
RouterA
sysname RouterA
#
interface GigabitEthernet0/0/0 //WAN-facing interface of the branch router; the IPSec policy is bound here
ip address 12.1.1.1 255.255.255.0
ipsec policy map1 //references policy map1, which is defined later in this listing
#
interface GigabitEthernet0/0/1 //LAN-facing interface (branch subnet 10.1.1.0/24)
ip address 10.1.1.1 255.255.255.0
Internet
sysname Internet //transit router standing in for the public network; it only needs interface addresses
#
interface GigabitEthernet0/0/0 //towards RouterA (12.1.1.0/24)
ip address 12.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1 //towards RouterB (23.1.1.0/24)
ip address 23.1.1.2 255.255.255.0
RouterB
sysname RouterB
#
interface GigabitEthernet0/0/0 //WAN-facing interface of the HQ router; the IPSec policy is bound here
ip address 23.1.1.3 255.255.255.0
#
interface GigabitEthernet0/0/1 //LAN-facing interface (HQ subnet 10.1.2.0/24)
ip address 10.1.2.1 255.255.255.0
RouterA
ip route-static 10.1.2.0 255.255.255.0 12.1.1.2 //static route to the HQ internal subnet; this is the traffic that the IPSec policy will match
ip route-static 23.1.1.0 255.255.255.0 12.1.1.2 //static route to the HQ WAN segment so the remote tunnel endpoint (23.1.1.3) is reachable
RouterB
ip route-static 10.1.1.0 255.255.255.0 23.1.1.2 //static route to the branch internal subnet
ip route-static 12.1.1.0 255.255.255.0 23.1.1.2 //static route to the branch WAN segment so the remote tunnel endpoint (12.1.1.1) is reachable
RouterA
acl number 3101 //ACL 3101: selects traffic from the branch subnet to the HQ subnet as the traffic to be protected
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1 //IPSec proposal: ESP with SHA2-256 integrity and AES-128 encryption (must match RouterB's proposal)
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ipsec policy map1 10 manual //manual-keyed security policy: SPIs and keys are configured statically, so there is no IKE negotiation and no automatic rekeying
security acl 3101
proposal tran1
tunnel local 12.1.1.1
tunnel remote 23.1.1.3 //local/remote must be the mirror image of RouterB's settings
sa spi inbound esp 54321 //inbound SPI here equals RouterB's outbound SPI
sa string-key inbound esp cipher wml //NOTE(review): the same string key is used for both directions and on both peers; manual SAs never rotate it, so prefer IKE-negotiated SAs where both ends support them and do not reuse this value across deployments
sa spi outbound esp 12345 //outbound SPI here equals RouterB's inbound SPI
sa string-key outbound esp cipher wml
#
interface GigabitEthernet0/0/0
ipsec policy map1 //apply the policy on the WAN interface; only traffic permitted by ACL 3101 is protected
RouterB
acl number 3101 //ACL 3101: selects traffic from the HQ subnet to the branch subnet (reverse of RouterA's rule)
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1 //IPSec proposal: same ESP algorithms as on RouterA
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ipsec policy use1 10 manual //manual-keyed security policy; the policy name is local to this device and does not need to match RouterA's
security acl 3101
proposal tran1
tunnel local 23.1.1.3
tunnel remote 12.1.1.1
sa spi inbound esp 12345 //mirrors RouterA's outbound SPI
sa string-key inbound esp cipher wml //NOTE(review): static key shared by both directions and both peers; with manual SAs it is never rekeyed
sa spi outbound esp 54321 //mirrors RouterA's inbound SPI
sa string-key outbound esp cipher wml
#
interface GigabitEthernet0/0/0
ipsec policy use1 //apply the policy on the WAN interface



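RouterA
sysname RouterA
//IPSec proposal on RouterA: ESP with SHA2-256 integrity and AES-128 encryption.
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128 //fixed: the original line contained a stray '#' inside the keyword ("encryption-algorith#m") and would be rejected by the CLI
//IKE proposal on RouterA: AES-CBC-128 for the IKE SA and DH group 14 (2048-bit MODP) for key exchange.
//NOTE(review): no authentication-algorithm or SA lifetime is set here, so the device defaults apply - confirm they meet policy.
ike proposal 5
encryption-algorithm aes-cbc-128
dh group14
//IKE peer on RouterA; "v1" selects IKEv1. The pre-shared key must be identical on RouterB's peer definition.
ike peer spub v1
pre-shared-key cipher wml
ike-proposal 5
//IPSec profile on RouterA: ties the IKE peer to the IPSec proposal; applied to the tunnel interface rather than via an ACL-based policy.
ipsec profile profile1
ike-peer spub
proposal tran1
#
interface GigabitEthernet0/0/0 //WAN-facing interface; also the GRE tunnel source
ip address 14.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1 //LAN-facing interface (10.1.1.0/24)
ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/0 //GRE tunnel to RouterB; the IPSec profile protects the GRE-encapsulated traffic leaving this interface
ip address 192.168.1.1 255.255.255.0
tunnel-protocol gre
source 14.1.1.1
destination 24.1.1.2
ipsec profile profile1 //bind the IPSec profile to the tunnel interface on RouterA
#
ip route-static 10.1.2.0 255.255.255.0 Tunnel0/0/0 //HQ subnet is reached through the tunnel, so it is carried inside GRE+IPSec
ip route-static 24.1.1.0 255.255.255.0 14.1.1.4 //reachability to the tunnel destination via R4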
RouterB
sysname RouterB
#
ipsec proposal tran1 //IPSec proposal: must match RouterA's (SHA2-256 / AES-128)
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //IKE proposal: must match RouterA's (AES-CBC-128, DH group 14)
encryption-algorithm aes-cbc-128
dh group14
#
ike peer spua v1 //IKEv1 peer; the pre-shared key must equal the one configured on RouterA
pre-shared-key cipher wml
ike-proposal 5
#
ipsec profile profile1 //IPSec profile binding the IKE peer and IPSec proposal
ike-peer spua
proposal tran1
#
interface GigabitEthernet0/0/0 //LAN-facing interface (10.1.2.0/24)
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1 //WAN-facing interface; also the GRE tunnel source
ip address 24.1.1.2 255.255.255.0
#
interface Tunnel0/0/0 //GRE tunnel to RouterA, mirror image of RouterA's tunnel endpoints
ip address 192.168.1.2 255.255.255.0
tunnel-protocol gre
source 24.1.1.2
destination 14.1.1.1
ipsec profile profile1 //IPSec profile applied to the tunnel interface
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/0 //branch subnet is reached through the protected tunnel
ip route-static 14.1.1.0 255.255.255.0 24.1.1.4 //reachability to the tunnel destination via R4
R4
//Only the IP addresses of the two interfaces need to be configured normally; R4 forwards the GRE/IPSec traffic between RouterA and RouterB.
interface GigabitEthernet0/0/0
ip address 14.1.1.4 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 24.1.1.4 255.255.255.0

sysname RouterA
#
interface GigabitEthernet1/0/0 //public-network egress interface
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0 //private-network egress interface
ip address 10.1.1.2 255.255.255.0
#
interface Tunnel0/0/1 //Tunnel interface: the tunnel source is the IP address of the physical interface that sends the packets, the destination is the IP address of the physical interface that receives them
ip address 10.3.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1 //public-network routing; only the 20.1.1.0/24 segment is advertised
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1 //private-network static route; the next hop is the Tunnel interface
sysname RouterB
#
interface GigabitEthernet1/0/0 //towards RouterA (20.1.1.0/24)
ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0 //towards RouterC (30.1.1.0/24)
ip address 30.1.1.1 255.255.255.0
#
ospf 1 //public-network routing; RouterB advertises both transit segments so the GRE endpoints can reach each other
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
sysname RouterC
#
interface GigabitEthernet1/0/0 //public-network egress interface
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0 //private-network egress interface
ip address 10.2.1.2 255.255.255.0
#
interface Tunnel0/0/1 //Tunnel interface: the tunnel source is the IP address of the physical interface that sends the packets, the destination is the IP address of the physical interface that receives them
ip address 10.3.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
#
ospf 1 //public-network routing; only the 30.1.1.0/24 segment is advertised
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1 //private-network static route; the next hop is the Tunnel interface