Configure GRE tunnel with Zscaler

Ram Dixit
Aug 11, 2024


Introduction to GRE tunnels

GRE (Generic Routing Encapsulation) is a tunneling protocol for encapsulating packets inside a transport protocol. A GRE-capable router or firewall encapsulates a payload packet inside a GRE packet, which it then encapsulates in a transport protocol, such as IP, as shown in the following figure.

Understanding GRE Tunnels

A GRE (Generic Routing Encapsulation) tunnel functions similarly to a VPN, but without encryption. It is used to transport packets from one endpoint through the public network to another endpoint.

Key Features of GRE Tunnels:

  • No Encryption: Unlike VPNs, GRE tunnels do not encrypt the data they carry.
  • Packet Transportation: GRE tunnels encapsulate packets from the source and send them across the public network to the destination.

Keepalive Packets in GRE Tunnels:

  • GRE tunnels use keepalive packets to verify that the tunnel is up.
  • The tunnel source builds a keepalive response packet, encapsulates it inside a keepalive request packet, and sends the request to the tunnel destination.
  • Upon receiving the request packet, the tunnel destination decapsulates it and forwards the inner response packet back to the originating peer.

For more detailed information about GRE, you can refer to RFC 2784, Generic Routing Encapsulation (GRE).
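The encapsulation and keepalive exchange described above, as an added example that is not part of the original post and not Zscaler's or any vendor's code. It builds the RFC 2784 base GRE header and an outer IPv4 header in Python, then plays both tunnel endpoints of the keepalive round trip. The endpoint addresses (203.0.113.10 as the tunnel source, 198.51.100.20 standing in for a ZEN), the exact keepalive layout (an empty GRE packet addressed back to the source, carried inside the request) and all function names are this example's assumptions.

```python
import struct
import ipaddress

IPPROTO_GRE = 47         # IP protocol number for GRE (outer IPv4 header "protocol" field)
GRE_PROTO_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload (same value as the EtherType)

# Constructed endpoint addresses from the RFC 5737 documentation ranges, not real ZEN addresses.
TUNNEL_SRC = "203.0.113.10"   # public IP on the router/firewall (e.g. its loopback)
TUNNEL_DST = "198.51.100.20"  # stands in for a Zscaler Enforcement Node


def ipv4_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words, as used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ipv4_checksum(raw)  # checksum is computed with the checksum field zeroed
    return struct.pack("!BBHHHBBH4s4s", *fields)


def parse_ipv4(pkt: bytes) -> dict:
    """Split an IPv4 packet into addressing fields and payload; rejects a bad version or checksum."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a well-formed IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total_len]}


def gre_encapsulate(outer_src: str, outer_dst: str, inner: bytes, proto: int = GRE_PROTO_IPV4) -> bytes:
    """Wrap `inner` in the RFC 2784 base GRE header (C=0, version 0) plus an outer IPv4 header.
    Nothing is encrypted: the inner bytes are carried as-is."""
    gre_header = struct.pack("!HH", 0x0000, proto)  # C | Reserved0 | Ver=0, then Protocol Type
    body = gre_header + inner
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(body)) + body


def gre_decapsulate(pkt: bytes):
    """Return (outer IP fields, GRE protocol type, inner packet), or raise if this is not GRE."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags_ver, proto = struct.unpack("!HH", outer["payload"][:4])
    if flags_ver & 0x0007:
        raise ValueError("GRE version must be 0 (RFC 2784)")
    header_len = 8 if flags_ver & 0x8000 else 4  # C bit set: Checksum + Reserved1 follow
    return outer, proto, outer["payload"][header_len:]


def build_keepalive_request(src: str, dst: str) -> bytes:
    """Tunnel source side: the reply (dst -> src, empty GRE payload, protocol type 0) is built
    first, then encapsulated inside the request (src -> dst). Layout is an assumption."""
    reply = gre_encapsulate(dst, src, b"", proto=0x0000)
    return gre_encapsulate(src, dst, reply)


def tunnel_destination_forward(pkt: bytes) -> bytes:
    """Tunnel destination side: decapsulate the request and forward the inner packet as ordinary
    IP traffic. It is addressed to the originating peer, so it travels straight back."""
    _outer, proto, inner = gre_decapsulate(pkt)
    if proto != GRE_PROTO_IPV4:
        raise ValueError("keepalive payload must be an IPv4 packet")
    return inner


def is_keepalive_reply(pkt: bytes, my_ip: str, peer_ip: str) -> bool:
    """Tunnel source side: an empty GRE packet from the peer to us is the keepalive reply."""
    outer, proto, inner = gre_decapsulate(pkt)
    return outer["src"] == peer_ip and outer["dst"] == my_ip and proto == 0 and inner == b""


if __name__ == "__main__":
    # 1. Constructed inner packet (TCP header omitted): the request text stays readable on the wire.
    inner = ipv4_header("10.1.2.3", "192.0.2.80", 6, 14) + b"GET / HTTP/1.1"
    wire = gre_encapsulate(TUNNEL_SRC, TUNNEL_DST, inner)
    print("plaintext visible in GRE packet:", b"GET / HTTP/1.1" in wire)
    # 2. Keepalive round trip between the two tunnel endpoints.
    request = build_keepalive_request(TUNNEL_SRC, TUNNEL_DST)
    forwarded = tunnel_destination_forward(request)
    print("keepalive reply received:", is_keepalive_reply(forwarded, TUNNEL_SRC, TUNNEL_DST))
```

Running the block prints two booleans: the first confirms the HTTP request text is readable inside the GRE packet, which is the "no encryption" point above; the second confirms that the packet the destination merely decapsulates and forwards arrives back at the source as the keepalive reply, so a missing reply means the far end is no longer decapsulating.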

Why Configure a GRE Tunnel for Your Corporate Network?

If your corporate firewall or router supports GRE and its egress port has a static IP address, Zscaler recommends configuring a GRE tunnel for forwarding HTTP and HTTPS traffic to the Zscaler service.

Benefits of Using GRE Tunnels:

  • Supports HTTP and HTTPS Traffic: GRE tunnels are versatile in handling both types of traffic.
  • Failover Support: In case the primary ZEN (Zscaler Enforcement Node) becomes unavailable, GRE tunnels support failover.
  • Minimal Overhead: The configuration requires minimal resources and effort.
  • No End-User Configuration Needed: No need to configure settings on individual computers or laptops.
  • Enhanced Security: Users on your corporate network cannot bypass the service, ensuring consistent security policies.
  • Policy Design and Logging: Tunneling can provide internal IP address information to Zscaler, which can be used in policy design and logging.

Deployment Scenarios for GRE Tunnels

When deploying GRE tunnels, there are several common scenarios to consider. Below is a recommended approach:

1. GRE Tunnels from the Internal Router to ZENs

Recommended Configuration:

  • Dual GRE Tunnels:
      • Configure two GRE tunnels from an internal router (located behind the firewall) to Zscaler Enforcement Nodes (ZENs).
      • Primary Tunnel: Connects the router to a ZEN in one data center.
      • Secondary Tunnel: Connects the router to a ZEN in another data center.

Benefits of This Deployment:

  • Visibility: This setup provides visibility into internal IP addresses, which Zscaler can use for security policies and logging.
  • Redundancy: Ensures continuous service by providing a backup path in case the primary ZEN becomes unavailable.

Configuration Details:

  • GRE Tunnel Source IP:
      • The source IP for the GRE tunnel should be a public IP address configured on the loopback interface of the router.
  • Firewall Configuration:
      • A rule must be defined on the firewall to allow GRE traffic originating from the router.
  • Support for Redundant Routers/ISPs:
      • If your organization has redundant routers and/or ISPs, you can configure the routers to fail over automatically to a redundant ISP. This ensures uninterrupted service even if the primary ISP fails.

2. GRE Tunnels from the Corporate Firewall to ZENs

In this deployment scenario, if your corporate firewall supports GRE, you can establish GRE tunnels directly from the firewall to Zscaler Enforcement Nodes (ZENs). This approach is similar to the router-based GRE deployment but offers an alternative where the firewall plays a central role.

Configuration Overview:

  • Dual GRE Tunnels:
      • Primary Tunnel: Configure a GRE tunnel from the firewall to a ZEN in one data center.
      • Secondary Tunnel: Configure a second GRE tunnel from the firewall to a ZEN in another data center for redundancy.
  • Firewall Rules:
      • Traffic Routing: Define a rule on the firewall to route HTTP and HTTPS traffic through the GRE tunnels to the ZENs.
      • NAT and Direct Internet Traffic: The firewall applies NAT to all other types of traffic, which it sends directly to the Internet without passing through the GRE tunnels.

Benefits of This Deployment:

  • Visibility: Just like the router-based deployment, this configuration provides visibility into internal IP addresses, allowing Zscaler to use this information for security policies and logging.
  • Simplified Routing: By managing GRE tunnels directly from the firewall, you centralize traffic management, which can simplify your network architecture.

3. GRE Tunnels from the Border Router to ZENs

If deploying GRE tunnels from the internal router or the corporate firewall is not feasible, an alternative is to configure a GRE tunnel from your border router to Zscaler Enforcement Nodes (ZENs). However, this method is the least preferred due to the limitations it imposes.

Configuration Overview:

  • Single GRE Tunnel:
      • Primary Tunnel: Configure a GRE tunnel from the border router to a ZEN in a data center.
  • Traffic Routing:
      • HTTP and HTTPS Traffic: Configure the border router to send all HTTP and HTTPS traffic through the GRE tunnel to the ZEN.
      • Other Traffic: All other traffic bypasses the GRE tunnel and is sent directly to the Internet.

Limitations:

  • No Internal IP Visibility: Unlike the other deployment scenarios, this method does not provide visibility into internal IP addresses. This lack of visibility limits the effectiveness of Zscaler’s security policies and logging.

When to Use This Deployment:

  • This method should only be considered if the internal router or corporate firewall-based GRE deployments are not feasible. It serves as a fallback option rather than the primary choice.
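The firewall rules of the corporate-firewall scenario and the visibility limitation of the border-router scenario, modelled together as an added example that is not Zscaler's or any firewall vendor's code. It encodes the egress decision as data: TCP flows to ports 80 and 443 go into the primary GRE tunnel, move to the secondary tunnel once the primary stops answering keepalives, and all other traffic is source-NATed and sent direct. The `nat_before_tunnel` switch models the border-router case, where NAT has already happened before encapsulation, so the ZEN only ever sees the public address. The addresses, the keepalive interval and retry count, the fail-closed behaviour when both tunnels are down, and every class and function name are this example's assumptions, not values from the post.

```python
from dataclasses import dataclass

# Constructed addresses from the RFC 5737 documentation ranges; ZEN addresses are placeholders.
FIREWALL_PUBLIC_IP = "203.0.113.10"
ZEN_DC1 = "198.51.100.20"
ZEN_DC2 = "198.51.100.30"


@dataclass
class GreTunnel:
    """One GRE tunnel plus the keepalive state used to decide whether it is usable."""
    name: str
    source: str                         # public IP on the firewall or router loopback
    destination: str                    # ZEN in one data center
    keepalive_interval: float = 10.0    # seconds between keepalive requests (assumed value)
    keepalive_retries: int = 3          # missed replies before the tunnel counts as down (assumed)
    last_reply_at: float = 0.0          # timestamp of the most recent keepalive reply

    def is_up(self, now: float) -> bool:
        """Up while the last reply is within retries * interval seconds of now."""
        return now - self.last_reply_at <= self.keepalive_interval * self.keepalive_retries


@dataclass(frozen=True)
class Flow:
    src: str      # internal client address
    dst: str      # Internet destination
    proto: str    # "tcp" or "udp"
    dport: int


class EgressPolicy:
    """Egress decision: web traffic into the GRE tunnels (primary first, then secondary);
    everything else is source-NATed and sent directly to the Internet."""

    WEB_PORTS = (80, 443)

    def __init__(self, primary: GreTunnel, secondary: GreTunnel, public_ip: str,
                 nat_before_tunnel: bool = False):
        self.tunnels = (primary, secondary)
        self.public_ip = public_ip
        # True models the border-router deployment: NAT has already happened upstream,
        # so the only source address the tunnel can carry is the translated public one.
        self.nat_before_tunnel = nat_before_tunnel

    def decide(self, flow: Flow, now: float) -> dict:
        if not (flow.proto == "tcp" and flow.dport in self.WEB_PORTS):
            return {"action": "nat-direct", "src": self.public_ip}
        for tunnel in self.tunnels:
            if tunnel.is_up(now):
                inner_src = self.public_ip if self.nat_before_tunnel else flow.src
                return {"action": "gre", "tunnel": tunnel.name,
                        "outer": (tunnel.source, tunnel.destination),
                        "inner_src": inner_src}   # what the ZEN sees for policy and logging
        # Design choice for this example: fail closed, so web traffic cannot bypass the service.
        return {"action": "drop", "reason": "no ZEN tunnel is up"}


if __name__ == "__main__":
    now = 1000.0
    primary = GreTunnel("primary", FIREWALL_PUBLIC_IP, ZEN_DC1, last_reply_at=now - 5)
    secondary = GreTunnel("secondary", FIREWALL_PUBLIC_IP, ZEN_DC2, last_reply_at=now - 5)
    firewall = EgressPolicy(primary, secondary, FIREWALL_PUBLIC_IP)
    https = Flow("10.1.2.3", "192.0.2.80", "tcp", 443)
    dns = Flow("10.1.2.3", "192.0.2.53", "udp", 53)
    print("healthy:", firewall.decide(https, now))
    print("non-web:", firewall.decide(dns, now))
    primary.last_reply_at = now - 60  # three keepalive intervals without a reply
    print("primary down:", firewall.decide(https, now))
    border = EgressPolicy(primary, secondary, FIREWALL_PUBLIC_IP, nat_before_tunnel=True)
    print("border router:", border.decide(https, now))
```

The last line of output shows the border-router limitation directly: the decision is otherwise identical, but `inner_src` is the firewall's public address rather than 10.1.2.3, so a per-user or per-subnet policy at the ZEN has nothing to match on.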


Ram Dixit

Ethical hacker || Follow on LinkedIn - https://www.linkedin.com/in/ram-dixit || If anyone is interested in learning more, visit our website: https://www.techclick.in/