• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 漏洞说明
  • 全部
  • 全部
  • 大数据引擎
  • 知了引擎
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式
高级搜索

GRE over ipsec VPN实现多分支互访

2020-06-16 发表
  • 0关注
  • 7收藏 5417浏览
胡琪 五段
粉丝:7人 关注:1人

组网及说明

1、组网



2、需求

建立GRE over ipsec vpn实现各分支和总部之间互通,并且各分支之间也能通过总部访问。总部是固定ip地址,分支IP地址不固定,并且分支AB处无人值守且分支无主动自动访问总部的业务运行,所以为了防止分支设备断电重启后无法主动建立隧道,需要通过NQA来实现设备断电重启后自动触发隧道建立。

3、配置思路

由于各分支和总部之间建立的是GRE over ipsec VPNipsec保护是GRE流量,所以要实现多分支和总部之间互访,只需要将分支访问总部或者别的分支的流量送到GRE tunnel接口进行GRE封装,然后被ipsec保护由ipsec隧道来传输至总部,在总部由ipsec 解封装后再送到GRE 对应的tunnel接口解封装。(如果是访问别的分支的流量,会在总部再匹配静态路由,又送到对应的tunnel接口进行封装走ipsec 隧道到达对应的分支)


配置步骤

4、关键配置

总部:

#

sysname Headquarters

#

interface LoopBack0

 ip address 192.168.1.1 255.255.255.0

#

interface GigabitEthernet0/0

 port link-mode route

 combo enable copper

 ip address 1.1.1.2 255.255.255.252

//GRE报文不会做NAT,所以此处NAT处不用deny ipsec感兴趣流

 nat outbound

 ipsec apply policy test

#

interface Tunnel0 mode gre

 description toBrabchA

 ip address 172.16.1.1 255.255.255.0

 source 1.1.1.2

 destination 2.2.2.2

#

interface Tunnel1 mode gre

 description toBrabchB

 ip address 172.16.2.11 255.255.255.0

 source 1.1.1.2

 destination 3.3.3.2

#

 ip route-static 0.0.0.0 0 1.1.1.1

 ip route-static 192.168.2.0 24 tunnel0

 ip route-static 192.168.3.0 24 tunnel1

#

acl advanced 3000

 description toBranchA

 rule 0 permit ip source 1.1.1.2 0.0.0.0 destination 2.2.2.2 0.0.0.0

#

acl advanced 3001

 description toBranchB

 rule 0 permit ip source 1.1.1.2 0.0.0.0 destination 3.3.3.2 0.0.0.0

#

ipsec transform-set 1

 esp encryption-algorithm 3des-cbc

 esp authentication-algorithm md5

#

ipsec policy-template branchA 1

 transform-set 1

 security acl 3000

 ike-profile branchA

#

ipsec policy-template branchB 1

 transform-set 1

 security acl 3001

 ike-profile branchB

#

ipsec policy test 1 isakmp template branchA

#

ipsec policy test 2 isakmp template branchB

#

ike profile branchA

 keychain branchA

 exchange-mode aggressive

 local-identity fqdn headquarters

 match remote identity fqdn branchA

#

ike profile branchB

 keychain branchB

 exchange-mode aggressive

 local-identity fqdn headquarters

 match remote identity fqdn branchB

#

ike proposal 1

 encryption-algorithm 3des-cbc

 authentication-algorithm md5

#

ike keychain branchA

 match local address 1.1.1.2

 pre-shared-key hostname branchA key cipher $c$3$nng95cm/zlG3ghvIRim5saZ3bMEhoJD+Ow==

#

ike keychain branchB

 match local address 1.1.1.2

 pre-shared-key hostname branchB key cipher $c$3$Rl2okdkTYNBEYWd32X25LOWYkYo5YCcrgw==

#

 

