Amer Networks E5Web GUI User Manual
Page 176

The GRE protocol allows for an additional checksum over and above the IPv4 checksum. This
provides an extra check of data integrity.
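As an added example (not taken from this manual and not cOS Core code), the following sketch shows how the optional GRE checksum defined in RFC 2784 is computed by the sender and verified by the receiver. The function names and the sample payload are constructed for illustration.

```python
import struct

GRE_C_BIT = 0x8000      # "Checksum Present" flag, RFC 2784
GRE_VER_MASK = 0x0007   # version field, must be 0

# Constructed stand-in for the encapsulated packet (not real traffic).
SAMPLE_INNER = bytes(range(20))

def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_gre(payload: bytes, proto: int = 0x0800,
              with_checksum: bool = True) -> bytes:
    """Encapsulate payload in a GRE header, optionally with checksum."""
    if not with_checksum:
        return struct.pack("!HH", 0, proto) + payload
    # Checksum covers GRE header + payload, with the field zeroed first.
    zeroed = struct.pack("!HHHH", GRE_C_BIT, proto, 0, 0)
    csum = inet_checksum(zeroed + payload)
    return struct.pack("!HHHH", GRE_C_BIT, proto, csum, 0) + payload

def check_gre(packet: bytes) -> str:
    """Return 'ok', 'corrupt', 'no-checksum' or 'malformed'."""
    if len(packet) < 4:
        return "malformed"
    flags, _proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VER_MASK:
        return "malformed"
    if not flags & GRE_C_BIT:
        return "no-checksum"                 # nothing to verify at GRE layer
    if len(packet) < 8:
        return "malformed"
    # Summing the packet including a correct checksum field yields 0.
    return "ok" if inet_checksum(packet) == 0 else "corrupt"

if __name__ == "__main__":
    good = build_gre(SAMPLE_INNER)
    damaged = bytearray(good)
    damaged[10] ^= 0x01                      # single bit flipped in transit
    print(check_gre(good), check_gre(bytes(damaged)))
```

The checksum is not keyed, so it detects accidental corruption only and offers no protection against deliberate modification of tunnelled traffic.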
The Virtual Routing options are used as with any other interface such as an Ethernet interface
(see Section 3.4.2, “Ethernet Interfaces”). The routing tables specified here apply to the traffic
carried by the tunnel and not the tunnel itself. The route lookup for the tunnel itself is specified
in the earlier option Outer PBR Table.
The Advanced settings for a GRE interface are:
• Automatically add route for remote network - This option would normally be checked so
that the routing table is automatically updated. The alternative is to manually create
the required route.
• Address to use as source IP - It is possible to specify a particular IP address as the source
interface IP for the GRE tunnel. The tunnel setup will appear to be initiated by this IP address
instead of the IPv4 address of the interface that actually sets up the tunnel.
This might be done if, for example, ARP publishing is being used and the tunnel is to be
set up using an ARP published IP address.

GRE and the IP Rule Set

An established GRE tunnel does not automatically mean that all traffic coming from or to that
GRE tunnel is trusted. On the contrary, network traffic coming from the GRE tunnel will be
transferred to the cOS Core IP rule set for evaluation. The source interface of the network traffic
will be the name of the associated GRE Tunnel.
The same is true for traffic in the opposite direction, that is, going into a GRE tunnel. Furthermore,
a Route has to be defined so cOS Core knows what IP addresses should be accepted and sent
through the tunnel.

An Example GRE Scenario

The diagram above shows a typical GRE scenario, where two Clavister Security Gateways A and B
must communicate with each other through the intervening internal network 172.16.0.0/16.
Chapter 3: Fundamentals