In this scenario, a large enterprise has its headquarters (Hub) and two branch offices (Spoke1/2) located in different regions. The subnets at headquarters and at the branches change frequently, and the branches connect to the public network using dynamically assigned addresses. The enterprise plans to use the OSPF routing protocol to interconnect the branches over the VPN, and, for confidentiality, data transmitted between headquarters and the branches, and between the branches themselves, must be protected by encryption.
Analysis:
Based on these requirements, DSVPN is used to build GRE tunnels: data is first GRE-encapsulated and then IPsec-encapsulated. IPsec also provides identity authentication, data integrity checking, and anti-replay protection. The IPsec security policy is applied to the mGRE tunnel interface using the security profile (ipsec profile) approach.
Configuration:
【Hub】
<Huawei>system-view
[Huawei]sysname Hub
[Hub-GigabitEthernet0/0/1]ip address 202.1.1.1 24
[Hub-GigabitEthernet0/0/2]ip address 172.18.3.254 24
[Hub-Tunnel0/0/0]ip address 10.1.1.1 24
[Hub]ospf 2
[Hub-ospf-2]area 1
[Hub-ospf-2-area-0.0.0.1]network 202.1.1.0 0.0.0.255
[Hub]ospf 1 router-id 10.1.1.1
[Hub-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0]network 172.18.3.0 0.0.0.255
[Hub]ike proposal 1 //create the IKE proposal
[Hub-ike-proposal-1]dh group5 //use DH group 5 for IKE phase 1 negotiation
[Hub-ike-proposal-1]authentication-algorithm aes-xcbc-mac-96 //configure the authentication algorithm
[Hub-ike-proposal-1]prf aes-xcbc-128 //specify the PRF algorithm for IKE negotiation
[Hub]ike peer hub v2
[Hub-ike-peer-hub]ike-proposal 1 //reference the IKE proposal
[Hub-ike-peer-hub]pre-shared-key cipher huawei123 //configure the pre-shared key
[Hub-ike-peer-hub]dpd type periodic //set DPD to periodic detection
[Hub-ike-peer-hub]dpd idle-time 40 //set the DPD detection interval
[Hub]ipsec proposal pro1
[Hub-ipsec-proposal-pro1]transform ah-esp
[Hub-ipsec-proposal-pro1]ah authentication-algorithm sha2-256
[Hub-ipsec-proposal-pro1]esp authentication-algorithm sha2-256
[Hub-ipsec-proposal-pro1]esp encryption-algorithm aes-192
[Hub]ipsec profile prof1
[Hub-ipsec-profile-prof1]ike-peer hub
[Hub-ipsec-profile-prof1]proposal pro1
[Hub-Tunnel0/0/0]tunnel-protocol gre p2mp
[Hub-Tunnel0/0/0]source GigabitEthernet 0/0/1
[Hub-Tunnel0/0/0]nhrp entry multicast dynamic
[Hub-Tunnel0/0/0]ospf network-type broadcast
[Hub-Tunnel0/0/0]ospf dr-priority 100
[Hub-Tunnel0/0/0]ipsec profile prof1
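As an added example (not part of the original article and not a Huawei tool), the following Python script audits the Hub configuration above for settings a reviewer would question before deploying it: a DH group below 2048-bit MODP, a guessable pre-shared key, weak hash or cipher choices, an IKE peer without DPD, and a GRE tunnel interface with no IPsec profile bound. The Hub commands are embedded inline as a copied sample; the thresholds, severity levels and the weak-value lists are the author's assumptions, not Huawei guidance.

```python
"""Audit a Huawei VRP DSVPN/IPsec configuration transcript for weak settings.

Added example, not from the original page. Thresholds and severities are
the author's assumptions; the prompt-based parsing follows the VRP format
'[context]command //comment' used in the transcript above.
"""
import re

# Constructed sample input: the Hub commands copied from the page.
HUB_CONFIG = """\
[Hub]ike proposal 1
[Hub-ike-proposal-1]dh group5
[Hub-ike-proposal-1]authentication-algorithm aes-xcbc-mac-96
[Hub-ike-proposal-1]prf aes-xcbc-128
[Hub]ike peer hub v2
[Hub-ike-peer-hub]ike-proposal 1
[Hub-ike-peer-hub]pre-shared-key cipher huawei123
[Hub-ike-peer-hub]dpd type periodic
[Hub-ike-peer-hub]dpd idle-time 40
[Hub]ipsec proposal pro1
[Hub-ipsec-proposal-pro1]transform ah-esp
[Hub-ipsec-proposal-pro1]ah authentication-algorithm sha2-256
[Hub-ipsec-proposal-pro1]esp authentication-algorithm sha2-256
[Hub-ipsec-proposal-pro1]esp encryption-algorithm aes-192
[Hub]ipsec profile prof1
[Hub-ipsec-profile-prof1]ike-peer hub
[Hub-ipsec-profile-prof1]proposal pro1
[Hub-Tunnel0/0/0]tunnel-protocol gre p2mp
[Hub-Tunnel0/0/0]ipsec profile prof1
"""

# '[context]command' with an optional trailing '//comment'.
PROMPT_RE = re.compile(r"^\[(?P<ctx>[^\]]+)\](?P<cmd>.*?)(?://.*)?$")

# Assumed weak-value lists (author's choice, not vendor defaults).
WEAK_DH = {"group1", "group2", "group5"}   # MODP 768/1024/1536-bit: below 2048-bit
WEAK_HASH = {"md5", "sha1"}
WEAK_CIPHER = {"des", "3des"}
WEAK_PSK = {"huawei", "huawei123", "admin", "password", "123456"}
MIN_PSK_LEN = 16


def parse(config: str) -> dict:
    """Group commands by their VRP prompt context, e.g. 'Hub-ike-proposal-1'."""
    sections = {}
    for line in config.splitlines():
        m = PROMPT_RE.match(line.strip())
        if not m:
            continue
        sections.setdefault(m.group("ctx"), []).append(m.group("cmd").strip())
    return sections


def audit(config: str) -> list:
    """Return (severity, context, message) tuples; an empty list means nothing was flagged."""
    findings = []
    sections = parse(config)
    for ctx, cmds in sections.items():
        for cmd in cmds:
            w = cmd.split()
            if not w:
                continue
            if "-ike-proposal-" in ctx:
                if w[0] == "dh" and w[1] in WEAK_DH:
                    findings.append(("high", ctx, f"{cmd}: below 2048-bit MODP, use group14 or stronger"))
                elif w[0] == "authentication-algorithm" and w[1] in WEAK_HASH:
                    findings.append(("high", ctx, f"{cmd}: weak integrity algorithm"))
                elif w[0] == "encryption-algorithm" and w[1] in WEAK_CIPHER:
                    findings.append(("high", ctx, f"{cmd}: weak cipher"))
            elif "-ike-peer-" in ctx:
                if w[0] == "pre-shared-key":
                    key = w[-1]
                    if key.lower() in WEAK_PSK or len(key) < MIN_PSK_LEN:
                        findings.append(("high", ctx, "pre-shared key is a common value or shorter than 16 characters"))
            elif "-ipsec-proposal-" in ctx:
                if w[0] == "transform" and "ah" in w[1].split("-"):
                    # AH authenticates the outer IP header, so it breaks behind NAT.
                    findings.append(("info", ctx, f"{cmd}: AH cannot traverse NAT; relevant if a spoke sits behind NAT"))
                elif w[0] == "esp" and w[1] == "authentication-algorithm" and w[2] in WEAK_HASH:
                    findings.append(("high", ctx, f"{cmd}: weak integrity algorithm"))
                elif w[0] == "esp" and w[1] == "encryption-algorithm" and w[2] in WEAK_CIPHER:
                    findings.append(("high", ctx, f"{cmd}: weak cipher"))
    # Cross-command checks: DPD on every IKE peer, IPsec profile on every GRE tunnel.
    for ctx, cmds in sections.items():
        if "-ike-peer-" in ctx and not any(c.startswith("dpd") for c in cmds):
            findings.append(("medium", ctx, "no DPD configured; a dead spoke keeps stale SAs alive"))
        if "-Tunnel" in ctx and any(c.startswith("tunnel-protocol gre") for c in cmds) \
                and not any(c.startswith("ipsec profile") for c in cmds):
            findings.append(("high", ctx, "GRE tunnel has no ipsec profile bound; tunnel traffic is unencrypted"))
    return findings


if __name__ == "__main__":
    for sev, ctx, msg in audit(HUB_CONFIG):
        print(f"[{sev}] {ctx}: {msg}")
```

Run against the Hub transcript, the script flags two high-severity items (DH group 5 and the pre-shared key) and one informational note about AH; everything else in the configuration passes the assumed checks. Replacing `dh group5` with `dh group14` and the key with a long random value clears the high-severity findings while the AH note remains as a deployment caveat.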
【Spoke 1】
<Huawei>system-view
[Huawei]sysname Spoke 1
[Spoke 1-GigabitEthernet0/0/1]ip address 202.1.2.1 24
[Spoke 1-GigabitEthernet0/0/2]ip address 172.18.1.254 24
[Spoke 1-Tunnel0/0/0]ip address 10.1.1.2 24
[Spoke 1]ospf 2
[Spoke 1-ospf-2]area 1
[Spoke 1-ospf-2-area-0.0.0.1]network 202.1.2.0 0.0.0.255
[Spoke 1]ospf 1 router-id 10.1.1.2
[Spoke 1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[Spoke 1-ospf-1-area-0.0.0.0]network 172.18.1.0 0.0.0.255
[Spoke 1]ike proposal 1
[Spoke 1-ike-proposal-1]dh group5
[Spoke 1-ike-proposal-1]authentic