IPsec VPN based on Tunnel interfaces
1. Topology
(The diagram is not reproduced. From the configuration below: R1 is the transit router; R2, R3 and R4 connect to it over 20.1.1.0/24, 20.1.2.0/24 and 20.1.3.0/24 respectively, and each fronts a LAN on Vlanif1: 10.1.1.0/24 behind R2, 10.1.2.0/24 behind R3, 10.1.3.0/24 behind R4.)

2. Environment setup
R2
<Huawei>sys
[Huawei]sys R2
[R2]interface g0/0/0
[R2-GigabitEthernet0/0/0]ip address 20.1.1.1 24
[R2-GigabitEthernet0/0/0]int vlanif1
[R2-Vlanif1]ip add 10.1.1.1 24
[R2-Vlanif1]quit
[R2]ip route-static 20.1.3.0 24 20.1.1.2
[R2]ip route-static 20.1.2.0 24 20.1.1.2
R1
<Huawei>sys
[Huawei]sys R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 20.1.1.2 24
[R1-GigabitEthernet0/0/0]int g2/0/0
[R1-GigabitEthernet2/0/0]ip add 20.1.3.2 24
[R1-GigabitEthernet2/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 20.1.2.2 24
R3
<Huawei>sys
[Huawei]sys R3
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip add 20.1.2.1 24
[R3-GigabitEthernet0/0/0]int vlanif1
[R3-Vlanif1]ip add 10.1.2.1 24
[R3]ip route-static 20.1.3.0 24 20.1.2.2
[R3]ip route-static 20.1.1.0 24 20.1.2.2
R4
<Huawei>sys
[Huawei]sys R4
[R4]int g0/0/0
[R4-GigabitEthernet0/0/0]ip add 20.1.3.1 24
[R4-GigabitEthernet0/0/0]int vlanif1
[R4-Vlanif1]ip add 10.1.3.1 24
[R4-Vlanif1]quit
[R4]ip route-static 20.1.1.0 24 20.1.3.2
[R4]ip route-static 20.1.2.0 24 20.1.3.2
Test connectivity
(Screenshots not reproduced. Before building any tunnel, confirm that the three tunnel endpoints 20.1.1.1, 20.1.2.1 and 20.1.3.1 can ping each other through R1; IKE has nothing to negotiate over otherwise.)

3. Create the Tunnels
3.1. R2 -> R4
<R2>sys
# data authentication and encryption: the IPsec proposal (left at the platform defaults here; in production set the ESP algorithms explicitly rather than relying on the defaults)
[R2]ipsec proposal prop
[R2-ipsec-proposal-prop]quit
# peer authentication: IKEv2 with a pre-shared key
[R2]ike peer spu1 v2
[R2-ike-peer-spu1]peer-id-type ip
[R2-ike-peer-spu1]pre-shared-key simple 91xueit #simple keeps the key in cleartext in the configuration; cipher stores it encrypted
[R2-ike-peer-spu1]quit
# profile binding the proposal and the IKE peer
[R2]ipsec profile profile1
[R2-ipsec-profile-profile1]proposal prop
[R2-ipsec-profile-profile1]ike-peer spu1
[R2-ipsec-profile-profile1]quit
# tunnel interface
[R2]interface Tunnel 0/0/0
[R2-Tunnel0/0/0]ip address 192.168.0.1 24
[R2-Tunnel0/0/0]tunnel-protocol ipsec #protocol
[R2-Tunnel0/0/0]source 20.1.1.1 #source address
[R2-Tunnel0/0/0]destination 20.1.3.1 #destination address (destination, not description: description only sets a text label and the tunnel would never come up)
[R2-Tunnel0/0/0]ipsec profile profile1 #调用配置清单
[R2-Tunnel0/0/0]quit
# route: send the remote LAN 10.1.3.0/24 into the tunnel via the peer's tunnel address
[R2]ip route-static 10.1.3.0 24 192.168.0.2
3.2. R2 -> R3
<R2>sys
[R2]ike peer spu2 v2
[R2-ike-peer-spu2]peer-id-type ip
[R2-ike-peer-spu2]pre-shared-key simple 51cto
[R2-ike-peer-spu2]quit
[R2]ipsec profile profile2
[R2-ipsec-profile-profile2]proposal prop
[R2-ipsec-profile-profile2]ike-peer spu2
[R2-ipsec-profile-profile2]quit
[R2]interface Tunnel 0/0/1
[R2-Tunnel0/0/1]ip address 192.168.1.1 24
[R2-Tunnel0/0/1]tunnel-protocol ipsec
[R2-Tunnel0/0/1]source 20.1.1.1
[R2-Tunnel0/0/1]destination 20.1.2.1
[R2-Tunnel0/0/1]ipsec profile profile2
[R2-Tunnel0/0/1]quit
[R2]ip route-static 10.1.2.0 24 192.168.1.2
3.3. R4 -> R2
<R4>sys
[R4]ipsec proposal prop
[R4-ipsec-proposal-prop]quit
[R4]ike peer spu1 v2
[R4-ike-peer-spu1]peer-id-type ip
[R4-ike-peer-spu1]pre-shared-key simple 91xueit
[R4-ike-peer-spu1]quit
[R4]ipsec profile profile1
[R4-ipsec-profile-profile1]proposal prop
[R4-ipsec-profile-profile1]ike-peer spu1
[R4-ipsec-profile-profile1]quit
[R4]interface Tunnel 0/0/0
[R4-Tunnel0/0/0]ip address 192.168.0.2 24
[R4-Tunnel0/0/0]tunnel-protocol ipsec
[R4-Tunnel0/0/0]source 20.1.3.1
[R4-Tunnel0/0/0]destination 20.1.1.1
[R4-Tunnel0/0/0]ipsec profile profile1
[R4-Tunnel0/0/0]quit
[R4]ip route-static 10.1.1.0 24 192.168.0.1
3.4. R3 -> R2
<R3>sys
[R3]ipsec proposal prop
[R3-ipsec-proposal-prop]quit
[R3]ike peer spu2 v2
[R3-ike-peer-spu2]peer-id-type ip
[R3-ike-peer-spu2]pre-shared-key simple 51cto
[R3-ike-peer-spu2]quit
[R3]ipsec profile profile2
[R3-ipsec-profile-profile2]proposal prop
[R3-ipsec-profile-profile2]ike-peer spu2
[R3-ipsec-profile-profile2]quit
[R3]interface Tunnel 0/0/1
[R3-Tunnel0/0/1]ip address 192.168.1.2 24
[R3-Tunnel0/0/1]tunnel-protocol ipsec
[R3-Tunnel0/0/1]source 20.1.2.1
[R3-Tunnel0/0/1]destination 20.1.1.1
[R3-Tunnel0/0/1]ipsec profile profile2
[R3-Tunnel0/0/1]quit
[R3]ip route-static 10.1.1.0 24 192.168.1.1
3.5. R3 -> R4, R4 -> R3
Method 1: build a third tunnel directly between R3 and R4, the same way as above.
Method 2: use static routes and relay through R2.
# relay through R2: R3 -> R4 traffic enters Tunnel0/0/1, R2 decrypts it and re-encrypts it into Tunnel0/0/0, so R2 sees the plaintext and carries the load (method 1 keeps the traffic encrypted end to end). R2 already has the routes it needs from 3.1 and 3.2.
[R3]ip route-static 10.1.3.0 24 192.168.1.1
[R4]ip route-static 10.1.2.0 24 192.168.0.1
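Before bringing the tunnels up, the four snippets in section 3 can be cross-checked offline. The following is an added example, not code from the page's author: a small Python parser for VRP sessions pasted in the page's format (prompts and trailing `#` comments included) that walks Tunnel -> ipsec profile -> ike peer on each router and reports what stops an IPsec tunnel from negotiating: a Tunnel whose destination was never set (a `description` line instead of `destination`), a source/destination pair that no peer mirrors, IKE version or pre-shared-key mismatch, tunnel addresses that are not in one subnet, keys kept with `simple`, and lines typed at another router's prompt. The embedded inputs are sections 3.1 and 3.3 as written (with R2's `description` line); the prompt regex, the limited command grammar and the `audit` helper are assumptions of this example.

```python
"""Added example, not the page's code: offline cross-check of the Tunnel/IPsec
snippets in section 3. Parses pasted VRP sessions (prompts and trailing '#'
comments allowed; only the command forms the page uses are understood)."""
import ipaddress
import re

PROMPT = re.compile(r"^[<\[]([^\]>-]+)[^>\]]*[>\]]")  # <R2>  [R2]  [R2-Tunnel0/0/0]

def parse_vrp(text):
    cfg = {"hosts": set(), "ike": {}, "profiles": {}, "tunnels": {}}
    kind, ctx = None, None  # which view we are in, and the dict being filled
    for raw in map(str.strip, text.splitlines()):
        m = PROMPT.match(raw)
        if m:  # remember whose prompt the line was typed at
            cfg["hosts"].add(m.group(1))
            raw = raw[m.end():]
        w = raw.split("#", 1)[0].split() or [""]  # drop the page's inline comments
        if w[0] == "quit":
            kind, ctx = None, None
        elif w[:2] == ["ike", "peer"]:
            kind, ctx = "ike", cfg["ike"].setdefault(w[2], {"version": w[3] if len(w) > 3 else "v1"})
        elif w[:2] == ["ipsec", "profile"]:
            if kind == "tunnel":
                ctx["profile"] = w[2]  # binding under the Tunnel interface
            else:
                kind, ctx = "profile", cfg["profiles"].setdefault(w[2], {})
        elif w[0] == "interface" and len(w) > 1 and w[1].lower().startswith("tunnel"):
            kind, ctx = "tunnel", cfg["tunnels"].setdefault("".join(w[1:]), {})
        elif kind == "ike" and w[0] == "pre-shared-key":
            ctx["psk_mode"], ctx["psk"] = w[1], w[2]
        elif kind == "profile" and w[0] == "ike-peer":
            ctx["ike"] = w[1]
        elif kind == "tunnel" and w[:2] == ["ip", "address"]:
            ctx["ip"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif kind == "tunnel" and w[0] in ("source", "destination", "tunnel-protocol"):
            ctx[w[0]] = w[1]
    return cfg

def keying(cfg, tun):  # Tunnel -> ipsec profile -> ike peer; {} if a link is missing
    prof = cfg["profiles"].get(tun.get("profile"), {})
    return cfg["ike"].get(prof.get("ike"), {})

def check_site(routers):  # routers = {hostname: parse_vrp(...)}; [] means consistent
    out, tunnels = [], [(r, n, t) for r, c in routers.items() for n, t in c["tunnels"].items()]
    for r, c in routers.items():
        for other in sorted(c["hosts"] - {r}):
            out.append(f"{r}: a line was typed at prompt [{other}], pasted on the wrong router?")
    for r, n, t in tunnels:
        tag = f"{r} {n}"
        if t.get("tunnel-protocol") != "ipsec" or "destination" not in t:
            out.append(f"{tag}: tunnel-protocol must be ipsec and a destination must be set ('description' is not 'destination')")
            continue
        peer = [p for p in tunnels if p[2].get("source") == t["destination"]
                and p[2].get("destination") == t.get("source")]
        if not peer:
            out.append(f"{tag}: no peer tunnel with source {t['destination']} and destination {t.get('source')}")
            continue
        pr, pn, pt = peer[0]
        k, pk = keying(routers[r], t), keying(routers[pr], pt)
        if not k.get("psk") or (k["psk"], k["version"]) != (pk.get("psk"), pk.get("version")):
            out.append(f"{tag} <-> {pr} {pn}: IKE version or pre-shared key missing or mismatched")
        if k.get("psk_mode") == "simple":
            out.append(f"{tag}: pre-shared key stored with 'simple' (cleartext in the config)")
        if "ip" in t and "ip" in pt and t["ip"].network != pt["ip"].network:
            out.append(f"{tag} <-> {pr} {pn}: tunnel addresses {t['ip']} / {pt['ip']} not in one subnet")
    return out

# Constructed input: sections 3.1 and 3.3 as pasted (R2 still has its 'description' line).
R2_PAGE = """\
[R2]ike peer spu1 v2
[R2-ike-peer-spu1]pre-shared-key simple 91xueit
[R2]ipsec profile profile1
[R2-ipsec-profile-profile1]ike-peer spu1
[R2]interface Tunnel 0/0/0
[R2-Tunnel0/0/0]ip address 192.168.0.1 24
[R2-Tunnel0/0/0]tunnel-protocol ipsec #protocol
[R2-Tunnel0/0/0]source 20.1.1.1 #source address
[R2-Tunnel0/0/0]description 20.1.3.1 #meant to be the peer address
[R2-Tunnel0/0/0]ipsec profile profile1
[R2-Tunnel0/0/0]quit"""
R4_PAGE = """\
[R4]ike peer spu1 v2
[R4-ike-peer-spu1]pre-shared-key simple 91xueit
[R4]ipsec profile profile1
[R4-ipsec-profile-profile1]ike-peer spu1
[R4]interface Tunnel 0/0/0
[R4-Tunnel0/0/0]ip address 192.168.0.2 24
[R4-Tunnel0/0/0]tunnel-protocol ipsec
[R4-Tunnel0/0/0]source 20.1.3.1
[R4-Tunnel0/0/0]destination 20.1.1.1
[R4-Tunnel0/0/0]ipsec profile profile1
[R4-Tunnel0/0/0]quit"""
R2_FIXED = R2_PAGE.replace("description", "destination")

def audit(r2_text=R2_PAGE, r4_text=R4_PAGE):
    return check_site({"R2": parse_vrp(r2_text), "R4": parse_vrp(r4_text)})
```

`audit()` on the page's text reports two problems (R2's tunnel has no destination, so R4's tunnel finds no mirror); `audit(R2_FIXED)` leaves only the two `simple` warnings, and switching both keys to `cipher` clears the list. On the routers themselves, `display ike sa` and `display ipsec sa` show whether the negotiation this static check predicts has actually completed.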
4. Test
(Screenshots not reproduced. Ping between the LAN addresses, for example from 10.1.1.0/24 behind R2 to 10.1.3.0/24 behind R4 and to 10.1.2.0/24 behind R3, and between the R3 and R4 LANs for section 3.5.)

5. Packet capture
(Capture not reproduced. On R1's links a working tunnel shows IKEv2 on UDP port 500 between the two tunnel endpoints, followed by ESP, IP protocol 50; the 10.x.x.x addresses and the payload are inside the ESP packet and are not visible.)