Huawei Firewall: GRE over IPSec
Huawei Firewall: GRE over IPSec (IPsec security policy mode) (point-to-point) (static routing)
1. Only IP addresses are configured on the Internet side
2. Configure a GRE over IPsec tunnel between FW-A and FW-B
3. Configure static routes so that the A and B networks can reach each other
Firewall security policy configuration
Source zone | Destination zone | Source address | Destination address
untrust | local | gre-remote public IP | gre-local public IP
local | untrust | gre-local public IP | gre-remote public IP
trust | zone of the tunnel interface | gre-local matched traffic | gre-remote matched traffic
zone of the tunnel interface | trust | gre-remote matched traffic | gre-local matched traffic
ACL: match the public addresses of both ends A and B (the GRE data flow)
---------------------------------------------------------------------------------------------------------------------------------
FW-A configuration
Basic configuration
[FW-A]int GigabitEthernet 1/0/0
[FW-A-GigabitEthernet1/0/0]ip add 10.1.1.1 30
[FW-A-GigabitEthernet1/0/0]q
[FW-A]int GigabitEthernet 1/0/1
[FW-A-GigabitEthernet1/0/1]ip add 172.16.10.254 24
[FW-A-GigabitEthernet1/0/1]q
[FW-A]firewall zone trust
[FW-A-zone-trust]add interface GigabitEthernet 1/0/1
[FW-A-zone-trust]q
[FW-A]firewall zone untrust
[FW-A-zone-untrust]add interface g1/0/0
[FW-A-zone-untrust]q
Configure the GRE tunnel
[FW-A]interface Tunnel 1
[FW-A-Tunnel1] description to_network-b
[FW-A-Tunnel1] ip address 1.1.1.1 24
[FW-A-Tunnel1] tunnel-protocol gre
[FW-A-Tunnel1] source 10.1.1.1
[FW-A-Tunnel1] destination 20.1.1.1
[FW-A-Tunnel1] gre key cipher 123456
[FW-A-Tunnel1] quit
[FW-A]firewall zone name gre
[FW-A-zone-gre] set priority 10
[FW-A-zone-gre] add interface Tunnel1
[FW-A-zone-gre] quit
Configure routes
[FW-A]ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
[FW-A]ip route-static 172.16.20.0 255.255.255.0 Tunnel 1
Configure IPsec
ACL: match the public addresses of both ends A and B (the GRE data flow)
[FW-A]acl number 3000
[FW-A-acl-adv-3000] rule 5 permit ip source 10.1.1.1 0 destination 20.1.1.1 0
[FW-A-acl-adv-3000]quit
[FW-A]ike proposal 10
[FW-A-ike-proposal-10] encryption-algorithm aes-256
[FW-A-ike-proposal-10] dh group18
[FW-A-ike-proposal-10] authentication-algorithm sha2-512
[FW-A-ike-proposal-10] authentication-method pre-share
[FW-A-ike-proposal-10] integrity-algorithm hmac-sha2-256
[FW-A-ike-proposal-10] prf hmac-sha2-256
[FW-A-ike-proposal-10] quit
[FW-A]ike peer fw
[FW-A-ike-peer-fw] exchange-mode main
[FW-A-ike-peer-fw] pre-shared-key huawei
[FW-A-ike-peer-fw] ike-proposal 10
[FW-A-ike-peer-fw] remote-address 20.1.1.1
[FW-A-ike-peer-fw] quit
[FW-A]ipsec proposal 10
[FW-A-ipsec-proposal-10] transform esp
[FW-A-ipsec-proposal-10] encapsulation-mode tunnel
[FW-A-ipsec-proposal-10] esp authentication-algorithm sha2-512
[FW-A-ipsec-proposal-10] esp encryption-algorithm aes-256
[FW-A-ipsec-proposal-10] quit
[FW-A]ipsec policy ipsec 1 isakmp
[FW-A-ipsec-policy-isakmp-ipsec-1] security acl 3000
[FW-A-ipsec-policy-isakmp-ipsec-1] ike-peer fw
[FW-A-ipsec-policy-isakmp-ipsec-1] proposal 10
[FW-A-ipsec-policy-isakmp-ipsec-1] quit
[FW-A]interface GigabitEthernet1/0/0
[FW-A-GigabitEthernet1/0/0] ipsec policy ipsec
[FW-A-GigabitEthernet1/0/0] quit
Configure security policies
[FW-A]security-policy
[FW-A-policy-security] rule name local_remote
[FW-A-policy-security-rule-local_remote] source-zone local
[FW-A-policy-security-rule-local_remote] destination-zone untrust
[FW-A-policy-security-rule-local_remote] source-address 10.1.1.1 0.0.0.0
[FW-A-policy-security-rule-local_remote] destination-address 20.1.1.1 0.0.0.0
[FW-A-policy-security-rule-local_remote] action permit
[FW-A-policy-security-rule-local_remote] quit
[FW-A-policy-security] rule name remote_local
[FW-A-policy-security-rule-remote_local] source-zone untrust
[FW-A-policy-security-rule-remote_local] destination-zone local
[FW-A-policy-security-rule-remote_local] source-address 20.1.1.1 0.0.0.0
[FW-A-policy-security-rule-remote_local] destination-address 10.1.1.1 0.0.0.0
[FW-A-policy-security-rule-remote_local] action permit
[FW-A-policy-security-rule-remote_local] quit
[FW-A-policy-security] rule name neiwang_a-neiwang_b
[FW-A-policy-security-rule-neiwang_a-neiwang_b] source-zone trust
[FW-A-policy-security-rule-neiwang_a-neiwang_b] destination-zone gre
[FW-A-policy-security-rule-neiwang_a-neiwang_b] source-address 172.16.10.0 mask 255.255.255.0
[FW-A-policy-security-rule-neiwang_a-neiwang_b] destination-address 172.16.20.0 mask 255.255.255.0
[FW-A-policy-security-rule-neiwang_a-neiwang_b] action permit
[FW-A-policy-security-rule-neiwang_a-neiwang_b] quit
[FW-A-policy-security] rule name neiwang_b-neiwang_a
[FW-A-policy-security-rule-neiwang_b-neiwang_a] source-zone gre
[FW-A-policy-security-rule-neiwang_b-neiwang_a] destination-zone trust
[FW-A-policy-security-rule-neiwang_b-neiwang_a] source-address 172.16.20.0 mask 255.255.255.0
[FW-A-policy-security-rule-neiwang_b-neiwang_a] destination-address 172.16.10.0 mask 255.255.255.0
[FW-A-policy-security-rule-neiwang_b-neiwang_a] action permit
[FW-A-policy-security-rule-neiwang_b-neiwang_a] quit
[FW-A-policy-security]q
FW-B configuration
[FW-B]int GigabitEthernet 1/0/0
[FW-B-GigabitEthernet1/0/0]ip add 20.1.1.1 30
[FW-B-GigabitEthernet1/0/0]q
[FW-B]int GigabitEthernet 1/0/1
[FW-B-GigabitEthernet1/0/1]ip add 172.16.20.254 24
[FW-B-GigabitEthernet1/0/1]q
[FW-B]firewall zone trust
[FW-B-zone-trust]add interface GigabitEthernet 1/0/1
[FW-B-zone-trust]q
[FW-B]firewall zone untrust
[FW-B-zone-untrust]add interface g1/0/0
[FW-B-zone-untrust]q
[FW-B]interface Tunnel 1
[FW-B-Tunnel1] description to_network-a
[FW-B-Tunnel1] ip address 1.1.1.2 255.255.255.0
[FW-B-Tunnel1] tunnel-protocol gre
[FW-B-Tunnel1] source 20.1.1.1
[FW-B-Tunnel1] destination 10.1.1.1
[FW-B-Tunnel1] gre key cipher 123456
[FW-B-Tunnel1] quit
[FW-B]ip route-static 0.0.0.0 0.0.0.0 20.1.1.2
[FW-B]ip route-static 172.16.10.0 24 Tunnel 1
[FW-B]firewall zone name gre
[FW-B-zone-gre] set priority 10
[FW-B-zone-gre] add interface Tunnel1
[FW-B-zone-gre] quit
[FW-B]acl number 3000
[FW-B-acl-adv-3000] rule 5 permit ip source 20.1.1.1 0 destination 10.1.1.1 0
[FW-B-acl-adv-3000]quit
[FW-B]ike proposal 10
[FW-B-ike-proposal-10] encryption-algorithm aes-256
[FW-B-ike-proposal-10] dh group18
[FW-B-ike-proposal-10] authentication-algorithm sha2-512
[FW-B-ike-proposal-10] authentication-method pre-share
[FW-B-ike-proposal-10] integrity-algorithm hmac-sha2-256
[FW-B-ike-proposal-10] prf hmac-sha2-256
[FW-B-ike-proposal-10] quit
[FW-B]ike peer fw
[FW-B-ike-peer-fw] exchange-mode main
[FW-B-ike-peer-fw] pre-shared-key huawei
[FW-B-ike-peer-fw] ike-proposal 10
[FW-B-ike-peer-fw] remote-address 10.1.1.1
[FW-B-ike-peer-fw] quit
[FW-B]ipsec proposal 10
[FW-B-ipsec-proposal-10] transform esp
[FW-B-ipsec-proposal-10] encapsulation-mode tunnel
[FW-B-ipsec-proposal-10] esp authentication-algorithm sha2-512
[FW-B-ipsec-proposal-10] esp encryption-algorithm aes-256
[FW-B-ipsec-proposal-10] quit
[FW-B]ipsec policy ipsec 1 isakmp
[FW-B-ipsec-policy-isakmp-ipsec-1] security acl 3000
[FW-B-ipsec-policy-isakmp-ipsec-1] ike-peer fw
[FW-B-ipsec-policy-isakmp-ipsec-1] proposal 10
[FW-B-ipsec-policy-isakmp-ipsec-1] quit
[FW-B]interface GigabitEthernet1/0/0
[FW-B-GigabitEthernet1/0/0] ipsec policy ipsec
[FW-B-GigabitEthernet1/0/0] quit
[FW-B]security-policy
[FW-B-policy-security] rule name local_remote
[FW-B-policy-security-rule-local_remote] source-zone local
[FW-B-policy-security-rule-local_remote] destination-zone untrust
[FW-B-policy-security-rule-local_remote] source-address 20.1.1.1 0.0.0.0
[FW-B-policy-security-rule-local_remote] destination-address 10.1.1.1 0.0.0.0
[FW-B-policy-security-rule-local_remote] action permit
[FW-B-policy-security-rule-local_remote] q
[FW-B-policy-security] rule name remote_local
[FW-B-policy-security-rule-remote_local] source-zone untrust
[FW-B-policy-security-rule-remote_local] destination-zone local
[FW-B-policy-security-rule-remote_local] source-address 10.1.1.1 0.0.0.0
[FW-B-policy-security-rule-remote_local] destination-address 20.1.1.1 0.0.0.0
[FW-B-policy-security-rule-remote_local] action permit
[FW-B-policy-security-rule-remote_local] q
[FW-B-policy-security] rule name neiwang_b-neiwang_ac
[FW-B-policy-security-rule-neiwang_b-neiwang_ac] source-zone trust
[FW-B-policy-security-rule-neiwang_b-neiwang_ac] destination-zone gre
[FW-B-policy-security-rule-neiwang_b-neiwang_ac] source-address 172.16.20.0 mask 255.255.255.0
[FW-B-policy-security-rule-neiwang_b-neiwang_ac] destination-address 172.16.10.0 mask 255.255.255.0
[FW-B-policy-security-rule-neiwang_b-neiwang_ac] action permit
[FW-B-policy-security-rule-neiwang_b-neiwang_ac] q
[FW-B-policy-security] rule name neiwang_ac-neiwang_b
[FW-B-policy-security-rule-neiwang_ac-neiwang_b] source-zone gre
[FW-B-policy-security-rule-neiwang_ac-neiwang_b] destination-zone trust
[FW-B-policy-security-rule-neiwang_ac-neiwang_b] source-address 172.16.10.0 mask 255.255.255.0
[FW-B-policy-security-rule-neiwang_ac-neiwang_b] destination-address 172.16.20.0 mask 255.255.255.0
[FW-B-policy-security-rule-neiwang_ac-neiwang_b] action permit
[FW-B-policy-security-rule-neiwang_ac-neiwang_b] q
[FW-B-policy-security]q
Packet capture verification
Packets captured on a plain GRE tunnel: the payload is not encrypted
Packets captured with GRE over IPsec: the payload is encrypted
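The tunnel only comes up when the two firewalls mirror each other exactly: FW-A's tunnel destination must be FW-B's tunnel source, the IPsec ACL on each side must match precisely the GRE flow between the two public addresses, the IKE peer's remote-address must be the other side's public address, and the GRE key must be identical. As an added example (not code from the original post), the Python script below parses constructed excerpts of the two configurations shown above, built from the page's own values, and reports any of those mismatches.

```python
import re

# Constructed excerpts of the FW-A and FW-B configurations on this page,
# cut down to the lines that must mirror each other.
FW_A = """\
interface Tunnel1
 source 10.1.1.1
 destination 20.1.1.1
 gre key cipher 123456
acl number 3000
 rule 5 permit ip source 10.1.1.1 0 destination 20.1.1.1 0
ike peer fw
 remote-address 20.1.1.1
"""
FW_B = """\
interface Tunnel1
 source 20.1.1.1
 destination 10.1.1.1
 gre key cipher 123456
acl number 3000
 rule 5 permit ip source 20.1.1.1 0 destination 10.1.1.1 0
ike peer fw
 remote-address 10.1.1.1
"""

def parse(cfg):
    """Pull the endpoint-defining values out of one firewall's config text."""
    def grab(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.group(1) if m else None
    return {"tun_src": grab(r"^\s*source (\S+)"),
            "tun_dst": grab(r"^\s*destination (\S+)"),
            "gre_key": grab(r"^\s*gre key cipher (\S+)"),
            "acl_src": grab(r"permit ip source (\S+) 0 destination"),
            "acl_dst": grab(r"permit ip source \S+ 0 destination (\S+) 0"),
            "ike_peer": grab(r"^\s*remote-address (\S+)")}

def check_pair(cfg_a, cfg_b):
    """Return the mismatches between the two sides; an empty list means they line up."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for side, me, peer in (("FW-A", a, b), ("FW-B", b, a)):
        if me["tun_dst"] != peer["tun_src"]:
            findings.append(f"{side}: tunnel destination {me['tun_dst']} is not the peer's tunnel source")
        if (me["acl_src"], me["acl_dst"]) != (me["tun_src"], me["tun_dst"]):
            findings.append(f"{side}: ACL 3000 does not match the GRE flow {me['tun_src']} -> {me['tun_dst']}")
        if me["ike_peer"] != peer["tun_src"]:
            findings.append(f"{side}: remote-address {me['ike_peer']} is not the peer's public address")
    if a["gre_key"] != b["gre_key"]:
        findings.append("gre key differs between the two tunnels")
    return findings
```

An empty result means the values agree; any finding is worth fixing before reading IKE negotiation output, since a bad ACL or peer address fails silently with no SA ever proposed.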