Configuring GRE Keepalive Time
Generic routing encapsulation (GRE) tunnel interfaces do not have a built-in mechanism for detecting when a tunnel is down. Keepalive messages help the GRE tunnel interfaces to detect when a tunnel is down. The topics below discuss the working and configuration of GRE keepalive time.
Understanding GRE Keepalive Time
Generic routing encapsulation (GRE) tunnel interfaces do not have a built-in mechanism for detecting when a tunnel is down. You can enable keepalive messages to serve as the detection mechanism.
Keepalive times are only configurable for the ATM-over-ADSL interface, which is no longer supported on SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550HM starting in Junos OS Release 15.1X49-D10. Keepalive times are enabled by default for other interfaces.
Keepalives can be configured on the physical or on the logical interface. If configured on the physical interface, keepalives are sent on all logical interfaces that are part of the physical interface. If configured on a individual logical interface, keepalives are only sent to that logical interface. In addition to configuring a keepalive, you must configure the hold time.
You can configure the keepalives on a generic routing encapsulation
(GRE) tunnel interface by including both the keepalive-time statement and the hold-time statement at the [edit
protocols oam gre-tunnel interface interface-name] hierarchy level.
For proper operation of keepalives on a GRE interface,
you must also include the family inet statement at the [edit interfaces interface-name unit unit] hierarchy level. If you do not include this
statement, the interface is marked as down.
See Also
Configuring GRE Keepalive Time
Keepalive times are only configurable for the ATM-over-ADSL interface, which is no longer supported on SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550HM starting in Junos OS Release 15.1X49-D10.
- Configuring Keepalive Time and Hold time for a GRE Tunnel Interface
- Display GRE Keepalive Time Configuration
- Display Keepalive Time Information on a GRE Tunnel Interface
Configuring Keepalive Time and Hold time for a GRE Tunnel Interface
You can configure the keepalives on a generic routing
encapsulation (GRE) tunnel
interface by including both the keepalive-time statement
and the hold-time statement at the [edit
protocols oam gre-tunnel interface interface-name] hierarchy level.
For proper operation of keepalives on a GRE interface,
you must also include
the family inet statement at the [edit interfaces interface-name unit unit] hierarchy
level. If you do not include this
statement, the interface is marked as down.
To configure a GRE tunnel interface:
To configure keepalive time for a GRE tunnel interface:
Configure the Operation, Administration, and Maintenance (OAM) protocol at the
[edit protocols]hierarchy level for the GRE tunnel interface.[edit] user@host# edit protocols oam
Configure the GRE tunnel interface option for OAM protocol.
[edit protocols oam] user@host# edit gre-tunnel interface interface-name
Configure the keepalive time from 1 through 50 seconds for the GRE tunnel interface.
[edit protocols oam gre-tunnel interface interface-name] user@host# set keepalive-time seconds
Configure the hold time from 5 through 250 seconds. Note that the hold time must be at least twice the keepalive time.
[edit protocols oam gre-tunnel interface interface-name] user@host# set hold-time seconds
Display GRE Keepalive Time Configuration
Purpose
Display the configured keepalive time value as 10 and hold time value as 30 on a GRE tunnel interface (for example, gr-1/1/10.1):
Action
To display the configured values on the GRE tunnel interface,
run the show oam gre-tunnel command
at the [edit protocols] hierarchy level:
[edit protocols]
user@host# show oam gre-tunnel
interface gr-1/1/10.1 {
keepalive-time 10;
hold-time 30;
}
Display Keepalive Time Information on a GRE Tunnel Interface
Purpose
Display the current status information of a GRE tunnel interface when keepalive time and hold time parameters are configured on it and when the hold time expires.
Action
To verify the current status information on a GRE tunnel
interface (for example,
gr-3/3/0.3), run the show interfaces
gr-3/3/0.3 terse and show interfaces
gr-3/3/0.3 extensive operational commands.
