Huawei | Example: Establishing GRE over IPSec with a Virtual Tunnel Interface


Using what was covered earlier, this example builds a GRE over IPSec network.

I. Networking Requirements

As shown in the figure, RouterA is the enterprise branch gateway and RouterB is the enterprise headquarters gateway; the branch and headquarters communicate over the public network.

The enterprise wants the traffic exchanged between the branch and headquarters, including multicast data, to be protected. Because IPSec cannot be applied directly to multicast data, GRE over IPSec is established in virtual tunnel interface mode, so that all traffic sent through the Tunnel interface is protected.

II. Configuration Roadmap

Configure GRE over IPSec on a virtual tunnel interface as follows:

1. Configure IP addresses on the physical interfaces and static routes to the peer, so that the two ends are reachable;
2. Configure the GRE Tunnel interface;
3. Configure an IPSec proposal, which defines how IPSec protects the traffic;
4. Configure IKE peers, which define the attributes used during IKE negotiation between the peers;
5. Configure an IPSec profile that references the IPSec proposal and the IKE peer;
6. Apply the IPSec profile to the Tunnel interface, so that the interface protects traffic with IPSec;
7. Configure forwarding routes through the Tunnel interface, steering the traffic that needs IPSec protection into the tunnel.

III. Procedure

1. Configure IP addresses on the physical interfaces and static routes to the peer on RouterA and RouterB

# Configure interface IP addresses on RouterA

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 202.138.163.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
[RouterA-GigabitEthernet2/0/0] quit

# Configure a static route to the peer on RouterA; here the next-hop address toward the peer is assumed to be 202.138.163.2

[RouterA] ip route-static 202.138.162.0 255.255.255.0 202.138.163.2

# Configure interface IP addresses on RouterB

<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 202.138.162.1 255.255.255.0
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ip address 10.1.2.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] quit

# Configure a static route to the peer on RouterB; here the next-hop address toward the peer is assumed to be 202.138.162.2

[RouterB] ip route-static 202.138.163.0 255.255.255.0 202.138.162.2

2. Configure the GRE Tunnel interface

# Configure RouterA

[RouterA] interface tunnel 0/0/0
[RouterA-Tunnel0/0/0] ip address 192.168.1.1 255.255.255.0
[RouterA-Tunnel0/0/0] tunnel-protocol gre
[RouterA-Tunnel0/0/0] source 202.138.163.1
[RouterA-Tunnel0/0/0] destination 202.138.162.1
[RouterA-Tunnel0/0/0] quit

# Configure RouterB

[RouterB] interface tunnel 0/0/0
[RouterB-Tunnel0/0/0] ip address 192.168.1.2 255.255.255.0
[RouterB-Tunnel0/0/0] tunnel-protocol gre
[RouterB-Tunnel0/0/0] source 202.138.162.1
[RouterB-Tunnel0/0/0] destination 202.138.163.1
[RouterB-Tunnel0/0/0] quit

3. Create an IPSec proposal on RouterA and RouterB

# Configure the IPSec proposal on RouterA

[RouterA] ipsec proposal tran1
[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[RouterA-ipsec-proposal-tran1] quit

# Configure the IPSec proposal on RouterB

[RouterB] ipsec proposal tran1
[RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[RouterB-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[RouterB-ipsec-proposal-tran1] quit

4. Configure IKE peers on RouterA and RouterB

# Configure the IKE proposal on RouterA

[RouterA] ike proposal 5
[RouterA-ike-proposal-5] authentication-algorithm sha2-256
[RouterA-ike-proposal-5] encryption-algorithm aes-cbc-128
[RouterA-ike-proposal-5] quit

# Configure the IKE peer on RouterA

[RouterA] ike peer spub v2
[RouterA-ike-peer-spub] ike-proposal 5
[RouterA-ike-peer-spub] pre-shared-key cipher huawei
[RouterA-ike-peer-spub] quit

# Configure the IKE proposal on RouterB

[RouterB] ike proposal 5
[RouterB-ike-proposal-5] authentication-algorithm sha2-256
[RouterB-ike-proposal-5] encryption-algorithm aes-cbc-128
[RouterB-ike-proposal-5] quit

# Configure the IKE peer on RouterB

[RouterB] ike peer spua v2
[RouterB-ike-peer-spua] ike-proposal 5
[RouterB-ike-peer-spua] pre-shared-key cipher huawei
[RouterB-ike-peer-spua] quit

5. Create an IPSec profile on RouterA and RouterB

# Configure the IPSec profile on RouterA

[RouterA] ipsec profile profile1
[RouterA-ipsec-profile-profile1] proposal tran1
[RouterA-ipsec-profile-profile1] ike-peer spub
[RouterA-ipsec-profile-profile1] quit

# Configure the IPSec profile on RouterB

[RouterB] ipsec profile profile1
[RouterB-ipsec-profile-profile1] proposal tran1
[RouterB-ipsec-profile-profile1] ike-peer spua
[RouterB-ipsec-profile-profile1] quit

6. Apply the IPSec profiles to the interfaces on RouterA and RouterB

# Apply the IPSec profile to the interface on RouterA

[RouterA] interface tunnel 0/0/0
[RouterA-Tunnel0/0/0] ipsec profile profile1
[RouterA-Tunnel0/0/0] quit

# Apply the IPSec profile to the interface on RouterB

[RouterB] interface tunnel 0/0/0
[RouterB-Tunnel0/0/0] ipsec profile profile1
[RouterB-Tunnel0/0/0] quit

# At this point, running display ipsec profile on RouterA and RouterB shows the configured profile

7. Configure forwarding routes through the Tunnel interface to steer the traffic that needs IPSec protection into the tunnel

# Configure the forwarding route through the Tunnel interface on RouterA

[RouterA] ip route-static 10.1.2.0 255.255.255.0 tunnel 0/0/0

# Configure the forwarding route through the Tunnel interface on RouterB

[RouterB] ip route-static 10.1.1.0 255.255.255.0 tunnel 0/0/0

8. Verify the configuration

# After the configuration succeeds, running display ike sa v2 on RouterA and RouterB shows the IKE SAs. RouterA is used as an example.

[RouterA] display ike sa v2
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
       22    202.138.162.1   0     RD|ST                  2
       21    202.138.162.1   0     RD|ST                  1
   Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT

# After the configuration succeeds, running display ipsec sa on RouterA and RouterB shows the IPSec SAs. RouterA is used as an example.

[RouterA] display ipsec sa
===============================
Interface: Tunnel0/0/0
 Path MTU: 1500
===============================
  -----------------------------
  IPSec profile name: "profile1"
  Mode              : PROF-ISAKMP
  -----------------------------
    Connection ID     : 22
    Encapsulation mode: Tunnel
    Tunnel local      : 202.138.163.1
    Tunnel remote     : 202.138.162.1
    Qos pre-classify  : Disable
    [Outbound ESP SAs]
      SPI: 1599804596 (0x5f5b14b4)
      Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
      SA remaining key duration (bytes/sec): 1887436800/2489
            Max sent sequence-number: 0
      UDP encapsulation used for NAT traversal: N
    [Inbound ESP SAs]
      SPI: 2169616882 (0x8151b9f2)
      Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
      SA remaining key duration (bytes/sec): 1887436800/2489
            Max received sequence-number: 0
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N

IV. Configuration Files

Configuration file of RouterA

#
 sysname RouterA
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha2-256
#
ike peer spub v2
 pre-shared-key cipher Huawei
 ike-proposal 5
#
ipsec profile profile1
 ike-peer spub
 proposal tran1
#
interface Tunnel0/0/0
 ip address 192.168.1.1 255.255.255.0
 tunnel-protocol gre
 source 202.138.163.1
 destination 202.138.162.1
 ipsec profile profile1
#
interface GigabitEthernet1/0/0
 ip address 202.138.163.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 202.138.162.0 255.255.255.0 202.138.163.2
ip route-static 10.1.2.0 255.255.255.0 tunnel0/0/0
#
return

Configuration file of RouterB

#
 sysname RouterB
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha2-256
#
ike peer spua v2
 pre-shared-key cipher Huawei
 ike-proposal 5
#
ipsec profile profile1
 ike-peer spua
 proposal tran1
#
interface Tunnel0/0/0
 ip address 192.168.1.2 255.255.255.0
 tunnel-protocol gre
 source 202.138.162.1
 destination 202.138.163.1
 ipsec profile profile1
#
interface GigabitEthernet1/0/0
 ip address 202.138.162.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.1.2.1 255.255.255.0
#
ip route-static 202.138.163.0 255.255.255.0 202.138.162.2
ip route-static 10.1.1.0 255.255.255.0 tunnel0/0/0
#
return
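The two configuration files above have to agree on several points before the tunnel will come up: the Tunnel source and destination must be mirrored, both IKE peers must use the same IKE version and pre-shared key, and the IKE and IPSec proposals must offer the same algorithms. As an added example (not from the original post or from Huawei), the following Python checker parses config files in the '#'-delimited layout shown on this page and reports any of those mismatches; it assumes a single Tunnel0/0/0 and only the command forms used here.

```python
"""Cross-check the two routers' config files of a GRE-over-IPSec setup.
Added example, not Huawei tooling; it assumes the '#'-delimited VRP config
layout and only the commands this page uses (tunnel, profile, proposals, peer)."""

def parse_blocks(cfg):
    """Map each block header to {command prefix: last argument}."""
    blocks, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line in ("", "#", "return"):
            cur = None
        elif cur is None:
            cur = blocks.setdefault(line, {})
        else:
            key, _, val = line.rpartition(" ")
            cur[key] = val
    return blocks

def crypto_view(blocks, tunnel="interface Tunnel0/0/0"):
    """Follow tunnel -> ipsec profile -> ipsec proposal / ike peer -> ike proposal."""
    tun = blocks[tunnel]
    prof = blocks["ipsec profile " + tun["ipsec profile"]]
    esp = blocks["ipsec proposal " + prof["proposal"]]
    peer_hdr = next(h for h in blocks if h.startswith(f"ike peer {prof['ike-peer']} "))
    ike = blocks["ike proposal " + blocks[peer_hdr]["ike-proposal"]]
    return {"endpoints": (tun["source"], tun["destination"]),
            "ike_version": peer_hdr.split()[-1],     # 'v2' on this page
            "psk": blocks[peer_hdr]["pre-shared-key cipher"],
            "esp": sorted(esp.items()), "ike": sorted(ike.items())}

def check_pair(cfg_a, cfg_b):
    """Return mismatch descriptions; an empty list means the peers agree."""
    va, vb = crypto_view(parse_blocks(cfg_a)), crypto_view(parse_blocks(cfg_b))
    problems = []
    if va["endpoints"] != vb["endpoints"][::-1]:
        problems.append("tunnel source/destination are not mirrored")
    for key in ("ike_version", "psk", "esp", "ike"):
        if va[key] != vb[key]:
            problems.append(f"{key} differs: {va[key]!r} vs {vb[key]!r}")
    return problems

def sample_cfg(peer, src, dst, psk="Huawei"):
    """Constructed config in this page's layout, reduced to the blocks read above."""
    return "\n#\n".join([
        "ipsec proposal tran1\n esp authentication-algorithm sha2-256\n esp encryption-algorithm aes-128",
        "ike proposal 5\n encryption-algorithm aes-cbc-128\n authentication-algorithm sha2-256",
        f"ike peer {peer} v2\n pre-shared-key cipher {psk}\n ike-proposal 5",
        f"ipsec profile profile1\n ike-peer {peer}\n proposal tran1",
        f"interface Tunnel0/0/0\n tunnel-protocol gre\n source {src}\n destination {dst}\n ipsec profile profile1"])

ROUTER_A = sample_cfg("spub", "202.138.163.1", "202.138.162.1")
ROUTER_B = sample_cfg("spua", "202.138.162.1", "202.138.163.1")
```

Feeding the full RouterA and RouterB files from this page to check_pair works the same way, since the parser simply ignores the blocks it does not read.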


Copyright notice: This article is published under the CC-BY-NC-SA 3.0 license. Unless otherwise noted, it is an original work of fishyoung; please keep the source attribution when reposting.

Link to this article: Huawei | Example: Establishing GRE over IPSec with a Virtual Tunnel Interface - http://www.fishyoung.com/post-212.html