GRE over IPsec configuration example (H3C MSR36-20)
Tags:
GRE
IPSec
Requirement
A GRE tunnel is built between RTA and RTC, and the GRE traffic also needs to be encrypted, so the GRE over IPsec configuration is used here.
Lab topology
Lab steps:
1. Configure the IP address of each interface
2. Configure basic GRE, with keepalive enabled so that the tunnel state is monitored
3. Configure IPsec to protect the traffic between the GRE source and destination addresses
Taking RTA as an example:
#
interface LoopBack0
ip address 192.168.1.1 255.255.255.255
#
interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
ipsec apply policy 1
#
interface Tunnel0 mode gre
ip address 192.168.3.1 255.255.255.0
source 1.1.1.1
destination 2.2.2.1
keepalive 10 3
#
ip route-static 0.0.0.0 0 1.1.1.2
ip route-static 192.168.2.0 24 Tunnel0
The protected flow is the GRE source and destination address pair:
acl advanced 3000
rule 0 permit gre source 1.1.1.1 0 destination 2.2.2.1 0
#
ipsec transform-set tran1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy 1 1 isakmp
transform-set tran1
security acl 3000
remote-address 2.2.2.1
ike-profile 1
#
ike profile 1
keychain 1
local-identity address 1.1.1.1
match remote identity address 2.2.2.1 255.255.255.0
proposal 1
#
ike proposal 1
#
ike keychain 1
pre-shared-key address 2.2.2.1 255.255.255.255 key cipher $c$3$hkBK0QaK54Q9QRjgZYb4egw3lW9Y/Q==
#
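The usual way this design fails is not IKE but selection: if the security ACL, the policy's remote-address, the IKE profile or the keychain stop agreeing with the tunnel's source and destination after a change, the GRE frames simply leave without protection. As an added example that is not part of the original post, the following Python script parses a constructed configuration modelled on the RTA stanzas above (abridged to the stanzas the check reads, with the pre-shared key replaced by a placeholder) and reports every such mismatch. It also flags the empty ike proposal 1, which leaves the IKE algorithms at the device defaults, as something to review. The stanza parser and the function names are this example's own, not an H3C tool.

```python
"""Consistency check for a GRE-over-IPsec configuration in H3C Comware syntax (added example,
not from the post): reads a constructed snippet modelled on RTA above and reports mismatches."""
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: the RTA stanzas the check reads; the pre-shared key is a placeholder.
RTA_CONFIG = """\
#
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ipsec apply policy 1
#
interface Tunnel0 mode gre
 source 1.1.1.1
 destination 2.2.2.1
 keepalive 10 3
#
acl advanced 3000
 rule 0 permit gre source 1.1.1.1 0 destination 2.2.2.1 0
#
ipsec transform-set tran1
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
#
ipsec policy 1 1 isakmp
 transform-set tran1
 security acl 3000
 remote-address 2.2.2.1
 ike-profile 1
#
ike profile 1
 keychain 1
 match remote identity address 2.2.2.1 255.255.255.0
 proposal 1
#
ike proposal 1
#
ike keychain 1
 pre-shared-key address 2.2.2.1 255.255.255.255 key cipher PLACEHOLDER-CIPHERTEXT
#
"""

def parse_stanzas(text):
    """Split a Comware config into {header: [body lines]}; '#' lines separate stanzas."""
    stanzas, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line in ("#", ""):
            cur = None
        elif cur is None:
            cur, stanzas[line] = line, []
        else:
            stanzas[cur].append(line)
    return stanzas

def find(stanzas, prefix):  # first stanza whose header starts with prefix, else (None, [])
    return next(((h, b) for h, b in stanzas.items() if h.startswith(prefix)), (None, []))

def field(body, key):  # argument of the first body line beginning with key, else None
    return next((l[len(key) + 1:] for l in body if l.startswith(key + " ")), None)

def check_gre_over_ipsec(config_text):
    """Return a list of findings; an empty list means the policy cleanly covers the tunnel."""
    st, out = parse_stanzas(config_text), []
    tun_hdr, tun = find(st, "interface Tunnel")
    src, dst = field(tun, "source"), field(tun, "destination")
    if tun_hdr is None or "mode gre" not in tun_hdr or not (src and dst):
        return ["no GRE tunnel interface with source and destination found"]
    if field(tun, "keepalive") is None:
        out.append(f"{tun_hdr}: no keepalive, a dead peer will not bring the tunnel down")
    # The interface that owns the tunnel source address must apply the IPsec policy.
    owner = [b for h, b in st.items() if h.startswith("interface")
             and (field(b, "ip address") or "").split(" ")[0] == src]
    policy = field(owner[0], "ipsec apply policy") if owner else None
    if policy is None:
        return out + [f"no interface holding {src} applies an ipsec policy"]
    pol_hdr, pol = find(st, f"ipsec policy {policy} ")
    if pol_hdr is None:
        return out + [f"ipsec policy {policy} is applied but not defined"]
    if field(pol, "remote-address") != dst:
        out.append(f"{pol_hdr}: remote-address must be the tunnel destination {dst}")
    # The security ACL must select protocol gre between exactly the two tunnel endpoints.
    acl, want = field(pol, "security acl"), f"permit gre source {src} 0 destination {dst} 0"
    if not any(want in r for r in find(st, f"acl advanced {acl}")[1]):
        out.append(f"acl {acl}: no rule '{want}', the GRE flow would not be protected")
    ts = field(pol, "transform-set")  # flag an unset cipher or single/triple DES
    enc = field(find(st, f"ipsec transform-set {ts}")[1], "esp encryption-algorithm") or ""
    if not enc or enc.startswith(("des", "3des")):
        out.append(f"transform-set {ts}: encryption '{enc or 'unset'}' is weak or missing")
    # IKE profile: remote identity, keychain entry and proposal must all refer to the peer.
    prof_hdr, prof = find(st, f"ike profile {field(pol, 'ike-profile')}")
    ident = (field(prof, "match remote identity address") or "").split()
    if len(ident) < 2 or IPv4Address(dst) not in IPv4Network("/".join(ident[:2]), strict=False):
        out.append(f"{prof_hdr}: remote identity does not cover peer {dst}")
    psk = field(find(st, f"ike keychain {field(prof, 'keychain')}")[1], "pre-shared-key address")
    if not (psk or "").startswith(dst + " "):
        out.append(f"ike keychain: no pre-shared key bound to peer {dst}")
    prop_hdr, prop = find(st, f"ike proposal {field(prof, 'proposal')}")
    if not prop:
        out.append(f"{prop_hdr or 'ike proposal'}: empty, device default algorithms apply; review them")
    return out
```

Run against the RTA sample, check_gre_over_ipsec returns a single finding, the empty ike proposal 1; changing the ACL rule's destination to any other address adds a second finding, because the rule no longer selects the GRE flow the tunnel actually sends.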
Test results
After traffic triggers negotiation, the IPsec tunnel is established:
<RTA>dis ike sa
Connection-ID Local Remote Flag DOI
-------------------------------------------------------------------------
1 1.1.1.1 2.2.2.1 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<RTA>dis ipsec sa
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------
-----------------------------
IPsec policy: 1
Sequence number: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1428
Tunnel:
local address: 1.1.1.1
remote address: 2.2.2.1
Flow:
sour addr: 1.1.1.1/255.255.255.255 port: 0 protocol: gre
dest addr: 2.2.2.1/255.255.255.255 port: 0 protocol: gre
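An established SA is only half the verification; the Flow block above is what shows that the SA really carries GRE between the two endpoints rather than some other selector. Added example, not from the original post: a Python parser for the display ipsec sa output, followed by a check that the SA is in tunnel mode, has the expected local and remote addresses, and has /32 host selectors with protocol gre on both sides. The sample text is the RTA output quoted above, abridged to the lines the parser reads; the function names are this example's own.

```python
"""Parse 'display ipsec sa' output and confirm the SA carries the GRE flow between the expected
endpoints. Added example, not from the original post; function names are this example's own."""
import re

# Constructed sample: the RTA 'display ipsec sa' output quoted above, abridged to the lines read here.
DISPLAY_IPSEC_SA = """\
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------
IPsec policy: 1
Sequence number: 1
Mode: ISAKMP
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Path MTU: 1428
Tunnel:
local address: 1.1.1.1
remote address: 2.2.2.1
Flow:
sour addr: 1.1.1.1/255.255.255.255 port: 0 protocol: gre
dest addr: 2.2.2.1/255.255.255.255 port: 0 protocol: gre
"""

FLOW_RE = re.compile(r"^(sour|dest) addr:\s*(\S+)\s+port:\s*(\d+)\s+protocol:\s*(\S+)")

def parse_ipsec_sa(text):
    """Return one SA entry as a dict: plain 'key: value' lines plus 'sour'/'dest' flow selectors."""
    sa = {}
    for line in (l.strip() for l in text.splitlines()):
        m = FLOW_RE.match(line)
        if m:
            sa[m.group(1)] = {"addr": m.group(2), "port": int(m.group(3)), "protocol": m.group(4)}
        elif ":" in line:
            key, _, val = line.partition(":")
            sa[key.strip()] = val.strip()
    return sa

def verify_gre_protected(sa, local, remote):
    """List what keeps this SA from being a tunnel-mode GRE SA between local and remote."""
    problems = []
    if sa.get("Encapsulation mode") != "tunnel":
        problems.append("not tunnel mode")
    if sa.get("local address") != local or sa.get("remote address") != remote:
        problems.append("SA endpoints differ from expected tunnel endpoints")
    for side, ip in (("sour", local), ("dest", remote)):
        sel = sa.get(side)
        if sel is None:
            problems.append(f"no {side} flow selector")
        elif sel["protocol"] != "gre" or sel["addr"] != f"{ip}/255.255.255.255":
            problems.append(f"{side} selector {sel['addr']} {sel['protocol']} is not gre host {ip}")
    # An empty 'Perfect Forward Secrecy' field means no PFS was negotiated; reported, not failed.
    if not sa.get("Perfect Forward Secrecy"):
        problems.append("informational: Perfect Forward Secrecy not in use on this SA")
    return problems
```

For the RTA output the only item returned is the informational PFS note, which matches the configuration above: the ipsec policy sets no PFS, so the field in the output is empty. Feeding a different expected remote address makes both the endpoint check and the dest selector check fail, which is the behaviour you want if this runs after a peer change.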
Lab device configurations:
RTA configuration:
#
version 7.1.075, Alpha 7571
#
sysname RTA
#
system-working-mode standard
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
interface Serial1/0
#
interface Serial2/0
#
interface Serial3/0
#
interface Serial4/0
#
interface NULL0
#
interface LoopBack0
ip address 192.168.1.1 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 1.1.1.1 255.255.255.0
ipsec apply policy 1
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
#
interface GigabitEthernet0/2
port link-mode route
combo enable copper
#
interface GigabitEthernet5/0
port link-mode route
combo enable copper
#
interface GigabitEthernet5/1
port link-mode route
combo enable copper
#
interface GigabitEthernet6/0
port link-mode route
combo enable copper
#
interface GigabitEthernet6/1
port link-mode route
combo enable copper
#
interface Tunnel0 mode gre
ip address 192.168.3.1 255.255.255.0
source 1.1.1.1
destination 2.2.2.1
keepalive 10 3
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
user-role network-operator
#
ip route-static 0.0.0.0 0 1.1.1.2
ip route-static 192.168.2.0 24 Tunnel0
#
acl advanced 3000
rule 0 permit gre source 1.1.1.1 0 destination 2.2.2.1 0
#
domain name system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
ipsec transform-set tran1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy 1 1 isakmp
transform-set tran1
security acl 3000
remote-address 2.2.2.1
ike-profile 1
#
ike profile 1
keychain 1
local-identity address 1.1.1.1
match remote identity address 2.2.2.1 255.255.255.0
proposal 1
#
ike proposal 1
#
ike keychain 1
pre-shared-key address 2.2.2.1 255.255.255.255 key cipher $c$3$hkBK0QaK54Q9QRjgZYb4egw3lW9Y/Q==
#
return
RTB configuration:
#
version 7.1.075, Alpha 7571
#
sysname RTB
#
system-working-mode standard
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
interface Serial1/0
#
interface Serial2/0
#
interface Serial3/0
#
interface Serial4/0
#
interface NULL0
#
interface LoopBack0
ip address 192.168.2.1 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 2.2.2.1 255.255.255.0
ipsec apply policy 1
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
#
interface GigabitEthernet0/2
port link-mode route
combo enable copper
#
interface GigabitEthernet5/0
port link-mode route
combo enable copper
#
interface GigabitEthernet5/1
port link-mode route
combo enable copper
#
interface GigabitEthernet6/0
port link-mode route
combo enable copper
#
interface GigabitEthernet6/1
port link-mode route
combo enable copper
#
interface Tunnel0 mode gre
ip address 192.168.3.2 255.255.255.0
source 2.2.2.1
destination 1.1.1.1
keepalive 10 3
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
user-role network-operator
#
ip route-static 0.0.0.0 0 2.2.2.2
ip route-static 192.168.1.0 24 Tunnel0
#
acl advanced 3000
rule 0 permit gre source 2.2.2.1 0 destination 1.1.1.1 0
#
domain name system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
ipsec transform-set tran1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy 1 1 isakmp
transform-set tran1
security acl 3000
remote-address 1.1.1.1
ike-profile 1
#
ike profile 1
keychain 1
local-identity address 2.2.2.1
match remote identity address 1.1.1.1 255.255.255.0
proposal 1
#
ike proposal 1
#
ike keychain 1
pre-shared-key address 1.1.1.1 255.255.255.255 key cipher $c$3$xCWbIRh+bQHD1AF9F5M0pgb9+lVWhg==
#
return
Internet device configuration:
#
version 7.1.075, Alpha 7571
#
sysname Intetnet
#
system-working-mode standard
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
interface Serial1/0
#
interface Serial2/0
#
interface Serial3/0
#
interface Serial4/0
#
interface NULL0
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet0/2
port link-mode route
combo enable copper
#
interface GigabitEthernet5/0
port link-mode route
combo enable copper
#
interface GigabitEthernet5/1
port link-mode route
combo enable copper
#
interface GigabitEthernet6/0
port link-mode route
combo enable copper
#
interface GigabitEthernet6/1
port link-mode route
combo enable copper
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
user-role network-operator
#
domain name system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
return
Notes:
1. The simulator used in this lab is the MSR36-20, with memory left at the default setting.
2. The router software version used in this lab is the default.