H3C 路由器

GRE over IPsec典型配置

目  录

1 简介

2 配置前提

3 典型配置

3.1 组网需求

3.2 配置思路

3.3 配置注意事项

3.4 配置步骤

3.4.1 Device A的配置

3.4.2 Device B的配置

3.5 验证配置

3.6 配置文件

1 简介

本文档介绍路由器GRE over IPsec典型配置的方法。

2 配置前提

本文档适用于使用Comware V7软件版本的路由器，如果使用过程中与产品实际情况有差异，请以设备实际情况为准。

本文档中的配置均是在实验室环境下进行的配置和验证，配置前设备的所有参数均采用出厂时的缺省配置。如果您已经对设备进行了配置，为了保证配置效果，请确认现有配置和以下举例中的配置不冲突。

本文档假设您已了解IPsec特性。

3 典型配置

3.1  组网需求

如图3-1所示，Device A和Device B之间通过GRE隧道传输数据，要求对通过GRE隧道的数据进行IPsec加密处理。

图3-1 GRE over IPsec组网图

3.2  配置思路

·     为了对经GRE封装的数据进行IPsec加密，将IPsec策略应用在物理接口上，访问控制列表源和目的地址为物理接口地址。

·     为了使IPsec保护整个GRE隧道，应用IPsec策略的接口和GRE隧道源、目的接口必须是同一接口。

3.3  配置注意事项

在开始配置之前，请确保Device A的GE1/0/2接口和Device B的GE1/0/2接口之间IPv4报文路由可达。

3.4  配置步骤

3.4.1  Device A的配置

(1)     配置各接口IP地址。

# 配置接口GigabitEthernet1/0/1的IP地址。

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0

[DeviceA-GigabitEthernet1/0/1] quit

# 配置接口GigabitEthernet1/0/2的IP地址。

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] ip address 1.1.1.1 255.255.255.0

[DeviceA-GigabitEthernet1/0/2] quit

(2)     配置GRE隧道。

# 创建Tunnel0接口，并指定隧道模式为GRE over IPv4隧道。

[DeviceA] interface tunnel 0 mode gre

# 配置Tunnel0接口的IP地址为10.1.1.1/24。

[DeviceA-Tunnel0] ip address 10.1.1.1 255.255.255.0

# 配置Tunnel0接口的源端地址为1.1.1.1/24（Device A的GigabitEthernet1/0/2的IP地址）。

[DeviceA-Tunnel0] source 1.1.1.1

# 配置Tunnel0接口的目的端地址为2.2.2.1/24（Device B的GigabitEthernet1/0/2的IP地址）。

[DeviceA-Tunnel0] destination 2.2.2.1

[DeviceA-Tunnel0] quit

(3)     配置ACL。

# 创建ACL3000，定义需要IPsec保护的数据流。

[DeviceA] acl number 3000

[DeviceA-acl-adv-3000] rule 0 permit gre source 1.1.1.1 0 destination 2.2.2.1 0

[DeviceA-acl-adv-3000] quit

(4)     配置静态路由。

# 配置从Device A经过Tunnel0接口到Host B所在子网的静态路由。

[DeviceA] ip route-static 192.168.2.1 255.255.255.0 tunnel 0

(5)     配置IPsec VPN。

# 配置IKE keychain。

[DeviceA] ike keychain keychain1

[DeviceA-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&!

