Method used to configure GRE over IPSec on the AR

Huawei AR routers support interworking between devices through GRE over IPSec and IPSec over GRE. GRE over IPSec is supported by all AR models and versions, whereas IPSec over GRE is supported only by AR models that run V200R005C10 or later versions.
For details on how to configure IPSec over GRE, see "Example for Configuring L2TP Over IPSec to Implement Secure Communication Between the Branch and Headquarters" of "Using VPN to Implement WAN Interconnection-GRE" in Product Documentation.
For details on how to configure GRE over IPSec, see "Example for Configuring GRE Over IPSec to Implement Communication Between Devices", "Example for Configuring OSPF and GRE Over IPSec to Implement Communication Between the Branch and Headquarters", and "Example for Configuring GRE Over IPSec to Implement Communication Between the Branches and Headquarters and NAT to Implement Communication Between Branches (Running OSPF)" of "Using VPN to Implement WAN Interconnection" in Typical Configuration Examples.

Other related questions:
GRE over IPSec configuration on the USG6000
GRE over IPSec VPN configuration on the USG6000

Configuration procedure:
1. Complete basic interface configuration, for example, configure the IP addresses and add the physical interfaces to the related security zones.
2. Enable the inter-zone security policy.
3. Configure the IPSec tunnel. The sensitive traffic protected by IPSec is the GRE traffic itself, so the source and destination addresses in the IPSec security ACL are the source and destination addresses of the GRE tunnel.
4. Configure the GRE tunnel. Its source and destination addresses are the same public addresses that the IPSec security ACL matches, so every GRE packet leaving the tunnel interface is encrypted by IPSec before it reaches the public network.

Configuration example:
Topology: Network A-----(10.1.1.1) NGFW_A-----INTERNET-----NGFW_B (10.1.2.1)-----Network B
Requirements:
a. Network A (10.1.1.0/24) and Network B (10.1.2.0/24) can access each other.
b. The public IP address of NGFW_A is 1.1.3.1, the public IP address of NGFW_B is 1.1.5.1, and the two addresses are reachable over the public network.
c. The GRE over IPSec tunnel between NGFW_A and NGFW_B satisfies the IPSec security requirements and can also carry broadcast and multicast packets (for example, dynamic routing protocol traffic) inside GRE.

1. Complete basic interface configuration, for example, configure the IP addresses and add the interfaces to the related security zones.
2. Configure IPSec.
// Configure the IPSec sensitive traffic: the GRE packets exchanged between the two public addresses. A rule that matches protocol gre instead of ip narrows the protected flow to the tunnel traffic only. //
[USG_A] acl 3000
[USG_A-acl-adv-3000] rule 5 permit ip source 1.1.3.1 0.0.0.0 destination 1.1.5.1 0.0.0.0
[USG_B] acl 3000
[USG_B-acl-adv-3000] rule 5 permit ip source 1.1.5.1 0.0.0.0 destination 1.1.3.1 0.0.0.0
// Configure the IKE proposal and IPSec proposal. The example keeps the default parameters; in production, set the encryption, integrity and DH group explicitly and identically on both peers rather than relying on the defaults of whatever software version is installed. //
[USG_A] ike proposal 1
[USG_A-ike-proposal-1] quit
[USG_A] ipsec proposal 1
[USG_A-ipsec-proposal-1] quit
[USG_B] ike proposal 1
[USG_B-ike-proposal-1] quit
[USG_B] ipsec proposal 1
[USG_B-ipsec-proposal-1] quit
// Configure the IKE peer. The pre-shared key 123456 is only a placeholder for the example; use a long random key and configure the same key on both peers. //
[USG_A] ike peer 1
[USG_A-ike-peer-1] pre-shared-key 123456
[USG_A-ike-peer-1] ike-proposal 1
[USG_A-ike-peer-1] remote-address 1.1.5.1
[USG_B] ike peer 1
[USG_B-ike-peer-1] pre-shared-key 123456
[USG_B-ike-peer-1] ike-proposal 1
[USG_B-ike-peer-1] remote-address 1.1.3.1
// Configure the IPSec policies and apply them to the public interfaces. //
[USG_A] ipsec policy p1 1 isakmp
[USG_A-ipsec-policy-isakmp-p1-1] security acl 3000
[USG_A-ipsec-policy-isakmp-p1-1] ike-peer 1
[USG_A-ipsec-policy-isakmp-p1-1] proposal 1
[USG_A-ipsec-policy-isakmp-p1-1] local-address 1.1.3.1
[USG_A-ipsec-policy-isakmp-p1-1] quit
[USG_A] interface GigabitEthernet1/0/1
[USG_A-GigabitEthernet1/0/1] ipsec policy p1 auto-neg
[USG_B] ipsec policy p1 1 isakmp
[USG_B-ipsec-policy-isakmp-p1-1] security acl 3000
[USG_B-ipsec-policy-isakmp-p1-1] ike-peer 1
[USG_B-ipsec-policy-isakmp-p1-1] proposal 1
[USG_B-ipsec-policy-isakmp-p1-1] local-address 1.1.5.1
[USG_B-ipsec-policy-isakmp-p1-1] quit
[USG_B] interface GigabitEthernet1/0/1
[USG_B-GigabitEthernet1/0/1] ipsec policy p1 auto-neg
3. Configure the GRE tunnel. The tunnel source and destination are the public addresses matched by ACL 3000.
[USG_A] interface Tunnel0
[USG_A-Tunnel0] ip address 10.3.1.1 255.255.255.0
[USG_A-Tunnel0] tunnel-protocol gre
[USG_A-Tunnel0] source 1.1.3.1
[USG_A-Tunnel0] destination 1.1.5.1
[USG_B] interface Tunnel0
[USG_B-Tunnel0] ip address 10.3.1.2 255.255.255.0
[USG_B-Tunnel0] tunnel-protocol gre
[USG_B-Tunnel0] source 1.1.5.1
[USG_B-Tunnel0] destination 1.1.3.1
4. Add the GRE tunnel interface to a security zone and configure a route for the peer private network through the tunnel. Because the tunnel interface sits in the untrust zone, the traffic between Network A and Network B crosses the trust and untrust zones and must be permitted by the security policy from step 2 of the procedure.
[USG_A] firewall zone untrust
[USG_A-zone-untrust] add interface Tunnel0
[USG_A] ip route-static 10.1.2.0 255.255.255.0 Tunnel0
[USG_B] firewall zone untrust
[USG_B-zone-untrust] add interface Tunnel0
[USG_B] ip route-static 10.1.1.0 255.255.255.0 Tunnel0
5. Verify the result. Ping a host in Network B from a host in Network A, then run display ike sa and display ipsec sa on either firewall: the IKE and IPSec SAs should be established, and the protected flow shown for ACL 3000 is the GRE traffic between 1.1.3.1 and 1.1.5.1, not the private subnets themselves.

Method used to configure L2TP over IPSec on the AR
L2TP over IPSec can be used to ensure secure communication between the branch and headquarters, that is, between the LAC and the LNS. This function is supported by all versions and models of AR series routers. For details, see Configuration Guide-VPN.

IPv6 over IPv4 GRE tunnel configuration
To configure an IPv6 over IPv4 GRE tunnel, perform the following steps:
1. Run the system-view command to enter the system view.
2. Run the interface tunnel interface-number command to create a tunnel interface and enter the tunnel interface view.
3. Run the tunnel-protocol gre command to set the tunnel encapsulation type to GRE.
4. Run the source { ipv4-address | interface-type interface-number } command to specify the source address or source interface of the GRE tunnel.
Note:
- You can directly specify the IPv4 address of the interface that connects to the IPv4 network as the source address, or specify that interface as the source interface.
- The source interface can be a physical interface or a logical interface such as a loopback interface.
5. Run the destination ipv4-address command to specify the destination address (or domain name) of the GRE tunnel. The destination address is the source address of the peer device. As shown in Figure 1, the destination address of FW_A is 1.1.2.1/24, while the destination address of FW_B is 1.1.1.1/24.
6. Run the ipv6 enable command to enable IPv6 on the tunnel interface.
7. Run the ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } command to configure an IPv6 address for the tunnel interface.
8. (Optional) Run the gre key key-number command to set the key carried in the GRE packet header. Either configure the same key-number on both ends of the tunnel or configure none on either end; a receiver drops GRE packets whose key does not match its own.
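The procedure above, carried through for both firewalls of Figure 1, as an added example. This is not configuration taken from the Huawei page: the IPv4 tunnel endpoints 1.1.1.1 and 1.1.2.1 come from step 5, while the interface name GigabitEthernet1/0/1, the IPv6 tunnel addresses 2001:db8:1::1/64 and 2001:db8:1::2/64, the LAN prefixes 2001:db8:a::/64 (behind FW_A) and 2001:db8:b::/64 (behind FW_B), the key value 100, and the zone and static-route lines are assumptions chosen for illustration.

```text
# FW_A: public IPv4 address 1.1.1.1/24 on GigabitEthernet1/0/1 (assumed interface)
system-view
 interface Tunnel0
  tunnel-protocol gre
  source 1.1.1.1
  destination 1.1.2.1
  ipv6 enable
  ipv6 address 2001:db8:1::1/64
  gre key 100
  quit
 # assumed: the tunnel interface must belong to a zone before the firewall forwards through it
 firewall zone untrust
  add interface Tunnel0
  quit
 # assumed prefix behind FW_B, reached through the tunnel
 ipv6 route-static 2001:db8:b:: 64 Tunnel0

# FW_B: public IPv4 address 1.1.2.1/24 on GigabitEthernet1/0/1 (assumed interface)
system-view
 interface Tunnel0
  tunnel-protocol gre
  source 1.1.2.1
  destination 1.1.1.1
  ipv6 enable
  ipv6 address 2001:db8:1::2/64
  gre key 100
  quit
 firewall zone untrust
  add interface Tunnel0
  quit
 ipv6 route-static 2001:db8:a:: 64 Tunnel0

# Verification on FW_A: the tunnel address should be up and the peer reachable
display ipv6 interface Tunnel0
ping ipv6 2001:db8:1::2
```

Two checks worth doing on a real deployment: the source of each side must equal the destination configured on the other side, and the gre key must be identical on both ends or absent on both, since a mismatch silently drops every packet. The key only filters mis-addressed tunnels; it provides no authentication, integrity or confidentiality, so the IPv6 traffic crosses the IPv4 network in cleartext. If that network is untrusted, protect the GRE packets with IPSec in the same way as the GRE over IPSec example earlier on this page.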

The ping operation is successful but services are unavailable on the AR configured with GRE over IPSec
IPSec adds encapsulation to every IP packet, so the packet becomes longer. If the encapsulated packet exceeds the MTU of a link on the path, it is fragmented, and the receiver has to reassemble the fragments before it can decrypt and parse them. Fragmentation and reassembly consume CPU resources, and encrypting and decrypting the fragments consumes many more. When there are many fragments, CPU resources run short, access becomes slow and packets are discarded. A plain ping uses small packets, so it still succeeds while large service packets are being dropped. If small ping packets get through but large ping packets do not, check the MTU of the ISP link. If the ISP cannot confirm the MTU, ping the peer with different packet sizes, with the Don't Fragment bit set so that oversized packets are rejected instead of fragmented, to determine the MTU of the intermediate path, and then change the MTU on the device accordingly.
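The size sweep described above, written out as an added POSIX shell example. It is not from the Huawei page and does not use the AR's own commands: it runs from a host on one side of the tunnel, finds the largest DF-set ping that is answered, converts that to the path MTU, and subtracts an encapsulation allowance to suggest a tunnel MTU. The peer address 1.1.5.1 in the usage comment, the 100-byte overhead figure, and the Linux ping flags are assumptions.

```shell
#!/bin/sh
# Added example, not from the Huawei page: find the path MTU toward a peer by
# probing with DF-set pings of different sizes, then derive the MTU to set on
# the tunnel side. The peer address in the usage comment and the overhead
# allowance below are assumptions for illustration.

# An ICMP echo request is 20 bytes of IPv4 header + 8 bytes of ICMP header
# plus the payload, so path MTU = largest payload that is answered + 28.
ICMP_OVERHEAD=28

# Allowance for GRE over IPSec tunnel-mode encapsulation (outer IP, ESP header,
# IV, padding, trailer, ICV, delivery IP, GRE). The exact figure depends on the
# cipher and integrity algorithm; 100 is an assumed conservative round number.
TUNNEL_OVERHEAD=100

# probe_df HOST PAYLOAD: succeeds when one DF-set echo of PAYLOAD bytes is
# answered. Linux iputils syntax; on macOS/BSD use "ping -D -s", on Windows
# "ping -f -l".
probe_df() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload PROBE HOST LO HI: prints the largest payload in [LO,HI] for
# which "PROBE HOST payload" succeeds. Binary search, so it assumes that when a
# size passes, every smaller size passes too. PROBE is the name of a shell
# function, which lets the search be exercised with a stand-in probe.
find_max_payload() {
    fmp_probe=$1 fmp_host=$2 fmp_lo=$3 fmp_hi=$4 fmp_best=0
    while [ "$fmp_lo" -le "$fmp_hi" ]; do
        fmp_mid=$(( (fmp_lo + fmp_hi) / 2 ))
        if "$fmp_probe" "$fmp_host" "$fmp_mid"; then
            fmp_best=$fmp_mid
            fmp_lo=$(( fmp_mid + 1 ))
        else
            fmp_hi=$(( fmp_mid - 1 ))
        fi
    done
    echo "$fmp_best"
}

# path_mtu PROBE HOST [HI]: prints the path MTU in bytes, or 0 when not even
# the smallest probe is answered (fix reachability before tuning the MTU).
# HI defaults to 1472, the payload that exactly fills a 1500-byte IP packet.
path_mtu() {
    pm_payload=$(find_max_payload "$1" "$2" 1 "${3:-1472}")
    if [ "$pm_payload" -eq 0 ]; then
        echo 0
    else
        echo $(( pm_payload + ICMP_OVERHEAD ))
    fi
}

# tunnel_mtu PATH_MTU: MTU to configure on the tunnel interface so that the
# encapsulated packet still fits the path without fragmentation.
tunnel_mtu() {
    echo $(( $1 - TUNNEL_OVERHEAD ))
}

# Usage: sh mtu_probe.sh PEER    (for example the remote endpoint 1.1.5.1)
if [ $# -ge 1 ]; then
    pmtu=$(path_mtu probe_df "$1")
    if [ "$pmtu" -eq 0 ]; then
        echo "no DF-set echo to $1 was answered; check reachability first"
    else
        echo "path MTU to $1: $pmtu bytes; suggested tunnel MTU: $(tunnel_mtu "$pmtu")"
    fi
fi
```

Run it against the remote tunnel endpoint, not a host behind it, so that the result reflects the ISP path the encrypted packets actually take. If the suggested value still leaves large transfers hanging, lower it further: the allowance is an estimate, and only the real SA's cipher and integrity algorithm fix the true overhead.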
