GRE over IPSec application scenario
With a plain IPSec VPN the local device cannot tell how many devices sit behind the peer; the local end shares a single IPSec SA with it. The IPSec encapsulation carries no next hop for the peer device, so multicast, broadcast and non-IP packets cannot be transmitted, OSPF for example, and the internal networks of the branch and the headquarters cannot exchange OSPF routes.
GRE over IPSec combines the strengths of both protocols: GRE encapsulates multicast, broadcast and non-IP packets into ordinary IP packets, and IPSec then secures those encapsulated IP packets, so broadcast and multicast traffic can be carried securely between the headquarters and its branches.
GRE over IPSec packet encapsulation
When gateways are connected with GRE over IPSec, GRE encapsulation is performed first and IPSec encapsulation second. GRE over IPSec can use either tunnel mode or transport mode. The encapsulation of a GRE over IPSec packet using the AH protocol is as follows:
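The header stack described above, as an added example that is not part of the original page: it models GRE encapsulation followed by IPSec in both modes and, beyond the AH case the text shows, also ESP as used in the lab below (AES-256 with SHA2-256), so the byte overhead and the largest original packet that still fits a 1500-byte MTU can be read off. Header sizes are assumptions: IPv4 without options, a 4-byte GRE header without key or sequence number, and a 128-bit ICV.

```python
# Added example (not from the page): model the header stack that GRE
# encapsulation followed by IPSec produces, and what it costs in bytes.
# Assumed sizes: IPv4 without options, 4-byte GRE header (no key/sequence),
# ESP with AES-256-CBC + HMAC-SHA2-256-128 (the lab's tran1), AH with HMAC-SHA2-256-128.
IPV4 = 20
GRE = 4
AH = 12 + 16        # fixed AH fields + 128-bit ICV
ESP_HEAD = 8 + 16   # SPI + sequence number + AES-CBC IV
ESP_TAIL = 2        # pad length + next header
ESP_ICV = 16
BLOCK = 16          # ESP pads (protected data + ESP_TAIL) to the AES block size


def gre_over_ipsec(orig_len, protocol="esp", mode="tunnel"):
    """(layer, bytes) pairs, outermost first, for an original IP packet of
    orig_len bytes (header included) after GRE and then IPSec encapsulation."""
    # Step 1: GRE wraps the original packet; the delivery header carries the tunnel endpoints.
    delivery = ("GRE delivery IP", IPV4)
    gre_pkt = [("GRE", GRE), ("original IP packet", orig_len)]
    # Step 2: IPSec protects the GRE packet. Transport mode keeps the delivery header
    # as the outer header; tunnel mode protects it as well and adds a new outer header.
    protected = gre_pkt if mode == "transport" else [delivery] + gre_pkt
    if protocol == "ah":
        body = [("AH", AH)] + protected
    elif protocol == "esp":
        pad = -(sum(n for _, n in protected) + ESP_TAIL) % BLOCK
        body = ([("ESP header", ESP_HEAD)] + protected
                + [("ESP padding", pad), ("ESP trailer", ESP_TAIL), ("ESP ICV", ESP_ICV)])
    else:
        raise ValueError(f"unknown IPSec protocol {protocol!r}")
    outer = delivery if mode == "transport" else ("new outer IP", IPV4)
    return [outer] + body


def wire_len(orig_len, protocol="esp", mode="tunnel"):
    return sum(n for _, n in gre_over_ipsec(orig_len, protocol, mode))


def overhead(orig_len, protocol="esp", mode="tunnel"):
    return wire_len(orig_len, protocol, mode) - orig_len


def max_original_packet(mtu, protocol="esp", mode="tunnel"):
    """Largest original IP packet that still fits the link MTU after encapsulation;
    bigger packets fragment or, with DF set, are dropped (the usual GRE over IPSec MTU pitfall)."""
    return max(n for n in range(IPV4, mtu + 1) if wire_len(n, protocol, mode) <= mtu)
```

With the lab's ESP tunnel mode, `max_original_packet(1500)` shows that an original packet of more than 1414 bytes no longer fits a 1500-byte link, which is why the tunnel MTU or TCP MSS is usually lowered on the tunnel interface.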
Advantages of GRE over IPSec
GRE over IPSec lab
Lab topology
Lab configuration
## Configure interface IP addresses (AR1).
[AR1]interface g0/0/0
[AR1-GigabitEthernet0/0/0]ip address 1.1.3.2 255.255.255.0
[AR1-GigabitEthernet0/0/0]quit
#
[AR1]interface g0/0/1
[AR1-GigabitEthernet0/0/1]ip address 1.1.5.2 255.255.255.0
[AR1-GigabitEthernet0/0/1]quit
## Configure OSPF (AR1).
[AR1]ospf 1
[AR1-ospf-1]area 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]network 1.1.3.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 1.1.5.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]quit
[AR1-ospf-1]quit
## Configure interface IP addresses (FW1).
[FW1]interface gigabitethernet 1/0/0
[FW1-GigabitEthernet1/0/0]ip address 10.1.1.11 255.255.255.0
[FW1-GigabitEthernet1/0/0]quit
#
[FW1]interface gigabitethernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 1.1.3.11 255.255.255.0
[FW1-GigabitEthernet1/0/1]quit
## Add the interfaces to their security zones.
[FW1]firewall zone trust
[FW1-zone-trust]add interface gigabitethernet 1/0/0
[FW1-zone-trust]quit
#
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface gigabitethernet 1/0/1
[FW1-zone-untrust]quit
## Configure inter-zone security policies.
[FW1]security-policy
[FW1-policy-security]rule name policy1
[FW1-policy-security-rule-policy1]source-zone trust
[FW1-policy-security-rule-policy1]destination-zone untrust
[FW1-policy-security-rule-policy1]source-address 10.1.1.0 24
[FW1-policy-security-rule-policy1]destination-address 10.1.2.0 24
[FW1-policy-security-rule-policy1]action permit
[FW1-policy-security-rule-policy1]quit
#
[FW1-policy-security]rule name policy2
[FW1-policy-security-rule-policy2]source-zone untrust
[FW1-policy-security-rule-policy2]destination-zone trust
[FW1-policy-security-rule-policy2]source-address 10.1.2.0 24
[FW1-policy-security-rule-policy2]destination-address 10.1.1.0 24
[FW1-policy-security-rule-policy2]action permit
[FW1-policy-security-rule-policy2]quit
#
[FW1-policy-security]rule name policy3
[FW1-policy-security-rule-policy3]source-zone local
[FW1-policy-security-rule-policy3]destination-zone untrust
[FW1-policy-security-rule-policy3]source-address 1.1.3.11 32
[FW1-policy-security-rule-policy3]destination-address 1.1.5.22 32
[FW1-policy-security-rule-policy3]action permit
[FW1-policy-security-rule-policy3]quit
#
[FW1-policy-security]rule name policy4
[FW1-policy-security-rule-policy4]source-zone untrust
[FW1-policy-security-rule-policy4]destination-zone local
[FW1-policy-security-rule-policy4]source-address 1.1.5.22 32
[FW1-policy-security-rule-policy4]destination-address 1.1.3.11 32
[FW1-policy-security-rule-policy4]action permit
[FW1-policy-security-rule-policy4]quit
[FW1-policy-security]quit
## Configure GRE on FW1.
[FW1]interface tunnel 1
[FW1-Tunnel1]tunnel-protocol gre
[FW1-Tunnel1]ip address 30.1.1.1 255.255.255.0
[FW1-Tunnel1]source 1.1.3.11
[FW1-Tunnel1]destination 1.1.5.22
[FW1-Tunnel1]quit
## Add interface Tunnel 1 to the Untrust zone.
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface tunnel 1
[FW1-zone-untrust]quit
## Configure OSPF routing (FW1).
[FW1]ospf 1
[FW1-ospf-1]area 0.0.0.0
[FW1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]network 1.1.3.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]quit
[FW1-ospf-1]quit
## Create advanced ACL 3000 with a rule matching source IP 1.1.3.11 and destination IP 1.1.5.22.
[FW1]acl 3000
[FW1-acl-adv-3000]rule 5 permit ip source 1.1.3.11 0 destination 1.1.5.22 0
[FW1-acl-adv-3000]quit
## Configure IPSec proposal tran1 with the default parameters (set explicitly below).
[FW1]ipsec proposal tran1
[FW1-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[FW1-ipsec-proposal-tran1]esp encryption-algorithm aes-256
[FW1-ipsec-proposal-tran1]quit
## Configure IKE proposal 10 with the default parameters (set explicitly below).
[FW1]ike proposal 10
[FW1-ike-proposal-10]authentication-method pre-share
[FW1-ike-proposal-10]prf hmac-sha2-256
[FW1-ike-proposal-10]encryption-algorithm aes-256
[FW1-ike-proposal-10]dh group14
[FW1-ike-proposal-10]integrity-algorithm hmac-sha2-256
[FW1-ike-proposal-10]quit
## Configure the IKE peer.
[FW1]ike peer b
[FW1-ike-peer-b]ike-proposal 10
[FW1-ike-peer-b]remote-address 1.1.5.22
[FW1-ike-peer-b]pre-shared-key Test!123
[FW1-ike-peer-b]quit
## Configure an IPSec policy negotiated through IKE.
[FW1]ipsec policy map1 10 isakmp
[FW1-ipsec-policy-isakmp-map1-10]security acl 3000
[FW1-ipsec-policy-isakmp-map1-10]proposal tran1
[FW1-ipsec-policy-isakmp-map1-10]ike-peer b
[FW1-ipsec-policy-isakmp-map1-10]quit
## Apply IPSec policy group map1 to interface GE1/0/1.
[FW1]interface gigabitethernet 1/0/1
[FW1-GigabitEthernet1/0/1]ipsec policy map1
[FW1-GigabitEthernet1/0/1]quit
## Configure interface IP addresses (FW2).
[FW2]interface gigabitethernet 1/0/0
[FW2-GigabitEthernet1/0/0]ip address 10.1.2.22 255.255.255.0
[FW2-GigabitEthernet1/0/0]quit
#
[FW2]interface gigabitethernet 1/0/1
[FW2-GigabitEthernet1/0/1]ip address 1.1.5.22 255.255.255.0
[FW2-GigabitEthernet1/0/1]quit
## Add the interfaces to their security zones.
[FW2]firewall zone trust
[FW2-zone-trust]add interface gigabitethernet 1/0/0
[FW2-zone-trust]quit
#
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface gigabitethernet 1/0/1
[FW2-zone-untrust]quit
## Configure inter-zone security policies.
[FW2]security-policy
[FW2-policy-security]rule name policy1
[FW2-policy-security-rule-policy1]source-zone trust
[FW2-policy-security-rule-policy1]destination-zone untrust
[FW2-policy-security-rule-policy1]source-address 10.1.2.0 24
[FW2-policy-security-rule-policy1]destination-address 10.1.1.0 24
[FW2-policy-security-rule-policy1]action permit
[FW2-policy-security-rule-policy1]quit
#
[FW2-policy-security]rule name policy2
[FW2-policy-security-rule-policy2]source-zone untrust
[FW2-policy-security-rule-policy2]destination-zone trust
[FW2-policy-security-rule-policy2]source-address 10.1.1.0 24
[FW2-policy-security-rule-policy2]destination-address 10.1.2.0 24
[FW2-policy-security-rule-policy2]action permit
[FW2-policy-security-rule-policy2]quit
#
[FW2-policy-security]rule name policy3
[FW2-policy-security-rule-policy3]source-zone local
[FW2-policy-security-rule-policy3]destination-zone untrust
[FW2-policy-security-rule-policy3]source-address 1.1.5.22 32
[FW2-policy-security-rule-policy3]destination-address 1.1.3.11 32
[FW2-policy-security-rule-policy3]action permit
[FW2-policy-security-rule-policy3]quit
#
[FW2-policy-security]rule name policy4
[FW2-policy-security-rule-policy4]source-zone untrust
[FW2-policy-security-rule-policy4]destination-zone local
[FW2-policy-security-rule-policy4]source-address 1.1.3.11 32
[FW2-policy-security-rule-policy4]destination-address 1.1.5.22 32
[FW2-policy-security-rule-policy4]action permit
[FW2-policy-security-rule-policy4]quit
[FW2-policy-security]quit
## Configure GRE on FW2.
[FW2]interface tunnel 1
[FW2-Tunnel1]tunnel-protocol gre
[FW2-Tunnel1]ip address 30.1.1.2 24
[FW2-Tunnel1]source 1.1.5.22
[FW2-Tunnel1]destination 1.1.3.11
[FW2-Tunnel1]quit
## Add interface Tunnel 1 to the Untrust zone.
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface tunnel 1
[FW2-zone-untrust]quit
## Configure OSPF routing (FW2).
[FW2]ospf 1
[FW2-ospf-1]area 0.0.0.0
[FW2-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[FW2-ospf-1-area-0.0.0.0]network 1.1.5.0 0.0.0.255
[FW2-ospf-1-area-0.0.0.0]quit
[FW2-ospf-1]quit
## Create advanced ACL 3000 with a rule matching source IP 1.1.5.22 and destination IP 1.1.3.11.
[FW2]acl 3000
[FW2-acl-adv-3000]rule 5 permit ip source 1.1.5.22 0 destination 1.1.3.11 0
[FW2-acl-adv-3000]quit
#
## Configure IKE proposal 10 with the default parameters (set explicitly below).
[FW2]ike proposal 10
[FW2-ike-proposal-10]authentication-method pre-share
[FW2-ike-proposal-10]prf hmac-sha2-256
[FW2-ike-proposal-10]encryption-algorithm aes-256
[FW2-ike-proposal-10]dh group14
[FW2-ike-proposal-10]integrity-algorithm hmac-sha2-256
[FW2-ike-proposal-10]quit
#
## Configure the IKE peer.
[FW2]ike peer a
[FW2-ike-peer-a]ike-proposal 10
[FW2-ike-peer-a]remote-address 1.1.3.11
[FW2-ike-peer-a]pre-shared-key Test!123
[FW2-ike-peer-a]quit
#
## Configure IPSec proposal tran1 with the default parameters (set explicitly below).
[FW2]ipsec proposal tran1
[FW2-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[FW2-ipsec-proposal-tran1]esp encryption-algorithm aes-256
[FW2-ipsec-proposal-tran1]quit
#
## Configure the IPSec policy.
[FW2]ipsec policy map1 10 isakmp
[FW2-ipsec-policy-isakmp-map1-10]security acl 3000
[FW2-ipsec-policy-isakmp-map1-10]proposal tran1
[FW2-ipsec-policy-isakmp-map1-10]ike-peer a
[FW2-ipsec-policy-isakmp-map1-10]quit
## Apply IPSec policy group map1 to interface GE1/0/1.
[FW2]interface gigabitethernet 1/0/1
[FW2-GigabitEthernet1/0/1]ipsec policy map1
[FW2-GigabitEthernet1/0/1]quit
## Disable the console idle timeout (SW1).
[SW1]user-interface console 0
[SW1-ui-console0]idle-timeout 0
[SW1-ui-console0]quit
## Configure the interface IP address (SW1).
[SW1]interface Vlanif 1
[SW1-Vlanif1]ip address 10.1.1.254 255.255.255.0
[SW1-Vlanif1]quit
## Configure OSPF (SW1).
[SW1]ospf 1
[SW1-ospf-1]area 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]quit
[SW1-ospf-1]quit
<huawei>clock timezone beijing add 8
<huawei>system-view
[huawei]sysname SW2
## Disable the console idle timeout (SW2).
[SW2]user-interface console 0
[SW2-ui-console0]idle-timeout 0
[SW2-ui-console0]quit
## Configure the interface IP address (SW2).
[SW2]interface Vlanif 1
[SW2-Vlanif1]ip address 10.1.2.254 255.255.255.0
[SW2-Vlanif1]quit
## Configure OSPF (SW2).
[SW2]ospf 1
[SW2-ospf-1]area 0.0.0.0
[SW2-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]quit
[SW2-ospf-1]quit
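A consistency check over the two firewall transcripts above, as an added example (not part of the page and not a Huawei tool): it parses the `[prompt]command` format used in this lab and verifies that FW1 and FW2 mirror each other (GRE endpoints, IKE remote address, ACL 3000, pre-shared key) and whether an OSPF network statement covers the Tunnel 1 address. The excerpts are copied from the FW1/FW2 configuration above; the `parse`/`check_peers` functions and the finding texts are this example's own.

```python
# Added example (not from the page or Huawei): cross-check the two firewalls of the
# lab above for peer consistency. The excerpts are copied from the FW1/FW2 transcripts.
import ipaddress
import re

LINE = re.compile(r"^\[(?P<prompt>[^\]]+)\]\s*(?P<cmd>.+)$")
FW1 = """[FW1-Tunnel1]ip address 30.1.1.1 255.255.255.0
[FW1-Tunnel1]source 1.1.3.11
[FW1-Tunnel1]destination 1.1.5.22
[FW1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[FW1-acl-adv-3000]rule 5 permit ip source 1.1.3.11 0 destination 1.1.5.22 0
[FW1-ike-peer-b]remote-address 1.1.5.22
[FW1-ike-peer-b]pre-shared-key Test!123"""
FW2 = """[FW2-Tunnel1]ip address 30.1.1.2 24
[FW2-Tunnel1]source 1.1.5.22
[FW2-Tunnel1]destination 1.1.3.11
[FW2-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[FW2-acl-adv-3000]rule 5 permit ip source 1.1.5.22 0 destination 1.1.3.11 0
[FW2-ike-peer-a]remote-address 1.1.3.11
[FW2-ike-peer-a]pre-shared-key Test!123"""

def parse(transcript):
    # Collect tunnel endpoints, ACL endpoints, IKE remote address, PSK and OSPF networks.
    f = {"ospf": []}
    for m in filter(None, map(LINE.match, transcript.splitlines())):
        prompt, cmd = m["prompt"], m["cmd"].split()
        f.setdefault("name", prompt.split("-")[0])
        if "-Tunnel" in prompt and cmd[0] in ("ip", "source", "destination"):
            f["tunnel_" + cmd[0]] = cmd[2 if cmd[0] == "ip" else 1]   # "ip address A.B.C.D mask"
        elif "-ike-peer-" in prompt and cmd[0] in ("remote-address", "pre-shared-key"):
            f[cmd[0]] = cmd[1]
        elif "-acl-adv-" in prompt and cmd[0] == "rule":
            f["acl"] = (cmd[cmd.index("source") + 1], cmd[cmd.index("destination") + 1])
        elif "-area-" in prompt and cmd[0] == "network":  # OSPF wildcard mask == hostmask
            f["ospf"].append(ipaddress.ip_network(f"{cmd[1]}/{cmd[2]}"))
    return f

def check_peers(a, b):
    """Return findings; an empty list means the two sides mirror each other."""
    out = []
    if a["pre-shared-key"] != b["pre-shared-key"]:
        out.append("IKE pre-shared keys differ")
    for x, y in ((a, b), (b, a)):
        if x["tunnel_destination"] != y["tunnel_source"] or x["remote-address"] != y["tunnel_source"]:
            out.append(f"{x['name']}: GRE destination/IKE remote-address do not point at peer {y['tunnel_source']}")
        if x["acl"] != (x["tunnel_source"], x["tunnel_destination"]):
            out.append(f"{x['name']}: ACL does not match the GRE endpoints, tunnel traffic bypasses IPSec")
        if not any(ipaddress.ip_address(x["tunnel_ip"]) in n for n in x["ospf"]):
            out.append(f"{x['name']}: no OSPF network covers tunnel {x['tunnel_ip']}, OSPF is not enabled on the tunnel")
    return out
```

On the lab configuration the endpoints, ACLs and key all mirror, and the only findings are that neither firewall enables OSPF on the 30.1.1.0/24 tunnel network, so OSPF adjacency between the sites forms over the underlay rather than inside the protected tunnel.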