Example for Configuring Inter-Board BGP over GRE over IPsec

Networking Requirements

As shown in Figure 1, a GRE over IPsec tunnel is created between Device A and Device B. The IPsec service board is installed in slot 1 on both CE-side Device A and PE-side Device B. The GRE tunnel board is installed in slot 1 on Device A and in slot 1 on Device B. On the Device B side, packets traverse the MPLS LDP network after being decrypted (and before being encrypted), and the Device B GRE tunnel is bound to an L3VPN.

Figure 1 Networking of BGP over GRE over IPsec

Configuration Roadmap

The configuration roadmap on Device A is as follows:

  1. Allocate IP addresses to interfaces.

  2. Create a loopback interface and bind it to GRE.

  3. Create a tunnel interface and configure attributes for the tunnel interface.

  4. Configure an ACL rule.

  5. Configure an IKE proposal.

  6. Configure an IPsec proposal.

  7. Configure an IKE peer.

  8. Configure IKE DPD.

  9. Configure an IPsec policy.

  10. Configure an IPsec service instance group.

  11. Create a tunnel interface and configure IPsec for the tunnel interface.

  12. Configure a static route that imports traffic into the tunnel.

  13. Configure a static route that imports GRE packets into the IPsec tunnel.

  14. Configure a static route that imports encrypted packets to a physical link's outbound interface.

  15. Configure BGP.

The configuration roadmap on Device B is as follows:

  1. Allocate IP addresses to interfaces.

  2. Create a loopback interface and bind it to GRE.

  3. Create and configure a VPN instance.

  4. Create a tunnel interface and configure attributes for the tunnel interface.

  5. Configure an ACL rule.

  6. Configure an IKE proposal.

  7. Configure an IPsec proposal.

  8. Configure an IKE peer.

  9. Configure IKE DPD.

  10. Configure an IPsec policy.

  11. Configure an IPsec service instance group.

  12. Create a tunnel interface and configure IPsec for the tunnel interface.

  13. Configure a static route that imports traffic into the tunnel.

  14. Configure a static route that imports GRE packets into the IPsec tunnel.

  15. Configure a static route that imports encrypted packets to a physical link's outbound interface.

  16. Configure IS-IS.

  17. Configure MPLS LDP sessions.

  18. Configure BGP.

Data Preparation

To complete the configuration, you need the following data:

  • IP addresses of interfaces

  • Security protocol, encapsulation mode, encryption and authentication algorithms that security protocols use

  • Pre-shared authentication key

Configuration Procedure

  • Configure Device A.

  1. Allocate IP addresses to interfaces.

    • Configure an IP address for GE 0/1/9.

      <DeviceA> system-view
      [~DeviceA] interface GigabitEthernet 0/1/9
      [*DeviceA-GigabitEthernet0/1/9] ip address 10.0.0.1 24
      [*DeviceA-GigabitEthernet0/1/9] quit
      [*DeviceA] commit
    • Configure an IP address for GE 0/1/1.

      [~DeviceA] interface GigabitEthernet 0/1/1
      [*DeviceA-GigabitEthernet0/1/1] ip address 10.1.0.1 24
      [*DeviceA-GigabitEthernet0/1/1] quit
      [*DeviceA] commit
  2. Create a loopback interface and bind it to GRE.

    [~DeviceA] interface LoopBack 1
    [*DeviceA-LoopBack1] ip address 10.60.60.60 32
    [*DeviceA-LoopBack1] binding tunnel gre
    [*DeviceA-LoopBack1] quit
    [*DeviceA] commit
  3. Create a tunnel interface and configure GRE for the tunnel interface.

    [~DeviceA] interface Tunnel 100
    [*DeviceA-Tunnel100] ip address 10.0.1.1 24
    [*DeviceA-Tunnel100] tunnel-protocol gre
    [*DeviceA-Tunnel100] source LoopBack 1
    [*DeviceA-Tunnel100] destination 10.108.108.108
    [*DeviceA-Tunnel100] quit
    [*DeviceA] commit
  4. Configure an ACL rule.

    [~DeviceA] acl 3001
    [*DeviceA-acl4-advance-3001] rule permit gre source 10.60.60.60 0 destination 10.108.108.108 0
    [*DeviceA-acl4-advance-3001] quit
    [*DeviceA] commit
  5. Configure an IKE proposal numbered 1.

    [~DeviceA] ike proposal 1
    [*DeviceA-ike-proposal-1] authentication-method pre-share
    [*DeviceA-ike-proposal-1] authentication-algorithm sha2-256
    [*DeviceA-ike-proposal-1] dh group14
    [*DeviceA-ike-proposal-1] quit
    [*DeviceA] commit
  6. Configure an IPsec proposal named pro1.

    [~DeviceA] ipsec proposal pro1
    [*DeviceA-ipsec-proposal-pro1] encapsulation-mode tunnel
    [*DeviceA-ipsec-proposal-pro1] transform esp
    [*DeviceA-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
    [*DeviceA-ipsec-proposal-pro1] esp encryption-algorithm aes 256
    [*DeviceA-ipsec-proposal-pro1] quit
    [*DeviceA] commit
  7. Configure an IKE peer named peer1.

    [~DeviceA] ike peer peer1
    [*DeviceA-ike-peer-peer1] pre-shared-key 1234567890
    [*DeviceA-ike-peer-peer1] ike-proposal 1
    [*DeviceA-ike-peer-peer1] remote-address 10.12.0.2 
    [*DeviceA-ike-peer-peer1] quit
    [*DeviceA] commit
  8. Configure IKE DPD.

    [~DeviceA] ike dpd interval 10 10
    [*DeviceA] commit
  9. Configure an IPsec policy named policy1 and numbered 1.

    [~DeviceA] ipsec policy policy1 1 isakmp
    [*DeviceA-ipsec-policy-isakmp-policy1-1] security acl 3001
    [*DeviceA-ipsec-policy-isakmp-policy1-1] proposal pro1
    [*DeviceA-ipsec-policy-isakmp-policy1-1] ike-peer peer1
    [*DeviceA-ipsec-policy-isakmp-policy1-1] quit
    [*DeviceA] commit
  10. Configure an IPsec service instance group.

    [~DeviceA] service-location 1
    [*DeviceA-service-location-1] location slot 1
    [*DeviceA-service-location-1] commit
    [~DeviceA-service-location-1] quit
    [~DeviceA] service-instance-group group1
    [*DeviceA-service-instance-group-group1] service-location 1
    [*DeviceA-service-instance-group-group1] commit
    [~DeviceA-service-instance-group-group1] quit
  11. Create a tunnel interface and configure IPsec for the tunnel interface.

    [~DeviceA] interface Tunnel 1
    [*DeviceA-Tunnel1] ip address 10.12.0.1 24
    [*DeviceA-Tunnel1] tunnel-protocol ipsec
    [*DeviceA-Tunnel1] ipsec policy policy1 service-instance-group group1
    [*DeviceA-Tunnel1] quit
    [*DeviceA] commit
  12. Configure a static route that imports traffic into the tunnel.

    [~DeviceA] ip route-static 10.0.1.2 255.255.255.255 Tunnel100
    [*DeviceA] commit
  13. Configure a static route that imports GRE packets into the IPsec tunnel.

    [~DeviceA] ip route-static 10.108.108.108 32 Tunnel 1 10.12.0.2
    [*DeviceA] commit
  14. Configure a static route that imports encrypted packets to a physical link's outbound interface.

    [~DeviceA] ip route-static 10.12.0.2 32 GigabitEthernet 0/1/9 10.0.0.2
    [*DeviceA] commit
  15. Configure BGP.

    [~DeviceA] bgp 200
    [*DeviceA-bgp] peer 10.0.1.2 as-number 100 
    [*DeviceA-bgp] peer 10.0.1.2 ebgp-max-hop 255
    [*DeviceA-bgp] peer 10.0.1.2 connect-interface Tunnel 100
    [*DeviceA-bgp] ipv4-family unicast
    [*DeviceA-bgp-af-ipv4] network 10.1.0.0
    [*DeviceA-bgp-af-ipv4] quit
    [*DeviceA] commit
  • Configure Device B.

  1. Allocate IP addresses to interfaces.

    [~DeviceB] interface GigabitEthernet0/1/3
    [*DeviceB-GigabitEthernet0/1/3] ip address 10.0.0.2 24
    [*DeviceB-GigabitEthernet0/1/3] quit
    [*DeviceB] commit
  2. Create a loopback interface and bind it to GRE.

    [~DeviceB] interface LoopBack 1
    [*DeviceB-LoopBack1] ip address 10.108.108.108 32
    [*DeviceB-LoopBack1] binding tunnel gre
    [*DeviceB-LoopBack1] quit
    [*DeviceB] commit
  3. Configure a VPN instance.

    [~DeviceB] ip vpn-instance vpn1
    [*DeviceB-vpn-instance-vpn1] ipv4-family
    [*DeviceB-vpn-instance-vpn1-af-ipv4] route-distinguisher 1:1
    [*DeviceB-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
    [*DeviceB-vpn-instance-vpn1-af-ipv4] quit
    [*DeviceB-vpn-instance-vpn1] quit
    [*DeviceB] commit
  4. Configure a GRE tunnel.

    [~DeviceB] interface Tunnel 100
    [*DeviceB-Tunnel100] ip binding vpn-instance vpn1
    [*DeviceB-Tunnel100] ip address 10.0.1.2 24
    [*DeviceB-Tunnel100] tunnel-protocol gre
    [*DeviceB-Tunnel100] source LoopBack 1
    [*DeviceB-Tunnel100] destination 10.60.60.60
    [*DeviceB-Tunnel100] quit
    [*DeviceB] commit
  5. Configure an ACL rule.

    [~DeviceB] acl 3001
    [*DeviceB-acl4-advance-3001] rule permit gre source 10.108.108.108 0 destination 10.60.60.60 0
    [*DeviceB-acl4-advance-3001] quit
    [*DeviceB] commit
  6. Configure an IKE proposal numbered 1.

    [~DeviceB] ike proposal 1
    [*DeviceB-ike-proposal-1] authentication-method pre-share
    [*DeviceB-ike-proposal-1] authentication-algorithm sha2-256
    [*DeviceB-ike-proposal-1] dh group14
    [*DeviceB-ike-proposal-1] quit
    [*DeviceB] commit
  7. Configure an IPsec proposal named pro1.

    [~DeviceB] ipsec proposal pro1
    [*DeviceB-ipsec-proposal-pro1] encapsulation-mode tunnel
    [*DeviceB-ipsec-proposal-pro1] transform esp
    [*DeviceB-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
    [*DeviceB-ipsec-proposal-pro1] esp encryption-algorithm aes 256
    [*DeviceB-ipsec-proposal-pro1] quit
    [*DeviceB] commit
  8. Configure an IKE peer named peer1.

    [~DeviceB] ike peer peer1
    [*DeviceB-ike-peer-peer1] pre-shared-key 1234567890
    [*DeviceB-ike-peer-peer1] ike-proposal 1
    [*DeviceB-ike-peer-peer1] remote-address 10.12.0.1
    [*DeviceB-ike-peer-peer1] quit
    [*DeviceB] commit
  9. Configure IKE DPD.

    [~DeviceB] ike dpd interval 10 10
    [*DeviceB] commit
  10. Configure an IPsec policy named policy1 and numbered 1.

    [~DeviceB] ipsec policy policy1 1 isakmp
    [*DeviceB-ipsec-policy-isakmp-policy1-1] security acl 3001
    [*DeviceB-ipsec-policy-isakmp-policy1-1] proposal pro1
    [*DeviceB-ipsec-policy-isakmp-policy1-1] ike-peer peer1
    [*DeviceB-ipsec-policy-isakmp-policy1-1] quit
    [*DeviceB] commit
  11. Configure an IPsec service instance group.

    [~DeviceB] service-location 1
    [*DeviceB-service-location-1] location slot 1
    [*DeviceB-service-location-1] commit
    [~DeviceB-service-location-1] quit
    [~DeviceB] service-instance-group group1
    [*DeviceB-service-instance-group-group1] service-location 1
    [*DeviceB-service-instance-group-group1] commit
    [~DeviceB-service-instance-group-group1] quit
  12. Create a tunnel interface and configure IPsec for the tunnel interface.

    [~DeviceB] interface Tunnel 1
    [*DeviceB-Tunnel1] ip address 10.12.0.2 24
    [*DeviceB-Tunnel1] tunnel-protocol ipsec
    [*DeviceB-Tunnel1] ipsec policy policy1 service-instance-group group1
    [*DeviceB-Tunnel1] quit
    [*DeviceB] commit
  13. Configure a static route that imports traffic into the tunnel.

    [~DeviceB] ip route-static vpn-instance vpn1 10.0.1.1 255.255.255.255 Tunnel100
    [*DeviceB] commit
  14. Configure a static route that imports GRE packets into the IPsec tunnel.

    [~DeviceB] ip route-static 10.60.60.60 32 Tunnel 1 10.12.0.1
    [*DeviceB] commit
  15. Configure a static route that imports encrypted packets to a physical link's outbound interface.

    [~DeviceB] ip route-static 10.12.0.1 32 GigabitEthernet 0/1/3 10.0.0.1
    [*DeviceB] commit
  16. Configure IS-IS.

    [~DeviceB] isis 1
    [*DeviceB-isis-1] network-entity 00.0000.0000.0108.00
    [*DeviceB-isis-1] quit
    [*DeviceB] commit
  17. Configure MPLS LDP sessions.

    [~DeviceB] interface LoopBack 0
    [*DeviceB-LoopBack0] ip address 10.108.108.108 32
    [*DeviceB-LoopBack0] isis enable 1
    [*DeviceB-LoopBack0] quit
    [*DeviceB] mpls lsr-id 10.108.108.108
    [*DeviceB] mpls
    [*DeviceB-mpls] quit
    [*DeviceB] mpls ldp
    [*DeviceB-mpls-ldp] quit
    [*DeviceB] interface GigabitEthernet0/1/2
    [*DeviceB-GigabitEthernet0/1/2] ip address 10.2.0.1 24
    [*DeviceB-GigabitEthernet0/1/2] isis enable 1
    [*DeviceB-GigabitEthernet0/1/2] mpls
    [*DeviceB-GigabitEthernet0/1/2] mpls ldp
    [*DeviceB-GigabitEthernet0/1/2] quit
    [*DeviceB] commit
  18. Configure BGP.

    [~DeviceB] bgp 100
    [*DeviceB-bgp] peer 10.2.0.2 as-number 100
    [*DeviceB-bgp] peer 10.2.0.2 connect-interface LoopBack0
    [*DeviceB-bgp] ipv4-family vpn-instance vpn1
    [*DeviceB-bgp-vpn1] peer 10.0.1.1 as-number 200
    [*DeviceB-bgp-vpn1] peer 10.0.1.1 ebgp-max-hop 255
    [*DeviceB-bgp-vpn1] peer 10.0.1.1 connect-interface Tunnel 100
    [*DeviceB-bgp-vpn1] quit
    [*DeviceB] commit

Configuration Files

  • Device A configuration file

#
 sysname DeviceA
#
ike dpd interval 10 10
#
service-location 1
 location slot 1
#
service-instance-group group1
 service-location 1
#
acl number 3001
 rule 5 permit gre source 10.60.60.60 0 destination 10.108.108.108 0
#
ike proposal 1
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
#
ike peer peer1
 pre-shared-key %$%$0\WT%.iDi6%K-f)_^mQ6,.2n%$%$
 ike-proposal 1
 remote-address 10.12.0.2
#
ipsec proposal pro1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
#
ipsec policy policy1 1 isakmp
 security acl 3001
 ike-peer peer1
 proposal pro1
#
interface GigabitEthernet0/1/9
 undo shutdown
 ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 10.1.0.1 255.255.255.0
#
interface LoopBack1
 ip address 10.60.60.60 255.255.255.255
 binding tunnel gre
#
interface Tunnel1
 ip address 10.12.0.1 255.255.255.0
 tunnel-protocol ipsec
 ipsec policy policy1 service-instance-group group1
#
interface Tunnel100
 ip address 10.0.1.1 255.255.255.0
 tunnel-protocol gre
 source LoopBack1
 destination 10.108.108.108
#
bgp 200
 peer 10.0.1.2 as-number 100
 peer 10.0.1.2 ebgp-max-hop 255
 peer 10.0.1.2 connect-interface Tunnel100
#
 ipv4-family unicast
  undo synchronization
  network 10.1.0.0 255.255.255.0
  peer 10.0.1.2 enable
#
 ip route-static 10.0.1.2 255.255.255.255 Tunnel100
 ip route-static 10.12.0.2 255.255.255.255 GigabitEthernet0/1/9 10.0.0.2
 ip route-static 10.108.108.108 255.255.255.255 Tunnel1 10.12.0.2
#
return

  • Device B configuration file

#
 sysname DeviceB
#
ike dpd interval 10 10
#
service-location 1
 location slot 1
#
service-instance-group group1
 service-location 1
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 1:1
  apply-label per-instance
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
 mpls lsr-id 10.108.108.108
 mpls
#
mpls ldp
#
acl number 3001
 rule 5 permit gre source 10.108.108.108 0 destination 10.60.60.60 0 
#
ike proposal 1
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
#
ike peer peer1
 pre-shared-key %$%$0\WT%.iDi6%K-f)_^mQ6,.2n%$%$
 ike-proposal 1
 remote-address 10.12.0.1
#
ipsec proposal pro1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
#
ipsec policy policy1 1 isakmp
 security acl 3001
 ike-peer peer1
 proposal pro1
#
isis 1
 network-entity 00.0000.0000.0108.00
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 10.0.0.2 255.255.255.0
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0
 isis enable 1
 mpls
 mpls ldp
#
interface LoopBack0
 ip address 10.108.108.108 255.255.255.255
 isis enable 1
#
interface LoopBack1
 ip address 10.108.108.108 255.255.255.255
 binding tunnel gre
#
interface Tunnel1
 ip address 10.12.0.2 255.255.255.0
 tunnel-protocol ipsec
 ipsec policy policy1 service-instance-group group1
#
interface Tunnel100
 ip binding vpn-instance vpn1
 ip address 10.0.1.2 255.255.255.0
 tunnel-protocol gre
 source LoopBack1
 destination 10.60.60.60
#
bgp 100
 peer 10.2.0.2 as-number 100
 peer 10.2.0.2 connect-interface LoopBack0
#
 ipv4-family unicast
  undo synchronization
  peer 10.2.0.2 enable
#
 ipv4-family vpnv4
  policy vpn-target
  peer 10.2.0.2 enable
#
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 10.0.1.1 as-number 200 
  peer 10.0.1.1 ebgp-max-hop 255
  peer 10.0.1.1 connect-interface Tunnel100
#
 ip route-static 10.12.0.1 255.255.255.255 GigabitEthernet0/1/3 10.0.0.1
 ip route-static 10.60.60.60 255.255.255.255 Tunnel1 10.12.0.1
 ip route-static vpn-instance vpn1 10.0.1.1 255.255.255.255 Tunnel100
#
return
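As an added check that is not part of the Huawei example, the following Python script parses the two configuration files above, reduced to the sections it reads and filled with the page's addresses, and verifies that each end's IKE remote address, GRE destination and ACL mirror the other end's LoopBack1 and Tunnel1 addresses; the section names and addresses come from the page, the function names are my own.

```python
# Constructed input (not the page's full files): the two configuration files
# above reduced to the sections read below, filled with the page's addresses.
TEMPLATE = """acl number 3001
 rule 5 permit gre source {lo} 0 destination {peer_lo} 0
ike peer peer1
 remote-address {peer_t1}
interface LoopBack1
 ip address {lo} 255.255.255.255
interface Tunnel1
 ip address {t1} 255.255.255.0
interface Tunnel100
 destination {peer_lo}"""
DEVICE_A = TEMPLATE.format(lo="10.60.60.60", peer_lo="10.108.108.108", t1="10.12.0.1", peer_t1="10.12.0.2")
DEVICE_B = TEMPLATE.format(lo="10.108.108.108", peer_lo="10.60.60.60", t1="10.12.0.2", peer_t1="10.12.0.1")

def field(config, section, keyword):
    """Arguments of the first `keyword` line under `section` (VRP indents children by one space)."""
    current = None
    for ln in config.splitlines():
        if ln and not ln.startswith(" "):
            current = ln.strip()
        elif current == section and ln.strip().startswith(keyword + " "):
            return ln.strip()[len(keyword) + 1:].split()
    raise KeyError(f"{section}: {keyword}")

def endpoints(config):
    """Collect the addresses that must agree between the two tunnel ends."""
    acl = field(config, "acl number 3001", "rule 5 permit gre")
    return {
        "lo": field(config, "interface LoopBack1", "ip address")[0],  # GRE source
        "t1": field(config, "interface Tunnel1", "ip address")[0],    # IPsec tunnel address
        "gre_dst": field(config, "interface Tunnel100", "destination")[0],
        "ike_remote": field(config, "ike peer peer1", "remote-address")[0],
        "acl": (acl[acl.index("source") + 1], acl[acl.index("destination") + 1]),
    }

def mismatches(cfg_a, cfg_b):
    """Names of the mirror checks that fail; an empty list means the two ends agree."""
    a, b = endpoints(cfg_a), endpoints(cfg_b)
    checks = {
        "A ike remote-address != B Tunnel1 address": a["ike_remote"] == b["t1"],
        "B ike remote-address != A Tunnel1 address": b["ike_remote"] == a["t1"],
        "A GRE destination != B LoopBack1": a["gre_dst"] == b["lo"],
        "B GRE destination != A LoopBack1": b["gre_dst"] == a["lo"],
        "A ACL does not select LoopBack1(A) -> LoopBack1(B) GRE": a["acl"] == (a["lo"], b["lo"]),
        "B ACL does not select LoopBack1(B) -> LoopBack1(A) GRE": b["acl"] == (b["lo"], a["lo"]),
    }
    return [name for name, ok in checks.items() if not ok]

if __name__ == "__main__":
    print(mismatches(DEVICE_A, DEVICE_B) or "both ends agree")
```

A mismatch in any of these pairs leaves IKE negotiation failing or the GRE traffic falling outside the ACL and therefore leaving the router in clear text, so the check is worth running before the tunnel is brought up.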
Copyright © Huawei Technologies Co., Ltd.