F100-S-XI

看背板MAC幹啥。。聯係400谘詢b

組網需求

如下圖所示，某企業總部Device A有兩條出口鏈路接入Internet，分支Device B和Device C各有一條出口鏈路接入Internet，要求實現如下需求：

• 企業總部與各企業分支之間使用基於路由的IPsec隧道接口方式建立IPsec隧道；

• 企業總部和各分支之間根據NQA探測結果，選擇高質量、低延遲的鏈路動態建立IPsec隧道。

圖-1 基於路由模式的總部采用雙鏈路與分支建立IPsec隧道配置組網圖

‌

配置步驟

配置Device A

1. 配置接口IP地址

# 根據組網圖中規劃的信息，配置各接口的IP地址，具體配置步驟如下。

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0

[DeviceA-GigabitEthernet1/0/1] quit

請參考以上步驟配置其他接口的IP地址，具體配置步驟略。

2. 創建IPsec隧道接口

# 創建IPsec隧道接口Tunnel0，具體配置步驟如下。

[DeviceA] interface tunnel 0 mode ipsec

[DeviceA-Tunnel0] ip address 10.0.0.1 255.255.255.0

[DeviceA-Tunnel0] source 1.1.1.1

[DeviceA-Tunnel0] destination 3.3.3.3

[DeviceA-Tunnel0] quit

# 創建IPsec隧道接口Tunnel1，具體配置步驟如下。

[DeviceA] interface tunnel 1 mode ipsec

[DeviceA-Tunnel1] ip address 20.0.0.1 255.255.255.0

[DeviceA-Tunnel1] source 2.2.2.2

[DeviceA-Tunnel1] destination 3.3.3.3

[DeviceA-Tunnel1] quit

# 創建IPsec隧道接口Tunnel2，具體配置步驟如下。

[DeviceA] interface tunnel 2 mode ipsec

[DeviceA-Tunnel2] ip address 30.0.0.1 255.255.255.0

[DeviceA-Tunnel2] source 1.1.1.1

[DeviceA-Tunnel2] destination 4.4.4.4

[DeviceA-Tunnel2] quit

# 創建IPsec隧道接口Tunnel3，具體配置步驟如下。

[DeviceA] interface tunnel 3 mode ipsec

[DeviceA-Tunnel3] ip address 40.0.0.1 255.255.255.0

[DeviceA-Tunnel3] source 2.2.2.2

[DeviceA-Tunnel3] destination 4.4.4.4

[DeviceA-Tunnel3] quit

3. 配置接口加入安全域。

# 請根據組網圖中規劃的信息，將接口加入對應的安全域，具體配置步驟如下。

[DeviceA] security-zone name trust

[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/3

[DeviceA-security-zone-Trust] quit

[DeviceA] security-zone name untrust

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/2

[DeviceA-security-zone-Untrust] import interface tunnel 0

[DeviceA-security-zone-Untrust] import interface tunnel 1

[DeviceA-security-zone-Untrust] import interface tunnel 2

[DeviceA-security-zone-Untrust] import interface tunnel 3

[DeviceA-security-zone-Untrust] quit

4. 配置安全策略

1. 配置安全策略放行Untrust與Local安全域之間的流量，用於設備之間可以建立IPsec隧道。

# 配置名稱為ipseclocalout的安全策規則，使Device A可以向Device B和Device C發送IPsec隧道協商報文，具體配置步驟如下。

[DeviceA] security-policy ip

[DeviceA-security-policy-ip] rule name ipseclocalout

[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local

[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust

[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 1.1.1.1

[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2

[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 3.3.3.3

[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 4.4.4.4

[DeviceA-security-policy-ip-1-ipseclocalout] action pass

[DeviceA-security-policy-ip-1-ipseclocalout] quit

# 配置名稱為ipseclocalin的安全策略規則，使Device A可以接收和處理來自Device B和Device C的IPsec隧道協商報文，具體配置步驟如下。

[DeviceA-security-policy-ip] rule name ipseclocalin

[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust

[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local

[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 3.3.3.3

[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 4.4.4.4

[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 1.1.1.1

[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2

[DeviceA-security-policy-ip-2-ipseclocalin] action pass

[DeviceA-security-policy-ip-2-ipseclocalin] quit

2. 配置安全策略放行Host A與Host B、Host C之間的流量

# 配置名稱為trust-untrust的安全策略規則，使Host A訪問Host B、Host C的報文可通，具體配置步驟如下。

[DeviceA-security-policy-ip] rule name trust-untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust

[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 192.168.11.0 24

[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.12.0 24

[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.13.0 24

[DeviceA-security-policy-ip-3-trust-untrust] action pass

[DeviceA-security-policy-ip-3-trust-untrust] quit

# 配置名稱為untrust-trust的安全策略規則，使Host B、Host C訪問Host A的報文可通，具體配置步驟如下。

[DeviceA-security-policy-ip] rule name untrust-trust

[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust

[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust

[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.12.0 24

[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.13.0 24

[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 192.168.11.0 24

[DeviceA-security-policy-ip-4-untrust-trust] action pass

[DeviceA-security-policy-ip-4-untrust-trust] quit

[DeviceA-security-policy-ip] quit

5. 配置IPsec安全框架，建立IPsec隧道，保護需要防護的數據流

# 配置IPsec安全框架t0，建立IPsec隧道，具體配置步驟如下。

[DeviceA] ike keychain t0

[DeviceA-ike-keychain-t0] pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!

[DeviceA-ike-keychain-t0] quit

[DeviceA] ike profile t0

[DeviceA-ike-profile-t0] keychain t0

[DeviceA-ike-profile-t0] match local address Tunnel0

[DeviceA-ike-profile-t0] match remote identity address 3.3.3.3 24

[DeviceA-ike-profile-t0] exchange-mode aggressive

[DeviceA-ike-profile-t0] dpd interval 30 periodic

[DeviceA-ike-profile-t0] quit

[DeviceA] ipsec transform-set t0

[DeviceA-ipsec-transform-set-t0] esp encryption-algorithm aes-cbc-128

[DeviceA-ipsec-transform-set-t0] esp authentication-algorithm sha1

[DeviceA-ipsec-transform-set-t0] quit

[DeviceA] ipsec profile t0 isakmp

[DeviceA-ipsec-profile-isakmp-t0] transform-set t0

[DeviceA-ipsec-profile-isakmp-t0] ike-profile t0

[DeviceA-ipsec-profile-isakmp-t0] quit

# 配置IPsec安全框架t1，建立IPsec隧道，具體配置步驟如下。

[DeviceA] ike keychain t1

[DeviceA-ike-keychain-t1] pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!

