Implementing GRE Tunnels and IPsec VPN on Huawei Devices

Reader submission | 342 | 2022-10-11



IPsec VPN is a great tool for side jobs; everyone is welcome to learn and master it.

[Huawei-Tunnel0/0/0]ping 10.1.12.2
  PING 10.1.12.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.12.2: bytes=56 Sequence=1 ttl=255 time=70 ms
    Reply from 10.1.12.2: bytes=56 Sequence=2 ttl=255 time=30 ms

Running a routing protocol over the GRE tunnel:

[R2-GigabitEthernet0/0/1]dis cu conf rip
[V200R003C00]
#
rip 1
 version 2
 network 10.0.0.0    // the dynamic routing protocol runs over the GRE tunnel!

[R1-rip-1]dis th
[V200R003C00]
#
rip 1
 version 2
 network 10.0.0.0

Routes learned through the GRE tunnel:

[R1-rip-1]dis ip rou pro rip
Route Flags: R - relay, D - download to fib

Public routing table : RIP
         Destinations : 1        Routes : 1

RIP routing table status : Destinations : 1 Routes : 1

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.1.2.0/24  RIP     100  1           D   10.1.12.2       Tunnel0/0/0

RIP routing table status : Destinations : 0 Routes : 0

End-host communication:

PC>ping 10.1.1.1

Ping 10.1.1.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 10.1.1.1: bytes=32 seq=2 ttl=126 time=15 ms
From 10.1.1.1: bytes=32 seq=3 ttl=126 time=15 ms
From 10.1.1.1: bytes=32 seq=4 ttl=126 time=15 ms
From 10.1.1.1: bytes=32 seq=5 ttl=126 time=15 ms

--- 10.1.1.1 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/15/15 ms

2. Implementation steps for a LAN-to-LAN (L2L) IPsec VPN:

1) Implement route reachability. HEDEX encryption/decryption devices need at least three routes: A. a route to the peer encryption/decryption endpoint; B. a route to the local communication endpoint; C. a route to the remote communication endpoint (this one is easy to overlook, but a forwarding device drops a packet if it has no route to its destination).

Routes on R1:

[R1]ip route-static 10.1.2.0 24 g0/0/0 202.100.1.2

The other two requirements are met by the directly connected routes by default.

[R2]ip route-static 0.0.0.0 0.0.0.0 g0/0/0 202.100.1.1

2) Implement the first-stage Proposal policy. On both R1 and R2:

ipsec proposal QYT
 esp authentication-algorithm sha1

[R2]display ipsec proposal

Number of proposals: 1

IPSec proposal name: QYT
 Encapsulation mode: Tunnel
 Transform         : esp-new
 ESP protocol      : Authentication SHA1-HMAC-96 Encryption DES
[R2]

3) Implement the SPD (an ACL that matches which traffic is processed by IPsec), i.e. the interesting traffic.

R1:

acl name ××× 3999
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

R2:

acl name ××× 3999
 rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

4) Assemble the IPsec policy.

R1:

ipsec policy NONGDA 10 manual
 security acl 3999
 proposal QYT
 tunnel local 202.100.1.1
 tunnel remote 202.100.1.2
 sa spi inbound esp 6543
 sa string-key inbound esp simple nongda
 sa spi outbound esp 3456
 sa string-key outbound esp simple nongda

R2:

ipsec policy NONGDA 10 manual
 security acl 3999
 proposal QYT
 tunnel local 202.100.1.2
 tunnel remote 202.100.1.1
 sa spi inbound esp 3456
 sa string-key inbound esp simple nongda
 sa spi outbound esp 6543
 sa string-key outbound esp simple nongda

Apply the policy. Both gateway devices apply it on the outside interface:

interface GigabitEthernet0/0/0
 ip address 202.100.1.2 255.255.255.252
 ipsec policy NONGDA

[R2]dis ipsec sa    // verify the security associations

===============================
Interface: GigabitEthernet0/0/0
Path MTU: 1500

IPSec policy name: "NONGDA"
Sequence number  : 10
Acl Group        : 3999
Acl rule         : 0
Mode             : Manual

Encapsulation mode: Tunnel
Tunnel local      : 202.100.1.2
Tunnel remote     : 202.100.1.1
Qos pre-classify  : Disable

[Outbound ESP SAs]
  SPI: 6543 (0x198f)
  Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
  No duration limit for this SA

[Inbound ESP SAs]
  SPI: 3456 (0xd80)
  Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
  No duration limit for this SA

[R2]dis ipsec statistics esp    // verify the packets encrypted and decrypted by IPsec
  Inpacket count        : 9
  Inpacket auth count   : 0
  Inpacket decap count  : 0
  Outpacket count       : 7
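As an added example (not code from the original post), a small Python checker for a manual policy pair like NONGDA above: it parses the SA lines of both gateways, confirms that R1's inbound SPI and key are R2's outbound ones (and vice versa), that the tunnel endpoints and the interesting-traffic ACLs are mirror images, and flags the weak defaults a review should catch: the "simple" plaintext key storage and the DES encryption that "display ipsec proposal" reported. The sample configs are constructed from the article's values, and the encryption argument is an assumption standing in for what the proposal shows.

```python
import re

# Constructed sample: R1 and R2 policy/ACL lines from the article, trimmed to what the checker needs.
R1 = """rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
tunnel local 202.100.1.1
tunnel remote 202.100.1.2
sa spi inbound esp 6543
sa string-key inbound esp simple nongda
sa spi outbound esp 3456
sa string-key outbound esp simple nongda"""
R2 = """rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
tunnel local 202.100.1.2
tunnel remote 202.100.1.1
sa spi inbound esp 3456
sa string-key inbound esp simple nongda
sa spi outbound esp 6543
sa string-key outbound esp simple nongda"""
PATTERNS = {
    "tunnel": r"tunnel (local|remote) (\S+)",
    "spi": r"sa spi (inbound|outbound) esp (\d+)",
    "key": r"sa string-key (inbound|outbound) esp (simple|cipher) (\S+)",
    "acl": r"rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)",
}

def parse_policy(cfg):
    """Extract tunnel endpoints, SPIs, keys as (storage form, value) and the ACL rule."""
    p = {}
    for line in cfg.splitlines():
        for name, pat in PATTERNS.items():
            m = re.match(pat, line.strip())
            if m and name == "acl":
                p["acl"] = m.groups()  # (source, destination)
            elif m:
                p[f"{name}_{m.group(1)}"] = m.groups()[1:] if name == "key" else m.group(2)
    return p

def check_pair(a, b, encryption="DES"):
    """Return the problems found; [] means the peers mirror and nothing weak was seen."""
    issues = []
    for d, opp in (("inbound", "outbound"), ("outbound", "inbound")):
        # a's inbound SA is b's outbound SA: SPI and key must be identical on both sides
        if (a[f"spi_{d}"], a[f"key_{d}"][1]) != (b[f"spi_{opp}"], b[f"key_{opp}"][1]):
            issues.append(f"SPI/key mismatch: a {d} vs b {opp}")
    if (a["tunnel_local"], a["tunnel_remote"]) != (b["tunnel_remote"], b["tunnel_local"]):
        issues.append("tunnel endpoints are not swapped between peers")
    if a["acl"] != b["acl"][::-1]:  # interesting traffic must be the mirror image
        issues.append("interesting-traffic rules are not mirror images")
    if any(p[k][0] == "simple" for p in (a, b) for k in ("key_inbound", "key_outbound")):
        issues.append("string-key stored as 'simple' (plaintext in the config)")
    if encryption.upper() == "DES":  # the default that 'display ipsec proposal' showed above
        issues.append("proposal encrypts with single DES; configure an AES algorithm")
    return issues
```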

NAT bypass (use an ACL to deny the VPN traffic from NAT, then configure the remaining traffic to reach the Internet), i.e. implementing IPsec VPN in a NAT environment.

