华为GRE隧道两端采用静态路由方式将流量引导到GRE隧道的配置方法

　　网络拓扑图
　　网络拓扑图组网需求
　　FW1和FW2通过Internet相连，两者公网路由可达。网络1和网络2是两个私有的IP网络，通过在两台FW之间建立GRE隧道实现两个私有IP网络互联 配置思路在FW1和FW2上分别创建一个Tunnel接口 在Tunnel接口中指定隧道的源IP地址和目的IP等封装参数 配置静态路由，将出接口指定为本设备的Tunnel接口 该路由的作用是将需要经过GRE隧道传输的流量引入到GRE隧道中 配置安全策略，允许GRE隧道的建立和流量的转发 操作步骤配置internet设备
　　a）配置接口的IP地址 [internet]inter g0/0/1 [internet-GigabitEthernet0/0/1]ip add 1.1.1.1 29 [internet-GigabitEthernet0/0/1]quit [internet]inter g0/0/2 [internet-GigabitEthernet0/0/2]ip add 2.2.2.1 29 [internet-GigabitEthernet0/0/2]quit配置FW1设备
　　a）配置接口IP地址 [FW1]inter g1/0/0 [FW1-GigabitEthernet1/0/0]ip add 1.1.1.2 29 [FW1-GigabitEthernet1/0/0]quit [FW1]inter g1/0/6 [FW1-GigabitEthernet1/0/6]ip add 10.1.1.1 24 [FW1-GigabitEthernet1/0/6]quit [FW1]inter Tunnel 1 [FW1-Tunnel1]ip add 172.16.1.1 30 [FW1-Tunnel1]quit
　　b）将接口加入安全区域 [FW1]firewall zone untrust  [FW1-zone-untrust]add inter g1/0/0 [FW1-zone-untrust]quit [FW1]firewall zone trust  [FW1-zone-trust]add inter g1/0/6 [FW1-zone-trust]quit [FW1]firewall zone dmz  [FW1-zone-dmz]add inter Tunnel 1 [FW1-zone-dmz]quit
　　c）配置Tunnel接口的封装参数 [FW1]inter Tunnel 1 [FW1-Tunnel1]tunnel-protocol gre [FW1-Tunnel1]source 1.1.1.2 [FW1-Tunnel1]destination 2.2.2.2 [FW1-Tunnel1]gre key cipher 123456789 [FW1-Tunnel1]quit
　　d）配置路由，将需要经过GRE隧道传输的流量引入到GRE隧道中 [FW1]ip route-static 10.1.2.0 24 Tunnel 1
　　e）配置默认路由 [FW1]ip route-static 0.0.0.0 0.0.0.0 g1/0/0 1.1.1.1
　　f）配置域间安全策略
　　配置Trust域和DMZ的域间安全策略，允许封装前的报文通过域间安全策略 [FW1-policy-security]rule name policy1 [FW1-policy-security-rule-policy1]source-zone trust dmz [FW1-policy-security-rule-policy1]destination-zone dmz trust [FW1-policy-security-rule-policy1]act per [FW1-policy-security-rule-policy1]quit
　　配置Local和Untrust的域间安全策略，允许封装后的GRE报文通过域间安全策略 [FW1-policy-security]rule name policy2 [FW1-policy-security-rule-policy2]source-zone local untrust [FW1-policy-security-rule-policy2]destination-zone untrust local [FW1-policy-security-rule-policy2]service gre [FW1-policy-security-rule-policy2]act per [FW1-policy-security-rule-policy2]quit配置FW2设备
　　a）配置接口IP地址 [FW2]inter g1/0/0 [FW2-GigabitEthernet1/0/0]ip add 2.2.2.2 29 [FW2-GigabitEthernet1/0/0]quit [FW2]inter g1/0/6 [FW2-GigabitEthernet1/0/6]ip add 10.1.2.1 24 [FW2-GigabitEthernet1/0/6]quit [FW2]inter Tunnel 1 [FW2-Tunnel1]ip add 172.16.1.2 30 [FW2-Tunnel1]quit
　　b）将接口加入安全区域 [FW2]firewall zone untrust  [FW2-zone-untrust]add inter g1/0/0 [FW2-zone-untrust]quit [FW2]firewall zone trust  [FW2-zone-trust]add inter g1/0/6 [FW2-zone-trust]quit [FW2]firewall zone dmz [FW2-zone-dmz]add inter Tunnel 1 [FW2-zone-dmz]quit
　　c）配置Tunnel接口的封装参数 [FW2]inter Tunnel 1 [FW2-Tunnel1]tunnel-protocol gre [FW2-Tunnel1]source 2.2.2.2 [FW2-Tunnel1]destination 1.1.1.2 [FW2-Tunnel1]gre key cipher 123456789 [FW2-Tunnel1]quit
　　d）配置路由，将需要经过GRE隧道传输的流量引入到GRE隧道中 [FW2]ip route-static 10.1.1.0 24 Tunnel 1
　　e）配置默认路由 [FW2]ip route-static 0.0.0.0 0.0.0.0 g1/0/0 2.2.2.1
　　f）配置域间安全策略
　　配置Trust域和DMZ的域间安全策略，允许封装前的报文通过域间安全策略 [FW2-policy-security]rule name policy1 [FW2-policy-security-rule-policy1]source-zone trust dmz [FW2-policy-security-rule-policy1]destination-zone dmz trust [FW2-policy-security-rule-policy1]act per [FW2-policy-security-rule-policy1]quit
　　配置Local和Untrust的域间安全策略，允许封装后的GRE报文通过域间安全策略 [FW2-policy-security]rule name policy2 [FW2-policy-security-rule-policy2]source-zone local untrust [FW2-policy-security-rule-policy2]destination-zone untrust local [FW2-policy-security-rule-policy2]service gre [FW2-policy-security-rule-policy2]act per [FW2-policy-security-rule-policy2]quit结果验证
　　a)PC1和PC2能够互相ping通
　　PC1能够ping通PC2
　　PC2能够ping通PC1
　　b）在FW1使用display ip routing-table命令查看路由表，可以看到10.1.2.0的网段出口为Tunnel 1 dis ip routing-table  2022-11-28 09:17:42.420  Route Flags: R - relay, D - download to fib ------------------------------------------------------------------------------ Routing Tables: Public          Destinations : 10       Routes : 10         Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface          0.0.0.0/0   Static  60   0           D   1.1.1.1         GigabitEthernet1/0/0         1.1.1.0/29  Direct  0    0           D   1.1.1.2         GigabitEthernet1/0/0         1.1.1.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0        10.1.1.0/24  Direct  0    0           D   10.1.1.1        GigabitEthernet1/0/6        10.1.1.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/6        10.1.2.0/24  Static  60   0           D   172.16.1.1      Tunnel1       127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0       127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0      172.16.1.0/30  Direct  0    0           D   172.16.1.1      Tunnel1      172.16.1.1/32  Direct  0    0           D   127.0.0.1       Tunnel1
　　c）在FW2使用display ip routing-table命令查看路由表，可以看到10.1.1.0的网段出口为Tunnel 1 [FW2]dis ip routing-table  2022-11-28 09:26:24.870  Route Flags: R - relay, D - download to fib ------------------------------------------------------------------------------ Routing Tables: Public          Destinations : 10       Routes : 10         Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface          0.0.0.0/0   Static  60   0           D   2.2.2.1         GigabitEthernet1/0/0         2.2.2.0/29  Direct  0    0           D   2.2.2.2         GigabitEthernet1/0/0         2.2.2.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0        10.1.1.0/24  Static  60   0           D   172.16.1.2      Tunnel1        10.1.2.0/24  Direct  0    0           D   10.1.2.1        GigabitEthernet1/0/6        10.1.2.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/6       127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0       127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0      172.16.1.0/30  Direct  0    0           D   172.16.1.2      Tunnel1      172.16.1.2/32  Direct  0    0           D   127.0.0.1       Tunnel1