
F100-S-XI

Asked on 2025-01-07

Problem description:

The F100-S-XI will later need to establish IPsec with several sites. Does this model support configuring an IPsec template? If so, how is it configured? If not, how do I configure point-to-point IPsec instead?

Also, how do I view the bridge (backplane) MAC on an H3C switch?

Best answer

Yes, it is supported.

What do you need the backplane MAC for... contact the 400 hotline for that.

Network requirements

As shown in Figure 1, headquarters Device A has two egress links to the Internet, and the branch devices Device B and Device C each have one egress link to the Internet. The requirements are:

  • Establish IPsec tunnels between headquarters and each branch using route-based IPsec tunnel interfaces;

  • Between headquarters and each branch, dynamically select the high-quality, low-latency link for the IPsec tunnel according to NQA probe results.

Figure 1 Network diagram: headquarters with dual links establishing route-based IPsec tunnels to the branches

Configuration procedure

Configure Device A

  1. Configure interface IP addresses

Configure the IP address of each interface as planned in the network diagram. The steps are as follows.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0

[DeviceA-GigabitEthernet1/0/1] quit

Configure the IP addresses of the other interfaces in the same way (steps omitted).

  2. Create IPsec tunnel interfaces

Create IPsec tunnel interface Tunnel0 as follows.

[DeviceA] interface tunnel 0 mode ipsec

[DeviceA-Tunnel0] ip address 10.0.0.1 255.255.255.0

[DeviceA-Tunnel0] source 1.1.1.1

[DeviceA-Tunnel0] destination 3.3.3.3

[DeviceA-Tunnel0] quit

Create IPsec tunnel interface Tunnel1 as follows.

[DeviceA] interface tunnel 1 mode ipsec

[DeviceA-Tunnel1] ip address 20.0.0.1 255.255.255.0

[DeviceA-Tunnel1] source 2.2.2.2

[DeviceA-Tunnel1] destination 3.3.3.3

[DeviceA-Tunnel1] quit

Create IPsec tunnel interface Tunnel2 as follows.

[DeviceA] interface tunnel 2 mode ipsec

[DeviceA-Tunnel2] ip address 30.0.0.1 255.255.255.0

[DeviceA-Tunnel2] source 1.1.1.1

[DeviceA-Tunnel2] destination 4.4.4.4

[DeviceA-Tunnel2] quit

Create IPsec tunnel interface Tunnel3 as follows.

[DeviceA] interface tunnel 3 mode ipsec

[DeviceA-Tunnel3] ip address 40.0.0.1 255.255.255.0

[DeviceA-Tunnel3] source 2.2.2.2

[DeviceA-Tunnel3] destination 4.4.4.4

[DeviceA-Tunnel3] quit

  3. Assign interfaces to security zones

Add each interface to its security zone as planned in the network diagram. The steps are as follows.

[DeviceA] security-zone name trust

[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/3

[DeviceA-security-zone-Trust] quit

[DeviceA] security-zone name untrust

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/2

[DeviceA-security-zone-Untrust] import interface tunnel 0

[DeviceA-security-zone-Untrust] import interface tunnel 1

[DeviceA-security-zone-Untrust] import interface tunnel 2

[DeviceA-security-zone-Untrust] import interface tunnel 3

[DeviceA-security-zone-Untrust] quit

  4. Configure security policies

  4.1 Configure security policy rules that permit traffic between the Untrust and Local zones, so that the devices can establish IPsec tunnels.

Configure a security policy rule named ipseclocalout so that Device A can send IPsec tunnel negotiation packets to Device B and Device C. The steps are as follows.

[DeviceA] security-policy ip

[DeviceA-security-policy-ip] rule name ipseclocalout

[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local

[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust

[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 1.1.1.1

[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2

[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 3.3.3.3

[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 4.4.4.4

[DeviceA-security-policy-ip-1-ipseclocalout] action pass

[DeviceA-security-policy-ip-1-ipseclocalout] quit

Configure a security policy rule named ipseclocalin so that Device A can receive and process IPsec tunnel negotiation packets from Device B and Device C. The steps are as follows.

[DeviceA-security-policy-ip] rule name ipseclocalin

[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust

[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local

[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 3.3.3.3

[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 4.4.4.4

[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 1.1.1.1

[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2

[DeviceA-security-policy-ip-2-ipseclocalin] action pass

[DeviceA-security-policy-ip-2-ipseclocalin] quit

  4.2 Configure security policy rules that permit traffic between Host A, Host B, and Host C

Configure a security policy rule named trust-untrust so that packets from Host A to Host B and Host C are permitted. The steps are as follows.

[DeviceA-security-policy-ip] rule name trust-untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust

[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 192.168.11.0 24

[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.12.0 24

[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.13.0 24

[DeviceA-security-policy-ip-3-trust-untrust] action pass

[DeviceA-security-policy-ip-3-trust-untrust] quit

Configure a security policy rule named untrust-trust so that packets from Host B and Host C to Host A are permitted. The steps are as follows.

[DeviceA-security-policy-ip] rule name untrust-trust

[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust

[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust

[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.12.0 24

[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.13.0 24

[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 192.168.11.0 24

[DeviceA-security-policy-ip-4-untrust-trust] action pass

[DeviceA-security-policy-ip-4-untrust-trust] quit

[DeviceA-security-policy-ip] quit

  5. Configure IPsec profiles to establish the IPsec tunnels and protect the data flows

Configure IPsec profile t0, used to establish an IPsec tunnel, as follows.

[DeviceA] ike keychain t0

[DeviceA-ike-keychain-t0] pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!

[DeviceA-ike-keychain-t0] quit

[DeviceA] ike profile t0

[DeviceA-ike-profile-t0] keychain t0

[DeviceA-ike-profile-t0] match local address Tunnel0

[DeviceA-ike-profile-t0] match remote identity address 3.3.3.3 24

[DeviceA-ike-profile-t0] exchange-mode aggressive

[DeviceA-ike-profile-t0] dpd interval 30 periodic

[DeviceA-ike-profile-t0] quit

[DeviceA] ipsec transform-set t0

[DeviceA-ipsec-transform-set-t0] esp encryption-algorithm aes-cbc-128

[DeviceA-ipsec-transform-set-t0] esp authentication-algorithm sha1

[DeviceA-ipsec-transform-set-t0] quit

[DeviceA] ipsec profile t0 isakmp

[DeviceA-ipsec-profile-isakmp-t0] transform-set t0

[DeviceA-ipsec-profile-isakmp-t0] ike-profile t0

[DeviceA-ipsec-profile-isakmp-t0] quit

Configure IPsec profile t1, used to establish an IPsec tunnel, as follows.

[DeviceA] ike keychain t1

[DeviceA-ike-keychain-t1] pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!

[DeviceA-ike-keychain-t1] quit

[DeviceA] ike profile t1

[DeviceA-ike-profile-t1] keychain t1

[DeviceA-ike-profile-t1] match local address Tunnel1

[DeviceA-ike-profile-t1] match remote identity address 3.3.3.3 24

[DeviceA-ike-profile-t1] exchange-mode aggressive

[DeviceA-ike-profile-t1] dpd interval 30 periodic

[DeviceA-ike-profile-t1] quit

[DeviceA] ipsec transform-set t1

[DeviceA-ipsec-transform-set-t1] esp encryption-algorithm aes-cbc-128

[DeviceA-ipsec-transform-set-t1] esp authentication-algorithm sha1

[DeviceA-ipsec-transform-set-t1] quit

[DeviceA] ipsec profile t1 isakmp

[DeviceA-ipsec-profile-isakmp-t1] transform-set t1

[DeviceA-ipsec-profile-isakmp-t1] ike-profile t1

[DeviceA-ipsec-profile-isakmp-t1] quit

Configure IPsec profile t2, used to establish an IPsec tunnel, as follows.

[DeviceA] ike keychain t2

[DeviceA-ike-keychain-t2] pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!

[DeviceA-ike-keychain-t2] quit

[DeviceA] ike profile t2

[DeviceA-ike-profile-t2] keychain t2

[DeviceA-ike-profile-t2] match local address Tunnel2

[DeviceA-ike-profile-t2] match remote identity address 4.4.4.4 24

[DeviceA-ike-profile-t2] exchange-mode aggressive

[DeviceA-ike-profile-t2] dpd interval 30 periodic

[DeviceA-ike-profile-t2] quit

[DeviceA] ipsec transform-set t2

[DeviceA-ipsec-transform-set-t2] esp encryption-algorithm aes-cbc-128

[DeviceA-ipsec-transform-set-t2] esp authentication-algorithm sha1

[DeviceA-ipsec-transform-set-t2] quit

[DeviceA] ipsec profile t2 isakmp

[DeviceA-ipsec-profile-isakmp-t2] transform-set t2

[DeviceA-ipsec-profile-isakmp-t2] ike-profile t2

[DeviceA-ipsec-profile-isakmp-t2] quit

Configure IPsec profile t3, used to establish an IPsec tunnel, as follows.

[DeviceA] ike keychain t3

[DeviceA-ike-keychain-t3] pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!

[DeviceA-ike-keychain-t3] quit

[DeviceA] ike profile t3

[DeviceA-ike-profile-t3] keychain t3

[DeviceA-ike-profile-t3] match local address Tunnel3

[DeviceA-ike-profile-t3] match remote identity address 4.4.4.4 24

[DeviceA-ike-profile-t3] exchange-mode aggressive

[DeviceA-ike-profile-t3] dpd interval 30 periodic

[DeviceA-ike-profile-t3] quit

[DeviceA] ipsec transform-set t3

[DeviceA-ipsec-transform-set-t3] esp encryption-algorithm aes-cbc-128

[DeviceA-ipsec-transform-set-t3] esp authentication-algorithm sha1

[DeviceA-ipsec-transform-set-t3] quit

[DeviceA] ipsec profile t3 isakmp

[DeviceA-ipsec-profile-isakmp-t3] transform-set t3

[DeviceA-ipsec-profile-isakmp-t3] ike-profile t3

[DeviceA-ipsec-profile-isakmp-t3] quit

  6. Configure the IPsec tunnel interfaces to IPsec-encapsulate the traffic to be protected.

Apply IPsec profile t0 to IPsec tunnel interface Tunnel0 to establish the IPsec tunnel.

[DeviceA] interface tunnel 0

[DeviceA-Tunnel0] tunnel protection ipsec profile t0

[DeviceA-Tunnel0] quit

Apply IPsec profile t1 to IPsec tunnel interface Tunnel1 to establish the IPsec tunnel.

[DeviceA] interface tunnel 1

[DeviceA-Tunnel1] tunnel protection ipsec profile t1

[DeviceA-Tunnel1] quit

Apply IPsec profile t2 to IPsec tunnel interface Tunnel2 to establish the IPsec tunnel.

[DeviceA] interface tunnel 2

[DeviceA-Tunnel2] tunnel protection ipsec profile t2

[DeviceA-Tunnel2] quit

Apply IPsec profile t3 to IPsec tunnel interface Tunnel3 to establish the IPsec tunnel.

[DeviceA] interface tunnel 3

[DeviceA-Tunnel3] tunnel protection ipsec profile t3

[DeviceA-Tunnel3] quit

  7. Configure NQA test groups and associate them with Track entries to probe link status.

Configure an NQA test group (admin name admin, operation tag test1) as follows.

[DeviceA] nqa entry admin test1

[DeviceA-nqa-admin-test1] type icmp-echo

[DeviceA-nqa-admin-test1-icmp-echo] destination ip 3.3.3.3

[DeviceA-nqa-admin-test1-icmp-echo] frequency 3000

[DeviceA-nqa-admin-test1-icmp-echo] history-record enable

[DeviceA-nqa-admin-test1-icmp-echo] next-hop ip 1.1.1.2

[DeviceA-nqa-admin-test1-icmp-echo] probe count 5

[DeviceA-nqa-admin-test1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

[DeviceA-nqa-admin-test1-icmp-echo] quit

[DeviceA] nqa schedule admin test1 start-time now lifetime forever

Configure Track entry 110 and associate it with reaction entry 1 of the NQA test group (admin name admin, operation tag test1). The steps are as follows.

[DeviceA] track 110 nqa entry admin test1 reaction 1

[DeviceA-track-110] quit

Configure an NQA test group (admin name admin, operation tag test2) as follows.

[DeviceA] nqa entry admin test2

[DeviceA-nqa-admin-test2] type icmp-echo

[DeviceA-nqa-admin-test2-icmp-echo] destination ip 3.3.3.3

[DeviceA-nqa-admin-test2-icmp-echo] frequency 3000

[DeviceA-nqa-admin-test2-icmp-echo] history-record enable

[DeviceA-nqa-admin-test2-icmp-echo] probe count 5

[DeviceA-nqa-admin-test2-icmp-echo] next-hop ip 2.2.2.3

[DeviceA-nqa-admin-test2-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

[DeviceA-nqa-admin-test2-icmp-echo] quit

[DeviceA] nqa schedule admin test2 start-time now lifetime forever

Configure Track entry 120 and associate it with reaction entry 1 of the NQA test group (admin name admin, operation tag test2). The steps are as follows.

[DeviceA] track 120 nqa entry admin test2 reaction 1

[DeviceA-track-120] quit

Configure an NQA test group (admin name admin, operation tag test3) as follows.

[DeviceA] nqa entry admin test3

[DeviceA-nqa-admin-test3] type icmp-echo

[DeviceA-nqa-admin-test3-icmp-echo] destination ip 4.4.4.4

[DeviceA-nqa-admin-test3-icmp-echo] frequency 3000

[DeviceA-nqa-admin-test3-icmp-echo] history-record enable

[DeviceA-nqa-admin-test3-icmp-echo] probe count 5

[DeviceA-nqa-admin-test3-icmp-echo] next-hop ip 1.1.1.2

[DeviceA-nqa-admin-test3-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

[DeviceA-nqa-admin-test3-icmp-echo] quit

[DeviceA] nqa schedule admin test3 start-time now lifetime forever

Configure Track entry 130 and associate it with reaction entry 1 of the NQA test group (admin name admin, operation tag test3). The steps are as follows.

[DeviceA] track 130 nqa entry admin test3 reaction 1

[DeviceA-track-130] quit

Configure an NQA test group (admin name admin, operation tag test4) as follows.

[DeviceA] nqa entry admin test4

[DeviceA-nqa-admin-test4] type icmp-echo

[DeviceA-nqa-admin-test4-icmp-echo] destination ip 4.4.4.4

[DeviceA-nqa-admin-test4-icmp-echo] frequency 3000

[DeviceA-nqa-admin-test4-icmp-echo] history-record enable

[DeviceA-nqa-admin-test4-icmp-echo] probe count 5

[DeviceA-nqa-admin-test4-icmp-echo] next-hop ip 2.2.2.3

[DeviceA-nqa-admin-test4-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

[DeviceA-nqa-admin-test4-icmp-echo] quit

[DeviceA] nqa schedule admin test4 start-time now lifetime forever

Configure Track entry 140 and associate it with reaction entry 1 of the NQA test group (admin name admin, operation tag test4). The steps are as follows.

[DeviceA] track 140 nqa entry admin test4 reaction 1

[DeviceA-track-140] quit

  8. Configure routes

This example uses static routing only. In a real network, choose the routing method that suits your situation.

Configure static routes as planned in the network diagram. The next-hop IP addresses in this example are illustrative only; use the addresses of your actual network. The steps are as follows.

[DeviceA] ip route-static 192.168.12.0 24 tunnel 0 track 110 preference 100

[DeviceA] ip route-static 192.168.12.0 24 tunnel 1 track 120 preference 110

[DeviceA] ip route-static 192.168.13.0 24 tunnel 2 track 130 preference 100

[DeviceA] ip route-static 192.168.13.0 24 tunnel 3 track 140 preference 110

[DeviceA] ip route-static 3.3.3.3 24 1.1.1.2 track 110 preference 100

[DeviceA] ip route-static 3.3.3.3 24 2.2.2.3 track 120 preference 110

[DeviceA] ip route-static 4.4.4.4 24 1.1.1.2 track 130 preference 100

[DeviceA] ip route-static 4.4.4.4 24 2.2.2.3 track 140 preference 110

Configure Device B

  1. Configure interface IP addresses

Configure the IP address of each interface as planned in the network diagram. The steps are as follows.

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ip address 3.3.3.3 255.255.255.0

[DeviceB-GigabitEthernet1/0/1] quit

Configure the IP addresses of the other interfaces in the same way (steps omitted).

  2. Create IPsec tunnel interfaces

Create IPsec tunnel interface Tunnel0 as follows.

[DeviceB] interface tunnel 0 mode ipsec

[DeviceB-Tunnel0] ip address 50.0.0.1 255.255.255.0

[DeviceB-Tunnel0] source 3.3.3.3

[DeviceB-Tunnel0] destination 1.1.1.1

[DeviceB-Tunnel0] quit

Create IPsec tunnel interface Tunnel1 as follows.

[DeviceB] interface tunnel 1 mode ipsec

[DeviceB-Tunnel1] ip address 60.0.0.1 255.255.255.0

[DeviceB-Tunnel1] source 3.3.3.3

[DeviceB-Tunnel1] destination 2.2.2.2

[DeviceB-Tunnel1] quit

  3. Assign interfaces to security zones

Add each interface to its security zone as planned in the network diagram. The steps are as follows.

[DeviceB] security-zone name trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceB-security-zone-Trust] quit

[DeviceB] security-zone name untrust

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceB-security-zone-Untrust] import interface tunnel 0

[DeviceB-security-zone-Untrust] import interface tunnel 1

[DeviceB-security-zone-Untrust] quit

  4. Configure security policies

  4.1 Configure security policy rules that permit traffic between the Untrust and Local zones, so that the devices can establish IPsec tunnels.

Configure a security policy rule named ipseclocalout so that Device B can send IPsec tunnel negotiation packets to Device A. The steps are as follows.

[DeviceB] security-policy ip

[DeviceB-security-policy-ip] rule name ipseclocalout

[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local

[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust

[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 3.3.3.3

[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1

[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2

[DeviceB-security-policy-ip-1-ipseclocalout] action pass

[DeviceB-security-policy-ip-1-ipseclocalout] quit

Configure a security policy rule named ipseclocalin so that Device B can receive and process IPsec tunnel negotiation packets from Device A. The steps are as follows.

[DeviceB-security-policy-ip] rule name ipseclocalin

[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust

[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local

[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1

[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2

[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 3.3.3.3

[DeviceB-security-policy-ip-2-ipseclocalin] action pass

[DeviceB-security-policy-ip-2-ipseclocalin] quit

  4.2 Configure security policy rules that permit traffic between Host B and Host A

Configure a security policy rule named trust-untrust so that packets from Host B to Host A are permitted. The steps are as follows.

[DeviceB-security-policy-ip] rule name trust-untrust

[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust

[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust

[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 192.168.12.0 24

[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.11.0 24

[DeviceB-security-policy-ip-3-trust-untrust] action pass

[DeviceB-security-policy-ip-3-trust-untrust] quit

Configure a security policy rule named untrust-trust so that packets from Host A to Host B are permitted. The steps are as follows.

[DeviceB-security-policy-ip] rule name untrust-trust

[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust

[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust

[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.11.0 24

[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 192.168.12.0 24

[DeviceB-security-policy-ip-4-untrust-trust] action pass

[DeviceB-security-policy-ip-4-untrust-trust] quit

[DeviceB-security-policy-ip] quit

  5. Configure IPsec profiles to establish the IPsec tunnels and protect the data flows

Configure IPsec profile t0, used to establish an IPsec tunnel, as follows.

[DeviceB] ike keychain t0

[DeviceB-ike-keychain-t0] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!

[DeviceB-ike-keychain-t0] quit

[DeviceB] ike profile t0

[DeviceB-ike-profile-t0] keychain t0

[DeviceB-ike-profile-t0] match local address Tunnel0

[DeviceB-ike-profile-t0] match remote identity address 1.1.1.1 24

[DeviceB-ike-profile-t0] exchange-mode aggressive

[DeviceB-ike-profile-t0] dpd interval 30 periodic

[DeviceB-ike-profile-t0] quit

[DeviceB] ipsec transform-set t0

[DeviceB-ipsec-transform-set-t0] esp encryption-algorithm aes-cbc-128

[DeviceB-ipsec-transform-set-t0] esp authentication-algorithm sha1

[DeviceB-ipsec-transform-set-t0] quit

[DeviceB] ipsec profile t0 isakmp

[DeviceB-ipsec-profile-isakmp-t0] transform-set t0

[DeviceB-ipsec-profile-isakmp-t0] ike-profile t0

[DeviceB-ipsec-profile-isakmp-t0] quit

Configure IPsec profile t1, used to establish an IPsec tunnel, as follows.

[DeviceB] ike keychain t1

[DeviceB-ike-keychain-t1] pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!

[DeviceB-ike-keychain-t1] quit

[DeviceB] ike profile t1

[DeviceB-ike-profile-t1] keychain t1

[DeviceB-ike-profile-t1] match local address Tunnel1

[DeviceB-ike-profile-t1] match remote identity address 2.2.2.2 24

[DeviceB-ike-profile-t1] exchange-mode aggressive

[DeviceB-ike-profile-t1] dpd interval 30 periodic

[DeviceB-ike-profile-t1] quit

[DeviceB] ipsec transform-set t1

[DeviceB-ipsec-transform-set-t1] esp encryption-algorithm aes-cbc-128

[DeviceB-ipsec-transform-set-t1] esp authentication-algorithm sha1

[DeviceB-ipsec-transform-set-t1] quit

[DeviceB] ipsec profile t1 isakmp

[DeviceB-ipsec-profile-isakmp-t1] transform-set t1

[DeviceB-ipsec-profile-isakmp-t1] ike-profile t1

[DeviceB-ipsec-profile-isakmp-t1] quit

  6. Configure the IPsec tunnel interfaces to IPsec-encapsulate the traffic to be protected.

Apply IPsec profile t0 to IPsec tunnel interface Tunnel0 to establish the IPsec tunnel.

[DeviceB] interface tunnel 0

[DeviceB-Tunnel0] tunnel protection ipsec profile t0

[DeviceB-Tunnel0] quit

Apply IPsec profile t1 to IPsec tunnel interface Tunnel1 to establish the IPsec tunnel.

[DeviceB] interface tunnel 1

[DeviceB-Tunnel1] tunnel protection ipsec profile t1

[DeviceB-Tunnel1] quit

  7. Configure NQA test groups and associate them with Track entries to probe link status.

Configure an NQA test group (admin name admin, operation tag test1) as follows.

[DeviceB] nqa entry admin test1

[DeviceB-nqa-admin-test1] type icmp-echo

[DeviceB-nqa-admin-test1-icmp-echo] destination ip 1.1.1.1

[DeviceB-nqa-admin-test1-icmp-echo] frequency 3000

[DeviceB-nqa-admin-test1-icmp-echo] history-record enable

[DeviceB-nqa-admin-test1-icmp-echo] probe count 5

[DeviceB-nqa-admin-test1-icmp-echo] next-hop ip 3.3.3.4

[DeviceB-nqa-admin-test1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

[DeviceB-nqa-admin-test1-icmp-echo] quit

[DeviceB] nqa schedule admin test1 start-time now lifetime forever

Configure Track entry 110 and associate it with reaction entry 1 of the NQA test group (admin name admin, operation tag test1). The steps are as follows.

[DeviceB] track 110 nqa entry admin test1 reaction 1

[DeviceB-track-110] quit

Configure an NQA test group (admin name admin, operation tag test2) as follows.

[DeviceB] nqa entry admin test2

[DeviceB-nqa-admin-test2] type icmp-echo

[DeviceB-nqa-admin-test2-icmp-echo] destination ip 2.2.2.2

[DeviceB-nqa-admin-test2-icmp-echo] frequency 3000

[DeviceB-nqa-admin-test2-icmp-echo] history-record enable

[DeviceB-nqa-admin-test2-icmp-echo] probe count 5

[DeviceB-nqa-admin-test2-icmp-echo] next-hop ip 3.3.3.4

[DeviceB-nqa-admin-test2-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

[DeviceB-nqa-admin-test2-icmp-echo] quit

[DeviceB] nqa schedule admin test2 start-time now lifetime forever

Configure Track entry 120 and associate it with reaction entry 1 of the NQA test group (admin name admin, operation tag test2). The steps are as follows.

[DeviceB] track 120 nqa entry admin test2 reaction 1

[DeviceB-track-120] quit

  8. Configure routes

This example uses static routing only. In a real network, choose the routing method that suits your situation.

Configure static routes as planned in the network diagram. The next-hop IP addresses in this example are illustrative only; use the addresses of your actual network. The steps are as follows.

[DeviceB] ip route-static 192.168.11.0 24 tunnel 0 track 110 preference 100

[DeviceB] ip route-static 192.168.11.0 24 tunnel 1 track 120 preference 110

[DeviceB] ip route-static 1.1.1.1 24 3.3.3.4

[DeviceB] ip route-static 2.2.2.2 24 3.3.3.4

Configure Device C

  1. Configure interface IP addresses

Configure the IP address of each interface as planned in the network diagram. The steps are as follows.

<DeviceC> system-view

[DeviceC] interface gigabitethernet 1/0/1

[DeviceC-GigabitEthernet1/0/1] ip address 4.4.4.4 255.255.255.0

[DeviceC-GigabitEthernet1/0/1] quit

Configure the IP addresses of the other interfaces in the same way (steps omitted).

  2. Create IPsec tunnel interfaces

Create IPsec tunnel interface Tunnel0 as follows.

[DeviceC] interface tunnel 0 mode ipsec

[DeviceC-Tunnel0] ip address 70.0.0.1 255.255.255.0

[DeviceC-Tunnel0] source 4.4.4.4

[DeviceC-Tunnel0] destination 1.1.1.1

[DeviceC-Tunnel0] quit

Create IPsec tunnel interface Tunnel1 as follows.

[DeviceC] interface tunnel 1 mode ipsec

[DeviceC-Tunnel1] ip address 80.0.0.1 255.255.255.0

[DeviceC-Tunnel1] source 4.4.4.4

[DeviceC-Tunnel1] destination 2.2.2.2

[DeviceC-Tunnel1] quit

  3. Assign interfaces to security zones

Add each interface to its security zone as planned in the network diagram. The steps are as follows.

[DeviceC] security-zone name trust

[DeviceC-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceC-security-zone-Trust] quit

[DeviceC] security-zone name untrust

[DeviceC-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceC-security-zone-Untrust] import interface tunnel 0

[DeviceC-security-zone-Untrust] import interface tunnel 1

[DeviceC-security-zone-Untrust] quit

  4. Configure security policies

  4.1 Configure security policy rules that permit traffic between the Untrust and Local zones, so that the devices can establish IPsec tunnels.

Configure a security policy rule named ipseclocalout so that Device C can send IPsec tunnel negotiation packets to Device A. The steps are as follows.

[DeviceC] security-policy ip

[DeviceC-security-policy-ip] rule name ipseclocalout

[DeviceC-security-policy-ip-1-ipseclocalout] source-zone local

[DeviceC-security-policy-ip-1-ipseclocalout] destination-zone untrust

[DeviceC-security-policy-ip-1-ipseclocalout] source-ip-host 4.4.4.4

[DeviceC-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1

[DeviceC-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2

[DeviceC-security-policy-ip-1-ipseclocalout] action pass

[DeviceC-security-policy-ip-1-ipseclocalout] quit

Configure a security policy rule named ipseclocalin so that Device C can receive and process IPsec tunnel negotiation packets from Device A. The steps are as follows.

[DeviceC-security-policy-ip] rule name ipseclocalin

[DeviceC-security-policy-ip-2-ipseclocalin] source-zone untrust

[DeviceC-security-policy-ip-2-ipseclocalin] destination-zone local

[DeviceC-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1

[DeviceC-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2

[DeviceC-security-policy-ip-2-ipseclocalin] destination-ip-host 4.4.4.4

[DeviceC-security-policy-ip-2-ipseclocalin] action pass

[DeviceC-security-policy-ip-2-ipseclocalin] quit

  4.2 Configure security policy rules that permit traffic between Host C and Host A

Configure a security policy rule named trust-untrust so that packets from Host C to Host A are permitted. The steps are as follows.

[DeviceC-security-policy-ip] rule name trust-untrust

[DeviceC-security-policy-ip-3-trust-untrust] source-zone trust

[DeviceC-security-policy-ip-3-trust-untrust] destination-zone untrust

[DeviceC-security-policy-ip-3-trust-untrust] source-ip-subnet 192.168.13.0 24

[DeviceC-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.11.0 24

[DeviceC-security-policy-ip-3-trust-untrust] action pass

[DeviceC-security-policy-ip-3-trust-untrust] quit

Configure a security policy rule named untrust-trust so that packets from Host A to Host C are permitted. The steps are as follows.

[DeviceC-security-policy-ip] rule name untrust-trust

[DeviceC-security-policy-ip-4-untrust-trust] source-zone untrust

[DeviceC-security-policy-ip-4-untrust-trust] destination-zone trust

[DeviceC-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.11.0 24

[DeviceC-security-policy-ip-4-untrust-trust] destination-ip-subnet 192.168.13.0 24

[DeviceC-security-policy-ip-4-untrust-trust] action pass

[DeviceC-security-policy-ip-4-untrust-trust] quit

[DeviceC-security-policy-ip] quit

  5. Configure IPsec profiles to establish the IPsec tunnels and protect the data flows

Configure IPsec profile t0, used to establish an IPsec tunnel, as follows.

[DeviceC] ike keychain t0

[DeviceC-ike-keychain-t0] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!

[DeviceC-ike-keychain-t0] quit

[DeviceC] ike profile t0

[DeviceC-ike-profile-t0] keychain t0

[DeviceC-ike-profile-t0] match local address Tunnel0

[DeviceC-ike-profile-t0] match remote identity address 1.1.1.1 24

[DeviceC-ike-profile-t0] exchange-mode aggressive

[DeviceC-ike-profile-t0] dpd interval 30 periodic

[DeviceC-ike-profile-t0] quit

[DeviceC] ipsec transform-set t0

[DeviceC-ipsec-transform-set-t0] esp encryption-algorithm aes-cbc-128

[DeviceC-ipsec-transform-set-t0] esp authentication-algorithm sha1

[DeviceC-ipsec-transform-set-t0] quit

[DeviceC] ipsec profile t0 isakmp

[DeviceC-ipsec-profile-isakmp-t0] transform-set t0

[DeviceC-ipsec-profile-isakmp-t0] ike-profile t0

[DeviceC-ipsec-profile-isakmp-t0] quit

Configure IPsec profile t1, used to establish an IPsec tunnel, as follows.

[DeviceC] ike keychain t1

[DeviceC-ike-keychain-t1] pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!

[DeviceC-ike-keychain-t1] quit

[DeviceC] ike profile t1

[DeviceC-ike-profile-t1] keychain t1

[DeviceC-ike-profile-t1] match local address Tunnel1

[DeviceC-ike-profile-t1] match remote identity address 2.2.2.2 24

[DeviceC-ike-profile-t1] exchange-mode aggressive

[DeviceC-ike-profile-t1] dpd interval 30 periodic

[DeviceC-ike-profile-t1] quit

[DeviceC] ipsec transform-set t1

[DeviceC-ipsec-transform-set-t1] esp encryption-algorithm aes-cbc-128

[DeviceC-ipsec-transform-set-t1] esp authentication-algorithm sha1

[DeviceC-ipsec-transform-set-t1] quit

[DeviceC] ipsec profile t1 isakmp

[DeviceC-ipsec-profile-isakmp-t1] transform-set t1

[DeviceC-ipsec-profile-isakmp-t1] ike-profile t1

[DeviceC-ipsec-profile-isakmp-t1] quit

  6. Configure the IPsec tunnel interfaces to IPsec-encapsulate the traffic to be protected.

Apply IPsec profile t0 to IPsec tunnel interface Tunnel0 to establish the IPsec tunnel.

[DeviceC] interface tunnel 0

[DeviceC-Tunnel0] tunnel protection ipsec profile t0

[DeviceC-Tunnel0] quit

Apply IPsec profile t1 to IPsec tunnel interface Tunnel1 to establish the IPsec tunnel.

[DeviceC] interface tunnel 1

[DeviceC-Tunnel1] tunnel protection ipsec profile t1

[DeviceC-Tunnel1] quit

  7. Configure NQA test groups and associate them with Track entries to probe link status.

Configure an NQA test group (admin name admin, operation tag test1) as follows.

[DeviceC] nqa entry admin test1

[DeviceC-nqa-admin-test1] type icmp-echo

[DeviceC-nqa-admin-test1-icmp-echo] destination ip 1.1.1.1

[DeviceC-nqa-admin-test1-icmp-echo] frequency 3000

[DeviceC-nqa-admin-test1-icmp-echo] history-record enable

[DeviceC-nqa-admin-test1-icmp-echo] probe count 5

[DeviceC-nqa-admin-test1-icmp-echo] next-hop ip 4.4.4.5

[DeviceC-nqa-admin-test1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

[DeviceC-nqa-admin-test1-icmp-echo] quit

[DeviceC] nqa schedule admin test1 start-time now lifetime forever

Configure Track entry 110 and associate it with reaction entry 1 of the NQA test group (admin name admin, operation tag test1). The steps are as follows.

[DeviceC] track 110 nqa entry admin test1 reaction 1

[DeviceC-track-110] quit

Configure an NQA test group (admin name admin, operation tag test2) as follows.

[DeviceC] nqa entry admin test2

[DeviceC-nqa-admin-test2] type icmp-echo

[DeviceC-nqa-admin-test2-icmp-echo] destination ip 2.2.2.2

[DeviceC-nqa-admin-test2-icmp-echo] frequency 3000

[DeviceC-nqa-admin-test2-icmp-echo] history-record enable

[DeviceC-nqa-admin-test2-icmp-echo] probe count 5

[DeviceC-nqa-admin-test2-icmp-echo] next-hop ip 4.4.4.5

[DeviceC-nqa-admin-test2-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

[DeviceC-nqa-admin-test2-icmp-echo] quit

[DeviceC] nqa schedule admin test2 start-time now lifetime forever

Configure Track entry 120 and associate it with reaction entry 1 of the NQA test group (admin name admin, operation tag test2). The steps are as follows.

[DeviceC] track 120 nqa entry admin test2 reaction 1

[DeviceC-track-120] quit

  8. Configure routes

This example uses static routing only. In a real network, choose the routing method that suits your situation.

Configure static routes as planned in the network diagram. The next-hop IP addresses in this example are illustrative only; use the addresses of your actual network. The steps are as follows.

[DeviceC] ip route-static 192.168.11.0 24 tunnel 0 track 110 preference 100

[DeviceC] ip route-static 192.168.11.0 24 tunnel 1 track 120 preference 110

[DeviceC] ip route-static 1.1.1.1 24 4.4.4.5

[DeviceC] ip route-static 2.2.2.2 24 4.4.4.5

Verifying the configuration

After the above configuration is complete, Device A automatically performs IKE negotiation with Device B and Device C. Once IKE negotiation completes, the IPsec virtual tunnel interfaces on Device A, Device B, and Device C come up, and traffic between headquarters and the branches is protected.

Use the display ip interface brief command to view the interface status on Device A:

<DeviceA> display ip interface brief

*down: administratively down

(s): spoofing  (l): loopback

Interface           Physical Protocol IP address/Mask    VPN instance Description

GE1/0/1             up       up       1.1.1.1/24          --           --

GE1/0/2             up       up       2.2.2.2/24          --           --

GE1/0/3             up       up       192.168.11.1/24     --           --

Tun0                up       up       10.0.0.1/24         --           --

Tun1                up       up       20.0.0.1/24         --           --

Tun2                up       up       30.0.0.1/24         --           --

Tun3                up       up       40.0.0.1/24         --           --

Use the display ip routing-table command to view the routing table on Device A:

<DeviceA> display ip routing-table

 

Destinations : 14        Routes : 14

 

Destination/Mask   Proto   Pre Cost        NextHop         Interface

1.1.1.0/24         Direct  0   0           1.1.1.1         GE1/0/1

1.1.1.255/32       Direct  0   0           1.1.1.1         GE1/0/1

2.2.2.0/24         Direct  0   0           2.2.2.2         GE1/0/2

2.2.2.255/32       Direct  0   0           2.2.2.2         GE1/0/2

3.3.3.0/24         Static  100 0           1.1.1.2         GE1/0/1

4.4.4.0/24         Static  100 0           1.1.1.2         GE1/0/1

10.0.0.0/24        Direct  0   0           10.0.0.1        Tun0

10.0.0.255/32      Direct  0   0           10.0.0.1        Tun0

20.0.0.0/24        Direct  0   0           20.0.0.1        Tun1

20.0.0.255/32      Direct  0   0           20.0.0.1        Tun1

192.168.11.0/24    Direct  0   0           192.168.11.1    GE1/0/3

192.168.11.255/32  Direct  0   0           192.168.11.1    GE1/0/3

192.168.12.0/24    Static  100 0           0.0.0.0         Tun0

192.168.13.0/24    Static  100 0           0.0.0.0         Tun2

# Host A can ping Host B; the IPsec traffic is carried on the Tunnel0 link.

C:\Users\hosta> ping 192.168.12.2

Pinging 192.168.12.2 with 32 bytes of data:

Reply from 192.168.12.2: bytes=32 time=1ms TTL=254

Reply from 192.168.12.2: bytes=32 time<1ms TTL=254

Reply from 192.168.12.2: bytes=32 time<1ms TTL=254

Reply from 192.168.12.2: bytes=32 time<1ms TTL=254

Ping statistics for 192.168.12.2:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 1ms, Average = 0ms

When the link on GigabitEthernet1/0/1 of Device A fails, Host A can still ping Host B; the IPsec traffic is now carried on the Tunnel1 link.

C:\Users\hosta> ping 192.168.12.2

Pinging 192.168.12.2 with 32 bytes of data:

Reply from 192.168.12.2: bytes=32 time=1ms TTL=254

Reply from 192.168.12.2: bytes=32 time<1ms TTL=254

Reply from 192.168.12.2: bytes=32 time<1ms TTL=254

Reply from 192.168.12.2: bytes=32 time<1ms TTL=254

Ping statistics for 192.168.12.2:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 1ms, Average = 0ms

Use the display ip interface brief command to view the interface status on Device A:

<DeviceA> display ip interface brief

*down: administratively down

(s): spoofing  (l): loopback

Interface           Physical Protocol IP address/Mask    VPN instance Description

GE1/0/1             down     down     1.1.1.1/24          --           --

GE1/0/2             up       up       2.2.2.2/24          --           --

GE1/0/3             up       up       192.168.11.1/24     --           --

Tun0                down     down     10.0.0.1/24         --           --

Tun1                up       up       20.0.0.1/24         --           --

Tun2                down     down     30.0.0.1/24         --           --

Tun3                up       up       40.0.0.1/24         --           --

The routing status of Device A can be checked with the display ip routing-table command, as follows.

<DeviceA> display ip routing-table

 

Destinations : 10        Routes : 10

 

Destination/Mask   Proto   Pre Cost        NextHop         Interface

2.2.2.0/24         Direct  0   0           2.2.2.2         GE1/0/2

2.2.2.255/32       Direct  0   0           2.2.2.2         GE1/0/2

3.3.3.0/24         Static  110 0           2.2.2.3         GE1/0/2

4.4.4.0/24         Static  110 0           2.2.2.3         GE1/0/2

20.0.0.0/24        Direct  0   0           20.0.0.1        Tun1

20.0.0.255/32      Direct  0   0           20.0.0.1        Tun1

192.168.11.0/24    Direct  0   0           192.168.11.1    GE1/0/3

192.168.11.255/32  Direct  0   0           192.168.11.1    GE1/0/3

192.168.12.0/24    Static  110 0           0.0.0.0         Tun1

192.168.13.0/24    Static  110 0           0.0.0.0         Tun3

When the link on Device A's GigabitEthernet1/0/1 interface recovers, the IPsec traffic switches back to the link used by Tunnel0.

Configuration files

Device A

#

track 110 nqa entry admin test1 reaction 1

#

track 120 nqa entry admin test2 reaction 1

#

track 130 nqa entry admin test3 reaction 1

#

track 140 nqa entry admin test4 reaction 1

#

nqa entry admin test1

 type icmp-echo

  destination ip 3.3.3.3

  frequency 3000

  history-record enable

  next-hop ip 1.1.1.2

  probe count 5

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

nqa entry admin test2

 type icmp-echo

  destination ip 3.3.3.3

  frequency 3000

  history-record enable

  next-hop ip 2.2.2.3

  probe count 5

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

nqa entry admin test3

 type icmp-echo

  destination ip 4.4.4.4

  frequency 3000

  history-record enable

  next-hop ip 1.1.1.2

  probe count 5

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

nqa entry admin test4

 type icmp-echo

  destination ip 4.4.4.4

  frequency 3000

  history-record enable

  next-hop ip 2.2.2.3

  probe count 5

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

 nqa schedule admin test1 start-time now lifetime forever

 nqa schedule admin test2 start-time now lifetime forever

 nqa schedule admin test3 start-time now lifetime forever

 nqa schedule admin test4 start-time now lifetime forever

#

interface GigabitEthernet1/0/1

 ip address 1.1.1.1 255.255.255.0

#

interface GigabitEthernet1/0/2

 ip address 2.2.2.2 255.255.255.0

#

interface GigabitEthernet1/0/3

 ip address 192.168.11.1 255.255.255.0

#

interface Tunnel0 mode ipsec

 ip address 10.0.0.1 255.255.255.0

 source 1.1.1.1

 destination 3.3.3.3

 tunnel protection ipsec profile t0

#

interface Tunnel1 mode ipsec

 ip address 20.0.0.1 255.255.255.0

 source 2.2.2.2

 destination 3.3.3.3

 tunnel protection ipsec profile t1

#

interface Tunnel2 mode ipsec

 ip address 30.0.0.1 255.255.255.0

 source 1.1.1.1

 destination 4.4.4.4

 tunnel protection ipsec profile t2

#

interface Tunnel3 mode ipsec

 ip address 40.0.0.1 255.255.255.0

 source 2.2.2.2

 destination 4.4.4.4

 tunnel protection ipsec profile t3

#

security-zone name Trust

 import interface GigabitEthernet1/0/3

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1

 import interface GigabitEthernet1/0/2

 import interface Tunnel0

 import interface Tunnel1

 import interface Tunnel2

 import interface Tunnel3

#

 ip route-static 3.3.3.0 24 1.1.1.2 track 110 preference 100

 ip route-static 3.3.3.0 24 2.2.2.3 track 120 preference 110

 ip route-static 4.4.4.0 24 1.1.1.2 track 130 preference 100

 ip route-static 4.4.4.0 24 2.2.2.3 track 140 preference 110

 ip route-static 192.168.12.0 24 Tunnel0 track 110 preference 100

 ip route-static 192.168.12.0 24 Tunnel1 track 120 preference 110

 ip route-static 192.168.13.0 24 Tunnel2 track 130 preference 100

 ip route-static 192.168.13.0 24 Tunnel3 track 140 preference 110

#

ipsec transform-set t0

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec transform-set t1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec transform-set t2

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec transform-set t3

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec profile t0 isakmp

 transform-set t0

 ike-profile t0

#

ipsec profile t1 isakmp

 transform-set t1

 ike-profile t1

#

ipsec profile t2 isakmp

 transform-set t2

 ike-profile t2

#

ipsec profile t3 isakmp

 transform-set t3

 ike-profile t3

#

ike profile t0

 keychain t0

 dpd interval 30 periodic

 exchange-mode aggressive

 match remote identity address 3.3.3.3 255.255.255.0

 match local address Tunnel0

#

ike profile t1

 keychain t1

 dpd interval 30 periodic

 exchange-mode aggressive

 match remote identity address 3.3.3.3 255.255.255.0

 match local address Tunnel1

#

ike profile t2

 keychain t2

 dpd interval 30 periodic

 exchange-mode aggressive

 match remote identity address 4.4.4.4 255.255.255.0

 match local address Tunnel2

#

ike profile t3

 keychain t3

 dpd interval 30 periodic

 exchange-mode aggressive

 match remote identity address 4.4.4.4 255.255.255.0

 match local address Tunnel3

#

ike keychain t0

 pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!

#

ike keychain t1

 pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!

#

ike keychain t2

 pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!

#

ike keychain t3

 pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!

#

security-policy ip

 rule 0 name ipseclocalout

  action pass

  source-zone local

  destination-zone untrust

  source-ip-host 1.1.1.1

  source-ip-host 2.2.2.2

  destination-ip-host 3.3.3.3

  destination-ip-host 4.4.4.4

 rule 1 name ipseclocalin

  action pass

  source-zone untrust

  destination-zone local

  source-ip-host 3.3.3.3

  source-ip-host 4.4.4.4

  destination-ip-host 1.1.1.1

  destination-ip-host 2.2.2.2

 rule 2 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 192.168.11.0 255.255.255.0

  destination-ip-subnet 192.168.12.0 255.255.255.0

  destination-ip-subnet 192.168.13.0 255.255.255.0

 rule 3 name untrust-trust

  action pass

  source-zone untrust

  destination-zone trust

  source-ip-subnet 192.168.12.0 255.255.255.0

  source-ip-subnet 192.168.13.0 255.255.255.0

  destination-ip-subnet 192.168.11.0 255.255.255.0

#

Device B

#

track 110 nqa entry admin test1 reaction 1

#

track 120 nqa entry admin test2 reaction 1

#

nqa entry admin test1

 type icmp-echo

  destination ip 1.1.1.1

  frequency 3000

  history-record enable

  next-hop ip 3.3.3.4

  probe count 5

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

nqa entry admin test2

 type icmp-echo

  destination ip 2.2.2.2

  frequency 3000

  history-record enable

  next-hop ip 3.3.3.4

  probe count 5

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

 nqa schedule admin test1 start-time now lifetime forever

 nqa schedule admin test2 start-time now lifetime forever

#

interface GigabitEthernet1/0/1

 ip address 3.3.3.3 255.255.255.0

#

interface GigabitEthernet1/0/2

 ip address 192.168.12.1 255.255.255.0

#

interface Tunnel0 mode ipsec

 ip address 50.0.0.1 255.255.255.0

 source 3.3.3.3

 destination 1.1.1.1

 tunnel protection ipsec profile t0

#

interface Tunnel1 mode ipsec

 ip address 60.0.0.1 255.255.255.0

 source 3.3.3.3

 destination 2.2.2.2

 tunnel protection ipsec profile t1

#

security-zone name Trust

 import interface GigabitEthernet1/0/2

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1

 import interface Tunnel0

 import interface Tunnel1

#

 ip route-static 1.1.1.0 24 3.3.3.4

 ip route-static 2.2.2.0 24 3.3.3.4

 ip route-static 192.168.11.0 24 Tunnel0 track 110 preference 100

 ip route-static 192.168.11.0 24 Tunnel1 track 120 preference 110

#

ipsec transform-set t0

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec transform-set t1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec profile t0 isakmp

 transform-set t0

 ike-profile t0

#

ipsec profile t1 isakmp

 transform-set t1

 ike-profile t1

#

ike profile t0

 keychain t0

 dpd interval 30 periodic

 exchange-mode aggressive

 match remote identity address 1.1.1.1 255.255.255.0

 match local address Tunnel0

#

ike profile t1

 keychain t1

 dpd interval 30 periodic

 exchange-mode aggressive

 match remote identity address 2.2.2.2 255.255.255.0

 match local address Tunnel1

#

ike keychain t0

 pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!

#

ike keychain t1

 pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!

#

security-policy ip

 rule 0 name ipseclocalout

  action pass

  source-zone local

  destination-zone untrust

  source-ip-host 3.3.3.3

  destination-ip-host 1.1.1.1

  destination-ip-host 2.2.2.2

 rule 1 name ipseclocalin

  action pass

  source-zone untrust

  destination-zone local

  source-ip-host 1.1.1.1

  source-ip-host 2.2.2.2

  destination-ip-host 3.3.3.3

 rule 2 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 192.168.12.0 255.255.255.0

  destination-ip-subnet 192.168.11.0 255.255.255.0

 rule 3 name untrust-trust

  action pass

  source-zone untrust

  destination-zone trust

  source-ip-subnet 192.168.11.0 255.255.255.0

  destination-ip-subnet 192.168.12.0 255.255.255.0

#

Device C

#

track 110 nqa entry admin test1 reaction 1

#

track 120 nqa entry admin test2 reaction 1

#

nqa entry admin test1

 type icmp-echo

  destination ip 1.1.1.1

  frequency 3000

  history-record enable

  next-hop ip 4.4.4.5

  probe count 5

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

nqa entry admin test2

 type icmp-echo

  destination ip 2.2.2.2

  frequency 3000

  history-record enable

  next-hop ip 4.4.4.5

  probe count 5

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

 nqa schedule admin test1 start-time now lifetime forever

 nqa schedule admin test2 start-time now lifetime forever

#

interface GigabitEthernet1/0/1

 ip address 4.4.4.4 255.255.255.0

#

interface GigabitEthernet1/0/2

 ip address 192.168.13.1 255.255.255.0

#

interface Tunnel0 mode ipsec

 ip address 70.0.0.1 255.255.255.0

 source 4.4.4.4

 destination 1.1.1.1

 tunnel protection ipsec profile t0

#

interface Tunnel1 mode ipsec

 ip address 80.0.0.1 255.255.255.0

 source 4.4.4.4

 destination 2.2.2.2

 tunnel protection ipsec profile t1

#

security-zone name Trust

 import interface GigabitEthernet1/0/2

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1

 import interface Tunnel0

 import interface Tunnel1

#

 ip route-static 1.1.1.0 24 4.4.4.5

 ip route-static 2.2.2.0 24 4.4.4.5

 ip route-static 192.168.11.0 24 Tunnel0 track 110 preference 100

 ip route-static 192.168.11.0 24 Tunnel1 track 120 preference 110

#

ipsec transform-set t0

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec transform-set t1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec profile t0 isakmp

 transform-set t0

 ike-profile t0

#

ipsec profile t1 isakmp

 transform-set t1

 ike-profile t1

#

ike profile t0

 keychain t0

 dpd interval 30 periodic

 exchange-mode aggressive

 match remote identity address 1.1.1.1 255.255.255.0

 match local address Tunnel0

#

ike profile t1

 keychain t1

 dpd interval 30 periodic

 exchange-mode aggressive

 match remote identity address 2.2.2.2 255.255.255.0

 match local address Tunnel1

#

ike keychain t0

 pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!

#

ike keychain t1

 pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!

#

security-policy ip

 rule 0 name ipseclocalout

  action pass

  source-zone local

  destination-zone untrust

  source-ip-host 4.4.4.4

  destination-ip-host 1.1.1.1

  destination-ip-host 2.2.2.2

 rule 1 name ipseclocalin

  action pass

  source-zone untrust

  destination-zone local

  source-ip-host 1.1.1.1

  source-ip-host 2.2.2.2

  destination-ip-host 4.4.4.4

 rule 2 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 192.168.13.0 255.255.255.0

  destination-ip-subnet 192.168.11.0 255.255.255.0

 rule 3 name untrust-trust

  action pass

  source-zone untrust

  destination-zone trust

  source-ip-subnet 192.168.11.0 255.255.255.0

  destination-ip-subnet 192.168.13.0 255.255.255.0
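As an added example (not code from the original answer or from H3C), the Python model below reproduces the failover logic of the Device A configuration file: each NQA entry's consecutive probe-failure threshold drives a track object, and for each prefix only the lowest-preference static route whose track is Positive is installed. The constructed probe sequences and the simplified rule that a track returns to Positive on the next successful probe are assumptions.

```python
from dataclasses import dataclass

@dataclass
class StaticRoute:
    prefix: str       # destination, e.g. "192.168.12.0/24"
    interface: str    # egress tunnel interface as shown by display ip routing-table
    preference: int   # H3C 'preference' value; the lowest installed route wins
    track: int        # track object that gates the route

# Tunnel routes taken from the Device A configuration file (ip route-static ... track N preference P)
DEVICE_A_ROUTES = [
    StaticRoute("192.168.12.0/24", "Tun0", 100, 110),
    StaticRoute("192.168.12.0/24", "Tun1", 110, 120),
    StaticRoute("192.168.13.0/24", "Tun2", 100, 130),
    StaticRoute("192.168.13.0/24", "Tun3", 110, 140),
]

def track_state(probe_results, consecutive=3):
    """Simplified model of 'reaction 1 checked-element probe-fail threshold-type consecutive 3':
    the track turns Negative once `consecutive` probes in a row fail and returns to Positive
    on the next successful probe (assumption). probe_results is oldest-first, True = reply seen."""
    state, run = "Positive", 0
    for ok in probe_results:
        run = 0 if ok else run + 1
        if ok:
            state = "Positive"
        elif run >= consecutive:
            state = "Negative"
    return state

def active_routes(routes, tracks):
    """Per prefix, install only the lowest-preference route whose track object is Positive."""
    best = {}
    for r in routes:
        if tracks.get(r.track) != "Positive":
            continue
        if r.prefix not in best or r.preference < best[r.prefix].preference:
            best[r.prefix] = r
    return {prefix: r.interface for prefix, r in best.items()}

def device_a_egress(ge1_link_up):
    """Scenario from the page: with GE1/0/1 down, the probes sent via next-hop 1.1.1.2
    (test1, test3) fail while those via 2.2.2.3 (test2, test4) keep succeeding.
    The probe outcomes are constructed for this example."""
    via_ge1 = [ge1_link_up] * 5      # 'probe count 5' per NQA entry
    via_ge2 = [True] * 5
    tracks = {110: track_state(via_ge1), 120: track_state(via_ge2),
              130: track_state(via_ge1), 140: track_state(via_ge2)}
    return active_routes(DEVICE_A_ROUTES, tracks)
```

The model covers route selection only; it does not represent the IKE/IPsec parameters in the same file (aggressive mode, pre-shared keys entered with `key simple`, aes-cbc-128 with sha1), which are the answer's own choices and play no part in the failover behaviour.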

This is so complicated

小白的逆襲 posted 2025-01-07
