公司内部的网络并不是很复杂,典型的星型结构。总部与多个分支建立了VPN,同时还需要跑一些组播以及OSPF的东西,所以采用了比较经典的 GRE OVER IPSEC 的配置。之前的H3C设备上配置没有发现什么问题,但最近基于设备性能的考虑准备换用华为的AR系列产品。相对而言华为的设备较H3C价格稍贵,但性能上要强不少。此次使用的设备主要是华为AR2220以及AR151。
华为设备在配置IPsec VPN的时候如果采用传统的方式配置,则每个2220路由器只能和16个分支建立VPN连接,超过16个便无法配置成功。对于这个问题华为提出了在核心网一侧的路由器上采用策略模板的方式来建立多个IPsec VPN,这种方式在核心网一侧不需要配置ACL,在分支一侧需要指定ACL。另外如果华为跟其他厂商的设备配置IPSEC VPN,则应该选择配置v1版本的ike peer。需要注意的是,下面配置中的预共享密钥 simple 123 以及未显式指定算法的 ipsec proposal 1 都只是示例,实际部署时应改为足够复杂的密钥并明确指定所用的认证/加密算法。以下是我核心网采用2220、分支采用151的配置。
网络结构比较简单
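[V200R002C01SPC200]
#
sysname SZ_CR_1
#
snmp-agent local-engineid 800007DB03E0247F20C08B
snmp-agent
#
drop illegal-mac alarm
#
acl number 3000
#
ipsec proposal 1
#
ike peer br v1
pre-shared-key simple 123
local-address 202.96.1.1
#
ipsec policy-template br 1
ike-peer br
proposal 1
#
ipsec policy cr 1 isakmp template br
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%${*|FV4WA)E/|SkH9I0I7gulc%$%$
local-user admin privilege level 3
local-user admin service-type telnet ssh
#
interface GigabitEthernet0/0/0
description connect to sz_cs_1/0/0/48
ip address 20.0.29.1 255.255.255.252
#
interface GigabitEthernet0/0/1
description connect to internet
ip address 202.96.1.1 255.255.255.252
ipsec policy cr
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface Tunnel0/0/0
description connect to sz_brr_1
ip address 20.0.1.1 255.255.255.248
tunnel-protocol gre
source 202.96.1.1
destination 202.96.1.9
#
ip route-static 20.0.0.0 255.255.255.248 Tunnel0/0/0
ip route-static 202.96.0.0 255.255.0.0 202.96.1.2
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$}vVu=u!Vr.+&il)6m3#',"vm+Mx[TaM\W!+abu=@)VPR#(|w%$%$
user-interface vty 0 4
authentication-mode aaa
user-interface vty 16 20
#
voice
#
diagnose
#
return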
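[V200R002C01SPC200]
#
sysname sz_br_1
#
snmp-agent local-engineid 800007DB03CCCC8174F532
snmp-agent
#
drop illegal-mac alarm
#
acl number 3000
rule 0 permit ip source 202.96.1.9 0.0.0.0 destination 202.96.1.1 0.0.0.0
#
ipsec proposal 1
#
ike peer cr v1
pre-shared-key simple 123
local-address 202.96.1.9
remote-address 202.96.1.1
#
ipsec policy br 1 isakmp
security acl 3000
ike-peer cr
proposal 1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$Z'#iOA:^$!]-{U(C97{XhH~6%$%$
local-user admin privilege level 3
local-user admin service-type telnet ssh
#
interface Vlanif1
ip address 20.0.0.1 255.255.255.248
#
interface Ethernet0/0/0
port link-type access
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
description connect to internet
ip address 202.96.1.9 255.255.255.252
ipsec policy br
#
interface NULL0
#
interface Tunnel0/0/0
description connect to sz_cr_1
ip address 20.0.1.2 255.255.255.248
tunnel-protocol gre
source 202.96.1.9
destination 202.96.1.1
#
ip route-static 20.0.0.0 255.255.0.0 Tunnel0/0/0
ip route-static 202.96.0.0 255.255.0.0 202.96.1.10
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$n~z&;^8SvD+%tH'4{pn0,md[".Y^'ppeO$Ut&ZSQb*73*sje%$%$
user-interface vty 0
authentication-mode aaa
user privilege level 15
user-interface vty 1 4
authentication-mode aaa
user-interface vty 16 20
#
voice
#
diagnose
#
return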