show interfaces gr-3/3/0.3 terse
user@host> show interfaces gr-3/3/0.3 terse
Interface Admin Link Proto Local Remote
gr-3/3/0.3 up up inet 200.1.3.1/24
mpls show interfaces gr-3/3/0.3 extensive
user@host> show interfaces gr-3/3/0.3 extensive
Logical interface gr-3/3/0.3 (Index 73) (SNMP ifIndex 594) (Generation 900)
Flags: Point-To-Point SNMP-Traps 0x4000 IP-Header 10.1.19.11:10.1.19.12:47:df:64:0000000000000000 Encapsulation: GRE-NULL
Gre keepalives configured: On, Gre keepalives adjacency state: down
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Traffic statistics:
Input bytes : 15629992
Output bytes : 15912273
Input packets: 243813
Output packets: 179476
Local statistics:
Input bytes : 15322586
Output bytes : 15621359
Input packets: 238890
Output packets: 174767
Transit statistics:
Input bytes : 307406 0 bps
Output bytes : 290914 0 bps
Input packets: 4923 0 pps
Output packets: 4709 0 pps
Protocol inet, MTU: 1476, Generation: 1564, Route table: 0
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Destination: 200.1.3/24, Local: 200.1.3.1, Broadcast: 200.1.3.255, Generation: 1366
Protocol mpls, MTU: 1464, Maximum labels: 3, Generation: 1565, Route table: 0When the hold time expires:
The GRE tunnel will stay up even though the interface cannot send or receive traffic.
The
Linkstatus will beUpand theGre keepalives adjacency statewill beDown.
Meaning
The current status information of a GRE tunnel interface with keepalive time and hold time parameters is displayed as expected when the hold time expires.
Example: Configure GRE Tunnel
Generic routing encapsulation (GRE) is an IP encapsulation protocol that is used to transport packets over a network. Information is sent from one network to the other through a GRE tunnel. GRE encapsulates a payload as a GRE packet. This GRE packet is encapsulated in an outer protocol (delivery protocol). GRE tunnel endpoints forward payloads into GRE tunnels for routing packets to the destination. After reaching the end point, GRE encapsulation is removed and the payload is transmitted to its final destination. The primary use of GRE is to carry non-IP packets through an IP network; however, GRE is also used to carry IP packets through an IP cloud.
Requirements
-
Configure a GRE (gr-) interface. The gr- interface contains a local address and destination address. It comes up as soon as it is configured. You can even configure an IP address on the gr- interface.
-
Configure a route to reach the destination subnet (end-to-end connectivity). You can configure either a static route through the gr- interface or use an interior gateway protocol (IGP) such as OSPF.
Overview
GRE tunnels are designed to be completely stateless, which means that each tunnel endpoint does not keep any information about the state or availability of the remote tunnel endpoint. Normally, a GRE tunnel interface comes up as soon as it is configured, and it stays up as long as there is a valid tunnel source address or interface that is up.
Configuration
By default, the local subnet interface is ge-0/0/0 with IPv4 address as 10.10.11.1/24. The destination subnet is 10.10.10.0/24 with the tunnel endpoint IPv4 interface as 10.10.10.1/24.
GRE configuration shows the default configuration between the tunnel interfaces on SRX Series Firewalls.
Configuring the Device Under Test (DUT)
Step-by-Step Procedure
You can either configure a static route through the gr- interface or by using IGP.
-
Configure the local subnet interface ge-0/0/0 interface.
[edit interfaces] user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.10.11.1/24
-
Configure the destination subnet.
[edit interfaces] user@host# set interfaces ge-0/0/1 unit 0 family inet address 10.1.12.1/24
-
Configure the gr- tunnel endpoints and specify the source address, destination address, and family as inet for the tunnel endpoints.
[edit interfaces] user@host# set interfaces gr-0/0/0 unit 0 tunnel source 192.168.1.1 destination 192.168.1.2 user@host# set interfaces gr-0/0/0 unit 0 family inet address 192.168.255.1
-
Bind the GRE tunnel interface gr-0/0/0 to a security zone.
[edit security zones security-zones trust] user@host# set host-inbound-traffic system-services all user@host# set host-inbound-traffic protocols all user@host# set interfaces gr-0/0/0.0
-
Configure a static route to the destination subnet with the GRE tunnel interface as the next-hop.
[edit interfaces] user@host# set routing options static route 10.10.10.0/24 next hop gr-0/0/0.0
-
In case you do not want to define a static route, configure OSPF or any other protocol between gr-0/0/0 interfaces on both the sides and internal subnet as passive neighbor, to receive all the internal routes.
[edit protocols] user@host# set protocols ospf area 0.0.0.0 interface gr-0/0/0.0 user@host# set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 passive
CLI Quick Configuration
set interfaces ge-0/0/0 unit 0 family inet address 10.10.11.1/24 set interfaces gr-0/0/0 unit 0 tunnel source 192.168.1.1 set interfaces gr-0/0/0 unit 0 tunnel destination 192.168.1.2 set interfaces gr-0/0/0 unit 0 family inet address 192.168.255.1/30 set interfaces ge-0/0/1 unit 0 family inet address 10.1.12.1/24 set protocols ospf area 0.0.0.0 interface gr-0/0/0.0 set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 passive set routing-options static route 10.10.10.0/24 next-hop gr-0/0/0.0 set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces gr-0/0/0.0
Results
In configuration mode, confirm your configuration on the devices by entering
the show command. If the output does not display the
intended configuration, repeat the configuration instructions in this
example to correct it.
