The MSR V7 platform routers referred to in this case are the MSR830-WiNet series routers running the Comware V7 platform, such as the MSR830-10BEI-WiNet, MSR830-6EI-WiNet, MSR830-5BEI-WiNet, MSR830-6BHI-WiNet and MSR830-10BHI-WiNet.
The WAN interface G0/0 of router RTA has the address 1.1.1.1 (simulating a fixed public address assigned by the ISP), and the WAN interface G0/0 of router RTB has the address 2.2.2.1 (likewise simulating a fixed public ISP address); the two WAN addresses are routable to each other and can ping each other. The goal is to let hosts on RTA's LAN (192.168.1.0/24) and hosts on RTB's LAN (172.16.1.0/24) reach each other through a GRE over IPsec VPN tunnel.
#Configure the GRE tunnel on RTA
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C]interface Tunnel0 mode gre
[H3C-Tunnel0]ip address 10.1.2.1 24
[H3C-Tunnel0]source 1.1.1.1
[H3C-Tunnel0]destination 2.2.2.1
#Configure ACL 3000 to define the traffic from subnet 1.1.1.0/24 to subnet 2.2.2.0/24, i.e. the GRE-encapsulated traffic between the tunnel endpoints
[H3C]acl advanced 3000
[H3C-acl-ipv4-adv-3000]rule permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
[H3C-acl-ipv4-adv-3000]quit
#Configure ACL 3001, which the NAT on the WAN interface will reference; its deny rule excludes the IPsec interesting traffic from NAT translation, so that the IPsec traffic is not translated by NAT first
[H3C]acl number 3001
[H3C-acl-adv-3001]rule 0 deny ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
[H3C-acl-adv-3001]rule 1 permit ip
[H3C-acl-adv-3001]quit
#Create IKE proposal 1, with MD5 as the authentication algorithm and 3des-cbc as the encryption algorithm
[H3C]ike proposal 1
[H3C-ike-proposal-1]authentication-algorithm md5
[H3C-ike-proposal-1]encryption-algorithm 3des-cbc
[H3C-ike-proposal-1]quit
#Create and configure an IKE keychain named RTA.
[H3C]ike keychain RTA
#Set the peer IP address to 2.2.2.1, with the pre-shared key 123456 in plain text
[H3C-ike-keychain-RTA]pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456
[H3C-ike-keychain-RTA]quit
#Create and configure an IKE profile named RTA: reference keychain RTA configured above, set the local identity to this end's public interface address 1.1.1.1, match the peer's public interface address 2.2.2.1, and reference IKE proposal 1 configured earlier
[H3C]ike profile RTA
[H3C-ike-profile-RTA]keychain RTA
[H3C-ike-profile-RTA]local-identity address 1.1.1.1
[H3C-ike-profile-RTA]match remote identity address 2.2.2.1 255.255.255.0
[H3C-ike-profile-RTA]proposal 1
[H3C-ike-profile-RTA]quit
#Configure IPsec transform set 1, with 3des-cbc as the ESP encryption algorithm and md5 as the ESP authentication algorithm
[H3C]ipsec transform-set 1
[H3C-ipsec-transform-set-1]esp encryption-algorithm 3des-cbc
[H3C-ipsec-transform-set-1]esp authentication-algorithm md5
[H3C-ipsec-transform-set-1]quit
#Create IPsec policy RTA with sequence number 1: set the remote address to the peer's public address 2.2.2.1, and reference ACL 3000, IKE profile RTA and IPsec transform set 1 created above
[H3C]ipsec policy RTA 1 isakmp
[H3C-ipsec-policy-isakmp-RTA-1]remote-address 2.2.2.1
[H3C-ipsec-policy-isakmp-RTA-1]security acl 3000
[H3C-ipsec-policy-isakmp-RTA-1]transform-set 1
[H3C-ipsec-policy-isakmp-RTA-1]ike-profile RTA
[H3C-ipsec-policy-isakmp-RTA-1]quit
#On the WAN interface, bind ACL 3001 to NAT outbound (if nat outbound was already configured on the interface, remove it first with undo), and apply IPsec policy RTA to the WAN interface
[H3C]interface GigabitEthernet 0/0
[H3C-GigabitEthernet0/0]undo nat outbound
[H3C-GigabitEthernet0/0]nat outbound 3001
[H3C-GigabitEthernet0/0]ipsec apply policy RTA
[H3C-GigabitEthernet0/0]quit
#Configure the route to the peer LAN
[H3C]ip route-static 172.16.1.0 24 Tunnel 0
#Save the configuration
[H3C]save force
#Configure the GRE tunnel on RTB
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C]interface Tunnel0 mode gre
[H3C-Tunnel0]ip address 10.1.2.2 24
[H3C-Tunnel0]source 2.2.2.1
[H3C-Tunnel0]destination 1.1.1.1
#Configure ACL 3000 to define the traffic from subnet 2.2.2.0/24 to subnet 1.1.1.0/24 (the mirror of RTA's ACL), i.e. the GRE-encapsulated traffic between the tunnel endpoints
[H3C]acl advanced 3000
[H3C-acl-ipv4-adv-3000]rule permit ip source 2.2.2.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
[H3C-acl-ipv4-adv-3000]quit
#Configure ACL 3001, which the NAT on the WAN interface will reference; its deny rule excludes the IPsec interesting traffic from NAT translation, so that the IPsec traffic is not translated by NAT first
[H3C]acl number 3001
[H3C-acl-adv-3001]rule 0 deny ip source 2.2.2.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
[H3C-acl-adv-3001]rule 1 permit ip
[H3C-acl-adv-3001]quit
#Create IKE proposal 1, with MD5 as the authentication algorithm and 3des-cbc as the encryption algorithm
[H3C]ike proposal 1
[H3C-ike-proposal-1]authentication-algorithm md5
[H3C-ike-proposal-1]encryption-algorithm 3des-cbc
[H3C-ike-proposal-1]quit
#Create and configure an IKE keychain named RTA.
[H3C]ike keychain RTA
#Set the peer IP address to 1.1.1.1, with the pre-shared key 123456 in plain text
[H3C-ike-keychain-RTA]pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456
[H3C-ike-keychain-RTA]quit
#Create and configure an IKE profile named RTA: reference keychain RTA configured above, set the local identity to this end's public interface address 2.2.2.1, match the peer's public interface address 1.1.1.1, and reference IKE proposal 1 configured earlier
[H3C]ike profile RTA
[H3C-ike-profile-RTA]keychain RTA
[H3C-ike-profile-RTA]local-identity address 2.2.2.1
[H3C-ike-profile-RTA]match remote identity address 1.1.1.1 255.255.255.0
[H3C-ike-profile-RTA]proposal 1
[H3C-ike-profile-RTA]quit
#Configure IPsec transform set 1, with 3des-cbc as the ESP encryption algorithm and md5 as the ESP authentication algorithm
[H3C]ipsec transform-set 1
[H3C-ipsec-transform-set-1]esp encryption-algorithm 3des-cbc
[H3C-ipsec-transform-set-1]esp authentication-algorithm md5
[H3C-ipsec-transform-set-1]quit
#Create IPsec policy RTA with sequence number 1: set the remote address to the peer's public address 1.1.1.1, and reference ACL 3000, IKE profile RTA and IPsec transform set 1 created above
[H3C]ipsec policy RTA 1 isakmp
[H3C-ipsec-policy-isakmp-RTA-1]remote-address 1.1.1.1
[H3C-ipsec-policy-isakmp-RTA-1]security acl 3000
[H3C-ipsec-policy-isakmp-RTA-1]transform-set 1
[H3C-ipsec-policy-isakmp-RTA-1]ike-profile RTA
[H3C-ipsec-policy-isakmp-RTA-1]quit
#On the WAN interface, bind ACL 3001 to NAT outbound (if nat outbound was already configured on the interface, remove it first with undo), and apply IPsec policy RTA to the WAN interface
[H3C]interface GigabitEthernet 0/0
[H3C-GigabitEthernet0/0]undo nat outbound
[H3C-GigabitEthernet0/0]nat outbound 3001
[H3C-GigabitEthernet0/0]ipsec apply policy RTA
[H3C-GigabitEthernet0/0]quit
#Configure the route to the peer LAN
[H3C]ip route-static 192.168.1.0 24 Tunnel 0
#Save the configuration
[H3C]save force
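Added example, not part of the original case: a small Python checker that parses the tunnel endpoints and ACLs 3000/3001 from a constructed copy of RTA's configuration and evaluates them against the outer header of the GRE packets (1.1.1.1 -> 2.2.2.1), which is what the IPsec policy and NAT outbound on G0/0 actually see. A constructed variant that puts the LAN subnets into the ACLs instead is included to show that it would neither select the GRE flow for IPsec nor exempt it from NAT.

```python
import ipaddress
import re
# Constructed sample: the RTA lines from this case that govern the GRE outer flow 1.1.1.1 -> 2.2.2.1.
RTA_CONFIG = """
interface Tunnel0 mode gre
 source 1.1.1.1
 destination 2.2.2.1
acl advanced 3000
 rule permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
acl number 3001
 rule 0 deny ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
 rule 1 permit ip
"""
# Constructed variant with the LAN subnets in the ACLs instead of the tunnel endpoints.
LAN_VARIANT = RTA_CONFIG.replace("1.1.1.0", "192.168.1.0").replace("2.2.2.0", "172.16.1.0")
RULE_RE = re.compile(r"rule(?: \d+)? (permit|deny) ip"
                     r"(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?")

def parse(config):
    """Return (tunnel source, tunnel destination, {acl number: rules in configured order})."""
    src, dst = (re.search(rf"^\s*{key} (\S+)", config, re.M).group(1)
                for key in ("source", "destination"))
    acls, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"acl (?:advanced|number) (\d+)", line)
        if m:
            current = acls.setdefault(m.group(1), [])
        elif (m := RULE_RE.match(line)) and current is not None:
            current.append(m.groups())
    return src, dst, acls

def network(addr, wildcard):
    """Comware address/wildcard pair -> network; an omitted pair matches any address."""
    if addr is None:
        return ipaddress.ip_network("0.0.0.0/0")
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def first_match(rules, src, dst):
    """ACL rules are evaluated in order: return the action of the first hit, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sa, sw, da, dw in rules:
        if s in network(sa, sw) and d in network(da, dw):
            return action

def check(config):
    """Is the GRE outer flow selected by ACL 3000 (IPsec) and denied by ACL 3001 (NAT)?"""
    src, dst, acls = parse(config)
    return {"ipsec_protects_gre": first_match(acls["3000"], src, dst) == "permit",
            "nat_exempts_gre": first_match(acls["3001"], src, dst) == "deny"}
```

With the case's ACLs both checks are True; with the LAN-subnet variant both are False, because the GRE packets leaving G0/0 carry the public addresses, not 192.168.1.0/24 or 172.16.1.0/24.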
#Configure ACL 3001, which the NAT on the WAN interface will reference; its deny rule excludes the IPsec interesting traffic from NAT translation, so that the IPsec traffic is not translated by NAT first
[H3C]acl number 3001
[H3C-acl-adv-3001]rule 0 deny ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
[H3C-acl-adv-3001]rule 1 permit ip
[H3C-acl-adv-3001]quit
Is this rule 0 deny ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255 correct?
Shouldn't it be rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255?
Could someone explain?