The lab topology is as follows:

FW1 configuration:
interface Tunnel0
ip address 10.1.0.12 255.255.255.0
tunnel-protocol gre
source GigabitEthernet1/0/1
destination 155.1.131.13
ospf enable 1 area 0.0.0.0
#
[FW-1]dis zone
trust
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/0
#
untrust
interface of the zone is (1):
GigabitEthernet1/0/1
#
dmz
interface of the zone is (1):
Tunnel0
#
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol 50
service protocol udp destination-port 500
action permit
rule name OUT_TO_IN
source-zone dmz
destination-zone trust
source-address 10.1.13.0 mask 255.255.255.0
destination-address 10.1.12.0 mask 255.255.255.0
action permit
rule name IN_TO_OUT
source-zone trust
destination-zone dmz
source-address 10.1.12.0 mask 255.255.255.0
destination-address 10.1.13.0 mask 255.255.255.0
action permit
rule name IN_TO_Internet
source-zone trust
destination-zone untrust
source-address 10.1.12.0 mask 255.255.255.0
action permit
#
ospf 1 router-id 150.1.1.1
area 0.0.0.0
#
interface GigabitEthernet1/0/0
ip address 10.1.12.12 255.255.255.0
ospf enable 1 area 0.0.0.0
#
nat-policy
rule name EASY_IP
source-zone trust
destination-zone untrust
source-address 10.1.12.0 mask 255.255.255.0
action source-nat easy-ip
FW2 configuration:
interface Tunnel0
ip address 10.1.0.13 255.255.255.0
tunnel-protocol gre
source GigabitEthernet1/0/1
destination 155.1.121.12
ospf enable 1 area 0.0.0.0
#
trust
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/0
#
untrust
interface of the zone is (1):
GigabitEthernet1/0/1
#
dmz
interface of the zone is (1):
Tunnel0
#
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol 50
service protocol udp destination-port 500
action permit
rule name OUT_TO_IN
source-zone dmz
destination-zone trust
source-address 10.1.12.0 mask 255.255.255.0
destination-address 10.1.13.0 mask 255.255.255.0
action permit
rule name IN_TO_OUT
source-zone trust
destination-zone dmz
source-address 10.1.13.0 mask 255.255.255.0
destination-address 10.1.12.0 mask 255.255.255.0
action permit
#
ospf 1 router-id 150.1.3.3
area 0.0.0.0
#
interface GigabitEthernet1/0/0
ip address 10.1.13.13 255.255.255.0
ospf enable 1 area 0.0.0.0
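The two security-policy blocks above are short enough to read by hand, but the question they answer (which services the IPsec peer may reach on the firewall itself, and which permit rules carry no address match) is worth automating before the tunnel goes into production. The following Python is an added example, not from the original lab and not Huawei code: it parses FW1's security-policy block (a constructed sample copied from the config above), reports the services permitted from untrust to local, and lists which of ESP, IKE (UDP 500) and NAT-T (UDP 4500) are missing. Requiring UDP 4500 is the script's own assumption; it matters only when a NAT device sits between the peers, and the SA output later on this page shows NAT-T is not in use here, so that line of the report is informational for this lab. FW2's block can be fed to the same parser unchanged.

```python
"""Audit a Huawei USG security-policy block for what a GRE-over-IPsec tunnel needs.
Example added to this write-up, not part of the original lab; the keyword matching
follows the rule syntax shown in the configs above."""
from dataclasses import dataclass, field

# Constructed sample: FW1's security-policy block, copied from the config above.
FW1_SECURITY_POLICY = """\
security-policy
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
 rule name OUT_TO_LOCAL
  source-zone untrust
  destination-zone local
  service protocol 50
  service protocol udp destination-port 500
  action permit
 rule name OUT_TO_IN
  source-zone dmz
  destination-zone trust
  source-address 10.1.13.0 mask 255.255.255.0
  destination-address 10.1.12.0 mask 255.255.255.0
  action permit
 rule name IN_TO_OUT
  source-zone trust
  destination-zone dmz
  source-address 10.1.12.0 mask 255.255.255.0
  destination-address 10.1.13.0 mask 255.255.255.0
  action permit
 rule name IN_TO_Internet
  source-zone trust
  destination-zone untrust
  source-address 10.1.12.0 mask 255.255.255.0
  action permit
#
"""

@dataclass
class Rule:
    name: str
    source_zones: set = field(default_factory=set)
    dest_zones: set = field(default_factory=set)
    services: set = field(default_factory=set)        # e.g. "protocol 50"
    source_addresses: set = field(default_factory=set)
    dest_addresses: set = field(default_factory=set)
    action: str = "deny"                              # no action line -> treat as deny

# Rule keyword -> Rule attribute that collects its value.
FIELDS = {"source-zone": "source_zones", "destination-zone": "dest_zones",
          "service": "services", "source-address": "source_addresses",
          "destination-address": "dest_addresses"}

def parse_security_policy(text):
    """Split 'rule name ...' blocks into Rule objects; unknown lines are ignored."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("rule name "):
            current = Rule(name=line.split(None, 2)[2])
            rules.append(current)
        elif current is None or not line:
            continue
        elif line.startswith("action "):
            current.action = line.split(None, 1)[1]
        else:
            key, _, value = line.partition(" ")
            if key in FIELDS:
                getattr(current, FIELDS[key]).add(value)
    return rules

def permitted_services(rules, src_zone, dst_zone):
    """Services permitted from src_zone to dst_zone. A rule that names no zone on one
    side matches any zone there; a rule that names no service permits all ('any')."""
    allowed = set()
    for r in rules:
        zone_ok = ((not r.source_zones or src_zone in r.source_zones) and
                   (not r.dest_zones or dst_zone in r.dest_zones))
        if r.action == "permit" and zone_ok:
            allowed |= r.services or {"any"}
    return allowed

# Services the IPsec peer must reach on the firewall itself (zone 'local').
# UDP 4500 is this script's assumption: needed only when NAT-T is negotiated.
IPSEC_TO_LOCAL = {
    "protocol 50": "ESP",
    "protocol udp destination-port 500": "IKE",
    "protocol udp destination-port 4500": "NAT-T (only if a NAT sits between the peers)",
}

def missing_ipsec_services(rules, required=IPSEC_TO_LOCAL):
    """Labels of required untrust->local services that no permit rule covers."""
    allowed = permitted_services(rules, "untrust", "local")
    if "any" in allowed:
        return []
    return [label for svc, label in required.items() if svc not in allowed]

def unrestricted_permits(rules):
    """Permit rules carrying no address match at all; worth a second look."""
    return [r.name for r in rules if r.action == "permit"
            and not r.source_addresses and not r.dest_addresses]
```

Run against the sample, `permitted_services(rules, "untrust", "local")` returns exactly ESP and UDP 500, `missing_ipsec_services` reports only the NAT-T entry, and `unrestricted_permits` names LOCAL_TO_ANY and OUT_TO_LOCAL, the two rules that rely on zone and service alone.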
Verification and testing
#
[FW-1]dis ike sa //IKE SAs (Phase v2:1 is the IKEv2 IKE SA, v2:2 the child SA)
2024-04-03 03:41:01.800
IKE SA information :
Conn-ID    Peer                  VPN    Flag(s)    Phase    RemoteType    RemoteID
------------------------------------------------------------------------------------
7          155.1.131.13:500             RD|ST|A    v2:2     IP            155.1.131.13
4          155.1.131.13:500             RD|ST|A    v2:1     IP            155.1.131.13
Number of IKE SA : 2
------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
[FW-1]dis ipsec sa //IPsec SAs
2024-04-03 03:41:03.950
ipsec sa information:
===============================
Interface: GigabitEthernet1/0/1
===============================
-----------------------------
IPSec policy name: "LAN_MAP"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 7
Encapsulation mode: Transport
Holding time : 0d 0h 8m 30s
Tunnel local : 155.1.121.12:500
Tunnel remote : 155.1.131.13:500
Flow source : 155.1.121.0/255.255.255.0 47/0-65535
Flow destination : 155.1.131.0/255.255.255.0 47/0-65535
[Outbound ESP SAs]
SPI: 195662205 (0xba9917d)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 10485755/3094
Max sent sequence-number: 68
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 67/6124
[Inbound ESP SAs]
SPI: 198173290 (0xbcfe26a)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 10485756/3094
Max received sequence-number: 64
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 54/4980
Anti-replay : Enable
Anti-replay window size: 1024
#
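The SA output above shows the negotiated proposal is ESP-ENCRYPT-3DES-192 with ESP-AUTH-SHA1, transport mode (sufficient here because GRE already provides the tunnel), anti-replay enabled with a 1024-packet window, no NAT-T, and a protected flow limited to protocol 47 between the two public /24s. 3DES has a 64-bit block and is subject to the Sweet32 attack, and SHA1 HMAC is deprecated, so a practitioner would want those flagged rather than eyeballed. The script below is an added example, not from the original lab: it parses a trimmed copy of that output (a constructed sample embedded inline) and flags legacy algorithms, anti-replay disabled, NAT-T in use, or a protected flow wider than GRE. The weak/legacy tables are the script's own classification.

```python
"""Parse 'display ipsec sa' output from a Huawei USG and flag legacy settings.
Example added to this write-up, not part of the original lab."""
import re

# Constructed sample: a trimmed copy of the FW-1 'dis ipsec sa' output above.
SAMPLE_IPSEC_SA = """\
Interface: GigabitEthernet1/0/1
IPSec policy name: "LAN_MAP"
Sequence number : 10
Mode : ISAKMP
Connection ID : 7
Encapsulation mode: Transport
Tunnel local : 155.1.121.12:500
Tunnel remote : 155.1.131.13:500
Flow source : 155.1.121.0/255.255.255.0 47/0-65535
Flow destination : 155.1.131.0/255.255.255.0 47/0-65535
[Outbound ESP SAs]
SPI: 195662205 (0xba9917d)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 10485755/3094
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 198173290 (0xbcfe26a)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 10485756/3094
UDP encapsulation used for NAT traversal: N
Anti-replay : Enable
Anti-replay window size: 1024
"""

# This script's own classification of algorithms worth flagging.
WEAK_ENCRYPT = {"DES": "56-bit key", "3DES": "64-bit block, Sweet32",
                "NULL": "no confidentiality"}
LEGACY_AUTH = {"MD5": "collision-broken", "SHA1": "deprecated, prefer SHA2"}
TUNNEL_KEYS = ("Encapsulation mode", "Tunnel local", "Tunnel remote",
               "Anti-replay", "Anti-replay window size")

def parse_ipsec_sa(text):
    """Return tunnel-level fields plus one dict per [Outbound|Inbound ESP SAs] block."""
    info = {"flows": [], "sas": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"\[(Outbound|Inbound) ESP SAs\]", line)
        if m:
            current = {"direction": m.group(1).lower()}
            info["sas"].append(current)
            continue
        key, sep, value = line.partition(":")   # first colon only: values may hold ports
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in TUNNEL_KEYS:
            info[key] = value
        elif key in ("Flow source", "Flow destination"):
            info["flows"].append(value)
        elif current is not None:
            current[key] = value
    return info

def proposal_findings(proposal):
    """Findings for one 'ESP-ENCRYPT-<alg> ESP-AUTH-<alg>' proposal string."""
    findings = []
    for token in proposal.split():
        for prefix, table, label in (("ESP-ENCRYPT-", WEAK_ENCRYPT, "encryption"),
                                     ("ESP-AUTH-", LEGACY_AUTH, "integrity")):
            if token.startswith(prefix):
                alg = token[len(prefix):].split("-")[0]   # "3DES-192" -> "3DES"
                if alg in table:
                    findings.append(f"{label} {alg}: {table[alg]}")
    return findings

def audit_ipsec_sa(text):
    """Return (parsed info, list of findings) for one display output."""
    info = parse_ipsec_sa(text)
    findings = []
    for sa in info["sas"]:
        findings += [f"{sa['direction']} SA: {f}"
                     for f in proposal_findings(sa.get("Proposal", ""))]
        if sa.get("UDP encapsulation used for NAT traversal") == "Y":
            findings.append(f"{sa['direction']} SA: NAT-T active, UDP 4500 must be permitted")
    if info.get("Anti-replay") != "Enable":
        findings.append("anti-replay disabled")
    # For GRE over IPsec the protected flow should be GRE (protocol 47) only.
    if any(" 47/" not in flow for flow in info["flows"]):
        findings.append("protected flow is not limited to GRE (protocol 47)")
    return info, findings
```

On the sample, `audit_ipsec_sa` returns four findings (3DES and SHA1 for each direction) and nothing else, which matches what the raw output says: anti-replay on, NAT-T off, flow limited to protocol 47.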
PC>ping 10.1.13.10 //test: PC on FW1's LAN to a host on FW2's LAN
Ping 10.1.13.10: 32 data bytes, Press Ctrl_C to break
From 10.1.13.10: bytes=32 seq=2 ttl=126 time=31 ms
--- 10.1.13.10 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/39/47 ms
PC>ping 150.1.1.1
Ping 150.1.1.1: 32 data bytes, Press Ctrl_C to break
From 150.1.1.1: bytes=32 seq=1 ttl=254 time=16 ms
--- 150.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 0/9/16 ms