ];

}

https {

system-generated-certificate;

interface vlan.0;

}

}

dhcp {

router {

192.168.1.1;

}

pool 192.168.1.0/24 {

address-range low 192.168.1.2 high 192.168.1.254;

}


propagate-settings ge-0/0/0.0;

}

}

syslog {

archive size 100k files 3;

user * {

any emergency;

}

file messages {

any critical;

authorization info;

}

file interactive-commands {

interactive-commands error;

}

}

max-configurations-on-flash 5;

max-configuration-rollbacks 5;

license {

autoupdate {

url https://ae1.juniper.net/junos/key_retrieval;

}

}

}

interfaces {

ge-0/0/0 {

unit 0 {

family inet {

dhcp;

}

}

}

gr-0/0/0 {

unit 0 {

description backup-tunnel;

tunnel {

source 192.0.2.2;


destination 199.168.149.179;

}

family inet {

mtu 1500;

address 172.18.58.125/30;

}

}

unit 1 {

description primary-tunnel;

tunnel {

source 192.0.2.2;

destination 216.66.5.49;

}

family inet {

mtu 1500;

address 172.18.58.121/30;

}

}

}

ge-0/0/1 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/2 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}


ge-0/0/3 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/4 {

unit 0 {

family inet {

filter {

input zscalerredirect;

}

address 192.168.1.101/24;

}

}

}

ge-0/0/5 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/6 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}


ge-0/0/7 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

st0 {

unit 0 {

family inet;

}

unit 1 {

family inet;

}

}

st1 {

unit 0 {

family inet;

}

}

vlan {

unit 0 {

family inet {

address 192.168.1.1/24;

}

}

}

}

routing-options {

interface-routes {

rib-group inet global-rib;

}

static {

route 0.0.0.0/0 next-hop [ st0.0 st0.1 ];

route 10.32.32.0/24 next-hop 10.96.13.254;


route 98.139.183.0/24 next-hop gr-0/0/0.1;

}

rib-groups {

global-rib {

import-rib [ inet.0 traffic_tunnel.inet.0 ];

}

}

}

protocols {

stp;

}

policy-options {

prefix-list zscalernoredirect {

13.13.13.0/24;

}

prefix-list zscalerredirect {

192.168.0.0/16;

}

}

security {

ike {

proposal test {

authentication-method pre-shared-keys;

dh-group group2;

authentication-algorithm sha1;

encryption-algorithm aes-128-cbc;

lifetime-seconds 86400;

}

policy ike-policy1 {

mode aggressive;

proposals test;

pre-shared-key ascii-text "$9$rYllMXdVYoZj"; ## SECRET-DATA

}

policy test {

mode aggressive;

proposals test;

pre-shared-key ascii-text "$9$iHfz9Cu1Eyp0"; ## SECRET-DATA


}

gateway ike-gate {

ike-policy ike-policy1;

address 10.10.104.71;

dead-peer-detection {

always-send;

interval 20;

threshold 5;

}

nat-keepalive 20;

external-interface ge-0/0/0;

}

gateway ike-gate-secondary {

ike-policy ike-policy1;

address 10.10.104.235;

dead-peer-detection {

always-send;

interval 20;

threshold 5;

}

nat-keepalive 20;

external-interface ge-0/0/0;

}

}

ipsec {

vpn-monitor-options {

interval 30;

threshold 4;

}

proposal test {

protocol esp;

authentication-algorithm hmac-sha1-96;

lifetime-seconds 1800;

}

policy vpn-policy1 {

proposal-set standard;

}


vpn ike-vpn {

bind-interface st0.0;

df-bit set;

vpn-monitor {

optimized;

source-interface ge-0/0/0;

destination-ip 216.66.5.49;

}

ike {

gateway ike-gate;

idle-time 4000;

ipsec-policy vpn-policy1;

}

establish-tunnels immediately;

}

vpn ike-vpn-secondary {

bind-interface st0.1;

df-bit set;

vpn-monitor {

optimized;

source-interface ge-0/0/0;

destination-ip 10.10.104.246;

}

ike {

gateway ike-gate-secondary;

idle-time 4000;

ipsec-policy vpn-policy1;

}

establish-tunnels immediately;

}

}

flow {

tcp-mss {

ipsec-vpn {

mss 1300;

}

}


}

screen {

ids-option untrust-screen {

icmp {

ping-death;

}

ip {

source-route-option;

tear-drop;

}

tcp {

syn-flood {

alarm-threshold 1024;

attack-threshold 200;

source-threshold 1024;

destination-threshold 2048;

timeout 20;

}

land;

}

}

}

nat {

source {

rule-set nat-out {

from zone trust;

to zone untrust;

rule interface-nat {

match {

source-address 192.168.0.0/16;

destination-address 0.0.0.0/0;

}

then {

source-nat {

interface;

}

}


}

}

}

}

policies {

from-zone trust to-zone vpn {

policy vpn-tr-vpn {

match {

source-address local-net;

destination-address remote-net;

application any;

}

then {

permit;

}

}

}

from-zone vpn to-zone trust {

policy vpn-vpn-tr {

match {

source-address remote-net;

destination-address local-net;

application any;

}

then {

permit;

}

}

}

from-zone untrust to-zone trust {

policy untrust-to-trust {

match {

source-address any;

destination-address any;

application any;

}

then {


permit;

}

}

}

from-zone trust to-zone untrust {

policy any-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

}

}

}

zones {

security-zone trust {

address-book {

address local-net 192.168.0.0/16;

}

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

}

interfaces {

vlan.0;

ge-0/0/4.0;

}

}

security-zone untrust {

screen untrust-screen;


host-inbound-traffic {

system-services {

ike;

all;

}

}

interfaces {

ge-0/0/0.0 {

host-inbound-traffic {

system-services {

dhcp;

tftp;

all;

}

}

}

gr-0/0/0.0;

gr-0/0/0.1;

}

}

security-zone vpn {

address-book {

address remote-net 0.0.0.0/0;

}

interfaces {

st0.0;

st0.1;

}

}

}

}

firewall {

filter zscalerredirect {

term zscalernoredirect {

from {

destination-prefix-list {

zscalernoredirect;


}

}

then accept;

}

term zscalerredirect {

from {

source-prefix-list {

zscalerredirect;

}

destination-port [ http https ];

}

then {

routing-instance traffic_tunnel;

}

}

term allow-everything-else {

from {

destination-port 0-65535;

}

then accept;

}

}

}

routing-instances {

traffic_tunnel {

instance-type forwarding;

routing-options {

static {

route 0.0.0.0/0 {

qualified-next-hop gr-0/0/0.0 {

preference 200;

}

qualified-next-hop gr-0/0/0.1;

}

}

}

}


}

services {

rpm {

probe gre {

test gre-keepalive {

probe-type http-get;

target url http://216.66.5.49/test;

probe-count 3;

probe-interval 10;

test-interval 10;

routing-instance traffic_tunnel;

thresholds {

successive-loss 3;

total-loss 6;

}

}

}

probe gre_backup {

test gre-keepalive {

probe-type http-get;

target url http://98.139.183.24/;

probe-count 3;

probe-interval 10;

test-interval 10;

routing-instance traffic_tunnel;

thresholds {

successive-loss 3;

total-loss 6;

}

}

}

probe icmp_gre {

test icmp {

probe-type icmp-ping;

target address 172.18.58.122;

probe-count 5;

probe-interval 5;

                test-interval 10;
                source-address 172.18.58.121;
                thresholds {
                    successive-loss 5;
                    total-loss 5;
                }
            }
        }
        probe icmp_gre_backup {
            test icmp_backup {
                probe-type icmp-ping;
                target address 172.18.58.126;
                probe-count 5;
                probe-interval 5;
                test-interval 10;
                source-address 172.18.58.125;
                thresholds {
                    successive-loss 5;
                    total-loss 5;
                }
            }
        }
        probe trial {
            test trial {
                probe-type http-get;
                target url http://172.18.58.122/test;
                probe-count 3;
                probe-interval 10;
                test-interval 10;
                source-address 172.18.58.121;
                thresholds {
                    successive-loss 3;
                    total-loss 3;
                }
            }
        }
    }

    ip-monitoring {
        policy failover {
            match {
                rpm-probe icmp_gre;
            }
            then {
                preferred-route {
                    routing-instances traffic_tunnel {
                        route 0.0.0.0/0 {
                            next-hop 172.18.58.126;
                        }
                    }
                }
            }
        }
        policy failover_backup {
            match {
                rpm-probe icmp_gre_backup;
            }
            then {
                preferred-route {
                    routing-instances traffic_tunnel {
                        route 0.0.0.0/0 {
                            next-hop 172.18.58.122;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

Following are the set commands used:

set version 11.4R3.7
set system root-authentication encrypted-password "$1$kR7I/O3B$ZezY.j09/sk6IWYJWcEVm."
set system name-server 10.35.3.41
set system name-server 10.35.3.42
set system services ssh root-login allow
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management http interface ge-0/0/1.0
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp propagate-settings ge-0/0/0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces gr-0/0/0 unit 0 description backup-tunnel
set interfaces gr-0/0/0 unit 0 tunnel source 192.0.2.2
set interfaces gr-0/0/0 unit 0 tunnel destination 199.168.149.179
set interfaces gr-0/0/0 unit 0 family inet mtu 1500
set interfaces gr-0/0/0 unit 0 family inet address 172.18.58.125/30
set interfaces gr-0/0/0 unit 1 description primary-tunnel

set interfaces gr-0/0/0 unit 1 tunnel source 192.0.2.2
set interfaces gr-0/0/0 unit 1 tunnel destination 216.66.5.49
set interfaces gr-0/0/0 unit 1 family inet mtu 1500
set interfaces gr-0/0/0 unit 1 family inet address 172.18.58.121/30
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family inet filter input zscalerredirect
set interfaces ge-0/0/4 unit 0 family inet address 192.168.1.101/24
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet
set interfaces st1 unit 0 family inet
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set routing-options interface-routes rib-group inet global-rib
set routing-options static route 0.0.0.0/0 next-hop st0.0
set routing-options static route 0.0.0.0/0 next-hop st0.1
set routing-options static route 10.32.32.0/24 next-hop 10.96.13.254
set routing-options static route 98.139.183.0/24 next-hop gr-0/0/0.1
set routing-options rib-groups global-rib import-rib inet.0
set routing-options rib-groups global-rib import-rib traffic_tunnel.inet.0
set protocols stp
set policy-options prefix-list zscalernoredirect 13.13.13.0/24
set policy-options prefix-list zscalerredirect 192.168.0.0/16
set security ike proposal test authentication-method pre-shared-keys
set security ike proposal test dh-group group2
set security ike proposal test authentication-algorithm sha1
set security ike proposal test encryption-algorithm aes-128-cbc
set security ike proposal test lifetime-seconds 86400
set security ike policy ike-policy1 mode aggressive
set security ike policy ike-policy1 proposals test

set security ike policy ike-policy1 pre-shared-key ascii-text "$9$rYllMXdVYoZj"
set security ike policy test mode aggressive
set security ike policy test proposals test
set security ike policy test pre-shared-key ascii-text "$9$iHfz9Cu1Eyp0"
set security ike gateway ike-gate ike-policy ike-policy1
set security ike gateway ike-gate address 10.10.104.71
set security ike gateway ike-gate dead-peer-detection always-send
set security ike gateway ike-gate dead-peer-detection interval 20
set security ike gateway ike-gate dead-peer-detection threshold 5
set security ike gateway ike-gate nat-keepalive 20
set security ike gateway ike-gate external-interface ge-0/0/0
set security ike gateway ike-gate-secondary ike-policy ike-policy1
set security ike gateway ike-gate-secondary address 10.10.104.235
set security ike gateway ike-gate-secondary dead-peer-detection always-send
set security ike gateway ike-gate-secondary dead-peer-detection interval 20
set security ike gateway ike-gate-secondary dead-peer-detection threshold 5
set security ike gateway ike-gate-secondary nat-keepalive 20
set security ike gateway ike-gate-secondary external-interface ge-0/0/0
set security ipsec vpn-monitor-options interval 30
set security ipsec vpn-monitor-options threshold 4
set security ipsec proposal test protocol esp
set security ipsec proposal test authentication-algorithm hmac-sha1-96
set security ipsec proposal test lifetime-seconds 1800
set security ipsec policy vpn-policy1 proposal-set standard
set security ipsec vpn ike-vpn bind-interface st0.0
set security ipsec vpn ike-vpn df-bit set
set security ipsec vpn ike-vpn vpn-monitor optimized
set security ipsec vpn ike-vpn vpn-monitor source-interface ge-0/0/0
set security ipsec vpn ike-vpn vpn-monitor destination-ip 216.66.5.49
set security ipsec vpn ike-vpn ike gateway ike-gate
set security ipsec vpn ike-vpn ike idle-time 4000
set security ipsec vpn ike-vpn ike ipsec-policy vpn-policy1
set security ipsec vpn ike-vpn establish-tunnels immediately
set security ipsec vpn ike-vpn-secondary bind-interface st0.1
set security ipsec vpn ike-vpn-secondary df-bit set
set security ipsec vpn ike-vpn-secondary vpn-monitor optimized

set security ipsec vpn ike-vpn-secondary vpn-monitor source-interface ge-0/0/0
set security ipsec vpn ike-vpn-secondary vpn-monitor destination-ip 10.10.104.246
set security ipsec vpn ike-vpn-secondary ike gateway ike-gate-secondary
set security ipsec vpn ike-vpn-secondary ike idle-time 4000
set security ipsec vpn ike-vpn-secondary ike ipsec-policy vpn-policy1
set security ipsec vpn ike-vpn-secondary establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1300
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set nat-out from zone trust
set security nat source rule-set nat-out to zone untrust
set security nat source rule-set nat-out rule interface-nat match source-address 192.168.0.0/16
set security nat source rule-set nat-out rule interface-nat match destination-address 0.0.0.0/0
set security nat source rule-set nat-out rule interface-nat then source-nat interface
set security policies from-zone trust to-zone vpn policy vpn-tr-vpn match source-address local-net
set security policies from-zone trust to-zone vpn policy vpn-tr-vpn match destination-address remote-net
set security policies from-zone trust to-zone vpn policy vpn-tr-vpn match application any
set security policies from-zone trust to-zone vpn policy vpn-tr-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-vpn-tr match source-address remote-net
set security policies from-zone vpn to-zone trust policy vpn-vpn-tr match destination-address local-net

set security policies from-zone vpn to-zone trust policy vpn-vpn-tr match application any
set security policies from-zone vpn to-zone trust policy vpn-vpn-tr then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
set security policies from-zone trust to-zone untrust policy any-permit match source-address any
set security policies from-zone trust to-zone untrust policy any-permit match destination-address any
set security policies from-zone trust to-zone untrust policy any-permit match application any
set security policies from-zone trust to-zone untrust policy any-permit then permit
set security zones security-zone trust address-book address local-net 192.168.0.0/16
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces ge-0/0/4.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces gr-0/0/0.0
set security zones security-zone untrust interfaces gr-0/0/0.1
set security zones security-zone vpn address-book address remote-net 0.0.0.0/0
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1

set firewall filter zscalerredirect term zscalernoredirect from destination-prefix-list zscalernoredirect
set firewall filter zscalerredirect term zscalernoredirect then accept
set firewall filter zscalerredirect term zscalerredirect from source-prefix-list zscalerredirect
set firewall filter zscalerredirect term zscalerredirect from destination-port http
set firewall filter zscalerredirect term zscalerredirect from destination-port https
set firewall filter zscalerredirect term zscalerredirect then routing-instance traffic_tunnel
set firewall filter zscalerredirect term allow-everything-else from destination-port 0-65535
set firewall filter zscalerredirect term allow-everything-else then accept
set routing-instances traffic_tunnel instance-type forwarding
set routing-instances traffic_tunnel routing-options static route 0.0.0.0/0 qualified-next-hop gr-0/0/0.0 preference 200
set routing-instances traffic_tunnel routing-options static route 0.0.0.0/0 qualified-next-hop gr-0/0/0.1
set services rpm probe gre test gre-keepalive probe-type http-get
set services rpm probe gre test gre-keepalive target url http://216.66.5.49/test
set services rpm probe gre test gre-keepalive probe-count 3
set services rpm probe gre test gre-keepalive probe-interval 10
set services rpm probe gre test gre-keepalive test-interval 10
set services rpm probe gre test gre-keepalive routing-instance traffic_tunnel
set services rpm probe gre test gre-keepalive thresholds successive-loss 3
set services rpm probe gre test gre-keepalive thresholds total-loss 6
set services rpm probe gre_backup test gre-keepalive probe-type http-get
set services rpm probe gre_backup test gre-keepalive target url http://98.139.183.24/
set services rpm probe gre_backup test gre-keepalive probe-count 3
set services rpm probe gre_backup test gre-keepalive probe-interval 10
set services rpm probe gre_backup test gre-keepalive test-interval 10
set services rpm probe gre_backup test gre-keepalive routing-instance traffic_tunnel
set services rpm probe gre_backup test gre-keepalive thresholds successive-loss 3
set services rpm probe gre_backup test gre-keepalive thresholds total-loss 6
set services rpm probe icmp_gre test icmp probe-type icmp-ping

set services rpm probe icmp_gre test icmp target address 172.18.58.122
set services rpm probe icmp_gre test icmp probe-count 5
set services rpm probe icmp_gre test icmp probe-interval 5
set services rpm probe icmp_gre test icmp test-interval 10
set services rpm probe icmp_gre test icmp source-address 172.18.58.121
set services rpm probe icmp_gre test icmp thresholds successive-loss 5
set services rpm probe icmp_gre test icmp thresholds total-loss 5
set services rpm probe icmp_gre_backup test icmp_backup probe-type icmp-ping
set services rpm probe icmp_gre_backup test icmp_backup target address 172.18.58.126
set services rpm probe icmp_gre_backup test icmp_backup probe-count 5
set services rpm probe icmp_gre_backup test icmp_backup probe-interval 5
set services rpm probe icmp_gre_backup test icmp_backup test-interval 10
set services rpm probe icmp_gre_backup test icmp_backup source-address 172.18.58.125
set services rpm probe icmp_gre_backup test icmp_backup thresholds successive-loss 5
set services rpm probe icmp_gre_backup test icmp_backup thresholds total-loss 5
set services rpm probe trial test trial probe-type http-get
set services rpm probe trial test trial target url http://172.18.58.122/test
set services rpm probe trial test trial probe-count 3
set services rpm probe trial test trial probe-interval 10
set services rpm probe trial test trial test-interval 10
set services rpm probe trial test trial source-address 172.18.58.121
set services rpm probe trial test trial thresholds successive-loss 3
set services rpm probe trial test trial thresholds total-loss 3
set services ip-monitoring policy failover match rpm-probe icmp_gre
set services ip-monitoring policy failover then preferred-route routing-instances traffic_tunnel route 0.0.0.0/0 next-hop 172.18.58.126
set services ip-monitoring policy failover_backup match rpm-probe icmp_gre_backup
set services ip-monitoring policy failover_backup then preferred-route routing-instances traffic_tunnel route 0.0.0.0/0 next-hop 172.18.58.122
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
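As an added check that is not part of the Zscaler guide, the following Python linter parses a constructed subset of the set commands above and verifies that each ip-monitoring policy's RPM probe is sourced from a GRE tunnel address, targets that tunnel's far end, and fails over to the other tunnel; it also flags the cleartext management services (telnet, xnm-clear-text) and root SSH login enabled in the listing. The lint function, the CLEARTEXT set and the SAMPLE string are my own and are not Junos API.

```python
"""Added example (not from the Zscaler guide): lint a Junos 'set' listing."""
import ipaddress

# Constructed sample: a subset of the set commands listed above.
SAMPLE = """\
set system services ssh root-login allow
set system services telnet
set system services xnm-clear-text
set interfaces gr-0/0/0 unit 0 family inet address 172.18.58.125/30
set interfaces gr-0/0/0 unit 1 family inet address 172.18.58.121/30
set services rpm probe icmp_gre test icmp target address 172.18.58.122
set services rpm probe icmp_gre test icmp source-address 172.18.58.121
set services rpm probe icmp_gre_backup test icmp_backup target address 172.18.58.126
set services rpm probe icmp_gre_backup test icmp_backup source-address 172.18.58.125
set services ip-monitoring policy failover match rpm-probe icmp_gre
set services ip-monitoring policy failover then preferred-route routing-instances traffic_tunnel route 0.0.0.0/0 next-hop 172.18.58.126
set services ip-monitoring policy failover_backup match rpm-probe icmp_gre_backup
set services ip-monitoring policy failover_backup then preferred-route routing-instances traffic_tunnel route 0.0.0.0/0 next-hop 172.18.58.122
"""

CLEARTEXT = {"telnet", "xnm-clear-text", "ftp"}  # management services without transport encryption


def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    findings, tunnels, probes, policies = [], {}, {}, {}
    # s holds the tokens after the leading "set" of each command
    for s in (l.split()[1:] for l in text.splitlines() if l.startswith("set ")):
        if s[:2] == ["system", "services"] and len(s) > 2 and s[2] in CLEARTEXT:
            findings.append(f"cleartext management service enabled: {s[2]}")
        elif s[2:] == ["ssh", "root-login", "allow"]:
            findings.append("ssh root-login allow: direct root login over SSH is permitted")
        elif s[0] == "interfaces" and s[1].startswith("gr-") and "address" in s:
            tunnels[f"{s[1]}.{s[3]}"] = ipaddress.ip_interface(s[-1])  # gr-0/0/0.1 -> 172.18.58.121/30
        elif s[:3] == ["services", "rpm", "probe"]:
            if s[-3:-1] == ["target", "address"]:
                probes.setdefault(s[3], {})["target"] = ipaddress.ip_address(s[-1])
            elif s[-2] == "source-address":
                probes.setdefault(s[3], {})["source"] = ipaddress.ip_address(s[-1])
        elif s[:3] == ["services", "ip-monitoring", "policy"]:
            if s[-2] == "rpm-probe":
                policies.setdefault(s[3], {})["probe"] = s[-1]
            elif s[-2] == "next-hop":
                policies.setdefault(s[3], {})["next_hop"] = ipaddress.ip_address(s[-1])
    for name, pol in policies.items():
        probe = probes.get(pol.get("probe"), {})
        # The probe must be sourced from a tunnel address and target that tunnel's far end.
        src_if = next((i for i, a in tunnels.items() if a.ip == probe.get("source")), None)
        if src_if is None:
            findings.append(f"{name}: probe {pol.get('probe')} is not sourced from a GRE tunnel address")
            continue
        if probe.get("target") is None or probe["target"] not in tunnels[src_if].network:
            findings.append(f"{name}: probe target is not on the {src_if} tunnel /30")
        # On probe failure the preferred route must point at the *other* tunnel's far end.
        nh = pol.get("next_hop")
        nh_if = next((i for i, a in tunnels.items() if nh is not None and nh in a.network), None)
        if nh_if is None or nh_if == src_if:
            findings.append(f"{name}: next-hop {nh} does not fail over to another tunnel")
    return findings
```

Run against the full listing, the same checks apply unchanged; on the sample above the only findings are the three management-service ones, because both failover policies are wired to the opposite tunnel correctly.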