GRE over IPSec
即 IPSec 在最外层(或称最底层)。意思是先在 R1 与 R2 之间建立 IPSec Tunnel,把里面的 GRE Tunnel 整个进行加密,Routing Protocol 在 GRE Tunnel 里面完成 Route 交换,最后 Data 在 GRE Tunnel 里面传送。从下图所见,因整个 GRE Tunnel 被加密,所以里面的 Routing Protocol 及 Data 都会被加密。
GRE over IPSec隧道示例
配置思路
采用如下思路配置虚拟隧道接口建立GRE over IPSec隧道:
1.配置物理接口的IP地址和到对端的静态路由,保证两端路由可达。
2.配置GRE Tunnel接口。
3.配置IPSec安全提议,定义IPSec的保护方法。
4.配置IKE对等体,定义对等体间IKE协商时的属性。
5.配置安全框架,并引用安全提议和IKE对等体。
6.在Tunnel接口上应用安全框架,使接口具有IPSec的保护功能。
7.配置Tunnel接口的转发路由,将需要IPSec保护的数据流引到Tunnel接口。
#
sysname RouterA
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer spub
undo version 2
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
ike-proposal 5
#
ipsec profile profile1
ike-peer spub
proposal tran1
#
interface Tunnel0/0/0
ip address 192.168.1.1 255.255.255.0
tunnel-protocol gre
source 1.1.1.1
destination 2.1.1.1
ipsec profile profile1
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
ip route-static 10.1.2.0 255.255.255.0 tunnel0/0/0
#
return
•RouterB的配置文件
#
sysname RouterB
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer spua
undo version 2
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
ike-proposal 5
#
ipsec profile profile1
ike-peer spua
proposal tran1
#
interface Tunnel0/0/0
ip address 192.168.1.2 255.255.255.0
tunnel-protocol gre
source 2.1.1.1
destination 1.1.1.1
ipsec profile profile1
#
interface GigabitEthernet1/0/0
ip address 2.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
ip route-static 10.1.1.0 255.255.255.0 tunnel0/0/0
#
return
IPSec over GRE
即 GRE 在最外层(或称最底层)。在 R1 与 R2 之间先建立 GRE Tunnel,在 GRE Tunnel 里面再建 IPSec Tunnel,有趣的是:由于 IPSec 并不支缓 Multicast,因此通常把 Routing Protocol 建在 GRE Tunnel 进行 Route 交换,并无加密,只有 Data 在 IPSec Tunnel 里面被加密。如坚持把 Routing Protocol 也放在 IPSec Tunnel 中,可以透过设定 Unicast IP Address 建立 Neighbor,但这样做 Router 就无法自动建立 Neighbor 关系,如果 Router 数量多起来,设定方面肯定比较痛苦。
IPSec over GRE隧道示例
配置思路
采用如下思路配置虚拟隧道接口建立IPSec over GRE隧道:
1.配置物理接口的IP地址和到对端的静态路由,保证两端路由可达。
2.配置GRE Tunnel接口。
3.配置IPSec安全提议,定义IPSec的保护方法。
4.配置IKE对等体,定义对等体间IKE协商时的属性。
5.配置安全框架,并引用安全提议和IKE对等体。
6.配置IPSec Tunnel接口,将IPSec Tunnel的源接口配置为GRE Tunnel接口;且IPSec Tunnel的目的地址的路由必须从GRE Tunnel接口出去。
7.在IPSec Tunnel接口上应用安全框架,使接口具有IPSec的保护功能。
8.配置IPSec Tunnel接口的转发路由,将需要IPSec保护的数据流引到IPSec Tunnel接口。
•Router_1的配置文件
#
sysname Router_1
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer spub
undo version 2
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
ike-proposal 5
#
ipsec profile profile1
ike-peer spub
proposal tran1
#
interface Tunnel0/0/0
ip address 192.168.1.1 255.255.255.0
tunnel-protocol gre
source 1.1.1.1
destination 2.1.1.1
#
interface Tunnel0/0/1
ip address 192.168.2.1 255.255.255.0
tunnel-protocol ipsec
source Tunnel0/0/0
destination 192.168.1.2
ipsec profile profile1
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
ip route-static 10.1.2.0 255.255.255.0 tunnel0/0/1
ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
#
return
•Router_2的配置文件
#
sysname Router_2
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer spua
undo version 2
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
ike-proposal 5
#
ipsec profile profile1
ike-peer spua
proposal tran1
#
interface Tunnel0/0/0
ip address 192.168.1.2 255.255.255.0
tunnel-protocol gre
source 2.1.1.1
destination 1.1.1.1
#
interface Tunnel0/0/1
ip address 192.168.2.2 255.255.255.0
tunnel-protocol ipsec
source Tunnel0/0/0
destination 192.168.1.1
ipsec profile profile1
#
interface GigabitEthernet1/0/0
ip address 2.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 tunnel0/0/1
ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
#
return