分支A

#

sysname branchA

#

nqa entry admin test

 type icmp-echo

  destination ip 1.1.1.2

  frequency 5000

  history-record enable

  history-record number 10

  probe count 10

  probe timeout 500

  source ip 2.2.2.2

#

 nqa schedule admin test start-time now lifetime forever

#

interface LoopBack0

 ip address 192.168.2.1 255.255.255.0

#

interface GigabitEthernet0/0

 port link-mode route

 combo enable copper

 ip address 2.2.2.2 255.255.255.252

 nat outbound

 ipsec apply policy 1

#

interface Tunnel0 mode gre

 ip address 172.16.1.2 255.255.255.0

 source 2.2.2.2

 destination 1.1.1.2

#

 ip route-static 0.0.0.0 0 2.2.2.1

 ip route-static 192.168.1.0 24 Tunnel0

 ip route-static 192.168.3.0 24 Tunnel0

#

acl advanced 3000

 rule 0 permit ip source 2.2.2.2 0.0.0.0 destination 1.1.1.2 0.0.0.0

#

ipsec transform-set 1

 esp encryption-algorithm 3des-cbc

 esp authentication-algorithm md5

#

ipsec policy 1 1 isakmp

 transform-set 1

 security acl 3000

 remote-address 1.1.1.2

 ike-profile 1

#

 ike dpd interval 10 on-demand

#

ike profile 1

 keychain 1

 exchange-mode aggressive

 local-identity fqdn branchA

 match remote identity fqdn headquarters

#

ike proposal 1

 encryption-algorithm 3des-cbc

 authentication-algorithm md5

#

ike keychain 1

 pre-shared-key address 1.1.1.2 255.255.255.0 key cipher $c$3$5QlYyBFEZTju/oTPut9zgP5JNpmVleBIbA==

#

 

分支B

#

sysname branchB

#

nqa entry admin test

 type icmp-echo

  destination ip 1.1.1.2

  frequency 5000

  history-record enable

  history-record number 10

  probe count 10

  probe timeout 500

  source ip 3.3.3.2

#

 nqa schedule admin test start-time now lifetime forever

#

interface LoopBack0

 ip address 192.168.3.1 255.255.255.0

#

interface GigabitEthernet0/0

 port link-mode route

 combo enable copper

 ip address 3.3.3.2 255.255.255.252

 nat outbound

 ipsec apply policy 1

#

interface Tunnel0 mode gre

 ip address 172.16.1.3 255.255.255.0

 source 3.3.3.2

 destination 1.1.1.2

#

 ip route-static 0.0.0.0 0 3.3.3.1

 ip route-static 192.168.1.0 24 Tunnel0

 ip route-static 192.168.2.0 24 Tunnel0

#

acl advanced 3000

 rule 0 permit ip source 3.3.3.2 0.0.0.0 destination 1.1.1.2 0.0.0.0

#

ipsec transform-set 1

 esp encryption-algorithm 3des-cbc

 esp authentication-algorithm md5

#

ipsec policy 1 1 isakmp

 transform-set 1

 security acl 3000

 remote-address 1.1.1.2

 ike-profile 1

#

 ike dpd interval 10 on-demand

#

ike profile 1

 keychain 1

 exchange-mode aggressive

 local-identity fqdn branchB

 match remote identity fqdn headquarters

#

ike proposal 1

 encryption-algorithm 3des-cbc

 authentication-algorithm md5

#

ike keychain 1

 pre-shared-key address 1.1.1.2 255.255.255.0 key cipher $c$3$5QlYyBFEZTju/oTPut9zgP5JNpmVleBIbA==

#

5、测试

分支A侧可以ping通总部和分支B


 分支B侧可以ping通总部和分支A


在总部侧查看ike sa ipsec sa

<Headquarters>dis ike sa

Connection-ID   Remote                Flag         DOI   

------------------------------------------------------------------

    1               2.2.2.2               RD           IPsec 

    2               3.3.3.2               RD           IPsec 

Flags:

RD--READY RL--REPLACED FD-FADING RK-REKEY

<Headquarters>dis ipsec sa

-------------------------------

Interface: GigabitEthernet0/0

-------------------------------

  -----------------------------

  IPsec policy: test

  Sequence number: 1

  Mode: Template

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Path MTU: 1444

    Tunnel:

        local  address: 1.1.1.2

        remote address: 2.2.2.2

    Flow:

        sour addr: 1.1.1.2/255.255.255.255  port: 0  protocol: ip

        dest addr: 2.2.2.2/255.255.255.255  port: 0  protocol: ip

    [Inbound ESP SAs]

      SPI: 3870699250 (0xe6b62ef2)

      Connection ID: 4294967296

      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843142/3365

      Max received sequence-number: 430

      Anti-replay check enable: Y

      Anti-replay window size: 64

      UDP encapsulation used for NAT traversal: N

      Status: Active

    [Outbound ESP SAs]

      SPI: 3823032807 (0xe3ded9e7)

      Connection ID: 4294967297

      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843142/3365

      Max sent sequence-number: 430

      UDP encapsulation used for NAT traversal: N

      Status: Active

  -----------------------------

  IPsec policy: test

  Sequence number: 2

  Mode: Template

  -----------------------------

    Tunnel id: 1

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Path MTU: 1444

    Tunnel:

        local  address: 1.1.1.2

        remote address: 3.3.3.2

    Flow:

        sour addr: 1.1.1.2/255.255.255.255  port: 0  protocol: ip

        dest addr: 3.3.3.2/255.255.255.255  port: 0  protocol: ip

    [Inbound ESP SAs]

      SPI: 3360931740 (0xc853bf9c)

      Connection ID: 4294967298

      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843138/3366

      Max received sequence-number: 460

      Anti-replay check enable: Y

      Anti-replay window size: 64

      UDP encapsulation used for NAT traversal: N

      Status: Active

 

    [Outbound ESP SAs]

      SPI: 1888065202 (0x708996b2)

      Connection ID: 4294967299

      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843138/3366

      Max sent sequence-number: 460

      UDP encapsulation used for NAT traversal: N

      Status: Active

在分支A侧查看ike sa ipsec sa相关信息

<branchA>dis ike sa

    Connection-ID   Remote                Flag         DOI   

------------------------------------------------------------------

    1               1.1.1.2               RD           IPsec 

Flags:

RD--READY RL--REPLACED FD-FADING RK-REKEY

<branchA>dis ipsec sa

-------------------------------

Interface: GigabitEthernet0/0

-------------------------------

 

  -----------------------------

  IPsec policy: 1

  Sequence number: 1

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Path MTU: 1444

    Tunnel:

        local  address: 2.2.2.2

        remote address: 1.1.1.2

    Flow:

        sour addr: 2.2.2.2/255.255.255.255  port: 0  protocol: ip

        dest addr: 1.1.1.2/255.255.255.255  port: 0  protocol: ip

 

    [Inbound ESP SAs]

      SPI: 3823032807 (0xe3ded9e7)

      Connection ID: 4294967296

      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843081/3156

      Max received sequence-number: 895

      Anti-replay check enable: Y

      Anti-replay window size: 64

      UDP encapsulation used for NAT traversal: N

      Status: Active

 

    [Outbound ESP SAs]

      SPI: 3870699250 (0xe6b62ef2)

      Connection ID: 4294967297

      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843081/3156

      Max sent sequence-number: 895

      UDP encapsulation used for NAT traversal: N

      Status: Active

在分支B侧查看ike sa ipsec sa相关信息

<branchB>dis ike sa

    Connection-ID   Remote                Flag         DOI   

------------------------------------------------------------------

    1               1.1.1.2               RD           IPsec 

Flags:

RD--READY RL--REPLACED FD-FADING RK-REKEY

<branchB>dis ipsec sa

-------------------------------

Interface: GigabitEthernet0/0

-------------------------------

 

