13-H3C MSR Series Routers: Mobile Communication Modem Management Configuration Examples
H3C MSR Series Routers
Mobile Communication Modem Management Configuration Examples
Copyright © 2024 H3C. All rights reserved.
Applies to MSR centralized and MSR distributed products running R6728P13 and later.
As shown in Figure 1, Router A has a 5G modem module. Users access the 5G network through DDR automatic periodic dialing and keep a permanently online connection. Requirements:
· On Router A, channelize Ethernet channel interface Eth-channel1/0:0 from the Cellular1/0 interface, use it as the DDR dial interface, and obtain the carrier-assigned IP address through the modem's proprietary protocol.
· Configure traditional DDR dialing on Router A. The dial string depends on the carrier; in mainland China, China Mobile and China Unicom typically use *99#, and China Telecom uses #777.
· Configure a dynamic access point in the APN profile on Router A; the access point name is assigned by the carrier during dial negotiation.
· Router A's subnet is 192.168.1.0/24, and only IPv4 packets trigger DDR dialing.
Figure 1 Network diagram for 5G modem dial-up Internet access
With an ordinary 5G SIM card, configuring a dynamic access point in the 5G modem APN profile is enough for the router to attach to the 5G network. With a 5G IoT card or a VPDN-dedicated SIM card, configure a static access point in the APN profile and configure the authentication method for 5G network access with the username and password provided by the carrier.
(1) Configure IP addresses for the device interfaces. (Details not shown.)
(2) Configure 5G modem dialing.
# Configure dialer group 1 and its dial access control rule: any IPv4 packet may trigger a call.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
# Create a 5G modem APN profile that uses a dynamic access point.
[RouterA] apn-profile dynamic1
[RouterA-apn-profile-dynamic1] apn dynamic
[RouterA-apn-profile-dynamic1] quit
# Channelize an Ethernet channel interface from the Cellular1/0 interface.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Configure Eth-channel1/0:0 to obtain the carrier-assigned IP address through the modem's proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
# Apply the 5G modem APN profile to Eth-channel1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on Eth-channel1/0:0 and associate it with dialer group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle timeout to 0 (the link is never torn down for being idle), the call setup timeout to 30 seconds, and the auto-dial interval to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Configure the auto-dial string for the peer. The string depends on the carrier; in mainland China, China Mobile and China Unicom typically use *99#, and China Telecom uses #777.
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
# Enable outbound NAT on Eth-channel1/0:0 so that all internal traffic is translated to the carrier-assigned address.
[RouterA-Eth-channel1/0:0] nat outbound
[RouterA-Eth-channel1/0:0] quit
# Configure a default route.
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0
# Display the routing table. The configured default route is active, and users can reach the Internet through the device.
[RouterA] display ip routing-table
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 0.0.0.0 E-Ch1/0:0
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
1.0.0.2/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
...
#
interface gigabitethernet 1/0/1
ip address 192.168.1.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
nat outbound
#
ip route-static 0.0.0.0 0.0.0.0 eth-channel 1/0:0
#
Applies to MSR centralized and MSR distributed products running R6728P13 and later.
As shown in Figure 2, Router A can reach the Internet over the wired link Router A -> Router B. Router A also has a 5G modem module and can reach the Internet over a DDR dial-up 5G connection. Requirements:
· Configure traditional DDR automatic periodic dialing on Router A to attach to the 5G network and keep a permanent 5G connection.
· Configure two routes to the Internet on Router A: the wired link is the primary link and the 5G link is the backup link.
· Monitor the state of the wired link on Router A and switch links promptly when that state changes.
Figure 2 Network diagram for 5G modem dial-up link backup
For the wired link to carry traffic as the primary link, the route over the wired link must have a higher priority (a lower preference value) than the route over the 5G network.
To detect the link state, configure NQA on Router A to monitor the wired link continuously.
To switch links promptly when the wired link changes state, associate a Track entry with the static route. When NQA detects that the wired link is unreachable, the static route over the wired link becomes inactive, the static route over the 5G link takes effect, and traffic is forwarded over the 5G network. When NQA detects that the wired link is reachable again, the wired static route is reactivated and traffic returns to the wired link. Note that NQA only checks reachability of the probe destination through the configured next hop: if a failure further upstream leaves 1.1.1.1 reachable but the Internet unreachable, the Track entry stays Positive and traffic is still sent over the wired link, so choose a probe destination that represents the path you actually depend on.
With an ordinary 5G SIM card, configuring a dynamic access point in the 5G modem APN profile is enough for the router to attach to the 5G network. With a 5G IoT card or a VPDN-dedicated SIM card, configure a static access point in the APN profile and configure the authentication method for 5G network access with the username and password provided by the carrier.
(1) Configure IP addresses for the device interfaces. (Details not shown.)
(2) Configure 5G modem dialing.
# Configure dialer group 1 and its dial access control rule.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
# Create a 5G modem APN profile that uses a dynamic access point.
[RouterA] apn-profile dynamic1
[RouterA-apn-profile-dynamic1] apn dynamic
[RouterA-apn-profile-dynamic1] quit
# Channelize an Ethernet channel interface from the Cellular1/0 interface.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Configure Eth-channel1/0:0 to obtain the carrier-assigned IP address through the modem's proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
# Apply the 5G modem APN profile to Eth-channel1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on Eth-channel1/0:0 and associate it with dialer group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle timeout to 0, the call setup timeout to 30 seconds, and the auto-dial interval to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Configure the auto-dial string for the peer. The string depends on the carrier; in mainland China, China Mobile and China Unicom typically use *99#, and China Telecom uses #777.
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
# Enable outbound NAT on Eth-channel1/0:0 for all internal traffic.
[RouterA-Eth-channel1/0:0] nat outbound
[RouterA-Eth-channel1/0:0] quit
# Configure default routes. The route over the wired link has preference 50 and is bound to Track 1; the route over the 5G link has preference 60 and is used only while the wired route is inactive.
[RouterA] ip route-static 0.0.0.0 0 gigabitethernet 1/0/2 192.168.2.2 track 1 preference 50
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0 preference 60
(3) Configure an NQA operation.
# Create an ICMP echo NQA operation (administrator admin, operation tag test) and set the probe destination to 1.1.1.1 (choose a destination that suits your network; this example uses the address of GigabitEthernet1/0/2 on Router B).
[RouterA] nqa entry admin test
[RouterA-nqa-admin-test] type icmp-echo
[RouterA-nqa-admin-test-icmp-echo] destination ip 1.1.1.1
# Set the next hop for probe packets to 192.168.2.2 so that the probes always leave over the wired link.
[RouterA-nqa-admin-test-icmp-echo] next-hop ip 192.168.2.2
# Configure optional parameters: 5 probes per operation, a probe timeout of 500 milliseconds, and an interval of 5000 milliseconds between the start times of consecutive operations.
[RouterA-nqa-admin-test-icmp-echo] probe count 5
[RouterA-nqa-admin-test-icmp-echo] probe timeout 500
[RouterA-nqa-admin-test-icmp-echo] frequency 5000
# Create reaction entry 1: two consecutive probe failures trigger collaboration with other modules.
[RouterA-nqa-admin-test-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 2 action-type trigger-only
[RouterA-nqa-admin-test-icmp-echo] quit
# Create Track entry 1 and associate it with reaction entry 1 of the NQA operation (administrator admin, operation tag test).
[RouterA] track 1 nqa entry admin test reaction 1
[RouterA-track-1] quit
# Start the NQA operation immediately and run it indefinitely.
[RouterA] nqa schedule admin test start-time now lifetime forever
(1) Configure IP addresses for the device interfaces on Router B. (Details not shown.)
(2) Configure routes.
# Enable outbound NAT on GigabitEthernet1/0/2 for all internal traffic.
<RouterB> system-view
[RouterB] interface gigabitethernet 1/0/2
[RouterB-GigabitEthernet1/0/2] nat outbound
[RouterB-GigabitEthernet1/0/2] quit
# Configure a static route to 192.168.1.0/24.
[RouterB] ip route-static 192.168.1.0 255.255.255.0 gigabitethernet 1/0/1 192.168.2.1
# Display Router A's routing table. The default route over the wired link is active.
[RouterA] display ip routing-table
Destinations : 20 Routes : 20
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 50 0 192.168.2.2 GE1/0/2
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
1.0.0.2/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
...
# Shut down GigabitEthernet1/0/2 and display Router A's routing table again. The default route over the 5G network is now active.
[RouterA] display ip routing-table
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 0.0.0.0 E-Ch1/0:0
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
1.0.0.2/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
...
· Router A:
#
interface gigabitethernet 1/0/1
ip address 192.168.1.1 255.255.255.0
#
interface gigabitethernet 1/0/2
ip address 192.168.2.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
nat outbound
#
ip route-static 0.0.0.0 0 gigabitethernet 1/0/2 192.168.2.2 track 1 preference 50
ip route-static 0.0.0.0 0 eth-channel 1/0:0 preference 60
nqa entry admin test
type icmp-echo
destination ip 1.1.1.1
next-hop ip 192.168.2.2
probe count 5
probe timeout 500
frequency 5000
reaction 1 checked-element probe-fail threshold-type consecutive 2 action-type trigger-only
#
nqa schedule admin test start-time now lifetime forever
track 1 nqa entry admin test reaction 1
#
· Router B:
#
interface gigabitethernet 1/0/1
ip address 192.168.2.2 255.255.255.0
#
interface gigabitethernet 1/0/2
ip address 1.1.1.1 255.255.255.0
nat outbound
#
ip route-static 192.168.1.0 255.255.255.0 gigabitethernet 1/0/1 192.168.2.1
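As an added example that is not part of the H3C document, the following Python script models how the NQA reaction entry, Track 1 and the two static default routes configured on Router A above interact, and reports when the default route switches to Eth-channel1/0:0 and back. It assumes behaviour the page does not spell out: the probes of one operation are sent back to back, a failed probe is declared only after the probe timeout, the reaction entry returns to Positive on the first successful probe, and a successful probe returns after one millisecond. The failure window passed to `simulate()` is constructed for the example.

```python
"""Added example: simulate how the NQA reaction entry, Track 1 and the two static
default routes on Router A interact, to see how long the switch to 5G takes.
Assumptions not stated on the page: the probes of one operation are sent back to
back, a failed probe is declared after the probe timeout, the reaction entry
returns to Positive on the first successful probe, and a successful probe takes
RTT_MS. All times are in milliseconds."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

RTT_MS = 1  # constructed round-trip time of a successful ICMP echo probe


@dataclass
class NqaOperation:
    """Parameters of 'nqa entry admin test' as configured above."""
    probe_count: int = 5             # probe count 5
    probe_timeout_ms: int = 500      # probe timeout 500
    frequency_ms: int = 5000         # frequency 5000
    consecutive_threshold: int = 2   # reaction 1 ... threshold-type consecutive 2


@dataclass
class StaticRoute:
    interface: str
    preference: int
    track: Optional[int] = None      # None: the route is not bound to a Track entry


ROUTES = [
    StaticRoute("GE1/0/2", 50, track=1),   # wired link, bound to Track 1
    StaticRoute("Eth-channel1/0:0", 60),   # 5G link, always installed
]

Event = Tuple[int, str, str]  # (time, "Negative"/"Positive", active default route)


class RouterA:
    def __init__(self, nqa: NqaOperation, routes: List[StaticRoute]) -> None:
        self.nqa, self.routes = nqa, routes
        self.track_positive = True      # state of Track 1
        self.consecutive_failures = 0   # counter behind reaction entry 1
        self.events: List[Event] = []

    def active_default(self) -> str:
        """Lowest preference among default routes whose Track entry (if any) is Positive."""
        usable = [r for r in self.routes if r.track is None or self.track_positive]
        return min(usable, key=lambda r: r.preference).interface

    def probe_result(self, ok: bool, t: int) -> None:
        if ok:
            self.consecutive_failures = 0
            if not self.track_positive:
                self.track_positive = True
                self.events.append((t, "Positive", self.active_default()))
            return
        self.consecutive_failures += 1
        if self.track_positive and self.consecutive_failures >= self.nqa.consecutive_threshold:
            self.track_positive = False
            self.events.append((t, "Negative", self.active_default()))

    def run(self, probe_ok: Callable[[int], bool], until_ms: int) -> List[Event]:
        """Start an operation every frequency_ms; each sends probe_count probes back to back."""
        start = 0
        while start < until_ms:
            t = start
            for _ in range(self.nqa.probe_count):
                ok = probe_ok(t)
                t += RTT_MS if ok else self.nqa.probe_timeout_ms
                self.probe_result(ok, t)
            start += self.nqa.frequency_ms
        return self.events


def simulate(down_at_ms: int, up_at_ms: int, nqa: NqaOperation = NqaOperation()) -> Dict[str, object]:
    """Wired path (probes to 1.1.1.1 via 192.168.2.2) is down during [down_at_ms, up_at_ms)."""
    router = RouterA(nqa, ROUTES)
    events = router.run(lambda t: not (down_at_ms <= t < up_at_ms), until_ms=up_at_ms + 2 * nqa.frequency_ms)
    neg = next((e for e in events if e[1] == "Negative"), None)
    pos = next((e for e in events if e[1] == "Positive"), None)
    return {
        "negative_at": neg[0] if neg else None,
        "route_after_failover": neg[2] if neg else None,
        "positive_at": pos[0] if pos else None,
        "route_after_restore": pos[2] if pos else None,
        "events": events,
    }


def worst_case_detection_ms(nqa: NqaOperation) -> int:
    """Upper bound from link failure to Track 1 Negative: the link can fail just after an
    operation finished, so wait for the next one, then for `consecutive` probe timeouts."""
    return nqa.frequency_ms + nqa.consecutive_threshold * nqa.probe_timeout_ms
```

With the values on this page (5 probes, 500 ms timeout, 5000 ms frequency, consecutive 2), a wired-link failure is noticed at most about 6 seconds after it occurs, and the wired route is reinstated one operation interval plus one RTT after probes start succeeding again. Lowering `frequency` shortens the outage at the cost of more probe traffic; a `consecutive` value of 1 would fail over on a single lost packet.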
Applies to MSR centralized and MSR distributed products running R6728P13 and later.
As shown in Figure 3, Router A has a 5G modem module, and users access the 5G network through DDR automatic periodic dialing. An IPsec tunnel is established between branch gateway Router A and headquarters gateway Router B to protect traffic between the branch network 192.168.1.0/24 and the headquarters network 192.168.2.0/24. Requirements:
· Configure traditional DDR automatic periodic dialing on Router A to attach to the 5G network and keep a permanent 5G connection.
· Configure the IPsec tunnel in tunnel mode with the ESP protocol, DES-CBC encryption and SHA-1 authentication, and negotiate the IPsec SAs through IKE. (DES-CBC for ESP and 3DES-CBC for IKE are kept here because the example uses them; both are deprecated, DES has only a 56-bit key, and production deployments should use AES, for example aes-cbc-256, with SHA-256.)
Figure 3 Network diagram for 5G modem dial-up with an IPsec tunnel
On Router A, channelize Ethernet channel interface Eth-channel1/0:0 from Cellular1/0, configure it to obtain the carrier-assigned IP address through the modem's proprietary protocol, and configure DDR automatic dialing with a permanent connection on it.
Because the address of dial interface Eth-channel1/0:0 changes dynamically, Router B (the headquarters gateway) must use an IPsec policy template with the peer address specified as 0.0.0.0/0, and the tunnel setup request must be initiated by Router A (the branch gateway).
To ensure that Router B has a private-network route to every branch gateway, enable IPsec reverse route injection on Router B so that the static routes from headquarters to the branches are generated dynamically as IPsec SAs are established.
With an ordinary 5G SIM card, configuring a dynamic access point in the 5G modem APN profile is enough for the router to attach to the 5G network. With a 5G IoT card or a VPDN-dedicated SIM card, configure a static access point in the APN profile and configure the authentication method for 5G network access with the username and password provided by the carrier.
(1) Configure IP addresses for the device interfaces. (Details not shown.)
(2) Configure 5G modem dialing.
# Configure dialer group 1 and its dial access control rule.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
# Create a 5G modem APN profile that uses a dynamic access point.
[RouterA] apn-profile dynamic1
[RouterA-apn-profile-dynamic1] apn dynamic
[RouterA-apn-profile-dynamic1] quit
# Channelize an Ethernet channel interface from the Cellular1/0 interface.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Configure Eth-channel1/0:0 to obtain its IP address through the modem's proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
# Apply the 5G modem APN profile to Eth-channel1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on Eth-channel1/0:0 and associate it with dialer group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle timeout to 0, the call setup timeout to 30 seconds, and the auto-dial interval to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Configure the dial string for the peer. The string depends on the carrier; in mainland China, China Mobile and China Unicom typically use *99#, and China Telecom uses #777.
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
[RouterA-Eth-channel1/0:0] quit
# Configure a default route.
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0
(3) Configure an IPsec policy.
# Configure IPv4 advanced ACL 3001 to permit IP packets from 192.168.1.0/24 to 192.168.2.0/24.
[RouterA] acl advanced 3001
[RouterA-acl-ipv4-adv-3001] rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[RouterA-acl-ipv4-adv-3001] quit
# Create IPsec transform set tran1: tunnel mode, ESP, SHA-1 authentication, DES-CBC encryption.
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterA-ipsec-transform-set-tran1] protocol esp
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterA-ipsec-transform-set-tran1] quit
# Create IKE proposal 1: pre-shared key authentication, 3DES-CBC encryption, HMAC-SHA1 authentication.
[RouterA] ike proposal 1
[RouterA-ike-proposal-1] encryption-algorithm 3des-cbc
[RouterA-ike-proposal-1] authentication-algorithm sha
[RouterA-ike-proposal-1] authentication-method pre-share
[RouterA-ike-proposal-1] quit
# Create IKE keychain key1 and configure plaintext pre-shared key 123456 for the peer at 1.1.1.1 (mask 255.255.255.0). The key 123456 is only a placeholder; use a long random key in production.
[RouterA] ike keychain key1
[RouterA-ike-keychain-key1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456
[RouterA-ike-keychain-key1] quit
# Create IKE profile ike1: reference keychain key1, match a remote identity of IP address 1.1.1.1 (mask 255.255.255.0), and enable periodic DPD with a 5-second interval.
[RouterA] ike profile ike1
[RouterA-ike-profile-ike1] keychain key1
[RouterA-ike-profile-ike1] match remote identity address 1.1.1.1 255.255.255.0
[RouterA-ike-profile-ike1] dpd interval 5 periodic
[RouterA-ike-profile-ike1] quit
# Create IPsec policy policy1 (sequence number 10, IKE negotiation): reference transform set tran1, IKE profile ike1, and IPv4 advanced ACL 3001, and set the remote IPv4 address of the IPsec tunnel to 1.1.1.1.
[RouterA] ipsec policy policy1 10 isakmp
[RouterA-ipsec-policy-isakmp-policy1-10] transform-set tran1
[RouterA-ipsec-policy-isakmp-policy1-10] ike-profile ike1
[RouterA-ipsec-policy-isakmp-policy1-10] security acl 3001
[RouterA-ipsec-policy-isakmp-policy1-10] remote-address 1.1.1.1
[RouterA-ipsec-policy-isakmp-policy1-10] quit
# Apply IPsec policy policy1 to Eth-channel1/0:0.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ipsec apply policy policy1
[RouterA-Eth-channel1/0:0] quit
(1) Configure IP addresses for the device interfaces on Router B. (Details not shown.) As the headquarters gateway, Router B is assumed to already have a default route to its public-network next hop.
(2) Configure an IPsec policy.
# Configure IPv4 advanced ACL 3003 to permit IP packets from 192.168.2.0/24 to 192.168.1.0/24.
<RouterB> system-view
[RouterB] acl advanced 3003
[RouterB-acl-ipv4-adv-3003] rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[RouterB-acl-ipv4-adv-3003] quit
# Create IPsec transform set tran1: tunnel mode, ESP, SHA-1 authentication, DES-CBC encryption.
[RouterB] ipsec transform-set tran1
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterB-ipsec-transform-set-tran1] protocol esp
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterB-ipsec-transform-set-tran1] quit
# Create IKE proposal 1: pre-shared key authentication, 3DES-CBC encryption, HMAC-SHA1 authentication.
[RouterB] ike proposal 1
[RouterB-ike-proposal-1] encryption-algorithm 3des-cbc
[RouterB-ike-proposal-1] authentication-algorithm sha
[RouterB-ike-proposal-1] authentication-method pre-share
[RouterB-ike-proposal-1] quit
# Create IKE keychain key1 and configure plaintext pre-shared key 123456 for any peer address (0.0.0.0 0.0.0.0). Because branch addresses are dynamic, the same key is accepted from any address, so any host that knows it can start a negotiation; protect the key accordingly.
[RouterB] ike keychain key1
[RouterB-ike-keychain-key1] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterB-ike-keychain-key1] quit
# Create IKE profile ike1: reference keychain key1 and match any remote identity IP address (0.0.0.0 with mask 0.0.0.0).
[RouterB] ike profile ike1
[RouterB-ike-profile-ike1] keychain key1
[RouterB-ike-profile-ike1] match remote identity address 0.0.0.0 0.0.0.0
[RouterB-ike-profile-ike1] quit
# Create IPsec policy template temp1: reference transform set tran1, IKE profile ike1, and IPv4 advanced ACL 3003.
[RouterB] ipsec policy-template temp1 1
[RouterB-ipsec-policy-template-temp1-1] transform-set tran1
[RouterB-ipsec-policy-template-temp1-1] ike-profile ike1
[RouterB-ipsec-policy-template-temp1-1] security acl 3003
# Enable IPsec reverse route injection so that static routes are generated dynamically from successfully negotiated IPsec SAs.
[RouterB-ipsec-policy-template-temp1-1] reverse-route dynamic
[RouterB-ipsec-policy-template-temp1-1] quit
# Create IPsec policy policy1 with sequence number 10 from template temp1, negotiating IPsec SAs through IKE.
[RouterB] ipsec policy policy1 10 isakmp template temp1
# Apply IPsec policy policy1 to GigabitEthernet1/0/1.
[RouterB] interface gigabitethernet 1/0/1
[RouterB-GigabitEthernet1/0/1] ipsec apply policy policy1
[RouterB-GigabitEthernet1/0/1] quit
After the configuration, when branch subnet 192.168.1.0/24 initiates traffic to headquarters network 192.168.2.0/24, IKE negotiation is triggered between Router A and Router B. Once IKE has negotiated the IPsec SAs, traffic between the headquarters and branch subnets is protected by those SAs.
# Router A and Router B can ping each other's private networks.
<RouterA> ping -a 192.168.1.1 192.168.2.1
Ping 192.168.2.1 (192.168.2.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=254 time=7.343 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=254 time=1.164 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=254 time=1.080 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=254 time=1.234 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=254 time=1.391 ms
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.080/2.442/7.343/2.452 ms
# On Router A, display the negotiated IPsec SAs.
<RouterA> display ipsec sa
-------------------------------
Interface: Eth-channel1/0:0
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1444
Tunnel:
local address/port: 2.2.2.1/500
remote address/port: 1.1.1.1/500
Flow:
sour addr: 192.168.1.0/255.255.255.0 port: 4500 protocol: ip
dest addr: 192.168.2.0/255.255.255.0 port: 4500 protocol: ip
...
· Router A:
#
interface gigabitethernet 1/0/1
ip address 192.168.1.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
#
ip route-static 0.0.0.0 0.0.0.0 eth-channel 1/0:0
#
acl advanced 3001
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm sha
authentication-method pre-share
#
ike keychain key1
pre-shared-key address 1.1.1.1 255.255.255.0 key cipher $c$3$6xffbOeJQiOn1UzvH2Vdd1H+2PenaF8c3g==
#
ike profile ike1
keychain key1
match remote identity address 1.1.1.1 255.255.255.0
dpd interval 5 periodic
#
ipsec policy policy1 10 isakmp
transform-set tran1
ike-profile ike1
security acl 3001
remote-address 1.1.1.1
#
interface eth-channel 1/0:0
ipsec apply policy policy1
#
· Router B:
#
interface gigabitethernet 1/0/1
ip address 1.1.1.1 255.255.255.0
#
interface gigabitethernet 1/0/2
ip address 192.168.2.1 255.255.255.0
#
acl advanced 3003
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm sha
authentication-method pre-share
#
ike keychain key1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$6xffbOeJQiOn1UzvH2Vdd1H+2PenaF8c3g==
#
ike profile ike1
keychain key1
match remote identity address 0.0.0.0 0.0.0.0
#
ipsec policy-template temp1 1
transform-set tran1
ike-profile ike1
security acl 3003
reverse-route dynamic
#
ipsec policy policy1 10 isakmp template temp1
#
interface gigabitethernet 1/0/1
ipsec apply policy policy1
#
Applies to MSR centralized and MSR distributed products running R6728P13 and later.
As shown in Figure 4, Router A has a 5G modem module, and users access the 5G network through DDR automatic periodic dialing. ADVPN tunnels are established among branch gateways Router A and Router B and headquarters gateway Router C, so that the branch networks reach each other and the headquarters network directly. Requirements:
· Configure traditional DDR automatic periodic dialing on Router A to attach to the 5G network and keep a permanent connection.
· Router A and Router B act as spokes and Router C acts as the hub; a permanent ADVPN tunnel is established between each spoke and the hub.
· Between the two spokes, Router A and Router B, an ADVPN tunnel is established dynamically, triggered by data traffic.
Figure 4 Network diagram for 5G modem dial-up with ADVPN tunnels

Device | Interface | IP address
--- | --- | ---
Router A (Spoke1) | GE1/0/1 | 192.168.1.1/24
 | Tunnel1 | 192.168.0.1/24
Router B (Spoke2) | GE1/0/1 | 192.168.2.1/24
 | Tunnel1 | 192.168.0.2/24
Router C (Hub) | GE1/0/1 | 192.168.3.1/24
 | GE1/0/2 | 1.1.1.1/24
 | Tunnel1 | 192.168.0.3/24
Router D (VAM Server) | GE1/0/1 | 1.1.1.2/24

On Router A, channelize Ethernet channel interface Eth-channel1/0:0 from Cellular1/0, configure it to obtain the carrier-assigned IP address through the modem's proprietary protocol, and configure DDR automatic dialing with a permanent connection on it.
To keep branch-to-headquarters and branch-to-branch traffic confidential, apply an IPsec profile to the ADVPN tunnel to encrypt the data. Because the address of dial interface Eth-channel1/0:0 changes dynamically, the peer address used by the IPsec profile on the ADVPN tunnel must be specified as 0.0.0.0/0.
In this example, Router D (the VAM server) does not perform AAA authentication of the identities of the VAM clients Router A, Router B, and Router C; any device that knows the domain pre-shared key can register. To authenticate VAM client identities, configure AAA authentication as required by your deployment.
With an ordinary 5G SIM card, configuring a dynamic access point in the 5G modem APN profile is enough for the router to attach to the 5G network. With a 5G IoT card or a VPDN-dedicated SIM card, configure a static access point in the APN profile and configure the authentication method for 5G network access with the username and password provided by the carrier.
(1) Configure IP addresses for the device interfaces. (Details not shown.)
(2) Configure 5G modem dialing.
# Configure dialer group 1 and its dial access control rule.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
# Create a 5G modem APN profile that uses a dynamic access point.
[RouterA] apn-profile dynamic1
[RouterA-apn-profile-dynamic1] apn dynamic
[RouterA-apn-profile-dynamic1] quit
# Channelize an Ethernet channel interface from the Cellular1/0 interface.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Configure Eth-channel1/0:0 to obtain the carrier-assigned IP address through the modem's proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
# Apply the 5G modem APN profile to Eth-channel1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on Eth-channel1/0:0 and associate it with dialer group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle timeout to 0, the call setup timeout to 30 seconds, and the auto-dial interval to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Configure the dial string for the peer. The string depends on the carrier; in mainland China, China Mobile and China Unicom typically use *99#, and China Telecom uses #777.
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
# Enable outbound NAT on Eth-channel1/0:0 for all internal traffic.
[RouterA-Eth-channel1/0:0] nat outbound
[RouterA-Eth-channel1/0:0] quit
# Configure a default route.
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0
(3) Configure the VAM client (spoke).
# Create VAM client spoke1 and assign it to ADVPN domain abc.
[RouterA] vam client name spoke1
[RouterA-vam-client-spoke1] advpn-domain abc
# Configure the VAM client's pre-shared key as 123456.
[RouterA-vam-client-spoke1] pre-shared-key simple 123456
# Configure the VAM server's IP address and enable the VAM client.
[RouterA-vam-client-spoke1] server primary ip-address 1.1.1.2
[RouterA-vam-client-spoke1] client enable
[RouterA-vam-client-spoke1] quit
# Create IKE keychain key and configure plaintext pre-shared key 123456 for any peer address.
[RouterA] ike keychain key
[RouterA-ike-keychain-key] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterA-ike-keychain-key] quit
# Create IKE profile ike and reference keychain key.
[RouterA] ike profile ike
[RouterA-ike-profile-ike] keychain key
[RouterA-ike-profile-ike] quit
# Create IPsec transform set tran: transport mode, SHA-1 authentication, DES-CBC encryption.
[RouterA] ipsec transform-set tran
[RouterA-ipsec-transform-set-tran] encapsulation-mode transport
[RouterA-ipsec-transform-set-tran] esp encryption-algorithm des-cbc
[RouterA-ipsec-transform-set-tran] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran] quit
# Create IPsec profile profile1, which negotiates SAs through IKE and references transform set tran and IKE profile ike.
[RouterA] ipsec profile profile1 isakmp
[RouterA-ipsec-profile-isakmp-profile1] transform-set tran
[RouterA-ipsec-profile-isakmp-profile1] ike-profile ike
[RouterA-ipsec-profile-isakmp-profile1] quit
# Configure OSPF to advertise the private-network routes.
[RouterA] ospf 1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
# Create IPv4 ADVPN tunnel interface Tunnel1 with GRE encapsulation, set Router A's OSPF DR priority to 0 so that it does not take part in DR/BDR election, and protect the tunnel with IPsec profile profile1 (the profile created above).
[RouterA] interface tunnel1 mode advpn gre
[RouterA-Tunnel1] ip address 192.168.0.1 255.255.255.0
[RouterA-Tunnel1] vam client spoke1
[RouterA-Tunnel1] ospf network-type broadcast
[RouterA-Tunnel1] ospf dr-priority 0
[RouterA-Tunnel1] source eth-channel 1/0:0
[RouterA-Tunnel1] tunnel protection ipsec profile profile1
[RouterA-Tunnel1] quit
(1) Configure IP addresses for the device interfaces on Router B. (Details not shown.)
(2) Configure 5G modem dialing.
# Configure dialer group 1 and its dial access control rule.
<RouterB> system-view
[RouterB] dialer-group 1 rule ip permit
# Create a 5G modem APN profile that uses a dynamic access point.
[RouterB] apn-profile dynamic1
[RouterB-apn-profile-dynamic1] apn dynamic
[RouterB-apn-profile-dynamic1] quit
# Channelize an Ethernet channel interface from the Cellular1/0 interface.
[RouterB] controller cellular 1/0
[RouterB-Cellular1/0] eth-channel 0
[RouterB-Cellular1/0] quit
# Configure Eth-channel1/0:0 to obtain the carrier-assigned IP address through the modem's proprietary protocol.
[RouterB] interface eth-channel 1/0:0
[RouterB-Eth-channel1/0:0] ip address cellular-alloc
# Apply the 5G modem APN profile to Eth-channel1/0:0.
[RouterB-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on Eth-channel1/0:0 and associate it with dialer group 1.
[RouterB-Eth-channel1/0:0] dialer circular enable
[RouterB-Eth-channel1/0:0] dialer-group 1
# Set the link idle timeout to 0, the call setup timeout to 30 seconds, and the auto-dial interval to 5 seconds.
[RouterB-Eth-channel1/0:0] dialer timer idle 0
[RouterB-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterB-Eth-channel1/0:0] dialer timer autodial 5
# Configure the dial string for the peer. The string depends on the carrier; in mainland China, China Mobile and China Unicom typically use *99#, and China Telecom uses #777.
[RouterB-Eth-channel1/0:0] dialer number *99# autodial
# Enable outbound NAT on Eth-channel1/0:0 for all internal traffic.
[RouterB-Eth-channel1/0:0] nat outbound
[RouterB-Eth-channel1/0:0] quit
# Configure a default route.
[RouterB] ip route-static 0.0.0.0 0 eth-channel 1/0:0
(3) Configure the VAM client (spoke).
# Create VAM client spoke2 and assign it to ADVPN domain abc.
[RouterB] vam client name spoke2
[RouterB-vam-client-spoke2] advpn-domain abc
# Configure the VAM client's pre-shared key as 123456.
[RouterB-vam-client-spoke2] pre-shared-key simple 123456
# Configure the VAM server's IP address and enable the VAM client.
[RouterB-vam-client-spoke2] server primary ip-address 1.1.1.2
[RouterB-vam-client-spoke2] client enable
[RouterB-vam-client-spoke2] quit
# Create IKE keychain key and configure plaintext pre-shared key 123456 for any peer address.
[RouterB] ike keychain key
[RouterB-ike-keychain-key] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterB-ike-keychain-key] quit
# Create IKE profile ike and reference keychain key.
[RouterB] ike profile ike
[RouterB-ike-profile-ike] keychain key
[RouterB-ike-profile-ike] quit
# Create IPsec transform set tran: transport mode, SHA-1 authentication, DES-CBC encryption.
[RouterB] ipsec transform-set tran
[RouterB-ipsec-transform-set-tran] encapsulation-mode transport
[RouterB-ipsec-transform-set-tran] esp encryption-algorithm des-cbc
[RouterB-ipsec-transform-set-tran] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran] quit
# Create IPsec profile profile1, which negotiates SAs through IKE and references transform set tran and IKE profile ike.
[RouterB] ipsec profile profile1 isakmp
[RouterB-ipsec-profile-isakmp-profile1] transform-set tran
[RouterB-ipsec-profile-isakmp-profile1] ike-profile ike
[RouterB-ipsec-profile-isakmp-profile1] quit
# Configure OSPF to advertise the private-network routes.
[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Create IPv4 ADVPN tunnel interface Tunnel1 with GRE encapsulation, set Router B's OSPF DR priority to 0 so that it does not take part in DR/BDR election, and protect the tunnel with IPsec profile profile1.
[RouterB] interface tunnel1 mode advpn gre
[RouterB-Tunnel1] ip address 192.168.0.2 255.255.255.0
[RouterB-Tunnel1] vam client spoke2
[RouterB-Tunnel1] ospf network-type broadcast
[RouterB-Tunnel1] ospf dr-priority 0
[RouterB-Tunnel1] source eth-channel 1/0:0
[RouterB-Tunnel1] tunnel protection ipsec profile profile1
[RouterB-Tunnel1] quit
(1) Configure IP addresses for the device interfaces on Router C. (Details not shown.) Router C is assumed to already have a default route to its public-network next hop.
(2) Configure the VAM client (hub).
# Enable outbound NAT on GigabitEthernet1/0/2 for all internal traffic.
<RouterC> system-view
[RouterC] interface gigabitethernet 1/0/2
[RouterC-GigabitEthernet1/0/2] nat outbound
[RouterC-GigabitEthernet1/0/2] quit
# Create VAM client Hub and assign it to ADVPN domain abc.
[RouterC] vam client name Hub
[RouterC-vam-client-Hub] advpn-domain abc
# Configure the VAM client's pre-shared key as 123456.
[RouterC-vam-client-Hub] pre-shared-key simple 123456
# Configure the VAM server's IP address and enable the VAM client.
[RouterC-vam-client-Hub] server primary ip-address 1.1.1.2
[RouterC-vam-client-Hub] client enable
[RouterC-vam-client-Hub] quit
# Create IKE keychain key and configure plaintext pre-shared key 123456 for any peer address.
[RouterC] ike keychain key
[RouterC-ike-keychain-key] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterC-ike-keychain-key] quit
# Create IKE profile ike and reference keychain key.
[RouterC] ike profile ike
[RouterC-ike-profile-ike] keychain key
[RouterC-ike-profile-ike] quit
# Create IPsec transform set tran: transport mode, SHA-1 authentication, DES-CBC encryption.
[RouterC] ipsec transform-set tran
[RouterC-ipsec-transform-set-tran] encapsulation-mode transport
[RouterC-ipsec-transform-set-tran] esp encryption-algorithm des-cbc
[RouterC-ipsec-transform-set-tran] esp authentication-algorithm sha1
[RouterC-ipsec-transform-set-tran] quit
# Create IPsec profile profile1, which negotiates SAs through IKE and references transform set tran and IKE profile ike.
[RouterC] ipsec profile profile1 isakmp
[RouterC-ipsec-profile-isakmp-profile1] transform-set tran
[RouterC-ipsec-profile-isakmp-profile1] ike-profile ike
[RouterC-ipsec-profile-isakmp-profile1] quit
# Configure OSPF to advertise the private-network routes.
[RouterC] ospf 1
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit
# Create IPv4 ADVPN tunnel interface Tunnel1 with GRE encapsulation and protect it with IPsec profile profile1.
[RouterC] interface tunnel1 mode advpn gre
[RouterC-Tunnel1] ip address 192.168.0.3 255.255.255.0
[RouterC-Tunnel1] vam client Hub
[RouterC-Tunnel1] ospf network-type broadcast
[RouterC-Tunnel1] source gigabitethernet 1/0/2
[RouterC-Tunnel1] tunnel protection ipsec profile profile1
[RouterC-Tunnel1] quit
(1) Configure IP addresses for the device interfaces on Router D. (Details not shown.) Router D is assumed to already have a default route to its public-network next hop.
(2) Configure the VAM server.
# Create ADVPN domain abc.
<RouterD> system-view
[RouterD] vam server advpn-domain abc id 1
# Create hub group 0.
[RouterD-vam-server-domain-abc] hub-group 0
# Specify the hub's IPv4 private address 192.168.0.3 and public address 1.1.1.1 in the hub group.
[RouterD-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.3 public-address 1.1.1.1
# Specify the IPv4 private address range of the spokes in the hub group.
[RouterD-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 255.255.255.0
[RouterD-vam-server-domain-abc-hub-group-0] quit
# Set the VAM server's pre-shared key to 123456 and skip AAA authentication of VAM clients.
[RouterD-vam-server-domain-abc] pre-shared-key simple 123456
[RouterD-vam-server-domain-abc] authentication-method none
# Enable the VAM server for this ADVPN domain.
[RouterD-vam-server-domain-abc] server enable
[RouterD-vam-server-domain-abc] quit
After the configuration, ADVPN tunnels are established among Router A, Router B, and Router C, and their private networks can reach one another.
# Display the IPv4 private address mappings of all VAM clients registered with the VAM server.
[RouterD] display vam server address-map
Total private address mappings: 3
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.2 Spoke Yes 0H 4M 35S
0 192.168.0.2 1.1.1.3 Spoke Yes 0H 4M 17S
0 192.168.0.3 1.1.1.1 Hub No 0H 2M 42S
The output shows that the hub, spoke1, and spoke2 have all registered their address mappings with the VAM server; the two spokes sit behind the carrier's NAT (NAT column Yes), which is why their public addresses differ from the addresses of their dial interfaces.
# On spoke1, ping spoke2's private address 192.168.2.1 to verify connectivity.
<RouterA> ping 192.168.2.1
Ping 192.168.2.1 (192.168.2.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=60.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=7.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/14.200/60.000/23.008 ms
# Display IPv4 ADVPN session information on spoke1. The spoke-to-hub session is up; the spoke-to-spoke session is still being established because it is created on demand when data is sent.
[RouterA] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.2 1.1.1.3 -- S-S Establishing 0H 0M 22S
192.168.0.3 1.1.1.1 -- S-H Success 0H 1M 25S
# Display IPv4 ADVPN session information on the hub.
[RouterC] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.2 -- H-S Success 0H 2M 40S
192.168.0.2 1.1.1.3 -- H-S Success 0H 1M 53S
· Router A:
#
interface gigabitethernet 1/0/1
ip address 192.168.1.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
nat outbound
#
ip route-static 0.0.0.0 0 eth-channel 1/0:0
#
vam client name spoke1
advpn-domain abc
pre-shared-key cipher $c$3$k4hxzHYdkYZ8QUIr6+XsNTxsG/lGk6SGeQ==
server primary ip-address 1.1.1.2
client enable
#
ike keychain key
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$i/ODxQdpM7b0kmqHCMj+VpV6G+x/IBDycg==
#
ike profile ike
keychain key
#
ipsec transform-set tran
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile profile1 isakmp
transform-set tran
ike-profile ike
#
ospf 1
area 0
network 192.168.1.0 0.0.0.255
network 192.168.0.0 0.0.0.255
#
interface tunnel1 mode advpn gre
ip address 192.168.0.1 255.255.255.0
vam client spoke1
ospf network-type broadcast
ospf dr-priority 0
source eth-channel 1/0:0
tunnel protection ipsec profile profile1
#
· Router B:
#
interface gigabitethernet 1/0/1
ip address 192.168.2.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
nat outbound
#
ip route-static 0.0.0.0 0 eth-channel 1/0:0
#
vam client name spoke2
advpn-domain abc
pre-shared-key cipher $c$3$k4hxzHYdkYZ8QUIr6+XsNTxsG/lGk6SGeQ==
server primary ip-address 1.1.1.2
client enable
#
ike keychain key
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$i/ODxQdpM7b0kmqHCMj+VpV6G+x/IBDycg==
#
ike profile ike
keychain key
#
ipsec transform-set tran
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile profile1 isakmp
transform-set tran
ike-profile ike
#
ospf 1
area 0
network 192.168.2.0 0.0.0.255
network 192.168.0.0 0.0.0.255
#
interface tunnel1 mode advpn gre
ip address 192.168.0.2 255.255.255.0
vam client spoke2
ospf network-type broadcast
ospf dr-priority 0
source eth-channel 1/0:0
tunnel protection ipsec profile profile1
#
· Router C:
#
interface gigabitethernet 1/0/1
ip address 192.168.3.1 255.255.255.0
#
interface gigabitethernet 1/0/2
ip address 1.1.1.1 255.255.255.0
nat outbound
#
vam client name Hub
advpn-domain abc
pre-shared-key cipher $c$3$k4hxzHYdkYZ8QUIr6+XsNTxsG/lGk6SGeQ==
server primary ip-address 1.1.1.2
client enable
#
ike keychain key
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$i/ODxQdpM7b0kmqHCMj+VpV6G+x/IBDycg==
#
ike profile ike
keychain key
#
ipsec transform-set tran
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile profile1 isakmp
transform-set tran
ike-profile ike
#
ospf 1
area 0
network 192.168.0.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
interface tunnel1 mode advpn gre
ip address 192.168.0.3 255.255.255.0
vam client Hub
ospf network-type broadcast
source gigabitethernet 1/0/2
tunnel protection ipsec profile profile1
#
· Router D:
#
interface gigabitethernet 1/0/1
ip address 1.1.1.2 255.255.255.0
#
vam server advpn-domain abc id 1
hub-group 0
hub private-address 192.168.0.3 public-address 1.1.1.1
spoke private-address network 192.168.0.0 255.255.255.0
#
pre-shared-key cipher $c$3$qb30FA4sK0lRsl3UgtHXhVZwwJtz4YdPrg==
authentication-method none
server enable
#
Applicable to MSR centralized and MSR distributed products running R6728P13 and later.
As shown in Figure 5, Router A has a 5G modem module, and the user dials into the carrier's dedicated VPDN network through DDR automatic timed dialing. An IPsec tunnel is established between the branch gateway Router A and the headquarters gateway Router B, and an L2TP tunnel is established between the carrier's LAC device and the headquarters gateway Router B. The requirements are as follows:
· On Router A, configure traditional DDR to dial into the 5G network over the IPv4/IPv6 dual stack and establish a permanently online 5G connection.
· Establish an L2TP tunnel in NAS-Initiated mode between the LAC device and Router B, so that traffic between the branch and headquarters gateways travels over the carrier's private line, isolated from the public network.
· Configure an IPsec tunnel between Router A and Router B through IKE negotiation to encrypt the traffic between the branch and headquarters gateways.
Figure 5 5G modem dial-up + VPDN tunnel network diagram
Channelize Ethernet interface Eth-channel1/0:0 out of interface Cellular1/0 on Router A, and configure Eth-channel1/0:0 to obtain the carrier-assigned IP address through the modem's proprietary protocol. Configure DDR on Eth-channel1/0:0 to dial into the carrier's dedicated VPDN network automatically, and configure a permanently online connection.
The L2TP tunnel between the LAC device and Router B is established in NAS-Initiated mode. Both the carrier's LAC device and the headquarters gateway Router B (acting as the LNS) use local authentication.
To make sure the branch gateway can dial into the carrier's dedicated VPDN network, a dedicated VPDN SIM card must be used for DDR dialing. When configuring DDR dialing, use the VPDN access point name, authentication method, username, and password provided by the carrier to configure the 5G modem parameter profile and dial-up authentication.
(1) Configure IP addresses for the device interfaces. (Details not shown.)
(2) Configure 5G modem dialing.
# Configure dialer group 1 and the corresponding dial access control rules.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
[RouterA] dialer-group 1 rule ipv6 permit
# Configure 5G modem parameter profile vpdn1 with static access point name vpdn, PDP data payload type IPv4v6, authentication mode CHAP or PAP, username user1, and plaintext password password1. (The access point name, authentication mode, username, and password are all provided by the carrier.)
[RouterA] apn-profile vpdn1
[RouterA-apn-profile-vpdn1] pdp-type ipv4v6
[RouterA-apn-profile-vpdn1] apn static vpdn
[RouterA-apn-profile-vpdn1] authentication-mode pap-chap user1 password simple password1
[RouterA-apn-profile-vpdn1] quit
# Channelize an Ethernet channel interface out of interface Cellular1/0.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Configure interface Eth-channel1/0:0 to obtain the carrier-assigned IPv4 and IPv6 addresses through the modem's proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
[RouterA-Eth-channel1/0:0] ipv6 address cellular-alloc
# Apply the 5G modem parameter profile to interface Eth-channel1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply vpdn1
# Enable traditional DDR on interface Eth-channel1/0:0 and associate it with dialer group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle timeout to 0, the call setup timeout to 30 seconds, and the auto-dial interval to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Configure the dial string used to reach the peer. The dial string depends on the carrier; in mainland China, China Mobile/China Unicom typically use "*99#" and China Telecom uses "#777".
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
[RouterA-Eth-channel1/0:0] quit
# Configure default routes.
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0
[RouterA] ipv6 route-static 0::0 0 eth-channel 1/0:0
(3) Configure the IPsec tunnel.
# Configure IPv4 advanced ACL 3000 to permit IP packets from 192.168.1.0/24 to 192.168.2.0/24.
[RouterA] acl advanced 3000
[RouterA-acl-ipv4-adv-3000] rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[RouterA-acl-ipv4-adv-3000] quit
# Configure IPv6 advanced ACL 3500 to permit IPv6 packets from 2001::/64 to 2002::/64.
[RouterA] acl ipv6 advanced 3500
[RouterA-acl-ipv6-adv-3500] rule 0 permit ipv6 source 2001::0 64 destination 2002::0 64
[RouterA-acl-ipv6-adv-3500] quit
# Create an IPsec transform set named tran1 that uses SHA1 as the authentication algorithm and DES in CBC mode as the encryption algorithm.
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterA-ipsec-transform-set-tran1] protocol esp
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterA-ipsec-transform-set-tran1] quit
# Create an IKE keychain named key1, and configure the plaintext pre-shared key 123456 for the peer with IPv4 address 192.168.0.1 and IPv6 address 2003::1.
[RouterA] ike keychain key1
[RouterA-ike-keychain-key1] pre-shared-key address 192.168.0.1 24 key simple 123456
[RouterA-ike-keychain-key1] pre-shared-key address ipv6 2003::1 64 key simple 123456
[RouterA-ike-keychain-key1] quit
# Create an IKE profile named ike1, reference IKE keychain key1, and specify that the peer identity to match is IPv4 address 192.168.0.1 and IPv6 address 2003::1.
[RouterA] ike profile ike1
[RouterA-ike-profile-ike1] keychain key1
[RouterA-ike-profile-ike1] match remote identity address 192.168.0.1 24
[RouterA-ike-profile-ike1] match remote identity address ipv6 2003::1 64
[RouterA-ike-profile-ike1] quit
# Create an IPv4 IPsec policy named policy1 that references transform set tran1, IKE profile ike1, and IPv4 advanced ACL 3000, and specify 192.168.0.1 as the IPv4 address of the remote end of the IPsec tunnel.
[RouterA] ipsec policy policy1 10 isakmp
[RouterA-ipsec-policy-isakmp-policy1-10] transform-set tran1
[RouterA-ipsec-policy-isakmp-policy1-10] ike-profile ike1
[RouterA-ipsec-policy-isakmp-policy1-10] security acl 3000
[RouterA-ipsec-policy-isakmp-policy1-10] remote-address 192.168.0.1
[RouterA-ipsec-policy-isakmp-policy1-10] quit
# Create an IPv6 IPsec policy named policy2 that references transform set tran1, IKE profile ike1, and IPv6 advanced ACL 3500, and specify 2003::1 as the IPv6 address of the remote end.
[RouterA] ipsec ipv6-policy policy2 20 isakmp
[RouterA-ipsec-policy-isakmp-policy2-20] transform-set tran1
[RouterA-ipsec-policy-isakmp-policy2-20] ike-profile ike1
[RouterA-ipsec-policy-isakmp-policy2-20] security acl ipv6 3500
[RouterA-ipsec-policy-isakmp-policy2-20] remote-address ipv6 2003::1
[RouterA-ipsec-policy-isakmp-policy2-20] quit
# Apply IPv4 IPsec policy policy1 and IPv6 IPsec policy policy2 to interface Eth-channel1/0:0.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ipsec apply policy policy1
[RouterA-Eth-channel1/0:0] ipsec apply ipv6-policy policy2
[RouterA-Eth-channel1/0:0] quit
(1) Configure IP addresses for the device interfaces. (Details not shown.) The LAC is a carrier device; the following configuration is for reference only, and the LAC side does not need to be configured in practice.
(2) Configure the LAC side of the L2TP tunnel.
# Create local VPDN user user1 with password password1, and enable the PPP service for the user.
<LAC> system-view
[LAC] local-user user1 class network
[LAC-luser-network-user1] password simple password1
[LAC-luser-network-user1] service-type ppp
[LAC-luser-network-user1] quit
# Configure ISP domain system to use local authentication for VPDN users.
[LAC] domain system
[LAC-isp-system] authentication ppp local
[LAC-isp-system] quit
# Enable L2TP.
[LAC] l2tp enable
# Create L2TP group 1 in LAC mode, set the local tunnel name to LAC, specify that the LAC initiates a tunnel setup request to the LNS when the VPDN user's username is user1, and specify the LNS IP address 10.1.1.2.
[LAC] l2tp-group 1 mode lac
[LAC-l2tp1] tunnel name LAC
[LAC-l2tp1] user fullusername user1
[LAC-l2tp1] lns-ip 10.1.1.2
# Enable tunnel authentication and set the tunnel authentication key to aabbcc.
[LAC-l2tp1] tunnel authentication
[LAC-l2tp1] tunnel password simple aabbcc
[LAC-l2tp1] quit
(1) Configure IP addresses for the device interfaces. (Details not shown.) As the headquarters gateway, Router B already has a default route to the next hop toward the public network.
(2) Configure the LNS side of the L2TP tunnel.
# Create local VPDN user user1 with password password1, and enable the PPP service for the user.
<RouterB> system-view
[RouterB] local-user user1 class network
[RouterB-luser-network-user1] password simple password1
[RouterB-luser-network-user1] service-type ppp
[RouterB-luser-network-user1] quit
# Configure ISP domain system to use local authentication for VPDN users.
[RouterB] domain system
[RouterB-isp-system] authentication ppp local
# In the ISP domain, configure the IPv6 prefix authorization attribute for users.
[RouterB-isp-system] authorization-attribute ipv6-prefix 2003:: 64
[RouterB-isp-system] quit
# Enable L2TP and create L2TP group 1 in LNS mode.
[RouterB] l2tp enable
[RouterB] l2tp-group 1 mode lns
# Set the local tunnel name to LNS, specify Virtual-Template 1 as the virtual template interface that receives calls, and set the peer tunnel name to LAC.
[RouterB-l2tp1] tunnel name LNS
[RouterB-l2tp1] allow l2tp virtual-template 1 remote LAC
# Enable tunnel authentication and set the tunnel authentication key to aabbcc.
[RouterB-l2tp1] tunnel authentication
[RouterB-l2tp1] tunnel password simple aabbcc
[RouterB-l2tp1] quit
# Configure the PPP address pool.
[RouterB] ip pool aaa 192.168.0.10 192.168.0.20
[RouterB] ip pool aaa gateway 192.168.0.1
# Create interface Virtual-Template1, configure its IPv4 address as 192.168.0.1/24 and its IPv6 address as 2003::1/64, and disable suppression of RA messages. Configure CHAP and PAP as the peer authentication mode, and use address pool aaa to assign an IPv4 address to Router A.
[RouterB] interface virtual-template 1
[RouterB-virtual-template1] ip address 192.168.0.1 255.255.255.0
[RouterB-virtual-template1] ipv6 address 2003::1 64
[RouterB-virtual-template1] undo ipv6 nd ra halt
[RouterB-virtual-template1] ppp authentication-mode chap domain system
[RouterB-virtual-template1] remote address pool aaa
[RouterB-virtual-template1] quit
(3) Configure the IPsec tunnel.
# Create IPsec transform set tran1 that uses the ESP security protocol, SHA1 as the authentication algorithm, and DES in CBC mode as the encryption algorithm.
[RouterB] ipsec transform-set tran1
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterB-ipsec-transform-set-tran1] protocol esp
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterB-ipsec-transform-set-tran1] quit
# Create an IKE keychain named key1 and configure the plaintext pre-shared key 123456 for use with the peer.
[RouterB] ike keychain key1
[RouterB-ike-keychain-key1] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterB-ike-keychain-key1] pre-shared-key address ipv6 0::0 0 key simple 123456
[RouterB-ike-keychain-key1] quit
# Create an IKE profile named ike1, reference IKE keychain key1, and specify that the peer identity to match is IPv4 address 0.0.0.0 and IPv6 address 0::0.
[RouterB] ike profile ike1
[RouterB-ike-profile-ike1] keychain key1
[RouterB-ike-profile-ike1] match remote identity address 0.0.0.0 0.0.0.0
[RouterB-ike-profile-ike1] match remote identity address ipv6 0::0 0
[RouterB-ike-profile-ike1] quit
# Create IPv4 IPsec policy template temp1 that references transform set tran1 and IKE profile ike1, and enable IPsec reverse route injection.
[RouterB] ipsec policy-template temp1 1
[RouterB-ipsec-policy-template-temp1-1] transform-set tran1
[RouterB-ipsec-policy-template-temp1-1] ike-profile ike1
[RouterB-ipsec-policy-template-temp1-1] reverse-route dynamic
[RouterB-ipsec-policy-template-temp1-1] quit
# Create IPv6 IPsec policy template temp2 that references transform set tran1 and IKE profile ike1, and enable IPsec reverse route injection.
[RouterB] ipsec ipv6-policy-template temp2 2
[RouterB-ipsec-ipv6-policy-template-temp2-2] transform-set tran1
[RouterB-ipsec-ipv6-policy-template-temp2-2] ike-profile ike1
[RouterB-ipsec-ipv6-policy-template-temp2-2] reverse-route dynamic
[RouterB-ipsec-ipv6-policy-template-temp2-2] quit
# Use IPv4 IPsec policy template temp1 to create an IPsec policy named policy1 with sequence number 10 that negotiates IPsec SAs through IKE.
[RouterB] ipsec policy policy1 10 isakmp template temp1
# Use IPv6 IPsec policy template temp2 to create an IPsec policy named policy2 with sequence number 20 that negotiates IPsec SAs through IKE.
[RouterB] ipsec ipv6-policy policy2 20 isakmp template temp2
# Apply IPv4 IPsec policy policy1 and IPv6 IPsec policy policy2 to interface Virtual-Template1.
[RouterB] interface virtual-template 1
[RouterB-Virtual-Template1] ipsec apply policy policy1
[RouterB-Virtual-Template1] ipsec apply ipv6-policy policy2
[RouterB-Virtual-Template1] quit
After the above configuration is complete, once Router A dials successfully through DDR, an L2TP tunnel and an L2TP session are established between the LAC device and Router B, and the private networks behind Router A and Router B can reach each other. When traffic is forwarded between Router A and Router B, an IPsec tunnel is also established to encrypt the private-network traffic between them.
# On Router B, use the following commands to display the established L2TP tunnel and L2TP session.
[RouterB] display l2tp tunnel
LocalTID   RemoteTID   State         Sessions   RemoteAddress   RemotePort   RemoteName
18986      558         Established   1          10.1.1.1        1701         LAC
[RouterB] display l2tp session
LocalSID   RemoteSID   LocalTID   State
50693      61202       18986      Established
# On Router A, use the following command to display the negotiated IPsec SAs.
[RouterA] display ipsec sa
-------------------------------
Interface: Eth-channel1/0:0
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1444
Tunnel:
local address/port: 192.168.0.10/500
remote address/port: 192.168.0.1/500
Flow:
sour addr: 192.168.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 367543574 (0x15e84516)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3533
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4212574134 (0xfb16c7b6)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3533
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
-----------------------------
IPsec policy: policy2
Sequence number: 20
Alias: policy2-20
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1424
Tunnel:
local address/port: 2003::F85B:7EE1:1410:74C9/500
remote address/port: 2003::1/500
Flow:
sour addr: 2001::/64 port: 0 protocol: ipv6
dest addr: 2002::/64 port: 0 protocol: ipv6
[Inbound ESP SAs]
SPI: 3314600301 (0xc590c96d)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843196/3462
Max received sequence-number: 29
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 3370073640 (0xc8df3e28)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843196/3462
Max sent sequence-number: 29
UDP encapsulation used for NAT traversal: N
Status: Active
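As an added check for the verification step described above (this script is not part of the H3C document): it parses the `display l2tp tunnel` table from Router B and the `display ipsec sa` output from Router A, both embedded below as copied from this page and trimmed to the lines the parser needs, and reports whether the chain the text describes is in place, that is, the L2TP tunnel to the LAC is Established with a session and every IPsec policy has an active inbound and outbound SA. It also flags what a practitioner would want called out: a missing direction, an inactive SA, inbound anti-replay disabled, and transform sets that still use single DES (a 56-bit key, long deprecated; the transform sets in the sample are the ones this page configures). The function and variable names are this example's own.

```python
# Added example, not from the H3C document: parse the "display l2tp tunnel" and
# "display ipsec sa" output above and check for the end state the text describes.
# Samples constructed from this page's Router B / Router A output, trimmed to the lines the parser reads.
L2TP_TUNNEL_OUTPUT = """\
LocalTID RemoteTID State Sessions RemoteAddress RemotePort RemoteName
18986 558 Established 1 10.1.1.1 1701 LAC
"""
IPSEC_SA_OUTPUT = """\
IPsec policy: policy1
Sequence number: 10
local address/port: 192.168.0.10/500
remote address/port: 192.168.0.1/500
sour addr: 192.168.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 367543574 (0x15e84516)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
Anti-replay check enable: Y
Status: Active
[Outbound ESP SAs]
SPI: 4212574134 (0xfb16c7b6)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
Status: Active
IPsec policy: policy2
Sequence number: 20
local address/port: 2003::F85B:7EE1:1410:74C9/500
remote address/port: 2003::1/500
sour addr: 2001::/64 port: 0 protocol: ipv6
dest addr: 2002::/64 port: 0 protocol: ipv6
[Inbound ESP SAs]
SPI: 3314600301 (0xc590c96d)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
Anti-replay check enable: Y
Status: Active
[Outbound ESP SAs]
SPI: 3370073640 (0xc8df3e28)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
Status: Active
"""

def parse_l2tp_tunnels(text):
    # Column table -> one dict per tunnel keyed by the header names.
    rows = [ln.split() for ln in text.strip().splitlines()]
    return [dict(zip(rows[0], r)) for r in rows[1:]]

def parse_ipsec_sa(text):
    """One record per IPsec policy: endpoints, protected flow, inbound/outbound SAs."""
    policies, cur, direction = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("IPsec policy:"):
            cur = {"policy": line.split(":", 1)[1].strip(), "sas": {}}
            policies.append(cur)
            direction = None
        elif line.startswith("Sequence number:"):
            cur["seq"] = int(line.split(":", 1)[1])
        elif line.startswith(("local address/port:", "remote address/port:")):
            cur[line.split()[0]] = line.split(":", 1)[1].strip()  # IPv6 has colons
        elif line.startswith(("sour addr:", "dest addr:")):
            key = "src" if line.startswith("sour") else "dst"
            cur[key] = line.split(":", 1)[1].split()[0]
        elif line.startswith(("[Inbound", "[Outbound")):
            direction = "in" if line.startswith("[Inbound") else "out"
            cur["sas"][direction] = {}
        elif direction is not None:
            sa = cur["sas"][direction]
            if line.startswith("SPI:"):
                sa["spi"] = int(line.split()[1])
            elif line.startswith("Transform set:"):
                sa["transform"] = line.split(":", 1)[1].split()
            elif line.startswith("Anti-replay check enable:"):
                sa["anti_replay"] = line.endswith("Y")
            elif line.startswith("Status:"):
                sa["status"] = line.split(":", 1)[1].strip()
    return policies

def check_ipsec(policies):
    """Findings worth acting on; empty means every policy has two active SAs."""
    findings = []
    for p in policies:
        name = f"{p['policy']}-{p.get('seq')}"
        for d in ("in", "out"):
            sa = p["sas"].get(d)
            if sa is None:
                findings.append(f"{name}: no {d}bound SA negotiated")
                continue
            if sa.get("status") != "Active":
                findings.append(f"{name}: {d}bound SA status is {sa.get('status')}")
            if any("-DES-" in t for t in sa.get("transform", [])):
                findings.append(f"{name}: {d}bound SA uses single DES (56-bit key)")
            if d == "in" and not sa.get("anti_replay", False):
                findings.append(f"{name}: inbound anti-replay check disabled")
    return findings

def verify(l2tp_text, ipsec_text, lac_name="LAC"):
    """The chain the text describes: L2TP tunnel up with a session, then IPsec SAs."""
    tunnel_ok = any(t["RemoteName"] == lac_name and t["State"] == "Established"
                    and int(t["Sessions"]) > 0 for t in parse_l2tp_tunnels(l2tp_text))
    return tunnel_ok, check_ipsec(parse_ipsec_sa(ipsec_text))
```

Run against the sample, `verify` returns `(True, [...])` with four findings, one per SA direction and policy, all about single DES; the endpoints, flows and SPIs come back exactly as printed by the device, so the same records can be compared against the ACLs and `remote-address` values in the configuration. Feeding the parser output cut off before an `[Outbound ESP SAs]` block exercises the missing-SA branch.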
· Router A:
#
interface gigabitethernet 1/0/1
ip address 192.168.1.1 255.255.255.0
ipv6 address 2001::1 64
#
dialer-group 1 rule ip permit
dialer-group 1 rule ipv6 permit
#
apn-profile vpdn1
pdp-type ipv4v6
apn static vpdn
authentication-mode pap-chap user1 password simple password1
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
ipv6 address cellular-alloc
apn-profile apply vpdn1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
ipsec apply policy policy1
ipsec apply ipv6-policy policy2
#
ip route-static 0.0.0.0 0 eth-channel 1/0:0
ipv6 route-static :: 0 eth-channel 1/0:0
#
acl advanced 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
acl ipv6 advanced 3500
rule 0 permit ipv6 source 2001::/64 destination 2002::/64
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike keychain key1
pre-shared-key address 192.168.0.1 255.255.255.0 key cipher $c$3$0kzuqazKcTGikVRekZ1E8R7jTOC2ZrJR2A==
pre-shared-key address ipv6 2003::1 64 key cipher $c$3$+93VGZhgfe4yG5D0d9VsLxWS6dlGVw2/Fw==
#
ike profile ike1
keychain key1
match remote identity address 192.168.0.1 255.255.255.0
match remote identity address ipv6 2003::1 64
#
ipsec policy policy1 10 isakmp
transform-set tran1
ike-profile ike1
security acl 3000
remote-address 192.168.0.1
#
ipsec ipv6-policy policy2 20 isakmp
transform-set tran1
security acl ipv6 3500
remote-address ipv6 2003::1
ike-profile ike1
#
· LAC:
#
interface gigabitethernet 1/0/1
ip address 10.1.1.1 255.255.255.0
#
local-user user1 class network
password simple password1
service-type ppp
#
domain system
authentication ppp local
#
l2tp enable
l2tp-group 1 mode lac
tunnel name LAC
user fullusername user1
lns-ip 10.1.1.2
tunnel authentication
tunnel password simple aabbcc
#
· Router B:
#
interface gigabitethernet 1/0/1
ip address 10.1.1.2 255.255.255.0
#
interface gigabitethernet 1/0/2
ip address 192.168.1.2 255.255.255.0
ipv6 address 2002::1 64
#
interface virtual-template 1
ip address 192.168.0.1 255.255.255.0
ipv6 address 2003::1 64
undo ipv6 nd ra halt
ppp authentication-mode chap domain system
remote address pool aaa
ipsec apply policy policy1
ipsec apply ipv6-policy policy2
#
local-user user1 class network
password simple password1
service-type ppp
#
domain system
authentication ppp local
authorization-attribute ipv6-prefix 2003:: 64
#
l2tp enable
l2tp-group 1 mode lns
tunnel name LNS
allow l2tp virtual-template 1 remote LAC
tunnel authentication
tunnel password simple aabbcc
#
ip pool aaa 192.168.0.10 192.168.0.20
ip pool aaa gateway 192.168.0.1
#
acl advanced 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
acl ipv6 advanced 3500
rule 0 permit ipv6 source 2002::/64 destination 2001::/64
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike keychain key1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$vZXXcxKbhB/YCMg4oFr5IVJyrxwQTcB4Mg==
pre-shared-key address ipv6 0::0 0 key cipher $c$3$ua9potCkbZArSufmcQhY+LgLA+38vxmiXw==
#
ike profile ike1
keychain key1
match remote identity address 0.0.0.0 0.0.0.0
match remote identity address ipv6 :: 0
#
ipsec policy-template temp1 1
transform-set tran1
ike-profile ike1
security acl 3000
reverse-route dynamic
#
ipsec ipv6-policy-template temp2 2
transform-set tran1
security acl ipv6 3500
ike-profile ike1
reverse-route dynamic
#
ipsec policy policy1 10 isakmp template temp1
#
ipsec ipv6-policy policy2 20 isakmp template temp2
#
Applicable to MSR centralized and MSR distributed products running R6728P13 and later.
As shown in Figure 6, Router A has a 5G modem module, and the user dials into the IPv6 5G network through DDR automatic timed dialing, establishing a permanently online connection. The requirements are as follows:
· On Router A, configure traditional DDR to dial into the IPv6 5G network automatically at timed intervals and establish a permanently online 5G connection.
· On Router A, configure traditional DDR as the dialing method. Choose the dial string for the peer according to the carrier; in mainland China, China Mobile/China Unicom typically use "*99#" and China Telecom uses "#777".
· Router A's IPv6 subnet is 2001::/64, and DDR dialing is triggered only by IPv6 packets.
Figure 6 5G modem IPv6 dial-up network diagram
Channelize Ethernet interface Eth-channel1/0:0 out of interface Cellular1/0 on Router A, and configure Eth-channel1/0:0 to obtain the carrier-assigned IP address through the modem's proprietary protocol. Configure DDR on Eth-channel1/0:0 to dial into the IPv6 5G network automatically, and configure a permanently online connection.
(1) Configure IP addresses for the device interfaces. (Details not shown.)
(2) Configure 5G modem dialing.
# Configure dialer group 1 and the corresponding dial access control rule.
<RouterA> system-view
[RouterA] dialer-group 1 rule ipv6 permit
# Configure 5G modem parameter profile dynamic1 with a dynamic access point.
[RouterA] apn-profile dynamic1
[RouterA-apn-profile-dynamic1] apn dynamic
[RouterA-apn-profile-dynamic1] quit
# Channelize an Ethernet channel interface out of interface Cellular1/0.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Configure interface Eth-channel1/0:0 to obtain the carrier-assigned IP address through the modem's proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ipv6 address cellular-alloc
# Apply the 5G modem parameter profile to interface Eth-channel1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on interface Eth-channel1/0:0 and associate it with dialer group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle timeout to 0, the call setup timeout to 30 seconds, and the auto-dial interval to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Configure the dial string used to reach the peer when dialing automatically. The dial string depends on the carrier; in mainland China, China Mobile/China Unicom typically use "*99#" and China Telecom uses "#777".
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
# Configure interface Eth-channel1/0:0 to translate the IPv6 address prefix 2001::/64 to 2002:0DF8:0001::/48, assuming that the IPv6 prefix obtained by Router A's dial-up interface is 2002:0DF8:0001::/48.
[RouterA-Eth-channel1/0:0] nat66 prefix source 2001:: 64 2002:0df8:0001:: 48
[RouterA-Eth-channel1/0:0] quit
# Configure a default route.
[RouterA] ipv6 route-static :: 0 eth-channel 1/0:0
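The `nat66 prefix source` line above maps the LAN prefix 2001::/64 onto the carrier-assigned prefix 2002:0DF8:0001::/48. As an added illustration of how such a prefix translation can leave transport checksums valid (this is example code, not H3C's implementation; the page does not describe the device's internals), the following Python implements an NPTv6-style mapping in the manner of RFC 6296 under two stated assumptions: the shorter prefix is zero-extended to the longer one (/64 here), and the checksum-neutral adjustment goes into the subnet word for prefixes up to /48 and into the first usable IID word otherwise. `INSIDE`, `OUTSIDE`, `to_outside`, `to_inside` and `checksum_neutral` are this example's own names.

```python
# Added example, not H3C's implementation: NPTv6-style (RFC 6296) prefix translation
# for "nat66 prefix source 2001:: 64 2002:0df8:0001:: 48". Assumed here, since the
# page does not describe the device's internals: the shorter prefix is zero-extended
# to the longer one (/64), and the checksum-neutral adjustment goes into the subnet
# word for prefixes up to /48 and into the first usable IID word otherwise.
import ipaddress

INSIDE = ipaddress.IPv6Network("2001::/64")             # LAN prefix from the page
OUTSIDE = ipaddress.IPv6Network("2002:0df8:0001::/48")  # carrier-assigned prefix

def words(addr):
    """An IPv6 address as eight 16-bit words (a list, so one word can be adjusted)."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]

def ones_complement_sum(vals):
    """16-bit one's complement sum with end-around carry, as in TCP/UDP checksums."""
    total = 0
    for v in vals:
        total += v
        total = (total & 0xFFFF) + (total >> 16)
    return total & 0xFFFF

def _rewrite(addr, src_net, dst_net):
    """Swap src_net's prefix for dst_net's while keeping the address checksum-neutral."""
    plen = max(src_net.prefixlen, dst_net.prefixlen)   # the longer prefix governs
    if plen > 64:
        raise ValueError("prefixes longer than /64 leave no IID word to adjust")
    src = ipaddress.IPv6Network((src_net.network_address, plen))
    dst = ipaddress.IPv6Network((dst_net.network_address, plen))
    if addr not in src:
        return addr                                    # not our prefix: pass through
    host = int(addr) & ((1 << (128 - plen)) - 1)
    new = words(ipaddress.IPv6Address(int(dst.network_address) | host))
    # Adjust one word so the one's complement sum of the address is unchanged; TCP,
    # UDP and ICMPv6 checksums cover the pseudo-header, so they stay valid untouched.
    idx = 3 if plen <= 48 else 4                       # subnet word, else first IID word
    while new[idx] == 0xFFFF:                          # 0xFFFF would not round-trip
        idx += 1
        if idx == 8:
            raise ValueError("address not translatable: IID words are all 0xFFFF")
    delta = ones_complement_sum([ones_complement_sum(words(addr)),
                                 ~ones_complement_sum(new) & 0xFFFF])  # old - new
    new[idx] = ones_complement_sum([new[idx], delta])
    if new[idx] == 0xFFFF:                             # equals 0 in one's complement
        new[idx] = 0
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in new))

def to_outside(addr):
    """LAN-side address -> what the carrier side sees (outbound direction)."""
    return _rewrite(ipaddress.IPv6Address(str(addr)), INSIDE, OUTSIDE)

def to_inside(addr):
    """Carrier-side address -> LAN-side address (inbound direction)."""
    return _rewrite(ipaddress.IPv6Address(str(addr)), OUTSIDE, INSIDE)

def checksum_neutral(a, b):
    """True when both addresses have the same one's complement sum (0 == 0xFFFF)."""
    total = lambda x: ones_complement_sum(words(ipaddress.IPv6Address(str(x)))) % 0xFFFF
    return total(a) == total(b)
```

For 2001::1 the mapping yields 2002:df8:1:0:f205::1: the prefix swap changes the address's one's complement sum, and word 4 (the first IID word) absorbs the difference, so a TCP, UDP or ICMPv6 checksum computed over the pseudo-header on one side is still correct on the other without the translator touching the payload; translating back restores 2001::1 exactly, and addresses outside 2001::/64 pass through unchanged. The mapping is stateless, so nothing has to be kept per flow.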
# Display the routing table. The configured default route has taken effect, and users can reach the Internet through the device.
[RouterA] display ipv6 routing-table
Destinations : 6 Routes : 6
Destination: ::/0 Protocol : Static
NextHop : ::1 Preference: 60
Interface : E-CH1/0:0 Cost : 0
Destination: 100::/128 Protocol : Direct
NextHop : ::1 Preference: 4
Interface : InLoop0 Cost : 0
Destination: 100::1/128 Protocol : Direct
NextHop : ::1 Preference: 4
Interface : InLoop0 Cost : 0
Destination: 100::7B/128 Protocol : Direct
NextHop : ::1 Preference: 4
Interface : InLoop0 Cost : 0
...
# On the host, use ping to verify that the external network (Baidu, for example) is reachable.
C:\Users\host1>ping www.baidu.com
正在Ping www.baidu.com[112.80.248.76]具有32字節的數據:
來自112.80.248.76的回複: 字節=32 時間=91ms TTL=122
來自112.80.248.76的回複: 字節=32 時間=92ms TTL=122
來自112.80.248.76的回複: 字節=32 時間=81ms TTL=122
來自112.80.248.76的回複: 字節=32 時間=88ms TTL=122
112.80.248.76的Ping統計信息:
數據包: 已發送 = 4,已接收 = 4,丟失 = 0 (0% 丟失),
往返行程的估計時間(以毫秒為單位):
最短 = 81ms,最長 = 92ms,平均 = 88ms
#
interface gigabitethernet 1/0/1
ipv6 address 2001::1 64
#
dialer-group 1 rule ipv6 permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
#
interface eth-channel 1/0:0
ipv6 address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
nat66 prefix source 2001:: 64 2002:0df8:0001:: 48
#
ipv6 route-static :: 0 eth-channel 1/0:0
#
Documentation differs slightly between models and specifications; for details, consult your sales contact or the 400 service hotline. H3C reserves the right to modify the contents of this document without notice!