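You can introduce simple point-to-point tunnels with Generic Routing Encapsulation (GRE) or plain IP-in-IP encapsulation. IP tunnels are established at the box level and do not support peer authentication or encryption, so tunneled packets cross the path in cleartext and the remote end is identified only by its IP address.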
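What the absence of peer authentication and encryption means on the wire, as an added example (not part of the original documentation or of the product): a small Python parser that reads the inner packet out of a GRE or IP-in-IP packet without any key. The addresses, payload, helper names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

GRE, IPIP = 47, 4  # IP protocol numbers for GRE and IP-in-IP

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (header checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) for an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or not ihl <= total <= len(pkt):
        raise ValueError("truncated IPv4 packet")
    src, dst = (str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))
    return src, dst, pkt[9], pkt[ihl:total]

def decapsulate(pkt):
    """Read the inner packet of a GRE or IP-in-IP packet; no secret is needed."""
    o_src, o_dst, proto, body = parse_ipv4(pkt)
    if proto == GRE:
        if len(body) < 4:
            raise ValueError("truncated GRE header")
        flags, inner_type = struct.unpack("!HH", body[:4])
        # Reject the legacy routing bit, non-zero versions and non-IPv4 payloads.
        if flags & 0x4007 or inner_type != 0x0800:
            raise ValueError("unsupported GRE variant or non-IPv4 payload")
        # Optional checksum, key and sequence fields add 4 bytes each.
        body = body[4 + 4 * sum(bool(flags & b) for b in (0x8000, 0x2000, 0x1000)):]
    elif proto != IPIP:
        raise ValueError("not a GRE or IP-in-IP packet")
    i_src, i_dst, i_proto, data = parse_ipv4(body)
    return {"outer": (o_src, o_dst), "inner": (i_src, i_dst),
            "inner_proto": i_proto, "data": data}

# Constructed sample traffic: documentation and private addresses, made-up payload,
# inner protocol 253 (reserved for experimentation).
INNER = ipv4("10.0.10.5", "10.0.20.9", 253, b"constructed cleartext payload")
SAMPLE_GRE = ipv4("192.0.2.1", "198.51.100.1", GRE, struct.pack("!HH", 0, 0x0800) + INNER)
SAMPLE_IPIP = ipv4("192.0.2.1", "198.51.100.1", IPIP, INNER)

if __name__ == "__main__":
    for name, pkt in (("GRE", SAMPLE_GRE), ("IP-in-IP", SAMPLE_IPIP)):
        print(name, decapsulate(pkt))
```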
Configure an IP Tunnel
- Go to CONFIGURATION > Configuration Tree > Box > Network.
- In the left menu, expand Configuration Mode and click Switch to Advanced.
- In the left menu, click IP Tunneling.
- Click Lock.
- In the Tunnel Configuration table, click + to add an IP tunnel.
- Enter a Name.
- Click OK. The Tunnel Configuration window opens.
- Enter the IP tunnel settings. For more information on the settings, see the IP Tunnel Settings section below.
- Click OK.
- Click Send Changes and Activate.
IP Tunnel Settings
Setting | Description |
---|---|
Encapsulation Mode | The encapsulation mode for the tunnel. You can select: |
Tunnel TTL | (Optional) The TTL for encapsulated tunnel traffic. To use the standard behavior of TTL inherit and Nopmtudisc (no path MTU discovery), leave this field blank. |
Set Multicast Flag | To set the multicast flag for the tunnel interface, select yes. |
Source IP Type | The source IP type. You can select: |
Source IP | If you selected BoxIP from the Source IP Type list, enter a local source IP address in this field. Specify a routable source IP address if the box itself will use the tunnel. The IP address is activated on the tunnel interface. |
Source Mask | The netmask for the source IP address. A non-zero mask specifies a local network. |
Route Metric | If more than two routes exist for a target, enter a preference number for the route if one of the following scenarios also applies:
It is not a good idea to introduce redundant routes to a target network with a direct route being the preferred path. |
Remote End IP | The IP address of the remote tunnel end. Make sure that this IP address can be accessed from the local tunnel end that is specified in the following Local End IP field. |
Check Reachability | To check the reachability of the remote tunnel end from the local tunnel end, select yes. If this check fails, the tunnel is not introduced. If verification is active already, you will not be able to send configuration changes. To disable this check, select no. Disable this check when the remote tunnel end is only accessible via a VPN route. |
Local End IP | The IP address of the local tunnel end. Make sure that you have already introduced this IP address in the network configuration of the system. |
Trust Level | Specifies the IP address type that is counted by the firewall for traffic on this interface. You can classify the interface as one of the following: |
Target Networks | In this table, specify target networks that must be accessible through the tunnel. Use IP/mask notation. Add the target networks of routes that rely on the tunnel interface. Each specified target will rely on a corresponding direct route. |
Advertise Route | To advertise this route via dynamic routing protocols when the OSPF/RIP/BGP service is used, select yes. |
Use Policy Routing | To specify a routing table for tunnel routes from specific source networks, select yes. You can then configure the following policy routing settings: Table Placement, Use Table, and Source Networks. |
Table Placement | If you are using policy routing, specify where the table should be placed. You can select postmain (default), premain, or existing. Select existing if you want to use an existing table and specify the table in the following Use Table field. The rule preference of this table will be inherited. |
Use Table | If you selected existing from the Table Placement list, specify the policy routing table in this field. Do not specify the local, main, or default tables. For each source network defined, an appropriate rule pointing to this table (with the table's original preference) is also appended. |
Source Networks | If the route from a network or single host must be looked up in the policy routing table specified in the Table Placement setting, add it to this table. |