组网如下:
中心与分支建立IPSEC,中心使用模板的方式,并开启反向路由注入功能,使得中心
生成到分支10.1.0.1的静态路由,下一跳是中心应用IPSEC接口的下一跳,本案例即1.1.1.2
中心与分支的公网地址分别为1.1.1.1与1.1.1.2,中心与分支的私网地址分别为10.0.0.1与10.1.0.1
配置步骤
中心:
安全域及安全策略的配置
security-zone name Trust
import interface GigabitEthernet1/0/1
security-policy ip
rule 0 name 0
action pass
接口配置
interface LoopBack0
ip address 10.0.0.1 255.255.255.255
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 1.1.1.1 255.255.255.0
ipsec apply policy map1
IKE与IPSEC的配置(关键是要在ipsec策略模板视图下开启反向路由注入功能)
ipsec transform-set tran1
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec policy-template temp1 1
transform-set tran1
ike-profile profile1
reverse-route dynamic
reverse-route preference 100
reverse-route tag 1000
#
ipsec policy map1 10 isakmp template temp1
#
ike profile profile1
keychain key1
match remote identity address 1.1.1.2 255.255.255.0
#
ike proposal 1
#
ike keychain key1
pre-shared-key address 1.1.1.2 255.255.255.255 key simple 123456
分支:
安全域及安全策略的配置
security-zone name Trust
import interface GigabitEthernet1/0/1
security-policy ip
rule 0 name 0
action pass
接口配置
interface LoopBack0
ip address 10.1.0.1 255.255.255.255
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 1.1.1.2 255.255.255.0
ipsec apply policy map1
私网路由配置
ip route-static 10.0.0.0 24 1.1.1.1
IKE与IPSEC配置
acl advanced 3000
rule 0 permit ip source 10.1.0.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
ipsec transform-set tran1
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
transform-set tran1
security acl 3000
remote-address 1.1.1.1
ike-profile profile1
#
ike profile profile1
keychain key1
match remote identity address 1.1.1.1 255.255.255.0
#
ike proposal 1
#
ike keychain key1
pre-shared-key address 1.1.1.1 255.255.255.255 key simple 123456
使用分支带源ping中心触发一下,可以看到中心已经建立IKE SA与IPSEC SA以及生成一条10.1.0.0的静态路由,优先级100
[zhongxin]display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
2 1.1.1.2 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
[zhongxin]dis
[zhongxin]display ips
[zhongxin]display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: Template
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1444
Tunnel:
local address: 1.1.1.1
remote address: 1.1.1.2
Flow:
sour addr: 10.0.0.0/255.255.255.0 port: 0 protocol: ip
dest addr: 10.1.0.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 217522932 (0x0cf722f4)
Connection ID: 12884901889
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3504
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 1251243487 (0x4a9475df)
Connection ID: 12884901888
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3504
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
[zhongxin]
[zhongxin]
[zhongxin]dis
[zhongxin]display ip rou
[zhongxin]display ip routing-table
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
1.1.1.0/24 Direct 0 0 1.1.1.1 GE1/0/1
1.1.1.0/32 Direct 0 0 1.1.1.1 GE1/0/1
1.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0
1.1.1.255/32 Direct 0 0 1.1.1.1 GE1/0/1
10.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
10.1.0.0/24 Static 100 0 1.1.1.2 GE1/0/1
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
配置关键点:
1.
2.
3.
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作