GRE over IPSec configuration on the USG6000

1

GRE over IPSec VPN configuration on the USG6000

Configuration procedure:
1. Complete basic interface configuration, for example, configuring the IP address and adding the physical port to the related zone.
2. Enable the inter-zone security policy.
2. Configure the IPSec tunnel. Set the source and destination addresses of the sensitive traffic carried by the IPSec tunnel to the source and destination addresses of the GRE tunnel.
2. Configure the GRE tunnel. Set the source and destination addresses of the GRE tunnel to the source and destination addresses of the sensitive traffic carried by the IPSec tunnel.
Configuration example:
Topology:
Network A-----(10.1.1.1) NGFW_A-----INTERNET-----NGFW_B (10.1.2.1)------Network B

Note:
a. Network A (10.1.1.0/24) and network B (10.1.2.0/24) can mutually access each other.
b. The public IP address of NGFW_A is 1.1.3.1, the public IP address of NGFW_B is 1.1.5.1, and the public route is accessible.
c. The GRE over IPSec tunnel established between NGFW_A and NGFW_B can satisfy the IPSec security requirements and also transmit broadcast or multicast packets based on GRE.

1. Complete basic interface configuration, for example, configuring the IP address and adding the interface to the related zone.
2. Configure the IPSec.
//Configure IPSec sensitive traffic.//
[USG_A]acl 3000
[USG_A-acl-adv-3000]rule 5 permit ip source 1.1.3.1 0.0.0.0 destination 1.1.5.1 0.0.0.0
[USG_B]acl 3000
[USG_B-acl-adv-3000]rule 5 permit ip source 1.1.5.1 0.0.0.0 destination 1.1.3.1 0.0.0.0
//Configure the IKE proposal and IPSec proposal. Adopt the default parameters.//
[USG_A-1]ike proposal 1
[USG_A-1-ike-proposal-1]quit
[USG_A-1]ipsec proposal 1
[USG_A-1-ipsec-proposal-1]quit
[USG_B-1]ike proposal 1
[USG_B-1-ike-proposal-1]quit
[USG_B-1]ipsec proposal 1
[USG_B-1-ipsec-proposal-1]quit
//Configure the IKE peer.//
[USG_A-1]ike peer 1
[USG_A-1-ike-peer-1]pre-shared-key 123456
[USG_A-1-ike-peer-1]ike-proposal 1
[USG_A-1-ike-peer-1]remote-address 1.1.5.1
[USG_B-1]ike peer 1
[USG_B-1-ike-peer-1]pre-shared-key 123456
[USG_B-1-ike-peer-1]ike-proposal 1
[USG_B-1-ike-peer-1]remote-address 1.1.3.1
//Configure IPSec policies.//
[USG_A-1]ipsec policy p1 1 isakmp
[USG_A-1-ipsec-policy-isakmp-1-1] security acl 3000
[USG_A-1-ipsec-policy-isakmp-1-1]Ike peer 1
[USG_A-1-ipsec-policy-isakmp-1-1]proposal 1
[USG_A-1-ipsec-policy-isakmp-1-1]local-address 1.1.3.1
[USG_A-1-ipsec-policy-isakmp-1-1] interface GigabitEthernet1/0/1
[USG_A-1-GigabitEthernet1/0/1] ipsec policy p1 auto-neg
[USG_B-1]ipsec policy p1 1 isakmp
[USG_B-1-ipsec-policy-isakmp-1-1]security acl 3000
[USG_B-1-ipsec-policy-isakmp-1-1]Ike peer 1
[USG_B-1-ipsec-policy-isakmp-1-1]proposal 1
[USG_B-1-ipsec-policy-isakmp-1-1]local-address 1.1.5.1
[USG_B-1-ipsec-policy-isakmp-1-1] interface GigabitEthernet1/0/1
[USG_B-1-GigabitEthernet1/0/1] ipsec policy p1 auto-neg
3. Configure the GRE tunnel.
[USG_A-1]interface Tunnel 0
[USG_A-1-Tunnel0] ip address 10.3.1.1 255.255.255.0
[USG_A-1-Tunnel0]tunnel-protocol gre
[USG_A-1-Tunnel0] source 1.1.3.1
[USG_A-1-Tunnel0] destination 1.1.5.1
[USG_B-1]interface Tunnel 0
[USG_B-1-Tunnel0] ip address 10.3.1.2 255.255.255.0
[USG_B-1-Tunnel0]tunnel-protocol gre
[USG_B-1-Tunnel0] source 1.1.5.1
[USG_B-1-Tunnel0] destination 1.1.3.1
4. Add the GRE tunnel to the security zone and configure a tunnel route.
[USG_A-1]firewall zone untrust
[USG_A-1-zone-untrust]add interface Tunnel 0
[USG_A-1]ip route-static ip route-static 10.1.2.0 255.255.255.0 Tunnel0
[USG_B-1]firewall zone untrust
[USG_B-1-zone-untrust]add interface Tunnel 0
[USG_B-1]ip route-static ip route-static 10.1.1.0 255.255.255.0 Tunnel0

