
配置IPsec VPN 隧道(策略组)示例

配置IPsec VPN 隧道(策略组)示例


要求:


如图所示,AR2和AR3为分支网关,AR1为总部网关。各分支连接有多个私网,需要与总部建立安全的通信连接。在AR1上部署IPsec策略组,即可接收各分支发起的IPsec协商,从而建立多条IPsec隧道。

 

9795bdda35b82db40b6c1d824f7ee05a_423e23d52992c911c0425afc7bbc163e.png


 


 


 


总部:

 


AR1:

 


#

 


 sysname AR1

 


#

 


acl number 3001 

 


 rule 1 permit ip source 192.168.1.0 0.0.0.255    \\用于 nat outbound 3001 的地址转换范围。若设备先执行NAT再匹配IPsec策略(AR系列通常如此),应在本条permit之前先deny去往分部内网(172.100.10.0/24、100.100.100.0/24)的流量,否则这些报文会先被NAT转换而无法匹配IPsec ACL、进不了隧道

 


acl number 3002 

 


 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 172.100.10.0 0.0.0.255

 


                                     \\允许去往分部 1 的acl

 


acl number 3003 

 


 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 100.100.100.0 0.0.0.255

 


                                     \\允许去往分部 2 的acl

 


#

 


ipsec proposal tran1  \\配置安全提议(此处未指定封装模式及加密/认证算法,将使用设备默认值;请确认默认算法满足当前的安全要求)

 


#

 


ike peer rut1 v2      \\配置IKE Peer (分部 1)。示例中所有对端均使用同一个弱预共享密钥 simpleadmin,仅作演示;实际部署应为每个对端配置独立、足够长的随机密钥

 


 pre-shared-key simpleadmin

 


 remote-address 111.111.111.1

 


ike peer rut2 v2      \\配置IKE Peer (分部 2)  

 


 pre-shared-key simpleadmin

 


 remote-address 222.222.222.1

 


#

 


ipsec policy policy1 10 isakmp     \\配置安全策略 1(分部 1)。注意:本例中policy1与policy2名称不同、分别应用于不同接口,并非同一策略组;若要在同一接口以策略组方式接入多个分支,需使用相同策略名、不同序号

 


 security acl 3002

 


 ike-peer rut1

 


 proposal tran1

 


ipsec policy policy2 11 isakmp      \\配置安全策略 2(分部 2)

 


 security acl 3003

 


 ike-peer rut2

 


 proposal tran1

 


#

 


interface GigabitEthernet0/0/0

 


 ip address 222.222.222.2 255.255.255.252

 


 ipsec policy policy2     \\在接口上引用安全策略 2

 


 nat outbound 3001

 


#

 


interface GigabitEthernet0/0/1

 


 ip address 111.111.111.2 255.255.255.252

 


 ipsec policy policy1      \\在接口上引用安全策略 1

 


 nat outbound 3001

 


#

 


interface GigabitEthernet0/0/2

 


 ip address 10.10.10.1 255.255.255.0

 


#

 


ip route-static 0.0.0.0 0.0.0.0 111.111.111.1

 


ip route-static 0.0.0.0 0.0.0.0 222.222.222.1

 


ip route-static 100.100.100.0 255.255.255.0 222.222.222.1   \\配置到分部2内网的静态路由

 


ip route-static 111.111.111.0 255.255.255.0 111.111.111.1   \\配置到分部1外网端的静态路由

 


ip route-static 172.100.10.0 255.255.255.0 111.111.111.1    \\配置到分部1内网的静态路由

 


ip route-static 192.168.1.0 255.255.255.0 10.10.10.2

 


ip route-static 222.222.222.0 255.255.255.0 222.222.222.1    \\配置到分部2外网端的静态路由

 


 

 


 

 


S1:

 


 

 


#

 


sysname S1

 


#

 


vlan batch 10 20

 


#

 


dhcp enable

 


#

 


ip pool 1

 


 gateway-list 192.168.1.1

 


 network 192.168.1.0 mask 255.255.255.0

 


 dns-list 8.8.8.8 

 


#

 


interface Vlanif10

 


 ip address 10.10.10.2 255.255.255.0

 


#

 


interface Vlanif20

 


 ip address 192.168.1.1 255.255.255.0

 


 dhcp select global

 


#

 


interface GigabitEthernet0/0/1

 


 port link-type access

 


 port default vlan 20

 


#

 


interface GigabitEthernet0/0/2

 


 port link-type access

 


 port default vlan 10

 


#

 


ip route-static 0.0.0.0 0.0.0.0 10.10.10.1

 


 

 


 

 


分部1:

 


AR2:

 


 

 


#

 


 sysname AR2

 


#

 


acl number 3001 

 


 rule 1 permit ip source 172.100.10.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

 


