Hi, everyone! Today I'm going to introduce the configuration of IPSec over GRE on Huawei routers.
Branch 1 and branch 2 connect to the headquarters (the center) with IPSec using IKE aggressive mode. In IPSec-over-GRE mode the IPSec policy is applied on the GRE tunnel interface, and OSPF runs over the tunnel so that the headquarters and the branches can reach each other's internal networks.
                       192.168.1.1/24
                             |
                   ROUTER1 (Center)  202.101.1.2/30
                       /            \
                      /              \
 202.101.2.2/30  ROUTER2            ROUTER3  202.101.3.2/30
              (Branch 1)           (Branch 2)
                  |                     |
           192.168.2.1/24        192.168.3.1/24
[Center Configuration]
#
 sysname Center
#
 ike local-name center                  // the local IKE name of the center is "center"
#
 router id 1.1.1.1
#
radius scheme system
#
domain system
#
ike peer branch1                        // IKE peer for branch 1
 exchange-mode aggressive               // use IKE aggressive mode
 pre-shared-key abc                     // the pre-shared key is abc
 id-type name                           // use the name as the ID in IKE negotiation
 remote-name branch1                    // the IKE name of branch 1 is "branch1"
#
ike peer branch2                        // IKE peer for branch 2
 exchange-mode aggressive
 pre-shared-key abc
 id-type name
 remote-name branch2
#
ipsec proposal 1                        // define the IPSec proposal
#
ipsec policy branch1 10 isakmp          // IPSec policy for branch 1 (applied on Tunnel0 below)
 security acl 3001                      // ACL referenced by the IPSec policy
 ike-peer branch1                       // reference the IKE peer
 proposal 1                             // reference the IPSec proposal
#
ipsec policy branch2 10 isakmp          // IPSec policy for branch 2, same structure as for branch 1
 security acl 3002
 ike-peer branch2
 proposal 1
#
acl number 3001                         // intranet traffic from the center to branch 1
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3002                         // intranet traffic from the center to branch 2 (192.168.3.0/24)
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
interface Serial2/0
 link-protocol ppp
 ip address 202.101.1.2 255.255.255.252
#
interface Tunnel0                       // GRE tunnel between the center and branch 1
 ip address 10.0.0.1 255.255.255.252
 source 202.101.1.2
 destination 202.101.2.2
 ipsec policy branch1                   // apply IPSec policy branch1 on Tunnel0
#
interface Tunnel1                       // GRE tunnel between the center and branch 2
 ip address 10.0.0.5 255.255.255.252
 source 202.101.1.2
 destination 202.101.3.2
 ipsec policy branch2                   // apply IPSec policy branch2 on Tunnel1
#
interface NULL0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0   // internal (LAN) address of the center
#
ospf 1
 area 0.0.0.10                          // branch 1 belongs to area 10
  network 10.0.0.0 0.0.0.3
 area 0.0.0.20                          // branch 2 belongs to area 20
  network 10.0.0.4 0.0.0.3
 area 0.0.0.0                           // the headquarters belongs to area 0
  network 1.1.1.1 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
 ip route-static 0.0.0.0 0.0.0.0 202.101.1.1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return
[Configuration of Branch 1]
#
 sysname Branch1
#
 ike local-name branch1                 // the local IKE name of branch 1 is "branch1"
#
radius scheme system
#
domain system
#
ike peer center                         // IKE peer for the center
 exchange-mode aggressive               // use IKE aggressive mode
 pre-shared-key abc                     // the pre-shared key is abc
 id-type name                           // use the name as the ID in IKE negotiation
 remote-name center                     // the peer name is "center"
 remote-address 10.0.0.1                // the peer address is 10.0.0.1 (the tunnel address of the center)
#
ipsec proposal 1                        // define the IPSec proposal
#
ipsec policy branch1 10 isakmp          // IPSec policy towards the center
 security acl 3001                      // ACL referenced by the IPSec policy
 ike-peer center                        // reference the IKE peer
 proposal 1                             // reference the IPSec proposal
#
acl number 3001                         // intranet traffic from branch 1 to the center
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
interface Serial2/0
 link-protocol ppp
 ip address 202.101.2.2 255.255.255.252
#
interface Tunnel0                       // GRE tunnel between branch 1 and the center
 ip address 10.0.0.2 255.255.255.252
 source 202.101.2.2
 destination 202.101.1.2
 ipsec policy branch1                   // apply IPSec policy branch1 on Tunnel0
#
interface NULL0
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
interface Ethernet0/0                   // internal (LAN) address of branch 1
 ip address 192.168.2.1 255.255.255.0
#
ospf 1
 area 0.0.0.10                          // branch 1 belongs to area 10
  network 2.2.2.2 0.0.0.0
  network 10.0.0.0 0.0.0.3
  network 192.168.2.0 0.0.0.255
#
 ip route-static 0.0.0.0 0.0.0.0 202.101.2.1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return
[Configuration of Branch 2]
#
 sysname Branch2
#
 ike local-name branch2                 // the local IKE name of branch 2 is "branch2" (must match remote-name branch2 on the center)
#
radius scheme system
#
domain system
#
ike peer center                         // IKE peer for the center
 exchange-mode aggressive               // use IKE aggressive mode
 pre-shared-key abc                     // the pre-shared key is abc
 id-type name                           // use the name as the ID in IKE negotiation
 remote-name center                     // the peer name is "center"
 remote-address 10.0.0.5                // the peer address is 10.0.0.5 (the Tunnel1 address of the center)
#
ipsec proposal 1                        // define the IPSec proposal
#
ipsec policy branch2 10 isakmp          // IPSec policy towards the center (applied on Tunnel0 below)
 security acl 3001                      // ACL referenced by the IPSec policy
 ike-peer center                        // reference the IKE peer
 proposal 1                             // reference the IPSec proposal
#
acl number 3001                         // intranet traffic from branch 2 to the center
 rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
interface Serial2/0
 link-protocol ppp
 ip address 202.101.3.2 255.255.255.252
#
interface Tunnel0                       // GRE tunnel between branch 2 and the center
 ip address 10.0.0.6 255.255.255.252
 source 202.101.3.2
 destination 202.101.1.2
 ipsec policy branch2                   // apply IPSec policy branch2 on Tunnel0
#
interface NULL0
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
interface Ethernet0/0                   // internal (LAN) address of branch 2
 ip address 192.168.3.1 255.255.255.0
#
ospf 1
 area 0.0.0.20                          // branch 2 belongs to area 20
  network 3.3.3.3 0.0.0.0
  network 10.0.0.4 0.0.0.3
  network 192.168.3.0 0.0.0.255
#
 ip route-static 0.0.0.0 0.0.0.0 202.101.3.1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return
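As an added example (not part of the original post, and not a Huawei tool), the following Python script cross-checks a hub and a spoke configuration the way a reviewer would before deploying them: the GRE endpoints must be mirrored, the spoke's remote-address must be the hub's tunnel address (because in IPSec over GRE the IKE negotiation runs inside the tunnel), and the ACL flows on both ends must be exact mirrors. It works on constructed excerpts of the Center and Branch 1 configurations above; the parser is simplified and assumes one-space indentation as in Huawei's display output, with the section headers and ACL number hard-coded for this topology.

```python
import re
# Constructed excerpts of the Center and Branch 1 configs above (not the full files).
CENTER = """\
acl number 3001
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 source 202.101.1.2
 destination 202.101.2.2
"""
BRANCH1 = """\
ike peer center
 remote-address 10.0.0.1
acl number 3001
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 source 202.101.2.2
 destination 202.101.1.2
"""
RULE = re.compile(r"source (\S+) \S+ destination (\S+)")

def parse(cfg):
    """Group a VRP-style config into {section header: [indented child commands]}."""
    sections, cur = {}, []
    for line in cfg.splitlines():
        if line.startswith(" "):
            cur.append(line.strip())
        else:
            cur = sections.setdefault(line.strip(), [])
    return sections

def field(section, prefix):
    """Argument text after `prefix` in a section ('' if the command is absent)."""
    return next((l[len(prefix):].strip() for l in section if l.startswith(prefix + " ")), "")

def hub_spoke_issues(hub_cfg, spoke_cfg):
    """Cross-check one hub tunnel against its spoke and return the problems found."""
    hub, spoke = parse(hub_cfg), parse(spoke_cfg)
    ht, st = hub["interface Tunnel0"], spoke["interface Tunnel0"]
    issues = []
    # GRE endpoints must mirror: the spoke's destination is the hub's source and vice versa.
    if (field(ht, "source"), field(ht, "destination")) != (field(st, "destination"), field(st, "source")):
        issues.append("GRE endpoints not mirrored")
    # IPSec over GRE: IKE runs inside the tunnel, so remote-address is the hub's tunnel address.
    if field(spoke["ike peer center"], "remote-address") != field(ht, "ip address").split()[0]:
        issues.append("remote-address is not the hub tunnel address")
    # Both ends must protect exactly mirrored flows, or the SA will not come up for that traffic.
    hs, hd = RULE.search(field(hub["acl number 3001"], "rule")).groups()
    ss, sd = RULE.search(field(spoke["acl number 3001"], "rule")).groups()
    if (hs, hd) != (sd, ss):
        issues.append("ACL flows not mirrored")
    return issues
```

Running `hub_spoke_issues(CENTER, BRANCH1)` on the excerpts returns an empty list; pointing the spoke's remote-address at the hub's public serial address instead of its tunnel address, or copying the wrong destination subnet into an ACL, is reported by name.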
If you have any problems, please post them in our Community. We are happy to solve them for you!