|
此方案能够解决分支机构的IP地址是通过ISP动态获取,而且Secpath网关互相备份,同时在GRE封装上实现ipsec加密等多个需求。 1. 组网需求 分支机构的用户访问公司总部过程如下: 分支机构的用户上网方式没有限制,拨号或者固定IP上网。 分支机构的网关设备接口地址是动态获取的 公司总部有两台SecPath,两台SecPath互相备份 公司总部与分支机构之间的数据连接要求IPSEC加密 3680模拟Internet,为分支结构动态分配IP地址 2. 组网图  3. 配置步骤 (1) 2630的配置 # sysname Quidway # ike local-name client # //由于2630要与SecPath1与SecPath2都建立GRE连接,所以需要建立两个ike协商 ike peer 1 //ike对等体的名字为1 exchange-mode aggressive pre-shared-key 1 //配置身份验证字为1 id-type name //使用name方式作为ike协商的ID类型 remote-name 1 //指定对端的name,也就是SecPath1的name remote-address 2.1.1.2 //指定对端的IP地址 nat traversal # ike peer 2 //第二个ike exchange-mode aggressive pre-shared-key 1 id-type name remote-name 2 remote-address 3.1.1.2 nat traversal # ipsec proposal 1 //配置一个安全提议,使用默认的安全提议参数 # ipsec policy 1 1 isakmp //使用IKE创建第一个安全策略,第一个1是安全策略组的名字, 第二个1是安全策略的序列号 security acl 3000 //引用访问控制列表3000 ike-peer 1 //引用ike对等体1,注意1是ike对等体的名字,而不是编号 proposal 1 //引用安全提议1 # ipsec policy 1 2 isakmp//使用IKE创建第二个安全策略,安全策略组的名字为1 security acl 3001 ike-peer 2 proposal 1 # controller T1 2/0 # controller T1 2/1 # interface Virtual-Template1 //l2tp配置使用虚拟模板用于配置动态创建的虚接口的参数 ip address 172.31.4.1 255.255.255.0 # interface Aux0 async mode flow link-protocol ppp # interface Dialer1 //创建一个共享式拨号接口1 link-protocol ppp //拨号接口封装的链路层协议为PPP mtu 1450 ip address ppp-negotiate //拨号接口的地址采用PPP协商方式得到 dialer user test //配置呼叫对端的用户 dialer bundle 1 //创建拨号接口池1 ipsec policy 1 # interface Ethernet0/0 pppoe-client dial-bundle-number 1 //pppoe client配置在以太网接口上配置, 也可以在virtual-ethernet上配置,此配置是配置pppoe会话,一个拨号接口对应创建一个pppoe会话 # interface Tunnel0 ip address 6.1.1.3 255.255.255.0 source 192.168.0.4 destination 192.168.0.1 ospf cost 100 # interface Tunnel1 ip address 7.1.1.3 255.255.255.0 source 192.168.0.4 destination 192.168.0.2 ospf cost 99 # interface NULL0 # interface LoopBack0 //这里配置loopback解决的目的是为了给tunnel接口配置源ip地址 ip address 192.168.0.4 255.255.255.255 # acl number 3000 rule 0 permit ip source 192.168.0.4 0 destination 192.168.0.1 0 acl number 3001 rule 0 permit ip source 192.168.0.4 0 destination 192.168.0.2 0 # ospf 1 area 0.0.0.0 network 6.1.1.0 0.0.0.255 network 7.1.1.0 0.0.0.255 network 172.31.4.0 0.0.0.255 # ip route-static 0.0.0.0 0.0.0.0 Dialer 1 preference 60 # user-interface con 0 user-interface aux 0 user-interface vty 0 4 # return (2)3640的配置 # sysname Quidway # ike local-name client # ike peer 1 exchange-mode aggressive pre-shared-key 1 id-type name remote-name 1 remote-address 2.1.1.2 nat traversal # ike peer 2 exchange-mode aggressive pre-shared-key 1 id-type name remote-name 2 remote-address 3.1.1.2 nat traversal # ipsec proposal 1 # ipsec policy 1 1 isakmp security acl 3000 ike-peer 1 proposal 1 # ipsec policy 1 2 isakmp security acl 3001 ike-peer 2 proposal 1 # interface Virtual-Template1 ip address 172.31.3.1 255.255.255.0 # interface Aux0 async mode flow link-protocol ppp # interface Dialer1 link-protocol ppp ppp pap local-user 1 password simple 1 mtu 1450 ip address ppp-negotiate dialer user test dialer bundle 1 ipsec policy 1 # interface Ethernet2/0 pppoe-client dial-bundle-number 1 # interface Ethernet2/1 # interface Ethernet3/0 # interface Serial0/0 link-protocol ppp # interface Serial0/1 clock DTECLK1 link-protocol ppp # interface GigabitEthernet1/0 # interface Tunnel0 ip address 4.1.1.3 255.255.255.0 source 192.168.0.3 destination 192.168.0.1 ospf cost 100 # interface Tunnel1 ip address 5.1.1.3 255.255.255.0 source 192.168.0.3 destination 192.168.0.2 ospf cost 99 # interface Tunnel9 # interface NULL0 # interface LoopBack0 ip address 192.168.0.3 255.255.255.255 # acl number 3000 rule 0 permit ip source 192.168.0.3 0 destination 192.168.0.1 0 acl number 3001 rule 0 permit ip source 192.168.0.3 0 destination 192.168.0.2 0 # ospf 1 area 0.0.0.0 network 4.1.1.0 0.0.0.255 network 5.1.1.0 0.0.0.255 network 172.31.3.0 0.0.0.255 # ip route-static 0.0.0.0 0.0.0.0 Dialer 1 preference 60 # user-interface con 0 user-interface aux 0 user-interface vty 0 4 # return |
|
|
