H3C-v7版本-ipsec-over-gre配置指导

Ipsecovergre配置RT1和RT3用环回口来模拟私网上的接口。它们的封装方式是先封装ipsec，然后在进行gre的封装，所以在ipsec的ACL中要匹配的事两端私网的地址。报文的封装格式：IP公|gre|ip头|esp头|ip私|date|esp尾RT1的主要配置：进入系统试图H3Csystem-view配置接口IP[H3C]interfaceGigabitEthernet0/0[H3C-GigabitEthernet0/0]ipaddress10.1.1.124创建环回接口：[H3C-GigabitEthernet0/0]quit[H3C]interfaceLoopBack0[H3C-LoopBack0]ipaddress192.168.1.132创建Tunnel口：[H3C-LoopBack0]quit[H3C]interfaceTunnel0modegre[H3C-Tunnel0]ipaddress100.1.1.124指定Tunnel口源接口地址[H3C-Tunnel0]source10.1.1.1指定Tunnel口目的端地址[H3C-Tunnel0]destination20.1.1.2[H3C-Tunnel0]quit创建访问控制列表[H3C]acladvanced3000[H3C-acl-ipv4-adv-3000]rule0permitipsource192.168.1.10.0.0.0destination192.168.2.10.0.0.0[H3C-acl-ipv4-adv-3000]quit创建ipsec安全提议tran1[H3C]ipsectransform-settran1指定安全协议的工作模式为隧道模式[H3C-ipsec-transform-set-tran1]encapsulation-modetunnel选择安全协议为esp[H3C-ipsec-transform-set-tran1]protocolesp加密算法为des[H3C-ipsec-transform-set-tran1]espencryption-algorithmdes-cbc验证算法为md5[H3C-ipsec-transform-set-tran1]espauthentication-algorithmmd5[H3C-ipsec-transform-set-tran1]quit配置ikekaychain，创建ike1[H3C]ikekeychainike1配置对端tunnel口的IP和使用的预共享秘钥[H3C-ike-keychain-ike1]pre-shared-keyaddress100.1.1.224keysimple123[H3C-ike-keychain-ike1]quit创建ikeprofile，名称为profile1[H3C]ikeprofileprofile1绑定ikekeychain[H3C-ike-profile-profile1]keychainike1配置本地封装的IP地址[H3C-ike-profile-profile1]local-identityaddress100.1.1.1配置对端封装的IP地址[H3C-ike-profile-profile1]matchremoteidentityaddress100.1.1.224[H3C-ike-profile-profile1]quit创建一条ike协商方式的ipsec安全策略，序列号为1，名字为policy1[H3C]ipsecpolicypolicy11isakmp指定引用ACL3000[H3C-ipsec-policy-isakmp-policy1-1]securityacl3000指定引用的ikeprofile为profile1[H3C-ipsec-policy-isakmp-policy1-1]ike-profileprofile1指定引用的安全协议为tran1[H3C-ipsec-policy-isakmp-policy1-1]transform-settran1指定对端隧道地址[H3C-ipsec-policy-isakmp-policy1-1]remote-address100.1.1.2[H3C-ipsec-policy-isakmp-policy1-1]quit进入Tunnel0[H3C]interfaceTunnel0把ipsec策略在Tunnel口生效[H3C-Tunnel0]ipsecapplypolicypolicy1在三个路由器之间使用rip路由协议[H3C]rip[H3C-rip-1]version2[H3C-rip-1]undosummary[H3C-rip-1]network10.1.1.1RT2的主要配置：H3Csystem-view[H3C]interfaceGigabitEthernet0/0[H3C-GigabitEthernet0/0]ipaddress10.1.1.224[H3C-GigabitEthernet0/0]quit[H3C]interfaceGigabitEthernet0/1[H3C-GigabitEthernet0/1]ipaddress20.1.1.124[H3C-GigabitEthernet0/1]quit配置rip路由协议[H3C]rip[H3C-rip-1]version2[H3