Other related questions:
Method used to configure GRE over IPSec on the AR
Huawei AR routers support interworking between devices through GRE over IPSec and IPSec over GRE. GRE over IPSec is supported by all AR models and versions, whereas IPSec over GRE is supported only by AR models that run V200R005C10 or later versions. For details on how to configure IPSec over GRE, see "Example for Configuring L2TP Over IPSec to Implement Secure Communication Between the Branch and Headquarters" of "Using VPN to Implement WAN Interconnection-GRE" in Product Documentation. For details on how to configure GRE over IPSec, see "Example for Configuring GRE Over IPSec to Implement Communication Between Devices", "Example for Configuring OSPF and GRE Over IPSec to Implement Communication Between the Branch and Headquarters", and "Example for Configuring GRE Over IPSec to Implement Communication Between the Branches and Headquarters and NAT to Implement Communication Between Branches (Running OSPF)" of "Using VPN to Implement WAN Interconnection" in Typical Configuration Examples.

Configuration of L2TP over IPSec on the USG6000
Configuration of L2TP over IPSec on the USG6000 Configuration procedure: 1. Complete basic interface configuration, security policy configuration, and route configuration. 2. Configure and apply the IPSec. Note that the source and destination addresses of the data flow protected by the IPSec are the source and destination addresses of the sensitive traffic transmitted over the external interfaces of two gateways. 3. Configure the L2TP and L2TP tunnel source. For details, click Huawei Security Forum USG6000 L2TP over IPSec Configuration Cases. Procedure 1. Configure the IP address of each interface, and add the interfaces to the security zone. The specific configuration procedure is not described here. 2. Enable the inter-zone security policy. e map_temp [NGFW_A] interface GigabitEthernet 1/0/1 [NGFW_A-GigabitEthernet 1/0/1] ipsec policy map1 [NGFW_B] ipsec policy map1 10 isakmp [NGFW_B-ipsec-policy-isakmp-map1-10] security acl 3000 [NGFW_B-ipsec-policy-isakmp-map1-10] proposal tran1 [NGFW_B-ipsec-policy-isakmp-map1-10] ike-peer b [NGFW_B] interface GigabitEthernet 1/0/1 [NGFW_B-GigabitEthernet1/0/1] ipsec policy map1 5. Configure the L2TP. A. (LNS end) Configure the L2TP. [NGFW_A] user-manage user l2tpuser //Configure the L2TP user. [NGFW_A-localuser-l2tpuser] password Password1 [NGFW_A-localuser-l2tpuser] quit [NGFW_A] l2tp enable //Enable the L2TP. [NGFW_A] aaa [NGFW_A-aaa] ip pool 0 192.168.0.2 192.168.0.99 //Configure the IP address pool. [NGFW_A] interface Virtual-Template 1 //Configure the virtual template interface. [NGFW_A-Virtual-Template1] ppp authentication-mode pap [NGFW_A-Virtual-Template1] ip address 1.1.1.2 255.255.255.0 [NGFW_A-Virtual-Template1] remote address pool 0 //Set the virtual interface to reference the address pool used to allocate addresses to the peer end. [NGFW_A] l2tp-group 1 //Create the L2TP group. [NGFW_A-l2tp1] allow l2tp virtual-template 1 [NGFW_A-l2tp1] tunnel password cipher Pass1234 B. Configure the L2TP. # Configure the L2TP user. [NGFW_B] user-manage user l2tpuser [NGFW_B-localuser-l2tpuser] password Password1 [NGFW_B-localuser-l2tpuser] quit Configure the L2TP. [NGFW_B] l2tp enable [NGFW_B] interface Virtual-Template 1 [NGFW_B-Virtual-Template1] ppp authentication-mode pap [NGFW_B-Virtual-Template1] quit [NGFW_B] interface GigabitEthernet 1/0/3 [NGFW_B-GigabitEthernet1/0/3] pppoe-server bind virtual-template 1 [NGFW_B-GigabitEthernet1/0/3] quit [NGFW_B] l2tp-group 1 [NGFW_B-l2tp1] tunnel password cipher Pass1234 [NGFW_B-l2tp1] start l2tp ip 1.1.3.1 fullusername l2tpuser [NGFW_B-l2tp1] quit

The ping operation is successful but services are unavailable on the AR configured with GRE over IPSec
IPSec encapsulates IP packets. As a result, the IP packet length becomes longer. If the IP packet length exceeds the MTU during transmission, the IP packets are fragmented and sent. The receiver needs to reassemble and parse the fragments. Fragmentation and reassembly consume CPU resources, and encryption and decryption of fragments also consume many CPU resources. When there are many fragments, CPU resources may be insufficient. In this case, the access is slow and packets are discarded. If small-sized ping packets can be transmitted but large-sized ping packets cannot be transmitted, check the MTU of the ISP. If the MTU of the ISP cannot be confirmed, perform the ping operation with different bytes to determine the intermediate MTU. Then change the MTU on the device.

Does the VLANIF interface support IPSec on the AR
The VLANIF interface on the Huawei AR router does not support IPSec.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top