总部分公司SD-WAN+IPSEC双链路互联配置实例(3)

Datacom

目录:


总部与分公司GRE over IPSEC配置

一、缺省路由配置

建立IPSEC之前,要确认外网路由器相互可访问。既路由器公网地址互通。

1.1-C5外网防火墙-R2配置:

[C5-R2]ip route-s 0.0.0.0 0 113.98.160.1

1.2-总部大楼外网防火墙-R3配置:

[Zongbu-R3]ip route-s 0.0.0.0 0 149.176.37.1

1.3-分公司外网防火墙-R5配置:

[FGS-R5]ip route-s 0.0.0.0 0 14.29.117.1

此时,R2、R3、R5公网地址可以相互ping通,如图1

总部分公司SD-WAN+IPSEC双链路互联配置实例(3)-下一朵云
图1 公网地址互通测试

二、IPSEC配置

总部分公司SD-WAN+IPSEC双链路互联配置实例(3)-下一朵云
图2 IPSEC隧道

2.1-C5外网防火墙-R2配置:

(1)acl设置

[C5-R2]acl advanced 3000
[C5-R2-acl-ipv4-adv-3000]rule permit ip source 113.98.160.2 0 destination 14.29.117.2 0

(2)ipsec安全提议

[C5-R2]ipsec transform-set tran1
[C5-R2-ipsec-transform-set-tran1] esp encryption-algorithm 3des-cbc
[C5-R2-ipsec-transform-set-tran1] esp authentication-algorithm md5

(3)ike安全提议

#默认

(4)预共享密钥

[C5-R2]ike keychain key1
[C5-R2-ike-keychain-key1] pre-shared-key address 14.29.117.2 255.255.255.0 key simple 12345

(5)ipsec安全策略

[C5-R2]ipsec policy policy1 10 isakmp
[C5-R2-ipsec-policy-isakmp-policy1-10] transform-set tran1
[C5-R2-ipsec-policy-isakmp-policy1-10] local-address 113.98.160.2
[C5-R2-ipsec-policy-isakmp-policy1-10] remote-address 14.29.117.2
[C5-R2-ipsec-policy-isakmp-policy1-10] security acl 3000

(6)接口应用ipsec安全策略

[C5-R2]int g0/1
[C5-R2-GigabitEthernet0/1]ipsec apply policy policy1

2.2-分公司外网防火墙-R5配置:

同上2.1的步骤配置分公司防火墙-R5连接C5防火墙-R2,配置命令如下:

[FGS-R5]acl adv 3000
[FGS-R5-acl-ipv4-adv-3000]rule permit ip source 14.29.117.2 0 destination 113.98.160.2 0
[FGS-R5-acl-ipv4-adv-3000]qu
[FGS-R5]ipsec transform-set tran1
[FGS-R5-ipsec-transform-set-tran1]esp authentication-algorithm md5
[FGS-R5-ipsec-transform-set-tran1]esp encryption-algorithm 3des-cbc
[FGS-R5-ipsec-transform-set-tran1]qu
[FGS-R5]ike keychain key1
[FGS-R5-ike-keychain-key1]pre-shared-key address 113.98.160.2 255.255.255.0 key simple 12345
[FGS-R5-ike-keychain-key1]qu
[FGS-R5]ipsec policy policy1 10 isakmp
[FGS-R5-ipsec-policy-isakmp-policy1-10]transform-set tran1
[FGS-R5-ipsec-policy-isakmp-policy1-10]local-address 14.29.117.2
[FGS-R5-ipsec-policy-isakmp-policy1-10]remote-address 113.98.160.2
[FGS-R5-ipsec-policy-isakmp-policy1-10]security acl 3000
[FGS-R5-ipsec-policy-isakmp-policy1-10]qu
[FGS-R5]int g0/0
[FGS-R5-GigabitEthernet0/0]ipsec apply policy policy1

此时先ping一下c5防火墙-R2的公网地址113.98.160.2,然后使用命令查看ike sa和ipsec sa已经建立成功,如图3

[C5-R2]dis ike sa
[C5-R2]dis ipsec sa
总部分公司SD-WAN+IPSEC双链路互联配置实例(3)-下一朵云
图3 IPSEC SA

同样的,配置分公司防火墙-R5到总部防火墙-R3的IPSEC隧道。配置如下:

