GRE over IPSec configuration on the USG6000

GRE over IPSec VPN configuration on the USG6000

Configuration procedure:
1. Complete basic interface configuration, for example, configuring the IP address and adding the physical port to the related zone.
2. Enable the inter-zone security policy.
3. Configure the IPSec tunnel. Set the source and destination addresses of the sensitive traffic carried by the IPSec tunnel to the source and destination addresses of the GRE tunnel.
4. Configure the GRE tunnel. Set the source and destination addresses of the GRE tunnel to the source and destination addresses of the sensitive traffic carried by the IPSec tunnel.
Configuration example:
Topology:
Network A-----(10.1.1.1) NGFW_A-----INTERNET-----NGFW_B (10.1.2.1)------Network B

Note:
a. Network A (10.1.1.0/24) and network B (10.1.2.0/24) can access each other.
b. The public IP address of NGFW_A is 1.1.3.1, the public IP address of NGFW_B is 1.1.5.1, and the two addresses are reachable from each other over the public network.
c. The GRE over IPSec tunnel established between NGFW_A and NGFW_B meets the IPSec security requirements and can also carry broadcast and multicast packets over GRE.

1. Complete basic interface configuration, for example, configuring the IP address and adding the interface to the related zone.
2. Configure IPSec.
//Configure IPSec sensitive traffic.//
[USG_A]acl 3000
[USG_A-acl-adv-3000]rule 5 permit ip source 1.1.3.1 0.0.0.0 destination 1.1.5.1 0.0.0.0
[USG_B]acl 3000
[USG_B-acl-adv-3000]rule 5 permit ip source 1.1.5.1 0.0.0.0 destination 1.1.3.1 0.0.0.0
//Configure the IKE proposal and IPSec proposal. Use the default parameters.//
[USG_A-1]ike proposal 1
[USG_A-1-ike-proposal-1]quit
[USG_A-1]ipsec proposal 1
[USG_A-1-ipsec-proposal-1]quit
[USG_B-1]ike proposal 1
[USG_B-1-ike-proposal-1]quit
[USG_B-1]ipsec proposal 1
[USG_B-1-ipsec-proposal-1]quit
//Configure the IKE peer. The pre-shared key must be identical on both ends; 123456 is an example value.//
[USG_A-1]ike peer 1
[USG_A-1-ike-peer-1]pre-shared-key 123456
[USG_A-1-ike-peer-1]ike-proposal 1
[USG_A-1-ike-peer-1]remote-address 1.1.5.1
[USG_B-1]ike peer 1
[USG_B-1-ike-peer-1]pre-shared-key 123456
[USG_B-1-ike-peer-1]ike-proposal 1
[USG_B-1-ike-peer-1]remote-address 1.1.3.1
//Configure IPSec policies.//
[USG_A-1]ipsec policy p1 1 isakmp
[USG_A-1-ipsec-policy-isakmp-1-1]security acl 3000
[USG_A-1-ipsec-policy-isakmp-1-1]ike-peer 1
[USG_A-1-ipsec-policy-isakmp-1-1]proposal 1
[USG_A-1-ipsec-policy-isakmp-1-1]local-address 1.1.3.1
[USG_A-1-ipsec-policy-isakmp-1-1] interface GigabitEthernet1/0/1
[USG_A-1-GigabitEthernet1/0/1] ipsec policy p1 auto-neg
[USG_B-1]ipsec policy p1 1 isakmp
[USG_B-1-ipsec-policy-isakmp-1-1]security acl 3000
[USG_B-1-ipsec-policy-isakmp-1-1]ike-peer 1
[USG_B-1-ipsec-policy-isakmp-1-1]proposal 1
[USG_B-1-ipsec-policy-isakmp-1-1]local-address 1.1.5.1
[USG_B-1-ipsec-policy-isakmp-1-1] interface GigabitEthernet1/0/1
[USG_B-1-GigabitEthernet1/0/1] ipsec policy p1 auto-neg
3. Configure the GRE tunnel.
[USG_A-1]interface Tunnel 0
[USG_A-1-Tunnel0] ip address 10.3.1.1 255.255.255.0
[USG_A-1-Tunnel0]tunnel-protocol gre
[USG_A-1-Tunnel0] source 1.1.3.1
[USG_A-1-Tunnel0] destination 1.1.5.1
[USG_B-1]interface Tunnel 0
[USG_B-1-Tunnel0] ip address 10.3.1.2 255.255.255.0
[USG_B-1-Tunnel0]tunnel-protocol gre
[USG_B-1-Tunnel0] source 1.1.5.1
[USG_B-1-Tunnel0] destination 1.1.3.1
4. Add the GRE tunnel to the security zone and configure a tunnel route.
[USG_A-1]firewall zone untrust
[USG_A-1-zone-untrust]add interface Tunnel 0
[USG_A-1]ip route-static 10.1.2.0 255.255.255.0 Tunnel0
[USG_B-1]firewall zone untrust
[USG_B-1-zone-untrust]add interface Tunnel 0
[USG_B-1]ip route-static 10.1.1.0 255.255.255.0 Tunnel0
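
A consistency check for the procedure above, as an added example that is not part of the original page or of the vendor's documentation: it reads running-config style text and confirms that the IPSec ACL, the IKE remote-address and the IPSec local-address all match the GRE tunnel endpoints, and that the two firewalls mirror each other. The config strings are constructed from this page's addresses, and the function names are hypothetical.

```python
import re

# Constructed sample (running-config style) built from this page's addresses.
USG_A = """
acl 3000
 rule 5 permit ip source 1.1.3.1 0.0.0.0 destination 1.1.5.1 0.0.0.0
ike peer 1
 remote-address 1.1.5.1
ipsec policy p1 1 isakmp
 local-address 1.1.3.1
interface Tunnel0
 tunnel-protocol gre
 source 1.1.3.1
 destination 1.1.5.1
"""
# Peer B (constructed): the same text with the two public addresses swapped.
USG_B = USG_A.replace("1.1.3.1", "TMP").replace("1.1.5.1", "1.1.3.1").replace("TMP", "1.1.5.1")
# Constructed mistake: the ACL selects the inner (private) networks instead.
USG_A_BAD = USG_A.replace("source 1.1.3.1 0.0.0.0 destination 1.1.5.1 0.0.0.0",
                          "source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255")

def parse(cfg):
    """Extract the addresses that the procedure says must agree."""
    def grab(pattern):
        m = re.search(pattern, cfg)
        return m.groups() if m else None
    return {"acl": grab(r"rule \d+ permit \S+ source (\S+) (\S+) destination (\S+) (\S+)"),
            "gre": grab(r"tunnel-protocol gre\s+source (\S+)\s+destination (\S+)"),
            "remote": grab(r"remote-address (\S+)"),
            "local": grab(r"local-address (\S+)")}

def check(cfg):
    """Return the mismatches between the IPSec settings and the GRE tunnel."""
    p, problems = parse(cfg), []
    if not p["acl"] or not p["gre"]:
        return ["ACL rule or GRE tunnel not found"]
    src, src_wc, dst, dst_wc = p["acl"]
    if (src, dst) != p["gre"]:
        problems.append("ACL misses the GRE outer header: GRE is not selected for IPSec")
    if (src_wc, dst_wc) != ("0.0.0.0", "0.0.0.0"):
        problems.append("ACL wildcard covers more than the two tunnel endpoints")
    if (p["local"], p["remote"]) != ((p["gre"][0],), (p["gre"][1],)):
        problems.append("local-address / remote-address differ from the GRE endpoints")
    return problems

def mirrored(cfg_a, cfg_b):
    """True when B's ACL and GRE endpoints are A's with source and destination swapped."""
    a, b = parse(cfg_a), parse(cfg_b)
    return a["gre"] == b["gre"][::-1] and a["acl"][::2] == b["acl"][::2][::-1]
```

In USG_A_BAD the ACL names the private networks, but after GRE encapsulation the outer header carries 1.1.3.1 and 1.1.5.1, so check() reports that the GRE packets would not be selected for encryption.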