C-rip-1]undosummary[H3C-rip-1]network10.1.1.2[H3C-rip-1]network20.1.1.1RT3的主要配置：进入系统试图H3Csystem-view配置接口IP[H3C]interfaceGigabitEthernet0/0[H3C-GigabitEthernet0/0]ipaddress20.1.1.224创建环回接口：[H3C-GigabitEthernet0/0]quit[H3C]interfaceLoopBack0[H3C-LoopBack0]ipaddress192.168.2.132创建Tunnel口：[H3C-LoopBack0]quit[H3C]interfaceTunnel0modegre[H3C-Tunnel0]ipaddress100.1.1.124指定Tunnel口源接口地址[H3C-Tunnel0]source20.1.1.2指定Tunnel口目的端地址[H3C-Tunnel0]destination10.1.1.1[H3C-Tunnel0]quit创建访问控制列表[H3C]acladvanced3000[H3C-acl-ipv4-adv-3000]rule0permitipsource192.168.2.10.0.0.0destination192.168.1.10.0.0.0[H3C-acl-ipv4-adv-3000]quit创建ipsec安全提议tran1[H3C]ipsectransform-settran1指定安全协议的工作模式为隧道模式[H3C-ipsec-transform-set-tran1]encapsulation-modetunnel选择安全协议为esp[H3C-ipsec-transform-set-tran1]protocolesp加密算法为des[H3C-ipsec-transform-set-tran1]espencryption-algorithmdes-cbc验证算法为md5[H3C-ipsec-transform-set-tran1]espauthentication-algorithmmd5[H3C-ipsec-transform-set-tran1]quit配置ikekaychain，创建ike1[H3C]ikekeychainike1配置对端tunnel口的IP和使用的预共享秘钥[H3C-ike-keychain-ike1]pre-shared-keyaddress100.1.1.124keysimple123[H3C-ike-keychain-ike1]quit创建ikeprofile，名称为profile1[H3C]ikeprofileprofile1绑定ikekeychain[H3C-ike-profile-profile1]keychainike1配置本地封装的IP地址[H3C-ike-profile-profile1]local-identityaddress100.1.1.2配置对端封装的IP地址[H3C-ike-profile-profile1]matchremoteidentityaddress100.1.1.124[H3C-ike-profile-profile1]quit创建一条ike协商方式的ipsec安全策略，序列号为1，名字为policy1[H3C]ipsecpolicypolicy11isakmp指定引用ACL3000[H3C-ipsec-policy-isakmp-policy1-1]securityacl3000指定引用的ikeprofile为profile1[H3C-ipsec-policy-isakmp-policy1-1]ike-profileprofile1指定引用的安全协议为tran1[H3C-ipsec-policy-isakmp-policy1-1]transform-settran1指定对端隧道地址[H3C-ipsec-policy-isakmp-policy1-1]remote-address100.1.1.1[H3C-ipsec-policy-isakmp-policy1-1]quit进入Tunnel0[H3C]interfaceTunnel0把ipsec策略在Tunnel口生效[H3C-Tunnel0]ipsecapplypolicypolicy1配置rip路由协议[H3C]rip[H3C-rip-1]version2[H3C-rip-1]undosummary[H3C-rip-1]network20.1.1.2测试从RT1的环回口来pingRT3的环回口[H3C]ping-a192.168.1.1192.168.2.1Ping192.168.2.1(192.168.2.1)from192.168.1.1:56databytes,pressCTRL_CtobreakRequesttimeout56bytesfrom192.168.2.1:icmp_seq=1ttl=255time=2.000ms56bytesfrom192.168.2.1:icmp_seq=2ttl=255time=2.000ms56bytesfrom192.168.2.1:icmp_seq=3ttl=255time=2.000ms56bytesfrom192.168.2.1:icmp_seq=4ttl=255time=1.000ms说明VPN建立成功。