[FGS-R5]acl adv 3001
[FGS-R5-acl-ipv4-adv-3001]rule permit ip source 14.29.117.2 0 destination 149.176.37.2 0
[FGS-R5-acl-ipv4-adv-3001]qu
[FGS-R5]ike keychain key1
[FGS-R5-ike-keychain-key1]pre-shared-key address 149.176.37.2 24 key simple 12345
[FGS-R5-ike-keychain-key1]qu
[FGS-R5]ipsec policy policy1 20 isakmp
[FGS-R5-ipsec-policy-isakmp-policy1-20]transform-set tran1
[FGS-R5-ipsec-policy-isakmp-policy1-20]local-address 14.29.117.2
[FGS-R5-ipsec-policy-isakmp-policy1-20]remote-address 149.176.37.2
[FGS-R5-ipsec-policy-isakmp-policy1-20]security acl 3001

2.3-总部大楼外网防火墙-R3配置:

[Zongbu-R3]acl advanced 3000
[Zongbu-R3-acl-ipv4-adv-3000]rule permit ip source 149.176.37.2 0 destination 14.29.117.2 0
[Zongbu-R3-acl-ipv4-adv-3000]qu
[Zongbu-R3]ipsec transform-set tran1
[Zongbu-R3-ipsec-transform-set-tran1]esp authentication-algorithm md5
[Zongbu-R3-ipsec-transform-set-tran1]esp encryption-algorithm 3des-cbc
[Zongbu-R3-ipsec-transform-set-tran1]qu
[Zongbu-R3]ike keychain key1
[Zongbu-R3-ike-keychain-key1]pre-shared-key address 14.29.117.2 24 key simple 12345
[Zongbu-R3-ike-keychain-key1]qu
[Zongbu-R3]ipsec policy policy1 10 isakmp
[Zongbu-R3-ipsec-policy-isakmp-policy1-10]transform-set tran1
[Zongbu-R3-ipsec-policy-isakmp-policy1-10]local-address 149.176.37.2
[Zongbu-R3-ipsec-policy-isakmp-policy1-10]remote-address 144.29.117.2
[Zongbu-R3-ipsec-policy-isakmp-policy1-10]security acl 3000
[Zongbu-R3-ipsec-policy-isakmp-policy1-10]qu
[Zongbu-R3]int g0/1
[Zongbu-R3-GigabitEthernet0/1]ipsec apply policy policy1

此时,总部大楼外网防火墙-R3可以ping通分公司外网防火墙-R5。且在R3、R5上可以看到ike sa和ipsec sa,R5上会有两条记录。如图4为R3上的查看结果,图5为R5上的查看结果。

总部分公司SD-WAN+IPSEC双链路互联配置实例(3)-下一朵云
图4 R3上查看ike sa和ipsec sa
总部分公司SD-WAN+IPSEC双链路互联配置实例(3)-下一朵云
图5 R5上查看ike sa和ipsec sa

三、GRE配置

3.1-分公司外网防火墙-R5配置:

[FGS-R5]interface Tunnel0 mode gre
[FGS-R5-Tunnel0]ip address 11.1.1.5 255.255.255.0
[FGS-R5-Tunnel0]source 14.29.117.2
[FGS-R5-Tunnel0]destination 113.98.160.2
[FGS-R5-Tunnel0]qu
[FGS-R5]int tunnel1 mode gre
[FGS-R5-Tunnel1]ip add 11.1.2.5 24
[FGS-R5-Tunnel1]source 14.29.117.2
[FGS-R5-Tunnel1]destination 149.176.37.2

3.2-C5外网防火墙-R2配置:

[C5-R2]int tunnel0 mode gre
[C5-R2-Tunnel0]ip add 11.1.1.2 24
[C5-R2-Tunnel0]source 113.98.160.2
[C5-R2-Tunnel0]destination 14.29.117.2

3.3-总部外网防火墙-R3配置:

[Zongbu-R3]int tunnel0 mode gre
[Zongbu-R3-Tunnel0]ip add 11.1.2.3 24
[Zongbu-R3-Tunnel0]source 149.176.37.2
[Zongbu-R3-Tunnel0]destination 14.29.117.2
>>本文为下一朵云的原创文章,转载请附上原文出处链接及本声明
>>原文链接地址:总部分公司SD-WAN+IPSEC双链路互联配置实例(3)

暂无评论

发表评论

电子邮件地址不会被公开。 必填项已用*标注