  -----------------------------

  IPsec policy: 1

  Sequence number: 1

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Path MTU: 1444

    Tunnel:

        local  address: 3.3.3.2

        remote address: 1.1.1.2

    Flow:

        sour addr: 3.3.3.2/255.255.255.255  port: 0  protocol: ip

        dest addr: 1.1.1.2/255.255.255.255  port: 0  protocol: ip

 

    [Inbound ESP SAs]

      SPI: 1888065202 (0x708996b2)

      Connection ID: 4294967296

      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843029/2961

      Max received sequence-number: 1285

      Anti-replay check enable: Y

      Anti-replay window size: 64

      UDP encapsulation used for NAT traversal: N

      Status: Active

 

    [Outbound ESP SAs]

      SPI: 3360931740 (0xc853bf9c)

      Connection ID: 4294967297

      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843029/2961

      Max sent sequence-number: 1285

      UDP encapsulation used for NAT traversal: N

      Status: Active

 

在总部开启debug GRE alldebug ip packet,然后在分支A分别访问总部和分支B,收集debug信息分析一下报文在总部的解封装然后又封装的过程。

 [branchA]ping  -c 1 -a 192.168.2.1 192.168.1.1

 

//收到ESP封装的ipsec报文

<Headquarters>*Jun 15 12:42:35:746 2020 Headquarters IPFW/7/IPFW_PACKET:

Receiving, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 160, pktid = 10759, offset = 0, ttl = 254, protocol = 50,

checksum = 35870, s = 2.2.2.2, d = 1.1.1.2

prompt: Receiving IP packet.

 

//进行ipsec解封装,解封装之后为GRE报文

*Jun 15 12:42:35:746 2020 Headquarters IPFW/7/IPFW_PACKET:

Receiving, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 108, pktid = 10758, offset = 0, ttl = 255, protocol = 47,

checksum = 35670, s = 2.2.2.2, d = 1.1.1.2

prompt: Receiving IP packet.

 

//送到GRE tunnel0接口进行GRE解封装

*Jun 15 12:42:35:746 2020 Headquarters IPFW/7/IPFW_PACKET:

Delivering, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 108, pktid = 10758, offset = 0, ttl = 255, protocol = 47,

checksum = 35670, s = 2.2.2.2, d = 1.1.1.2

prompt: IP packet is delivering up.

 

*Jun 15 12:42:35:746 2020 Headquarters GRE/7/packet:

 Tunnel0 packet: Before de-encapsulation,

   2.2.2.2->1.1.1.2 (length = 108)

*Jun 15 12:42:35:746 2020 Headquarters GRE/7/packet:

 Tunnel0 packet: After de-encapsulation,

   192.168.2.1->192.168.1.1 (length = 84)

*Jun 15 12:42:35:746 2020 Headquarters IPFW/7/IPFW_PACKET:

Receiving, interface = Tunnel0, version = 4, headlen = 20, tos = 0,

pktlen = 84, pktid = 10757, offset = 0, ttl = 255, protocol = 1,

checksum = 3409, s = 192.168.2.1, d = 192.168.1.1

prompt: Receiving IP packet.

 

*Jun 15 12:42:35:746 2020 Headquarters IPFW/7/IPFW_PACKET:

Delivering, interface = Tunnel0, version = 4, headlen = 20, tos = 0,

pktlen = 84, pktid = 10757, offset = 0, ttl = 255, protocol = 1,

checksum = 3409, s = 192.168.2.1, d = 192.168.1.1

prompt: IP packet is delivering up.

 

//对设备回应的报文继续进行GRE封装

*Jun 15 12:42:35:746 2020 Headquarters IPFW/7/IPFW_PACKET:

Sending, interface = Tunnel0, version = 4, headlen = 20, tos = 0,

pktlen = 84, pktid = 10757, offset = 0, ttl = 255, protocol = 1,

checksum = 3409, s = 192.168.1.1, d = 192.168.2.1

prompt: Sending the packet from local at Tunnel0.

