Huawei firewall: GRE over IPSec (IPsec security-policy method, point-to-point, static routing)

1. On the Internet side, configure IP addresses only.

2. Configure a GRE over IPsec tunnel between FW-A and FW-B.

3. Configure static routes so that networks A and B can reach each other.

Firewall security-policy configuration

Source zone                  | Destination zone             | Source address             | Destination address
-----------------------------|------------------------------|----------------------------|---------------------------
untrust                      | local                        | gre-remote public IP       | gre-local public IP
local                        | untrust                      | gre-local public IP        | gre-remote public IP
trust                        | zone of the Tunnel interface | gre-local matched traffic  | gre-remote matched traffic
zone of the Tunnel interface | trust                        | gre-remote matched traffic | gre-local matched traffic

ACL: match the public addresses of both ends A and B (the GRE data flow)

---------------------------------------------------------------------------------------------------------------------------------

FW-A configuration

Basic configuration
[FW-A]int GigabitEthernet 1/0/0
[FW-A-GigabitEthernet1/0/0]ip add 10.1.1.1 30
[FW-A-GigabitEthernet1/0/0]q
[FW-A]int GigabitEthernet 1/0/1
[FW-A-GigabitEthernet1/0/1]ip add 172.16.10.254 24
[FW-A-GigabitEthernet1/0/1]q
[FW-A]firewall zone trust
[FW-A-zone-trust]add interface GigabitEthernet 1/0/1
[FW-A-zone-trust]q
[FW-A]firewall zone untrust
[FW-A-zone-untrust]add interface g1/0/0
[FW-A-zone-untrust]q

Configure the GRE tunnel
[FW-A]interface Tunnel 1
[FW-A-Tunnel1] description to_network-b
[FW-A-Tunnel1] ip address 1.1.1.1 24
[FW-A-Tunnel1] tunnel-protocol gre
[FW-A-Tunnel1] source 10.1.1.1
[FW-A-Tunnel1] destination 20.1.1.1
[FW-A-Tunnel1] gre key cipher 123456
[FW-A-Tunnel1] quit
[FW-A]firewall zone name gre
[FW-A-zone-gre] set priority 10
[FW-A-zone-gre] add interface Tunnel1
[FW-A-zone-gre] quit

Configure routes
[FW-A]ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
[FW-A]ip route-static 172.16.20.0 255.255.255.0 Tunnel 1

Configure IPsec
ACL: match the public addresses of both ends A and B (the GRE data flow)
[FW-A]acl number 3000
[FW-A-acl-adv-3000] rule 5 permit ip source 10.1.1.1 0 destination 20.1.1.1 0
[FW-A-acl-adv-3000]quit
[FW-A]ike proposal 10
[FW-A-ike-proposal-10] encryption-algorithm aes-256
[FW-A-ike-proposal-10] dh group18
[FW-A-ike-proposal-10] authentication-algorithm sha2-512
[FW-A-ike-proposal-10] authentication-method pre-share
[FW-A-ike-proposal-10] integrity-algorithm hmac-sha2-256
[FW-A-ike-proposal-10] prf hmac-sha2-256
[FW-A-ike-proposal-10] quit
[FW-A]ike peer fw
[FW-A-ike-peer-fw] exchange-mode main
[FW-A-ike-peer-fw] pre-shared-key huawei
[FW-A-ike-peer-fw] ike-proposal 10
[FW-A-ike-peer-fw] remote-address 20.1.1.1
[FW-A-ike-peer-fw] quit
[FW-A]ipsec proposal 10
[FW-A-ipsec-proposal-10] transform esp
[FW-A-ipsec-proposal-10] encapsulation-mode tunnel
[FW-A-ipsec-proposal-10] esp authentication-algorithm sha2-512
[FW-A-ipsec-proposal-10] esp encryption-algorithm aes-256
[FW-A-ipsec-proposal-10] quit
[FW-A]ipsec policy ipsec 1 isakmp
[FW-A-ipsec-policy-isakmp-ipsec-1] security acl 3000
[FW-A-ipsec-policy-isakmp-ipsec-1] ike-peer fw
[FW-A-ipsec-policy-isakmp-ipsec-1] proposal 10
[FW-A-ipsec-policy-isakmp-ipsec-1] quit
[FW-A]interface GigabitEthernet1/0/0
[FW-A-GigabitEthernet1/0/0] ipsec policy ipsec
[FW-A-GigabitEthernet1/0/0] quit

Configure security policies
[FW-A]security-policy
[FW-A-policy-security] rule name local_remote
[FW-A-policy-security-rule-local_remote]  source-zone local
[FW-A-policy-security-rule-local_remote]  destination-zone untrust
[FW-A-policy-security-rule-local_remote]  source-address 10.1.1.1 0.0.0.0
[FW-A-policy-security-rule-local_remote]  destination-address 20.1.1.1 0.0.0.0
[FW-A-policy-security-rule-local_remote]  action permit
[FW-A-policy-security-rule-local_remote]  quit
[FW-A-policy-security] rule name remote_local
[FW-A-policy-security-rule-remote_local]  source-zone untrust
[FW-A-policy-security-rule-remote_local]  destination-zone local
[FW-A-policy-security-rule-remote_local]  source-address 20.1.1.1 0.0.0.0
[FW-A-policy-security-rule-remote_local]  destination-address 10.1.1.1 0.0.0.0
[FW-A-policy-security-rule-remote_local]  action permit
[FW-A-policy-security-rule-remote_local]  quit
[FW-A-policy-security] rule name neiwang_a-neiwang_b
[FW-A-policy-security-rule-neiwang_a-neiwang_b]  source-zone trust
[FW-A-policy-security-rule-neiwang_a-neiwang_b]  destination-zone gre
[FW-A-policy-security-rule-neiwang_a-neiwang_b]  source-address 172.16.10.0 mask 255.255.255.0
[FW-A-policy-security-rule-neiwang_a-neiwang_b]  destination-address 172.16.20.0 mask 255.255.255.0
[FW-A-policy-security-rule-neiwang_a-neiwang_b]  action permit
[FW-A-policy-security-rule-neiwang_a-neiwang_b]  quit
[FW-A-policy-security] rule name neiwang_b-neiwang_a
[FW-A-policy-security-rule-neiwang_b-neiwang_a]  source-zone gre
[FW-A-policy-security-rule-neiwang_b-neiwang_a]  destination-zone trust
[FW-A-policy-security-rule-neiwang_b-neiwang_a]  source-address 172.16.20.0 mask 255.255.255.0
[FW-A-policy-security-rule-neiwang_b-neiwang_a]  destination-address 172.16.10.0 mask 255.255.255.0
[FW-A-policy-security-rule-neiwang_b-neiwang_a]  action permit
[FW-A-policy-security-rule-neiwang_b-neiwang_a]  quit
[FW-A-policy-security]q
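Why the policy table needs exactly those four zone pairs, and why ACL 3000 matches the public addresses rather than the private networks, is easiest to see by walking a packet through FW-A twice: once as the private inner packet (trust to the Tunnel zone), then as the GRE outer packet the firewall itself emits (local to untrust), which is what the ipsec policy on G1/0/0 wraps in ESP. The Python script below is an added example, not part of the original post and not Huawei code; it models the decisions using the routes, zones, rule names and ACL from the FW-A configuration above. The connected route for G1/0/1 and the default-deny behaviour of the security policy are assumptions of the model.

```python
import ipaddress

# Constructed model of FW-A's forwarding decisions for the configuration on this page.
# Added illustration, not Huawei code; the policy default is assumed to be deny.
TUNNEL_LOCAL = ipaddress.ip_address("10.1.1.1")    # Tunnel1 source (G1/0/0)
TUNNEL_REMOTE = ipaddress.ip_address("20.1.1.1")   # Tunnel1 destination (FW-B public address)

# ip route-static entries from the page, plus the connected route for G1/0/1 (assumed).
ROUTES = [
    (ipaddress.ip_network("172.16.20.0/24"), "Tunnel1"),
    (ipaddress.ip_network("172.16.10.0/24"), "GigabitEthernet1/0/1"),
    (ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet1/0/0"),   # next hop 10.1.1.2
]
ROUTES.sort(key=lambda r: r[0].prefixlen, reverse=True)           # longest prefix first

ZONE_OF = {"GigabitEthernet1/0/1": "trust", "GigabitEthernet1/0/0": "untrust", "Tunnel1": "gre"}

# The four security-policy rules from the page: name, source zone, destination zone, networks.
POLICIES = [
    ("local_remote",        "local",   "untrust", "10.1.1.1/32",    "20.1.1.1/32"),
    ("remote_local",        "untrust", "local",   "20.1.1.1/32",    "10.1.1.1/32"),
    ("neiwang_a-neiwang_b", "trust",   "gre",     "172.16.10.0/24", "172.16.20.0/24"),
    ("neiwang_b-neiwang_a", "gre",     "trust",   "172.16.20.0/24", "172.16.10.0/24"),
]
POLICIES = [(n, sz, dz, ipaddress.ip_network(s), ipaddress.ip_network(d))
            for n, sz, dz, s, d in POLICIES]

# acl 3000 rule 5: only the GRE packet between the two public addresses is protected by IPsec.
IPSEC_ACL = (ipaddress.ip_network("10.1.1.1/32"), ipaddress.ip_network("20.1.1.1/32"))


def route_lookup(dst):
    """Longest-prefix match; returns the egress interface name."""
    for prefix, iface in ROUTES:
        if dst in prefix:
            return iface
    raise LookupError("no route")


def policy_lookup(src_zone, dst_zone, src, dst):
    """First matching rule name, or None when the default policy denies."""
    for name, sz, dz, s, d in POLICIES:
        if sz == src_zone and dz == dst_zone and src in s and dst in d:
            return name
    return None


def outbound(src, dst):
    """A host in network A sends to dst. Returns every decision FW-A makes on the way out."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    steps = {"verdict": "drop"}
    egress = route_lookup(dst)
    steps["inner_policy"] = policy_lookup("trust", ZONE_OF[egress], src, dst)
    if steps["inner_policy"] is None:
        return steps                       # e.g. trust -> untrust: no rule on the page
    if egress != "Tunnel1":
        steps.update(wire="IP", verdict="forward")
        return steps
    # GRE encapsulation: the outer packet is sourced by the firewall itself, so it leaves
    # from zone local towards the zone of the physical egress interface (untrust).
    outer_egress = route_lookup(TUNNEL_REMOTE)
    steps["outer_policy"] = policy_lookup("local", ZONE_OF[outer_egress],
                                          TUNNEL_LOCAL, TUNNEL_REMOTE)
    if steps["outer_policy"] is None:
        return steps
    # The ipsec policy bound to G1/0/0 consults ACL 3000 to decide whether ESP wraps the GRE packet.
    steps["ipsec"] = TUNNEL_LOCAL in IPSEC_ACL[0] and TUNNEL_REMOTE in IPSEC_ACL[1]
    steps.update(wire="ESP(GRE(IP))" if steps["ipsec"] else "GRE(IP)", verdict="forward")
    return steps


def inbound(outer_src, outer_dst, inner_src, inner_dst):
    """An ESP-protected GRE packet from FW-B arrives on G1/0/0, addressed to FW-A itself."""
    outer_src, outer_dst = ipaddress.ip_address(outer_src), ipaddress.ip_address(outer_dst)
    inner_src, inner_dst = ipaddress.ip_address(inner_src), ipaddress.ip_address(inner_dst)
    steps = {"verdict": "drop"}
    steps["outer_policy"] = policy_lookup(ZONE_OF["GigabitEthernet1/0/0"], "local",
                                          outer_src, outer_dst)
    if steps["outer_policy"] is None:
        return steps
    # After ESP decryption and GRE decapsulation the inner packet is seen as entering from zone gre.
    egress = route_lookup(inner_dst)
    steps["inner_policy"] = policy_lookup("gre", ZONE_OF[egress], inner_src, inner_dst)
    if steps["inner_policy"] is not None:
        steps["verdict"] = "forward"
    return steps


if __name__ == "__main__":
    print(outbound("172.16.10.5", "172.16.20.7"))      # both policies hit, ESP on the wire
    print(outbound("172.16.10.5", "8.8.8.8"))          # dropped: no trust -> untrust rule
    print(inbound("20.1.1.1", "10.1.1.1", "172.16.20.7", "172.16.10.5"))
```

The second call shows a side effect of this exact policy set: hosts in 172.16.10.0/24 have no rule towards untrust, so only tunnelled traffic leaves FW-A. If the ACL were written on the private networks instead of the public addresses, the `ipsec` check would fail for the GRE outer packet and the tunnel would run in the clear.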

FW-B configuration

Basic configuration
[FW-B]int GigabitEthernet 1/0/0
[FW-B-GigabitEthernet1/0/0]ip add 20.1.1.1 30
[FW-B-GigabitEthernet1/0/0]q
[FW-B]int GigabitEthernet 1/0/1
[FW-B-GigabitEthernet1/0/1]ip add 172.16.20.254 24
[FW-B-GigabitEthernet1/0/1]q
[FW-B]firewall zone trust
[FW-B-zone-trust]add interface GigabitEthernet 1/0/1
[FW-B-zone-trust]q
[FW-B]firewall zone untrust
[FW-B-zone-untrust]add interface g1/0/0
[FW-B-zone-untrust]q

Configure the GRE tunnel
[FW-B]interface Tunnel 1
[FW-B-Tunnel1] description to_network-a
[FW-B-Tunnel1] ip address 1.1.1.2 255.255.255.0
[FW-B-Tunnel1] tunnel-protocol gre
[FW-B-Tunnel1] source 20.1.1.1
[FW-B-Tunnel1] destination 10.1.1.1
[FW-B-Tunnel1] gre key cipher 123456
[FW-B-Tunnel1] quit

Configure routes
[FW-B]ip route-static 0.0.0.0 0.0.0.0 20.1.1.2
[FW-B]ip route-static 172.16.10.0 24 Tunnel 1

[FW-B]firewall zone name gre
[FW-B-zone-gre] set priority 10
[FW-B-zone-gre] add interface Tunnel1
[FW-B-zone-gre] quit

Configure IPsec
[FW-B]acl number 3000
[FW-B-acl-adv-3000] rule 5 permit ip source 20.1.1.1 0 destination 10.1.1.1 0
[FW-B-acl-adv-3000]quit
[FW-B]ike proposal 10
[FW-B-ike-proposal-10] encryption-algorithm aes-256
[FW-B-ike-proposal-10] dh group18
[FW-B-ike-proposal-10] authentication-algorithm sha2-512
[FW-B-ike-proposal-10] authentication-method pre-share
[FW-B-ike-proposal-10] integrity-algorithm hmac-sha2-256
[FW-B-ike-proposal-10] prf hmac-sha2-256
[FW-B-ike-proposal-10] quit
[FW-B]ike peer fw
[FW-B-ike-peer-fw] exchange-mode main
[FW-B-ike-peer-fw] pre-shared-key huawei
[FW-B-ike-peer-fw] ike-proposal 10
[FW-B-ike-peer-fw] remote-address 10.1.1.1
[FW-B-ike-peer-fw] quit
[FW-B]ipsec proposal 10
[FW-B-ipsec-proposal-10] transform esp
[FW-B-ipsec-proposal-10] encapsulation-mode tunnel
[FW-B-ipsec-proposal-10] esp authentication-algorithm sha2-512
[FW-B-ipsec-proposal-10] esp encryption-algorithm aes-256
[FW-B-ipsec-proposal-10] quit
[FW-B]ipsec policy ipsec 1 isakmp
[FW-B-ipsec-policy-isakmp-ipsec-1] security acl 3000
[FW-B-ipsec-policy-isakmp-ipsec-1] ike-peer fw
[FW-B-ipsec-policy-isakmp-ipsec-1] proposal 10
[FW-B-ipsec-policy-isakmp-ipsec-1] quit
[FW-B]interface GigabitEthernet1/0/0
[FW-B-GigabitEthernet1/0/0] ipsec policy ipsec
[FW-B-GigabitEthernet1/0/0] quit

Configure security policies
[FW-B]security-policy
[FW-B-policy-security] rule name local_remote
[FW-B-policy-security-rule-local_remote]  source-zone local
[FW-B-policy-security-rule-local_remote]  destination-zone untrust
[FW-B-policy-security-rule-local_remote]  source-address 20.1.1.1 0.0.0.0
[FW-B-policy-security-rule-local_remote]  destination-address 10.1.1.1 0.0.0.0
[FW-B-policy-security-rule-local_remote]  action permit
[FW-B-policy-security-rule-local_remote]  q
[FW-B-policy-security] rule name remote_local
[FW-B-policy-security-rule-remote_local]  source-zone untrust
[FW-B-policy-security-rule-remote_local]  destination-zone local
[FW-B-policy-security-rule-remote_local]  source-address 10.1.1.1 0.0.0.0
[FW-B-policy-security-rule-remote_local]  destination-address 20.1.1.1 0.0.0.0
[FW-B-policy-security-rule-remote_local]  action permit
[FW-B-policy-security-rule-remote_local]  q
[FW-B-policy-security]rule name neiwang_b-neiwang_ac
[FW-B-policy-security-rule-neiwang_b-neiwang_ac]  source-zone trust
[FW-B-policy-security-rule-neiwang_b-neiwang_ac]  destination-zone gre
[FW-B-policy-security-rule-neiwang_b-neiwang_ac]  source-address 172.16.20.0 mask 255.255.255.0
[FW-B-policy-security-rule-neiwang_b-neiwang_ac]  destination-address 172.16.10.0 mask 255.255.255.0
[FW-B-policy-security-rule-neiwang_b-neiwang_ac]  action permit
[FW-B-policy-security-rule-neiwang_b-neiwang_ac]  q
[FW-B-policy-security] rule name neiwang_ac-neiwang_b
[FW-B-policy-security-rule-neiwang_ac-neiwang_b]  source-zone gre
[FW-B-policy-security-rule-neiwang_ac-neiwang_b]  destination-zone trust
[FW-B-policy-security-rule-neiwang_ac-neiwang_b]  source-address 172.16.10.0 mask 255.255.255.0
[FW-B-policy-security-rule-neiwang_ac-neiwang_b]  destination-address 172.16.20.0 mask 255.255.255.0
[FW-B-policy-security-rule-neiwang_ac-neiwang_b]  action permit
[FW-B-policy-security-rule-neiwang_ac-neiwang_b]  q
[FW-B-policy-security]q

Packet capture verification

Packets captured on a plain GRE tunnel: not encrypted

Packets captured with GRE over IPsec: encrypted
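To make the difference between the two captures concrete without a lab, the script below builds two constructed sample packets of the kind a sniffer on the 10.1.1.0/30 link would see, one plain GRE packet and one ESP packet, and dissects each to show what a passive observer can read. It is an added example, not capture output from the post and not Huawei code; the inner ICMP payload, the SPI and the ciphertext bytes are made up, and IP checksums are left at zero because nothing transmits these packets.

```python
import socket
import struct

# Constructed sample packets and a minimal dissector for the two capture cases on this page.
# Added example, not real capture data; addresses and the GRE key 123456 come from the config.
GRE, ESP = 47, 50
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000
ETHERTYPE_IPV4 = 0x0800


def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header; checksum left zero because this is a constructed sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def gre_packet(outer_src, outer_dst, inner_src, inner_dst, key, payload):
    """Plain GRE tunnel: outer IP, GRE header with the key (K bit), inner IP packet in clear."""
    inner = ipv4_header(inner_src, inner_dst, 1, len(payload)) + payload   # ICMP inside (assumed)
    gre = struct.pack("!HHI", GRE_FLAG_K, ETHERTYPE_IPV4, key) + inner
    return ipv4_header(outer_src, outer_dst, GRE, len(gre)) + gre


def esp_packet(outer_src, outer_dst, spi, seq, ciphertext):
    """GRE over IPsec as seen on the wire: outer IP, ESP SPI and sequence, then ciphertext."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(outer_src, outer_dst, ESP, len(esp)) + esp


def classify(pkt):
    """Report which headers a passive observer can recover from one outer IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    result = {"outer_src": socket.inet_ntoa(pkt[12:16]),
              "outer_dst": socket.inet_ntoa(pkt[16:20]),
              "outer_proto": pkt[9], "encapsulation": None, "inner_visible": False}
    body = pkt[ihl:]
    if pkt[9] == GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        off = 4
        if flags & GRE_FLAG_C:
            off += 4                                   # checksum + reserved1
        key = None
        if flags & GRE_FLAG_K:
            key = struct.unpack("!I", body[off:off + 4])[0]
            off += 4
        if flags & GRE_FLAG_S:
            off += 4                                   # sequence number
        inner = body[off:]
        result.update(encapsulation="GRE", gre_key=key)
        if ptype == ETHERTYPE_IPV4 and len(inner) >= 20:
            # The private addresses, and the payload behind them, are readable on the wire.
            result.update(inner_visible=True,
                          inner_src=socket.inet_ntoa(inner[12:16]),
                          inner_dst=socket.inet_ntoa(inner[16:20]))
    elif pkt[9] == ESP:
        spi, seq = struct.unpack("!II", body[:8])
        result.update(encapsulation="ESP", spi=spi, seq=seq)   # everything after this is opaque
    return result


if __name__ == "__main__":
    icmp = b"\x08\x00\xf7\xff\x00\x01\x00\x01"       # constructed echo request
    print(classify(gre_packet("10.1.1.1", "20.1.1.1", "172.16.10.5", "172.16.20.7", 123456, icmp)))
    print(classify(esp_packet("10.1.1.1", "20.1.1.1", 0x1234ABCD, 1, bytes(range(32)))))
```

Two things the dissector makes visible. On a plain GRE tunnel the `gre key` is carried in clear in every packet, so it identifies the tunnel but protects nothing; and the inner source and destination (and the ICMP payload after them) are fully readable. With GRE over IPsec the observer only gets the two public addresses, the SPI and a sequence counter, which matches the "encrypted" capture described above.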