GRE configuration using the static route:
[edit interfaces]
root@SRX-1# show
ge-0/0/0 {
unit 0 {
family inet {
address 10.10.11.1/24;
}
}
}
gr-0/0/0 {
unit 0 {
tunnel {
source 192.168.1.1;
destination 192.168.1.2;
}
family inet {
address 192.168.255.1/30;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.1.12.1/24;
}
}
}
[edit security]
root@SRX-1# show
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
gr-0/0/0.0;
}
}
}
root@SRX-1# show routing-options
static {
route 10.10.10.0/24 next-hop gr-0/0/0.0;
}[edit protocols]
root@SRX-1# show
ospf {
area 0.0.0.0 {
interface gr-0/0/0.0;
interface ge-0/0/0.0 {
passive;
}
}
}Verification
To verify that the configuration of GRE on the SRX Series Firewall is successful, perform the following tasks:
- Verify the GRE Interface
- Verify Reachability to Destination Subnet
- Verify End-to-End Reachability Using the Ping Command
Verify the GRE Interface
Purpose
Verify that the GRE interface is up.
Action
Run the show interfaces command:
user@SRX-1>show interfaces gr-0/0/0 terse Interface Admin Link Proto Local Remote gr-0/0/0 up up gr-0/0/0.0 up up inet 192.168.255.1/30
Meaning
The GRE interface is up.
Verify Reachability to Destination Subnet
Purpose
Verify that the route for the destination network is reachable through the GRE tunnel interface.
Action
Run the show route forwarding-table matching
10.10.10.0/24
command at the [edit interfaces] hierarchy
level:
[edit interfaces] user@router# run show route forwarding-table matching 10.10.10.0/24 Routing table: default.inet Internet: .... Destination Type RtRef Next hop Type Index NhRef Netif 10.10.10.0/24 user 0 ucst 595 2 gr-0/0/0.0
Meaning
The destination network is reachable through the GRE tunnel interface.
Verify End-to-End Reachability Using the Ping Command
user@SRX-1> ping 10.10.10.2 source 10.10.11.1 rapid count 100 PING 10.10.10.2 (10.10.10.2): 56 data bytes !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! --- 10.10.10.2 ping statistics --- 100 packets transmitted, 100 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.831/1.033/10.033/1.286 ms
Configuring GRE over IPsec Tunnels
Overview
GRE tunnels offer minimal security, whereas an IPsec tunnel offers enhanced security in terms of confidentiality, data authentication, and integrity assurance. Also, IPsec cannot directly support multicast packets. However, if an encapsulated GRE tunnel is used first, an IPsec tunnel can then be used to provide security to the multicast packet. In a GRE over IPsec tunnel, all of the routing traffic (IP and non-IP) can be routed through. When the original packet (IP/non-IP) is GRE encapsulated, it has an IP header as defined by the GRE tunnel, normally the tunnel interface IP addresses. The IPsec protocol can understand the IP packet; so it encapsulates the GRE packet to make it GRE over IPsec.
The basic steps involved in configuring GRE over IPsec are as follows:
-
Configure the route-based IPsec tunnel.
-
Configure the GRE tunnel.
-
Configure a static route with the destination as the remote subnet through the gr- interface.
-
Configure the static route for the GRE endpoint with the st0 interface as next hop.
Configuration
In this example, the default configuration has the local subnet interface as ge-0/0/0 with the IPv4 address as 10.10.11.1/24. The destination subnet is 10.10.10.0/24. The gr-0/0/0 interface tunnel endpoints are loopback addresses on both the sides, with the local loopback IPv4 address as 192.168.0.1 and the remote loopback IPv4 address as 192.168.0.2. The gr-0/0/0, st0 and lo0 interfaces are bound to a security zone and policies are created accordingly.
Configuring a GRE interface over an IPsec tunnel
Step-by-Step Procedure
Configure the GRE at the
[set interfaces interface-name unit unit-number]hierarchy level, where the interface name is ge-0/0/0, and the family is set as inet.[edit interfaces] user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.10.11.1/24
Configure the gr- tunnel endpoints and specify the source address, destination address, and family as inet for the tunnel endpoints.
