
CLI: Example for Configuring a Static Route-based GRE Tunnel

This section provides an example for configuring a GRE tunnel to which two devices direct traffic based on static routes.

Networking Requirements

As shown in Figure 1, FW_A and FW_B are connected over the Internet and have reachable public routes to each other. Networks 1 and 2 are private IP networks. A GRE tunnel is required between the FWs to interconnect the two private IP networks.

Figure 1 Network diagram of configuring a static route-based GRE tunnel

Data Planning

  • FW_A

    Interface configuration
      Interface: GigabitEthernet 0/0/1
      IP address: 1.1.1.1/24
      Security zone: Untrust

      Interface: GigabitEthernet 0/0/2
      IP address: 10.1.1.1/24
      Security zone: Trust

    GRE configuration
      Interface name: Tunnel
      IP address: 172.16.2.1/24
      Source address: 1.1.1.1/24
      Destination address: 5.5.5.5/24
      GRE key: 123456

  • FW_B

    Interface configuration
      Interface: GigabitEthernet 0/0/1
      IP address: 5.5.5.5/24
      Security zone: Untrust

      Interface: GigabitEthernet 0/0/2
      IP address: 10.1.2.1/24
      Security zone: Trust

    GRE configuration
      Interface name: Tunnel
      IP address: 172.16.2.2/24
      Source address: 5.5.5.5/24
      Destination address: 1.1.1.1/24
      GRE key: 123456

Configuration Roadmap

  1. Create a tunnel interface on FW_A and FW_B respectively.

    Set encapsulation parameters on the tunnel interface, such as the source and destination IP addresses of the tunnel.

  2. On FW_A and FW_B, configure a static route and specify the local tunnel interface as the outbound interface of the route.

    The route steers traffic destined for the remote private network into the GRE tunnel.

  3. Configure security policies to allow GRE tunnel setup and traffic forwarding.

Procedure

  1. Configure FW_A.

    1. Set interface IP addresses and assign the interfaces to security zones.
      <sysname> system-view
      [sysname] sysname FW_A
      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW_A-GigabitEthernet0/0/1] quit
      [FW_A] interface GigabitEthernet 0/0/2
      [FW_A-GigabitEthernet0/0/2] ip address 10.1.1.1 24
      [FW_A-GigabitEthernet0/0/2] quit
      [FW_A] interface Tunnel 1
      [FW_A-Tunnel1] ip address 172.16.2.1 24
      [FW_A-Tunnel1] quit
      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_A-zone-untrust] quit
      [FW_A] firewall zone trust
      [FW_A-zone-trust] add interface GigabitEthernet 0/0/2
      [FW_A-zone-trust] quit
      [FW_A] firewall zone dmz
      [FW_A-zone-dmz] add interface tunnel 1
      [FW_A-zone-dmz] quit
    2. Configure a static route that steers traffic destined for network 2 into the GRE tunnel.
      [FW_A] ip route-static 10.1.2.0 24 Tunnel1
    3. Configure encapsulation parameters for the tunnel interface.
      [FW_A] interface Tunnel 1
      [FW_A-Tunnel1] tunnel-protocol gre
      [FW_A-Tunnel1] source 1.1.1.1
      [FW_A-Tunnel1] destination 5.5.5.5
      [FW_A-Tunnel1] gre key cipher 123456
      [FW_A-Tunnel1] quit
    4. Configure interzone security policies.

      Configure a Trust-DMZ interzone security policy to permit unencapsulated packets.

      [FW_A] security-policy
      [FW_A-policy-security] rule name policy1
      [FW_A-policy-security-rule-policy1] source-zone trust dmz
      [FW_A-policy-security-rule-policy1] destination-zone dmz trust
      [FW_A-policy-security-rule-policy1] action permit
      [FW_A-policy-security-rule-policy1] quit

      Configure a Local-Untrust interzone security policy to permit GRE packets.

      [FW_A-policy-security] rule name policy2
      [FW_A-policy-security-rule-policy2] source-zone local untrust
      [FW_A-policy-security-rule-policy2] destination-zone untrust local
      [FW_A-policy-security-rule-policy2] service gre
      [FW_A-policy-security-rule-policy2] action permit
      [FW_A-policy-security-rule-policy2] quit

  2. Configure FW_B.

    1. Set interface IP addresses and assign the interfaces to security zones.
      <sysname> system-view
      [sysname] sysname FW_B
      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet0/0/1] ip address 5.5.5.5 24
      [FW_B-GigabitEthernet0/0/1] quit
      [FW_B] interface GigabitEthernet 0/0/2
      [FW_B-GigabitEthernet0/0/2] ip address 10.1.2.1 24
      [FW_B-GigabitEthernet0/0/2] quit
      [FW_B] interface Tunnel 1
      [FW_B-Tunnel1] ip address 172.16.2.2 24
      [FW_B-Tunnel1] quit
      [FW_B] firewall zone untrust
      [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_B-zone-untrust] quit
      [FW_B] firewall zone trust
      [FW_B-zone-trust] add interface GigabitEthernet 0/0/2
      [FW_B-zone-trust] quit
      [FW_B] firewall zone dmz
      [FW_B-zone-dmz] add interface tunnel 1
      [FW_B-zone-dmz] quit
    2. Configure a static route that steers traffic destined for network 1 into the GRE tunnel.
      [FW_B] ip route-static 10.1.1.0 24 Tunnel1
    3. Configure encapsulation parameters for the tunnel interface.
      [FW_B] interface Tunnel 1
      [FW_B-Tunnel1] tunnel-protocol gre
      [FW_B-Tunnel1] source 5.5.5.5
      [FW_B-Tunnel1] destination 1.1.1.1
      [FW_B-Tunnel1] gre key cipher 123456
      [FW_B-Tunnel1] quit
    4. Configure interzone security policies.

      Configure a Trust-DMZ interzone security policy to permit unencapsulated packets.

      [FW_B] security-policy
      [FW_B-policy-security] rule name policy1
      [FW_B-policy-security-rule-policy1] source-zone trust dmz
      [FW_B-policy-security-rule-policy1] destination-zone dmz trust
      [FW_B-policy-security-rule-policy1] action permit
      [FW_B-policy-security-rule-policy1] quit

      Configure a Local-Untrust interzone security policy to permit GRE packets.

      [FW_B-policy-security] rule name policy2
      [FW_B-policy-security-rule-policy2] source-zone local untrust
      [FW_B-policy-security-rule-policy2] destination-zone untrust local
      [FW_B-policy-security-rule-policy2] service gre
      [FW_B-policy-security-rule-policy2] action permit
      [FW_B-policy-security-rule-policy2] quit
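The following Python is an added example, not Huawei code or part of this page; it models what the procedure above configures on the wire. The static route on FW_A decides which packets enter Tunnel1, the tunnel interface wraps them in a GRE header that carries the configured key (RFC 2890) inside an outer IPv4 header with protocol 47, and FW_B only accepts packets whose outer addresses and GRE key match its own tunnel definition. The addresses and the key 123456 come from the data plan; the default route on FW_A, the inner packet contents and the function names are assumptions.

```python
import ipaddress
import struct

IPPROTO_GRE = 47          # outer IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE Protocol Type for an IPv4 payload
GRE_FLAG_CSUM = 0x8000    # C bit: Checksum Present
GRE_FLAG_KEY = 0x2000     # K bit: Key Present (RFC 2890)
GRE_FLAG_SEQ = 0x1000     # S bit: Sequence Number Present

# Tunnel definitions mirroring "interface Tunnel 1" on each firewall (values from the page).
FW_A_TUNNEL = {"source": "1.1.1.1", "destination": "5.5.5.5", "key": 123456}
FW_B_TUNNEL = {"source": "5.5.5.5", "destination": "1.1.1.1", "key": 123456}

# FW_A's static routing table: "ip route-static 10.1.2.0 24 Tunnel1".
# The default route is an assumption; the page shows none.
FW_A_ROUTES = {
    ipaddress.ip_network("10.1.2.0/24"): "Tunnel1",
    ipaddress.ip_network("0.0.0.0/0"): "GigabitEthernet0/0/1",
}


def lookup_route(dst, routes=FW_A_ROUTES):
    """Longest-prefix match; returns the outbound interface name or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def _checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def ipv4_checksum_ok(packet):
    """True when the header checksum of an options-free IPv4 packet verifies."""
    return _checksum(packet[:20]) == 0


def gre_encapsulate(inner, tunnel):
    """Sending side: prepend a GRE header (K bit + key) and an outer IPv4 header, protocol 47."""
    gre = struct.pack("!HHI", GRE_FLAG_KEY, ETHERTYPE_IPV4, tunnel["key"])
    payload = gre + inner
    return ipv4_header(tunnel["source"], tunnel["destination"], IPPROTO_GRE, len(payload)) + payload


def gre_decapsulate(packet, tunnel):
    """Receiving side: accept GRE only from the configured peer and only with the configured key.
    Returns the inner packet, or None when any check fails (the packet is dropped)."""
    if len(packet) < 24:
        return None
    ihl = (packet[0] & 0x0F) * 4
    outer_src = str(ipaddress.ip_address(packet[12:16]))
    outer_dst = str(ipaddress.ip_address(packet[16:20]))
    if packet[9] != IPPROTO_GRE or outer_src != tunnel["destination"] or outer_dst != tunnel["source"]:
        return None
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    offset = ihl + 4
    if flags & GRE_FLAG_CSUM:
        offset += 4                      # skip Checksum + Reserved1
    if not flags & GRE_FLAG_KEY:
        return None                      # a key is configured locally but absent on the wire
    key = struct.unpack("!I", packet[offset:offset + 4])[0]
    offset += 4
    if flags & GRE_FLAG_SEQ:
        offset += 4
    if key != tunnel["key"] or ptype != ETHERTYPE_IPV4:
        return None
    return packet[offset:]


def build_inner(src, dst, payload):
    """Constructed inner IPv4 packet (protocol 1 = ICMP; the payload is not parsed here)."""
    return ipv4_header(src, dst, 1, len(payload)) + payload


def forward_from_fw_a(inner):
    """Route lookup, then encapsulation, as FW_A does for a packet arriving from network 1."""
    dst = str(ipaddress.ip_address(inner[16:20]))
    if lookup_route(dst) == "Tunnel1":
        return gre_encapsulate(inner, FW_A_TUNNEL)
    return inner                         # plain forwarding, not tunnelled


if __name__ == "__main__":
    pkt = build_inner("10.1.1.10", "10.1.2.10", b"constructed ICMP payload")
    wire = forward_from_fw_a(pkt)
    print("outer protocol:", wire[9], "GRE key:", int.from_bytes(wire[24:28], "big"))
    print("FW_B accepts:", gre_decapsulate(wire, FW_B_TUNNEL) == pkt)
    print("FW_B accepts with wrong key:", gre_decapsulate(wire, dict(FW_B_TUNNEL, key=1)) is not None)
```

Two points the model makes visible. First, the outer packet (1.1.1.1 to 5.5.5.5, protocol 47) is what the Local-Untrust policy with `service gre` must permit, while the inner packet (10.1.1.0/24 to 10.1.2.0/24) is what the Trust-DMZ policy evaluates after decapsulation; if either rule is missing, the corresponding stage drops the traffic. Second, the GRE key is a 32-bit identifier carried in cleartext on the wire: it lets the peer discard packets that do not belong to this tunnel, but GRE itself provides no confidentiality or integrity protection for the private traffic. The `cipher` keyword only protects the key in the saved configuration, which is why the scripts at the end of this page show it as an encrypted string.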

Verification

  1. PCs on networks 1 and 2 can ping each other.
  2. Run the display ip routing-table command on FW_A to view the routing table.

    The routing table displays a route whose destination address is 10.1.2.0/24 and outbound interface is tunnel 1.

Configuration Scripts

  • Configuration script on FW_A

    #
     sysname FW_A
    #
    interface GigabitEthernet0/0/1
     ip address 1.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/2
     ip address 10.1.1.1 255.255.255.0
    #
    interface Tunnel1
     ip address 172.16.2.1 255.255.255.0
     tunnel-protocol gre
     source 1.1.1.1
     destination 5.5.5.5
     gre key cipher %^%#=F~&KLI;w'>n:QlQ8BI3>67Ir3I*Onzv'\&ii(%^%#
    #
    ip route-static 10.1.2.0 255.255.255.0 Tunnel1
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/2
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    firewall zone dmz
     set priority 50
     add interface Tunnel 1
    #
    security-policy
     rule name policy1
      source-zone trust
      source-zone dmz
      destination-zone trust
      destination-zone dmz
      action permit
     rule name policy2
      source-zone local
      source-zone untrust
      destination-zone local
      destination-zone untrust
      service gre
      action permit
    #
    return
  • Configuration script on FW_B

    #
     sysname FW_B
    #
    interface GigabitEthernet0/0/1
     ip address 5.5.5.5 255.255.255.0
    #
    interface GigabitEthernet0/0/2
     ip address 10.1.2.1 255.255.255.0
    #
    interface Tunnel1
     ip address 172.16.2.2 255.255.255.0
     tunnel-protocol gre
     source 5.5.5.5
     destination 1.1.1.1
     gre key cipher %^%#=F~&KLI;w'>n:QlQ8BI3>67Ir3I*Onzv'\&ii(%^%#
    #
    ip route-static 10.1.1.0 255.255.255.0 Tunnel1
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/2
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    firewall zone dmz
     set priority 50
     add interface Tunnel 1
    #
    security-policy
     rule name policy1
      source-zone trust
      source-zone dmz
      destination-zone trust
      destination-zone dmz
      action permit
     rule name policy2
      source-zone local
      source-zone untrust
      destination-zone local
      destination-zone untrust
      service gre
      action permit
    #
    return
Copyright © Huawei Technologies Co., Ltd.