GRE over IPSec Configuration (DCR--H3C)

1. DCR configuration

// Set a loopback address, in case the connecting end has a dynamic address
R-config#show run
Building configuration...

Current configuration:
!
hostname R
!
isdn switch-type basic-5ess
!
!
aaa authentication login default local
aaa authentication enable default none
aaa authorization exec default local
aaa authorization network default local
!         
username admin password 0 12345
!
enable password 0 smarteye level 15
!
!
crypto isakmp key 0 12345 address 10.170.3.0 255.255.255.0 
crypto isakmp key 0 12345 address 10.217.250.0 255.255.255.0 
crypto isakmp nat keepalive 20
crypto isakmp policy 1
 authentication pre-share
 lifetime 86400
!
crypto ipsec transform-set TS_TP0_1 esp-3des esp-md5-hmac
!
crypto dynamic-map DYN_TP0_1 1
 set security-association lifetime seconds 86400
 set transform-set TS_TP0_1
 Insert access-list extended NAT_WAN0_LIST rule deny
!
crypto map IPSEC_TUNNEL_TP0 1 ipsec-isakmp dynamic DYN_TP0_1

!
!
crypto key load-keyconf end
!
!
interface Null0
!
interface Tunnel0
 mtu 1376
 ip address 192.200.254.1 255.255.255.252
 no ip directed-broadcast
 tunnel source GigaEthernet0/0
 tunnel destination 128.8.8.8
 keepalive period 10
 tunnel speed-up
!
interface GigaEthernet0/0
 mtu 1400
 ip address 192.200.253.2 255.255.255.0
 ip tcp adjust-mss 1200
 no ip directed-broadcast
 ip http firewalltype 0
 crypto map IPSEC_TUNNEL_TP0
!
interface GigaEthernet0/1
 ip address 172.200.253.1 255.255.255.0
 ip address 192.168.2.1 255.255.255.0 secondary
 no ip directed-broadcast
 ip http firewalltype 0
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
interface Async20/0
 no ip address
 no ip directed-broadcast
!
!
!
!
!
!
!
!
ip route cache 
ip route default 192.200.253.1 
ip route 192.168.1.0 255.255.255.0 Tunnel0 
!
!
dial-peer terminator #
dial-peer auto-terminated 3
!
dsp-kernel-ver g729
!
!
sipua-cfg
 sipua keepAlive 60
 shutdown
!
!
!
gbsc app-ctrl priority onlinegames all
no gbsc app-ctrl drop onlinegames all
gbsc group default
!
gbsc pushto mode text
no gbsc filter-url enable
gbsc filter-url mode forbid
no gbsc filter-key enable
gbsc record-filter-url enable
!
!
ip access-list extended NAT_WAN0_LIST
!
ip access-list extended vpn1
!
!

!
!
ip http ispmode 1
ip http server
ip http language chinese
ip http timeout 10
ip http set-name-value 0
!
no ip proxy enable
ip proxy redirect 
!
!

!
!

2. H3C configuration

// Use the loopback as the GRE address, because the address is dynamic
<H3C>dis cu  
#
 version 5.20, Release 2514P14
#
 sysname H3C
#
 domain default enable system
#
 telnet server enable
#
 dar p2p signature-file flash:/p2p_default.mtd
#
 port-security enable
#
 password-recovery enable
#
acl number 3000
 rule 5 permit ip source 128.8.8.8 0 destination 192.200.253.2 0
acl number 3001
 rule 5 deny ip destination 172.200.253.0 0.0.0.255
 rule 10 permit ip
#
vlan 1
#
domain system   
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
 ip pool 1 192.168.1.2 192.168.1.100
#
ike proposal 1
#
ike peer vpn
 proposal 1
 pre-shared-key cipher $c$3$Uzit1ieJJ+tyj/xwj4gxbYWdXSoT3thPOyry
 remote-address 192.200.253.2
 nat traversal
#
ipsec transform-set vpn
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
#
ipsec policy vpn 1 isakmp
 connection-name vpn
 security acl 3000
 ike-peer vpn   
 transform-set vpn
#
dhcp server ip-pool 1
 network 192.168.1.0 mask 255.255.255.0
 gateway-list 192.168.1.1
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password cipher $c$3$40gC1cxf/wIJNa1ufFPJsjKAof+QP5aV
 authorization-attribute level 3
 service-type telnet
 service-type web
#
wlan rrm
 dot11b mandatory-rate 1 2
 dot11b supported-rate 5.5 11
 dot11g mandatory-rate 1 2 5.5 11
 dot11g supported-rate 6 9 12 18 24 36 48 54
#
wlan service-template 1 crypto
 ssid ChinaNet-wlan
 cipher-suite ccmp
 security-ie rsn
 service-template enable
#
cwmp
 undo cwmp enable
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Cellular0/0
 async mode protocol
 link-protocol ppp
#
interface NULL0
#
interface LoopBack0
 ip address 128.8.8.8 255.255.255.255
#
interface Vlan-interface1
 ip address 192.168.1.1 255.255.255.0
#               
interface GigabitEthernet0/0
 port link-mode route
#
interface GigabitEthernet0/1
 port link-mode bridge
#
interface GigabitEthernet0/2
 port link-mode bridge
#
interface GigabitEthernet0/3
 port link-mode bridge
#
interface GigabitEthernet0/4
 port link-mode bridge
#
interface Cellular-Ethernet2/0
 mtu 1400
 ip address cellular-allocated
 tcp mss 1200
 dialer enable-circular
 dialer-group 1
 dialer timer idle 0
 dialer timer autodial 5
 dialer number *99# autodial
 nat outbound 3001
 ipsec policy vpn
#
interface Tunnel0
 ip address 192.200.254.2 255.255.255.252
 source LoopBack0
 destination 192.200.253.2
 keepalive 10 3
#
interface WLAN-BSS31
 port link-type hybrid
 port hybrid vlan 1 untagged
 port-security port-mode psk
 port-security tx-key-type 11key
 port-security preshared-key pass-phrase cipher $c$3$HifQCK1SwKYALDZ+IzsznpHZ0IwrS7sCob5B
#
interface WLAN-BSS32
 port link-type hybrid
 port hybrid vlan 1 untagged
 port-security port-mode psk
 port-security tx-key-type 11key
 port-security preshared-key pass-phrase cipher $c$3$HifQCK1SwKYALDZ+IzsznpHZ0IwrS7sCob5B
#
interface WLAN-Radio3/0
 service-template 1 interface wlan-bss 31
#
 ip route-static 0.0.0.0 0.0.0.0 Cellular-Ethernet2/0
 ip route-static 172.200.253.0 255.255.255.0 Tunnel0
#
 dhcp enable
#
 load xml-configuration
#
 load tr069-configuration
#
user-interface tty 12
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
#
return
<H3C> 
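
An added example, not part of the original post: a small Python check that flags the lines in the two configurations above that a reviewer would question before deployment, namely secrets stored as type `0` (clear text), 3DES/MD5 ESP transforms, and the Telnet service. The sample is an excerpt constructed from the configs above, and the rule names are made up for this example.

```python
import re

# Secret stored as type 0 (clear text) in the DCR syntax, e.g. "password 0 ...".
SECRET = re.compile(r"(\b(?:password|key)\s+0\s+)\S+")

# (rule name, pattern). Rule names are hypothetical, chosen for this example.
# Patterns cover both the DCR and the H3C syntax used on this page.
RULES = [
    ("cleartext-secret", SECRET),
    ("weak-esp-cipher",
     re.compile(r"\besp-(?:3des|des)\b|encryption-algorithm\s+(?:3des|des)\b")),
    ("weak-esp-auth",
     re.compile(r"\besp-md5-hmac\b|authentication-algorithm\s+md5\b")),
    ("telnet-enabled",
     re.compile(r"^(?:telnet server enable|service-type telnet)\b")),
]

def audit(config_text):
    """Return (line_no, rule, redacted_line) for each questionable line."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        # Skip separators and negated commands ("no ..." / "undo ...").
        if not line or line.startswith(("!", "#", "no ", "undo ")):
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                # Never echo the secret itself into the report.
                findings.append((no, rule, SECRET.sub(r"\1<redacted>", line)))
    return findings

# Constructed excerpt: lines taken from the DCR and H3C configs above,
# with the H3C ciphertext replaced by a placeholder.
SAMPLE = """\
username admin password 0 12345
crypto isakmp key 0 12345 address 10.170.3.0 255.255.255.0
crypto ipsec transform-set TS_TP0_1 esp-3des esp-md5-hmac
 telnet server enable
ike peer vpn
 pre-shared-key cipher <ciphertext placeholder>
ipsec transform-set vpn
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
"""

if __name__ == "__main__":
    for no, rule, text in audit(SAMPLE):
        print(f"line {no}: {rule}: {text}")
```

Both ends of the tunnel must still agree on the ESP transform, so a change prompted by a finding on one router has to be mirrored on the other.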