[DeviceA-ike-keychain-keychain1] quit

# 配置IPsec安全提议。

[DeviceA] ipsec transform-set tran1

[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des

[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceA-ipsec-transform-set-tran1] quit

# 创建一条IKE协商方式的IPsec安全策略，名称为policy1，序列号为1。

[DeviceA] ipsec policy policy1 1 isakmp

[DeviceA-ipsec-policy-isakmp-policy1-1] security acl 3000

[DeviceA-ipsec-policy-isakmp-policy1-1] remote-address 2.2.2.1

[DeviceA-ipsec-policy-isakmp-policy1-1] transform-set tran1

[DeviceA-ipsec-policy-isakmp-policy1-1] quit

# 在接口GigabitEthernet1/0/2上应用安全策略。

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] ipsec apply policy policy1

[DeviceA-GigabitEthernet1/0/2] quit

3.4.2  Device B的配置

(1)     配置各接口IP地址。

# 配置接口GigabitEthernet1/0/1的IP地址。

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ip address 192.168.2.1 255.255.255.0

[DeviceB-GigabitEthernet1/0/1] quit

# 配置接口GigabitEthernet1/0/2的IP地址。

[DeviceB] interface gigabitethernet 1/0/2

[DeviceB-GigabitEthernet1/0/2] ip address 2.2.2.1 255.255.255.0

[DeviceB-GigabitEthernet1/0/2] quit

(2)     配置GRE隧道。

# 创建Tunnel0接口，并指定隧道模式为GRE over IPv4隧道。

[DeviceB] interface tunnel 0 mode gre

# 配置Tunnel0接口的IP地址为10.1.1.2/24。

[DeviceB-Tunnel0] ip address 10.1.1.2 255.255.255.0

# 配置Tunnel0接口的源端地址为2.2.2.1/24（Device B的GigabitEthernet1/0/2的IP地址）。

[DeviceB-Tunnel0] source 2.2.2.1

# 配置Tunnel0接口的目的端地址为1.1.1.1/24（Device A的GigabitEthernet1/0/2的IP地址）。

[DeviceB-Tunnel0] destination 1.1.1.1

[DeviceB-Tunnel0] quit

(3)     配置静态路由。

# 配置从DeviceB经过Tunnel0接口到Host A所在子网的静态路由。

[DeviceB] ip route-static 192.168.1.1 255.255.255.0 tunnel 0

(4)     创建ACL。

# 创建ACL3000，定义需要IPsec保护的数据流。

[DeviceB] acl number 3000

[DeviceB-acl-adv-3000] rule 0 permit gre source 2.2.2.1 0 destination 1.1.1.1 0

[DeviceB-acl-adv-3000] quit

(5)     配置IPsec VPN。

# 配置IKE keychain。

[DeviceB] ike keychain keychain1

[DeviceB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!

[DeviceB-ike-keychain-keychain1] quit

# 配置IPsec安全提议。

[DeviceB] ipsec transform-set tran1

[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des

[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceB-ipsec-transform-set-tran1] quit

# 创建一条IKE协商方式的IPsec安全策略，名称为policy1，序列号为1。

[DeviceB] ipsec policy policy1 1 isakmp

[DeviceB-ipsec-policy-isakmp-policy1-1] security acl 3000

[DeviceB-ipsec-policy-isakmp-policy1-1] remote-address 1.1.1.1

[DeviceB-ipsec-policy-isakmp-policy1-1] transform-set tran1

[DeviceB-ipsec-policy-isakmp-policy1-1] quit

# 在接口GigabitEthernet1/0/2上应用安全策略。

[DeviceB] interface gigabitethernet 1/0/2

[DeviceB-GigabitEthernet1/0/2] ipsec apply policy policy1

[DeviceB-GigabitEthernet1/0/2] quit

3.5  验证配置

# 以Host A向Host B发起通信为例，从192.168.1.2 ping 192.168.2.2，会触发IPsec协商，建立IPsec隧道，在成功建立IPsec隧道后，可以ping通。

C:\Users> ping 192.168.2.2

Pinging 192.168.2.2 with 32 bytes of data:

Request timed out.

