Huawei GRE over IPsec

IPsec by itself only protects unicast traffic, so a routing protocol cannot run across a plain IPsec tunnel (OSPF hellos, for example, go to the multicast address 224.0.0.5). When the networks at the two sites are large, maintaining static routes for every prefix on both ends becomes impractical.
GRE can encapsulate multicast packets (and anything else) inside unicast IP packets. Running GRE inside IPsec, i.e. GRE over IPsec, therefore lets the routing protocol run through the tunnel while every GRE packet, multicast payload included, is authenticated and encrypted.
[Figure 1]

1. Interface configuration
//R1
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]ip address 12.0.0.1 24

[r1-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[r1-GigabitEthernet0/0/1]ip address 10.1.1.1 24
//R2
[r2]interface GigabitEthernet 0/0/0
[r2-GigabitEthernet0/0/0]ip address 12.0.0.2 24

[r2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[r2-GigabitEthernet0/0/1]ip address 23.0.0.2 24
//R3
[r3]interface GigabitEthernet 0/0/0
[r3-GigabitEthernet0/0/0]ip address 34.0.0.3 24

[r3-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[r3-GigabitEthernet0/0/1]ip address 23.0.0.3 24
//R4
[r4]interface GigabitEthernet 0/0/0
[r4-GigabitEthernet0/0/0]ip address 34.0.0.4 24

[r4-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[r4-GigabitEthernet0/0/1]ip address 10.4.4.1 24
2. Provider network: OSPF so that the tunnel endpoints R1 and R4 can reach each other
Process 14 is the provider (underlay) OSPF. The customer OSPF in step 5 deliberately uses a different process, so the tunnel destination address is only ever learned from the underlay, never through the tunnel itself.
//R1
[r1]ospf 14 router-id 1.1.1.1
[r1-ospf-14]area 0
[r1-ospf-14-area-0.0.0.0]network 12.0.0.0 0.0.0.255
//R2
[r2]ospf 14 router-id 2.2.2.2
[r2-ospf-14]area 0
[r2-ospf-14-area-0.0.0.0]network 12.0.0.0 0.0.0.255
[r2-ospf-14-area-0.0.0.0]network 23.0.0.0 0.0.0.255

//R3
[r3]ospf 14 router-id 3.3.3.3
[r3-ospf-14]area 0
[r3-ospf-14-area-0.0.0.0]network 34.0.0.0 0.0.0.255
[r3-ospf-14-area-0.0.0.0]network 23.0.0.0 0.0.0.255
//R4
[r4]ospf 14 router-id 4.4.4.4
[r4-ospf-14]area 0
[r4-ospf-14-area-0.0.0.0]network 34.0.0.0 0.0.0.255
3. GRE tunnel between R1 and R4
//R1
[r1]interface Tunnel 0/0/0
[r1-Tunnel0/0/0]ip address 100.0.0.1 24
[r1-Tunnel0/0/0]tunnel-protocol gre
[r1-Tunnel0/0/0]source 12.0.0.1          // tunnel source: the address of the physical interface that actually sends the packets (R1 G0/0/0)
[r1-Tunnel0/0/0]destination 34.0.0.4     // tunnel destination: the address of the physical interface that receives them (R4 G0/0/0)
// Watch out: it is easy to type "description 34.0.0.4" instead of "destination 34.0.0.4". "description" is a valid command (it sets the interface description text), so no error is reported, but the tunnel has no destination and never comes up.
// Check the interface: display interface Tunnel 0/0/0

//R4
[r4]interface Tunnel 0/0/0
[r4-Tunnel0/0/0]ip address 100.0.0.2 24  // tunnel address on R4; must be in the same subnet as R1's 100.0.0.1/24 (step 5 advertises it)
[r4-Tunnel0/0/0]tunnel-protocol gre
[r4-Tunnel0/0/0]source 34.0.0.4
[r4-Tunnel0/0/0]destination 12.0.0.1

[Figure 2]

4. Protecting the GRE tunnel with IPsec
Two alternative ways to do this; configure one of them, not both.

Method 1: ACL-based IPsec policy applied on the physical (WAN) interface
//R1

[r1]acl 3001
[r1-acl-adv-3001]rule 5 permit gre source 12.0.0.1 0 destination 34.0.0.4 0   // what is protected is the GRE tunnel itself: the packets leaving G0/0/0 are GRE (IP protocol 47) between the two tunnel endpoints, so the ACL matches those, not the LAN prefixes 10.1.1.0/24 and 10.4.4.0/24


[r1]ipsec proposal ipsec_r1        // IPsec proposal; with nothing else configured the platform defaults for ESP algorithms apply, so set them explicitly outside a lab
[r1]ike proposal 1                 // IKE proposal (same remark: defaults apply unless algorithms are set)

[r1]ike peer ike_r1 v2             // IKE peer using IKEv2
[r1-ike-peer-ike_r1]ike-proposal 1              // bind the IKE proposal
[r1-ike-peer-ike_r1]pre-shared-key simple 123   // pre-shared key; "simple" keeps it in clear text in the configuration, so use "cipher" and a long random key outside a lab
[r1-ike-peer-ike_r1]remote-address 34.0.0.4     // address of the peer

[r1]ipsec policy po_r1 1 isakmp    // IPsec policy, IKE-negotiated
[r1-ipsec-policy-isakmp-po_r1-1]security acl 3001   // reference the ACL; the number must be the one the ACL was created with
[r1-ipsec-policy-isakmp-po_r1-1]ike-peer ike_r1     // bind the IKE peer
[r1-ipsec-policy-isakmp-po_r1-1]proposal ipsec_r1   // bind the IPsec proposal

//R4
[r4]acl 3001
[r4-acl-adv-3001]rule 5 permit gre source 34.0.0.4 0 destination 12.0.0.1 0   // exact mirror of R1's rule; if the two rules do not mirror each other the SA negotiation fails

[r4]ipsec proposal ipsec_r4
[r4]ike proposal 1
[r4]ike peer ike_r4 v2
[r4-ike-peer-ike_r4]pre-shared-key simple 123
[r4-ike-peer-ike_r4]ike-proposal 1
[r4-ike-peer-ike_r4]remote-address 12.0.0.1

[r4]ipsec policy po_r4 1 isakmp
[r4-ipsec-policy-isakmp-po_r4-1]security acl 3001
[r4-ipsec-policy-isakmp-po_r4-1]ike-peer ike_r4
[r4-ipsec-policy-isakmp-po_r4-1]proposal ipsec_r4

#Apply the policy on the physical interface that carries the tunnel (G0/0/0 on R1 and on R4, not the Tunnel interface)
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]ipsec policy po_r1

[r4]interface GigabitEthernet 0/0/0
[r4-GigabitEthernet0/0/0]ipsec policy po_r4

Method 2: IPsec profile applied on the Tunnel interface

With a profile there is no ACL: everything that leaves the Tunnel interface is protected. The IKE peer needs no remote-address, because the tunnel destination is used as the peer address.
//R1
[r1]ipsec proposal ipsec_r1        // IPsec proposal (defaults apply unless algorithms are set, as in Method 1)

[r1]ike proposal 1                 // IKE proposal

[r1]ike peer ike_r1 v2             // IKE peer using IKEv2
[r1-ike-peer-ike_r1]ike-proposal 1              // bind the IKE proposal
[r1-ike-peer-ike_r1]pre-shared-key simple 123   // pre-shared key (clear text; use "cipher" and a strong key outside a lab)


[r1]ipsec profile fi_r1            // IPsec profile (used instead of a policy)
[r1-ipsec-profile-fi_r1]ike-peer ike_r1     // bind the IKE peer
[r1-ipsec-profile-fi_r1]proposal ipsec_r1   // bind the IPsec proposal

//R4
[r4]ipsec proposal ipsec_r4

[r4]ike proposal 1

[r4]ike peer ike_r4 v2
[r4-ike-peer-ike_r4]pre-shared-key simple 123
[r4-ike-peer-ike_r4]ike-proposal 1

[r4]ipsec profile fi_r4
[r4-ipsec-profile-fi_r4]ike-peer ike_r4
[r4-ipsec-profile-fi_r4]proposal ipsec_r4

#Apply the profile on the Tunnel interface of both routers
[r1]interface Tunnel 0/0/0
[r1-Tunnel0/0/0]ipsec profile fi_r1

[r4]interface Tunnel 0/0/0
[r4-Tunnel0/0/0]ipsec profile fi_r4

5. Customer OSPF: a separate OSPF process whose adjacency forms over the Tunnel interface and carries the site routes
//R1
[r1]ospf 1 router-id 1.1.1.1
[r1-ospf-1]area 0
[r1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[r1-ospf-1-area-0.0.0.0]network 100.0.0.0 0.0.0.255    // the GRE tunnel subnet (100.0.0.1 on R1)

//R4
[r4]ospf 1 router-id 4.4.4.4
[r4-ospf-1]area 0
[r4-ospf-1-area-0.0.0.0]network 10.4.4.0 0.0.0.255
[r4-ospf-1-area-0.0.0.0]network 100.0.0.0 0.0.0.255    // the GRE tunnel subnet (100.0.0.2 on R4)
Do not advertise the WAN subnets (12.0.0.0/24, 34.0.0.0/24) in process 1: if the tunnel destination were ever learned through the tunnel, the tunnel would route into itself (recursive routing) and flap.
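The page's proposals accept whatever algorithms the platform defaults to. As an added example (not part of the original page), here is the complete Method 2 configuration for R1 with the IKE and ESP algorithms chosen explicitly, the pre-shared key stored with `cipher`, PFS enabled, and the checks to run once step 5 is in place. The syntax is that of AR-series VRP, the same family the page's `ike peer ... v2` form comes from; the key value is a placeholder, and the IKE proposal keywords `integrity-algorithm` and `prf` are IKEv2-specific and version-dependent (newer releases also set the IKE version with `version 2` inside the peer instead of `v2` on the `ike peer` line). R4 is the mirror image: the same commands with the R4 object names and 100.0.0.2 as the tunnel address.

```text
//R1, Method 2 with explicit algorithms (assumed AR-series VRP syntax; check the command reference for your release)
[r1]ike proposal 1
[r1-ike-proposal-1]authentication-method pre-share
[r1-ike-proposal-1]encryption-algorithm aes-256        // the page leaves this at the platform default
[r1-ike-proposal-1]authentication-algorithm sha2-256
[r1-ike-proposal-1]integrity-algorithm hmac-sha2-256   // IKEv2 integrity (version-dependent keyword)
[r1-ike-proposal-1]prf hmac-sha2-256                   // IKEv2 PRF (version-dependent keyword)
[r1-ike-proposal-1]dh group14                          // 2048-bit MODP instead of the group1/group2 defaults
[r1-ike-proposal-1]quit

[r1]ike peer ike_r1 v2
[r1-ike-peer-ike_r1]ike-proposal 1
[r1-ike-peer-ike_r1]pre-shared-key cipher Gre-Ipsec-Lab-Key-2024   // "cipher" stores it encrypted; the value is a placeholder, use a long random key
[r1-ike-peer-ike_r1]quit

[r1]ipsec proposal ipsec_r1
[r1-ipsec-proposal-ipsec_r1]transform esp
[r1-ipsec-proposal-ipsec_r1]encapsulation-mode tunnel
[r1-ipsec-proposal-ipsec_r1]esp encryption-algorithm aes-256       // the page leaves this at the platform default
[r1-ipsec-proposal-ipsec_r1]esp authentication-algorithm sha2-256
[r1-ipsec-proposal-ipsec_r1]quit

[r1]ipsec profile fi_r1
[r1-ipsec-profile-fi_r1]ike-peer ike_r1
[r1-ipsec-profile-fi_r1]proposal ipsec_r1
[r1-ipsec-profile-fi_r1]pfs dh-group14        // fresh DH exchange for every IPsec SA, so a leaked IKE key does not expose old traffic
[r1-ipsec-profile-fi_r1]quit

[r1]interface Tunnel 0/0/0
[r1-Tunnel0/0/0]ipsec profile fi_r1
[r1-Tunnel0/0/0]quit

//Verification from R1, after step 5 is configured on both sides
<r1>display ike sa                       // expect one IKEv2 SA to 34.0.0.4 with flag RD (ready)
<r1>display ipsec sa                     // expect an inbound and an outbound ESP SA bound to Tunnel0/0/0
<r1>display ospf 1 peer                  // expect neighbour 4.4.4.4 in Full state over Tunnel0/0/0
<r1>display ip routing-table 10.4.4.0    // expect an OSPF route via Tunnel0/0/0, never via GigabitEthernet0/0/0
<r1>ping -a 10.1.1.1 10.4.4.1            // LAN-to-LAN test; afterwards "display ipsec statistics esp" must show the counters increasing
```

If `display ike sa` shows nothing, the negotiation never started: check that the Tunnel interface is up (`display interface Tunnel 0/0/0`) and that the proposals and the key are identical on both routers. If the IKE SA exists but OSPF stays in Init/ExStart, suspect MTU: the GRE and ESP headers reduce the usable packet size on the tunnel, so test with a large ping before blaming the routing configuration.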

Extension
Steering traffic into the tunnel. Note: the dynamic routing of step 5 does the same job; the static alternative is to point the remote LAN at the tunnel interface.
On R1, send packets for 10.4.4.0/24 into the GRE tunnel:
[r1]ip route-static 10.4.4.0 255.255.255.0 Tunnel 0/0/0
R4 needs the mirror route, 10.1.1.0/24 via its own Tunnel 0/0/0, or return traffic never enters the tunnel.
