< Home

CLI: Example for Configuring Route-based GRE over IPSec VPN Using IPSec Profile

Networking Requirements

As shown in Figure 1, network A and network B connect to the Internet through FW_A and FW_B respectively. Users on network A need to access resources on network B through a GRE tunnel. The network environment is as follows:

  • Network A is in the network segment 10.1.1.0/24. This network connects to FW_A through GigabitEthernet 0/0/3.

  • Network B is in the network segment 10.1.2.0/24. This network connects to FW_B through GigabitEthernet 0/0/3.

  • FW_A and FW_B have reachable routes to each other.

Figure 1 GRE over IPSec networking

Data Plan

Item

Data

FW_A

Interface number: GigabitEthernet 0/0/3

IP address: 10.1.1.1/24

Security zone: Trust

Interface number: GigabitEthernet 0/0/1

IP address: 1.1.3.1/24

Security zone: Untrust

GRE tunnel interface configuration

Source IP address: 1.1.3.1

Destination IP address: 1.1.5.1

IP address: any address that does not conflict with other IP addresses

IPSec profile configuration

Authentication type: Pre-shared key

Pre-shared key: Test!1234

Local ID type: IP address

Peer ID type: any

FW_B

Interface number: GigabitEthernet 0/0/1

IP address: 1.1.5.1/24

Security zone: Untrust

Interface number: GigabitEthernet 0/0/3

IP address: 10.1.2.1/24

Security zone: Trust

GRE tunnel interface configuration

Source IP address: 1.1.5.1

Destination IP address: 1.1.3.1

IP address: any address that does not conflict with other IP addresses

IPSec profile configuration

Authentication type: Pre-shared key

Pre-shared key: Test!1234

Local ID type: IP address

Peer ID type: any

Configuration Roadmap

The procedure and roadmap for configuring FW_A and FW_B are the same. The configuration roadmap is as follows:

  1. Configure interfaces.
  2. Configure security policies to allow specific subnets to communicate.
  3. Create a static route to the remote intranet.
  4. Configure GRE tunnel interfaces and routes to these interfaces.
  5. Configure an IPSec profile, including basic IPSec profile information and IPSec proposal negotiation parameters.

Procedure

  1. Perform basic configurations on FW_A, including setting the interface IP addresses, adding interfaces to security zones, and configuring interzone security policies and static route.
    1. Set the interface IP addresses.

      1. Set the IP address of GigabitEthernet 0/0/3.

        <sysname> system-view
[sysname] sysname FW_A
[FW_A] interface GigabitEthernet 0/0/3
[FW_A-GigabitEthernet0/0/3] ip address 10.1.1.1 24
[FW_A-GigabitEthernet0/0/3] quit

      2. Set the IP address of GigabitEthernet 0/0/1.

        [FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] ip address 1.1.3.1 24
[FW_A-GigabitEthernet0/0/1] quit

    2. Add interfaces to corresponding security zones.

      1. Add GigabitEthernet 0/0/3 to the Trust zone.

        [FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 0/0/3
[FW_A-zone-trust] quit

      2. Add GigabitEthernet 0/0/1 to the Untrust zone.

        [FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_A-zone-untrust] quit

    3. Configure interzone security policies.

      1. Configure the security policies between the Trust and Untrust zones.

        [FW_A] security-policy
[FW_A-policy-security] rule name policy1
[FW_A-policy-security-rule-policy1] source-zone trust
[FW_A-policy-security-rule-policy1] destination-zone untrust
[FW_A-policy-security-rule-policy1] source-address 10.1.1.0 24
[FW_A-policy-security-rule-policy1] destination-address 10.1.2.0 24
[FW_A-policy-security-rule-policy1] action permit
[FW_A-policy-security-rule-policy1] quit
        [FW_A-policy-security] rule name policy2
[FW_A-policy-security-rule-policy2] source-zone untrust
[FW_A-policy-security-rule-policy2] destination-zone trust
[FW_A-policy-security-rule-policy2] source-address 10.1.2.0 24
[FW_A-policy-security-rule-policy2] destination-address 10.1.1.0 24
[FW_A-policy-security-rule-policy2] action permit
[FW_A-policy-security-rule-policy2] quit

      2. Configure the security policies between the Local and Untrust zones.

        The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to enable ESP and port 500 for UDP (port 4500 also in NAT traversal scenarios).

