配置IPsec VPN 隧道(策略组)示例
要求:
如图所示,AR2和AR3为分支网关,AR1为总部网关。分支连接有多个私网网络,需要和总部建立安全的通信连接。在AR1部署IPSec策略组,就可以接入各分支发起的IPSec协商,完成多条IPSec隧道的建立。
总部:
AR1:
#
sysname AR1
#
acl number 3001
rule 1 permit ipsource 192.168.1.0 0.0.0.255
acl number 3002
rule 1 permit ipsource 192.168.1.0 0.0.0.255 destination 172.100.10.0 0.0.0.255
\\允许去往分部 1 的acl
acl number 3003
rule 1 permit ipsource 192.168.1.0 0.0.0.255 destination 100.100.100.0 0.0.0.255
\\允许去往分部 2 的acl
#
ipsec proposal tran1 \\配置安全提议
#
ike peer rut1 v2 \\配置IKE Peer (分部 1)
pre-shared-key simpleadmin
remote-address111.111.111.1
ike peer rut2 v2 \\配置IKE Peer (分部 2)
pre-shared-key simpleadmin
remote-address222.222.222.1
#
ipsec policy policy1 10isakmp \\配置安全策略 1(分部 1)
security acl 3002
ike-peer rut1
proposal tran1
ipsec policy policy2 11isakmp \\配置安全策略 2(分部 2)
security acl 3003
ike-peer rut2
proposal tran1
#
interfaceGigabitEthernet0/0/0
ip address222.222.222.2 255.255.255.252
ipsec policy policy2 \\在接口上引用安全策略 2
nat outbound 3001
#
interfaceGigabitEthernet0/0/1
ip address111.111.111.2 255.255.255.252
ipsec policy policy1 \\在接口上引用安全策略 1
nat outbound 3001
#
interfaceGigabitEthernet0/0/2
ip address 10.10.10.1255.255.255.0
#
ip route-static 0.0.0.00.0.0.0 111.111.111.1
ip route-static 0.0.0.00.0.0.0 222.222.222.1
ip route-static100.100.100.0 255.255.255.0 222.222.222.1 \\配置到分部2内网的静态路由
ip route-static111.111.111.0 255.255.255.0 111.111.111.1 \\配置到分部1外网端的静态路由
ip route-static 172.100.10.0255.255.255.0 111.111.111.1 \\配置到分部1内网的静态路由
ip route-static 192.168.1.0255.255.255.0 10.10.10.2
ip route-static222.222.222.0 255.255.255.0 222.222.222.1 \\配置到分部2外网端的静态路由
S1:
#
sysname S1
#
vlan batch 10 20
#
dhcp enable
#
ip pool 1
gateway-list192.168.1.1
network 192.168.1.0mask 255.255.255.0
dns-list 8.8.8.8
#
interface Vlanif10
ip address 10.10.10.2255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1255.255.255.0
dhcp select global
#
interfaceGigabitEthernet0/0/1
port link-type access
port default vlan 20
#
interfaceGigabitEthernet0/0/2
port link-type access
port default vlan 10
#
ip route-static 0.0.0.00.0.0.0 10.10.10.1
分部1:
AR2:
#
sysname AR2
#
acl number 3001
rule 1 permit ipsource 172.100.10.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
\\允许去往总部的acl
acl number 3002
rule 1 permit ipsource 172.100.10.0 0.0.0.255
#
ipsec proposal tran1 \\配置安全提议
#
ike peer rut1 v2 \\配置IKE Peer
pre-shared-key simpleadmin
remote-address111.111.111.2
#
ipsec policy policy1 10isakmp \\配置安全策略
security acl 3001
ike-peer rut1
proposal tran1
#
interfaceGigabitEthernet0/0/1
ip address111.111.111.1 255.255.255.252
ipsec policy policy1 \\在接口上引用安全策略
nat outbound 3002
#
interfaceGigabitEthernet0/0/2
ip address 20.20.20.1255.255.255.0
#
iproute-static 0.0.0.0 0.0.0.0 111.111.111.2
ip route-static111.111.111.0 255.255.255.0 111.111.111.2 \\配置到总部外网端的静态路由
ip route-static 172.100.10.0255.255.255.0 20.20.20.2
ip route-static 192.168.1.0255.255.255.0 111.111.111.2 \\配置到总部内网的静态路由
S2:
#
sysname S2
#
vlan batch 10 20
#
dhcp enable
#
ip pool 1
gateway-list172.100.10.1
network 172.100.10.0mask 255.255.255.0
dns-list 8.8.8.8
#
interface Vlanif10
ip address 20.20.20.2255.255.255.0
#
interface Vlanif20
ip address172.100.10.1 255.255.255.0
dhcp select global
#
interfaceGigabitEthernet0/0/1
port link-type access
port default vlan 20
#
interfaceGigabitEthernet0/0/2
port link-type access
port default vlan 10
#
ip route-static 0.0.0.00.0.0.0 20.20.20.1
分部2:
AR3:
#
sysname AR3
#
acl number 3001
rule 1 permit ipsource 100.100.100.0 0.0.0.255 destination 192.168.1.0 0.0.0.2
55 \\允许去往总部的acl
acl number 3002
rule 1 permit ipsource 100.100.100.0 0.0.0.255
#
ipsec proposal tran1 \\配置安全提议
#
ike peer rut1 v2 \\配置IKE Peer
pre-shared-key simpleadmin
remote-address222.222.222.2
#
ipsec policy policy1 10isakmp \\配置安全策略
security acl 3001
ike-peer rut1
proposal tran1
#
interfaceGigabitEthernet0/0/0
ip address222.222.222.1 255.255.255.252
ipsec policy policy1 \\在接口上引用安全策略
nat outbound 3002
#
interfaceGigabitEthernet0/0/1
ip address 30.30.30.1255.255.255.0
#
interfaceGigabitEthernet0/0/2
#
ip route-static 0.0.0.00.0.0.0 222.222.222.2
ip route-static 192.168.1.0255.255.255.0 222.222.222.2 \\配置到总部内网的静态路由
ip route-static 100.100.100.0 255.255.255.0 30.30.30.2
ip route-static222.222.222.0 255.255.255.0 222.222.222.2 \\配置到总部外网端的静态路由
S3:
#
sysname S3
#
vlan batch 10 20
#
dhcp enable
#
ip pool 1
gateway-list100.100.100.1
network 100.100.100.0mask 255.255.255.0
dns-list 8.8.8.8
#
interface Vlanif10
ip address 30.30.30.2255.255.255.0
#
interface Vlanif20
ip address100.100.100.1 255.255.255.0
dhcp select global
#
interfaceGigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interfaceGigabitEthernet0/0/2
port link-type access
port default vlan 20
#
ip route-static 0.0.0.00.0.0.0 30.30.30.1
推荐本站淘宝优惠价购买喜欢的宝贝:
本文链接:https://hqyman.cn/post/4647.html 非本站原创文章欢迎转载,原创文章需保留本站地址!
休息一下~~