GRE over IPsec *** configuration
(1) Configure IP addresses and default routes:
center:
#
interface LoopBack0
ip address 172.16.1.1 255.255.255.255
#
interface GigabitEthernet0/0/0
port link-mode route
ip address 61.67.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 61.67.1.1
#
ISP:
#
interface GigabitEthernet0/0/0
ip address 202.112.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 61.67.1.1 255.255.255.0
#
branch-1:
#
interface LoopBack0
ip address 192.168.1.1 255.255.255.255
#
interface GigabitEthernet0/0/1
ip address 202.112.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 202.112.1.1
#
branch-2:
#
interface LoopBack0
ip address 192.168.2.1 255.255.255.255
#
interface GigabitEthernet0/0/0
ip address 202.112.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 202.112.2.1
#
(2) Define the traffic to protect (ACLs):
center:
#
acl number 3000
rule 0 permit ip source 61.67.1.2 0 destination 202.112.1.2 0
acl number 3001
rule 0 permit ip source 61.67.1.2 0 destination 202.112.2.2 0
#
branch-1:
#
acl number 3000
rule 0 permit ip source 202.112.1.2 0 destination 61.67.1.2 0
#
branch-2:
#
acl number 3000
rule 0 permit ip source 202.112.2.2 0 destination 61.67.1.2 0
#
(3) Configure the IPsec proposal, create the GRE tunnels, create the IKE peers, and configure the IPsec policy:
center:
#
ike peer branch-1
pre-shared-key simple h3c
remote-address 202.112.1.2
#
ike peer branch-2
pre-shared-key simple h3c
remote-address 202.112.2.2
#
ipsec proposal 123
#
ipsec policy h3c 10 isakmp
security acl 3000
ike-peer branch-1
proposal 123
#
ipsec policy h3c 20 isakmp
security acl 3001
ike-peer branch-2
proposal 123
#
interface Tunnel0
ip address 10.13.1.1 255.255.255.0
source 61.67.1.2
destination 202.112.1.2
keepalive 10 3
#
interface Tunnel1
ip address 10.14.1.1 255.255.255.0
source 61.67.1.2
destination 202.112.2.2
keepalive 10 3
#
branch-1:
#
ike peer center
pre-shared-key simple h3c
remote-address 61.67.1.2
#
ipsec proposal 123
#
ipsec policy h3c 10 isakmp
security acl 3000
ike-peer center
proposal 123
#
interface Tunnel0
ip address 10.13.1.2 255.255.255.0
source 202.112.1.2
destination 61.67.1.2
keepalive 10 3
#
branch-2:
#
ike peer center
pre-shared-key simple h3c
remote-address 61.67.1.2
#
ipsec proposal 123
#
ipsec policy h3c 10 isakmp
security acl 3000
ike-peer center
proposal 123
#
interface Tunnel1
ip address 10.14.1.2 255.255.255.0
source 202.112.2.2
destination 61.67.1.2
keepalive 10 3
#
(4) Run the routing protocol:
center:
#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 10.13.1.0 0.0.0.255
network 10.14.1.0 0.0.0.255
#
branch-1:
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 10.13.1.0 0.0.0.255
#
branch-2:
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 10.14.1.0 0.0.0.255
#
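The four steps above form one procedure, and the part that makes it "GRE over IPsec" rather than plain GRE fails silently when it is wrong: the ACL referenced by each ipsec policy entry must match the GRE tunnel's outer source and destination (the public addresses 61.67.1.2 and 202.112.x.2, not the 10.x tunnel subnets or the loopbacks), the ike-peer of that entry must point at the tunnel destination, and the policy must be bound to the physical interface that owns the tunnel source. If the ACL does not match or the policy is not bound, OSPF and the pings still work, because GRE alone carries the traffic, only unencrypted. The script below is an added example, not part of the original post and not an H3C tool: it parses a Comware V5 style configuration in the '#'-separated layout shown on this page and checks those three relationships, and it also flags the two weak settings visible in this configuration, pre-shared-key simple (the key is stored in plaintext) and an ipsec proposal with no explicit algorithms (so the platform defaults apply). The sample configuration is constructed from the branch-1 half of the page's center router; the function names are my own.

```python
import re

# Constructed sample: the branch-1 half of the page's "center" router,
# cut down to the blocks the audit reads.
SAMPLE_CONFIG = """
#
acl number 3000
rule 0 permit ip source 61.67.1.2 0 destination 202.112.1.2 0
#
ike peer branch-1
pre-shared-key simple h3c
remote-address 202.112.1.2
#
ipsec proposal 123
#
ipsec policy h3c 10 isakmp
security acl 3000
ike-peer branch-1
proposal 123
#
interface GigabitEthernet0/0/0
ip address 61.67.1.2 255.255.255.0
ipsec policy h3c
#
interface Tunnel0
source 61.67.1.2
destination 202.112.1.2
#
"""

TOP_LEVEL = ("acl number ", "ike peer ", "ipsec policy ", "ipsec proposal ", "interface ")
RULE_RE = re.compile(r"rule \d+ permit ip source (\S+) 0 destination (\S+) 0$")


def parse_blocks(config):
    """Return [(header, body_lines)]. '#' closes a block; Comware prints
    consecutive ACLs without a '#', so 'acl number' also opens a new block."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#" or line.startswith("acl number ") or (
                header is None and line.startswith(TOP_LEVEL)):
            if header is not None:
                blocks.append((header, body))
            header, body = (None if line == "#" else line), []
        elif header is not None:
            body.append(line)
    if header is not None:
        blocks.append((header, body))
    return blocks


def build_model(config):
    """Index ACL host pairs, IKE peers, policy entries, proposals, interface
    addresses (with the policy bound on them) and GRE tunnel endpoints."""
    m = {"acl": {}, "peer": {}, "policy": {}, "proposal": {}, "iface": {}, "tunnel": {}}
    for header, body in parse_blocks(config):
        w = header.split()
        kv = {l.split()[0]: l.split()[1:] for l in body}  # first word -> rest
        if w[0] == "acl":
            m["acl"][w[2]] = [r.groups() for r in map(RULE_RE.match, body) if r]
        elif w[0] == "ike":
            m["peer"][w[2]] = {"remote": kv.get("remote-address", [None])[0],
                               "psk": kv.get("pre-shared-key", [None])[0]}
        elif w[:2] == ["ipsec", "policy"]:
            m["policy"].setdefault(w[2], []).append(
                {"acl": kv.get("security", [None, None])[1],
                 "peer": kv.get("ike-peer", [None])[0]})
        elif w[:2] == ["ipsec", "proposal"]:
            m["proposal"][w[2]] = body
        elif w[1].startswith("Tunnel"):
            m["tunnel"][w[1]] = (kv.get("source", [None])[0],
                                 kv.get("destination", [None])[0])
        elif "ip" in kv:  # physical interface: address -> (name, bound policy or None)
            m["iface"][kv["ip"][1]] = (w[1], kv.get("ipsec", [None, None])[1])
    return m


def audit(config):
    """Return findings; an empty list means every GRE tunnel's outer packets are
    matched by an IPsec policy entry bound to the tunnel's egress interface."""
    m, out = build_model(config), []
    for tun, (src, dst) in m["tunnel"].items():
        iface, pol = m["iface"].get(src, (None, None))
        hits = [e for e in m["policy"].get(pol, []) if (src, dst) in m["acl"].get(e["acl"], [])]
        if iface is None:
            out.append(f"{tun}: source {src} is not configured on any interface")
        elif pol is None:
            out.append(f"{tun}: {iface} has no ipsec policy bound, GRE leaves in clear")
        elif not hits:
            out.append(f"{tun}: no entry of policy {pol} has an ACL rule for {src} -> {dst}")
        for e in hits:  # the matching entry must also negotiate with the tunnel's far end
            remote = m["peer"].get(e["peer"], {}).get("remote")
            if remote != dst:
                out.append(f"{tun}: ike-peer {e['peer']} remote-address {remote} != {dst}")
    for name, p in m["peer"].items():
        if p["psk"] == "simple":
            out.append(f"ike peer {name}: pre-shared-key stored in plaintext (simple)")
    for name, body in m["proposal"].items():
        if not any(l.startswith(("transform", "esp ", "ah ")) for l in body):
            out.append(f"ipsec proposal {name}: no explicit algorithms, platform defaults apply")
    return out
```

Run audit() on the output of display current-configuration from each router (the page's branch-1 and branch-2 dumps parse the same way). On the configuration shown here the tunnel checks pass and the only findings are the plaintext pre-shared keys and the empty proposal; removing the ipsec policy h3c line from GigabitEthernet0/0/0, mistyping the ACL destination, or pointing the ike peer at another address each produces a Tunnel0 finding.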
Verification:
<center>dis ike sa
total phase-1 SAs: 2
connection-id peer flag phase doi
----------------------------------------------------------
3 202.112.1.2 RD 1 IPSEC
6 202.112.2.2 RD|ST 1 IPSEC
5 202.112.1.2 RD 2 IPSEC
7 202.112.2.2 RD|ST 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
<branch-1>dis ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
1 61.67.1.2 RD|ST 1 IPSEC
2 61.67.1.2 RD|ST 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
<branch-2>dis ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
1 61.67.1.2 RD 1 IPSEC
2 61.67.1.2 RD 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
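display ike sa is the first thing to read when the tunnel interface is up but traffic is not flowing: a phase 1 SA in RD state shows the peer authenticated with the pre-shared key, and a phase 2 SA in RD state shows the ACL and proposal matched on both sides, which is exactly what the three outputs above show for every peer. The parser below is an added example, not part of the original post: it turns that output into a per-peer report so the check can be scripted across many branches. The sample text is the page's center output, embedded as a constructed string; the function names are my own.

```python
import re

# Constructed sample: the page's "dis ike sa" output on the center router.
CENTER_IKE_SA = """\
total phase-1 SAs: 2
connection-id peer flag phase doi
----------------------------------------------------------
3 202.112.1.2 RD 1 IPSEC
6 202.112.2.2 RD|ST 1 IPSEC
5 202.112.1.2 RD 2 IPSEC
7 202.112.2.2 RD|ST 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
"""

# connection-id, peer address, flags, phase, doi
ROW_RE = re.compile(r"^(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+([12])\s+(\S+)$")


def parse_ike_sa(text):
    """Return {peer: {phase: set(flags)}} from the table rows of 'display ike sa'."""
    sas = {}
    for line in text.splitlines():
        row = ROW_RE.match(line.strip())
        if row:
            _cid, peer, flags, phase, _doi = row.groups()
            sas.setdefault(peer, {}).setdefault(int(phase), set()).update(flags.split("|"))
    return sas


def check_peers(text, expected_peers):
    """For each peer we expect a tunnel to, say whether the IKE (phase 1) and
    IPsec (phase 2) SAs exist and are READY, and whether STAYALIVE is set."""
    sas = parse_ike_sa(text)
    report = {}
    for peer in expected_peers:
        phases = sas.get(peer, {})
        report[peer] = {
            "phase1_ready": "RD" in phases.get(1, set()),
            "phase2_ready": "RD" in phases.get(2, set()),
            "stayalive": "ST" in phases.get(1, set()),
        }
    return report
```

Reading the report: phase 1 READY but no phase 2 SA points at the ACL or proposal not mirroring between the two routers; no phase 1 SA at all points at the pre-shared key or at the peer address being unreachable. A peer that is in the expected list but absent from the output is reported with all three fields False rather than being skipped.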
Test results:
<branch-1>ping -a 192.168.1.1 172.16.1.1
PING 172.16.1.1: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.1: bytes=56 Sequence=1 ttl=255 time=4 ms
Reply from 172.16.1.1: bytes=56 Sequence=2 ttl=255 time=20 ms
Reply from 172.16.1.1: bytes=56 Sequence=3 ttl=255 time=15 ms
Reply from 172.16.1.1: bytes=56 Sequence=4 ttl=255 time=20 ms
Reply from 172.16.1.1: bytes=56 Sequence=5 ttl=255 time=15 ms
--- 172.16.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/14/20 ms
<branch-2>ping -a 192.168.2.1 172.16.1.1
PING 172.16.1.1: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.1: bytes=56 Sequence=1 ttl=255 time=26 ms
Reply from 172.16.1.1: bytes=56 Sequence=2 ttl=255 time=5 ms
Reply from 172.16.1.1: bytes=56 Sequence=3 ttl=255 time=26 ms
Request time out
Reply from 172.16.1.1: bytes=56 Sequence=5 ttl=255 time=26 ms
--- 172.16.1.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 5/20/26 ms
Full configuration:
[center]dis cu
#
version 5.20, Release LITO
#
sysname center
#
undo voice vlan mac-address 00e0-bb00-0000
#
domain default enable system
#
sysnetid center
#
rpr mac-address timer aging 100
#
acl number 3000
rule 0 permit ip source 61.67.1.2 0 destination 202.112.1.2 0
acl number 3001
rule 0 permit ip source 61.67.1.2 0 destination 202.112.2.2 0
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
ike peer branch-1
pre-shared-key simple h3c
remote-address 202.112.1.2
#
ike peer branch-2
pre-shared-key simple h3c
remote-address 202.112.2.2
#
ipsec proposal 123
#
ipsec policy h3c 10 isakmp
security acl 3000
ike-peer branch-1
proposal 123
#
ipsec policy h3c 20 isakmp
security acl 3001
ike-peer branch-2
proposal 123
#
user-group system
#
wlan rrm
dot11a mandatory-rate 6 12 24
dot11a supported-rate 9 18 36 48 54
dot11b mandatory-rate 1 2
dot11b supported-rate 5.5 11
dot11g mandatory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
#
attack-defense policy 1
#
interface Serial0/1/0
link-protocol ppp
#
interface Serial0/1/1
link-protocol ppp
#
interface Serial0/1/2
link-protocol ppp
#
interface Serial0/1/3
link-protocol ppp
#
interface NULL0
#
interface LoopBack0
ip address 172.16.1.1 255.255.255.255
#
interface Ethernet0/4/0
port link-mode bridge
#
interface Ethernet0/4/1
port link-mode bridge
#
interface Ethernet0/4/2
port link-mode bridge
#
interface Ethernet0/4/3
port link-mode bridge
#
interface Ethernet0/4/4
port link-mode bridge
#
interface Ethernet0/4/5
port link-mode bridge
#
interface Ethernet0/4/6
port link-mode bridge
#
interface Ethernet0/4/7
port link-mode bridge
#
interface GigabitEthernet0/0/0
port link-mode route
ip address 61.67.1.2 255.255.255.0
ipsec policy h3c
#
interface GigabitEthernet0/0/1
port link-mode route
#
interface GigabitEthernet0/0/2
port link-mode route
#
interface GigabitEthernet0/0/3
port link-mode route
#
interface Tunnel0
ip address 10.13.1.1 255.255.255.0
source 61.67.1.2
destination 202.112.1.2
keepalive 10 3
#
interface Tunnel1
ip address 10.14.1.1 255.255.255.0
source 61.67.1.2
destination 202.112.2.2
keepalive 10 3
#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 10.13.1.0 0.0.0.255
network 10.14.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 61.67.1.1
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
<ISP>dis cu
#
version 5.20, Release LITO
#
sysname ISP
#
undo voice vlan mac-address 00e0-bb00-0000
#
domain default enable system
#
rpr mac-address timer aging 100
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
wlan rrm
dot11a mandatory-rate 6 12 24
dot11a supported-rate 9 18 36 48 54
dot11b mandatory-rate 1 2
dot11b supported-rate 5.5 11
dot11g mandatory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
#
attack-defense policy 1
#
interface Serial0/1/0
link-protocol ppp
#
interface Serial0/1/1
link-protocol ppp
#
interface Serial0/1/2
link-protocol ppp
#
interface Serial0/1/3
link-protocol ppp
#
interface NULL0
#
interface Ethernet0/4/0
port link-mode bridge
#
interface Ethernet0/4/1
port link-mode bridge
#
interface Ethernet0/4/2
port link-mode bridge
#
interface Ethernet0/4/3
port link-mode bridge
#
interface Ethernet0/4/4
port link-mode bridge
#
interface Ethernet0/4/5
port link-mode bridge
#
interface Ethernet0/4/6
port link-mode bridge
#
interface Ethernet0/4/7
port link-mode bridge
#
interface GigabitEthernet0/0/0
port link-mode route
ip address 202.112.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-mode route
ip address 61.67.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-mode route
ip address 202.112.2.1 255.255.255.0
#
interface GigabitEthernet0/0/3
port link-mode route
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
<branch-1>dis cu
#
version 5.20, Release LITO
#
sysname branch-1
#
undo voice vlan mac-address 00e0-bb00-0000
#
domain default enable system
#
rpr mac-address timer aging 100
#
acl number 3000
rule 0 permit ip source 202.112.1.2 0 destination 61.67.1.2 0
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
ike peer center
pre-shared-key simple h3c
remote-address 61.67.1.2
#
ipsec proposal 123
#
ipsec policy h3c 10 isakmp
security acl 3000
ike-peer center
proposal 123
#
user-group system
#
wlan rrm
dot11a mandatory-rate 6 12 24
dot11a supported-rate 9 18 36 48 54
dot11b mandatory-rate 1 2
dot11b supported-rate 5.5 11
dot11g mandatory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
#
attack-defense policy 1
#
interface Serial0/1/0
link-protocol ppp
#
interface Serial0/1/1
link-protocol ppp
#
interface Serial0/1/2
link-protocol ppp
#
interface Serial0/1/3
link-protocol ppp
#
interface NULL0
#
interface LoopBack0
ip address 192.168.1.1 255.255.255.255
#
interface Ethernet0/4/0
port link-mode bridge
#
interface Ethernet0/4/1
port link-mode bridge
#
interface Ethernet0/4/2
port link-mode bridge
#
interface Ethernet0/4/3
port link-mode bridge
#
interface Ethernet0/4/4
port link-mode bridge
#
interface Ethernet0/4/5
port link-mode bridge
#
interface Ethernet0/4/6
port link-mode bridge
#
interface Ethernet0/4/7
port link-mode bridge
#
interface GigabitEthernet0/0/0
port link-mode route
#
interface GigabitEthernet0/0/1
port link-mode route
ip address 202.112.1.2 255.255.255.0
ipsec policy h3c
#
interface GigabitEthernet0/0/2
port link-mode route
#
interface GigabitEthernet0/0/3
port link-mode route
#
interface Tunnel0
ip address 10.13.1.2 255.255.255.0
source 202.112.1.2
destination 61.67.1.2
keepalive 10 3
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 10.13.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.112.1.1
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
<branch-2>dis cu
#
version 5.20, Release LITO
#
sysname branch-2
#
undo voice vlan mac-address 00e0-bb00-0000
#
domain default enable system
#
rpr mac-address timer aging 100
#
acl number 3000
rule 0 permit ip source 202.112.2.2 0 destination 61.67.1.2 0
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
ike peer center
pre-shared-key simple h3c
remote-address 61.67.1.2
#
ipsec proposal 123
#
ipsec policy h3c 10 isakmp
security acl 3000
ike-peer center
proposal 123
#
user-group system
#
wlan rrm
dot11a mandatory-rate 6 12 24
dot11a supported-rate 9 18 36 48 54
dot11b mandatory-rate 1 2
dot11b supported-rate 5.5 11
dot11g mandatory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
#
attack-defense policy 1
#
interface Serial0/1/0
link-protocol ppp
#
interface Serial0/1/1
link-protocol ppp
#
interface Serial0/1/2
link-protocol ppp
#
interface Serial0/1/3
link-protocol ppp
#
interface NULL0
#
interface LoopBack0
ip address 192.168.2.1 255.255.255.255
#
interface Ethernet0/4/0
port link-mode bridge
#
interface Ethernet0/4/1
port link-mode bridge
#
interface Ethernet0/4/2
port link-mode bridge
#
interface Ethernet0/4/3
port link-mode bridge
#
interface Ethernet0/4/4
port link-mode bridge
#
interface Ethernet0/4/5
port link-mode bridge
#
interface Ethernet0/4/6
port link-mode bridge
#
interface Ethernet0/4/7
port link-mode bridge
#
interface GigabitEthernet0/0/0
port link-mode route
ip address 202.112.2.2 255.255.255.0
ipsec policy h3c
#
interface GigabitEthernet0/0/1
port link-mode route
#
interface GigabitEthernet0/0/2
port link-mode route
#
interface GigabitEthernet0/0/3
port link-mode route
#
interface Tunnel1
ip address 10.14.1.2 255.255.255.0
source 202.112.2.2
destination 61.67.1.2
keepalive 10 3
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 10.14.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.112.2.1
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
Reposted from: https://blog.51cto.com/naturalvolume/1542220