全部栏目

首页 旅游资讯 线路攻略 景点大全 国内游 境外游 美食特产
您的当前位置:首页正文

DVPN over IPSEC over OSPF的典型配置案例

2020-08-10 来源:星星旅游
DVPNoverIPSECoverOSPF的典型配置案例

技术支持中心:赵彪04708

组网需求

分支和中心采用DVPN进行互通,同时要求私网网段之间的数据流采用IPSEC隧道加密传输,分支和中心之间采用OSPF动态路由协议。组网图

配置步骤1.配置中心

配置本端IKE名称ikelocal-namezhongxin配置IKE参数ikepeer1exchange-modeaggressivepre-shared-key123456id-typenameremote-namefenzhinattraversal创建安全提议,采用默认参数ipsecproposal1创建IPSEC模板,并引用IKE和安全提议ipsecpolicy-templatetemp1ike-peer1proposal1创建IPSEC策略ipsecpolicypol11isakmptemplatetemp定义NAT转换的ACLaclnumber3000rule0permitipsource192.168.1.00.0.0.255rule1denyip

1

配置外网口interfaceEthernet1/0ipaddress202.38.1.2255.255.255.0natoutbound3000ipsecpolicypol1配置内网口interfaceE0/0ipaddress192.168.1.1255.255.255.0配置DVPN隧道接口interfaceTunnel1ipaddress10.0.0.1255.255.255.0tunnel-protocoludpdvpnsourceLoopBack0dvpninterface-typeserverdvpndvpn-id100ospfnetwork-typep2mp配置loopback地址,用作DVPN的外层IP封装interfaceLoopBack0ipaddress1.1.1.1255.255.255.255将接口加入到区域firewallzonetrustaddinterfaceEthernet1/0setpriority85firewallzoneuntrustaddinterfaceEthernet0/0addinterfaceTunnel1setpriority5配置OSPFospf1area0.0.0.0network10.0.0.00.0.0.255network192.168.1.00.0.0.255启动dvpn服务dvpnserviceenable配置默认路由iproute-static0.0.0.00.0.0.0202.38.1.12.配置Internet路由器接口配置interfaceEthernet0/0ipaddress202.38.1.1255.255.255.0interfaceEthernet0/1ipaddress61.1.1.1255.255.255.0将接口加入到区域

2

firewallzoneuntrustaddinterfaceEthernet0/0addinterfaceEthernet0/1setpriority5

3.配置分支配置本端IKE名称ikelocal-namefenzhi配置IKE参数ikepeer1exchange-modeaggressivepre-shared-key123456id-typenameremote-namezhongxinremote-address202.38.1.2nattraversal创建安全提议,采用默认参数ipsecproposal1创建IPSEC策略ipsecpolicypol11isakmpsecurityacl3000ike-peer1proposal1配置DVPNServer的息dvpnclasszhongxinpublic-ip1.1.1.1private-ip10.0.0.1指定去往中心私网的数据流aclnumber3000rule0permitipsource1.1.1.20destination1.1.1.10rule1denyip定义natoutbound的网段aclnumber3001rule0denyipsource192.168.2.00.0.0.255destination192.168.1.00.0.0.255rule1denyipsource1.1.1.20destination1.1.1.10rule2denyip配置外网口interfaceEthernet0/0ipaddress61.1.1.2255.255.255.0natoutbound3001ipsecpolicypol1配置内网口interfaceEthernet1/0

3

ipaddress192.168.2.1255.255.255.0配置DVPN隧道接口interfaceTunnel1ipaddress10.0.0.2255.255.255.0tunnel-protocoludpdvpnsourceLoopBack0dvpndvpn-id100dvpnserverzhongxinospfnetwork-typep2mp配置loopback地址,用作DVPN的外层IP封装interfaceLoopBack0ipaddress1.1.1.2255.255.255.255将接口加入到区域firewallzonetrustaddinterfaceEthernet1/0setpriority85firewallzoneuntrustaddinterfaceEthernet0/0addinterfaceTunnel1setpriority5配置OSPFospf1area0.0.0.0network10.0.0.00.0.0.255network192.168.2.00.0.0.255启动dvpn服务dvpnserviceenable配置默认路由iproute-static0.0.0.00.0.0.061.1.1.1配置关键点

1、SecPath安全产品V1R6版本DVPN服务默认是关闭的;2、Tunnel口下,指定OSPF的网络类型为P2MP类型;

3、启用ospf,包含Tunnel网段和私网网段,注意不要包含Loopback地址。

4

因篇幅问题不能全部显示,请点此查看更多更全内容

查看全文