The headquarters is on broadband with a fixed IP address, while the branch office is on PPPoE dial-up broadband; the customer wants branch staff to be able to reach the headquarters servers directly.
Devices usually have NAT-T enabled by default; if it is not, enable NAT traversal.
Branch: 192.168.1.0 Headquarters: 192.188.188.0
Branch (PPPoE dial-up side) configuration
Note: the dial-up side must have NQA configured; otherwise, if the static-address device reboots, the IPsec VPN may not come back up (the headquarters side uses a policy template and can only respond, so the branch has to initiate).
NQA's job is to generate interesting traffic, which triggers negotiation of the IKE SA and IPsec SA.
#
nqa entry 1 1 (NQA configuration: the probe is sourced from the LAN address 192.168.1.1 toward 192.188.188.1, so it matches ACL 3000 and keeps triggering the tunnel)
type icmp-echo
destination ip 192.188.188.1
frequency 5000
history-record enable
history-record number 10
probe count 10
probe timeout 500
source ip 192.168.1.1
#
nqa schedule 1 1 start-time now lifetime forever
#
acl advanced 3000 (interesting traffic)
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.188.188.0 0.0.0.255
#
acl advanced 3001 (NAT policy: traffic from 192.168.1.0 to 192.188.188.0 must be denied here so that it is not sent straight out through NAT but goes through the IPsec VPN tunnel instead)
rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.188.188.0 0.0.0.255
rule 5 permit ip
#
ipsec sa global-duration time-based 180 (configure the global IPsec SA lifetime)
#
ike keepalive interval 20 (configure the IKE SA keepalive send interval)
ike keepalive timeout 30 (configure how long the ISAKMP SA waits for the peer's keepalive before timing out)
ike identity fqdn H3CGS
#
ike proposal 1 (IKE proposal: encryption and authentication algorithms; not mandatory)
encryption-algorithm aes-cbc-128
authentication-algorithm md5
#
ike keychain 1 (IKE keychain)
pre-shared-key address 9.9.9.9 255.255.255.0 key cipher $c$3$ofo9ztWA208y7sesKxidvKztjvtmug==
#
ike profile 1
keychain 1
exchange-mode aggressive (aggressive mode: it negotiates faster than main mode, since main mode exchanges 6 messages and aggressive mode only 3. It is needed here because the dial-up side has a dynamic address and identifies itself by FQDN; note that aggressive mode sends the identities unencrypted and, with a pre-shared key, offers weaker protection than main mode)
local-identity fqdn H3CGS
match remote identity address 9.9.9.9 255.255.255.0
proposal 1
#
ipsec transform-set 1 (IPsec transform set)
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm md5
#
ipsec policy 1 1 isakmp (IPsec policy)
transform-set 1
security acl 3000
remote-address 9.9.9.9
ike-profile 1
#
interface Dialer1 (dial-up WAN interface configuration)
ppp chap password cipher $c$3$NulkvnhmythH+FCXLw2Quven+ymN+7y+2Xa5
ppp chap user 088888
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 088888 password cipher $c$3$b6mzPUuarKHeb6zxkrRU+qmGgqwCJSKDq6Ss
dialer bundle enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 60
ip address ppp-negotiate
tcp mss 1310
nat outbound 3001
ipsec apply policy 1 (bind the IPsec policy to the interface)
#
interface GigabitEthernet0/0 (physical interface that Dialer 1 is bound to)
port link-mode route
pppoe-client dial-bundle-number 1
#
ip route-static 0.0.0.0 0 Dialer1
ip route-static 192.188.188.0 24 Dialer1 (mandatory: static route for the IPsec traffic)
#
ntp-service unicast-server 129.7.1.66
Headquarters (static address side) configuration
acl advanced 3000 (interesting traffic configuration)
rule 0 permit ip source 192.188.188.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
acl advanced 3001 (egress NAT configuration: exempts the IPsec VPN traffic from NAT so that it takes the IPsec tunnel)
rule 0 deny ip source 192.188.188.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 5 permit ip
#
ipsec sa global-duration time-based 180 (global IPsec SA lifetime, time-based, 180 s)
#
ike keepalive interval 20
ike keepalive timeout 30
ike identity fqdn H3CGC
#
ike proposal 1
encryption-algorithm aes-cbc-128
authentication-algorithm md5
#
ike keychain 1
pre-shared-key hostname H3CGS key cipher $c$3$Qu2ylSoKV/IuHdLVdoSTpl30WG6izA=
#
ike profile 1
keychain 1
exchange-mode aggressive
local-identity address 9.9.9.9
match remote identity fqdn H3CGS
proposal 1
#
ipsec transform-set 1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm md5
#
ipsec policy-template 1 1
transform-set 1
security acl 3000
ike-profile 1
#
ipsec policy 1 1 isakmp template 1
#
interface Ethernet0/0
port link-mode route
ip address 9.9.9.9 255.255.255.0
nat outbound 3001
ipsec apply policy 1
#
ip route-static 192.168.1.0 24 9.9.9.1
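The two configurations above only work together because several things line up across the sites: the interesting-traffic ACLs are mirror images, each NAT ACL exempts the VPN traffic before its permit-any rule, the IKE identities match crosswise (branch FQDN H3CGS against HQ's match rule, HQ address 9.9.9.9 against the branch's match rule), and each side has a static route to the remote subnet. The following Python script is an added example, not H3C code and not part of the original post: it embeds trimmed copies of the branch and HQ excerpts above, evaluates ACL rules first-match in rule-number order, and models the WAN interface as applying `nat outbound` before the IPsec policy (that ordering is the reason the deny rule in ACL 3001 exists). The branch public address 198.51.100.7 and the packet addresses used are constructed placeholders.

```python
"""Consistency checks for the HQ/branch IPsec-over-PPPoE configuration above.
Added example, not H3C code and not part of the original post: it parses trimmed
copies of the two configs, evaluates ACLs first-match as the device does, and
checks the cross-side relationships the tutorial relies on."""
import ipaddress
import re

# Trimmed copies of the two configurations shown above (only what the checks need).
BRANCH_CFG = """\
acl advanced 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.188.188.0 0.0.0.255
acl advanced 3001
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.188.188.0 0.0.0.255
 rule 5 permit ip
ike profile 1
 local-identity fqdn H3CGS
 match remote identity address 9.9.9.9 255.255.255.0
ip route-static 192.188.188.0 24 Dialer1
"""
HQ_CFG = """\
acl advanced 3000
 rule 0 permit ip source 192.188.188.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl advanced 3001
 rule 0 deny ip source 192.188.188.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 5 permit ip
ike profile 1
 local-identity address 9.9.9.9
 match remote identity fqdn H3CGS
ip route-static 192.168.1.0 24 9.9.9.1
"""
RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip"
                     r"(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?$")
ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(addr, mask):
    """Comware 'addr wildcard' (or 'addr netmask') -> ip_network; absent = any."""
    if addr is None:
        return ANY
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Extract ACL rules, IKE identities and static routes from a config excerpt."""
    cfg = {"acls": {}, "ike": {}, "routes": {}}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                 # unindented line opens a section
            section = line
            if section.startswith("acl advanced "):
                cfg["acls"][int(section.split()[2])] = []
            elif section.startswith("ip route-static "):
                _, _, net, plen, nexthop = section.split()
                cfg["routes"][ipaddress.ip_network(f"{net}/{plen}")] = nexthop
        elif section.startswith("acl advanced "):
            m = RULE_RE.match(line)
            cfg["acls"][int(section.split()[2])].append(
                (int(m[1]), m[2], _net(m[3], m[4]), _net(m[5], m[6])))
        elif section.startswith("ike profile") and line.startswith("local-identity "):
            cfg["ike"]["local"] = tuple(line.split()[1:])
        elif section.startswith("ike profile") and line.startswith("match remote "):
            cfg["ike"]["remote"] = tuple(line.split()[3:])
    return cfg

def acl_match(rules, src, dst):
    """First-match evaluation in rule-number order; None when no rule matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, action, s_net, d_net in sorted(rules, key=lambda r: r[0]):
        if src in s_net and dst in d_net:
            return action
    return None

def classify(cfg, src, dst, public_ip, nat_acl=3001, ipsec_acl=3000):
    """How an outbound packet leaves the WAN interface: 'ipsec', 'nat' or 'plain'.
    Assumed model: 'nat outbound' runs before the IPsec policy, so a flow the NAT
    ACL permits is already source-translated when the interesting-traffic ACL
    sees it and never enters the tunnel (the deny rule exists to prevent that)."""
    nat = acl_match(cfg["acls"][nat_acl], src, dst)
    if nat == "permit":
        src = public_ip                             # source rewritten by NAT
    if acl_match(cfg["acls"][ipsec_acl], src, dst) == "permit":
        return "ipsec"
    return "nat" if nat == "permit" else "plain"

def check_pair(branch, hq, public_ip="198.51.100.7"):
    """Problems found (empty = consistent); public_ip is a constructed stand-in."""
    problems = []
    b_src, b_dst = next((s, d) for _, a, s, d in branch["acls"][3000] if a == "permit")
    h_src, h_dst = next((s, d) for _, a, s, d in hq["acls"][3000] if a == "permit")
    if (b_src, b_dst) != (h_dst, h_src):
        problems.append("interesting-traffic ACLs are not mirror images")
    for name, cfg, s, d in (("branch", branch, b_src, b_dst), ("hq", hq, h_src, h_dst)):
        if classify(cfg, str(s[1]), str(d[1]), public_ip) != "ipsec":
            problems.append(f"{name}: NAT ACL does not exempt VPN traffic before permit-any")
    if branch["ike"]["local"] != hq["ike"]["remote"]:
        problems.append("branch FQDN identity differs from what HQ matches")
    h_local, b_remote = hq["ike"]["local"], branch["ike"]["remote"]
    if (h_local[0] != "address" or b_remote[0] != "address"
            or ipaddress.ip_address(h_local[1]) not in _net(*b_remote[1:])):
        problems.append("HQ address identity is outside what the branch matches")
    if h_src not in branch["routes"] or b_src not in hq["routes"]:
        problems.append("missing static route to the remote subnet")
    return problems

if __name__ == "__main__":
    print(check_pair(parse_config(BRANCH_CFG), parse_config(HQ_CFG)) or "OK")
```

Run as is, the script prints OK for the configurations above. Renumbering the deny rule in ACL 3001 so that permit-any comes first makes classify() report the branch-to-HQ flow as plain NAT, which is exactly the failure the deny rule prevents; deleting either static route is flagged as well.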
Article link: https://hqyman.cn/post/8521.html (articles not original to this site may be reposted freely; original articles must keep this site's address)