 

*Jun 15 12:42:35:746 2020 Headquarters GRE/7/packet:

 Tunnel0 packet: Before encapsulation according to adjacency table,

   192.168.1.1->192.168.2.1 (length = 84)

*Jun 15 12:42:35:746 2020 Headquarters GRE/7/packet:

 Tunnel0 packet: After encapsulation,

   1.1.1.2->2.2.2.2 (length = 108)

*Jun 15 12:42:35:746 2020 Headquarters IPFW/7/IPFW_PACKET:

 

//GRE封装完成之后从外网接口从ipsec隧道转发

Sending, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 160, pktid = 10715, offset = 0, ttl = 255, protocol = 50,

checksum = 35658, s = 1.1.1.2, d = 2.2.2.2

prompt: Sending the packet from local at GigabitEthernet0/0.

 

 

 [branchA]ping  -c 1 -a 192.168.2.1 192.168.3.1

//如下的解封装、封装过程与上面类似,不在赘述。

 

<Headquarters>

//收到ESP封装的ipsec报文

*Jun 15 14:49:10:944 2020 Headquarters IPFW/7/IPFW_PACKET:

Receiving, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 160, pktid = 8947, offset = 0, ttl = 254, protocol = 50,

checksum = 37682, s = 2.2.2.2, d = 1.1.1.2

prompt: Receiving IP packet.

 

//进行ipsec解封装,解封装之后为GRE报文

*Jun 15 14:49:10:944 2020 Headquarters IPFW/7/IPFW_PACKET:

Receiving, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 108, pktid = 8946, offset = 0, ttl = 255, protocol = 47,

checksum = 37482, s = 2.2.2.2, d = 1.1.1.2

prompt: Receiving IP packet.

 

//送到GRE tunnel0接口进行GRE解封装

*Jun 15 14:49:10:944 2020 Headquarters IPFW/7/IPFW_PACKET:

Delivering, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 108, pktid = 8946, offset = 0, ttl = 255, protocol = 47,

checksum = 37482, s = 2.2.2.2, d = 1.1.1.2

prompt: IP packet is delivering up.

 

*Jun 15 14:49:10:944 2020 Headquarters GRE/7/packet:

 Tunnel0 packet: Before de-encapsulation,

   2.2.2.2->1.1.1.2 (length = 108)

*Jun 15 14:49:10:944 2020 Headquarters GRE/7/packet:

 Tunnel0 packet: After de-encapsulation,

   192.168.2.1->192.168.3.1 (length = 84)

*Jun 15 14:49:10:944 2020 Headquarters IPFW/7/IPFW_PACKET:

Receiving, interface = Tunnel0, version = 4, headlen = 20, tos = 0,

pktlen = 84, pktid = 8945, offset = 0, ttl = 255, protocol = 1,

checksum = 4709, s = 192.168.2.1, d = 192.168.3.1

prompt: Receiving IP packet.

 

//根据静态路由将分支A访问分支B的报文又送到tunnel1接口进行GRE封装

*Jun 15 14:49:10:944 2020 Headquarters IPFW/7/IPFW_PACKET:

Sending, interface = Tunnel1, version = 4, headlen = 20, tos = 0,

pktlen = 84, pktid = 8945, offset = 0, ttl = 254, protocol = 1,

checksum = 4965, s = 192.168.2.1, d = 192.168.3.1

prompt: Sending the packet from Tunnel0 at Tunnel1.

 

*Jun 15 14:49:10:944 2020 Headquarters GRE/7/packet:

 Tunnel1 packet: Before encapsulation according to adjacency table,

   192.168.2.1->192.168.3.1 (length = 84)

*Jun 15 14:49:10:944 2020 Headquarters GRE/7/packet:

 Tunnel1 packet: After encapsulation,

   1.1.1.2->3.3.3.2 (length = 108)

*Jun 15 14:49:10:945 2020 Headquarters IPFW/7/IPFW_PACKET:

 

//GRE封装完成之后从外网接口从ipsec隧道转发至分支B

Sending, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 160, pktid = 9356, offset = 0, ttl = 255, protocol = 50,

checksum = 36504, s = 1.1.1.2, d = 3.3.3.2

prompt: Sending the packet from local at GigabitEthernet0/0.

