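The MSR810 interoperates with a Cisco device over mGRE: our device acts as the NHC and the Cisco device acts as the NHS. Currently the MSR G2 supports only the NHC role, not the NHS role.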
! cisco
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key test address 0.0.0.0
!
crypto ipsec transform-set 1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile 1
 set transform-set 1
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel1
 ip address 112.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication 123456
 ip nhrp network-id 9
 ip nhrp holdtime 3600
 ip ospf network broadcast
 ip ospf 1 area 0
 tunnel source 172.32.65.131
 tunnel mode gre multipoint
 tunnel protection ipsec profile 1
!
interface GigabitEthernet1
 ip address 172.32.65.131 255.255.0.0
 negotiation auto
 no mop enabled
 no mop sysid
!
router ospf 1
 router-id 1.1.1.1
!
ip route 0.0.0.0 0.0.0.0 172.32.1.255
ip route 168.32.0.0 255.255.0.0 172.32.1.255
# msr810
ip vpn-instance 1
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
#
interface LoopBack1
 ip address 2.2.2.2 255.255.255.255
 ospf 1 area 0.0.0.0
#
interface GigabitEthernet0/4
 port link-mode route
 ip binding vpn-instance 1
 ip address 168.32.65.7 255.255.0.0
#
interface Tunnel1 mode mgre
 ip address 112.0.0.2 255.255.255.0
 ospf network-type broadcast
 ospf 1 area 0.0.0.0
 source GigabitEthernet0/4
 tunnel vpn-instance 1
 nhrp network-id 9
 nhrp authentication simple 123456
 nhrp holdtime 3600
 nhrp nhs 112.0.0.1 nbma 172.32.65.131
 tunnel protection ipsec profile 1
#
ip route-static 0.0.0.0 0 192.168.6.1
ip route-static vpn-instance 1 172.32.0.0 16 168.32.1.255
#
ipsec transform-set 1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
#
ipsec profile 1 isakmp
 transform-set 1
#
ike keychain 1 vpn-instance 1
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple test
#
<msr810a>disp mgre session
Interface : Tunnel1
Number of sessions: 1
Peer NBMA address Peer protocol address Type State State duration
172.32.65.131 112.0.0.1 C-S Succeeded 00:04:25
<msr810a>disp mgre session v
Interface : Tunnel1
Link protocol : IPsec-GRE
Number of sessions: 1
Peer NBMA address : 172.32.65.131
Peer protocol address: 112.0.0.1
Session type : C-S
SA's SPI :
inbound: 3145967776 (0xbb83a8a0) [ESP]
outbound: 3165846560 (0xbcb2fc20) [ESP]
State : Succeeded
State duration : 00:04:27
Input : 252 packets, 252 data packets, 0 control packets,
4 multicasts, 0 errors
Output: 247 packets, 247 data packets, 0 control packets,
33 multicasts, 0 errors
<msr810a>
<msr810a>disp ike sa
Connection-ID Local Remote Flag DOI
-------------------------------------------------------------------------
65 168.32.65.7 172.32.65.131 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<msr810a>
<msr810a>disp ipsec tunnel
Tunnel ID: 1
Status: Active
Perfect forward secrecy:
Inside vpn-instance:
SA's SPI:
outbound: 3165846560 (0xbcb2fc20) [ESP]
inbound: 3145967776 (0xbb83a8a0) [ESP]
Tunnel:
local address: 168.32.65.7
remote address: 172.32.65.131
Flow:
sour addr: 168.32.65.7/255.255.255.255 port: 0 protocol: gre
dest addr: 172.32.65.131/255.255.255.255 port: 0 protocol: gre
<msr810a>
<msr810a>ping -a 2.2.2.2 1.1.1.1
Ping 1.1.1.1 (1.1.1.1) from 2.2.2.2: 56 data bytes, press CTRL+C to break
56 bytes from 1.1.1.1: icmp_seq=0 ttl=255 time=2.601 ms
56 bytes from 1.1.1.1: icmp_seq=1 ttl=255 time=2.255 ms
56 bytes from 1.1.1.1: icmp_seq=2 ttl=255 time=2.252 ms
56 bytes from 1.1.1.1: icmp_seq=3 ttl=255 time=2.230 ms
56 bytes from 1.1.1.1: icmp_seq=4 ttl=255 time=2.233 ms
--- Ping statistics for 1.1.1.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.230/2.314/2.601/0.144 ms
<msr810a>
<msr810a>disp ip rout 1.1.1.1
Summary count : 2
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 192.168.6.1 GE0/2
1.1.1.1/32 O_INTRA 10 1563 112.0.0.1 Tun1
<msr810a>
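As an added example (not part of the original case and not H3C tooling), the following Python cross-checks the `disp mgre session v` and `disp ipsec tunnel` output above to confirm that the mGRE session to the NHS is actually carried in the IPsec SAs: IPsec-GRE link protocol, matching SPIs, and a GRE flow to the NHS NBMA address. The function names are hypothetical, and the embedded text is copied from the output on this page, trimmed to the fields the check reads.

```python
import re

# Output copied from the MSR810 session on this page, trimmed to the fields read below.
MGRE_VERBOSE = """\
Link protocol : IPsec-GRE
Peer NBMA address : 172.32.65.131
SA's SPI :
inbound: 3145967776 (0xbb83a8a0) [ESP]
outbound: 3165846560 (0xbcb2fc20) [ESP]
State : Succeeded
"""
IPSEC_TUNNEL = """\
Status: Active
SA's SPI:
outbound: 3165846560 (0xbcb2fc20) [ESP]
inbound: 3145967776 (0xbb83a8a0) [ESP]
remote address: 172.32.65.131
sour addr: 168.32.65.7/255.255.255.255 port: 0 protocol: gre
dest addr: 172.32.65.131/255.255.255.255 port: 0 protocol: gre
"""

def field(text, name):
    """Value of a 'name : value' line, or None if the line is absent (hypothetical helper)."""
    m = re.search(rf"^\s*{re.escape(name)}[ \t]*:[ \t]*(\S+)", text, re.M)
    return m.group(1) if m else None

def spis(text):
    """Map 'inbound'/'outbound' to the decimal SPI shown for that direction."""
    return {d: int(n) for d, n in re.findall(r"^\s*(inbound|outbound):\s*(\d+)", text, re.M)}

def check_protection(mgre, ipsec):
    """Return a list of problems; an empty list means the session rides the IPsec SAs."""
    problems = []
    peer = field(mgre, "Peer NBMA address")
    if field(mgre, "Link protocol") != "IPsec-GRE":
        problems.append("mGRE session link protocol is not IPsec-GRE")
    if field(mgre, "State") != "Succeeded" or field(ipsec, "Status") != "Active":
        problems.append("session or IPsec tunnel is not up")
    if not spis(mgre) or spis(mgre) != spis(ipsec):
        problems.append("session SPIs do not match the IPsec tunnel SPIs")
    if field(ipsec, "remote address") != peer:
        problems.append("IPsec tunnel peer differs from the NHS NBMA address")
    dest = re.search(r"^\s*dest addr:\s*([\d.]+)/\S+.*protocol:\s*(\S+)", ipsec, re.M)
    if not dest or dest.groups() != (peer, "gre"):
        problems.append("IPsec flow does not select GRE to the NHS")
    return problems

if __name__ == "__main__":
    print(check_protection(MGRE_VERBOSE, IPSEC_TUNNEL) or "mGRE session is IPsec-protected")
```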