F5040_1-1/0/1-----------专网--------reth1-F5040_2_IRF---环回lo0
其中F5040_2_IRF的外网口reth1及建立vpn使用的地址lo0加入vpn实例,与远端F5040_1对接ipsec vpn
跨专网对接ipsec vpn时设备部分接口加入vpn-instance
带有vpn实例的ipsec对接中注意在部分参数中必须带上vpn-instance否则vpn无法正常建立
1、不带实例侧F5040_1配置,安全策略正常放通
interface Route-Aggregation1
ip address 10.101.1.34 255.255.255.252
interface LoopBack999
ip address 3.3.3.3 255.255.255.255
interface GigabitEthernet1/0/1
ip address 117.x.x.46 255.255.255.252
ipsec apply policy uni
acl advanced 3333
rule 1 permit ip source 10.101.1.34 0 destination 10.0.54.254 0
rule 5 permit ip source 3.3.3.3 0 destination 3.3.3.4 0
ipsec policy uni 90 isakmp
transform-set 1
security acl 3333
local-address 117.x.x.46
remote-address 113.x.x.14
ike-profile 1
sa duration time-based 3600
ike profile 1
keychain 1
local-identity address 117.x.x.46
match remote identity address 111.x.x.254 255.255.255.255
match local address GigabitEthernet1/0/1
proposal 1
proposal 1
ike keychain 1
pre-shared-key address 111.x.x.254 255.255.255.255 key cipher $c$3$yLmco62beRq851i6O68iGJaI1ZzEVj7Q2g==
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
ip route-static 0.0.0.0 0 117.x.x.45
2、带实例侧F5040_2_IRF 配置,放通安全策略需要带上vrf
ip vpn-instance 6uffjmj4198n58iff9qvgur2oh
interface Reth1 //外网口加入实例
ip binding vpn-instance 6uffjmj4198n58iff9qvgur2oh
ip address 10.x.x.2 255.255.255.0
ipsec apply policy ipsecpolicy
interface LoopBack0 //对端ipsec指向本端地址所在接口
ip binding vpn-instance 6uffjmj4198n58iff9qvgur2oh
ip address 113.x.x.14 255.255.255.255
ipsec policy ipsecpolicy 90 isakmp
transform-set 1
security acl 3210
local-address 113.x.x.14
remote-address 117.x.x.46
ike-profile 1
sa duration time-based 3600
ike profile 1
keychain 1
local-identity address 113.x.x.14
match remote identity address 117.x.x.46 255.255.255.255 vpn-instance 6uffjmj4198n58iff9qvgur2oh //必须带实例
match local address 113.x.x.14 vpn-instance 6uffjmj4198n58iff9qvgur2oh //必须带实例
proposal 1
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
ike keychain 1 vpn-instance 6uffjmj4198n58iff9qvgur2oh //必须带实例
pre-shared-key address 117.x.x.46 255.255.255.255 key cipher $c$3$urvNF+FT3HU43MbjdvOj+RUJhkPoCpSpsw==
acl advanced 3210
rule 0 permit ip vpn-instance 6uffjmj4198n58iff9qvgur2oh source 10.0.54.254 0 destination 10.101.1.34 0 counting //保护数据流带实例
rule 5 permit ip vpn-instance 6uffjmj4198n58iff9qvgur2oh source 3.3.3.4 0 destination 3.3.3.3 0 //保护数据流带实例
ip route-static vpn-instance 6uffjmj4198n58iff9qvgur2oh 0.0.0.0 0 10.x.x.254 //vpn-instance添加默认路由从reth1出
该案例暂时没有网友评论
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作