                                   \\允许去往总部的acl

 


acl number 3002 

 


 rule 1 permit ip source 172.100.10.0 0.0.0.255    \\用于 nat outbound 3002。若设备先执行NAT再匹配IPsec策略(AR系列通常如此),应在本条permit之前先deny去往总部内网 192.168.1.0/24 的流量,否则该流量会先被NAT转换而进不了隧道

 


#

 


ipsec proposal tran1   \\配置安全提议

 


#

 


ike peer rut1 v2   \\配置IKE Peer

 


 pre-shared-key simpleadmin

 


 remote-address 111.111.111.2

 


#

 


ipsec policy policy1 10 isakmp    \\配置安全策略

 


 security acl 3001

 


 ike-peer rut1

 


 proposal tran1

 


#

 


interface GigabitEthernet0/0/1

 


 ip address 111.111.111.1 255.255.255.252

 


 ipsec policy policy1  \\在接口上引用安全策略

 


 nat outbound 3002

 


 

 


#

 


interface GigabitEthernet0/0/2

 


 ip address 20.20.20.1 255.255.255.0

 


#

 


ip route-static 0.0.0.0 0.0.0.0 111.111.111.2

 


ip route-static 111.111.111.0 255.255.255.0 111.111.111.2  \\配置到总部外网端的静态路由

 


ip route-static 172.100.10.0 255.255.255.0 20.20.20.2

 


ip route-static 192.168.1.0 255.255.255.0 111.111.111.2    \\配置到总部内网的静态路由

 


 

 


 

 


S2:

 


 

 


#

 


sysname S2

 


#

 


vlan batch 10 20

 


#

 


dhcp enable

 


#

 


ip pool 1

 


 gateway-list 172.100.10.1

 


 network 172.100.10.0 mask 255.255.255.0

 


 dns-list 8.8.8.8

 


#

 


interface Vlanif10

 


 ip address 20.20.20.2 255.255.255.0

 


#

 


interface Vlanif20

 


 ip address 172.100.10.1 255.255.255.0

 


 dhcp select global

 


#

 


interface GigabitEthernet0/0/1

 


 port link-type access

 


 port default vlan 20

 


#

 


interface GigabitEthernet0/0/2

 


 port link-type access

 


 port default vlan 10

 


#

 


ip route-static 0.0.0.0 0.0.0.0 20.20.20.1

 


 

 


 

 


分部2:

 


AR3:

 


 

 


#

 


 sysname AR3

 


#

 


acl number 3001 

 


 rule 1 permit ip source 100.100.100.0 0.0.0.255 destination 192.168.1.0 0.0.0.255       \\允许去往总部的acl

 


acl number 3002 

 


 rule 1 permit ip source 100.100.100.0 0.0.0.255    \\用于 nat outbound 3002。若设备先执行NAT再匹配IPsec策略(AR系列通常如此),应在本条permit之前先deny去往总部内网 192.168.1.0/24 的流量,否则该流量会先被NAT转换而进不了隧道

 


#

 


ipsec proposal tran1  \\配置安全提议

 


#

 


ike peer rut1 v2       \\配置IKE Peer

 


 pre-shared-key simpleadmin

 


 remote-address 222.222.222.2

 


#

 


ipsec policy policy1 10 isakmp     \\配置安全策略

 


 security acl 3001

 


 ike-peer rut1

 


 proposal tran1

 


#

 


interface GigabitEthernet0/0/0

 


 ip address 222.222.222.1 255.255.255.252

 


 ipsec policy policy1       \\在接口上引用安全策略

 


 nat outbound 3002

 


#

 


interface GigabitEthernet0/0/1

 


 ip address 30.30.30.1 255.255.255.0

 


#

 


interface GigabitEthernet0/0/2

 


#

 


ip route-static 0.0.0.0 0.0.0.0 222.222.222.2

 


ip route-static 192.168.1.0 255.255.255.0 222.222.222.2      \\配置到总部内网的静态路由

 


ip route-static 100.100.100.0 255.255.255.0 30.30.30.2

 


ip route-static 222.222.222.0 255.255.255.0 222.222.222.2     \\配置到总部外网端的静态路由

 


 

 


 

 


S3:

 


 

 


#

 


sysname S3

 


#

 


vlan batch 10 20

 


#

 


dhcp enable

 


#

 


ip pool 1

 


 gateway-list 100.100.100.1

 


 network 100.100.100.0 mask 255.255.255.0

 


 dns-list 8.8.8.8

 


#

 


interface Vlanif10

 


 ip address 30.30.30.2 255.255.255.0

 


#

 


interface Vlanif20

 


 ip address 100.100.100.1 255.255.255.0

 


 dhcp select global

 


#

 


interface GigabitEthernet0/0/1

 


 port link-type access

 


 port default vlan 10

 


#

 


interface GigabitEthernet0/0/2

 


 port link-type access

 


 port default vlan 20

 


#

 


ip route-static 0.0.0.0 0.0.0.0 30.30.30.1

 



