某局点F1070建立了GRE OVER IPSC，但是内网资源无法互通

组网如图：

VPN1与VPN2建立GRE OVER IPSEC，VPN1与VPN2的GRE的tunnel地址分别为10.0.0.1与10.0.0.2，隧道源目地址分别为11.11.11.11与22.22.22.22，内网分别使用Loopback10与loopback20代替，GRE保护的内网地址通过OSPF打通，建立IPSEC的公网地址通过静态路由打通

不涉及

问题描述：

现场IPSEC隧道已经建立，但是VPN1与VPN2的LOOPBAKC地址无法互通

[VPN1]ping -a 1.1.1.1 2.2.2.2

Ping 2.2.2.2 (2.2.2.2) from 1.1.1.1: 56 data bytes, press CTRL+C to break

Request time out

Request time out

Request time out

Request time out

Request time out

[H3C]dis ipsec sa

-------------------------------

Interface: GigabitEthernet0/0

-------------------------------

  -----------------------------

  IPsec policy: vpn

  Sequence number: 1

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Transmitting entity: Initiator

    Path MTU: 1428

    Tunnel:

        local  address: 202.0.0.1

        remote address: 203.0.0.1

    Flow:

        sour addr: 11.11.11.11/255.255.255.255  port: 0  protocol: ip

        dest addr: 22.22.22.22/255.255.255.255  port: 0  protocol: ip

问题分析：

排查分析发现以tunnel口建立的OSPF邻居一直在down与full之间震荡，查看VPN1的配置，发现VPN1的OSPF将202.0.0.1公网地址network了，

ospf 1

 area 0.0.0.0

  network 1.1.1.1 0.0.0.0

  network 3.3.3.3 0.0.0.0

  network 10.0.0.0 0.0.0.3

  network 202.0.0.1 0.0.0.0

具体分析如下：

当OSPF邻居down的时候，HELLO报文封装IPSEC公网头，通过默认路由发出，但是当OSPF邻居建立之后，因为202.0.0.1被宣告了，所以该地址也要封装，封装之后还是202.0.0.1，然后再走封装，如此无线循环封装

[H3C]%Apr 11 16:23:53:008 2022 H3C IFNET/5/LINK_UPDOWN: Line protocol state on the interface Tunnel0 changed to down.

%Apr 11 16:23:53:010 2022 H3C OSPF/5/OSPF_NBR_CHG: OSPF 1 Neighbor 10.0.0.2(Tunnel0) changed from FULL to DOWN.

[H3C]

[H3C]%Apr 11 16:24:03:012 2022 H3C IFNET/5/LINK_UPDOWN: Line protocol state on the interface Tunnel0 changed to up.

%Apr 11 16:24:03:031 2022 H3C OSPF/5/OSPF_NBR_CHG: OSPF 1 Neighbor 10.0.0.2(Tunnel0) changed from LOADING to FULL.

解决方案：

在VPN1设备的OSPF中，将VPN1的公网202.0.0.1不进行宣告，此时VPN1的Loopbakc地址就能ping通VPN2设备的loobpack地址了

[VPN1-ospf-1-area-0.0.0.0]undo network  202.0.0.1 0.0.0.0

[VPN1]ping -a 1.1.1.1 2.2.2.2

Ping 2.2.2.2 (2.2.2.2) from 1.1.1.1: 56 data bytes, press CTRL+C to break

56 bytes from 2.2.2.2: icmp_seq=0 ttl=255 time=2.000 ms

56 bytes from 2.2.2.2: icmp_seq=1 ttl=255 time=2.000 ms

56 bytes from 2.2.2.2: icmp_seq=2 ttl=255 time=3.000 ms

56 bytes from 2.2.2.2: icmp_seq=3 ttl=255 time=3.000 ms

56 bytes from 2.2.2.2: icmp_seq=4 ttl=255 time=2.000 ms