公司内部的网络并不是很复杂,典型的星型结构。总部与多个分支建立了VPN,同时还需要跑一些组播以及OSPF的东西,所以采用了比较经典的 GRE OVER IPSEC 的配置。之前的H3C设备上配置没有发现什么问题,但最近基于设备性能的考虑准备换用华为的AR系列产品。相对而言华为的设备较H3C价格稍贵,但性能上要强不少。此次使用的设备主要是华为AR2220以及AR151。 华为设备在配置ipsec vpn的时候如果采用传统的方式配置则每个2220路由器只能和16个分支建立vpn连接,超过16个变无法配置成功。对于这个问题华为提出了在核心网一侧的路由器上采用策略模板的方式来建立多个ipsec vpn,这种方式在核心网一侧不需要配置ACL,在分支一侧需要指定acl。另外如果华为跟其他厂商的设备配置IPSEC VPN 则应该选择配置v1版本的ike peer。以下是我核心网采用2220 分支采用151的配置。 网络结构比较简单,拓扑图如下:
<SZ_CR_1>disp cur [V200R002C01SPC200] # sysname SZ_CR_1 # snmp-agent local-engineid 800007DB03E0247F20C08B snmp-agent # drop illegal-mac alarm # acl number 3000 # ipsec proposal 1 # ike peer br v1 pre-shared-key simple 123 local-address 202.96.1.9 # ipsec policy-template br 1 ike-peer br proposal 1 # ipsec policy cr 1 isakmp template br # aaa authentication-scheme default authorization-scheme default accounting-scheme default domain default domain default_admin local-user admin password cipher %$%${*|FV4WA)E/|SkH9I0I7gulc%$%$ local-user admin privilege level 3 local-user admin service-type telnet ssh # interface GigabitEthernet0/0/0 description connect to sz_cs_1/0/0/48 ip address 20.0.29.1 255.255.255.252 # interface GigabitEthernet0/0/1 description connect to internet ip address 202.96.1.1 255.255.255.252 ipsec policy cr # interface GigabitEthernet0/0/2 # interface NULL0 # interface Tunnel0/0/0 description connect to sz_brr_1 ip address 20.0.1.1 255.255.255.248 tunnel-protocol gre source 202.96.1.9 destination 202.96.1.1 # ip route-static 20.0.0.0 255.255.255.248 Tunnel0/0/0 ip route-static 202.96.0.0 255.255.0.0 202.96.1.2 # user-interface con 0 authentication-mode password set authentication password cipher %$%$}vVu=u!Vr.+&il)6m3#',"vm+Mx[TaMW!+abu=@)VPR#(|w%$%$ user-interface vty 0 4 authentication-mode aaa user-interface vty 16 20 # voice # diagnose # Return <sz_br_1>disp cur [V200R002C01SPC200] # sysname sz_br_1 # snmp-agent local-engineid 800007DB03CCCC8174F532 snmp-agent # drop illegal-mac alarm # acl number 3000 rule 0 permit ip source 202.96.1.9 0.0.0.0 destination 202.96.1.1 0.0.0.0 # ipsec proposal 1 # ike peer cr v1 pre-shared-key simple 123 local-address 202.96.1.9 remote-address 202.96.1.1 # ipsec policy br 1 isakmp security acl 3000 ike-peer cr proposal 1 # aaa authentication-scheme default authorization-scheme default accounting-scheme default domain default domain default_admin local-user admin password cipher %$%$Z'#iOA:^$!]-{U(C97{XhH~6%$%$ local-user admin privilege level 3 local-user admin service-type telnet ssh # interface Vlanif1 ip address 20.0.0.1 255.255.255.248 # interface Ethernet0/0/0 port link-type access # interface Ethernet0/0/1 # interface Ethernet0/0/2 # interface Ethernet0/0/3 # interface Ethernet0/0/4 description connect to internet ip address 202.96.1.9 255.255.255.252 ipsec policy br # interface NULL0 # interface Tunnel0/0/0 description connect to sz_cr_1 ip address 20.0.1.2 255.255.255.248 tunnel-protocol gre source 202.96.1.1 destination 202.96.1.9 # ip route-static 20.0.0.0 255.255.0.0 Tunnel0/0/0 ip route-static 202.96.0.0 255.255.0.0 202.96.1.10 # user-interface con 0 authentication-mode password set authentication password cipher %$%$n~z&;^8SvD+%tH'4{pn0,md[".Y^'ppeO$Ut&ZSQb*73*sje%$%$ user-interface vty 0 authentication-mode aaa user privilege level 15 user-interface vty 1 4 authentication-mode aaa user-interface vty 16 20 # voice # diagnose # return <sz_br_1> |
不良信息举报Q:2000617|Archiver|ROS软路由论坛 ROSABC.com 网络方案网络工程交流
GMT+8, 2025-11-6 18:01 , Processed in 0.036073 second(s), 15 queries .
Powered by Discuz! X3.4
Copyright © 2001-2021, Tencent Cloud.