        The security policies for the Local-Untrust interzone enable the devices at two ends to negotiate an IPSec tunnel.

        [FW_A-policy-security] rule name policy3
[FW_A-policy-security-rule-policy3] source-zone local
[FW_A-policy-security-rule-policy3] destination-zone untrust
[FW_A-policy-security-rule-policy3] source-address 1.1.3.1 32
[FW_A-policy-security-rule-policy3] destination-address 1.1.5.1 32
[FW_A-policy-security-rule-policy3] action permit
[FW_A-policy-security-rule-policy3] quit
        [FW_A-policy-security] rule name policy4
[FW_A-policy-security-rule-policy4] source-zone untrust
[FW_A-policy-security-rule-policy4] destination-zone local
[FW_A-policy-security-rule-policy4] source-address 1.1.5.1 32
[FW_A-policy-security-rule-policy4] destination-address 1.1.3.1 32
[FW_A-policy-security-rule-policy4] action permit
[FW_A-policy-security-rule-policy4] quit
[FW_A-policy-security] quit

    4. Configure the static route of the public network. Assume that assuming that the next hop address is 1.1.3.2.

      [FW_A] ip route-static 1.1.5.0 255.255.255.0 1.1.3.2

  2. Configure GRE over IPSec on FW_A.
    1. Configure GRE tunnel interfaces.

      [FW_A] interface Tunnel 1
[FW_A-Tunnel1] tunnel-protocol gre
[FW_A-Tunnel1] source 1.1.3.1
[FW_A-Tunnel1] destination 1.1.5.1
[FW_A-Tunnel1] ip address 172.16.2.1 24
[FW_A-Tunnel1] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface tunnel 1
[FW_A-zone-untrust] quit

    2. Configure a static route to direct traffic to the GRE over IPSec tunnel.

      [FW_A] ip route-static 10.1.2.0 24 Tunnel 1

    3. Configure an IPSec proposal using the default parameters.

      [FW_A] ipsec proposal tran1
[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_A-ipsec-proposal-tran1] quit

    4. Configure an IKE proposal using the default parameters.

      [FW_A] ike proposal 10
[FW_A-ike-proposal-10] authentication-method pre-share
[FW_A-ike-proposal-10] prf hmac-sha2-256
[FW_A-ike-proposal-10] encryption-algorithm aes-256
[FW_A-ike-proposal-10] dh group14
[FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
[FW_A-ike-proposal-10] quit

    5. Configure an IKE peer.

      [FW_A] ike peer b
[FW_A-ike-peer-b] ike-proposal 10
[FW_A-ike-peer-b] pre-shared-key Test!1234
[FW_A-ike-peer-b] quit

    6. Configure an IPSec profile.

      [FW_A] ipsec profile pro1
[FW_A-ipsec-profile-pro1] proposal tran1
[FW_A-ipsec-profile-pro1] ike-peer b
[FW_A-ipsec-profile-pro1] quit

    7. Apply IPSec profile pro1 to the IPSec tunnel interface.

      [FW_A] interface tunnel 1
[FW_A-Tunnel1] ipsec profile pro1
[FW_A-Tunnel1] quit

  3. Set the interface IP addresses, add interfaces to security zones, and configure interzone security policy and static route on FW_B.
    1. Set the interface IP addresses.

      1. Configure the IP address of GigabitEthernet 0/0/3.

        <sysname> system-view
[sysname] sysname FW_B
[FW_B] GigabitEthernet 0/0/3
[FW_B-GigabitEthernet0/0/3] ip address 10.1.2.1 24
[FW_B-GigabitEthernet0/0/3] quit

      2. Configure the IP address of GigabitEthernet 0/0/1.

        [FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet0/0/1] ip address 1.1.5.1 24
[FW_B-GigabitEthernet0/0/1] quit

    2. Add interfaces to corresponding security zones.

      1. Add GigabitEthernet 0/0/3 to the Trust zone.

        [FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 0/0/3
[FW_B-zone-trust] quit

