
Configuring a GRE VPN on Huawei Firewalls

2024-06-26 15:39 | Source: compiled from the web


Configure IP addresses

[FW4-GigabitEthernet1/0/1]ip add 40.1.1.1 24
[FW4-GigabitEthernet1/0/0]ip add 10.1.1.1 24
[FW5-GigabitEthernet1/0/1]ip add 40.1.1.2 24
[FW5-GigabitEthernet1/0/0]ip add 10.1.2.2 24

Add the interfaces to their security zones

[FW4]firewall zone trust
[FW4-zone-trust]add interface GigabitEthernet 1/0/0
[FW4]firewall zone untrust
[FW4-zone-untrust]add interface GigabitEthernet 1/0/1
[FW4]firewall zone dmz
[FW4-zone-dmz]add interface Tunnel 1
[FW5]firewall zone trust
[FW5-zone-trust]add interface GigabitEthernet1/0/0
[FW5]firewall zone untrust
[FW5-zone-untrust]add interface GigabitEthernet 1/0/1
[FW5]firewall zone dmz
[FW5-zone-dmz]add interface Tunnel 1

Permit the required management service (ping) on the interfaces

[FW4-GigabitEthernet1/0/1]service-manage ping permit
[FW4-GigabitEthernet1/0/0]service-manage ping permit
[FW5-GigabitEthernet1/0/1]service-manage ping permit
[FW5-GigabitEthernet1/0/0]service-manage ping permit

Configure the GRE tunnel interfaces

[FW4]int Tunnel 1
[FW4-Tunnel1]ip add 172.16.2.1 30
[FW4-Tunnel1]tunnel-protocol gre
[FW4-Tunnel1]source 40.1.1.1
[FW4-Tunnel1]destination 40.1.1.2
[FW5]interface Tunnel 1
[FW5-Tunnel1]ip add 172.16.2.2 30
[FW5-Tunnel1]tunnel-protocol gre
[FW5-Tunnel1]source 40.1.1.2
[FW5-Tunnel1]destination 40.1.1.1

Configure the routes to the peer network

[FW4]ip route-static 10.1.2.0 24 Tunnel 1
[FW5]ip route-static 10.1.1.0 24 Tunnel 1

Configure the security policies

[FW4]security-policy
[FW4-policy-security]rule name gre1 // allow the two subnets to reach each other
[FW4-policy-security-rule-gre1]source-zone trust
[FW4-policy-security-rule-gre1]destination-zone dmz
[FW4-policy-security-rule-gre1]source-address 10.1.1.0 24
[FW4-policy-security-rule-gre1]destination-address 10.1.2.0 24
[FW4-policy-security-rule-gre1]action permit
[FW4-policy-security-rule-gre1]rule name gre2
[FW4-policy-security-rule-gre2]source-zone dmz
[FW4-policy-security-rule-gre2]destination-zone trust
[FW4-policy-security-rule-gre2]source-address 10.1.2.0 24
[FW4-policy-security-rule-gre2]destination-address 10.1.1.0 24
[FW4-policy-security-rule-gre2]action permit
[FW4-policy-security]rule name gre3 // permit the encapsulated GRE packets
[FW4-policy-security-rule-gre3]source-zone local untrust
[FW4-policy-security-rule-gre3]destination-zone local untrust
[FW4-policy-security-rule-gre3]service gre
[FW4-policy-security-rule-gre3]action permit

[FW5]security-policy
[FW5-policy-security]rule name gre1
[FW5-policy-security-rule-gre1]source-zone trust
[FW5-policy-security-rule-gre1]destination-zone dmz
[FW5-policy-security-rule-gre1]source-address 10.1.2.0 24
[FW5-policy-security-rule-gre1]destination-address 10.1.1.0 24
[FW5-policy-security-rule-gre1]action permit
[FW5-policy-security]rule name gre2
[FW5-policy-security-rule-gre2]source-zone dmz
[FW5-policy-security-rule-gre2]destination-zone trust
[FW5-policy-security-rule-gre2]source-address 10.1.1.0 24
[FW5-policy-security-rule-gre2]destination-address 10.1.2.0 24
[FW5-policy-security-rule-gre2]action permit
[FW5-policy-security]rule name gre3
[FW5-policy-security-rule-gre3]source-zone local untrust
[FW5-policy-security-rule-gre3]destination-zone local untrust
[FW5-policy-security-rule-gre3]service gre
[FW5-policy-security-rule-gre3]action permit

Verification

Packet capture on FW4's G1/0/1 interface while PC1 pings server1
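GRE by itself adds no encryption or authentication, so a capture on the untrust-side interface shows the inner packet in clear text behind the outer 40.1.1.1 to 40.1.1.2 header. The following added example (not part of the original article) decodes a constructed frame of that shape; the host addresses 10.1.1.10 for PC1 and 10.1.2.10 for server1 are assumptions, since the article does not list them.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at 0 because the sample is constructed.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_sample():
    # Constructed sample: PC1 (assumed 10.1.1.10) pings server1 (assumed 10.1.2.10);
    # FW4 wraps it in GRE from 40.1.1.1 to 40.1.1.2 as configured in the article.
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping-payload"
    inner = ipv4_header("10.1.1.10", "10.1.2.10", 1, len(icmp)) + icmp
    gre = struct.pack("!HH", 0x0000, 0x0800)  # no C/K/S flags, payload is IPv4
    return ipv4_header("40.1.1.1", "40.1.1.2", 47, len(gre) + len(inner)) + gre + inner

def parse_ipv4(buf):
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, buf[ihl:total_len]

def parse_gre(buf):
    flags, ptype = struct.unpack("!HH", buf[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset, key = 4, None
    if flags & 0x8000:          # C bit: checksum + reserved1 (RFC 2784)
        offset += 4
    if flags & 0x2000:          # K bit: 32-bit key (RFC 2890)
        key = struct.unpack("!I", buf[offset:offset + 4])[0]
        offset += 4
    if flags & 0x1000:          # S bit: sequence number (RFC 2890)
        offset += 4
    return ptype, key, buf[offset:]

def inspect(frame):
    o_src, o_dst, proto, rest = parse_ipv4(frame)
    if proto != 47:
        raise ValueError("outer packet is not GRE (IP protocol 47)")
    ptype, key, inner = parse_gre(rest)
    if ptype != 0x0800:
        raise ValueError("GRE payload is not IPv4")
    i_src, i_dst, i_proto, payload = parse_ipv4(inner)
    return {"outer": (o_src, o_dst), "gre_key": key,
            "inner": (i_src, i_dst), "inner_proto": i_proto, "payload": payload}

if __name__ == "__main__":
    print(inspect(build_sample()))
```

Where the path between the two untrust interfaces is not trusted, the readable inner addresses and payload are the reason GRE is commonly paired with IPsec.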



