The F100-S-XI will later need to establish IPsec with quite a few sites. Does this model support configuring IPsec templates? If it does, how are they configured? If it does not, how do I configure point-to-point IPsec instead?
Also, how do I view the bridge (backplane) MAC on an H3C switch?
Best answer
Yes, it is supported.
Why do you need the backplane MAC? Contact the 400 support hotline to ask.
As shown in the figure below, the enterprise headquarters Device A has two egress links to the Internet, and the branches Device B and Device C each have one egress link to the Internet. The requirements are as follows:
Headquarters and each branch establish IPsec tunnels using route-based IPsec tunnel interfaces;
Headquarters and each branch dynamically establish IPsec tunnels over a high-quality, low-latency link selected according to NQA probe results.
Figure 1 Network diagram for route-based IPsec tunnels between a dual-link headquarters and its branches
Configure interface IP addresses
# Configure the IP address of each interface according to the network plan, as follows.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
Configure the IP addresses of the other interfaces by following the steps above (details omitted).
Create IPsec tunnel interfaces
# Create IPsec tunnel interface Tunnel0, as follows.
[DeviceA] interface tunnel 0 mode ipsec
[DeviceA-Tunnel0] ip address 10.0.0.1 255.255.255.0
[DeviceA-Tunnel0] source 1.1.1.1
[DeviceA-Tunnel0] destination 3.3.3.3
[DeviceA-Tunnel0] quit
# Create IPsec tunnel interface Tunnel1, as follows.
[DeviceA] interface tunnel 1 mode ipsec
[DeviceA-Tunnel1] ip address 20.0.0.1 255.255.255.0
[DeviceA-Tunnel1] source 2.2.2.2
[DeviceA-Tunnel1] destination 3.3.3.3
[DeviceA-Tunnel1] quit
# Create IPsec tunnel interface Tunnel2, as follows.
[DeviceA] interface tunnel 2 mode ipsec
[DeviceA-Tunnel2] ip address 30.0.0.1 255.255.255.0
[DeviceA-Tunnel2] source 1.1.1.1
[DeviceA-Tunnel2] destination 4.4.4.4
[DeviceA-Tunnel2] quit
# Create IPsec tunnel interface Tunnel3, as follows.
[DeviceA] interface tunnel 3 mode ipsec
[DeviceA-Tunnel3] ip address 40.0.0.1 255.255.255.0
[DeviceA-Tunnel3] source 2.2.2.2
[DeviceA-Tunnel3] destination 4.4.4.4
[DeviceA-Tunnel3] quit
Assign interfaces to security zones.
# Add each interface to its security zone according to the network plan, as follows.
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/3
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Untrust] import interface tunnel 0
[DeviceA-security-zone-Untrust] import interface tunnel 1
[DeviceA-security-zone-Untrust] import interface tunnel 2
[DeviceA-security-zone-Untrust] import interface tunnel 3
[DeviceA-security-zone-Untrust] quit
Configure security policies
Configure security policies to permit traffic between the Untrust and Local zones so that the devices can establish IPsec tunnels.
# Configure a security policy rule named ipseclocalout so that Device A can send IPsec tunnel negotiation packets to Device B and Device C, as follows.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout
[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 3.3.3.3
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 4.4.4.4
[DeviceA-security-policy-ip-1-ipseclocalout] action pass
[DeviceA-security-policy-ip-1-ipseclocalout] quit
# Configure a security policy rule named ipseclocalin so that Device A can receive and process IPsec tunnel negotiation packets from Device B and Device C, as follows.
[DeviceA-security-policy-ip] rule name ipseclocalin
[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 3.3.3.3
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 4.4.4.4
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2
[DeviceA-security-policy-ip-2-ipseclocalin] action pass
[DeviceA-security-policy-ip-2-ipseclocalin] quit
Configure security policies to permit traffic between Host A and Hosts B and C
# Configure a security policy rule named trust-untrust so that packets from Host A to Host B and Host C are permitted, as follows.
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 192.168.11.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.12.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.13.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-trust-untrust] quit
# Configure a security policy rule named untrust-trust so that packets from Host B and Host C to Host A are permitted, as follows.
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.12.0 24
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.13.0 24
[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 192.168.11.0 24
[DeviceA-security-policy-ip-4-untrust-trust] action pass
[DeviceA-security-policy-ip-4-untrust-trust] quit
[DeviceA-security-policy-ip] quit
Configure IPsec profiles to establish IPsec tunnels and protect the data flows that require protection
# Configure IPsec profile t0 to establish an IPsec tunnel, as follows.
[DeviceA] ike keychain t0
[DeviceA-ike-keychain-t0] pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-t0] quit
[DeviceA] ike profile t0
[DeviceA-ike-profile-t0] keychain t0
[DeviceA-ike-profile-t0] match local address Tunnel0
[DeviceA-ike-profile-t0] match remote identity address 3.3.3.3 24
[DeviceA-ike-profile-t0] exchange-mode aggressive
[DeviceA-ike-profile-t0] dpd interval 30 periodic
[DeviceA-ike-profile-t0] quit
[DeviceA] ipsec transform-set t0
[DeviceA-ipsec-transform-set-t0] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-t0] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-t0] quit
[DeviceA] ipsec profile t0 isakmp
[DeviceA-ipsec-profile-isakmp-t0] transform-set t0
[DeviceA-ipsec-profile-isakmp-t0] ike-profile t0
[DeviceA-ipsec-profile-isakmp-t0] quit
# Configure IPsec profile t1 to establish an IPsec tunnel, as follows.
[DeviceA] ike keychain t1
[DeviceA-ike-keychain-t1] pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-t1] quit
[DeviceA] ike profile t1
[DeviceA-ike-profile-t1] keychain t1
[DeviceA-ike-profile-t1] match local address Tunnel1
[DeviceA-ike-profile-t1] match remote identity address 3.3.3.3 24
[DeviceA-ike-profile-t1] exchange-mode aggressive
[DeviceA-ike-profile-t1] dpd interval 30 periodic
[DeviceA-ike-profile-t1] quit
[DeviceA] ipsec transform-set t1
[DeviceA-ipsec-transform-set-t1] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-t1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-t1] quit
[DeviceA] ipsec profile t1 isakmp
[DeviceA-ipsec-profile-isakmp-t1] transform-set t1
[DeviceA-ipsec-profile-isakmp-t1] ike-profile t1
[DeviceA-ipsec-profile-isakmp-t1] quit
# Configure IPsec profile t2 to establish an IPsec tunnel, as follows.
[DeviceA] ike keychain t2
[DeviceA-ike-keychain-t2] pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-t2] quit
[DeviceA] ike profile t2
[DeviceA-ike-profile-t2] keychain t2
[DeviceA-ike-profile-t2] match local address Tunnel2
[DeviceA-ike-profile-t2] match remote identity address 4.4.4.4 24
[DeviceA-ike-profile-t2] exchange-mode aggressive
[DeviceA-ike-profile-t2] dpd interval 30 periodic
[DeviceA-ike-profile-t2] quit
[DeviceA] ipsec transform-set t2
[DeviceA-ipsec-transform-set-t2] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-t2] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-t2] quit
[DeviceA] ipsec profile t2 isakmp
[DeviceA-ipsec-profile-isakmp-t2] transform-set t2
[DeviceA-ipsec-profile-isakmp-t2] ike-profile t2
[DeviceA-ipsec-profile-isakmp-t2] quit
# Configure IPsec profile t3 to establish an IPsec tunnel, as follows.
[DeviceA] ike keychain t3
[DeviceA-ike-keychain-t3] pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-t3] quit
[DeviceA] ike profile t3
[DeviceA-ike-profile-t3] keychain t3
[DeviceA-ike-profile-t3] match local address Tunnel3
[DeviceA-ike-profile-t3] match remote identity address 4.4.4.4 24
[DeviceA-ike-profile-t3] exchange-mode aggressive
[DeviceA-ike-profile-t3] dpd interval 30 periodic
[DeviceA-ike-profile-t3] quit
[DeviceA] ipsec transform-set t3
[DeviceA-ipsec-transform-set-t3] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-t3] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-t3] quit
[DeviceA] ipsec profile t3 isakmp
[DeviceA-ipsec-profile-isakmp-t3] transform-set t3
[DeviceA-ipsec-profile-isakmp-t3] ike-profile t3
[DeviceA-ipsec-profile-isakmp-t3] quit
Configure the IPsec tunnel interfaces to apply IPsec encapsulation to the traffic to be protected.
# Apply IPsec profile t0 to IPsec tunnel interface Tunnel0 to establish the IPsec tunnel.
[DeviceA] interface tunnel 0
[DeviceA-Tunnel0] tunnel protection ipsec profile t0
[DeviceA-Tunnel0] quit
# Apply IPsec profile t1 to IPsec tunnel interface Tunnel1 to establish the IPsec tunnel.
[DeviceA] interface tunnel 1
[DeviceA-Tunnel1] tunnel protection ipsec profile t1
[DeviceA-Tunnel1] quit
# Apply IPsec profile t2 to IPsec tunnel interface Tunnel2 to establish the IPsec tunnel.
[DeviceA] interface tunnel 2
[DeviceA-Tunnel2] tunnel protection ipsec profile t2
[DeviceA-Tunnel2] quit
# Apply IPsec profile t3 to IPsec tunnel interface Tunnel3 to establish the IPsec tunnel.
[DeviceA] interface tunnel 3
[DeviceA-Tunnel3] tunnel protection ipsec profile t3
[DeviceA-Tunnel3] quit
Configure NQA operations and associate them with Track entries to detect link status.
# Configure an NQA operation (administrator name test1, operation tag 1), as follows.
[DeviceA] nqa entry admin test1
[DeviceA-nqa-admin-test1] type icmp-echo
[DeviceA-nqa-admin-test1-icmp-echo] destination ip 3.3.3.3
[DeviceA-nqa-admin-test1-icmp-echo] frequency 3000
[DeviceA-nqa-admin-test1-icmp-echo] history-record enable
[DeviceA-nqa-admin-test1-icmp-echo] next-hop ip 1.1.1.2
[DeviceA-nqa-admin-test1-icmp-echo] probe count 5
[DeviceA-nqa-admin-test1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceA-nqa-admin-test1-icmp-echo] quit
[DeviceA] nqa schedule admin test1 start-time now lifetime forever
# Configure Track entry 110 and associate it with reaction entry 1 of the NQA operation (administrator name test1, operation tag 1), as follows.
[DeviceA] track 110 nqa entry admin test1 reaction 1
[DeviceA-track-110] quit
# Configure an NQA operation (administrator name test2, operation tag 1), as follows.
[DeviceA] nqa entry admin test2
[DeviceA-nqa-admin-test2] type icmp-echo
[DeviceA-nqa-admin-test2-icmp-echo] destination ip 3.3.3.3
[DeviceA-nqa-admin-test2-icmp-echo] frequency 3000
[DeviceA-nqa-admin-test2-icmp-echo] history-record enable
[DeviceA-nqa-admin-test2-icmp-echo] probe count 5
[DeviceA-nqa-admin-test2-icmp-echo] next-hop ip 2.2.2.3
[DeviceA-nqa-admin-test2-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceA-nqa-admin-test2-icmp-echo] quit
[DeviceA] nqa schedule admin test2 start-time now lifetime forever
# Configure Track entry 120 and associate it with reaction entry 1 of the NQA operation (administrator name test2, operation tag 1), as follows.
[DeviceA] track 120 nqa entry admin test2 reaction 1
[DeviceA-track-120] quit
# Configure an NQA operation (administrator name test3, operation tag 1), as follows.
[DeviceA] nqa entry admin test3
[DeviceA-nqa-admin-test3] type icmp-echo
[DeviceA-nqa-admin-test3-icmp-echo] destination ip 4.4.4.4
[DeviceA-nqa-admin-test3-icmp-echo] frequency 3000
[DeviceA-nqa-admin-test3-icmp-echo] history-record enable
[DeviceA-nqa-admin-test3-icmp-echo] probe count 5
[DeviceA-nqa-admin-test3-icmp-echo] next-hop ip 1.1.1.2
[DeviceA-nqa-admin-test3-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceA-nqa-admin-test3-icmp-echo] quit
[DeviceA] nqa schedule admin test3 start-time now lifetime forever
# Configure Track entry 130 and associate it with reaction entry 1 of the NQA operation (administrator name test3, operation tag 1), as follows.
[DeviceA] track 130 nqa entry admin test3 reaction 1
[DeviceA-track-130] quit
# Configure an NQA operation (administrator name test4, operation tag 1), as follows.
[DeviceA] nqa entry admin test4
[DeviceA-nqa-admin-test4] type icmp-echo
[DeviceA-nqa-admin-test4-icmp-echo] destination ip 4.4.4.4
[DeviceA-nqa-admin-test4-icmp-echo] frequency 3000
[DeviceA-nqa-admin-test4-icmp-echo] history-record enable
[DeviceA-nqa-admin-test4-icmp-echo] probe count 5
[DeviceA-nqa-admin-test4-icmp-echo] next-hop ip 2.2.2.3
[DeviceA-nqa-admin-test4-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceA-nqa-admin-test4-icmp-echo] quit
[DeviceA] nqa schedule admin test4 start-time now lifetime forever
# Configure Track entry 140 and associate it with reaction entry 1 of the NQA operation (administrator name test4, operation tag 1), as follows.
[DeviceA] track 140 nqa entry admin test4 reaction 1
[DeviceA-track-140] quit
Configure routes
This example uses static routes only. In a real network, choose the routing method appropriate to your situation.
# Configure static routes according to the network plan. The next-hop IP addresses in this example are for illustration only; use the addresses of your actual network. The steps are as follows.
[DeviceA] ip route-static 192.168.12.0 24 tunnel 0 track 110 preference 100
[DeviceA] ip route-static 192.168.12.0 24 tunnel 1 track 120 preference 110
[DeviceA] ip route-static 192.168.13.0 24 tunnel 2 track 130 preference 100
[DeviceA] ip route-static 192.168.13.0 24 tunnel 3 track 140 preference 110
[DeviceA] ip route-static 3.3.3.3 24 1.1.1.2 track 110 preference 100
[DeviceA] ip route-static 3.3.3.3 24 2.2.2.3 track 120 preference 110
[DeviceA] ip route-static 4.4.4.4 24 1.1.1.2 track 130 preference 100
[DeviceA] ip route-static 4.4.4.4 24 2.2.2.3 track 140 preference 110
Configure interface IP addresses
# Configure the IP address of each interface according to the network plan, as follows.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 3.3.3.3 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] quit
Configure the IP addresses of the other interfaces by following the steps above (details omitted).
Create IPsec tunnel interfaces
# Create IPsec tunnel interface Tunnel0, as follows.
[DeviceB] interface tunnel 0 mode ipsec
[DeviceB-Tunnel0] ip address 50.0.0.1 255.255.255.0
[DeviceB-Tunnel0] source 3.3.3.3
[DeviceB-Tunnel0] destination 1.1.1.1
[DeviceB-Tunnel0] quit
# Create IPsec tunnel interface Tunnel1, as follows.
[DeviceB] interface tunnel 1 mode ipsec
[DeviceB-Tunnel1] ip address 60.0.0.1 255.255.255.0
[DeviceB-Tunnel1] source 3.3.3.3
[DeviceB-Tunnel1] destination 2.2.2.2
[DeviceB-Tunnel1] quit
Assign interfaces to security zones.
# Add each interface to its security zone according to the network plan, as follows.
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] import interface tunnel 0
[DeviceB-security-zone-Untrust] import interface tunnel 1
[DeviceB-security-zone-Untrust] quit
Configure security policies
Configure security policies to permit traffic between the Untrust and Local zones so that the devices can establish IPsec tunnels.
# Configure a security policy rule named ipseclocalout so that Device B can send IPsec tunnel negotiation packets to Device A, as follows.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 3.3.3.3
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# Configure a security policy rule named ipseclocalin so that Device B can receive and process IPsec tunnel negotiation packets from Device A, as follows.
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 3.3.3.3
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
Configure security policies to permit traffic between Host B and Host A
# Configure a security policy rule named trust-untrust so that packets from Host B to Host A are permitted, as follows.
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 192.168.12.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.11.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# Configure a security policy rule named untrust-trust so that packets from Host A to Host B are permitted, as follows.
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.11.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 192.168.12.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
Configure IPsec profiles to establish IPsec tunnels and protect the data flows that require protection
# Configure IPsec profile t0 to establish an IPsec tunnel, as follows.
[DeviceB] ike keychain t0
[DeviceB-ike-keychain-t0] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!
[DeviceB-ike-keychain-t0] quit
[DeviceB] ike profile t0
[DeviceB-ike-profile-t0] keychain t0
[DeviceB-ike-profile-t0] match local address Tunnel0
[DeviceB-ike-profile-t0] match remote identity address 1.1.1.1 24
[DeviceB-ike-profile-t0] exchange-mode aggressive
[DeviceB-ike-profile-t0] dpd interval 30 periodic
[DeviceB-ike-profile-t0] quit
[DeviceB] ipsec transform-set t0
[DeviceB-ipsec-transform-set-t0] esp encryption-algorithm aes-cbc-128
[DeviceB-ipsec-transform-set-t0] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-t0] quit
[DeviceB] ipsec profile t0 isakmp
[DeviceB-ipsec-profile-isakmp-t0] transform-set t0
[DeviceB-ipsec-profile-isakmp-t0] ike-profile t0
[DeviceB-ipsec-profile-isakmp-t0] quit
# Configure IPsec profile t1 to establish an IPsec tunnel, as follows.
[DeviceB] ike keychain t1
[DeviceB-ike-keychain-t1] pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!
[DeviceB-ike-keychain-t1] quit
[DeviceB] ike profile t1
[DeviceB-ike-profile-t1] keychain t1
[DeviceB-ike-profile-t1] match local address Tunnel1
[DeviceB-ike-profile-t1] match remote identity address 2.2.2.2 24
[DeviceB-ike-profile-t1] exchange-mode aggressive
[DeviceB-ike-profile-t1] dpd interval 30 periodic
[DeviceB-ike-profile-t1] quit
[DeviceB] ipsec transform-set t1
[DeviceB-ipsec-transform-set-t1] esp encryption-algorithm aes-cbc-128
[DeviceB-ipsec-transform-set-t1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-t1] quit
[DeviceB] ipsec profile t1 isakmp
[DeviceB-ipsec-profile-isakmp-t1] transform-set t1
[DeviceB-ipsec-profile-isakmp-t1] ike-profile t1
[DeviceB-ipsec-profile-isakmp-t1] quit
Configure the IPsec tunnel interfaces to apply IPsec encapsulation to the traffic to be protected.
# Apply IPsec profile t0 to IPsec tunnel interface Tunnel0 to establish the IPsec tunnel.
[DeviceB] interface tunnel 0
[DeviceB-Tunnel0] tunnel protection ipsec profile t0
[DeviceB-Tunnel0] quit
# Apply IPsec profile t1 to IPsec tunnel interface Tunnel1 to establish the IPsec tunnel.
[DeviceB] interface tunnel 1
[DeviceB-Tunnel1] tunnel protection ipsec profile t1
[DeviceB-Tunnel1] quit
Configure NQA operations and associate them with Track entries to detect link status.
# Configure an NQA operation (administrator name test1, operation tag 1), as follows.
[DeviceB] nqa entry admin test1
[DeviceB-nqa-admin-test1] type icmp-echo
[DeviceB-nqa-admin-test1-icmp-echo] destination ip 1.1.1.1
[DeviceB-nqa-admin-test1-icmp-echo] frequency 3000
[DeviceB-nqa-admin-test1-icmp-echo] history-record enable
[DeviceB-nqa-admin-test1-icmp-echo] probe count 5
[DeviceB-nqa-admin-test1-icmp-echo] next-hop ip 3.3.3.4
[DeviceB-nqa-admin-test1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceB-nqa-admin-test1-icmp-echo] quit
[DeviceB] nqa schedule admin test1 start-time now lifetime forever
# Configure Track entry 110 and associate it with reaction entry 1 of the NQA operation (administrator name test1, operation tag 1), as follows.
[DeviceB] track 110 nqa entry admin test1 reaction 1
[DeviceB-track-110] quit
# Configure an NQA operation (administrator name test2, operation tag 1), as follows.
[DeviceB] nqa entry admin test2
[DeviceB-nqa-admin-test2] type icmp-echo
[DeviceB-nqa-admin-test2-icmp-echo] destination ip 2.2.2.2
[DeviceB-nqa-admin-test2-icmp-echo] frequency 3000
[DeviceB-nqa-admin-test2-icmp-echo] history-record enable
[DeviceB-nqa-admin-test2-icmp-echo] probe count 5
[DeviceB-nqa-admin-test2-icmp-echo] next-hop ip 3.3.3.4
[DeviceB-nqa-admin-test2-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceB-nqa-admin-test2-icmp-echo] quit
[DeviceB] nqa schedule admin test2 start-time now lifetime forever
# Configure Track entry 120 and associate it with reaction entry 1 of the NQA operation (administrator name test2, operation tag 1), as follows.
[DeviceB] track 120 nqa entry admin test2 reaction 1
[DeviceB-track-120] quit
Configure routes
This example uses static routes only. In a real network, choose the routing method appropriate to your situation.
# Configure static routes according to the network plan. The next-hop IP addresses in this example are for illustration only; use the addresses of your actual network. The steps are as follows.
[DeviceB] ip route-static 192.168.11.0 24 tunnel 0 track 110 preference 100
[DeviceB] ip route-static 192.168.11.0 24 tunnel 1 track 120 preference 110
[DeviceB] ip route-static 1.1.1.1 24 3.3.3.4
[DeviceB] ip route-static 2.2.2.2 24 3.3.3.4
Configure interface IP addresses
# Configure the IP address of each interface according to the network plan, as follows.
<DeviceC> system-view
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] ip address 4.4.4.4 255.255.255.0
[DeviceC-GigabitEthernet1/0/1] quit
Configure the IP addresses of the other interfaces by following the steps above (details omitted).
Create IPsec tunnel interfaces
# Create IPsec tunnel interface Tunnel0, as follows.
[DeviceC] interface tunnel 0 mode ipsec
[DeviceC-Tunnel0] ip address 70.0.0.1 255.255.255.0
[DeviceC-Tunnel0] source 4.4.4.4
[DeviceC-Tunnel0] destination 1.1.1.1
[DeviceC-Tunnel0] quit
# Create IPsec tunnel interface Tunnel1, as follows.
[DeviceC] interface tunnel 1 mode ipsec
[DeviceC-Tunnel1] ip address 80.0.0.1 255.255.255.0
[DeviceC-Tunnel1] source 4.4.4.4
[DeviceC-Tunnel1] destination 2.2.2.2
[DeviceC-Tunnel1] quit
Assign interfaces to security zones.
# Add each interface to its security zone according to the network plan, as follows.
[DeviceC] security-zone name trust
[DeviceC-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceC-security-zone-Trust] quit
[DeviceC] security-zone name untrust
[DeviceC-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceC-security-zone-Untrust] import interface tunnel 0
[DeviceC-security-zone-Untrust] import interface tunnel 1
[DeviceC-security-zone-Untrust] quit
Configure security policies
Configure security policies to permit traffic between the Untrust and Local zones so that the devices can establish IPsec tunnels.
# Configure a security policy rule named ipseclocalout so that Device B can send IPsec tunnel negotiation packets to Device A, as follows.
[DeviceC] security-policy ip
[DeviceC-security-policy-ip] rule name ipseclocalout
[DeviceC-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceC-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceC-security-policy-ip-1-ipseclocalout] source-ip-host 4.4.4.4
[DeviceC-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceC-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2
[DeviceC-security-policy-ip-1-ipseclocalout] action pass
[DeviceC-security-policy-ip-1-ipseclocalout] quit
# Configure a security policy rule named ipseclocalin so that Device B can receive and process IPsec tunnel negotiation packets from Device A, as follows.
[DeviceC-security-policy-ip] rule name ipseclocalin
[DeviceC-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceC-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceC-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceC-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2
[DeviceC-security-policy-ip-2-ipseclocalin] destination-ip-host 4.4.4.4
[DeviceC-security-policy-ip-2-ipseclocalin] action pass
[DeviceC-security-policy-ip-2-ipseclocalin] quit
Configure security policies to permit traffic between Host B and Host A
# Configure a security policy rule named trust-untrust so that packets from Host B to Host A are permitted, as follows.
[DeviceC-security-policy-ip] rule name trust-untrust
[DeviceC-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceC-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceC-security-policy-ip-3-trust-untrust] source-ip-subnet 192.168.13.0 24
[DeviceC-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.11.0 24
[DeviceC-security-policy-ip-3-trust-untrust] action pass
[DeviceC-security-policy-ip-3-trust-untrust] quit
# Configure a security policy rule named untrust-trust so that packets from Host A to Host B are permitted, as follows.
[DeviceC-security-policy-ip] rule name untrust-trust
[DeviceC-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceC-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceC-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.11.0 24
[DeviceC-security-policy-ip-4-untrust-trust] destination-ip-subnet 192.168.13.0 24
[DeviceC-security-policy-ip-4-untrust-trust] action pass
[DeviceC-security-policy-ip-4-untrust-trust] quit
[DeviceC-security-policy-ip] quit
Configure IPsec profiles to establish IPsec tunnels and protect the data flows that require protection
# Configure IPsec profile t0 to establish an IPsec tunnel, as follows.
[DeviceC] ike keychain t0
[DeviceC-ike-keychain-t0] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!
[DeviceC-ike-keychain-t0] quit
[DeviceC] ike profile t0
[DeviceC-ike-profile-t0] keychain t0
[DeviceC-ike-profile-t0] match local address Tunnel0
[DeviceC-ike-profile-t0] match remote identity address 1.1.1.1 24
[DeviceC-ike-profile-t0] exchange-mode aggressive
[DeviceC-ike-profile-t0] dpd interval 30 periodic
[DeviceC-ike-profile-t0] quit
[DeviceC] ipsec transform-set t0
[DeviceC-ipsec-transform-set-t0] esp encryption-algorithm aes-cbc-128
[DeviceC-ipsec-transform-set-t0] esp authentication-algorithm sha1
[DeviceC-ipsec-transform-set-t0] quit
[DeviceC] ipsec profile t0 isakmp
[DeviceC-ipsec-profile-isakmp-t0] transform-set t0
[DeviceC-ipsec-profile-isakmp-t0] ike-profile t0
[DeviceC-ipsec-profile-isakmp-t0] quit
# Configure IPsec profile t1 to establish an IPsec tunnel, as follows.
[DeviceC] ike keychain t1
[DeviceC-ike-keychain-t1] pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!
[DeviceC-ike-keychain-t1] quit
[DeviceC] ike profile t1
[DeviceC-ike-profile-t1] keychain t1
[DeviceC-ike-profile-t1] match local address Tunnel1
[DeviceC-ike-profile-t1] match remote identity address 2.2.2.2 24
[DeviceC-ike-profile-t1] exchange-mode aggressive
[DeviceC-ike-profile-t1] dpd interval 30 periodic
[DeviceC-ike-profile-t1] quit
[DeviceC] ipsec transform-set t1
[DeviceC-ipsec-transform-set-t1] esp encryption-algorithm aes-cbc-128
[DeviceC-ipsec-transform-set-t1] esp authentication-algorithm sha1
[DeviceC-ipsec-transform-set-t1] quit
[DeviceC] ipsec profile t1 isakmp
[DeviceC-ipsec-profile-isakmp-t1] transform-set t1
[DeviceC-ipsec-profile-isakmp-t1] ike-profile t1
[DeviceC-ipsec-profile-isakmp-t1] quit
Configure the IPsec tunnel interfaces to apply IPsec encapsulation to the traffic to be protected.
# Apply IPsec profile t0 to IPsec tunnel interface Tunnel0 to establish the IPsec tunnel.
[DeviceC] interface tunnel 0
[DeviceC-Tunnel0] tunnel protection ipsec profile t0
[DeviceC-Tunnel0] quit
# Apply IPsec profile t1 to IPsec tunnel interface Tunnel1 to establish the IPsec tunnel.
[DeviceC] interface tunnel 1
[DeviceC-Tunnel1] tunnel protection ipsec profile t1
[DeviceC-Tunnel1] quit
Configure NQA operations and associate them with Track entries to detect link status.
# Configure an NQA operation (administrator name test1, operation tag 1), as follows.
[DeviceC] nqa entry admin test1
[DeviceC-nqa-admin-test1] type icmp-echo
[DeviceC-nqa-admin-test1-icmp-echo] destination ip 1.1.1.1
[DeviceC-nqa-admin-test1-icmp-echo] frequency 3000
[DeviceC-nqa-admin-test1-icmp-echo] history-record enable
[DeviceC-nqa-admin-test1-icmp-echo] probe count 5
[DeviceC-nqa-admin-test1-icmp-echo] next-hop ip 4.4.4.5
[DeviceC-nqa-admin-test1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceC-nqa-admin-test1-icmp-echo] quit
[DeviceC] nqa schedule admin test1 start-time now lifetime forever
# Configure Track entry 110 and associate it with reaction entry 1 of the NQA operation (administrator name test1, operation tag 1), as follows.
[DeviceC] track 110 nqa entry admin test1 reaction 1
[DeviceC-track-110] quit
# Configure an NQA operation (administrator name test2, operation tag 1), as follows.
[DeviceC] nqa entry admin test2
[DeviceC-nqa-admin-test2] type icmp-echo
[DeviceC-nqa-admin-test2-icmp-echo] destination ip 2.2.2.2
[DeviceC-nqa-admin-test2-icmp-echo] frequency 3000
[DeviceC-nqa-admin-test2-icmp-echo] history-record enable
[DeviceC-nqa-admin-test2-icmp-echo] probe count 5
[DeviceC-nqa-admin-test2-icmp-echo] next-hop ip 4.4.4.5
[DeviceC-nqa-admin-test2-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceC-nqa-admin-test2-icmp-echo] quit
[DeviceC] nqa schedule admin test2 start-time now lifetime forever
# Configure Track entry 120 and associate it with reaction entry 1 of the NQA operation (administrator name test2, operation tag 1), as follows.
[DeviceC] track 120 nqa entry admin test2 reaction 1
[DeviceC-track-120] quit
Configure routes
This example uses static routes only. In a real network, choose the routing method appropriate to your situation.
# Configure static routes according to the network plan. The next-hop IP addresses in this example are for illustration only; use the addresses of your actual network. The steps are as follows.
[DeviceC] ip route-static 192.168.11.0 24 tunnel 0 track 110 preference 100
[DeviceC] ip route-static 192.168.11.0 24 tunnel 1 track 120 preference 110
[DeviceC] ip route-static 1.1.1.1 24 4.4.4.5
[DeviceC] ip route-static 2.2.2.2 24 4.4.4.5
After the configuration above is complete, Device A automatically performs IKE negotiation with Device B and Device C. Once IKE negotiation completes, the IPsec virtual tunnel interfaces on Device A, Device B and Device C come up, and the data flows between headquarters and the branches are protected.
# Use the display ip interface brief command to view the interface status on Device A, as follows.
<DeviceA> display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE1/0/1 up up 1.1.1.1/24 -- --
GE1/0/2 up up 2.2.2.2/24 -- --
GE1/0/3 up up 192.168.11.1/24 -- --
Tun0 up up 10.0.0.1/24 -- --
Tun1 up up 20.0.0.1/24 -- --
Tun2 up up 30.0.0.1/24 -- --
Tun3 up up 40.0.0.1/24 -- --
# Use the display ip routing-table command to view the routing table on Device A, as follows.
<DeviceA> display ip routing-table
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.0/24 Direct 0 0 1.1.1.1 GE1/0/1
1.1.1.255/32 Direct 0 0 1.1.1.1 GE1/0/1
2.2.2.0/24 Direct 0 0 2.2.2.2 GE1/0/2
2.2.2.255/32 Direct 0 0 2.2.2.2 GE1/0/2
3.3.3.0/24 Static 100 0 1.1.1.2 GE1/0/1
4.4.4.0/24 Static 100 0 1.1.1.2 GE1/0/1
10.0.0.0/24 Direct 0 0 10.0.0.1 Tun0
10.0.0.255/32 Direct 0 0 10.0.0.1 Tun0
20.0.0.0/24 Direct 0 0 20.0.0.1 Tun1
20.0.0.255/32 Direct 0 0 20.0.0.1 Tun1
192.168.11.0/24 Direct 0 0 192.168.11.1 GE1/0/3
192.168.11.255/32 Direct 0 0 192.168.11.1 GE1/0/3
192.168.12.0/24 Static 100 0 0.0.0.0 Tun0
192.168.13.0/24 Static 100 0 0.0.0.0 Tun2
# Host A can ping Host B; at this point the IPsec traffic travels over the link used by Tunnel0.
C:\Users\hosta> ping 192.168.12.2
正在 Ping 192.168.12.2 具有 32 字節的數據:
來自 192.168.12.2 的回複: 字節=32 時間=1ms TTL=254
來自 192.168.12.2 的回複: 字節=32 時間<1ms TTL=254
來自 192.168.12.2 的回複: 字節=32 時間<1ms TTL=254
來自 192.168.12.2 的回複: 字節=32 時間<1ms TTL=254
192.168.12.2 的 Ping 統計信息:
數據包: 已發送 = 4,已接收 = 4,丟失 = 0 (0% 丟失),
往返行程的估計時間(以毫秒為單位):
最短 = 0ms,最長 = 1ms,平均 = 0ms
# When the link on Device A's GigabitEthernet1/0/1 interface fails, Host A can still ping Host B; at this point the IPsec traffic travels over the link used by Tunnel1.
C:\Users\hosta> ping 192.168.12.2
正在 Ping 192.168.12.2 具有 32 字節的數據:
來自 192.168.12.2 的回複: 字節=32 時間=1ms TTL=254
來自 192.168.12.2 的回複: 字節=32 時間<1ms TTL=254
來自 192.168.12.2 的回複: 字節=32 時間<1ms TTL=254
來自 192.168.12.2 的回複: 字節=32 時間<1ms TTL=254
192.168.12.2 的 Ping 統計信息:
數據包: 已發送 = 4,已接收 = 4,丟失 = 0 (0% 丟失),
往返行程的估計時間(以毫秒為單位):
最短 = 0ms,最長 = 1ms,平均 = 0ms
# Use the display ip interface brief command to view the interface status on Device A, as follows.
<DeviceA> display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE1/0/1 down down 1.1.1.1/24 -- --
GE1/0/2 up up 2.2.2.2/24 -- --
GE1/0/3 up up 192.168.11.1/24 -- --
Tun0 down down 10.0.0.1/24 -- --
Tun1 up up 20.0.0.1/24 -- --
Tun2 down down 30.0.0.1/24 -- --
Tun3 up up 40.0.0.1/24 -- --
# Use the display ip routing-table command to view the routing table on Device A, as follows.
<DeviceA> display ip routing-table
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost NextHop Interface
2.2.2.0/24 Direct 0 0 2.2.2.2 GE1/0/2
2.2.2.255/32 Direct 0 0 2.2.2.2 GE1/0/2
3.3.3.0/24 Static 110 0 2.2.2.3 GE1/0/2
4.4.4.0/24 Static 110 0 2.2.2.3 GE1/0/2
20.0.0.0/24 Direct 0 0 20.0.0.1 Tun1
20.0.0.255/32 Direct 0 0 20.0.0.1 Tun1
192.168.11.0/24 Direct 0 0 192.168.11.1 GE1/0/3
192.168.11.255/32 Direct 0 0 192.168.11.1 GE1/0/3
192.168.12.0/24 Static 110 0 0.0.0.0 Tun1
192.168.13.0/24 Static 110 0 0.0.0.0 Tun3
# When the link on Device A's GigabitEthernet1/0/1 interface recovers, the IPsec traffic switches back to the link used by Tunnel0.
#
track 110 nqa entry admin test1 reaction 1
#
track 120 nqa entry admin test2 reaction 1
#
track 130 nqa entry admin test3 reaction 1
#
track 140 nqa entry admin test4 reaction 1
#
nqa entry admin test1
type icmp-echo
destination ip 3.3.3.3
frequency 3000
history-record enable
next-hop ip 1.1.1.2
probe count 5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa entry admin test2
type icmp-echo
destination ip 3.3.3.3
frequency 3000
history-record enable
next-hop ip 2.2.2.3
probe count 5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa entry admin test3
type icmp-echo
destination ip 4.4.4.4
frequency 3000
history-record enable
next-hop ip 1.1.1.2
probe count 5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa entry admin test4
type icmp-echo
destination ip 4.4.4.4
frequency 3000
history-record enable
next-hop ip 2.2.2.3
probe count 5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule admin test1 start-time now lifetime forever
nqa schedule admin test2 start-time now lifetime forever
nqa schedule admin test3 start-time now lifetime forever
nqa schedule admin test4 start-time now lifetime forever
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet1/0/3
ip address 192.168.11.1 255.255.255.0
#
interface Tunnel0 mode ipsec
ip address 10.0.0.1 255.255.255.0
source 1.1.1.1
destination 3.3.3.3
tunnel protection ipsec profile t0
#
interface Tunnel1 mode ipsec
ip address 20.0.0.1 255.255.255.0
source 2.2.2.2
destination 3.3.3.3
tunnel protection ipsec profile t1
#
interface Tunnel2 mode ipsec
ip address 30.0.0.1 255.255.255.0
source 1.1.1.1
destination 4.4.4.4
tunnel protection ipsec profile t2
#
interface Tunnel3 mode ipsec
ip address 40.0.0.1 255.255.255.0
source 2.2.2.2
destination 4.4.4.4
tunnel protection ipsec profile t3
#
security-zone name Trust
import interface GigabitEthernet1/0/3
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/2
import interface Tunnel0
import interface Tunnel1
import interface Tunnel2
import interface Tunnel3
#
ip route-static 3.3.3.0 24 1.1.1.2 track 110 preference 100
ip route-static 3.3.3.0 24 2.2.2.3 track 120 preference 110
ip route-static 4.4.4.0 24 1.1.1.2 track 130 preference 100
ip route-static 4.4.4.0 24 2.2.2.3 track 140 preference 110
ip route-static 192.168.12.0 24 Tunnel0 track 110 preference 100
ip route-static 192.168.12.0 24 Tunnel1 track 120 preference 110
ip route-static 192.168.13.0 24 Tunnel2 track 130 preference 100
ip route-static 192.168.13.0 24 Tunnel3 track 140 preference 110
#
ipsec transform-set t0
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec transform-set t1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec transform-set t2
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec transform-set t3
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile t0 isakmp
transform-set t0
ike-profile t0
#
ipsec profile t1 isakmp
transform-set t1
ike-profile t1
#
ipsec profile t2 isakmp
transform-set t2
ike-profile t2
#
ipsec profile t3 isakmp
transform-set t3
ike-profile t3
#
ike profile t0
keychain t0
dpd interval 30 periodic
exchange-mode aggressive
match remote identity address 3.3.3.3 255.255.255.0
match local address Tunnel0
#
ike profile t1
keychain t1
dpd interval 30 periodic
exchange-mode aggressive
match remote identity address 3.3.3.3 255.255.255.0
match local address Tunnel1
#
ike profile t2
keychain t2
dpd interval 30 periodic
exchange-mode aggressive
match remote identity address 4.4.4.4 255.255.255.0
match local address Tunnel2
#
ike profile t3
keychain t3
dpd interval 30 periodic
exchange-mode aggressive
match remote identity address 4.4.4.4 255.255.255.0
match local address Tunnel3
#
ike keychain t0
pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!
#
ike keychain t1
pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!
#
ike keychain t2
pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!
#
ike keychain t3
pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!
#
security-policy ip
rule 0 name ipseclocalout
action pass
source-zone local
destination-zone untrust
source-ip-host 1.1.1.1
source-ip-host 2.2.2.2
destination-ip-host 3.3.3.3
destination-ip-host 4.4.4.4
rule 1 name ipseclocalin
action pass
source-zone untrust
destination-zone local
source-ip-host 3.3.3.3
source-ip-host 4.4.4.4
destination-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
rule 2 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 192.168.11.0 255.255.255.0
destination-ip-subnet 192.168.12.0 255.255.255.0
destination-ip-subnet 192.168.13.0 255.255.255.0
rule 3 name untrust-trust
action pass
source-zone untrust
destination-zone trust
source-ip-subnet 192.168.12.0 255.255.255.0
source-ip-subnet 192.168.13.0 255.255.255.0
destination-ip-subnet 192.168.11.0 255.255.255.0
#
Configuration file of Device B:
#
track 110 nqa entry admin test1 reaction 1
#
track 120 nqa entry admin test2 reaction 1
#
nqa entry admin test1
type icmp-echo
destination ip 1.1.1.1
frequency 3000
history-record enable
next-hop ip 3.3.3.4
probe count 5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa entry admin test2
type icmp-echo
destination ip 2.2.2.2
frequency 3000
history-record enable
next-hop ip 3.3.3.4
probe count 5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule admin test1 start-time now lifetime forever
nqa schedule admin test2 start-time now lifetime forever
#
interface GigabitEthernet1/0/1
ip address 3.3.3.3 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 192.168.12.1 255.255.255.0
#
interface Tunnel0 mode ipsec
ip address 50.0.0.1 255.255.255.0
source 3.3.3.3
destination 1.1.1.1
tunnel protection ipsec profile t0
#
interface Tunnel1 mode ipsec
ip address 60.0.0.1 255.255.255.0
source 3.3.3.3
destination 2.2.2.2
tunnel protection ipsec profile t1
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface Tunnel0
import interface Tunnel1
#
ip route-static 1.1.1.0 24 3.3.3.4
ip route-static 2.2.2.0 24 3.3.3.4
ip route-static 192.168.11.0 24 Tunnel0 track 110 preference 100
ip route-static 192.168.11.0 24 Tunnel1 track 120 preference 110
#
ipsec transform-set t0
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec transform-set t1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile t0 isakmp
transform-set t0
ike-profile t0
#
ipsec profile t1 isakmp
transform-set t1
ike-profile t1
#
ike profile t0
keychain t0
dpd interval 30 periodic
exchange-mode aggressive
match remote identity address 1.1.1.1 255.255.255.0
match local address Tunnel0
#
ike profile t1
keychain t1
dpd interval 30 periodic
exchange-mode aggressive
match remote identity address 2.2.2.2 255.255.255.0
match local address Tunnel1
#
ike keychain t0
pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!
#
ike keychain t1
pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!
#
security-policy ip
rule 0 name ipseclocalout
action pass
source-zone local
destination-zone untrust
source-ip-host 3.3.3.3
destination-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
rule 1 name ipseclocalin
action pass
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
source-ip-host 2.2.2.2
destination-ip-host 3.3.3.3
rule 2 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 192.168.12.0 255.255.255.0
destination-ip-subnet 192.168.11.0 255.255.255.0
rule 3 name untrust-trust
action pass
source-zone untrust
destination-zone trust
source-ip-subnet 192.168.11.0 255.255.255.0
destination-ip-subnet 192.168.12.0 255.255.255.0
#
Configuration file of Device C:
#
track 110 nqa entry admin test1 reaction 1
#
track 120 nqa entry admin test2 reaction 1
#
nqa entry admin test1
type icmp-echo
destination ip 1.1.1.1
frequency 3000
history-record enable
next-hop ip 4.4.4.5
probe count 5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa entry admin test2
type icmp-echo
destination ip 2.2.2.2
frequency 3000
history-record enable
next-hop ip 4.4.4.5
probe count 5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule admin test1 start-time now lifetime forever
nqa schedule admin test2 start-time now lifetime forever
#
interface GigabitEthernet1/0/1
ip address 4.4.4.4 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 192.168.13.1 255.255.255.0
#
interface Tunnel0 mode ipsec
ip address 70.0.0.1 255.255.255.0
source 4.4.4.4
destination 1.1.1.1
tunnel protection ipsec profile t0
#
interface Tunnel1 mode ipsec
ip address 80.0.0.1 255.255.255.0
source 4.4.4.4
destination 2.2.2.2
tunnel protection ipsec profile t1
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface Tunnel0
import interface Tunnel1
#
ip route-static 1.1.1.0 24 4.4.4.5
ip route-static 2.2.2.0 24 4.4.4.5
ip route-static 192.168.11.0 24 Tunnel0 track 110 preference 100
ip route-static 192.168.11.0 24 Tunnel1 track 120 preference 110
#
ipsec transform-set t0
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec transform-set t1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile t0 isakmp
transform-set t0
ike-profile t0
#
ipsec profile t1 isakmp
transform-set t1
ike-profile t1
#
ike profile t0
keychain t0
dpd interval 30 periodic
exchange-mode aggressive
match remote identity address 1.1.1.1 255.255.255.0
match local address Tunnel0
#
ike profile t1
keychain t1
dpd interval 30 periodic
exchange-mode aggressive
match remote identity address 2.2.2.2 255.255.255.0
match local address Tunnel1
#
ike keychain t0
pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!
#
ike keychain t1
pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!
#
security-policy ip
rule 0 name ipseclocalout
action pass
source-zone local
destination-zone untrust
source-ip-host 4.4.4.4
destination-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
rule 1 name ipseclocalin
action pass
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
source-ip-host 2.2.2.2
destination-ip-host 4.4.4.4
rule 2 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 192.168.13.0 255.255.255.0
destination-ip-subnet 192.168.11.0 255.255.255.0
rule 3 name untrust-trust
action pass
source-zone untrust
destination-zone trust
source-ip-subnet 192.168.11.0 255.255.255.0
destination-ip-subnet 192.168.13.0 255.255.255.0
(0)
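The failover in the configuration above rests on three pieces fitting together: each static route carries a track, each track is fed by an NQA ICMP probe, and the probe must actually test the path its route uses (same next hop for the underlay route; the tunnel peer, reached over the tunnel's source link, for the tunnel route). The following script is an added example, not H3C code from this thread: it parses those three pieces out of a constructed excerpt of the Device A configuration, flags any route whose probe tests the wrong path, and reproduces the route selection the display ip routing-table output shows once GigabitEthernet1/0/1 is down. It assumes the /24 underlay masks used on this page and Comware's default static-route preference of 60 for routes that specify none.

```python
"""Check and simulate the NQA-tracked static routes of this page's Device A.
Added example, not H3C code: it mirrors only the route-selection behaviour
that the page's display output shows (lowest preference wins while its
track is up)."""
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the Device A configuration on this page (Device B half).
DEVICE_A = """\
track 110 nqa entry admin test1 reaction 1
track 120 nqa entry admin test2 reaction 1
nqa entry admin test1
 destination ip 3.3.3.3
 next-hop ip 1.1.1.2
nqa entry admin test2
 destination ip 3.3.3.3
 next-hop ip 2.2.2.3
interface Tunnel0 mode ipsec
 source 1.1.1.1
 destination 3.3.3.3
interface Tunnel1 mode ipsec
 source 2.2.2.2
 destination 3.3.3.3
ip route-static 3.3.3.0 24 1.1.1.2 track 110 preference 100
ip route-static 3.3.3.0 24 2.2.2.3 track 120 preference 110
ip route-static 192.168.12.0 24 Tunnel0 track 110 preference 100
ip route-static 192.168.12.0 24 Tunnel1 track 120 preference 110
"""

ROUTE_RE = re.compile(r"ip route-static (\S+) (\d+) (\S+)(?: track (\d+))?(?: preference (\d+))?")


def parse_config(text):
    """Return {"tracks": {id: nqa name}, "probes": {name: {...}},
    "tunnels": {name: {...}}, "routes": [(prefix, nexthop, track|None, pref)]}."""
    cfg = {"tracks": {}, "probes": {}, "tunnels": {}, "routes": []}
    ctx = None  # the nqa entry or Tunnel block whose sub-lines are being read
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"track (\d+) nqa entry \S+ (\S+)", line):
            cfg["tracks"][int(m[1])] = m[2]
        elif m := re.match(r"nqa entry \S+ (\S+)$", line):
            ctx = cfg["probes"][m[1]] = {}
        elif m := re.match(r"interface (Tunnel\d+)", line):
            ctx = cfg["tunnels"][m[1]] = {}
        elif m := ROUTE_RE.match(line):
            track = int(m[4]) if m[4] else None
            pref = int(m[5]) if m[5] else 60  # Comware default static-route preference
            cfg["routes"].append((f"{m[1]}/{m[2]}", m[3], track, pref))
        elif line.startswith(("interface ", "#")):
            ctx = None  # any other block (or a '#' separator) ends the current one
        elif ctx is not None and (m := re.match(r"(source|destination|next-hop)(?: ip)? (\S+)$", line)):
            ctx[m[1]] = m[2]
    return cfg


def probe_mismatches(cfg):
    """Routes whose track is fed by a probe that does not test the route's own path."""
    out = []
    for prefix, nexthop, track, _ in cfg["routes"]:
        if track is None:
            continue
        probe = cfg["probes"].get(cfg["tracks"].get(track), {})
        hop = probe.get("next-hop")
        if nexthop in cfg["tunnels"]:
            tun = cfg["tunnels"][nexthop]
            # A tunnel route needs a probe to the tunnel peer that leaves over the
            # tunnel's source link (the page's underlay links are /24; assumed here).
            ok = (probe.get("destination") == tun.get("destination") and hop is not None
                  and ip_address(hop) in ip_network(tun.get("source", "0.0.0.0") + "/24", strict=False))
        else:
            ok = hop == nexthop  # the probe must use the same next hop as the route
        if not ok:
            out.append(f"{prefix} via {nexthop}: track {track} probe {probe or 'missing'} does not test this path")
    return out


def tracks_down_via(cfg, next_hop):
    """Tracks that turn Negative when this underlay next hop stops forwarding
    (on this page, losing GE1/0/1 takes 1.1.1.2 away)."""
    return {t for t, n in cfg["tracks"].items()
            if cfg["probes"].get(n, {}).get("next-hop") == next_hop}


def active_routes(cfg, down=frozenset()):
    """Lowest-preference route per prefix whose track is not down."""
    best = {}
    for prefix, nexthop, track, pref in cfg["routes"]:
        if track in down:
            continue
        if prefix not in best or pref < best[prefix][1]:
            best[prefix] = (nexthop, pref)
    return {p: nh for p, (nh, _) in best.items()}


if __name__ == "__main__":
    cfg = parse_config(DEVICE_A)
    print("probe mismatches:", probe_mismatches(cfg) or "none")
    down = tracks_down_via(cfg, "1.1.1.2")
    print("GE1/0/1 down -> tracks", sorted(down), "->", active_routes(cfg, down))
```

With the excerpt as written the checker reports nothing and, once 1.1.1.2 is unreachable, selects 2.2.2.3 for 3.3.3.0/24 and Tunnel1 for 192.168.12.0/24, matching the routing table shown above. Pointing the Tunnel1 route at track 110 instead (a probe leaving over 1.1.1.0/24 for a tunnel sourced on 2.2.2.2) is the kind of slip the checker catches: the tunnel would then be withdrawn by the wrong link's failure.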
This is so complicated.