      2. Add GigabitEthernet 0/0/1 to the Untrust zone.

        [FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_B-zone-untrust] quit

    3. Configure interzone security policies.

      1. Configure the security policies between the Trust and Untrust zones.

        [FW_B] security-policy
[FW_B-policy-security] rule name policy1
[FW_B-policy-security-rule-policy1] source-zone trust
[FW_B-policy-security-rule-policy1] destination-zone untrust
[FW_B-policy-security-rule-policy1] source-address 10.1.2.0 24
[FW_B-policy-security-rule-policy1] destination-address 10.1.1.0 24
[FW_B-policy-security-rule-policy1] action permit
[FW_B-policy-security-rule-policy1] quit
        [FW_B-policy-security] rule name policy2
[FW_B-policy-security-rule-policy2] source-zone untrust
[FW_B-policy-security-rule-policy2] destination-zone trust
[FW_B-policy-security-rule-policy2] source-address 10.1.1.0 24
[FW_B-policy-security-rule-policy2] destination-address 10.1.2.0 24
[FW_B-policy-security-rule-policy2] action permit
[FW_B-policy-security-rule-policy2] quit

      2. Configure the security policies between the Local and Untrust zones.

        The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to enable ESP and port 500 for UDP (port 4500 also in NAT traversal scenarios).

        The security policies for the Local-Untrust interzone enable the devices at two ends to negotiate an IPSec tunnel.

        [FW_B-policy-security] rule name policy3
[FW_B-policy-security-rule-policy3] source-zone local
[FW_B-policy-security-rule-policy3] destination-zone untrust
[FW_B-policy-security-rule-policy3] source-address 1.1.5.1 32
[FW_B-policy-security-rule-policy3] destination-address 1.1.3.1 32
[FW_B-policy-security-rule-policy3] action permit
[FW_B-policy-security-rule-policy3] quit
        [FW_B-policy-security] rule name policy4
[FW_B-policy-security-rule-policy4] source-zone untrust
[FW_B-policy-security-rule-policy4] destination-zone local
[FW_B-policy-security-rule-policy4] source-address 1.1.3.1 32
[FW_B-policy-security-rule-policy4] destination-address 1.1.5.1 32
[FW_B-policy-security-rule-policy4] action permit
[FW_B-policy-security-rule-policy4] quit
[FW_B-policy-security] quit

    4. Configure the static route of the public network. Assume that assuming that the next hop address is 1.1.5.2.

      [FW_B] ip route-static 1.1.3.0 255.255.255.0 1.1.5.2

  4. Configure GRE over IPSec on FW_B.
    1. Configure GRE tunnel interfaces.

      [FW_B] interface Tunnel 1
[FW_B-Tunnel1] tunnel-protocol gre
[FW_B-Tunnel1] source 1.1.5.1
[FW_B-Tunnel1] destination 1.1.3.1
[FW_B-Tunnel1] ip address 172.16.2.2 24
[FW_B-Tunnel1] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface tunnel 1
[FW_B-zone-untrust] quit

    2. Configure a static route to direct traffic to the GRE over IPSec tunnel.

      [FW_B] ip route-static 10.1.1.0 24 Tunnel1

    3. Configure an IPSec proposal.

      [FW_B] ipsec proposal tran1
[FW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_B-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_B-ipsec-proposal-tran1] quit

    4. Configure an IKE proposal.

      [FW_B] ike proposal 10
[FW_B-ike-proposal-10] authentication-method pre-share
[FW_B-ike-proposal-10] prf hmac-sha2-256
[FW_B-ike-proposal-10] encryption-algorithm aes-256
[FW_B-ike-proposal-10] dh group14
[FW_B-ike-proposal-10] integrity-algorithm hmac-sha2-256  
[FW_B-ike-proposal-10] quit

    5. Configure an IKE peer.

      [FW_B] ike peer a 
[FW_B-ike-peer-a] ike-proposal 10 
[FW_B-ike-peer-a] pre-shared-key Test!1234 
[FW_B-ike-peer-a] quit

    6. Configure an IPSec profile.

      [FW_B] ipsec profile pro1  
[FW_B-ipsec-policy-isakmp-map1-10] proposal tran1 
[FW_B-ipsec-policy-isakmp-map1-10] ike-peer a 
[FW_B-ipsec-policy-isakmp-map1-10] quit

