H3C GRE over IPSec configuration (Comware V7)

1. Topology

[topology diagram: image not reproduced]

2. Configuration

ISP (S5800)

#
interface GigabitEthernet1/0/1
 port link-mode route    <-- switches the port to routed mode so an IP address can be configured on it directly
 ip address 25.0.0.5 255.255.255.0
#
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 35.0.0.5 255.255.255.0
#

 

R1

#
interface LoopBack0
 ip address 10.1.1.1 255.255.255.255
#
interface GigabitEthernet0/1
 port link-mode route
 ip address 192.168.12.1 255.255.255.0
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 0.0.0.0 255.255.255.255
#

 

R2

#
interface LoopBack0
 ip address 10.2.2.2 255.255.255.255
#
interface GigabitEthernet0/0
 port link-mode route
 ip address 25.0.0.2 255.255.255.0
 nat outbound 3001
 ipsec apply policy r3
#
interface GigabitEthernet0/1
 port link-mode route
 ip address 192.168.12.2 255.255.255.0
#
interface Tunnel0 mode gre
 ip address 172.16.0.2 255.255.255.0
 source 25.0.0.2
 destination 35.0.0.3
#
acl number 3000
 rule 0 permit gre source 25.0.0.2 0 destination 35.0.0.3 0
#
acl number 3001
 rule 5 permit ip
#
ospf 1 router-id 2.2.2.2
 default-route-advertise always
 area 0.0.0.0
  network 10.2.2.2 0.0.0.0
  network 172.16.0.0 0.0.0.255
  network 192.168.12.0 0.0.0.255
#
 ip route-static 0.0.0.0 0 25.0.0.5
#
ipsec transform-set t1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec policy r3 1 isakmp
 transform-set t1
 security acl 3000
 remote-address 35.0.0.3
#
ike keychain k1
 pre-shared-key address 35.0.0.3 255.255.255.0 key simple 123456
#

 

R3

#
ospf 1 router-id 3.3.3.3
 default-route-advertise always
 area 0.0.0.0
  network 10.3.3.3 0.0.0.0
  network 172.16.0.0 0.0.0.255
  network 192.168.34.0 0.0.0.255
#
interface LoopBack0
 ip address 10.3.3.3 255.255.255.255
#
interface GigabitEthernet0/0
 port link-mode route
 ip address 35.0.0.3 255.255.255.0
 nat outbound 3001
 ipsec apply policy r2
#
interface GigabitEthernet0/1
 port link-mode route
 ip address 192.168.34.3 255.255.255.0
#
interface Tunnel0 mode gre
 ip address 172.16.0.3 255.255.255.0
 source 35.0.0.3
 destination 25.0.0.2
#
 ip route-static 0.0.0.0 0 35.0.0.5
#
acl number 3000
 rule 0 permit gre source 35.0.0.3 0 destination 25.0.0.2 0
#
acl number 3001
 rule 5 permit ip
#
ipsec transform-set t1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec policy r2 1 isakmp
 transform-set t1
 security acl 3000
 remote-address 25.0.0.2
#
ike keychain k1
 pre-shared-key address 25.0.0.2 255.255.255.0 key simple 123456
#

 

R4

#
ospf 1 router-id 4.4.4.4
 area 0.0.0.0
  network 0.0.0.0 255.255.255.255
#
interface LoopBack0
 ip address 10.4.4.4 255.255.255.255
#
interface GigabitEthernet0/1
 port link-mode route
 ip address 192.168.34.4 255.255.255.0
#
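As an added check, not part of the original post: a small Python script that verifies the pieces of one side's GRE over IPsec configuration agree with each other (tunnel source/destination, the GRE flow selected by ACL 3000, the policy remote-address and the keychain peer address) and flags the weak des-cbc transform and the plaintext "key simple" pre-shared key used in this lab. The sample config is R2's from this post, trimmed; the function and finding names are my own.

```python
import re

# Constructed sample: the relevant part of R2's config from this post.
R2_CONFIG = """\
interface Tunnel0 mode gre
 ip address 172.16.0.2 255.255.255.0
 source 25.0.0.2
 destination 35.0.0.3
acl number 3000
 rule 0 permit gre source 25.0.0.2 0 destination 35.0.0.3 0
ipsec transform-set t1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
ipsec policy r3 1 isakmp
 transform-set t1
 security acl 3000
 remote-address 35.0.0.3
ike keychain k1
 pre-shared-key address 35.0.0.3 255.255.255.0 key simple 123456
"""

# Algorithms a reviewer should reject in a new IPsec transform set.
WEAK_ALGOS = {"des-cbc", "3des-cbc", "md5", "null"}

def first(pattern, cfg):
    """Return the first capture group of pattern in cfg (multi-line), or None."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def check_gre_over_ipsec(cfg):
    """Return a list of findings for one side's GRE over IPsec config."""
    findings = []
    src = first(r"^ source (\S+)", cfg)
    dst = first(r"^ destination (\S+)", cfg)
    # The ACL must select exactly the GRE flow between the tunnel endpoints.
    acl = re.search(r"^ rule \d+ permit gre source (\S+) \S+ destination (\S+)", cfg, re.M)
    if acl is None:
        findings.append("no ACL rule selecting GRE traffic for IPsec")
    elif (acl.group(1), acl.group(2)) != (src, dst):
        findings.append("ACL GRE endpoints do not match tunnel source/destination")
    if first(r"^ remote-address (\S+)", cfg) != dst:
        findings.append("ipsec policy remote-address differs from tunnel destination")
    if first(r"^ pre-shared-key address (\S+)", cfg) != dst:
        findings.append("ike keychain pre-shared-key address differs from tunnel destination")
    for algo in re.findall(r"^ esp \S+-algorithm (\S+)", cfg, re.M):
        if algo in WEAK_ALGOS:
            findings.append(f"weak ESP algorithm in transform-set: {algo}")
    if re.search(r"\bkey simple\b", cfg):
        findings.append("pre-shared key stored in plaintext (key simple)")
    return findings
```

Run the same function over R3's config (swap the addresses) to confirm both ends agree before bringing the tunnel up.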

 

 

3. Verification

1) Verify the path taken by the data

<R1>ping -r 10.4.4.4
Ping 10.4.4.4 (10.4.4.4): 56 data bytes, press CTRL_C to break
56 bytes from 10.4.4.4: icmp_seq=0 ttl=253 time=1.252 ms
RR:     172.16.0.2
        192.168.34.3
        192.168.34.4
        172.16.0.3
        192.168.12.2
        192.168.12.1
56 bytes from 10.4.4.4: icmp_seq=1 ttl=253 time=1.168 ms        (same route)
56 bytes from 10.4.4.4: icmp_seq=2 ttl=253 time=1.144 ms        (same route)
56 bytes from 10.4.4.4: icmp_seq=3 ttl=253 time=1.115 ms        (same route)
56 bytes from 10.4.4.4: icmp_seq=4 ttl=253 time=1.139 ms        (same route)

--- Ping statistics for 10.4.4.4 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.115/1.164/1.252/0.047 ms

 

<R1>ping -r 35.0.0.3
Ping 35.0.0.3 (35.0.0.3): 56 data bytes, press CTRL_C to break
56 bytes from 35.0.0.3: icmp_seq=0 ttl=253 time=2.001 ms
RR:     25.0.0.2
        35.0.0.5
        35.0.0.3
        25.0.0.5
        192.168.12.2
        192.168.12.1
56 bytes from 35.0.0.3: icmp_seq=1 ttl=253 time=3.449 ms        (same route)
56 bytes from 35.0.0.3: icmp_seq=2 ttl=253 time=1.829 ms        (same route)
56 bytes from 35.0.0.3: icmp_seq=3 ttl=253 time=1.955 ms        (same route)
56 bytes from 35.0.0.3: icmp_seq=4 ttl=253 time=13.771 ms       (same route)

--- Ping statistics for 35.0.0.3 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.829/4.601/13.771/4.623 ms

<R4>ping -a 10.4.4.4 -r 10.1.1.1
Ping 10.1.1.1 (10.1.1.1) from 10.4.4.4: 56 data bytes, press CTRL_C to break
56 bytes from 10.1.1.1: icmp_seq=0 ttl=253 time=1.207 ms
RR:     172.16.0.3
        192.168.12.2
        192.168.12.1
        172.16.0.2
        192.168.34.3
        192.168.34.4
56 bytes from 10.1.1.1: icmp_seq=1 ttl=253 time=1.084 ms        (same route)
56 bytes from 10.1.1.1: icmp_seq=2 ttl=253 time=1.158 ms        (same route)
56 bytes from 10.1.1.1: icmp_seq=3 ttl=253 time=1.106 ms        (same route)
56 bytes from 10.1.1.1: icmp_seq=4 ttl=253 time=1.151 ms        (same route)

--- Ping statistics for 10.1.1.1 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.084/1.141/1.207/0.043 ms

 

<R4>ping -a 10.4.4.4 -r 25.0.0.2
Ping 25.0.0.2 (25.0.0.2) from 10.4.4.4: 56 data bytes, press CTRL_C to break
56 bytes from 25.0.0.2: icmp_seq=0 ttl=253 time=2.081 ms
RR:     35.0.0.3
        25.0.0.5
        25.0.0.2
        35.0.0.5
        192.168.34.3
        192.168.34.4
56 bytes from 25.0.0.2: icmp_seq=1 ttl=253 time=1.841 ms        (same route)
56 bytes from 25.0.0.2: icmp_seq=2 ttl=253 time=6.496 ms        (same route)
56 bytes from 25.0.0.2: icmp_seq=3 ttl=253 time=1.907 ms        (same route)
56 bytes from 25.0.0.2: icmp_seq=4 ttl=253 time=2.418 ms        (same route)

--- Ping statistics for 25.0.0.2 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.841/2.949/6.496/1.785 ms
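The record-route output above is what tells you whether a flow actually rode inside the GRE tunnel (hops in 172.16.0.0/24) or went over the bare underlay. As an added helper, not part of the original post, here is a Python parser for that "ping -r" output that extracts the RR hop list and classifies the path; the samples are constructed from the two R1 pings shown above and the tunnel subnet is the one configured in this lab.

```python
import ipaddress
import re

# Constructed samples modelled on the "ping -r" output above (trimmed).
PING_VIA_TUNNEL = """\
56 bytes from 10.4.4.4: icmp_seq=0 ttl=253 time=1.252 ms
RR:     172.16.0.2
        192.168.34.3
        192.168.34.4
        172.16.0.3
        192.168.12.2
        192.168.12.1
56 bytes from 10.4.4.4: icmp_seq=1 ttl=253 time=1.168 ms        (same route)
"""
PING_VIA_UNDERLAY = """\
56 bytes from 35.0.0.3: icmp_seq=0 ttl=253 time=2.001 ms
RR:     25.0.0.2
        35.0.0.5
        35.0.0.3
        25.0.0.5
        192.168.12.2
        192.168.12.1
"""

TUNNEL_NET = ipaddress.ip_network("172.16.0.0/24")  # Tunnel0 subnet in this lab

def recorded_route(output):
    """Extract the record-route hop list that follows the 'RR:' marker."""
    hops = []
    in_rr = False
    for line in output.splitlines():
        if line.startswith("RR:"):
            in_rr = True
            line = line[3:]
        elif in_rr and not line.startswith(" "):
            break  # first non-indented line ends the RR block
        if in_rr:
            m = re.search(r"\d+\.\d+\.\d+\.\d+", line)
            if m:
                hops.append(m.group(0))
    return hops

def transits_tunnel(output):
    """True if any recorded hop lies in the GRE tunnel subnet, i.e. the packet
    travelled inside GRE (and therefore inside ESP) rather than over the underlay."""
    return any(ipaddress.ip_address(h) in TUNNEL_NET for h in recorded_route(output))
```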

 

2) View the IKE SA and IPsec SA on R2

[R2]dis ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    1               35.0.0.3              RD           IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING

[R2]dis ipsec sa
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------

  -----------------------------
  IPsec policy: r3
  Sequence number: 1
  Mode: isakmp
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy:
    Path MTU: 1443
    Tunnel:
        local address: 25.0.0.2
        remote address: 35.0.0.3
    Flow:
    sour addr: 25.0.0.2/255.255.255.255  port: 0  protocol: gre
    dest addr: 35.0.0.3/255.255.255.255  port: 0  protocol: gre

    [Inbound ESP SAs]
      SPI: 4271560800 (0xfe9ad860)
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3586
      Max received sequence-number: 1
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: active

    [Outbound ESP SAs]
      SPI: 1089462129 (0x40efdf71)
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3586
      Max sent sequence-number: 1
      UDP encapsulation used for NAT traversal: N
      Status: active

 

Even if a new network is added later, the peer still learns it through OSPF over the tunnel:

[R1]int loopback 1
      ip add 10.10.10.1 32

[R4]dis ospf ro

The newly added network 10.10.10.1/32 appears in the output.

Reposted from: https://blog.51cto.com/xusongming/1726745

Published by 风君子
