1. 组网需求
分支机构的用户访问公司总部过程如下:
分支机构的用户上网方式没有限制,拨号或者固定IP上网。
分支机构的网关设备接口地址是动态获取的
公司总部有两台SecPath,两台SecPath互相备份
公司总部与分支机构之间的数据连接要求IPSEC加密
3680模拟Internet,为分支结构动态分配IP地址
2. 组网图
3. 配置步骤
(1) 2630的配置
#
sysname Quidway
#
ike local-name client
# //由于2630要与SecPath1与SecPath2都建立GRE连接,所以需要建立两个ike协商
ike peer 1 //ike对等体的名字为1
exchange-mode aggressive
pre-shared-key 1 //配置身份验证字为1
id-type name //使用name方式作为ike协商的ID类型
remote-name 1 //指定对端的name,也就是SecPath1的name
remote-address 2.1.1.2 //指定对端的IP地址
nat traversal
#
ike peer 2 //第二个ike
exchange-mode aggressive
pre-shared-key 1
id-type name
remote-name 2
remote-address 3.1.1.2
nat traversal
#
ipsec proposal 1 //配置一个安全提议,使用默认的安全提议参数
#
ipsec policy 1 1 isakmp //使用IKE创建第一个安全策略,第一个1是安全策略组的名字,
第二个1是安全策略的序列号
security acl 3000 //引用访问控制列表3000
ike-peer 1 //引用ike对等体1,注意1是ike对等体的名字,而不是编号
proposal 1 //引用安全提议1
#
ipsec policy 1 2 isakmp//使用IKE创建第二个安全策略,安全策略组的名字为1
security acl 3001
ike-peer 2
proposal 1
#
controller T1 2/0
#
controller T1 2/1
#
interface Virtual-Template1 //l2tp配置使用虚拟模板用于配置动态创建的虚接口的参数
ip address 172.31.4.1 255.255.255.0
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Dialer1 //创建一个共享式拨号接口1
link-protocol ppp //拨号接口封装的链路层协议为PPP
mtu 1450
ip address ppp-negotiate //拨号接口的地址采用PPP协商方式得到
dialer user test //配置呼叫对端的用户
dialer bundle 1 //创建拨号接口池1
ipsec policy 1
#
interface Ethernet0/0
pppoe-client dial-bundle-number 1 //pppoe client配置在以太网接口上配置,
也可以在virtual-ethernet上配置,此配置是配置pppoe会话,一个拨号接口对应创建一个pppoe会话
#
interface Tunnel0
ip address 6.1.1.3 255.255.255.0
source 192.168.0.4
destination 192.168.0.1
ospf cost 100
#
interface Tunnel1
ip address 7.1.1.3 255.255.255.0
source 192.168.0.4
destination 192.168.0.2
ospf cost 99
#
interface NULL0
#
interface LoopBack0 //这里配置loopback解决的目的是为了给tunnel接口配置源ip地址
ip address 192.168.0.4 255.255.255.255
#
acl number 3000
rule 0 permit ip source 192.168.0.4 0 destination 192.168.0.1 0
acl number 3001
rule 0 permit ip source 192.168.0.4 0 destination 192.168.0.2 0
#
ospf 1
area 0.0.0.0
network 6.1.1.0 0.0.0.255
network 7.1.1.0 0.0.0.255
network 172.31.4.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
(2)3640的配置
#
sysname Quidway
#
ike local-name client
#
ike peer 1
exchange-mode aggressive
pre-shared-key 1
id-type name
remote-name 1
remote-address 2.1.1.2
nat traversal
#
ike peer 2
exchange-mode aggressive
pre-shared-key 1
id-type name
remote-name 2
remote-address 3.1.1.2
nat traversal
#
ipsec proposal 1
#
ipsec policy 1 1 isakmp
security acl 3000
ike-peer 1
proposal 1
#
ipsec policy 1 2 isakmp
security acl 3001
ike-peer 2
proposal 1
#
interface Virtual-Template1
ip address 172.31.3.1 255.255.255.0
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Dialer1
link-protocol ppp
ppp pap local-user 1 password simple 1
mtu 1450
ip address ppp-negotiate
dialer user test
dialer bundle 1
ipsec policy 1
#
interface Ethernet2/0
pppoe-client dial-bundle-number 1
#
interface Ethernet2/1
#
interface Ethernet3/0
#
interface Serial0/0
link-protocol ppp
#
interface Serial0/1
clock DTECLK1
link-protocol ppp
#
interface GigabitEthernet1/0
#
interface Tunnel0
ip address 4.1.1.3 255.255.255.0
source 192.168.0.3
destination 192.168.0.1
ospf cost 100
#
interface Tunnel1
ip address 5.1.1.3 255.255.255.0
source 192.168.0.3
destination 192.168.0.2
ospf cost 99
#
interface Tunnel9
#
interface NULL0
#
interface LoopBack0
ip address 192.168.0.3 255.255.255.255
#
acl number 3000
rule 0 permit ip source 192.168.0.3 0 destination 192.168.0.1 0
acl number 3001
rule 0 permit ip source 192.168.0.3 0 destination 192.168.0.2 0
#
ospf 1
area 0.0.0.0
network 4.1.1.0 0.0.0.255
network 5.1.1.0 0.0.0.255
network 172.31.3.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