[edit interfaces] user@host# set interfaces gr-0/0/0 unit 0 tunnel source 172.20.1.1 destination 172.20.1.2 user@host# set interfaces gr-0/0/0 unit 0 family inet 192.168.1.1/24
Similarly configure the lo0 and st0 interface with the family set as inet.
[edit interfaces] user@host# set interfaces lo0 unit 0 family inet address 172.20.1.1/32
[edit interfaces] user@host# set interfaces st0 unit 0 family inet
Confifure the GRE interfaces with security zones. Use the
show zonescommand to view the zones, where the configured tunnel interfaces, lo0 and st0 are displayed.[edit security zones security-zones trust]] user@host# set host-inbound-traffic system-services all user@host# set host-inbound-traffic protocols all user@host# set interfaces gr-0/0/0.0 user@host# set zones zone names protocols all user@host# set interfaces lo0.0 user@host# set interfaces st0.0
[edit security zones security-zones untrust]] user@host# set host-inbound-traffic system-services all user@host# set host-inbound-traffic protocols all user@host# set interfaces gr-0/0/0.0.1 user@host# set interfaces lo0.0 user@host# set interfaces st0.0
Results
In configuration mode, confirm your interface configuration by entering the
show command. The configured interfaces are bound to a
security zone at the [edit security] hierarchy level. Use the
show zones command to view the zones, where the configured
interfaces (gr-, st0.0, and lo0) are displayed. If the output does not display
the intended configuration, repeat the configuration instructions in this
example to correct it.
Parameters for configuring the GRE interfaces:
user@host> show interfaces
ge-0/0/0 {
unit 0 {
family inet {
address 10.10.11.1/24;
}
}
}
gr-0/0/0 {
unit 0 {
tunnel {
source 172.20.1.1;
destination 172.20.1.2;
}
family inet {
address 192.168.1.1/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 172.20.1.1/32;
}
}
}
st0 {
unit 0 {
family inet;
}
}
[edit]
root@Juniper# show
routing-options {
static {
route 10.10.10.0/24 next-hop gr-0/0/0.0;
route 172.20.1.2/32 next-hop st0.0;
}
}
Parameters for configuring the GRE interfaces with security zones:
[edit security]
root@Juniper# show
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
gr-0/0/0.0;
lo0.0;
st0.0;
}
}
}
Configuring a GRE Tunnel When the Tunnel Destination Is in a Routing Instance
Overview
You can configure a GRE tunnel when the tunnel destination is in a default routing instance or non-default routing instance. Configuration of a GRE tunnel requires defining the tunnel source and the tunnel destination addresses. If the tunnel destination is in a routing instance, and there is more than one routing instance present, you need to specify the correct routing instance and also the routing table to be used to reach the configured tunnel destination address.
The tunnel destination address is by default considered to be reachable using the default routing table "inet.0".
Configuration
In this example, you can configure a GRE tunnel between the gr- interfaces on SRX Series Firewalls with two instances. The instances are when the tunnel destination is in a default routing instance and when the tunnel destination is in a non-default routing instance.
- Configuring a GRE Tunnel When the Tunnel Destination Is in a Default Routing Instance
- Configuring a GRE Tunnel When the Tunnel Destination Is in a Non-default Routing Instance
- Results
Configuring a GRE Tunnel When the Tunnel Destination Is in a Default Routing Instance
This example uses the default routing instance to reach the tunnel destination. Because of this, the routing table inet.0 is used by default.
Step-by-Step Procedure
Specify the source and destination address of the tunnel.
[edit interfaces] user@host# set interfaces gr-0/0/0 unit 0 tunnel source 172.16.0.1 destination 10.10.1.2 user@host# set interfaces gr-0/0/0 unit 0 family inet 192.168.100.1/30;
Configure the ge- interface and lo0 interface with the family set as inet.
[edit interfaces] user@host# set interfaces ge-0/0/0 unit 0 family inet address 172.30.73.56/24 user@host# set interfaces lo0 unit 0 family inet address 172.16.0.1/32
-
Configure the GRE tunnel interface for routing options as mentioned in the GRE configuration topic.
Configuring a GRE Tunnel When the Tunnel Destination Is in a Non-default Routing Instance
For a non-default routing instance, ensure that you have already configured the gr-0/0/0 interface.
Step-by-Step Procedure
Configure the GRE tunnel with the gr-0/00 interface and family set as inet.
[edit interfaces] user@host# set interfaces gr-0/00 unit 0 family inet address
Specify the source and destination address of the tunnel.
