How to configure Linux and Network device GRE

2025-01-21 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains how to configure GRE on Linux and on network devices. It is detailed and has practical reference value, so interested readers should read it through.

Introduction and Application scenario of GRE

GRE (Generic Routing Encapsulation) is a layer-3 technology. Its main function is to encapsulate packets of other network-layer protocols, such as routing protocol traffic, voice, video and other multicast traffic, or IPv6 packets, so that they can be carried across an IP network. GRE itself provides no encryption or authentication, so it can be combined with IPsec to address the security problem of GRE.

GRE message

As shown in the figure below, GRE encapsulates layer by layer following the TCP/IP protocol stack: a new IP header is placed in front of the original IP header and the packet is then sent out. The encapsulation is performed by the Tunnel interface; when a packet passes through the Tunnel interface, the interface's encapsulation protocol is set to GRE.
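As an added illustration of the encapsulation just described (this code is not from the original article), the following Python builds an outer IPv4 header and a GRE header around an inner IPv4 packet and then reverses the process, refusing packets that do not come from the configured tunnel peer, which mirrors the intent of the iptables rule later in this article that admits only 100.1.1.1. Addresses and the payload are constructed sample values; the optional GRE key field (RFC 2890) is an assumption of this example, not something the article's configurations set.

```python
import socket
import struct

IPPROTO_GRE = 47           # outer IP protocol number for GRE
GRE_PROTO_IPV4 = 0x0800    # GRE protocol type for an IPv4 payload
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000   # checksum / key / sequence present

def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum of an IPv4 header (returns 0 when a valid checksum is already in place)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str, key=None) -> bytes:
    """What the Tunnel interface does: GRE header (optionally keyed) plus a new outer IP header in front."""
    flags = GRE_FLAG_K if key is not None else 0
    gre = struct.pack("!HH", flags, GRE_PROTO_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)            # assumed option: 4-byte key field, RFC 2890
    return build_ipv4(outer_src, outer_dst, IPPROTO_GRE, gre + inner)

def gre_decapsulate(packet: bytes, expected_peer: str) -> bytes:
    """Validate the outer header, accept only the configured peer, strip GRE and return the inner packet."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IP checksum")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    peer = socket.inet_ntoa(packet[12:16])
    if peer != expected_peer:                    # same intent as the firewall rule admitting only the peer
        raise ValueError("GRE from unexpected peer " + peer)
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007 or ptype != GRE_PROTO_IPV4:
        raise ValueError("unsupported GRE version or payload type")
    # optional fields (checksum, key, sequence) each add 4 bytes to the 4-byte base header
    gre_len = 4 + 4 * bool(flags & GRE_FLAG_C) + 4 * bool(flags & GRE_FLAG_K) + 4 * bool(flags & GRE_FLAG_S)
    return packet[ihl + gre_len:]
```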

Configuration scenario of GRE

CentOS 7.6 establishes GRE tunnel with Huawei firewall

Topology diagram

Goals

CentOS establishes a GRE tunnel with the Huawei firewall.

The intranet segment 192.168.1.0 behind the Huawei firewall reaches the Internet through CentOS via the GRE tunnel.

CentOS configures port mapping, mapping port 8080 of 192.168.1.10 to port 8080 of CentOS's public address 200.1.1.1.

Configuration

CentOS

Configure interfaces and routing

[root@CentOS ~]# vim /etc/sysconfig/network-scripts/ifcfg-tun0
DEVICE=tun0
BOOTPROTO=none
ONBOOT=yes
DEVICETYPE=tunnel
TYPE=GRE
PEER_INNER_IPADDR=172.16.1.2
PEER_OUTER_IPADDR=100.1.1.1
MY_INNER_IPADDR=172.16.1.1
MY_OUTER_IPADDR=200.1.1.1

[root@CentOS ~]# vim /etc/sysconfig/network-scripts/route-tun0
192.168.1.0/24 via 172.16.1.2

[root@CentOS ~]# ifup tun0

Iptables configuration

# install the iptables management service
[root@CentOS ~]# yum install iptables-services
# allow the peer's public address in
[root@CentOS ~]# iptables -I INPUT -s 100.1.1.1 -j ACCEPT
# configure source address translation
[root@CentOS ~]# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 200.1.1.1
# port mapping
[root@CentOS ~]# iptables -t nat -A PREROUTING -d 200.1.1.1 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:8080
# save the iptables rules
[root@CentOS ~]# service iptables save

Note that the INPUT rule above admits every protocol from 100.1.1.1; if only the tunnel is needed, restricting it to GRE with -p gre is tighter.

Enable ipv4 forwarding

[root@CentOS ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@CentOS ~]# sysctl -p

Huawei firewall

This time, take Huawei USG6300E series firewall as an example:

Configure the interface and add to the security zone

interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre
 source 100.1.1.1
 destination 200.1.1.1

# add the interface to a security zone
[USG6300E] firewall zone name tunnel
 set priority 75
 add interface Tunnel0

Configure security policy

In a real deployment the policy can be tightened, restricting source and destination addresses according to requirements.

If conditions permit, you can first set the default security policy to permit and then narrow the security policy once the tunnel is working:

security-policy
 rule name tunnel_out
  source-zone trust
  destination-zone tunnel
  action permit
 rule name tunnel_in
  source-zone tunnel
  destination-zone trust
  action permit
 # allow tunnel-to-untrust traffic
 rule name tunnel_untrust
  source-zone tunnel
  destination-zone untrust
  action permit

Configure policy routing

# policy-based route
[USG6300E] policy-based-route
 rule name PBR
  source-zone trust
  source-address 192.168.1.0 mask 255.255.255.0
  action pbr egress-interface Tunnel0

Configure No-NAT

Set the traffic to the tunnel without source address translation:

[USG6300E-policy-nat] dis th
nat-policy
 rule name SNAT
  source-zone tunnel
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action no-nat

Verification

The main testing methods are as follows:


Ping the tunnel address of the peer from CentOS or from the firewall.

From a device in the 192.168.1.0/24 segment, run traceroute to a public address and check the path taken to confirm whether traffic is forwarded through the tunnel.

Ubuntu 18 establishes GRE tunnel with Huawei router

Topology diagram

Goals

Ubuntu 18 establishes a GRE tunnel with the Huawei router.

The intranet segment 192.168.1.0 behind the Huawei router reaches the Internet through Ubuntu via the GRE tunnel.

Ubuntu configures port mapping, mapping port 8080 of 192.168.1.10 to port 8080 of Ubuntu's public address 200.1.1.1.

Configuration

Ubuntu

Netplan configuration

root@ubunt18demo:~# vim /etc/netplan/00-installer-config.yaml
network:
  version: 2
  ethernets:
    ens3:
      addresses:
        - 200.1.1.1/24
      gateway4: 200.1.1.254
      nameservers:
        addresses:
          - 114.114.114.114
  tunnels:
    tun0:
      mode: gre
      local: 200.1.1.1
      remote: 100.1.1.1
      addresses: [172.16.1.1/24]
      routes:
        - to: 192.168.1.0/24
          via: 172.16.1.2

# you can run "netplan try" first to test the configuration; if connectivity is not broken, press ENTER to confirm it
# if the SSH session to the host is interrupted, wait 120 s and the previous configuration is restored automatically
root@ubunt18demo:~# netplan try

iptables settings

ufw is Ubuntu's firewall configuration tool; underneath, it calls iptables:

# enable ufw
ufw enable
# allow SSH
ufw allow ssh
# allow incoming traffic from the GRE peer
ufw allow from 100.1.1.1/32
# configure NAT mapping
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 200.1.1.1
iptables -t nat -A PREROUTING -d 200.1.1.1 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:8080
# start ufw at boot
systemctl enable ufw

Two points to check here: ufw's default forward policy is DROP, so traffic forwarded between tun0 and ens3 must also be allowed (for example with ufw route allow rules or by changing DEFAULT_FORWARD_POLICY in /etc/default/ufw), and iptables NAT rules entered by hand are not saved by ufw, so they must be persisted separately (for example in /etc/ufw/before.rules) to survive a reboot.

Enable ipv4 forwarding:

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

Huawei router

Take the AR1200 series router as an example:

Configure the interface

interface Tunnel0/0/1
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre
 source 100.1.1.1
 destination 200.1.1.1

Configure policy routing

# configure the ACL
[AR1200] acl number 3000
[AR1200-acl-adv-3000] rule 10 permit ip destination 192.168.1.0 0.0.0.255
# configure the traffic classifier
[AR1200] traffic classifier togretunnel
[AR1200-classifier-togretunnel] if-match acl 3000
# configure the traffic behavior
[AR1200] traffic behavior togretunnel
[AR1200-behavior-togretunnel] redirect ip-nexthop 172.16.1.1
# configure the traffic policy
[AR1200] traffic policy togretunnel
[AR1200-trafficpolicy-togretunnel] classifier togretunnel behavior togretunnel
# apply the traffic policy on the internal network port
[AR1200] interface gigabitethernet 1/0/1
[AR1200-GigabitEthernet1/0/1] traffic-policy togretunnel inbound

Verification

The verification method is consistent with the GRE tunnel established by CentOS and Huawei firewall.

GRE configuration of Juniper SRX Firewall

If a routing-instance is used on the SRX firewall's egress interface, be sure to add the routing-instance destination when configuring the tunnel interface, as shown below:

set interfaces gr-0/0/0 unit 0 tunnel source 100.1.1.1
set interfaces gr-0/0/0 unit 0 tunnel destination 200.1.1.1
set interfaces gr-0/0/0 unit 0 tunnel routing-instance destination EXAMPLE-INSTANCE
set interfaces gr-0/0/0 unit 0 family inet address 172.16.1.2/24

In addition, policy routing is called FBF (filter-based forwarding) on SRX; a configuration example, including No-NAT, is as follows:

# configure a firewall filter matching the traffic that needs to enter the tunnel
set firewall filter to-GreTunnel term 1 from source-address 192.168.1.0/24
set firewall filter to-GreTunnel term 1 then routing-instance EXAMPLE-INSTANCE
set firewall filter to-GreTunnel term 3 then accept
set routing-options rib-groups global import-rib EXAMPLE-INSTANCE.inet.0
# configure the route
set routing-instances EXAMPLE-INSTANCE instance-type forwarding
set routing-instances EXAMPLE-INSTANCE routing-options interface-routes rib-group inet global
set routing-instances EXAMPLE-INSTANCE routing-options static route 0.0.0.0/0 next-hop 172.16.1.1
# apply the firewall filter
set interfaces reth3 unit 0 family inet filter input to-GreTunnel
# no SNAT toward the tunnel interface
set security nat source rule-set Gre-snat from zone Trust
set security nat source rule-set Gre-snat to zone EXAMPLE-INSTANCE
set security nat source rule-set Gre-snat rule to-cn2-no-nat match source-address 192.168.1.0/24
set security nat source rule-set Gre-snat rule to-cn2-no-nat match destination-address 0.0.0.0/0
set security nat source rule-set Gre-snat rule to-cn2-no-nat then source-nat off

Policy routing of CentOS

If Linux is used as a transit point, that is, the Huawei firewall establishes a GRE tunnel with Linux, Linux establishes another GRE tunnel with a further device, and Linux forwards the traffic between them, policy routing can be configured on Linux as shown below:

# temporary configuration, lost after a reboot; useful for debugging
ip rule add from 192.168.1.0/24 table 100 pref 10
ip route add 0.0.0.0/0 table 100 via 200.1.1.254
# persist the configuration
vim /etc/sysconfig/network-scripts/rule-eth0
from 192.168.1.0/24 table 100 pref 10
vim /etc/sysconfig/network-scripts/route-eth0
default via 172.16.1.1 dev tun0
# verification commands
ip rule show
ip route show table 100

That is the entire content of the article "How to configure Linux and Network device GRE". Thank you for reading! I hope the content shared helps you; for more related knowledge, follow the industry information channel.
