實(shí)驗(yàn)32大量分支GREoverIPSec接入的簡(jiǎn)易配置(精)

60606060大量分支GREoverIPSec接入的簡(jiǎn)易配置、組網(wǎng)需求客戶的網(wǎng)絡(luò)拓?fù)浔容^大，一個(gè)中心網(wǎng)點(diǎn)和N個(gè)分支網(wǎng)點(diǎn)，且每個(gè)分支網(wǎng)點(diǎn)都需要利用GREOVERIPSe與中心網(wǎng)點(diǎn)建立VPN連接。由于GRE!道有一定的局限性，Tunnel接口過多，造成配置的復(fù)雜，而Tunnel接口的最大數(shù)目為4096個(gè)，那么，分支數(shù)目超過此數(shù)就無法繼續(xù)建立GRE!道，且還沒有算上有些是備份的鏈路。采用P2MP各大大簡(jiǎn)化Tunnel接口的配置，且也解決了Tunnel接口數(shù)目不足帶來的問題。同樣，設(shè)備的公網(wǎng)出接口數(shù)目是有限的，我們不可能在 N個(gè)出接口上建立IPSec隧道。采用IPsec的模板配置，解決相應(yīng)配置的問題。二、組網(wǎng)拓?fù)鋱D實(shí)驗(yàn)所用設(shè)備:中心設(shè)備為SecBlade防火墻插卡；軟件版本Feature3171P11;公網(wǎng)出接口G0/3:172.16.10.1。分部一設(shè)備為SecBlade防火墻插卡；軟件版本Feature3171P11;公網(wǎng)出接口G0/3:172.16.30.1。分部二設(shè)備為SecPathV3防火墻；軟件版本Release1662P07;公網(wǎng)出接口G0/1:172.16.20.1。因特網(wǎng)設(shè)備為S7503E-S交換機(jī)；軟件版本Release6616P01;實(shí)驗(yàn)中所用接口為G0/0/25:172.16.10.2，G0/0/27:172.16.30.2，G0/0/28:192.168.20.1 。

卩心業(yè)務(wù)網(wǎng)^^-4^^ookbackO1+1+1*1、GRE」］友尸Lookbackl192.168,10,1172J6.1OJGREOVERTunnelllOAOJ分ihifj"業(yè)務(wù)網(wǎng)LookbackO1.2.2.2SeeGRE対裝Lookbackl192.16840；GREOVERTunnelllOAOJ分ihifj"業(yè)務(wù)網(wǎng)LookbackO1.2.2.2SeeGRE対裝Lookbackl192.16840；172.1630.Tunnell10.0.0J1）基本配置各個(gè)設(shè)備的接口和區(qū)域的配置。分部的IP地址本應(yīng)該為動(dòng)態(tài)獲取，這里為了簡(jiǎn)化配置，直接改為靜態(tài)了。路由配置:中心：iproute-staticO.O.O.OO.O.O.O172.16.10.2//公網(wǎng)路由iproute-static2.2.2.2255.255.255.2551O.O.O.2//將業(yè)務(wù)數(shù)據(jù)流引向Tunnel接口，從而觸發(fā)GRE封裝分部一：iproute-staticO.O.O.OO.O.O.O172.16.30.2//公網(wǎng)路由iproute-static1.1.1.1255.255.255.25510.0.0.1//將業(yè)務(wù)數(shù)據(jù)流引向Tunnel接口，從而觸發(fā)GRE封裝分部二：iproute-staticO.O.O.OO.O.O.O172.16.20.2preferenee60iproute-static1.1.1.1255.255.255.25510.0.0.1prefereneeikelocal-namefw1 //IKEikelocal-namefw1 //IKE本端名字（千萬不能忘記）ikelocal-namefw1 //IKEikelocal-namefw1 //IKE本端名字（千萬不能忘記）2)GRE配置中心設(shè)備:interfaceTunnel1ipaddress10.0.0.1255.255.255.0tunnel-protocolgrep2mp//這里默認(rèn)采用GREtunnel-protocolgrep2mp//這里默認(rèn)采用GRE改為P2MPsource192.168.10.1的地址//源封裝地址為回環(huán)接口Lookback1grep2mpbranch-network-mask255.255.255.0//采用P2MP的封裝模式，無表示對(duì)端的封裝地址為多少，只能設(shè)置一個(gè)掩碼表示范圍分部一設(shè)備:interfaceTunnel1ipaddress10.0.0.2255.255.255.0source192.168.10.2destination192.168.10.1//分部設(shè)備對(duì)中心設(shè)備來與是點(diǎn)到點(diǎn)的類型，直接封裝相應(yīng)的源地址和目標(biāo)地址就行了分部二:interfaceTunnel1ipaddress10.0.0.3255.255.255.0source192.168.10.3destination192.168.10.13)IPSec配置在本實(shí)驗(yàn)中，分部的IP都不是固定的，都為動(dòng)態(tài)獲取所得，所以，IKE的協(xié)商方式這里采用野蠻模式中心設(shè)備:ikepeer10exchange-modeaggressivepre-shared-keycipher$c$3$/3EvhWhcCcwOSYCWzLohlg2r1bGeCVY=id-typenameremote-namefw2remote-addressfw2dynamic//此處可以不做配置，如果不做配置默認(rèn)為所有 