02-H3C 路由器 GRE over IPsec典型配置
本章节下载: 02-H3C 路由器 GRE over IPsec典型配置 (215.08 KB)
H3C 路由器
GRE over IPsec典型配置
Copyright © 2024 新华三技术有限公司 版权所有,保留一切权利。
非经本公司书面许可,任何单位和个人不得擅自摘抄、复制本文档内容的部分或全部,并不得以任何形式传播。
除新华三技术有限公司的商标外,本手册中出现的其它公司的商标、产品标识及商品名称,由各自权利人拥有。
本文档中的信息可能变动,恕不另行通知。
本文档介绍路由器GRE over IPsec典型配置的方法。
本文档适用于使用Comware V7软件版本的路由器,如果使用过程中与产品实际情况有差异,请以设备实际情况为准。
本文档中的配置均是在实验室环境下进行的配置和验证,配置前设备的所有参数均采用出厂时的缺省配置。如果您已经对设备进行了配置,为了保证配置效果,请确认现有配置和以下举例中的配置不冲突。
本文档假设您已了解IPsec特性。
如图3-1所示,Device A和Device B之间通过GRE隧道传输数据,要求对通过GRE隧道的数据进行IPsec加密处理。
· 为了对经GRE封装的数据进行IPsec加密,将IPsec策略应用在物理接口上,访问控制列表源和目的地址为物理接口地址。
· 为了使IPsec保护整个GRE隧道,应用IPsec策略的接口和GRE隧道源、目的接口必须是同一接口。
在开始配置之前,请确保Device A的GE1/0/2接口和Device B的GE1/0/2接口之间IPv4报文路由可达。
(1) 配置各接口IP地址。
# 配置接口GigabitEthernet1/0/1的IP地址。
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
# 配置接口GigabitEthernet1/0/2的IP地址。
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ip address 1.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/2] quit
(2) 配置GRE隧道。
# 创建Tunnel0接口,并指定隧道模式为GRE over IPv4隧道。
[DeviceA] interface tunnel 0 mode gre
# 配置Tunnel0接口的IP地址为10.1.1.1/24。
[DeviceA-Tunnel0] ip address 10.1.1.1 255.255.255.0
# 配置Tunnel0接口的源端地址为1.1.1.1/24(Device A的GigabitEthernet1/0/2的IP地址)。
[DeviceA-Tunnel0] source 1.1.1.1
# 配置Tunnel0接口的目的端地址为2.2.2.1/24(Device B的GigabitEthernet1/0/2的IP地址)。
[DeviceA-Tunnel0] destination 2.2.2.1
[DeviceA-Tunnel0] quit
(3) 配置ACL。
# 创建ACL3000,定义需要IPsec保护的数据流。
[DeviceA] acl number 3000
[DeviceA-acl-adv-3000] rule 0 permit gre source 1.1.1.1 0 destination 2.2.2.1 0
[DeviceA-acl-adv-3000] quit
(4) 配置静态路由。
# 配置从Device A经过Tunnel0接口到Host B所在子网的静态路由。
[DeviceA] ip route-static 192.168.2.1 255.255.255.0 tunnel 0
(5) 配置IPsec VPN。
# 配置IKE keychain。
[DeviceA] ike keychain keychain1
[DeviceA-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-keychain1] quit
# 配置IPsec安全提议。
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
# 创建一条IKE协商方式的IPsec安全策略,名称为policy1,序列号为1。
[DeviceA] ipsec policy policy1 1 isakmp
[DeviceA-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceA-ipsec-policy-isakmp-policy1-1] remote-address 2.2.2.1
[DeviceA-ipsec-policy-isakmp-policy1-1] transform-set tran1
[DeviceA-ipsec-policy-isakmp-policy1-1] quit
# 在接口GigabitEthernet1/0/2上应用安全策略。
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ipsec apply policy policy1
[DeviceA-GigabitEthernet1/0/2] quit
(1) 配置各接口IP地址。
# 配置接口GigabitEthernet1/0/1的IP地址。
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 192.168.2.1 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] quit
# 配置接口GigabitEthernet1/0/2的IP地址。
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ip address 2.2.2.1 255.255.255.0
[DeviceB-GigabitEthernet1/0/2] quit
(2) 配置GRE隧道。
# 创建Tunnel0接口,并指定隧道模式为GRE over IPv4隧道。
[DeviceB] interface tunnel 0 mode gre
# 配置Tunnel0接口的IP地址为10.1.1.2/24。
[DeviceB-Tunnel0] ip address 10.1.1.2 255.255.255.0
# 配置Tunnel0接口的源端地址为2.2.2.1/24(Device B的GigabitEthernet1/0/2的IP地址)。
[DeviceB-Tunnel0] source 2.2.2.1
# 配置Tunnel0接口的目的端地址为1.1.1.1/24(Device A的GigabitEthernet1/0/2的IP地址)。
[DeviceB-Tunnel0] destination 1.1.1.1
[DeviceB-Tunnel0] quit
(3) 配置静态路由。
# 配置从DeviceB经过Tunnel0接口到Host A所在子网的静态路由。
[DeviceB] ip route-static 192.168.1.1 255.255.255.0 tunnel 0
(4) 创建ACL。
# 创建ACL3000,定义需要IPsec保护的数据流。
[DeviceB] acl number 3000
[DeviceB-acl-adv-3000] rule 0 permit gre source 2.2.2.1 0 destination 1.1.1.1 0
[DeviceB-acl-adv-3000] quit
(5) 配置IPsec VPN。
# 配置IKE keychain。
[DeviceB] ike keychain keychain1
[DeviceB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!
