实例：动态智能VPN(DSVPN)_shortcut

Contents

动态只能VPN(DSVPN)详解.mp4

动态只能VPN(DSVPN)详解.mp4

1.DSVPN简介

1.1.定义

动态智能VPN（Dynamic Smart Virtual Private Network），简称DSVPN，是一种在Hub-Spoke组网方式下为公网地址动态变化的分支之间建立VPN隧道的解决方案。

1.2.目的

越来越多的企业希望建立Hub-Spoke方式的IPSec VPN网络将企业总部（Hub）与地理位置不同的多个分支（Spoke）相连，从而加强企业的通信安全、降低通信成本。当企业总部采用静态的公网地址接入Internet，分支机构采用动态的公网地址接入Internet时，使用传统的IPSec、GRE over IPSec等技术构建VPN网络将存在一个问题，即分支之间无法直接通信（源分支无法获取目的分支公网地址，也就无法在分支之间直接建立隧道），所有分支之间的通信数据只能由总部中转。转自华为

2.拓扑图

3.环境配置

[Huawei]sys R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 20.1.1.2 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 20.1.2.2 24
[R1-GigabitEthernet0/0/1]int g2/0/0
[R1-GigabitEthernet2/0/0]ip add 20.1.3.2 24

<Huawei>sys 
[Huawei]sys R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 20.1.1.1 24
[R2]int vlanif1
[R2-Vlanif1]ip add 192.168.1.1 24
[R2]ip route-static 20.1.2.0 24 20.1.1.2
[R2]ip route-static 20.1.3.0 24 20.1.1.2

<Huawei>sys
[Huawei]sys R3
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip add 20.1.2.1 24
[R3]int vlanif1
[R3-Vlanif1]ip add 192.168.2.1 24
[R3]ip route-static 20.1.1.0 24 20.1.2.2
[R3]ip route-static 20.1.3.0 24 20.1.2.2

<Huawei>sys
[Huawei]sys R3
[R4]int g0/0/0
[R4-GigabitEthernet0/0/0]ip add 20.1.3.1 24
[R4]int vlanif1
[R4-Vlanif1]ip add 192.168.3.1 24
[R4]ip route-static 20.1.1.0 24 20.1.3.2
[R4]ip route-static 20.1.2.0 24 20.1.3.2

连通性测试

4.配置DSVPN

4.1.配置R2-HUB

<R2>sys
Enter system view, return user view with Ctrl+Z.
[R2]sys R2-HUB
[R2-HUB]interface Tunnel 0/0/0
[R2-HUB-Tunnel0/0/0]ip address 172.16.0.1 24
[R2-HUB-Tunnel0/0/0]tunnel-protocol gre p2mp
[R2-HUB-Tunnel0/0/0]source GigabitEthernet 0/0/0
[R2-HUB-Tunnel0/0/0]nhrp entry multicast dynamic 
[R2-HUB-Tunnel0/0/0]quit

[R2-HUB]ip route-static 192.168.2.0 24 172.16.0.2
[R2-HUB]ip route-static 192.168.3.0 24 172.16.0.2

4.2.配置R3

[R3]interface Tunnel 0/0/0
[R3-Tunnel0/0/0]ip add 172.16.0.2 24
[R3-Tunnel0/0/0]tunnel-protocol gre p2mp
[R3-Tunnel0/0/0]source GigabitEthernet 0/0/0
[R3-Tunnel0/0/0]nhrp entry 172.16.0.1 20.1.1.1 register 
[R3-Tunnel0/0/0]quit

[R3]ip route-static 192.168.1.0 24 172.16.0.1
[R3]ip route-static 192.168.3.0 24 172.16.0.3

4.3.配置R4

[R4]interface Tunnel 0/0/0
[R4-Tunnel0/0/0]ip address 172.16.0.3 24
[R4-Tunnel0/0/0]tunnel-protocol gre p2mp
[R4-Tunnel0/0/0]source GigabitEthernet 0/0/0    
[R4-Tunnel0/0/0]nhrp entry 172.16.0.1 20.1.1.1 register 
[R4-Tunnel0/0/0]quit

[R4]ip route-static 192.168.1.0 24 172.16.0.1
[R4]ip route-static 192.168.2.0 24 172.16.0.2

5.测试

6.抓包

192.168.2.2 PING 192.168.1.2

192.168.2.2 PING 192.168.3.2

没有任何抓包信息，证明R3和A4是直接通讯的

7.查询命令

#查看令居信息
display nhrp peer all

8.DSVPN-shortcut

8.1.简介

与前面的不同之处，shortcut的所有流量都会经过hub

8.2.配置DSVPN-shortcut

HUB-R2

[R2]sys HUB-R2
[HUB-R2]interface Tunnel 0/0/0
[HUB-R2-Tunnel0/0/0]ip address 172.16.0.1 24
[HUB-R2-Tunnel0/0/0]tunnel-protocol gre p2mp
[HUB-R2-Tunnel0/0/0]source GigabitEthernet 0/0/0
[HUB-R2-Tunnel0/0/0]nhrp entry multicast dynamic 
[HUB-R2-Tunnel0/0/0]nhrp redirect
[HUB-R2-Tunnel0/0/0]quit

[HUB-R2]ip route-static 192.168.2.0 24 172.16.0.2
[HUB-R2]ip route-static 192.168.3.0 24 172.16.0.3

<R3>sys
[R3]interface Tunnel 0/0/0
[R3-Tunnel0/0/0]ip address 172.16.0.2 24
[R3-Tunnel0/0/0]tunnel-protocol gre p2mp
[R3-Tunnel0/0/0]source GigabitEthernet 0/0/0
[R3-Tunnel0/0/0]nhrp entry 172.16.0.1 20.1.1.1 register 
[R3-Tunnel0/0/0]nhrp shortcut
[R3-Tunnel0/0/0]quit

[R3]ip route-static 192.168.0.0 16 172.16.0.1

<R3>sys
[R4]interface Tunnel 0/0/0
[R4-Tunnel0/0/0]ip add 172.16.0.3 24
[R4-Tunnel0/0/0]tunnel-protocol gre p2mp
[R4-Tunnel0/0/0]source GigabitEthernet 0/0/0
[R4-Tunnel0/0/0]nhrp entry 172.16.0.1 20.1.1.1 register 
[R4-Tunnel0/0/0]nhrp shortcut
[R4-Tunnel0/0/0]quit

[R4]ip route-static 192.168.0.0 16 172.16.0.1

8.3.测试

PC1 PING通 PC2，PC3

抓包

PC2 PING通 PC3

一	二	三	四	五	六	日
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31

z-notes