华为ensp防火墙双出口GRE over IPSEC主备切换_ensp双隧道

本期实验适用在防火墙ipsec vpn多出口的场景，看拓扑

IPSEC 对两个私网流量加密，通过GRE进行选路，通过静态路由来控制选路，但是主链路中的热任何节点故障，防火墙的主备ipsec流量该如何切换成为难题，这里用ip-link和静态的联动，有效的解决该问题。

上配置

FW1

sysname FW-1
#
ipsec 配置
由于是over进gre所以不需要写感兴趣流
ipsec proposal 1
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256 
#
ike proposal 1
 encryption-algorithm aes-256 
 dh group14 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
#
ike peer all
 pre-shared-key %^%#SkSdV.BEAL&T*nX~\eD9E#XH<[UdLFb^PLE^:x@I%^%#
 ike-proposal 1
#
为两个gre隧道口创建两个ipsec名
ipsec profile fw1-fw2-100
 ike-peer all
 proposal 1
ipsec profile fw1-fw2-101
 ike-peer all
 proposal 1
#
接口配置
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.0.1.1 255.255.255.252
 service-manage ping permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.10.254 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 100.0.0.1 255.255.255.252
 service-manage ping permit
#
gre隧道接口配置
interface Tunnel0
 ip address 1.1.1.1 255.255.255.252  隧道地址
 tunnel-protocol gre  隧道模式为gre
 keepalive  gre的保活
 source 100.0.1.1  本段防火墙出接口地址
 destination 100.1.2.2 对端防火墙出接口地址
 ipsec profile fw1-fw2-100  调用ipsec
#
interface Tunnel1
 ip address 2.2.2.1 255.255.255.252
 tunnel-protocol gre
 keepalive
 source 100.0.0.1
 destination 100.1.1.2
 ipsec profile fw1-fw2-101
#
防火墙接口加入到区域中
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
 add interface Tunnel0
 add interface Tunnel1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/2
#
配置ip-link，保证中间链路，路由可达，ip-link状态就会up，通过静态建立ip-link所需要的路由
ip-link check enable
ip-link name test1
 source-ip 100.0.1.1
 destination 100.1.2.2 mode icmp
 destination 100.1.2.2 interface GigabitEthernet1/0/0 mode icmp next-hop 100.0.1.2
ip-link name test2
 source-ip 100.0.0.1
 destination 100.1.1.2 mode icmp
 destination 100.1.1.2 interface GigabitEthernet1/0/2 mode icmp next-hop 100.0.0.2
#
配置到对端防火墙出口路由
ip route-static 100.1.1.0 255.255.255.0 100.0.0.2
ip route-static 100.1.2.0 255.255.255.0 100.0.1.2
配置ipsec流量进入gre隧道流量
ip route-static 192.168.20.0 255.255.255.0 Tunnel1 preference 100 track ip-link test2
ip route-static 192.168.20.0 255.255.255.0 Tunnel0 track ip-link test1
#
安全策略
security-policy
放行ipsec 和 gre 协商策略
 rule name tun
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit
防火墙ipsec业务来回策略
 rule name vpn
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  destination-address 192.168.20.0 mask 255.255.255.0
  action permit
 rule name vpn-
  source-zone untrust
  destination-zone trust
  source-address 192.168.20.0 mask 255.255.255.0
  destination-address 192.168.10.0 mask 255.255.255.0
  action permit

------------------------------------------------------------------------------------------------------------------------------
FW2
sysname FW-2
#
ipsec proposal 1
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256 
#
ike proposal 1
 encryption-algorithm aes-256 
 dh group14 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
#
ike peer all
 pre-shared-key %^%#k,_T.U5*aRIHR768Z}#V!"8UUGuKnNtsHqYkUy!3%^%#
 ike-proposal 1
#
ipsec profile fw2-fw1-100
 ike-peer all
 proposal 1
ipsec profile fw2-fw1-102
 ike-peer all
 proposal 1
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.1.1.2 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 100.1.2.2 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.20.254 255.255.255.0
 service-manage ping permit
#
interface Tunnel0
 ip address 1.1.1.2 255.255.255.252
 tunnel-protocol gre
 source 100.1.2.2
 destination 100.0.1.1
 ipsec profile fw2-fw1-100
#
interface Tunnel1
 ip address 2.2.2.2 255.255.255.252
 tunnel-protocol gre
 keepalive
 source 100.1.1.2
 destination 100.0.0.1
 ipsec profile fw2-fw1-102
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/2
 add interface Tunnel0
 add interface Tunnel1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
#
ip route-static 100.0.0.0 255.255.255.0 100.1.1.1
ip route-static 100.0.1.0 255.255.255.0 100.1.2.1
ip route-static 192.168.10.0 255.255.255.0 Tunnel1 preference 100 track ip-link 
test2
ip route-static 192.168.10.0 255.255.255.0 Tunnel0 track ip-link test1
#
ip-link check enable
ip-link name test1
 source-ip 100.1.2.2
 destination 100.0.1.1 mode icmp
 destination 100.0.1.1 interface GigabitEthernet1/0/1 mode icmp next-hop 100.1.2.1 ip-link name test2
 source-ip 100.1.1.2
 destination 100.0.0.1 mode icmp
 destination 100.0.0.1 interface GigabitEthernet1/0/0 mode icmp next-hop 100.1.1.1
#
security-policy
 rule name tun
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit
 rule name vpn
  source-zone trust
  destination-zone untrust
  source-address 192.168.20.0 mask 255.255.255.0
  destination-address 192.168.10.0 mask 255.255.255.0
  action permit
 rule name vpn-
  source-zone untrust
  destination-zone trust
  source-address 192.168.10.0 mask 255.255.255.0
  destination-address 192.168.20.0 mask 255.255.255.0
  action permit

验证测试

路由

fw1

fw2

ip-link验证

ping测试

防火墙ike验证

防火墙ipsec 验证

断开主链路

测试

FW监测到直连故障，ip-link探测成功，进行主备切换

切换成功，回切

完成整个主备切换测试验证，防火墙推荐用ip-link联动，可以根动态、静态、vrrp等多种协议配合，非常好使。