F1060 GRE over IPsec Typical Network Configuration Example

Network Setup and Description

Network description:

[Network topology diagram]

This example uses the F1060 firewall in the H3C HCL simulator to model a typical GRE over IPsec deployment. The internal networks and the public network are clearly labelled in the topology diagram. FW1 and FW2 are the egress devices of their respective internal networks and provide NAT. To let internal network 1 and internal network 2 communicate across the public network, a GRE *** tunnel is built between FW1 and FW2, and to protect the data in transit, IPsec is nested inside the GRE *** tunnel.

Configuration Steps

1. Configure the IP addresses according to the network topology diagram

2. Configure NAT on FW1 and a default route pointing to the ISP

3. Configure NAT on FW2 and a default route pointing to the ISP

4. Establish the GRE *** tunnel between FW1 and FW2

5. Nest IPsec on top of the GRE *** tunnel

Key Configuration Points

The key configuration points for F1060 GRE over IPsec are shown below; the complete configuration process and the test results are in the attachment:

GRE over IPsec key configuration points:

FW1:

[FW1]acl advanced 3000
[FW1-acl-ipv4-adv-3000]rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
[FW1-acl-ipv4-adv-3000]quit
[FW1]ike proposal 1
[FW1-ike-proposal-1]quit
[FW1]ike keychain james
[FW1-ike-keychain-james]pre-shared-key address 123.0.0.2 255.255.255.252 key simple james
[FW1-ike-keychain-james]quit
[FW1]ike profile james
[FW1-ike-profile-james]proposal 1
[FW1-ike-profile-james]keychain james
[FW1-ike-profile-james]local-identity address 123.0.0.1
[FW1-ike-profile-james]match remote identity address 123.0.0.2 255.255.255.252
[FW1-ike-profile-james]quit
[FW1]ipsec transform-set james
[FW1-ipsec-transform-set-james]protocol esp
[FW1-ipsec-transform-set-james]encapsulation-mode tunnel
[FW1-ipsec-transform-set-james]esp authentication-algorithm md5
[FW1-ipsec-transform-set-james]esp encryption-algorithm des-cbc
[FW1-ipsec-transform-set-james]quit
[FW1]ipsec policy james 1 isakmp
[FW1-ipsec-policy-isakmp-james-1]security acl 3000
[FW1-ipsec-policy-isakmp-james-1]transform-set james
[FW1-ipsec-policy-isakmp-james-1]ike-profile james
[FW1-ipsec-policy-isakmp-james-1]remote-address 123.0.0.2
[FW1-ipsec-policy-isakmp-james-1]quit
[FW1]int Tunnel 0 mode gre
[FW1-Tunnel0]ip address 123.0.0.1 30
[FW1-Tunnel0]source 202.1.100.2
[FW1-Tunnel0]destination 202.2.100.2
[FW1-Tunnel0]ipsec apply policy james
[FW1-Tunnel0]quit
[FW1]ip route-static 172.16.1.0 255.255.255.0 123.0.0.2
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]import interface Tunnel 0
[FW1-security-zone-Untrust]quit

FW2:

(Note: the FW2 listing on this page never defines the ipsec transform-set james that its IPsec policy references. It has to be created on FW2 with the same settings as on FW1, because the ESP algorithms and the encapsulation mode must match on both ends for the IPsec SA to be negotiated.)

[FW2]acl advanced 3000
[FW2-acl-ipv4-adv-3000]rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[FW2-acl-ipv4-adv-3000]quit
[FW2]ike proposal 1
[FW2-ike-proposal-1]quit
[FW2]ike keychain james
[FW2-ike-keychain-james]pre-shared-key address 123.0.0.1 255.255.255.252 key simple james
[FW2-ike-keychain-james]quit
[FW2]ike profile james
[FW2-ike-profile-james]keychain james
[FW2-ike-profile-james]proposal 1
[FW2-ike-profile-james]match remote identity address 123.0.0.1 255.255.255.252
[FW2-ike-profile-james]local-identity address 123.0.0.2
[FW2-ike-profile-james]quit
[FW2]ipsec policy james 1 isakmp
[FW2-ipsec-policy-isakmp-james-1]security acl 3000
[FW2-ipsec-policy-isakmp-james-1]transform-set james
[FW2-ipsec-policy-isakmp-james-1]ike-profile james
[FW2-ipsec-policy-isakmp-james-1]remote-address 123.0.0.1
[FW2-ipsec-policy-isakmp-james-1]quit
[FW2]int Tunnel 0 mode gre
[FW2-Tunnel0]ip address 123.0.0.2 30
[FW2-Tunnel0]source 202.2.100.2
[FW2-Tunnel0]destination 202.1.100.2
[FW2-Tunnel0]ipsec apply policy james
[FW2-Tunnel0]quit
[FW2]ip route-static 192.168.1.0 255.255.255.0 123.0.0.1
[FW2]security-zone name Untrust
[FW2-security-zone-Untrust]import interface Tunnel 0
[FW2-security-zone-Untrust]quit
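As an added consistency check that is not part of the original post, the following Python script parses a Comware CLI transcript like the two listings above and verifies that each end references the other correctly (mirrored ACL, crossed GRE source/destination, IPsec remote-address and static-route next hop equal to the peer's tunnel address, transform set defined). The sample it runs on is constructed from the page's own values, and it reports that the FW2 listing never defines its ipsec transform-set.

```python
import re

SAMPLE = """  # constructed sample: the cross-referenced lines of the page's FW1 and FW2 listings
[FW1-acl-ipv4-adv-3000]rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
[FW1]ipsec transform-set james
[FW1-ipsec-policy-isakmp-james-1]remote-address 123.0.0.2
[FW1-Tunnel0]ip address 123.0.0.1 30
[FW1-Tunnel0]source 202.1.100.2
[FW1-Tunnel0]destination 202.2.100.2
[FW1]ip route-static 172.16.1.0 255.255.255.0 123.0.0.2
[FW2-acl-ipv4-adv-3000]rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[FW2-ipsec-policy-isakmp-james-1]remote-address 123.0.0.1
[FW2-Tunnel0]ip address 123.0.0.2 30
[FW2-Tunnel0]source 202.2.100.2
[FW2-Tunnel0]destination 202.1.100.2
[FW2]ip route-static 192.168.1.0 255.255.255.0 123.0.0.1
"""

FIELDS = [  # (field, regex on the prompt-stripped command, peer field it must equal, message)
    ("acl_src", r"rule \d+ permit ip source (\S+ \S+)", "acl_dst", "ACL source is not the peer's ACL destination"),
    ("acl_dst", r"rule \d+ permit ip .* destination (\S+ \S+)", None, ""),
    ("tset", r"ipsec transform-set (\S+)", None, "ipsec transform-set is not defined"),  # presence check
    ("remote", r"remote-address (\S+)", "tunnel_ip", "IPsec remote-address is not the peer's tunnel address"),
    ("tunnel_ip", r"ip address (\S+) \d+$", None, ""),
    ("src", r"source (\S+)", "dst", "GRE source is not the peer's GRE destination"),
    ("dst", r"destination (\S+)", None, ""),
    ("route", r"ip route-static \S+ \S+ (\S+)", "tunnel_ip", "static route next hop is not the peer's tunnel address"),
]

def parse(transcript: str) -> dict:
    """Collect the parameters per device, keyed by the name in the [FWx...] prompt."""
    devices = {}
    for line in transcript.splitlines():
        if m := re.match(r"\[(\w+)[^\]]*\]\s*(.*?)\s*$", line):  # m[1] = device, m[2] = command
            for field, pat, _, _ in FIELDS:
                if hit := re.match(pat, m[2]):
                    devices.setdefault(m[1], {})[field] = hit[1]
    return devices

def check_pair(devices: dict, a: str, b: str) -> list:
    """Report each reference on one end that does not line up with the other end."""
    errs = []
    for x, y in ((a, b), (b, a)):
        for field, _, peer, msg in FIELDS:
            bad = field not in devices[x] if peer is None else devices[x].get(field) != devices[y].get(peer)
            if bad and msg:  # fields with an empty message are only referenced by the peer's check
                errs.append(f"{x}: {msg}")
    return errs
```

Because the policy is applied on Tunnel0 and ACL 3000 matches the inner subnets, IKE and ESP run between the tunnel addresses 123.0.0.1 and 123.0.0.2, which is why remote-address and the static-route next hop must both be the peer's tunnel address. The transform set on the page uses des-cbc and md5, both long deprecated; on current Comware releases aes-cbc-256 with sha256 is the appropriate choice.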
