The F100-S-XI will later need to establish IPsec with several sites. Does this model support configuring an IPsec template? If it does, how is it configured? If it does not, how is point-to-point IPsec configured?
Also, how do I view the bridge (backplane) MAC on an H3C switch?
Best answer
Yes, it is supported.
What do you need the backplane MAC for... contact the 400 hotline for advice.
As shown in the figure below, the enterprise headquarters Device A has two egress links to the Internet, and the branches Device B and Device C each have one egress link to the Internet. The following requirements must be met:
IPsec tunnels between the headquarters and each branch are established using route-based IPsec tunnel interfaces;
Between the headquarters and each branch, a high-quality, low-latency link is selected dynamically according to NQA probe results to establish the IPsec tunnel.
Figure 1 Network diagram: route-based headquarters with dual links establishing IPsec tunnels to the branches
Configure interface IP addresses
# Configure the IP address of each interface according to the network plan. The steps are as follows.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
Configure the IP addresses of the other interfaces in the same way; those steps are omitted.
Create IPsec tunnel interfaces
# Create IPsec tunnel interface Tunnel0. The steps are as follows.
[DeviceA] interface tunnel 0 mode ipsec
[DeviceA-Tunnel0] ip address 10.0.0.1 255.255.255.0
[DeviceA-Tunnel0] source 1.1.1.1
[DeviceA-Tunnel0] destination 3.3.3.3
[DeviceA-Tunnel0] quit
# Create IPsec tunnel interface Tunnel1. The steps are as follows.
[DeviceA] interface tunnel 1 mode ipsec
[DeviceA-Tunnel1] ip address 20.0.0.1 255.255.255.0
[DeviceA-Tunnel1] source 2.2.2.2
[DeviceA-Tunnel1] destination 3.3.3.3
[DeviceA-Tunnel1] quit
# Create IPsec tunnel interface Tunnel2. The steps are as follows.
[DeviceA] interface tunnel 2 mode ipsec
[DeviceA-Tunnel2] ip address 30.0.0.1 255.255.255.0
[DeviceA-Tunnel2] source 1.1.1.1
[DeviceA-Tunnel2] destination 4.4.4.4
[DeviceA-Tunnel2] quit
# Create IPsec tunnel interface Tunnel3. The steps are as follows.
[DeviceA] interface tunnel 3 mode ipsec
[DeviceA-Tunnel3] ip address 40.0.0.1 255.255.255.0
[DeviceA-Tunnel3] source 2.2.2.2
[DeviceA-Tunnel3] destination 4.4.4.4
[DeviceA-Tunnel3] quit
Add interfaces to security zones.
# Add the interfaces to the corresponding security zones according to the network plan. The steps are as follows.
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/3
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Untrust] import interface tunnel 0
[DeviceA-security-zone-Untrust] import interface tunnel 1
[DeviceA-security-zone-Untrust] import interface tunnel 2
[DeviceA-security-zone-Untrust] import interface tunnel 3
[DeviceA-security-zone-Untrust] quit
Configure security policies
Configure security policies that permit traffic between the Untrust and Local security zones so that the devices can establish IPsec tunnels.
# Configure a security policy rule named ipseclocalout so that Device A can send IPsec tunnel negotiation packets to Device B and Device C. The steps are as follows.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout
[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 3.3.3.3
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 4.4.4.4
[DeviceA-security-policy-ip-1-ipseclocalout] action pass
[DeviceA-security-policy-ip-1-ipseclocalout] quit
# Configure a security policy rule named ipseclocalin so that Device A can receive and process IPsec tunnel negotiation packets from Device B and Device C. The steps are as follows.
[DeviceA-security-policy-ip] rule name ipseclocalin
[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 3.3.3.3
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 4.4.4.4
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2
[DeviceA-security-policy-ip-2-ipseclocalin] action pass
[DeviceA-security-policy-ip-2-ipseclocalin] quit
Configure security policies that permit traffic between Host A and Host B, Host C
# Configure a security policy rule named trust-untrust so that packets from Host A to Host B and Host C are permitted. The steps are as follows.
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 192.168.11.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.12.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.13.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-trust-untrust] quit
# Configure a security policy rule named untrust-trust so that packets from Host B and Host C to Host A are permitted. The steps are as follows.
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.12.0 24
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.13.0 24
[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 192.168.11.0 24
[DeviceA-security-policy-ip-4-untrust-trust] action pass
[DeviceA-security-policy-ip-4-untrust-trust] quit
[DeviceA-security-policy-ip] quit
Configure IPsec profiles to establish IPsec tunnels and protect the data flows that need protection
# Configure IPsec profile t0 to establish an IPsec tunnel. The steps are as follows.
[DeviceA] ike keychain t0
[DeviceA-ike-keychain-t0] pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-t0] quit
[DeviceA] ike profile t0
[DeviceA-ike-profile-t0] keychain t0
[DeviceA-ike-profile-t0] match local address Tunnel0
[DeviceA-ike-profile-t0] match remote identity address 3.3.3.3 24
[DeviceA-ike-profile-t0] exchange-mode aggressive
[DeviceA-ike-profile-t0] dpd interval 30 periodic
[DeviceA-ike-profile-t0] quit
[DeviceA] ipsec transform-set t0
[DeviceA-ipsec-transform-set-t0] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-t0] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-t0] quit
[DeviceA] ipsec profile t0 isakmp
[DeviceA-ipsec-profile-isakmp-t0] transform-set t0
[DeviceA-ipsec-profile-isakmp-t0] ike-profile t0
[DeviceA-ipsec-profile-isakmp-t0] quit
# Configure IPsec profile t1 to establish an IPsec tunnel. The steps are as follows.
[DeviceA] ike keychain t1
[DeviceA-ike-keychain-t1] pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-t1] quit
[DeviceA] ike profile t1
[DeviceA-ike-profile-t1] keychain t1
[DeviceA-ike-profile-t1] match local address Tunnel1
[DeviceA-ike-profile-t1] match remote identity address 3.3.3.3 24
[DeviceA-ike-profile-t1] exchange-mode aggressive
[DeviceA-ike-profile-t1] dpd interval 30 periodic
[DeviceA-ike-profile-t1] quit
[DeviceA] ipsec transform-set t1
[DeviceA-ipsec-transform-set-t1] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-t1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-t1] quit
[DeviceA] ipsec profile t1 isakmp
[DeviceA-ipsec-profile-isakmp-t1] transform-set t1
[DeviceA-ipsec-profile-isakmp-t1] ike-profile t1
[DeviceA-ipsec-profile-isakmp-t1] quit
# Configure IPsec profile t2 to establish an IPsec tunnel. The steps are as follows.
[DeviceA] ike keychain t2
[DeviceA-ike-keychain-t2] pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-t2] quit
[DeviceA] ike profile t2
[DeviceA-ike-profile-t2] keychain t2
[DeviceA-ike-profile-t2] match local address Tunnel2
[DeviceA-ike-profile-t2] match remote identity address 4.4.4.4 24
[DeviceA-ike-profile-t2] exchange-mode aggressive
[DeviceA-ike-profile-t2] dpd interval 30 periodic
[DeviceA-ike-profile-t2] quit
[DeviceA] ipsec transform-set t2
[DeviceA-ipsec-transform-set-t2] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-t2] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-t2] quit
[DeviceA] ipsec profile t2 isakmp
[DeviceA-ipsec-profile-isakmp-t2] transform-set t2
[DeviceA-ipsec-profile-isakmp-t2] ike-profile t2
[DeviceA-ipsec-profile-isakmp-t2] quit
# Configure IPsec profile t3 to establish an IPsec tunnel. The steps are as follows.
[DeviceA] ike keychain t3
[DeviceA-ike-keychain-t3] pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-t3] quit
[DeviceA] ike profile t3
[DeviceA-ike-profile-t3] keychain t3
[DeviceA-ike-profile-t3] match local address Tunnel3
[DeviceA-ike-profile-t3] match remote identity address 4.4.4.4 24
[DeviceA-ike-profile-t3] exchange-mode aggressive
[DeviceA-ike-profile-t3] dpd interval 30 periodic
[DeviceA-ike-profile-t3] quit
[DeviceA] ipsec transform-set t3
[DeviceA-ipsec-transform-set-t3] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-t3] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-t3] quit
[DeviceA] ipsec profile t3 isakmp
[DeviceA-ipsec-profile-isakmp-t3] transform-set t3
[DeviceA-ipsec-profile-isakmp-t3] ike-profile t3
[DeviceA-ipsec-profile-isakmp-t3] quit
Configure the IPsec tunnel interfaces to apply IPsec encapsulation to the traffic that needs protection.
# Apply IPsec profile t0 to IPsec tunnel interface Tunnel0 to establish the IPsec tunnel.
[DeviceA] interface tunnel 0
[DeviceA-Tunnel0] tunnel protection ipsec profile t0
[DeviceA-Tunnel0] quit
# Apply IPsec profile t1 to IPsec tunnel interface Tunnel1 to establish the IPsec tunnel.
[DeviceA] interface tunnel 1
[DeviceA-Tunnel1] tunnel protection ipsec profile t1
[DeviceA-Tunnel1] quit
# Apply IPsec profile t2 to IPsec tunnel interface Tunnel2 to establish the IPsec tunnel.
[DeviceA] interface tunnel 2
[DeviceA-Tunnel2] tunnel protection ipsec profile t2
[DeviceA-Tunnel2] quit
# Apply IPsec profile t3 to IPsec tunnel interface Tunnel3 to establish the IPsec tunnel.
[DeviceA] interface tunnel 3
[DeviceA-Tunnel3] tunnel protection ipsec profile t3
[DeviceA-Tunnel3] quit
Configure NQA operations associated with Track entries to detect link state.
# Configure an NQA operation (administrator test1, operation tag 1). The steps are as follows.
[DeviceA] nqa entry admin test1
[DeviceA-nqa-admin-test1] type icmp-echo
[DeviceA-nqa-admin-test1-icmp-echo] destination ip 3.3.3.3
[DeviceA-nqa-admin-test1-icmp-echo] frequency 3000
[DeviceA-nqa-admin-test1-icmp-echo] history-record enable
[DeviceA-nqa-admin-test1-icmp-echo] next-hop ip 1.1.1.2
[DeviceA-nqa-admin-test1-icmp-echo] probe count 5
[DeviceA-nqa-admin-test1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceA-nqa-admin-test1-icmp-echo] quit
[DeviceA] nqa schedule admin test1 start-time now lifetime forever
# Configure Track entry 110 and associate it with reaction entry 1 of the NQA operation (administrator test1, operation tag 1). The steps are as follows.
[DeviceA] track 110 nqa entry admin test1 reaction 1
[DeviceA-track-110] quit
# Configure an NQA operation (administrator test2, operation tag 1). The steps are as follows.
[DeviceA] nqa entry admin test2
[DeviceA-nqa-admin-test2] type icmp-echo
[DeviceA-nqa-admin-test2-icmp-echo] destination ip 3.3.3.3
[DeviceA-nqa-admin-test2-icmp-echo] frequency 3000
[DeviceA-nqa-admin-test2-icmp-echo] history-record enable
[DeviceA-nqa-admin-test2-icmp-echo] probe count 5
[DeviceA-nqa-admin-test2-icmp-echo] next-hop ip 2.2.2.3
[DeviceA-nqa-admin-test2-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceA-nqa-admin-test2-icmp-echo] quit
[DeviceA] nqa schedule admin test2 start-time now lifetime forever
# Configure Track entry 120 and associate it with reaction entry 1 of the NQA operation (administrator test2, operation tag 1). The steps are as follows.
[DeviceA] track 120 nqa entry admin test2 reaction 1
[DeviceA-track-120] quit
# Configure an NQA operation (administrator test3, operation tag 1). The steps are as follows.
[DeviceA] nqa entry admin test3
[DeviceA-nqa-admin-test3] type icmp-echo
[DeviceA-nqa-admin-test3-icmp-echo] destination ip 4.4.4.4
[DeviceA-nqa-admin-test3-icmp-echo] frequency 3000
[DeviceA-nqa-admin-test3-icmp-echo] history-record enable
[DeviceA-nqa-admin-test3-icmp-echo] probe count 5
[DeviceA-nqa-admin-test3-icmp-echo] next-hop ip 1.1.1.2
[DeviceA-nqa-admin-test3-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceA-nqa-admin-test3-icmp-echo] quit
[DeviceA] nqa schedule admin test3 start-time now lifetime forever
# Configure Track entry 130 and associate it with reaction entry 1 of the NQA operation (administrator test3, operation tag 1). The steps are as follows.
[DeviceA] track 130 nqa entry admin test3 reaction 1
[DeviceA-track-130] quit
# Configure an NQA operation (administrator test4, operation tag 1). The steps are as follows.
[DeviceA] nqa entry admin test4
[DeviceA-nqa-admin-test4] type icmp-echo
[DeviceA-nqa-admin-test4-icmp-echo] destination ip 4.4.4.4
[DeviceA-nqa-admin-test4-icmp-echo] frequency 3000
[DeviceA-nqa-admin-test4-icmp-echo] history-record enable
[DeviceA-nqa-admin-test4-icmp-echo] probe count 5
[DeviceA-nqa-admin-test4-icmp-echo] next-hop ip 2.2.2.3
[DeviceA-nqa-admin-test4-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceA-nqa-admin-test4-icmp-echo] quit
[DeviceA] nqa schedule admin test4 start-time now lifetime forever
# Configure Track entry 140 and associate it with reaction entry 1 of the NQA operation (administrator test4, operation tag 1). The steps are as follows.
[DeviceA] track 140 nqa entry admin test4 reaction 1
[DeviceA-track-140] quit
Configure routes
This example configures routing information with static routes only. In a real network, choose the routing configuration method that fits your situation.
# Configure static routes according to the network plan. The next-hop IP addresses in this example are for illustration only; use the values from your actual network. The steps are as follows.
[DeviceA] ip route-static 192.168.12.0 24 tunnel 0 track 110 preference 100
[DeviceA] ip route-static 192.168.12.0 24 tunnel 1 track 120 preference 110
[DeviceA] ip route-static 192.168.13.0 24 tunnel 2 track 130 preference 100
[DeviceA] ip route-static 192.168.13.0 24 tunnel 3 track 140 preference 110
[DeviceA] ip route-static 3.3.3.3 24 1.1.1.2 track 110 preference 100
[DeviceA] ip route-static 3.3.3.3 24 2.2.2.3 track 120 preference 110
[DeviceA] ip route-static 4.4.4.4 24 1.1.1.2 track 130 preference 100
[DeviceA] ip route-static 4.4.4.4 24 2.2.2.3 track 140 preference 110
Configure interface IP addresses
# Configure the IP address of each interface according to the network plan. The steps are as follows.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 3.3.3.3 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] quit
Configure the IP addresses of the other interfaces in the same way; those steps are omitted.
Create IPsec tunnel interfaces
# Create IPsec tunnel interface Tunnel0. The steps are as follows.
[DeviceB] interface tunnel 0 mode ipsec
[DeviceB-Tunnel0] ip address 50.0.0.1 255.255.255.0
[DeviceB-Tunnel0] source 3.3.3.3
[DeviceB-Tunnel0] destination 1.1.1.1
[DeviceB-Tunnel0] quit
# Create IPsec tunnel interface Tunnel1. The steps are as follows.
[DeviceB] interface tunnel 1 mode ipsec
[DeviceB-Tunnel1] ip address 60.0.0.1 255.255.255.0
[DeviceB-Tunnel1] source 3.3.3.3
[DeviceB-Tunnel1] destination 2.2.2.2
[DeviceB-Tunnel1] quit
Add interfaces to security zones.
# Add the interfaces to the corresponding security zones according to the network plan. The steps are as follows.
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] import interface tunnel 0
[DeviceB-security-zone-Untrust] import interface tunnel 1
[DeviceB-security-zone-Untrust] quit
Configure security policies
Configure security policies that permit traffic between the Untrust and Local security zones so that the devices can establish IPsec tunnels.
# Configure a security policy rule named ipseclocalout so that Device B can send IPsec tunnel negotiation packets to Device A. The steps are as follows.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 3.3.3.3
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# Configure a security policy rule named ipseclocalin so that Device B can receive and process IPsec tunnel negotiation packets from Device A. The steps are as follows.
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 3.3.3.3
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
Configure security policies that permit traffic between Host B and Host A
# Configure a security policy rule named trust-untrust so that packets from Host B to Host A are permitted. The steps are as follows.
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 192.168.12.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.11.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# Configure a security policy rule named untrust-trust so that packets from Host A to Host B are permitted. The steps are as follows.
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.11.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 192.168.12.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
Configure IPsec profiles to establish IPsec tunnels and protect the data flows that need protection
# Configure IPsec profile t0 to establish an IPsec tunnel. The steps are as follows.
[DeviceB] ike keychain t0
[DeviceB-ike-keychain-t0] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!
[DeviceB-ike-keychain-t0] quit
[DeviceB] ike profile t0
[DeviceB-ike-profile-t0] keychain t0
[DeviceB-ike-profile-t0] match local address Tunnel0
[DeviceB-ike-profile-t0] match remote identity address 1.1.1.1 24
[DeviceB-ike-profile-t0] exchange-mode aggressive
[DeviceB-ike-profile-t0] dpd interval 30 periodic
[DeviceB-ike-profile-t0] quit
[DeviceB] ipsec transform-set t0
[DeviceB-ipsec-transform-set-t0] esp encryption-algorithm aes-cbc-128
[DeviceB-ipsec-transform-set-t0] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-t0] quit
[DeviceB] ipsec profile t0 isakmp
[DeviceB-ipsec-profile-isakmp-t0] transform-set t0
[DeviceB-ipsec-profile-isakmp-t0] ike-profile t0
[DeviceB-ipsec-profile-isakmp-t0] quit
# Configure IPsec profile t1 to establish an IPsec tunnel. The steps are as follows.
[DeviceB] ike keychain t1
[DeviceB-ike-keychain-t1] pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!
[DeviceB-ike-keychain-t1] quit
[DeviceB] ike profile t1
[DeviceB-ike-profile-t1] keychain t1
[DeviceB-ike-profile-t1] match local address Tunnel1
[DeviceB-ike-profile-t1] match remote identity address 2.2.2.2 24
[DeviceB-ike-profile-t1] exchange-mode aggressive
[DeviceB-ike-profile-t1] dpd interval 30 periodic
[DeviceB-ike-profile-t1] quit
[DeviceB] ipsec transform-set t1
[DeviceB-ipsec-transform-set-t1] esp encryption-algorithm aes-cbc-128
[DeviceB-ipsec-transform-set-t1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-t1] quit
[DeviceB] ipsec profile t1 isakmp
[DeviceB-ipsec-profile-isakmp-t1] transform-set t1
[DeviceB-ipsec-profile-isakmp-t1] ike-profile t1
[DeviceB-ipsec-profile-isakmp-t1] quit
Configure the IPsec tunnel interfaces to apply IPsec encapsulation to the traffic that needs protection.
# Apply IPsec profile t0 to IPsec tunnel interface Tunnel0 to establish the IPsec tunnel.
[DeviceB] interface tunnel 0
[DeviceB-Tunnel0] tunnel protection ipsec profile t0
[DeviceB-Tunnel0] quit
# Apply IPsec profile t1 to IPsec tunnel interface Tunnel1 to establish the IPsec tunnel.
[DeviceB] interface tunnel 1
[DeviceB-Tunnel1] tunnel protection ipsec profile t1
[DeviceB-Tunnel1] quit
Configure NQA operations associated with Track entries to detect link state.
# Configure an NQA operation (administrator test1, operation tag 1). The steps are as follows.
[DeviceB] nqa entry admin test1
[DeviceB-nqa-admin-test1] type icmp-echo
[DeviceB-nqa-admin-test1-icmp-echo] destination ip 1.1.1.1
[DeviceB-nqa-admin-test1-icmp-echo] frequency 3000
[DeviceB-nqa-admin-test1-icmp-echo] history-record enable
[DeviceB-nqa-admin-test1-icmp-echo] probe count 5
[DeviceB-nqa-admin-test1-icmp-echo] next-hop ip 3.3.3.4
[DeviceB-nqa-admin-test1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceB-nqa-admin-test1-icmp-echo] quit
[DeviceB] nqa schedule admin test1 start-time now lifetime forever
# Configure Track entry 110 and associate it with reaction entry 1 of the NQA operation (administrator test1, operation tag 1). The steps are as follows.
[DeviceB] track 110 nqa entry admin test1 reaction 1
[DeviceB-track-110] quit
# Configure an NQA operation (administrator test2, operation tag 1). The steps are as follows.
[DeviceB] nqa entry admin test2
[DeviceB-nqa-admin-test2] type icmp-echo
[DeviceB-nqa-admin-test2-icmp-echo] destination ip 2.2.2.2
[DeviceB-nqa-admin-test2-icmp-echo] frequency 3000
[DeviceB-nqa-admin-test2-icmp-echo] history-record enable
[DeviceB-nqa-admin-test2-icmp-echo] probe count 5
[DeviceB-nqa-admin-test2-icmp-echo] next-hop ip 3.3.3.4
[DeviceB-nqa-admin-test2-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceB-nqa-admin-test2-icmp-echo] quit
[DeviceB] nqa schedule admin test2 start-time now lifetime forever
# Configure Track entry 120 and associate it with reaction entry 1 of the NQA operation (administrator test2, operation tag 1). The steps are as follows.
[DeviceB] track 120 nqa entry admin test2 reaction 1
[DeviceB-track-120] quit
Configure routes
This example configures routing information with static routes only. In a real network, choose the routing configuration method that fits your situation.
# Configure static routes according to the network plan. The next-hop IP addresses in this example are for illustration only; use the values from your actual network. The steps are as follows.
[DeviceB] ip route-static 192.168.11.0 24 tunnel 0 track 110 preference 100
[DeviceB] ip route-static 192.168.11.0 24 tunnel 1 track 120 preference 110
[DeviceB] ip route-static 1.1.1.1 24 3.3.3.4
[DeviceB] ip route-static 2.2.2.2 24 3.3.3.4
Configure interface IP addresses
# Configure the IP address of each interface according to the network plan. The steps are as follows.
<DeviceC> system-view
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] ip address 4.4.4.4 255.255.255.0
[DeviceC-GigabitEthernet1/0/1] quit
Configure the IP addresses of the other interfaces in the same way; those steps are omitted.
Create IPsec tunnel interfaces
# Create IPsec tunnel interface Tunnel0. The steps are as follows.
[DeviceC] interface tunnel 0 mode ipsec
[DeviceC-Tunnel0] ip address 70.0.0.1 255.255.255.0
[DeviceC-Tunnel0] source 4.4.4.4
[DeviceC-Tunnel0] destination 1.1.1.1
[DeviceC-Tunnel0] quit
# Create IPsec tunnel interface Tunnel1. The steps are as follows.
[DeviceC] interface tunnel 1 mode ipsec
[DeviceC-Tunnel1] ip address 80.0.0.1 255.255.255.0
[DeviceC-Tunnel1] source 4.4.4.4
[DeviceC-Tunnel1] destination 2.2.2.2
[DeviceC-Tunnel1] quit
Add interfaces to security zones.
# Add the interfaces to the corresponding security zones according to the network plan. The steps are as follows.
[DeviceC] security-zone name trust
[DeviceC-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceC-security-zone-Trust] quit
[DeviceC] security-zone name untrust
[DeviceC-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceC-security-zone-Untrust] import interface tunnel 0
[DeviceC-security-zone-Untrust] import interface tunnel 1
[DeviceC-security-zone-Untrust] quit
Configure security policies
Configure security policies that permit traffic between the Untrust and Local security zones so that the devices can establish IPsec tunnels.
# Configure a security policy rule named ipseclocalout so that Device B can send IPsec tunnel negotiation packets to Device A. The steps are as follows.
[DeviceC] security-policy ip
[DeviceC-security-policy-ip] rule name ipseclocalout
[DeviceC-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceC-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceC-security-policy-ip-1-ipseclocalout] source-ip-host 4.4.4.4
[DeviceC-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceC-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2
[DeviceC-security-policy-ip-1-ipseclocalout] action pass
[DeviceC-security-policy-ip-1-ipseclocalout] quit
# Configure a security policy rule named ipseclocalin so that Device B can receive and process IPsec tunnel negotiation packets from Device A. The steps are as follows.
[DeviceC-security-policy-ip] rule name ipseclocalin
[DeviceC-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceC-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceC-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceC-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2
[DeviceC-security-policy-ip-2-ipseclocalin] destination-ip-host 4.4.4.4
[DeviceC-security-policy-ip-2-ipseclocalin] action pass
[DeviceC-security-policy-ip-2-ipseclocalin] quit
Configure security policies that permit traffic between Host B and Host A
# Configure a security policy rule named trust-untrust so that packets from Host B to Host A are permitted. The steps are as follows.
[DeviceC-security-policy-ip] rule name trust-untrust
[DeviceC-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceC-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceC-security-policy-ip-3-trust-untrust] source-ip-subnet 192.168.13.0 24
[DeviceC-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.11.0 24
[DeviceC-security-policy-ip-3-trust-untrust] action pass
[DeviceC-security-policy-ip-3-trust-untrust] quit
# Configure a security policy rule named untrust-trust so that packets from Host A to Host B are permitted. The steps are as follows.
[DeviceC-security-policy-ip] rule name untrust-trust
[DeviceC-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceC-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceC-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.11.0 24
[DeviceC-security-policy-ip-4-untrust-trust] destination-ip-subnet 192.168.13.0 24
[DeviceC-security-policy-ip-4-untrust-trust] action pass
[DeviceC-security-policy-ip-4-untrust-trust] quit
[DeviceC-security-policy-ip] quit
Configure IPsec profiles to establish IPsec tunnels and protect the data flows that need protection
# Configure IPsec profile t0 to establish an IPsec tunnel. The steps are as follows.
[DeviceC] ike keychain t0
[DeviceC-ike-keychain-t0] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!
[DeviceC-ike-keychain-t0] quit
[DeviceC] ike profile t0
[DeviceC-ike-profile-t0] keychain t0
[DeviceC-ike-profile-t0] match local address Tunnel0
[DeviceC-ike-profile-t0] match remote identity address 1.1.1.1 24
[DeviceC-ike-profile-t0] exchange-mode aggressive
[DeviceC-ike-profile-t0] dpd interval 30 periodic
[DeviceC-ike-profile-t0] quit
[DeviceC] ipsec transform-set t0
[DeviceC-ipsec-transform-set-t0] esp encryption-algorithm aes-cbc-128
[DeviceC-ipsec-transform-set-t0] esp authentication-algorithm sha1
[DeviceC-ipsec-transform-set-t0] quit
[DeviceC] ipsec profile t0 isakmp
[DeviceC-ipsec-profile-isakmp-t0] transform-set t0
[DeviceC-ipsec-profile-isakmp-t0] ike-profile t0
[DeviceC-ipsec-profile-isakmp-t0] quit
# Configure IPsec profile t1 to establish an IPsec tunnel. The steps are as follows.
[DeviceC] ike keychain t1
[DeviceC-ike-keychain-t1] pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!
[DeviceC-ike-keychain-t1] quit
[DeviceC] ike profile t1
[DeviceC-ike-profile-t1] keychain t1
[DeviceC-ike-profile-t1] match local address Tunnel1
[DeviceC-ike-profile-t1] match remote identity address 2.2.2.2 24
[DeviceC-ike-profile-t1] exchange-mode aggressive
[DeviceC-ike-profile-t1] dpd interval 30 periodic
[DeviceC-ike-profile-t1] quit
[DeviceC] ipsec transform-set t1
[DeviceC-ipsec-transform-set-t1] esp encryption-algorithm aes-cbc-128
[DeviceC-ipsec-transform-set-t1] esp authentication-algorithm sha1
[DeviceC-ipsec-transform-set-t1] quit
[DeviceC] ipsec profile t1 isakmp
[DeviceC-ipsec-profile-isakmp-t1] transform-set t1
[DeviceC-ipsec-profile-isakmp-t1] ike-profile t1
[DeviceC-ipsec-profile-isakmp-t1] quit
Configure the IPsec tunnel interfaces to apply IPsec encapsulation to the traffic that needs protection.
# Apply IPsec profile t0 to IPsec tunnel interface Tunnel0 to establish the IPsec tunnel.
[DeviceC] interface tunnel 0
[DeviceC-Tunnel0] tunnel protection ipsec profile t0
[DeviceC-Tunnel0] quit
# Apply IPsec profile t1 to IPsec tunnel interface Tunnel1 to establish the IPsec tunnel.
[DeviceC] interface tunnel 1
[DeviceC-Tunnel1] tunnel protection ipsec profile t1
[DeviceC-Tunnel1] quit
Configure NQA operations associated with Track entries to detect link state.
# Configure an NQA operation (administrator test1, operation tag 1). The steps are as follows.
[DeviceC] nqa entry admin test1
[DeviceC-nqa-admin-test1] type icmp-echo
[DeviceC-nqa-admin-test1-icmp-echo] destination ip 1.1.1.1
[DeviceC-nqa-admin-test1-icmp-echo] frequency 3000
[DeviceC-nqa-admin-test1-icmp-echo] history-record enable
[DeviceC-nqa-admin-test1-icmp-echo] probe count 5
[DeviceC-nqa-admin-test1-icmp-echo] next-hop ip 4.4.4.5
[DeviceC-nqa-admin-test1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceC-nqa-admin-test1-icmp-echo] quit
[DeviceC] nqa schedule admin test1 start-time now lifetime forever
# Configure Track entry 110 and associate it with reaction entry 1 of the NQA operation (administrator test1, operation tag 1). The steps are as follows.
[DeviceC] track 110 nqa entry admin test1 reaction 1
[DeviceC-track-110] quit
# Configure an NQA operation (administrator test2, operation tag 1). The steps are as follows.
[DeviceC] nqa entry admin test2
[DeviceC-nqa-admin-test2] type icmp-echo
[DeviceC-nqa-admin-test2-icmp-echo] destination ip 2.2.2.2
[DeviceC-nqa-admin-test2-icmp-echo] frequency 3000
[DeviceC-nqa-admin-test2-icmp-echo] history-record enable
[DeviceC-nqa-admin-test2-icmp-echo] probe count 5
[DeviceC-nqa-admin-test2-icmp-echo] next-hop ip 4.4.4.5
[DeviceC-nqa-admin-test2-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceC-nqa-admin-test2-icmp-echo] quit
[DeviceC] nqa schedule admin test2 start-time now lifetime forever
# Configure Track entry 120 and associate it with reaction entry 1 of the NQA operation (administrator test2, operation tag 1). The steps are as follows.
[DeviceC] track 120 nqa entry admin test2 reaction 1
[DeviceC-track-120] quit
Configure routes
This example configures routing information with static routes only. In a real network, choose the routing configuration method that fits your situation.
# Configure static routes according to the network plan. The next-hop IP addresses in this example are for illustration only; use the values from your actual network. The steps are as follows.
[DeviceC] ip route-static 192.168.11.0 24 tunnel 0 track 110 preference 100
[DeviceC] ip route-static 192.168.11.0 24 tunnel 1 track 120 preference 110
[DeviceC] ip route-static 1.1.1.1 24 4.4.4.5
[DeviceC] ip route-static 2.2.2.2 24 4.4.4.5
After the above configuration is complete, Device A automatically performs IKE negotiation with Device B and Device C. When IKE negotiation completes, the IPsec virtual tunnel interfaces on Device A, Device B and Device C come up, and the data flows between the headquarters and the branches are protected.
# Use the display ip interface brief command to view the interface status of Device A, as follows.
<DeviceA> display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE1/0/1 up up 1.1.1.1/24 -- --
GE1/0/2 up up 2.2.2.2/24 -- --
GE1/0/3 up up 192.168.11.1/24 -- --
Tun0 up up 10.0.0.1/24 -- --
Tun1 up up 20.0.0.1/24 -- --
Tun2 up up 30.0.0.1/24 -- --
Tun3 up up 40.0.0.1/24 -- --
# Use the display ip routing-table command to view the routing status of Device A, as follows.
<DeviceA> display ip routing-table
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.0/24 Direct 0 0 1.1.1.1 GE1/0/1
1.1.1.255/32 Direct 0 0 1.1.1.1 GE1/0/1
2.2.2.0/24 Direct 0 0 2.2.2.2 GE1/0/2
2.2.2.255/32 Direct 0 0 2.2.2.2 GE1/0/2
3.3.3.0/24 Static 100 0 1.1.1.2 GE1/0/1
4.4.4.0/24 Static 100 0 1.1.1.2 GE1/0/1
10.0.0.0/24 Direct 0 0 10.0.0.1 Tun0
10.0.0.255/32 Direct 0 0 10.0.0.1 Tun0
20.0.0.0/24 Direct 0 0 20.0.0.1 Tun1
20.0.0.255/32 Direct 0 0 20.0.0.1 Tun1
192.168.11.0/24 Direct 0 0 192.168.11.1 GE1/0/3
192.168.11.255/32 Direct 0 0 192.168.11.1 GE1/0/3
192.168.12.0/24 Static 100 0 0.0.0.0 Tun0
192.168.13.0/24 Static 100 0 0.0.0.0 Tun2
# Host A can ping Host B; the IPsec traffic is carried over the link of Tunnel0.
C:\Users\hosta> ping 192.168.12.2
正在 Ping 192.168.12.2 具有 32 字节的数据:
来自 192.168.12.2 的回复: 字节=32 时间=1ms TTL=254
来自 192.168.12.2 的回复: 字节=32 时间<1ms TTL=254
来自 192.168.12.2 的回复: 字节=32 时间<1ms TTL=254
来自 192.168.12.2 的回复: 字节=32 时间<1ms TTL=254
192.168.12.2 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 0ms,最长 = 1ms,平均 = 0ms
# When the link of Device A's GigabitEthernet1/0/1 interface fails, Host A can still ping Host B; the IPsec traffic is now carried over the link of Tunnel1.
C:\Users\hosta> ping 192.168.12.2
正在 Ping 192.168.12.2 具有 32 字节的数据:
来自 192.168.12.2 的回复: 字节=32 时间=1ms TTL=254
来自 192.168.12.2 的回复: 字节=32 时间<1ms TTL=254
来自 192.168.12.2 的回复: 字节=32 时间<1ms TTL=254
来自 192.168.12.2 的回复: 字节=32 时间<1ms TTL=254
192.168.12.2 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 0ms,最长 = 1ms,平均 = 0ms
# Use the display ip interface brief command to view the interface status of Device A, as follows.
<DeviceA> display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE1/0/1 down down 1.1.1.1/24 -- --
GE1/0/2 up up 2.2.2.2/24 -- --
GE1/0/3 up up 192.168.11.1/24 -- --
Tun0 down down 10.0.0.1/24 -- --
Tun1 up up 20.0.0.1/24 -- --
Tun2 down down 30.0.0.1/24 -- --
Tun3 up up 40.0.0.1/24 -- --
# Use the display ip routing-table command to view the routing status of Device A, as follows.
<DeviceA> display ip routing-table
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost NextHop Interface
2.2.2.0/24 Direct 0 0 2.2.2.2 GE1/0/2
2.2.2.255/32 Direct 0 0 2.2.2.2 GE1/0/2
3.3.3.0/24 Static 110 0 2.2.2.3 GE1/0/2
4.4.4.0/24 Static 110 0 2.2.2.3 GE1/0/2
20.0.0.0/24 Direct 0 0 20.0.0.1 Tun1
20.0.0.255/32 Direct 0 0 20.0.0.1 Tun1
192.168.11.0/24 Direct 0 0 192.168.11.1 GE1/0/3
192.168.11.255/32 Direct 0 0 192.168.11.1 GE1/0/3
192.168.12.0/24 Static 110 0 0.0.0.0 Tun1
192.168.13.0/24 Static 110 0 0.0.0.0 Tun3
# When the link of Device A's GigabitEthernet1/0/1 interface recovers, the IPsec traffic switches back to the link of Tunnel0.
#
track 110 nqa entry admin test1 reaction 1
#
track 120 nqa entry admin test2 reaction 1
#
track 130 nqa entry admin test3 reaction 1
#
track 140 nqa entry admin test4 reaction 1
#
nqa entry admin test1
type icmp-echo
destination ip 3.3.3.3
frequency 3000
history-record enable
next-hop ip 1.1.1.2
probe count 5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa entry admin test2
type icmp-echo
destination ip 3.3.3.3
frequency 3000
history-record enable
next-hop ip 2.2.2.3
probe count 5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa entry admin test3
type icmp-echo
destination ip 4.4.4.4
frequency 3000
history-record enable
next-hop ip 1.1.1.2
probe count 5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa entry admin test4
type icmp-echo
destination ip 4.4.4.4
frequency 3000
history-record enable
next-hop ip 2.2.2.3
probe count 5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule admin test1 start-time now lifetime forever
nqa schedule admin test2 start-time now lifetime forever
nqa schedule admin test3 start-time now lifetime forever
nqa schedule admin test4 start-time now lifetime forever
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet1/0/3
ip address 192.168.11.1 255.255.255.0
#
interface Tunnel0 mode ipsec
ip address 10.0.0.1 255.255.255.0
source 1.1.1.1
destination 3.3.3.3
tunnel protection ipsec profile t0
#
interface Tunnel1 mode ipsec
ip address 20.0.0.1 255.255.255.0
source 2.2.2.2
destination 3.3.3.3
tunnel protection ipsec profile t1
#
interface Tunnel2 mode ipsec
ip address 30.0.0.1 255.255.255.0
source 1.1.1.1
destination 4.4.4.4
tunnel protection ipsec profile t2
#
interface Tunnel3 mode ipsec
ip address 40.0.0.1 255.255.255.0
source 2.2.2.2
destination 4.4.4.4
tunnel protection ipsec profile t3
#
security-zone name Trust
import interface GigabitEthernet1/0/3
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/2
import interface Tunnel0
import interface Tunnel1
import interface Tunnel2
import interface Tunnel3
#
ip route-static 3.3.3.0 24 1.1.1.2 track 110 preference 100
ip route-static 3.3.3.0 24 2.2.2.3 track 120 preference 110
ip route-static 4.4.4.0 24 1.1.1.2 track 130 preference 100
ip route-static 4.4.4.0 24 2.2.2.3 track 140 preference 110
ip route-static 192.168.12.0 24 Tunnel0 track 110 preference 100
ip route-static 192.168.12.0 24 Tunnel1 track 120 preference 110
ip route-static 192.168.13.0 24 Tunnel2 track 130 preference 100
ip route-static 192.168.13.0 24 Tunnel3 track 140 preference 110
#
ipsec transform-set t0
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec transform-set t1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec transform-set t2
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec transform-set t3
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile t0 isakmp
transform-set t0
ike-profile t0
#
ipsec profile t1 isakmp
transform-set t1
ike-profile t1
#
ipsec profile t2 isakmp
transform-set t2
ike-profile t2
#
ipsec profile t3 isakmp
transform-set t3
ike-profile t3
#
ike profile t0
keychain t0
dpd interval 30 periodic
exchange-mode aggressive
match remote identity address 3.3.3.3 255.255.255.0
match local address Tunnel0
#
ike profile t1
keychain t1
dpd interval 30 periodic
exchange-mode aggressive
match remote identity address 3.3.3.3 255.255.255.0
match local address Tunnel1
#
ike profile t2
keychain t2
dpd interval 30 periodic
exchange-mode aggressive
match remote identity address 4.4.4.4 255.255.255.0
match local address Tunnel2
#
ike profile t3
keychain t3
dpd interval 30 periodic
exchange-mode aggressive
match remote identity address 4.4.4.4 255.255.255.0
match local address Tunnel3
#
ike keychain t0
pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!
#
ike keychain t1
pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!
#
ike keychain t2
pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!
#
ike keychain t3
pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!
#
security-policy ip
rule 0 name ipseclocalout
action pass
source-zone local
destination-zone untrust
source-ip-host 1.1.1.1
source-ip-host 2.2.2.2
destination-ip-host 3.3.3.3
destination-ip-host 4.4.4.4
rule 1 name ipseclocalin
action pass
source-zone untrust
destination-zone local
source-ip-host 3.3.3.3
source-ip-host 4.4.4.4
destination-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
rule 2 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 192.168.11.0 255.255.255.0
destination-ip-subnet 192.168.12.0 255.255.255.0
destination-ip-subnet 192.168.13.0 255.255.255.0
rule 3 name untrust-trust
action pass
source-zone untrust
destination-zone trust
source-ip-subnet 192.168.12.0 255.255.255.0
source-ip-subnet 192.168.13.0 255.255.255.0
destination-ip-subnet 192.168.11.0 255.255.255.0
#
Device B (3.3.3.3):
#
track 110 nqa entry admin test1 reaction 1
#
track 120 nqa entry admin test2 reaction 1
#
nqa entry admin test1
type icmp-echo
destination ip 1.1.1.1
frequency 3000
history-record enable
next-hop ip 3.3.3.4
probe count 5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa entry admin test2
type icmp-echo
destination ip 2.2.2.2
frequency 3000
history-record enable
next-hop ip 3.3.3.4
probe count 5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule admin test1 start-time now lifetime forever
nqa schedule admin test2 start-time now lifetime forever
#
interface GigabitEthernet1/0/1
ip address 3.3.3.3 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 192.168.12.1 255.255.255.0
#
interface Tunnel0 mode ipsec
ip address 50.0.0.1 255.255.255.0
source 3.3.3.3
destination 1.1.1.1
tunnel protection ipsec profile t0
#
interface Tunnel1 mode ipsec
ip address 60.0.0.1 255.255.255.0
source 3.3.3.3
destination 2.2.2.2
tunnel protection ipsec profile t1
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface Tunnel0
import interface Tunnel1
#
ip route-static 1.1.1.0 24 3.3.3.4
ip route-static 2.2.2.0 24 3.3.3.4
ip route-static 192.168.11.0 24 Tunnel0 track 110 preference 100
ip route-static 192.168.11.0 24 Tunnel1 track 120 preference 110
#
ipsec transform-set t0
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec transform-set t1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile t0 isakmp
transform-set t0
ike-profile t0
#
ipsec profile t1 isakmp
transform-set t1
ike-profile t1
#
ike profile t0
keychain t0
dpd interval 30 periodic
exchange-mode aggressive
match remote identity address 1.1.1.1 255.255.255.0
match local address Tunnel0
#
ike profile t1
keychain t1
dpd interval 30 periodic
exchange-mode aggressive
match remote identity address 2.2.2.2 255.255.255.0
match local address Tunnel1
#
ike keychain t0
pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!
#
ike keychain t1
pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!
#
security-policy ip
rule 0 name ipseclocalout
action pass
source-zone local
destination-zone untrust
source-ip-host 3.3.3.3
destination-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
rule 1 name ipseclocalin
action pass
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
source-ip-host 2.2.2.2
destination-ip-host 3.3.3.3
rule 2 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 192.168.12.0 255.255.255.0
destination-ip-subnet 192.168.11.0 255.255.255.0
rule 3 name untrust-trust
action pass
source-zone untrust
destination-zone trust
source-ip-subnet 192.168.11.0 255.255.255.0
destination-ip-subnet 192.168.12.0 255.255.255.0
#
Device C (4.4.4.4):
#
track 110 nqa entry admin test1 reaction 1
#
track 120 nqa entry admin test2 reaction 1
#
nqa entry admin test1
type icmp-echo
destination ip 1.1.1.1
frequency 3000
history-record enable
next-hop ip 4.4.4.5
probe count 5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa entry admin test2
type icmp-echo
destination ip 2.2.2.2
frequency 3000
history-record enable
next-hop ip 4.4.4.5
probe count 5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule admin test1 start-time now lifetime forever
nqa schedule admin test2 start-time now lifetime forever
#
interface GigabitEthernet1/0/1
ip address 4.4.4.4 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 192.168.13.1 255.255.255.0
#
interface Tunnel0 mode ipsec
ip address 70.0.0.1 255.255.255.0
source 4.4.4.4
destination 1.1.1.1
tunnel protection ipsec profile t0
#
interface Tunnel1 mode ipsec
ip address 80.0.0.1 255.255.255.0
source 4.4.4.4
destination 2.2.2.2
tunnel protection ipsec profile t1
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface Tunnel0
import interface Tunnel1
#
ip route-static 1.1.1.0 24 4.4.4.5
ip route-static 2.2.2.0 24 4.4.4.5
ip route-static 192.168.11.0 24 Tunnel0 track 110 preference 100
ip route-static 192.168.11.0 24 Tunnel1 track 120 preference 110
#
ipsec transform-set t0
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec transform-set t1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile t0 isakmp
transform-set t0
ike-profile t0
#
ipsec profile t1 isakmp
transform-set t1
ike-profile t1
#
ike profile t0
keychain t0
dpd interval 30 periodic
exchange-mode aggressive
match remote identity address 1.1.1.1 255.255.255.0
match local address Tunnel0
#
ike profile t1
keychain t1
dpd interval 30 periodic
exchange-mode aggressive
match remote identity address 2.2.2.2 255.255.255.0
match local address Tunnel1
#
ike keychain t0
pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!
#
ike keychain t1
pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!
#
security-policy ip
rule 0 name ipseclocalout
action pass
source-zone local
destination-zone untrust
source-ip-host 4.4.4.4
destination-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
rule 1 name ipseclocalin
action pass
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
source-ip-host 2.2.2.2
destination-ip-host 4.4.4.4
rule 2 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 192.168.13.0 255.255.255.0
destination-ip-subnet 192.168.11.0 255.255.255.0
rule 3 name untrust-trust
action pass
source-zone untrust
destination-zone trust
source-ip-subnet 192.168.11.0 255.255.255.0
destination-ip-subnet 192.168.13.0 255.255.255.0
(0)
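The pasted configurations repeat the same per-peer pattern, and a few settings deserve a second look before they are copied to many more sites: IKEv1 aggressive mode with a pre-shared key lets a passive listener capture a PSK-derived hash and crack it offline, the 255.255.255.0 masks on match remote identity and pre-shared-key address accept any host in the peer's /24, and one PSK is shared by every branch. The script below, an added example that is not part of the original post or of any H3C tool, lints a saved Comware configuration for these points and for two structural mistakes (a tunnel interface with no tunnel protection, a static route bound to a track entry that does not exist). Its CONFIG sample is constructed from Device A's configuration above with Tunnel1's protection line and track 120 deliberately removed so that those checks fire; the check list and severity labels are this example's own choices, not H3C guidance.

```python
"""Lint an H3C Comware IPsec/IKE configuration for settings a reviewer would question.
Added example, not from the original post or any H3C tool. CONFIG is constructed from
Device A's configuration in the thread, minus Tunnel1's 'tunnel protection' line and
the 'track 120' entry, both removed on purpose so that those checks fire."""
import re
from collections import defaultdict

CONFIG = """\
#
interface Tunnel0 mode ipsec
 tunnel protection ipsec profile t0
#
interface Tunnel1 mode ipsec
#
track 110 nqa entry admin test1 reaction 1
#
ip route-static 192.168.12.0 24 Tunnel0 track 110 preference 100
ip route-static 192.168.12.0 24 Tunnel1 track 120 preference 110
#
ipsec transform-set t0
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
#
ike profile t0
 keychain t0
 exchange-mode aggressive
 match remote identity address 3.3.3.3 255.255.255.0
#
ike keychain t0
 pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!
#
ike keychain t1
 pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!
#
"""
CONTEXT_HEADS = ("interface ", "ipsec transform-set ", "ipsec profile ",   # headers whose
                 "ike profile ", "ike keychain ", "nqa entry ")            # next lines are sub-commands
HOST_MASK = "255.255.255.255"

def parse_blocks(text):
    """Return (header, [sub-commands]) pairs; flat commands get an empty body."""
    blocks, cur = [], []
    for line in text.splitlines() + ["#"]:          # trailing '#' flushes the last block
        line = line.strip()
        if line == "#":
            if cur and cur[0].startswith(CONTEXT_HEADS):
                blocks.append((cur[0], cur[1:]))
            else:                                   # e.g. track / ip route-static lines
                blocks.extend((l, []) for l in cur)
            cur = []
        elif line:
            cur.append(line)
    return blocks

def audit(text):
    """Run every check and return [(severity, message), ...]."""
    findings, psk_users, blocks = [], defaultdict(list), parse_blocks(text)
    tracks = {m.group(1) for h, _ in blocks for m in [re.match(r"track (\d+)\b", h)] if m}
    for header, body in blocks:
        w = header.split()
        if header.startswith("interface Tunnel") and "mode ipsec" in header:
            if not any(l.startswith("tunnel protection ipsec profile") for l in body):
                findings.append(("high", f"{w[1]}: no 'tunnel protection ipsec profile'; no IPsec SA is negotiated"))
        elif header.startswith("ipsec transform-set"):
            for l in body:
                alg = l.split()[-1]
                if l.startswith("esp authentication-algorithm") and alg in ("md5", "sha1"):
                    findings.append(("medium", f"transform-set {w[2]}: ESP integrity {alg} is "
                                               "legacy; prefer sha256 or an AES-GCM suite"))
        elif header.startswith("ike profile"):
            if "exchange-mode aggressive" in body:   # PSK-derived hash goes out unencrypted
                findings.append(("high", f"ike profile {w[2]}: IKEv1 aggressive mode exposes the "
                                         "PSK hash to offline cracking; use main mode or IKEv2"))
            for l in body:
                m = re.match(r"match remote identity address (\S+) (\S+)", l)
                if m and m.group(2) != HOST_MASK:
                    findings.append(("medium", f"ike profile {w[2]}: mask {m.group(2)} accepts any "
                                               f"peer in {m.group(1)}'s range; use {HOST_MASK}"))
        elif header.startswith("ike keychain"):
            for l in body:
                m = re.match(r"pre-shared-key address \S+ \S+ key \S+ (\S+)", l)
                if m:
                    psk_users[m.group(1)].append(w[2])
        else:
            m = re.match(r"ip route-static .*\btrack (\d+)", header)
            if m and m.group(1) not in tracks:
                findings.append(("medium", f"'{header}': track {m.group(1)} is undefined; route not tied to any NQA probe"))
    for chains in psk_users.values():
        if len(chains) > 1:
            findings.append(("medium", f"the same PSK is reused in keychains {', '.join(chains)}; "
                                       "compromise of one branch exposes every tunnel"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(CONFIG):
        print(f"[{severity}] {message}")
```

Run it against a real saved configuration by replacing CONFIG with the output of display current-configuration; the parser keys on the "#" block separators Comware emits, so lost indentation (as in the thread above) does not matter. To clear the findings on the configuration from the thread, use exchange-mode main or an IKEv2 profile, a host mask on both the identity match and the pre-shared-key address, and a distinct key per branch.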
This is so complicated.