★ IPsec multi-branch mutual access + automatical tunnel establishment
- 0关注
- 0收藏 1694浏览
Network Topology
Establish ipsec vpn to realize intercommunication between each branch and headquarters, and each branch can also access through the headquarters.
Configuration Steps
Headquarters:
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 1.1.1.2 255.255.255.252
nat outbound 3002
ipsec apply policy test
#
ip route-static 0.0.0.0 0 1.1.1.1
#
acl advanced 3000
description toBranchA
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
acl advanced 3001
description toBranchB
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
acl advanced 3002
description outboundNATDenyFlow
rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 5 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 10 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 15 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 100 permit ip
#
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy-template branchA 1
transform-set 1
security acl 3000
ike-profile branchA
#
ipsec policy-template branchB 1
transform-set 1
security acl 3001
ike-profile branchB
#
ipsec policy test 1 isakmp template branchA
#
ipsec policy test 2 isakmp template branchB
#
ike dpd interval 10 on-deman
#
ike profile branchA
keychain branchA
exchange-mode aggressive
local-identity fqdn headquarters
match remote identity fqdn branchA
#
ike profile branchB
keychain branchB
exchange-mode aggressive
local-identity fqdn headquarters
match remote identity fqdn branchB
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
#
ike keychain branchA
match local address 1.1.1.2
pre-shared-key hostname branchA key simple 12345678
#
ike keychain branchB
match local address 1.1.1.2
pre-shared-key hostname branchB key simple 12345678
#
Branch A :
#
nqa entry admin test
type icmp-echo
destination ip 192.168.1.1
frequency 5000
history-record enable
history-record number 10
probe count 10
probe timeout 500
source ip 192.168.2.1
#
nqa entry admin test1
type icmp-echo
destination ip 192.168.3.1
frequency 5000
history-record enable
history-record number 10
probe count 10
probe timeout 500
source ip 192.168.2.1
#
nqa schedule admin test start-time now lifetime forever
nqa schedule admin test1 start-time now lifetime forever
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 2.2.2.2 255.255.255.252
nat outbound 3001
ipsec apply policy 1
#
ip route-static 0.0.0.0 0 2.2.2.1
#
acl advanced 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
acl advanced 3001
rule 0 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 100 permit ip
#
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy 1 1 isakmp
transform-set 1
security acl 3000
remote-address 1.1.1.2
ike-profile 1
#
ike dpd interval 10 on-demand
#
ike profile 1
keychain 1
exchange-mode aggressive
local-identity fqdn branchA
match remote identity fqdn headquarters
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
#
ike keychain 1
pre-shared-key address 1.1.1.2 255.255.255.0 key simple 12345678
#
Branch B:
#
nqa entry admin test
type icmp-echo
destination ip 192.168.1.1
frequency 5000
history-record enable
history-record number 10
probe count 10
probe timeout 500
source ip 192.168.3.1
#
nqa entry admin test1
type icmp-echo
destination ip 192.168.2.1
frequency 5000
history-record enable
history-record number 10
probe count 10
probe timeout 500
source ip 192.168.3.1
#
nqa schedule admin test start-time now lifetime forever
nqa schedule admin test1 start-time now lifetime forever
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 3.3.3.2 255.255.255.252
nat outbound 3001
ipsec apply policy 1
#
ip route-static 0.0.0.0 0 3.3.3.1
#
acl advanced 3000
rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
acl advanced 3001
rule 0 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 5 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 100 permit ip
#
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy 1 1 isakmp
transform-set 1
security acl 3000
remote-address 1.1.1.2
ike-profile 1
#
ike dpd interval 10 on-demand
#
ike profile 1
keychain 1
exchange-mode aggressive
local-identity fqdn branchB
match remote identity fqdn headquarters
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
#
ike keychain 1
pre-shared-key address 1.1.1.2 255.255.255.0 key simple 12345678
Test:
Key Configuration
In order to prevent the headquarters from restarting, the invalid ipsec sa of the branch was not deleted in time, which caused business failure after the headquarters restarted. Need to configure DPD on the branch.
ike dpd interval 10 on-demand
Only need to configure on two branches.
No comments
Add Comments:
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作