Netskope Help

GRE

Generic Routing Encapsulation (GRE) is a tunneling protocol for encapsulating packets inside a transport protocol. A GRE tunnel functions like a VPN but without encryption: it transports packets from one endpoint to another but provides no confidentiality, integrity protection, or peer authentication of its own. A GRE-capable router, such as a Cisco or Juniper device, encapsulates a payload packet inside a GRE packet, which it then encapsulates in a transport protocol such as IP.

GRE is ideal for steering HTTP and HTTPS traffic to the Netskope cloud. The Netskope GRE gateway validates the source IP of the tunnel as a known IP address, so the tunnel must originate from the static public egress address you register in the Netskope UI; that address is what ties the tunnel to your tenant.

Prerequisites

To use GRE:

  • You must have the Netskope Secure Web Gateway license.

  • Configure your source device to establish the GRE tunnel. See your router (or firewall) documentation for instructions. 

  • Configure your firewalls, if any, to allow the GRE tunnel. GRE is IP protocol 47, not a TCP or UDP port; if your firewall has an ACL blocking inbound connections, add a rule that permits protocol 47 between your source peer and the Netskope POP IP addresses. See your firewall documentation for instructions.

  • Only send HTTP (port 80) and HTTPS (port 443) through the GRE tunnel. You can also use custom ports for HTTP and HTTPS traffic.

    Note

    Netskope negotiates HTTP/2 for all domains if the origin server supports it; otherwise, Netskope falls back to HTTP/1.1. All other traffic continues to use HTTP/1.1. The Netskope Client, GRE/IPsec, and iOS access methods are fully supported. The protocol change is transparent to users and requires no admin configuration. Contact Support to enable this feature in your account.

  • You cannot implement NAT for endpoints inside the GRE tunnel.

  • The GRE gateway node responds to ICMP probes/keepalives only when the destination IP in the inner IP packet matches the GRE gateway probe IP listed for the corresponding Netskope POP on the GRE page of the Netskope UI. Probes to any other inner destination are dropped by the GRE gateway.

  • Ensure the Netskope Client is installed on your users' devices. If not, go to Settings > Manage > Certificates to download the Netskope root certificate and distribute it to your users' devices.

  • Calculate the maximum segment size (MSS) to account for the GRE and outer IP headers on the WAN interface. Without an MSS clamp, encapsulated packets exceed the WAN MTU and are fragmented, which degrades tunnel performance.

Workflow

The primary steps to configure GRE include:

  1. Configure GRE in the Netskope UI.  

  2. Configure the GRE tunnel from the source device so that a primary and a failover exists. You can configure as many GRE tunnels as needed from the sites that you tunnel traffic from. Each tunnel supports up to 1 Gbps throughput.

  3. Install the Netskope Client or provision the Netskope root certificate on devices.

  4. Choose steering/identity options.

Configure GRE in the Netskope UI

You must add the IP addresses of your source devices (e.g., router, firewall, etc.) in the Netskope UI and copy the Netskope point of presence (POP) IP addresses to establish GRE tunnels on your devices.

  1. Go to Settings > Security Cloud Platform > GRE.

  2. Click New GRE Configuration.

  3. In the New GRE Configuration window:

    • Configuration Name: Enter a name for the GRE tunnel.

    • Tunnel Type: Select VeloCloud if you are using VMware SASE for your GRE tunnel. Otherwise, select Default.

    • Source Peer: Enter the source peer IP address (i.e., the public exit IP) of the router or firewall that Netskope will receive packets from. Netskope identifies traffic belonging to your organization through these router or firewall IP addresses.

    GREnewConfig.png
  4. Click Save and View POPs.

  5. In the Netskope POPs window, copy the Netskope POP IP addresses of the two closest locations. You need this information to establish the GRE tunnels on your routers. For optimal performance, Netskope recommends using the geographically closest POPs and configuring at least two tunnels for each egress location in your network.

    GREviewPOPs.png

After a tunnel has been established on your devices, the tunnel appears in the table on the GRE page. The table shows the configuration name, source peer, Netskope POP(s), user traffic status, keepalive status, and throughput in Kbps. The user traffic status types are Seen and Unseen.

Click a tunnel name to edit the GRE tunnel configuration. Alternatively, click the menu icon to the right of the tunnel listing to edit, enable, disable, or delete the tunnel.

You can also search for tunnel configuration using the filters for source peer, Netskope POP, User Traffic Status, and Keepalive Status.

Configure GRE Tunnels on Source Device

Netskope recommends configuring two GRE tunnels from your location to the Netskope POPs. This ensures high availability for tunneling traffic through GRE. Here is an example of how to configure your GRE tunnels:

GREtunnel.png
  1. Configure your router/firewall for GRE. Refer to Deploying GRE Tunnels and Monitoring GRE Tunnels below for specifics.

  2. Configure the GRE tunnels to direct traffic to the Netskope POPs. 

  3. Traffic is directed through the Netskope cloud. 

Deploying GRE Tunnels

Create two GRE tunnels for each egress location in your network. Having two GRE tunnels ensures that connectivity is maintained in the event of an outage on the primary tunnel. The second GRE tunnel takes over until the first GRE tunnel gets restored. The second tunnel should be connected to a different Netskope data center than the first one.

Calculate the maximum transmission unit (MTU) and maximum segment size (MSS) needed for your GRE tunnels based on the configuration of your WAN interface. If the MTU is not calculated correctly, fragmentation increases and performance suffers.

Here is a sample MTU and MSS calculation for a WAN interface with a 1500-byte MTU:

WAN Interface MTU = 1500

WAN Interface MSS = MTU (1500) - IP (20 bytes header) - TCP (20 bytes header) = 1460

GRE = 4 bytes header

GRE MTU = MTU (1500) - IP (20) - GRE (4) = 1476

GRE MSS = GRE MTU (1476) - IP (20) - TCP (20) = 1436
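The arithmetic above, generalised into a small calculator, as an added example that is not part of the Netskope page. It reproduces the 1500-byte case and also covers what the page's formula leaves out: GRE options that lengthen the header (the checksum, key and sequence fields add 4 bytes each, per RFC 2784/2890), an IPv6 outer header (40 bytes instead of 20), and a check showing why an unclamped 1460-byte MSS leads to fragmentation once the packet is encapsulated. The header sizes are protocol constants; everything else is an assumption of the example.

```python
"""MTU/MSS arithmetic for a GRE tunnel, generalised from the 1500-byte worked
example above. Added example, not from the Netskope page: the base GRE header
is 4 bytes and the optional checksum, key and sequence fields add 4 bytes each
(RFC 2784/2890); an IPv6 outer header is 40 bytes instead of 20."""

IPV4_HDR = 20
IPV6_HDR = 40
TCP_HDR = 20
GRE_BASE = 4


def gre_header_len(checksum=False, key=False, sequence=False):
    """GRE header length for the options configured on the tunnel interface."""
    return GRE_BASE + 4 * (checksum + key + sequence)


def tunnel_mtu_mss(wan_mtu=1500, outer_ipv6=False, **gre_opts):
    """Return (wan_mss, gre_mtu, gre_mss) for a given WAN interface MTU."""
    outer_ip = IPV6_HDR if outer_ipv6 else IPV4_HDR
    wan_mss = wan_mtu - IPV4_HDR - TCP_HDR                 # untunnelled IPv4 TCP
    gre_mtu = wan_mtu - outer_ip - gre_header_len(**gre_opts)
    gre_mss = gre_mtu - IPV4_HDR - TCP_HDR                 # inner packet is IPv4 + TCP
    return wan_mss, gre_mtu, gre_mss


def encapsulated_size(tcp_payload, outer_ipv6=False, **gre_opts):
    """Bytes on the WAN link for one inner TCP segment carrying tcp_payload bytes."""
    outer_ip = IPV6_HDR if outer_ipv6 else IPV4_HDR
    return outer_ip + gre_header_len(**gre_opts) + IPV4_HDR + TCP_HDR + tcp_payload


def fragments_on_wan(tcp_payload, wan_mtu=1500, **kw):
    """True when a segment of this size no longer fits the WAN MTU once encapsulated,
    so it is fragmented (or dropped if DF is set). This is what an unclamped MSS
    causes: hosts negotiate 1460 from the 1500-byte LAN MTU, and 1460 plus 64 bytes
    of headers exceeds 1500."""
    return encapsulated_size(tcp_payload, **kw) > wan_mtu


if __name__ == "__main__":
    for opts in ({}, {"key": True}, {"outer_ipv6": True}):
        print(opts or "default", "-> (wan_mss, gre_mtu, gre_mss) =", tunnel_mtu_mss(**opts))
    print("1460-byte segment fragments:", fragments_on_wan(1460))   # unclamped MSS
    print("1436-byte segment fragments:", fragments_on_wan(1436))   # clamped MSS
```

The gre_mss value is the number to clamp to on the tunnel interface (on Cisco IOS, for example, with ip tcp adjust-mss on the tunnel interface). If you enable a tunnel key or sequence numbers later, rerun the calculation: each option lowers the usable MSS by 4 bytes.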

Important

Use policy-based routing so that only web traffic (TCP ports 80 and 443) is steered into the GRE tunnels.

Monitoring GRE Tunnels

Monitor your GRE tunnels to ensure failover between the primary and backup GRE tunnels. Enable GRE keepalives as a basic detection mechanism. 

  • For Cisco routers, you can use IP SLA or keepalive on the tunnel interface to monitor the tunnels.

    Keepalive on Cisco devices uses a GRE packet, with the source and destination IP addresses reversed, sent as the inner payload from the source peer. The GRE destination decapsulates and relays the inner packet back to the source peer; receiving it indicates the tunnel is up.

  • For Juniper routers, you can use RPM or keepalive to monitor the tunnels.

    Keepalive on Juniper devices uses an ICMP packet between the endpoints' inner IP addresses, sent over the GRE tunnel. These inner IPs are allocated by Netskope so that the Netskope GRE gateway can be configured to respond and indicate that the tunnel is up.

For high availability, keepalives let a GRE endpoint fail over to the backup tunnel when no response is received. The Netskope GRE gateway returns a keepalive response only if there are no health check issues with the tenant-specific proxy, so a missing response can reflect a proxy health problem as well as a path problem.

If the Netskope GRE gateway does not observe any keepalive packet within a minute, the tunnel probe status is flagged as down and the GRE service updates the keepalive status to Not Seen in the Netskope UI.
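A byte-level model of the two keepalive mechanisms described above, as an added example that is not Netskope's, Cisco's or Juniper's code. It builds the Cisco-style keepalive (a GRE packet whose inner payload is a GRE packet with source and destination reversed), shows how a gateway that decapsulates and relays the inner packet produces the reply the router expects, and builds the ICMP-style probe. The gateway logic is a simplification of what the page states: only registered source peers are accepted, and an ICMP probe is answered only when its inner destination is the published probe IP. All addresses are constructed placeholders.

```python
"""Byte-level model of the GRE keepalive exchange described above. This is an
added example, not Netskope's, Cisco's or Juniper's code; all addresses are
constructed placeholders and the gateway logic is a simplification of the
behaviour the page states (source-peer check, ICMP probe only to the probe IP).
Pure standard library; run it to print what each side sees."""
import ipaddress
import struct

GRE_PROTO = 47                      # IP protocol number for GRE
ICMP_PROTO = 1
ETHERTYPE_IPV4 = 0x0800             # GRE protocol-type for an IPv4 payload
GRE_IPV4 = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # base RFC 2784 header, 4 bytes
GRE_EMPTY = struct.pack("!HH", 0, 0)               # header with no payload (keepalive)


def _checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum, used for both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header, DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """Verify the header checksum and split an IPv4 packet into fields and payload."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or _checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9])),
            "proto": f[6], "payload": pkt[ihl:f[2]]}


def build_cisco_keepalive(router_ip: str, pop_ip: str) -> bytes:
    """Outer: router -> POP, GRE.  Inner: POP -> router, GRE with nothing after it."""
    inner = ipv4_header(pop_ip, router_ip, len(GRE_EMPTY), GRE_PROTO) + GRE_EMPTY
    return ipv4_header(router_ip, pop_ip, len(GRE_IPV4) + len(inner), GRE_PROTO) + GRE_IPV4 + inner


def build_icmp_probe(inner_src: str, inner_dst: str, router_ip: str, pop_ip: str) -> bytes:
    """Juniper-style probe: an ICMP echo request between the tunnel's inner IPs,
    carried inside GRE from the router to the POP."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)           # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    inner = ipv4_header(inner_src, inner_dst, len(icmp), ICMP_PROTO) + icmp
    return ipv4_header(router_ip, pop_ip, len(GRE_IPV4) + len(inner), GRE_PROTO) + GRE_IPV4 + inner


def gateway_decapsulate(pkt: bytes, known_peers: set):
    """Gateway side: accept only registered source peers, strip IP + GRE and return
    the inner packet for normal routing. None means the packet was dropped."""
    outer = parse_ipv4(pkt)
    if outer["src"] not in known_peers or outer["proto"] != GRE_PROTO:
        return None
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0xB000 or ptype != ETHERTYPE_IPV4:   # C/K/S bits lengthen the header; not modelled
        return None
    return outer["payload"][4:]


def gateway_answers_icmp_probe(inner: bytes, probe_ip: str) -> bool:
    """Prerequisite from the page: an inner ICMP echo is answered only when its
    destination is the probe IP published for that POP; anything else is dropped."""
    ip = parse_ipv4(inner)
    return ip["proto"] == ICMP_PROTO and ip["dst"] == probe_ip and ip["payload"][0] == 8


def router_sees_keepalive_reply(pkt: bytes, router_ip: str, pop_ip: str) -> bool:
    """Router side: the relayed inner packet comes back as a GRE packet from the POP
    with an empty GRE header and no payload, which the router counts as a keepalive reply."""
    ip = parse_ipv4(pkt)
    return (ip["src"], ip["dst"], ip["proto"]) == (pop_ip, router_ip, GRE_PROTO) and ip["payload"] == GRE_EMPTY


if __name__ == "__main__":
    router, pop, probe_ip = "203.0.113.10", "198.51.100.1", "10.255.0.1"   # constructed placeholders
    reply = gateway_decapsulate(build_cisco_keepalive(router, pop), {router})
    print("keepalive reply seen by router:", router_sees_keepalive_reply(reply, router, pop))
    print("unknown peer dropped:", gateway_decapsulate(build_cisco_keepalive("192.0.2.7", pop), {router}) is None)
    probe = gateway_decapsulate(build_icmp_probe("10.255.0.2", probe_ip, router, pop), {router})
    print("probe to published IP answered:", gateway_answers_icmp_probe(probe, probe_ip))
    print("probe to other inner IP answered:", gateway_answers_icmp_probe(probe, "10.255.0.9"))
```

Two troubleshooting points fall out of the model: a keepalive from a source IP that is not registered on the GRE page never produces a reply, so the tunnel shows down even though the path is fine; and an ICMP probe aimed at anything other than the POP's published probe IP is silently dropped, so Juniper RPM must target exactly that address.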

Traffic Steering and Identity Options

To steer traffic and identify users, use one or more of these methods.

Install the Netskope Client for Root CA Distribution, User Identity, and User Notifications

Installing the Netskope Client is optional, but doing so facilitates the certificate distribution on devices and provides coverage for remote users. The Client provides user identification directly to Netskope and eliminates the need to implement authentication on the GRE tunnel.

We recommend installing the Client so it can send device and user info to the Netskope Cloud and show user-facing notifications that result from policy violations. To do this, go to Settings > Security Cloud Platform > Devices > Client Configuration and enable the feature Enable Device Classification and Client-Based End User Notifications when the Client is Disabled.  When the Client detects a GRE tunnel, it disables the data tunnel (TLS tunnel) to the Netskope platform, but continues sending user identity to Netskope and facilitating user notifications on the endpoint.

Provision Certificates on Devices

Certificates only need to be provisioned on devices that do not have the Netskope Client installed. Get the root certificate from the Netskope UI and provision it on your devices. In the Netskope UI, go to Settings > Manage > Certificates to download the certificates.  Check the product documentation for your devices to learn how to provision the certificates.

Use SAML Authentication

If you don't use the Netskope Client, you can use SAML to authenticate a user with your Identity Provider (IdP) before their traffic is tunneled via GRE. Use Netskope as an authentication mode to integrate with an IdP.

Enable Authentication

You can use SAML to authenticate a user to Netskope before their connection is allowed to traverse the GRE tunnel. Use Netskope as an authentication mode to integrate with an Identity Provider (IdP). Netskope acts as the authentication module: it integrates with the IdP and consumes the IdP's signed authentication assertion after the user has authenticated, validating the assertion signature with the IdP certificate you configure below.

  1. Go to Settings > Security Cloud Platform > Forward Proxy > Authentication.

  2. Click Enable Authentication.

  3. Click the Enabled checkbox to turn this feature on.

  4. Click Create New for SAML based authentication. The Add SAML Account window opens.

  5. Configure these parameters:

    • Name: Enter a name identifying the account.

    • IdP URL: Contact your third party Identity Provider and add the unique IdP login URL in this field.

    • IdP Entity ID:  Type your globally unique name for your SAML entity.

    • IdP Certificate: Copy and paste the PEM format certificate of the third party IdP in this field. This is required by Netskope to validate the signature of the SAML assertion.

    • Alternate User ID Field: Netskope looks at the NameID field in the SAML assertion to get the user identity. If you would like to use another field for user identification, type the name of the SAML attribute in this field.

    • Group Attribute: Enter the name:value pair of the SAML attribute that carries the user's group and role memberships, so Netskope can apply group-based policies.

  6. Click Save.

Authentication Bypass Settings

You can specify domains, web categories, and network IP addresses for which user authentication is not required.

Domain Bypass

Click Edit and add comma-separated URLs to bypass. When finished, click Save.

FPauthDomainsBypass.png

Note

Netskope recommends adding your IdP domains here so that the authentication redirect to the IdP is not itself subject to authentication.

Web Category Bypass

Click Edit and add the web categories to bypass. When finished, click Save.

FPauthWebCategoryBypass.png
IP Address Bypass

Click Edit and search for source networks. For each of the networks found, you can choose to bypass based on User IPs or Egress IPs (just one, not both).

FPauthIPaddressBypass.png

If search does not locate the network you want to bypass, click +New to add it.

FPauthIPaddressBypassAddNetwork1.png

Enter the IP address, IP address range, or CIDR netmask in the text field, and then click the adjacent + button. Multiple network locations can be added. After adding the network locations, click Next, enter a name, and then click Save Network Location.

Select User IP or Egress Source IP for each network location, and then click Save.

Troubleshooting

Certificate Issues:

  • If you see a certificate error in the browser, inspect the certificate the browser presents and make sure the Netskope root certificate is installed on the end-user device.

Connection issues: 

If end-to-end traffic is not working:

  • Check the GRE tunnel status on the exit router to confirm the tunnel is up.

  • Check the tunnel interface counters to see if they are going up or not, which would indicate the transit of traffic.

  • If a tunnel is down, check that the GRE/ICMP keepalives sent by the exit router are receiving keepalive responses.

  • If a tunnel is down, end-to-end traffic should still flow through the router's default gateway (outside the tunnel).

  • If the tunnel is up, check the route-map configured to re-direct the traffic.

  • Make sure the firewall is allowing GRE traffic.

  • Make sure the router exit IP (public IP) is added to the GRE page from Netskope console (tenant UI).

  • Route map should ideally be configured to redirect port 443/80 over the GRE Tunnel.

  • Contact Netskope Support.

Performance issues:

  • Run mtr against the Netskope GRE POP IP address. It shows the round-trip time between your environment and the Netskope cloud, along with packet loss per hop.

  • Capture packets on the egress interface with Wireshark (or tcpdump) to see complete TCP statistics for the tunnelled flows.

GRE device status:

  • Log in to the source peer device to determine the GRE tunnel status. If the tunnel is down, the device is likely unable to communicate with the Netskope GRE service, or this GRE node/site is not yet provisioned. Go to the Netskope GRE page to confirm.