IP地址，如圖所示:對(duì)端網(wǎng)關(guān)；0IIP地址:0IIP地址:0.0.0.0255.255.255.255ipsecproposal10//安全提議采用默認(rèn)的配置即可，也可以自行更改，默認(rèn)為:PiTsttarwlMiSh*/|cescscPiTsttarwlMiSh*/|cescsc10ipsecpolicy-templatezb110ike-peer10proposal10//總部的類型為點(diǎn)到多點(diǎn)，所以這里采用模板的方法，這樣無法配置 ACL進(jìn)行數(shù)據(jù)流匹配ipsecpolicycnc10isakmptempiatezb1//模板的應(yīng)用方式interfaceGigabitEthernet0/3portlink-moderouteipaddress172.16.10.1255.255.255.0ipsecpolicycnc分部一:aclnumber3000rule0permitipsource192.168.10.20destination192.168.10.10ikelocal-namefw2// 配置本端名字ikepeer10exchange-modeaggressivepre-shared-keycipher$c$3$UaPgUwWG/SiXbHB6XVbtbAVmEBQk1AE=id-typenameremote-namefw1remote-address172.16.10.1ipsecproposal10// 采用默認(rèn)，這里也可以不做配置ipsecpolicyfb10isakmpsecurityacl3000ike-peer10proposal10//分部為點(diǎn)到點(diǎn)模式，不用配置模板，此里的acl可以用于中心設(shè)備的反向匹配分部二:ikepeer10exchange-modeaggressivepre-shared-keycipherKqbfKcrPdHA=id-typenameremote-namefw1remote-address172.16.10.1ipsecproposal10ipsecpolicyfb10isakmpsecurityacl3000ike-peer10proposal10aclnumber3000rule0permitipsource192.168.10.30destination192.168.10.104）連通性測(cè)試只能由分部觸發(fā)建立，中心側(cè)無法觸發(fā)。分部一:[H3C]ping-a22221.1.1.1PING1.1.1.1:56databytes,pressCTRL_CtobreakRequesttimeoutReplyfrom1.1.1.1:bytes=56Sequence=2ttl=255time=1msReplyfrom1.1.1.1:bytes=56Sequence=3ttl=255time=1msReplyfrom1.1.1.1:bytes=56Sequence=4ttl=255time=1msReplyfrom1.1.1.1:bytes=56Sequence=5ttl=255time=1ms---1.1.1.1pingstatistics---5packet(s)transmitted4packet(s)received20.00%packetlossround-tripmin/avg/max=1/1/1ms[H3C]分部二:vQuidway>ping-a3.3.3.31.1.1.1PING1.1.1.1:56databytes,pressCTRL_CtobreakReplyfrom1.1.1.1:bytes=56Sequence=1ttl=255time=1msReplyfrom1.1.1.1:bytes=56Sequence=2ttl=255time=1msReplyfrom1.1.1.1:bytes=56Sequence=3ttl=255time=1msReplyfrom1.1.1.1:bytes=56Sequence=4ttl=255time=1msReplyfrom1.1.1.1:bytes=56Sequence=5ttl=255time=1ms---1.1.1.1pingstatistics---5packet(s)transmitted5packet(s)received0.00%packetlossround-tripmin/avg/max=1/1/1msvQuidway>中心設(shè)備情況:<H3C>displayikesatotalphase-1SAs:connection-idpeeredoi statusflagphas172.16.30.1RDIPSECIPSECIPSECIPSECflagmeaning172.16.20.1172.16.30.1172.16.20.1RDRDRDRD--READYST--STAYALIVERL--REPLACEDFD--FADINGTO--TIMEOUT<H3C>分部一與分部二都已經(jīng)成功建立隧道查看IPSecSA隧道vH3C>displayipsecsaInterface:GigabitEthemetO/3pathMTU:1500IPsecpolicyname:"zb"sequeneenumber:10mode:tempiateconnectionid:1encapsulationmode:tunnelperfectforwardsecrecy:tunnel:localaddress:172.16.10.1remoteaddress:172.16.30.1//這個(gè)是分部一flow:souraddr:192.168.10.1/255.255.255.255port:0 protocol:IPdestaddr:192.168.10.2/255.255.255.2550 