Requirements:
The headquarters has a fixed IP address, while the branch offices obtain dynamic IP addresses over PPPoE. An IPsec VPN tunnel must be established between headquarters and each branch so that the internal networks can reach each other.
Topology:
Configuration method:
Basic configuration
ISP configuration
sysname ISP
interface GigabitEthernet0/0/0
ip address 32.0.0.2 255.255.255.252
interface GigabitEthernet0/0/1
ip address 12.0.0.2 255.255.255.252
interface GigabitEthernet0/0/2
ip address 22.0.0.2 255.255.255.252
PC address configuration
PC1 192.168.1.2/24
PC2 192.168.2.2/24
PC3 192.168.3.2/24
Basic configuration of the headquarters edge router:
sysname zb
interface GigabitEthernet0/0/0
ip address 12.0.0.1 255.255.255.252
nat outbound 3000
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
ip route-static 0.0.0.0 0 12.0.0.2
acl advanced 3000
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 10 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 15 permit ip source 192.168.1.0 0.0.0.255
//Traffic between the internal sites is excluded from NAT
Basic configuration of the branch 1 edge router
sysname fb1
interface GigabitEthernet0/0/0
ip address 22.0.0.1 255.255.255.252
nat outbound 3000
interface GigabitEthernet0/0/1
ip address 192.168.2.1 255.255.255.0
ip route-static 0.0.0.0 0 22.0.0.2
acl advanced 3000
rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip source 192.168.2.0 0.0.0.255
Basic configuration of the branch 2 edge router
sysname fb2
interface GigabitEthernet0/0/0
ip address 32.0.0.1 255.255.255.252
nat outbound 3000
interface GigabitEthernet0/0/1
ip address 192.168.3.1 255.255.255.0
ip route-static 0.0.0.0 0 32.0.0.2
acl advanced 3000
rule 5 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip source 192.168.3.0 0.0.0.255
After the basic configuration is complete, the internal networks can reach the Internet normally, and every PC can ping external addresses.
IPsec VPN configuration
Because the branches obtain dynamic IP addresses over PPPoE, headquarters cannot know a branch's address in advance. IKE aggressive mode is therefore used to establish the IPsec VPN tunnel with the branches, and the tunnel can only be set up when the branch initiates traffic first.
To keep the focus on the principle, the PPPoE configuration is omitted.
Headquarters configuration
ike proposal 1
ike keychain 1
pre-shared-key hostname fb1 key simple 123
ike keychain 2
pre-shared-key hostname fb2 key simple 123
//The peer IP is unknown in advance, so the pre-shared key is bound to the peer's name
ike profile 1
keychain 1
exchange-mode aggressive
local-identity fqdn zb
match remote identity fqdn fb1
proposal 1
//Use IKE aggressive mode
ike profile 2
keychain 2
exchange-mode aggressive
local-identity fqdn zb
match remote identity fqdn fb2
proposal 1
ipsec transform-set tra1
esp encryption-algorithm des-cbc
esp authentication-algorithm md5
ipsec policy-template t1 1
transform-set tra1
ike-profile 1
ipsec policy-template t1 2
transform-set tra1
ike-profile 2
ipsec policy p1 1 isakmp template t1
//The IPsec policy is created from a template, so no traffic selector (ACL) needs to be configured
interface GigabitEthernet 0/0/0
ipsec apply policy p1
//Apply the IPsec policy on the outbound interface
Branch 1 IPsec VPN configuration
acl advanced 3001
rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
//Define the traffic of interest towards headquarters
ike proposal 1
ike keychain 1
pre-shared-key address 12.0.0.1 255.255.255.255 key simple 123
//The headquarters IP is fixed; configure the same pre-shared key
ike profile 1
keychain 1
exchange-mode aggressive
local-identity fqdn fb1
match remote identity fqdn zb
proposal 1
ipsec transform-set tra1
esp encryption-algorithm des-cbc
esp authentication-algorithm md5
ipsec policy p1 1 isakmp
transform-set tra1
security acl 3001
remote-address 12.0.0.1
ike-profile 1
interface GigabitEthernet 0/0/0
ipsec apply policy p1
Branch 2 configuration
acl advanced 3001
rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ike proposal 1
ike keychain 1
pre-shared-key address 12.0.0.1 255.255.255.255 key simple 123
ike profile 1
keychain 1
exchange-mode aggressive
local-identity fqdn fb2
match remote identity fqdn zb
proposal 1
ipsec transform-set tra1
esp encryption-algorithm des-cbc
esp authentication-algorithm md5
ipsec policy p1 1 isakmp
transform-set tra1
security acl 3001
remote-address 12.0.0.1
ike-profile 1
interface GigabitEthernet 0/0/0
ipsec apply policy p1
After the configuration is complete, the branch PCs can reach the headquarters PCs normally.
On the headquarters router, the IKE SA and IPsec SA information displays normally.
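As an added illustration (not the article's configuration or code), the Python below parses the headquarters configuration above, resolves which IKE profile and keychain the hub selects for a peer that announces itself only by FQDN in aggressive mode, and flags the des-cbc/md5 transform-set. The indented HUB_CONFIG sample, the WEAK algorithm list and the function names are assumptions made for this example.

```python
# Added example, not the article's code: resolve the IKE profile/keychain/PSK the hub "zb"
# picks for an aggressive-mode peer known only by FQDN, and flag weak ESP algorithms.
import re  # sample below is constructed from the article's hub config; indentation marks sub-commands
HUB_CONFIG = """\
ike keychain 1
 pre-shared-key hostname fb1 key simple 123
ike keychain 2
 pre-shared-key hostname fb2 key simple 123
ike profile 1
 keychain 1
 exchange-mode aggressive
 match remote identity fqdn fb1
ike profile 2
 keychain 2
 exchange-mode aggressive
 match remote identity fqdn fb2
ipsec transform-set tra1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
"""
WEAK = {"des-cbc", "3des-cbc", "md5"}  # assumed list; DES and MD5 are deprecated

def parse_blocks(text):
    """Group Comware-style config into {header: [sub-commands]} using indentation."""
    blocks = {}
    for line in text.splitlines():
        if line.startswith(" "):
            blocks[header].append(line.strip())
        elif line.strip():
            header = line.strip()
            blocks[header] = []
    return blocks

def lookup_peer_key(text, peer_fqdn):
    """Return (profile, keychain, psk) the hub selects for peer_fqdn, else None."""
    blocks = parse_blocks(text)
    for header, subs in blocks.items():
        if header.startswith("ike profile ") and f"match remote identity fqdn {peer_fqdn}" in subs:
            keychain = next(s.split()[1] for s in subs if s.startswith("keychain "))
            for entry in blocks.get(f"ike keychain {keychain}", []):
                m = re.fullmatch(r"pre-shared-key hostname (\S+) key simple (\S+)", entry)
                if m and m.group(1) == peer_fqdn:
                    return header.split()[-1], keychain, m.group(2)
    return None

def weak_transform_sets(text):
    """Map each ipsec transform-set to the deprecated ESP algorithms it selects."""
    return {h.split()[-1]: [s.split()[-1] for s in subs if s.split()[-1] in WEAK]
            for h, subs in parse_blocks(text).items()
            if h.startswith("ipsec transform-set ") and any(s.split()[-1] in WEAK for s in subs)}
```

A peer FQDN with no matching profile (e.g. a third branch not yet configured) returns None, which is exactly why each branch needs its own keychain and profile on the hub.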