Huawei VPN Technology III: GRE

Source: Internet
Author: User

GRE implements IPv4 interoperability through static routing

Topology:


Configuration steps

1. Run the OSPF routing protocol between all devices so that they have routes to one another.

2. Create tunnel interfaces on RouterA and RouterC, create the GRE tunnel, and on RouterA and RouterC configure static routes whose outbound interface is the tunnel interface, so that traffic between PC1 and PC2 is carried through the GRE tunnel and PC1 and PC2 can reach each other.

Configuration information:

R1:

interface Tunnel0/0/1
 ip address 10.1.3.1 255.255.255.0
 tunnel-protocol gre
 source 20.1.1.1
 destination 30.1.1.1
#
ospf 1
 area 0.0.0.0
  network 20.1.1.1 0.0.0.0
#
ip route-static 10.1.2.0 255.255.255.0 Tunnel0/0/1


R3:

interface Tunnel0/0/1
 ip address 10.1.3.2 255.255.255.0
 tunnel-protocol gre
 source 30.1.1.1
 destination 20.1.1.1
#
ospf 1
 area 0.0.0.0
  network 30.1.1.1 0.0.0.0
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1
#


GRE implements IPv4 interoperability through OSPF

Topology

Configuration steps

1. Run an IGP between the devices to achieve interoperability; here the OSPF routing protocol is used, with process 1.

2. Establish a GRE tunnel between the devices connected to the PCs and enable the keepalive function. Run an IGP on the network segments connected to the PCs; here OSPF process 2 is used, isolated from OSPF process 1, so that traffic between PC1 and PC2 is carried through the GRE tunnel and PC1 and PC2 can reach each other.

R1\R3:

interface Tunnel0/0/1
 ip address 10.1.3.1 255.255.255.0
 tunnel-protocol gre
 keepalive
 source 20.1.1.1
 destination 30.1.1.1

Principle Analysis

The implementation process for the keepalive detection function is as follows:

1. When keepalive detection is enabled on the source end of a GRE tunnel, the source creates a timer, periodically sends keepalive probe messages, and keeps an unreachable counter. Each time a probe message is sent, the unreachable counter is incremented by 1.

2. Each time the peer receives a probe message, it sends a response message to the source.

3. If the source receives a response message before its counter reaches the preset value, the peer is reachable. If the counter on the source reaches the preset value, the number of retries (retry times), and no response message has been received, the peer is considered unreachable. At this point the source closes the tunnel connection. However, the source continues to send keepalive messages; if the peer comes up, the source also comes up and the tunnel link is established.
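The counter logic in steps 1 to 3, as an added example that is not part of the original article and is not Huawei's implementation. The retry value of 3, the class and function names, and the rule that a response clears the counter are assumptions; transitions() lists the up/down changes a monitoring system would alert on.

```python
from dataclasses import dataclass

@dataclass
class KeepaliveSource:
    """Source end of a GRE tunnel with keepalive detection enabled."""
    retry_times: int = 3     # assumed preset value; the page states none
    unreachable: int = 0     # counter of probes sent without a response
    tunnel_up: bool = True

    def period(self, reply_received: bool) -> bool:
        """One timer period: send a probe, then process the response, if any."""
        self.unreachable += 1                 # step 1: each probe adds 1
        if reply_received:                    # step 2: the peer answered
            self.unreachable = 0              # assumption: a response clears the counter
            self.tunnel_up = True             # step 3: peer reachable (again)
        elif self.unreachable >= self.retry_times:
            self.tunnel_up = False            # step 3: close the tunnel, keep probing
        return self.tunnel_up

def simulate(replies: str, retry_times: int = 3) -> list[bool]:
    """replies: one character per period, 'R' = response seen, '.' = none."""
    src = KeepaliveSource(retry_times=retry_times)
    return [src.period(ch == "R") for ch in replies]

def transitions(states: list[bool]) -> list[tuple[int, str]]:
    """Up/down changes as (period number, new state), e.g. for flap alerting."""
    events, previous = [], True
    for number, up in enumerate(states, start=1):
        if up != previous:
            events.append((number, "up" if up else "down"))
        previous = up
    return events
```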

# # # Default


GRE over IPSec

Topology

Configuration steps

1. Configure the IP addresses of the physical interfaces and the static route to the peer so that the two ends are reachable from each other.

R1\R3:

ip route-static 202.138.162.0 255.255.255.0 202.138.163.2

2. Configure the GRE tunnel interface.

R1\R3:

interface Tunnel0/0/0
 ip address 192.168.1.2 255.255.255.0
 tunnel-protocol gre
 source 202.138.163.1
 destination 202.138.162.1

3. Configure IPSec security proposals to define the protection methods for IPSec.

R1\R3:

ipsec proposal Pro1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128

4. Configure the IKE peer to define the properties of the IKE negotiation between peers.

R1\R3:

ike peer RUT1 v1
 pre-shared-key cipher Huawei
 ike-proposal 5

5. Configure the security framework (IPSec profile), which references the security proposal and the IKE peer.

R1\R3:

ipsec profile Profile1
 ike-peer RUT1
 proposal Pro1

6. Apply the security framework on the tunnel interface so that the interface is protected by IPSec.

R1\R3:

interface Tunnel0/0/0
 ipsec profile Profile1

7. Configure the forwarding route for the tunnel interface to direct traffic that requires IPSec protection to the tunnel interface.

R1\R3:

ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/0
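A check for the result of steps 2 to 6, as an added example that is not part of the original article or any Huawei tool: it reports GRE tunnel interfaces with no IPSec profile applied, or with a profile whose proposal or IKE peer is not defined. The function names are hypothetical and SAMPLE is constructed from the commands on this page, with sub-commands assumed to be indented by one space.

```python
def parse_stanzas(config):
    """Group VRP-style lines as {header: [indented sub-commands]}, lower-cased."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "#"):
            continue
        if line[0].isspace() and current is not None:
            stanzas[current].append(line.strip().lower())
        else:
            current = line.strip().lower()
            stanzas.setdefault(current, [])      # a repeated stanza is merged
    return stanzas

def audit_gre_tunnels(config):
    """Findings for GRE tunnel interfaces lacking a fully defined IPSec profile."""
    stanzas, findings = parse_stanzas(config), []
    for header, body in stanzas.items():
        if not header.startswith("interface tunnel") or "tunnel-protocol gre" not in body:
            continue
        profile = next((c.split()[2] for c in body if c.startswith("ipsec profile ")), None)
        if profile is None:
            findings.append(f"{header}: GRE only, no ipsec profile applied")
        elif f"ipsec profile {profile}" not in stanzas:
            findings.append(f"{header}: ipsec profile {profile} is not defined")
        else:
            for cmd in stanzas[f"ipsec profile {profile}"]:
                kind, _, name = cmd.partition(" ")
                if kind == "proposal" and f"ipsec proposal {name}" not in stanzas:
                    findings.append(f"{header}: proposal {name} is not defined")
                if kind == "ike-peer" and not any(h.split()[:3] == ["ike", "peer", name] for h in stanzas):
                    findings.append(f"{header}: ike-peer {name} is not defined")
    return findings

# Constructed sample: the static-route tunnel plus the GRE over IPSec tunnel.
SAMPLE = """\
interface Tunnel0/0/1
 tunnel-protocol gre
ipsec proposal Pro1
 esp encryption-algorithm aes-128
ike peer RUT1 v1
 ike-proposal 5
ipsec profile Profile1
 ike-peer RUT1
 proposal Pro1
interface Tunnel0/0/0
 tunnel-protocol gre
#
interface Tunnel0/0/0
 ipsec profile Profile1
"""
```

Because step 2 and step 6 configure the same tunnel interface in two places, the parser merges repeated stanzas before checking.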


Principle Analysis

GRE can carry a variety of protocol messages, including multicast and broadcast messages, whereas IPSec does not support multi-protocol carriage and can only encrypt unicast data. Therefore, when voice, video and other such traffic must be tunneled, GRE over IPSec is used.

GRE tunnel encapsulation and decapsulation process

Encapsulation:

1. The ingress PE receives an X protocol message on an interface running the X protocol and first hands it to the X protocol for processing.

2. The X protocol looks up the destination address from the message header in the routing table or forwarding table to find the outbound interface and determine how to forward the message. If the outbound interface is a GRE tunnel interface, the message is GRE-encapsulated, that is, a GRE header is added.

3. Because the transport protocol of the backbone network is IP, an IP header is added to the message. The source address of the IP header is the tunnel source address and the destination address is the tunnel destination address.

4. Based on the destination address of the IP header (that is, the tunnel destination), the device finds the corresponding outbound interface in the backbone network routing table and sends the message. The encapsulated message is then transmitted across the backbone network.

Decapsulation:

1. The egress PE receives the message on the GRE tunnel interface, analyzes the IP header, and finds that the destination address of the message is the device itself; the egress PE then removes the IP header and hands the message to the GRE protocol for processing.

2. The GRE protocol strips the GRE header to obtain the X protocol message, which is then handed to the X protocol for subsequent forwarding.
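The encapsulation and decapsulation steps above at byte level, as an added example that is not part of the original article. It assumes IPv4 as the X protocol and a basic 4-byte GRE header with no optional fields; the PC host addresses, the payload and the peer-address check in gre_decapsulate are assumptions, while the tunnel endpoints are those of the first configuration. The inner packet appears unmodified inside the outer one, which is the reason for the GRE over IPSec setup described earlier.

```python
import socket
import struct

IPPROTO_GRE = 47           # IP protocol number carried in the outer header
GRE_PROTO_IPV4 = 0x0800    # GRE protocol type when the X protocol is IPv4

def checksum(header: bytes) -> int:
    """Internet checksum (RFC 1071) over an even-length header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 255,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Ingress steps 2-3: add the GRE header, then the outer IP header."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)   # no optional fields, version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner

def gre_decapsulate(packet: bytes, local: str, peer: str) -> bytes:
    """Egress steps 1-2: check the outer header, strip it and the GRE header."""
    if len(packet) < 24:
        raise ValueError("too short for IP + GRE headers")
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 4 or checksum(packet[:ihl]) != 0:
        raise ValueError("truncated packet or bad outer IP checksum")
    if packet[9] != IPPROTO_GRE or packet[16:20] != socket.inet_aton(local):
        raise ValueError("not GRE addressed to this device")
    if packet[12:16] != socket.inet_aton(peer):   # added check, not in the page's steps
        raise ValueError("outer source is not the configured tunnel peer")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags != 0 or proto != GRE_PROTO_IPV4:
        raise ValueError("unsupported GRE flags or payload protocol")
    return packet[ihl + 4:]

# Constructed sample: PC1 -> PC2 packet (host addresses and payload are assumed).
PAYLOAD = b"constructed payload"
INNER = ipv4_header("10.1.1.10", "10.1.2.10", 253, len(PAYLOAD)) + PAYLOAD
OUTER = gre_encapsulate(INNER, "20.1.1.1", "30.1.1.1")
```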

