华为gre带验证key案例

配置FW_A。

a.配置接口的IP地址，并将接口加入安全区域。 system-view

$sysname$ sysname FW_A

$FW_A$ interface GigabitEthernet 1/0/1

$FW_A-GigabitEthernet1/0/1$ ip address 1.1.1.1 24

$FW_A-GigabitEthernet1/0/1$ quit

$FW_A$ interface GigabitEthernet 1/0/2

$FW_A-GigabitEthernet1/0/2$ ip address 10.1.1.1 24

$FW_A-GigabitEthernet1/0/2$ quit

$FW_A$ interface Tunnel 1

$FW_A-Tunnel1$ ip address 172.16.2.1 24

$FW_A-Tunnel1$ quit

$FW_A$ firewall zone untrust

$FW_A-zone-untrust$ add interface GigabitEthernet 1/0/1

$FW_A-zone-untrust$ quit

$FW_A$ firewall zone trust

$FW_A-zone-trust$ add interface GigabitEthernet 1/0/2

$FW_A-zone-trust$ quit

$FW_A$ firewall zone dmz

$FW_A-zone-dmz$ add interface tunnel 1

$FW_A-zone-dmz$ quit

b.配置路由，将需要经过GRE隧道传输的流量引入到GRE隧道中。

$FW_A$ ip route-static 10.1.2.0 24 Tunnel1

不用静态用ospf也可以

network发布隧道地址和内网地址

$FW_A$ ip route-static 0.0.0.0 0 1.1.1.2

c.配置Tunnel接口的封装参数。 $FW_A$ interface Tunnel 1

$FW_A-Tunnel1$ tunnel-protocol gre

$FW_A-Tunnel1$ source 1.1.1.1

$FW_A-Tunnel1$ destination 5.5.5.5

$FW_A-Tunnel1$ gre key cipher 123456 //gre连接验证

$FW_A-Tunnel1$ keepalive //验证对端是否存活，避免数据流量黑洞

d.配置域间安全策略。

配置Trust域和DMZ的域间安全策略，允许封装前的报文通过域间安全策略。

$FW_A$ security-policy

$FW_A-policy-security$ rule name policy1

$FW_A-policy-security-rule-policy1$ source-zone trust dmz

$FW_A-policy-security-rule-policy1$ destination-zone dmz trust

$FW_A-policy-security-rule-policy1$ action permit

$FW_A-policy-security-rule-policy1$ quit

配置Local和Untrust的域间安全策略，允许封装后的GRE报文通过域间安全策略。

$FW_A-policy-security$ rule name policy2

$FW_A-policy-security-rule-policy2$ source-zone local untrust

$FW_A-policy-security-rule-policy2$ destination-zone untrust local

$FW_A-policy-security-rule-policy2$ service gre

$FW_A-policy-security-rule-policy2$ action permit

$FW_A-policy-security-rule-policy2$ quit

2.配置FW_B。

a.配置接口的IP地址，并将接口加入安全区域。 system-view

$sysname$ sysname FW_B

$FW_B$ interface GigabitEthernet 1/0/1

$FW_B-GigabitEthernet1/0/1$ ip address 5.5.5.5 24

$FW_B-GigabitEthernet1/0/1$ quit

$FW_B$ interface GigabitEthernet 1/0/2

$FW_B-GigabitEthernet1/0/2$ ip address 10.1.2.1 24

$FW_B-GigabitEthernet1/0/2$ quit

$FW_B$ interface Tunnel 1

$FW_B-Tunnel1$ ip address 172.16.2.2 24

$FW_B-Tunnel1$ quit

$FW_B$ firewall zone untrust

$FW_B-zone-untrust$ add interface GigabitEthernet 1/0/1

$FW_B-zone-untrust$ quit

$FW_B$ firewall zone trust

$FW_B-zone-trust$ add interface GigabitEthernet 1/0/2

$FW_B-zone-trust$ quit

$FW_B$ firewall zone dmz

$FW_B-zone-dmz$ add interface tunnel 1

$FW_B-zone-dmz$ quit

b.配置路由，将需要经过GRE隧道传输的流量引入到GRE隧道中。

$FW_B$ ip route-static 10.1.1.0 24 Tunnel1

$FW_A$ ip route-static 0.0.0.0 0 5.5.5.1

c.配置Tunnel接口的封装参数。 $FW_B$ interface Tunnel 1

$FW_B-Tunnel1$ tunnel-protocol gre

$FW_B-Tunnel1$ source 5.5.5.5

$FW_B-Tunnel1$ destination 1.1.1.1

$FW_B-Tunnel1$ gre key cipher 123456

$FW_B-Tunnel1$ quit

d.配置域间安全策略。

配置Trust域和DMZ的域间安全策略，允许封装前的报文通过域间安全策略。

$FW_B$ security-policy

$FW_B-policy-security$ rule name policy1

$FW_B-policy-security-rule-policy1$ source-zone trust dmz

$FW_B-policy-security-rule-policy1$ destination-zone dmz trust

$FW_B-policy-security-rule-policy1$ action permit

$FW_B-policy-security-rule-policy1$ quit

配置Local和Untrust的域间安全策略，允许封装后的GRE报文通过域间安全策略。

$FW_B-policy-security$ rule name policy2

$FW_B-policy-security-rule-policy2$ source-zone local untrust

$FW_B-policy-security-rule-policy2$ destination-zone untrust local

$FW_B-policy-security-rule-policy2$ service gre

$FW_B-policy-security-rule-policy2$ action permit

$FW_B-policy-security-rule-policy2$ quit