
Configuration of Huawei Router IPSec-Over-GRE

Latest reply: Dec 27, 2018 07:32:11

Hi, everyone! Today I’m going to introduce the configuration of Huawei router IPSec-Over-GRE.

Branch 1 and branch 2 are connected to the central office through aggressive IPSec. In IPSec-Over-GRE mode, OSPF runs on the tunnel to implement communication between the headquarters and branches.

                 192.168.1.1/24
                       |
                    ROUTER1 202.101.1.2/30
                    |     |
                    |     |
           2.2 ROUTER2   ROUTER3 202.101.3.2/30
                  |         |
        192.168.2.1/24   192.168.3.1/24

[Center Configuration]

#
 sysname center
#
 ike local-name center / The IKE local-name of the center is center /
#
 router id 1.1.1.1
#
radius scheme system
#
domain system
#
ike peer branch1 / Configure the IKE peer for branch 1 /
 exchange-mode aggressive / Set IKE negotiation to aggressive mode /
 pre-shared-key abc / The pre-shared key is abc /
 id-type name / Select the name as the ID used in the IKE negotiation process /
 remote-name branch1 / The name of branch 1 is branch1 /
#
ike peer branch2 / Configure the IKE peer for branch 2 /
 exchange-mode aggressive
 pre-shared-key abc
 id-type name
 remote-name branch2
#
ipsec proposal 1 / Define the IPSec proposal /
#
ipsec policy branch1 10 isakmp / Configure the IPSec policy for branch 1 /
 security acl 3001 / Specify the number of the ACL referenced by the IPSec policy /
 ike-peer branch1 / Reference the IKE peer /
 proposal 1 / Reference the IPSec proposal /
#
ipsec policy branch2 20 isakmp / The configuration for branch 2 is similar to that for branch 1 /
 security acl 3002
 ike-peer branch2
 proposal 1
#
acl number 3001 / Define the intranet data flow from the center to branch 1 /
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3002 / Define the intranet data flow from the center to branch 2 /
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
interface Serial2/0
 link-protocol ppp
 ip address 202.101.1.2 255.255.255.252
#
interface Tunnel0 / Configure the GRE tunnel between the center and branch 1 /
 ip address 10.0.0.1 255.255.255.252
 source 202.101.1.2
 destination 202.101.2.2
 ipsec policy branch1 / Apply IPSec policy branch1 on Tunnel0 /
#
interface Tunnel1 / Configure the GRE tunnel between the center and branch 2 /
 ip address 10.0.0.5 255.255.255.252
 source 202.101.1.2
 destination 202.101.3.2
 ipsec policy branch2 / Apply IPSec policy branch2 on Tunnel1 /
#
interface NULL0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0 / Internal IP address of the center /
#
ospf 1
 area 0.0.0.10 / Branch 1 belongs to area 10 /
  network 10.0.0.0 0.0.0.3
 #
 area 0.0.0.20 / Branch 2 belongs to area 20 /
  network 10.0.0.4 0.0.0.3
 #
 area 0.0.0.0 / The headquarters belongs to area 0 /
  network 1.1.1.1 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
 ip route-static 0.0.0.0 0.0.0.0 202.101.1.1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return




[Configuration of Branch 1]

#
 sysname branch1
#
 ike local-name branch1 / The IKE local-name of branch 1 is branch1 /
#
radius scheme system
#
domain system
#
ike peer center / Configure the IKE peer for the center /
 exchange-mode aggressive / Set IKE negotiation to aggressive mode /
 pre-shared-key abc / The pre-shared key is abc /
 id-type name / Select the name as the ID used in the IKE negotiation process /
 remote-name center / The peer name is center /
 remote-address 10.0.0.1 / The peer IP address is 10.0.0.1 (the tunnel address of the central node) /
#
ipsec proposal 1 / Define the IPSec proposal /
#
ipsec policy branch1 10 isakmp / Configure the IPSec policy for the center /
 security acl 3001 / Specify the number of the ACL referenced by the IPSec policy /
 ike-peer center / Reference the IKE peer /
 proposal 1 / Reference the IPSec proposal /
#
acl number 3001 / Define the intranet data flow from branch 1 to the center /
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
interface Serial2/0
 link-protocol ppp
 ip address 202.101.2.2 255.255.255.252
#
interface Tunnel0 / Configure the GRE tunnel between branch 1 and the center /
 ip address 10.0.0.2 255.255.255.252
 source 202.101.2.2
 destination 202.101.1.2
 ipsec policy branch1 / Apply IPSec policy branch1 on Tunnel0 /
#
interface NULL0
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
interface Ethernet0/0 / Configure the internal IP address of branch 1 /
 ip address 192.168.2.1 255.255.255.0
#
ospf 1
 area 0.0.0.10 / Branch 1 belongs to area 10 /
  network 2.2.2.2 0.0.0.0
  network 10.0.0.0 0.0.0.3
  network 192.168.2.0 0.0.0.255
#
 ip route-static 0.0.0.0 0.0.0.0 202.101.2.1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return



[Configuration of Branch 2]

#
 sysname branch2
#
 ike local-name branch2 / The IKE local-name of branch 2 is branch2 /
#
radius scheme system
#
domain system
#
ike peer center / Configure the IKE peer for the center /
 exchange-mode aggressive / Set IKE negotiation to aggressive mode /
 pre-shared-key abc / The pre-shared key is abc /
 id-type name / Select the name as the ID used in the IKE negotiation process /
 remote-name center / The peer name is center /
 remote-address 10.0.0.5 / The peer address is 10.0.0.5 (the tunnel address of the central node) /
#
ipsec proposal 1 / Define the IPSec proposal /
#
ipsec policy branch2 10 isakmp / Configure the IPSec policy for the central node /
 security acl 3001 / Specify the number of the ACL referenced by the IPSec policy /
 ike-peer center / Reference the IKE peer /
 proposal 1 / Reference the IPSec proposal /
#
acl number 3001 / Define the intranet data flow from branch 2 to the center /
 rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
interface Serial2/0
 link-protocol ppp
 ip address 202.101.3.2 255.255.255.252
#
interface Tunnel0 / Configure the GRE tunnel between branch 2 and the center /
 ip address 10.0.0.6 255.255.255.252
 source 202.101.3.2
 destination 202.101.1.2
 ipsec policy branch2 / Apply IPSec policy branch2 on Tunnel0 /
#
interface NULL0
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
interface Ethernet0/0 / Configure the internal IP address of branch 2 /
 ip address 192.168.3.1 255.255.255.0
#
ospf 1
 area 0.0.0.20 / Branch 2 belongs to area 20 /
  network 3.3.3.3 0.0.0.0
  network 10.0.0.4 0.0.0.3
  network 192.168.3.0 0.0.0.255
#
 ip route-static 0.0.0.0 0.0.0.0 202.101.3.1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return

If you have any problems, please post them in our Community. We are happy to solve them for you!
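
A small offline check for configurations of this shape, added here as an example and not part of the original post: it flags IKE peers that pair aggressive mode with a short pre-shared key (aggressive mode sends the identities unprotected and exposes a hash derived from the key) and interfaces that apply an ipsec policy name that no policy block defines. The sample text, the function names and the MIN_PSK_LEN threshold are constructed assumptions.

```python
import re

# Constructed sample in the style of the center configuration above; the policy
# is defined as "center" but applied as "branch1" to exercise the cross-check.
SAMPLE = """\
#
ike peer branch1 / Configure the IKE peer for branch 1 /
 exchange-mode aggressive
 pre-shared-key abc / The pre-shared key is abc /
 id-type name
 remote-name branch1
#
ipsec policy center 10 isakmp
 security acl 3001
 ike-peer branch1
 proposal 1
#
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ipsec policy branch1
#
"""
MIN_PSK_LEN = 20  # assumed local policy threshold, not a vendor value

def sections(text):
    """Yield (header, sub-commands) per '#'-delimited block, minus '/ ... /' notes."""
    for block in re.split(r"^#[ \t]*$", text, flags=re.M):
        lines = [re.sub(r"\s+/\s.*$", "", l).strip() for l in block.splitlines()]
        lines = [l for l in lines if l]
        if lines:
            yield lines[0], lines[1:]

def audit(text):
    findings, defined, applied = [], set(), []
    for head, body in sections(text):
        if head.startswith("ike peer "):
            peer = head.split()[2]
            psk = next((l.split()[-1] for l in body if l.startswith("pre-shared-key ")), None)
            if psk and "exchange-mode aggressive" in body:
                findings.append(f"{peer}: aggressive mode with pre-shared key")
            if psk and len(psk) < MIN_PSK_LEN:
                findings.append(f"{peer}: pre-shared key shorter than {MIN_PSK_LEN} chars")
        elif m := re.match(r"ipsec policy (\S+) \d+ isakmp", head):
            defined.add(m.group(1))  # policy group defined at top level
        elif head.startswith("interface "):
            applied += [(head.split()[1], l.split()[2]) for l in body if l.startswith("ipsec policy ")]
    findings += [f"{i}: applies undefined ipsec policy {p}" for i, p in applied if p not in defined]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The key-length check assumes the key is stored in plain text, as it is in the configuration shown in the post.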


yiyi0519
Created Dec 21, 2018 08:36:17

It is very useful for a company which has many branches.

Hain
Created Dec 21, 2018 08:57:30

I come to the forum to see technical posts every day; sooner or later I will become an expert.

Yolanda_617
Created Dec 21, 2018 09:35:49

A very good share

xiaomumu
Created Dec 22, 2018 02:45:35

I still need more study to understand

user_2915719
Created Dec 22, 2018 05:45:03

Advanced feature for me to understand, maybe some other day.

dagui
Created Dec 27, 2018 07:32:11

The local-name of the ike at the ike local-name center / center is as follows: Center/ Can you provide a more detailed explanation?