[edit interfaces] user@host# set interfaces gr-0/0/0 unit 0 tunnel source 172.16.0.1 tunnel destination 10.10.1.2 family inet 192.168.100.1/30;
Configure the ge- interface and lo0 interface with the family set as inet.
[edit interfaces] user@host# set interfaces ge-0/0/0 unit 0 family inet address 172.30.73.56/24 user@host# set interfaces lo0 unit 0 family inet address 172.16.0.1/32
Configure the routing instances used for the tunnel interface.
[edit routing-instances] user@host# set routing-instances test instance-type virtual-router user@host# set routing-instances test routing-options static route 10.10.1.2/32 next-hop 172.30.73.57 user@host# set routing-instances test interface ge-0/0/0.0
Configure the routing-instance for GRE tunnel interfaces.
[edit interfaces] user@host# set interfaces gr-0/0/0 unit 0 tunnel routing-instance destination test
Add the static route for tunnel destination.
[edit interfaces] user@host# set routing-options static route 10.10.1.2/32 next-table test.inet.0
Note:When the SRX Series Firewall is in packet mode, you do not need to configure a static route to make the tunnel destination reachable from inet.0. However, you still need to specify the correct routing instance under the gr-0/0/0 interface.
Results
In configuration mode, confirm your configuration on the devices by entering the show command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
When the tunnel destination is in a default routing instance:
interfaces {
gr-0/0/0 {
unit 0 {
tunnel {
source 172.16.0.1;
destination 10.10.1.2;
}
family inet {
address 192.168.100.1/30;
}
}
}
ge-0/0/0 {
unit 0 {
family inet {
address 172.30.73.56/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 172.16.0.1/32;
}
}
}
...
}
routing-options {
static {
route 10.10.1.2/32 next-hop 172.30.73.57; # Tunnel destination is reachable from default routing-instance
...
}
}
routing-instances {
test {
instance-type virtual-router;
interface gr-0/0/0.0;
routing-options {
...
}
}
}When the tunnel destination is in a non-default routing instance:
interfaces {
gr-0/0/0 {
unit 0 {
tunnel {
source 172.16.0.1;
destination 10.10.1.2;
routing-instance {
destination test; # Routing-instance to reach tunnel destination
}
}
family inet {
address 192.168.100.1/30;
}
}
}
ge-0/0/0 {
unit 0 {
family inet {
address 172.30.73.56/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 172.16.0.1/32;
}
}
}
...
}
routing-options {
static {
route 10.10.1.2/32 next-table test.inet.0; # Tunnel destination is reachable via test.inet.0
...
}
}
routing-instances {
test {
instance-type virtual-router;
interface ge-0/0/0;
routing-options {
static {
route 10.10.1.2/32 next-hop 172.30.73.57; # Tunnel destination is reachable from non-default routing-instance
...
}
}
}
}Verification
Verification of Static Route Use
Purpose
Verify that the static route is used.
Action
Run the show route forwarding table command.
user@host> show route forwarding-table table test
No Title
Routing table: test.inet
Internet:
Enabled protocols: Bridging,
Destination Type RtRef Next hop Type Index NhRef Netif
default perm 0 rjct 597 1
0.0.0.0/32 perm 0 dscd 590 1
10.10.1.2/32 user 1 172.30.73.57 hold 598 4 ge-0/0/0.0
172.16.0.1.10.10.1.2.47/72
dest 0 locl 617 1
172.30.73.0/24 intf 0 rslv 588 1 ge-0/0/0.0
172.30.73.0/32 dest 0 172.30.73.0 recv 586 1 ge-0/0/0.0
172.30.73.56/32 intf 0 172.30.73.56 locl 587 2
172.30.73.56/32 dest 0 172.30.73.56 locl 587 2
172.30.73.57/32 dest 0 172.30.73.57 hold 598 4 ge-0/0/0.0
172.30.73.255/32 dest 0 172.30.73.255 bcst 585 1 ge-0/0/0.0
224.0.0.0/4 perm 0 mdsc 596 1
224.0.0.1/32 perm 0 224.0.0.1 mcst 600 1
255.255.255.255/32 perm 0 bcst 601 1
Verification of Static Route Used in Default Instance
Purpose
Verify that the static route is used for the default instance.
Action
Run the show route forwarding table command.
user@host> show route forwarding-table matching 10.10.1.2 Routing table: default.inet Internet: Enabled protocols: Bridging, Destination Type RtRef Next hop Type Index NhRef Netif 10.10.1.2/32 user 0 rtbl 604 3