You can introduce simple point-to-point tunnels with Generic Routing Encapsulation (GRE) or plain IP-in-IP encapsulation. IP tunnels are established at the box level and do not support peer authentication or encryption.
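What the missing encryption means on the wire, as an added example (not part of the original documentation and not the vendor's code): this Python code parses a GRE and an IP-in-IP packet and reads the inner addresses and payload directly. The packets, addresses, and syslog message are constructed sample values.

```python
import ipaddress
import struct

PROTO_IPIP, PROTO_GRE, PROTO_UDP = 4, 47, 17   # IANA IP protocol numbers
ETHERTYPE_IPV4 = 0x0800

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0, sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) for an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total < ihl or len(pkt) < total:
        raise ValueError("truncated or malformed IPv4 packet")
    src, dst = (str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))
    return src, dst, pkt[9], pkt[ihl:total]

def strip_gre(gre):
    """Skip a GRE header (RFC 2784, optional key/sequence per RFC 2890)."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, ethertype = struct.unpack("!HH", gre[:4])
    if flags & 0x4007 or ethertype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE variant or non-IPv4 payload")
    # Each optional field present (checksum, key, sequence) adds 4 bytes.
    offset = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    return gre[offset:]

def decapsulate(pkt):
    """Read the inner addresses and payload of a GRE or IP-in-IP packet."""
    outer_src, outer_dst, proto, payload = parse_ipv4(pkt)
    if proto == PROTO_GRE:
        payload = strip_gre(payload)
    elif proto != PROTO_IPIP:
        raise ValueError("not a GRE or IP-in-IP packet")
    inner_src, inner_dst, inner_proto, data = parse_ipv4(payload)
    return {"outer": (outer_src, outer_dst), "inner": (inner_src, inner_dst),
            "inner_proto": inner_proto, "data": data}

# Constructed sample: a syslog datagram between two internal hosts in a tunnel.
MESSAGE = b"<13>app: user alice logged in"
INNER = (ipv4_header("10.0.1.5", "10.0.2.7", PROTO_UDP, 8 + len(MESSAGE))
         + struct.pack("!HHHH", 40000, 514, 8 + len(MESSAGE), 0) + MESSAGE)
GRE_SAMPLE = (ipv4_header("198.51.100.10", "203.0.113.20", PROTO_GRE, 4 + len(INNER))
              + struct.pack("!HH", 0, ETHERTYPE_IPV4) + INNER)
IPIP_SAMPLE = ipv4_header("198.51.100.10", "203.0.113.20", PROTO_IPIP, len(INNER)) + INNER
```

Calling `decapsulate(GRE_SAMPLE)` or `decapsulate(IPIP_SAMPLE)` returns the internal host addresses and the readable syslog text, which is why traffic that needs confidentiality or integrity should not rely on these tunnels alone.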
Configure an IP tunnel
- Go to CONFIGURATION > Configuration Tree > Box > Network.
- In the left menu, expand Configuration Mode and click Switch to Advanced.
- In the left menu, click IP Tunneling.
- Click Lock.
- In the Tunnel Configuration table, click + to add an IP tunnel.
- Enter a Name.
- Click OK. The Tunnel Configuration window opens.
- Enter the IP tunnel settings. For more information on the settings, see the IP Tunnel Settings section below.
- Click OK.
- Click Send Changes and Activate.
IP tunnel settings
The encapsulation mode for the tunnel. You can select:
(Optional) The TTL for encapsulated tunnel traffic. To use the standard behavior of TTL inherit and Nopmtudisc (no path MTU discovery), leave this field blank.
Set Multicast Flag
To set the multicast flag for the tunnel interface, select yes.
Source IP Type
The source IP type. You can select:
If you selected BoxIP from the Source IP Type list, enter a local source IP address in this field. Specify a routable source IP address if the box itself will use the tunnel. The IP address is activated on the tunnel interface. In combination with the Source Mask, this is the network inside the IP tunnel.
The netmask for the source IP address. A non-zero mask specifies a local network.
If more than two routes exist for a target, enter a preference number for the route if one of the following scenarios also applies:
It is not a good idea to introduce redundant routes to a target network with a direct route being the preferred path.
Remote End IP
The IP address of the remote tunnel end. Make sure that this IP address can be accessed from the local tunnel end that is specified in the following Local End IP field. If you are connecting over the Internet, this would be the public IP address of the remote router/firewall.
To check the reachability of the remote tunnel end from the local tunnel end, select yes. If this check fails, the tunnel is not introduced. If verification is active already, you will not be able to send configuration changes.
To disable this check, select no. Disable this check when the remote tunnel end is only accessible via a VPN route.
Local End IP
The IP address of the local tunnel end. Make sure that you have already introduced this IP address in the network configuration of the system. If you are connecting over the Internet, this would be the public IP address of the firewall.
Trust Level
Specifies the IP address type that is counted by the firewall for traffic on this interface. You can classify the interface as one of the following:
In this table, specify target networks that must be accessible through the tunnel. Use IP/mask notation. Add the target networks of routes that rely on the tunnel interface. Each specified target will rely on a corresponding direct route.
To advertise this route via dynamic routing protocols when the OSPF/RIP/BGP service is used, select yes.
Use Policy Routing
To specify a routing table for tunnel routes from specific source networks, select yes. You can then configure the following policy routing settings: Table Placement, Use Table, and Source Networks.
If you are using policy routing, specify where the table should be placed. You can select postmain (default), premain, or existing. Select existing if you want to use an existing table and specify the table in the following Use Table field. The rule preference of this table will be inherited.
If you selected existing from the Table Placement list, specify the policy routing table in this field. Do not specify the local, main, or default tables. For each source network defined, an appropriate rule pointing to this table (with the table's original preference) is also appended.
If the route from a network or single host must be looked up in the policy routing table specified in the Table Placement setting, add it to this table.