热门标签
热门文章
- 1logsim&worldsim&场景库_worldsim和logsim
- 2Python练手小项目(7)提取身份证信息(中级)_输入一个身份证号,用宇符串切片技术,读 出省份,出身年月,性别等信息
- 3Negative Sampling 负采样详解_negative sampling代码
- 4unity调试手机游戏(Android)【模拟器+真机】+设置运行时游戏横屏_unityplayer手机模拟器
- 5Qt之JSON基础操作_qt json
- 6Java基于springboot+vue的影院电影订票系统 含选座功能_springboot+vue电影购票系统
- 7C++实现归并排序_归并排序c++
- 8让工作快乐起来500强企业推崇的新理念
- 9SpringBoot 实现 PDF 添加水印的方式_response流文件怎么添加水印
- 10mysql:增删改查语句大全_mysql增删改查语句
当前位置: article > 正文
两个网关之间建立GRE over IPSec VPN(IPSec安全策略方式)_gre over ipsec 神州
作者:盐析白兔 | 2024-08-26 17:53:31
赞
踩
gre over ipsec 神州
两个网关之间建立GRE over IPSec VPN
前言
GRE VPN无法直接实现数据的加密,而IPSec只能对单播数据进行加密保护。因此,对于路由协议、语音、视频等组播数据需要在IPSec隧道中传输的情况,可以通过建立GRE隧道,并对组播数据进行GRE封装,然后对封装后的数据报文进行IPSec的加密处理,就可以实现组播数据在IPSec隧道中的加密传输。
GRE over IPSec解决了IPSec不支持组播、广播和非IP报文的缺点。对于这些报文数据,首先采用GRE进行封装,IPSec就可以把这些报文当作普通报文进行处理。
组网需求
网络环境描述如下:
网络A属于10.1.1.0/24子网,通过接口GE1/0/3与FW_A连接。
网络B属于10.1.2.0/24子网,通过接口GE1/0/3与FW_B连接。
FW_A和FW_B路由可达。
配置思路
采用如下思路配置GRE over IPSec:
网络A和网络B之间通信,需要通过FW_A和FW_B之间建立GRE隧道传输。
FW_A和FW_B之间数据需要进行IPSec加密。使用IKE协商方式进行加密。
GRE over IPSec中IPSec需要保护的数据流以GRE的起点为源、终点为目的。在FW_A上ACL的源为1.1.3.1,目的为1.1.5.1。
一、实验拓扑
二、使用步骤
1.AR1
<huawei>system-view [huawei]sysname AR1 [AR1]user-interface console 0 [AR1]idle-timeout 0 [AR1]quit ##.配置接口IP地址。 [AR1]interface g0/0/0 [AR1-GigabitEthernet0/0/0]ip address 1.1.3.2 255.255.255.0 [AR1-GigabitEthernet0/0/0]quit # [AR1]interface g0/0/1 [AR1-GigabitEthernet0/0/1]ip address 1.1.5.2 255.255.255.0 [AR1-GigabitEthernet0/0/1]quit ##配置OSPF [AR1]ospf 1 [AR1-ospf-1]area 0.0.0.0 [AR1-ospf-1-area-0.0.0.0]network 1.1.3.0 0.0.0.255 [AR1-ospf-1-area-0.0.0.0]network 1.1.5.0 0.0.0.255 [AR1-ospf-1-area-0.0.0.0]quit [AR1-ospf-1]quit
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
2.FW_A
>clock timezone beijing add 8 <USG6000V>system-view [USG6000V]sysname FW_A [FW_A]user-interface console 0 [FW_A]idle-timeout 0 [FW_A]quit ##.配置接口IP地址。 [FW_A]interface gigabitethernet 1/0/0 [FW_A-GigabitEthernet1/0/0]ip address 10.1.1.1 255.255.255.0 [FW_A-GigabitEthernet1/0/0]quit # [FW_A]interface gigabitethernet 1/0/1 [FW_A-GigabitEthernet1/0/1]ip address 1.1.3.1 255.255.255.0 [FW_A-GigabitEthernet1/0/1]quit ##.将接口加入相应的安全区域。 [FW_A]firewall zone trust [FW_A-zone-trust]add interface gigabitethernet 1/0/0 [FW_A-zone-trust]quit # [FW_A]firewall zone untrust [FW_A-zone-untrust]add interface gigabitethernet 1/0/1 [FW_A-zone-untrust]quit ##.配置域间安全策略。 [FW_A]security-policy [FW_A-policy-security]rule name policy1 [FW_A-policy-security-rule-policy1]source-zone trust [FW_A-policy-security-rule-policy1]destination-zone untrust [FW_A-policy-security-rule-policy1]source-address 10.1.1.0 24 [FW_A-policy-security-rule-policy1]destination-address 10.1.2.0 24 [FW_A-policy-security-rule-policy1]action permit [FW_A-policy-security-rule-policy1]quit # [FW_A-policy-security]rule name policy2 [FW_A-policy-security-rule-policy2]source-zone untrust [FW_A-policy-security-rule-policy2]destination-zone trust [FW_A-policy-security-rule-policy2]source-address 10.1.2.0 24 [FW_A-policy-security-rule-policy2]destination-address 10.1.1.0 24 [FW_A-policy-security-rule-policy2]action permit [FW_A-policy-security-rule-policy2]quit # [FW_A-policy-security]rule name policy3 [FW_A-policy-security-rule-policy3]source-zone local destination-zone untrust [FW_A-policy-security-rule-policy3]source-address 1.1.3.1 32 [FW_A-policy-security-rule-policy3]destination-address 1.1.5.1 32 [FW_A-policy-security-rule-policy3]action permit [FW_A-policy-security-rule-policy3]quit # [FW_A-policy-security]rule name policy4 [FW_A-policy-security-rule-policy4]source-zone untrust [FW_A-policy-security-rule-policy4]destination-zone local [FW_A-policy-security-rule-policy4]source-address 1.1.5.1 32 [FW_A-policy-security-rule-policy4]destination-address 1.1.3.1 32 [FW_A-policy-security-rule-policy4]action permit [FW_A-policy-security-rule-policy4]quit [FW_A-policy-security-rule-policy4]quit ##.在FW_A上配置GRE。 [FW_A]interface tunnel 1 [FW_A-Tunnel1]tunnel-protocol gre [FW_A-Tunnel1]ip address 30.1.1.1 255.255.255.0 [FW_A-Tunnel1]source 1.1.3.1 [FW_A-Tunnel1]destination 1.1.5.1 [FW_A-Tunnel1]quit ##.将接口Tunnel 1加入Untrust区域。 [FW_A]firewall zone untrust [FW_A-zone-untrust]add interface tunnel 1 [FW_A-zone-untrust]quit # ##配置从FW_A经过Tunnel 1接口到网络B的静态路由。此处假设FW_A通过GE1/0/1到网络B的下一跳为1.1.3.2。 [FW_A]ip route-static 10.1.2.0 255.255.255.0 tunnel 1 [FW_A]ip route-static 1.1.5.0 255.255.255.0 gigabitethernet 1/0/1 1.1.3.2 # ##创建高级ACL 3000,配置源IP地址为1.1.3.1、目的IP地址为1.1.5.1的规则。 [FW_A]acl 3000 [FW_A-acl-adv-3000]rule 5 permit ip source 1.1.3.1 0 destination 1.1.5.1 0 [FW_A-acl-adv-3000]quit ##.配置IPSec安全提议tran1,采用缺省参数。 [FW_A]ipsec proposal tran1 [FW_A-ipsec-proposal-tran1]esp authentication-algorithm sha2-256 [FW_A-ipsec-proposal-tran1]esp encryption-algorithm aes-256 [FW_A-ipsec-proposal-tran1]quit ##.配置IKE安全提议,采用缺省参数。 [FW_A]ike proposal 10 [FW_A-ike-proposal-10]authentication-method pre-share [FW_A-ike-proposal-10]prf hmac-sha2-256 [FW_A-ike-proposal-10]encryption-algorithm aes-256 [FW_A-ike-proposal-10]dh group14 [FW_A-ike-proposal-10]integrity-algorithm hmac-sha2-256 [FW_A-ike-proposal-10]quit ##.配置IKE Peer。 [FW_A]ike peer b [FW_A-ike-peer-b]ike-proposal 10 [FW_A-ike-peer-b]remote-address 1.1.5.1 [FW_A-ike-peer-b]pre-shared-key Test!123 [FW_A-ike-peer-b]quit ##.配置采用IKE方式协商的IPSec策略。 [FW_A]ipsec policy map1 10 isakmp [FW_A-ipsec-policy-isakmp-map1-10]security acl 3000 [FW_A-ipsec-policy-isakmp-map1-10]proposal tran1 [FW_A-ipsec-policy-isakmp-map1-10]ike-peer b [FW_A-ipsec-policy-isakmp-map1-10]quit ##.在接口GE1/0/1上应用IPSec策略组map1。 [FW_A]interface gigabitethernet 1/0/1 [FW_A-GigabitEthernet1/0/1]ipsec policy map1 [FW_A-GigabitEthernet1/0/1]quit