 

//收到从分支B返回的回应

*Jun 15 14:49:10:946 2020 Headquarters IPFW/7/IPFW_PACKET:

Receiving, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 160, pktid = 9816, offset = 0, ttl = 254, protocol = 50,

checksum = 36300, s = 3.3.3.2, d = 1.1.1.2

prompt: Receiving IP packet.

 

//进行ipsec解封装,解封装之后为GRE报文

*Jun 15 14:49:10:946 2020 Headquarters IPFW/7/IPFW_PACKET:

Receiving, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 108, pktid = 9815, offset = 0, ttl = 255, protocol = 47,

checksum = 36100, s = 3.3.3.2, d = 1.1.1.2

prompt: Receiving IP packet.

 

//送到GRE tunnel1接口进行GRE解封装

*Jun 15 14:49:10:946 2020 Headquarters IPFW/7/IPFW_PACKET:

Delivering, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 108, pktid = 9815, offset = 0, ttl = 255, protocol = 47,

checksum = 36100, s = 3.3.3.2, d = 1.1.1.2

prompt: IP packet is delivering up.

 

*Jun 15 14:49:10:946 2020 Headquarters GRE/7/packet:

 Tunnel1 packet: Before de-encapsulation,

   3.3.3.2->1.1.1.2 (length = 108)

*Jun 15 14:49:10:946 2020 Headquarters GRE/7/packet:

 Tunnel1 packet: After de-encapsulation,

   192.168.3.1->192.168.2.1 (length = 84)

*Jun 15 14:49:10:946 2020 Headquarters IPFW/7/IPFW_PACKET:

Receiving, interface = Tunnel1, version = 4, headlen = 20, tos = 0,

pktlen = 84, pktid = 8945, offset = 0, ttl = 255, protocol = 1,

checksum = 4709, s = 192.168.3.1, d = 192.168.2.1

prompt: Receiving IP packet.

 

//tunnel1解封装完成根据静态路由又送到tunnel0接口进行GRE封装

*Jun 15 14:49:10:946 2020 Headquarters IPFW/7/IPFW_PACKET:

Sending, interface = Tunnel0, version = 4, headlen = 20, tos = 0,

pktlen = 84, pktid = 8945, offset = 0, ttl = 254, protocol = 1,

checksum = 4965, s = 192.168.3.1, d = 192.168.2.1

prompt: Sending the packet from Tunnel1 at Tunnel0.

 

*Jun 15 14:49:10:946 2020 Headquarters GRE/7/packet:

 Tunnel0 packet: Before encapsulation according to adjacency table,

   192.168.3.1->192.168.2.1 (length = 84)

*Jun 15 14:49:10:946 2020 Headquarters GRE/7/packet:

 Tunnel0 packet: After encapsulation,

   1.1.1.2->2.2.2.2 (length = 108)

*Jun 15 14:49:10:946 2020 Headquarters IPFW/7/IPFW_PACKET:

 

//GRE封装完成之后从外网接口从ipsec隧道转发至分支A

Sending, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 160, pktid = 9359, offset = 0, ttl = 255, protocol = 50,

checksum = 37014, s = 1.1.1.2, d = 2.2.2.2

prompt: Sending the packet from local at GigabitEthernet0/0.


配置关键点

该案例对您是否有帮助:

您的评价:1

若您有关于案例的建议,请反馈:

0 个评论

该案例暂时没有网友评论

编辑评论

举报

×

侵犯我的权益 >
对根叔知了社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔知了社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明

提出建议

    +

亲~登录后才可以操作哦!

确定

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

跳转hclhub

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作