GRE configuration example:



Center FGT GRE configuration:
config system gre-tunnel
    edit "tunnel1"
        set interface "port15"
        set remote-gw 202.106.2.1
        set local-gw 202.106.1.1
    next
end
config system interface
    edit "tunnel1"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.2
        set allowaccess ping
    next
end

Side-1 FGT GRE configuration:
config system gre-tunnel
    edit "tunnel1"
        set interface "port15"
        set remote-gw 202.106.1.1
        set local-gw 202.106.2.1
    next
end
config system interface
    edit "tunnel1"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.1
        set allowaccess ping
    next
end

Connectivity test. Principle: if the remote-ip and the local ip can reach each other, the GRE tunnel is up.
# execute ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1): 56 data bytes
64 bytes from 10.10.10.1: icmp_seq=0 ttl=255 time=0.3 ms
64 bytes from 10.10.10.1: icmp_seq=1 ttl=255 time=0.2 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=255 time=0.1 ms

# execute ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=255 time=0.3 ms
64 bytes from 10.10.10.2: icmp_seq=1 ttl=255 time=0.2 ms
64 bytes from 10.10.10.2: icmp_seq=2 ttl=255 time=0.1 ms

Center FGT route for LAN traffic over the GRE tunnel:
config router static
    edit 0
        set dst 192.168.112.0 255.255.255.0
        set device "tunnel1"
    next
end

# get router info routing-table all

S*      0.0.0.0/0 [10/0] via 202.106.1.2, port15
C       10.10.10.1/32 is directly connected, tunnel1
C       10.10.10.2/32 is directly connected, tunnel1
C       192.168.111.0/24 is directly connected, port16
S       192.168.112.0/24 [10/0] via 10.10.10.2, tunnel1
C       202.106.1.0/24 is directly connected, port15

Side-1 FGT route for LAN traffic over the GRE tunnel:
config router static
    edit 0
        set dst 192.168.111.0 255.255.255.0
        set device "tunnel1"
    next
end

# get router info routing-table all

S*      0.0.0.0/0 [10/0] via 202.106.2.2, port15
C       10.10.10.1/32 is directly connected, tunnel1
C       10.10.10.2/32 is directly connected, tunnel1
S       192.168.111.0/24 [10/0] via 10.10.10.1, tunnel1
C       192.168.112.0/24 is directly connected, port16
C       202.106.2.0/24 is directly connected, port15

Center FGT firewall policy between the LAN segment and the GRE tunnel:
config firewall policy
    edit 0
        set srcintf "port16"
        set dstintf "tunnel1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "tunnel1"
        set dstintf "port16"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# execute ping-options source 192.168.111.1
# execute ping 192.168.112.1
PING 192.168.112.1 (192.168.112.1): 56 data bytes
64 bytes from 192.168.112.1:icmp_seq=0 ttl=255 time=0.8

Side-1 FGT firewall policy between the LAN segment and the GRE tunnel:
config firewall policy
    edit 0
        set srcintf "port16"
        set dstintf "tunnel1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "tunnel1"
        set dstintf "port16"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# execute ping-options source 192.168.112.1
# execute ping 192.168.111.1
PING 192.168.111.1 (192.168.111.1): 56 data bytes
64 bytes from 192.168.111.1:icmp_seq=0 ttl=255 time=0.8

GRE traffic test:


# diagnose sniffer packet any "icmp or proto 47" 4
interfaces=[any]
filters=[icmp or proto 47]
4.236495 port16 in 192.168.111.100 -> 192.168.112.100: icmp: echo request
4.236518 tunnel1 out 192.168.111.100 -> 192.168.112.100: icmp: echo request
4.236529 port15 out 202.106.1.1 -> 202.106.2.1:  ip-proto-47 64

4.236980 port15 in 202.106.2.1 -> 202.106.1.1:  ip-proto-47 64
4.236980 tunnel1 in 192.168.112.100 -> 192.168.111.100: icmp: echo reply
4.237000 port16 out 192.168.112.100 -> 192.168.111.100: icmp: echo reply

# diagnose debug flow filter addr 192.168.112.100
# diagnose debug flow filter  proto 1
# diagnose debug flow show console enable
# diagnose debug flow show function-name enable
# diagnose debug flow trace start 10
# diagnose debug enable   
id=20085 trace_id=34 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=1, 192.168.111.100:768->192.168.112.100:8) from port16. code=8, type=0, id=768, seq=4897."
id=20085 trace_id=34 func=init_ip_session_common line=4631 msg="allocate a new session-0050a2ad"
id=20085 trace_id=34 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.10.10.2 via tunnel1"
id=20085 trace_id=34 func=fw_forward_handler line=686 msg="Allowed by Policy-2:"

id=20085 trace_id=35 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=1, 192.168.112.100:768->192.168.111.100:0) from tunnel1. code=0, type=0, id=768, seq=4897."
id=20085 trace_id=35 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-0050a2ad, reply direction"
id=20085 trace_id=35 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.111.100 via port16"
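The sniffer output above is the evidence that the tunnel is doing its job: each ICMP packet that leaves tunnel1 reappears on port15 as an ip-proto-47 (GRE) packet between the configured local-gw and remote-gw, and each GRE packet arriving on port15 is decapsulated onto tunnel1. The following Python script is an added example (not code from the page or from Fortinet) that parses that capture format and checks exactly those two properties, so the same check can be run over a longer capture instead of reading it by eye. The sample capture is the page's own output; the extra "stray" line is constructed to show what a finding looks like.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches one line of "diagnose sniffer packet any '...' 4" output:
# <timestamp> <interface> <in|out> <src> -> <dst>: <protocol summary>
_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+->\s+(?P<dst>\d+(?:\.\d+){3}):\s*(?P<summary>.*)$"
)


@dataclass
class Packet:
    ts: float
    iface: str
    direction: str
    src: str
    dst: str
    summary: str

    @property
    def is_gre(self) -> bool:
        # FortiOS prints GRE (IP protocol 47) as "ip-proto-47 <len>" at this verbosity
        return "ip-proto-47" in self.summary


def parse_sniffer(text: str) -> List[Packet]:
    """Parse sniffer output, skipping the interfaces=/filters= banner and blank lines."""
    packets = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            packets.append(Packet(float(m["ts"]), m["iface"], m["dir"],
                                  m["src"], m["dst"], m["summary"]))
    return packets


def check_encapsulation(packets: List[Packet], tunnel_if: str, wan_if: str,
                        local_gw: str, remote_gw: str) -> List[str]:
    """Return a list of findings; an empty list means every tunnel packet was
    wrapped (egress) or unwrapped (ingress) between the configured gateways."""
    findings = []
    for i, p in enumerate(packets):
        nxt: Optional[Packet] = packets[i + 1] if i + 1 < len(packets) else None
        # Egress: plaintext leaves the tunnel interface, so the next event must be
        # a GRE packet local_gw -> remote_gw going out the WAN interface.
        if p.iface == tunnel_if and p.direction == "out":
            ok = (nxt is not None and nxt.iface == wan_if and nxt.direction == "out"
                  and nxt.is_gre and nxt.src == local_gw and nxt.dst == remote_gw)
            if not ok:
                findings.append(f"{p.ts}: {p.src}->{p.dst} left {tunnel_if} without a GRE "
                                f"{local_gw}->{remote_gw} packet on {wan_if}")
        # Ingress: GRE arriving on the WAN must come from the configured peer and
        # must be decapsulated onto the tunnel interface.
        if p.iface == wan_if and p.direction == "in" and p.is_gre:
            if p.src != remote_gw or p.dst != local_gw:
                findings.append(f"{p.ts}: GRE from unexpected peer {p.src}->{p.dst} on {wan_if}")
            if not (nxt is not None and nxt.iface == tunnel_if and nxt.direction == "in"):
                findings.append(f"{p.ts}: GRE packet on {wan_if} was not decapsulated onto {tunnel_if}")
    return findings


# Capture copied from the page's sniffer output.
PAGE_CAPTURE = """\
interfaces=[any]
filters=[icmp or proto 47]
4.236495 port16 in 192.168.111.100 -> 192.168.112.100: icmp: echo request
4.236518 tunnel1 out 192.168.111.100 -> 192.168.112.100: icmp: echo request
4.236529 port15 out 202.106.1.1 -> 202.106.2.1:  ip-proto-47 64

4.236980 port15 in 202.106.2.1 -> 202.106.1.1:  ip-proto-47 64
4.236980 tunnel1 in 192.168.112.100 -> 192.168.111.100: icmp: echo reply
4.237000 port16 out 192.168.112.100 -> 192.168.111.100: icmp: echo reply
"""

# Constructed line (not from the page): GRE from an address that is not the
# configured peer, with no decapsulated packet following it.
STRAY_CAPTURE = PAGE_CAPTURE + "5.000000 port15 in 198.51.100.9 -> 202.106.1.1:  ip-proto-47 64\n"


def audit(text: str) -> List[str]:
    # Interface names and gateway addresses are the ones from the Center FGT config on this page.
    return check_encapsulation(parse_sniffer(text), "tunnel1", "port15",
                               "202.106.1.1", "202.106.2.1")


if __name__ == "__main__":
    print("page capture:", audit(PAGE_CAPTURE) or "clean")
    for finding in audit(STRAY_CAPTURE):
        print("stray capture:", finding)
```

The check is intentionally strict about ordering (the encapsulated packet must be the very next event), which holds for a single flow on an idle box as in the page's capture; on a busy firewall you would pair packets by timestamp window rather than by adjacency.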



Running OSPF over GRE:
Center device OSPF configuration:
config router ospf
    set router-id 10.10.10.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 192.168.111.0/24
        next
        edit 2
            set prefix 10.10.10.0/24
        next
    end
end

Side-1 device OSPF configuration:
config router ospf
    set router-id 10.10.10.2
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 192.168.112.0/24
        next
        edit 2
            set prefix 10.10.10.0/24
        next
    end
end

Check the routes learned via OSPF:
Center FGT # get router info ospf  neighbor
OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.2        1   Full/ -         00:00:31    10.10.10.2      tunnel1

Side-1 FGT # get router info ospf  neighbor
OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.1        1   Full/ -         00:00:39    10.10.10.1      tunnel1

Center FGT # get router info ospf  route
C  10.10.10.1/32 [100] is directly connected, tunnel1, Area 0.0.0.0
O  10.10.10.2/32 [100] via 10.10.10.2, tunnel1, Area 0.0.0.0
C  192.168.111.0/24 [10] is directly connected, port16, Area 0.0.0.0
O  192.168.112.0/24 [110] via 10.10.10.2, tunnel1, Area 0.0.0.0

Side-1 FGT # get router info ospf route
O  10.10.10.1/32 [100] via 10.10.10.1, tunnel1, Area 0.0.0.0
C  10.10.10.2/32 [100] is directly connected, tunnel1, Area 0.0.0.0
O  192.168.111.0/24 [110] via 10.10.10.1, tunnel1, Area 0.0.0.0
C  192.168.112.0/24 [10] is directly connected, port16, Area 0.0.0.0



GRE VPN interoperability with a Cisco router:


Center firewall configuration:
1. Basic Internet access configuration:
config system interface
    edit "port1"
        set ip 202.106.1.1 255.255.255.0
        set allowaccess ping https ssh http
        set alias "WAN1"
        set role wan
    next
    edit "port2"
        set vdom "root"
        set ip 192.168.111.1 255.255.255.0
        set allowaccess ping https ssh http
        set alias "LAN"
        set role lan
    next
end

config router static
    edit 1
        set gateway 202.106.1.254
        set device "port1"
    next
end

config firewall policy
    edit 3
        set name "To-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

2. GRE tunnel configuration:
config system gre-tunnel
    edit "tunnel1"
        set interface "port1"
        set remote-gw 202.106.2.1
        set local-gw 202.106.1.1
    next
end
config system interface
    edit "tunnel1"
        set ip 10.10.10.1 255.255.255.255
        set allowaccess ping
        set remote-ip 10.10.10.2 255.255.255.0
    next
end
config router static
    edit 2
        set dst 192.168.112.0 255.255.255.0
        set device "tunnel1"
    next
end
config firewall policy
    edit 1
        set name "GRE-VPN-OUT"
        set srcintf "port2"
        set dstintf "tunnel1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "GRE-VPN-IN"
        set srcintf "tunnel1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Side-1 Cisco router configuration:
1. Basic Internet access configuration:
!
interface Ethernet0/0
ip address 202.106.2.1 255.255.255.0
ip nat outside
!
interface Ethernet0/1
ip address 192.168.112.1 255.255.255.0
ip nat inside
!
access-list 101 permit ip any any
ip nat inside source list 101 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.106.2.254

2. GRE tunnel configuration:
!
interface Tunnel1
ip address 10.10.10.2 255.255.255.0
tunnel source 202.106.2.1
tunnel destination 202.106.1.1
!
ip route 192.168.111.0 255.255.255.0 10.10.10.1

Verification:
FortiGate_BJ_Center # execute ping-options source 192.168.111.1
FortiGate_BJ_Center # execute ping 192.168.112.1
PING 192.168.112.1 (192.168.112.1): 56 data bytes
64 bytes from 192.168.112.1: icmp_seq=0 ttl=255 time=1.5 ms
64 bytes from 192.168.112.1: icmp_seq=1 ttl=255 time=1.2 ms
64 bytes from 192.168.112.1: icmp_seq=2 ttl=255 time=1.0 ms
64 bytes from 192.168.112.1: icmp_seq=3 ttl=255 time=0.9 ms
64 bytes from 192.168.112.1: icmp_seq=4 ttl=255 time=1.0 ms

--- 192.168.112.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.9/1.1/1.5 ms

FortiGate_BJ_Center # execute ping-options reset
FortiGate_BJ_Center # execute ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1): 56 data bytes
64 bytes from 10.10.10.1: icmp_seq=0 ttl=255 time=0.2 ms
64 bytes from 10.10.10.1: icmp_seq=1 ttl=255 time=0.0 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=255 time=0.0 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=255 time=0.0 ms
64 bytes from 10.10.10.1: icmp_seq=4 ttl=255 time=0.0 ms

--- 10.10.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.2 ms

FortiGate_BJ_Center # execute ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=255 time=1.2 ms
64 bytes from 10.10.10.2: icmp_seq=1 ttl=255 time=1.3 ms
64 bytes from 10.10.10.2: icmp_seq=2 ttl=255 time=1.2 ms
64 bytes from 10.10.10.2: icmp_seq=3 ttl=255 time=1.1 ms
64 bytes from 10.10.10.2: icmp_seq=4 ttl=255 time=1.2 ms

--- 10.10.10.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.1/1.2/1.3 ms
FortiGate_BJ_Center #


Cisco-Router-SH#ping 192.168.111.1 source 192.168.112.1 repeat  100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.111.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.112.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/1 ms
Cisco-Router-SH#

Cisco-Router-SH#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Cisco-Router-SH#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
Cisco-Router-SH#

Using OSPF instead of static routes:
FortiGate_BJ_Center configuration changes:
FortiGate_BJ_Center # config router static
FortiGate_BJ_Center (static) # show
config router static
    edit 1
        set gateway 202.106.1.254
        set device "port1"
    next
    edit 2
        set dst 192.168.112.0 255.255.255.0
        set device "tunnel1"
    next
end
FortiGate_BJ_Center (static) # delete 2
FortiGate_BJ_Center (static) # show
config router static
    edit 1
        set gateway 202.106.1.254
        set device "port1"
    next
end
FortiGate_BJ_Center (static) # end


config router ospf
    set router-id 10.10.10.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "tunnel1"
            set interface "tunnel1"
            set mtu-ignore enable
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.111.0 255.255.255.0
        next
    end
end


Cisco-Router-SH configuration changes:
no ip route 192.168.111.0 255.255.255.0 10.10.10.1

!
router ospf 10
network 10.10.10.0 0.0.0.255 area 0
network 192.168.112.0 0.0.0.255 area 0
!
interface Tunnel1
ip mtu 1400
ip ospf mtu-ignore
!
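The `set mtu-ignore enable` on the FortiGate ospf-interface and the `ip mtu 1400` / `ip ospf mtu-ignore` on the Cisco Tunnel1 interface exist because of GRE overhead: every inner packet gains a 20-byte outer IPv4 header plus the 4-byte base GRE header (24 bytes in total), so a 1500-byte inner packet no longer fits a 1500-byte WAN link, and because OSPF neighbors compare interface MTU during the Database Description exchange and stay stuck in ExStart when the values differ unless MTU checking is ignored. The following Python script is an added example, not code from the page or from Fortinet or Cisco: it builds and validates the outer IPv4 + base GRE (RFC 2784) header the way the tunnel does and computes the inner MTU budget. The gateway addresses are the page's tunnel endpoints; the inner packet is constructed.

```python
import socket
import struct

IPV4_HDR_LEN = 20        # outer IPv4 header without options
GRE_HDR_LEN = 4          # RFC 2784 base GRE header: 2 bytes flags/version + 2 bytes protocol type
GRE_PROTO = 47           # IP protocol number in the outer header ("ip-proto-47" in the sniffer)
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload
GRE_OVERHEAD = IPV4_HDR_LEN + GRE_HDR_LEN  # 24 bytes added to every tunnelled packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (RFC 791); 0 when verifying a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(inner: bytes, local_gw: str, remote_gw: str, ttl: int = 64) -> bytes:
    """Wrap an inner IPv4 packet: outer IPv4 (proto 47, DF set) + 4-byte GRE header + inner."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S flags, version 0, payload is IPv4
    total_len = GRE_OVERHEAD + len(inner)
    outer = struct.pack("!BBHHHBBH4s4s",
                        0x45, 0, total_len, 0, 0x4000, ttl, GRE_PROTO, 0,
                        socket.inet_aton(local_gw), socket.inet_aton(remote_gw))
    # Fill in the header checksum (bytes 10-11) once every other field is set.
    outer = outer[:10] + struct.pack("!H", ipv4_checksum(outer)) + outer[12:]
    return outer + gre + inner


def gre_decapsulate(packet: bytes):
    """Validate the outer IPv4 and GRE headers and return (src, dst, inner_packet)."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:IPV4_HDR_LEN])
    ver_ihl, total_len, proto, src, dst = fields[0], fields[2], fields[6], fields[8], fields[9]
    if ver_ihl >> 4 != 4 or proto != GRE_PROTO:
        raise ValueError("not an IPv4/GRE packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + GRE_HDR_LEN])
    if flags & 0xF000:
        raise ValueError("GRE checksum/key/sequence fields present; only the base header is handled here")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), packet[ihl + GRE_HDR_LEN:total_len]


def max_inner_mtu(wan_mtu: int = 1500) -> int:
    """Largest inner packet that still fits the WAN MTU once GRE overhead is added."""
    return wan_mtu - GRE_OVERHEAD


def fits_without_fragmentation(inner_len: int, wan_mtu: int = 1500) -> bool:
    return inner_len + GRE_OVERHEAD <= wan_mtu


if __name__ == "__main__":
    # Constructed 1400-byte inner IPv4 packet (the Cisco side's "ip mtu 1400").
    inner = bytes([0x45, 0x00]) + b"\x00" * 1398
    outer = gre_encapsulate(inner, "202.106.1.1", "202.106.2.1")
    print("outer length:", len(outer), "bytes; fits 1500 WAN:", fits_without_fragmentation(len(inner)))
    print("max inner MTU on a 1500-byte WAN:", max_inner_mtu())
    print("a 1500-byte inner packet fits:", fits_without_fragmentation(1500))
    print("decapsulated:", gre_decapsulate(outer)[:2])
```

With a 1500-byte WAN link the arithmetic gives 1476 as the true ceiling; the page's `ip mtu 1400` leaves extra headroom, which is the usual conservative choice when the path beyond the WAN interface may have a smaller MTU. The important point for OSPF is that both ends either agree on the tunnel MTU or ignore the comparison, which is what both configurations above do.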

Verification:
FortiGate_BJ_Center # get router info ospf neighbor

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
202.106.2.1       1   Full/ -         00:00:30    10.10.10.2      tunnel1


FortiGate_BJ_Center #
FortiGate_BJ_Center # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 202.106.1.254, port1
C       10.10.10.0/24 is directly connected, tunnel1
C       10.10.10.1/32 is directly connected, tunnel1
C       192.168.111.0/24 is directly connected, port2
O       192.168.112.0/24 [110/110] via 10.10.10.2, tunnel1, 00:41:10
C       202.106.1.0/24 is directly connected, port1

Cisco-Router-SH#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.1        0   FULL/  -        00:00:33    10.10.10.1      Tunnel1
Cisco-Router-SH#

Cisco-Router-SH#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 202.106.2.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 202.106.2.254
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.10.0/24 is directly connected, Tunnel1
L        10.10.10.2/32 is directly connected, Tunnel1
O     192.168.111.0/24 [110/1001] via 10.10.10.1, 00:42:03, Tunnel1
      192.168.112.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.112.0/24 is directly connected, Ethernet0/1
L        192.168.112.1/32 is directly connected, Ethernet0/1
      202.106.2.0/24 is variably subnetted, 2 subnets, 2 masks
C        202.106.2.0/24 is directly connected, Ethernet0/0
L        202.106.2.1/32 is directly connected, Ethernet0/0
Cisco-Router-SH#

Cisco-Router-SH#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
Cisco-Router-SH#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
Cisco-Router-SH#
Cisco-Router-SH#ping 192.168.111.1 source 192.168.112.1 repeat  100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.111.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.112.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/1 ms
Cisco-Router-SH#