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
3.FW_B
>clock timezone beijing add 8 <USG6000V>system-view [USG6000V]sysname FW_B [FW_B]user-interface console 0 [FW_B]idle-timeout 0 [FW_B]quit ##.配置接口IP地址。 [FW_B]interface gigabitethernet 1/0/0 [FW_B-GigabitEthernet1/0/0]ip address 10.1.2.1 255.255.255.0 [FW_B-GigabitEthernet1/0/0]quit # [FW_B]interface gigabitethernet 1/0/1 [FW_B-GigabitEthernet1/0/1]ip address 1.1.5.1 255.255.255.0 [FW_B-GigabitEthernet1/0/1]quit ##.配置接口加入相应的安全区域。 [FW_B]firewall zone trust [FW_B-zone-trust]add interface gigabitethernet 1/0/0 [FW_B-zone-trust]quit # [FW_B]firewall zone untrust [FW_B-zone-untrust]add interface gigabitethernet 1/0/1 [FW_B-zone-untrust]quit ##.配置域间安全策略。 [FW_B]security-policy [FW_B-policy-security]rule name policy1 [FW_B-policy-security-rule-policy1]source-zone trust [FW_B-policy-security-rule-policy1]destination-zone untrust [FW_B-policy-security-rule-policy1]source-address 10.1.2.0 24 [FW_B-policy-security-rule-policy1]destination-address 10.1.1.0 24 [FW_B-policy-security-rule-policy1]action permit [FW_B-policy-security-rule-policy1]quit # [FW_B-policy-security]rule name policy2 [FW_B-policy-security-rule-policy2]source-zone untrust [FW_B-policy-security-rule-policy2]destination-zone trust [FW_B-policy-security-rule-policy2]source-address 10.1.1.0 24 [FW_B-policy-security-rule-policy2]destination-address 10.1.2.0 24 [FW_B-policy-security-rule-policy2]action permit [FW_B-policy-security-rule-policy2]quit # [FW_B-policy-security]rule name policy3 [FW_B-policy-security-rule-policy3]source-zone local [FW_B-policy-security-rule-policy3]destination-zone untrust [FW_B-policy-security-rule-policy3]source-address 1.1.5.1 32 [FW_B-policy-security-rule-policy3]destination-address 1.1.3.1 32 [FW_B-policy-security-rule-policy3]action permit [FW_B-policy-security-rule-policy3]quit # [FW_B-policy-security]rule name policy4 [FW_B-policy-security-rule-policy4]source-zone untrust [FW_B-policy-security-rule-policy4]destination-zone local [FW_B-policy-security-rule-policy4]source-address 1.1.3.1 32 [FW_B-policy-security-rule-policy4]destination-address 1.1.5.1 32 [FW_B-policy-security-rule-policy4]action permit [FW_B-policy-security-rule-policy4]quit [FW_B-policy-security-rule-policy4]quit ##.在FW_B上配置GRE。 [FW_B]interface tunnel 1 [FW_B-Tunnel1]tunnel-protocol gre [FW_B-Tunnel1]ip address 30.1.1.2 24 [FW_B-Tunnel1]source 1.1.5.1 [FW_B-Tunnel1]destination 1.1.3.1 [FW_B-Tunnel1]quit ##.将接口Tunnel 1加入Untrust区域。 [FW_B]firewall zone untrust [FW_B-zone-untrust]add interface tunnel 1 [FW_B-zone-untrust]quit # ##.