21. Mini project (IPSec + PPPoE)

This lab is built mainly on PPPoE and IPSec; the topology is as follows:
[topology diagram]
PC2 and PC3 represent the internal networks, and R2 and R3 are the gateway routers used to connect to the external network. R4 is the ISP router, connected to the company's gateway routers. PPPoE + IPSec is configured on the links between R4 and R2/R3 to ensure the security and redundancy of the network. The configuration is as follows:
R1:

[V200R003C00]
#
 sysname R1
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
acl number 3000  
 rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 
 rule 10 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255 
 rule 15 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.4.0 0.0.0.255 
 rule 20 permit ip 
#
ipsec proposal test
 esp encryption-algorithm aes-128
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike peer test v1
 pre-shared-key cipher %$%${"@cGFyLlVmL@4G,4=J.,.2n%$%$
 ike-proposal 1
#
ipsec policy-template test 1
 ike-peer test
 proposal test
#
ipsec policy 1 10 isakmp template test
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 192.168.1.254 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 14.1.1.1 255.255.255.0 
 ipsec policy 1
 nat outbound 3000
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 14.1.1.4
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

R2:

[V200R003C00]
#
 sysname R2
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
acl number 3000  
 rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 
 rule 10 permit ip 
acl number 3001  
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 
#
ipsec proposal 1
 esp encryption-algorithm aes-128
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike peer test v1
 pre-shared-key cipher %$%${"@cGFyLlVmL@4G,4=J.,.2n%$%$
 ike-proposal 1
 remote-address 14.1.1.1
#
ipsec policy test 10 isakmp
 security acl 3001
 ike-peer test
 proposal 1
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 42.1.1.2 255.255.255.0 
 ipsec policy test
 nat outbound 3000
#
interface GigabitEthernet0/0/1
 ip address 192.168.2.254 255.255.255.0 
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 42.1.1.4
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

R3:

[V200R003C00]
#
 sysname R3
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
acl number 3000  
 rule 5 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 
 rule 10 permit ip 
acl number 3001  
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 
#
ipsec proposal 1
 esp encryption-algorithm aes-128
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike peer test v1
 pre-shared-key cipher %$%${"@cGFyLlVmL@4G,4=J.,.2n%$%$
 ike-proposal 1
 remote-address 14.1.1.1
#
ipsec policy test 10 isakmp
 security acl 3001
 ike-peer test
 proposal 1
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
 nat address-group 1 43.1.1.1 43.1.1.1
#
interface Dialer1
 link-protocol ppp
 ppp chap user huawei
 ppp chap password cipher %$%$8`>^Y.wWz1'u2Y90IQ9Y,"|&%$%$
 ip address ppp-negotiate
 dialer user user1
 dialer bundle 1
 dialer queue-length 8
 dialer timer idle 300
 dialer-group 1
 ipsec policy test
 nat outbound 3000
#
interface GigabitEthernet0/0/0
 pppoe-client dial-bundle-number 1 
#
interface GigabitEthernet0/0/1
 ip address 192.168.3.254 255.255.255.0 
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
dialer-rule
 dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

R4:

[V200R003C00]
#
 sysname R4
#
 board add 0/2 4GET 
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
ip pool pool1
 gateway-list 43.1.1.254 
 network 43.1.1.0 mask 255.255.255.0 
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
 local-user huawei password cipher %$%$ST#,;a-@X"4NfJ:"}#DJXW7O%$%$
 local-user huawei service-type ppp
#
firewall zone Local
 priority 15
#
interface Virtual-Template1
 ppp authentication-mode chap 
 remote address pool pool1
 ip address 43.1.1.254 255.255.255.0 
#
interface GigabitEthernet0/0/0
 ip address 14.1.1.4 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 42.1.1.4 255.255.255.0 
#
interface GigabitEthernet0/0/2
 pppoe-server bind Virtual-Template 1
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet2/0/1
#
interface GigabitEthernet2/0/2
#
interface GigabitEthernet2/0/3
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 Virtual-Template1
ip route-static 192.168.1.0 255.255.255.0 14.1.1.1
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

One detail is called out in a small box in the diagram: the IPSec policy must be applied on the PPPoE virtual interface (Dialer1), and the same goes for the NAT translation (nat outbound).
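As an added check written for this page (not part of the original lab), the following Python script parses VRP-style configuration text and verifies the two points this lab turns on: that ipsec policy and nat outbound sit on the Dialer interface bound to the PPPoE client port, and that every flow the IPSec security ACL protects is denied in the NAT ACL so it is not translated before it reaches the policy (the deny-before-permit pattern in ACL 3000). The embedded sample is a trimmed copy of R3's configuration; the second check also applies to any interface carrying both an ipsec policy and nat outbound, such as R2's GigabitEthernet0/0/0.

```python
import re

# Constructed sample: the security-relevant parts of the R3 configuration on this page.
R3_CONFIG = """acl number 3000
 rule 5 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 10 permit ip
acl number 3001
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ipsec policy test 10 isakmp
 security acl 3001
interface Dialer1
 dialer bundle 1
 ipsec policy test
 nat outbound 3000
interface GigabitEthernet0/0/0
 pppoe-client dial-bundle-number 1
"""
RULE = re.compile(r"rule \d+ (deny|permit) ip source (\S+ \S+) destination (\S+ \S+)")

def parse_vrp(text):  # map each unindented line (VRP section header) to its child lines
    cfg, header = {}, None
    for line in (l for l in text.splitlines() if l.strip() not in ("", "#")):
        if line.startswith(" "):
            cfg.setdefault(header, []).append(line.strip())
        else:
            header = line.strip()
            cfg.setdefault(header, [])
    return cfg
def _arg(body, prefix):  # last token of the first child line starting with prefix
    return next((b.split()[-1] for b in body if b.startswith(prefix)), None)
def _flows(cfg, acl, action):  # (source, destination) pairs of the ACL's rules with that action
    matches = map(RULE.match, cfg.get(f"acl number {acl}", []))
    return {m.group(2, 3) for m in matches if m and m.group(1) == action}
def audit(text):  # IPSec/NAT must sit on the PPPoE dialer; protected flows must bypass NAT
    cfg, findings = parse_vrp(text), []
    for hdr, body in cfg.items():
        bundle = _arg(body, "pppoe-client dial-bundle-number")
        if bundle:  # physical PPPoE port: policy and NAT belong on the matching dialer
            dialer = next((h for h, b in cfg.items() if f"dialer bundle {bundle}" in b), hdr)
            if not (_arg(cfg[dialer], "ipsec policy") and _arg(cfg[dialer], "nat outbound")):
                findings.append(f"{dialer}: ipsec policy and nat outbound not applied on dialer")
        pol, nat = _arg(body, "ipsec policy"), _arg(body, "nat outbound")
        if hdr.startswith("interface") and pol and nat:
            sec_acl = next((_arg(b, "security acl") for h, b in cfg.items()
                            if h.startswith(f"ipsec policy {pol} ")), None)
            # Protected flows must be denied in the NAT ACL, or they are translated first.
            leaked = _flows(cfg, sec_acl, "permit") - _flows(cfg, nat, "deny")
            findings += [f"{hdr}: {s} -> {d} is NATed before IPSec" for s, d in leaked]
    return findings
```

`audit(R3_CONFIG)` returns an empty list for the configuration as shown; moving the policy onto GigabitEthernet0/0/0 or dropping the deny rule from ACL 3000 each produces one finding.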
