
CLI: Example for Configuring an OSPF-based GRE Tunnel

This section provides an example for configuring a GRE tunnel so that two private IP networks, each connected to a firewall, can exchange OSPF routing information over the Internet.

Networking Requirements

As shown in Figure 1, FW_A and FW_B are connected over the Internet and have reachable public routes to each other. Network 1 and network 2 are private IP networks that run OSPF. A GRE tunnel needs to be established between the two FWs so that the private networks behind them can exchange OSPF routing information over the Internet.

Figure 1 Network diagram of configuring an OSPF-based GRE tunnel

Configuration Roadmap

  1. Create a tunnel interface on FW_A and FW_B respectively.

    Set encapsulation parameters on the tunnel interface, such as the source and destination IP addresses of the tunnel.

  2. Configure OSPF.

    Enable an OSPF process and specify the OSPF-capable interfaces. In this example, network segment 10.1.1.0/24 of network 1 and network segment 172.16.2.0/24, where the tunnel interface resides, are advertised to network 2 through the GRE tunnel, and network 2 advertises 10.1.2.0/24 back the same way. The two tunnel interfaces form an OSPF adjacency over the GRE tunnel.

  3. Configure security policies to allow GRE tunnel setup and traffic forwarding.

Procedure

  1. Configure FW_A.

    1. Set interface IP addresses and assign the interfaces to security zones.
      <sysname> system-view
      [sysname] sysname FW_A
      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW_A-GigabitEthernet0/0/1] quit
      [FW_A] interface GigabitEthernet 0/0/2
      [FW_A-GigabitEthernet0/0/2] ip address 10.1.1.1 24
      [FW_A-GigabitEthernet0/0/2] quit
      [FW_A] interface Tunnel 1
      [FW_A-Tunnel1] ip address 172.16.2.1 24
      [FW_A-Tunnel1] quit
      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_A-zone-untrust] quit
      [FW_A] firewall zone trust
      [FW_A-zone-trust] add interface GigabitEthernet 0/0/2
      [FW_A-zone-trust] quit
      [FW_A] firewall zone dmz
      [FW_A-zone-dmz] add interface tunnel 1
      [FW_A-zone-dmz] quit
    2. Configure OSPF.

      Advertise network segment 10.1.1.0/24 of network 1 and network segment 172.16.2.0/24 where the tunnel interface resides through OSPF.

      [FW_A] ospf 1
      [FW_A-ospf-1] area 0
      [FW_A-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
      [FW_A-ospf-1-area-0.0.0.0] network 172.16.2.0 0.0.0.255
      [FW_A-ospf-1-area-0.0.0.0] quit
      [FW_A-ospf-1] quit
    3. Configure encapsulation parameters for the tunnel interface.

      The GRE key must be identical on both ends: the receiving end drops a keyed GRE packet whose Key field does not match. The cipher keyword only stores the key encrypted in the configuration file. On the wire the key is carried in cleartext in the GRE header, and GRE itself provides neither encryption nor authentication, so the OSPF updates exchanged through this tunnel can be read by anyone on the Internet path, and the key does not prove who sent a packet. Where that matters, protect the tunnel with IPsec and enable OSPF authentication.

      [FW_A] interface Tunnel 1
      [FW_A-Tunnel1] tunnel-protocol gre
      [FW_A-Tunnel1] source 1.1.1.1
      [FW_A-Tunnel1] destination 5.5.5.5
      [FW_A-Tunnel1] gre key cipher 123456
      [FW_A-Tunnel1] keepalive
      [FW_A-Tunnel1] quit
    4. Configure interzone security policies.

      Configure a Trust-DMZ interzone security policy to permit unencapsulated packets. The tunnel interface resides in the DMZ zone, so this rule is what lets traffic between network 1 and the tunnel pass. As written, policy1 permits all services in both directions; narrow it to the required services in production.

      [FW_A] security-policy
      [FW_A-policy-security] rule name policy1
      [FW_A-policy-security-rule-policy1] source-zone trust dmz
      [FW_A-policy-security-rule-policy1] destination-zone dmz trust
      [FW_A-policy-security-rule-policy1] action permit
      [FW_A-policy-security-rule-policy1] quit

      Configure a Local-Untrust interzone security policy to permit GRE packets.

      [FW_A-policy-security] rule name policy2
      [FW_A-policy-security-rule-policy2] source-zone local untrust
      [FW_A-policy-security-rule-policy2] destination-zone untrust local
      [FW_A-policy-security-rule-policy2] service gre
      [FW_A-policy-security-rule-policy2] action permit
      [FW_A-policy-security-rule-policy2] quit

  2. Configure FW_B.

    1. Set interface IP addresses and assign the interfaces to security zones.
      <sysname> system-view
      [sysname] sysname FW_B
      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet0/0/1] ip address 5.5.5.5 24
      [FW_B-GigabitEthernet0/0/1] quit
      [FW_B] interface GigabitEthernet 0/0/2
      [FW_B-GigabitEthernet0/0/2] ip address 10.1.2.1 24
      [FW_B-GigabitEthernet0/0/2] quit
      [FW_B] interface Tunnel 1
      [FW_B-Tunnel1] ip address 172.16.2.2 24
      [FW_B-Tunnel1] quit
      [FW_B] firewall zone untrust
      [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_B-zone-untrust] quit
      [FW_B] firewall zone trust
      [FW_B-zone-trust] add interface GigabitEthernet 0/0/2
      [FW_B-zone-trust] quit
      [FW_B] firewall zone dmz
      [FW_B-zone-dmz] add interface tunnel 1
      [FW_B-zone-dmz] quit
    2. Configure OSPF.

      Advertise network segment 10.1.2.0/24 of network 2 and network segment 172.16.2.0/24 where the tunnel interface resides through OSPF.

      [FW_B] ospf 1
      [FW_B-ospf-1] area 0
      [FW_B-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
      [FW_B-ospf-1-area-0.0.0.0] network 172.16.2.0 0.0.0.255
      [FW_B-ospf-1-area-0.0.0.0] quit
      [FW_B-ospf-1] quit
    3. Configure encapsulation parameters for the tunnel interface.
      [FW_B] interface Tunnel 1
      [FW_B-Tunnel1] tunnel-protocol gre
      [FW_B-Tunnel1] source 5.5.5.5
      [FW_B-Tunnel1] destination 1.1.1.1
      [FW_B-Tunnel1] gre key cipher 123456
      [FW_B-Tunnel1] keepalive
      [FW_B-Tunnel1] quit
    4. Configure interzone security policies.

      Configure a Trust-DMZ interzone security policy to permit unencapsulated packets.

      [FW_B] security-policy
      [FW_B-policy-security] rule name policy1
      [FW_B-policy-security-rule-policy1] source-zone trust dmz
      [FW_B-policy-security-rule-policy1] destination-zone dmz trust
      [FW_B-policy-security-rule-policy1] action permit
      [FW_B-policy-security-rule-policy1] quit

      Configure a Local-Untrust interzone security policy to permit GRE packets.

      [FW_B-policy-security] rule name policy2
      [FW_B-policy-security-rule-policy2] source-zone local untrust
      [FW_B-policy-security-rule-policy2] destination-zone untrust local
      [FW_B-policy-security-rule-policy2] service gre
      [FW_B-policy-security-rule-policy2] action permit
      [FW_B-policy-security-rule-policy2] quit
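The following Python script is an added example, not part of the original page or of any Huawei product code. It builds the packet that FW_A's Tunnel1 emits when it sends an OSPF Hello through the GRE tunnel configured above (outer 1.1.1.1 to 5.5.5.5, IP protocol 47, GRE key 123456, inner 172.16.2.1 to 224.0.0.5, IP protocol 89), then parses it back the way a passive observer on the Internet path would. It shows concretely which field `service gre` in policy2 matches, that the GRE key is readable on the wire, and that the receiver's key check accepts any packet carrying the observed key. Assumptions: IP checksums are left at zero, the OSPF Hello fields are illustrative, and the function names are mine.

```python
import socket
import struct

GRE_PROTO = 47           # IP protocol number matched by "service gre" in policy2
OSPF_PROTO = 89          # protocol of the packets carried inside the tunnel
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header. The checksum is left at zero (assumption: a real
    stack fills it in); the fields the tunnel logic depends on are correct."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def ospf_hello(router_id, area="0.0.0.0", mask="255.255.255.0"):
    """Minimal OSPFv2 Hello (type 1) with null authentication (AuType 0),
    which is what the example's OSPF configuration sends: no OSPF authentication."""
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton(mask), 10, 0x02, 1, 40,
                       socket.inet_aton("0.0.0.0"), socket.inet_aton("0.0.0.0"))
    header = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body),
                         socket.inet_aton(router_id), socket.inet_aton(area),
                         0, 0, b"\x00" * 8)
    return header + body


def gre_encapsulate(inner, key=None):
    """GRE header (RFC 2784) with the optional Key field (RFC 2890).
    Only the K flag is used; checksum and sequence number are omitted."""
    flags = GRE_FLAG_K if key is not None else 0
    header = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        header += struct.pack("!I", key)   # 32-bit key, sent in cleartext
    return header + inner


def gre_decapsulate(data):
    """Parse a GRE header and return (key, protocol type, payload)."""
    flags, proto = struct.unpack("!HH", data[:4])
    offset, key = 4, None
    if flags & GRE_FLAG_C:                 # Checksum + Reserved1
        offset += 4
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_S:                 # Sequence Number
        offset += 4
    return key, proto, data[offset:]


def build_tunnel_packet(key=123456, outer_src="1.1.1.1", outer_dst="5.5.5.5",
                        tunnel_ip="172.16.2.1"):
    """What FW_A puts on its Untrust interface when Tunnel1 sends an OSPF
    Hello to the AllSPFRouters group (224.0.0.5) through the GRE tunnel."""
    hello = ospf_hello(tunnel_ip)
    inner = ipv4_header(tunnel_ip, "224.0.0.5", OSPF_PROTO, len(hello)) + hello
    gre = gre_encapsulate(inner, key)
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre)) + gre


def observe(packet):
    """Everything a passive observer on the Internet path can read."""
    key, proto, inner = gre_decapsulate(packet[20:])
    return {
        "outer_proto": packet[9],
        "outer_src": socket.inet_ntoa(packet[12:16]),
        "outer_dst": socket.inet_ntoa(packet[16:20]),
        "gre_key": key,
        "gre_proto": proto,
        "inner_proto": inner[9],
        "inner_src": socket.inet_ntoa(inner[12:16]),
        "inner_dst": socket.inet_ntoa(inner[16:20]),
        "ospf_type": inner[21],            # 1 = Hello
    }


def receiver_accepts(packet, local_key, peer="1.1.1.1"):
    """FW_B's check before decapsulating: outer source equals the configured
    tunnel destination, protocol is GRE, and the key matches. Nothing here
    proves who sent the packet; the key is an identifier, not a credential."""
    src, proto = socket.inet_ntoa(packet[12:16]), packet[9]
    key, _, _ = gre_decapsulate(packet[20:])
    return src == peer and proto == GRE_PROTO and key == local_key


if __name__ == "__main__":
    pkt = build_tunnel_packet()
    for field, value in observe(pkt).items():
        print(f"{field:12} {value}")
```

Run stand-alone, the script prints the outer and inner addresses, the protocol numbers and the key 123456 exactly as an observer between the two FWs would see them. Feeding `observe(pkt)["gre_key"]` back into `build_tunnel_packet` with a spoofed outer source produces a packet that `receiver_accepts` passes, which is why this example should be read as tunnel identification, not tunnel protection.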

Verification

  1. PCs on networks 1 and 2 can ping each other.
  2. Run the display ip routing-table command on FW_A to view the routing table.

    The routing table displays a route whose destination address is 10.1.2.0/24 and whose outbound interface is Tunnel1, learned through OSPF from FW_B.

Configuration Scripts

  • Configuration script on FW_A

    #
     sysname FW_A
    #
    interface GigabitEthernet0/0/1
     ip address 1.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/2
     ip address 10.1.1.1 255.255.255.0
    #
    interface Tunnel1
     ip address 172.16.2.1 255.255.255.0
     tunnel-protocol gre
     source 1.1.1.1
     destination 5.5.5.5
     gre key cipher %^%#=F~&KLI;T>w'>n:QlQ8BI3>67Ir3I*Onzv'\&ii(%^%#
     keepalive
    #
    ospf 1
     area 0.0.0.0
      network 10.1.1.0 0.0.0.255  
      network 172.16.2.0 0.0.0.255
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/2
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    firewall zone dmz
     set priority 50
     add interface Tunnel1
    #
    security-policy
     rule name policy1
      source-zone trust
      source-zone dmz
      destination-zone trust
      destination-zone dmz
      action permit
     rule name policy2
      source-zone local
      source-zone untrust
      destination-zone local
      destination-zone untrust
      service gre
      action permit
    #
    return
  • Configuration script on FW_B

    #
     sysname FW_B
    #
    interface GigabitEthernet0/0/1
     ip address 5.5.5.5 255.255.255.0
    #
    interface GigabitEthernet0/0/2
     ip address 10.1.2.1 255.255.255.0
    #
    interface Tunnel1
     ip address 172.16.2.2 255.255.255.0
     tunnel-protocol gre
     source 5.5.5.5
     destination 1.1.1.1
     gre key cipher %^%#=F~&KLI;T>w'>n:QlQ8BI3>67Ir3I*Onzv'\&ii(%^%#
     keepalive
    #
    ospf 1
     area 0.0.0.0
      network 10.1.2.0 0.0.0.255  
      network 172.16.2.0 0.0.0.255
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/2
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    firewall zone dmz
     set priority 50
     add interface Tunnel1
    #
    security-policy
     rule name policy1
      source-zone trust
      source-zone dmz
      destination-zone trust
      destination-zone dmz
      action permit
     rule name policy2
      source-zone local
      source-zone untrust
      destination-zone local
      destination-zone untrust
      service gre
      action permit
    #
    return
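The following Python script is an added example, not part of the original page or of any Huawei tooling. It parses scripts in the form shown above and cross-checks the two ends of the tunnel for the conditions this example depends on: mirrored source and destination addresses, identical GRE keys, tunnel interface addresses in one subnet, an OSPF network statement covering the tunnel interface on each FW, and a permit rule for GRE between the local and untrust zones. The embedded scripts are a constructed template reproducing the relevant stanzas of FW_A and FW_B, with the key in the plaintext form typed in the procedure (a saved script shows it as ciphertext, as above); the parser handles only those stanzas, and the function names are mine.

```python
import ipaddress
import re

# Constructed input: the tunnel, OSPF and GRE-policy stanzas of this page's two
# scripts, with the key as typed in the procedure rather than as ciphertext.
TEMPLATE = """\
#
interface Tunnel1
 ip address {tun_ip} 255.255.255.0
 tunnel-protocol gre
 source {src}
 destination {dst}
 gre key cipher {key}
 keepalive
#
ospf 1
 area 0.0.0.0
  network {lan} 0.0.0.255
  network 172.16.2.0 0.0.0.255
#
security-policy
 rule name policy2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service gre
  action permit
#
"""
FW_A_SCRIPT = TEMPLATE.format(tun_ip="172.16.2.1", src="1.1.1.1", dst="5.5.5.5",
                              key="123456", lan="10.1.1.0")
FW_B_SCRIPT = TEMPLATE.format(tun_ip="172.16.2.2", src="5.5.5.5", dst="1.1.1.1",
                              key="123456", lan="10.1.2.0")


def stanzas(script):
    """Split a VRP-style script on lines holding only '#'; each stanza is its
    non-blank lines with indentation stripped."""
    return [[l.strip() for l in block.splitlines() if l.strip()]
            for block in re.split(r"(?m)^#[ \t]*$", script) if block.strip()]


def permits_gre(rule):
    """A permit rule from local to untrust whose service is GRE or unrestricted."""
    return (rule["action"] == "permit" and "local" in rule["source-zone"]
            and "untrust" in rule["destination-zone"]
            and (not rule["service"] or "gre" in rule["service"]))


def parse(script):
    """Pull out tunnel parameters, OSPF network statements and whether any
    security-policy rule permits GRE between the local and untrust zones."""
    cfg = {"tunnels": {}, "ospf_networks": [], "gre_policy": False}
    for head, *body in stanzas(script):
        words, lines = head.split(), [l.split() for l in body]
        if words[0] == "interface" and words[1].startswith("Tunnel"):
            tun = {}
            for p in lines:
                if p[:2] == ["ip", "address"]:
                    tun["ip"], tun["mask"] = p[2], p[3]
                elif p[0] in ("source", "destination"):
                    tun[p[0]] = p[1]
                elif p[:3] == ["gre", "key", "cipher"]:
                    tun["key"] = p[3]
            cfg["tunnels"][words[1]] = tun
        elif words[0] == "ospf":
            cfg["ospf_networks"] += [(p[1], p[2]) for p in lines if p[0] == "network"]
        elif words[0] == "security-policy":
            rule = None
            for p in lines + [["rule", "name", "END"]]:  # sentinel flushes the last rule
                if p[:2] == ["rule", "name"]:
                    cfg["gre_policy"] |= bool(rule and permits_gre(rule))
                    rule = {"source-zone": set(), "destination-zone": set(),
                            "service": set(), "action": None}
                elif rule and p[0] == "action":
                    rule["action"] = p[1]
                elif rule and p[0] in rule:
                    rule[p[0]].add(p[1])
    return cfg


def ospf_covers(networks, ip):
    """True if a 'network <address> <wildcard>' statement matches the address."""
    addr = int(ipaddress.IPv4Address(ip))
    for net, wild in networks:
        mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
        if addr & mask == int(ipaddress.IPv4Address(net)) & mask:
            return True
    return False


def check_pair(cfg_a, cfg_b, names=("FW_A", "FW_B"), ifname="Tunnel1"):
    """Cross-check both ends of one GRE tunnel; returns a list of findings."""
    ta, tb = cfg_a["tunnels"].get(ifname, {}), cfg_b["tunnels"].get(ifname, {})
    found = []
    if (ta.get("source"), ta.get("destination")) != (tb.get("destination"), tb.get("source")):
        found.append("tunnel source/destination are not mirrored")
    if ta.get("key") != tb.get("key"):
        found.append("GRE keys differ: keyed packets are dropped at the receiver")
    nets = {ipaddress.IPv4Interface(f"{t['ip']}/{t['mask']}").network
            for t in (ta, tb) if "ip" in t}
    if len(nets) != 1:
        found.append("tunnel interface addresses are not in one subnet")
    for name, cfg, t in zip(names, (cfg_a, cfg_b), (ta, tb)):
        if not ospf_covers(cfg["ospf_networks"], t.get("ip", "0.0.0.0")):
            found.append(f"{name}: OSPF is not enabled on {ifname}")
        if not cfg["gre_policy"]:
            found.append(f"{name}: no permit rule for GRE between local and untrust")
    return found


if __name__ == "__main__":
    print(check_pair(parse(FW_A_SCRIPT), parse(FW_B_SCRIPT)) or "tunnel configuration consistent")
```

For the two scripts on this page the check returns no findings. Changing the key on one side, or pointing FW_B's second network statement at a different subnet, reproduces the two most common reasons the Verification step fails: the tunnel comes up but the adjacency never forms, or keyed packets are silently dropped.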
Copyright © Huawei Technologies Co., Ltd.