[DeviceA-ike-keychain-t1] quit

[DeviceA] ike profile t1

[DeviceA-ike-profile-t1] keychain t1

[DeviceA-ike-profile-t1] match local address Tunnel1

[DeviceA-ike-profile-t1] match remote identity address 3.3.3.3 24

[DeviceA-ike-profile-t1] exchange-mode aggressive

[DeviceA-ike-profile-t1] dpd interval 30 periodic

[DeviceA-ike-profile-t1] quit

[DeviceA] ipsec transform-set t1

[DeviceA-ipsec-transform-set-t1] esp encryption-algorithm aes-cbc-128

[DeviceA-ipsec-transform-set-t1] esp authentication-algorithm sha1

[DeviceA-ipsec-transform-set-t1] quit

[DeviceA] ipsec profile t1 isakmp

[DeviceA-ipsec-profile-isakmp-t1] transform-set t1

[DeviceA-ipsec-profile-isakmp-t1] ike-profile t1

[DeviceA-ipsec-profile-isakmp-t1] quit

# 配置IPsec安全框架t2，建立IPsec隧道，具體配置步驟如下。

[DeviceA] ike keychain t2

[DeviceA-ike-keychain-t2] pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!

[DeviceA-ike-keychain-t2] quit

[DeviceA] ike profile t2

[DeviceA-ike-profile-t2] keychain t2

[DeviceA-ike-profile-t2] match local address Tunnel2

[DeviceA-ike-profile-t2] match remote identity address 4.4.4.4 24

[DeviceA-ike-profile-t2] exchange-mode aggressive

[DeviceA-ike-profile-t2] dpd interval 30 periodic

[DeviceA-ike-profile-t2] quit

[DeviceA] ipsec transform-set t2

[DeviceA-ipsec-transform-set-t2] esp encryption-algorithm aes-cbc-128

[DeviceA-ipsec-transform-set-t2] esp authentication-algorithm sha1

[DeviceA-ipsec-transform-set-t2] quit

[DeviceA] ipsec profile t2 isakmp

[DeviceA-ipsec-profile-isakmp-t2] transform-set t2

[DeviceA-ipsec-profile-isakmp-t2] ike-profile t2

[DeviceA-ipsec-profile-isakmp-t2] quit

# 配置IPsec安全框架t3，建立IPsec隧道，具體配置步驟如下。

[DeviceA] ike keychain t3

[DeviceA-ike-keychain-t3] pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!