[DeviceB-ike-keychain-keychain1] quit
# 配置IPsec安全提议。
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
# 创建一条IKE协商方式的IPsec安全策略,名称为policy1,序列号为1。
[DeviceB] ipsec policy policy1 1 isakmp
[DeviceB-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceB-ipsec-policy-isakmp-policy1-1] remote-address 1.1.1.1
[DeviceB-ipsec-policy-isakmp-policy1-1] transform-set tran1
[DeviceB-ipsec-policy-isakmp-policy1-1] quit
# 在接口GigabitEthernet1/0/2上应用安全策略。
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ipsec apply policy policy1
[DeviceB-GigabitEthernet1/0/2] quit
# 以Host A向Host B发起通信为例,从192.168.1.2 ping 192.168.2.2,会触发IPsec协商,建立IPsec隧道,在成功建立IPsec隧道后,可以ping通。
C:\Users> ping 192.168.2.2
Pinging 192.168.2.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.2.2: bytes=32 time=2ms TTL=254
Reply from 192.168.2.2: bytes=32 time=2ms TTL=254
Reply from 192.168.2.2: bytes=32 time=1ms TTL=254
Ping statistics for 192.168.2.2:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms
# 在Device A上使用display ike sa命令,可以看到第一阶段的SA正常建立。
<DeviceA> display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
2 2.2.2.1 RD IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING
# 在Device A上使用display ipsec sa命令可以看到IPsec SA的建立情况。
<DeviceA> display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/2
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 1
Mode: isakmp
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect forward secrecy:
Path MTU: 1443
Tunnel:
local address: 1.1.1.1
remote address: 2.2.2.1
Flow:
sour addr: 1.1.1.1/255.255.255.255 port: 0 protocol: gre
dest addr: 2.2.2.1/255.255.255.255 port: 0 protocol: gre
[Inbound ESP SAs]
SPI: 2130348402 (0x7efa8972)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3573
Max received sequence-number: 3
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 2811839266 (0xa7994322)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3573
Max sent sequence-number: 3
UDP encapsulation used for NAT traversal: N
Status: Active
# 在Device A上通过命令display interface tunnel 0可以查看经过GRE隧道传输的流量情况。
<DeviceA> display interface tunnel 0
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64kbps
Maximum Transmit Unit: 1476
Internet Address is 10.1.1.1/24 Primary
Tunnel source 1.1.1.1, destination 2.2.2.1
Tunnel keepalive disabled
Tunnel TTL 255
Tunnel protocol/transport GRE/IP
GRE key disabled
Checksumming of GRE packets disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 43 packets, 3480 bytes, 0 drops
Output: 45 packets, 3740 bytes, 2 drops
# 从Host B向Host A发起通信验证方法相同,此不赘述。
· Device A:
#
interface GigabitEthernet1/0/1
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 1.1.1.1 255.255.255.0
ipsec apply policy policy1
#
interface Tunnel0 mode gre
ip address 10.1.1.1 255.255.255.0
source 1.1.1.1
destination 2.2.2.1
#
ip route-static 192.168.2.1 24 Tunnel0
#
acl number 3000
rule 0 permit gre source 1.1.1.1 0 destination 2.2.2.1 0
#
ipsec transform-set tran1
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec policy policy1 1 isakmp
transform-set tran1
security acl 3000
remote-address 2.2.2.1
#
ike keychain keychain1
pre-shared-key address 2.2.2.1 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8
qp4hMMjV/iteA==
#
· Device B:
#
interface GigabitEthernet1/0/1
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 2.2.2.1 255.255.255.0
ipsec apply policy policy1
#
interface Tunnel0 mode gre
ip address 10.1.1.2 255.255.255.0
source 2.2.2.1
destination 1.1.1.1
#
ip route-static 192.168.1.1 24 Tunnel0
#
acl number 3000
rule 0 permit gre source 2.2.2.1 0 destination 1.1.1.1 0
#
ipsec transform-set tran1
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec policy policy1 1 isakmp
transform-set tran1
security acl 3000
remote-address 1.1.1.1
#
ike keychain keychain1
pre-shared-key address 1.1.1.1 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8
qp4hMMjV/iteA==
#
不同款型规格的资料略有差异, 详细信息请向具体销售和400咨询。H3C保留在没有任何通知或提示的情况下对资料内容进行修改的权利!