2024-11-21 11:19:02

H3C IPsec VPN (one end with a fixed IP address, the other end on PPPoE dial-up)

The company headquarters uses a broadband line with a fixed IP address, while the branch office uses PPPoE dial-up broadband. The customer now wants branch staff to access the servers at headquarters directly.

Devices usually have NAT-T enabled by default; if it is not, enable NAT traversal.

Branch office: 192.168.1.0    Headquarters: 192.188.188.0

Branch office (PPPoE dial-up side) configuration

Note: the dial-up side must be configured with NQA, so that the IPsec VPN can still be established after the device on the static-address side reboots.

The role of NQA is to generate traffic that matches the interesting-traffic ACL, so that the IKE SA and IPsec SA get established.

#
nqa entry 1 1 (NQA configuration)
 type icmp-echo
  destination ip 192.188.188.1
  frequency 5000
  history-record enable
  history-record number 10
  probe count 10
  probe timeout 500
  source ip 192.168.1.1
#
nqa schedule 1 1 start-time now lifetime forever
#
acl advanced 3000 (interesting traffic)
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.188.188.0 0.0.0.255
#
acl advanced 3001 (NAT policy: traffic from 192.168.1.0 to 192.188.188.0 must be denied here so that it is not NATed straight out but goes through the IPsec VPN tunnel)
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.188.188.0 0.0.0.255
 rule 5 permit ip
#
ipsec sa global-duration time-based 180 (global IPsec SA lifetime)
#
ike keepalive interval 20 (interval between IKE SA keepalive messages)
ike keepalive timeout 30 (how long the ISAKMP SA waits for the peer's keepalive before timing out)
ike identity fqdn H3CGS
#
ike proposal 1 (IKE algorithms; not mandatory)
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike keychain 1 (IKE keychain)
 pre-shared-key address 9.9.9.9 255.255.255.0 key cipher $c$3$ofo9ztWA208y7sesKxidvKztjvtmug==
#
ike profile 1
 keychain 1
 exchange-mode aggressive (aggressive mode negotiates faster than main mode: main mode exchanges 6 messages, aggressive mode only 3)
 local-identity fqdn H3CGS
 match remote identity address 9.9.9.9 255.255.255.0
 proposal 1
#
ipsec transform-set 1 (IPsec transform set)
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm md5
#
ipsec policy 1 1 isakmp (IPsec policy)
 transform-set 1
 security acl 3000
 remote-address 9.9.9.9
 ike-profile 1
#
interface Dialer1 (dial-up WAN interface configuration)
 ppp chap password cipher $c$3$NulkvnhmythH+FCXLw2Quven+ymN+7y+2Xa5
 ppp chap user 088888
 ppp ipcp dns admit-any
 ppp ipcp dns request
 ppp pap local-user 088888 password cipher $c$3$b6mzPUuarKHeb6zxkrRU+qmGgqwCJSKDq6Ss
 dialer bundle enable
 dialer-group 1
 dialer timer idle 0
 dialer timer autodial 60
 ip address ppp-negotiate
 tcp mss 1310
 nat outbound 3001
 ipsec apply policy 1 (bind the IPsec policy to the interface)
#
interface GigabitEthernet0/0 (physical interface bound to Dialer1)
 port link-mode route
 pppoe-client dial-bundle-number 1
#
ip route-static 0.0.0.0 0 Dialer1
ip route-static 192.188.188.0 24 Dialer1 (required: static route for the IPsec traffic)
#
ntp-service unicast-server 129.7.1.66


Headquarters (static address side) configuration

acl advanced 3000 (interesting traffic)
 rule 0 permit ip source 192.188.188.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
acl advanced 3001 (egress NAT configuration: keep the IPsec VPN traffic in the IPsec tunnel)
 rule 0 deny ip source 192.188.188.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 5 permit ip
#
ipsec sa global-duration time-based 180 (global IPsec SA lifetime, time-based, 180 s)
#
ike keepalive interval 20
ike keepalive timeout 30
ike identity fqdn H3CGC
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike keychain 1
 pre-shared-key hostname H3CGS key cipher $c$3$Qu2ylSoKV/IuHdLVdoSTpl30WG6izA=
#
ike profile 1
 keychain 1
 exchange-mode aggressive
 local-identity address 9.9.9.9
 match remote identity fqdn H3CGS
 proposal 1
#
ipsec transform-set 1
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm md5
#
ipsec policy-template 1 1
 transform-set 1
 security acl 3000
 ike-profile 1
#
ipsec policy 1 1 isakmp template 1
#
interface Ethernet0/0
 port link-mode route
 ip address 9.9.9.9 255.255.255.0
 nat outbound 3001
 ipsec apply policy 1
#
ip route-static 192.168.1.0 24 9.9.9.1
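The two things that most often break a site-to-site setup like this one are the NAT bypass explained in the ACL 3001 comment (if the deny rule is missing, the outbound NAT translates the branch-to-HQ traffic before the IPsec policy ever sees it) and interesting-traffic ACLs that are not exact mirror images on the two routers. The Python script below is an added example, not part of the original post and not an H3C tool: it parses the ACL and IKE keepalive lines of both routers (the two configuration texts embedded in it are constructed from the addresses above), converts H3C wildcard masks to prefixes, and reports if a `nat outbound` ACL would translate a VPN flow, if the two `security acl` rule sets are not mirrored, or if the keepalive timeout does not exceed the interval. It assumes rules are evaluated in rule-number order (the default config match order) and that traffic matched by no rule of a `nat outbound` ACL is left untranslated.

```python
"""Offline consistency check for a branch/HQ H3C IPsec configuration (added example)."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample input: the ACL and keepalive lines of the branch router,
# using the addresses from the configuration above.
BRANCH_CFG = """\
acl advanced 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.188.188.0 0.0.0.255
#
acl advanced 3001
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.188.188.0 0.0.0.255
 rule 5 permit ip
#
ike keepalive interval 20
ike keepalive timeout 30
"""

# Constructed sample input: the same lines of the headquarters router.
HQ_CFG = """\
acl advanced 3000
 rule 0 permit ip source 192.188.188.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
acl advanced 3001
 rule 0 deny ip source 192.188.188.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 5 permit ip
#
ike keepalive interval 20
ike keepalive timeout 30
"""

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?\s*$"
)


def wildcard_to_network(addr, wildcard):
    """Turn an H3C address/wildcard pair (e.g. 0.0.0.255) into an ip_network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # wildcard bits must be contiguous low bits to form a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a prefix")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def parse_acls(cfg):
    """Return {acl_number: [(rule, action, src_net, dst_net), ...]} sorted by rule."""
    acls, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        head = re.match(r"acl advanced (\d+)\b", line)
        if head:
            current = int(head.group(1))
            acls[current] = []
            continue
        if line == "#":
            current = None
            continue
        rule = RULE_RE.match(line)
        if rule and current is not None:
            num, action, src, swc, dst, dwc = rule.groups()
            acls[current].append((
                int(num), action,
                wildcard_to_network(src, swc) if src else ANY,
                wildcard_to_network(dst, dwc) if dst else ANY,
            ))
    for rules in acls.values():
        rules.sort(key=lambda r: r[0])  # assumption: default config match order
    return acls


def parse_keepalive(cfg):
    """Return (interval, timeout) in seconds; 0 when the line is absent."""
    vals = dict(re.findall(r"ike keepalive (interval|timeout) (\d+)", cfg))
    return int(vals.get("interval", 0)), int(vals.get("timeout", 0))


def first_match(rules, src, dst):
    """First rule covering the flow; no match means 'not translated' for nat outbound."""
    for num, action, rsrc, rdst in rules:
        if src.subnet_of(rsrc) and dst.subnet_of(rdst):
            return num, action
    return None, "deny"


def audit(branch_cfg, hq_cfg, ipsec_acl=3000, nat_acl=3001):
    """Return a list of findings; an empty list means the two sides are consistent."""
    findings, flows = [], {}
    for name, cfg in {"branch": branch_cfg, "hq": hq_cfg}.items():
        acls = parse_acls(cfg)
        flows[name] = {(s, d) for _, a, s, d in acls.get(ipsec_acl, []) if a == "permit"}
        for src, dst in flows[name]:
            num, action = first_match(acls.get(nat_acl, []), src, dst)
            if action == "permit":
                findings.append(f"{name}: NAT ACL {nat_acl} rule {num} would translate VPN flow {src} -> {dst}")
        interval, timeout = parse_keepalive(cfg)
        if interval and timeout <= interval:
            findings.append(f"{name}: ike keepalive timeout {timeout} must exceed interval {interval}")
    mirrored = {(d, s) for s, d in flows["hq"]}  # HQ flows seen from the branch side
    if flows["branch"] != mirrored:
        findings.append("interesting traffic is not mirrored: branch "
                        f"{sorted(f'{s}->{d}' for s, d in flows['branch'])} vs hq reversed "
                        f"{sorted(f'{s}->{d}' for s, d in mirrored)}")
    return findings


if __name__ == "__main__":
    for line in audit(BRANCH_CFG, HQ_CFG) or ["OK: NAT bypass, mirrored ACLs and keepalive timers are consistent"]:
        print(line)
```

Run it against the text of `display current-configuration` from both routers; deleting the `rule 0 deny` line from either NAT ACL, or changing one subnet on only one side, produces a finding that names the offending rule or the mismatched flow.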

Source: https://hqyman.cn/post/8521.html (articles not original to this site may be reposted freely; original articles must keep this site's address)
