Once branch 1 and branch 2 have each established an IPsec connection to headquarters (HQ), the two branches do not want to build a separate IPsec VPN between themselves; instead, branch-to-branch traffic should be relayed through HQ.
HQ runs in hub mode (IPsec policy-template mode).
HQ and the branches negotiate with IKE aggressive mode.
Network topology (attached):
HQ configuration:
interface LoopBack0
 ip address 172.16.1.1 255.255.255.0

interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 nat outbound 3001
 ipsec apply policy MSR1

ip route-static 0.0.0.0 0 192.168.1.1

acl advanced 3001
 rule 10 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.2.0 0.0.0.255
 rule 15 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.3.0 0.0.0.255
 rule 30 deny ip source 172.16.2.0 0.0.0.255 destination 172.16.3.0 0.0.0.255
 rule 35 deny ip source 172.16.3.0 0.0.0.255 destination 172.16.2.0 0.0.0.255
 rule 300 permit ip

ipsec transform-set R1-tran
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1

ipsec policy-template tem 1
 transform-set R1-tran
 ike-profile R1-profile

ipsec policy MSR1 1 isakmp template tem

ike identity fqdn zongbu

ike profile R1-profile
 keychain R1-keychain
 dpd interval 10 on-demand
 exchange-mode aggressive
 local-identity fqdn zongbu
 match remote identity fqdn client
 match remote identity address 0.0.0.0 0.0.0.0
 proposal 1

ike proposal 1

ike keychain R1-keychain
 pre-shared-key hostname client key simple 12345
Branch 1 configuration:
interface LoopBack0
 ip address 172.16.2.1 255.255.255.0

interface GigabitEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 nat outbound 3001
 ipsec apply policy MSR2

ip route-static 0.0.0.0 0 192.168.2.1

acl advanced 3000
 rule 10 permit ip source 172.16.2.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
 rule 15 permit ip source 172.16.2.0 0.0.0.255 destination 172.16.3.0 0.0.0.255

acl advanced 3001
 rule 10 deny ip source 172.16.2.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
 rule 15 deny ip source 172.16.2.0 0.0.0.255 destination 172.16.3.0 0.0.0.255
 rule 300 permit ip

ipsec transform-set R2-tran
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1

ipsec policy MSR2 1 isakmp
 transform-set R2-tran
 security acl 3000
 remote-address 192.168.1.2
 ike-profile R2-profile

ike identity fqdn client

ike profile R2-profile
 keychain R2-keychain
 dpd interval 10 on-demand
 exchange-mode aggressive
 local-identity fqdn client
 match remote identity address 192.168.1.2 255.255.255.255
 match remote identity fqdn zongbu
 proposal 1

ike proposal 1

ike keychain R2-keychain
 pre-shared-key address 192.168.1.2 255.255.255.255 key simple 12345
Branch 2 configuration:
interface LoopBack0
 ip address 172.16.3.1 255.255.255.0

interface GigabitEthernet0/0
 ip address 192.168.3.2 255.255.255.0
 nat outbound 3001
 ipsec apply policy MSR3

ip route-static 0.0.0.0 0 192.168.3.1

acl advanced 3000
 rule 5 permit ip source 172.16.3.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
 rule 10 permit ip source 172.16.3.0 0.0.0.255 destination 172.16.2.0 0.0.0.255

acl advanced 3001
 rule 5 deny ip source 172.16.3.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
 rule 10 deny ip source 172.16.3.0 0.0.0.255 destination 172.16.2.0 0.0.0.255
 rule 300 permit ip

ipsec transform-set R3-tran
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1

ipsec policy MSR3 1 isakmp
 transform-set R3-tran
 security acl 3000
 remote-address 192.168.1.2
 ike-profile R3-profile

ike identity user-fqdn client

ike profile R3-profile
 keychain R3-keychain
 dpd interval 10 on-demand
 exchange-mode aggressive
 local-identity fqdn client
 match remote identity address 192.168.1.2 255.255.255.255
 match remote identity fqdn zongbu
 proposal 1

ike proposal 1

ike keychain R3-keychain
 pre-shared-key address 192.168.1.2 255.255.255.255 key simple 12345
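As an added consistency check (not part of the original case), the script below parses the three ACL sets above and verifies the invariants that let branch-to-branch traffic be relayed through HQ: each branch's IPsec ACL covers both HQ and the other branch, no branch NAT ACL translates those flows, and HQ's own NAT ACL exempts relayed branch-to-branch traffic in both directions (since the hub decrypts it and re-sends it out the same NAT-enabled interface). The "hub"/"branch" labels and the /24 LAN prefixes are assumptions taken from the loopback addresses.

```python
import ipaddress, re
# ACL bodies copied from this page's configs; hub/branch labels and LAN prefixes are assumed from the topology.
HUB_NAT = """rule 10 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.2.0 0.0.0.255
rule 15 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.3.0 0.0.0.255
rule 30 deny ip source 172.16.2.0 0.0.0.255 destination 172.16.3.0 0.0.0.255
rule 35 deny ip source 172.16.3.0 0.0.0.255 destination 172.16.2.0 0.0.0.255
rule 300 permit ip"""
BRANCH1_IPSEC = """rule 10 permit ip source 172.16.2.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
rule 15 permit ip source 172.16.2.0 0.0.0.255 destination 172.16.3.0 0.0.0.255"""
BRANCH2_IPSEC = """rule 5 permit ip source 172.16.3.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
rule 10 permit ip source 172.16.3.0 0.0.0.255 destination 172.16.2.0 0.0.0.255"""
# Each branch's NAT ACL 3001 on the page is its IPsec ACL 3000 with deny instead of permit, plus rule 300 permit ip.
BRANCH1_NAT = BRANCH1_IPSEC.replace("permit", "deny") + "\nrule 300 permit ip"
BRANCH2_NAT = BRANCH2_IPSEC.replace("permit", "deny") + "\nrule 300 permit ip"
HUB_LAN, ANY = ipaddress.IPv4Network("172.16.1.0/24"), ipaddress.IPv4Network("0.0.0.0/0")
BRANCHES = {"branch1": (ipaddress.IPv4Network("172.16.2.0/24"), BRANCH1_IPSEC, BRANCH1_NAT),
            "branch2": (ipaddress.IPv4Network("172.16.3.0/24"), BRANCH2_IPSEC, BRANCH2_NAT)}
RULE = re.compile(r"rule \d+ (permit|deny) ip(?: source (\S+) (\S+) destination (\S+) (\S+))?")

def wildcard_net(addr, wildcard):
    """Comware ACLs use inverted (wildcard) masks: 0.0.0.255 means a /24."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))))

def parse_acl(text):
    return [(a, ANY, ANY) if not s else (a, wildcard_net(s, sw), wildcard_net(d, dw))
            for a, s, sw, d, dw in RULE.findall(text)]

def acl_action(rules, src, dst):
    """First matching rule wins (config order); None means no rule matched."""
    return next((a for a, rs, rd in rules if src.subnet_of(rs) and dst.subnet_of(rd)), None)

def check_hairpin(hub_lan, hub_nat_text, branches):
    """Return findings; an empty list means the hub-relay ACLs are consistent."""
    hub_nat, findings = parse_acl(hub_nat_text), []
    for name, (lan, ipsec_txt, nat_txt) in branches.items():
        ipsec, nat = parse_acl(ipsec_txt), parse_acl(nat_txt)
        peers = dict(hub=hub_lan, **{n: l for n, (l, _, _) in branches.items() if n != name})
        for peer, plan in peers.items():
            if acl_action(ipsec, lan, plan) != "permit":  # flow would never enter the tunnel
                findings.append(f"{name}: IPsec ACL does not cover {lan} -> {plan} ({peer})")
            if acl_action(nat, lan, plan) == "permit":  # translated source no longer matches the selector
                findings.append(f"{name}: NAT ACL translates {lan} -> {plan} ({peer})")
            # Relayed branch traffic is decrypted at the hub and re-sent out the same interface, so hub nat outbound must exempt it too
            if peer != "hub" and acl_action(hub_nat, lan, plan) == "permit":
                findings.append(f"hub: NAT ACL translates relayed {lan} -> {plan} ({name} -> {peer})")
        if acl_action(hub_nat, hub_lan, lan) == "permit":
            findings.append(f"hub: NAT ACL translates {hub_lan} -> {lan}")
    return findings
```

With the page's ACLs `check_hairpin(HUB_LAN, HUB_NAT, BRANCHES)` returns an empty list; dropping HQ's rule 30 produces a finding for the relayed branch 1 to branch 2 flow.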
Test results:
HQ side test:
Branch 1 test:
Branch 2 test: