IPsec
The main function of IPsec is to encrypt data; it provides an encryption method that is sometimes used on its own. What IPsec establishes is a logical tunnel, not a real tunnel, and it cannot provide routing, because IPsec supports neither non-IP traffic nor broadcast and multicast.
GRE
GRE is a layer-3 VPN encapsulation technology. GRE can encapsulate the packets of certain network-layer protocols (such as IPX, AppleTalk and IP) so that the encapsulated packets can be transmitted across another network (such as IPv4), which solves the problem of crossing heterogeneous networks. Although GRE cannot provide encryption, it supports non-IP traffic and broadcast very well.
GRE over IPsec (IPsec encrypts the GRE tunnel for transmission)
In GRE over IPsec, GRE is the inner encapsulation and IPsec the outer; the IPsec interested flow is the GRE source and destination addresses. It applies when both endpoints have fixed IPs, or when one endpoint has a dynamic IP or sits on an intranet. Since IPsec cannot carry broadcast and multicast but GRE can, this setup can also run protocols that depend on multicast and broadcast.
IPsec over GRE (the data flow is encrypted and then transmitted through the tunnel)
In IPsec over GRE, IPsec is the inner encapsulation and GRE the outer. It suits routers with fixed IPs at both ends; the IPsec policy is applied to the physical port, the IPsec interested flow is the business network segment, and only business data is encrypted.
Configuration
sysname FW1
Configure the interested flow; the source and destination are the business address segments.
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.191.10.0 0.0.0.255
acl number 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.191.20.0 0.0.0.255
The security proposal is configured as usual; make sure the parameters are consistent at both ends.
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
The peer address deserves attention: for IPsec over GRE, the peer address is the tunnel address.
ike peer fw2
pre-shared-key huawei@123
ike-proposal 1
remote-address 12.1.1.2 //The peer tunnel address
ike peer fw3
pre-shared-key huawei@123
ike-proposal 1
remote-address 22.1.1.2 //The peer tunnel address
Create two IPsec policies for the point-to-multipoint scenario:
ipsec policy ips1 1 isakmp
security acl 3000
ike-peer fw2
proposal 1
ipsec policy ips2 1 isakmp
security acl 3001
ike-peer fw3
proposal 1
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.254 255.255.255.0
interface GigabitEthernet1/0/1
undo shutdown
ip address 172.16.0.254 255.255.255.0
interface GigabitEthernet1/0/3
undo shutdown
ip address 100.1.12.1 255.255.255.252
service-manage ping permit
interface Tunnel0
ip address 12.1.1.1 255.255.255.252
tunnel-protocol gre
keepalive
source GigabitEthernet1/0/3 //Specify the source interface
destination 100.1.12.6 //Specify the peer address
ipsec policy ips1 //Apply the IPsec policy to the tunnel interface
interface Tunnel1
ip address 22.1.1.1 255.255.255.252
tunnel-protocol gre
keepalive
source GigabitEthernet1/0/3
destination 100.1.12.10
ipsec policy ips2
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
add interface Tunnel0 //The tunnel interface must be added to a security zone; it can also be placed in the untrust zone.
add interface Tunnel1
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3
ip route-static 0.0.0.0 0.0.0.0 100.1.12.2
ip route-static 10.191.10.0 255.255.255.0 Tunnel0 //The route to the peer private network points to the tunnel port
ip route-static 10.191.20.0 255.255.255.0 Tunnel1
security-policy
rule name t-un //The firewall is tedious here: private-network-to-private-network traffic must be permitted in both directions
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 10.191.10.0 mask 255.255.255.0
destination-address 10.191.20.0 mask 255.255.255.0
action permit
rule name un-t
source-zone untrust
destination-zone trust
source-address 10.191.10.0 mask 255.255.255.0
source-address 10.191.20.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
rule name ipsce //If the tunnel interfaces are placed in the untrust zone, two of these commands can be omitted, since local-to-untrust covers them
source-zone local
source-zone trust
source-zone untrust
destination-zone local
destination-zone trust
destination-zone untrust
action permit
rule name to-isp //Permit the traffic that will be NATed
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action permit
nat-policy
rule name no-ips //Whether on a firewall or a router, tunnel traffic must be excluded from NAT
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 10.191.10.0 mask 255.255.255.0
destination-address 10.191.20.0 mask 255.255.255.0
action no-nat
rule name to-isp
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action source-nat easy-ip
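As an added worked example (not part of the original post or of any Huawei tooling), the following Python models two things the FW1 configuration above relies on: the wildcard-mask matching of acl 3000 and 3001 that selects policy ips1 or ips2, and the first-match order of the nat-policy, where the no-nat rule must precede easy-ip. The assumption that source NAT is applied before the tunnel's interested-flow match, and that easy-ip rewrites the source to the outside address 100.1.12.1, are taken from the page's own comment and configuration.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Huawei ACL wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# Interested flows from FW1's acl 3000 / 3001 on this page:
# (source, source wildcard, destination, destination wildcard).
INTERESTED = {
    "ips1": ("192.168.1.0", "0.0.0.255", "10.191.10.0", "0.0.0.255"),
    "ips2": ("192.168.1.0", "0.0.0.255", "10.191.20.0", "0.0.0.255"),
}


def select_ipsec_policy(src, dst):
    """Return the FW1 IPsec policy whose ACL matches the flow, or None (sent in the clear)."""
    for name, (s, sw, d, dw) in INTERESTED.items():
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return name
    return None


# FW1's nat-policy in the order the page lists it; the first matching rule wins.
# A destination list of None means "any destination".
NAT_POLICY = [
    ("no-ips", ["10.191.10.0/24", "10.191.20.0/24"], "no-nat"),
    ("to-isp", None, "source-nat easy-ip"),
]
FW1_OUTSIDE = "100.1.12.1"  # GigabitEthernet1/0/3; what easy-ip rewrites the source to


def apply_nat(src, dst, policy=NAT_POLICY):
    """Return (matched rule name, source address after NAT) for a trust->untrust packet."""
    for name, dests, action in policy:
        if dests is None or any(ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(n) for n in dests):
            return name, (src if action == "no-nat" else FW1_OUTSIDE)
    return None, src


def forward(src, dst, policy=NAT_POLICY):
    """Assumed order: source NAT first, then the interested-flow match on the tunnel.

    Returns (nat rule, ipsec policy). Dropping the no-nat rule (policy=NAT_POLICY[1:])
    rewrites the source to 100.1.12.1, so the business ACL no longer matches and the
    traffic would leave the tunnel unencrypted; that is why the page insists on no-nat.
    """
    rule, nat_src = apply_nat(src, dst, policy)
    return rule, select_ipsec_policy(nat_src, dst)
```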
sysname FW2
acl number 3000
rule 5 permit ip source 10.191.10.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike peer fw1
pre-shared-key huawei@123
ike-proposal 1
remote-address 12.1.1.1
ipsec policy ips 1 isakmp
security acl 3000
ike-peer fw1
proposal 1
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.191.10.254 255.255.255.0
interface GigabitEthernet1/0/3
undo shutdown
ip address 100.1.12.6 255.255.255.252
service-manage ping permit
interface Tunnel0
ip address 12.1.1.2 255.255.255.252
tunnel-protocol gre
keepalive
source GigabitEthernet1/0/3
destination 100.1.12.1
ipsec policy ips
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface Tunnel0
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3
firewall zone dmz
set priority 50
ip route-static 0.0.0.0 0.0.0.0 100.1.12.5
ip route-static 192.168.1.0 255.255.255.0 Tunnel0
security-policy
rule name t-un
source-zone trust
destination-zone untrust
source-address 10.191.10.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
rule name un-t
source-zone untrust
destination-zone trust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 10.191.10.0 mask 255.255.255.0
action permit
rule name ipsce
source-zone local
source-zone trust
source-zone untrust
destination-zone local
destination-zone trust
destination-zone untrust
action permit
rule name to-isp
source-zone trust
destination-zone untrust
source-address 10.191.10.0 mask 255.255.255.0
action permit
nat-policy
rule name t-un
source-zone trust
destination-zone untrust
source-address 10.191.10.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action no-nat
rule name to-isp
source-zone trust
destination-zone untrust
source-address 10.191.10.0 mask 255.255.255.0
action source-nat easy-ip
sysname FW3
acl number 3000
rule 5 permit ip source 10.191.20.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike peer fw1
pre-shared-key huawei@123
ike-proposal 1
remote-address 22.1.1.1
ipsec policy ips 1 isakmp
security acl 3000
ike-peer fw1
proposal 1
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.191.20.254 255.255.255.0
interface GigabitEthernet1/0/3
undo shutdown
ip address 100.1.12.10 255.255.255.252
service-manage ping permit
interface Tunnel0
ip address 22.1.1.2 255.255.255.252
tunnel-protocol gre
keepalive
source GigabitEthernet1/0/3
destination 100.1.12.1
ipsec policy ips
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface Tunnel0
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3
firewall zone dmz
set priority 50
ip route-static 0.0.0.0 0.0.0.0 100.1.12.9
ip route-static 192.168.1.0 255.255.255.0 Tunnel0
security-policy
rule name t-un
source-zone trust
destination-zone untrust
source-address 10.191.20.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
rule name un-t
source-zone untrust
destination-zone trust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 10.191.20.0 mask 255.255.255.0
action permit
rule name ipsce
source-zone local
source-zone trust
source-zone untrust
destination-zone local
destination-zone trust
destination-zone untrust
action permit
rule name to-isp
source-zone trust
destination-zone untrust
source-address 10.191.20.0 mask 255.255.255.0
action permit
nat-policy
rule name t-un
source-zone trust
destination-zone untrust
source-address 10.191.20.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action no-nat
rule name to-isp
source-zone trust
destination-zone untrust
source-address 10.191.20.0 mask 255.255.255.0
action source-nat easy-ip
For a point-to-point deployment, simply delete one of the two peer groups from the headquarters (FW1) configuration.
Verify