1. 組網需求
分支機構的用戶訪問公司總部過程如下:
分支機構的用戶上網方式沒有限制,撥號或者固定IP上網。
分支機構的網關設備接口地址是動態獲取的
公司總部有兩臺SecPath,兩臺SecPath互相備份
公司總部與分支機構之間的數據連接要求IPSEC加密
3680模擬Internet,為分支結構動態分配IP地址
2. 組網圖
(1) 2630的配置
# sysname Quidway # ike local-name client # //由于2630要與SecPath1與SecPath2都建立GRE連接,所以需要建立兩個ike協商 ike peer 1 //ike對等體的名字為1 exchange-mode aggressive pre-shared-key 1 //配置身份驗證字為1 id-type name //使用name方式作為ike協商的ID類型 remote-name 1 //指定對端的name,也就是SecPath1的name remote-address 2.1.1.2 //指定對端的IP地址 nat traversal # ike peer 2 //第二個ike exchange-mode aggressive pre-shared-key 1 id-type name remote-name 2 remote-address 3.1.1.2 nat traversal # ipsec proposal 1 //配置一個安全提議,使用默認的安全提議參數 # ipsec policy 1 1 isakmp //使用IKE創建第一個安全策略,第一個1是安全策略組的名字, |
# sysname Quidway # ike local-name client # ike peer 1 exchange-mode aggressive pre-shared-key 1 id-type name remote-name 1 remote-address 2.1.1.2 nat traversal # ike peer 2 exchange-mode aggressive pre-shared-key 1 id-type name remote-name 2 remote-address 3.1.1.2 nat traversal # ipsec proposal 1 # ipsec policy 1 1 isakmp security acl 3000 ike-peer 1 proposal 1 # ipsec policy 1 2 isakmp security acl 3001 ike-peer 2 proposal 1 # interface Virtual-Template1 ip address 172.31.3.1 255.255.255.0 # interface Aux0 async mode flow link-protocol ppp # interface Dialer1 link-protocol ppp ppp pap local-user 1 password simple 1 mtu 1450 ip address ppp-negotiate dialer user test dialer bundle 1 ipsec policy 1 # interface Ethernet2/0 pppoe-client dial-bundle-number 1 # interface Ethernet2/1 # interface Ethernet3/0 # interface Serial0/0 link-protocol ppp # interface Serial0/1 clock DTECLK1 link-protocol ppp # interface GigabitEthernet1/0 # interface Tunnel0 ip address 4.1.1.3 255.255.255.0 source 192.168.0.3 destination 192.168.0.1 ospf cost 100 # interface Tunnel1 ip address 5.1.1.3 255.255.255.0 source 192.168.0.3 destination 192.168.0.2 ospf cost 99 # interface Tunnel9 # interface NULL0 # interface LoopBack0 ip address 192.168.0.3 255.255.255.255 # acl number 3000 rule 0 permit ip source 192.168.0.3 0 destination 192.168.0.1 0 acl number 3001 rule 0 permit ip source 192.168.0.3 0 destination 192.168.0.2 0 # ospf 1 area 0.0.0.0 network 4.1.1.0 0.0.0.255 network 5.1.1.0 0.0.0.255 network 172.31.3.0 0.0.0.255 # ip route-static 0.0.0.0 0.0.0.0 Dialer 1 preference 60 # user-interface con 0 user-interface aux 0 user-interface vty 0 4 # return |
| 共2頁: 1 [2] 下一頁 | ||
|
