Sophos XG Firewall: How to configure a GRE tunnel


  • Generic Routing Encapsulation (GRE) is a simple IP packet encapsulation protocol. GRE tunnels are mainly used to carry other routed protocols across a network that is predominantly IP: only IP has to be routed on the transit network, and the other protocols travel inside the tunnel, which removes a lot of overhead for the network administrator.
  • This tutorial walks through configuring a GRE tunnel between two sites, a Head Office and a Branch Office.

What to do

  • Create a GRE tunnel between a Head Office network and a Branch Office network. The clients at the Branch Office need to reach the WINS server at the Head Office over NetBIOS for name registration and resolution. The network scenario is displayed in the diagram below.

  • Note: GRE tunnels cannot be configured on dynamic WAN interfaces such as PPPoE and DHCP.
  • To create a GRE tunnel between the Head Office network and the Branch Office network, follow the steps below. The configuration is done from the Sophos Firewall CLI, with administrative access to the firewall at both the Head Office and the Branch Office.

Create a GRE Tunnel:

  • Log in to the CLI over Telnet or SSH.
  • Select option 4, Device Console, to access the CLI.
  • Create the GRE tunnel between the two sites by executing the following command on each side:
  • Head Office:
    • system gre tunnel add name gre local-gw Port2 remote-gw local-ip remote-ip

  • Branch Office:
    • system gre tunnel add name gre local-gw Port2 remote-gw local-ip remote-ip

Configure the GRE Route

  • Configure the GRE route to define which traffic is sent between the two sites.
  • Log in to the command line and type the following commands:
  • Head Office:
    • system gre route add net tunnelname gre

  • Branch Office: 
    • system gre route add host tunnelname gre

  • You can view the GRE tunnel configuration by entering the following command:
    • system gre tunnel show
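The two procedures above, carried through on both consoles with one consistent set of values, as an added example that is not part of the original article. All addresses, the tunnel name and the Port2 assignment are constructed for illustration; the command syntax is the one shown in the steps above, and `system gre route show` is assumed to exist alongside `system gre tunnel show`.

```text
# Constructed values (not from the original article):
#   Head Office  : WAN on Port2 = 203.0.113.10, LAN = 192.168.10.0/24, WINS server = 192.168.10.5
#   Branch Office: WAN on Port2 = 198.51.100.20, LAN = 192.168.20.0/24
#   Tunnel endpoints: Head Office 10.10.10.1, Branch Office 10.10.10.2
#   (a /30 that overlaps neither LAN)

# --- Head Office device console (option 4) ---
# remote-gw is the Branch Office WAN address; local-ip/remote-ip are the tunnel endpoints
console> system gre tunnel add name gre local-gw Port2 remote-gw 198.51.100.20 local-ip 10.10.10.1 remote-ip 10.10.10.2
# route the whole Branch Office LAN into the tunnel
console> system gre route add net 192.168.20.0/24 tunnelname gre
console> system gre tunnel show
console> system gre route show

# --- Branch Office device console (option 4) ---
# mirror image of the Head Office entry: remote-gw is the Head Office WAN address,
# and local-ip/remote-ip are swapped
console> system gre tunnel add name gre local-gw Port2 remote-gw 203.0.113.10 local-ip 10.10.10.2 remote-ip 10.10.10.1
# only the WINS server needs to be reachable from the branch, so a host route is enough
console> system gre route add host 192.168.10.5 tunnelname gre
console> system gre tunnel show
console> system gre route show
```

When comparing the two `show` outputs, check that each side's remote-gw is the other side's Port2 address and that local-ip and remote-ip are exactly swapped; a mismatch in either pair is the first thing to look for when the tunnel is listed but no traffic crosses it. GRE itself adds no encryption or integrity protection, so the firewall rules in the next step are the only control over what is carried through the tunnel.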

Add Firewall Rules

  • Add VPN-LAN and LAN-VPN firewall rules on both the Head Office (HO) and Branch Office (BO) Sophos Firewall (SF) to allow the GRE traffic.
  • Navigate to Firewall and click +Add Firewall Rule. Create a new User/Network firewall rule as shown below.
