在華為防火墻上配置GRE實現不同地區網絡安全連接

拓撲如下圖所示：

A\B為不同地區的兩套網絡，需要通過配置GRE實現網絡安全連接。

配置步驟如下：

1.配置基本的ip地址

2.配置兩臺防火墻之間的路由可以到達，采用靜態路由配

3.配置防火墻與所屬區域內網的域間策略通過

4.配置tunnel 口 ，其中協議為gre協議，源地址為防火墻出口

5.目的地址為另一個防火墻的出口。

6.配置到達對端區域內網的靜態路由，下一跳是在tunnel 口上。

具體配置如下：

防火墻FW1：

interface GigabitEthernet1/0/3.1

vlan-type dot1q 10 \\vlan的類型打標簽為10

ip address 10.1.1.254 255.255.255.0

ospf network-type p2p \\ospf的網絡類型為p2p縮短建立鄰居時間

service-manage ping permit

interface GigabitEthernet1/0/3.2

vlan-type dot1q 20

ip address 10.1.2.254 255.255.255.0

ospf network-type p2p

service-manage ping permit

interface GigabitEthernet1/0/4

undo shutdown

ip address 200.1.1.1 255.255.255.0

service-manage ping permit

interface Tunnel0

ip address 172.1.1.1 255.255.255.0

tunnel-protocol gre

source 200.1.1.1

destination 100.1.1.1

firewall zone local

set priority 100

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface GigabitEthernet1/0/3

add interface GigabitEthernet1/0/3.1

add interface GigabitEthernet1/0/3.2

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/4

add interface Tunnel0

靜態路由的配置：

ip route-static 20.1.0.0 255.255.0.0 Tunnel0

ip route-static 100.1.1.0 255.255.255.0 200.1.1.2

防火墻的域間策略：

security-policy

rule name t_u

source-zone trust

destination-zone untrust

action permit

rule name u_t

source-zone untrust

destination-zone trust

action permit

rule name l_u

source-zone local

destination-zone untrust

action permit

rule name u_ll

source-zone untrust

destination-zone local

action permit

防火墻FW2配置：

interface GigabitEthernet1/0/3.1

vlan-type dot1q 10

description vl10

ip address 20.1.1.254 255.255.255.0

ospf network-type p2p

service-manage ping permit

interface GigabitEthernet1/0/3.2

vlan-type dot1q 20

description vl20

ip address 20.1.2.254 255.255.255.0

ospf network-type p2p

service-manage ping permit

interface GigabitEthernet1/0/4

undo shutdown

ip address 100.1.1.1 255.255.255.0

service-manage ping permit

tunnel 0的ipv4地址：

interface Tunnel0

ip address 172.1.1.2 255.255.255.0

tunnel-protocol gre

source 100.1.1.1

destination 200.1.1.1

把接口加入防火墻的安全區域：

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface GigabitEthernet1/0/3

add interface GigabitEthernet1/0/3.1

add interface GigabitEthernet1/0/3.2

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/4

add interface Tunnel0

配置到達公網與私網的靜態路由：

ip route-static 10.1.0.0 255.255.0.0 Tunnel0

ip route-static 200.1.1.0 255.255.255.0 100.1.1.2

配置防火墻的域間策略：

security-policy

rule name t_u

source-zone trust

destination-zone untrust

action permit

rule name u_t

source-zone untrust

destination-zone trust

action permit

rule name l_u

source-zone local

destination-zone untrust

action permit

rule name u_ll

source-zone untrust

destination-zone local

action permit