H3C GRE over IPsec configuration
1. Topology diagram
2. Configuration
(1) ISP --- S5800
#
interface GigabitEthernet1/0/1
port link-mode route -----> switches the port to routed mode so an IP address can be configured on it directly
ip address 25.0.0.5 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 35.0.0.5 255.255.255.0
#
(2) R1
interface LoopBack0
ip address 10.1.1.1 255.255.255.255
#
interface GigabitEthernet0/1
port link-mode route
ip address 192.168.12.1 255.255.255.0
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 0.0.0.0 255.255.255.255
#
(3) R2
#
interface LoopBack0
ip address 10.2.2.2 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
ip address 25.0.0.2 255.255.255.0
nat outbound 3001
ipsec apply policy r3
#
interface GigabitEthernet0/1
port link-mode route
ip address 192.168.12.2 255.255.255.0
#
interface Tunnel0 mode gre
ip address 172.16.0.2 255.255.255.0
source 25.0.0.2
destination 35.0.0.3
#
acl number 3000
rule 0 permit gre source 25.0.0.2 0 destination 35.0.0.3 0
#
acl number 3001
rule 5 permit ip
#
ospf 1 router-id 2.2.2.2
default-route-advertise always
area 0.0.0.0
network 10.2.2.2 0.0.0.0
network 172.16.0.0 0.0.0.255
network 192.168.12.0 0.0.0.255
#
ip route-static 0.0.0.0 0 25.0.0.5
#
ipsec transform-set t1
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec policy r3 1 isakmp
transform-set t1
security acl 3000
remote-address 35.0.0.3
#
ike keychain k1
pre-shared-key address 35.0.0.3 255.255.255.0 key simple 123456
#
(4) R3
#
ospf 1 router-id 3.3.3.3
default-route-advertise always
area 0.0.0.0
network 10.3.3.3 0.0.0.0
network 172.16.0.0 0.0.0.255
network 192.168.34.0 0.0.0.255
#
interface LoopBack0
ip address 10.3.3.3 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
ip address 35.0.0.3 255.255.255.0
nat outbound 3001
ipsec apply policy r2
#
interface GigabitEthernet0/1
port link-mode route
ip address 192.168.34.3 255.255.255.0
#
interface Tunnel0 mode gre
ip address 172.16.0.3 255.255.255.0
source 35.0.0.3
destination 25.0.0.2
#
ip route-static 0.0.0.0 0 35.0.0.5
#
acl number 3000
rule 0 permit gre source 35.0.0.3 0 destination 25.0.0.2 0
#
acl number 3001
rule 5 permit ip
#
ipsec transform-set t1
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec policy r2 1 isakmp
transform-set t1
security acl 3000
remote-address 25.0.0.2
#
ike keychain k1
pre-shared-key address 25.0.0.2 255.255.255.0 key simple 123456
#
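The R2 and R3 fragments above are mirror images of each other, and the GRE-over-IPsec setup only works if that mirroring is exact: each side's tunnel destination, IPsec remote-address and IKE keychain entry must point at the other side's tunnel source, and the IPsec ACL must select exactly the GRE traffic between those two endpoints. The Python script below is an added example (not code from the page or from H3C): it embeds the two fragments as constructed strings, parses just the Comware subset they use, checks those properties in both directions, and additionally flags the des-cbc/sha1 transform set and the plain-text (key simple) pre-shared key as points a reviewer would raise.

```python
"""Consistency and hygiene checks for a GRE-over-IPsec peer pair (H3C Comware CLI).

Added example, not part of the original page. R2_CONFIG is a constructed copy of
the page's R2 fragment (spacing restored); R3_CONFIG is derived from it by swapping
the two endpoint addresses, which is exactly what the page's R3 fragment contains.
"""
import ipaddress
import re
from dataclasses import dataclass, field

R2_CONFIG = """
interface Tunnel0 mode gre
 ip address 172.16.0.2 255.255.255.0
 source 25.0.0.2
 destination 35.0.0.3
acl number 3000
 rule 0 permit gre source 25.0.0.2 0 destination 35.0.0.3 0
ipsec transform-set t1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
ipsec policy r3 1 isakmp
 transform-set t1
 security acl 3000
 remote-address 35.0.0.3
ike keychain k1
 pre-shared-key address 35.0.0.3 255.255.255.0 key simple 123456
"""
# R3 is the mirror image: swap the two public endpoints, adjust tunnel IP and policy name.
R3_CONFIG = (R2_CONFIG.replace("25.0.0.2", "@").replace("35.0.0.3", "25.0.0.2").replace("@", "35.0.0.3")
             .replace("172.16.0.2", "172.16.0.3").replace("policy r3", "policy r2"))


@dataclass
class PeerConfig:
    tunnel_source: str = ""
    tunnel_destination: str = ""
    acl_rules: dict = field(default_factory=dict)        # acl number -> [(proto, src, dst)]
    policy_acl: str = ""
    policy_remote: str = ""
    policy_transform: str = ""
    transform_algos: dict = field(default_factory=dict)  # set name -> {role: algorithm}
    keychain: list = field(default_factory=list)         # [(address, mask, key form)]


RULE_RE = re.compile(r"rule \d+ permit (\S+)(?: source (\S+) \S+)?(?: destination (\S+) \S+)?")
ALGO_RE = re.compile(r"esp (encryption|authentication)-algorithm (\S+)")
PSK_RE = re.compile(r"pre-shared-key address (\S+) (\S+) key (\S+)")


def parse_peer(text):
    """Line-oriented parser for the Comware subset used on the page; `section` tracks the current view."""
    cfg, section, acl, ts = PeerConfig(), None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if line.startswith("interface Tunnel"):
            section = "tunnel"
        elif line.startswith("interface "):
            section = "interface"
        elif line.startswith("acl number "):
            section, acl = "acl", line.split()[2]
            cfg.acl_rules.setdefault(acl, [])
        elif line.startswith("ipsec transform-set "):
            section, ts = "transform", line.split()[2]
            cfg.transform_algos[ts] = {}
        elif line.startswith("ipsec policy "):
            section = "policy"
        elif line.startswith("ike keychain "):
            section = "keychain"
        elif section == "tunnel" and line.startswith("source "):
            cfg.tunnel_source = line.split()[1]
        elif section == "tunnel" and line.startswith("destination "):
            cfg.tunnel_destination = line.split()[1]
        elif section == "acl" and (m := RULE_RE.match(line)):
            cfg.acl_rules[acl].append((m.group(1), m.group(2), m.group(3)))
        elif section == "transform" and (m := ALGO_RE.match(line)):
            cfg.transform_algos[ts][m.group(1)] = m.group(2)
        elif section == "policy" and line.startswith("transform-set "):
            cfg.policy_transform = line.split()[1]
        elif section == "policy" and line.startswith("security acl "):
            cfg.policy_acl = line.split()[2]
        elif section == "policy" and line.startswith("remote-address "):
            cfg.policy_remote = line.split()[1]
        elif section == "keychain" and (m := PSK_RE.match(line)):
            cfg.keychain.append(m.groups())
    return cfg


LEGACY_ALGOS = {"des-cbc": "single DES is deprecated", "3des-cbc": "3DES is deprecated",
                "md5": "MD5 HMAC is deprecated", "sha1": "SHA-1 HMAC is legacy; prefer sha256"}


def audit_pair(a, b):
    """Check both directions of the pair; returns the findings (empty list == consistent and clean)."""
    out = []
    for name, me, peer in (("A", a, b), ("B", b, a)):
        if me.tunnel_destination != peer.tunnel_source:
            out.append(f"{name}: tunnel destination {me.tunnel_destination} != peer tunnel source {peer.tunnel_source}")
        if me.policy_remote != peer.tunnel_source:
            out.append(f"{name}: ipsec remote-address {me.policy_remote} != peer tunnel source {peer.tunnel_source}")
        expected = ("gre", me.tunnel_source, me.tunnel_destination)   # protect only tunnel-endpoint GRE
        if me.acl_rules.get(me.policy_acl) != [expected]:
            out.append(f"{name}: acl {me.policy_acl} should select exactly {expected}, has {me.acl_rules.get(me.policy_acl)}")
        if not any(ipaddress.ip_address(peer.tunnel_source) in ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                   for addr, mask, _ in me.keychain):
            out.append(f"{name}: no ike keychain entry covers peer {peer.tunnel_source}")
        for addr, _, form in me.keychain:
            if form == "simple":
                out.append(f"{name}: pre-shared key for {addr} is entered in plain text (key simple)")
        for role, algo in me.transform_algos.get(me.policy_transform, {}).items():
            if algo in LEGACY_ALGOS:
                out.append(f"{name}: transform-set {me.policy_transform} {role} {algo}: {LEGACY_ALGOS[algo]}")
    return out


if __name__ == "__main__":
    for finding in audit_pair(parse_peer(R2_CONFIG), parse_peer(R3_CONFIG)):
        print(finding)
```

Run on the page's configuration this reports six hygiene findings (the des-cbc and sha1 algorithms and the plain-text key, on each side) and no consistency finding; mistyping any one endpoint address on either side produces a mismatch finding for that direction, which is the class of error that otherwise only shows up as an IKE negotiation that never completes.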
(5) R4
#
ospf 1 router-id 4.4.4.4
area 0.0.0.0
network 0.0.0.0 255.255.255.255
#
interface LoopBack0
ip address 10.4.4.4 255.255.255.255
#
interface GigabitEthernet0/1
port link-mode route
ip address 192.168.34.4 255.255.255.0
#
3. Verification
(1) Verify the path the data takes
<R1>ping -r 10.4.4.4
Ping 10.4.4.4 (10.4.4.4): 56 data bytes, press CTRL_C to break
56 bytes from 10.4.4.4: icmp_seq=0 ttl=253 time=1.252 ms
RR: 172.16.0.2
192.168.34.3
192.168.34.4
172.16.0.3
192.168.12.2
192.168.12.1
56 bytes from 10.4.4.4: icmp_seq=1 ttl=253 time=1.168 ms (same route)
56 bytes from 10.4.4.4: icmp_seq=2 ttl=253 time=1.144 ms (same route)
56 bytes from 10.4.4.4: icmp_seq=3 ttl=253 time=1.115 ms (same route)
56 bytes from 10.4.4.4: icmp_seq=4 ttl=253 time=1.139 ms (same route)
--- Ping statistics for 10.4.4.4 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.115/1.164/1.252/0.047 ms
<R1>ping -r 35.0.0.3
Ping 35.0.0.3 (35.0.0.3): 56 data bytes, press CTRL_C to break
56 bytes from 35.0.0.3: icmp_seq=0 ttl=253 time=2.001 ms
RR: 25.0.0.2
35.0.0.5
35.0.0.3
25.0.0.5
192.168.12.2
192.168.12.1
56 bytes from 35.0.0.3: icmp_seq=1 ttl=253 time=3.449 ms (same route)
56 bytes from 35.0.0.3: icmp_seq=2 ttl=253 time=1.829 ms (same route)
56 bytes from 35.0.0.3: icmp_seq=3 ttl=253 time=1.955 ms (same route)
56 bytes from 35.0.0.3: icmp_seq=4 ttl=253 time=13.771 ms (same route)
--- Ping statistics for 35.0.0.3 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.829/4.601/13.771/4.623 ms
<R4>ping -a 10.4.4.4 -r 10.1.1.1
Ping 10.1.1.1 (10.1.1.1) from 10.4.4.4: 56 data bytes, press CTRL_C to break
56 bytes from 10.1.1.1: icmp_seq=0 ttl=253 time=1.207 ms
RR: 172.16.0.3
192.168.12.2
192.168.12.1
172.16.0.2
192.168.34.3
192.168.34.4
56 bytes from 10.1.1.1: icmp_seq=1 ttl=253 time=1.084 ms (same route)
56 bytes from 10.1.1.1: icmp_seq=2 ttl=253 time=1.158 ms (same route)
56 bytes from 10.1.1.1: icmp_seq=3 ttl=253 time=1.106 ms (same route)
56 bytes from 10.1.1.1: icmp_seq=4 ttl=253 time=1.151 ms (same route)
--- Ping statistics for 10.1.1.1 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.084/1.141/1.207/0.043 ms
<R4>ping -a 10.4.4.4 -r 25.0.0.2
Ping 25.0.0.2 (25.0.0.2) from 10.4.4.4: 56 data bytes, press CTRL_C to break
56 bytes from 25.0.0.2: icmp_seq=0 ttl=253 time=2.081 ms
RR: 35.0.0.3
25.0.0.5
25.0.0.2
35.0.0.5
192.168.34.3
192.168.34.4
56 bytes from 25.0.0.2: icmp_seq=1 ttl=253 time=1.841 ms (same route)
56 bytes from 25.0.0.2: icmp_seq=2 ttl=253 time=6.496 ms (same route)
56 bytes from 25.0.0.2: icmp_seq=3 ttl=253 time=1.907 ms (same route)
56 bytes from 25.0.0.2: icmp_seq=4 ttl=253 time=2.418 ms (same route)
--- Ping statistics for 25.0.0.2 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.841/2.949/6.496/1.785 ms
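The record-route outputs above make the point visually: a ping between the private loopbacks records only tunnel (172.16.0.x) and LAN addresses, because the ISP router forwards the encrypted outer packet and never processes the inner IP header, whereas a ping to the peer's public address records the ISP hops (25.0.0.5, 35.0.0.5). The Python script below is an added example, not code from the page: it parses `ping -r` output in the format shown above (the two embedded outputs are constructed copies of the page's results) and turns that visual check into an automated one.

```python
"""Classify the hops recorded by `ping -r` for a GRE-over-IPsec setup.

Added example, not part of the original page. The address plan (tunnel 172.16.0.0/24,
ISP links 25.0.0.0/24 and 35.0.0.0/24) is the one used in the page's configuration.
"""
import ipaddress
import re

TUNNEL_NET = ipaddress.ip_network("172.16.0.0/24")
ISP_NETS = [ipaddress.ip_network("25.0.0.0/24"), ipaddress.ip_network("35.0.0.0/24")]

# Constructed copies of the page's outputs (first reply only; later replies print "(same route)").
PING_INTERNAL = """\
<R1>ping -r 10.4.4.4
Ping 10.4.4.4 (10.4.4.4): 56 data bytes, press CTRL_C to break
56 bytes from 10.4.4.4: icmp_seq=0 ttl=253 time=1.252 ms
RR: 172.16.0.2
    192.168.34.3
    192.168.34.4
    172.16.0.3
    192.168.12.2
    192.168.12.1
56 bytes from 10.4.4.4: icmp_seq=1 ttl=253 time=1.168 ms (same route)
"""
PING_PUBLIC = """\
<R1>ping -r 35.0.0.3
Ping 35.0.0.3 (35.0.0.3): 56 data bytes, press CTRL_C to break
56 bytes from 35.0.0.3: icmp_seq=0 ttl=253 time=2.001 ms
RR: 25.0.0.2
    35.0.0.5
    35.0.0.3
    25.0.0.5
    192.168.12.2
    192.168.12.1
56 bytes from 35.0.0.3: icmp_seq=1 ttl=253 time=3.449 ms (same route)
"""

IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_record_route(output):
    """Return the recorded-route hops, in printed order, from the first reply of a `ping -r` run."""
    hops, in_rr = [], False
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"RR:\s*(\S+)", line)
        if m:                       # first hop sits on the "RR:" line itself
            hops.append(m.group(1))
            in_rr = True
        elif in_rr and IPV4_RE.fullmatch(line):
            hops.append(line)       # continuation lines carry one address each
        elif in_rr:
            break                   # next reply line ends the list
    return hops


def classify_hops(hops):
    """Bucket each hop as 'tunnel', 'isp' or 'lan' according to the address plan."""
    buckets = {"tunnel": [], "isp": [], "lan": []}
    for hop in hops:
        addr = ipaddress.ip_address(hop)
        if addr in TUNNEL_NET:
            buckets["tunnel"].append(hop)
        elif any(addr in net for net in ISP_NETS):
            buckets["isp"].append(hop)
        else:
            buckets["lan"].append(hop)
    return buckets


def path_uses_tunnel(output):
    """True if the recorded path crosses the GRE tunnel and never shows up on an ISP segment."""
    buckets = classify_hops(parse_record_route(output))
    return bool(buckets["tunnel"]) and not buckets["isp"]


if __name__ == "__main__":
    for label, out in (("internal", PING_INTERNAL), ("public", PING_PUBLIC)):
        print(label, classify_hops(parse_record_route(out)), "via tunnel:", path_uses_tunnel(out))
```

A path that suddenly lists 25.0.0.x or 35.0.0.x hops for internal traffic means the packets are leaving in the clear (for instance after the tunnel interface or the route over it goes down), so this check is a cheap thing to run after any change to the OSPF or IPsec configuration.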
(2) View the IKE SA and IPsec SA on R2
[R2]dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
1 35.0.0.3 RD IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING
[R2]dis ipsec sa
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------
-----------------------------
IPsec policy: r3
Sequence number: 1
Mode: isakmp
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect forward secrecy:
Path MTU: 1443
Tunnel:
local address: 25.0.0.2
remote address: 35.0.0.3
Flow:
sour addr: 25.0.0.2/255.255.255.255 port: 0 protocol: gre
dest addr: 35.0.0.3/255.255.255.255 port: 0 protocol: gre
[Inbound ESP SAs]
SPI: 4271560800 (0xfe9ad860)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3586
Max received sequence-number: 1
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: active
[Outbound ESP SAs]
SPI: 1089462129 (0x40efdf71)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3586
Max sent sequence-number: 1
UDP encapsulation used for NAT traversal: N
Status: active
Even when a new network is added later, the peer still learns it over the tunnel:
[R1]int loopback 1
ip add 10.10.10.1 32
[R4]dis ospf ro
The newly added network 10.10.10.1/32 is visible in R4's OSPF routing table.