
CLI Example: Configuring DSVPN Protected by IPSec

Networking Requirements

A large-scale enterprise has a central office (Hub) and multiple branches located in different areas (this example shows only two Spokes, Spoke1 and Spoke2). The networks of the central office and branches change frequently. The Spokes use dynamic addresses to connect to the public network, and Open Shortest Path First (OSPF) is used on the enterprise network.

The enterprise wants to establish a VPN between the Spokes and to encrypt the data transmitted between the Hub and Spokes, and between Spokes, to improve data security.

Figure 1 Networking diagram for DSVPN protected by IPSec configuration

Configuration Roadmap

The configuration roadmap is as follows:
  1. Because a Spoke uses a dynamic address to connect to the public network, it does not know the public IP address of the other Spoke. DSVPN is implemented to establish a VPN between the Spokes.

  2. The DSVPN shortcut scenario is implemented because the enterprise has a large number of branches.

  3. The networks of the central office and branches frequently change. OSPF is deployed to realize communication between the Hub and Spokes and to simplify maintenance.

  4. DSVPN protected by IPSec is implemented to encrypt data transmitted between the central office and branches, and between branches.

When you deploy IPSec on a DSVPN network, the IPSec encapsulation mode can only be transport if two branches are connected to different NAT devices or the headquarters is connected to a NAT device.

Procedure

  1. Assign an IP address to each interface.

    Configure IP addresses for the interfaces of each FW.

    # Configure IP addresses for interfaces of Hub.

    <sysname> system-view
    [sysname] sysname Hub
    [Hub] interface GigabitEthernet 0/0/0
    [Hub-GigabitEthernet0/0/0] ip address 1.1.1.10 255.255.255.0
    [Hub-GigabitEthernet0/0/0] quit
    [Hub] interface tunnel 0
    [Hub-Tunnel0] ip address 172.16.1.1 255.255.255.0
    [Hub-Tunnel0] quit
    [Hub] interface loopback 0
    [Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
    [Hub-LoopBack0] quit

    Configure IP addresses for the interfaces of Spoke1 and Spoke2 as shown in Figure 1. The specific configuration is not provided here.

  2. Configure security zones and security policies.

    # Configure security zones on each device. The configuration commands are the same, and the Hub is used as an example.

    [Hub] firewall zone untrust
    [Hub-zone-untrust] add interface GigabitEthernet 0/0/0
    [Hub-zone-untrust] add interface tunnel 0
    [Hub-zone-untrust] quit

    # Configure security policies on each device. The configuration commands are the same, and the Hub is used as an example.

    In this example, loopback interfaces in the Local zone simulate subnet users, so an interzone policy between the Local zone and the security zone where the tunnel interface resides is required (rule1 in this example). In a real deployment, the interzone policy is configured between the security zones where the subnets reside: for example, if the enterprise subnet resides in the Trust zone, configure the interzone policy between the Trust zone and the security zone where the tunnel interface resides.

    [Hub] security-policy
    [Hub-policy-security] rule name rule1
    [Hub-policy-security-rule-rule1] source-zone untrust local
    [Hub-policy-security-rule-rule1] destination-zone untrust local
    [Hub-policy-security-rule-rule1] source-address 192.168.0.0 mask 255.255.0.0
    [Hub-policy-security-rule-rule1] action permit
    [Hub-policy-security-rule-rule1] quit
    [Hub-policy-security] rule name rule2
    [Hub-policy-security-rule-rule2] source-zone untrust local
    [Hub-policy-security-rule-rule2] destination-zone untrust local
    [Hub-policy-security-rule-rule2] action permit
    [Hub-policy-security-rule-rule2] quit
    [Hub-policy-security] quit

  3. Configure routes between the FWs.

    Configure OSPF on each FW to provide reachable routes to the public network.

    # Configure OSPF on Hub.

    [Hub] ospf 2 router-id 1.1.1.10
    [Hub-ospf-2] area 0.0.0.1
    [Hub-ospf-2-area-0.0.0.1] network 1.1.1.0 0.0.0.255
    [Hub-ospf-2-area-0.0.0.1] quit
    [Hub-ospf-2] quit

    # Configure OSPF on Spoke1.

    [Spoke1] ospf 2 router-id 1.1.2.10
    [Spoke1-ospf-2] area 0.0.0.1
    [Spoke1-ospf-2-area-0.0.0.1] network 1.1.2.0 0.0.0.255
    [Spoke1-ospf-2-area-0.0.0.1] quit
    [Spoke1-ospf-2] quit

    # Configure OSPF on Spoke2.

    [Spoke2] ospf 2 router-id 1.1.3.10
    [Spoke2-ospf-2] area 0.0.0.1
    [Spoke2-ospf-2-area-0.0.0.1] network 1.1.3.0 0.0.0.255
    [Spoke2-ospf-2-area-0.0.0.1] quit
    [Spoke2-ospf-2] quit

  4. Configure the basic OSPF functions.

    # Configure Hub.

    [Hub] ospf 1 router-id 172.16.1.1
    [Hub-ospf-1] area 0.0.0.0
    [Hub-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
    [Hub-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
    [Hub-ospf-1-area-0.0.0.0] quit
    [Hub-ospf-1] quit

    # Configure Spoke1.

    [Spoke1] ospf 1 router-id 172.16.1.2
    [Spoke1-ospf-1] area 0.0.0.0
    [Spoke1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
    [Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
    [Spoke1-ospf-1-area-0.0.0.0] quit
    [Spoke1-ospf-1] quit

    # Configure Spoke2.

    [Spoke2] ospf 1 router-id 172.16.1.3
    [Spoke2-ospf-1] area 0.0.0.0
    [Spoke2-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
    [Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
    [Spoke2-ospf-1-area-0.0.0.0] quit
    [Spoke2-ospf-1] quit

  5. Configure IKE proposals.

    On Hub, Spoke1, and Spoke2, configure IKE proposals and set the same authentication mode.

    # Configure Hub.

    [Hub] ike proposal 1
    [Hub-ike-proposal-1] dh group5
    [Hub-ike-proposal-1] authentication-algorithm sha2-256
    [Hub-ike-proposal-1] prf aes-xcbc-128
    [Hub-ike-proposal-1] quit

    # Configure Spoke1.

    [Spoke1] ike proposal 1
    [Spoke1-ike-proposal-1] dh group5
    [Spoke1-ike-proposal-1] authentication-algorithm sha2-256
    [Spoke1-ike-proposal-1] prf aes-xcbc-128
    [Spoke1-ike-proposal-1] quit

    # Configure Spoke2.

    [Spoke2] ike proposal 1
    [Spoke2-ike-proposal-1] dh group5
    [Spoke2-ike-proposal-1] authentication-algorithm sha2-256
    [Spoke2-ike-proposal-1] prf aes-xcbc-128
    [Spoke2-ike-proposal-1] quit

  6. Configure IKE peers.

    Configure IKE peers used during IKE negotiation on Hub, Spoke1, and Spoke2.

    # Configure Hub.

    [Hub] ike peer hub
    [Hub-ike-peer-hub] ike-proposal 1
    [Hub-ike-peer-hub] pre-shared-key Huawei@1234
    [Hub-ike-peer-hub] dpd type periodic
    [Hub-ike-peer-hub] dpd idle-time 40
    [Hub-ike-peer-hub] quit

    # Configure Spoke1.

    [Spoke1] ike peer spoke1
    [Spoke1-ike-peer-spoke1] ike-proposal 1
    [Spoke1-ike-peer-spoke1] pre-shared-key Huawei@1234
    [Spoke1-ike-peer-spoke1] dpd type periodic
    [Spoke1-ike-peer-spoke1] dpd idle-time 40
    [Spoke1-ike-peer-spoke1] quit

    # Configure Spoke2.

    [Spoke2] ike peer spoke2
    [Spoke2-ike-peer-spoke2] ike-proposal 1
    [Spoke2-ike-peer-spoke2] pre-shared-key Huawei@1234
    [Spoke2-ike-peer-spoke2] dpd type periodic
    [Spoke2-ike-peer-spoke2] dpd idle-time 40
    [Spoke2-ike-peer-spoke2] quit

  7. Create IPSec proposals.

    Configure IPSec proposals on Hub, Spoke1, and Spoke2.

    # Configure Hub.

    [Hub] ipsec proposal pro1
    [Hub-ipsec-proposal-pro1] transform ah-esp
    [Hub-ipsec-proposal-pro1] ah authentication-algorithm sha2-256
    [Hub-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
    [Hub-ipsec-proposal-pro1] esp encryption-algorithm aes-192
    [Hub-ipsec-proposal-pro1] quit

    # Configure Spoke1.

    [Spoke1] ipsec proposal pro1
    [Spoke1-ipsec-proposal-pro1] transform ah-esp
    [Spoke1-ipsec-proposal-pro1] ah authentication-algorithm sha2-256
    [Spoke1-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
    [Spoke1-ipsec-proposal-pro1] esp encryption-algorithm aes-192
    [Spoke1-ipsec-proposal-pro1] quit

    # Configure Spoke2.

    [Spoke2] ipsec proposal pro1
    [Spoke2-ipsec-proposal-pro1] transform ah-esp
    [Spoke2-ipsec-proposal-pro1] ah authentication-algorithm sha2-256
    [Spoke2-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
    [Spoke2-ipsec-proposal-pro1] esp encryption-algorithm aes-192
    [Spoke2-ipsec-proposal-pro1] quit

  8. Configure IPSec profiles.

    Configure IPSec profiles on Hub, Spoke1, and Spoke2.

    # Configure Hub.

    [Hub] ipsec profile profile1
    [Hub-ipsec-profile-profile1] ike-peer hub
    [Hub-ipsec-profile-profile1] proposal pro1
    [Hub-ipsec-profile-profile1] quit

    # Configure Spoke1.

    [Spoke1] ipsec profile profile1
    [Spoke1-ipsec-profile-profile1] ike-peer spoke1
    [Spoke1-ipsec-profile-profile1] proposal pro1
    [Spoke1-ipsec-profile-profile1] quit

    # Configure Spoke2.

    [Spoke2] ipsec profile profile1
    [Spoke2-ipsec-profile-profile1] ike-peer spoke2
    [Spoke2-ipsec-profile-profile1] proposal pro1
    [Spoke2-ipsec-profile-profile1] quit

  9. Configure tunnel interfaces.

    # On Hub, configure a tunnel interface, configure OSPF, and apply the IPSec profile.

    [Hub] interface tunnel 0
    [Hub-Tunnel0] tunnel-protocol gre p2mp
    [Hub-Tunnel0] source GigabitEthernet 0/0/0
    [Hub-Tunnel0] nhrp entry multicast dynamic
    [Hub-Tunnel0] ospf network-type p2mp
    [Hub-Tunnel0] nhrp redirect
    [Hub-Tunnel0] ipsec profile profile1
    [Hub-Tunnel0] quit

    # On Spoke1, configure a tunnel interface, OSPF, and a static NHRP mapping entry for Hub, and apply the IPSec profile.

    [Spoke1] interface tunnel 0
    [Spoke1-Tunnel0] tunnel-protocol gre p2mp
    [Spoke1-Tunnel0] source GigabitEthernet 0/0/0
    [Spoke1-Tunnel0] nhrp entry 172.16.1.1 1.1.1.10 register
    [Spoke1-Tunnel0] ospf network-type p2mp
    [Spoke1-Tunnel0] nhrp shortcut
    [Spoke1-Tunnel0] ipsec profile profile1
    [Spoke1-Tunnel0] quit

    # On Spoke2, configure a tunnel interface, OSPF, and a static NHRP mapping entry for Hub, and apply the IPSec profile.

    [Spoke2] interface tunnel 0
    [Spoke2-Tunnel0] tunnel-protocol gre p2mp
    [Spoke2-Tunnel0] source GigabitEthernet 0/0/0
    [Spoke2-Tunnel0] nhrp entry 172.16.1.1 1.1.1.10 register
    [Spoke2-Tunnel0] ospf network-type p2mp
    [Spoke2-Tunnel0] nhrp shortcut
    [Spoke2-Tunnel0] ipsec profile profile1
    [Spoke2-Tunnel0] quit
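The settings in steps 5 to 9 only work if every device agrees on them: the IKE and IPSec proposals must match, each IKE peer needs its pre-shared key, the IPSec profile must be applied on Tunnel0, and each Spoke's static NHRP entry must register with the Hub's tunnel and public addresses; the roadmap also notes that a NAT device in the path forces transport mode. The following Python script, an added example rather than Huawei's tooling or code from this page, parses configuration texts in the layout of the page's configuration files and reports any of these mismatches before the tunnels are brought up. The configuration texts are constructed from the page's values with a placeholder pre-shared key; the `behind_nat` parameter, the assumption that the Hub's text is stored under the key "Hub", and the assumption that `encapsulation-mode` defaults to tunnel when absent (as the page's display ipsec sa output shows) are the script's own.

```python
"""Added example (not Huawei's tooling): consistency check over the Hub and
Spoke configuration files of this DSVPN-over-IPSec example. Configuration
texts below are constructed from the page's values; the PSK is a placeholder."""

# IKE and IPSec proposal settings shared by all three devices (from the page).
COMMON_CRYPTO = """\
#
ipsec proposal pro1
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
ike proposal 1
 encryption-algorithm aes-256
 dh group5
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf aes-xcbc-128
"""

def device_cfg(name, peer, nbma_ip, tunnel_ip, nhrp_lines, crypto=COMMON_CRYPTO):
    """Build a configuration text laid out like the page's configuration files."""
    return (f"#\nsysname {name}\n{crypto}#\nike peer {peer}\n"
            f" pre-shared-key PLACEHOLDER_PSK\n ike-proposal 1\n#\n"
            f"ipsec profile profile1\n ike-peer {peer}\n proposal pro1\n#\n"
            f"interface GigabitEthernet0/0/0\n ip address {nbma_ip} 255.255.255.0\n#\n"
            f"interface Tunnel0\n ip address {tunnel_ip} 255.255.255.0\n"
            " tunnel-protocol gre p2mp\n source GigabitEthernet0/0/0\n"
            + "".join(f" {cmd}\n" for cmd in nhrp_lines)
            + " ipsec profile profile1\n#\nreturn\n")

HUB_TUNNEL, HUB_NBMA = "172.16.1.1", "1.1.1.10"
CONFIGS = {
    "Hub": device_cfg("Hub", "hub", HUB_NBMA, HUB_TUNNEL,
                      ["nhrp redirect", "nhrp entry multicast dynamic"]),
    "Spoke1": device_cfg("Spoke1", "spoke1", "1.1.2.10", "172.16.1.2",
                         ["nhrp shortcut", f"nhrp entry {HUB_TUNNEL} {HUB_NBMA} register"]),
    "Spoke2": device_cfg("Spoke2", "spoke2", "1.1.3.10", "172.16.1.3",
                         ["nhrp shortcut", f"nhrp entry {HUB_TUNNEL} {HUB_NBMA} register"]),
}

def parse_blocks(text):
    """Map each top-level command to its indented sub-commands ('#' separates blocks)."""
    blocks, head = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "#":
            continue
        if line[0] != " ":
            head = line.strip()
            blocks[head] = []
        elif head:
            blocks[head].append(line.strip())
    return blocks

def find(blocks, prefix):
    """Heading and body of the first block whose heading starts with prefix."""
    for head, body in blocks.items():
        if head.startswith(prefix):
            return head, body
    return None, []

def ip_of(blocks, interface):
    """The address configured with 'ip address' on an interface block, or None."""
    return next((l.split()[2] for l in find(blocks, f"interface {interface}")[1]
                 if l.startswith("ip address ")), None)

def audit(configs, behind_nat=()):
    """Return findings (empty list = consistent). behind_nat names devices with a
    NAT device in front of them, where the page requires transport mode."""
    findings, parsed = [], {n: parse_blocks(t) for n, t in configs.items()}
    hub = parsed["Hub"]                       # assumed key for the Hub's text
    hub_tunnel, hub_nbma = ip_of(hub, "Tunnel0"), ip_of(hub, "GigabitEthernet0/0/0")
    # IKE and IPSec proposals must carry identical settings on every device.
    for prefix in ("ike proposal", "ipsec proposal"):
        if len({tuple(sorted(find(b, prefix)[1])) for b in parsed.values()}) != 1:
            findings.append(f"{prefix} differs between devices")
    for name, b in parsed.items():
        _, peer = find(b, "ike peer")
        if not any(l.startswith("pre-shared-key ") and len(l.split()) > 1 for l in peer):
            findings.append(f"{name}: IKE peer has no pre-shared key")
        _, tun = find(b, "interface Tunnel0")
        profile = next((l.split()[-1] for l in tun if l.startswith("ipsec profile ")), None)
        if profile is None or find(b, f"ipsec profile {profile}")[0] is None:
            findings.append(f"{name}: no IPSec profile applied on Tunnel0")
        if name == "Hub":
            if "nhrp entry multicast dynamic" not in tun or "nhrp redirect" not in tun:
                findings.append("Hub: Tunnel0 lacks NHRP dynamic multicast entry or redirect")
        else:
            if f"nhrp entry {hub_tunnel} {hub_nbma} register" not in tun:
                findings.append(f"{name}: static NHRP entry does not register with Hub")
            if "nhrp shortcut" not in tun:
                findings.append(f"{name}: nhrp shortcut missing on Tunnel0")
        # Huawei's default encapsulation mode is tunnel when the command is absent.
        _, prop = find(b, "ipsec proposal")
        mode = next((l.split()[-1] for l in prop if l.startswith("encapsulation-mode ")), "tunnel")
        if name in behind_nat and mode != "transport":
            findings.append(f"{name}: behind NAT but encapsulation mode is {mode}")
    return findings
```

Run `audit(CONFIGS)` on texts exported from the devices (with `display current-configuration` or the saved files) before bringing the tunnels up; a non-empty list points at the device and setting that will make IKE negotiation or NHRP registration fail.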

  10. Verify the DSVPN configuration.

    After the preceding configurations are complete, check the NHRP mapping entries of Spoke1 and Spoke2.

    # Run the display nhrp peer all command on Spoke and Hub. Take Spoke1 as an example. The command output is as follows:

    [Spoke1] display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    172.16.1.1      32    1.1.1.10        172.16.1.1       hub          up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0
    Created time    : 00:10:58
    Expire time     : -- HostName        : Hub HostEsn         : 210235G7G610F1000002
    
    Number of nhrp peers: 1
    

    At this stage, if you run the display nhrp peer all command on Spoke1 and Spoke2, you can see only the static NHRP mapping entry of Hub.

  11. Verify the IPSec SA configuration.

    Check the IPSec SAs generated on Hub, Spoke1, and Spoke2. Take Spoke1 as an example.

    # Run the display ipsec sa command on Spoke1. The command output is as follows:

    [Spoke1] display ipsec sa
    ipsec sa information: 
    
    ===============================
    Interface: Tunnel0
    ===============================
    
      -----------------------------
      IPSec profile name: "profile1"
      Mode              : PROF-ISAKMP
      -----------------------------
        Connection ID     : 2
        Encapsulation mode: Tunnel
        Tunnel local      : 1.1.2.10:500
        Tunnel remote     : 1.1.1.10:500
    
        [Outbound ESP SAs] 
          SPI: 2485560141 (0x9426a34d)
          Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
          SA remaining key duration (bytes/sec): 1887426800/2652
          Max sent sequence-number: 107
          UDP encapsulation used for NAT traversal: N       SA encrypted packets (number/bytes): 4/240  
    
        [Outbound AH SAs] 
          SPI: 3662509166 (0xda4d746e)
          Proposal: SHA2-512-256
          SA remaining key duration (bytes/sec): 1887436800/2652
          Max sent sequence-number: 107
          UDP encapsulation used for NAT traversal: N       SA encrypted packets (number/bytes): 4/240  
    
        [Inbound AH SAs] 
          SPI: 833505824 (0x31ae4a20)
          Proposal: SHA2-512-256
          SA remaining key duration (bytes/sec): 1887436800/2652
          Max received sequence-number: 119
          UDP encapsulation used for NAT traversal: N       SA decrypted packets (number/bytes): 4/240
          Anti-replay : Enable  
          Anti-replay window size: 1024  
    
        [Inbound ESP SAs] 
          SPI: 2140030022 (0x7f8e4446)
          Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
          SA remaining key duration (bytes/sec): 1887425168/2652
          Max received sequence-number: 119
          UDP encapsulation used for NAT traversal: N       SA decrypted packets (number/bytes): 4/240
          Anti-replay : Enable  
          Anti-replay window size: 1024  
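Reading the display ipsec sa output by eye is error-prone once several connections are listed. The following Python parser, an added example and not part of this page or Huawei's tooling, turns the output into structured records and checks what the transform ah-esp proposal should produce: AH and ESP SAs in both directions per connection, anti-replay enabled on the inbound SAs, distinct SPIs, and an encapsulation mode consistent with the NAT caveat in the configuration roadmap (transport mode when NAT traversal is in use or a NAT device is known to be in the path). SAMPLE_OUTPUT is a constructed copy of the Spoke1 output above, trimmed to the fields the parser uses; the `behind_nat` parameter is the example's own.

```python
import re

# Constructed sample in the layout of the page's 'display ipsec sa' output,
# using the values shown for Spoke1's connection to Hub.
SAMPLE_OUTPUT = """\
ipsec sa information:
===============================
Interface: Tunnel0
===============================
  IPSec profile name: "profile1"
  Mode              : PROF-ISAKMP
    Connection ID     : 2
    Encapsulation mode: Tunnel
    Tunnel local      : 1.1.2.10:500
    Tunnel remote     : 1.1.1.10:500
    [Outbound ESP SAs]
      SPI: 2485560141 (0x9426a34d)
      Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
      UDP encapsulation used for NAT traversal: N
    [Outbound AH SAs]
      SPI: 3662509166 (0xda4d746e)
      Proposal: SHA2-512-256
      UDP encapsulation used for NAT traversal: N
    [Inbound AH SAs]
      SPI: 833505824 (0x31ae4a20)
      Proposal: SHA2-512-256
      UDP encapsulation used for NAT traversal: N
      Anti-replay : Enable
      Anti-replay window size: 1024
    [Inbound ESP SAs]
      SPI: 2140030022 (0x7f8e4446)
      Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
      UDP encapsulation used for NAT traversal: N
      Anti-replay : Enable
      Anti-replay window size: 1024
"""

SA_HEADER = re.compile(r"\[(Inbound|Outbound) (AH|ESP) SAs\]")

def parse_ipsec_sa(text):
    """Return one dict per connection: endpoints, encapsulation mode and a
    'sas' map keyed by (direction, protocol)."""
    conns, cur, sa = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Connection ID"):
            cur, sa = {"id": int(line.split(":")[1]), "sas": {}}, None
            conns.append(cur)
            continue
        if cur is None:                          # header lines before the first connection
            continue
        m = SA_HEADER.search(line)
        if m:
            sa = {"spi": None, "proposal": None, "nat_t": False, "anti_replay": False}
            cur["sas"][(m.group(1), m.group(2))] = sa
        elif ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if sa is None:                       # connection-level fields
                cur[key.lower().replace(" ", "_")] = value
            elif key == "SPI":
                sa["spi"] = int(value.split()[0])
            elif key == "Proposal":
                sa["proposal"] = value
            elif key.startswith("UDP encapsulation"):
                sa["nat_t"] = value == "Y"
            elif key == "Anti-replay":
                sa["anti_replay"] = value == "Enable"
    return conns

def check_connections(conns, behind_nat=False):
    """Findings for the parsed SAs (empty list = all checks pass). behind_nat
    says a NAT device is known to be in the path, which per the page's caveat
    requires transport mode even before NAT traversal shows up in the output."""
    findings = []
    expected = {(d, p) for d in ("Inbound", "Outbound") for p in ("AH", "ESP")}
    for c in conns:
        cid, mode = c["id"], c.get("encapsulation_mode", "").lower()
        missing = expected - set(c["sas"])
        if missing:
            findings.append(f"conn {cid}: missing SAs {sorted(missing)}")
        for (direction, proto), sa in c["sas"].items():
            if direction == "Inbound" and not sa["anti_replay"]:
                findings.append(f"conn {cid}: anti-replay disabled on inbound {proto}")
            if sa["nat_t"] and mode != "transport":
                findings.append(f"conn {cid}: NAT traversal active in {mode} mode")
        if behind_nat and mode != "transport":
            findings.append(f"conn {cid}: NAT in path but encapsulation mode is {mode}")
        spis = [sa["spi"] for sa in c["sas"].values()]
        if len(set(spis)) != len(spis):
            findings.append(f"conn {cid}: duplicate SPI values")
    return findings
```

Feed the full output of display ipsec sa to `parse_ipsec_sa`; after step 12 the Spoke1 output contains two connections (to Hub and to Spoke2), and `check_connections` evaluates each of them separately.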
    

  12. Run the ping command to check the configuration result.

    To use the ping command for link detection, run the service-manage ping permit command in the interface view of every firewall interface on the link so that those interfaces accept ping.

    Ping 192.168.2.1 on Spoke1. Afterwards, you can see that Spoke1 and Spoke2 have learned dynamic NHRP mapping entries from each other.

    # Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is as follows:

    [Spoke1] ping -a 192.168.1.1 192.168.2.1
      PING 192.168.2.1: 56  data bytes, press CTRL_C to break
        Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=3 ms
        Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
        Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
        Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
        Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms
    
      --- 192.168.2.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 2/2/3 ms
    

    # Run the display nhrp peer all command on the Spokes. Take Spoke1 as an example. The command output is as follows:

    [Spoke1] display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
    -------------------------------------------------------------------------------
    172.16.1.1      32    1.1.1.10        172.16.1.1      hub              up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0
    Created time    : 00:46:35
    Expire time     : -- HostName        : Hub HostEsn         : 210235G7G610F1000002
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
    -------------------------------------------------------------------------------
    192.168.2.1     32    1.1.3.10        172.16.1.3      remote-network  up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0
    Created time    : 00:00:28
    Expire time     : 01:59:32 HostName        : Spoke2 HostEsn         : 210235G7G610F3000017
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
    -------------------------------------------------------------------------------
    172.16.1.3      32    1.1.3.10        172.16.1.3      remote          up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0
    Created time    : 00:00:28
    Expire time     : 01:59:32 HostName        : Spoke2 HostEsn         : 210235G7G610F3000017
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
    -------------------------------------------------------------------------------
    172.16.1.2      32    1.1.2.10        172.16.1.2      local           up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0
    Created time    : 00:00:28
    Expire time     : 01:59:32 HostName        : Spoke1 HostEsn         : 210235G7G610F1000013
    
    Number of nhrp peers: 4
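The post-ping NHRP table above is what a working shortcut looks like: the registered Hub entry with no expiry, a remote-network entry for the peer's subnet and a remote entry for the peer's tunnel address, both resolving to the peer Spoke's own NBMA address, plus the local entry. The following Python example, added here and not part of this page or Huawei's tooling, parses that output and checks those properties so the verification can be scripted; SAMPLE_NHRP is a constructed copy of the Spoke1 output above, and the parser accepts the key/value trailer lines either combined on one line, as shown on the page, or one per line.

```python
import re

# Constructed copy of the page's post-ping 'display nhrp peer all' output on Spoke1.
SAMPLE_NHRP = """\
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
172.16.1.1      32    1.1.1.10        172.16.1.1      hub              up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 00:46:35
Expire time     : -- HostName        : Hub HostEsn         : 210235G7G610F1000002
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
192.168.2.1     32    1.1.3.10        172.16.1.3      remote-network  up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 00:00:28
Expire time     : 01:59:32 HostName        : Spoke2 HostEsn         : 210235G7G610F3000017
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
172.16.1.3      32    1.1.3.10        172.16.1.3      remote          up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 00:00:28
Expire time     : 01:59:32 HostName        : Spoke2 HostEsn         : 210235G7G610F3000017
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
172.16.1.2      32    1.1.2.10        172.16.1.2      local           up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 00:00:28
Expire time     : 01:59:32 HostName        : Spoke1 HostEsn         : 210235G7G610F1000013

Number of nhrp peers: 4
"""

# Key/value trailer fields; several may share one line, as in the page's output.
KV = re.compile(r"(Tunnel interface|Created time|Expire time|HostName|HostEsn)\s*:\s*(\S+)")
COLUMNS = ("protocol", "mask", "nbma", "nexthop", "type", "flag")

def parse_nhrp_peers(text):
    """One dict per mapping entry: the table columns plus the trailer fields."""
    entries, cur, expect_row = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Protocol-addr"):        # column header: data row follows
            expect_row = True
        elif expect_row and line and not line.startswith("-"):
            cur = dict(zip(COLUMNS, line.split()))
            entries.append(cur)
            expect_row = False
        elif cur is not None:
            cur.update(KV.findall(line))
    return entries

def declared_peer_count(text):
    """The count the device prints in its 'Number of nhrp peers' summary line."""
    m = re.search(r"Number of nhrp peers:\s*(\d+)", text)
    return int(m.group(1)) if m else None

def check_spoke_peers(text, hub_tunnel, hub_nbma, local_tunnel):
    """Findings for a Spoke's NHRP table after spoke-to-spoke traffic has flowed;
    an empty list means the static Hub entry and the dynamic entries look right."""
    entries, findings = parse_nhrp_peers(text), []
    if declared_peer_count(text) != len(entries):
        findings.append("parsed entry count differs from 'Number of nhrp peers'")
    by_type = {}
    for e in entries:
        by_type.setdefault(e["type"], []).append(e)
    hubs = by_type.get("hub", [])
    if len(hubs) != 1 or (hubs[0]["protocol"], hubs[0]["nbma"]) != (hub_tunnel, hub_nbma):
        findings.append("static Hub entry missing or pointing at unexpected addresses")
    elif hubs[0].get("Expire time") != "--":   # the registered static entry shows '--' on the page
        findings.append("Hub entry has an expiry; the registered static entry should show '--'")
    if [e["protocol"] for e in by_type.get("local", [])] != [local_tunnel]:
        findings.append("local entry does not match this Spoke's tunnel address")
    dynamic = by_type.get("remote", []) + by_type.get("remote-network", [])
    if not dynamic:
        findings.append("no remote/remote-network entries: no spoke-to-spoke shortcut learned yet")
    for e in dynamic:                            # shortcut entries must point at the peer, not Hub
        if e["nbma"] == hub_nbma:
            findings.append(f"{e['protocol']} still resolves to the Hub NBMA address")
    down = [e["protocol"] for e in entries if e["flag"] != "up"]
    if down:
        findings.append(f"entries not up: {down}")
    return findings
```

Dynamic entries carry an expiry (01:59:32 above) and are removed when it lapses without traffic, so `check_spoke_peers` is meaningful only shortly after spoke-to-spoke traffic, as in the ping test in this step.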
    

    # Run the display ipsec sa command on the Spokes. Take Spoke1 as an example. The command output is as follows:

    [Spoke1] display ipsec sa
    ipsec sa information: 
    
    ===============================
    Interface: Tunnel0
    ===============================
    
      -----------------------------
      IPSec profile name: "profile1"
      Mode              : PROF-ISAKMP
      -----------------------------
        Connection ID     : 2
        Encapsulation mode: Tunnel
        Tunnel local      : 1.1.2.10:500
        Tunnel remote     : 1.1.1.10:500
    
        [Outbound ESP SAs] 
          SPI: 2485560141 (0x9426a34d)
          Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
          SA remaining key duration (bytes/sec): 1887420488/2020
          Max sent sequence-number: 175
          UDP encapsulation used for NAT traversal: N       SA encrypted packets (number/bytes): 4/240  
    
        [Outbound AH SAs] 
          SPI: 3662509166 (0xda4d746e)
          Proposal: SHA2-512-256
          SA remaining key duration (bytes/sec): 1887436800/2020
          Max sent sequence-number: 175
          UDP encapsulation used for NAT traversal: N       SA encrypted packets (number/bytes): 4/240  
    
        [Inbound AH SAs] 
          SPI: 833505824 (0x31ae4a20)
          Proposal: SHA2-512-256
          SA remaining key duration (bytes/sec): 1887436800/2020
          Max received sequence-number: 192
          UDP encapsulation used for NAT traversal: N       SA decrypted packets (number/bytes): 4/240
          Anti-replay : Enable  
          Anti-replay window size: 1024  
    
        [Inbound ESP SAs] 
          SPI: 2140030022 (0x7f8e4446)
          Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
          SA remaining key duration (bytes/sec): 1887418092/2020
          Max received sequence-number: 192
          UDP encapsulation used for NAT traversal: N       SA decrypted packets (number/bytes): 4/240
          Anti-replay : Enable  
          Anti-replay window size: 1024  
    
      -----------------------------
      IPSec profile name: "profile1"
      Mode              : PROF-ISAKMP
      -----------------------------
        Connection ID     : 5
        Encapsulation mode: Tunnel
        Tunnel local      : 1.1.2.10:500
        Tunnel remote     : 1.1.3.10:500
     
        [Outbound ESP SAs] 
          SPI: 576349831 (0x225a6687)
          Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
          SA remaining key duration (bytes/sec): 1887436368/3511
          Max sent sequence-number: 4
          UDP encapsulation used for NAT traversal: N       SA encrypted packets (number/bytes): 4/240  
    
        [Outbound AH SAs] 
          SPI: 3363305474 (0xc877f802)
          Proposal: SHA2-512-256
          SA remaining key duration (bytes/sec): 1887436800/3511
          Max sent sequence-number: 4
          UDP encapsulation used for NAT traversal: N       SA encrypted packets (number/bytes): 4/240  
    
        [Inbound AH SAs] 
          SPI: 3753703982 (0xdfbcfa2e)
          Proposal: SHA2-512-256
          SA remaining key duration (bytes/sec): 1887436800/3511
          Max received sequence-number: 4
          UDP encapsulation used for NAT traversal: N       SA decrypted packets (number/bytes): 4/240
          Anti-replay : Enable  
          Anti-replay window size: 1024  
    
        [Inbound ESP SAs] 
          SPI: 3361785078 (0xc860c4f6)
          Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
          SA remaining key duration (bytes/sec): 1887436368/3511
          Max received sequence-number: 4
          UDP encapsulation used for NAT traversal: N       SA decrypted packets (number/bytes): 4/240
          Anti-replay : Enable  
          Anti-replay window size: 1024  
    

Configuration Files

  • Hub configuration file

    #
    sysname Hub
    # 
    ipsec proposal pro1
     transform ah-esp
     ah authentication-algorithm sha2-256
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-192
    # 
    ike proposal 1
     encryption-algorithm aes-256                                                   
     dh group5                                                                      
     authentication-algorithm sha2-256                                       
     authentication-method pre-share                                                
     integrity-algorithm hmac-sha2-256                                              
     prf aes-xcbc-128  
    # 
    ike peer hub
     pre-shared-key 
     ike-proposal 1
     dpd type periodic
     dpd idle-time 40   
    # 
    ipsec profile profile1
     ike-peer hub
     proposal pro1
    # 
    interface GigabitEthernet0/0/0
     ip address 1.1.1.10 255.255.255.0
    # 
    interface LoopBack0
     ip address 192.168.0.1 255.255.255.0
    # 
    interface Tunnel0
     ip address 172.16.1.1 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet0/0/0
     ospf network-type p2mp
     nhrp redirect
     nhrp entry multicast dynamic
     ipsec profile profile1
    # 
    ospf 1 router-id 172.16.1.1
     area 0.0.0.0
      network 172.16.1.0 0.0.0.255
      network 192.168.0.0 0.0.0.255
    # 
    ospf 2 router-id 1.1.1.10
     area 0.0.0.1
      network 1.1.1.0 0.0.0.255
    # 
    firewall zone untrust
     add interface GigabitEthernet0/0/0
     add interface Tunnel0
    #
    security-policy
     rule name rule1
      source-zone local
      source-zone untrust
      destination-zone local
      destination-zone untrust
      source-address 192.168.0.0 mask 255.255.0.0
      action permit
     rule name rule2
      source-zone local
      source-zone untrust
      destination-zone local
      destination-zone untrust
      action permit
    # 
    return
  • Spoke1 configuration file

    #
    sysname Spoke1
    # 
    ipsec proposal pro1
     transform ah-esp
     ah authentication-algorithm sha2-256
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-192
    # 
    ike proposal 1
     encryption-algorithm aes-256                                                   
     dh group5                                                                      
     authentication-algorithm sha2-256                                       
     authentication-method pre-share                                                
     integrity-algorithm hmac-sha2-256                                              
     prf aes-xcbc-128  
    # 
    ike peer spoke1
     pre-shared-key 
     ike-proposal 1
     dpd type periodic
     dpd idle-time 40   
    # 
    ipsec profile profile1
     ike-peer spoke1
     proposal pro1
    # 
    interface GigabitEthernet0/0/0
     ip address 1.1.2.10 255.255.255.0
    # 
    interface LoopBack0
     ip address 192.168.1.1 255.255.255.0
    # 
    interface Tunnel0
     ip address 172.16.1.2 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet0/0/0
     ospf network-type p2mp
     nhrp shortcut
     nhrp entry 172.16.1.1 1.1.1.10 register
     ipsec profile profile1
    # 
    ospf 1 router-id 172.16.1.2
     area 0.0.0.0
      network 172.16.1.0 0.0.0.255
      network 192.168.1.0 0.0.0.255
    # 
    ospf 2 router-id 1.1.2.10
     area 0.0.0.1
      network 1.1.2.0 0.0.0.255
    # 
    firewall zone untrust
     add interface GigabitEthernet0/0/0
     add interface Tunnel0
    #
    security-policy
     rule name rule1
      source-zone local
      source-zone untrust
      destination-zone local
      destination-zone untrust
      source-address 192.168.0.0 mask 255.255.0.0
      action permit
     rule name rule2
      source-zone local
      source-zone untrust
      destination-zone local
      destination-zone untrust
      action permit
    # 
    return
    
  • Spoke2 configuration file

    #
    sysname Spoke2
    # 
    ipsec proposal pro1
     transform ah-esp
     ah authentication-algorithm sha2-256
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-192
    # 
    ike proposal 1
     encryption-algorithm aes-256                                                   
     dh group5                                                                      
     authentication-algorithm sha2-256                                       
     authentication-method pre-share                                                
     integrity-algorithm hmac-sha2-256                                              
     prf aes-xcbc-128  
    # 
    ike peer spoke2
     pre-shared-key 
     ike-proposal 1
     dpd type periodic
     dpd idle-time 40   
    # 
    ipsec profile profile1
     ike-peer spoke2
     proposal pro1
    # 
    interface GigabitEthernet0/0/0
     ip address 1.1.3.10 255.255.255.0
    # 
    interface LoopBack0
     ip address 192.168.2.1 255.255.255.0
    # 
    interface Tunnel0
     ip address 172.16.1.3 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet0/0/0
     ospf network-type p2mp
     nhrp shortcut
     nhrp entry 172.16.1.1 1.1.1.10 register
     ipsec profile profile1
    # 
    ospf 1 router-id 172.16.1.3
     area 0.0.0.0
      network 172.16.1.0 0.0.0.255
      network 192.168.2.0 0.0.0.255
    # 
    ospf 2 router-id 1.1.3.10
     area 0.0.0.1
      network 1.1.3.0 0.0.0.255
    # 
    firewall zone untrust
     add interface GigabitEthernet0/0/0
     add interface Tunnel0
    #
    security-policy
     rule name rule1
      source-zone local
      source-zone untrust
      destination-zone local
      destination-zone untrust
      source-address 192.168.0.0 mask 255.255.0.0
      action permit
     rule name rule2
      source-zone local
      source-zone untrust
      destination-zone local
      destination-zone untrust
      action permit
    # 
    return
    
Copyright © Huawei Technologies Co., Ltd.