Typical Networking for Using DVPN Together with GRE
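I. Networking Requirements
As shown in the figure below, the headquarters needs to build a virtual private network with Branch A through DVPN and with Branch B through GRE, so that the headquarters, Branch A and Branch B together form one large VPN. The network must meet the following requirements:
• The Server authenticates Branch A when it joins the DVPN;
• Branch A also authenticates the Server it connects to.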
II. Network Diagram
III. Configuration Procedure
1. Configure the Server
Configure the Ethernet0/0/0 interface
[Server] interface Ethernet0/0/0
[Server-Ethernet0/0/0] ip address 201.1.1.1 255.255.255.0
[Server-Ethernet0/0/0] quit
Configure the Ethernet0/0/1 interface
[Server] interface Ethernet0/0/1
[Server-Ethernet0/0/1] ip address 10.0.1.1 255.255.255.0
[Server-Ethernet0/0/1] quit
Configure the pre-shared key that identifies the Server.
[Server] dvpn server pre-shared-key 123456
Configure the DVPN policy
[Server] dvpn policy testpolicy
[Server-Policy-testpolicy] authentication-client method chap domain dvpn
[Server-Policy-testpolicy] data algorithm-suite 7
[Server-Policy-testpolicy] session algorithm-suite 12
[Server-Policy-testpolicy] quit
Configure the authentication domain used by DVPN to use local authentication
[Server] domain dvpn
[Server-isp-domain] access-limit disable
[Server-isp-domain] state active
[Server-isp-domain] quit
Configure the DVPN local user
[Server] local-user dvpnuser
[Server-luser-dvpnuser] password simple dvpnuser
[Server-luser-dvpnuser] service-type dvpn
[Server-luser-dvpnuser] quit
Configure the Tunnel0 interface used by DVPN
[Server] interface tunnel 0
[Server-Tunnel0] tunnel-protocol udp dvpn
[Server-Tunnel0] dvpn interface-type server
[Server-Tunnel0] ip address 10.0.0.1 255.255.255.0
[Server-Tunnel0] source Ethernet0/0/0
[Server-Tunnel0] dvpn dvpn-id 1
[Server-Tunnel0] dvpn policy testpolicy
[Server-Tunnel0] quit
Configure the Tunnel1 interface used by GRE
[Server] interface tunnel 1
[Server-Tunnel1] ip address 10.1.0.1 255.255.255.0
[Server-Tunnel1] destination 201.1.3.1
[Server-Tunnel1] source Ethernet0/0/0
[Server-Tunnel1] quit
Configure the routes
[Server] ip route-static 0.0.0.0 0.0.0.0 201.1.1.2
[Server] ip route-static 10.1.2.0 255.255.255.0 tunnel1
[Server] ip route-static 10.0.2.0 255.255.255.0 10.0.0.2
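2. Configure Branch A
Configure the Ethernet0/0/0 interface (a DVPN client can obtain this address through DHCP; this example assigns it statically)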
[Client1] interface Ethernet0/0/0
[Client1-Ethernet0/0/0] ip address 201.1.2.1 255.255.255.0
[Client1-Ethernet0/0/0] quit
Configure the Ethernet0/0/1 interface
[Client1] interface Ethernet0/0/1
[Client1-Ethernet0/0/1] ip address 10.0.2.1 255.255.255.0
[Client1-Ethernet0/0/1] quit
Configure the dvpn-class
[Client1] dvpn class testserver
[Client1-class-testserver] public-ip 201.1.1.1
[Client1-class-testserver] authentication-server method pre-share
[Client1-class-testserver] pre-shared-key 123456
[Client1-class-testserver] local-user dvpnuser password simple dvpnuser
[Client1-class-testserver] quit
Configure the Tunnel0 interface attributes
[Client1] interface tunnel 0
[Client1-Tunnel0] ip address 10.0.0.2 255.255.255.0
[Client1-Tunnel0] tunnel-protocol udp dvpn
[Client1-Tunnel0] source Ethernet0/0/0
[Client1-Tunnel0] dvpn interface-type client
[Client1-Tunnel0] dvpn server testserver
[Client1-Tunnel0] dvpn vpn-id 1
[Client1-Tunnel0] quit
Configure the static routes
[Client1] ip route-static 0.0.0.0 0.0.0.0 201.1.2.2
[Client1] ip route-static 10.0.1.0 255.255.255.0 10.0.0.1
[Client1] ip route-static 10.1.2.0 255.255.255.0 10.0.0.1
3. Configure Branch B
Configure the Ethernet0/0/0 interface
[Client2] interface Ethernet0/0/0
[Client2-Ethernet0/0/0] ip address 201.1.3.1 255.255.255.0
[Client2-Ethernet0/0/0] quit
Configure the Ethernet0/0/1 interface
[Client2] interface Ethernet0/0/1
[Client2-Ethernet0/0/1] ip address 10.1.2.1 255.255.255.0
[Client2-Ethernet0/0/1] quit
Configure the Tunnel0 interface attributes
[Client2] interface tunnel 0
[Client2-Tunnel0] ip address 10.1.0.2 255.255.255.0
[Client2-Tunnel0] source Ethernet0/0/0
[Client2-Tunnel0] destination 201.1.1.1
[Client2-Tunnel0] quit
Configure the static routes
[Client2] ip route-static 0.0.0.0 0.0.0.0 201.1.3.2
[Client2] ip route-static 10.0.1.0 255.255.255.0 10.1.0.1
[Client2] ip route-static 10.0.2.0 255.255.255.0 10.1.0.1
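IV. Key Configuration Points
1. The policy only needs to be configured on the Server; after the DVPN is established successfully, the policy is delivered to the branch.
2. DVPN supports encryption; GRE does not.
3. Both ends of a GRE tunnel must be configured with fixed IP addresses; DVPN supports NAT traversal.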
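The sample configuration uses a six-digit pre-shared key, "password simple" and a password equal to the user name, and key point 2 notes that the GRE tunnel carries no encryption. The Python check below is an added example, not part of the original case or of any H3C tool; it flags those settings in Comware-style configuration text. The 16-character key threshold, the rule names and the treatment of any tunnel interface without "tunnel-protocol udp dvpn" as GRE are assumptions.

```python
import re

# Constructed sample built from Server-side commands shown in this case.
SAMPLE = """\
[Server] dvpn server pre-shared-key 123456
[Server] local-user dvpnuser
[Server-luser-dvpnuser] password simple dvpnuser
[Server] interface tunnel 0
[Server-Tunnel0] tunnel-protocol udp dvpn
[Server] interface tunnel 1
[Server-Tunnel1] source Ethernet0/0/0
"""

PROMPT = re.compile(r"^\[[^\]]+\]\s*")  # strips the "[Server-Tunnel0] " view prompt


def audit(config, min_psk_len=16):
    """Return (rule, detail) findings; min_psk_len is an assumed threshold."""
    findings, user, tunnel, tunnels = [], None, None, {}
    for raw in config.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[0] == "quit":
            user = tunnel = None
        elif words[0] == "local-user" and len(words) >= 2:
            user = words[1]
        elif words[0] == "interface":
            # Only tunnel interfaces are tracked; value records DVPN encapsulation.
            tunnel = words[2] if words[1:2] == ["tunnel"] and len(words) == 3 else None
            if tunnel is not None:
                tunnels.setdefault(tunnel, False)
        elif words[:3] == ["tunnel-protocol", "udp", "dvpn"] and tunnel is not None:
            tunnels[tunnel] = True
        if "pre-shared-key" in words:
            key = words[-1]
            if len(key) < min_psk_len or key.isdigit():
                findings.append(("weak-psk", f"{len(key)} characters"))  # never echo the key
        if "password" in words and "simple" in words:
            findings.append(("cleartext-password", user or "unknown"))
            if words[-1] == user:
                findings.append(("password-equals-username", user))
    # Assumption: a tunnel without "tunnel-protocol udp dvpn" is GRE, as Tunnel1 is here.
    for number, is_dvpn in sorted(tunnels.items()):
        if not is_dvpn:
            findings.append(("unencrypted-gre-tunnel", f"tunnel {number}"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE):
        print(f"{rule}: {detail}")
```

Run against the Server sample, the check reports the weak key, the cleartext password that matches its user name, and Tunnel1 as the interface whose traffic needs separate protection.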