Headquarters Uses a Policy Template to Establish Multiple IPsec Tunnels with Branches

Project overview

1. The headquarters router has a fixed public IP address; the branch routers (the Shanghai branch and the Tianjin branch) do not have fixed IP addresses.
2. Only the branch routers can initiate the IPsec VPN towards the headquarters router, so a policy template must be created on the headquarters router.
3. All routers can reach each other.

1. Topology diagram

[Topology diagram image]

2. Environment configuration

R1

<Huawei>sys
[Huawei]sys R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 20.1.1.2 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 20.1.2.2 24
[R1-GigabitEthernet0/0/1]int g2/0/0
[R1-GigabitEthernet2/0/0]ip add 20.1.3.2 24

R2

<Huawei>sys
[Huawei]sys R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip address 20.1.1.1 24
[R2-GigabitEthernet0/0/0]int vlanif 1
[R2-Vlanif1]ip address 10.1.1.1 24

[R2]ip route-static 20.1.3.0 24 20.1.1.2
[R2]ip route-static 20.1.2.0 24 20.1.1.2

R3

<Huawei>sys
[Huawei]sys R3
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip add 20.1.2.1 24
[R3-GigabitEthernet0/0/0]int vlanif1
[R3-Vlanif1]ip add 10.1.2.1 24

[R3]ip route-static 20.1.3.0 24 20.1.2.2
[R3]ip route-static 20.1.1.0 24 20.1.2.2

R4

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys R4
[R4]int g0/0/0
[R4-GigabitEthernet0/0/0]ip add 20.1.3.1 24
[R4-GigabitEthernet0/0/0]int vlanif1
[R4-Vlanif1]ip add 10.1.3.1 24

[R4]ip route-static 20.1.1.0 24 20.1.3.2
[R4]ip route-static 20.1.2.0 24 20.1.3.2

Connectivity test

[Connectivity test screenshots]

3. Create the IPsec tunnels

3.1. Configuration on the headquarters router (R2)

<R2>sys

# Authentication and encryption method
[R2]ipsec proposal prol
[R2-ipsec-proposal-prol]quit

# Peer device identification method
[R2]ike peer rut1 v2
[R2-ike-peer-rut1]pre-shared-key simple 91xueit
[R2-ike-peer-rut1]quit

# Use a policy template
[R2]ipsec policy-template server 10
[R2-ipsec-policy-templet-server-10]ike-peer rut1
[R2-ipsec-policy-templet-server-10]proposal prol
[R2-ipsec-policy-templet-server-10]quit

# Security policy references the policy template
[R2]ipsec policy policy1 10 isakmp template server

# Bind to the physical interface
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ipsec policy policy1
[R2-GigabitEthernet0/0/0]quit

# Add routes
[R2]ip route-static 10.1.2.0 24 20.1.1.2
[R2]ip route-static 10.1.3.0 24 20.1.1.2

3.2. Configure R3

<R3>sys

# ACL access control
[R3]acl 3100
[R3-acl-adv-3100]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R3-acl-adv-3100]quit

# Authentication and encryption method
[R3]ipsec proposal prol
[R3-ipsec-proposal-prol]quit

# Peer device identification method
[R3]ike peer rut1 v2
[R3-ike-peer-rut1]pre-shared-key simple 91xueit
[R3-ike-peer-rut1]remote-address 20.1.1.1
[R3-ike-peer-rut1]quit

# Security policy referencing the preceding configuration
[R3]ipsec policy policy1 10 isakmp
[R3-ipsec-policy-isakmp-policy1-10]ike-peer rut1
[R3-ipsec-policy-isakmp-policy1-10]proposal prol
[R3-ipsec-policy-isakmp-policy1-10]security acl 3100
[R3-ipsec-policy-isakmp-policy1-10]quit

# Bind the security policy to the physical interface
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ipsec policy policy1
[R3-GigabitEthernet0/0/0]quit

# Add routes
[R3]ip route-static 10.1.1.0 24 20.1.2.2

3.3. Configure R4

<R4>sys

[R4]acl 3100
[R4-acl-adv-3100]rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R4-acl-adv-3100]quit

[R4]ipsec proposal prol
[R4-ipsec-proposal-prol]quit

[R4]ike peer rut1 v2
[R4-ike-peer-rut1]pre-shared-key simple 91xueit
[R4-ike-peer-rut1]remote-address 20.1.1.1
[R4-ike-peer-rut1]quit

[R4]ipsec policy policy1 10 isakmp
[R4-ipsec-policy-isakmp-policy1-10]ike-peer rut1
[R4-ipsec-policy-isakmp-policy1-10]proposal prol
[R4-ipsec-policy-isakmp-policy1-10]security acl 3100
[R4-ipsec-policy-isakmp-policy1-10]quit

[R4]int g0/0/0
[R4-GigabitEthernet0/0/0]ipsec policy policy1
[R4-GigabitEthernet0/0/0]quit

[R4]ip route-static 10.1.1.0 24 20.1.3.2

3.4. Configuration to let the two branches communicate with each other through the headquarters IPsec VPN

[R3]acl 3100
[R3-acl-adv-3100]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
[R3-acl-adv-3100]quit

[R3]ip route-static 10.1.3.0 24 20.1.2.2

[R4]acl 3100
[R4-acl-adv-3100]rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[R4-acl-adv-3100]quit

[R4]ip route-static 10.1.2.0 24 20.1.3.2
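As an added example (not part of the original post), a Python check that parses the branch-side ACL and IKE peer settings from the sections above and flags three things to verify before bringing the tunnels up: each branch's remote-address matches the headquarters' fixed public IP, `pre-shared-key simple` leaves the key in cleartext in the saved configuration, and every branch-to-branch ACL rule has its mirror on the other branch (the headquarters side uses the policy template and needs no ACL). The configuration text, its `display current-configuration` layout and the `audit` function are constructed for this example.

```python
import re
# Constructed sample: the branch-side ACL and IKE peer settings from this walkthrough.
CONFIGS = {
    "R3": """
acl number 3100
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
 rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
ike peer rut1 v2
 pre-shared-key simple 91xueit
 remote-address 20.1.1.1
""",
    "R4": """
acl number 3100
 rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
 rule 10 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ike peer rut1 v2
 pre-shared-key simple 91xueit
 remote-address 20.1.1.1
""",
}
HUB_ADDRESS = "20.1.1.1"  # fixed public address of R2 (from the walkthrough)
RULE_RE = re.compile(r"rule\s+\d*\s*permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def parse_rules(cfg):
    """Set of (src, src_wildcard, dst, dst_wildcard) tuples in the ACL."""
    return {m.groups() for m in RULE_RE.finditer(cfg)}

def local_net(rules):  # a branch's own LAN is the single source network of its rules
    sources = {(src, wc) for src, wc, _, _ in rules}
    return next(iter(sources)) if len(sources) == 1 else None

def audit(configs, hub_address):
    findings = []  # human-readable problems; an empty list means consistent
    rules = {name: parse_rules(cfg) for name, cfg in configs.items()}
    nets = {local_net(r): name for name, r in rules.items()}
    for name, cfg in configs.items():
        m = re.search(r"remote-address (\S+)", cfg)
        if not m or m.group(1) != hub_address:
            findings.append(f"{name}: remote-address does not point at hub {hub_address}")
        # 'simple' keeps the PSK in cleartext in the saved configuration
        if "pre-shared-key simple" in cfg:
            findings.append(f"{name}: pre-shared-key stored as cleartext (simple)")
        for src, swc, dst, dwc in rules[name]:
            peer = nets.get((dst, dwc))
            if peer is None:
                continue  # destination is the hub LAN; the hub's policy template needs no ACL
            if (dst, dwc, src, swc) not in rules[peer]:
                findings.append(f"{peer}: missing mirror rule for {name} {src}->{dst}")
    return findings
```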
