
CLI Example: Configuring an IPSec over GRE Tunnel

This example provides the configuration of an IPSec over GRE tunnel between the enterprise branch and headquarters.

Networking Requirements

Originally, the enterprise branch and headquarters communicate through a GRE tunnel. As network threats grow more severe, the enterprise wants to strengthen the security of this communication without changing the existing network deployment. Therefore, traffic can be IPSec-encapsulated before GRE encapsulation, forming an IPSec over GRE tunnel, as shown in Figure 1.

Figure 1 Networking diagram of the IPSec over GRE tunnel

Configuration Roadmap

  1. Create a tunnel interface on FW_A and FW_B for establishing a GRE tunnel.
  2. Configure an IPSec policy on FW_A and FW_B and apply the policy to the GRE tunnel interface.

Procedure

  1. Configure FW_A.
    1. Set interface IP addresses and assign the interfaces to security zones.

      <sysname> system-view
      [sysname] sysname FW_A
      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW_A-GigabitEthernet0/0/1] quit
      [FW_A] interface GigabitEthernet 0/0/2
      [FW_A-GigabitEthernet0/0/2] ip address 10.1.1.1 24
      [FW_A-GigabitEthernet0/0/2] quit
      [FW_A] interface Tunnel 1
      [FW_A-Tunnel1] ip address 172.16.2.1 24
      [FW_A-Tunnel1] quit
      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_A-zone-untrust] quit
      [FW_A] firewall zone trust
      [FW_A-zone-trust] add interface GigabitEthernet 0/0/2
      [FW_A-zone-trust] quit
      [FW_A] firewall zone dmz
      [FW_A-zone-dmz] add interface tunnel 1
      [FW_A-zone-dmz] quit

    2. Configure interzone security policies.

      Configure a Trust-DMZ interzone security policy to allow unencapsulated packets to pass.
      [FW_A] security-policy
      [FW_A-policy-security] rule name policy1
      [FW_A-policy-security-rule-policy1] source-zone trust dmz
      [FW_A-policy-security-rule-policy1] destination-zone dmz trust
      [FW_A-policy-security-rule-policy1] action permit
      [FW_A-policy-security-rule-policy1] quit

      Configure a Local-DMZ interzone security policy to allow encapsulated IPSec packets to pass.

      [FW_A-policy-security] rule name policy2
      [FW_A-policy-security-rule-policy2] source-zone local dmz
      [FW_A-policy-security-rule-policy2] destination-zone dmz local
      [FW_A-policy-security-rule-policy2] action permit
      [FW_A-policy-security-rule-policy2] quit

      Configure a Local-Untrust interzone security policy to allow encapsulated GRE packets to pass.

      [FW_A-policy-security] rule name policy3
      [FW_A-policy-security-rule-policy3] source-zone local untrust
      [FW_A-policy-security-rule-policy3] destination-zone untrust local
      [FW_A-policy-security-rule-policy3] service gre
      [FW_A-policy-security-rule-policy3] action permit
      [FW_A-policy-security-rule-policy3] quit

    3. Set encapsulation parameters for the tunnel interface.

      [FW_A] interface Tunnel 1
      [FW_A-Tunnel1] tunnel-protocol gre
      [FW_A-Tunnel1] source GigabitEthernet 0/0/1
      [FW_A-Tunnel1] destination 5.5.5.5
      [FW_A-Tunnel1] gre key cipher 123456
      [FW_A-Tunnel1] keepalive
      [FW_A-Tunnel1] quit

    4. Create an IPSec policy.

      1. Create an ACL and define the data flow to be protected.

        [FW_A] acl 3000
        [FW_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
        [FW_A-acl-adv-3000] quit
      2. Configure IPSec proposal tran1.

        [FW_A] ipsec proposal tran1
        [FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
        [FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
        [FW_A-ipsec-proposal-tran1] quit
      3. Configure an IKE proposal and use the default parameter settings.

        [FW_A] ike proposal 10
        [FW_A-ike-proposal-10] authentication-method pre-share
        [FW_A-ike-proposal-10] authentication-algorithm sha2-256
        [FW_A-ike-proposal-10] encryption-algorithm aes-256
        [FW_A-ike-proposal-10] dh group14
        [FW_A-ike-proposal-10] quit
      4. Configure the IKE peer.

        [FW_A] ike peer b
        [FW_A-ike-peer-b] ike-proposal 10
        [FW_A-ike-peer-b] remote-address 172.16.2.2
        [FW_A-ike-peer-b] pre-shared-key Test!123
        [FW_A-ike-peer-b] quit
      5. Create an IPSec policy using IKE negotiation.

        [FW_A] ipsec policy map1 10 isakmp
        [FW_A-ipsec-policy-isakmp-map1-10] security acl 3000
        [FW_A-ipsec-policy-isakmp-map1-10] proposal tran1
        [FW_A-ipsec-policy-isakmp-map1-10] ike-peer b
        [FW_A-ipsec-policy-isakmp-map1-10] quit
      6. Apply IPSec policy group map1 to the tunnel interface.

        [FW_A] interface tunnel 1
        [FW_A-Tunnel1] ipsec policy map1
        [FW_A-Tunnel1] quit

    5. Configure a route to divert traffic destined for the headquarters to the GRE tunnel.

      [FW_A] ip route-static 0.0.0.0 0 1.1.1.2 /*Indicates the public route from FW_A to the Internet. Assume that the next hop is 1.1.1.2.*/
      [FW_A] ip route-static 10.1.2.0 24 Tunnel1

  2. Configure FW_B.
    1. Set interface IP addresses and assign the interfaces to security zones.

      <sysname> system-view
      [sysname] sysname FW_B
      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet0/0/1] ip address 5.5.5.5 24
      [FW_B-GigabitEthernet0/0/1] quit
      [FW_B] interface GigabitEthernet 0/0/2
      [FW_B-GigabitEthernet0/0/2] ip address 10.1.2.1 24
      [FW_B-GigabitEthernet0/0/2] quit
      [FW_B] interface Tunnel 1
      [FW_B-Tunnel1] ip address 172.16.2.2 24
      [FW_B-Tunnel1] quit
      [FW_B] firewall zone untrust
      [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_B-zone-untrust] quit
      [FW_B] firewall zone trust
      [FW_B-zone-trust] add interface GigabitEthernet 0/0/2
      [FW_B-zone-trust] quit
      [FW_B] firewall zone dmz
      [FW_B-zone-dmz] add interface tunnel 1
      [FW_B-zone-dmz] quit

    2. Configure interzone security policies.

      Configure a Trust-DMZ interzone security policy to allow unencapsulated packets to pass.
      [FW_B] security-policy
      [FW_B-policy-security] rule name policy1
      [FW_B-policy-security-rule-policy1] source-zone trust dmz
      [FW_B-policy-security-rule-policy1] destination-zone dmz trust
      [FW_B-policy-security-rule-policy1] action permit
      [FW_B-policy-security-rule-policy1] quit

      Configure a Local-DMZ interzone security policy to allow encapsulated IPSec packets to pass.

      [FW_B-policy-security] rule name policy2
      [FW_B-policy-security-rule-policy2] source-zone local dmz
      [FW_B-policy-security-rule-policy2] destination-zone dmz local
      [FW_B-policy-security-rule-policy2] action permit
      [FW_B-policy-security-rule-policy2] quit

      Configure a Local-Untrust interzone security policy to allow encapsulated GRE packets to pass.

      [FW_B-policy-security] rule name policy3
      [FW_B-policy-security-rule-policy3] source-zone local untrust
      [FW_B-policy-security-rule-policy3] destination-zone untrust local
      [FW_B-policy-security-rule-policy3] service gre
      [FW_B-policy-security-rule-policy3] action permit
      [FW_B-policy-security-rule-policy3] quit

    3. Set encapsulation parameters for the tunnel interface.

      [FW_B] interface Tunnel 1
      [FW_B-Tunnel1] tunnel-protocol gre
      [FW_B-Tunnel1] source GigabitEthernet 0/0/1
      [FW_B-Tunnel1] destination 1.1.1.1
      [FW_B-Tunnel1] gre key cipher 123456
      [FW_B-Tunnel1] keepalive
      [FW_B-Tunnel1] quit

    4. Create an IPSec policy.

      1. Create an ACL and define the data flow to be protected.

        [FW_B] acl 3000
        [FW_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
        [FW_B-acl-adv-3000] quit
      2. Configure IPSec proposal tran1.

        [FW_B] ipsec proposal tran1
        [FW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
        [FW_B-ipsec-proposal-tran1] esp encryption-algorithm aes-256
        [FW_B-ipsec-proposal-tran1] quit
      3. Configure an IKE proposal and use the default parameter settings.

        [FW_B] ike proposal 10
        [FW_B-ike-proposal-10] authentication-method pre-share
        [FW_B-ike-proposal-10] authentication-algorithm sha2-256
        [FW_B-ike-proposal-10] encryption-algorithm aes-256
        [FW_B-ike-proposal-10] dh group14
        [FW_B-ike-proposal-10] quit
      4. Configure the IKE peer.

        [FW_B] ike peer a
        [FW_B-ike-peer-a] ike-proposal 10
        [FW_B-ike-peer-a] remote-address 172.16.2.1
        [FW_B-ike-peer-a] pre-shared-key Test!123
        [FW_B-ike-peer-a] quit
      5. Create an IPSec policy using IKE negotiation.

        [FW_B] ipsec policy map1 10 isakmp
        [FW_B-ipsec-policy-isakmp-map1-10] security acl 3000
        [FW_B-ipsec-policy-isakmp-map1-10] proposal tran1
        [FW_B-ipsec-policy-isakmp-map1-10] ike-peer a
        [FW_B-ipsec-policy-isakmp-map1-10] quit
      6. Apply IPSec policy group map1 to the tunnel interface.

        [FW_B] interface tunnel 1
        [FW_B-Tunnel1] ipsec policy map1
        [FW_B-Tunnel1] quit

    5. Configure a route to divert traffic destined for the branch to the GRE tunnel.

      [FW_B] ip route-static 0.0.0.0 0 5.5.5.1 /*Indicates the public route from FW_B to the Internet. Assume that the next hop is 5.5.5.1.*/
      [FW_B] ip route-static 10.1.1.0 24 Tunnel1
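The procedure above needs three interzone rules because one branch packet crosses the firewall three times in different forms: the original packet (trust to dmz, where Tunnel1 sits), the ESP packet that the IPSec policy on Tunnel1 builds (local to dmz, 172.16.2.1 to 172.16.2.2), and the GRE packet that carries it to the Internet (local to untrust, 1.1.1.1 to 5.5.5.5). The following Python model is an added example, not code from the Huawei page: it takes the values from the FW_A procedure (acl 3000, the two static routes, the zone assignments and the three rules) and traces which zone pair and which rule each layer hits. The zone and encapsulation semantics are a simplified model, not the firewall's implementation, and it assumes that traffic not matched by acl 3000 is forwarded through the GRE tunnel without ESP, as policy-based IPSec on an interface normally does.

```python
"""Model of what FW_A does to a branch packet: route, ACL match, ESP, then GRE.

Added example, not from the Huawei page. Values are taken from the FW_A
procedure; the zone/encapsulation logic is a simplified model of a
policy-based IPSec firewall, not the vendor's implementation. Assumption:
traffic routed to Tunnel1 but not matched by acl 3000 leaves over GRE in clear.
"""
import ipaddress

# Values from the FW_A procedure.
ACL_3000 = [("permit", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255")]
ROUTES = [("10.1.2.0/24", "Tunnel1"), ("0.0.0.0/0", "GigabitEthernet0/0/1")]
ZONE_OF = {"GigabitEthernet0/0/2": "trust", "Tunnel1": "dmz",
           "GigabitEthernet0/0/1": "untrust"}
TUNNEL1 = {"ip": "172.16.2.1", "peer": "172.16.2.2",      # IPSec (IKE/ESP) endpoints
           "source": "1.1.1.1", "destination": "5.5.5.5"}  # GRE outer endpoints
# (rule name, zone pair, service); each page rule lists both zones as source and destination.
POLICIES = [("policy1", {"trust", "dmz"}, None),
            ("policy2", {"local", "dmz"}, None),
            ("policy3", {"local", "untrust"}, "gre")]


def wildcard_match(addr, base, wildcard):
    """ACL wildcard semantics: address bits where the wildcard bit is 0 must equal the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def acl_permits(src, dst):
    """True if acl 3000 selects this flow for IPSec protection."""
    for action, s, sw, d, dw in ACL_3000:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False


def egress_interface(dst):
    """Longest-prefix match over the static routes."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(n), i) for n, i in ROUTES
                  if dst_ip in ipaddress.ip_network(n)]
    return max(candidates, key=lambda c: c[0].prefixlen)[1]


def layers(src, dst, in_zone="trust"):
    """Hops (src_zone, dst_zone, protocol, outer_src, outer_dst) one packet generates on FW_A."""
    out_if = egress_interface(dst)
    hops = [(in_zone, ZONE_OF[out_if], "ip", src, dst)]          # the original packet
    if out_if != "Tunnel1":
        return hops                                              # never touches the tunnel
    if acl_permits(src, dst):                                    # ipsec policy map1 on Tunnel1
        hops.append(("local", "dmz", "esp", TUNNEL1["ip"], TUNNEL1["peer"]))
    hops.append(("local", "untrust", "gre", TUNNEL1["source"], TUNNEL1["destination"]))
    return hops


def matching_rule(hop):
    """Name of the first interzone rule permitting the hop, or 'deny' (the implicit default)."""
    src_zone, dst_zone, proto = hop[:3]
    for name, zones, service in POLICIES:
        if {src_zone, dst_zone} == zones and service in (None, proto):
            return name
    return "deny"


def trace(src, dst):
    """[(hop, rule)] for a packet from src to dst entering FW_A from the trust zone."""
    return [(hop, matching_rule(hop)) for hop in layers(src, dst)]


if __name__ == "__main__":
    for hop, rule in trace("10.1.1.5", "10.1.2.7"):
        print(f"{hop[0]:>7} -> {hop[1]:<7} {hop[2]:<4} {hop[3]} -> {hop[4]}  {rule}")
```

Two things the trace makes visible that the CLI listing does not: a branch host talking to anything other than 10.1.2.0/24 follows the default route to untrust and is dropped, because the page defines no Trust-Untrust rule; and a flow that reaches Tunnel1 without matching acl 3000 still leaves over GRE, just without the ESP layer, so the ACL, not the tunnel, decides what is encrypted.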

Verification

  1. Run the display ipsec sa command to view information about the IPSec SA. The command output on FW_A is used as an example.
    [FW_A] display ipsec sa
    ipsec sa information:

    ===============================
    Interface: Tunnel1
    ===============================

      -----------------------------
      IPSec policy name: "map1"
      Sequence number  : 1
      Acl group        : 3000
      Acl rule         : 5
      Mode             : ISAKMP
      -----------------------------
        Connection ID     : 278
        Encapsulation mode: Tunnel
        Tunnel local      : 172.16.2.1
        Tunnel remote     : 172.16.2.2
        Flow source       : 10.1.1.0/255.255.255.0 0/0
        Flow destination  : 10.1.2.0/255.255.255.0 0/0

        [Outbound ESP SAs]
          SPI: 3907311427 (0xe8e4d743)
          Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256
          SA remaining key duration (kilobytes/sec): 5242880/2280
          Max sent sequence-number: 10
          UDP encapsulation used for NAT traversal: N
          SA encrypted packets (number/bytes): 9/756

        [Inbound ESP SAs]
          SPI: 3291681250 (0xc43311e2)
          Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256
          SA remaining key duration (kilobytes/sec): 5242880/2280
          Max received sequence-number: 10
          UDP encapsulation used for NAT traversal: N
          SA decrypted packets (number/bytes): 9/756
          Anti-replay : Enable
          Anti-replay window size: 1024

  2. Users in the branch can communicate with users at the headquarters.
  3. You can run the display ip routing-table command to view the routing table.

    The destination address of the route is 10.1.2.0/24, and the outbound interface is Tunnel1.

Configuration Scripts

  • Configuration script on FW_A:

    #
     sysname FW_A
    #
    acl 3000
     rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 10
     authentication-method pre-share
     authentication-algorithm sha2-256
     encryption-algorithm aes-256
     dh group14
    #
    ike peer b
     ike-proposal 10
     remote-address 172.16.2.2
     pre-shared-key %^%#eY>XCM5+)9nKwEIT`J+YA0lL31/MGS=gZBF.""`6%^%#
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     proposal tran1
     ike-peer b
    #
    interface GigabitEthernet0/0/1
     ip address 1.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/2
     ip address 10.1.1.1 255.255.255.0
    #
    interface Tunnel1
     ip address 172.16.2.1 255.255.255.0
     tunnel-protocol gre
     source 1.1.1.1
     destination 5.5.5.5
     gre key cipher %^%#=F~&KLI;T>w'>n:QlQ8BI3>67Ir3I*Onzv'\&ii(%^%#
     keepalive
     ipsec policy map1
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/2
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    firewall zone dmz
     set priority 50
     add interface Tunnel 1
    #
    ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
    ip route-static 10.1.2.0 24 Tunnel1
    #
    security-policy
     rule name policy1
      source-zone trust
      source-zone dmz
      destination-zone trust
      destination-zone dmz
      action permit
     rule name policy2
      source-zone local
      source-zone dmz
      destination-zone dmz
      destination-zone local
      action permit
     rule name policy3
      source-zone local
      source-zone untrust
      destination-zone untrust
      destination-zone local
      service gre
      action permit
    #
    return
  • Configuration script on FW_B:

    #
     sysname FW_B
    #
    acl 3000
     rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 10
     authentication-method pre-share
     authentication-algorithm sha2-256
     encryption-algorithm aes-256
     dh group14
    #
    ike peer a
     ike-proposal 10
     remote-address 172.16.2.1
     pre-shared-key %^%#eY>XCM5+)9nKwEIT`J+YA0lL31/MGS=gZBF.""`6%^%#
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     proposal tran1
     ike-peer a
    #
    interface GigabitEthernet0/0/1
     ip address 5.5.5.5 255.255.255.0
    #
    interface GigabitEthernet0/0/2
     ip address 10.1.2.1 255.255.255.0
    #
    interface Tunnel1
     ip address 172.16.2.2 255.255.255.0
     tunnel-protocol gre
     source 5.5.5.5
     destination 1.1.1.1
     gre key cipher %^%#=F~&KLI;T>w'>n:QlQ8BI3>67Ir3I*Onzv'\&ii(%^%#
     keepalive
     ipsec policy map1
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/2
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    firewall zone dmz
     set priority 50
     add interface Tunnel 1
    #
    ip route-static 0.0.0.0 0.0.0.0 5.5.5.1
    ip route-static 10.1.1.0 24 Tunnel1
    #
    security-policy
     rule name policy1
      source-zone trust
      source-zone dmz
      destination-zone trust
      destination-zone dmz
      action permit
     rule name policy2
      source-zone local
      source-zone dmz
      destination-zone dmz
      destination-zone local
      action permit
     rule name policy3
      source-zone local
      source-zone untrust
      destination-zone untrust
      destination-zone local
      service gre
      action permit
    #
    return
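Most failures of a configuration like this are not on one firewall but between the two: a GRE destination that is not the peer's source, an IKE remote-address that is not the peer's Tunnel1 address, an ACL that is not the mirror image of the other side's, or a policy that names an IKE peer which does not exist. The script below is an added example, not part of the Huawei page or its scripts: it parses trimmed excerpts of the two configuration scripts above (cipher lines omitted) with a minimal section parser for the `#`-separated VRP format and reports every value that fails to mirror the other side.

```python
"""Peer-consistency check for an IPSec over GRE firewall pair.

Added example, not from the Huawei page: parses trimmed excerpts of the FW_A
and FW_B configuration scripts and verifies that every value which must mirror
the other side actually does. The parser understands only the '#'-separated
section layout of the scripts above.
"""
import re

# Trimmed excerpts of the page's scripts (cipher lines omitted).
FW_A = """\
acl 3000
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike peer b
 ike-proposal 10
 remote-address 172.16.2.2
#
ipsec policy map1 10 isakmp
 security acl 3000
 proposal tran1
 ike-peer b
#
interface Tunnel1
 ip address 172.16.2.1 255.255.255.0
 tunnel-protocol gre
 source 1.1.1.1
 destination 5.5.5.5
 ipsec policy map1
"""

FW_B = """\
acl 3000
 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike peer a
 ike-proposal 10
 remote-address 172.16.2.1
#
ipsec policy map1 10 isakmp
 security acl 3000
 proposal tran1
 ike-peer a
#
interface Tunnel1
 ip address 172.16.2.2 255.255.255.0
 tunnel-protocol gre
 source 5.5.5.5
 destination 1.1.1.1
 ipsec policy map1
"""


def parse_sections(script):
    """Split a VRP script on '#' separator lines into {header: [child lines]}."""
    sections = {}
    for block in re.split(r"^#\s*$", script, flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:
            sections[lines[0]] = lines[1:]
    return sections


def child(sections, header, key):
    """Value of the first child line under `header` that starts with `key`, or None."""
    for line in sections.get(header, []):
        if line.startswith(key + " "):
            return line[len(key) + 1:]
    return None


def check_pair(a_script, b_script):
    """Return mismatch messages for the two sides; an empty list means they mirror."""
    sides = {"FW_A": parse_sections(a_script), "FW_B": parse_sections(b_script)}
    problems = []
    flow = re.compile(r"source (\S+ \S+) destination (\S+ \S+)")
    for name, local in sides.items():
        remote = sides["FW_B" if name == "FW_A" else "FW_A"]
        tun = "interface Tunnel1"
        # GRE outer addresses must cross: my destination is the peer's source.
        if child(local, tun, "destination") != child(remote, tun, "source"):
            problems.append(f"{name}: GRE destination is not the peer's tunnel source")
        # The IPSec policy must name an IKE peer that exists ...
        policy = next(h for h in local if h.startswith("ipsec policy"))
        peer_hdr = f"ike peer {child(local, policy, 'ike-peer')}"
        if peer_hdr not in local:
            problems.append(f"{name}: {policy} references undefined '{peer_hdr}'")
        # ... whose remote-address is the peer's Tunnel1 address (IKE runs inside GRE here).
        elif child(local, peer_hdr, "remote-address") != child(remote, tun, "ip address").split()[0]:
            problems.append(f"{name}: IKE remote-address is not the peer's Tunnel1 address")
        # The protected flow must be the mirror image of the peer's ACL rule.
        mine = flow.search(child(local, "acl 3000", "rule"))
        theirs = flow.search(child(remote, "acl 3000", "rule"))
        if mine.group(1) != theirs.group(2) or mine.group(2) != theirs.group(1):
            problems.append(f"{name}: ACL 3000 flow is not the mirror of the peer's")
        if child(local, tun, "ipsec policy") is None:
            problems.append(f"{name}: no IPSec policy applied to Tunnel1")
    return problems


if __name__ == "__main__":
    for msg in check_pair(FW_A, FW_B) or ["OK: FW_A and FW_B mirror each other"]:
        print(msg)
```

Running the check before the change window, on the exported scripts rather than on the live devices, turns a stuck IKE negotiation into a one-line diagnosis; a policy that points at a peer name which was never defined, or a remote-address copied from the wrong side, is flagged before either firewall sees the configuration.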
Copyright © Huawei Technologies Co., Ltd.