IPSEC over GRE with BGP

【Lab topology and software】

The switches in this lab run on the H3C simulator. Anyone interested can download it from the H3C forum: http://forum.h3c.com/forum.php?mod=viewthread&tid=109740&highlight=H3C%E6%A8%A1%E6%8B%9F%E5%99%A8

【Requirements】

R2 and R4 establish an EBGP peering; the neighbor addresses on both sides are the Tunnel interface addresses, and every packet that passes through the Tunnel interface must be IPsec-encrypted!

 

 

 

【Configuration】

R2

vlan 1024
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
ike peer r4
 pre-shared-key simple 1234567
 remote-address 192.168.24.4
#
ipsec proposal 1
#
ipsec policy jc 10 isakmp
 security acl 3000
 ike-peer r4
 proposal 1
#
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.11.0 0.0.0.255
 rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 172.16.11.0 0.0.0.255
#
interface LoopBack0
 ip address 192.168.1.1 255.255.255.255
#
interface Vlan-interface1024
 ip address 192.168.28.2 255.255.255.0
#
interface Tunnel0
 ip address 192.168.24.2 255.255.255.0
 source 192.168.28.2
 destination 192.168.48.4
 ipsec policy jc
#
bgp 65001
 network 192.168.1.1 255.255.255.255
 undo synchronization
 peer 192.168.24.4 as-number 65002
#
 ip route-static 0.0.0.0 0.0.0.0 192.168.28.8

 

 

 

 

SW4

#
interface Vlan-interface1024
 ip address 192.168.28.8 255.255.255.0
#
interface Vlan-interface1044
 ip address 192.168.48.8 255.255.255.0
#
interface Ethernet0/4/0
 port link-mode bridge
#
interface Ethernet0/4/1
 port link-mode bridge
#
interface Ethernet0/4/2
 port link-mode bridge
 port access vlan 1024
#
interface Ethernet0/4/3
 port link-mode bridge
#
interface Ethernet0/4/4
 port link-mode bridge
 port access vlan 1044

 

 

R4

#
vlan 1044
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
ike peer r2
 pre-shared-key simple 1234567
 remote-address 192.168.24.2
#
ipsec proposal 1
#
ipsec policy jc 10 isakmp
 security acl 3000
 ike-peer r2
 proposal 1
#
acl number 3000
 rule 0 permit ip source 192.168.11.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 5 permit ip source 172.16.11.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
#
interface Serial0/6/0
 link-protocol ppp
#
interface Serial0/6/1
 link-protocol ppp
#
interface Serial0/6/2
 link-protocol ppp
#
interface Serial0/6/3
 link-protocol ppp
#
interface NULL0
#
interface LoopBack0
 ip address 192.168.11.1 255.255.255.255
#
interface Vlan-interface1044
 ip address 192.168.48.4 255.255.255.0
#
interface Ethernet0/4/0
 port link-mode bridge
#
interface Ethernet0/4/1
 port link-mode bridge
 port access vlan 1044
#
interface Tunnel0
 ip address 192.168.24.4 255.255.255.0
 source 192.168.48.4
 destination 192.168.28.2
 ipsec policy jc
#
bgp 65002
 network 192.168.11.1 255.255.255.255
 undo synchronization
 peer 192.168.24.2 as-number 65001
#
 ip route-static 0.0.0.0 0.0.0.0 192.168.48.8
#
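One point worth checking before calling this design done: the requirement says everything crossing the tunnel must be IPsec-encrypted, but the policy only encrypts what ACL 3000 permits, and the BGP session between the tunnel addresses 192.168.24.2 and 192.168.24.4 is not in that ACL. The Python below is an added example, not part of the original post and not an H3C tool; it parses the two configurations (`R2_CFG` and `R4_CFG` are transcribed excerpts of the page's configs, trimmed to the lines the audit needs) and reports whether the BGP peering is covered by the IPsec ACL, whether the two ACLs mirror each other, and whether the pre-shared key is stored with the clear-text `simple` keyword.

```python
import ipaddress
import re

# Excerpts of the page's R2 and R4 configurations, transcribed here for the audit.
R2_CFG = """\
ike peer r4
 pre-shared-key simple 1234567
#
ipsec policy jc 10 isakmp
 security acl 3000
#
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.11.0 0.0.0.255
 rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 172.16.11.0 0.0.0.255
#
interface Tunnel0
 ip address 192.168.24.2 255.255.255.0
 ipsec policy jc
#
bgp 65001
 peer 192.168.24.4 as-number 65002
"""
R4_CFG = """\
ike peer r2
 pre-shared-key simple 1234567
#
ipsec policy jc 10 isakmp
 security acl 3000
#
acl number 3000
 rule 0 permit ip source 192.168.11.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 5 permit ip source 172.16.11.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
#
interface Tunnel0
 ip address 192.168.24.4 255.255.255.0
 ipsec policy jc
#
bgp 65002
 peer 192.168.24.2 as-number 65001
"""
RULE_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def wildcard_network(addr, wildcard):
    """Comware ACL rules use wildcard masks (0.0.0.255 means /24)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Extract ACL rules, policy->ACL binding, tunnel address/policy, BGP peers, PSK form."""
    cfg = {"acls": {}, "policy_acl": {}, "tunnel_ip": None,
           "tunnel_policy": None, "bgp_peers": [], "psk_plaintext": False}
    view = ""
    for line in text.splitlines():
        if not line.startswith(" "):            # start of a new configuration view
            view = line.strip()
            continue
        words = line.split()
        if view.startswith("acl number"):
            m = RULE_RE.match(line.strip())
            if m:
                cfg["acls"].setdefault(view.split()[2], []).append(
                    (wildcard_network(m[1], m[2]), wildcard_network(m[3], m[4])))
        elif view.startswith("ipsec policy") and words[:2] == ["security", "acl"]:
            cfg["policy_acl"][view.split()[2]] = words[2]
        elif view.startswith("interface Tunnel") and words[:2] == ["ip", "address"]:
            cfg["tunnel_ip"] = ipaddress.IPv4Address(words[2])
        elif view.startswith("interface Tunnel") and words[:2] == ["ipsec", "policy"]:
            cfg["tunnel_policy"] = words[2]
        elif view.startswith("ike peer") and words[:2] == ["pre-shared-key", "simple"]:
            cfg["psk_plaintext"] = True
        elif view.startswith("bgp") and words[0] == "peer":
            cfg["bgp_peers"].append(ipaddress.IPv4Address(words[1]))
    return cfg

def tunnel_acl(cfg):
    """Rules of the ACL behind the IPsec policy applied to Tunnel0."""
    return cfg["acls"][cfg["policy_acl"][cfg["tunnel_policy"]]]

def flow_is_protected(cfg, src, dst):
    """True when src->dst matches a permit rule, i.e. will be ESP-encrypted."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(src in s and dst in d for s, d in tunnel_acl(cfg))

def audit(local_text, remote_text):
    """Findings for the local router, given its own and its peer's configuration."""
    local, remote = parse_config(local_text), parse_config(remote_text)
    findings = []
    # 1. The BGP session runs between the tunnel addresses; if the ACL does not match it,
    #    the session rides the GRE tunnel unencrypted.
    for peer in local["bgp_peers"]:
        if not flow_is_protected(local, local["tunnel_ip"], peer):
            findings.append(f"BGP session {local['tunnel_ip']} -> {peer} is not matched "
                            "by the IPsec ACL and crosses the GRE tunnel in clear text")
    # 2. Each side's ACL must be the exact mirror of the peer's, or IKE phase 2 fails.
    if set(tunnel_acl(local)) != {(d, s) for s, d in tunnel_acl(remote)}:
        findings.append("IPsec ACL is not the mirror image of the peer's ACL")
    # 3. 'pre-shared-key simple' leaves the key readable in the running configuration.
    if local["psk_plaintext"]:
        findings.append("pre-shared key is stored in clear text (simple form)")
    return findings
```

Running `audit(R2_CFG, R4_CFG)` returns two findings for R2 (the unprotected BGP session and the clear-text key) and no mirroring complaint, which matches the `Flow` negotiated in the `dis ipsec sa` output: only 192.168.1.0/24 to 192.168.11.0/24 was ever set up. To bring the peering under the policy, add a mirrored ACL rule covering the tunnel addresses on both routers and check the `Flow` again.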

 

 

 

【Verification】

 

Check the IKE and IPsec SAs:

<R2>
<R2>dis ike sa
    total phase-1 SAs:  0
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
<R2>dis ipsec sa
<R2>
No SA exists yet, because no packet has matched the ACL so far.

<R2>ping -a 192.168.1.1 192.168.11.1
  PING 192.168.11.1: 56  data bytes, press CTRL_C to break
    Request time out
    Reply from 192.168.11.1: bytes=56 Sequence=2 ttl=255 time=50 ms
    Reply from 192.168.11.1: bytes=56 Sequence=3 ttl=255 time=44 ms
    Reply from 192.168.11.1: bytes=56 Sequence=4 ttl=255 time=45 ms
    Reply from 192.168.11.1: bytes=56 Sequence=5 ttl=255 time=50 ms

  --- 192.168.11.1 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 44/47/50 ms

<R2>dis ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
        6          192.168.24.4    RD|ST         2     IPSEC
        5          192.168.24.4    RD|ST         1     IPSEC

  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
<R2>dis ipsec sa
===============================
Interface: Tunnel0
    path MTU: 1476
===============================

  -----------------------------
  IPsec policy name: "jc"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 4
    encapsulation mode: tunnel
    perfect forward secrecy: None
    tunnel:
        local  address: 192.168.24.2
        remote address: 192.168.24.4
    Flow :
        sour addr: 192.168.1.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 192.168.11.0/255.255.255.0  port: 0  protocol: IP

    [inbound ESP SAs]
      spi: 2478830021 (0x93bff1c5)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436464/3588
      max received sequence-number: 4
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 645607044 (0x267b2e84)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436464/3588
      max sent sequence-number: 5
      udp encapsulation used for nat traversal: N
<R2>

<R4>
<R4>dis ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
        4          192.168.24.2    RD            2     IPSEC
        3          192.168.24.2    RD            1     IPSEC

  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
<R4>
<R4>dis ipsec sa
===============================
Interface: Tunnel0
    path MTU: 1476
===============================

  -----------------------------
  IPsec policy name: "jc"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 4
    encapsulation mode: tunnel
    perfect forward secrecy: None
    tunnel:
        local  address: 192.168.24.4
        remote address: 192.168.24.2
    Flow :
        sour addr: 192.168.11.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 192.168.1.0/255.255.255.0  port: 0  protocol: IP

    [inbound ESP SAs]
      spi: 645607044 (0x267b2e84)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436464/3523
      max received sequence-number: 4
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 2478830021 (0x93bff1c5)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436464/3523
      max sent sequence-number: 5
      udp encapsulation used for nat traversal: N
<R4>
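The two `dis ipsec sa` outputs prove the tunnel is up, but they also record what protects it: the default `ipsec proposal 1` negotiated ESP with DES and HMAC-MD5, and `perfect forward secrecy: None`. The Python below is an added example, not part of the original post and not an H3C tool; it parses the relevant lines of both outputs (`R2_SA` and `R4_SA` are excerpts transcribed from the page), confirms that the inbound SPI on each side equals the outbound SPI on the other, and flags the weak algorithms and the missing PFS.

```python
import re

# Excerpts of the page's "dis ipsec sa" output on R2 and R4, transcribed here.
R2_SA = """\
    perfect forward secrecy: None
    [inbound ESP SAs]
      spi: 2478830021 (0x93bff1c5)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]
      spi: 645607044 (0x267b2e84)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      udp encapsulation used for nat traversal: N
"""
R4_SA = """\
    perfect forward secrecy: None
    [inbound ESP SAs]
      spi: 645607044 (0x267b2e84)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]
      spi: 2478830021 (0x93bff1c5)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      udp encapsulation used for nat traversal: N
"""

# Transform names exactly as Comware prints them; both are unfit for production traffic.
WEAK = {"ESP-ENCRYPT-DES": "56-bit DES", "ESP-AUTH-MD5": "HMAC-MD5"}

def parse_sa(text):
    """Return {'pfs': str, 'inbound': {...}, 'outbound': {...}} from display output."""
    sa = {"pfs": None, "inbound": {}, "outbound": {}}
    direction = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("perfect forward secrecy:"):
            sa["pfs"] = line.split(":", 1)[1].strip()
        elif line in ("[inbound ESP SAs]", "[outbound ESP SAs]"):
            direction = line.split()[0][1:]        # "inbound" or "outbound"
        elif direction and line.startswith("spi:"):
            sa[direction]["spi"] = int(line.split()[1])
        elif direction and line.startswith("proposal:"):
            sa[direction]["proposal"] = line.split(":", 1)[1].split()
        elif direction and line.startswith("udp encapsulation"):
            sa[direction]["nat_t"] = line.rsplit(":", 1)[1].strip() == "Y"
    return sa

def check_pair(local_text, remote_text):
    """Findings for the local router's SAs, cross-checked against the peer's."""
    local, remote = parse_sa(local_text), parse_sa(remote_text)
    findings = []
    # A correctly established pair shares its SPIs crosswise: my inbound is your outbound.
    if (local["inbound"]["spi"] != remote["outbound"]["spi"]
            or local["outbound"]["spi"] != remote["inbound"]["spi"]):
        findings.append("SPI mismatch: the two sides do not hold the same SA pair")
    for direction in ("inbound", "outbound"):
        for alg in local[direction]["proposal"]:
            if alg in WEAK:
                findings.append(f"{direction} SA uses {WEAK[alg]} ({alg}); replace the "
                                "default proposal with AES and SHA-2 transforms")
    # Without PFS the phase 2 keys derive from the phase 1 secret, not a fresh DH exchange.
    if local["pfs"] == "None":
        findings.append("no PFS: phase 2 keys are derived from the phase 1 secret")
    return findings
```

`check_pair(R2_SA, R4_SA)` returns no SPI complaint, since 0x93bff1c5 is R2's inbound and R4's outbound SPI and 0x267b2e84 the reverse, but it does return the four weak-algorithm findings and the PFS finding; feeding the same output in as both sides (`check_pair(R2_SA, R2_SA)`) shows what a mismatch looks like.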