protocol:IPport:[inboundESPSAs]spi:3758878501(0xe00bef25)//這個(gè)與分部一的出方向的SA相同proposal:ESP-ENCRYPT-DESESP-AUTH-MD5saduration(kilobytes/sec):1843200/3600saremainingduration(kilobytes/sec):1843196/1246maxreceivedsequence-number:34anti-replaycheckenable:Yanti-replaywindowsize:32udpencapsulationusedfornattraversal:Nstatus:--[outboundESPSAs]spi:2870550202(0xab191eba)proposal:ESP-ENCRYPT-DESESP-AUTH-MD5saduration(kilobytes/sec):1843200/3600saremainingduration(kilobytes/sec):1843196/1246maxreceivedsequence-number:35udpencapsulationusedfornattraversal:Nstatus:--IPsecpolicyname:"zb"sequeneenumber:10mode:tempiateconnectionid:2encapsulationmode:tunnelperfectforwardsecrecy:tunnel://這個(gè)是分部二//這個(gè)是分部二remoteaddress:172.16.20.1flow:port:souraddr:192.168.10.1/255.255.255.255port:0 protocol:IPport:destaddr:192.168.10.3/255.255.255.255port:0 protocol:IP[inboundESPSAs]spi:3651661767(0xd9a7efc7)proposal:ESP-ENCRYPT-DESESP-AUTH-MD5saduration(kilobytes/sec):1843200/3600saremainingduration(kilobytes/sec):1843197/1559maxreceivedsequence-number:19anti-replaycheckenable:Yanti-replaywindowsize:32udpencapsulationusedfornattraversal:Nstatus:--[outboundESPSAs]spi:460917123(0x1b790983)proposal:ESP-ENCRYPT-DESESP-AUTH-MD5saduration(kilobytes/sec):1843200/3600saremainingduration(kilobytes/sec):1843197/1559maxreceivedsequence-number:20udpencapsulationusedfornattraversal:Nstatus:--<H3C>分部一的IPSecSA<H3C>displayipsecsaInterface:GigabitEthernet0/3pathMTU:1500IPsecpolicyname:"fb"sequeneenumber:10mode:isakmpconnectionid:1encapsulationmode:tunnelperfectforwardsecrecy:tunnel:localaddress:172.16.30.1remoteaddress:172.16.10.1//與總部方向建立SAflow:souraddr:192.168.10.2/255.255.255.255port:0 protocol:IPdestaddr:192.168.10.1/255.255.255.255port:0 protocol:IP[inboundESPSAs]spi:2870550202(0xab191eba)//對(duì)比總部的第一個(gè)出方向的SA這兩個(gè)值相同proposal:ESP-ENCRYPT-DESESP-AUTH-MD5saduration(kilobytes/sec):1843200/3600saremainingduration(kilobytes/sec):1843196/738maxreceivedsequence-number:34anti-replaycheckenable:Yanti-replaywindowsize:32udpencapsulationusedfornattraversal:Nstatus:--flow: (38timesmatched)flow: (38timesmatched)flow: (38timesmatched)flow: (38timesmatched)[outboundESPSAs]spi:3758878501(0xe00bef25)proposal:ESP-ENCRYPT-DESESP-AUTH-MD5saduration(kilobytes/sec):1843200/3600saremainingduration(kilobytes/sec):1843196/738maxreceivedsequence-number:35udpencapsulationusedfornattraversal:Nstatus:--<H3C>分部二IPSecSA<Quidway>displayipsecsaInterface:GigabitEthernet0/1pathMTU:1500IPsecpolicyname:"fb"sequeneenumber:10mode:isakmpCreatedby:"Host"connectionid:4encapsulationmode:tunnelperfectforwardsecrecy:Nonetunnel://與總部方向建立//與總部方向建立SAremoteaddress:172.16.10.1souraddr:192.168.10.3/255.255.255.255 port:souraddr:192.168.10.3/255.255.255.255 port: 0 protocol:IPport:destaddr:192.168.10.1/255.255.255.255port:0 protocol:IP[inboundESPSAs]bpi：460917123(0x1b790983//與總部第二個(gè)出方向的SA值相同proposal:ESP-ENCRYPT-DESESP-AUTH-MD5sakeyduration(bytes/sec):1887436800/