The branch and headquarters establish an IPsec tunnel. Because of security requirements, both sides must hide their real IP addresses from each other, so each LAN host is statically translated to a "hidden" address before the traffic enters the tunnel. The address mapping is as follows:
192.168.1.2--------11.156.15.2
192.168.2.2--------188.1.102.2
Headquarters configuration
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 172.168.1.1 255.255.255.0
nat outbound 3002
nat static enable
ipsec apply policy 1
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 192.168.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0 172.168.1.2
#
acl advanced 3000
rule 0 permit ip source 11.156.15.0 0.0.0.255 destination 188.1.102.0 0.0.0.255
#
acl advanced 3001
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 188.1.102.0 0.0.0.255
#
acl advanced 3002
rule 0 deny ip source 11.156.15.0 0.0.0.255 destination 188.1.102.0 0.0.0.255
rule 5 permit ip
#
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha1
#
ipsec policy 1 1 isakmp
transform-set 1
security acl 3000
local-address 172.168.1.1
remote-address 172.168.2.1
ike-profile 1
#
nat static outbound 192.168.1.2 11.156.15.2 acl 3001 reversible
#
ike profile 1
keychain 1
local-identity address 172.168.1.1
match remote identity address 172.168.2.1 255.255.255.255
match local address 172.168.1.1
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
#
ike keychain 1
pre-shared-key address 172.168.2.1 255.255.255.255 key cipher $c$3$q2ZNr6l8Ppj147aKkeLLNDOofxOajA==
#
Branch configuration
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 172.168.2.1 255.255.255.0
nat static enable
ipsec apply policy 1
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 192.168.2.1 255.255.255.0
#
ip route-static 0.0.0.0 0 172.168.2.2
#
acl advanced 3000
rule 0 permit ip source 188.1.102.0 0.0.0.255 destination 11.156.15.0 0.0.0.255
#
acl advanced 3001
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 11.156.15.0 0.0.0.255
#
acl advanced 3002
rule 0 deny ip source 188.1.102.0 0.0.0.255 destination 11.156.15.0 0.0.0.255
rule 5 permit ip
#
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha1
#
ipsec policy 1 1 isakmp
transform-set 1
security acl 3000
local-address 172.168.2.1
remote-address 172.168.1.1
ike-profile 1
#
nat static outbound 192.168.2.2 188.1.102.2 acl 3001 reversible
#
ike profile 1
keychain 1
local-identity address 172.168.2.1
match remote identity address 172.168.1.1 255.255.255.255
match local address 172.168.2.1
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
#
ike keychain 1
pre-shared-key address 172.168.1.1 255.255.255.255 key cipher $c$3$MWlDyiWv5eklRKunSbCXO0OgTDSX6w==
#
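The point of the three ACLs above is the order in which the router processes an outbound packet: the reversible static NAT (ACL 3001) rewrites the LAN host to its hidden address first, ACL 3002 then keeps that already-translated traffic out of the interface PAT, and only then does the IPsec policy compare the packet against ACL 3000, which is why ACL 3000 names the hidden prefixes and not the 192.168.x.0 LANs. The following Python model is an added example written for this page, not H3C code and not part of the original case. It assumes that processing order (static NAT, then outbound PAT, then IPsec on egress; ESP decapsulation, then reverse static NAT on ingress), uses the addresses and ACL numbers from the configurations above, treats the branch as not applying PAT (its config defines ACL 3002 but never binds "nat outbound 3002" to G0/0), and uses 203.0.113.9 as a constructed Internet destination.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Site:
    name: str
    private: str          # real host address (hidden from the peer)
    hidden: str           # address the peer is allowed to see
    wan: str              # IPsec tunnel endpoint
    private_net: str
    hidden_net: str
    peer_hidden_net: str
    pat_applied: bool     # True if "nat outbound 3002" is bound to the WAN interface

    def acls(self):
        """ACL 3000/3001/3002 as the page configures them, per side."""
        return {
            3000: [("permit", self.hidden_net, self.peer_hidden_net)],   # ipsec security acl
            3001: [("permit", self.private_net, self.peer_hidden_net)],  # static NAT scope
            3002: [("deny", self.hidden_net, self.peer_hidden_net),      # keep tunnel traffic out of PAT
                   ("permit", "0.0.0.0/0", "0.0.0.0/0")],
        }


# Addresses from the page. HQ applies "nat outbound 3002" on G0/0; the branch config shown
# defines ACL 3002 but does not apply it, so pat_applied=False there (an assumption of this model).
HQ = Site("zongbu", "192.168.1.2", "11.156.15.2", "172.168.1.1",
          "192.168.1.0/24", "11.156.15.0/24", "188.1.102.0/24", pat_applied=True)
BRANCH = Site("fenzhi", "192.168.2.2", "188.1.102.2", "172.168.2.1",
              "192.168.2.0/24", "188.1.102.0/24", "11.156.15.0/24", pat_applied=False)


def evaluate(rules, pkt):
    """First-match ACL evaluation; None means no rule matched."""
    for action, src_net, dst_net in rules:
        if ip_address(pkt.src) in ip_network(src_net) and ip_address(pkt.dst) in ip_network(dst_net):
            return action
    return None


def egress(site, peer, pkt, exempt_tunnel_traffic=True):
    """Assumed outbound order on the WAN interface: static NAT, then outbound PAT, then IPsec.

    Returns (packet as it enters the IPsec policy, processing steps, tunneled?).
    exempt_tunnel_traffic=False drops "rule 0 deny" from ACL 3002 to show why that rule is needed.
    """
    acls = site.acls()
    steps = []
    if pkt.src == site.private and evaluate(acls[3001], pkt) == "permit":
        pkt = Packet(site.hidden, pkt.dst)
        steps.append(f"nat static outbound: {site.private} -> {site.hidden}")
    if site.pat_applied:
        pat_rules = acls[3002] if exempt_tunnel_traffic else acls[3002][1:]
        if evaluate(pat_rules, pkt) == "permit":
            pkt = Packet(site.wan, pkt.dst)
            steps.append(f"nat outbound 3002: PAT to {site.wan}")
    if evaluate(acls[3000], pkt) == "permit":
        steps.append(f"ipsec policy 1: ESP tunnel {site.wan} -> {peer.wan}")
        return pkt, steps, True
    steps.append("no IPsec selector match: forwarded in clear")
    return pkt, steps, False


def ingress(site, pkt):
    """After ESP decapsulation, the reversible static NAT maps the hidden address back to the host."""
    if pkt.dst == site.hidden:
        return Packet(pkt.src, site.private)
    return pkt


def round_trip(src_site, dst_site):
    """ICMP echo from src_site's host to dst_site's hidden address, and the reply back."""
    request = Packet(src_site.private, dst_site.hidden)
    req_wire, req_steps, tunneled = egress(src_site, dst_site, request)
    req_at_peer = ingress(dst_site, req_wire)
    reply = Packet(req_at_peer.dst, req_at_peer.src)          # the real host answers
    reply_wire, reply_steps, reply_tunneled = egress(dst_site, src_site, reply)
    reply_at_origin = ingress(src_site, reply_wire)
    return {
        "request_on_wire": req_wire, "request_at_peer": req_at_peer,
        "reply_on_wire": reply_wire, "reply_at_origin": reply_at_origin,
        "both_tunneled": tunneled and reply_tunneled,
        "steps": req_steps + reply_steps,
    }


if __name__ == "__main__":
    for key, value in round_trip(BRANCH, HQ).items():
        print(key, value)
    # Without "rule 0 deny" in ACL 3002, HQ traffic is PAT'ed to 172.168.1.1 and misses ACL 3000.
    print(egress(HQ, BRANCH, Packet("192.168.1.2", "188.1.102.2"), exempt_tunnel_traffic=False))
```

Running the model reproduces what the NAT session tables in the verification section show: the request from the branch arrives at headquarters as 188.1.102.2 -> 11.156.15.2 and is delivered to 192.168.1.2, and the reply travels back as 11.156.15.2 -> 188.1.102.2. The same model also shows that traffic to an ordinary Internet address never matches ACL 3001, is PAT'ed to the interface address, and bypasses the tunnel, while removing the deny rule from ACL 3002 would PAT the tunnel traffic as well and leave it unencrypted. The 3des-cbc and md5 choices in the page's transform set and IKE proposal are kept here only to mirror the case; both are legacy algorithms.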
Verification
Ping 11.156.15.2 from the branch LAN, then view the IKE SA and IPsec SA on the branch:
[fenzhi]dis ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    1               172.168.1.1           RD           IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
[fenzhi]dis ipse s
[fenzhi]dis ipse sa
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------
-----------------------------
IPsec policy: 1
Sequence number: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1444
Tunnel:
local address: 172.168.2.1
remote address: 172.168.1.1
Flow:
sour addr: 188.1.102.0/255.255.255.0
port: 0 protocol: ip
dest addr: 11.156.15.0/255.255.255.0
port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3984720542 (0xed82029e)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843197/1785
Max received sequence-number: 24
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 3385141009 (0xc9c52711)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843197/1785
Max sent sequence-number: 24
UDP encapsulation used for NAT traversal: N
Status: Active
View the NAT session on the branch:
[fenzhi]dis nat session verbose
Slot 0:
Initiator:
  Source      IP/port: 192.168.2.2/206
  Destination IP/port: 11.156.15.2/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet0/1
Responder:
  Source      IP/port: 11.156.15.2/206
  Destination IP/port: 188.1.102.2/0
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet0/0
State: ICMP_REPLY
Application: OTHER
Start time: 2022-05-31 23:38:59  TTL: 25s
Initiator->Responder:            5 packets        420 bytes
Responder->Initiator:            5 packets        420 bytes
Total sessions found: 1
View the IKE SA and IPsec SA at headquarters:
<zongbu>dis ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    1               172.168.2.1           RD           IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<zongbu>dis ipse
<zongbu>dis ipsec sa
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------
-----------------------------
IPsec policy: 1
Sequence number: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1444
Tunnel:
local address: 172.168.1.1
remote address: 172.168.2.1
Flow:
sour addr: 11.156.15.0/255.255.255.0
port: 0 protocol: ip
dest addr: 188.1.102.0/255.255.255.0
port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3385141009 (0xc9c52711)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843197/1617
Max received sequence-number: 29
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 3984720542 (0xed82029e)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843197/1617
Max sent sequence-number: 29
UDP encapsulation used for NAT traversal: N
Status: Active
View the NAT session at headquarters:
[zongbu]dis nat session verbose
Slot 0:
Initiator:
  Source      IP/port: 188.1.102.2/207
  Destination IP/port: 11.156.15.2/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet0/0
Responder:
  Source      IP/port: 192.168.1.2/207
  Destination IP/port: 188.1.102.2/0
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet0/1
State: ICMP_REPLY
Application: OTHER
Start time: 2022-05-31 23:40:50  TTL: 27s
Initiator->Responder:            5 packets        420 bytes
Responder->Initiator:            5 packets        420 bytes
Total sessions found: 1
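The two "dis ipsec sa" dumps above are only consistent if the branch's inbound SPI equals the headquarters' outbound SPI (and vice versa), the flow selectors are mirror images, and the selectors carry only the hidden prefixes rather than the real 192.168.x.0 LANs. The script below, an added example written for this page and not H3C tooling, automates that check over the page's own output. The two text constants are abridged excerpts of the dumps above, limited to the fields the check reads; LAN_PREFIXES lists the page's two real LANs.

```python
import re

# Abridged excerpts of the page's "dis ipsec sa" output on each side (only the fields checked here).
BRANCH_SA = """\
Flow:
    sour addr: 188.1.102.0/255.255.255.0  port: 0  protocol: ip
    dest addr: 11.156.15.0/255.255.255.0  port: 0  protocol: ip
[Inbound ESP SAs]
    SPI: 3984720542 (0xed82029e)
    Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
    Anti-replay check enable: Y
    UDP encapsulation used for NAT traversal: N
[Outbound ESP SAs]
    SPI: 3385141009 (0xc9c52711)
    Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
    UDP encapsulation used for NAT traversal: N
"""

HQ_SA = """\
Flow:
    sour addr: 11.156.15.0/255.255.255.0  port: 0  protocol: ip
    dest addr: 188.1.102.0/255.255.255.0  port: 0  protocol: ip
[Inbound ESP SAs]
    SPI: 3385141009 (0xc9c52711)
    Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
    Anti-replay check enable: Y
    UDP encapsulation used for NAT traversal: N
[Outbound ESP SAs]
    SPI: 3984720542 (0xed82029e)
    Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
    UDP encapsulation used for NAT traversal: N
"""

LAN_PREFIXES = ("192.168.1.", "192.168.2.")   # real networks that must never appear in a selector


def parse_ipsec_sa(text):
    """Pull the flow selector, SPIs, transform sets and flags out of 'display ipsec sa' output."""
    def field(pattern, flags=0):
        m = re.search(pattern, text, flags)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1)
    return {
        "src": field(r"sour addr:\s*(\S+)"),
        "dst": field(r"dest addr:\s*(\S+)"),
        "in_spi": int(field(r"\[Inbound ESP SAs\].*?SPI:\s*(\d+)", re.S)),
        "out_spi": int(field(r"\[Outbound ESP SAs\].*?SPI:\s*(\d+)", re.S)),
        "transforms": set(re.findall(r"Transform set:\s*(.+)", text)),
        "anti_replay": field(r"Anti-replay check enable:\s*(\w)"),
        "nat_t": set(re.findall(r"NAT traversal:\s*(\w)", text)),
    }


def check_sa_pair(local, remote):
    """Return a list of findings; an empty list means the two dumps describe one consistent tunnel."""
    findings = []
    if local["in_spi"] != remote["out_spi"] or local["out_spi"] != remote["in_spi"]:
        findings.append("SPIs are not mirrored (inbound on one side must be outbound on the other)")
    if (local["src"], local["dst"]) != (remote["dst"], remote["src"]):
        findings.append("flow selectors are not mirror images of each other")
    if local["transforms"] != remote["transforms"]:
        findings.append("transform sets differ")
    for side, sa in (("local", local), ("remote", remote)):
        if sa["anti_replay"] != "Y":
            findings.append(f"{side}: anti-replay check disabled")
        for selector in (sa["src"], sa["dst"]):
            if selector.startswith(LAN_PREFIXES):
                findings.append(f"{side}: selector {selector} exposes a real LAN prefix")
    return findings


if __name__ == "__main__":
    branch, hq = parse_ipsec_sa(BRANCH_SA), parse_ipsec_sa(HQ_SA)
    print("branch SPIs in/out:", branch["in_spi"], branch["out_spi"])
    print("hq SPIs in/out:    ", hq["in_spi"], hq["out_spi"])
    print("findings:", check_sa_pair(branch, hq) or "none")
```

On the page's output the check returns no findings: SPI 0xed82029e is inbound on the branch and outbound at headquarters, 0xc9c52711 the reverse, and both selectors are built from 11.156.15.0/24 and 188.1.102.0/24 only. A selector that showed 192.168.1.0 instead would mean the static NAT did not apply before IPsec, which the script reports as an exposed LAN prefix.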
1、nat static outbound 192.168.2.2 188.1.102.2 acl 3001 reversible
2、
3、