IPSec Over GRE Configuration Lab

Lab objective:

Configure secure connectivity between a branch office and headquarters using IPSec over GRE.

Network requirements:

As shown in the figure, R1 is the headquarters egress router and R2 is the branch egress router; the branch and headquarters communicate across the public network (simulated here by R3).

Originally the branch and headquarters reached each other's private networks over a GRE tunnel. Now the traffic exchanged between the branch and headquarters (excluding multicast data) must be protected, so IPSec over GRE is built with a virtual tunnel interface: an IPSec tunnel interface whose source is the GRE tunnel interface, protecting the traffic between branch and headquarters.

GRE configuration:

*********** Headquarters R1 ****************

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R1-head-office
[R1-head-office]int gi0/0/0
[R1-head-office-GigabitEthernet0/0/0]ip addr 20.1.1.1 24          // public-facing interface
[R1-head-office-GigabitEthernet0/0/0]int gi 0/0/1
[R1-head-office-GigabitEthernet0/0/1]ip addr 10.1.1.2 24          // HQ LAN gateway
[R1-head-office-GigabitEthernet0/0/1]q
[R1-head-office]ospf 1 router-id 1.1.1.1                          // OSPF 1: public (underlay) routing, WAN link only
[R1-head-office-ospf-1]area 0
[R1-head-office-ospf-1-area-0.0.0.0]network 20.1.1.0 0.0.0.255
[R1-head-office-ospf-1-area-0.0.0.0]q
[R1-head-office-ospf-1]q
[R1-head-office]ospf 2                                            // OSPF 2: private routing, LAN plus the GRE tunnel subnet
[R1-head-office-ospf-2]area 0
[R1-head-office-ospf-2-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[R1-head-office-ospf-2-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[R1-head-office-ospf-2-area-0.0.0.0]q
[R1-head-office-ospf-2]q
[R1-head-office]int tunnel 0/0/0                                  // GRE tunnel interface
[R1-head-office-Tunnel0/0/0]ip addr 192.168.1.1 24
[R1-head-office-Tunnel0/0/0]tunnel-protocol gre
[R1-head-office-Tunnel0/0/0]source 20.1.1.1                       // local public address
[R1-head-office-Tunnel0/0/0]destination 30.1.1.1                  // branch public address
[R1-head-office-Tunnel0/0/0]q

************** Simulated Internet (R3) *************

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R3-Internet
[R3-Internet]int gi 0/0/0
[R3-Internet-GigabitEthernet0/0/0]ip addr 20.1.1.2 24
[R3-Internet-GigabitEthernet0/0/0]int gi 0/0/1
[R3-Internet-GigabitEthernet0/0/1]ip addr 30.1.1.2 24
[R3-Internet-GigabitEthernet0/0/1]q
[R3-Internet]ospf 1 router-id 3.3.3.3                             // public routing only; R3 never learns the private subnets
[R3-Internet-ospf-1]area 0
[R3-Internet-ospf-1-area-0.0.0.0]network 20.1.1.0 0.0.0.255
[R3-Internet-ospf-1-area-0.0.0.0]network 30.1.1.0 0.0.0.255

************** Branch R2 *********************

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R2-branch-office                                  // the original transcript named this router R3-office-Other; renamed to match the topology (R3 is the Internet router)
[R2-branch-office]int gi 0/0/0
[R2-branch-office-GigabitEthernet0/0/0]ip addr 30.1.1.1 24        // public-facing interface
[R2-branch-office-GigabitEthernet0/0/0]int gi 0/0/1
[R2-branch-office-GigabitEthernet0/0/1]ip addr 10.1.2.2 24        // branch LAN gateway
[R2-branch-office-GigabitEthernet0/0/1]q
[R2-branch-office]ospf 1 router-id 2.2.2.2                        // OSPF 1: public (underlay) routing
[R2-branch-office-ospf-1]area 0
[R2-branch-office-ospf-1-area-0.0.0.0]network 30.1.1.0 0.0.0.255
[R2-branch-office-ospf-1-area-0.0.0.0]q
[R2-branch-office-ospf-1]q
[R2-branch-office]ospf 2                                          // OSPF 2: private routing over the GRE tunnel
[R2-branch-office-ospf-2]area 0
[R2-branch-office-ospf-2-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[R2-branch-office-ospf-2-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[R2-branch-office-ospf-2-area-0.0.0.0]q
[R2-branch-office-ospf-2]q
[R2-branch-office]int tunnel 0/0/0                                // GRE tunnel interface, mirror of R1
[R2-branch-office-Tunnel0/0/0]ip addr 192.168.1.2 24
[R2-branch-office-Tunnel0/0/0]tunnel-protocol gre
[R2-branch-office-Tunnel0/0/0]source 30.1.1.1
[R2-branch-office-Tunnel0/0/0]destination 20.1.1.1
[R2-branch-office-Tunnel0/0/0]q


Verification after the GRE configuration:
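
The original post shows this verification as screenshots that are not reproduced here. The checks below are an added example, not from the original post: they are what to run on R1 once the GRE stage is done, and the expected states in the comments are assumptions derived from the topology above (OSPF 1 reaches 30.1.1.1 through R3 at 20.1.1.2, OSPF 2 forms its adjacency across Tunnel0/0/0).

```text
// Tunnel interface state: the GRE tunnel only comes up once its destination is routable
[R1-head-office]display interface Tunnel0/0/0              // line protocol must be UP
[R1-head-office]display ip routing-table 30.1.1.1          // learned via OSPF 1, next hop 20.1.1.2 (R3)
// Private overlay: OSPF 2 adjacency must form across the tunnel, not across the WAN link
[R1-head-office]display ospf 2 peer                        // R2's router ID, state Full, interface Tunnel0/0/0
[R1-head-office]display ip routing-table 10.1.2.0          // branch LAN reachable via Tunnel0/0/0
// End-to-end test sourced from the HQ LAN gateway so it follows the private path
[R1-head-office]ping -a 10.1.1.2 10.1.2.2
```

If the ping works but the tunnel is carrying OSPF hellos only, the GRE subnet was probably left out of OSPF 2 on one side; both routers must list 192.168.1.0 0.0.0.255 under ospf 2 at this stage.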

The above is the original, GRE-only configuration. To protect the company's data in transit, IPSec over GRE is now configured on top of it.

************** Headquarters R1 **********

[R1-head-office]ipsec proposal tran1                                    // IPSec proposal: ESP with SHA2-256 integrity and AES-128 encryption
[R1-head-office-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[R1-head-office-ipsec-proposal-tran1]esp encryption-algorithm aes-128
[R1-head-office-ipsec-proposal-tran1]q
[R1-head-office]ike proposal 5                                            // IKE proposal
[R1-head-office-ike-proposal-5]encryption-algorithm aes-cbc-128
[R1-head-office-ike-proposal-5]authentication-algorithm sha2-256
                                                        ^
Error: Unrecognized command found at '^' position.
                                  // This VRP build does not accept sha2-256 here, so the IKE proposal keeps its
                                  // default authentication algorithm. Check what is actually in effect with
                                  // "display ike proposal 5" and choose the strongest option the build offers;
                                  // the branch's IKE proposal must match whatever is left in place.
[R1-head-office-ike-proposal-5]q

[R1-head-office]ike peer spub v2                               // IKE peer, negotiating with IKEv2
[R1-head-office-ike-peer-spub]pre-shared-key cipher huawei     // PSK: "huawei" is a lab placeholder; use a long random secret in production, identical on R2
[R1-head-office-ike-peer-spub]ike-proposal 5
[R1-head-office-ike-peer-spub]q
[R1-head-office]ipsec profile profile1                                // IPSec profile (security framework) binding the peer and the proposal
[R1-head-office-ipsec-profile-profile1]ike-peer spub
[R1-head-office-ipsec-profile-profile1]proposal tran1
[R1-head-office-ipsec-profile-profile1]q
[R1-head-office]int tunnel0/0/1                                             // IPSec tunnel interface
[R1-head-office-Tunnel0/0/1]ip addr 192.168.2.1 24
[R1-head-office-Tunnel0/0/1]tunnel-protocol ipsec
[R1-head-office-Tunnel0/0/1]source tunnel0/0/0                        // tunnel source is the GRE tunnel interface: ESP rides inside GRE
[R1-head-office-Tunnel0/0/1]destination 192.168.1.2                // tunnel destination is R2's GRE tunnel address
[R1-head-office-Tunnel0/0/1]ipsec profile profile1              // apply the IPSec profile
[R1-head-office-Tunnel0/0/1]q
[R1-head-office]ospf 2                                                   // advertise the IPSec tunnel subnet in the private OSPF process
[R1-head-office-ospf-2]area 0
[R1-head-office-ospf-2-area-0.0.0.0]network 192.168.2.0 0.0.0.255

************** Branch R2 **********

The branch configuration is essentially the same as R1's, with the tunnel source and destination swapped; refer to the configuration above.
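
The original post stops at "refer to the configuration above". The following is the branch side written out in full as an added example, not from the original post: it mirrors R1 with the IPSec tunnel source and destination swapped, then runs the checks that confirm the LAN-to-LAN traffic really takes the ESP-protected path. The prompts assume the branch router is named R2-branch-office, and the pre-shared key must be the same string as on R1. The remediation at the end only applies if the routing-table check shows the bare GRE tunnel as an alternate path; the GRE subnet is directly connected on both sides, so it does not need to be advertised in OSPF 2 once the IPSec tunnel carries the private routes.

```text
// ---- R2 (branch): IPSec over the existing GRE tunnel, mirror of R1 ----
[R2-branch-office]ipsec proposal tran1
[R2-branch-office-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[R2-branch-office-ipsec-proposal-tran1]esp encryption-algorithm aes-128
[R2-branch-office-ipsec-proposal-tran1]q
[R2-branch-office]ike proposal 5                               // must match R1's effective proposal (display ike proposal 5 on R1)
[R2-branch-office-ike-proposal-5]encryption-algorithm aes-cbc-128
[R2-branch-office-ike-proposal-5]q
[R2-branch-office]ike peer spub v2                             // IKEv2, as on R1
[R2-branch-office-ike-peer-spub]pre-shared-key cipher huawei   // identical to R1's key; replace the lab value in production
[R2-branch-office-ike-peer-spub]ike-proposal 5
[R2-branch-office-ike-peer-spub]q
[R2-branch-office]ipsec profile profile1
[R2-branch-office-ipsec-profile-profile1]ike-peer spub
[R2-branch-office-ipsec-profile-profile1]proposal tran1
[R2-branch-office-ipsec-profile-profile1]q
[R2-branch-office]int tunnel0/0/1
[R2-branch-office-Tunnel0/0/1]ip addr 192.168.2.2 24           // other end of R1's 192.168.2.1
[R2-branch-office-Tunnel0/0/1]tunnel-protocol ipsec
[R2-branch-office-Tunnel0/0/1]source tunnel0/0/0               // ride on the branch GRE tunnel
[R2-branch-office-Tunnel0/0/1]destination 192.168.1.1          // R1's GRE tunnel address
[R2-branch-office-Tunnel0/0/1]ipsec profile profile1
[R2-branch-office-Tunnel0/0/1]q
[R2-branch-office]ospf 2
[R2-branch-office-ospf-2]area 0
[R2-branch-office-ospf-2-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[R2-branch-office-ospf-2-area-0.0.0.0]q
[R2-branch-office-ospf-2]q

// ---- Checks: is the traffic actually encrypted? ----
[R2-branch-office]ping -a 10.1.2.2 10.1.1.2                    // LAN-to-LAN traffic triggers IKE; the first packets may be lost
[R2-branch-office]display ike sa                               // expect an IKEv2 SA with peer 192.168.1.1 flagged RD (ready)
[R2-branch-office]display ipsec sa                             // expect inbound and outbound ESP SAs bound to Tunnel0/0/1
[R2-branch-office]display ip routing-table 10.1.1.0            // outgoing interface must be Tunnel0/0/1 only
// If 10.1.1.0 is also listed via Tunnel0/0/0, OSPF 2 is load-sharing over the bare GRE tunnel and
// that share of the traffic leaves in cleartext. Fix on both routers: stop advertising the GRE
// subnet in OSPF 2 (it is directly connected and only has to carry the IPSec tunnel to its peer).
[R2-branch-office]ospf 2
[R2-branch-office-ospf-2]area 0
[R2-branch-office-ospf-2-area-0.0.0.0]undo network 192.168.1.0 0.0.0.255
```

After the fix, re-run the routing-table check and a capture on the R3 link: every packet between the two LANs should appear as GRE carrying ESP, with no plaintext OSPF or ICMP from the 10.1.x.0 subnets visible to the simulated Internet.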


Reposted from blog.csdn.net/WannaHaha/article/details/107822222