Example for Configuring GRE over IPsec (with the Source Interface Address of a GRE Tunnel the Same as the Source IP Address of an IPsec Tunnel)

In GRE over IPsec networking, using the same source IP address for the GRE tunnel and the IPsec tunnel saves IP address resources.

Networking Requirements

Figure 1 shows the networking diagram.

Figure 1 GRE over IPsec networking

Interfaces 1 and 2 in this example represent GE 0/1/1 and GE 0/1/2, respectively.



  • Network A belongs to subnet 10.1.1.0/24 and connects to GE 0/1/1 on DeviceA.

  • Network B belongs to subnet 10.1.2.0/24 and connects to GE 0/1/1 on DeviceB.

  • DeviceA and DeviceB are routable to each other.

Configuration Notes

A GRE tunnel uses a loopback interface as its source interface, and an IPsec tunnel borrows the IP address of a physical interface. Because the IP address of the GRE tunnel's source interface must be the same as the source IP address of the IPsec tunnel, the loopback interface must be bound to a VPN instance; otherwise the loopback interface and the physical interface would hold the same address in the public routing table and conflict.

The binding tunnel ipsec command is automatically generated on the interface whose IP address is borrowed by the IPsec tunnel.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a GRE tunnel between DeviceA and DeviceB to encapsulate multicast and broadcast packets.

  2. Configure an IPsec tunnel between DeviceA and DeviceB to encrypt multicast and broadcast packets.

  3. Use a loopback interface as the source interface of the GRE tunnel, and have the IPsec tunnel borrow the IP address of a physical interface.

Data Preparation

To complete the configuration, you need the following data:

  • IP addresses of interfaces
  • Tunnel mode, IP address, source IP address, and destination IP address of a tunnel interface
  • IP address segment on each network
  • Pre-shared key
  • Security protocol, encryption algorithm, and authentication algorithm to be used in an IPsec proposal
  • Authentication algorithm used in an IKE security proposal

Procedure

  • Configure DeviceA.
    1. Assign an IP address to each interface.

      1. Assign an IP address to GE 0/1/1.

        <DeviceA> system-view
        [~DeviceA] interface GigabitEthernet 0/1/1
        [~DeviceA-GigabitEthernet0/1/1] ip address 10.1.1.1 24
        [*DeviceA-GigabitEthernet0/1/1] quit
        [*DeviceA] commit
      2. Assign an IP address to GE 0/1/2.

        [~DeviceA] interface GigabitEthernet 0/1/2
        [~DeviceA-GigabitEthernet0/1/2] ip address 172.16.3.1 24
        [*DeviceA-GigabitEthernet0/1/2] quit
        [*DeviceA] commit
      3. Assign an IP address for Loopback1 and bind the interface to a VPN instance.

        [~DeviceA] ip vpn-instance vpna
        [~DeviceA-vpn-instance-vpna] ipv4-family
        [*DeviceA-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
        [*DeviceA-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
        [*DeviceA-vpn-instance-vpna-af-ipv4] quit
        [*DeviceA-vpn-instance-vpna] quit
        [*DeviceA] interface loopback1
        [*DeviceA-Loopback1] ip binding vpn-instance vpna
        [*DeviceA-Loopback1] ip address 172.16.3.1 255.255.255.255
        [*DeviceA-Loopback1] quit
        [*DeviceA] commit

    2. Configure the IPsec service instance group.

      [~DeviceA] service-location 1
      [*DeviceA-service-location-1] location slot 1
      [*DeviceA-service-location-1] commit
      [~DeviceA-service-location-1] quit
      [~DeviceA] service-instance-group group1
      [*DeviceA-service-instance-group-group1] service-location 1
      [*DeviceA-service-instance-group-group1] commit
      [~DeviceA-service-instance-group-group1] quit

    3. Create a tunnel interface and configure attributes for it.

      [~DeviceA] interface loopback1
      [*DeviceA-Loopback1] binding tunnel gre
      [*DeviceA-Loopback1] quit
      [~DeviceA] interface Tunnel 2
      [*DeviceA-Tunnel2] tunnel-protocol gre
      [*DeviceA-Tunnel2] ip address 172.21.1.1 24
      [*DeviceA-Tunnel2] source loopback1
      [*DeviceA-Tunnel2] destination vpn-instance vpna 172.16.9.1
      [*DeviceA-Tunnel2] quit
      [*DeviceA] commit
      [~DeviceA] interface Tunnel 1
      [*DeviceA-Tunnel1] tunnel-protocol ipsec
      [*DeviceA-Tunnel1] ip address unnumbered interface GigabitEthernet0/1/2
      [*DeviceA-Tunnel1] quit
      [*DeviceA] commit

    4. Configure a static route destined for network B. Assume that the next-hop IP address and mask for DeviceA are 172.16.3.2/24.

      When you configure the static route to direct traffic to an IPsec tunnel, set the outbound interface in the static route to the IPsec tunnel interface and specify a next-hop IP address.

      [~DeviceA] ip route-static 10.1.2.2 255.255.255.255 Tunnel 2
      [*DeviceA] ip route-static vpn-instance vpna 172.16.9.1 255.255.255.255 Tunnel 1 172.16.9.1
      [*DeviceA] ip route-static 172.16.9.1 255.255.255.255 172.16.3.2
      [*DeviceA] commit

    5. Configure an advanced ACL numbered 3000.

      [~DeviceA] acl 3000
      [*DeviceA-acl-adv-3000] rule permit gre vpn-instance vpna source 172.16.3.1 0.0.0.0 destination 172.16.9.1 0.0.0.0
      [*DeviceA-acl-adv-3000] quit
      [*DeviceA] commit

    6. Configure an IPsec security proposal named tran1.

      [~DeviceA] ipsec proposal tran1
      [*DeviceA-ipsec-proposal-tran1] encapsulation-mode tunnel
      [*DeviceA-ipsec-proposal-tran1] transform esp
      [*DeviceA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [*DeviceA-ipsec-proposal-tran1] esp encryption-algorithm aes 256
      [*DeviceA-ipsec-proposal-tran1] quit
      [*DeviceA] commit

    7. Configure an IKE proposal numbered 10.

      [~DeviceA] ike proposal 10
      [*DeviceA-ike-proposal-10] authentication-method pre-share
      [*DeviceA-ike-proposal-10] authentication-algorithm sha2-256
      [*DeviceA-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [*DeviceA-ike-proposal-10] dh group14
      [*DeviceA-ike-proposal-10] quit
      [*DeviceA] commit

    8. Configure an IKE peer named b.

      • The pre-shared key must be identical to the one configured on the peer device.

      [~DeviceA] ike peer b 
      [*DeviceA-ike-peer-b] ike-proposal 10 
      [*DeviceA-ike-peer-b] remote-address 172.16.9.1 
      [*DeviceA-ike-peer-b] pre-shared-key abcde 
      [*DeviceA-ike-peer-b] sa binding vpn-instance vpna 
      [*DeviceA-ike-peer-b] quit
      [*DeviceA] commit

    9. Configure an IPsec security policy named map1 and numbered 10.

      [~DeviceA] ipsec policy map1 10 isakmp
      [*DeviceA-ipsec-policy-isakmp-map1-10] security acl 3000
      [*DeviceA-ipsec-policy-isakmp-map1-10] proposal tran1
      [*DeviceA-ipsec-policy-isakmp-map1-10] ike-peer b
      [*DeviceA-ipsec-policy-isakmp-map1-10] quit
      [*DeviceA] commit

    10. Apply the IPsec policy named map1 to the tunnel interface.

      [~DeviceA] interface Tunnel 1
      [*DeviceA-Tunnel1] ipsec policy map1 service-instance-group group1
      [*DeviceA-Tunnel1] quit
      [*DeviceA] commit

  • Configure DeviceB.
    1. Assign an IP address to each interface.

      1. Assign an IP address to GE 0/1/1.

        <DeviceB> system-view
        [~DeviceB] interface GigabitEthernet 0/1/1
        [~DeviceB-GigabitEthernet0/1/1] ip address 10.1.2.1 24
        [*DeviceB-GigabitEthernet0/1/1] quit
        [*DeviceB] commit
      2. Assign an IP address to GE 0/1/2.

        [~DeviceB] interface GigabitEthernet 0/1/2
        [~DeviceB-GigabitEthernet0/1/2] ip address 172.16.9.1 24
        [*DeviceB-GigabitEthernet0/1/2] quit
        [*DeviceB] commit
      3. Assign an IP address for Loopback1 and bind the interface to a VPN instance.

        [~DeviceB] ip vpn-instance vpna
        [~DeviceB-vpn-instance-vpna] ipv4-family
        [*DeviceB-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
        [*DeviceB-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
        [*DeviceB-vpn-instance-vpna-af-ipv4] quit
        [*DeviceB-vpn-instance-vpna] quit
        [*DeviceB] interface loopback1
        [*DeviceB-Loopback1] ip binding vpn-instance vpna
        [*DeviceB-Loopback1] ip address 172.16.9.1 255.255.255.255
        [*DeviceB-Loopback1] quit
        [*DeviceB] commit

    2. Configure the IPsec service instance group.

      [~DeviceB] service-location 1
      [*DeviceB-service-location-1] location slot 1
      [*DeviceB-service-location-1] commit
      [~DeviceB-service-location-1] quit
      [~DeviceB] service-instance-group group1
      [*DeviceB-service-instance-group-group1] service-location 1
      [*DeviceB-service-instance-group-group1] commit
      [~DeviceB-service-instance-group-group1] quit

    3. Create a tunnel interface and configure attributes for it.

      [~DeviceB] interface loopback1
      [*DeviceB-Loopback1] binding tunnel gre
      [*DeviceB-Loopback1] quit
      [~DeviceB] interface Tunnel 2
      [*DeviceB-Tunnel2] tunnel-protocol gre
      [*DeviceB-Tunnel2] ip address 172.22.1.2 24
      [*DeviceB-Tunnel2] source loopback1
      [*DeviceB-Tunnel2] destination vpn-instance vpna 172.16.3.1
      [*DeviceB-Tunnel2] quit
      [*DeviceB] commit
      [~DeviceB] interface Tunnel 1
      [*DeviceB-Tunnel1] tunnel-protocol ipsec
      [*DeviceB-Tunnel1] ip address unnumbered interface GigabitEthernet0/1/2
      [*DeviceB-Tunnel1] quit
      [*DeviceB] commit

    4. Configure a static route destined for network A. Assume that the next-hop IP address and mask for DeviceB are 172.16.9.2/24.

      When you configure the static route to direct traffic to an IPsec tunnel, set the outbound interface in the static route to the IPsec tunnel interface and specify a next-hop IP address.

      [~DeviceB] ip route-static 10.1.1.2 255.255.255.255 Tunnel 2
      [*DeviceB] ip route-static vpn-instance vpna 172.16.3.1 255.255.255.255 Tunnel 1 172.16.3.1
      [*DeviceB] ip route-static 172.16.3.1 255.255.255.255 172.16.9.2
      [*DeviceB] commit

    5. Configure an advanced ACL numbered 3000.

      [~DeviceB] acl 3000
      [*DeviceB-acl-adv-3000] rule permit gre vpn-instance vpna source 172.16.9.1 0.0.0.0 destination 172.16.3.1 0.0.0.0
      [*DeviceB-acl-adv-3000] quit
      [*DeviceB] commit

    6. Configure an IPsec security proposal named tran1.

      [~DeviceB] ipsec proposal tran1
      [*DeviceB-ipsec-proposal-tran1] encapsulation-mode tunnel
      [*DeviceB-ipsec-proposal-tran1] transform esp
      [*DeviceB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [*DeviceB-ipsec-proposal-tran1] esp encryption-algorithm aes 256
      [*DeviceB-ipsec-proposal-tran1] quit
      [*DeviceB] commit

    7. Configure an IKE proposal numbered 10.

      [~DeviceB] ike proposal 10 
      [*DeviceB-ike-proposal-10] authentication-method pre-share 
      [*DeviceB-ike-proposal-10] authentication-algorithm sha2-256 
      [*DeviceB-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [*DeviceB-ike-proposal-10] dh group14
      [*DeviceB-ike-proposal-10] quit
      [*DeviceB] commit

    8. Configure an IKE peer named a.

      • The pre-shared key must be identical to the one configured on the peer device.

      [~DeviceB] ike peer a 
      [*DeviceB-ike-peer-a] ike-proposal 10 
      [*DeviceB-ike-peer-a] remote-address 172.16.3.1 
      [*DeviceB-ike-peer-a] pre-shared-key abcde 
      [*DeviceB-ike-peer-a] sa binding vpn-instance vpna 
      [*DeviceB-ike-peer-a] quit
      [*DeviceB] commit

    9. Configure an IPsec security policy named map1 and numbered 10.

      [~DeviceB] ipsec policy map1 10 isakmp 
      [*DeviceB-ipsec-policy-isakmp-map1-10] security acl 3000 
      [*DeviceB-ipsec-policy-isakmp-map1-10] proposal tran1 
      [*DeviceB-ipsec-policy-isakmp-map1-10] ike-peer a 
      [*DeviceB-ipsec-policy-isakmp-map1-10] quit
      [*DeviceB] commit

    10. Apply the IPsec policy named map1 to the tunnel interface.

      [~DeviceB] interface Tunnel1 
      [*DeviceB-Tunnel1] ipsec policy map1 service-instance-group group1
      [*DeviceB-Tunnel1] quit
      [*DeviceB] commit

Configuration Files

  • DeviceA configuration file

    #
     sysname DeviceA
    #
    acl number 3000
     rule 5 permit gre vpn-instance vpna source 172.16.3.1 0 destination 172.16.9.1 0
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 100:1
      apply-label per-instance
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    service-location 1
     location slot 1
    #
    service-instance-group group1
     service-location 1
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
    #
    ike peer b
     pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
     ike-proposal 10
     remote-address 172.16.9.1
     sa binding vpn-instance vpna
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer b
     proposal tran1
    #
    interface GigabitEthernet0/1/1 
     undo shutdown
     ip address 10.1.1.1 255.255.255.0 
    #
    interface GigabitEthernet0/1/2
     undo shutdown
     ip address 172.16.3.1 255.255.255.0
     binding tunnel ipsec
    #
    interface loopback1
     ip binding vpn-instance vpna
     ip address 172.16.3.1 255.255.255.255
     binding tunnel gre
    #
    interface Tunnel1
     ip address unnumbered interface GigabitEthernet0/1/2
     tunnel-protocol ipsec
     ipsec policy map1 service-instance-group group1
    #
    interface Tunnel2
     ip address 172.21.1.1 255.255.255.0
     tunnel-protocol gre
     source loopback1
     destination vpn-instance vpna 172.16.9.1
    #
     ip route-static 10.1.2.2 255.255.255.255 Tunnel 2 172.16.9.1
     ip route-static vpn-instance vpna 172.16.9.1 255.255.255.255 Tunnel 1 172.16.9.1
     ip route-static 172.16.9.1 255.255.255.255 172.16.3.2
    #
    return
  • DeviceB configuration file
    #
     sysname DeviceB
    #
    acl number 3000
     rule 5 permit gre vpn-instance vpna source 172.16.9.1 0 destination 172.16.3.1 0
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 100:1
      apply-label per-instance
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    service-location 1
     location slot 1
    #
    service-instance-group group1
     service-location 1
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
    #
    ike peer a
     pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
     ike-proposal 10
     remote-address 172.16.3.1
     sa binding vpn-instance vpna
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #
    interface GigabitEthernet0/1/1
     undo shutdown
     ip address 10.1.2.1 255.255.255.0
    #
    interface GigabitEthernet0/1/2
     undo shutdown
     ip address 172.16.9.1 255.255.255.0
     binding tunnel ipsec
    #
    interface loopback1
     ip binding vpn-instance vpna
     ip address 172.16.9.1 255.255.255.255
     binding tunnel gre
    #
    interface Tunnel1
     ip address unnumbered interface GigabitEthernet0/1/2
     tunnel-protocol ipsec
     ipsec policy map1 service-instance-group group1
    #
    interface Tunnel2
     ip address 172.22.1.2 255.255.255.0
     tunnel-protocol gre
     source loopback1
     destination vpn-instance vpna 172.16.3.1
    #
     ip route-static 10.1.1.2 255.255.255.255 Tunnel 2 172.16.3.1
     ip route-static vpn-instance vpna 172.16.3.1 255.255.255.255 Tunnel 1 172.16.3.1
     ip route-static 172.16.3.1 255.255.255.255 172.16.9.2
    #
    return
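The Configuration Notes and the procedure above make the design depend on a handful of facts that must agree on both devices: the loopback address equals the address borrowed by the IPsec tunnel, the loopback is bound to the VPN instance, the GRE destination and IKE remote-address point at the peer's loopback, ACL 3000 selects exactly the GRE traffic between the two loopbacks, and the proposals match. The script below is an added example written for this page, not Huawei code and not part of the original document. It parses configuration text in the section-per-`#` layout of the configuration files above and cross-checks those facts for a pair of devices. The TEMPLATE is a constructed abbreviation of the DeviceA/DeviceB files (only the sections the checks need); build_config, parse_sections, tunnel_facts and check_pair are this example's own names; the WEAK token list is the example's own, non-exhaustive choice of algorithms a reviewer would reject; and the `%$%$...%$%$` pre-shared-key storage form is taken from the configuration files shown above.

```python
import re

# Tokens a reviewer would not accept in an IKE/IPsec proposal (non-exhaustive, example's own list).
WEAK = {"des-cbc", "3des-cbc", "md5", "sha1", "hmac-md5-96", "hmac-sha1-96", "group1", "group2", "group5"}
# Constructed template: the sections of this example's configuration files the checks depend on.
TEMPLATE = """\
#
acl number 3000
 rule 5 permit gre vpn-instance vpna source {local} 0 destination {remote} 0
#
ike proposal 10
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
#
ike peer {peer}
 pre-shared-key {psk}
 remote-address {remote}
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
#
interface GigabitEthernet0/1/2
 ip address {local} 255.255.255.0
 binding tunnel ipsec
#
interface loopback1
 ip binding vpn-instance vpna
 ip address {loopback} 255.255.255.255
 binding tunnel gre
#
interface Tunnel2
 tunnel-protocol gre
 source loopback1
 destination vpn-instance vpna {remote}
#
"""

def build_config(peer, local, remote, loopback=None, psk="%$%$constructed%$%$"):
    """Render one side; the loopback defaults to the address borrowed by the IPsec tunnel."""
    return TEMPLATE.format(peer=peer, local=local, remote=remote, loopback=loopback or local, psk=psk)

def parse_sections(text):
    """Split a VRP-style configuration into (header, body lines) blocks delimited by '#'."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#"):
            cur = None
        elif cur is None:
            cur = (line, [])
            sections.append(cur)
        else:
            cur[1].append(line)
    return sections

def field(body, keyword, idx):
    """Token idx of the first body line starting with keyword, or None if absent."""
    return next((ln.split()[idx] for ln in body if ln.startswith(keyword)), None)

def tunnel_facts(text):
    """Extract the addresses, ACL selector and algorithms the two peers must agree on."""
    s = parse_sections(text)
    body = lambda prefix: next((b for h, b in s if h.startswith(prefix)), [])
    lo, peer = body("interface loopback1"), body("ike peer")
    m = re.search(r"permit (\w+) .*source (\S+) \S+ destination (\S+)", " ".join(body("acl number 3000")))
    return {
        "loopback": field(lo, "ip address", 2),
        "vpn": field(lo, "ip binding vpn-instance", 3),
        "borrowed": next((field(b, "ip address", 2) for _, b in s if "binding tunnel ipsec" in b), None),
        "gre_dst": field(body("interface Tunnel2"), "destination", -1),
        "ike_remote": field(peer, "remote-address", 1),
        "psk": field(peer, "pre-shared-key", 1) or "",
        "acl": m.groups() if m else None,
        "algs": {w for h, b in s if h.startswith(("ike proposal", "ipsec proposal")) for ln in b for w in ln.split()},
    }

def check_pair(cfg_a, cfg_b):
    """Cross-check both sides; an empty list means the pair is consistent."""
    a, b = tunnel_facts(cfg_a), tunnel_facts(cfg_b)
    findings = []
    for name, me, peer in (("A", a, b), ("B", b, a)):
        checks = [
            (me["loopback"] == me["borrowed"], f"GRE source {me['loopback']} is not the IPsec source {me['borrowed']}"),
            (me["vpn"] is not None, "loopback1 not bound to a VPN instance, so its address conflicts with the physical interface"),
            (me["gre_dst"] == peer["loopback"], f"GRE destination {me['gre_dst']} is not the peer loopback {peer['loopback']}"),
            (me["ike_remote"] == peer["loopback"], f"IKE remote-address {me['ike_remote']} is not the peer loopback"),
            (me["acl"] == ("gre", me["loopback"], peer["loopback"]), "ACL 3000 does not select exactly GRE between the two loopbacks"),
            (re.fullmatch(r"%\$%\$.+%\$%\$", me["psk"]) is not None, "pre-shared key is not in the device's encrypted storage form"),
            (not me["algs"] & WEAK, f"weak algorithms in proposals: {sorted(me['algs'] & WEAK)}"),
        ]
        findings += [f"{name}: {msg}" for ok, msg in checks if not ok]
    if a["algs"] != b["algs"]:
        findings.append("IKE/IPsec proposals differ between the peers")
    return findings

if __name__ == "__main__":
    cfg_a, cfg_b = build_config("b", "172.16.3.1", "172.16.9.1"), build_config("a", "172.16.9.1", "172.16.3.1")
    print(check_pair(cfg_a, cfg_b) or "no findings")  # the pair as documented; configuration drift shows up as findings
```

To run the checks against real `display current-configuration` output instead of the constructed template, pass the two captured texts to check_pair directly; the parser only relies on the `#`-delimited section layout shown in the configuration files above. A loopback whose address no longer matches the borrowed physical address, a GRE destination or IKE remote-address that no longer points at the peer's loopback, or a pre-shared key that appears in cleartext are each reported as a separate finding, so the output can be fed into routine configuration-drift review.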
Copyright © Huawei Technologies Co., Ltd.