Headquarters builds multiple IPsec tunnels to its branches using a policy template
Project overview
1. The headquarters router has a fixed public IP address; the branch routers (the Shanghai branch and the Tianjin branch) do not have fixed IP addresses.
2. Only the branch routers can initiate the IPsec VPN to the headquarters router, so a policy template must be created on the headquarters router.
3. All routers can reach one another.
1. Topology diagram

2. Environment configuration
R1
<Huawei>sys
[Huawei]sys R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 20.1.1.2 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 20.1.2.2 24
[R1-GigabitEthernet0/0/1]int g2/0/0
[R1-GigabitEthernet2/0/0]ip add 20.1.3.2 24
R2
<Huawei>sys
[Huawei]sys R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip address 20.1.1.1 24
[R2-GigabitEthernet0/0/0]int vlanif 1
[R2-Vlanif1]ip address 10.1.1.1 24
[R2]ip route-static 20.1.3.0 24 20.1.1.2
[R2]ip route-static 20.1.2.0 24 20.1.1.2
R3
<Huawei>sys
[Huawei]sys R3
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip add 20.1.2.1 24
[R3-GigabitEthernet0/0/0]int vlanif1
[R3-Vlanif1]ip add 10.1.2.1 24
[R3]ip route-static 20.1.3.0 24 20.1.2.2
[R3]ip route-static 20.1.1.0 24 20.1.2.2
R4
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys R4
[R4]int g0/0/0
[R4-GigabitEthernet0/0/0]ip add 20.1.3.1 24
[R4-GigabitEthernet0/0/0]int vlanif1
[R4-Vlanif1]ip add 10.1.3.1 24
[R4]ip route-static 20.1.1.0 24 20.1.3.2
[R4]ip route-static 20.1.2.0 24 20.1.3.2
Connectivity test

3. Create the IPsec tunnels
3.1. Configuration on the headquarters router (R2)
<R2>sys
# Authentication and encryption methods
[R2]ipsec proposal prol
[R2-ipsec-proposal-prol]quit
# How the peer device is authenticated
[R2]ike peer rut1 v2
[R2-ike-peer-rut1]pre-shared-key simple 91xueit
[R2-ike-peer-rut1]quit
# Use a policy template
[R2]ipsec policy-template server 10
[R2-ipsec-policy-templet-server-10]ike-peer rut1
[R2-ipsec-policy-templet-server-10]proposal prol
[R2-ipsec-policy-templet-server-10]quit
# The security policy references the policy template
[R2]ipsec policy policy1 10 isakmp template server
# Bind the policy to the physical interface
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ipsec policy policy1
[R2-GigabitEthernet0/0/0]quit
# Add routes to the branch LANs
[R2]ip route-static 10.1.2.0 24 20.1.1.2
[R2]ip route-static 10.1.3.0 24 20.1.1.2
3.2. Configure R3
<R3>sys
# ACL defining the traffic to protect
[R3]acl 3100
[R3-acl-adv-3100]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R3-acl-adv-3100]quit
# Authentication and encryption methods
[R3]ipsec proposal prol
[R3-ipsec-proposal-prol]quit
# How the peer device is authenticated
[R3]ike peer rut1 v2
[R3-ike-peer-rut1]pre-shared-key simple 91xueit
[R3-ike-peer-rut1]remote-address 20.1.1.1
[R3-ike-peer-rut1]quit
# The security policy references the configuration above
[R3]ipsec policy policy1 10 isakmp
[R3-ipsec-policy-isakmp-policy1-10]ike-peer rut1
[R3-ipsec-policy-isakmp-policy1-10]proposal prol
[R3-ipsec-policy-isakmp-policy1-10]security acl 3100
[R3-ipsec-policy-isakmp-policy1-10]quit
# Bind the security policy to the physical interface
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ipsec policy policy1
[R3-GigabitEthernet0/0/0]quit
# Add a route to the headquarters LAN
[R3]ip route-static 10.1.1.0 24 20.1.2.2
3.3. Configure R4
<R4>sys
[R4]acl 3100
[R4-acl-adv-3100]rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R4-acl-adv-3100]quit
[R4]ipsec proposal prol
[R4-ipsec-proposal-prol]quit
[R4]ike peer rut1 v2
[R4-ike-peer-rut1]pre-shared-key simple 91xueit
[R4-ike-peer-rut1]remote-address 20.1.1.1
[R4-ike-peer-rut1]quit
[R4]ipsec policy policy1 10 isakmp
[R4-ipsec-policy-isakmp-policy1-10]ike-peer rut1
[R4-ipsec-policy-isakmp-policy1-10]proposal prol
[R4-ipsec-policy-isakmp-policy1-10]security acl 3100
[R4-ipsec-policy-isakmp-policy1-10]quit
[R4]int g0/0/0
[R4-GigabitEthernet0/0/0]ipsec policy policy1
[R4-GigabitEthernet0/0/0]quit
[R4]ip route-static 10.1.1.0 24 20.1.3.2
3.4. Configure the two branches to communicate with each other through the headquarters IPsec VPN
[R3]acl 3100
[R3-acl-adv-3100]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
[R3-acl-adv-3100]quit
[R3]ip route-static 10.1.3.0 24 20.1.2.2
[R4]acl 3100
[R4-acl-adv-3100]rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[R4-acl-adv-3100]quit
[R4]ip route-static 10.1.2.0 24 20.1.3.2
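Because the hub R2 uses a policy template and defines no ACL of its own, it accepts whatever traffic selectors a branch proposes; spoke-to-spoke traffic therefore only works when each branch's ACL mirrors the other's and the static routes exist on all three routers. The following audit script is an added example, not part of the original article: it parses the ACL rules and static routes from a constructed copy of the R2/R3/R4 configuration (here deliberately missing the R4 rule added in 3.4) and reports the asymmetries. The router names, LAN networks and hub role are taken from the topology above.

```python
import re
from collections import defaultdict

# Constructed sample: ACL rules and static routes copied from sections 3.1-3.4,
# with the R4 mirror rule from 3.4 left out to show what the audit catches.
SAMPLE_CONFIG = """
[R2]ip route-static 10.1.2.0 24 20.1.1.2
[R2]ip route-static 10.1.3.0 24 20.1.1.2
[R3-acl-adv-3100]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R3-acl-adv-3100]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
[R3]ip route-static 10.1.1.0 24 20.1.2.2
[R3]ip route-static 10.1.3.0 24 20.1.2.2
[R4-acl-adv-3100]rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R4]ip route-static 10.1.1.0 24 20.1.3.2
[R4]ip route-static 10.1.2.0 24 20.1.3.2
"""
# Router -> LAN network, as in the topology; R2 is the hub.
LANS = {"R2": "10.1.1.0", "R3": "10.1.2.0", "R4": "10.1.3.0"}

RULE_RE = re.compile(r"^\[(\w+)-acl-adv-\d+\]rule permit ip source (\S+) \S+ destination (\S+) \S+")
ROUTE_RE = re.compile(r"^\[(\w+)\]ip route-static (\S+) \d+ \S+")

def parse(config):
    """Collect (src, dst) protected flows and static-route destinations per router."""
    flows, routes = defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        if m := RULE_RE.match(line):
            flows[m.group(1)].add((m.group(2), m.group(3)))
        elif m := ROUTE_RE.match(line):
            routes[m.group(1)].add(m.group(2))
    return flows, routes

def audit(config, hub, lans):
    """Return a list of findings; an empty list means ACLs and routes are consistent."""
    flows, routes = parse(config)
    net_owner = {lan: r for r, lan in lans.items()}
    findings = []
    for router, pairs in flows.items():
        for src, dst in pairs:
            peer = net_owner.get(dst)
            # The hub has no ACL, so only spoke-to-spoke flows need a mirror rule.
            if peer and peer != hub and (dst, src) not in flows.get(peer, set()):
                findings.append(f"{peer}: missing mirror rule {dst} -> {src} for {router}'s flow")
            if dst not in routes.get(router, set()):
                findings.append(f"{router}: no static route to {dst}")
    for router, lan in lans.items():
        if router != hub and lan not in routes.get(hub, set()):
            findings.append(f"{hub}: no static route to branch LAN {lan}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "R2", LANS):
        print(finding)
```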