Reply from 192.168.2.2: bytes=32 time=2ms TTL=254

Reply from 192.168.2.2: bytes=32 time=2ms TTL=254

Reply from 192.168.2.2: bytes=32 time=1ms TTL=254

Ping statistics for 192.168.2.2:

    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 2ms, Average = 1ms

# 在Device A上使用display ike sa命令，可以看到第一阶段的SA正常建立。

<DeviceA> display ike sa

    Connection-ID   Remote                Flag         DOI

------------------------------------------------------------------

    2               2.2.2.1               RD           IPSEC

Flags:

RD--READY RL--REPLACED FD-FADING

# 在Device A上使用display ipsec sa命令可以看到IPsec SA的建立情况。

<DeviceA> display ipsec sa

-------------------------------

Interface: GigabitEthernet1/0/2

-------------------------------

  -----------------------------

  IPsec policy: policy1

  Sequence number: 1

  Mode: isakmp

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect forward secrecy:

    Path MTU: 1443

    Tunnel:

        local  address: 1.1.1.1

        remote address: 2.2.2.1

    Flow:

    sour addr: 1.1.1.1/255.255.255.255  port: 0  protocol: gre

    dest addr: 2.2.2.1/255.255.255.255  port: 0  protocol: gre

    [Inbound ESP SAs]

      SPI: 2130348402 (0x7efa8972)

      Transform set:  ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843199/3573

      Max received sequence-number: 3

      Anti-replay check enable: Y

      Anti-replay window size: 64

      UDP encapsulation used for NAT traversal: N

      Status: Active

    [Outbound ESP SAs]

      SPI: 2811839266 (0xa7994322)

      Transform set:  ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843199/3573

      Max sent sequence-number: 3

      UDP encapsulation used for NAT traversal: N

      Status: Active

# 在Device A上通过命令display interface tunnel 0可以查看经过GRE隧道传输的流量情况。

<DeviceA> display interface tunnel 0

Tunnel0

Current state: UP

Line protocol state: UP

Description: Tunnel0 Interface

Bandwidth: 64kbps

Maximum Transmit Unit: 1476

Internet Address is 10.1.1.1/24 Primary

Tunnel source 1.1.1.1, destination 2.2.2.1

Tunnel keepalive disabled

Tunnel TTL 255

Tunnel protocol/transport GRE/IP

    GRE key disabled

    Checksumming of GRE packets disabled

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 43 packets, 3480 bytes, 0 drops

Output: 45 packets, 3740 bytes, 2 drops

# 从Host B向Host A发起通信验证方法相同，此不赘述。

3.6  配置文件

·     Device A：

#

interface GigabitEthernet1/0/1

 ip address 192.168.1.1 255.255.255.0

#

interface GigabitEthernet1/0/2

 ip address 1.1.1.1 255.255.255.0

ipsec apply policy policy1

#

interface Tunnel0 mode gre

 ip address 10.1.1.1 255.255.255.0

 source 1.1.1.1

 destination 2.2.2.1

#

ip route-static 192.168.2.1 24 Tunnel0

#

acl number 3000

 rule 0 permit gre source 1.1.1.1 0 destination 2.2.2.1 0

#

ipsec transform-set tran1

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec policy policy1 1 isakmp

 transform-set tran1

 security acl 3000

 remote-address 2.2.2.1

#

ike keychain keychain1

 pre-shared-key address 2.2.2.1 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8

qp4hMMjV/iteA==

#

·     Device B：

#

interface GigabitEthernet1/0/1

 ip address 192.168.2.1 255.255.255.0

#

interface GigabitEthernet1/0/2

 ip address 2.2.2.1 255.255.255.0

ipsec apply policy policy1

#

interface Tunnel0 mode gre

 ip address 10.1.1.2 255.255.255.0

 source 2.2.2.1

 destination 1.1.1.1

#

ip route-static 192.168.1.1 24 Tunnel0

#

acl number 3000

 rule 0 permit gre source 2.2.2.1 0 destination 1.1.1.1 0

#

ipsec transform-set tran1

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec policy policy1 1 isakmp

 transform-set tran1

 security acl 3000

 remote-address 1.1.1.1

#

ike keychain keychain1

 pre-shared-key address 1.1.1.1 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8

qp4hMMjV/iteA==

#