76 - Example: Configuring IPsec over GRE Interoperation Between MSR Series Routers and Cisco
Copyright © 2014 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this document may be excerpted, reproduced, or transmitted in any form by any unit or individual without the prior written consent of the company. The information in this document is subject to change without notice.
This document describes a typical configuration example for IPsec over GRE interoperation between an MSR router and a Cisco router.
There are two ways to achieve IPsec over GRE interoperation between MSR and Cisco.
Method 1: The Cisco side is configured normally. On the MSR side, the remote-address in the IKE peer is set to the Cisco physical interface address rather than the Tunnel interface address.
Method 2: The MSR side is configured normally. On the Cisco side, a loopback interface is created, the Tunnel interface is configured as ip unnumbered to that loopback, and crypto map tunnel local-address Loopback0 is configured.
With method 1, MSR performs IKE and IPsec negotiation with the Cisco physical interface address. When MSR sends a packet, it performs IPsec encapsulation according to the IPsec SA and sends it directly to the peer's physical interface without GRE encapsulation, while Cisco performs both IPsec and GRE encapsulation when sending. Communication works in this mode, but strictly speaking it is not IPsec over GRE.
With method 2, packets sent by both ends are both IPsec-encapsulated and GRE-encapsulated.
This document does not strictly correspond to specific software or hardware versions. If the product behaves differently from what is described here, refer to the relevant product manual or follow the actual behavior of the device.
The configurations in this document were performed and verified in a lab environment, with all device parameters at their factory defaults before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in the following examples.
This document assumes that you are familiar with the IPsec and GRE features.
As shown in Figure 1, MSR and Cisco are connected over Ethernet. Requirements: the Cisco side is configured normally, and the IKE peer address on the MSR side is the Cisco physical interface address, so that IPsec over GRE protects the data and carries the routes between the two private networks.
Figure 1 Network diagram for IPsec over GRE interoperation between MSR and Cisco
· Configure static routes through the GRE tunnel so that the private networks at both ends can communicate.
· Combine IPsec with GRE to protect the traffic routed through the GRE tunnel, that is, the communication between the two private networks.
· On the MSR side, set remote-address in the IKE peer to the Cisco physical interface address, so that MSR does not perform GRE encapsulation when sending packets while the Cisco side does.
This example was configured and verified on Release 2317.
# Configure the IP address of interface GigabitEthernet0/0.
<MSR> system-view
[MSR] interface gigabitethernet 0/0
[MSR-GigabitEthernet0/0] ip address 1.0.0.2 24
[MSR-GigabitEthernet0/0] quit
# Configure the IP address of LoopBack0.
[MSR] interface loopback 0
[MSR-LoopBack0] ip address 100.0.0.1 32
[MSR-LoopBack0] quit
# Configure the GRE tunnel.
[MSR] interface tunnel 0
[MSR-Tunnel0] ip address 10.0.0.2 24
[MSR-Tunnel0] source 1.0.0.2
[MSR-Tunnel0] destination 1.0.0.1
[MSR-Tunnel0] quit
# Create ACL 3001 to define the data flow to be protected by IPsec.
[MSR] acl number 3001
[MSR-acl-adv-3001] rule 0 permit ip source 10.0.0.2 0 destination 10.0.0.1 0
[MSR-acl-adv-3001] rule 10 permit ip source 100.0.0.0 0.0.0.255 destination 101.0.0.0 0.0.0.255
[MSR-acl-adv-3001] quit
# Configure the IKE peer.
[MSR] ike peer tunnel
[MSR-ike-peer-tunnel] pre-shared-key simple test
[MSR-ike-peer-tunnel] remote-address 1.0.0.1
[MSR-ike-peer-tunnel] quit
# Configure the IPsec proposal.
[MSR] ipsec proposal test
[MSR-ipsec-proposal-test] esp encryption-algorithm 3des
[MSR-ipsec-proposal-test] quit
# Configure the IPsec policy.
[MSR] ipsec policy tunnel 1 isakmp
[MSR-ipsec-policy-isakmp-tunnel-1] security acl 3001
[MSR-ipsec-policy-isakmp-tunnel-1] ike-peer tunnel
[MSR-ipsec-policy-isakmp-tunnel-1] proposal test
[MSR-ipsec-policy-isakmp-tunnel-1] quit
# Apply the IPsec policy to the GRE tunnel interface.
[MSR] interface tunnel 0
[MSR-Tunnel0] ipsec policy tunnel
[MSR-Tunnel0] quit
# Configure a static route.
[MSR] ip route-static 101.0.0.0 255.255.255.0 Tunnel0
# Configure the IP address of interface FastEthernet0/0.
Cisco> enable
Cisco# configure terminal
Cisco(config)# interface fastEthernet 0/0
Cisco(config-if)# ip address 1.0.0.1 255.255.255.0
Cisco(config-if)# duplex full
Cisco(config-if)# exit
# Configure the IP address of Loopback0.
Cisco(config)# interface loopback 0
Cisco(config-if)# ip address 101.0.0.1 255.255.255.255
Cisco(config-if)# exit
# Configure the GRE tunnel.
Cisco(config)# interface tunnel 0
Cisco(config-if)# ip address 10.0.0.1 255.255.255.0
Cisco(config-if)# tunnel source 1.0.0.1
Cisco(config-if)# tunnel destination 1.0.0.2
Cisco(config-if)# bandwidth 2048
Cisco(config-if)# exit
# Create ACL 102 to define the data flow to be protected by IPsec.
Cisco(config)# access-list 102 permit ip host 10.0.0.1 host 10.0.0.2
Cisco(config)# access-list 102 permit ip 101.0.0.0 0.0.0.255 100.0.0.0 0.0.0.255
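ACL 3001 on MSR and ACL 102 on Cisco must be exact mirrors of each other (each Cisco entry is the MSR entry with source and destination swapped); an entry without a mirror is the usual cause of a phase-2 selector mismatch that leaves the IKE SA up but no IPsec SA. The Python script below is an added example, not part of this H3C document or of either vendor's software. It parses the two ACLs exactly as written above, normalizes the H3C and Cisco wildcard notations to prefixes, and reports any entry with no mirrored counterpart. CISCO_ACL_102_BAD is a constructed variant with a wrong wildcard to show what a mismatch report looks like.

```python
import ipaddress
import re

# The two ACLs as configured on this page (MSR ACL 3001 and Cisco ACL 102).
H3C_ACL_3001 = """\
rule 0 permit ip source 10.0.0.2 0 destination 10.0.0.1 0
rule 10 permit ip source 100.0.0.0 0.0.0.255 destination 101.0.0.0 0.0.0.255
"""

CISCO_ACL_102 = """\
access-list 102 permit ip host 10.0.0.1 host 10.0.0.2
access-list 102 permit ip 101.0.0.0 0.0.0.255 100.0.0.0 0.0.0.255
"""

# Constructed for illustration: the second entry uses a /16 wildcard instead of /24.
CISCO_ACL_102_BAD = """\
access-list 102 permit ip host 10.0.0.1 host 10.0.0.2
access-list 102 permit ip 101.0.0.0 0.0.255.255 100.0.0.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """Turn an address plus wildcard mask (H3C bare '0' or dotted form) into an IPv4Network."""
    wc = int(ipaddress.IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    if wc & (wc + 1):
        # set bits are not a contiguous low-order run, so no prefix describes this selector
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be an IPsec selector")
    mask = ~wc & 0xFFFFFFFF
    prefix = 32 - wc.bit_length()
    return ipaddress.IPv4Network((int(ipaddress.IPv4Address(addr)) & mask, prefix))


def parse_h3c_acl(text):
    """Return (source, destination) network pairs for the permit rules of an H3C advanced ACL."""
    flows = []
    pattern = r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)"
    for line in text.splitlines():
        m = re.match(pattern, line.strip())
        if m:
            flows.append((wildcard_to_network(m.group(1), m.group(2)),
                          wildcard_to_network(m.group(3), m.group(4))))
    return flows


def _cisco_endpoint(tokens):
    """Consume one Cisco ACL endpoint ('any', 'host X', or 'X wildcard') and return the rest."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_cisco_acl(text):
    """Return (source, destination) network pairs for the permit ip lines of a Cisco extended ACL."""
    flows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[2] != "permit" or tokens[3] != "ip":
            continue
        src, rest = _cisco_endpoint(tokens[4:])
        dst, _ = _cisco_endpoint(rest)
        flows.append((src, dst))
    return flows


def mirror_mismatches(local_flows, peer_flows):
    """Return (local entries with no mirror on the peer, peer entries with no mirror locally)."""
    local = set(local_flows)
    peer_mirrored = {(dst, src) for src, dst in peer_flows}
    return (sorted(local - peer_mirrored, key=str),
            sorted(peer_mirrored - local, key=str))


if __name__ == "__main__":
    for name, acl in (("ACL 102", CISCO_ACL_102), ("ACL 102 (bad)", CISCO_ACL_102_BAD)):
        only_msr, only_cisco = mirror_mismatches(parse_h3c_acl(H3C_ACL_3001), parse_cisco_acl(acl))
        print(name, "unmirrored on MSR:", only_msr, "unmirrored on Cisco:", only_cisco)
```

Both lists are empty for the ACLs on this page; for the constructed bad ACL the script reports the 100.0.0.0/24 to 101.0.0.0/24 entry on MSR and the mirrored /16 entry on Cisco as unmatched, which is the pair to compare when a phase-2 negotiation fails.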
# Configure the IKE peer.
Cisco(config)# crypto isakmp policy 1
Cisco(config-isakmp)# authentication pre-share
Cisco(config-isakmp)# exit
Cisco(config)# crypto isakmp key test address 10.0.0.2
# Configure the IPsec transform set.
Cisco(config)# crypto ipsec transform-set test esp-3des esp-md5-hmac
Cisco(config-trans)# mode tunnel
Cisco(config-trans)# exit
# Configure the IPsec crypto map.
Cisco(config)# crypto map tunnel 10 ipsec-isakmp
Cisco(config-crypto-map)# set peer 10.0.0.2
Cisco(config-crypto-map)# set transform-set test
Cisco(config-crypto-map)# match address 102
Cisco(config-crypto-map)# exit
# Apply the crypto map to the GRE tunnel interface.
Cisco(config)# interface tunnel 0
Cisco(config-if)# crypto map tunnel
Cisco(config-if)# exit
# Configure a static route.
Cisco(config)# ip route 100.0.0.0 255.255.255.0 Tunnel0
# On MSR, the following display output shows that IKE negotiation succeeded and SAs for both phases were created.
<MSR> display ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
141 1.0.0.1 RD|ST 2 IPSEC
140 1.0.0.1 RD|ST 1 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
# On MSR, the following display output shows the negotiated IPsec SAs.
<MSR> display ipsec sa
===============================
Interface: Tunnel0
path MTU: 1476
===============================
-----------------------------
IPsec policy name: "tunnel"
sequence number: 1
mode: isakmp
-----------------------------
connection id: 13
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local address: 10.0.0.2
remote address: 1.0.0.1
Flow :
sour addr: 10.0.0.2/255.255.255.255 port: 0 protocol: IP
dest addr: 10.0.0.1/255.255.255.255 port: 0 protocol: IP
[inbound ESP SAs]
spi: 3234777945 (0xc0cecb59)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3584
max received sequence-number: 4
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3885596902 (0xe79980e6)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3584
max sent sequence-number: 5
udp encapsulation used for nat traversal: N
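Besides confirming that both SAs exist, the two MSR outputs above are worth reading for what they say about the security of the negotiated tunnel: the proposal is ESP-ENCRYPT-3DES with ESP-AUTH-MD5, perfect forward secrecy is None, and the only protection against replayed ESP packets is the inbound anti-replay window. The Python script below is an added example, not part of this H3C document or of the MSR software: it parses the display ike sa and display ipsec sa output excerpted from this page, checks that READY SAs for both phases exist with the expected peer, and lists the weak settings a reviewer would raise. The WEAK_TOKENS list and the wording of the findings are this example's own choices.

```python
import re

# Excerpted from the MSR "display ike sa" and "display ipsec sa" outputs on this page (method 1).
DISPLAY_IKE_SA = """\
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
141 1.0.0.1 RD|ST 2 IPSEC
140 1.0.0.1 RD|ST 1 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
"""

DISPLAY_IPSEC_SA = """\
IPsec policy name: "tunnel"
sequence number: 1
mode: isakmp
connection id: 13
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local address: 10.0.0.2
remote address: 1.0.0.1
Flow :
sour addr: 10.0.0.2/255.255.255.255 port: 0 protocol: IP
dest addr: 10.0.0.1/255.255.255.255 port: 0 protocol: IP
[inbound ESP SAs]
spi: 3234777945 (0xc0cecb59)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3885596902 (0xe79980e6)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
max sent sequence-number: 5
udp encapsulation used for nat traversal: N
"""

# Algorithm name fragments this audit treats as weak (64-bit block ciphers, MD5-based HMAC).
WEAK_TOKENS = ("3DES", "DES", "MD5")


def parse_ike_sa(text):
    """One dict per SA row of 'display ike sa': connection id, peer, flag list and phase."""
    sas = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s+(\S+)\s+([12])\s+\S+\s*$", line)
        if m:
            sas.append({"id": int(m.group(1)), "peer": m.group(2),
                        "flags": m.group(3).split("|"), "phase": int(m.group(4))})
    return sas


def parse_ipsec_sa(text):
    """Tunnel remote address, PFS setting and per-direction ESP SA attributes of 'display ipsec sa'."""
    sa = {"remote": None, "pfs": None, "esp": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("[inbound ESP SAs]", "[outbound ESP SAs]"):
            current = {"direction": line[1:].split()[0]}
            sa["esp"].append(current)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "remote address":
            sa["remote"] = value
        elif key == "perfect forward secrecy":
            sa["pfs"] = value
        elif current is not None:
            if key == "spi":
                current["spi"] = int(value.split()[0])
            elif key == "proposal":
                current["proposal"] = value.split()
            elif key == "anti-replay check enable":
                current["anti_replay"] = value == "Y"
    return sa


def audit_sa(ike_text, ipsec_text, expected_peer):
    """Return human-readable findings; an empty list means the SA pair is up and nothing is flagged."""
    findings = []
    ready = {s["phase"] for s in parse_ike_sa(ike_text)
             if s["peer"] == expected_peer and "RD" in s["flags"]}
    if ready != {1, 2}:
        findings.append(f"IKE: READY SAs with {expected_peer} only for phases {sorted(ready)}")
    ipsec = parse_ipsec_sa(ipsec_text)
    if ipsec["remote"] != expected_peer:
        findings.append(f"IPsec: remote address {ipsec['remote']} != expected {expected_peer}")
    if ipsec["pfs"] in (None, "None"):
        findings.append("IPsec: PFS disabled, phase-2 keys are derived from the IKE SA only")
    for esp in ipsec["esp"]:
        weak = [t for t in esp.get("proposal", []) if any(w in t for w in WEAK_TOKENS)]
        if weak:
            findings.append(f"IPsec {esp['direction']}: weak transforms {' '.join(weak)}")
        # anti-replay is a receiver-side property, so only the inbound SA reports it
        if esp["direction"] == "inbound" and not esp.get("anti_replay"):
            findings.append("IPsec inbound: anti-replay check disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_sa(DISPLAY_IKE_SA, DISPLAY_IPSEC_SA, "1.0.0.1"):
        print(finding)
```

Run against the output on this page with the expected peer 1.0.0.1, the audit reports three findings (PFS off, and 3DES/MD5 on both the inbound and the outbound SA) and no state problem; given 10.0.0.1 as the expected peer, as it would be under method 2, it additionally flags the IKE state and the remote address, which is how a mis-set remote-address shows up.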
# On the Cisco device, the following display output shows the IKE SA.
Cisco# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1 1.0.0.1 10.0.0.2 ACTIVE des sha psk 1 23:58:44
Connection-id:Engine-id = 1:1(software)
# On the Cisco device, the following display output shows the IPsec SAs.
Cisco# show crypto ipsec sa detail
interface: Tunnel0
Crypto map tag: tunnel, local addr 1.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
current_peer 10.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 1.0.0.1, remote crypto endpt.: 10.0.0.2
path mtu 1476, ip mtu 1476
current outbound spi: 0xC0CECB59(3234777945)
inbound esp sas:
spi: 0xE79980E6(3885596902)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: tunnel
sa timing: remaining key lifetime (k/sec): (1759742/3502)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC0CECB59(3234777945)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: SW:6, crypto map: tunnel
sa timing: remaining key lifetime (k/sec): (1759742/3502)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (101.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (100.0.0.0/255.255.255.0/0/0)
current_peer 10.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 1.0.0.1, remote crypto endpt.: 10.0.0.2
path mtu 1476, ip mtu 1476
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
· MSR:
#
acl number 3001
rule 0 permit ip source 10.0.0.2 0 destination 10.0.0.1 0
rule 10 permit ip source 100.0.0.0 0.0.0.255 destination 101.0.0.0 0.0.0.255
#
ike peer tunnel
pre-shared-key simple test
remote-address 1.0.0.1
#
ipsec proposal test
esp encryption-algorithm 3des
#
ipsec policy tunnel 1 isakmp
security acl 3001
ike-peer tunnel
proposal test
#
interface LoopBack0
ip address 100.0.0.1 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
ip address 1.0.0.2 255.255.255.0
#
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
source 1.0.0.2
destination 1.0.0.1
ipsec policy tunnel
#
ip route-static 101.0.0.0 255.255.255.0 Tunnel0
#
· Cisco:
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key test address 10.0.0.2
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
mode tunnel
!
crypto map tunnel 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set test
match address 102
!
interface Tunnel0
bandwidth 2048
ip address 10.0.0.1 255.255.255.0
tunnel source 1.0.0.1
tunnel destination 1.0.0.2
crypto map tunnel
!
interface Loopback0
ip address 101.0.0.1 255.255.255.255
!
interface FastEthernet0/0
ip address 1.0.0.1 255.255.255.0
duplex full
!
ip route 100.0.0.0 255.255.255.0 Tunnel0
!
access-list 102 permit ip host 10.0.0.1 host 10.0.0.2
access-list 102 permit ip 101.0.0.0 0.0.0.255 100.0.0.0 0.0.0.255
!
End
As shown in Figure 2, MSR and Cisco are connected over Ethernet. Requirements: the MSR side is configured normally, and the IKE peer address is the Cisco GRE tunnel address, so that IPsec over GRE protects the data and carries the routes between the two private networks.
Figure 2 Network diagram for IPsec over GRE interoperation between MSR and Cisco
· Configure static routes through the GRE tunnel so that the private networks at both ends can communicate.
· Combine IPsec with GRE to protect the traffic routed through the GRE tunnel, that is, the communication between the two private networks.
· On Cisco, configure the Tunnel interface as ip unnumbered to the loopback interface; on MSR, set remote-address to the peer's GRE tunnel address, so that both ends perform both GRE and IPsec encapsulation.
This example was configured and verified on MSR Release 2207 and Cisco IOS 12.4.
# Configure the IP address of interface GigabitEthernet0/0.
<MSR> system-view
[MSR] interface Gigabitethernet0/0
[MSR-GigabitEthernet0/0] ip address 1.0.0.2 24
[MSR-GigabitEthernet0/0] quit
# Configure the IP address of LoopBack0.
[MSR] interface LoopBack0
[MSR-LoopBack0] ip address 100.0.0.1 32
# Configure the GRE tunnel.
[MSR] interface tunnel0
[MSR-Tunnel0] ip address 10.0.0.2 32
[MSR-Tunnel0] source 1.0.0.2
[MSR-Tunnel0] destination 1.0.0.1
[MSR-Tunnel0] quit
# Create ACL 3001 to define the data flow to be protected by IPsec.
[MSR] acl number 3001
[MSR-acl-adv-3001] rule 0 permit ip source 10.0.0.2 0 destination 10.0.0.1 0
[MSR-acl-adv-3001] rule 10 permit ip source 100.0.0.0 0.0.0.255 destination 101.0.0.0 0.0.0.255
[MSR-acl-adv-3001] quit
# Configure the IKE peer.
[MSR] ike peer tunnel
[MSR-ike-peer-tunnel] pre-shared-key simple test
[MSR-ike-peer-tunnel] remote-address 10.0.0.1
[MSR-ike-peer-tunnel] quit
# Configure the IPsec proposal.
[MSR] ipsec proposal test
[MSR-ipsec-proposal-test] esp encryption-algorithm 3des
[MSR-ipsec-proposal-test] quit
# Configure the IPsec policy.
[MSR] ipsec policy tunnel 1 isakmp
[MSR-ipsec-policy-isakmp-tunnel-1] security acl 3001
[MSR-ipsec-policy-isakmp-tunnel-1] ike-peer tunnel
[MSR-ipsec-policy-isakmp-tunnel-1] proposal test
[MSR-ipsec-policy-isakmp-tunnel-1] quit
# Apply the IPsec policy to the GRE tunnel interface.
[MSR] interface tunnel0
[MSR-Tunnel0] ipsec policy tunnel
[MSR-Tunnel0] quit
# Configure a static route.
[MSR] ip route-static 101.0.0.0 255.255.255.0 Tunnel0
# Configure the IP address of interface FastEthernet0/0.
Cisco> enable
Cisco# configure terminal
Cisco(config)# interface fastEthernet0/0
Cisco(config-if)# ip address 1.0.0.1 255.255.255.0
Cisco(config-if)# duplex full
Cisco(config-if)# exit
# Configure the IP address of Loopback0.
Cisco(config)# interface loopback0
Cisco(config-if)# ip address 10.0.0.1 255.255.255.255
Cisco(config-if)# exit
# Configure the IP address of Loopback10.
Cisco(config)# interface loopback10
Cisco(config-if)# ip address 101.0.0.1 255.255.255.255
Cisco(config-if)# exit
# Configure the GRE tunnel.
Cisco(config)# interface Tunnel0
Cisco(config-if)# ip unnumbered Loopback0
Cisco(config-if)# tunnel source 1.0.0.1
Cisco(config-if)# tunnel destination 1.0.0.2
Cisco(config-if)# bandwidth 2048
Cisco(config-if)# exit
# Create ACL 102 to define the data flow to be protected by IPsec.
Cisco(config)# access-list 102 permit ip host 10.0.0.1 host 10.0.0.2
Cisco(config)# access-list 102 permit ip 101.0.0.0 0.0.0.255 100.0.0.0 0.0.0.255
# Configure the IKE peer.
Cisco(config)# crypto isakmp policy 1
Cisco(config-isakmp)# authentication pre-share
Cisco(config-isakmp)# exit
Cisco(config)# crypto isakmp key test address 10.0.0.2
# Configure the IPsec transform set.
Cisco(config)# crypto ipsec transform-set test esp-3des esp-md5-hmac
Cisco(config-trans)# mode tunnel
Cisco(config-trans)# exit
# Configure the IPsec crypto map.
Cisco(config)# crypto map tunnel 10 ipsec-isakmp
Cisco(config-crypto-map)# set peer 10.0.0.2
Cisco(config-crypto-map)# set transform-set test
Cisco(config-crypto-map)# match address 102
Cisco(config-crypto-map)# exit
# Apply the crypto map to the GRE tunnel interface.
Cisco(config)# interface Tunnel0
Cisco(config-if)# crypto map tunnel
Cisco(config-if)# exit
# Configure a static route.
Cisco(config)# ip route 100.0.0.0 255.255.255.0 Tunnel0
# On MSR, the following display output shows that IKE negotiation succeeded and SAs for both phases were created.
<MSR> display ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
87 10.0.0.1 RD|ST 1 IPSec
89 10.0.0.1 RD 2 IPSec
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
# On MSR, the following display output shows the negotiated IPsec SAs.
<MSR> display ipsec sa
===============================
Interface: Tunnel0
path MTU: 1476
===============================
-----------------------------
IPsec policy name: "tunnel"
sequence number: 1
mode: isakmp
-----------------------------
connection id: 8
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local address: 10.0.0.2
remote address: 10.0.0.1
Flow :
sour addr: 100.0.0.0/255.255.255.0 port: 0 protocol: IP
dest addr: 101.0.0.0/255.255.255.0 port: 0 protocol: IP
[inbound ESP SAs]
spi: 2043256353 (0x79c99e21)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/281
max received sequence-number: 5
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 4220072552 (0xfb893268)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/281
max sent sequence-number: 6
udp encapsulation used for nat traversal: N
# On the Cisco device, the following display output shows the IKE SA.
Cisco# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
10 10.0.0.1 10.0.0.2 ACTIVE des sha psk 1 22:05:55
Connection-id:Engine-id = 10:1(software)
# On the Cisco device, the following display output shows the IPsec SAs.
Cisco# show crypto ipsec sa detail
interface: Tunnel0
Crypto map tag: tunnel, local addr 10.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
current_peer 10.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
path mtu 1476, ip mtu 1476
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (101.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (100.0.0.0/255.255.255.0/0/0)
current_peer 10.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
path mtu 1476, ip mtu 1476
current outbound spi: 0x79C99E21(2043256353)
inbound esp sas:
spi: 0xFB893268(4220072552)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: SW:6, crypto map: tunnel
sa timing: remaining key lifetime (k/sec): (1780660/256)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x79C99E21(2043256353)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: tunnel
sa timing: remaining key lifetime (k/sec): (1780660/256)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
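The difference between the two methods is visible in the Cisco show crypto ipsec sa detail outputs rather than in the configuration: under method 1 the SA terminates on the physical address (local crypto endpt 1.0.0.1) and only the host 10.0.0.1/10.0.0.2 selector carries packets, while under method 2, after crypto map tunnel local-address Loopback0, the SA terminates on the loopback (10.0.0.1) and the 101.0.0.0/24 to 100.0.0.0/24 selector is the one counting encaps and decaps. The Python script below is an added example, not part of this H3C document or of Cisco IOS: it parses the lines excerpted from both outputs on this page and returns, per selector, the crypto endpoints and whether traffic has actually flowed, so that a change of local-address can be verified from counters instead of from the SA status alone. Function names and the excerpted inputs are this example's own.

```python
import ipaddress
import re

# Excerpted from the two "show crypto ipsec sa detail" outputs on this page; only the
# lines this parser reads are kept. METHOD1: crypto map bound to the physical address.
METHOD1_OUTPUT = """\
interface: Tunnel0
Crypto map tag: tunnel, local addr 1.0.0.1
local ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
local crypto endpt.: 1.0.0.1, remote crypto endpt.: 10.0.0.2
local ident (addr/mask/prot/port): (101.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (100.0.0.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
local crypto endpt.: 1.0.0.1, remote crypto endpt.: 10.0.0.2
"""

# METHOD2: crypto map tunnel local-address Loopback0.
METHOD2_OUTPUT = """\
interface: Tunnel0
Crypto map tag: tunnel, local addr 10.0.0.1
local ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
local ident (addr/mask/prot/port): (101.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (100.0.0.0/255.255.255.0/0/0)
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
"""

_IDENT = re.compile(r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/\d+/\d+\)")
_ENDPT = re.compile(r"local crypto endpt\.: (\S+), remote crypto endpt\.: (\S+)")


def parse_flows(text):
    """One dict per protected flow: selector networks, crypto endpoints and packet counters."""
    flows, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("local ident"):
            addr, mask = _IDENT.search(line).groups()
            current = {"local": ipaddress.IPv4Network(f"{addr}/{mask}"), "encaps": 0, "decaps": 0}
            flows.append(current)
        elif current is None:
            continue  # header lines before the first flow block
        elif line.startswith("remote ident"):
            addr, mask = _IDENT.search(line).groups()
            current["remote"] = ipaddress.IPv4Network(f"{addr}/{mask}")
        elif line.startswith("#pkts encaps:"):
            current["encaps"] = int(re.search(r"#pkts encaps: (\d+)", line).group(1))
        elif line.startswith("#pkts decaps:"):
            current["decaps"] = int(re.search(r"#pkts decaps: (\d+)", line).group(1))
        elif line.startswith("local crypto endpt"):
            current["endpoints"] = _ENDPT.search(line).groups()
    return flows


def active_selectors(flows):
    """Selectors that have carried at least one packet in either direction."""
    return [f"{f['local']} -> {f['remote']}" for f in flows if f["encaps"] + f["decaps"] > 0]


def crypto_endpoints(flows):
    """Distinct (local, remote) crypto endpoint pairs used by the crypto map."""
    return sorted({f["endpoints"] for f in flows if "endpoints" in f})


def terminates_on(flows, expected_local):
    """True when every SA of the map terminates on expected_local (the loopback under method 2)."""
    return all(local == expected_local for local, _ in crypto_endpoints(flows))


if __name__ == "__main__":
    for name, text in (("method 1", METHOD1_OUTPUT), ("method 2", METHOD2_OUTPUT)):
        flows = parse_flows(text)
        print(name, "endpoints:", crypto_endpoints(flows), "active:", active_selectors(flows))
```

For the outputs on this page the script reports endpoints (1.0.0.1, 10.0.0.2) with only the host selector active for method 1, and endpoints (10.0.0.1, 10.0.0.2) with only the subnet selector active for method 2; a method-2 deployment whose subnet selector stays at zero while the host selector counts packets is the sign that the local-address binding did not take effect.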
· MSR:
#
acl number 3001
rule 0 permit ip source 10.0.0.2 0 destination 10.0.0.1 0
rule 10 permit ip source 100.0.0.0 0.0.0.255 destination 101.0.0.0 0.0.0.255
#
ike peer tunnel
pre-shared-key simple test
remote-address 10.0.0.1
#
ipsec proposal test
esp encryption-algorithm 3des
#
ipsec policy tunnel 1 isakmp
security acl 3001
ike-peer tunnel
proposal test
#
interface LoopBack0
ip address 100.0.0.1 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
ip address 1.0.0.2 255.255.255.0
#
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
source 1.0.0.2
destination 1.0.0.1
ipsec policy tunnel
#
ip route-static 101.0.0.0 255.255.255.0 Tunnel0
#
return
· Cisco:
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key test address 10.0.0.2
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
mode tunnel
!
crypto map tunnel local-address Loopback0
crypto map tunnel 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set test
match address 102
!
interface Tunnel0
bandwidth 2048
ip unnumbered Loopback0
tunnel source 1.0.0.1
tunnel destination 1.0.0.2
crypto map tunnel
!
interface Loopback0
ip address 10.0.0.1 255.255.255.255
!
interface Loopback10
ip address 101.0.0.1 255.255.255.255
!
interface FastEthernet0/0
ip address 1.0.0.1 255.255.255.0
duplex full
!
ip route 100.0.0.0 255.255.255.0 Tunnel0
!
access-list 102 permit ip host 10.0.0.1 host 10.0.0.2
access-list 102 permit ip 101.0.0.0 0.0.0.255 100.0.0.0 0.0.0.255
!
end
· H3C MSR Series Routers Command Reference (V5)-R2311
· H3C MSR Series Routers Configuration Guide (V5)-R2311
Documentation varies slightly between product models and specifications; for details, contact your sales representative or the 400 service hotline. H3C reserves the right to modify the contents of the documentation without notice.