Requirements:
1. While keeping Internet access to 2.2.2.2, the Chengdu branch and the Beijing headquarters interconnect their internal networks through an IPsec VPN.
The IP addresses of PC1 and PC2 are as follows:
AR1 configuration:
<AR1>dis cu
#
sysname AR1
#
acl number 3000
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
acl number 3001
rule 10 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 20 permit ip
#
ipsec proposal chengdu
#
ipsec policy cd 10 manual
security acl 3000
proposal chengdu
tunnel local 100.1.1.1
tunnel remote 200.1.1.1
sa spi inbound esp 54321
sa string-key inbound esp cipher %$%$Tx-‘+:\GD>F2sD;Bm!eV,.2n%$%$
sa spi outbound esp 12345
sa string-key outbound esp cipher %$%$Tx-‘+:\GD>F2sD;Bm!eV,.2n%$%$
#
interface GigabitEthernet0/0/0
ip address 192.168.10.254 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 100.1.1.1 255.255.255.252
ipsec policy cd
nat outbound 3001
#
ip route-static 0.0.0.0 0.0.0.0 100.1.1.2
AR2 configuration:
<AR2>dis cu
#
sysname AR2
#
acl number 3000
rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
acl number 3001
rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 20 permit ip
#
ipsec proposal beijing
#
ipsec policy bj 10 manual
security acl 3000
proposal beijing
tunnel local 200.1.1.1
tunnel remote 100.1.1.1
sa spi inbound esp 12345
sa string-key inbound esp cipher %$%$Tx-‘+:\GD>F2sD;Bm!eV,.2n%$%$
sa spi outbound esp 54321
sa string-key outbound esp cipher %$%$Tx-‘+:\GD>F2sD;Bm!eV,.2n%$%$
#
interface GigabitEthernet0/0/0
ip address 192.168.20.254 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 200.1.1.1 255.255.255.252
ipsec policy bj
nat outbound 3001
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.2
ISP configuration:
<ISP>dis cu
#
sysname ISP
#
interface GigabitEthernet0/0/0
ip address 100.1.1.2 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 200.1.1.2 255.255.255.252
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
Appendix: configuration steps
Operations on AR1:
Step 1: configure network reachability
[AR1]ip route-static 0.0.0.0 0 100.1.1.2
Step 2: match the traffic with policies
[AR1]acl 3000
[AR1-acl-adv-3000]rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
Everything except the traffic denied in ACL 3001 is NATed:
[AR1]acl 3001
[AR1-acl-adv-3001]rule 10 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[AR1-acl-adv-3001]rule 20 permit ip
[AR1-acl-adv-3001]q
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 3001
[AR1]ipsec proposal chengdu
[AR1-ipsec-proposal-chengdu]esp authentication-algorithm md5
[AR1-ipsec-proposal-chengdu]esp encryption-algorithm des
[AR1-ipsec-proposal-chengdu]q
[AR1]dis ipsec proposal
Number of proposals: 1
IPSec proposal name: chengdu
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication MD5-HMAC-96
Encryption DES
[AR1]
Step 3: configure the security policy
[AR1]ipsec policy cd 10 manual
[AR1-ipsec-policy-manual-cd-10]
[AR1-ipsec-policy-manual-cd-10]security acl 3000
[AR1-ipsec-policy-manual-cd-10]proposal chengdu
[AR1-ipsec-policy-manual-cd-10]tunnel local 100.1.1.1
[AR1-ipsec-policy-manual-cd-10]tunnel remote 200.1.1.1
[AR1-ipsec-policy-manual-cd-10]sa spi inbound esp 54321
[AR1-ipsec-policy-manual-cd-10]sa string-key inbound esp cipher summer
[AR1-ipsec-policy-manual-cd-10]sa spi outbound esp 12345
[AR1-ipsec-policy-manual-cd-10]sa string-key outbound esp cipher summer
[AR1-ipsec-policy-manual-cd-10]q
[AR1]
Step 4: apply the policy
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]ipsec policy cd
Configuration on AR2:
Step 1: configure network reachability
[AR2]ip route-static 0.0.0.0 0 200.1.1.2
Step 2: match the traffic with policies
[AR2]acl 3000
[AR2-acl-adv-3000]rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
Everything except the traffic denied in ACL 3001 is NATed:
[AR2]acl 3001
[AR2-acl-adv-3001]rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[AR2-acl-adv-3001]rule 20 permit ip
[AR2]int g0/0/1
[AR2-GigabitEthernet0/0/1]nat outbound 3001
[AR2]ipsec proposal beijing
[AR2-ipsec-proposal-beijing]esp authentication-algorithm md5
[AR2-ipsec-proposal-beijing]esp encryption-algorithm des
Step 3: configure the security policy
[AR2]ipsec policy bj 10 manual
[AR2-ipsec-policy-manual-bj-10]security acl 3000
[AR2-ipsec-policy-manual-bj-10]proposal beijing
[AR2-ipsec-policy-manual-bj-10]tunnel local 200.1.1.1
[AR2-ipsec-policy-manual-bj-10]tunnel remote 100.1.1.1
[AR2-ipsec-policy-manual-bj-10]sa spi inbound esp 12345
[AR2-ipsec-policy-manual-bj-10]sa string-key inbound esp cipher summer
[AR2-ipsec-policy-manual-bj-10]sa spi outbound esp 54321
[AR2-ipsec-policy-manual-bj-10]sa string-key outbound esp cipher summer
[AR2-ipsec-policy-manual-bj-10]
[AR2-ipsec-policy-manual-bj-10]q
Step 4: apply the policy
[AR2]int g0/0/1
[AR2-GigabitEthernet0/0/1]ipsec policy bj
Verification
The PC at 192.168.10.1 can ping 192.168.20.1, which shows the IPsec VPN is up.
Pinging the Internet address 2.2.2.2 also succeeds, which shows NAT is working.
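As an added example that is not part of the original notes, the Python checker below parses the AR1 and AR2 running configs shown above and verifies the properties a manual-SA setup like this one depends on: mirrored tunnel endpoints and ESP SPIs, mirror-image security ACLs, and a NAT ACL that denies the protected flow before its catch-all permit. The config excerpts are constructed from the page's output, and the parser only understands the handful of VRP lines used here.

```python
# Constructed sample input: the lines from the page's AR1 and AR2 running configs that the checks below need.
AR1 = """acl number 3000
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
acl number 3001
rule 10 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 20 permit ip
security acl 3000
tunnel local 100.1.1.1
tunnel remote 200.1.1.1
sa spi inbound esp 54321
sa spi outbound esp 12345
nat outbound 3001"""
AR2 = """acl number 3000
rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
acl number 3001
rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 20 permit ip
security acl 3000
tunnel local 200.1.1.1
tunnel remote 100.1.1.1
sa spi inbound esp 12345
sa spi outbound esp 54321
nat outbound 3001"""

def parse(cfg):
    """Pull ACL rules, tunnel endpoints, SPIs and the bound ACL numbers out of a VRP config."""
    d, rules = {"acl": {}}, None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[:2] == ["acl", "number"]: rules = d["acl"].setdefault(t[2], [])
        elif t[0] == "rule":  # (action, source, destination); a bare 'permit ip' matches any/any
            rules.append((t[2], t[5], t[8]) if len(t) > 4 else (t[2], "any", "any"))
        elif t[0] == "tunnel": d[t[1]] = t[2]  # d["local"], d["remote"]
        elif t[:2] == ["sa", "spi"]: d["spi_" + t[2]] = t[4]  # d["spi_inbound"], d["spi_outbound"]
        elif t[:2] in (["security", "acl"], ["nat", "outbound"]): d[t[0]] = t[2]  # d["security"], d["nat"]
    return d

def check_pair(a, b):
    """Mismatches that would leave router a's manual SAs or NAT exemption broken against peer b."""
    f = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]): f.append("tunnel endpoints not mirrored")
    if (a["spi_inbound"], a["spi_outbound"]) != (b["spi_outbound"], b["spi_inbound"]): f.append("ESP SPIs not mirrored")
    sec = a["acl"][a["security"]]
    if set(sec) != {(act, dst, src) for act, src, dst in b["acl"][b["security"]]}: f.append("security ACLs not mirror images")
    # The NAT ACL must deny the protected flow before its catch-all permit, or the source is translated first and never matches the IPsec ACL.
    exempt = set()
    for act, src, dst in a["acl"][a["nat"]]:
        if act == "deny": exempt.add((src, dst))
        elif (src, dst) == ("any", "any"): break
    if {(s, d) for act, s, d in sec if act == "permit"} - exempt: f.append("NAT ACL does not exempt IPsec traffic")
    return f
```

Run check_pair in both directions; an empty list means the two sides agree, and any string returned names the setting to fix before expecting the ping test to succeed.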