GRE Over IPSec（华为USG）—— 2种方法

一、拓扑图

在FW1和FW2间建立GRE Over IPSec，使PC1、PC2互通

二、底层配置

R1：

sysname R1
#
interface GigabitEthernet0/0/0
 ip address 155.1.121.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 155.1.131.1 255.255.255.0
#
interface LoopBack0
 ip address 150.1.1.1 255.255.255.255
#

防火墙基础配置
配置接口IP地址，并将接口划分到安全区域
配置安全策略，放行防火墙自身发起的流量
配置缺省静态路由

FW1：

sysname FW1
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 155.1.121.12 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.12 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 add interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0.0.0.0 155.1.121.1
#
security-policy
 rule name local->any
  source-zone local
  action permit
#

FW2：

sysname FW2
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 155.1.131.13 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.2.13 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 add interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0.0.0.0 155.1.131.1
#
security-policy
 rule name local->any
  source-zone local
  action permit
#

测试访问R1的Loopback

三、配置GRE

Tunnel接口划分到DMZ区域
放行untrust到local的gre流量（GRE协议号47）

FW1：

interface Tunnel0
 ip address 10.0.0.12 255.255.255.0
 tunnel-protocol gre
 source GigabitEthernet1/0/0
 destination 155.1.131.13
 service-manage ping permit
 #
 firewall zone dmz
 add interface Tunnel0
#
security-policy
 rule name out->local
  source-zone untrust
  destination-zone local
  service gre
  action permit
#

FW2：

interface Tunnel0
 ip address 10.0.0.13 255.255.255.0
 tunnel-protocol gre
 source GigabitEthernet1/0/0
 destination 155.1.121.12
 service-manage ping permit
 #
 firewall zone dmz
 add interface Tunnel0
#
security-policy
 rule name out->local
  source-zone untrust
  destination-zone local
  service gre
  action permit
#

ping Tunnel接口

查看抓包

此时还没有加密

四、配置OSPF

把内网及Tunnel接口宣告到OSPF，千万不要宣告外网接口

FW1&FW2：

ospf 1
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
  #

查看OSPF邻居及路由

五、配置IPSec

提供两种配置方法：

• 接口调用ipsec policy
• 接口调用ipsec profile

封装模式为传输模式，隧道模式虽然也可以，但是报头比传输模式大，增加开销
ACL匹配GRE流量
在物理接口调用ipsec policy

方法一（调用ipsec policy）

FW1：

ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
 authentication-method pre-share
#
ike peer FW2
 pre-shared-key huawei@123
 ike-proposal 10
 remote-address 155.1.131.13
#
ipsec proposal PRO1
 encapsulation-mode transport
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
acl number 3000
 rule 5 permit gre
#
ipsec policy FW1_FW2 10 isakmp
 security acl 3000
 ike-peer FW2
 proposal PRO1
#
interface GigabitEthernet1/0/0
  ipsec policy FW1_FW2
#

FW2：

ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
 authentication-method pre-share
#
ike peer FW1
 pre-shared-key huawei@123
 ike-proposal 10
 remote-address 155.1.121.12
#
ipsec proposal PRO1
 encapsulation-mode transport
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
acl number 3000
 rule 5 permit gre
#
ipsec policy FW1_FW2 10 isakmp
 security acl 3000
 ike-peer FW1
 proposal PRO1
#
interface GigabitEthernet1/0/0
  ipsec policy FW1_FW2
#

方法二（调用ipsec profile）

FW1：

ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
 authentication-method pre-share
#
ike peer FW2
 pre-shared-key huawei@123
 ike-proposal 10
 remote-address 155.1.131.13
#
ipsec proposal PRO1
 encapsulation-mode transport
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec profile FW1_FW2
 ike-peer FW2
 proposal PRO1
#
interface Tunnel0
 ipsec profile FW1_FW2
#

FW2：

ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
 authentication-method pre-share
#
ike peer FW1
 pre-shared-key huawei@123
 ike-proposal 10
 remote-address 155.1.121.12
#
ipsec proposal PRO1
 encapsulation-mode transport
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec profile FW1_FW2
 ike-peer FW2
 proposal PRO1
#
interface Tunnel0
 ipsec profile FW1_FW2
 #

六、配置安全策略

由于GRE被IPSec加密，untrust到local的流量放行esp和ike的流量

• ike的udp端口号500
• esp协议号50

允许外部流量主动访问内网

• 放行dmz到trust的流量

允许内部流量主动发起访问

• 放行trust->dmz的流量

FW1：

security-policy
 rule name out->local
  source-zone untrust
  destination-zone local
  service esp
  undo service gre
  action permit
 rule name vpn_in
  source-zone dmz
  destination-zone trust
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  action permit
 rule name vpn_out
  source-zone trust
  destination-zone dmz
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
#

FW2:

security-policy
 rule name local->any
  source-zone local
  action permit
 rule name out->local
  source-zone untrust
  destination-zone local
  service esp
  action permit
 rule name vpn_in
  source-zone dmz
  destination-zone trust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
 rule name vpn_out
  source-zone trust
  destination-zone dmz
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  action permit
#

查看IKE SA

测试PC互访

抓包

流量已被加密

查看IPSec SA

拓展

PC1访问PC2，查看FW1的会话表

FW1发出的ESP报文对应的方向为untrust->local，表示FW1在接收ESP报文，实际上不应该是FW1发出ESP报文，对应方向为local->untrust吗？

原来FW1加密后发出的ESP报文是不建立会话的，不走防火墙转发流程，当然也不做安全策略检查。但是防火墙收到ESP报文进行解密时，需要先建会话走转发流程，做安全策略检查，所以这条会话对应FW1接收到的ESP报文。ISAKMP协商报文的收发都需要走转发流程，所以不存在这个问题。