配置从FW_B经过Tunnel 1接口到网络A的静态路由,此处假设FW_B通过GE1/0/1到网络A的下一跳为1.1.5.2。 [FW_B]ip route-static 10.1.1.0 255.255.255.0 tunnel 1 [FW_B]ip route-static 1.1.3.0 255.255.255.0 GigabitEthernet1/0/1 1.1.5.2 # ##.创建高级ACL 3000,配置源IP地址为1.1.5.1、目的IP地址为1.1.3.1的规则。 [FW_B]acl 3000 [FW_B-acl-adv-3000]rule 5 permit ip source 1.1.5.1 0 destination 1.1.3.1 0 [FW_B-acl-adv-3000]quit # ##.配置IKE安全提议,采用缺省参数。 [FW_B]ike proposal 10 [FW_B-ike-proposal-10]authentication-method pre-share [FW_B-ike-proposal-10]prf hmac-sha2-256 [FW_B-ike-proposal-10]encryption-algorithm aes-256 [FW_B-ike-proposal-10]dh group14 [FW_B-ike-proposal-10]integrity-algorithm hmac-sha2-256 [FW_B-ike-proposal-10]quit # ##.配置IKE peer。 [FW_B]ike peer a [FW_B-ike-peer-a]ike-proposal 10 [FW_B-ike-peer-a]remote-address 1.1.3.1 [FW_B-ike-peer-a]pre-shared-key Test!123 [FW_B-ike-peer-a]quit # ##.配置IPSec安全提议tran1,采用缺省参数。 [FW_B] ipsec proposal tran1 [FW_B-ipsec-proposal-tran1]esp authentication-algorithm sha2-256 [FW_B-ipsec-proposal-tran1]esp encryption-algorithm aes-256 [FW_B-ipsec-proposal-tran1]quit # ##.配置IPSec安全策略。 [FW_B]ipsec policy map1 10 isakmp [FW_B-ipsec-policy-isakmp-map1-10]security acl 3000 [FW_B-ipsec-policy-isakmp-map1-10]proposal tran1 [FW_B-ipsec-policy-isakmp-map1-10]ike-peer a [FW_B-ipsec-policy-isakmp-map1-10]quit ##.在接口GE1/0/1上应用IPSec策略组map1。 [FW_B]interface gigabitethernet 1/0/1 [FW_B-GigabitEthernet1/0/1]ipsec policy map1 [FW_B-GigabitEthernet1/0/1]quit
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
4.LSW1
>clock timezone beijing add 8 <huawei>system-view [huawei]sysname LAN1 [LAN1]user-interface console 0 [LAN1]idle-timeout 0 [LAN1]quit ##.配置接口IP地址。 [LAN1]interface Vlanif 1 [LAN1-Vlanif1]ip address 10.1.1.254 255.255.255.0 [LAN1-Vlanif1]quit ##.配置OSPF [LAN1]ospf 1 [LAN1-ospf-1]area 0.0.0.0 [LAN1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255 [LAN1-ospf-1-area-0.0.0.0]quit [LAN1-ospf-1]quit
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
5.LSW2
>clock timezone beijing add 8 <huawei>system-view [huawei]sysname LAN2 [LAN2]user-interface console 0 [LAN2]idle-timeout 0 [LAN2]quit ##.配置接口IP地址。 [LAN2]interface Vlanif 1 [LAN1-Vlanif2]ip address 10.1.2.254 255.255.255.0 [LAN1-Vlanif2]quit ##.配置OSPF [LAN2]ospf 1 [LAN2-ospf-1]area 0.0.0.0 [LAN2-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255 [LAN2-ospf-1-area-0.0.0.0]quit [LAN2-ospf-1-area]quit
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
测试实验结果
测试IPSec VPN
#再次使用ping命令,以激活ike,使用"display ike sa"查看运行情况:
#在FW_1查看IKE
display ike sa
#在FW_2查看IKE
display ike sa
----结束
简单的IPSec防火墙到防火墙的GRE over IPSec VPN网络,IPSec安全策略方式通信实验就配置完成了,如有错误,欢迎指出!!!
声明:本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:【wpsshop博客】
推荐阅读
相关标签
