I. Network requirements:
An MSR router establishes an IPSec VPN with a SecPath1000F using IKE aggressive mode, and a GRE tunnel is then built through that IPSec VPN to an MSR on the internal network. The case comes from a real requirement: a company has several branches connected to headquarters over dynamic dial-up links, and headquarters needs to deliver multicast data to the branches. The company's SecPath1000F gateway does not support multicast, so an internal device builds the GRE tunnel directly to the branch MSR to carry the multicast traffic. The VPN tunnel must also come back up automatically if any of the devices reboots.
Equipment list:
MSR30-60, one unit, acting as branch "branch1";
MSR20-40, one unit, acting as the internal router "OUT";
SecPath1000F, one unit, acting as the VPN access device;
Applicable devices and versions: MSR series, Version 5.20, 1205P01 and later.
SecPath series, VRP software, Version 3.40, ESS 1622L02
II. Network diagram:
![](http://kms.h3c.com/kms/repository/repository/20380.jpg)
The IP address of each interface is as shown in the diagram.
III. Configuration steps:
1. Connect the network as shown in Figure 1-1 and configure the IP address of each interface;
2. Configure the IPSec VPN, using a loopback interface address as the address protected by the IPSec VPN;
3. Configure GRE, with the loopback interface as the GRE tunnel source.
The detailed configuration of each device follows (key parts are annotated in comments):
Branch1 MSR30-60 configuration
```
#
ike local-name branch1
#
ike proposal 1
#
ike dpd 1
#
ike peer 1
exchange-mode aggressive
pre-shared-key h3c
id-type name
remote-name center
remote-address 100.0.0.1
nat traversal
dpd 1
#
ipsec proposal 1
#
ipsec policy 1 1 isakmp
security acl 3001
ike-peer 1
proposal 1
#
acl number 3000
rule 0 permit ip
acl number 3001
rule 0 permit ip source 192.168.1.2 0 destination 192.168.1.1 0
rule 5 deny ip
#
interface LoopBack0
ip address 192.168.1.2 255.255.255.255
#
interface GigabitEthernet0/1
port link-mode route
ip address 100.0.0.2 255.0.0.0
ipsec policy 1
#
interface Tunnel1
ip address 172.16.1.2 255.255.255.0
source LoopBack0
destination 192.168.1.1
keepalive 3 3 // ensures that after any device reboots, the GRE keepalive packets match the IPSec ACL and trigger re-establishment of the VPN
#
ip route-static 192.168.1.1 255.255.255.255 100.0.0.1
```
Center SecPath1000F configuration
```
#
ipsec policy-template a 1
ike-peer 1
proposal 1
#
ipsec policy a1 1 isakmp template a
#
acl number 3001
rule 0 permit gre source 192.168.1.2 0 destination 192.168.2.1 0
#
interface GigabitEthernet0/0
ip address 101.0.0.1 255.0.0.0
#
interface GigabitEthernet0/1
ip address 100.0.0.1 255.0.0.0
ipsec policy a1
#
ip route-static 192.168.1.1 255.255.255.255 101.0.0.2 preference 60
ip route-static 192.168.1.2 255.255.255.255 100.0.0.2 preference 60
```
OUT MSR20-40 configuration
```
#
interface Ethernet0/1
port link-mode route
ip address 101.0.0.2 255.0.0.0
#
interface LoopBack0
ip address 192.168.1.1 255.255.255.255
#
interface Tunnel1
ip address 172.16.1.1 255.255.255.0
source LoopBack0
destination 192.168.1.2
keepalive 3 3
pim sm
#
ip route-static 192.168.1.2 255.255.255.255 101.0.0.1
```
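The IPSec traffic selectors on the two ends have to mirror each other (same protocol, source and destination swapped), and the GRE endpoints must fall inside the local selector, otherwise the keepalives never trigger IKE and the tunnel stays down after a reboot. The following script is an added example, not part of the original post or any H3C tool: it parses Comware-style `rule ... permit <proto> source A W destination B W` lines and reports non-mirrored flows and uncovered tunnel endpoints. The ACL lines embedded in it are copied from the configurations above; the function names are my own. Run against the two ACLs printed above it reports that neither rule mirrors the other (the branch side matches protocol `ip` toward 192.168.1.1, the center side matches `gre` toward 192.168.2.1); whether that matters in practice depends on the omitted parts of the center configuration, since the policy template as printed does not bind ACL 3001 at all.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One permitted IPSec selector: protocol plus source/destination networks."""
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(addr, wildcard):
    """Turn a Comware address + wildcard pair into a network.
    Wildcard bits set to 1 mean 'any'; '0' is shorthand for a single host.
    Assumes a contiguous wildcard (0.0.0.255 style), which is what the page uses."""
    wc = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - bin(wc).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_acl_rule(line):
    """Parse 'rule N permit <proto> [source A W] [destination B W]'.
    Deny rules and anything else return None (they select nothing for IPSec)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "rule" or tok[2] != "permit":
        return None
    proto = tok[3]
    src = dst = ipaddress.ip_network("0.0.0.0/0")
    i = 4
    while i < len(tok):
        if tok[i] == "source":
            src = _net(tok[i + 1], tok[i + 2]); i += 3
        elif tok[i] == "destination":
            dst = _net(tok[i + 1], tok[i + 2]); i += 3
        else:
            i += 1
    return Flow(proto, src, dst)


def parse_acl(lines):
    return [f for f in map(parse_acl_rule, lines) if f is not None]


def mirror_problems(local_rules, peer_rules):
    """Every permit flow on one side must exist on the other side with
    source and destination swapped and the same protocol."""
    local, peer = parse_acl(local_rules), parse_acl(peer_rules)
    problems = []
    for f in local:
        if Flow(f.proto, f.dst, f.src) not in peer:
            problems.append(f"peer has no mirror of local {f.proto} {f.src} -> {f.dst}")
    for f in peer:
        if Flow(f.proto, f.dst, f.src) not in local:
            problems.append(f"local has no mirror of peer {f.proto} {f.src} -> {f.dst}")
    return problems


def covers(rules, proto, src_ip, dst_ip):
    """True if some permit flow selects proto traffic from src_ip to dst_ip
    (a 'permit ip' flow covers every protocol, including gre)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(f.proto in ("ip", proto) and s in f.src and d in f.dst
               for f in parse_acl(rules))


# ACL lines copied from the branch and center configurations above.
BRANCH_ACL_3001 = [
    "rule 0 permit ip source 192.168.1.2 0 destination 192.168.1.1 0",
    "rule 5 deny ip",
]
CENTER_ACL_3001 = [
    "rule 0 permit gre source 192.168.1.2 0 destination 192.168.2.1 0",
]

if __name__ == "__main__":
    for p in mirror_problems(BRANCH_ACL_3001, CENTER_ACL_3001):
        print("MISMATCH:", p)
    # Branch Tunnel1: source LoopBack0 (192.168.1.2), destination 192.168.1.1
    print("branch GRE covered:", covers(BRANCH_ACL_3001, "gre", "192.168.1.2", "192.168.1.1"))
```

The check is deliberately strict (exact mirror); a `permit ip` on one side against a `permit gre` on the other is reported even though `ip` is a superset, because IKE negotiates the selectors the initiator proposes and a responder with a narrower rule may reject or one-way the SA.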
IV. Result analysis
After the configuration is complete, checking on the branch side gives the following results:
```
[branch1]dis ike sa
total phase-1 SAs: 0
connection-id peer flag phase doi
----------------------------------------------------------
3 100.0.0.1 RD|ST 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
[branch1]dis ips sa
===============================
Interface: GigabitEthernet0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "1"
sequence number: 1
mode: isakmp
-----------------------------
connection id: 3
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local address: 100.0.0.2
remote address: 100.0.0.1
flow: (1091 times matched)
sour addr: 192.168.1.2/255.255.255.255 port: 0 protocol: IP
dest addr: 192.168.1.1/255.255.255.255 port: 0 protocol: IP
[inbound ESP SAs]
spi: 4128541965 (0xf6148d0d)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887393570/2044
max received sequence-number: 1090
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 472463532 (0x1c2938ac)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887397212/2044
max sent sequence-number: 1049
udp encapsulation used for nat traversal: N
```
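Reading `display ipsec sa` by eye tells you the tunnel is up, but it is also where the weak points of this setup are visible: the negotiated proposal is ESP-ENCRYPT-DES with ESP-AUTH-MD5 and PFS is off, both of which are what you get from an empty `ipsec proposal 1` / `ike proposal 1` on these versions. The script below is an added example, not part of the original post or any H3C tool: it parses the output above (embedded verbatim as sample input), extracts the tunnel endpoints, flows, SPIs and NAT-T state per SA direction, and returns audit findings for weak algorithms and missing PFS. The function names and the weak-algorithm list are my own choices.

```python
import re

# Sample input: the `display ipsec sa` output from the page above, copied verbatim.
SAMPLE_IPSEC_SA = """\
Interface: GigabitEthernet0/1
path MTU: 1500
IPsec policy name: "1"
sequence number: 1
mode: isakmp
connection id: 3
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local address: 100.0.0.2
remote address: 100.0.0.1
flow: (1091 times matched)
sour addr: 192.168.1.2/255.255.255.255 port: 0 protocol: IP
dest addr: 192.168.1.1/255.255.255.255 port: 0 protocol: IP
[inbound ESP SAs]
spi: 4128541965 (0xf6148d0d)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887393570/2044
max received sequence-number: 1090
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 472463532 (0x1c2938ac)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887397212/2044
max sent sequence-number: 1049
udp encapsulation used for nat traversal: N
"""

# Algorithm suffixes (the last dash-separated token of a Comware proposal name)
# that should not be used for new deployments. Assumed list, chosen for this example.
WEAK_ALGS = {"DES", "3DES", "MD5"}


def parse_ipsec_sa(text):
    """Parse one policy entry of `display ipsec sa` into a dict.
    'sas' holds one dict per [inbound|outbound ESP SAs] section."""
    info = {"interface": None, "policy": None, "local": None, "remote": None,
            "pfs": None, "flow": {}, "flow_matches": None, "sas": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Interface:\s*(\S+)", line):
            info["interface"] = m.group(1)
        elif m := re.match(r'IPsec policy name:\s*"?([^"]+)"?', line):
            info["policy"] = m.group(1)
        elif m := re.match(r"local address:\s*(\S+)", line):
            info["local"] = m.group(1)
        elif m := re.match(r"remote address:\s*(\S+)", line):
            info["remote"] = m.group(1)
        elif m := re.match(r"perfect forward secrecy:\s*(\S+)", line):
            info["pfs"] = m.group(1)
        elif m := re.match(r"flow:\s*\((\d+) times matched\)", line):
            info["flow_matches"] = int(m.group(1))
        elif m := re.match(r"(sour|dest) addr:\s*(\S+)\s+port:\s*(\d+)\s+protocol:\s*(\S+)", line):
            key = "src" if m.group(1) == "sour" else "dst"
            info["flow"][key] = m.group(2)
            info["flow"]["protocol"] = m.group(4)
        elif m := re.match(r"\[(inbound|outbound) ESP SAs\]", line):
            current = {"direction": m.group(1)}
            info["sas"].append(current)
        elif current is not None:
            if m := re.match(r"spi:\s*(\d+)", line):
                current["spi"] = int(m.group(1))
            elif m := re.match(r"proposal:\s*(.+)", line):
                current["proposal"] = m.group(1).split()
            elif m := re.match(r"sa remaining key duration \(bytes/sec\):\s*(\d+)/(\d+)", line):
                current["remaining_bytes"] = int(m.group(1))
                current["remaining_sec"] = int(m.group(2))
            elif m := re.match(r"udp encapsulation used for nat traversal:\s*(\w)", line):
                current["nat_t"] = m.group(1) == "Y"
    return info


def audit(info):
    """Return a list of findings a reviewer would raise about this SA."""
    findings = []
    if not info["sas"]:
        findings.append("no ESP SAs present: tunnel is not established")
    if info["pfs"] == "None":
        findings.append("PFS disabled: a compromised IKE key exposes all ESP keys")
    for sa in info["sas"]:
        for alg in sa.get("proposal", []):
            if alg.split("-")[-1] in WEAK_ALGS:
                findings.append(f"{sa['direction']} SA uses weak algorithm {alg}")
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE_IPSEC_SA)
    print(parsed["local"], "->", parsed["remote"], parsed["flow"])
    for finding in audit(parsed):
        print("FINDING:", finding)
```

On the page's output the audit reports PFS disabled plus DES and MD5 on both SA directions; the remedy on the devices is an explicit `ipsec proposal` and `ike proposal` with stronger algorithms and a PFS group, which the original configuration leaves at defaults.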
And from the branch side, the GRE tunnel interface address on the internal network can be pinged:
```
[branch1]ping 172.16.1.1
PING 172.16.1.1: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.1: bytes=56 Sequence=1 ttl=255 time=4 ms
Reply from 172.16.1.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 172.16.1.1: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 172.16.1.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 172.16.1.1: bytes=56 Sequence=5 ttl=255 time=2 ms
--- 172.16.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/4 ms
```
Reposted from: https://blog.51cto.com/sfwang/355279