24 H3C MSR Series Routers: IPsec Configuration Examples

H3C MSR Series Routers

IPsec Configuration Examples


1  Introduction

This document provides typical IPsec configuration examples.

2  Prerequisites

This document applies to MSR series routers running Comware V7 software. If your product behaves differently from what is described here, refer to the product manual or follow the actual behaviour of the device.

All configurations in this document were performed and verified in a lab environment, with every device parameter at its factory default before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in the examples.

This document assumes that you are familiar with IPsec.

The examples keep the algorithms and credentials with which they were verified in the lab: DES and 3DES encryption, SHA1 authentication, DH group 2, a 1024-bit RSA key, and trivial pre-shared keys and passwords. They are shown unchanged so that the command output matches; for production deployments use AES, SHA-2, a larger DH group, RSA keys of at least 2048 bits, and strong, unique secrets.

3  L2TP over IPsec with certificate authentication using the iNode client

3.1  Network requirements

As shown in Figure 1, the PPP user Host establishes an L2TP tunnel with Device, and a Windows Server 2003 machine acts as the CA server. The requirements are:

·     Host reaches the Corporate network through the L2TP tunnel.

·     IPsec encrypts the traffic carried in the L2TP tunnel.

·     The IPsec tunnel is established with RSA certificate (digital signature) authentication.

Figure 1 Network diagram for L2TP over IPsec with certificate authentication

3.2  Configuration approach

Because the IPsec tunnel uses certificate authentication, configure local-identity dn in the IKE profile so that the local identity is taken from the subject field of the local certificate. Because the address of the remote client is not known in advance, Device uses an IPsec policy template (a responder-only policy) rather than a policy with a fixed peer address.

3.3  Software version

This example was configured and verified on an MSR3610-X1 router running Release 6749.

3.4  Configuration procedure

3.4.1  Configuring Device

(1)     Assign IP addresses to the interfaces

# Assign an IP address to GigabitEthernet1/0/1.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 192.168.100.50 24
[Device-GigabitEthernet1/0/1] quit

# Assign an IP address to GigabitEthernet1/0/2 (the interface facing Host, on which the IPsec policy is applied later).
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] ip address 102.168.1.11 24
[Device-GigabitEthernet1/0/2] quit

# Assign an IP address to GigabitEthernet1/0/3 (the interface facing the CA server 192.168.1.51).
[Device] interface gigabitethernet 1/0/3
[Device-GigabitEthernet1/0/3] ip address 192.168.1.1 24
[Device-GigabitEthernet1/0/3] quit

(2)     Configure L2TP

# Create the local PPP user l2tpuser with the password hello.
[Device] local-user l2tpuser class network
[Device-luser-network-l2tpuser] password simple hello
[Device-luser-network-l2tpuser] service-type ppp
[Device-luser-network-l2tpuser] quit

# Configure ISP domain system to authenticate PPP users locally.
[Device] domain system
[Device-isp-system] authentication ppp local
[Device-isp-system] quit

# Enable L2TP.
[Device] l2tp enable

# Create interface Virtual-Template0 and assign it the IP address 172.16.0.1/24.
[Device] interface virtual-template 0
[Device-Virtual-Template0] ip address 172.16.0.1 255.255.255.0

# Set the PPP authentication mode to PAP. PAP carries the password in the clear inside PPP; it is acceptable here only because the whole L2TP session is carried inside the IPsec tunnel.
[Device-Virtual-Template0] ppp authentication-mode pap

# Set the IP address assigned to the PPP user to 172.16.0.2.
[Device-Virtual-Template0] remote address 172.16.0.2
[Device-Virtual-Template0] quit

# Create L2TP group 1 in LNS mode.
[Device] l2tp-group 1 mode lns

# Set the local tunnel name on the LNS to lns.
[Device-l2tp1] tunnel name lns

# Disable L2TP tunnel authentication (this example relies on the IPsec certificate authentication of the peer instead).
[Device-l2tp1] undo tunnel authentication

# Specify Virtual-Template0 as the virtual template interface for accepting calls.
[Device-l2tp1] allow l2tp virtual-template 0
[Device-l2tp1] quit

(3)     Configure PKI certificates

# Configure the PKI entity security.
[Device] pki entity security
[Device-pki-entity-security] common-name device
[Device-pki-entity-security] quit

# Create a PKI domain.
[Device] pki domain headgate
[Device-pki-domain-headgate] ca identifier LYQ
[Device-pki-domain-headgate] certificate request url http://192.168.1.51/certsrv/mscep/mscep.dll
[Device-pki-domain-headgate] certificate request from ra
[Device-pki-domain-headgate] certificate request entity security
# Disable CRL checking. This is a lab shortcut: with CRL checking disabled, a revoked client certificate is still accepted for IKE authentication. Keep CRL checking enabled in production.
[Device-pki-domain-headgate] undo crl check enable
# Bind the RSA key pair named abc to the domain. The 1024-bit modulus matches the lab; use 2048 bits or more in production.
[Device-pki-domain-headgate] public-key rsa general name abc length 1024
[Device-pki-domain-headgate] quit

# Generate a local RSA key pair.
[Device] public-key local create rsa name abc
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512,it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
..........................++++++
.++++++
Create the key pair successfully.

# Retrieve the CA certificate and save it locally. Before answering Y, compare the displayed fingerprint with the fingerprint obtained from the CA administrator over a trusted channel: the SCEP download is unauthenticated HTTP, and answering Y is what establishes trust in this CA.
[Device] pki retrieve-certificate domain headgate ca
The trusted CA's finger print is:
    MD5  fingerprint:8649 7A4B EAD5 42CF 5031 4C99 BFS3 2A99
    SHA1 fingerprint:61A9 6034 181E 6502 12FA 5A5F BA12 0EA0 5187 031C
Is the finger print correct?(Y/N):y
Retrieved the certificates successfully.

# Request the local certificate manually.
[Device] pki request-certificate domain headgate
Start to request general certificate ...
Certificate requested successfully.
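The Y/N prompt above is the only point at which trust in this CA is established: SCEP fetches the CA certificate over plain HTTP, so the printed fingerprint is the sole defence against a substituted CA certificate and has to be compared with a value obtained from the CA administrator over a trusted channel. The following Python script is an added example and is not part of the H3C document. It computes the MD5 and SHA1 fingerprints of a CA certificate obtained out of band in the grouped-hex layout the router prints, and compares them with the router's prompt in constant time while also accepting the colon-separated layout produced by openssl x509 -fingerprint. The certificate bytes in the script are a constructed placeholder (in practice, read the DER file exported from the CA); the function names are mine.

```python
import hashlib
import hmac
import re

# Constructed placeholder standing in for the DER-encoded CA certificate obtained
# out of band (in practice: open("ca.cer", "rb").read() on the file exported from
# the CA). It is not a real certificate; only its digest matters for this example.
SAMPLE_DER = b"abc"


def fingerprint(der: bytes, algorithm: str) -> str:
    """Fingerprint in the layout Comware prints: upper-case hex in groups of four."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def normalize(fp: str) -> str:
    """Drop spaces, colons and case so that '8649 7A4B ...' (Comware),
    '86:49:7A:4B:...' (openssl x509 -fingerprint) and '86497a4b...' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprints_match(shown: str, expected: str) -> bool:
    """Constant-time comparison of two fingerprints in any of the layouts above.
    A value containing a non-hex character (a mistyped digit, an OCR error)
    loses length in normalize() and therefore never matches."""
    a, b = normalize(shown), normalize(expected)
    if not a or len(a) != len(b):
        return False
    return hmac.compare_digest(a, b)


def check_router_prompt(router_output: str, der: bytes) -> dict:
    """Extract the 'MD5 fingerprint:' and 'SHA1 fingerprint:' lines from the
    pki retrieve-certificate prompt and verify each against the certificate
    obtained out of band. Returns {'MD5': bool, 'SHA1': bool}; answer Y only
    if every algorithm the router printed matches."""
    results = {}
    for algo in ("MD5", "SHA1"):
        m = re.search(rf"{algo}\s+fingerprint:\s*([0-9A-Za-z ]+)", router_output)
        results[algo] = bool(m) and fingerprints_match(m.group(1), fingerprint(der, algo.lower()))
    return results


if __name__ == "__main__":
    # Simulated router prompt built from the placeholder's real digests.
    prompt = (f"MD5  fingerprint:{fingerprint(SAMPLE_DER, 'md5')}\n"
              f"SHA1 fingerprint:{fingerprint(SAMPLE_DER, 'sha1')}\n")
    print(check_router_prompt(prompt, SAMPLE_DER))
```

A fingerprint that contains a character outside 0-9/A-F, as the MD5 value printed in this document does, can never match and should be re-read from the console rather than guessed at.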

(4)     Configure the IPsec tunnel

# Create an IKE proposal.
[Device] ike proposal 1
[Device-ike-proposal-1] authentication-method rsa-signature
[Device-ike-proposal-1] encryption-algorithm 3des-cbc
[Device-ike-proposal-1] dh group2
[Device-ike-proposal-1] quit

# Create an IPsec transform set.
[Device] ipsec transform-set tran1
[Device-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[Device-ipsec-transform-set-tran1] esp encryption-algorithm 3des-cbc
[Device-ipsec-transform-set-tran1] quit

# Configure an IKE profile. The argument of match remote certificate is the name of a certificate-based access control policy; this example does not define a policy with that name.
[Device] ike profile profile1
[Device-ike-profile-profile1] local-identity dn
[Device-ike-profile-profile1] certificate domain headgate
[Device-ike-profile-profile1] proposal 1
[Device-ike-profile-profile1] match remote certificate device
[Device-ike-profile-profile1] quit

# Configure the device to always take the local identity from the subject field of the local certificate when digital signature authentication is used.
[Device] ike signature-identity from-certificate

# Create an IPsec policy template named template1 with sequence number 1.
[Device] ipsec policy-template template1 1
[Device-ipsec-policy-template-template1-1] transform-set tran1
[Device-ipsec-policy-template-template1-1] ike-profile profile1
[Device-ipsec-policy-template-template1-1] quit

# Create an IPsec policy named policy1 with sequence number 1 by referencing the policy template.
[Device] ipsec policy policy1 1 isakmp template template1

# Apply the IPsec policy to the interface.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] ipsec apply policy policy1
[Device-GigabitEthernet1/0/2] quit

3.4.2  Configuring Host

(1)     Request a client certificate from the certificate server

# Log in to the certificate server at http://192.168.1.51/certsrv and click "Request a certificate".

Figure 2 Opening the certificate request page

# Click "advanced certificate request".

Figure 3 Advanced certificate request

# Select the first option: "Create and submit a request to this CA".

Figure 4 Creating and submitting a request to the CA

# Fill in the request:

·     For the type of certificate needed, select "Client Authentication Certificate".

·     Under key options, select the "Mark keys as exportable" check box.

# Click <Submit>. In the dialog box that appears, click "Yes".

# Click "Install this certificate".

Figure 5 Installing the certificate

(2)     Configure the iNode client (iNode PC 5.2(E0409) is used in this example)

# Open the L2TP VPN connection and click "Properties...(Y)".

Figure 6 Opening the L2TP connection

# Enter the address of the LNS server, enable the IPsec security protocol, and select certificate authentication as the authentication method.

Figure 7 Basic settings

# Click <Advanced(C)>, open the "L2TP settings" tab, and set the L2TP parameters as shown in the figure below.

Figure 8 L2TP settings

# Open the "IPsec settings" tab and configure the IPsec parameters.

Figure 9 IPsec settings

# Open the "IKE settings" tab and configure the IKE parameters. The client's proposal must match the IKE proposal and transform set configured on Device (3DES, SHA1, DH group 2, RSA signature authentication).

Figure 10 IKE settings

# Open the "Route settings" tab and add a route to the Corporate network.

Figure 11 Route settings

# After completing the settings, click <OK> to return to the L2TP connection page.

3.5  Verifying the configuration

# In the L2TP connection dialog box, enter the username l2tpuser and the password hello, and click <Connect>.

Figure 12 Connecting to L2TP

# In the dialog box that appears, select the certificate requested earlier and click <OK>.

Figure 13 Selecting the certificate

# The following figures show that the L2TP connection has been established.

Figure 14 Connection established

Figure 15 Connection established

# On Device, use the display ike sa command to verify that the phase-1 (IKE) SA has been established. The Remote column shows the address of Host.
<Device> display ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    10              102.168.1.1           RD           IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING

# On Device, use the display ipsec sa command to view the IPsec SAs. The protected flow is UDP port 1701 (L2TP) between Device and Host; the policy is in template mode because the client address was not known in advance; anti-replay checking is enabled; and the Perfect forward secrecy field is empty because no PFS group was negotiated.
<Device> display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/2
-------------------------------

  -----------------------------
  IPsec policy: policy1
  Sequence number: 1
  Mode: template
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy:
    Path MTU: 1443
    Tunnel:
        local  address: 102.168.1.11
        remote address: 102.168.1.1
    Flow:
    sour addr: 102.168.1.11/255.255.255.255  port: 1701  protocol: udp
    dest addr: 102.168.1.1/255.255.255.255  port: 0  protocol: udp

    [Inbound ESP SAs]
      SPI: 2187699078 (0x8265a386)
      Transform set:  ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843197/3294
      Max received sequence-number: 51
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      SPI: 3433374591 (0xcca5237f)
      Transform set:  ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843197/3294
      Max sent sequence-number: 52
      UDP encapsulation used for NAT traversal: N
      Status: Active

3.6  Configuration file

#
interface Virtual-Template0
 ppp authentication-mode pap
 remote address 172.16.0.2
 ip address 172.16.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 ip address 192.168.100.50 255.255.255.0
#
interface GigabitEthernet1/0/2
 ip address 102.168.1.11 255.255.255.0
 ipsec apply policy policy1
#
interface GigabitEthernet1/0/3
 ip address 192.168.1.1 255.255.255.0
#
domain system
 authentication ppp local
#
local-user l2tpuser class network
 password cipher $c$3$nl46fURLtkCkcbdnB6irTXma+E6u0c+h
 service-type ppp
 authorization-attribute user-role network-operator
#
pki domain headgate
 ca identifier LYQ
 certificate request url http://192.168.1.51/certsrv/mscep/mscep.dll
 certificate request from ra
 certificate request entity security
 public-key rsa general name abc
 undo crl check enable
#
pki entity security
 common-name device
#
ipsec transform-set tran1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
#
ipsec policy-template template1 1
 transform-set tran1
 ike-profile profile1
#
ipsec policy policy1 1 isakmp template template1
#
l2tp-group 1 mode lns
 allow l2tp virtual-template 0
 undo tunnel authentication
 tunnel name lns
#
 l2tp enable
#
ike signature-identity from-certificate
#
ike profile profile1
 certificate domain headgate
 local-identity dn
 match remote certificate device
 proposal 1
#
ike proposal 1
 authentication-method rsa-signature
 encryption-algorithm 3des-cbc
 dh group2
#

4  IPsec over GRE configuration example

4.1  Network requirements

As shown in Figure 16, an enterprise remote office network connects to the enterprise headquarters over an IPsec VPN. The requirement is that the IPsec-encrypted traffic between the two networks is carried over a GRE tunnel.

Figure 16 Network diagram for IPsec over GRE

4.2  Configuration approach

·     To process the traffic with IPsec first and then encapsulate it in GRE, the ACL must match the original (pre-encapsulation) traffic, and the IPsec policy must be applied to the GRE tunnel interface.

·     Because IPsec is applied before GRE encapsulation, the remote IPsec address must be the address of the peer's GRE tunnel interface (10.1.1.x), not the address of its physical interface.

4.3  Software version

This example was configured and verified on an MSR3610-X1 router running Release 6749.

4.4  Configuration procedure

4.4.1  Configuring Device A

(1)     Assign IP addresses to the interfaces

# Assign an IP address to GigabitEthernet1/0/1 (the LAN-facing interface) and lower the TCP MSS so that TCP segments still fit in one packet after the GRE and ESP headers are added.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] tcp mss 1350
[DeviceA-GigabitEthernet1/0/1] quit

# Assign an IP address to GigabitEthernet1/0/2 (the public interface).
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ip address 202.115.22.48 255.255.255.0
[DeviceA-GigabitEthernet1/0/2] quit

(2)     Configure the GRE tunnel

# Create interface Tunnel0 and set the tunnel mode to GRE over IPv4.
[DeviceA] interface tunnel 0 mode gre

# Assign the IP address 10.1.1.1/24 to Tunnel0.
[DeviceA-Tunnel0] ip address 10.1.1.1 255.255.255.0

# Set the tunnel source address to 202.115.22.48 (the address of GigabitEthernet1/0/2 on Device A).
[DeviceA-Tunnel0] source 202.115.22.48

# Set the tunnel destination address to 202.115.24.50 (the address of GigabitEthernet1/0/2 on Device B).
[DeviceA-Tunnel0] destination 202.115.24.50
[DeviceA-Tunnel0] quit

# Configure a static route from Device A to the Remote office network through Tunnel0.
[DeviceA] ip route-static 192.168.2.1 255.255.255.0 tunnel 0

(3)     Configure IPsec VPN

# Configure an IKE keychain. The peer address is the GRE tunnel interface address of Device B, because in this design IKE and ESP run inside the GRE tunnel.
[DeviceA] ike keychain keychain1
[DeviceA-ike-keychain-keychain1] pre-shared-key address 10.1.1.2 255.255.255.0 key simple 123
[DeviceA-ike-keychain-keychain1] quit

# Create ACL 3000 to define the traffic to be protected by IPsec. Only traffic matching this ACL is encrypted; any other traffic routed into Tunnel0 crosses the GRE tunnel in the clear.
[DeviceA] acl number 3000
[DeviceA-acl-adv-3000] rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[DeviceA-acl-adv-3000] quit

# Create an IPsec transform set.
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit

# Create an IKE-based IPsec policy named policy1 with sequence number 1.
[DeviceA] ipsec policy policy1 1 isakmp
[DeviceA-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceA-ipsec-policy-isakmp-policy1-1] remote-address 10.1.1.2
[DeviceA-ipsec-policy-isakmp-policy1-1] transform-set tran1
[DeviceA-ipsec-policy-isakmp-policy1-1] quit

# Apply the IPsec policy to the GRE tunnel interface.
[DeviceA] interface tunnel 0
[DeviceA-Tunnel0] ipsec apply policy policy1
[DeviceA-Tunnel0] quit

4.4.2  Configuring Device B

(1)     Assign IP addresses to the interfaces

# Assign an IP address to GigabitEthernet1/0/1 (the LAN-facing interface) and lower the TCP MSS as on Device A.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 192.168.2.1 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] tcp mss 1350
[DeviceB-GigabitEthernet1/0/1] quit

# Assign an IP address to GigabitEthernet1/0/2 (the public interface).
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ip address 202.115.24.50 255.255.255.0
[DeviceB-GigabitEthernet1/0/2] quit

(2)     Configure the GRE tunnel

# Create interface Tunnel0 and set the tunnel mode to GRE over IPv4.
[DeviceB] interface tunnel 0 mode gre

# Assign the IP address 10.1.1.2/24 to Tunnel0.
[DeviceB-Tunnel0] ip address 10.1.1.2 255.255.255.0

# Set the tunnel source address to 202.115.24.50 (the address of GigabitEthernet1/0/2 on Device B).
[DeviceB-Tunnel0] source 202.115.24.50

# Set the tunnel destination address to 202.115.22.48 (the address of GigabitEthernet1/0/2 on Device A).
[DeviceB-Tunnel0] destination 202.115.22.48
[DeviceB-Tunnel0] quit

# Configure a static route from Device B to the Corporate network through Tunnel0.
[DeviceB] ip route-static 192.168.1.1 255.255.255.0 tunnel 0

(3)     Configure IPsec VPN

# Configure an IKE keychain. The peer address is the GRE tunnel interface address of Device A.
[DeviceB] ike keychain keychain1
[DeviceB-ike-keychain-keychain1] pre-shared-key address 10.1.1.1 255.255.255.0 key simple 123
[DeviceB-ike-keychain-keychain1] quit

# Create ACL 3000 to define the traffic to be protected by IPsec (the mirror image of the ACL on Device A).
[DeviceB] acl number 3000
[DeviceB-acl-adv-3000] rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[DeviceB-acl-adv-3000] quit

# Create an IPsec transform set.
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit

# Create an IKE-based IPsec policy named policy1 with sequence number 1.
[DeviceB] ipsec policy policy1 1 isakmp
[DeviceB-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceB-ipsec-policy-isakmp-policy1-1] remote-address 10.1.1.1
[DeviceB-ipsec-policy-isakmp-policy1-1] transform-set tran1
[DeviceB-ipsec-policy-isakmp-policy1-1] quit

# Apply the IPsec policy to the GRE tunnel interface.
[DeviceB] interface tunnel 0
[DeviceB-Tunnel0] ipsec apply policy policy1
[DeviceB-Tunnel0] quit

4.5  Verifying the configuration

# Take host 192.168.1.2 in the Corporate network communicating with host 192.168.2.2 in the Remote office network as an example. A ping from 192.168.1.2 to 192.168.2.2 triggers IKE negotiation; once the IPsec tunnel is established, the ping succeeds. The first request times out while the negotiation completes.
C:\Users\corporatenetwork> ping 192.168.2.2

Pinging 192.168.2.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.2.2: bytes=32 time=2ms TTL=254
Reply from 192.168.2.2: bytes=32 time=2ms TTL=254
Reply from 192.168.2.2: bytes=32 time=1ms TTL=254

Ping statistics for 192.168.2.2:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms

# On Device A, use the display ike sa command to verify that the phase-1 SA has been established. The Remote address is the GRE tunnel interface address of Device B.
<DeviceA> display ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    1               10.1.1.2              RD           IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING

# On Device A, use the display ipsec sa command to view the IPsec SAs. The policy is bound to Tunnel0, the tunnel endpoints are the GRE interface addresses, and the Path MTU (1419) is the Tunnel0 MTU of 1476 minus the ESP tunnel-mode overhead.
<DeviceA> display ipsec sa
-------------------------------
Interface: Tunnel0
-------------------------------

  -----------------------------
  IPsec policy: policy1
  Sequence number: 1
  Mode: isakmp
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy:
    Path MTU: 1419
    Tunnel:
        local  address: 10.1.1.1
        remote address: 10.1.1.2
    Flow:
    sour addr: 192.168.1.1/255.255.255.255  port: 0  protocol: ip
    dest addr: 192.168.2.1/255.255.255.255  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 3128557135 (0xba79fe4f)
      Transform set:  ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3550
      Max received sequence-number: 3
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      SPI: 2643166978 (0x9d8b8702)
      Transform set:  ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3550
      Max sent sequence-number: 3
      UDP encapsulation used for NAT traversal: N
      Status: Active

# On Device A, use the display interface tunnel 0 command to view the traffic carried by the GRE tunnel. The GRE key and checksum are disabled; note that in this design the GRE header itself lies outside ESP and is not authenticated.
<DeviceA> display interface tunnel 0
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64kbps
Maximum Transmit Unit: 1476
Internet Address is 10.1.1.1/24 Primary
Tunnel source 202.115.22.48, destination 202.115.24.50
Tunnel keepalive disabled
Tunnel TTL 255
Tunnel protocol/transport GRE/IP
    GRE key disabled
    Checksumming of GRE packets disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 40 packets, 3300 bytes, 0 drops
Output: 41 packets, 3464 bytes, 0 drops

# Verification from a host in the Remote office network to a host in the Corporate network is done in the same way and is not repeated here.

4.6  Configuration files

·     Device A:

#
interface GigabitEthernet1/0/1
 ip address 192.168.1.1 255.255.255.0
 tcp mss 1350
#
interface GigabitEthernet1/0/2
 ip address 202.115.22.48 255.255.255.0
#
interface Tunnel0 mode gre
 ip address 10.1.1.1 255.255.255.0
 source 202.115.22.48
 destination 202.115.24.50
 ipsec apply policy policy1
#
ip route-static 192.168.2.1 24 Tunnel0
#
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec transform-set tran1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec policy policy1 1 isakmp
 transform-set tran1
 security acl 3000
 remote-address 10.1.1.2
#
ike keychain keychain1
 pre-shared-key address 10.1.1.2 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8qp4hMMjV/iteA==
#

·     Device B:

#
interface GigabitEthernet1/0/1
 ip address 192.168.2.1 255.255.255.0
 tcp mss 1350
#
interface GigabitEthernet1/0/2
 ip address 202.115.24.50 255.255.255.0
#
interface Tunnel0 mode gre
 ip address 10.1.1.2 255.255.255.0
 source 202.115.24.50
 destination 202.115.22.48
 ipsec apply policy policy1
#
ip route-static 192.168.1.1 24 Tunnel0
#
acl number 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec transform-set tran1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec policy policy1 1 isakmp
 transform-set tran1
 security acl 3000
 remote-address 10.1.1.1
#
ike keychain keychain1
 pre-shared-key address 10.1.1.1 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8qp4hMMjV/iteA==
#

5  GRE over IPsec configuration example

5.1  Network requirements

As shown in Figure 17, an enterprise remote office network exchanges data with the enterprise headquarters through a GRE tunnel. The requirement is that the traffic passing through the GRE tunnel is encrypted by IPsec.

Figure 17 Network diagram for GRE over IPsec

5.2  Configuration approach

·     To encrypt the GRE-encapsulated traffic with IPsec, apply the IPsec policy to the physical interface and use the physical interface addresses as the source and destination in the ACL, matching protocol GRE, so that every packet of the tunnel is protected regardless of the traffic inside it.

·     For IPsec to protect the whole GRE tunnel, the interface to which the IPsec policy is applied must be the same interface that the GRE tunnel uses as its source and destination.
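Sections 4 and 5 differ only in which encapsulation is applied first, and that ordering decides both what an on-path observer can read and where the MTU is lost. The following Python model is an added example, not part of the H3C document: it builds the two header stacks, reproduces the Path MTU values shown in the verification output of both sections (1419 on Tunnel0 for IPsec over GRE, 1443 on GigabitEthernet1/0/2 for GRE over IPsec) and derives a TCP MSS that avoids fragmentation in either design. It assumes ESP tunnel mode with a 20-byte outer IPv4 header, an 8-byte ESP header, the cipher IV, worst-case CBC padding (block size minus one byte), the 2-byte pad-length/next-header trailer and a 96-bit ICV, which totals 57 bytes for DES-CBC or 3DES-CBC with SHA1. That this 57-byte figure is how Comware derives its Path MTU is my inference from the output, not something the document states.

```python
from dataclasses import dataclass

IPV4_HDR = 20       # outer IPv4 header (added by GRE and, again, by ESP tunnel mode)
GRE_HDR = 4         # GRE header with key, checksum and sequence options disabled
TCP_HDR = 20        # TCP header without options
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header
ICV_96 = 12         # HMAC-SHA1-96 truncated ICV


@dataclass(frozen=True)
class Transform:
    name: str
    iv_len: int       # CBC IV length in bytes
    block: int        # cipher block size; padding aligns the payload to it
    icv_len: int = ICV_96


DES_CBC_SHA1 = Transform("ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1", iv_len=8, block=8)
TDES_CBC_SHA1 = Transform("ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1", iv_len=8, block=8)
AES128_CBC_SHA1 = Transform("ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1", iv_len=16, block=16)


def esp_tunnel_overhead(t: Transform) -> int:
    """Worst-case bytes ESP tunnel mode adds: outer IP, ESP header, IV, maximum
    CBC padding (block - 1), trailer and ICV. Assumption: Comware's 'Path MTU'
    is the interface MTU minus this worst case (57 for DES/3DES with SHA1)."""
    return IPV4_HDR + ESP_HDR + t.iv_len + (t.block - 1) + ESP_TRAILER + t.icv_len


def ipsec_over_gre_path_mtu(physical_mtu: int, t: Transform) -> int:
    """Section 4: the policy sits on Tunnel0, whose MTU is already reduced by IP+GRE."""
    tunnel_mtu = physical_mtu - IPV4_HDR - GRE_HDR          # 1476 on a 1500-byte link
    return tunnel_mtu - esp_tunnel_overhead(t)


def gre_over_ipsec_path_mtu(physical_mtu: int, t: Transform) -> int:
    """Section 5: the policy sits on the physical interface; whole GRE packets are ESP-wrapped."""
    return physical_mtu - esp_tunnel_overhead(t)


def header_stack(order: str) -> list:
    """Headers on the wire, outermost first. Everything after 'ESP' is encrypted;
    everything up to and including 'ESP' is readable by an on-path observer."""
    if order == "ipsec-over-gre":    # IPsec first, then GRE: GRE and tunnel addresses exposed
        return ["IP(public)", "GRE", "IP(tunnel 10.1.1.x)", "ESP", "IP(private)", "payload"]
    if order == "gre-over-ipsec":    # GRE first, then IPsec: only public IP + ESP exposed
        return ["IP(public)", "ESP", "IP(public)", "GRE", "IP(private)", "payload"]
    raise ValueError(f"unknown order {order!r}")


def visible_headers(order: str) -> list:
    stack = header_stack(order)
    return stack[:stack.index("ESP") + 1]


def safe_tcp_mss(physical_mtu: int, t: Transform, order: str) -> int:
    """Largest TCP payload that crosses the design without fragmentation: the
    inner IP packet size the design can carry (1419 on a 1500-byte link in both
    cases) minus the inner IP and TCP headers. The page's 'tcp mss 1350' is below this."""
    if order == "ipsec-over-gre":
        inner_mtu = ipsec_over_gre_path_mtu(physical_mtu, t)
    else:
        inner_mtu = gre_over_ipsec_path_mtu(physical_mtu, t) - IPV4_HDR - GRE_HDR
    return inner_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for order, fn in (("ipsec-over-gre", ipsec_over_gre_path_mtu),
                      ("gre-over-ipsec", gre_over_ipsec_path_mtu)):
        print(f"{order:15s} path MTU {fn(1500, DES_CBC_SHA1)}  "
              f"visible: {' | '.join(visible_headers(order))}  "
              f"safe MSS {safe_tcp_mss(1500, DES_CBC_SHA1, order)}")
```

Running it shows that in IPsec over GRE the GRE header and the 10.1.1.x tunnel addresses stay readable on the wire while only the inner packet is protected, whereas in GRE over IPsec nothing but the public addresses and the ESP header is exposed. Note also that in section 4 only traffic matching ACL 3000 is encrypted, so anything else routed into Tunnel0 crosses the GRE tunnel in the clear; in section 5 the ACL matches the GRE protocol between the two endpoints, so every packet of the tunnel is protected.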

5.3  Software version

This example was configured and verified on an MSR3610-X1 router running Release 6749.

5.4  Configuration procedure

5.4.1  Configuring Device A

(1)     Assign IP addresses to the interfaces

# Assign an IP address to GigabitEthernet1/0/1 (the LAN-facing interface).
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit

# Assign an IP address to GigabitEthernet1/0/2 (the public interface).
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ip address 202.115.22.48 255.255.255.0
[DeviceA-GigabitEthernet1/0/2] quit

(2)     Configure the GRE tunnel

# Create interface Tunnel0 and set the tunnel mode to GRE over IPv4.
[DeviceA] interface tunnel 0 mode gre

# Assign the IP address 10.1.1.1/24 to Tunnel0.
[DeviceA-Tunnel0] ip address 10.1.1.1 255.255.255.0

# Set the tunnel source address to 202.115.22.48 (the address of GigabitEthernet1/0/2 on Device A).
[DeviceA-Tunnel0] source 202.115.22.48

# Set the tunnel destination address to 202.115.24.50 (the address of GigabitEthernet1/0/2 on Device B).
[DeviceA-Tunnel0] destination 202.115.24.50
[DeviceA-Tunnel0] quit

# Configure a static route from Device A to the Remote office network through Tunnel0.
[DeviceA] ip route-static 192.168.2.1 255.255.255.0 tunnel 0

(3)     Configure IPsec VPN

# Configure an IKE keychain. The peer address is the public interface address of Device B, because IKE runs directly between the physical interfaces in this design.
[DeviceA] ike keychain keychain1
[DeviceA-ike-keychain-keychain1] pre-shared-key address 202.115.24.50 255.255.255.0 key simple 123
[DeviceA-ike-keychain-keychain1] quit

# Create ACL 3000 to define the traffic to be protected by IPsec: all GRE packets between the two tunnel endpoints.
[DeviceA] acl number 3000
[DeviceA-acl-adv-3000] rule 0 permit gre source 202.115.22.48 0 destination 202.115.24.50 0
[DeviceA-acl-adv-3000] quit

# Create an IPsec transform set.
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit

# Create an IKE-based IPsec policy named policy1 with sequence number 1.
[DeviceA] ipsec policy policy1 1 isakmp
[DeviceA-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceA-ipsec-policy-isakmp-policy1-1] remote-address 202.115.24.50
[DeviceA-ipsec-policy-isakmp-policy1-1] transform-set tran1
[DeviceA-ipsec-policy-isakmp-policy1-1] quit

# Apply the IPsec policy to GigabitEthernet1/0/2, the interface the GRE tunnel uses as its source.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ipsec apply policy policy1
[DeviceA-GigabitEthernet1/0/2] quit

5.4.2  Configuring Device B

(1)     Assign IP addresses to the interfaces

# Assign an IP address to GigabitEthernet1/0/1 (the LAN-facing interface).
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 192.168.2.1 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] quit

# Assign an IP address to GigabitEthernet1/0/2 (the public interface).
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ip address 202.115.24.50 255.255.255.0
[DeviceB-GigabitEthernet1/0/2] quit

(2)     Configure the GRE tunnel

# Create interface Tunnel0 and set the tunnel mode to GRE over IPv4.
[DeviceB] interface tunnel 0 mode gre

# Assign the IP address 10.1.1.2/24 to Tunnel0.
[DeviceB-Tunnel0] ip address 10.1.1.2 255.255.255.0

# Set the tunnel source address to 202.115.24.50 (the address of GigabitEthernet1/0/2 on Device B).
[DeviceB-Tunnel0] source 202.115.24.50

# Set the tunnel destination address to 202.115.22.48 (the address of GigabitEthernet1/0/2 on Device A).
[DeviceB-Tunnel0] destination 202.115.22.48
[DeviceB-Tunnel0] quit

# Configure a static route from Device B to the Corporate network through Tunnel0.
[DeviceB] ip route-static 192.168.1.1 255.255.255.0 tunnel 0

(3)     Configure IPsec VPN

# Configure an IKE keychain. The peer address is the public interface address of Device A.
[DeviceB] ike keychain keychain1
[DeviceB-ike-keychain-keychain1] pre-shared-key address 202.115.22.48 255.255.255.0 key simple 123
[DeviceB-ike-keychain-keychain1] quit

# Create ACL 3000 to define the traffic to be protected by IPsec (the mirror image of the ACL on Device A).
[DeviceB] acl number 3000
[DeviceB-acl-adv-3000] rule 0 permit gre source 202.115.24.50 0 destination 202.115.22.48 0
[DeviceB-acl-adv-3000] quit

# Create an IPsec transform set.
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit

# Create an IKE-based IPsec policy named policy1 with sequence number 1.
[DeviceB] ipsec policy policy1 1 isakmp
[DeviceB-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceB-ipsec-policy-isakmp-policy1-1] remote-address 202.115.22.48
[DeviceB-ipsec-policy-isakmp-policy1-1] transform-set tran1
[DeviceB-ipsec-policy-isakmp-policy1-1] quit

# Apply the IPsec policy to GigabitEthernet1/0/2, the interface the GRE tunnel uses as its source.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ipsec apply policy policy1
[DeviceB-GigabitEthernet1/0/2] quit

5.5  Verifying the configuration

# Take host 192.168.1.2 in the Corporate network communicating with host 192.168.2.2 in the Remote office network as an example. A ping from 192.168.1.2 to 192.168.2.2 triggers IKE negotiation; once the IPsec tunnel is established, the ping succeeds. The first request times out while the negotiation completes.
C:\Users\corporatenetwork> ping 192.168.2.2

Pinging 192.168.2.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.2.2: bytes=32 time=2ms TTL=254
Reply from 192.168.2.2: bytes=32 time=2ms TTL=254
Reply from 192.168.2.2: bytes=32 time=1ms TTL=254

Ping statistics for 192.168.2.2:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms

# On Device A, use the display ike sa command to verify that the phase-1 SA has been established. The Remote address is the public interface address of Device B.
<DeviceA> display ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    2               202.115.24.50         RD           IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING

# On Device A, use the display ipsec sa command to view the IPsec SAs. The policy is bound to the physical interface and the flow selector is protocol GRE between the two public addresses, so every GRE packet of the tunnel is encrypted whatever it carries; the Path MTU of 1443 is the 1500-byte interface MTU minus the ESP tunnel-mode overhead.
<DeviceA> display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/2
-------------------------------

  -----------------------------
  IPsec policy: policy1
  Sequence number: 1
  Mode: isakmp
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy:
    Path MTU: 1443
    Tunnel:
        local  address: 202.115.22.48
        remote address: 202.115.24.50
    Flow:
    sour addr: 202.115.22.48/255.255.255.255  port: 0  protocol: gre
    dest addr: 202.115.24.50/255.255.255.255  port: 0  protocol: gre

    [Inbound ESP SAs]
      SPI: 2130348402 (0x7efa8972)
      Transform set:  ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3573
      Max received sequence-number: 3
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      SPI: 2811839266 (0xa7994322)
      Transform set:  ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3573
      Max sent sequence-number: 3
      UDP encapsulation used for NAT traversal: N
      Status: Active

# On Device A, use the display interface tunnel 0 command to view the traffic carried by the GRE tunnel. Tunnel0 has an MTU of 1476: a full-size packet becomes 1500 bytes after GRE encapsulation and is fragmented once the ESP overhead is added, so lowering the TCP MSS on the LAN interfaces, as section 4 does, is advisable in this design too.
<DeviceA> display interface tunnel 0
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64kbps
Maximum Transmit Unit: 1476
Internet Address is 10.1.1.1/24 Primary
Tunnel source 202.115.22.48, destination 202.115.24.50
Tunnel keepalive disabled
Tunnel TTL 255
Tunnel protocol/transport GRE/IP
    GRE key disabled
    Checksumming of GRE packets disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 43 packets, 3480 bytes, 0 drops
Output: 45 packets, 3740 bytes, 2 drops

# Verification from a host in the Remote office network to a host in the Corporate network is done in the same way and is not repeated here.
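After a failover, a rekey or a peer upgrade, the display ipsec sa output above is what an operator reads to confirm that the tunnel is healthy, and doing that by eye across many devices does not scale. The following Python script is an added example, not part of the H3C document: it parses this output format into one record per ESP SA and applies the checks a practitioner would want on it, namely which transform set is in use, whether PFS was negotiated, whether anti-replay checking is on, whether NAT traversal is in effect, and how much lifetime remains. The sample input is the Device A output from this section, condensed and embedded inline so the script runs offline; the field names and the severity threshold are mine.

```python
import re

# Sample input: the 'display ipsec sa' output from section 5.5, condensed and
# embedded so the example runs offline.
SAMPLE_OUTPUT = """\
-------------------------------
Interface: GigabitEthernet1/0/2
-------------------------------
  IPsec policy: policy1
  Sequence number: 1
  Mode: isakmp
  -----------------------------
    Encapsulation mode: tunnel
    Perfect forward secrecy:
    Path MTU: 1443
    Tunnel:
        local  address: 202.115.22.48
        remote address: 202.115.24.50
    Flow:
    sour addr: 202.115.22.48/255.255.255.255  port: 0  protocol: gre
    dest addr: 202.115.24.50/255.255.255.255  port: 0  protocol: gre

    [Inbound ESP SAs]
      SPI: 2130348402 (0x7efa8972)
      Transform set:  ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3573
      Anti-replay check enable: Y
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      SPI: 2811839266 (0xa7994322)
      Transform set:  ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3573
      UDP encapsulation used for NAT traversal: N
      Status: Active
"""

# Policy/tunnel context fields and per-SA fields, each with a value converter.
CONTEXT_FIELDS = {
    "Interface": ("interface", str), "IPsec policy": ("policy", str),
    "Sequence number": ("seq", int), "Mode": ("mode", str),
    "Perfect forward secrecy": ("pfs", lambda v: v or None), "Path MTU": ("path_mtu", int),
    "local address": ("local", str), "remote address": ("remote", str),
}
SA_FIELDS = {
    "SPI": ("spi", lambda v: int(v.split()[0])), "Transform set": ("transform", str),
    "SA remaining duration (kilobytes/sec)": ("remaining_sec", lambda v: int(v.split("/")[1])),
    "Anti-replay check enable": ("anti_replay", lambda v: v == "Y"),
    "UDP encapsulation used for NAT traversal": ("nat_t", lambda v: v == "Y"),
    "Status": ("status", str),
}


def parse_ipsec_sa(text: str) -> list:
    """Parse Comware 'display ipsec sa' output into one dict per ESP SA, each
    carrying the policy and tunnel context it was printed under."""
    sas, ctx, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"}:
            continue
        m = re.match(r"\[(Inbound|Outbound) ESP SAs\]", line)
        if m:                                    # new SA block: snapshot the context
            cur = dict(ctx, direction=m.group(1).lower())
            sas.append(cur)
            continue
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = re.sub(r"\s+", " ", key.strip()), val.strip()
        if key in ("sour addr", "dest addr"):    # flow selector line also carries the protocol
            ctx["flow_proto"] = re.search(r"protocol:\s*(\S+)", val).group(1)
            ctx["flow_src" if key == "sour addr" else "flow_dst"] = val.split()[0]
        elif key in CONTEXT_FIELDS:
            name, conv = CONTEXT_FIELDS[key]
            ctx[name] = conv(val)
            cur = None                           # back in a policy header
        elif cur is not None and key in SA_FIELDS:
            name, conv = SA_FIELDS[key]
            cur[name] = conv(val)
    return sas


def audit(sas: list, min_remaining_sec: int = 300) -> list:
    """Return (direction, spi, finding) tuples for conditions an operator should act on."""
    findings = []
    for sa in sas:
        tag = (sa["direction"], sa.get("spi"))
        if re.search(r"ENCRYPT-(3?DES|NULL)\b", sa.get("transform", "")):
            findings.append(tag + (f"weak or null encryption: {sa['transform']}",))
        if not sa.get("pfs"):
            findings.append(tag + ("no PFS: IPsec keys derive from the IKE SA alone",))
        if sa["direction"] == "inbound" and not sa.get("anti_replay", False):
            findings.append(tag + ("anti-replay check disabled",))
        if sa.get("remaining_sec", min_remaining_sec) < min_remaining_sec:
            findings.append(tag + (f"SA expires in {sa['remaining_sec']} s",))
        if sa.get("status") != "Active":
            findings.append(tag + (f"status {sa.get('status')}",))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ipsec_sa(SAMPLE_OUTPUT)):
        print(*finding)
```

On the sample the audit reports the DES transform set and the absence of PFS for both SAs and nothing else, which is exactly what a reviewer of this lab configuration should expect to see.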

5.6  Configuration files

·     Device A:

#
interface GigabitEthernet1/0/1
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 ip address 202.115.22.48 255.255.255.0
 ipsec apply policy policy1
#
interface Tunnel0 mode gre
 ip address 10.1.1.1 255.255.255.0
 source 202.115.22.48
 destination 202.115.24.50
#
ip route-static 192.168.2.1 24 Tunnel0
#
acl number 3000
 rule 0 permit gre source 202.115.22.48 0 destination 202.115.24.50 0
#
ipsec transform-set tran1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec policy policy1 1 isakmp
 transform-set tran1
 security acl 3000
 remote-address 202.115.24.50
#
ike keychain keychain1
 pre-shared-key address 202.115.24.50 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8qp4hMMjV/iteA==
#

·     Device B:

#
interface GigabitEthernet1/0/1
 ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 ip address 202.115.24.50 255.255.255.0
 ipsec apply policy policy1
#
interface Tunnel0 mode gre
 ip address 10.1.1.2 255.255.255.0
 source 202.115.24.50
 destination 202.115.22.48
#
ip route-static 192.168.1.1 24 Tunnel0
#
acl number 3000
 rule 0 permit gre source 202.115.24.50 0 destination 202.115.22.48 0
#
ipsec transform-set tran1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec policy policy1 1 isakmp
 transform-set tran1
 security acl 3000
 remote-address 202.115.22.48
#
ike keychain keychain1
 pre-shared-key address 202.115.22.48 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8qp4hMMjV/iteA==
#

6  IPsec same-flow dual-tunnel configuration example

6.1  Network requirements

As shown in Figure 18, the requirements are:

·     Establish an IPsec tunnel between Device A and Device B to protect the traffic between the subnet of Host A (10.1.1.0/24) and the subnet of Host B (10.1.2.0/24).

·     Device B connects to the Internet over two links; the same IPsec tunnel is configured on both links so that they back each other up.

·     SAs are set up by IKE negotiation; the security protocol is ESP, the encryption algorithm is DES, and the authentication algorithm is HMAC-SHA1-96.

·     Device B uses a shared source interface IPsec policy: the SAs are bound to the address of a loopback interface rather than to either uplink, so the same SA serves whichever link carries the traffic and a switch between the links does not force a renegotiation.

Figure 18 Network diagram for IPsec same-flow dual tunnel

6.2  Software version

This example was configured and verified on an MSR3610-X1 router running Release 6749.

6.3  Configuration procedure

6.3.1  Configuring Device A

(1)     Assign IP addresses to the interfaces

# Assign an IP address to GigabitEthernet1/0/1 (the public interface).
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 2.2.1.2 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit

# Assign an IP address to GigabitEthernet1/0/2 (the interface facing Host A).
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ip address 10.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/2] quit

# Configure static routes to the 10.1.2.0 network through both of Device B's uplinks.
[DeviceA] ip route-static 10.1.2.0 255.255.255.0 2.2.2.3
[DeviceA] ip route-static 10.1.2.0 255.255.255.0 4.4.4.5

# Configure static routes to the Loopback0 address of Device B through both uplinks.
[DeviceA] ip route-static 3.3.3.3 255.255.255.255 2.2.2.3
[DeviceA] ip route-static 3.3.3.3 255.255.255.255 4.4.4.5

(2)     Configure IPsec VPN

# Configure an IKE keychain. The peer address is the Loopback0 address of Device B, which is the address Device B will use for IKE regardless of the uplink in use.
[DeviceA] ike keychain keychain1
[DeviceA-ike-keychain-keychain1] pre-shared-key address 3.3.3.3 255.255.255.255 key simple 123
[DeviceA-ike-keychain-keychain1] quit

# Create ACL 3000 to define the traffic to be protected by IPsec.
[DeviceA] acl number 3000
[DeviceA-acl-adv-3000] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-adv-3000] quit

# Create an IPsec transform set.
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit

# Create an IKE-based IPsec policy named policy1 with sequence number 1. The remote address is the Loopback0 address of Device B.
[DeviceA] ipsec policy policy1 1 isakmp
[DeviceA-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceA-ipsec-policy-isakmp-policy1-1] remote-address 3.3.3.3
[DeviceA-ipsec-policy-isakmp-policy1-1] transform-set tran1
[DeviceA-ipsec-policy-isakmp-policy1-1] quit

# Apply the IPsec policy to GigabitEthernet1/0/1.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ipsec apply policy policy1
[DeviceA-GigabitEthernet1/0/1] quit

6.3.2  Device B的配置

(1)     配置各接口IP地址

# 配置接口GigabitEthernet1/0/1的IP地址。

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ip address 2.2.2.3 255.255.255.0

[DeviceB-GigabitEthernet1/0/1] quit

# 配置接口GigabitEthernet1/0/2的IP地址。

[DeviceB] interface gigabitethernet 1/0/2

[DeviceB-GigabitEthernet1/0/2] ip address 4.4.4.5 255.255.255.0

[DeviceB-GigabitEthernet1/0/2] quit

# 配置接口GigabitEthernet1/0/3的IP地址。

[DeviceB] interface gigabitethernet 1/0/3

[DeviceB-GigabitEthernet1/0/3] ip address 10.1.2.1 255.255.255.0

[DeviceB-GigabitEthernet1/0/3] quit

# 配置接口Loopback 0的IP地址。

[DeviceB] interface loopback 0

[DeviceB-LoopBack0] ip address 3.3.3.3 255.255.255.0

[DeviceB-LoopBack0] quit

# 配置訪問10.1.1.0網段的靜態路由。

[DeviceB] ip route-static 10.1.1.0 255.255.255.0 gigabitethernet 1/0/1 2.2.1.2

[DeviceB] ip route-static 10.1.1.0 255.255.255.0 gigabitethernet 1/0/2 2.2.1.2

(2)     配置IPsec VPN

# 配置IKE keychain。

[DeviceB] ike keychain keychain1

[DeviceB-ike-keychain-keychain1] pre-shared-key address 2.2.1.2 255.255.255.0 key simple 123

[DeviceB-ike-keychain-keychain1] quit

# 創建ACL3000,定義需要IPsec保護的數據流。

[DeviceB] acl number 3000

[DeviceB-acl-adv-3000] rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

[DeviceB-acl-adv-3000] quit

# 配置IPsec安全提議。

[DeviceB] ipsec transform-set tran1

[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des

[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceB-ipsec-transform-set-tran1] quit

# Create an IKE-negotiated IPsec policy named policy1 with sequence number 1.

[DeviceB] ipsec policy policy1 1 isakmp

[DeviceB-ipsec-policy-isakmp-policy1-1] security acl 3000

[DeviceB-ipsec-policy-isakmp-policy1-1] remote-address 2.2.1.2

[DeviceB-ipsec-policy-isakmp-policy1-1] transform-set tran1

[DeviceB-ipsec-policy-isakmp-policy1-1] quit

# Apply the IPsec policy to interface GigabitEthernet1/0/1.

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ipsec apply policy policy1

[DeviceB-GigabitEthernet1/0/1] quit

# Apply the IPsec policy to interface GigabitEthernet1/0/2.

[DeviceB] interface gigabitethernet 1/0/2

[DeviceB-GigabitEthernet1/0/2] ipsec apply policy policy1

[DeviceB-GigabitEthernet1/0/2] quit

# Configure IPsec policy policy1 as a shared-source-interface policy, with Loopback0 as the shared source interface.

[DeviceB] ipsec policy policy1 local-address loopback 0

6.4  Verifying the configuration

# Ping Host B from Host A. This triggers IKE/IPsec negotiation and sets up the IPsec tunnel; once the tunnel is established, the ping succeeds.

C:\Users\hosta> ping 10.1.2.2

 

Pinging 10.1.2.2 with 32 bytes of data:

Request timed out.

Reply from 10.1.2.2: bytes=32 time=3ms TTL=126

Reply from 10.1.2.2: bytes=32 time=1ms TTL=126

Reply from 10.1.2.2: bytes=32 time=5ms TTL=126

 

Ping statistics for 10.1.2.2:

    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 5ms, Average = 3ms

# Use the display ike sa command on Device A to verify that the phase 1 (IKE) SA has been established.

[DeviceA] display ike sa

    Connection-ID   Remote                Flag         DOI

------------------------------------------------------------------

    9               3.3.3.3               RD           IPSEC

Flags:

RD--READY RL--REPLACED FD-FADING

# Use the display ipsec sa command on Device A to view the IPsec SAs.

[DeviceA] display ipsec sa

-------------------------------

Interface: GigabitEthernet1/0/1

-------------------------------

 

  -----------------------------

  IPsec policy: policy1

  Sequence number: 1

  Mode: isakmp

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect forward secrecy:

    Path MTU: 1443

    Tunnel:

        local  address: 2.2.1.2

        remote address: 3.3.3.3

    Flow:

    sour addr: 10.1.1.0/255.255.255.0  port: 0  protocol: ip

    dest addr: 10.1.2.0/255.255.255.0  port: 0  protocol: ip

 

    [Inbound ESP SAs]

      SPI: 1851852454 (0x6e6106a6)

      Transform set:  ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843199/3035

      Max received sequence-number: 3

      Anti-replay check enable: Y

      Anti-replay window size: 64

      UDP encapsulation used for NAT traversal: N

      Status: Active

 

    [Outbound ESP SAs]

      SPI: 718692851 (0x2ad661f3)

      Transform set:  ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843199/3035

      Max sent sequence-number: 3

      UDP encapsulation used for NAT traversal: N

      Status: Active

# Verifying communication from Host B to Host A follows the same procedure and is not repeated here.

6.5  Configuration files

·     Device A:

#

interface GigabitEthernet1/0/1

 ip address 2.2.1.2 255.255.255.0

 ipsec apply policy policy1

#

interface GigabitEthernet1/0/2

 ip address 10.1.1.1 255.255.255.0

#

ip route-static 3.3.3.3 32 2.2.2.3

ip route-static 3.3.3.3 32 4.4.4.5

ip route-static 10.1.2.0 24 2.2.2.3

ip route-static 10.1.2.0 24 4.4.4.5

#

acl number 3000

 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

#

ipsec transform-set tran1

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec policy policy1 1 isakmp

 transform-set tran1

 security acl 3000

 remote-address 3.3.3.3

#

ike keychain keychain1

 pre-shared-key address 3.3.3.3 255.255.255.255 key cipher $c$3$n6jdlYtuR+K6mijQ8qp4hMMjV/iteA==

#

·     Device B:

#

interface LoopBack0

 ip address 3.3.3.3 255.255.255.0

#

interface GigabitEthernet1/0/1

 ip address 2.2.2.3 255.255.255.0

 ipsec apply policy policy1

#

interface GigabitEthernet1/0/2

 ip address 4.4.4.5 255.255.255.0

 ipsec apply policy policy1

#

interface GigabitEthernet1/0/3

 ip address 10.1.2.1 255.255.255.0

#

ip route-static 10.1.1.0 24 GigabitEthernet1/0/1 2.2.1.2

ip route-static 10.1.1.0 24 GigabitEthernet1/0/2 2.2.1.2

#

acl number 3000

 rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

#

ipsec transform-set tran1

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec policy policy1 1 isakmp

 transform-set tran1

 security acl 3000

 remote-address 2.2.1.2

#

ipsec policy policy1 local-address LoopBack0

#

ike keychain keychain1

 pre-shared-key address 2.2.1.2 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8qp4hMMjV/iteA==

#
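As an added example (not part of this guide or of H3C's software), the following Python script reads the two configuration files above and checks what the peers must agree on: mirrored ACL flows, identical transform sets, Device A's remote-address matching the LoopBack0 address that Device B uses as its shared source, and each keychain covering the peer it negotiates with; it also flags the DES-CBC encryption used in this example as weak. The sample configurations are constructed from the page's configuration files with the PSK cipher text replaced by a placeholder.

```python
import ipaddress
import re

WEAK = {"des", "des-cbc", "null", "md5"}   # algorithms a config review should flag

def ipsec_view(config):
    """Extract what the two IPsec peers must agree on from a Comware config."""
    flow = re.search(r"rule \d+ permit ip source (\S+) \S+ destination (\S+) \S+", config)
    addr, mask = re.search(r"pre-shared-key address (\S+) (\S+)", config).groups()
    # A shared-source-interface policy sends from LoopBack0; the other peer must use that address.
    lo = re.search(r"interface LoopBack0\n ip address (\S+)", config)
    return {"src": flow[1], "dst": flow[2],
            "esp": tuple(re.findall(r"esp \S+-algorithm (\S+)", config)),
            "peer": re.search(r"^ remote-address (\S+)", config, re.M)[1],
            "psk": ipaddress.ip_network(f"{addr}/{mask}", strict=False),
            "local": lo[1] if lo and "local-address LoopBack0" in config else None}

def audit(cfg_a, cfg_b):
    """Return mismatches that would stop the tunnel coming up, plus weak ESP settings."""
    a, b = ipsec_view(cfg_a), ipsec_view(cfg_b)
    findings = []
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        findings.append("ACL flows are not mirror images")
    if a["esp"] != b["esp"]:
        findings.append("ESP transform sets differ")
    if b["local"] and a["peer"] != b["local"]:
        findings.append("A's remote-address is not B's shared source (LoopBack0) address")
    for name, v in (("A", a), ("B", b)):
        if ipaddress.ip_address(v["peer"]) not in v["psk"]:
            findings.append(f"{name}: keychain does not cover peer {v['peer']}")
        for alg in sorted(WEAK & set(v["esp"])):
            findings.append(f"{name}: weak ESP algorithm {alg}")
    return findings

# Constructed from the Device A / Device B configuration files above; PSK cipher text replaced by REDACTED.
CFG_A = ("acl number 3000\n rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255\n#\n"
         "ipsec transform-set tran1\n esp encryption-algorithm des-cbc\n esp authentication-algorithm sha1\n#\n"
         "ipsec policy policy1 1 isakmp\n remote-address 3.3.3.3\n#\n"
         "ike keychain keychain1\n pre-shared-key address 3.3.3.3 255.255.255.255 key cipher REDACTED\n")
CFG_B = ("interface LoopBack0\n ip address 3.3.3.3 255.255.255.0\n#\n"
         "acl number 3000\n rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255\n#\n"
         "ipsec transform-set tran1\n esp encryption-algorithm des-cbc\n esp authentication-algorithm sha1\n#\n"
         "ipsec policy policy1 1 isakmp\n remote-address 2.2.1.2\n#\n"
         "ipsec policy policy1 local-address LoopBack0\n#\n"
         "ike keychain keychain1\n pre-shared-key address 2.2.1.2 255.255.255.0 key cipher REDACTED\n")

if __name__ == "__main__":
    for finding in audit(CFG_A, CFG_B):
        print(finding)
```

For the configurations on this page the only findings are the two weak-algorithm warnings for des-cbc; the peer-consistency checks all pass.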

7  Related documentation

·     "Security Configuration Guide" in H3C MSR Series Routers Configuration Guides (V7)

·     "Security Command Reference" in H3C MSR Series Routers Command References (V7)

·     "Layer 3 - IP Services Configuration Guide" in H3C MSR Series Routers Configuration Guides (V7)

·     "Layer 3 - IP Services Command Reference" in H3C MSR Series Routers Command References (V7)

·     "Layer 2 - WAN Access Configuration Guide" in H3C MSR Series Routers Configuration Guides (V7)

·     "Layer 2 - WAN Access Command Reference" in H3C MSR Series Routers Command References (V7)

Documentation for different models and specifications may differ slightly; for details, contact your sales representative or the 400 service hotline. H3C reserves the right to modify the content of this documentation without notice.