[DeviceA-ike-keychain-t3] quit

[DeviceA] ike profile t3

[DeviceA-ike-profile-t3] keychain t3

[DeviceA-ike-profile-t3] match local address Tunnel3

[DeviceA-ike-profile-t3] match remote identity address 4.4.4.4 24

[DeviceA-ike-profile-t3] exchange-mode aggressive

[DeviceA-ike-profile-t3] dpd interval 30 periodic

[DeviceA-ike-profile-t3] quit

[DeviceA] ipsec transform-set t3

[DeviceA-ipsec-transform-set-t3] esp encryption-algorithm aes-cbc-128

[DeviceA-ipsec-transform-set-t3] esp authentication-algorithm sha1

[DeviceA-ipsec-transform-set-t3] quit

[DeviceA] ipsec profile t3 isakmp

[DeviceA-ipsec-profile-isakmp-t3] transform-set t3

[DeviceA-ipsec-profile-isakmp-t3] ike-profile t3

[DeviceA-ipsec-profile-isakmp-t3] quit

6. 配置IPsec隧道接口，用於對需要保護的流量進行IPsec封裝。

# 在IPsec隧道接口Tunnel0中引用IPsec安全框架t0，建立IPsec隧道。

[DeviceA] interface tunnel 0

[DeviceA-Tunnel0] tunnel protection ipsec profile t0

[DeviceA-Tunnel0] quit

# 在IPsec隧道接口Tunnel1中引用IPsec安全框架t1，建立IPsec隧道。

[DeviceA] interface tunnel 1

[DeviceA-Tunnel1] tunnel protection ipsec profile t1

[DeviceA-Tunnel1] quit

# 在IPsec隧道接口Tunnel2中引用IPsec安全框架t2，建立IPsec隧道。

[DeviceA] interface tunnel 2

[DeviceA-Tunnel2] tunnel protection ipsec profile t2

[DeviceA-Tunnel2] quit

# 在IPsec隧道接口Tunnel3中引用IPsec安全框架t3，建立IPsec隧道。

[DeviceA] interface tunnel 3

[DeviceA-Tunnel3] tunnel protection ipsec profile t3

[DeviceA-Tunnel3] quit

7. 配置NQA測試組與Track項聯動，用於探測鏈路狀態。

# 配置NQA測試組（管理員為test1，操作標簽為1），具體配置步驟如下。

[DeviceA] nqa entry admin test1

[DeviceA-nqa-admin-test1] type icmp-echo

[DeviceA-nqa-admin-test1-icmp-echo] destination ip 3.3.3.3

[DeviceA-nqa-admin-test1-icmp-echo] frequency 3000

[DeviceA-nqa-admin-test1-icmp-echo] history-record enable

[DeviceA-nqa-admin-test1-icmp-echo] next-hop ip 1.1.1.2

[DeviceA-nqa-admin-test1-icmp-echo] probe count 5

[DeviceA-nqa-admin-test1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

[DeviceA-nqa-admin-test1-icmp-echo] quit

[DeviceA] nqa schedule admin test1 start-time now lifetime forever

# 配置Track項110，關聯NQA測試組（管理員為test1，操作標簽為1）的聯動項1，配置步驟如下。

[DeviceA] track 110 nqa entry admin test1 reaction 1

[DeviceA-track-110] quit

# 配置NQA測試組（管理員為test2，操作標簽為1），具體配置步驟如下。

[DeviceA] nqa entry admin test2

[DeviceA-nqa-admin-test2] type icmp-echo

[DeviceA-nqa-admin-test2-icmp-echo] destination ip 3.3.3.3

[DeviceA-nqa-admin-test2-icmp-echo] frequency 3000

[DeviceA-nqa-admin-test2-icmp-echo] history-record enable

[DeviceA-nqa-admin-test2-icmp-echo] probe count 5

[DeviceA-nqa-admin-test2-icmp-echo] next-hop ip 2.2.2.3

[DeviceA-nqa-admin-test2-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

[DeviceA-nqa-admin-test2-icmp-echo] quit

[DeviceA] nqa schedule admin test2 start-time now lifetime forever

# 配置Track項120，關聯NQA測試組（管理員為test2，操作標簽為1）的聯動項1，配置步驟如下。

[DeviceA] track 120 nqa entry admin test2 reaction 1

[DeviceA-track-120] quit

# 配置NQA測試組（管理員為test3，操作標簽為1），具體配置步驟如下。

[DeviceA] nqa entry admin test3

[DeviceA-nqa-admin-test3] type icmp-echo

[DeviceA-nqa-admin-test3-icmp-echo] destination ip 4.4.4.4

[DeviceA-nqa-admin-test3-icmp-echo] frequency 3000

[DeviceA-nqa-admin-test3-icmp-echo] history-record enable

[DeviceA-nqa-admin-test3-icmp-echo] probe count 5

[DeviceA-nqa-admin-test3-icmp-echo] next-hop ip 1.1.1.2

[DeviceA-nqa-admin-test3-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

[DeviceA-nqa-admin-test3-icmp-echo] quit

[DeviceA] nqa schedule admin test3 start-time now lifetime forever

# 配置Track項130，關聯NQA測試組（管理員為test3，操作標簽為1）的聯動項1，配置步驟如下。

[DeviceA] track 130 nqa entry admin test3 reaction 1

[DeviceA-track-130] quit

# 配置NQA測試組（管理員為test4，操作標簽為1），具體配置步驟如下。

[DeviceA] nqa entry admin test4

[DeviceA-nqa-admin-test4] type icmp-echo

[DeviceA-nqa-admin-test4-icmp-echo] destination ip 4.4.4.4

[DeviceA-nqa-admin-test4-icmp-echo] frequency 3000

[DeviceA-nqa-admin-test4-icmp-echo] history-record enable

[DeviceA-nqa-admin-test4-icmp-echo] probe count 5

[DeviceA-nqa-admin-test4-icmp-echo] next-hop ip 2.2.2.3

[DeviceA-nqa-admin-test4-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

[DeviceA-nqa-admin-test4-icmp-echo] quit

[DeviceA] nqa schedule admin test4 start-time now lifetime forever

# 配置Track項140，關聯NQA測試組（管理員為test4，操作標簽為1）的聯動項1，配置步驟如下。

[DeviceA] track 140 nqa entry admin test4 reaction 1

[DeviceA-track-140] quit

8. 配置路由

本舉例僅以靜態路由方式配置路由信息。實際組網中，請根據具體情況選擇相應的路由配置方式。

# 請根據組網圖中規劃的信息，配置靜態路由，本舉例的下一跳IP地址僅為示例，實際使用中請以具體組網情況為準，具體配置步驟如下。

[DeviceA] ip route-static 192.168.12.0 24 tunnel 0 track 110 preference 100

[DeviceA] ip route-static 192.168.12.0 24 tunnel 1 track 120 preference 110

[DeviceA] ip route-static 192.168.13.0 24 tunnel 2 track 130 preference 100

[DeviceA] ip route-static 192.168.13.0 24 tunnel 3 track 140 preference 110

[DeviceA] ip route-static 3.3.3.3 24 1.1.1.2 track 110 preference 100

[DeviceA] ip route-static 3.3.3.3 24 2.2.2.3 track 120 preference 110

[DeviceA] ip route-static 4.4.4.4 24 1.1.1.2 track 130 preference 100

[DeviceA] ip route-static 4.4.4.4 24 2.2.2.3 track 140 preference 110

配置Device B

1. 配置接口IP地址

# 根據組網圖中規劃的信息，配置各接口的IP地址，具體配置步驟如下。

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ip address 3.3.3.3 255.255.255.0

[DeviceB-GigabitEthernet1/0/1] quit

請參考以上步驟配置其他接口的IP地址，具體配置步驟略。

2. 創建IPsec隧道接口

# 創建IPsec隧道接口Tunnel0，具體配置步驟如下。

[DeviceB] interface tunnel 0 mode ipsec

[DeviceB-Tunnel0] ip address 50.0.0.1 255.255.255.0

[DeviceB-Tunnel0] source 3.3.3.3

[DeviceB-Tunnel0] destination 1.1.1.1

[DeviceB-Tunnel0] quit

# 創建IPsec隧道接口Tunnel1，具體配置步驟如下。

[DeviceB] interface tunnel 1 mode ipsec

[DeviceB-Tunnel1] ip address 60.0.0.1 255.255.255.0

[DeviceB-Tunnel1] source 3.3.3.3

[DeviceB-Tunnel1] destination 2.2.2.2

[DeviceB-Tunnel1] quit

3. 配置接口加入安全域。

# 請根據組網圖中規劃的信息，將接口加入對應的安全域，具體配置步驟如下。

[DeviceB] security-zone name trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceB-security-zone-Trust] quit

[DeviceB] security-zone name untrust

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceB-security-zone-Untrust] import interface tunnel 0

[DeviceB-security-zone-Untrust] import interface tunnel 1

[DeviceB-security-zone-Untrust] quit

4. 配置安全策略

1. 配置安全策略放行Untrust與Local安全域之間的流量，用於設備之間可以建立IPsec隧道。

# 配置名稱為ipseclocalout的安全策規則，使Device B可以向Device A發送IPsec隧道協商報文，具體配置步驟如下。

[DeviceB] security-policy ip

[DeviceB-security-policy-ip] rule name ipseclocalout

[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local

[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust

[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 3.3.3.3

[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1

[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2

[DeviceB-security-policy-ip-1-ipseclocalout] action pass

[DeviceB-security-policy-ip-1-ipseclocalout] quit

# 配置名稱為ipseclocalin的安全策略規則，使Device B可以接收和處理來自Device A的IPsec隧道協商報文，具體配置步驟如下。

[DeviceB-security-policy-ip] rule name ipseclocalin

[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust

[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local

[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1

[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2

[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 3.3.3.3

[DeviceB-security-policy-ip-2-ipseclocalin] action pass

[DeviceB-security-policy-ip-2-ipseclocalin] quit

2. 配置安全策略放行Host B與Host A之間的流量

# 配置名稱為trust-untrust的安全策略規則，使Host B訪問Host A的報文可通，具體配置步驟如下。

[DeviceB-security-policy-ip] rule name trust-untrust

[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust

[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust

[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 192.168.12.0 24

[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.11.0 24

[DeviceB-security-policy-ip-3-trust-untrust] action pass

[DeviceB-security-policy-ip-3-trust-untrust] quit

# 配置名稱為untrust-trust的安全策略規則，使Host A訪問Host B的報文可通，具體配置步驟如下。

[DeviceB-security-policy-ip] rule name untrust-trust

[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust

[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust

[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.11.0 24

[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 192.168.12.0 24

[DeviceB-security-policy-ip-4-untrust-trust] action pass

[DeviceB-security-policy-ip-4-untrust-trust] quit

[DeviceB-security-policy-ip] quit

5. 配置IPsec安全框架，建立IPsec隧道，保護需要防護的數據流

# 配置IPsec安全框架t0，建立IPsec隧道，具體配置步驟如下。

[DeviceB] ike keychain t0

[DeviceB-ike-keychain-t0] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!

[DeviceB-ike-keychain-t0] quit

[DeviceB] ike profile t0

[DeviceB-ike-profile-t0] keychain t0

[DeviceB-ike-profile-t0] match local address Tunnel0

[DeviceB-ike-profile-t0] match remote identity address 1.1.1.1 24

[DeviceB-ike-profile-t0] exchange-mode aggressive

[DeviceB-ike-profile-t0] dpd interval 30 periodic

[DeviceB-ike-profile-t0] quit

[DeviceB] ipsec transform-set t0

[DeviceB-ipsec-transform-set-t0] esp encryption-algorithm aes-cbc-128

[DeviceB-ipsec-transform-set-t0] esp authentication-algorithm sha1

[DeviceB-ipsec-transform-set-t0] quit

[DeviceB] ipsec profile t0 isakmp

[DeviceB-ipsec-profile-isakmp-t0] transform-set t0

[DeviceB-ipsec-profile-isakmp-t0] ike-profile t0

[DeviceB-ipsec-profile-isakmp-t0] quit

# 配置IPsec安全框架t1，建立IPsec隧道，具體配置步驟如下。

[DeviceB] ike keychain t1

[DeviceB-ike-keychain-t1] pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!

[DeviceB-ike-keychain-t1] quit

[DeviceB] ike profile t1

[DeviceB-ike-profile-t1] keychain t1

[DeviceB-ike-profile-t1] match local address Tunnel1

[DeviceB-ike-profile-t1] match remote identity address 2.2.2.2 24

[DeviceB-ike-profile-t1] exchange-mode aggressive

[DeviceB-ike-profile-t1] dpd interval 30 periodic

[DeviceB-ike-profile-t1] quit

[DeviceB] ipsec transform-set t1

[DeviceB-ipsec-transform-set-t1] esp encryption-algorithm aes-cbc-128

[DeviceB-ipsec-transform-set-t1] esp authentication-algorithm sha1

[DeviceB-ipsec-transform-set-t1] quit

[DeviceB] ipsec profile t1 isakmp

[DeviceB-ipsec-profile-isakmp-t1] transform-set t1

[DeviceB-ipsec-profile-isakmp-t1] ike-profile t1

[DeviceB-ipsec-profile-isakmp-t1] quit

6. 配置IPsec隧道接口，用於對需要保護的流量進行IPsec封裝。

# 在IPsec隧道接口Tunnel0中引用IPsec安全框架t0，建立IPsec隧道。

[DeviceB] interface tunnel 0

[DeviceB-Tunnel0] tunnel protection ipsec profile t0

[DeviceB-Tunnel0] quit

# 在IPsec隧道接口Tunnel1中引用IPsec安全框架t1，建立IPsec隧道。

[DeviceB] interface tunnel 1

[DeviceB-Tunnel1] tunnel protection ipsec profile t1

[DeviceB-Tunnel1] quit

7. 配置NQA測試組與Track項聯動，用於探測鏈路狀態。

# 配置NQA測試組（管理員為test1，操作標簽為1），具體配置步驟如下。

[DeviceB] nqa entry admin test1

[DeviceB-nqa-admin-test1] type icmp-echo

[DeviceB-nqa-admin-test1-icmp-echo] destination ip 1.1.1.1

[DeviceB-nqa-admin-test1-icmp-echo] frequency 3000

[DeviceB-nqa-admin-test1-icmp-echo] history-record enable

[DeviceB-nqa-admin-test1-icmp-echo] probe count 5

[DeviceB-nqa-admin-test1-icmp-echo] next-hop ip 3.3.3.4

[DeviceB-nqa-admin-test1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

[DeviceB-nqa-admin-test1-icmp-echo] quit

[DeviceB] nqa schedule admin test1 start-time now lifetime forever

# 配置Track項110，關聯NQA測試組（管理員為test1，操作標簽為1）的聯動項1，配置步驟如下。

[DeviceB] track 110 nqa entry admin test1 reaction 1

[DeviceB-track-110] quit

# 配置NQA測試組（管理員為test2，操作標簽為1），具體配置步驟如下。

[DeviceB] nqa entry admin test2

[DeviceB-nqa-admin-test2] type icmp-echo

[DeviceB-nqa-admin-test2-icmp-echo] destination ip 2.2.2.2

[DeviceB-nqa-admin-test2-icmp-echo] frequency 3000

[DeviceB-nqa-admin-test2-icmp-echo] history-record enable

[DeviceB-nqa-admin-test2-icmp-echo] probe count 5

[DeviceB-nqa-admin-test2-icmp-echo] next-hop ip 3.3.3.4

[DeviceB-nqa-admin-test2-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

[DeviceB-nqa-admin-test2-icmp-echo] quit

[DeviceB] nqa schedule admin test2 start-time now lifetime forever

# 配置Track項120，關聯NQA測試組（管理員為test2，操作標簽為1）的聯動項1，配置步驟如下。

[DeviceB] track 120 nqa entry admin test2 reaction 1

[DeviceB-track-120] quit

8. 配置路由

本舉例僅以靜態路由方式配置路由信息。實際組網中，請根據具體情況選擇相應的路由配置方式。

# 請根據組網圖中規劃的信息，配置靜態路由，本舉例的下一跳IP地址僅為示例，實際使用中請以具體組網情況為準，具體配置步驟如下。

[DeviceB] ip route-static 192.168.11.0 24 tunnel 0 track 110 preference 100

[DeviceB] ip route-static 192.168.11.0 24 tunnel 1 track 120 preference 110

[DeviceB] ip route-static 1.1.1.1 24 3.3.3.4

[DeviceB] ip route-static 2.2.2.2 24 3.3.3.4

配置Device C

1. 配置接口IP地址

# 根據組網圖中規劃的信息，配置各接口的IP地址，具體配置步驟如下。

<DeviceC> system-view

[DeviceC] interface gigabitethernet 1/0/1

[DeviceC-GigabitEthernet1/0/1] ip address 4.4.4.4 255.255.255.0

[DeviceC-GigabitEthernet1/0/1] quit

請參考以上步驟配置其他接口的IP地址，具體配置步驟略。

2. 創建IPsec隧道接口

# 創建IPsec隧道接口Tunnel0，具體配置步驟如下。

[DeviceC] interface tunnel 0 mode ipsec

[DeviceC-Tunnel0] ip address 70.0.0.1 255.255.255.0

[DeviceC-Tunnel0] source 4.4.4.4

[DeviceC-Tunnel0] destination 1.1.1.1

[DeviceC-Tunnel0] quit

# 創建IPsec隧道接口Tunnel1，具體配置步驟如下。

[DeviceC] interface tunnel 1 mode ipsec

[DeviceC-Tunnel1] ip address 80.0.0.1 255.255.255.0

[DeviceC-Tunnel1] source 4.4.4.4

[DeviceC-Tunnel1] destination 2.2.2.2

[DeviceC-Tunnel1] quit

3. 配置接口加入安全域。

# 請根據組網圖中規劃的信息，將接口加入對應的安全域，具體配置步驟如下。

[DeviceC] security-zone name trust

[DeviceC-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceC-security-zone-Trust] quit

[DeviceC] security-zone name untrust

[DeviceC-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceC-security-zone-Untrust] import interface tunnel 0

[DeviceC-security-zone-Untrust] import interface tunnel 1

[DeviceC-security-zone-Untrust] quit

4. 配置安全策略

1. 配置安全策略放行Untrust與Local安全域之間的流量，用於設備之間可以建立IPsec隧道。

# 配置名稱為ipseclocalout的安全策規則，使Device B可以向Device A發送IPsec隧道協商報文，具體配置步驟如下。

[DeviceC] security-policy ip

[DeviceC-security-policy-ip] rule name ipseclocalout

[DeviceC-security-policy-ip-1-ipseclocalout] source-zone local

[DeviceC-security-policy-ip-1-ipseclocalout] destination-zone untrust

[DeviceC-security-policy-ip-1-ipseclocalout] source-ip-host 4.4.4.4

[DeviceC-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1

[DeviceC-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2

[DeviceC-security-policy-ip-1-ipseclocalout] action pass

[DeviceC-security-policy-ip-1-ipseclocalout] quit

# 配置名稱為ipseclocalin的安全策略規則，使Device B可以接收和處理來自Device A的IPsec隧道協商報文，具體配置步驟如下。

[DeviceC-security-policy-ip] rule name ipseclocalin

[DeviceC-security-policy-ip-2-ipseclocalin] source-zone untrust

[DeviceC-security-policy-ip-2-ipseclocalin] destination-zone local

[DeviceC-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1

[DeviceC-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2

[DeviceC-security-policy-ip-2-ipseclocalin] destination-ip-host 4.4.4.4

[DeviceC-security-policy-ip-2-ipseclocalin] action pass

[DeviceC-security-policy-ip-2-ipseclocalin] quit

2. 配置安全策略放行Host B與Host A之間的流量

# 配置名稱為trust-untrust的安全策略規則，使Host B訪問Host A的報文可通，具體配置步驟如下。

[DeviceC-security-policy-ip] rule name trust-untrust

[DeviceC-security-policy-ip-3-trust-untrust] source-zone trust

[DeviceC-security-policy-ip-3-trust-untrust] destination-zone untrust

[DeviceC-security-policy-ip-3-trust-untrust] source-ip-subnet 192.168.13.0 24

[DeviceC-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.11.0 24

[DeviceC-security-policy-ip-3-trust-untrust] action pass

[DeviceC-security-policy-ip-3-trust-untrust] quit

# 配置名稱為untrust-trust的安全策略規則，使Host A訪問Host B的報文可通，具體配置步驟如下。

[DeviceC-security-policy-ip] rule name untrust-trust

[DeviceC-security-policy-ip-4-untrust-trust] source-zone untrust

[DeviceC-security-policy-ip-4-untrust-trust] destination-zone trust

[DeviceC-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.11.0 24

[DeviceC-security-policy-ip-4-untrust-trust] destination-ip-subnet 192.168.13.0 24

[DeviceC-security-policy-ip-4-untrust-trust] action pass

[DeviceC-security-policy-ip-4-untrust-trust] quit

[DeviceC-security-policy-ip] quit

5. 配置IPsec安全框架，建立IPsec隧道，保護需要防護的數據流

# 配置IPsec安全框架t0，建立IPsec隧道，具體配置步驟如下。

[DeviceC] ike keychain t0

[DeviceC-ike-keychain-t0] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!

[DeviceC-ike-keychain-t0] quit

[DeviceC] ike profile t0

[DeviceC-ike-profile-t0] keychain t0

[DeviceC-ike-profile-t0] match local address Tunnel0

[DeviceC-ike-profile-t0] match remote identity address 1.1.1.1 24

[DeviceC-ike-profile-t0] exchange-mode aggressive

[DeviceC-ike-profile-t0] dpd interval 30 periodic

[DeviceC-ike-profile-t0] quit

[DeviceC] ipsec transform-set t0

[DeviceC-ipsec-transform-set-t0] esp encryption-algorithm aes-cbc-128

[DeviceC-ipsec-transform-set-t0] esp authentication-algorithm sha1

[DeviceC-ipsec-transform-set-t0] quit

[DeviceC] ipsec profile t0 isakmp

[DeviceC-ipsec-profile-isakmp-t0] transform-set t0

[DeviceC-ipsec-profile-isakmp-t0] ike-profile t0

[DeviceC-ipsec-profile-isakmp-t0] quit

# 配置IPsec安全框架t1，建立IPsec隧道，具體配置步驟如下。

[DeviceC] ike keychain t1

[DeviceC-ike-keychain-t1] pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!

[DeviceC-ike-keychain-t1] quit

[DeviceC] ike profile t1

[DeviceC-ike-profile-t1] keychain t1

[DeviceC-ike-profile-t1] match local address Tunnel1

[DeviceC-ike-profile-t1] match remote identity address 2.2.2.2 24

[DeviceC-ike-profile-t1] exchange-mode aggressive

[DeviceC-ike-profile-t1] dpd interval 30 periodic

[DeviceC-ike-profile-t1] quit

[DeviceC] ipsec transform-set t1

[DeviceC-ipsec-transform-set-t1] esp encryption-algorithm aes-cbc-128

[DeviceC-ipsec-transform-set-t1] esp authentication-algorithm sha1

[DeviceC-ipsec-transform-set-t1] quit

[DeviceC] ipsec profile t1 isakmp

[DeviceC-ipsec-profile-isakmp-t1] transform-set t1

[DeviceC-ipsec-profile-isakmp-t1] ike-profile t1

[DeviceC-ipsec-profile-isakmp-t1] quit

6. 配置IPsec隧道接口，用於對需要保護的流量進行IPsec封裝

# 在IPsec隧道接口Tunnel0中引用IPsec安全框架t0，建立IPsec隧道。

[DeviceC] interface tunnel 0

[DeviceC-Tunnel0] tunnel protection ipsec profile t0

[DeviceC-Tunnel0] quit

# 在IPsec隧道接口Tunnel1中引用IPsec安全框架t1，建立IPsec隧道。

[DeviceC] interface tunnel 1

[DeviceC-Tunnel1] tunnel protection ipsec profile t1

[DeviceC-Tunnel1] quit

7. 配置NQA測試組與Track項聯動，用於探測鏈路狀態

# 配置NQA測試組（管理員為test1，操作標簽為1），具體配置步驟如下。

[DeviceC] nqa entry admin test1

[DeviceC-nqa-admin-test1] type icmp-echo

[DeviceC-nqa-admin-test1-icmp-echo] destination ip 1.1.1.1

[DeviceC-nqa-admin-test1-icmp-echo] frequency 3000

[DeviceC-nqa-admin-test1-icmp-echo] history-record enable

[DeviceC-nqa-admin-test1-icmp-echo] probe count 5

[DeviceC-nqa-admin-test1-icmp-echo] next-hop ip 4.4.4.5

[DeviceC-nqa-admin-test1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

[DeviceC-nqa-admin-test1-icmp-echo] quit

[DeviceC] nqa schedule admin test1 start-time now lifetime forever

# 配置Track項110，關聯NQA測試組（管理員為test1，操作標簽為1）的聯動項1，配置步驟如下。

[DeviceC] track 110 nqa entry admin test1 reaction 1

[DeviceC-track-110] quit

# 配置NQA測試組（管理員為test2，操作標簽為1），具體配置步驟如下。

[DeviceC] nqa entry admin test2

[DeviceC-nqa-admin-test2] type icmp-echo

[DeviceC-nqa-admin-test2-icmp-echo] destination ip 2.2.2.2

[DeviceC-nqa-admin-test2-icmp-echo] frequency 3000

[DeviceC-nqa-admin-test2-icmp-echo] history-record enable

[DeviceC-nqa-admin-test2-icmp-echo] probe count 5

[DeviceC-nqa-admin-test2-icmp-echo] next-hop ip 4.4.4.5

[DeviceC-nqa-admin-test2-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

[DeviceC-nqa-admin-test2-icmp-echo] quit

[DeviceC] nqa schedule admin test2 start-time now lifetime forever

# 配置Track項120，關聯NQA測試組（管理員為test2，操作標簽為1）的聯動項1，配置步驟如下。

[DeviceC] track 120 nqa entry admin test2 reaction 1

[DeviceC-track-120] quit

8. 配置路由

本舉例僅以靜態路由方式配置路由信息。實際組網中，請根據具體情況選擇相應的路由配置方式。

# 請根據組網圖中規劃的信息，配置靜態路由，本舉例的下一跳IP地址僅為示例，實際使用中請以具體組網情況為準，具體配置步驟如下。

[DeviceC] ip route-static 192.168.11.0 24 tunnel 0 track 110 preference 100

[DeviceC] ip route-static 192.168.11.0 24 tunnel 1 track 120 preference 110

[DeviceC] ip route-static 1.1.1.1 24 4.4.4.5

[DeviceC] ip route-static 2.2.2.2 24 4.4.4.5

驗證配置

以上配置完成後，Device A會自動與Device B、Device C進行IKE協商。當IKE協商完成後，Device A、Device B和Device C上的IPsec 虛擬隧道接口都將up，即可對總部和分支的數據流進行安全保護。

# 通過display ip interface brief命令可查看Device A的接口狀態如下。

<DeviceA> display ip interface brief

*down: administratively down

(s): spoofing  (l): loopback

Interface           Physical Protocol IP address/Mask    VPN instance Description

GE1/0/1             up       up       1.1.1.1/24          --           --

GE1/0/2             up       up       2.2.2.2/24          --           --

GE1/0/3             up       up       192.168.11.1/24     --           --

Tun0                up       up       10.0.0.1/24         --           --

Tun1                up       up       20.0.0.1/24         --           --

Tun2                up       up       30.0.0.1/24         --           --

Tun3                up       up       40.0.0.1/24         --           --

# 通過display ip routing-table命令可查看Device A的路由狀態如下。

<DeviceA> display ip routing-table

Destinations : 14        Routes : 14

Destination/Mask   Proto   Pre Cost        NextHop         Interface

1.1.1.0/24         Direct  0   0           1.1.1.1         GE1/0/1

1.1.1.255/32       Direct  0   0           1.1.1.1         GE1/0/1

2.2.2.0/24         Direct  0   0           2.2.2.2         GE1/0/2

2.2.2.255/32       Direct  0   0           2.2.2.2         GE1/0/2

3.3.3.0/24         Static  100 0           1.1.1.2         GE1/0/1

4.4.4.0/24         Static  100 0           1.1.1.2         GE1/0/1

10.0.0.0/24        Direct  0   0           10.0.0.1        Tun0

10.0.0.255/32      Direct  0   0           10.0.0.1        Tun0

20.0.0.0/24        Direct  0   0           20.0.0.1        Tun1

20.0.0.255/32      Direct  0   0           20.0.0.1        Tun1

192.168.11.0/24    Direct  0   0           192.168.11.1    GE1/0/3

192.168.11.255/32  Direct  0   0           192.168.11.1    GE1/0/3

192.168.12.0/24    Static  100 0           0.0.0.0         Tun0

192.168.13.0/24    Static  100 0           0.0.0.0         Tun2

# Host A可以Ping通Host B，此時IPsec流量在Tunnel0所在鏈路傳輸。

C:\Users\hosta> ping 192.168.12.2

正在 Ping 192.168.12.2 具有 32 字節的數據:

來自 192.168.12.2 的回複: 字節=32 時間=1ms TTL=254

來自 192.168.12.2 的回複: 字節=32 時間<1ms TTL=254

來自 192.168.12.2 的回複: 字節=32 時間<1ms TTL=254

來自 192.168.12.2 的回複: 字節=32 時間<1ms TTL=254

192.168.12.2 的 Ping 統計信息:

    數據包: 已發送 = 4，已接收 = 4，丟失 = 0 (0% 丟失)，

往返行程的估計時間(以毫秒為單位):

    最短 = 0ms，最長 = 1ms，平均 = 0ms

# 當Device A的GigabitEthernet1/0/1接口所在鏈路發生故障時，Host A仍然可以Ping通Host B，此時IPsec流量在Tunnel1所在鏈路傳輸。

C:\Users\hosta> ping 192.168.12.2

正在 Ping 192.168.12.2 具有 32 字節的數據:

來自 192.168.12.2 的回複: 字節=32 時間=1ms TTL=254

來自 192.168.12.2 的回複: 字節=32 時間<1ms TTL=254

來自 192.168.12.2 的回複: 字節=32 時間<1ms TTL=254

來自 192.168.12.2 的回複: 字節=32 時間<1ms TTL=254

192.168.12.2 的 Ping 統計信息:

    數據包: 已發送 = 4，已接收 = 4，丟失 = 0 (0% 丟失)，

往返行程的估計時間(以毫秒為單位):

    最短 = 0ms，最長 = 1ms，平均 = 0ms

# 通過display ip interface brief命令可查看Device A的接口狀態如下。

<DeviceA> display ip interface brief

*down: administratively down

(s): spoofing  (l): loopback

Interface           Physical Protocol IP address/Mask    VPN instance Description

GE1/0/1             down     down     1.1.1.1/24          --           --

GE1/0/2             up       up       2.2.2.2/24          --           --

GE1/0/3             up       up       192.168.11.1/24     --           --

Tun0                down     down     10.0.0.1/24         --           --

Tun1                up       up       20.0.0.1/24         --           --

Tun2                down     down     30.0.0.1/24         --           --

Tun3                up       up       40.0.0.1/24         --           --

# 通過display ip routing-table命令可查看Device A的路由狀態如下。

<DeviceA> display ip routing-table

Destinations : 10        Routes : 10

Destination/Mask   Proto   Pre Cost        NextHop         Interface

2.2.2.0/24         Direct  0   0           2.2.2.2         GE1/0/2

2.2.2.255/32       Direct  0   0           2.2.2.2         GE1/0/2

3.3.3.0/24         Static  110 0           2.2.2.3         GE1/0/2

4.4.4.0/24         Static  110 0           2.2.2.3         GE1/0/2

20.0.0.0/24        Direct  0   0           20.0.0.1        Tun1

20.0.0.255/32      Direct  0   0           20.0.0.1        Tun1

192.168.11.0/24    Direct  0   0           192.168.11.1    GE1/0/3

192.168.11.255/32  Direct  0   0           192.168.11.1    GE1/0/3

192.168.12.0/24    Static  110 0           0.0.0.0         Tun1

192.168.13.0/24    Static  110 0           0.0.0.0         Tun3

# 當Device A的GigabitEthernet1/0/1接口所在鏈路故障恢複時，IPsec流量將切換到Tunnel0所在鏈路傳輸。、

配置文件

Device A

#

track 110 nqa entry admin test1 reaction 1

#

track 120 nqa entry admin test2 reaction 1

#

track 130 nqa entry admin test3 reaction 1

#

track 140 nqa entry admin test4 reaction 1

#

nqa entry admin test1

 type icmp-echo

  destination ip 3.3.3.3

  frequency 3000

  history-record enable

  next-hop ip 1.1.1.2

  probe count 5

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

nqa entry admin test2

 type icmp-echo

  destination ip 3.3.3.3

  frequency 3000

  history-record enable

  next-hop ip 2.2.2.3

  probe count 5

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

nqa entry admin test3

 type icmp-echo

  destination ip 4.4.4.4

  frequency 3000

  history-record enable

  next-hop ip 1.1.1.2

  probe count 5

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

nqa entry admin test4

 type icmp-echo

  destination ip 4.4.4.4

  frequency 3000

  history-record enable

  next-hop ip 2.2.2.3

  probe count 5

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

 nqa schedule admin test1 start-time now lifetime forever

 nqa schedule admin test2 start-time now lifetime forever

 nqa schedule admin test3 start-time now lifetime forever

 nqa schedule admin test4 start-time now lifetime forever

#

interface GigabitEthernet1/0/1

 ip address 1.1.1.1 255.255.255.0

#

interface GigabitEthernet1/0/2

 ip address 2.2.2.2 255.255.255.0

#

interface GigabitEthernet1/0/3

 ip address 192.168.11.1 255.255.255.0

#

interface Tunnel0 mode ipsec

 ip address 10.0.0.1 255.255.255.0

 source 1.1.1.1

 destination 3.3.3.3

 tunnel protection ipsec profile t0

#

interface Tunnel1 mode ipsec

 ip address 20.0.0.1 255.255.255.0

 source 2.2.2.2

 destination 3.3.3.3

 tunnel protection ipsec profile t1

#

interface Tunnel2 mode ipsec

 ip address 30.0.0.1 255.255.255.0

 source 1.1.1.1

 destination 4.4.4.4

 tunnel protection ipsec profile t2

#

interface Tunnel3 mode ipsec

 ip address 40.0.0.1 255.255.255.0

 source 2.2.2.2

 destination 4.4.4.4

 tunnel protection ipsec profile t3

#

security-zone name Trust

 import interface GigabitEthernet1/0/3

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1

 import interface GigabitEthernet1/0/2

 import interface Tunnel0

 import interface Tunnel1

 import interface Tunnel2

 import interface Tunnel3

#

 ip route-static 3.3.3.0 24 1.1.1.2 track 110 preference 100

 ip route-static 3.3.3.0 24 2.2.2.3 track 120 preference 110

 ip route-static 4.4.4.0 24 1.1.1.2 track 130 preference 100

 ip route-static 4.4.4.0 24 2.2.2.3 track 140 preference 110

 ip route-static 192.168.12.0 24 Tunnel0 track 110 preference 100

 ip route-static 192.168.12.0 24 Tunnel1 track 120 preference 110

 ip route-static 192.168.13.0 24 Tunnel2 track 130 preference 100

 ip route-static 192.168.13.0 24 Tunnel3 track 140 preference 110

#

ipsec transform-set t0

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec transform-set t1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec transform-set t2

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec transform-set t3

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec profile t0 isakmp

 transform-set t0

 ike-profile t0

#

ipsec profile t1 isakmp

 transform-set t1

 ike-profile t1

#

ipsec profile t2 isakmp

 transform-set t2

 ike-profile t2

#

ipsec profile t3 isakmp

 transform-set t3

 ike-profile t3

#

ike profile t0

 keychain t0

 dpd interval 30 periodic

 exchange-mode aggressive

 match remote identity address 3.3.3.3 255.255.255.0

 match local address Tunnel0

#

ike profile t1

 keychain t1

 dpd interval 30 periodic

 exchange-mode aggressive

 match remote identity address 3.3.3.3 255.255.255.0

 match local address Tunnel1

#

ike profile t2

 keychain t2

 dpd interval 30 periodic

 exchange-mode aggressive

 match remote identity address 4.4.4.4 255.255.255.0

 match local address Tunnel2

#

ike profile t3

 keychain t3

 dpd interval 30 periodic

 exchange-mode aggressive

 match remote identity address 4.4.4.4 255.255.255.0

 match local address Tunnel3

#

ike keychain t0

 pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!

#

ike keychain t1

 pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!

#

ike keychain t2

 pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!

#

ike keychain t3

 pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!

#

security-policy ip

 rule 0 name ipseclocalout

  action pass

  source-zone local

  destination-zone untrust

  source-ip-host 1.1.1.1

  source-ip-host 2.2.2.2

  destination-ip-host 3.3.3.3

  destination-ip-host 4.4.4.4

 rule 1 name ipseclocalin

  action pass

  source-zone untrust

  destination-zone local

  source-ip-host 3.3.3.3

  source-ip-host 4.4.4.4

  destination-ip-host 1.1.1.1

  destination-ip-host 2.2.2.2

 rule 2 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 192.168.11.0 255.255.255.0

  destination-ip-subnet 192.168.12.0 255.255.255.0

  destination-ip-subnet 192.168.13.0 255.255.255.0

 rule 3 name untrust-trust

  action pass

  source-zone untrust

  destination-zone trust

  source-ip-subnet 192.168.12.0 255.255.255.0

  source-ip-subnet 192.168.13.0 255.255.255.0

  destination-ip-subnet 192.168.11.0 255.255.255.0

#

Device B

#

track 110 nqa entry admin test1 reaction 1

#

track 120 nqa entry admin test2 reaction 1

#

nqa entry admin test1

 type icmp-echo

  destination ip 1.1.1.1

  frequency 3000

  history-record enable

  next-hop ip 3.3.3.4

  probe count 5

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

nqa entry admin test2

 type icmp-echo

  destination ip 2.2.2.2

  frequency 3000

  history-record enable

  next-hop ip 3.3.3.4

  probe count 5

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

 nqa schedule admin test1 start-time now lifetime forever

 nqa schedule admin test2 start-time now lifetime forever

#

interface GigabitEthernet1/0/1

 ip address 3.3.3.3 255.255.255.0

#

interface GigabitEthernet1/0/2

 ip address 192.168.12.1 255.255.255.0

#

interface Tunnel0 mode ipsec

 ip address 50.0.0.1 255.255.255.0

 source 3.3.3.3

 destination 1.1.1.1

 tunnel protection ipsec profile t0

#

interface Tunnel1 mode ipsec

 ip address 60.0.0.1 255.255.255.0

 source 3.3.3.3

 destination 2.2.2.2

 tunnel protection ipsec profile t1

#

security-zone name Trust

 import interface GigabitEthernet1/0/2

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1

 import interface Tunnel0

 import interface Tunnel1

#

 ip route-static 1.1.1.0 24 3.3.3.4

 ip route-static 2.2.2.0 24 3.3.3.4

 ip route-static 192.168.11.0 24 Tunnel0 track 110 preference 100

 ip route-static 192.168.11.0 24 Tunnel1 track 120 preference 110

#

ipsec transform-set t0

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec transform-set t1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec profile t0 isakmp

 transform-set t0

 ike-profile t0

#

ipsec profile t1 isakmp

 transform-set t1

 ike-profile t1

#

ike profile t0

 keychain t0

 dpd interval 30 periodic

 exchange-mode aggressive

 match remote identity address 1.1.1.1 255.255.255.0

 match local address Tunnel0

#

ike profile t1

 keychain t1

 dpd interval 30 periodic

 exchange-mode aggressive

 match remote identity address 2.2.2.2 255.255.255.0

 match local address Tunnel1

#

ike keychain t0

 pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!

#

ike keychain t1

 pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!

#

security-policy ip

 rule 0 name ipseclocalout

  action pass

  source-zone local

  destination-zone untrust

  source-ip-host 3.3.3.3

  destination-ip-host 1.1.1.1

  destination-ip-host 2.2.2.2

 rule 1 name ipseclocalin

  action pass

  source-zone untrust

  destination-zone local

  source-ip-host 1.1.1.1

  source-ip-host 2.2.2.2

  destination-ip-host 3.3.3.3

 rule 2 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 192.168.12.0 255.255.255.0

  destination-ip-subnet 192.168.11.0 255.255.255.0

 rule 3 name untrust-trust

  action pass

  source-zone untrust

  destination-zone trust

  source-ip-subnet 192.168.11.0 255.255.255.0

  destination-ip-subnet 192.168.12.0 255.255.255.0

#

Device C

#

track 110 nqa entry admin test1 reaction 1

#

track 120 nqa entry admin test2 reaction 1

#

nqa entry admin test1

 type icmp-echo

  destination ip 1.1.1.1

  frequency 3000

  history-record enable

  next-hop ip 4.4.4.5

  probe count 5

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

nqa entry admin test2

 type icmp-echo

  destination ip 2.2.2.2

  frequency 3000

  history-record enable

  next-hop ip 4.4.4.5

  probe count 5

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

 nqa schedule admin test1 start-time now lifetime forever

 nqa schedule admin test2 start-time now lifetime forever

#

interface GigabitEthernet1/0/1

 ip address 4.4.4.4 255.255.255.0

#

interface GigabitEthernet1/0/2

 ip address 192.168.13.1 255.255.255.0

#

interface Tunnel0 mode ipsec

 ip address 70.0.0.1 255.255.255.0

 source 4.4.4.4

 destination 1.1.1.1

 tunnel protection ipsec profile t0

#

interface Tunnel1 mode ipsec

 ip address 80.0.0.1 255.255.255.0

 source 4.4.4.4

 destination 2.2.2.2

 tunnel protection ipsec profile t1

#

security-zone name Trust

 import interface GigabitEthernet1/0/2

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1

 import interface Tunnel0

 import interface Tunnel1

#

 ip route-static 1.1.1.0 24 4.4.4.5

 ip route-static 2.2.2.0 24 4.4.4.5

 ip route-static 192.168.11.0 24 Tunnel0 track 110 preference 100

 ip route-static 192.168.11.0 24 Tunnel1 track 120 preference 110

#

ipsec transform-set t0

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec transform-set t1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec profile t0 isakmp

 transform-set t0

 ike-profile t0

#

ipsec profile t1 isakmp

 transform-set t1

 ike-profile t1

#

ike profile t0

 keychain t0

 dpd interval 30 periodic

 exchange-mode aggressive

 match remote identity address 1.1.1.1 255.255.255.0

 match local address Tunnel0

#

ike profile t1

 keychain t1

 dpd interval 30 periodic

 exchange-mode aggressive

 match remote identity address 2.2.2.2 255.255.255.0

 match local address Tunnel1

#

ike keychain t0

 pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!

#

ike keychain t1

 pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!

#

security-policy ip

 rule 0 name ipseclocalout

  action pass

  source-zone local

  destination-zone untrust

  source-ip-host 4.4.4.4

  destination-ip-host 1.1.1.1

  destination-ip-host 2.2.2.2

 rule 1 name ipseclocalin

  action pass

  source-zone untrust

  destination-zone local

  source-ip-host 1.1.1.1

  source-ip-host 2.2.2.2

  destination-ip-host 4.4.4.4

 rule 2 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 192.168.13.0 255.255.255.0

  destination-ip-subnet 192.168.11.0 255.255.255.0

 rule 3 name untrust-trust

  action pass

  source-zone untrust

  destination-zone trust

  source-ip-subnet 192.168.11.0 255.255.255.0

  destination-ip-subnet 192.168.13.0 255.255.255.0