
Typical Huawei Router IPSec-over-GRE Configuration

2006-11-10 08:34
【Requirements】
Branch 1 and Branch 2 connect to the center with IPSec in aggressive mode, using IPSec-over-GRE; OSPF runs over the tunnels so that headquarters and the branches can reach each other.
                 192.168.1.1/24
                       |
                Center (ROUTER1)
                 202.101.1.2/30
                 /            \
   202.101.2.2/30              202.101.3.2/30
  Branch1 (ROUTER2)           Branch2 (ROUTER3)
         |                           |
   192.168.2.1/24              192.168.3.1/24

【Center Configuration】
#
sysname Center
#
ike local-name center /the center's IKE local-name is "center"/
#
router id 1.1.1.1
#
radius scheme system
#
domain system
#
ike peer branch1 /IKE peer for Branch 1/
exchange-mode aggressive /use IKE aggressive mode/
pre-shared-key abc /pre-shared key is abc/
id-type name /use the name as the ID during IKE negotiation/
remote-name branch1 /Branch 1's name is branch1/
#
ike peer branch2 /IKE peer for Branch 2/
exchange-mode aggressive
pre-shared-key abc
id-type name
remote-name branch2
#
ipsec proposal 1 /define the IPSec proposal/
#
ipsec policy branch1 10 isakmp /IPSec policy for Branch 1; the name must match the one applied on Tunnel0/
security acl 3001 /ACL referenced by this security policy/
ike-peer branch1 /reference the IKE peer/
proposal 1 /reference the IPSec proposal/
#
ipsec policy branch2 10 isakmp /the policy for Branch 2 mirrors the one for Branch 1/
security acl 3002
ike-peer branch2
proposal 1
#
acl number 3001 /define the internal traffic from the center to Branch 1/
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3002 /define the internal traffic from the center to Branch 2/
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
interface Serial2/0
link-protocol ppp
ip address 202.101.1.2 255.255.255.252
#
interface Tunnel0 /GRE tunnel between the center and Branch 1/
ip address 10.0.0.1 255.255.255.252
source 202.101.1.2
destination 202.101.2.2
ipsec policy branch1 /apply IPSec policy branch1 on Tunnel0/
#
interface Tunnel1 /GRE tunnel between the center and Branch 2/
ip address 10.0.0.5 255.255.255.252
source 202.101.1.2
destination 202.101.3.2
ipsec policy branch2 /apply IPSec policy branch2 on Tunnel1/
#
interface NULL0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0 /the center's internal address/
#
ospf 1
area 0.0.0.10 /Branch 1 belongs to area 10/
network 10.0.0.0 0.0.0.3
#
area 0.0.0.20 /Branch 2 belongs to area 20/
network 10.0.0.4 0.0.0.3
#
area 0.0.0.0 /headquarters belongs to area 0/
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.101.1.1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return

【Branch 1 Configuration】
#
sysname Branch1
#
ike local-name branch1 /Branch 1's IKE local-name is "branch1"/
#
radius scheme system
#
domain system
#
ike peer center /IKE peer for the center/
exchange-mode aggressive /use IKE aggressive mode/
pre-shared-key abc /pre-shared key is abc/
id-type name /use the name as the ID during IKE negotiation/
remote-name center /the peer's name is center/
remote-address 10.0.0.1 /the peer's address is 10.0.0.1 (the center's tunnel address)/
#
ipsec proposal 1 /define the IPSec proposal/
#
ipsec policy branch1 10 isakmp /IPSec policy for the center/
security acl 3001 /ACL referenced by this security policy/
ike-peer center /reference the IKE peer/
proposal 1 /reference the IPSec proposal/
#
acl number 3001 /define the internal traffic from Branch 1 to the center/
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
interface Serial2/0
link-protocol ppp
ip address 202.101.2.2 255.255.255.252
#
interface Tunnel0 /GRE tunnel between Branch 1 and the center/
ip address 10.0.0.2 255.255.255.252
source 202.101.2.2
destination 202.101.1.2
ipsec policy branch1 /apply IPSec policy branch1 on Tunnel0/
#
interface NULL0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface Ethernet0/0 /Branch 1's internal address/
ip address 192.168.2.1 255.255.255.0
#
ospf 1
area 0.0.0.10 /Branch 1 belongs to area 10/
network 2.2.2.2 0.0.0.0
network 10.0.0.0 0.0.0.3
network 192.168.2.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.101.2.1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return

【Branch 2 Configuration】
#
sysname Branch2
#
ike local-name branch2 /Branch 2's IKE local-name is "branch2"; it must match the remote-name the center configures for this peer/
#
radius scheme system
#
domain system
#
ike peer center /IKE peer for the center/
exchange-mode aggressive /use IKE aggressive mode/
pre-shared-key abc /pre-shared key is abc/
id-type name /use the name as the ID during IKE negotiation/
remote-name center /the peer's name is center/
remote-address 10.0.0.5 /the peer's address is 10.0.0.5 (the center's tunnel address)/
#
ipsec proposal 1 /define the IPSec proposal/
#
ipsec policy branch2 10 isakmp /IPSec policy for the center; the name must match the one applied on Tunnel0/
security acl 3001 /ACL referenced by this security policy/
ike-peer center /reference the IKE peer/
proposal 1 /reference the IPSec proposal/
#
acl number 3001 /define the internal traffic from Branch 2 to the center/
rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
interface Serial2/0
link-protocol ppp
ip address 202.101.3.2 255.255.255.252
#
interface Tunnel0 /GRE tunnel between Branch 2 and the center/
ip address 10.0.0.6 255.255.255.252
source 202.101.3.2
destination 202.101.1.2
ipsec policy branch2 /apply IPSec policy branch2 on Tunnel0/
#
interface NULL0
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface Ethernet0/0 /Branch 2's internal address/
ip address 192.168.3.1 255.255.255.0
#
ospf 1
area 0.0.0.20 /Branch 2 belongs to area 20/
network 3.3.3.3 0.0.0.0
network 10.0.0.4 0.0.0.3
network 192.168.3.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.101.3.1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return
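Added example, not from the original page or from Huawei: a small Python consistency check for a multi-site setup of this shape. It reads the VRP fragments of each site and flags a tunnel that applies an ipsec policy name that was never defined, a remote-name that no peer announces as its ike local-name, and an ACL flow with no mirror-image rule on the other side. The two embedded fragments are constructed for the demonstration and deliberately contain those three mistakes; the parser and the CONFIGS dict are assumptions of this example, not a vendor tool.

```python
# Constructed config fragments (IPSec-relevant lines only) that carry three mistakes this check catches.
CONFIGS = {
    "Center": """ike local-name center
ike peer branch2
remote-name branch2
ipsec policy branch2 10 isakmp
acl number 3002
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
interface Tunnel1
ipsec policy branch2""",
    "Branch2": """ike local-name branch1
ike peer center
remote-name center
ipsec policy branch1 10 isakmp
acl number 3001
rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
interface Tunnel0
ipsec policy branch2""",
}

def parse(text):
    # Pull the names and ACL flows the checks need out of one VRP config.
    d = {"local": None, "remotes": set(), "defined": set(), "bound": set(), "flows": set()}
    for raw in text.splitlines():
        w = raw.split("/")[0].split()       # drop the page-style "/ comment /" notes
        if w[:2] == ["ike", "local-name"]:
            d["local"] = w[2]
        elif w[:1] == ["remote-name"]:
            d["remotes"].add(w[1])
        elif w[:2] == ["ipsec", "policy"]:  # 5 words = definition, 3 words = binding on a tunnel
            d["defined" if len(w) > 3 else "bound"].add(w[2])
        elif w[:1] == ["rule"] and "source" in w and "destination" in w:
            d["flows"].add((w[w.index("source") + 1], w[w.index("destination") + 1]))
    return d

def lint(configs):
    """Return human-readable findings; an empty list means the sites are consistent."""
    devs = {name: parse(text) for name, text in configs.items()}
    locals_ = {d["local"] for d in devs.values()}
    flows = {(s, t, n) for n, d in devs.items() for s, t in d["flows"]}
    out = []
    for n, d in devs.items():
        for p in sorted(d["bound"] - d["defined"]):
            out.append(f"{n}: tunnel applies ipsec policy '{p}' that is never defined")
        for r in sorted(d["remotes"] - locals_):
            out.append(f"{n}: remote-name '{r}' matches no peer's ike local-name")
        for s, t in sorted(d["flows"]):
            if not any(f[:2] == (t, s) and f[2] != n for f in flows):
                out.append(f"{n}: flow {s}->{t} has no mirror-image ACL rule on a peer")
    return out
```

Running lint(CONFIGS) reports four findings; after correcting the three lines it returns an empty list.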

【Related Information】
1. IKE SA state on the center:
disp ike sa
connection-id peer flag phase doi
----------------------------------------------------------
44 10.0.0.2 RD 1 IPSEC
48 10.0.0.6 RD 2 IPSEC
47 10.0.0.6 RD 1 IPSEC
45 10.0.0.2 RD 2 IPSEC

flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

2. IPSec SA state on the center:
disp ipsec sa
===============================
Interface: Tunnel0
path MTU: 64000
===============================

-----------------------------
IPsec policy name: "branch1"
sequence number: 10
mode: isakmp
-----------------------------
connection id: 8
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local address: 10.0.0.1
remote address: 10.0.0.2
flow: (4 times matched)
sour addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP
dest addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP

[inbound ESP SAs]
spi: 2701983530 (0xa10cff2a)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436664/2136
max received sequence-number: 2
udp encapsulation used for nat traversal: N

[outbound ESP SAs]
spi: 2132567950 (0x7f1c678e)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436632/2136
max sent sequence-number: 3
udp encapsulation used for nat traversal: N
===============================
Interface: Tunnel1
path MTU: 64000
===============================

-----------------------------
IPsec policy name: "branch2"
sequence number: 10
mode: isakmp
-----------------------------
connection id: 9
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local address: 10.0.0.5
remote address: 10.0.0.6
flow: (18 times matched)
sour addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP
dest addr: 192.168.3.0/255.255.255.0 port: 0 protocol: IP

[inbound ESP SAs]
spi: 1612204948 (0x60184b94)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436188/2886
max received sequence-number: 9
udp encapsulation used for nat traversal: N

[outbound ESP SAs]
spi: 3432409622 (0xcc966a16)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436044/2886
max sent sequence-number: 10
udp encapsulation used for nat traversal: N

3. Routing table on the center:
disp ip rout
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
0.0.0.0/0 STATIC 60 0 202.101.1.1 Serial2/0/0
1.1.1.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
2.2.2.2/32 OSPF 10 1563 10.0.0.2 Tunnel0
3.3.3.3/32 OSPF 10 1563 10.0.0.6 Tunnel1
10.0.0.0/30 DIRECT 0 0 10.0.0.1 Tunnel0
10.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
10.0.0.4/30 DIRECT 0 0 10.0.0.5 Tunnel1
10.0.0.5/32 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
192.168.1.0/24 DIRECT 0 0 192.168.1.1 LoopBack10
192.168.1.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
192.168.2.0/24 OSPF 10 1563 10.0.0.2 Tunnel0
192.168.3.0/24 OSPF 10 1563 10.0.0.6 Tunnel1
202.101.1.0/30 DIRECT 0 0 202.101.1.2 Serial2/0/0
202.101.1.1/32 DIRECT 0 0 202.101.1.1 Serial2/0/0
202.101.1.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0

4. IKE SA state on Branch 1:
disp ike sa
connection-id peer flag phase doi
----------------------------------------------------------
27 10.0.0.1 RD|ST 1 IPSEC
28 10.0.0.1 RD|ST 2 IPSEC

flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

5. IPSec SA state on Branch 1:
disp ipsec sa
===============================
Interface: Tunnel0
path MTU: 64000
===============================

-----------------------------
IPsec policy name: "branch1"
sequence number: 10
mode: isakmp
-----------------------------
connection id: 6
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local address: 10.0.0.2
remote address: 10.0.0.1
flow: (4 times matched)
sour addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP
dest addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP

[inbound ESP SAs]
spi: 2132567950 (0x7f1c678e)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436664/2054
max received sequence-number: 2
udp encapsulation used for nat traversal: N

[outbound ESP SAs]
spi: 2701983530 (0xa10cff2a)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436632/2054
max sent sequence-number: 3
udp encapsulation used for nat traversal: N

6. Routing table on Branch 1:
disp ip rout
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
0.0.0.0/0 STATIC 60 0 202.101.2.1 Serial2/0/0
1.1.1.1/32 OSPF 10 1563 10.0.0.1 Tunnel0
2.2.2.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
3.3.3.3/32 OSPF 10 3125 10.0.0.1 Tunnel0
10.0.0.0/30 DIRECT 0 0 10.0.0.2 Tunnel0
10.0.0.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
10.0.0.4/30 OSPF 10 3124 10.0.0.1 Tunnel0
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
192.168.1.0/24 OSPF 10 1563 10.0.0.1 Tunnel0
192.168.2.0/24 DIRECT 0 0 192.168.2.1 LoopBack10
192.168.2.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
192.168.3.0/24 OSPF 10 3125 10.0.0.1 Tunnel0
202.101.2.0/30 DIRECT 0 0 202.101.2.2 Serial2/0/0
202.101.2.1/32 DIRECT 0 0 202.101.2.1 Serial2/0/0
202.101.2.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0

【Notes】
1. The configuration differences between IPSec-over-GRE and GRE-over-IPSec are:

Item                                   GRE-over-IPSec             IPSec-over-GRE
ACL definition                         GRE traffic                internal (private-network) traffic
remote-address in the IKE peer         peer's public address      peer's GRE tunnel address
Interface the policy is applied on     public-network egress      GRE tunnel interface

2. The branches and headquarters reach each other through OSPF routes; if OSPF is not running, static routes must be configured on both the branches and headquarters.
【Center Configuration】
ip route-static 192.168.2.0 255.255.255.0 Tunnel 0 preference 60 /traffic to Branch 1's internal network goes out Tunnel 0/
ip route-static 192.168.3.0 255.255.255.0 Tunnel 1 preference 60 /traffic to Branch 2's internal network goes out Tunnel 1/

【Branch 1 Configuration】
ip route-static 192.168.1.0 255.255.255.0 Tunnel 0 preference 60 /traffic to the center's internal network goes out Tunnel 0/

【Branch 2 Configuration】
ip route-static 192.168.1.0 255.255.255.0 Tunnel 0 preference 60 /traffic to the center's internal network goes out Tunnel 0/