    7. Apply IPSec profile pro1 to the GRE tunnel interface.

      [FW_B] interface tunnel 1 
[FW_B-tunnel1] ipsec profile pro1
[FW_B-tunnel1] quit

Configuration Files

  • FW_A configuration file

    #
 sysname FW_A
#
ipsec proposal tran1                                                            
 esp authentication-algorithm sha2-256                                          
 esp encryption-algorithm aes-256   
#
ike proposal 10
  encryption-algorithm aes-256                                                   
  dh group14                                                                      
  authentication-algorithm sha2-256                                              
  authentication-method pre-share                                                
  integrity-algorithm hmac-sha2-256                                              
  prf hmac-sha2-256 
#
ike peer b
  pre-shared-key %^%#{j1P([P@.*0kW\B_5t3=L(0Y%^%#
  ike-proposal 10
#                                                                               
ipsec profile pro1
 ike-peer b
 proposal tran1
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.3.1 255.255.255.0
#
interface Tunnel1
 tunnel-protocol gre
 source 1.1.3.1
 destination 1.1.5.1
 ip address 172.16.2.1 255.255.255.0
 ipsec profile pro1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust 
 set priority 5 
 add interface GigabitEthernet0/0/1
 add interface tunnel1
#
 ip route-static 1.1.5.0 255.255.255.0 1.1.3.2
 ip route-static 10.1.2.0 255.255.255.0 Tunnel1
#
security-policy
  rule name policy1
    source-zone trust
    destination-zone untrust
    source-address 10.1.1.0 mask 255.255.255.0
    destination-address 10.1.2.0 mask 255.255.255.0
    action permit
  rule name policy2
    source-zone untrust
    destination-zone trust
    source-address 10.1.2.0 mask 255.255.255.0
    destination-address 10.1.1.0 mask 255.255.255.0
    action permit
  rule name policy3
    source-zone local
    destination-zone untrust
    source-address 1.1.3.1 mask 255.255.255.255
    destination-address 1.1.5.1 mask 255.255.255.255
    action permit
  rule name policy4
    source-zone untrust
    destination-zone local
    source-address 1.1.5.1 mask 255.255.255.255
    destination-address 1.1.3.1 mask 255.255.255.255
    action permit
#
return

  • FW_B configuration file

    #
 sysname FW_B
#
ipsec proposal tran1                                                            
 esp authentication-algorithm sha2-256                                          
 esp encryption-algorithm aes-256   
#
ike proposal 10
  encryption-algorithm aes-256                                                   
  dh group14                                                                      
  authentication-algorithm sha2-256                                              
  authentication-method pre-share                                                
  integrity-algorithm hmac-sha2-256                                              
  prf hmac-sha2-256 
#
ike peer a
 pre-shared-key %^%#wtV"Og}Iy>%[Sq5h(*KIcA(M%^%#
 ike-proposal 10
#                                                                               
ipsec profile pro1
 ike-peer a
 proposal tran1
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.5.1 255.255.255.0
#
interface Tunnel1
 tunnel-protocol gre
 source 1.1.5.1
 destination 1.1.3.1
 ip address 172.16.2.2 255.255.255.0
 ipsec profile pro1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust 
 set priority 5 
 add interface GigabitEthernet0/0/1
 add interface Tunnel1
#
 ip route-static 1.1.3.0 255.255.255.0 1.1.5.2
 ip route-static 10.1.1.0 255.255.255.0 Tunnel1
#
security-policy
  rule name policy1
    source-zone trust
    destination-zone untrust
    source-address 10.1.2.0 mask 255.255.255.0
    destination-address 10.1.1.0 mask 255.255.255.0
    action permit
  rule name policy2
    source-zone untrust
    destination-zone trust
    source-address 10.1.1.0 mask 255.255.255.0
    destination-address 10.1.2.0 mask 255.255.255.0
    action permit
  rule name policy3
    source-zone local
    destination-zone untrust
    source-address 1.1.5.1 mask 255.255.255.255
    destination-address 1.1.3.1 mask 255.255.255.255
    action permit
  rule name policy4
    source-zone untrust
    destination-zone local
    source-address 1.1.3.1 mask 255.255.255.255
    destination-address 1.1.5.1 mask 255.255.255.255
    action permit
#
return
Parent Topic: IPSec
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >